principles for secure design
play

Principles for secure design Some of the slides and content are - PowerPoint PPT Presentation

Jan 04, 2024 •160 likes •1.27k views

Principles for secure design Some of the slides and content are from Mike Hicks Coursera course Making secure software Making secure software Flawed approach : Design and build software, and ignore security at first Add security once

  1. Security Requirements • Software requirements typically about what the software should do • We also want to have security requirements Security-related goals (or policies ) • Example : One user’s bank account balance should not be learned - by, or modified by, another user, unless authorized Required mechanisms for enforcing them •

  2. Security Requirements • Software requirements typically about what the software should do • We also want to have security requirements Security-related goals (or policies ) • Example : One user’s bank account balance should not be learned - by, or modified by, another user, unless authorized Required mechanisms for enforcing them • Example : - 1.Users identify themselves using passwords,

  3. Security Requirements • Software requirements typically about what the software should do • We also want to have security requirements Security-related goals (or policies ) • Example : One user’s bank account balance should not be learned - by, or modified by, another user, unless authorized Required mechanisms for enforcing them • Example : - 1.Users identify themselves using passwords, 2.Passwords must be “strong,” and

  4. Security Requirements • Software requirements typically about what the software should do • We also want to have security requirements Security-related goals (or policies ) • Example : One user’s bank account balance should not be learned - by, or modified by, another user, unless authorized Required mechanisms for enforcing them • Example : - 1.Users identify themselves using passwords, 2.Passwords must be “strong,” and 3.The password database is only accessible to login program.

  5. Typical Kinds of Requirements

  6. Typical Kinds of Requirements • Policies • Confidentiality (and Privacy and Anonymity) Integrity • Availability •

  7. Typical Kinds of Requirements • Policies • Confidentiality (and Privacy and Anonymity) Integrity • Availability • • Supporting mechanisms Authentication • Authorization • Audit-ability •

  8. Supporting mechanisms These relate identities (“ principals ”) to actions Authentication Authorization Audit-ability

  9. Supporting mechanisms These relate identities (“ principals ”) to actions Authentication Authorization Audit-ability How can a system 
 tell who a user is

  10. Supporting mechanisms These relate identities (“ principals ”) to actions Authentication Authorization Audit-ability How can a system 
 tell who a user is What we know What we have 
 What we are > 1 of the above = 
 Mult-factor authentication

  11. Supporting mechanisms These relate identities (“ principals ”) to actions Authentication Authorization Audit-ability How can a system 
 How can a system 
 tell who a user is tell what a user is 
 allowed to do What we know What we have 
 What we are > 1 of the above = 
 Mult-factor authentication

  12. Supporting mechanisms These relate identities (“ principals ”) to actions Authentication Authorization Audit-ability How can a system 
 How can a system 
 tell who a user is tell what a user is 
 allowed to do What we know Access control policies What we have 
 (defines) 
 What we are + > 1 of the above = 
 Mediator Mult-factor authentication (checks)

  13. Supporting mechanisms These relate identities (“ principals ”) to actions Authentication Authorization Audit-ability How can a system 
 How can a system 
 How can a system 
 tell who a user is tell what a user is 
 tell what a user did allowed to do What we know Access control policies What we have 
 (defines) 
 What we are + > 1 of the above = 
 Mediator Mult-factor authentication (checks)

  14. Supporting mechanisms These relate identities (“ principals ”) to actions Authentication Authorization Audit-ability How can a system 
 How can a system 
 How can a system 
 tell who a user is tell what a user is 
 tell what a user did allowed to do What we know Access control policies Retain enough info 
 What we have 
 (defines) 
 to determine the What we are + circumstances of a 
 > 1 of the above = 
 Mediator breach Mult-factor authentication (checks)

  15. Defining Security Requirements • Many processes for deciding security requirements

  16. Defining Security Requirements • Many processes for deciding security requirements • Example: General policy concerns

  17. Defining Security Requirements • Many processes for deciding security requirements • Example: General policy concerns • Due to regulations /standards (HIPAA, SOX, etc.)

  18. Defining Security Requirements • Many processes for deciding security requirements • Example: General policy concerns • Due to regulations /standards (HIPAA, SOX, etc.) • Due organizational values (e.g., valuing privacy)

  19. Defining Security Requirements • Many processes for deciding security requirements • Example: General policy concerns • Due to regulations /standards (HIPAA, SOX, etc.) • Due organizational values (e.g., valuing privacy) • Example: Policy arising from threat modeling

  20. Defining Security Requirements • Many processes for deciding security requirements • Example: General policy concerns • Due to regulations /standards (HIPAA, SOX, etc.) • Due organizational values (e.g., valuing privacy) • Example: Policy arising from threat modeling • Which attacks cause the greatest concern ? Who are the likely adversaries and what are their goals and - methods?

