The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations. Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

From Theory to Practice: Deployment-grade Tools and Methodologies for Software Security

Rahaman, Sazzadur 25 August 2020 (has links)
Following proper guidelines and recommendations is crucial in software security, which is mostly obstructed by accidental human errors. Automatic screening tools have great potential to reduce the gap between theory and practice. However, the goal of scalable automated code screening is largely hindered by the practical difficulty of reducing false positives without compromising analysis quality. To enable compile-time security checking of cryptographic vulnerabilities, I developed highly precise static analysis tools (CryptoGuard and TaintCrypt) that developers can use routinely. The main technical enabler for CryptoGuard is a set of detection algorithms that refine program slices by leveraging language-specific insights, whereas TaintCrypt relies on symbolic execution-based path-sensitive analysis to reduce false positives. Both CryptoGuard and TaintCrypt uncovered numerous vulnerabilities in real-world software, which proves their effectiveness. Oracle has implemented our cryptographic code screening algorithms for Java in its internal code analysis platform, Parfait, and detected numerous vulnerabilities that were previously unknown. I also designed a specification language named SpanL to easily express rules for automated code screening. SpanL enables domain experts to create domain-specific security checking. Unfortunately, tools and guidelines are not sufficient to ensure baseline security in internet-wide ecosystems. I found that the lack of proper compliance checking induced a huge gap in the payment card industry (PCI) ecosystem. I showed that none of the 6 PCI scanners we tested is fully compliant with the guidelines, issuing certificates to merchants that still have major vulnerabilities. Consequently, 86% (out of 1,203) of the e-commerce websites we tested are non-compliant. To improve the testbeds in the light of our work, the PCI Security Council shared a copy of our PCI measurement paper with the dedicated companies that host, manage, and maintain the PCI certification testbeds.

/ Doctor of Philosophy / Automatic screening tools have great potential to reduce the gap between the theory and the practice of software security. However, the goal of scalable automated code screening is largely hindered by the practical difficulty of reducing false positives without compromising analysis quality. To enable compile-time security checking of cryptographic vulnerabilities, I developed highly precise static analysis tools (CryptoGuard and TaintCrypt) that developers can use routinely. Both CryptoGuard and TaintCrypt uncovered numerous vulnerabilities in real-world software, which proves their effectiveness. Oracle has implemented our cryptographic code screening algorithms for Java in its internal code analysis platform, Parfait, and detected numerous vulnerabilities that were previously unknown. I also designed a specification language named SpanL to easily express rules for automated code screening. SpanL enables domain experts to create domain-specific security checking. Unfortunately, tools and guidelines are not sufficient to ensure baseline security in internet-wide ecosystems. I found that the lack of proper compliance checking induced a huge gap in the payment card industry (PCI) ecosystem. I showed that none of the 6 PCI scanners we tested is fully compliant with the guidelines, issuing certificates to merchants that still have major vulnerabilities. Consequently, 86% (out of 1,203) of the e-commerce websites we tested are non-compliant. To improve the testbeds in the light of our work, the PCI Security Council shared a copy of our PCI measurement paper with the dedicated companies that host the PCI certification testbeds.
2

The criminal liability of the company director in the light of the offences of misuse of company assets and bankruptcy / The criminal liability of the chief executive officer in the light of misuses of company assets and bankruptcy

Khatir, Badra 07 December 2018 (has links)
In this thesis, we undertake a study of the criminal liability of the company director structured around the two major offences of corporate criminal law: misuse of company assets and bankruptcy. Beyond the study of these two offences, which share many common features, both have given rise to abundant and much-criticised case law, so severely do their constituent elements still lack clarity. We thus emphasise that these offences appear to carry a certain complexity, linked in particular to the notions of corporate interest and personal interest, which the legislator has not defined. This complexity consequently harms, first, the information available to company directors and does not sufficiently encourage them to change their behaviour. It then disrupts the role of the criminal judge by leading them to an overly extensive analysis. As for criminal sanctions, they seem, a priori, insufficient or ill-suited, since judicial statistics reveal a substantial and constant increase in convictions. The requirements of clarity, predictability, deterrence and reparation in the texts defining these offences, and the case law that flows from them, are called into question; an overall reconsideration is needed. / The two biggest criminal infringements: misuse of company assets and bankruptcy. Beyond the study of those two infringements, which have many common threads, those two incriminations have resulted in plentiful and criticized jurisprudence because they still lack clarity. In that respect, we highlight that those infringements appear with a certain complexity related to social interest and personal interest, undefined by the legislator. This complexity harms the information for company executives and does not motivate them to change their behaviour. It disrupts penal justice, leading to a too extensive analysis. As for the criminal sanctions, they seem inadequate since judicial statistics show a consistent and constant increase in criminal sentences. The demands of clarity, predictability, dissuasion, and reparation in their criminalization texts and the resulting jurisprudence are called into question. A total reflection appears relevant.
3

Detection of risky API usages: an approach based on the immune system

Gallais-Jimenez, Maxime 06 1900 (has links)
No description available.
