Java/Scala Lab 2016. Владимир Гарбуз: Написание безопасного кода на Java.

•Als PPTX, PDF herunterladen•

1 gefällt mir•313 views

16.4.16 Java/Scala Lab Upcoming events: goo.gl/I2gJ4H Этот доклад поможет вам разрабатывать софт, который огорчит хакеров. Мы рассмотрим самые часто-встречающиеся и опасные уязвимости ПО, которые создаются непосредственно разработчиками, а так же как их можно избежать силами Java.

Software

WRITING SECURE CODE
IN JAVA
Vladimir Garbuz

Problem summary
 Developers are NOT responsible for security
bugs!
 Well, almost
 Absolute most security issues are due to
design!
 Either a vulnerable one
 Or an incomplete one – which makes the
developers decide what and how should be
implemented

Object deserialization
https://www.contrastsecurity.com/security-
influencers/java-serialization-vulnerability-
threatens-millions-of-applications

Lack of web security
configurations
 X-Frame-Options
 Content Security Policy
 HTTP Strict Transport Security
 HTTP Public Key Pinning

Sessions - Cookie security flags
 HTTPOnly flag
 Secure flag
 Cookie scope - Domain
 domain better not be set than set liberally to a
domain
 e.g. domain=server.com gives the cookie to
subdomains
 It shouldn’t, but thanks to the RFC 2109 and 6265 circle-
jerk…
 Cookie scope - Path
 path must include only the webapp for which the

Sessions – Session fixation
 http://whatever.com/login.jsp?jsessionid=E85FA
C04E331FFCA55549B10B7C7A4FA
 Session token in URL – bad, bad practice!
 It will also appear in server logs, browser history,
proxies, etc…

Decisions based on untrusted
data
 &admin=true
 Invisible/disabled controls
 Data MIME type
 Forced navigation to ID

Race conditions
 Easy to create, hard to spot
Consider following pseudocode:
X = X + 10
Thread 1 and 2 (T1 and T2) execute it:
15 != 25 

Vulnerable components used
 Libraries and frameworks
 OWASP Dependency Check
 BlackDuck
 Vulnerable software

Input validation
 Make it a universal component!
 used throughout the application, not ad-hoc

Random
 Always use CSPRNG!
 “Oh please, what’s the difference?”

Random
 Popular PRNG named RANDU
 Dots as (x,y) and (x,y,z) – all fall in 15 3D
planes!

Random
 CSPRNG sequence attractor analysis

Random
 Windows 98 PRNG attractor analysis

Random
Hacking Java’s Random(): predicting the future
 Linear Congruential PRNG:
seed = (seed * multiplier + addend) mod (2 ^ precision)
 Has 48 bits of state, but discloses only 32 at a time e.g.
nextInt()
 The remaining 16 bits are easily bruteforcible on modern
PCs:

Random
Hacking Java’s Random(): peeking into the past
 Long story short, one bit at a time we unwind the changes
a previous seed would’ve had on the current number
 And can do so recursively as far back as we wish
USE SECURE RANDO

Vulnerable crypto
 EXP – export crypto
 DES
 RC4
 MD4
 MD5 – yes, fully broken since 2007, stop using
it!
 SHA-1
“Oh please, we’ve used MD5 forever and it’s

Cryptographic hash
What’s similar for these 3 images?..
Their MD5 hash!
And a freely available tool HashClash was used!

Cryptographic hash
MD5 Chosen prefix collisions

Cryptographic hash
Password storage
 Never store passwords for verification in the
clear
 Use salts with hashes to fight rainbow tables
 Never use clear hash functions to hash
passwords
 Yep! Go for a key derivation function!
 PBKDF2
 scrypt
 bcrypt

Setting up SSL/TLS
 Do TLS the right way!
 Yay or nay?
 ECDHE-RSA-AES256-GCM-SHA256
 Yay!
 ECDHE-RSA-RC4-SHA
 Nay!
 EXP-RC4-MD5
 Nay nay nay!!!

