Programm Grazer Linuxtage 2017

This presentation will raise awareness of how attackers think and act to create an undefined state within a system to gain information or even exploit weaknesses within a software system. We will examine common security practices with the goal that the audience will change their mindset towards a more attacker oriented view of a system. Put differently, we will start thinking adversarially which will help to build more secure systems.

In contrast to regular users of software systems, adversaries aim to gain confidential information by trying to establish an undefined state within a software system. Many of the software based systems we use in our day to day life rely on the principle of trust and hence rely on the fact that users are not malicious and interact with the system only in the intended way.

Unfortunately trust is not binary and while we trust certain entities to perform certain tasks we do not trust the same entities to perform other tasks. Ideally we design systems which allow us to assign trust levels to certain entities and that those entities can only perform the tasks their trust level allows. Sadly this is easier said than done because real world systems have to respond to any kind of input. Adversaries observe those responses to gain information through so called ‘side channel attacks’.

In order to build secure systems we have to practice thinking adversarially and account for the fact that everyone and everything in our ecosystem is malicious. We can not base the security of our systems on the principle of trust and that everyone interacts with our system only in the way it was designed for. We have to provide safe defaults making sure that malicious actors can not abuse any form of trust and not intrinsically bypass security mechanisms.

This presentation will raise awareness of how attackers think and act to create an undefined state within a system to gain information or even exploit weaknesses within a software system. We will examine common security practices with the goal that the audience will change their mindset towards a more attacker oriented view of a system. We will discuss the problematic situation of resource, time and money constraints to invest in security and what every developer can do to raise the bar with low overhead. Put differently, we will start thinking adversarially which will help to build more secure systems.

Info

Tag: 29.04.2017
Anfang: 11:45 Uhr
Dauer: 00:45
Room: G.AP147.004
Track: Programmierung
Sprache: en

Links:

• iCalendar

Feedback

Uns interessiert deine Meinung! Wie fandest du diese Veranstaltung?