VM: Chapter 5 Guiding Principles for Software Security.


Transcript of VM: Chapter 5 Guiding Principles for Software Security.

Page 1: VM: Chapter 5 Guiding Principles for Software Security.

VM: Chapter 5

Guiding Principles for Software Security

Page 2: VM: Chapter 5 Guiding Principles for Software Security.

csci5233 computer security & integrity

2

The 10 Principles

1. Secure the weakest link
2. Practice defense in depth
3. Fail securely
4. Follow the principle of least privilege
5. Compartmentalize
6. KISS
7. Promote privacy
8. Remember that hiding secrets is hard
9. Be reluctant to trust
10. Use your community resources

Page 3: VM: Chapter 5 Guiding Principles for Software Security.


Secure the weakest link

A chain is only as strong as its weakest link. Which is easier to rob: a convenience store or a bank?

Page 4: VM: Chapter 5 Guiding Principles for Software Security.


Example: encrypted transmission

(Diagram: A encrypts plaintext into ciphertext, the ciphertext travels to B, and B decrypts it back to plaintext.)

Where’s the weakest point?

Page 5: VM: Chapter 5 Guiding Principles for Software Security.


Risk Analysis

Identifying the weakest component of a system falls directly out of a good risk analysis.

Address the most serious risk first.

Question: How is the seriousness of a risk determined?

Page 6: VM: Chapter 5 Guiding Principles for Software Security.


Social Engineering

An attack launched by social manipulation to break into a system.

An example: a help desk worker dealing with a “frustrated” user who cannot get into his account (p.94).

A good strategy? Evaluate the “elaborate” scheme given on page 95:

Page 7: VM: Chapter 5 Guiding Principles for Software Security.


2. Practice defense in depth

Manage risk with diverse, redundant defensive strategies.

If one layer of defense is broken, another layer hopefully prevents a full breach. The sum of the protection offered is far greater than the protection offered by any single component.

An example: multiple layers of firewalls + encrypted data

Page 8: VM: Chapter 5 Guiding Principles for Software Security.


3. Fail securely

A system failure may cause the system to exhibit insecure behavior: when the system fails, its behavior is less secure than usual.

An example: credit card authentication (p.98)

Another example: support of legacy clients that do not use encryption (backward compatibility)

Java’s RMI: server authentication with clients (p.99)
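The two failure modes named on this slide, an authorization backend that cannot be reached and a legacy client that offers no encrypted channel, side by side in their fail-open and fail-closed forms. This is an added illustration, not code from the slides or the textbook; the authorizer, the token strings and the protocol names are constructed for the example.

```python
"""Fail-open versus fail-closed handling (constructed example)."""
from enum import Enum

# Channels the server is willing to use, strongest first (constructed list).
PROTOCOL_PREFERENCE = ["tls1.3", "tls1.2"]


class Decision(Enum):
    APPROVE = "approve"
    DECLINE = "decline"


class AuthServiceUnavailable(Exception):
    """Raised when the card authorization backend cannot be reached."""


def fake_authorizer(card_token: str) -> Decision:
    """Constructed stand-in for the card network: 'tok-ok-*' approves,
    'tok-down' simulates an outage, anything else is declined."""
    if card_token == "tok-down":
        raise AuthServiceUnavailable("authorization service timed out")
    return Decision.APPROVE if card_token.startswith("tok-ok") else Decision.DECLINE


def authorize_fail_open(card_token, authorizer=fake_authorizer):
    """Insecure: an outage becomes an approval for every transaction."""
    try:
        return authorizer(card_token)
    except AuthServiceUnavailable:
        return Decision.APPROVE


def authorize_fail_closed(card_token, authorizer=fake_authorizer):
    """Secure: if the check cannot run, the transaction is declined."""
    try:
        return authorizer(card_token)
    except AuthServiceUnavailable:
        return Decision.DECLINE


def negotiate_fail_open(offered):
    """Insecure backward compatibility: silently fall back to plaintext."""
    for proto in PROTOCOL_PREFERENCE:
        if proto in offered:
            return proto
    return "plaintext"


def negotiate_fail_closed(offered):
    """Secure: a client offering no acceptable encrypted channel is refused."""
    for proto in PROTOCOL_PREFERENCE:
        if proto in offered:
            return proto
    return None  # caller closes the connection instead of downgrading
```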

Page 9: VM: Chapter 5 Guiding Principles for Software Security.


4. The principle of least privilege

Only the minimum access necessary to perform an operation should be granted, and that access should be granted only for the minimum amount of time necessary.

Keep windows of vulnerability as short as possible.

An example: the US government security clearance system.

A program shall relinquish root privilege when it no longer needs it.

Page 10: VM: Chapter 5 Guiding Principles for Software Security.


The problem with default settings

Windows API (p.101)

Java applets (p.102)

Wireless network card: WEP encryption

File access permissions

Page 11: VM: Chapter 5 Guiding Principles for Software Security.


5. Compartmentalize

Break a system into small compartments, each of which can be sealed from the others.

– Damage control
– Separation of privileges
– OS with compartmentalization: roles
– Reasonable compartmentalization

Page 12: VM: Chapter 5 Guiding Principles for Software Security.


6. KISS

“Keep it simple, sir.”

Complexity may introduce new vulnerabilities and thus increases the risks.

Reuse tested, good-quality software components.

Page 13: VM: Chapter 5 Guiding Principles for Software Security.


Redundancy versus Simplicity

P.105: a balance between redundant security features (principle 2) and simple security.

Choke points: a small, easily controlled interface.

No backdoors or secret entrances.

Page 14: VM: Chapter 5 Guiding Principles for Software Security.


Usability Engineering

P.106

1. The user will not read documentation. – Provide security by default.

2. Talk to users to determine their security requirements.

3. Realize that users aren’t always right.

4. Users are lazy.

Page 15: VM: Chapter 5 Guiding Principles for Software Security.


7. Promote Privacy

User privacy is a security concern. Usability versus privacy protection:

– Should credit card numbers be stored on the server?

– Should credit card numbers stored on a server be encrypted?

– Where should the encryption key be stored?

System information: Release as little system information as possible.

Page 16: VM: Chapter 5 Guiding Principles for Software Security.


8. Hiding secrets is hard

p.109: Security is often about keeping secrets. Is a secret kept in a binary format well protected?

– Copy protection
– Java byte codes

Insider attacks are common and can cause serious damage.

Page 17: VM: Chapter 5 Guiding Principles for Software Security.


9. Be reluctant to trust

Servers and clients should be designed not to trust each other.

Many security products introduce more risks than they address.

Skepticism is always good, especially when it comes to security vendors.

Trust yourself? – Get objective, high-quality outside reviews.

Page 18: VM: Chapter 5 Guiding Principles for Software Security.


10. Use your community resources

Public scrutiny: Is a secret encryption algorithm better than a publicly known one?

Good cryptographic algorithms work because they rely on keeping the key secret, not because the algorithm itself is secret.

Java developer community

IETF RFCs

Page 19: VM: Chapter 5 Guiding Principles for Software Security.


Next

Pf: Ch 2