VM: Chapter 5 Guiding Principles for Software Security.

VM: Chapter 5

Guiding Principles for Software Security

csci5233 computer security & integrity

2

The 10 Principles1. Secure the weakest link2. Practice defense in depth3. Fail securely4. Follow the principle of least privilege5. Compartmentalize6. KISS7. Promote Privacy8. Remember that hiding secrets is hard9. Be reluctant to trust10. Use your community resources


3

Secure the weakest link

A chain is only as strong as the weakest link. Which is easier to be robbed? A convenience

store or a bank?


4

Example: encrypted transmission

encrypted transmission

A B

plaintextplaintext

cyphertext

encryption

decryption

Where’s the weakest point?


5

Risk Analysis

Identifying the weakest component of a system falls directly out of a good risk analysis.

Address the most serious risk first Question: How is the seriousness of a risk

determined?


6

Social Engineering

An attack is launched by social manipulation to break into a system.

An example: A help desk worker dealing with a “frustrated” user who cannot get into his account (p.94)

A good strategy? Evaluate the “elaborate” scheme given on

page 95:


7

2. Practice defense in depth Manage risk with diverse, redundant,

defensive strategies.

If one layer of defense is broken, another

layer hopefully prevents a full breach. The sum protection offered is far greater than

the protection offered by any single component.

An example: multiple layers of firewalls + encrypted data


8

3. Fail securely A system failure may cause the system to

exhibit insecure behavior. When the system fails, the behavior of the

system is less secure than usual.

An example: Credit card authentication (p.98)

Another example: Support of legacy clients that

do not use encryption (backward compatibility)

Java’s RMI: server authentication with clients

(p.99)


9

4. The principle of least privilege Only the minimum access necessary to

perform an operation should be granted. + That access should be granted only for the

minimum amount of time necessary. Keep windows of vulnerability as short as

possible. An example: The US government security

clearance system A program shall relinquish root privilege when

it no longer needs it.


10

The Problem with default settings

Windows API (p.101)

Java applets (p.102)

Wireless network card: WEP encryption

File access permisions


11

5. Compartmentalize

Break a system into small compartments, each of which can be sealed from the others.

Damage control Separation of privileges OS with compartmentalization: roles Reasonable compartmentalization


12

6. KISS

“Keep it simple, sir.”

Complexity may introduce new vulnerability

and thus increases the risks.

Reuse tested, good quality software

components.


13

Redundancy versus Simplicity

P.105 A balance between redundant security

features (principle 2) and simple security Choke points: small, easily controlled

interface No backdoors or secret entrance


14

Usability Engineering

P.106

1. The user will not read documentation.– Provide security by default.

2. Talk to users to determine their security requirements.

3. Realize that users aren’t always right.

4. Users are lazy.


15

7. Promote Privacy

User privacy is a security concern. Usability versus privacy protection

– Should credit card numbers be stored on the server?

– Should credit card numbers stored on a server be encrypted?

– Where should the encryption key be stored?

System information: Release as little system information as possible.


16

8. Hiding secrets is hard

p.109 Security is often about keeping secrets. Is a secret kept in a binary format well

protected?– Copy protection– Java byte codes

Insider attacks are common and can cause serious damages.


17

9. Be reluctant to trust

Servers and clients should be designed not to trust each other.

Many security products introduce more risks than they address.

Skepticism is always good, especially when it comes to security vendors.

Trust yourself? – Get objective, high-quality outside reviews


18

10. Use your community resources

Public scrutiny Is a secret encryption algorithm better than a

publicly known one? Good cryptographic algorithms work because

they rely on keeping the key secret, not because the algorithm itself is secret.

Java developer community IETF RFC’s


19

Next

Pf: Ch 2

VM: Chapter 5 Guiding Principles for Software Security.

Documents

Transcript of VM: Chapter 5 Guiding Principles for Software Security.