CS-527 Software Security Basic Security Principles Asst. Prof. - - PowerPoint PPT Presentation

cs 527 software security
SMART_READER_LITE
LIVE PREVIEW

CS-527 Software Security Basic Security Principles Asst. Prof. - - PowerPoint PPT Presentation

Sep 05, 2022 521 likes •800 views

CS-527 Software Security Basic Security Principles Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Security goals Table of Contents

slide-1
SLIDE 1

CS-527 Software Security

Basic Security Principles

  • Asst. Prof. Mathias Payer

Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/

Spring 2017

slide-2
SLIDE 2

Security goals

Table of Contents

1

Security goals

2

Fundamental security mechanisms

3

Hardware and software abstractions

4

Security mechanisms

5

Summary and Conclusion

Mathias Payer (Purdue University) CS-527 Software Security 2017 2 / 26

slide-3
SLIDE 3

Security goals

Software Security

Definition Allow intended use of software, prevent unintended use that may cause harm.

Mathias Payer (Purdue University) CS-527 Software Security 2017 3 / 26

slide-4
SLIDE 4

Security goals

Security principles

Confidentiality: an attacker cannot recover protected data. Integrity: an attacker cannot modify protected data. Availability: an attacker cannot stop/hinder computation. These fundamental CIA properties are used in different contexts of software security policies and mechanisms. Accountability/non-repudiation is sometimes mentioned as fourth fundamental concept. It prevents denial of message transmission or

  • receipt. Non-repudiation is, at its core, a legal concept.

Mathias Payer (Purdue University) CS-527 Software Security 2017 4 / 26

slide-5
SLIDE 5

Security goals

Security analysis

Given a software system, is the system secure? ... it depends What is the interface? (What is the attack surface?) What are the assets? (How profitable is an attack?) What are the goals? (What drives an attacker?)

Mathias Payer (Purdue University) CS-527 Software Security 2017 5 / 26

slide-6
SLIDE 6

Security goals

Threat model

Definition: Threat model Threat model defines an attacker’s abilities and resources. Assume you want to protect an asset (your valuables) by locking them in a safe. In cloud cuckoo land you don’t need to lock your safe. An attacker might pick your lock. An attacker might use a torch to open the safe. An attacker may have some advanced safe opening technology (e.g., an X-ray). An attacker may know you and get access to (or copy) your key.

Mathias Payer (Purdue University) CS-527 Software Security 2017 6 / 26

slide-7
SLIDE 7

Security goals

Cost of security

There’s no free lunch, security will incur overhead. Security is... expensive to develop, may have performance overhead, may be inconvenient to users.

Mathias Payer (Purdue University) CS-527 Software Security 2017 7 / 26

slide-8
SLIDE 8

Fundamental security mechanisms

Table of Contents

1

Security goals

2

Fundamental security mechanisms

3

Hardware and software abstractions

4

Security mechanisms

5

Summary and Conclusion

Mathias Payer (Purdue University) CS-527 Software Security 2017 8 / 26

slide-9
SLIDE 9

Fundamental security mechanisms

Security principles

Least privilege The principle of least privilege ensures that a component has the least privileges needed to function. Any privilege that is further removed from the component removes some functionality. Any additional privilege is not needed to run the component according to the specification. Note that this property constrains an attacker in the privileges that can be obtained.

Mathias Payer (Purdue University) CS-527 Software Security 2017 9 / 26

slide-10
SLIDE 10

Fundamental security mechanisms

Security goals

Separation Separate individual components into smallest functional entity

  • possible. General idea: contain faults to individual components.

Allows abstraction and permission checks at boundaries. Note that this property builds on least privilege. Both properties are most effective in combination: many small components that are running and interacting with least privileges.

Mathias Payer (Purdue University) CS-527 Software Security 2017 10 / 26

slide-11
SLIDE 11

Fundamental security mechanisms

Security goals

Trust and correctness Specific components are assumed to be trusted or correct according to a specification. Formal verification ensures that a component correctly implements a given specification and can therefore be

  • trusted. Note that this property is an ideal property that cannot

generally be achieved.

Mathias Payer (Purdue University) CS-527 Software Security 2017 11 / 26

slide-12
SLIDE 12

Fundamental security mechanisms

Security scope

(Parts of a water-tight compartment, Seaman’s Pocket Book, 1943)

Mathias Payer (Purdue University) CS-527 Software Security 2017 12 / 26

slide-13
SLIDE 13

Fundamental security mechanisms

Security scope

(Parts of a water-tight compartment, Seaman’s Pocket Book, 1943)

Mathias Payer (Purdue University) CS-527 Software Security 2017 13 / 26

slide-14
SLIDE 14

Fundamental security mechanisms

Security scope

(USS South Dakota (BB-57) at the New York Shipbuilding Corporation shipyard, Camden, New Jersey, 1 April 1940.)

