may 19 design principles and confinement
play

May 19: Design Principles and Confinement Principles of Secure - PowerPoint PPT Presentation

May 31, 2023 •269 likes •584 views

May 19: Design Principles and Confinement Principles of Secure Design One set; other sets say basically the same thing Confinement, non-VM isolation Library operating systems Sandboxes Program modification Covert

  1. May 19: Design Principles and Confinement • Principles of Secure Design – One set; other sets say basically the same thing • Confinement, non-VM isolation – Library operating systems – Sandboxes – Program modification – Covert channels May 19, 2017 ECS 235B Spring Quarter 2017 Slide #1

  2. Basis of Design Principles • Simplicity – Less to go wrong – Fewer possible inconsistencies – Easy to understand • Restriction – Minimize access – Inhibit communication May 19, 2017 ECS 235B Spring Quarter 2017 Slide #2

  3. Least Privilege • A subject should be given only those privileges necessary to complete its task – Function, not identity, controls – Rights added as needed, discarded after use – Minimal protection domain May 19, 2017 ECS 235B Spring Quarter 2017 Slide #3

  4. Related: Least Authority • Principle of Least Authority (POLA) – Often considered the same as Principle of Least Privilege – Some make distinction: • Permissions control what subject can do to an object directly • Authority controls what influence a subject has over an object (directly or indirectly, through other subjects) May 19, 2017 ECS 235B Spring Quarter 2017 Slide #4

  5. Fail-Safe Defaults • Default action is to deny access • If action fails, system as secure as when action began May 19, 2017 ECS 235B Spring Quarter 2017 Slide #5

  6. Economy of Mechanism • Keep it as simple as possible – KISS Principle • Simpler means less can go wrong – And when errors occur, they are easier to understand and fix • Interfaces and interactions May 19, 2017 ECS 235B Spring Quarter 2017 Slide #6

  7. Complete Mediation • Check every access • Usually done once, on first action – UNIX: access checked on open, not checked thereafter • If permissions change after, may get unauthorized access May 19, 2017 ECS 235B Spring Quarter 2017 Slide #7

  8. Open Design • Security should not depend on secrecy of design or implementation – Popularly misunderstood to mean that source code should be public – “ Security through obscurity ” – Does not apply to information such as passwords or cryptographic keys May 19, 2017 ECS 235B Spring Quarter 2017 Slide #8

  9. Separation of Privilege • Require multiple conditions to grant privilege – Separation of duty – Defense in depth May 19, 2017 ECS 235B Spring Quarter 2017 Slide #9

  10. Least Common Mechanism • Mechanisms should not be shared – Information can flow along shared channels – Covert channels • Isolation – Virtual machines – Sandboxes May 19, 2017 ECS 235B Spring Quarter 2017 Slide #10

  11. Least Astonishment • Security mechanisms should be designed so users understand why the mechanism works the way it does, and using mechanism is simple – Hide complexity introduced by security mechanisms – Ease of installation, configuration, use – Human factors critical here May 19, 2017 ECS 235B Spring Quarter 2017 Slide #11

  12. Related: Psychological Acceptability • Security mechanisms should not add to difficulty of accessing resource – Idealistic, as most mechanisms add some difficulty • Even if only remembering a password – Principle of Least Astonishment accepts this • Asks whether the difficulty is unexpected or too much for relevant population of users May 19, 2017 ECS 235B Spring Quarter 2017 Slide #12

  13. Key Points • Principles of secure design underlie all security-related mechanisms • Require: – Good understanding of goal of mechanism and environment in which it is to be used – Careful analysis and design – Careful implementation May 19, 2017 ECS 235B Spring Quarter 2017 Slide #13

  14. Library Operating Systems • Often process can optimize use of system resources better than the operating system • Goal is to move as much of operating system as is feasible to user level – This minimizes context switches – It maximizes process flexibility May 19, 2017 ECS 235B Spring Quarter 2017 Slide #14

  15. Library Operating Systems • It’s a library(-ies) that provide operating system functionality at the user level • Develop kernel that: – Uses hardware protection to prevent processes from accessing memory space of others – Controls access to physical resources that must be shared by executing processes – Everything else is in user space May 19, 2017 ECS 235B Spring Quarter 2017 Slide #15

  16. Example • V++ Cache Kernel tracks OS that are in use – Also handles process co-ordination • Page faults – Application kernel loads new page mapping descriptor into Cache Kernel May 19, 2017 ECS 235B Spring Quarter 2017 Slide #16

  17. Example • Exokernel separates resource protection, resource management • Aegis: small kernel providing interface to hardware resources • ExOS: interface to Aegis that enables process to use resources s appropriate – Also provides resource protection May 19, 2017 ECS 235B Spring Quarter 2017 Slide #17