  21. Defining Security Requirements • Many processes for deciding security requirements • Example: General policy concerns • Due to regulations /standards (HIPAA, SOX, etc.) • Due organizational values (e.g., valuing privacy) • Example: Policy arising from threat modeling • Which attacks cause the greatest concern ? Who are the likely adversaries and what are their goals and - methods? • Which attacks have already occurred ? Within the organization, or elsewhere on related systems? -

  22. Abuse Cases

  23. Abuse Cases • Abuse cases illustrate security requirements

  24. Abuse Cases • Abuse cases illustrate security requirements • Where use cases describe what a system should do, abuse cases describe what it should not do

  25. Abuse Cases • Abuse cases illustrate security requirements • Where use cases describe what a system should do, abuse cases describe what it should not do • Example use case : The system allows bank managers to modify an account’s interest rate

  26. Abuse Cases • Abuse cases illustrate security requirements • Where use cases describe what a system should do, abuse cases describe what it should not do • Example use case : The system allows bank managers to modify an account’s interest rate • Example abuse case : A user is able to spoof being a manager and thereby change the interest rate on an account

  27. Defining Abuse Cases

  28. Defining Abuse Cases • Using attack patterns and likely scenarios, construct cases in which an adversary’s exercise of power could violate a security requirement

  29. Defining Abuse Cases • Using attack patterns and likely scenarios, construct cases in which an adversary’s exercise of power could violate a security requirement • Based on the threat model

  30. Defining Abuse Cases • Using attack patterns and likely scenarios, construct cases in which an adversary’s exercise of power could violate a security requirement • Based on the threat model • What might occur if a security measure was removed?

  31. Defining Abuse Cases • Using attack patterns and likely scenarios, construct cases in which an adversary’s exercise of power could violate a security requirement • Based on the threat model • What might occur if a security measure was removed? • Example : Co-located attacker steals password file and learns all user passwords

  32. Defining Abuse Cases • Using attack patterns and likely scenarios, construct cases in which an adversary’s exercise of power could violate a security requirement • Based on the threat model • What might occur if a security measure was removed? • Example : Co-located attacker steals password file and learns all user passwords • Possible if password file is not encrypted

  33. Defining Abuse Cases • Using attack patterns and likely scenarios, construct cases in which an adversary’s exercise of power could violate a security requirement • Based on the threat model • What might occur if a security measure was removed? • Example : Co-located attacker steals password file and learns all user passwords • Possible if password file is not encrypted • Example : Snooping attacker replays a captured message, effecting a bank withdrawal

  34. Defining Abuse Cases • Using attack patterns and likely scenarios, construct cases in which an adversary’s exercise of power could violate a security requirement • Based on the threat model • What might occur if a security measure was removed? • Example : Co-located attacker steals password file and learns all user passwords • Possible if password file is not encrypted • Example : Snooping attacker replays a captured message, effecting a bank withdrawal • Possible if messages are have no nonce

  35. Security design principles

  36. Design Defects = Flaws • Recall that software defects consist of both flaws and bugs • Flaws are problems in the design • Bugs are problems in the implementation • We avoid flaws during the design phase • According to Gary McGraw, 50% of security problems are flaws • So this phase is very important

  37. Categories of Principles

  38. Categories of Principles • Prevention

  39. Categories of Principles • Prevention • Goal : Eliminate software defects entirely

  40. Categories of Principles • Prevention • Goal : Eliminate software defects entirely • Example : Heartbleed bug would have been prevented by using a type-safe language, like Java

  41. Categories of Principles • Prevention • Goal : Eliminate software defects entirely • Example : Heartbleed bug would have been prevented by using a type-safe language, like Java • Mitigation

  42. Categories of Principles • Prevention • Goal : Eliminate software defects entirely • Example : Heartbleed bug would have been prevented by using a type-safe language, like Java • Mitigation • Goal : Reduce the harm from exploitation of unknown defects

  43. Categories of Principles • Prevention • Goal : Eliminate software defects entirely • Example : Heartbleed bug would have been prevented by using a type-safe language, like Java • Mitigation • Goal : Reduce the harm from exploitation of unknown defects • Example : Run each browser tab in a separate process, so exploitation of one tab does not yield access to data in another

  44. Categories of Principles • Prevention • Goal : Eliminate software defects entirely • Example : Heartbleed bug would have been prevented by using a type-safe language, like Java • Mitigation • Goal : Reduce the harm from exploitation of unknown defects • Example : Run each browser tab in a separate process, so exploitation of one tab does not yield access to data in another • Detection (and Recovery )

  45. Categories of Principles • Prevention • Goal : Eliminate software defects entirely • Example : Heartbleed bug would have been prevented by using a type-safe language, like Java • Mitigation • Goal : Reduce the harm from exploitation of unknown defects • Example : Run each browser tab in a separate process, so exploitation of one tab does not yield access to data in another • Detection (and Recovery ) • Goal : Identify and understand an attack (and undo damage)