Questions and Discussion
Skype: vigarbuz

Weitere ähnliche Inhalte

Was ist angesagt?

Multi-algorithm Ensemble Learning at Scale: Software, Hardware and Algorithmic Approaches: Multi-algorithm ensemble machine learning methods are often used when the true prediction function is not easily approximated by a single algorithm. The Super Learner algorithm, also known as stacking, combines multiple, typically diverse, base learning algorithms into a single, powerful prediction function through a secondary learning process called metalearning. Although ensemble methods offer superior performance over their singleton counterparts, there is an implicit computational cost to ensembles, as it requires training and cross-validating multiple base learning algorithms. We will demonstrate a variety of software- and hardware-based approaches that lead to more scalable ensemble learning software, including a highly scalable implementation of stacking called “H2O Ensemble”, built on top of the open source, distributed machine learning platform, H2O. H2O Ensemble scales across multi-node clusters and allows the user to create ensembles of deep neural networks, Gradient Boosting Machines, Random Forest, and others. As for algorithm-based approaches, we will present two algorithmic modifications to the original stacking algorithm that further reduce computation time — Subsemble algorithm and the Online Super Learner algorithm. This talk will also include benchmarks of the implementations of these new stacking variants.

Erin LeDell, Machine Learning Scientist, H2O.ai at MLconf ATL 2016

MLconf

[台灣人工智慧學校] 新竹分校第一期結業典禮 - 主題演講

台灣資料科學年會

Anomaly Detection and Automatic Labeling with Deep Learning

Adam Gibson

Keras is a high-level neural networks API, written in Python and capable of running on top of either TensorFlow, CNTK or Theano. We can easily build a model and train it using keras very easily with few lines of code.The steps to train the model is described in the presentation. Use Keras if you need a deep learning library that: -Allows for easy and fast prototyping (through user friendliness, modularity, and extensibility). -Supports both convolutional networks and recurrent networks, as well as combinations of the two. -Runs seamlessly on CPU and GPU.

Keras: Deep Learning Library for Python

Rafi Khan

Tridiagonal solver in gpu

Hunan University

Say What You Mean: Scaling Machine Learning Algorithms Directly from Source Code: Scaling machine learning applications is hard. Even with powerful systems like Spark, Tensor Flow, and Theano, the code you write has more to do with getting these systems to work at all than it does with your algorithm itself. But it doesn’t have to be this way! In this talk, I’ll discuss an alternate approach we’ve taken with Pyfora, an open-source platform for scalable machine learning and data science in Python. I’ll show how it produces efficient, large scale machine learning implementations directly from the source code of single-threaded Python programs. Instead of programming to a complex API, you can simply say what you mean and move on. I’ll show some classes of problem where this approach truly shines, discuss some practical realities of developing the system, and I’ll talk about some future directions for the project.

Braxton McKee, CEO & Founder, Ufora at MLconf NYC - 4/15/16

MLconf

Deploying signature verification with deep learning

Adam Gibson

MLConf 2016 SigOpt Talk by Scott Clark

SigOpt

Is Machine Learning Code for 100 Rows or a Billion the Same?: We have built an automatically distributed, implicitly parallel data science platform for running large scale machine learning applications. By abstracting away the computer science required to scale machine learning models, The Ufora platform lets data scientists focus on building data science models in simple scripting code, without having to worry about building large-scale distributed systems, their race conditions, fault-tolerance, etc. This automatic approach requires solving some interesting challenges, like optimal data layout for different ML models. For example, when a data scientist says “do a linear regression on this 100GB dataset”, Ufora needs to figure out how to automatically distribute and lay out that data across a cluster of machines in the cluster in order to minimize travel over the wire. Running a GBM against the same dataset might require a completely different layout of that data. This talk will cover how the platform works, in terms of data and thread distribution, how it generates parallel processes out of single-threaded programs, and more.