  18. Drawbridge • Library OS, security monitor for Windows – Security monitor provides interface to underlying OS • Processes use library OS to access security monitor interface – All interactions go through it – Library OS also provides application services (frameworks, rendering engines) May 19, 2017 ECS 235B Spring Quarter 2017 Slide #18

  19. Drawbridge • Handles kernel dependencies using emulator at lowest level of library OS – So all server dependencies, Windows subsystems moved into user layer – User interaction by emulated device drivers that tunnel I/O between desktop, security monitor • Processes isolated from one another May 19, 2017 ECS 235B Spring Quarter 2017 Slide #19

  20. Drawbridge Validation • Malware deleting all registry keys affected only that process • Keystroke logger captured keystrokes only for that process • Attacks causing Internet Explorer to to escape normal (protected) mode all mitigated May 19, 2017 ECS 235B Spring Quarter 2017 Slide #20

  21. Sandboxes • An environment in which actions are restricted in accordance with security policy – Limit execution environment as needed • Program not modified • Libraries, kernel modified to restrict actions – Modify program to check, restrict actions • Like dynamic debuggers, profilers May 19, 2017 ECS 235B Spring Quarter 2017 Slide #21

  22. Example: Janus • Implements sandbox in which system calls checked – Framework does runtime checking – Modules determine which accesses allowed • Configuration file – Instructs loading of modules – Also lists constraints May 19, 2017 ECS 235B Spring Quarter 2017 Slide #22

  23. Configuration File # basic module basic # define subprocess environment variables putenv IFS=“\t\n “ PATH=/sbin:/bin:/usr/bin TZ=PST8PDT # deny access to everything except files under /usr path deny read,write * path allow read,write /usr/* # allow subprocess to read files in library directories # needed for dynamic loading path allow read /lib/* /usr/lib/* /usr/local/lib/* # needed so child can execute programs path allow read,exec /sbin/* /bin/* /usr/bin/* May 19, 2017 ECS 235B Spring Quarter 2017 Slide #23

  24. How It Works • Framework builds list of relevant system calls – Then marks each with allowed, disallowed actions • When monitored system call executed – Framework checks arguments, validates that call is allowed for those arguments • If not, returns failure • Otherwise, give control back to child, so normal system call proceeds May 19, 2017 ECS 235B Spring Quarter 2017 Slide #24

  25. Use • Reading MIME Mail: fear is user sets mail reader to display attachment using Postscript engine – Has mechanism to execute system-level commands – Embed a file deletion command in attachment … • Janus configured to disallow execution of any subcommands by Postscript engine – Above attempt fails May 19, 2017 ECS 235B Spring Quarter 2017 Slide #25

  26. Examples Limiting Environment • Java virtual machine – Security manager limits access of downloaded programs as policy dictates • Sidewinder firewall – Type enforcement limits access – Policy fixed in kernel by vendor • Domain Type Enforcement – Enforcement mechanism for DTEL – Kernel enforces sandbox defined by system administrator May 19, 2017 ECS 235B Spring Quarter 2017 Slide #26

  27. Program Modification • Idea is to change program itself to comply with a stated security policy • Program can be rewritten to embed constraints in it • Compiler can apply constraints as program being compiled – Same for interpreter • Loader can apply constraints as program is loaded for execution May 19, 2017 ECS 235B Spring Quarter 2017 Slide #27

  28. Rewriting Program Software fault isolation • Untrusted modules go into virtual segments • Flow of control remains in the segment • All memory accesses from within the segment go to locations within the segment May 19, 2017 ECS 235B Spring Quarter 2017 Slide #28

  29. Implementations • Put each module in separate segment – Unsafe instruction access address that can’t be verified to be in the segment • Statically analyze program, identify all unsafe instructions • When executed, check address is in segment – Check segment identifier of (virtual) address – Replace segment identifier of (virtual) address with identifier of the segment May 19, 2017 ECS 235B Spring Quarter 2017 Slide #29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Design of Thread-Safe Classes 1 Topic Outline Thread-Safe Classes Principles Confinement

Design of Thread-Safe Classes 1 Topic Outline Thread-Safe Classes Principles Confinement

Design of Thread-Safe Classes 1 Topic Outline Thread-Safe Classes Principles Confinement Delegation Synchronization policy documentation 2 Thread-safe Class Design Process Identify the objects state (variables)

601 views • 20 slides
Lecture 19: Flow and Confinement Examples of information flow applications The confinement

Lecture 19: Flow and Confinement Examples of information flow applications The confinement

Lecture 19: Flow and Confinement Examples of information flow applications The confinement problem Covert channels Isolation: virtual machines, sandboxes March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-1 Matt Bishop, UC

322 views • 30 slides
QCD - properties confinement, Higgs mechanism more on confinement (i) the absence of free quarks

