cs 527 software security
play

CS-527 Software Security Basic Security Principles Asst. Prof. - PowerPoint PPT Presentation

CS-527 Software Security Basic Security Principles Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Security goals Table of Contents


  1. CS-527 Software Security Basic Security Principles Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017

  2. Security goals Table of Contents Security goals 1 Fundamental security mechanisms 2 Hardware and software abstractions 3 Security mechanisms 4 Summary and Conclusion 5 Mathias Payer (Purdue University) CS-527 Software Security 2017 2 / 26

  3. Security goals Software Security Definition Allow intended use of software, prevent unintended use that may cause harm. Mathias Payer (Purdue University) CS-527 Software Security 2017 3 / 26

  4. Security goals Security principles Confidentiality: an attacker cannot recover protected data. Integrity: an attacker cannot modify protected data. Availability: an attacker cannot stop/hinder computation. These fundamental CIA properties are used in different contexts of software security policies and mechanisms. Accountability/non-repudiation is sometimes mentioned as fourth fundamental concept. It prevents denial of message transmission or receipt. Non-repudiation is, at its core, a legal concept. Mathias Payer (Purdue University) CS-527 Software Security 2017 4 / 26

  5. Security goals Security analysis Given a software system, is the system secure? ... it depends What is the interface? (What is the attack surface?) What are the assets? (How profitable is an attack?) What are the goals? (What drives an attacker?) Mathias Payer (Purdue University) CS-527 Software Security 2017 5 / 26

  6. Security goals Threat model Definition: Threat model Threat model defines an attacker’s abilities and resources. Assume you want to protect an asset (your valuables) by locking them in a safe. In cloud cuckoo land you don’t need to lock your safe. An attacker might pick your lock. An attacker might use a torch to open the safe. An attacker may have some advanced safe opening technology (e.g., an X-ray). An attacker may know you and get access to (or copy) your key. Mathias Payer (Purdue University) CS-527 Software Security 2017 6 / 26

  7. Security goals Cost of security There’s no free lunch, security will incur overhead. Security is... expensive to develop, may have performance overhead, may be inconvenient to users. Mathias Payer (Purdue University) CS-527 Software Security 2017 7 / 26

  8. Fundamental security mechanisms Table of Contents Security goals 1 Fundamental security mechanisms 2 Hardware and software abstractions 3 Security mechanisms 4 Summary and Conclusion 5 Mathias Payer (Purdue University) CS-527 Software Security 2017 8 / 26

  9. Fundamental security mechanisms Security principles Least privilege The principle of least privilege ensures that a component has the least privileges needed to function. Any privilege that is further removed from the component removes some functionality. Any additional privilege is not needed to run the component according to the specification. Note that this property constrains an attacker in the privileges that can be obtained. Mathias Payer (Purdue University) CS-527 Software Security 2017 9 / 26

  10. Fundamental security mechanisms Security goals Separation Separate individual components into smallest functional entity possible. General idea: contain faults to individual components. Allows abstraction and permission checks at boundaries. Note that this property builds on least privilege. Both properties are most effective in combination: many small components that are running and interacting with least privileges. Mathias Payer (Purdue University) CS-527 Software Security 2017 10 / 26

  11. Fundamental security mechanisms Security goals Trust and correctness Specific components are assumed to be trusted or correct according to a specification. Formal verification ensures that a component correctly implements a given specification and can therefore be trusted. Note that this property is an ideal property that cannot generally be achieved. Mathias Payer (Purdue University) CS-527 Software Security 2017 11 / 26

  12. Fundamental security mechanisms Security scope (Parts of a water-tight compartment, Seaman’s Pocket Book, 1943) Mathias Payer (Purdue University) CS-527 Software Security 2017 12 / 26

  13. Fundamental security mechanisms Security scope (Parts of a water-tight compartment, Seaman’s Pocket Book, 1943) Mathias Payer (Purdue University) CS-527 Software Security 2017 13 / 26

