INF226 Software Security

Fall 2023

Software Security

Recently, in a small Scandinavian country...:

  • Volue – Ransomware attack, 10 MNOK
  • Østre Toten – 30000 documents, 4 MNOK fine
  • Stortinget – attacked twice
  • Inocean – 2 TB data stolen
  • Nordic Choice Hotels – 2000 documents incl. payment and employee data
  • Amedia – ransomware stopped papers
  • Nortura – virus stopped production
  • Nordland – system down for weeks after attack

We can do better

Nasjonal sikkerhetsmyndighet (NSM), the Norwegian National Security Authority, helps Norwegian organisations defend against cyber attacks.

There they have seen the number of cyber attacks triple in a short time. Over 80 percent of the incidents NSM assists with could have been avoided with basic security measures.

(NRK)

How to study

  • Lectures
    • Thu/Fri 14–16 in Aud A
    • Videonotat in Mitt UiB (no guarantees!)
  • Read (textbooks, other resources)
  • Work! – Weekly, compulsory and online exercises
  • Figure things out on your own
  • …and together – in group sessions, on Discord, self-organized

Do stuff => learn stuff!

Textbooks

Notes and exercises

https://git.app.uib.no/inf226/23h/inf226-23h

  • First exercise published (but server not up yet)
  • Three compulsory exercises (dates TBD)

Groups next week!

Ethics and laws

Ethics is an important part of the learning outcomes

You'll need to do exercises that would be unethical or illegal in a normal setting

Be careful, only use/try techniques as directed!

Topics

Common vulnerabilities – buffer overflows, code injection, XSS

Writing secure software – software design, client/server, access control, authentication

Understanding – underlying systems (OS, internet, web, …), problem domain, threats, pitfalls, user behaviour

What is security?

  • …software security?

When is a system secure?

CIA(-T)

  • Confidentiality
  • Integrity
  • Availability
  • (Traceability)

Lessons of Security

  • Lesson 1: “A Rigelian tiger pounces with no warning.”
  • Lesson 2: “There are no breaks in security because threats never take breaks.”
  • Lesson 3: “Let your tricorder do the investigating.”
  • Lesson 6: “Know when to bend the rules.”
  • Lesson 7: “Leave no stone unturned.”

– La'an Noonien-Singh
(Star Trek: Strange New Worlds)

Lessons of Security

  • Lesson 1: “A Rigelian tiger pounces with no warning.”
  • Lesson 2: “There are no breaks in security because threats never take breaks.”
  • Lesson 3: “Let your tricorder (read: tools) do the investigating.”
  • Lesson 6: “Know when to bend the rules.”
  • Lesson 7: “Leave no stone unturned.”

– La'an Noonien-Singh
(Star Trek: Strange New Worlds)

What are the biggest security threats?

More Star Trek Lessons

‘Matter of internal security’ – the age-old cry of the oppressor

– Jean-Luc Picard (quoting Voltaire)
(Star Trek: The Next Generation)