Visualizing Software Security
Richard Johnson
Opening Questions
- How can we use the visualization tools we currently have more effectively?
- How can the Software Development Lifecycle benefit from visualizations?
- What is the impact of visualizations on our software security processes?
Visualization 101
What is visualization?
- Information transmission through imagery
Why is visualization important?
- Visualizations utilize the mind's most perceptive input mechanism
What are the challenges in visualization?
- Create intuitive spatial mappings of non-spatial data
- Retain clarity while presenting highly dimensional data
Visualization Taxonomy
- Data Visualization
- Information Visualization
- Concept Visualization
- Strategy Visualization
- Metaphor Visualization
Software Visualization Problem Space
- Program Visualization
- Algorithm Visualization
Sourcing Data
- Static vs Dynamic data
- Inaccurate analysis tools
The goal is always: Reduce Complexity!
Static Software Properties
Structural Connectivity
- Execution & Data Flow
- Class Hierarchies
State Machine Models
- Memory profile
- Algorithm Complexity
Revision History
- Age and authorship
- Milestones in quality assurance
Dynamic Software Properties
Execution tracing
- Code coverage
- Indirect relationships
- Dynamic dependencies
Memory tracing
- Heap management patterns
- Object instances
- Taint propagation
Environment
Software Security Properties
Attack Surface Area
- Dataflow entry points
- Privilege boundaries
Implementation Flaws
- Arithmetic flaws
- Comparison flaws
- Unchecked user input
Exploitability
- Execution environment
- Compiler security
- Reachability
History
- Code age
- Author credibility
Graph Visualization
Hierarchical Layout
- Layered by order of connectedness
- Not for highly connected graphs
Circular
- Nodes aligned on circles
- Clustering
Orthogonal
- Edges aligned on axes
- Clustering
Force Directed
- Spring, Magnetic, and Gravitational force
- Packing
Improved Graph Visualization
Hyperbolic Space
- Clarity on center focus
- Packing
Higher Dimensional Space
- Clarity with high connectivity
- Multi-level views
Visual Attributes
Nodes
- Spatial coordinates
- Spatial extents
- Color
- Shape
Edges
- Color
- Shape
- Width
- Style
Visualizing Software Security
1. Observe binary interdependencies
2. Acquire a method level control flow graph
3. Reduce graph using code coverage data
4. Trace dataflow dependency to discover taint propagation
5. Use static analysis plugins to derive security properties such as GS and SafeSEH
6. Analyze non-covered paths in tainted functions
7. Examine source code where correlations occur
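The walkthrough above, as an added example that is not from the original deck: a constructed method-level call graph with coverage, taint-source and compiler-hardening data is reduced to the functions that actually executed, taint is propagated forward from the dataflow entry point, and the tainted functions are ranked by their non-covered paths and missing GS/SafeSEH so a reviewer knows which source to examine first. All function names, coverage numbers and hardening flags are constructed for the example.

```python
from collections import deque

# Constructed method-level call graph (function -> callees), following the
# direction of control and data flow from the request parser downward.
CALL_GRAPH = {
    "main": ["parse_request", "log_msg"],
    "parse_request": ["read_header", "decode_body"],
    "read_header": ["copy_field"],
    "decode_body": ["inflate", "copy_field"],
    "copy_field": [], "inflate": [], "log_msg": [],
    "cleanup": [],  # never reached in this constructed run
}
# Constructed coverage data: fraction of each function's paths executed under test.
COVERAGE = {"main": 1.0, "parse_request": 0.9, "read_header": 0.7, "decode_body": 0.4,
            "copy_field": 0.5, "inflate": 0.0, "log_msg": 1.0, "cleanup": 0.0}
# Constructed static-analysis output (GS, SafeSEH); absent functions count as unhardened.
HARDENING = {"main": {"gs": True, "safeseh": True},
             "parse_request": {"gs": True, "safeseh": True},
             "decode_body": {"gs": True, "safeseh": True},
             "copy_field": {"gs": False, "safeseh": True}}
TAINT_SOURCES = {"parse_request"}  # constructed dataflow entry point for untrusted input

def reduce_by_coverage(graph, coverage):
    """Reduce the graph with coverage data: drop functions that never executed."""
    live = {f for f, cov in coverage.items() if cov > 0.0}
    return {f: [c for c in callees if c in live]
            for f, callees in graph.items() if f in live}

def propagate_taint(graph, sources):
    """Trace dataflow dependency: forward-propagate taint from the entry points."""
    tainted, queue = set(sources), deque(sources)
    while queue:
        for callee in graph.get(queue.popleft(), []):
            if callee not in tainted:
                tainted.add(callee)
                queue.append(callee)
    return tainted

def review_candidates(graph, coverage, hardening, sources):
    """Rank tainted functions by non-covered paths, weighted by missing hardening."""
    tainted = propagate_taint(reduce_by_coverage(graph, coverage), sources)
    ranked = []
    for f in tainted:
        uncovered = 1.0 - coverage[f]
        flags = hardening.get(f, {})
        missing = sum(1 for k in ("gs", "safeseh") if not flags.get(k, False))
        if uncovered > 0:  # fully covered tainted code is lower priority for review
            ranked.append((round(uncovered * (1 + missing), 2), f))
    return sorted(ranked, reverse=True)  # (score, function), highest first
```

Functions with zero coverage are dropped before taint propagation, so `inflate` never appears in the ranking even though it is reachable from tainted code; a second pass on the unreduced graph is the place to catch such never-executed callees.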
Beyond Graphs
- Source Code Revision History: History Flow
- State Machine Models: Thinking Machine