  14. Fundamental security mechanisms Security scope (USS South Dakota (BB-57) at the New York Shipbuilding Corporation shipyard, Camden, New Jersey, 1 April 1940.) Mathias Payer (Purdue University) CS-527 Software Security 2017 14 / 26

  15. Fundamental security mechanisms Security scope (Side plan of the RMS Titanic, 1911, annotated) Mathias Payer (Purdue University) CS-527 Software Security 2017 15 / 26

  16. Hardware and software abstractions Table of Contents Security goals 1 Fundamental security mechanisms 2 Hardware and software abstractions 3 Security mechanisms 4 Summary and Conclusion 5 Mathias Payer (Purdue University) CS-527 Software Security 2017 16 / 26

  17. Hardware and software abstractions Operating System (OS) abstraction Allows individual processes exclusive access to resources. Provides well-defined API to access hardware resources. Enforces mutual exclusion to resources. Enforces access permissions for resources. Restricts attacker to specific user privileges. ... is a trusted component. All process can be attacked through vulnerabilities in the OS kernel. ... trusts the hardware. Mathias Payer (Purdue University) CS-527 Software Security 2017 17 / 26

  18. Hardware and software abstractions Hardware abstraction Virtual memory is a hardware-enforced separation of memory pages to individual processes. Only operating system has access to physical memory (or at least believes so). DMA allows trusted devices direct access to memory. ISA implements different privilege level (ring 0 to ring 3 on x86). Hardware abstractions are fundamental for performance. Mathias Payer (Purdue University) CS-527 Software Security 2017 18 / 26

  19. Security mechanisms Table of Contents Security goals 1 Fundamental security mechanisms 2 Hardware and software abstractions 3 Security mechanisms 4 Summary and Conclusion 5 Mathias Payer (Purdue University) CS-527 Software Security 2017 19 / 26

  20. Security mechanisms Access control Access control specifies how entities interact with resources. Authentication: Who are you (something you know, have, or are)? Authorization: Who has access to object? (Follows authentication) Audit: I’ll check what you did. Mathias Payer (Purdue University) CS-527 Software Security 2017 20 / 26

  21. Security mechanisms Types of access control Discretionary Access Control (DAC): Object owners specify policy. Mandatory Access Control (MAC): Rule and lattice-based policy. Role-Based Access Control (RBAC): Policy defined in terms of roles (sets of permissions), individuals are assigned roles, roles are authorized for tasks. Mathias Payer (Purdue University) CS-527 Software Security 2017 21 / 26

  22. Security mechanisms Different security models Access control lists Capabilities Bell - LaPadula Information flow Mathias Payer (Purdue University) CS-527 Software Security 2017 22 / 26

  23. Security mechanisms Access control matrix Goal: provide access rights for subjects to corresponding objects 1 . foo bar baz user rwx rw rw group rx r r other rx r Used, e.g., in the Unix/Linux security model for file accesses or the Android, iOS, or Java security model for privileged APIs. 1 Introduced by Butler Lampson in 1971, http://research.microsoft. com/en-us/um/people/blampson/08-Protection/Acrobat.pdf . Mathias Payer (Purdue University) CS-527 Software Security 2017 23 / 26

  24. Summary and Conclusion Table of Contents Security goals 1 Fundamental security mechanisms 2 Hardware and software abstractions 3 Security mechanisms 4 Summary and Conclusion 5 Mathias Payer (Purdue University) CS-527 Software Security 2017 24 / 26

  25. Summary and Conclusion Summary Software security goal: allow intended use of software, prevent unintended use that may cause harm. Three principles: Confidentiality, Integrity, Availability. Security of a system depends on its threat model. Least privilege, separation, and trust as concepts. Security relies on abstractions to reduce complexity. Reading assignment: Butler Lampson, Protection, http://doi.acm.org/10.1145/775265.775268 . Mathias Payer (Purdue University) CS-527 Software Security 2017 25 / 26

  26. Summary and Conclusion Questions? ? Mathias Payer (Purdue University) CS-527 Software Security 2017 26 / 26

Recommend


More recommend