may 19 design principles and confinement
play

May 19: Design Principles and Confinement Principles of Secure - PowerPoint PPT Presentation

May 31, 2023 •269 likes •584 views

May 19: Design Principles and Confinement Principles of Secure Design One set; other sets say basically the same thing Confinement, non-VM isolation Library operating systems Sandboxes Program modification Covert

  1. May 19: Design Principles and Confinement • Principles of Secure Design – One set; other sets say basically the same thing • Confinement, non-VM isolation – Library operating systems – Sandboxes – Program modification – Covert channels May 19, 2017 ECS 235B Spring Quarter 2017 Slide #1

  2. Basis of Design Principles • Simplicity – Less to go wrong – Fewer possible inconsistencies – Easy to understand • Restriction – Minimize access – Inhibit communication May 19, 2017 ECS 235B Spring Quarter 2017 Slide #2

  3. Least Privilege • A subject should be given only those privileges necessary to complete its task – Function, not identity, controls – Rights added as needed, discarded after use – Minimal protection domain May 19, 2017 ECS 235B Spring Quarter 2017 Slide #3

  4. Related: Least Authority • Principle of Least Authority (POLA) – Often considered the same as Principle of Least Privilege – Some make distinction: • Permissions control what subject can do to an object directly • Authority controls what influence a subject has over an object (directly or indirectly, through other subjects) May 19, 2017 ECS 235B Spring Quarter 2017 Slide #4

  5. Fail-Safe Defaults • Default action is to deny access • If action fails, system as secure as when action began May 19, 2017 ECS 235B Spring Quarter 2017 Slide #5

  6. Economy of Mechanism • Keep it as simple as possible – KISS Principle • Simpler means less can go wrong – And when errors occur, they are easier to understand and fix • Interfaces and interactions May 19, 2017 ECS 235B Spring Quarter 2017 Slide #6

  7. Complete Mediation • Check every access • Usually done once, on first action – UNIX: access checked on open, not checked thereafter • If permissions change after, may get unauthorized access May 19, 2017 ECS 235B Spring Quarter 2017 Slide #7

  8. Open Design • Security should not depend on secrecy of design or implementation – Popularly misunderstood to mean that source code should be public – “ Security through obscurity ” – Does not apply to information such as passwords or cryptographic keys May 19, 2017 ECS 235B Spring Quarter 2017 Slide #8

  9. Separation of Privilege • Require multiple conditions to grant privilege – Separation of duty – Defense in depth May 19, 2017 ECS 235B Spring Quarter 2017 Slide #9

  10. Least Common Mechanism • Mechanisms should not be shared – Information can flow along shared channels – Covert channels • Isolation – Virtual machines – Sandboxes May 19, 2017 ECS 235B Spring Quarter 2017 Slide #10

  11. Least Astonishment • Security mechanisms should be designed so users understand why the mechanism works the way it does, and using mechanism is simple – Hide complexity introduced by security mechanisms – Ease of installation, configuration, use – Human factors critical here May 19, 2017 ECS 235B Spring Quarter 2017 Slide #11

  12. Related: Psychological Acceptability • Security mechanisms should not add to difficulty of accessing resource – Idealistic, as most mechanisms add some difficulty • Even if only remembering a password – Principle of Least Astonishment accepts this • Asks whether the difficulty is unexpected or too much for relevant population of users May 19, 2017 ECS 235B Spring Quarter 2017 Slide #12

  13. Key Points • Principles of secure design underlie all security-related mechanisms • Require: – Good understanding of goal of mechanism and environment in which it is to be used – Careful analysis and design – Careful implementation May 19, 2017 ECS 235B Spring Quarter 2017 Slide #13

  14. Library Operating Systems • Often process can optimize use of system resources better than the operating system • Goal is to move as much of operating system as is feasible to user level – This minimizes context switches – It maximizes process flexibility May 19, 2017 ECS 235B Spring Quarter 2017 Slide #14

  15. Library Operating Systems • It’s a library(-ies) that provide operating system functionality at the user level • Develop kernel that: – Uses hardware protection to prevent processes from accessing memory space of others – Controls access to physical resources that must be shared by executing processes – Everything else is in user space May 19, 2017 ECS 235B Spring Quarter 2017 Slide #15

  16. Example • V++ Cache Kernel tracks OS that are in use – Also handles process co-ordination • Page faults – Application kernel loads new page mapping descriptor into Cache Kernel May 19, 2017 ECS 235B Spring Quarter 2017 Slide #16

