design and architectural principles
play

Design and Architectural Principles Internet Security [1] VU Engin - PowerPoint PPT Presentation

Feb 15, 2023 •44 likes •384 views

Design and Architectural Principles Internet Security [1] VU Engin Kirda engin@infosys.tuwien.ac.at Christopher Kruegel chris@auto.tuwien.ac.at News from the Lab Challenge 4 will be announced today (16:00) after the lecture E-Mail

  1. Design and Architectural Principles Internet Security [1] VU Engin Kirda engin@infosys.tuwien.ac.at Christopher Kruegel chris@auto.tuwien.ac.at

  2. News from the Lab • Challenge 4 will be announced today (16:00) after the lecture – E-Mail Spoofer – First programming challenge (show us how good you can code ;-)) – You need to look at SMTP protocol (Web, RFCs,etc.) – You need to write a Java program • Quality control issues – Obviously, copying solutions is not allowed – Automated checks -- you might receive an invitation – don’t panic – follow the instructions Internet Security 1 2

  3. Overview • Security issues at various stages of application life- cycle – mistakes, vulnerabilities, and exploits – avoidance, detection, and defense • Design and Architecture – security considerations when designing the application – Implementation • security considerations when writing the application – Operation • security considerations when the application is in production Internet Security 1 3

  4. Architecture – A quick recap • A software architecture has emerged as a crucial part of design process – Much work was done in the early 90s. Today, there are research issues like product family architectures, architectural description languages, flexibility, fault tolerance, etc. • Software architecture encompasses the structures of large software systems – The architectural view is abstract and distills details of implementation, algorithm and data representation Internet Security 1 4

  5. Security Architecture • What is security architecture? A body of high-level design principles and decisions that allow a programmer to say "Yes" with confidence and "No" with certainty. A framework for secure design , which embodies the four classic stages of information security: protect , deter , detect , and react . • Security is a measure of the architecture’s ability to resist unauthorized usage – At the same time, services need to be provided to legitimate users. Internet Security 1 5

  6. What happens if the architecture is flawed? • Some history: The Swedish Warship Vasa – Now in Stockholm, Vasa Museum – A solemn reminder for engineers – The ship was built well, but it’s architecture was flawed . On its first voyage, it fired its guns to salute the port and… • OK, so what does Vasa have to do with security? – Your code might be good, but if your architecture is bad from a security point of view, your system may be broken by attacker – E.g., P2P systems Internet Security 1 6

  7. Architecture is Important Cost of fixing security flaws during different development phases (cost = 60) (cost = 15) (cost = 6.5) Cost (cost = 1) Design Testing Implementation Post-Release Time Internet Security 1 7

  8. Security and Design • Systems are often designed without security in mind – Application programmer is often more worried about solving the problem than protecting the system. – Often, security is ignored because either the policy is generally not available, or it is easier to ignore security issues. • Organizations and individuals want their technology to survive attacks, failures and accidents – Critical systems need to be survivable Internet Security 1 8

  9. Design Principles • Design is a complex, creative process • No standard technique to make design secure • But general rules derived from experience • 8 principles according to Saltzer and Schroeder (1975) in their paper “The protection of information of computer systems”, Univ. of Virginia – Economy of Mechanism – Fail-safe defaults – Complete mediation – Open design – Separation of privilege – Least privilege – Least common mechanism – Psychological acceptability Internet Security 1 9

  10. Economy of Mechanism • Design should be as simple as possible – KISS -- keep it simple, stupid – Brian W. Kernighan “ Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it.” • Black-box / functional testing – treats system as a black box – usually does not discover security problems – makes white-box testing / code auditing necessary • For successful white-box testing, simple design necessary Internet Security 1 10

  11. Fail-safe Defaults • Allow as default action – grant access when not explicitly forbidden – in case of mistake, access allowed (often not noticed) – improves ease-of-use – wrong psychological model • Deny as default action – grant access only on explicit permission – in case of mistake, access denied (noticed quickly) – improves security – important for firewall configurations and input validation tasks Internet Security 1 11

  12. Fail-safe Defaults • Configuration – secure initial configuration – easy (re)configuration • Secure initial configuration – no default passwords – no sample users – files are write-protected, owned by root/admin • Error messages – should be very generic – additional information in log files Internet Security 1 12

  13. Complete Mediation • Complete access control – check every access to every object – include all aspects (normal operation, initialization, maintenance, ..) – caching of checks is dangerous – identification of source of action (authentication) is crucial • Trusted path – make sure that user is talking to authentication program – important for safe login (thwart fake logins) – Windows “control-alt-delete” sequence Internet Security 1 13