Braxton McKee, Founder & CEO, Ufora at MLconf SF - 11/13/15

MLconf

GraphMat: Bridging the Productivity-Performance Gap in Graph Analytics: With increasing interest in large-scale distributed graph analytics for machine learning and data mining, more data scientists and developers are struggling to achieve high performance without sacrificing productivity on large graph problems. In this talk, I will discuss our solution to this problem: GraphMat. Using generalized sparse matrix-based primitives, we are able to achieve performance that is very close to hand-optimized native code, while allowing users to write programs using the familiar vertex-centric programming paradigm. I will show how we optimized GraphMat to achieve this performance on distributed platforms and provide programming examples. We have integrated GraphMat with Apache Spark in a manner that allows the combination to outperform all other distributed graph frameworks. I will explain the reasons for this performance and show that our approach achieves very high hardware efficiency in both single-node and distributed environments using primitives that are applicable to many machine learning and HPC problems. GraphMat is open source software and available for download.

Narayanan Sundaram, Research Scientist, Intel Labs at MLconf SF - 11/13/15

MLconf

Challenges in Large Scale Machine Learning

Sudarsun Santhiappan

HTML slides and longer abstract can be found at https://github.com/ljdursi/EuroMPI2016. For years, the academic science and engineering community was almost alone in pursuing very large-scale numerical computing, and MPI was the lingua franca for such work. But starting in the mid-2000s, we were no longer alone. First internet-scale companies like Google and Yahoo! started performing fairly basic analytics tasks at enormous scale, and since then others have begun tackling increasingly complex and data-heavy machine-learning computations, which involve very familiar scientific computing primitives such as linear algebra, unstructured mesh decomposition, and numerical optimization. These new communities have created programming environments which emphasize what we’ve learned about computer science and programmability since 1994 – with greater levels of abstraction and encapsulation, separating high-level computation from the low-level implementation details. At about the same time, new academic research communities began using computing at scale to attack their problems - but in many cases, an ideal distributed-memory application for them begins to look more like the new concurrent distributed databases than a large CFD simulation, with data structures like dynamic hash tables and Bloom trees playing more important roles than rectangular arrays or unstructured meshes. These new academic communities are among the first to adopt emerging big-data technologies over traditional HPC options; but as big-data technologies improve their tightly-coupled number-crunching capabilities, they are unlikely to be the last. In this talk, I sketch out the landscape of distributed technical computing frameworks and environments, and look to see where MPI and the MPI community fits in to this new ecosystem.

EuroMPI 2016 Keynote: How Can MPI Fit Into Today's Big Computing

Jonathan Dursi

Cyber-physical systems are engineered using a broad range of modeling methods, from systems of ODEs to finite automata. Each modeling method comprises ways of representing a system (models) and reasoning about it (analyses). The growing diversity of CPS modeling methods creates a challenge of using models and analyses together: what implicit assumptions are models making about each other? In what order should analyses be composed? Incorrect answers to these questions may lead to modeling errors and, eventually, system failures. In this talk I present a framework for inter-model analysis to deal with the challenge of multi-modeling. The framework allows its user to create architectural views as abstractions of models and specify contracts for analysis. Given views and contracts, the framework verifies model consistency, determines correct analysis execution sequence, an verifies that assumptions and guarantees of analyses hold.

Framework for Inter-Model Analysis of Cyber-Physical Systems

Ivan Ruchkin

Scalability and interactivity make Spark an excellent platform for data scientists who want to analyze very large datasets and build predictive models. However, the productivity of data scientists is hampered by lack of abstractions for building models for diverse types of data. For example, processing text or image data requires low level data coercion and transformation steps, which are not easy to compose into complex workflows for production applications. There is also a lack of domain specific libraries, for example for computer vision and image processing. We present an open-source Spark library which simplifies common data science tasks such as feature construction and hyperparameter tuning, and allows data scientists to iterate and experiment on their models faster. The library integrates seamlessly with SparkML pipeline object model, and is installable through spark-packages. The library brings deep learning and image processing to Spark through CNTK, OpenCV and Tensorflow in frictionless manner, thus enabling scenarios such training on GPU-enabled nodes, deep neural net featurization and transfer learning on large image datasets. We discuss the design and architecture of the library, and show examples of building a machine learning models for image classification.