  17. Example • Exokernel separates resource protection, resource management • Aegis: small kernel providing interface to hardware resources • ExOS: interface to Aegis that enables process to use resources s appropriate – Also provides resource protection May 19, 2017 ECS 235B Spring Quarter 2017 Slide #17

  18. Drawbridge • Library OS, security monitor for Windows – Security monitor provides interface to underlying OS • Processes use library OS to access security monitor interface – All interactions go through it – Library OS also provides application services (frameworks, rendering engines) May 19, 2017 ECS 235B Spring Quarter 2017 Slide #18

  19. Drawbridge • Handles kernel dependencies using emulator at lowest level of library OS – So all server dependencies, Windows subsystems moved into user layer – User interaction by emulated device drivers that tunnel I/O between desktop, security monitor • Processes isolated from one another May 19, 2017 ECS 235B Spring Quarter 2017 Slide #19

  20. Drawbridge Validation • Malware deleting all registry keys affected only that process • Keystroke logger captured keystrokes only for that process • Attacks causing Internet Explorer to to escape normal (protected) mode all mitigated May 19, 2017 ECS 235B Spring Quarter 2017 Slide #20

  21. Sandboxes • An environment in which actions are restricted in accordance with security policy – Limit execution environment as needed • Program not modified • Libraries, kernel modified to restrict actions – Modify program to check, restrict actions • Like dynamic debuggers, profilers May 19, 2017 ECS 235B Spring Quarter 2017 Slide #21

  22. Example: Janus • Implements sandbox in which system calls checked – Framework does runtime checking – Modules determine which accesses allowed • Configuration file – Instructs loading of modules – Also lists constraints May 19, 2017 ECS 235B Spring Quarter 2017 Slide #22

  23. Configuration File # basic module basic # define subprocess environment variables putenv IFS=“\t\n “ PATH=/sbin:/bin:/usr/bin TZ=PST8PDT # deny access to everything except files under /usr path deny read,write * path allow read,write /usr/* # allow subprocess to read files in library directories # needed for dynamic loading path allow read /lib/* /usr/lib/* /usr/local/lib/* # needed so child can execute programs path allow read,exec /sbin/* /bin/* /usr/bin/* May 19, 2017 ECS 235B Spring Quarter 2017 Slide #23

  24. How It Works • Framework builds list of relevant system calls – Then marks each with allowed, disallowed actions • When monitored system call executed – Framework checks arguments, validates that call is allowed for those arguments • If not, returns failure • Otherwise, give control back to child, so normal system call proceeds May 19, 2017 ECS 235B Spring Quarter 2017 Slide #24

  25. Use • Reading MIME Mail: fear is user sets mail reader to display attachment using Postscript engine – Has mechanism to execute system-level commands – Embed a file deletion command in attachment … • Janus configured to disallow execution of any subcommands by Postscript engine – Above attempt fails May 19, 2017 ECS 235B Spring Quarter 2017 Slide #25

  26. Examples Limiting Environment • Java virtual machine – Security manager limits access of downloaded programs as policy dictates • Sidewinder firewall – Type enforcement limits access – Policy fixed in kernel by vendor • Domain Type Enforcement – Enforcement mechanism for DTEL – Kernel enforces sandbox defined by system administrator May 19, 2017 ECS 235B Spring Quarter 2017 Slide #26

  27. Program Modification • Idea is to change program itself to comply with a stated security policy • Program can be rewritten to embed constraints in it • Compiler can apply constraints as program being compiled – Same for interpreter • Loader can apply constraints as program is loaded for execution May 19, 2017 ECS 235B Spring Quarter 2017 Slide #27

  28. Rewriting Program Software fault isolation • Untrusted modules go into virtual segments • Flow of control remains in the segment • All memory accesses from within the segment go to locations within the segment May 19, 2017 ECS 235B Spring Quarter 2017 Slide #28

  29. Implementations • Put each module in separate segment – Unsafe instruction access address that can’t be verified to be in the segment • Statically analyze program, identify all unsafe instructions • When executed, check address is in segment – Check segment identifier of (virtual) address – Replace segment identifier of (virtual) address with identifier of the segment May 19, 2017 ECS 235B Spring Quarter 2017 Slide #29

Recommend

Design of Thread-Safe Classes 1 Topic Outline Thread-Safe Classes Principles Confinement

Design of Thread-Safe Classes 1 Topic Outline Thread-Safe Classes Principles Confinement

Design of Thread-Safe Classes 1 Topic Outline Thread-Safe Classes Principles Confinement Delegation Synchronization policy documentation 2 Thread-safe Class Design Process Identify the objects state (variables)