  14. Complete Mediation • Secure interface – minimal – narrow – non-bypassable (e.g., check at server, not client) • Input validation (well-known by now) • Trust input only from trustworthy channels – any value that can be influenced by user cannot be trusted • do not authenticate based on IP source addresses / ports • E-mail sender can be forged (i.e., Challenge 4) • hidden fields or client side checks are inappropriate • reverse DNS lookup – safely load initialization (configuration) Internet Security 1 14

  15. Open Design • Design must not be secret – security mechanisms must be known – allows review – establishes trust – unrealistic to keep mechanism secret in widely distributed systems • Security depends on secrecy of few, small tokens – keys – passwords • Many violations of this principle – especially proprietary cryptography Internet Security 1 15

  16. Separation of Privilege • Access depends on more than one condition – for example, two keys are required to access a resource – two privileges can be (physically) distributed – more robust and flexible • Classic examples – launch of nuclear weapons requires two people – bank safe • Related principle – compartmentalization Internet Security 1 16

  17. Separation of Privilege • Compartmentalization – break system in different, isolated parts and – minimize privileges in each part – don’t implement all-or-nothing model → minimizes possible damage • Sandbox – traditional compartmentalization technique – examples • Java sandbox (bytecode verifier, class loader, security manager) • virtual machines • paper -- Goldberg et al., A secure environment for untrusted helper applications, USENIX Security Symposium,1996 Internet Security 1 17

  18. Least Privilege • Operate with least number of rights to complete task – minimize damage – minimize interactions between privileged programs • reduce unintentional, unwanted use – when misuse occurs, only few potential sources need auditing • Minimize granted privileges – avoid setuid root programs (UNIX/Linux) • use groups and setgid (e.g., group games for high scores) • use special user (e.g., nobody for web server) – make file owner different from setuid user • taking control of process does not allow to modify program images Internet Security 1 18

  19. Least Privilege • Minimize granted privileges – database restrictions • limit access to needed tables • use stored procedures • Minimize time that privilege can be used – drop privileges as soon as possible – make sure to clear saved ID values • Minimize time that privilege is active – temporarily drop privileges Internet Security 1 19

  20. Least Privilege • Minimize modules that are granted privilege – optimally, only single module uses privileges and drops them – two separate programs • one can be large and untrusted • other is small and can perform critical operations • important for GUI applications that require privileges • Limit view of system – limit file system view by setting new root directory chroot() – on UNIX – more complete virtual machine abstraction BSD system call jail(2) – Honeypot Internet Security 1 20

  21. Least Privilege • Do not use setuid scripts – “race condition” problems – Linux drops setuid settings • Minimize accessible data – CGI scripts • place data used by script outside document root • Minimize available resources – quotas • Paper -- Provos et al., Preventing Privilege Escalation., 12th USENIX Security Symposium, Washington DC, 2003 Internet Security 1 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Miller Career & Technology Center Architectural Design II Practicum in Architectural Design

Miller Career & Technology Center Architectural Design II Practicum in Architectural Design

Miller Career & Technology Center Architectural Design II Practicum in Architectural Design Practicum of STEM John Dombrowski johnmdombrowski@katyisd.org Born in Chicago, Illinois Instructor Graduated from the University of

274 views • 12 slides
SOLID is Solid Enterprise principles in OOP architectural design-phase pattern-level constructs

SOLID is Solid Enterprise principles in OOP architectural design-phase pattern-level constructs

SOLID is Solid Enterprise principles in OOP architectural design-phase pattern-level constructs Hillel Wayne SOLID Single responsibility Openclosed principle Liskov substitution principle Interface segregation principle

490 views • 45 slides
Design Patterns: Background Design Patterns: Background Five Principles (revisited)

Design Patterns: Background Design Patterns: Background Five Principles (revisited)

Five Principles (revisited) Design Patterns: Background Design Patterns: Background Five Principles (revisited) Architectural design patterns Architectural design patterns 1. 1. Single Single- - Responsibility Principle

88 views • 5 slides
1 Design Pattern Description Design Pattern Observer Name Problem: We want to

1 Design Pattern Description Design Pattern Observer Name Problem: We want to

OBJECT ARCHITECTURE What Is Architectural Design? DESIGN These slides continue with our example Choices Made In Architectural Design: application, based on the simplified OMT-based Components technique. High-Level Design Patterns

483 views • 4 slides
ADU-Things to Know DEC. 2017 Example Timeline for full scale architectural & Interior Design

