Robert Seacord and David Svoboda have both been selected for the JavaOne 2014 Security Track review team. JavaOne 2014 is Oracle's flagship software developers conference event for Java. Security has been a focus at the conference for many years, but last year Oracle brought security to the forefront by including it as a track. If you have ideas for interesting Java security sessions, we would be delighted to review them. The JavaOne CFP is open until April 14, 2014. Two presentations have already been accepted early for this event: David Svoboda's presentation Anatomy of Another Java Zero-Day Exploit and Jim Manico's Leveraging Open Source for Secure Java Website Construction. Besides being a JavaOne Rock Star, Jim got us started years ago working on The CERT Oracle Secure Coding Standard for Java.
The CERT C Coding Standard has gone to press, and we are now waiting ever-so-patiently for the advance office copies. We are expecting the book to be a huge success, because we are unable to learn from history.
Our Mobile SCALe team continues to develop secure coding rules and guidelines for Android apps and to research and develop compliance checkers. We are currently developing a checker that looks for taint flows in Android apps, where a data source is sensitive and a dataflow containing it can reach a sink. The research challenge we focus on is to develop an analysis that determines taint flow endpoints with the following (sometimes conflicting) goals in mind: precision, soundness, speed, and conservation of memory/disk space. We recently designed and implemented a novel taint flow analyzer for sets of apps. It combines and augments the existing Android dataflow analyses of FlowDroid (which analyzes intracomponent taint flows) and Epicc (which analyzes intercomponent intent communication) to precisely track both intercomponent and intracomponent dataflow in a set of Android applications. Our analysis of a given set of apps takes place in two phases. In the first phase, we determine the dataflows enabled individually by each app and the conditions under which these are possible. In the second phase, we build on the first phase's results to enumerate the potentially dangerous dataflows enabled by the whole set of applications. Our taint flow analyzer prototype for static analysis of sets of Android apps, DidFail (Droid Intent Dataflow Analysis for Information Leakage), was completed in March 2014. Our team is continuing to do research and development with this analyzer, with a special focus on methods to efficiently increase precision. Development of secure coding rules continues on the CERT secure coding for Android wiki, and our previous work is described in the technical report Mobile SCALe: Rules and Analysis for Secure Java and Android Coding and our recent SEI blog post Secure Coding for the Android Platform.
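The following added example, which is not DidFail's code, models the second phase described above: it takes per-app flow results of the kind the first phase produces and propagates taint across intents to list the source-to-sink flows enabled by the whole set of apps. The app names, the PHASE1 data, and matching intents by action string alone are assumptions made for the example.

```python
from collections import defaultdict

# Constructed phase-1 output: for each app, the (from, to) flows found when the
# app is analyzed in isolation. Endpoint kinds: "src" = sensitive source,
# "sink" = sink, "in"/"out" = data read from / written to an intent.
# Assumption: an "out" intent reaches every "in" with the same action string.
PHASE1 = {
    "com.example.sender": [
        (("src", "TelephonyManager.getDeviceId"), ("out", "example.SHARE")),
    ],
    "com.example.relay": [
        (("in", "example.SHARE"), ("out", "example.UPLOAD")),
    ],
    "com.example.uploader": [
        (("in", "example.UPLOAD"), ("sink", "OutputStream.write")),
        (("src", "LocationManager.getLastKnownLocation"), ("sink", "Log.i")),
    ],
}

def phase2(phase1):
    """Propagate source taint across intents to a fixed point.

    Returns sorted (source, source_app, sink, sink_app) tuples.
    """
    taint = defaultdict(set)  # intent action -> {(source, source_app)}
    found = set()             # complete source-to-sink flows
    changed = True
    while changed:            # terminates: both sets only grow and are finite
        changed = False
        for app, flows in phase1.items():
            for (k_from, n_from), (k_to, n_to) in flows:
                # Taint entering this flow: a fresh source, or whatever has
                # already reached the intent this component receives.
                carried = {(n_from, app)} if k_from == "src" else set(taint[n_from])
                if k_to == "out":
                    new = carried - taint[n_to]
                    taint[n_to] |= new
                else:  # sink
                    new = {(s, o, n_to, app) for s, o in carried} - found
                    found |= new
                changed = changed or bool(new)
    return sorted(found)

def cross_app(flows):
    """Keep only flows whose source and sink sit in different apps."""
    return [f for f in flows if f[1] != f[3]]

if __name__ == "__main__":
    for flow in cross_app(phase2(PHASE1)):
        print("%s (%s) -> %s (%s)" % flow)
```

No single app in the sample data leaks the device ID on its own; the flow appears only when the three apps are analyzed as a set.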
Many of our new Android secure coding rules and guidelines need work to be completed according to the standard format. We haven't announced them previously in the newsletter because they aren't done. For instance, DRD17-J and DRD18-J both need the noncompliant examples and compliant solutions to be added. If you are an Android, Java, or C expert and would like to contribute to completing these rules, we'd like to talk with you. We will give you guidance on filling in the missing content and will check your work before it goes public. If interested, please contact us. Some Android rules and guidelines that need completion are DRD05-J, DRD06-J, DRD07-J, DRD11-J, DRD12-J, DRD13-J, DRD14-J, DRD16-J, DRD17-J, and DRD18-J.
How are you using the CERT Secure Coding Standards?
We want to hear from you, the readers of this eNewsletter. Submit your comments about how you are using CERT Secure Coding Standards.