QCD - properties confinement, Higgs mechanism more on confinement (i) the absence of free quarks

QCD - properties confinement, Higgs mechanism more on confinement (i) the absence of free quarks in Nature [but quarks could combine with a fundamental coloured scalar] (ii) observable particles are colour singlets [but this confuses

1.58k views • 130 slides
May 24: Confinement Confinement, non-VM isolation Program modification Covert channels

May 24: Confinement Confinement, non-VM isolation Program modification Covert channels

May 24: Confinement Confinement, non-VM isolation Program modification Covert channels May 24, 2017 ECS 235B Spring Quarter 2017 Slide #1 Compiling Compiler enforces or validates constraints Type-safe language enforces them

313 views • 27 slides
Human-Computer Interaction 12. Design Principles (2) Last class Psychological design principles

Human-Computer Interaction 12. Design Principles (2) Last class Psychological design principles

Human-Computer Interaction 12. Design Principles (2) Last class Psychological design principles Recap: Psychological principles 1. User sees what they expect to see. 2. Users have difficulty focusing on more than one activity at a time. 3. It

843 views • 55 slides
UMBC A B M A L F T U M B C I O M Y O T R 1 (November 26, 2000 11:15 pm) I E

UMBC A B M A L F T U M B C I O M Y O T R 1 (November 26, 2000 11:15 pm) I E

Principles of VLSI Design Introduction CMPE 413/CMSC 711 Principles of VLSI Design Instructor: Professor Jim Plusquellic Text: Principles of CMOS VLSI Design: A Systems Perspective, by Neil H.E. Weste and Kamran Eshraghian. Supplementary

752 views • 21 slides
Principles of Software Construction: Objects, Design, and Concurrency API Design 2: principles

Principles of Software Construction: Objects, Design, and Concurrency API Design 2: principles

Principles of Software Construction: Objects, Design, and Concurrency API Design 2: principles Josh Bloch Charlie Garrod 17-214 1 Administrivia Homework 4c due Thursday, 10/29, 11:59pm EST Homework 5 coming soon Team sign-up

620 views • 47 slides
SunyoungKim,PhD Last class Psychological design principles Recap. Psychological

SunyoungKim,PhD Last class Psychological design principles Recap. Psychological

Human-Computer Interaction 17. Design Design Principles (2) SunyoungKim,PhD Last class Psychological design principles Recap. Psychological principles 1. User sees what they expect to see. 2. Users have difficulty focusing on more

963 views • 57 slides
Design principles for m-learning Outcome : To determine basic design principles for mobile

Design principles for m-learning Outcome : To determine basic design principles for mobile

Design principles for m-learning Outcome : To determine basic design principles for mobile learning and identify the key limitations to the design and development of mobile instruction. 1 Needs Assessment Before you start the design True

343 views • 10 slides
Tetraquarks in the Steiner tree model of confinement available at

Tetraquarks in the Steiner tree model of confinement available at

Introduction Symmetry breaking and tetraquarks The additive model of tetraquark confinement The Steiner-tree model of confinement Conclusions Tetraquarks in the Steiner tree model of confinement available at

644 views • 20 slides
Human-Computer Interaction 12. Design Principles (3) Last class Normans design principles

Human-Computer Interaction 12. Design Principles (3) Last class Normans design principles

Human-Computer Interaction 12. Design Principles (3) Last class Normans design principles Recap. Usability Usability is a measure of the effectiveness, efficiency and satisfaction with which specified users can achieve specified goals in a

826 views • 68 slides
Laboratorio Nacional de Fusin, CIEMAT, Spain 1/ 31 CORE TRANSPORT EMPIRICAL ACTUATORS

Laboratorio Nacional de Fusin, CIEMAT, Spain 1/ 31 CORE TRANSPORT EMPIRICAL ACTUATORS

SUMMARY SESSION EX/C Magnetic Confinement experiments (Confinement) EX/D Magnetic Confinement Experiments: Plasma-material interactions PPC -Plasma Overall Performance and Control I. CORE TRANSPORT II. EDGE TRANSPORT III. PLASMA-WALL IV.

591 views • 31 slides
Design Principles The goals of good design Goals What kind of devices do we want to make?

Design Principles The goals of good design Goals What kind of devices do we want to make?