ADU-Things to Know DEC. 2017 Example Timeline for full scale architectural & Interior Design

BLEND DESIGN LA is your neighborhood architectural & interior design studio located in highland park. We strive to help Los Angeles home & business owners realize the best potential for their properties. We provide design services for

303 views • 4 slides
OBAMA PRESIDENTIAL CENTER INTRODUCTION 2 INTRODUCTION 3 ARCHITECTURAL DESIGN 4 ARCHITECTURAL

OBAMA PRESIDENTIAL CENTER INTRODUCTION 2 INTRODUCTION 3 ARCHITECTURAL DESIGN 4 ARCHITECTURAL

OBAMA PRESIDENTIAL CENTER INTRODUCTION 2 INTRODUCTION 3 ARCHITECTURAL DESIGN 4 ARCHITECTURAL DESIGN 5 6 ARCHITECTURAL DESIGN 7 ARCHITECTURAL DESIGN 8 ARCHITECTURAL DESIGN 9 ARCHITECTURAL DESIGN 10 ARCHITECTURAL DESIGN 11 ARCHITECTURAL

580 views • 29 slides
Architectural design process Sub- systems and modules System structuring A sub- system is

Architectural design process Sub- systems and modules System structuring A sub- system is

Architectural Design Objectives To introduce architect ural design and to discuss it s importance Establishing the overall To explain why multiple models are required to document a sof tware structure of a sof tware architecture

424 views • 16 slides
NES Architectural Ltd http://www.nes-solutions.co.uk/architectural Who Are we? NES Architectural

NES Architectural Ltd http://www.nes-solutions.co.uk/architectural Who Are we? NES Architectural

NES Architectural Ltd http://www.nes-solutions.co.uk/architectural Who Are we? NES Architectural is a family owned business, based in Colchester. The manufacturing facility is 70,000 sq. ft with a staff of over 50. What do we do? NES

274 views • 16 slides
May 19: Design Principles and Confinement Principles of Secure Design One set; other sets

May 19: Design Principles and Confinement Principles of Secure Design One set; other sets

May 19: Design Principles and Confinement Principles of Secure Design One set; other sets say basically the same thing Confinement, non-VM isolation Library operating systems Sandboxes Program modification Covert

584 views • 30 slides
WELCOME COMMUNITY MEETING 13 JUNE 2018 ARCHITECTURAL DESIGN NEW ARCHITECTURAL DESIGN JULY

WELCOME COMMUNITY MEETING 13 JUNE 2018 ARCHITECTURAL DESIGN NEW ARCHITECTURAL DESIGN JULY

WELCOME COMMUNITY MEETING 13 JUNE 2018 ARCHITECTURAL DESIGN NEW ARCHITECTURAL DESIGN JULY 2018 AUGUST 2019 OVERVIEW SITE UPDATE SITE UPDATE SITE UPDATE SITE UPDATE SECURITY & SAFETY Student Safety is Our #1 Priority

331 views • 15 slides
Human-Computer Interaction 12. Design Principles (2) Last class Psychological design principles

Human-Computer Interaction 12. Design Principles (2) Last class Psychological design principles

Human-Computer Interaction 12. Design Principles (2) Last class Psychological design principles Recap: Psychological principles 1. User sees what they expect to see. 2. Users have difficulty focusing on more than one activity at a time. 3. It

843 views • 55 slides
UMBC A B M A L F T U M B C I O M Y O T R 1 (November 26, 2000 11:15 pm) I E

UMBC A B M A L F T U M B C I O M Y O T R 1 (November 26, 2000 11:15 pm) I E

Principles of VLSI Design Introduction CMPE 413/CMSC 711 Principles of VLSI Design Instructor: Professor Jim Plusquellic Text: Principles of CMOS VLSI Design: A Systems Perspective, by Neil H.E. Weste and Kamran Eshraghian. Supplementary

752 views • 21 slides
Principles of Software Construction: Objects, Design, and Concurrency API Design 2: principles

Principles of Software Construction: Objects, Design, and Concurrency API Design 2: principles

Principles of Software Construction: Objects, Design, and Concurrency API Design 2: principles Josh Bloch Charlie Garrod 17-214 1 Administrivia Homework 4c due Thursday, 10/29, 11:59pm EST Homework 5 coming soon Team sign-up

620 views • 47 slides
Syllabus Faculty Architecture and Design Department Architectural Engineering Semester First

Syllabus Faculty Architecture and Design Department Architectural Engineering Semester First