Data Science and Deep Learning on Spark with 1/10th of the Code with Roope As...

Databricks

DL4J and DataVec for Enterprise Deep Learning Workflows: Applications in NLP, sensor processing (IoT), image processing, and audio processing have all emerged as prime deep learning applications. In this session we will take a look at a practical review of building practical and secure Deep Learning workflows in the enterprise. We’ll see how DL4J’s DataVec tool enables scalable ETL and vectorization pipelines to be created for a single machine or scale out to Spark on Hadoop. We’ll also see how Deep Networks such as Recurrent Neural Networks are able to leverage DataVec to more quickly process data for modeling.

Josh Patterson, Advisor, Skymind – Deep learning for Industry at MLconf ATL 2016

MLconf

Meetup tensorframes

Paolo Platter

Machine Learning with TensorFlow: TensorFlow has enabled cutting-edge machine learning research at the top AI labs in the world. At the same time it has made the technology accessible to a large audience leading to some amazing uses. TensorFlow is used for classification, recommendation, text parsing, sentiment analysis and more. This talk will go over the design that makes it fast, flexible, and easy to use, and describe how we continue to make it better.

Rajat Monga, Engineering Director, TensorFlow, Google at MLconf 2016

MLconf

Anomaly detection in deep learning (Updated) English

Adam Gibson

Deep Recurrent Neural Networks for Sequence Learning in Spark by Yves Mabiala

Spark Summit

Tokyo Webmining Talk1

Kenta Oono

Was ist angesagt? (20)

Erin LeDell, Machine Learning Scientist, H2O.ai at MLconf ATL 2016

[台灣人工智慧學校] 新竹分校第一期結業典禮 - 主題演講

Anomaly Detection and Automatic Labeling with Deep Learning

Keras: Deep Learning Library for Python

Tridiagonal solver in gpu

Braxton McKee, CEO & Founder, Ufora at MLconf NYC - 4/15/16

Deploying signature verification with deep learning

MLConf 2016 SigOpt Talk by Scott Clark

Braxton McKee, Founder & CEO, Ufora at MLconf SF - 11/13/15

Narayanan Sundaram, Research Scientist, Intel Labs at MLconf SF - 11/13/15

Challenges in Large Scale Machine Learning

EuroMPI 2016 Keynote: How Can MPI Fit Into Today's Big Computing

Framework for Inter-Model Analysis of Cyber-Physical Systems

Data Science and Deep Learning on Spark with 1/10th of the Code with Roope As...

Josh Patterson, Advisor, Skymind – Deep learning for Industry at MLconf ATL 2016

Meetup tensorframes

Rajat Monga, Engineering Director, TensorFlow, Google at MLconf 2016

Anomaly detection in deep learning (Updated) English

Deep Recurrent Neural Networks for Sequence Learning in Spark by Yves Mabiala

Tokyo Webmining Talk1

Andere mochten auch

AI&BigData Lab 2016. Григорий Кравцов: Модель вычислений на классификациях

GeeksLab Odessa

4.6.16 AI&BigData Lab Upcoming events: goo.gl/I2gJ4H В начале вас ждет небольшой исторический экскурс в текущие способы автоматической коррекции ошибок в текстах. Потом мы плавно перейдем к основной части доклада, посвященной последним методам коррекции ошибок с использование различных современных Deep Learning архитектур, основанных на sequence-to-sequence моделях. Основная цель: перевести английский текст в английский, но с исправленными ошибками и улучшениями на выходе. Доклад будет в форме обзора современных архитектур и идей с введением для начинающих. Будет интересно!

AI&BigData Lab 2016. Анатолий Востряков: Перевод с "плохого" английского на "...