Mathias Payer (Purdue University) CS-527 Software Security 2017 14 / 26

slide-15
SLIDE 15

Fundamental security mechanisms

Security scope

(Side plan of the RMS Titanic, 1911, annotated)

Mathias Payer (Purdue University) CS-527 Software Security 2017 15 / 26

slide-16
SLIDE 16

Hardware and software abstractions

Table of Contents

1

Security goals

2

Fundamental security mechanisms

3

Hardware and software abstractions

4

Security mechanisms

5

Summary and Conclusion

Mathias Payer (Purdue University) CS-527 Software Security 2017 16 / 26

slide-17
SLIDE 17

Hardware and software abstractions

Operating System (OS) abstraction

Allows individual processes exclusive access to resources. Provides well-defined API to access hardware resources. Enforces mutual exclusion to resources. Enforces access permissions for resources. Restricts attacker to specific user privileges. ... is a trusted component. All process can be attacked through vulnerabilities in the OS kernel. ... trusts the hardware.

Mathias Payer (Purdue University) CS-527 Software Security 2017 17 / 26

slide-18
SLIDE 18

Hardware and software abstractions

Hardware abstraction

Virtual memory is a hardware-enforced separation of memory pages to individual processes. Only operating system has access to physical memory (or at least believes so). DMA allows trusted devices direct access to memory. ISA implements different privilege level (ring 0 to ring 3 on x86). Hardware abstractions are fundamental for performance.

Mathias Payer (Purdue University) CS-527 Software Security 2017 18 / 26

slide-19
SLIDE 19

Security mechanisms

Table of Contents

1

Security goals

2

Fundamental security mechanisms

3

Hardware and software abstractions

4

Security mechanisms

5

Summary and Conclusion

Mathias Payer (Purdue University) CS-527 Software Security 2017 19 / 26

slide-20
SLIDE 20

Security mechanisms

Access control

Access control specifies how entities interact with resources. Authentication: Who are you (something you know, have, or are)? Authorization: Who has access to object? (Follows authentication) Audit: I’ll check what you did.

Mathias Payer (Purdue University) CS-527 Software Security 2017 20 / 26

slide-21
SLIDE 21

Security mechanisms

Types of access control

Discretionary Access Control (DAC): Object owners specify policy. Mandatory Access Control (MAC): Rule and lattice-based policy. Role-Based Access Control (RBAC): Policy defined in terms of roles (sets of permissions), individuals are assigned roles, roles are authorized for tasks.

Mathias Payer (Purdue University) CS-527 Software Security 2017 21 / 26

slide-22
SLIDE 22

Security mechanisms

Different security models

Access control lists Capabilities Bell - LaPadula Information flow

Mathias Payer (Purdue University) CS-527 Software Security 2017 22 / 26

slide-23
SLIDE 23

Security mechanisms

Access control matrix

Goal: provide access rights for subjects to corresponding objects1. foo bar baz user rwx rw rw group rx r r

  • ther

rx r Used, e.g., in the Unix/Linux security model for file accesses or the Android, iOS, or Java security model for privileged APIs.

1Introduced by Butler Lampson in 1971, http://research.microsoft.

com/en-us/um/people/blampson/08-Protection/Acrobat.pdf.

Mathias Payer (Purdue University) CS-527 Software Security 2017 23 / 26

slide-24
SLIDE 24

Summary and Conclusion

Table of Contents

1

Security goals

2

Fundamental security mechanisms

3

Hardware and software abstractions

4

Security mechanisms

5

Summary and Conclusion

Mathias Payer (Purdue University) CS-527 Software Security 2017 24 / 26

slide-25
SLIDE 25

Summary and Conclusion

Summary

Software security goal: allow intended use of software, prevent unintended use that may cause harm. Three principles: Confidentiality, Integrity, Availability. Security of a system depends on its threat model. Least privilege, separation, and trust as concepts. Security relies on abstractions to reduce complexity. Reading assignment: Butler Lampson, Protection, http://doi.acm.org/10.1145/775265.775268.

Mathias Payer (Purdue University) CS-527 Software Security 2017 25 / 26

slide-26
SLIDE 26

Summary and Conclusion

Questions?

?

Mathias Payer (Purdue University) CS-527 Software Security 2017 26 / 26