601 views • 20 slides
Lecture 19: Flow and Confinement Examples of information flow applications The confinement

Lecture 19: Flow and Confinement Examples of information flow applications The confinement

Lecture 19: Flow and Confinement Examples of information flow applications The confinement problem Covert channels Isolation: virtual machines, sandboxes March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-1 Matt Bishop, UC

322 views • 30 slides
QCD - properties confinement, Higgs mechanism more on confinement (i) the absence of free quarks

QCD - properties confinement, Higgs mechanism more on confinement (i) the absence of free quarks

QCD - properties confinement, Higgs mechanism more on confinement (i) the absence of free quarks in Nature [but quarks could combine with a fundamental coloured scalar] (ii) observable particles are colour singlets [but this confuses

1.58k views • 130 slides
May 24: Confinement Confinement, non-VM isolation Program modification Covert channels

May 24: Confinement Confinement, non-VM isolation Program modification Covert channels

May 24: Confinement Confinement, non-VM isolation Program modification Covert channels May 24, 2017 ECS 235B Spring Quarter 2017 Slide #1 Compiling Compiler enforces or validates constraints Type-safe language enforces them

313 views • 27 slides
Human-Computer Interaction 12. Design Principles (2) Last class Psychological design principles

Human-Computer Interaction 12. Design Principles (2) Last class Psychological design principles

Human-Computer Interaction 12. Design Principles (2) Last class Psychological design principles Recap: Psychological principles 1. User sees what they expect to see. 2. Users have difficulty focusing on more than one activity at a time. 3. It

843 views • 55 slides
UMBC A B M A L F T U M B C I O M Y O T R 1 (November 26, 2000 11:15 pm) I E

UMBC A B M A L F T U M B C I O M Y O T R 1 (November 26, 2000 11:15 pm) I E

Principles of VLSI Design Introduction CMPE 413/CMSC 711 Principles of VLSI Design Instructor: Professor Jim Plusquellic Text: Principles of CMOS VLSI Design: A Systems Perspective, by Neil H.E. Weste and Kamran Eshraghian. Supplementary

752 views • 21 slides
Principles of Software Construction: Objects, Design, and Concurrency API Design 2: principles

Principles of Software Construction: Objects, Design, and Concurrency API Design 2: principles

Principles of Software Construction: Objects, Design, and Concurrency API Design 2: principles Josh Bloch Charlie Garrod 17-214 1 Administrivia Homework 4c due Thursday, 10/29, 11:59pm EST Homework 5 coming soon Team sign-up

620 views • 47 slides
SunyoungKim,PhD Last class Psychological design principles Recap. Psychological

SunyoungKim,PhD Last class Psychological design principles Recap. Psychological

Human-Computer Interaction 17. Design Design Principles (2) SunyoungKim,PhD Last class Psychological design principles Recap. Psychological principles 1. User sees what they expect to see. 2. Users have difficulty focusing on more

963 views • 57 slides
Design principles for m-learning Outcome : To determine basic design principles for mobile

Design principles for m-learning Outcome : To determine basic design principles for mobile

Design principles for m-learning Outcome : To determine basic design principles for mobile learning and identify the key limitations to the design and development of mobile instruction. 1 Needs Assessment Before you start the design True

343 views • 10 slides
Tetraquarks in the Steiner tree model of confinement available at

Tetraquarks in the Steiner tree model of confinement available at

Introduction Symmetry breaking and tetraquarks The additive model of tetraquark confinement The Steiner-tree model of confinement Conclusions Tetraquarks in the Steiner tree model of confinement available at

644 views • 20 slides
Human-Computer Interaction 12. Design Principles (3) Last class Normans design principles

Human-Computer Interaction 12. Design Principles (3) Last class Normans design principles

Human-Computer Interaction 12. Design Principles (3) Last class Normans design principles Recap. Usability Usability is a measure of the effectiveness, efficiency and satisfaction with which specified users can achieve specified goals in a

826 views • 68 slides
Laboratorio Nacional de Fusin, CIEMAT, Spain 1/ 31 CORE TRANSPORT EMPIRICAL ACTUATORS

Laboratorio Nacional de Fusin, CIEMAT, Spain 1/ 31 CORE TRANSPORT EMPIRICAL ACTUATORS

SUMMARY SESSION EX/C Magnetic Confinement experiments (Confinement) EX/D Magnetic Confinement Experiments: Plasma-material interactions PPC -Plasma Overall Performance and Control I. CORE TRANSPORT II. EDGE TRANSPORT III. PLASMA-WALL IV.

