Safe memory management is a crucial pillar in modern programming and cybersecurity, essential to prevent vulnerabilities and errors that can compromise the reliability and security of computer systems. Memory safety problems, as evidenced by many cases (e.g., Wannacry and Crowdstrike) can have a devastating impact on the entire Trusted Computing Base (TCB) of organisations. Despite such important issues, there is still a lack of standardised frameworks, methods, and tools able to guide software engineers in a systematic consideration and mitigation of software memory safety during the entire Software Development Life Cycle (SDLC). In this work, we propose a first attempt towards an approach that contextualises and considers, within the SDLC, main issues related to memory safety, and proposes guidelines to apply specific techniques for reducing potential memory safety risks. Specifically, our approach is pragmatic and oriented towards the industry, with the aim of helping organisations to individuate the parts where memory safety issues more often occur, and to mitigate such problems contextually to a secure SDLC. The concept of memory safety is introduced, followed by an overview of the main classes of vulnerabilities, and then by an in-depth analysis of the applicable mitigation techniques. We present our approach and a case study as an initial application of our approach, and exemplification of concepts related to it. The main contribution of this work consists in the systematization of mitigation techniques deriving from memory management problems, according to the SDLC, and in the practical demonstration of their effectiveness in a case study.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Towards a Systematic Approach to Memory Safety: A Case Study Integrating Techniques and Practices Over the Software Development Life Cycle (SDLC)

  • Isaia Tonini,
  • Giacomo Nalli,
  • Luca Piras,
  • Pietro De Matteis,
  • Stelios Kapetanakis,
  • Silvio Ranise

摘要

Safe memory management is a crucial pillar in modern programming and cybersecurity, essential to prevent vulnerabilities and errors that can compromise the reliability and security of computer systems. Memory safety problems, as evidenced by many cases (e.g., Wannacry and Crowdstrike) can have a devastating impact on the entire Trusted Computing Base (TCB) of organisations. Despite such important issues, there is still a lack of standardised frameworks, methods, and tools able to guide software engineers in a systematic consideration and mitigation of software memory safety during the entire Software Development Life Cycle (SDLC). In this work, we propose a first attempt towards an approach that contextualises and considers, within the SDLC, main issues related to memory safety, and proposes guidelines to apply specific techniques for reducing potential memory safety risks. Specifically, our approach is pragmatic and oriented towards the industry, with the aim of helping organisations to individuate the parts where memory safety issues more often occur, and to mitigate such problems contextually to a secure SDLC. The concept of memory safety is introduced, followed by an overview of the main classes of vulnerabilities, and then by an in-depth analysis of the applicable mitigation techniques. We present our approach and a case study as an initial application of our approach, and exemplification of concepts related to it. The main contribution of this work consists in the systematization of mitigation techniques deriving from memory management problems, according to the SDLC, and in the practical demonstration of their effectiveness in a case study.