design privilege separation
play

Design, Privilege Separation CS 161: Computer Security Prof. David - PowerPoint PPT Presentation

Nov 12, 2023 •362 likes •695 views

Software Security: Design, Privilege Separation CS 161: Computer Security Prof. David Wagner January 27, 2016 Robustness Security bugs are a fact of life How can we use access control to improve the security of software, so security bugs

  1. Software Security: Design, Privilege Separation CS 161: Computer Security Prof. David Wagner January 27, 2016

  2. Robustness • Security bugs are a fact of life • How can we use access control to improve the security of software, so security bugs are less likely to be catastrophic?

  3. Privilege separation • How can we improve the security of software, so security bugs are less likely to be catastrophic? • Answer: privilege separation. Architect the software so it has a separate, small TCB. – Then any bugs outside the TCB will not be catastrophic

  4. Sandbox Sandbox Rendering Web browser Engine Rendering Engine Web Site Trusted Computing Base IPC Web Browser IPC HTML, ¡JS, ¡... Rendered ¡Bitmap Browser Rendering Kernel Engine Browser ¡Kernel HTML, ¡JS, ¡... Rendered ¡Bitmap Browser ¡Kernel “Drive-by malware”: malicious web page exploits a browser bug to read/write local files or infect them with a virus

  5. The Chrome browser Sandbox Goal: prevent “drive-by malware”, where a malicious Rendering Engine web page exploits a browser bug to read/write local files or infect them with a virus IPC Rendered ¡Bitmap HTML, ¡JS, ¡... TCB (for this property) Browser ¡Kernel

  6. The Chrome browser 70% of vulnerabilities are Sandbox in the rendering engine. Rendering 1000K lines of code Engine Example: PNG, WMF, GDI+ rendering vulnerabilities in Windows OS IPC Rendered ¡Bitmap HTML, ¡JS, ¡... 700K lines of code Browser ¡Kernel

  7. Benefit of Secure Design Known unpatched vulnerabilities Secunia SecurityFocus Browser Extremely critical Highly critical Moderately critical Less critical Not critical Total (number / oldest) (number / oldest) (number / oldest) (number / oldest) (number / oldest) (number / oldest) 4 534 Internet Explorer 8 12 0 0 17 November 20 November 6 27 February 2004 5 June 2003 2004 2000 Internet Explorer 1 4 10 213 0 0 7 30 October 2006 6 June 2006 5 June 2003 15 August 2006 Internet Explorer 1 8 123 0 0 0 8 26 February 2007 5 June 2003 14 January 2009 Internet Explorer 2 26 0 0 0 0 9 6 December 2011 5 March 2011 1 Firefox 3.6 0 0 0 0 0 20 December 2011 Firefox 38 0 0 0 0 0 0 Google Chrome 0 0 0 0 0 0 42 1 2 Opera 11 0 0 0 0 6 December 2011 6 December 2011 2 1 Safari 5 0 0 0 0 13 December 8 June 2010 2011

  9. Discuss with a partner • How would you architect mint.com to reduce the likelihood of a catastrophic security breach? – E.g., where attacker steals all users’ stored passwords or empties out all their bank accounts overnight

  10. Summary • Access control is a key part of security. • Privilege separation makes systems more robust: it helps reduce the impact of security bugs in your code. • Architect your system to make the TCB unbypassable, tamper-resistant, and verifiable (small).

  11. Software Security: Principles CS 161: Computer Security Prof. David Wagner January 29, 2016

  12. TL-15

  13. TL-30

  14. TRTL-30

  15. TXTL-60

  16. “ Security is economics. ”

  17. What does this program do?

  18. What can this program do? Can it delete all of your files? YES. Why?

  19. “ Least privilege. ”

  20. Touchstones for Least Privilege • When assessing the security of a system’s design, identify the Trusted Computing Base ( TCB ). – What components does security rely upon? • Security requires that the TCB: – Is correct – Is complete (can’t be bypassed) – Is itself secure (can’t be tampered with) • Best way to be assured of correctness and its security? – KISS = Keep It Simple, Stupid! – Generally, Simple = Small • One powerful design approach: privilege separation – Isolate privileged operations to as small a component as possible – (See lecture notes for more discussion)

  21. Check for Understanding • We’ve seen that PC platforms grant applications a lot of privileges • Quiz: Name a platform that does a better job of least privilege

  23. “ Ensure complete mediation. ”

  24. Ensuring Complete Mediation • To secure access to some capability/resource, construct a reference monitor • Single point through which all access must occur – E.g.: a network firewall • Desired properties: – Un-bypassable ( “ complete mediation ” ) – Tamper-proof (is itself secure) – Verifiable (correct) – (Note, just restatements of what we want for TCBs) • One subtle form of reference monitor flaw concerns race conditions …

