Abstract
Software insecurity can be explained as a potpourri of hacking methods, ranging from the familiar, e.g., buffer overruns, to the exotic, e.g., code insertion with Chinese characters. From such an angle, software security would just be a collection of specific countermeasures. We will observe a common principle that can guide a structured presentation of software security and give guidance for future research directions: there exists a discrepancy between the abstract programming concepts used by software developers and their concrete implementation on the given execution platform. In support of this thesis, five case studies will be discussed, viz. characters, integers, variables, atomic transactions, and double linked lists.
Copyright information
© 2009 IFIP International Federation for Information Processing
About this paper
Cite this paper
Gollmann, D. (2009). Software Security – The Dangers of Abstraction. In: Matyáš, V., Fischer-Hübner, S., Cvrček, D., Švenda, P. (eds) The Future of Identity in the Information Society. Privacy and Identity 2008. IFIP Advances in Information and Communication Technology, vol 298. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03315-5_1
DOI: https://doi.org/10.1007/978-3-642-03315-5_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-03314-8
Online ISBN: 978-3-642-03315-5
eBook Packages: Computer Science (R0)