Blog Bug's

bugging blogs

…on `KLEE` and `Finding Security Vulnerabilities in Java Applications with Static Analysis`

I have read the two papers for the third time and still with no luck; I still find it hard to understand the inner workings. I am hoping for the reporter today to explain the readings as simply as possible. I’ll repost this again sometime soon.

posted by ninoy in CS 253

…on `Setuid Demystified` and `Understanding Android Security`

I did not much appreciate the topic (setuid) per se. Maybe because in my work I still have not handled systems involving managing `setuid`s, or maybe I was not aware that I’m using them. But what I appreciate more is that the reading suggests formality (i.e. using a formal model) for understanding more of the `setuid` details. I’m really a fan of mathematical proofs. For me, something explained and supported with mathematical models and proofs is something irrefutable. Systems built and verified with mathematical models are somehow flawless and bug-free.

I’m really glad to have read the `Android` topic. The last time I heard of it (Android) was during my undergraduate years, and it did not get my attention. Knowing what has become of it now (improved community, development, integration, and security), it is now prioritized higher on my `to-study` checklist. If I have extra money, I feel that I really should buy one (a gadget with Android OS). If I have extra time, although it is not my leaning (mobile development), I will try to spend some time developing on top of it.

posted by ninoy in CS 253

…on `Attacks and Defenses for the Vulnerability of the Decade`

The reading discusses security vulnerabilities involving mainly some forms of buffer overflow attacks, and some known effective defenses against them (buffer overflows).

I admit that I’m also guilty of not coding the so-called `correct` way (sometimes). Well, like most developers, it’s a matter of weighing functionality, performance, and correctness. Most of the time functionality is the major concern. On reflection, the reading makes me realize I should reconsider some defenses against buffer overflow attacks, although they come with some performance drawbacks.

I appreciated it more on reading it the second time after doing Project 1. Well, learning by experience (that is, doing it first hand) is still the best way to realize its importance. Now I’m motivated to go deeper into other types of buffer overflow attacks, since Project 1 only deals with type 1 (the first).

On second thought, although I am skeptical because of performance concerns, type-safe languages should be prioritized more when picking a base programming language for software development.

posted by ninoy in CS 253

…on `CRS Report for Congress`

It is a lengthy yet informative reading. The reading reminds me of the `Love Bug` virus years ago. It discusses in detail different examples of crimes that can be committed involving computers and networks.

I really feel fortunate that I took my computer science degree here at UP. I believe that `education` really plays a big role in having a sense of responsibility as a programmer. Having taught computer ethics and knowing the consequences of such illegal acts as hacking somehow puts a limit on me. Although the reading was somehow too negative toward `hackers`, I disagree; I consider them (`hackers`) to be nicer ones. They may just be misguided, but not really bad after all. Browse the internet and you’ll find out that authors of and contributors to well-known open-source software are hackers. Frankly, as part of the academe, if I found something that is detrimental to learning and impedes the flow of information (in the first place, I believe that information should always be free), I would engage in hacking (if I knew hacking after all), but I’d rather not if it will hurt someone.

All in all, the reading made me realize and accept the fact that the moment you connect to the internet, you will never be safe. So, my preventive measures include: i) as part of my awareness, I read, read and read; ii) I always update my OS and software for patches; iii) although skeptical of anti-viruses, I have installed one; iv) if I can’t live for hours without the internet, I always enable my firewall; otherwise I disconnect from the internet; v) I always take caution in opening and replying to suspicious mails, especially spam mails, and I only visit known websites.

posted by ninoy in CS 253