591 views • 31 slides
Design Principles The goals of good design Goals What kind of devices do we want to make?

Design Principles The goals of good design Goals What kind of devices do we want to make?

Design Principles The goals of good design Goals What kind of devices do we want to make? Useful vs. usable 2 CS 349 - Design Principles 3 CS 349 - Design Principles 4 CS 349 - Design Principles http://www.tvhistory.tv 5 CS 349 -

813 views • 62 slides
Design Principles for Security-conscious Systems 1 Overview Design principles from Saltzer

Design Principles for Security-conscious Systems 1 Overview Design principles from Saltzer

Design Principles for Security-conscious Systems 1 Overview Design principles from Saltzer & Schroeders 1975 paper A few case studies What did Saltzer-Schroeder overlook? (Personal opinions) 2 Saltzer and Schroeders

780 views • 45 slides
4 OO Package Design Principles 4.1 Packages Introduction 4.2 Packages in UML 4.3 Three

4 OO Package Design Principles 4.1 Packages Introduction 4.2 Packages in UML 4.3 Three

4 OO Package Design Principles 4.1 Packages Introduction 4.2 Packages in UML 4.3 Three Package Design Principles 4.4 Development Environment (Three more principles) 4.5 Summary OO Package Design Principles Stefan Kluth 1 4.1 Packages

392 views • 36 slides
Static Use-Based Object Confinement Christian Skalka and Scott Smith The Johns Hopkins University

Static Use-Based Object Confinement Christian Skalka and Scott Smith The Johns Hopkins University

Static Use-Based Object Confinement Christian Skalka and Scott Smith The Johns Hopkins University Object confinement: what is it? Object confinement is concerned with the encapsulation , or protection, of object references Code boundaries

412 views • 24 slides
UX Design Principles and Guidelines R.I.T S. Ludi/R. Kuehl p. 1 R I T Software Engineering

UX Design Principles and Guidelines R.I.T S. Ludi/R. Kuehl p. 1 R I T Software Engineering

UX Design Principles and Guidelines R.I.T S. Ludi/R. Kuehl p. 1 R I T Software Engineering Principles abstract design rules an interface should be easy to navigate Guidelines - advice on how to achieve principles

440 views • 30 slides
Outline Saltzer & Schroeders principles CSci 5271 More secure design principles

Outline Saltzer & Schroeders principles CSci 5271 More secure design principles

Outline Saltzer & Schroeders principles CSci 5271 More secure design principles Introduction to Computer Security Day 7: Defensive programming and design, part 1 Software engineering for security Stephen McCamant Announcements

355 views • 7 slides
Web Design Guidelines SWEN-444 Design Principles and Guidelines User Populations (Shared human

Web Design Guidelines SWEN-444 Design Principles and Guidelines User Populations (Shared human

Web Design Guidelines SWEN-444 Design Principles and Guidelines User Populations (Shared human ability and behavior) (Problem domains) Computing Paradigms (Platform guidelines and conventions) Foundation Design Principles (Empirical)

663 views • 21 slides
Cognitive Principles in Tutor & Cognitive Tutor Principles e-Learning Design

Cognitive Principles in Tutor & Cognitive Tutor Principles e-Learning Design

Lots of Lists of Principles 1 Cognitive Principles in Tutor & Cognitive Tutor Principles e-Learning Design Koedinger, K. R. & Corbett, A. T. (2006). Cognitive Tutors: Technology bringing learning science to the classroom.

325 views • 13 slides
Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least Common Mechanism Psychological

488 views • 22 slides
Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least Common Mechanism Psychological

787 views • 43 slides
Confinement and Shielding: Intrabay Doors, Floor Valves and Component Transfer Hatch Pit Lids

Confinement and Shielding: Intrabay Doors, Floor Valves and Component Transfer Hatch Pit Lids

Confinement and Shielding: Intrabay Doors, Floor Valves and Component Transfer Hatch Pit Lids Penetration Plugs Fire Suppression system COMMERCIAL | Critical Success Factors Affordable Economical design Value for money by delivering

681 views • 31 slides
SunyoungKim,PhD Last class 1. Prototype 2. Flowchart 3. Wizard of Oz Todays agenda

SunyoungKim,PhD Last class 1. Prototype 2. Flowchart 3. Wizard of Oz Todays agenda

Human-Computer Interaction 16. Design Part 3. Design: Design Principles (1) SunyoungKim,PhD Last class 1. Prototype 2. Flowchart 3. Wizard of Oz Todays agenda UI design principles: Psychological principles User-centered design

719 views • 60 slides

More recommend