Secure software design
![Page 1: Secure software design](https://reader034.fdocuments.us/reader034/viewer/2022042717/55d0e482bb61eb0f1e8b4638/html5/thumbnails/1.jpg)
Dr. Md. Shariful Islam, Associate Professor (IIT, DU)
Ashis Kumar Chanda, MS Student (JN - 343)
Dept. of Computer Science & Engineering, University of Dhaka
Information Security
![Page 2: Secure software design](https://reader034.fdocuments.us/reader034/viewer/2022042717/55d0e482bb61eb0f1e8b4638/html5/thumbnails/2.jpg)
Secure Software Design
![Page 3: Secure software design](https://reader034.fdocuments.us/reader034/viewer/2022042717/55d0e482bb61eb0f1e8b4638/html5/thumbnails/3.jpg)
Contents
Introduction
Common flaws
S-SDLC
Developer - Security tester
Security Model
![Page 4: Secure software design](https://reader034.fdocuments.us/reader034/viewer/2022042717/55d0e482bb61eb0f1e8b4638/html5/thumbnails/4.jpg)
Introduction
Security is the first criterion of concern in software development
A single feature can create a lot of trouble
Two groups – software developer & information security staff
![Page 5: Secure software design](https://reader034.fdocuments.us/reader034/viewer/2022042717/55d0e482bb61eb0f1e8b4638/html5/thumbnails/5.jpg)
![Page 6: Secure software design](https://reader034.fdocuments.us/reader034/viewer/2022042717/55d0e482bb61eb0f1e8b4638/html5/thumbnails/6.jpg)
![Page 7: Secure software design](https://reader034.fdocuments.us/reader034/viewer/2022042717/55d0e482bb61eb0f1e8b4638/html5/thumbnails/7.jpg)
![Page 8: Secure software design](https://reader034.fdocuments.us/reader034/viewer/2022042717/55d0e482bb61eb0f1e8b4638/html5/thumbnails/8.jpg)
Don’t stand
so close to me
![Page 9: Secure software design](https://reader034.fdocuments.us/reader034/viewer/2022042717/55d0e482bb61eb0f1e8b4638/html5/thumbnails/9.jpg)
Come together (right now)
![Page 10: Secure software design](https://reader034.fdocuments.us/reader034/viewer/2022042717/55d0e482bb61eb0f1e8b4638/html5/thumbnails/10.jpg)
10 common flaws
1. Earn or give, but never assume, trust.
2. Use an authentication mechanism that cannot be bypassed or tampered with.
3. Authorize after you authenticate.
4. Strictly separate data and control instructions, and never process control instructions received from untrusted sources.
5. Define an approach that ensures all data are explicitly validated.
![Page 11: Secure software design](https://reader034.fdocuments.us/reader034/viewer/2022042717/55d0e482bb61eb0f1e8b4638/html5/thumbnails/11.jpg)
10 common flaws
6. Use cryptography correctly.
7. Identify sensitive data and how it should be handled.
8. Always consider the users.
9. Understand how integrating external components changes your attack surface.
10. Be flexible when considering future changes to objects and actors.
![Page 12: Secure software design](https://reader034.fdocuments.us/reader034/viewer/2022042717/55d0e482bb61eb0f1e8b4638/html5/thumbnails/12.jpg)
Security Principles
Authentication: Who a user is
Authorization: What a user can do
Confidentiality: What a user can see
Non-repudiation: Did a user really perform an action
Availability: The system is ready for user activity
![Page 13: Secure software design](https://reader034.fdocuments.us/reader034/viewer/2022042717/55d0e482bb61eb0f1e8b4638/html5/thumbnails/13.jpg)
“I already apply all those principles in my design…”
Model Security!
Bugs?
![Page 14: Secure software design](https://reader034.fdocuments.us/reader034/viewer/2022042717/55d0e482bb61eb0f1e8b4638/html5/thumbnails/14.jpg)
Security Model
Techniques to evaluate an application’s overall security or assess the impact of a specific threat
Objectively identify vulnerabilities and address countermeasures
Integrated steps to take in the development process
![Page 15: Secure software design](https://reader034.fdocuments.us/reader034/viewer/2022042717/55d0e482bb61eb0f1e8b4638/html5/thumbnails/15.jpg)
![Page 16: Secure software design](https://reader034.fdocuments.us/reader034/viewer/2022042717/55d0e482bb61eb0f1e8b4638/html5/thumbnails/16.jpg)
![Page 17: Secure software design](https://reader034.fdocuments.us/reader034/viewer/2022042717/55d0e482bb61eb0f1e8b4638/html5/thumbnails/17.jpg)
![Page 18: Secure software design](https://reader034.fdocuments.us/reader034/viewer/2022042717/55d0e482bb61eb0f1e8b4638/html5/thumbnails/18.jpg)
… but wait. There’s more!
Buffer Overflows
Insecure Configuration Management
Insecure Storage
Unnecessary and Malicious Code
Unauthorized Information Gathering
Broken Caching, Pooling, and Reuse
![Page 19: Secure software design](https://reader034.fdocuments.us/reader034/viewer/2022042717/55d0e482bb61eb0f1e8b4638/html5/thumbnails/19.jpg)
Look at the core source of the problem, not the symptoms
![Page 20: Secure software design](https://reader034.fdocuments.us/reader034/viewer/2022042717/55d0e482bb61eb0f1e8b4638/html5/thumbnails/20.jpg)
![Page 21: Secure software design](https://reader034.fdocuments.us/reader034/viewer/2022042717/55d0e482bb61eb0f1e8b4638/html5/thumbnails/21.jpg)
THANKS