GeeksLab Odessa

4.6.16 AI&BigData Lab Upcoming events: goo.gl/I2gJ4H В мире машинного обучения многие годы доминируют нейронные сети прямого распространения (feed-forward), которые почти ничего общего не имеют с нейронами и сетями нашего мозга. В этом докладе мы познакомимся с бионическими (biologically plausible) нейронными сетями. В большинстве из них нейроны испускают и принимают импульсы (спайки). Какие возникают проблемы и сложности обучения таких сетей? В каких традиционно нерешаемых (или плохо решаемых) задачах они могут быть эффективны, как эффективен в них мозг человека и животных? Как можно реализовать такие сети аппаратно, и что такое нейроморфный компьютинг? -- Вот вопросы, которым посвящена данная презентация.

AI&BigData Lab 2016. Дмитрий Новицкий: cпайковые и бионические нейронные сети...

GeeksLab Odessa

16.4.16 Java/Scala Lab Upcoming events: goo.gl/I2gJ4H В докладе будет расммотрена идеология использования неявных классов в Scala, рассмотрен пример построения DAO слоя с поддержкой нативной нотации MongoShell, показана лекость организации тестирования при таком подходе на примере DAO слоя взаимодействия с MongoDB через ReactiveMongo драйвер. В заключение будут представлены положительные и отрицательные стороны предложенного подхода

Java/Scala Lab 2016. Григорий Кравцов: Реализация и тестирование DAO слоя с н...

GeeksLab Odessa

AI&BigData Lab 2016. Константин Герасименко: MOLAP: Новые границы возможного.

GeeksLab Odessa

4.6.16 AI&BigData Lab Upcoming events: goo.gl/I2gJ4H Это — рекомендательная система. Если взглянуть на нее со стороны, то она крепко застряла между Collaborative filtering и Content-based filtering. Используются рекомендательные системы уже давно, но рекомендации все еще не идеальны. Обычно проблемы — это выбор технологий или там фреймворка… А у нас — cold-start problem, semantic gap и др.!

AI&BigData Lab 2016. Игорь Костюк: Как приручить музыкальную рекомендательную...

GeeksLab Odessa

4.6.16 AI&BigData Lab Upcoming events: goo.gl/I2gJ4H В докладе представлен обзор новых подходов к обучению глубоких и рекуррентных нейросетей. Обсуждаются ортогональная инициализация весов для сверточных и рекуррентных нейросетей и ее влияние на проблему исчезновения градиентов (vanishing gradient effect), нормализацию мини-пакетов (batch normalization), разностное обучение (residual learning).

AI&BigData Lab 2016. Артем Чернодуб: Обучение глубоких, очень глубоких и реку...

GeeksLab Odessa

16.4.16 Java/Scala Lab Upcoming events: goo.gl/I2gJ4H Рассказ о сравнительно простых техниках программирования в scala, редко применяющихся за пределами широкоизвестных библиотек из-за ореола таинственности вокруг них, вызванных чрезмерным употреблением математической терминологии при их первоначальном описании.

Java/Scala Lab 2016. Руслан Шевченко: Несколько трюков scala-разработки, приг...

GeeksLab Odessa

4.6.16 AI&BigData Lab Upcoming events: goo.gl/I2gJ4H Проекты в области анализа данных - вызов не только для инженеров, но и для менеджеров. Доклад будет посвящён особенностям таких проектов по сравнению с обычной разработкой, ролям в команде и построению взаимодействия с заказчиком в условиях неопределённости R&D.

AI&BigData Lab 2016. Сергей Шельпук: Методология Data Science проектов

GeeksLab Odessa

4.6.16 AI&BigData Lab Upcoming events: goo.gl/I2gJ4H Поговорим об одной из базовых практических техник обучения нейронных сетей - предобучение, finetuning, transfer learning. В каких случаях применять, какие модели использовать, где их брать и как адаптировать.

AI&BigData Lab 2016. Александр Баев: Transfer learning - зачем, как и где.

GeeksLab Odessa

Andere mochten auch (10)