  46. Categories of Principles • Prevention • Goal : Eliminate software defects entirely • Example : Heartbleed bug would have been prevented by using a type-safe language, like Java • Mitigation • Goal : Reduce the harm from exploitation of unknown defects • Example : Run each browser tab in a separate process, so exploitation of one tab does not yield access to data in another • Detection (and Recovery ) • Goal : Identify and understand an attack (and undo damage) • Example : Monitoring (e.g., expected invariants), snapshotting

  47. Principles for building secure systems • Security is economics • Accept that threat models change • Principle of least privilege • If you can’t prevent, detect • Use fail-safe defaults • Kerkhoff’s principle (no security • Use separation of responsibility through obscurity) • Defend in depth • Design security from the ground up • Take human factors into account • Prefer conservative designs • Ensure complete mediation • Proactively study attacks

  49. Ensure complete mediation

  51. Use separation of responsibility

  53. Defense in depth

  55. Account for human factors (“psychological acceptability”) 
 (a) Users must buy into the security (b) The system must be usable

  56. Account for human factors

  57. Account for human factors

  58. Account for human factors

  59. Account for human factors

Recommend

May 19: Design Principles and Confinement Principles of Secure Design One set; other sets

May 19: Design Principles and Confinement Principles of Secure Design One set; other sets

May 19: Design Principles and Confinement Principles of Secure Design One set; other sets say basically the same thing Confinement, non-VM isolation Library operating systems Sandboxes Program modification Covert

584 views • 30 slides
CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of f the Common Principles Minimize attack Secure by surface area Default Principle of Fail-Safe Least Stance Privilege Secure the

975 views • 56 slides
Outline Saltzer & Schroeders principles CSci 5271 More secure design principles

Outline Saltzer & Schroeders principles CSci 5271 More secure design principles

Outline Saltzer & Schroeders principles CSci 5271 More secure design principles Introduction to Computer Security Day 7: Defensive programming and design, part 1 Software engineering for security Stephen McCamant Announcements

355 views • 7 slides
Outline More secure design principles Software engineering for security CSci 5271 Introduction

Outline More secure design principles Software engineering for security CSci 5271 Introduction

Outline More secure design principles Software engineering for security CSci 5271 Introduction to Computer Security Secure use of the OS Defensive programming and design, contd Announcements intermission Stephen McCamant Bernsteins

535 views • 8 slides
Principles for secure design Some of the slides and content are from Mike Hicks Coursera

Principles for secure design Some of the slides and content are from Mike Hicks Coursera

Principles for secure design Some of the slides and content are from Mike Hicks Coursera course Making secure software Flawed approach : Design and build software, and ignore security at first Add security once the functional

830 views • 70 slides
Principles for secure design Some of the slides and content are from Mike Hicks Coursera

Principles for secure design Some of the slides and content are from Mike Hicks Coursera

Principles for secure design Some of the slides and content are from Mike Hicks Coursera course Making secure software Flawed approach : Design and build software, and ignore security at first Add security once the functional

2.04k views • 152 slides
Outline Saltzer & Schroeders principles (contd) CSci 5271 More secure design

Outline Saltzer & Schroeders principles (contd) CSci 5271 More secure design

Outline Saltzer & Schroeders principles (contd) CSci 5271 More secure design principles Introduction to Computer Security Software engineering for security Defensive programming 2 (combined lecture) Announcements intermission

632 views • 9 slides
Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and Schroeder Authentication in general Bishop: Authentication is the binding of an identity to a principal. Network-based authentication mechanisms

1.6k views • 43 slides
SECURE BY DESIGN Security Design Principles for the Rest of Us GOTO London 2016 Eoin Woods -

SECURE BY DESIGN Security Design Principles for the Rest of Us GOTO London 2016 Eoin Woods -

SECURE BY DESIGN Security Design Principles for the Rest of Us GOTO London 2016 Eoin Woods - Endava @eoinwoodz 1 BACKGROUND Eoin Woods CTO at Endava (technology services, 3300 people) 10 years in product development - Bull,

453 views • 31 slides
Design Principles for Secure Systems Systems Driving Ideas for Security Principles Saltzer

Design Principles for Secure Systems Systems Driving Ideas for Security Principles Saltzer

1 Design Principles for Secure Systems Systems Driving Ideas for Security Principles Saltzer and Schroeder (1975) defined 8 principles that are based on the ideas of simplicity and restriction are based on the ideas of simplicity and

468 views • 17 slides
Main principles of secure OS

Main principles of secure OS

Main principles of secure OS Trusted Flexible Secure Versatile modular Internet security