  25. TOCTTOU Vulnerability procedure withdrawal(w) // contact central server to get balance 1. let b := balance 2. if b < w, abort // contact server to set balance 3. set balance := b - w 4. dispense $w to user TOCTTOU = Time of Check To Time of Use

  26. public void buyItem(Account buyer, Item item) { if (item.cost > buyer.balance) return; buyer.possessions.put(item); buyer.possessionsUpdated(); buyer.balance -= item.cost; buyer.balanceUpdated(); }

  30. “ Separation of responsibility. ”

  32. Coming Up … • Homework 1 due Monday • Project 1 is now available

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan

Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan

CSE 127: Computer Security Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and Stefan Savage This week How to build secure systems Least privilege and privilege separation

578 views • 46 slides
Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least Common Mechanism Psychological

488 views • 22 slides
Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least Common Mechanism Psychological

787 views • 43 slides
FLEXDROID: Enforcing In- App Privilege Separation in Android Jaebaek Seo, Daehyeok Kim, Donghyun

FLEXDROID: Enforcing In- App Privilege Separation in Android Jaebaek Seo, Daehyeok Kim, Donghyun

FLEXDROID: Enforcing In- App Privilege Separation in Android Jaebaek Seo, Daehyeok Kim, Donghyun Cho, T aesoo Kim, Insik Shin (NDSS 16) Presented by Shivansh Chandnani CS 563 (Fall 2018) 3 rd party libraries are very popular in Android

1.12k views • 28 slides
Privilege separation and isolation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and

Privilege separation and isolation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and

CSE 127: Computer Security Privilege separation and isolation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and Stefan Savage Chromium security architecture Browser (&quot;kernel&quot;) Full privileges (file system,

603 views • 29 slides
GSS-Proxy: Better privilege separation Simo Sorce Principal Software Engineer, Red Hat February

GSS-Proxy: Better privilege separation Simo Sorce Principal Software Engineer, Red Hat February

GSS-Proxy: Better privilege separation Simo Sorce Principal Software Engineer, Red Hat February 2013 1 Outline Introduction to GSS-API Using GSS-API Introduction to GSS-Proxy GSS-Proxy components Kernel upcalls and

186 views • 18 slides
Decomposition Announcements Modular Design Separation of Concerns 4 Separation of Concerns A

Decomposition Announcements Modular Design Separation of Concerns 4 Separation of Concerns A

Decomposition Announcements Modular Design Separation of Concerns 4 Separation of Concerns A design principle: Isolate different parts of a program that address different concerns 4 Separation of Concerns A design principle: Isolate

887 views • 76 slides
Privilege: An Update Litigation Privilege: a brief definition Confidential Made for

Privilege: An Update Litigation Privilege: a brief definition Confidential Made for

Privilege: An Update Litigation Privilege: a brief definition Confidential Made for dominant purpose of civil or criminal litigation Relate to litigation which is pending, reasonably contemplated, or existing Legal Advice Privilege:

532 views • 20 slides
Outline Secure use of the OS Bernsteins perspective CSci 5271 Techniques for privilege

Outline Secure use of the OS Bernsteins perspective CSci 5271 Techniques for privilege

Outline Secure use of the OS Bernsteins perspective CSci 5271 Techniques for privilege separation Introduction to Computer Security Announcements intermission Day 9: OS security basics OS security: protection and isolation Stephen

649 views • 13 slides
Stamps UDLS Jan Pilzer 2017-10-20 Components of a Stamp 1. Design 2. Separation 3.

Stamps UDLS Jan Pilzer 2017-10-20 Components of a Stamp 1. Design 2. Separation 3.

Stamps UDLS Jan Pilzer 2017-10-20 Components of a Stamp 1. Design 2. Separation 3. Denomination 4. Country Name (Except UK) Postage Stamp Design Design Categories Portrait bust - profile or full-face Emblem - coat of arms, flag,

560 views • 24 slides
Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners Association Adam Huckle 27 March 2019 Overview What is Privilege? Types: Legal Advice Privilege Litigation Privilege Recent cases

226 views • 18 slides
Privilege Escala-on Manual privilege escala/on techniques on Unix

Privilege Escala-on Manual privilege escala/on techniques on Unix

Privilege Escala-on Manual privilege escala/on techniques on Unix and Windows Michal Knapkiewicz, May 2016 whoami Senior Consultant at Advanced Security

884 views • 51 slides
+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited

+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited

+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited Non-Lawyer Tax Advisors Nicole Wilson-Rogers, Annette Morgan and Dale Pinto + Structure Snapshot: Argument advanced in the paper Current Privileges

