We know that serious attacks on software occur worldwide on a daily basis, targeting individuals, corporations, and governments alike. When these attacks target the software that controls critical infrastructure such as the power grid or maritime container shipping, the consequences can be even more serious. Vulnerabilities in the software that supports container shipping can disrupt commerce and enable smuggling, theft, and terrorism. These software vulnerabilities can even sink ships. The key to the prevention of such attacks is a comprehensive cybersecurity program that includes an in-depth vulnerability assessment of the software that control the shipping process.
Elisa Heymann and Bart Miller explain how they applied in-depth vulnerability assessment techniques to a critical part of the software that controls container shipping, the terminal operating system (TOS). The in-depth vulnerability assessment is based on their First Principles Vulnerability Assessment (FPVA) methodology. The goal of this methodology is to identify the key (high-value) assets in the system, determine their exposure to threats, and then perform detailed analysis of the code associated with those assets. This process proceeds without a preconceive notion of what threats or vulnerabilities might be present. Elisa and Bart outline the process that they followed, detail the vulnerabilities they found, and offer suggestions for remediating these vulnerabilities.
Elisa Heymann is a senior scientist within the NSF Cybersecurity Center of Excellence at the University of Wisconsin and an associate professor at the Autonomous University of Barcelona, where she codirects the MIST software vulnerability assessment. Elisa was also in charge of the Grid/Cloud Security Group at the UAB and participated in two major European grid projects: EGI-InSPIRE and the European Middleware Initiative (EMI). Elisa’s research interests include security and resource management for grid and cloud environments. Her research is supported by the NSF, the Spanish government, the European Commission, and NATO.
Barton Miller is a professor of computer sciences at the University of Wisconsin, the chief scientist for the DHS Software Assurance Marketplace research facility, and software assurance lead on the NSF Cybersecurity Center of Excellence. Bart also codirects the MIST software vulnerability assessment project in collaboration with his colleagues at the Autonomous University of Barcelona and leads the Paradyn Parallel Performance Tool project, which is investigating performance and instrumentation technologies for parallel and distributed applications and systems. In 1988, Bart founded the field of fuzz random software testing—the foundation of many security and software engineering disciplines—and in 1992, working with his then-student Jeffrey Hollingsworth, founded the field of dynamic binary code instrumentation and coined the term “dynamic instrumentation,” which forms the basis for his current efforts in malware analysis and instrumentation. His research interests include systems security, binary and malicious code analysis and instrumentation of extreme-scale systems, parallel and distributed program measurement and debugging, and mobile computing. Bart’s research is supported by the US Department of Homeland Security, the Department of Energy, the National Science Foundation, NATO, and various corporations.
©2018, O’Reilly UK Ltd • (800) 889-8969 or (707) 827-7019 • Monday-Friday 7:30am-5pm PT • All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners. • firstname.lastname@example.org