490 views • 26 slides
Sandboxing and isolation Deian Stefan Today Lecture objectives: Understand basic principles

Sandboxing and isolation Deian Stefan Today Lecture objectives: Understand basic principles

CSE 127: Computer Security Sandboxing and isolation Deian Stefan Today Lecture objectives: Understand basic principles for building secure systems Understand mechanisms used to build secure systems Principles of secure design

1.1k views • 64 slides
Outline Saltzer & Schroeders principles CSci 5271 Announcements intermission

Outline Saltzer & Schroeders principles CSci 5271 Announcements intermission

Outline Saltzer & Schroeders principles CSci 5271 Announcements intermission Introduction to Computer Security Day 7: Defensive programming and design, More secure design principles part 1 Software engineering for security Stephen

571 views • 9 slides
Human-Computer Interaction 12. Design Principles (2) Last class Psychological design principles

Human-Computer Interaction 12. Design Principles (2) Last class Psychological design principles

Human-Computer Interaction 12. Design Principles (2) Last class Psychological design principles Recap: Psychological principles 1. User sees what they expect to see. 2. Users have difficulty focusing on more than one activity at a time. 3. It

843 views • 55 slides
Principles for Secure Software Following these doesnt guarantee security But they touch

Principles for Secure Software Following these doesnt guarantee security But they touch

Principles for Secure Software Following these doesnt guarantee security But they touch on the most commonly seen security problems Thinking about them is likely to lead to more secure code Lecture 13 Page 1 CS 236 Online 1.

439 views • 22 slides
UMBC A B M A L F T U M B C I O M Y O T R 1 (November 26, 2000 11:15 pm) I E

UMBC A B M A L F T U M B C I O M Y O T R 1 (November 26, 2000 11:15 pm) I E

Principles of VLSI Design Introduction CMPE 413/CMSC 711 Principles of VLSI Design Instructor: Professor Jim Plusquellic Text: Principles of CMOS VLSI Design: A Systems Perspective, by Neil H.E. Weste and Kamran Eshraghian. Supplementary

752 views • 21 slides
Principles of Software Construction: Objects, Design, and Concurrency API Design 2: principles

Principles of Software Construction: Objects, Design, and Concurrency API Design 2: principles

Principles of Software Construction: Objects, Design, and Concurrency API Design 2: principles Josh Bloch Charlie Garrod 17-214 1 Administrivia Homework 4c due Thursday, 10/29, 11:59pm EST Homework 5 coming soon Team sign-up

620 views • 47 slides
and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

CS 1655 / Spring 2010 Secure Data Management and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure Coding From: Secure Coding: Principles and Practices by Mark G. Graff & Kenneth R. Van Wyk

753 views • 17 slides
SunyoungKim,PhD Last class Psychological design principles Recap. Psychological

SunyoungKim,PhD Last class Psychological design principles Recap. Psychological

Human-Computer Interaction 17. Design Design Principles (2) SunyoungKim,PhD Last class Psychological design principles Recap. Psychological principles 1. User sees what they expect to see. 2. Users have difficulty focusing on more

963 views • 57 slides
Design principles for m-learning Outcome : To determine basic design principles for mobile

Design principles for m-learning Outcome : To determine basic design principles for mobile

Design principles for m-learning Outcome : To determine basic design principles for mobile learning and identify the key limitations to the design and development of mobile instruction. 1 Needs Assessment Before you start the design True

343 views • 10 slides
HW/SW Codesign FSMD I ECE 522 FSMDs VHDL Essentials covers FSMD design principles Here, we

HW/SW Codesign FSMD I ECE 522 FSMDs VHDL Essentials covers FSMD design principles Here, we

HW/SW Codesign FSMD I ECE 522 FSMDs VHDL Essentials covers FSMD design principles Here, we consider an interesting example that builds on the secure memory access controller (SMAC) discussed previously The SMAC functionality allows C programs

321 views • 18 slides
Human-Computer Interaction 12. Design Principles (3) Last class Normans design principles

Human-Computer Interaction 12. Design Principles (3) Last class Normans design principles

Human-Computer Interaction 12. Design Principles (3) Last class Normans design principles Recap. Usability Usability is a measure of the effectiveness, efficiency and satisfaction with which specified users can achieve specified goals in a

826 views • 68 slides
Design Principles The goals of good design Goals What kind of devices do we want to make?

Design Principles The goals of good design Goals What kind of devices do we want to make?

Design Principles The goals of good design Goals What kind of devices do we want to make? Useful vs. usable 2 CS 349 - Design Principles 3 CS 349 - Design Principles 4 CS 349 - Design Principles http://www.tvhistory.tv 5 CS 349 -

813 views • 62 slides
Secure by Design

Secure by Design

Secure by Design Jason Yang Secure by Design

496 views • 33 slides

More recommend