422 views • 17 slides
Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests

Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests

Presenting a live 90-minute webinar with interactive Q&amp;A Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests Diverge? Navigating the Complexities of Joint Representations During Litigation, Spinoffs,

889 views • 42 slides
For over 30 years now, Design Benefits has had the privilege of helping thousand of clients with

For over 30 years now, Design Benefits has had the privilege of helping thousand of clients with

For over 30 years now, Design Benefits has had the privilege of helping thousand of clients with their insurance needs. We have a full staff of experienced employee's to assist you with any insurance questions, or needs you might have. We are

268 views • 22 slides
Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege

Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege

Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege Separation Nathan Dautenhahn, Theodoros Kasampalis, Will Dietz, John Criswell, and Vikram Adve Nested Kernel - Motivation Monoliths have single

398 views • 17 slides
Cyber@UC Meeting 79 Metasploit If Youre New! Join our Slack: cyberatuc.slack.com Check

Cyber@UC Meeting 79 Metasploit If Youre New! Join our Slack: cyberatuc.slack.com Check

Cyber@UC Meeting 79 Metasploit If Youre New! Join our Slack: cyberatuc.slack.com Check out our website: cyberatuc.org SIGN IN! (Slackbot will post the link in #general every Wed@6:30) Feel free to get involved with one of

693 views • 12 slides
LEDBAT A PPLICATIONS P RACTICES AND R ECOMMENDATIONS Presenter: Reinaldo Penno,

LEDBAT A PPLICATIONS P RACTICES AND R ECOMMENDATIONS Presenter: Reinaldo Penno,

LEDBAT A PPLICATIONS P RACTICES AND R ECOMMENDATIONS Presenter: Reinaldo Penno, rpenno@juniper.net Co-Authors: Joe Touch, touch@ISI.EDU Richard Woundy, richard_woundy@cable.comcast.com Vijay K. Gurbani, vkg@bell-labs.com Satish Raghunath,

642 views • 15 slides
Can your site work on IE3? By: Chen Hui Jing @hj_chen Talk CSS #39 (22 May 2019) Yeo Kheng Meng

Can your site work on IE3? By: Chen Hui Jing @hj_chen Talk CSS #39 (22 May 2019) Yeo Kheng Meng

Can your site work on IE3? By: Chen Hui Jing @hj_chen Talk CSS #39 (22 May 2019) Yeo Kheng Meng @yeokm1 1 1 Agenda 1. Background 2. Quick Live Demo 3. How I got DOS 6.22, Win3.1 and networking to work 4. Live coding/debugging 2

146 views • 13 slides
Internet Explorer turns your personal computer into a public File Server Black Hat DC 2010 |

Internet Explorer turns your personal computer into a public File Server Black Hat DC 2010 |

Internet Explorer turns your personal computer into a public File Server Black Hat DC 2010 | Jorge Luis Alvarez Medina 1 Jorge Luis Alvarez Medina | CORE Security Technologies | February 2010 Outline Attack results Internet Explorer

609 views • 38 slides
THE BROWSER IS DEAD Dan North Dan North &amp; Associates LONG LIVE THE BROWSER! Dan North

THE BROWSER IS DEAD Dan North Dan North &amp; Associates LONG LIVE THE BROWSER! Dan North

THE BROWSER IS DEAD Dan North Dan North &amp; Associates LONG LIVE THE BROWSER! Dan North Dan North &amp; Associates The gangs 1990: Tim Berners-Lee - (WorldWideWeb) 1993: NCSA Mosaic 1994: Netscape - Navigator 1995: Microsoft -

971 views • 21 slides
1 WeShare comes from the name in the address of the server. 2 SHAREPOINT is the name of

1 WeShare comes from the name in the address of the server. 2 SHAREPOINT is the name of

1 WeShare comes from the name in the address of the server. 2 SHAREPOINT is the name of the Application that runs on the server. It is a Microsoft application that is designed to enable people to Collaborate on documents. 3 One feature

434 views • 18 slides
New Statements 5 INDUCTION 1 Finance Statements 5 What is Statements 5 ? Financial reports

New Statements 5 INDUCTION 1 Finance Statements 5 What is Statements 5 ? Financial reports

Finance New Statements 5 INDUCTION 1 Finance Statements 5 What is Statements 5 ? Financial reports accessed via a web browser Security based on LSE network ID (single sign-on) Access remotely via remote desktop Runs against

918 views • 22 slides
SMORE : So)ware-Defined Networking Mobile Offloading Architecture

SMORE : So)ware-Defined Networking Mobile Offloading Architecture

SMORE : So)ware-Defined Networking Mobile Offloading Architecture Junguk Cho, Binh Nguyen, Arijit Banerjee, Robert Ricci, Jacobus Van der Merwe, and

806 views • 59 slides

More recommend