Syllabus Faculty Architecture and Design Department Architectural Engineering Semester First 2019/2020 Academic Year Course Name Architectural Presentation Course Number 1101192 F112-3, Rev. c Ref.: Deans' Council Session (03/2019-2018),

312 views • 6 slides
IAB IAB Architectural Consideration for Architectural Consideration for OPES OPES Abbie

IAB IAB Architectural Consideration for Architectural Consideration for OPES OPES Abbie

IAB IAB Architectural Consideration for Architectural Consideration for OPES OPES Abbie Barbir abbieb@nortelnetworks.com Design Team IAB consideration (RFC 3238) Brief Review of Some Issue IP-layer communications (2.2) For an OPES

216 views • 8 slides
SunyoungKim,PhD Last class Psychological design principles Recap. Psychological

SunyoungKim,PhD Last class Psychological design principles Recap. Psychological

Human-Computer Interaction 17. Design Design Principles (2) SunyoungKim,PhD Last class Psychological design principles Recap. Psychological principles 1. User sees what they expect to see. 2. Users have difficulty focusing on more

963 views • 57 slides
Authorization We will use the terms authorization and access control interchangeably

Authorization We will use the terms authorization and access control interchangeably

Authorization We will use the terms authorization and access control interchangeably Authorization answers the question who is allowed to do what ? A first step in the development of an access control system is the

651 views • 53 slides
New York Metro Joint Computer Security Conference William Hugh Murray whmurray@sprynet.com 705

New York Metro Joint Computer Security Conference William Hugh Murray whmurray@sprynet.com 705

New York Metro Joint Computer Security Conference William Hugh Murray whmurray@sprynet.com 705 Weed StreetNew Canaan, CT 06840 1-203-966-4769 1-203-326-1266 Mobile/SMS http://whmurray.blogspot.com/ CVEs Breaches IOCs

204 views • 5 slides
Role-Based Access Control Corban Rivera CS 6204, Spring 2005 1 Trusted Computer System

Role-Based Access Control Corban Rivera CS 6204, Spring 2005 1 Trusted Computer System

Role-Based Access Control Corban Rivera CS 6204, Spring 2005 1 Trusted Computer System Evaluation Criteria (TCSEC) Background MAC Mandatory Access Control Firm security levels DAC Discretionary Access Control Access

240 views • 6 slides
CS5460: Operating Systems Lecture 24: Security CS 5460: Operating Systems Once upon a time,

CS5460: Operating Systems Lecture 24: Security CS 5460: Operating Systems Once upon a time,

CS5460: Operating Systems Lecture 24: Security CS 5460: Operating Systems Once upon a time, this patch was made to Linuxs wait4() system call: + if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) +

550 views • 33 slides
Application access to directories opening Pandoras box Victoriano Giralt Central Computing

Application access to directories opening Pandoras box Victoriano Giralt Central Computing

The problem The cure The solution Application access to directories opening Pandoras box Victoriano Giralt Central Computing Facility University of Mlaga A November 5th, 2008 Victoriano Giralt Application access to

1.11k views • 78 slides
SECURITY CHALLENGES FOR INTERNET TECHNOLOGIES ON MOBILE DEVICES Key Questions 1. How are Web

SECURITY CHALLENGES FOR INTERNET TECHNOLOGIES ON MOBILE DEVICES Key Questions 1. How are Web

Anil Dhawan, Program Manager Rich Internet Applications Windows Mobile [anild@microsoft.com] Geir Olsen, Program Manager Security for Windows Mobile [geiro@microsoft.com] Microsoft Corp SECURITY CHALLENGES FOR INTERNET TECHNOLOGIES ON

454 views • 6 slides
Advanced Security Automation Made Simple Mark Nunnikhoven Vice President, Cloud Research at

Advanced Security Automation Made Simple Mark Nunnikhoven Vice President, Cloud Research at

Advanced Security Automation Made Simple Mark Nunnikhoven Vice President, Cloud Research at Trend Micro @marknca The goal of cybersecurity Make sure that systems work as intended The goal of cybersecurity Make sure that systems work as

824 views • 45 slides
Landlock LSM: toward unprivileged sandboxing Micka el Sala un ANSSI September 14, 2017 1 /

Landlock LSM: toward unprivileged sandboxing Micka el Sala un ANSSI September 14, 2017 1 /

Landlock LSM: toward unprivileged sandboxing Micka el Sala un ANSSI September 14, 2017 1 / 21 Secure user-space software How to harden an application? secure development follow the least privilege principle compartmentalize

789 views • 61 slides

More recommend