Design Principles The goals of good design Goals What kind of devices do we want to make? Useful vs. usable 2 CS 349 - Design Principles 3 CS 349 - Design Principles 4 CS 349 - Design Principles http://www.tvhistory.tv 5 CS 349 -

813 views • 62 slides
Design Principles for Security-conscious Systems 1 Overview Design principles from Saltzer

Design Principles for Security-conscious Systems 1 Overview Design principles from Saltzer

Design Principles for Security-conscious Systems 1 Overview Design principles from Saltzer & Schroeders 1975 paper A few case studies What did Saltzer-Schroeder overlook? (Personal opinions) 2 Saltzer and Schroeders

780 views • 45 slides
4 OO Package Design Principles 4.1 Packages Introduction 4.2 Packages in UML 4.3 Three

4 OO Package Design Principles 4.1 Packages Introduction 4.2 Packages in UML 4.3 Three

4 OO Package Design Principles 4.1 Packages Introduction 4.2 Packages in UML 4.3 Three Package Design Principles 4.4 Development Environment (Three more principles) 4.5 Summary OO Package Design Principles Stefan Kluth 1 4.1 Packages

392 views • 36 slides
Static Use-Based Object Confinement Christian Skalka and Scott Smith The Johns Hopkins University

Static Use-Based Object Confinement Christian Skalka and Scott Smith The Johns Hopkins University

Static Use-Based Object Confinement Christian Skalka and Scott Smith The Johns Hopkins University Object confinement: what is it? Object confinement is concerned with the encapsulation , or protection, of object references Code boundaries

412 views • 24 slides
Students Successful Stories Arthur Kung It was 2012 when I joined Shrewsbury School at sixth

Students Successful Stories Arthur Kung It was 2012 when I joined Shrewsbury School at sixth

Students Successful Stories Arthur Kung It was 2012 when I joined Shrewsbury School at sixth form, studying Maths, Further Maths, Physics and Chemistry at A-levels. Throughout my time at Shrewsbury, I was given lots of opportunities to explore

221 views • 3 slides
Boycott as Resistance The Moral Dimension Closing the door to Oppression Omar Barghouti PACBI

Boycott as Resistance The Moral Dimension Closing the door to Oppression Omar Barghouti PACBI

Resisting Israeli Apartheid Conference December 5, 2004 University of London - SOAS Boycott as Resistance The Moral Dimension Closing the door to Oppression Omar Barghouti PACBI Where is the world? Is it dead? exclaimed the bereaved

339 views • 18 slides
Distributed Storage vs. Local Market Clive Tomlinson 05/06/2015 1 Two questions Energy

Distributed Storage vs. Local Market Clive Tomlinson 05/06/2015 1 Two questions Energy

Distributed Storage vs. Local Market Clive Tomlinson 05/06/2015 1 Two questions Energy markets tend to be constrained Historical/technical reasons Local markets for many other goods are unconstrained Would an unconstrained

619 views • 15 slides
Time Matters Minimizing Garbage Collection Overhead with Minimal Effort Gnther Blaschek

Time Matters Minimizing Garbage Collection Overhead with Minimal Effort Gnther Blaschek

Time Matters Minimizing Garbage Collection Overhead with Minimal Effort Gnther Blaschek Philipp Lengauer 2015-11-05 Configuration Hell OpenJDK 8 681 VM parameters (1300+ including tracing and debugging flags) ~ 10 205 configurations

329 views • 14 slides
Hardware Platform Considerations R. Halsall, K. Manolopoulos, C. Shepherd-Themistocleous

Hardware Platform Considerations R. Halsall, K. Manolopoulos, C. Shepherd-Themistocleous

Hardware Platform Considerations R. Halsall, K. Manolopoulos, C. Shepherd-Themistocleous Rutherford Appleton Laboratory DUNE Hardware Requirements Minimum hardware requirements for a FPGA platform Be able to fit at least 1 APA onto a

393 views • 5 slides
Monocle3 Tutorial Welcome! Download all data, slides, and scripts at: http://sta ff

Monocle3 Tutorial Welcome! Download all data, slides, and scripts at: http://sta ff

Monocle3 Tutorial Welcome! Download all data, slides, and scripts at: http://sta ff .washington.edu/hpliner/ Pace and content: We will move fairly fast - we hope experienced R users will be able to keep up, but expect newer users will follow the

565 views • 42 slides
Image warping and stitching Tues Mar 20 Kristen Grauman UT Austin Last time Feature-based

Image warping and stitching Tues Mar 20 Kristen Grauman UT Austin Last time Feature-based

CS 376 Computer Vision: lecture 15 3/19/2018 Image warping and stitching Tues Mar 20 Kristen Grauman UT Austin Last time Feature-based alignment 2D transformations Affine fit RANSAC Robust feature-based alignment Source:

556 views • 26 slides
physics of the big bang! Image from: http://abyss.uoregon.edu/~js/images/cmb_scatter.jpg Work

physics of the big bang! Image from: http://abyss.uoregon.edu/~js/images/cmb_scatter.jpg Work

CMB limits our (EM) view on the early universe Using gravitational waves we can peer through the fog of the CMB to probe the physics of the big bang! Image from: http://abyss.uoregon.edu/~js/images/cmb_scatter.jpg Work at first order

379 views • 13 slides

More recommend