Abstract
The first lecture introduced the problem of software security and showed how it goes beyond the problem of operational safety: software must resist not only "bugs" and accidental failures (safety), but also attacks and malicious use (security). We then looked at three recent attacks, representative of the diversity of software security flaws: the Heartbleed attack on web servers using the OpenSSL library, based on out-of-bounds access to memory buffers; the Log4Shell attack on the Log4j logging library, which injects arbitrary code through data controlled by the attacker; and the attack on the DAO smart contract of the Ethereum cryptocurrency, which exploits the contract's vulnerability to re-entrant operations.