Information Systems Security

Applications Development

Domain #8

Objectives

Software Flaws
OSI Model
Database Concepts
Software Lifecycle
Change Control
OOP
Expert Systems

Why Is Security Lacking?

Software vendors rush to market
Security professionals are not software developers
Public is used to software with bugs
Software vendors not held liable
Programmers not taught secure coding in school
Note: average of 10 bugs per 1,000 lines of code

Usual Steps

Buggy software released to market
Hackers find vulnerabilities
Web sites post vulnerabilities
Vendors develop patches
Patch sits on the network administrator's desk waiting to be tested and installed

Where to Implement

Security should be planned and managed throughout the lifecycle
Not to be added as an afterthought
Should not be forsaken due to deliverable deadlines
Focus on security AND functionality

Functional Requirements

Specific system functionalities
Consider how the parts of the system should interoperate
Deliverable from this phase of development is a functional requirements document

Design

Determine how exactly the various parts of the system will interoperate

How the modular system structure will be laid out

Lay out initial timelines for completion of coding milestones

Deliverable is formal design documents

Code Review Walk-Through

Schedule several code walk-through meetings
Involve only development personnel
Look for problems in logical flow or security

System Testing

Perform the initial system tests using development personnel

Agree that the system meets all functional requirements

Deliverable is beta code

Certification/Accreditation

Normally required by defense contractors
Certification is the comprehensive evaluation of the technical and non-technical security features of an IT system
Accreditation is the formal declaration by the approving authority that an IT system is approved to operate in a particular security mode

Maintenance

Ensure continued operation in the face of changing operational, data processing, storage, and environmental requirements

Changes to the code should be handled through a formalized change request/control process

Life Cycle Models

Formalized life cycle management process
Royce and Boehm proposed several software life cycle models
In 1991, the Software Engineering Institute introduced the Capability Maturity Model

Waterfall Model

Developed by Royce in 1970
Series of iterative activities
7 stages of development
– System requirements
– Software requirements
– Preliminary design
– Detailed design
– Code/debug
– Testing
– Maintenance

Waterfall Model

Allows development to return to the previous phase to correct defects discovered

1st comprehensive model to allow a step back.

Only allows the developers to step back one phase in the process

Spiral Model

Developed by Boehm in 1988 at TRW
Multiple iterations
Each loop of the spiral results in a system prototype
Allows developers to return to the planning stage based on changing technical demands and customer requirements

Software Capability Maturity

Developed at the Software Engineering Institute (CMU) in 1991
Five maturity levels:
– Initial – ad hoc, unpredictable process
– Repeatable – basic project management in place; earlier successes can be repeated
– Defined – developers use formal, documented processes
– Managed – quantitative measures utilized
– Optimized – process of continuous improvement

Security Control Architecture

Process isolation
– Fundamental security procedures put into place during system design
Hardware segmentation
– Process isolation at the hardware level by enforcing memory access constraints

Protection Rings

Ring 0 – where the OS kernel resides
– Has full control of all system resources
Rings 1 & 2 – device drivers and OS interfaces
– Most operating systems do not implement these rings
Ring 3 – user applications and processes
– Known as user mode
– Not allowed direct access to system resources; must request them from the kernel through system calls

Ring 0 – Reference Monitor

Must be tamperproof
Must always be invoked (complete mediation)
Small enough to be analyzed and verified
Must be complete

Virus

Piece of code that requires a host application to reproduce
– Macro
– Boot sector
– Compression
– Stealth
– Polymorphic
– Multi-partite
– Self-garbling

Virus

Fred Cohen demonstrated the first documented virus in 1983 and coined the term "computer virus"
– Not to be confused with the Morris worm, a self-propagating worm released by Robert T. Morris in 1988
Over 60,000 viruses today
Main functions – propagation and destruction (the payload)

Types of Viruses

File Infectors
Boot Sector Infectors
Companion Virus
Email Virus
Multi-partite

More Malware

Worms– Can reproduce on their own– Self contained

Logic bomb– Event triggers execution

Trojan horse– Disguised as another program– Runs with the privileges of the user who launches it, so it inherits that user's authorization

MORE

DDoS Zombies
Spyware/Adware
Pranks

Threats in Software Environment

Buffer Overflow
Citizen Programmers
Covert Channels: Storage and Timing
Malware
Malformed Input
Object Reuse
Mobile Code
Time of Check/Time of Use
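The buffer overflow and malformed-input items above, as an added example that is not part of the original deck: a record with a fixed-size name field followed by a privilege flag, filled once by an unbounded copy and once after the input length is validated. The record layout, the names and the oversized scratch buffer are constructed for this example; the buffer is padded beyond the record so that the over-long copy stays inside the array and its effect on the flag byte is defined behaviour, whereas in a real program the bytes past the field are whatever happens to sit next to it in memory.

```c
#include <stdio.h>
#include <string.h>

/* Constructed record layout, as a C struct would lay it out: bytes 0..7
 * hold a NUL-terminated name, byte 8 holds a privilege flag (0 = ordinary
 * user). SCRATCH is larger than the record only so the demo stays in bounds. */
#define NAME_LEN 8
#define FLAG_OFF 8
#define SCRATCH  16
#define DEMO_MAX (SCRATCH - 1)   /* longest input the demo can absorb safely */

/* Vulnerable: copies until the terminator with no bound on the destination,
 * so a name of 8 or more characters runs into the flag byte. */
void set_name_unchecked(unsigned char *record, const char *name)
{
    size_t i = 0;
    do {
        record[i] = (unsigned char)name[i];
    } while (name[i++] != '\0');
}

/* Hardened: measure the input with a bound first and reject, rather than
 * silently truncate, anything that cannot fit together with its NUL. */
int set_name_checked(unsigned char *record, const char *name)
{
    size_t n = 0;
    while (n < NAME_LEN && name[n] != '\0')   /* never reads past NAME_LEN bytes */
        n++;
    if (n >= NAME_LEN)
        return -1;                            /* 7 characters + NUL is the limit */
    memcpy(record, name, n + 1);
    return 0;
}

/* Helpers that report the flag byte after each kind of copy. */
int flag_after_unchecked(const char *name)
{
    unsigned char record[SCRATCH] = {0};
    if (strlen(name) > DEMO_MAX)
        return -1;                            /* keep the demo itself in bounds */
    set_name_unchecked(record, name);
    return record[FLAG_OFF];
}

int flag_after_checked(const char *name, int *rc)
{
    unsigned char record[SCRATCH] = {0};
    *rc = set_name_checked(record, name);
    return record[FLAG_OFF];
}

int main(void)
{
    const char *attack = "AAAAAAAAAA";        /* 10 characters: 2 past the field */
    int rc;
    int f1 = flag_after_unchecked(attack);
    int f2 = flag_after_checked(attack, &rc);
    printf("unchecked copy: flag byte = 0x%02x (was 0x00)\n", f1);
    printf("checked copy:   flag byte = 0x%02x, rc = %d\n", f2, rc);
    return 0;
}
```

The unchecked copy turns the flag byte into 0x41 ('A') without any error; the checked copy refuses the input and leaves the flag untouched. Rejecting rather than truncating matters too: a silently shortened name may collide with another user's.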

System Development Life Cycle

Project Initiation
Functional Requirements
System Design
Develop
Acceptance
Installation
Maintenance
Revisions

Software Protections Mechanisms

Security Kernel (Monitor)
Processor Privilege State
Buffer Overflow Controls
Incomplete Parameter Check Controls
Memory Protection
Covert Channel Controls
Cryptography

Database Vulnerabilities

Aggregation
Bypass Attacks
Deadlocking
Query Attacks
Web Security
Compromising Database Views

Database Protection

Lock Controls
View-Based Controls
Grant/Revoke Controls
Metadata Controls
Data Contamination Controls

Distributed Components

Agents
– Perform actions on behalf of a user
– Carry out activities unattended

Applets
– Sent from server to client
– Self-contained mini-programs
– Java (Sun) & ActiveX (MS)

Java applets run inside a sandbox; ActiveX controls are unsandboxed native code that runs with the full privileges of the user running the browser (ordinary user mode, not ring 0, but with nothing to confine them)

Databases

Relational
– Flat two-dimensional table
– Number of rows is the cardinality
– Number of columns is the degree
– Security available through views
– Primary & secondary keys used

Data Warehouses & Data Mining

Expert Systems

Accumulated knowledge of an expert on a specific subject
– Knowledge base
– Inference engine
– Fuzzy logic

Neural networks

Programming

Interpreted versus compiled
Fail-secure versus fail-open
Reverse engineering
White box testing versus black box testing

Password Attacks

Dictionary attacks
– Against the stored password hashes (/etc/passwd on older Unix systems, /etc/shadow on modern ones)
– Hashes each candidate word and compares the result with the stored hash values

Social engineering
Brute force attacks
Complex passwords (countermeasure)
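The dictionary attack described above, as an added example that is not part of the original deck: a constructed shadow-style table of four accounts is attacked with a six-word list, once with unsalted hashes and once with per-user salts, and the number of hash evaluations is counted. The accounts, salts, secrets and wordlist are invented, and FNV-1a stands in for crypt(3) only so the example runs without libcrypt; the attack loop is the same against a real password hash, just slower per guess.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a over salt||password. FNV is a checksum, not a password hash; it is a
 * stand-in for crypt(3) here so the example is self-contained. */
static uint64_t hash_pw(const char *salt, const char *pw)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    const char *parts[2] = { salt, pw };
    for (int p = 0; p < 2; p++)
        for (const char *s = parts[p]; *s; s++) {
            h ^= (unsigned char)*s;
            h *= 0x100000001b3ULL;
        }
    return h;
}

struct entry {
    const char *user;
    const char *salt;    /* "" models an unsalted hash */
    uint64_t    hash;
    const char *found;   /* set when a dictionary word matches */
};

/* Dictionary attack: hash every word and compare against every stored hash.
 * Returns the number of accounts cracked; *computed counts hash evaluations. */
int crack(struct entry *db, int n, const char *const *words, int nwords, int *computed)
{
    int cracked = 0;
    *computed = 0;
    for (int w = 0; w < nwords; w++) {
        const char *last_salt = NULL;
        uint64_t h = 0;
        for (int u = 0; u < n; u++) {
            /* Recompute only when the salt changes. With no salts this is one
             * hash per word for the whole file; with unique salts it is one per
             * word per account, which is exactly what salting is for. */
            if (last_salt == NULL || strcmp(last_salt, db[u].salt) != 0) {
                h = hash_pw(db[u].salt, words[w]);
                last_salt = db[u].salt;
                (*computed)++;
            }
            if (db[u].found == NULL && h == db[u].hash) {
                db[u].found = words[w];
                cracked++;
            }
        }
    }
    return cracked;
}

/* Constructed shadow-style entries and wordlist (not real accounts). */
int run_demo(int salted, int *computed)
{
    static const char *const words[] =
        { "password", "123456", "letmein", "qwerty", "sunshine", "dragon" };
    const char *secrets[4] = { "letmein", "letmein", "sunshine", "Tr0ub4dor&3" };
    struct entry db[4] = {
        { "alice", salted ? "x7Qm" : "", 0, NULL },
        { "bob",   salted ? "p2Lk" : "", 0, NULL },
        { "carol", salted ? "Zc91" : "", 0, NULL },
        { "dave",  salted ? "mM4e" : "", 0, NULL },
    };
    for (int i = 0; i < 4; i++)
        db[i].hash = hash_pw(db[i].salt, secrets[i]);

    int cracked = crack(db, 4, words, 6, computed);
    printf("%s: %d of 4 cracked with %d hash computations\n",
           salted ? "salted  " : "unsalted", cracked, *computed);
    for (int i = 0; i < 4; i++)
        printf("  %-6s %s\n", db[i].user, db[i].found ? db[i].found : "(not in wordlist)");
    return cracked;
}

int main(void)
{
    int computed;
    run_demo(0, &computed);
    run_demo(1, &computed);
    return 0;
}
```

Both runs crack the same three accounts, but the unsalted file needs six hash computations and the salted one twenty-four; in the unsalted case alice and bob also share an identical stored hash, which reveals the shared password before any guessing starts. A slow hash (bcrypt, scrypt, Argon2) multiplies the per-guess cost on top of that; a dictionary word is found either way, which is why the slide lists complex passwords as the countermeasure.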

DOS Attacks

SYN flood
DDoS
– Tribal Flood Network (TFN)
DRDoS (distributed reflective DoS) attacks
– Smurf (ICMP echo to a broadcast address with the victim's spoofed source)
– Fraggle (UDP)
– Teardrop (fragmentation)
– Land (source address and port equal to destination; tight loop on old systems)
– Ping of Death (reassembled packet larger than 64K)
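The Land, Ping of Death and Smurf signatures above, as an added example that is not part of the original deck: a classifier over raw IPv4 headers that flags each of them, run against packets constructed in the code. The addresses, the assumed /24 broadcast address passed in as a parameter, and the zeroed checksums are all inventions of this example (the packets are never put on the wire); Teardrop is omitted because detecting overlapping fragments needs reassembly state across packets.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { OK_PKT = 0, LAND_ATTACK, PING_OF_DEATH, SMURF_TRIGGER, MALFORMED };

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Inspect one raw IPv4 packet for the three header-level signatures.
 * local_broadcast is the directed broadcast address of the protected subnet. */
enum verdict classify(const uint8_t *pkt, size_t len, uint32_t local_broadcast)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return MALFORMED;
    size_t ihl   = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = rd16(pkt + 2);
    if (ihl < 20 || total < ihl || total > len)
        return MALFORMED;                        /* never trust the declared length */
    uint8_t  proto = pkt[9];
    uint32_t src   = rd32(pkt + 12), dst = rd32(pkt + 16);
    uint32_t off   = (uint32_t)(rd16(pkt + 6) & 0x1fff) * 8;  /* fragment offset, bytes */
    const uint8_t *l4 = pkt + ihl;
    size_t l4len = total - ihl;

    /* Land: the packet claims to come from its own destination (same IP and TCP port). */
    if (proto == 6 && off == 0 && l4len >= 4 && src == dst && rd16(l4) == rd16(l4 + 2))
        return LAND_ATTACK;
    if (proto == 1) {
        /* Ping of Death: this fragment would end beyond the 65,535-byte IP maximum. */
        if (off + l4len > 65535)
            return PING_OF_DEATH;
        /* Smurf: ICMP echo request (type 8) aimed at the subnet broadcast address. */
        if (off == 0 && l4len >= 1 && l4[0] == 8 && dst == local_broadcast)
            return SMURF_TRIGGER;
    }
    return OK_PKT;
}

/* Build a minimal IPv4 packet (no options, checksum left zero because these
 * constructed packets are never sent). Returns the total length. */
size_t build_ipv4(uint8_t *out, uint8_t proto, uint32_t src, uint32_t dst,
                  uint16_t frag_field, const uint8_t *payload, size_t plen)
{
    uint16_t total = (uint16_t)(20 + plen);
    memset(out, 0, 20);
    out[0] = 0x45;                                      /* IPv4, IHL = 5 words */
    out[2] = (uint8_t)(total >> 8);      out[3] = (uint8_t)total;
    out[6] = (uint8_t)(frag_field >> 8); out[7] = (uint8_t)frag_field;
    out[8] = 64;                                        /* TTL */
    out[9] = proto;
    for (int i = 0; i < 4; i++) {
        out[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        out[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    memcpy(out + 20, payload, plen);
    return 20 + plen;
}

static const uint32_t BCAST = IP4(10, 0, 0, 255);     /* assumed local /24 broadcast */

enum verdict verdict_land(void)
{
    uint8_t tcp[20] = { 0x00, 0x8b, 0x00, 0x8b };     /* sport = dport = 139 */
    uint8_t pkt[64];
    size_t n = build_ipv4(pkt, 6, IP4(10, 0, 0, 5), IP4(10, 0, 0, 5), 0, tcp, sizeof tcp);
    return classify(pkt, n, BCAST);
}

enum verdict verdict_ping_of_death(void)
{
    uint8_t frag[100] = {0};                            /* data of a late fragment */
    uint8_t pkt[160];
    /* offset 8180 * 8 = 65440; 65440 + 100 bytes overshoots 65535 on reassembly */
    size_t n = build_ipv4(pkt, 1, IP4(192, 0, 2, 1), IP4(10, 0, 0, 7), 8180, frag, sizeof frag);
    return classify(pkt, n, BCAST);
}

enum verdict verdict_smurf(void)
{
    uint8_t echo[8] = { 8, 0 };                         /* echo request, spoofed victim source */
    uint8_t pkt[64];
    size_t n = build_ipv4(pkt, 1, IP4(192, 0, 2, 9), BCAST, 0, echo, sizeof echo);
    return classify(pkt, n, BCAST);
}

enum verdict verdict_normal_ping(void)
{
    uint8_t echo[8] = { 8, 0 };
    uint8_t pkt[64];
    size_t n = build_ipv4(pkt, 1, IP4(10, 0, 0, 5), IP4(10, 0, 0, 7), 0, echo, sizeof echo);
    return classify(pkt, n, BCAST);
}

int main(void)
{
    printf("land=%d pod=%d smurf=%d normal=%d\n", verdict_land(),
           verdict_ping_of_death(), verdict_smurf(), verdict_normal_ping());
    return 0;
}
```

The length check before anything else is the part to copy: every field read later is bounded by the validated total length, so a packet that lies about its size is rejected rather than causing an over-read in the detector itself. Smurf amplification is stopped at the router by refusing to forward directed broadcasts, not only by spotting the trigger packet.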

More Attacks

Buffer Overflows
– Combat with input controls (bounds checking on every input)

Time of check/Time of use
– Gap between when a condition is checked and when the result is acted on, e.g. access restrictions only checked at login and never re-checked at the time of use

IP probes or sweeps (ping)
Port scans to identify services
Vulnerability scanners (e.g. SATAN)
IP spoofing
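The time-of-check/time-of-use item above, as an added example that is not part of the original deck: the classic file-system form of the race, where a program checks a path with access() and then opens it, beside the hardened form that opens first and examines the descriptor it actually holds. The demonstration creates a regular file and a symlink to it in a private temporary directory under /tmp, which is an assumption of this example; the racy opener happily follows the link, the checked opener refuses it with ELOOP while still opening the real path.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable: the check (access) and the use (open) are separate system
 * calls. Between them an attacker who controls the directory can replace
 * `path` with a symlink to a file the check never looked at; access() also
 * follows symlinks, so even without the race it judges the wrong object. */
int open_for_write_racy(const char *path)
{
    if (access(path, W_OK) != 0)
        return -1;
    /* ---- race window: path may now point somewhere else ---- */
    return open(path, O_WRONLY);
}

/* Hardened: open first, refusing to follow a symlink at the final
 * component, then examine the object actually held through its descriptor.
 * There is no second name lookup, so there is nothing left to race. */
int open_for_write_checked(const char *path, uid_t expected_owner)
{
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                           /* errno == ELOOP for a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != expected_owner || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;                       /* wrong kind of file, owner, or a hard link */
        return -1;
    }
    return fd;
}

/* Demonstration: a regular file and a symlink to it in a private temp dir.
 * Returns 0 when the racy opener follows the link and the checked one
 * refuses it (ELOOP) while still opening the real path; nonzero otherwise. */
int run_demo(void)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 1;
    char target[64], lnk[64];
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);

    int rc = 2;
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && close(fd) == 0 && symlink(target, lnk) == 0) {
        int racy = open_for_write_racy(lnk);              /* "succeeds" via the link */
        int via_link = open_for_write_checked(lnk, getuid());
        int link_errno = errno;
        int via_real = open_for_write_checked(target, getuid());
        if (racy >= 0 && via_link < 0 && link_errno == ELOOP && via_real >= 0)
            rc = 0;
        if (racy >= 0)     close(racy);
        if (via_link >= 0) close(via_link);
        if (via_real >= 0) close(via_real);
    }
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("%s\n", rc == 0 ? "checked opener refused the symlink; racy opener followed it"
                           : "demo could not run as expected");
    return rc;
}
```

The same rule generalises beyond files: decide on the object you hold (the descriptor, the session, the capability), never on a name that can be re-bound between the check and the use. The owner and link-count checks are the usual companions for a privileged program writing into a directory other users can write to.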