principles for secure design
play

Principles for secure design Some of the slides and content are - PowerPoint PPT Presentation

May 12, 2023 •120 likes •830 views

Principles for secure design Some of the slides and content are from Mike Hicks Coursera course Making secure software Flawed approach : Design and build software, and ignore security at first Add security once the functional

  1. Principles for secure design Some of the slides and content are from Mike Hicks’ Coursera course

  2. Making secure software • Flawed approach : Design and build software, and ignore security at first • Add security once the functional requirements are satisfied • Better approach : Build security in from the start • Incorporate security-minded thinking into all phases of the development process

  3. Development process Four common phases of development Security Requirements Abuse Cases Requirements • Architectural Risk Analysis Design • Security-oriented Design Implementation • Code Review (with tools) Testing/assurance • Risk-based Security Tests Penetration Testing Security activities apply to all phases

  4. Development process Four common phases of development Security Requirements Abuse Cases Requirements • Architectural Risk Analysis Design • Security-oriented Design Implementation • Code Review (with tools) Testing/assurance • Risk-based Security Tests Penetration Testing We’ve been talking 
 about these Security activities apply to all phases

  5. Development process Four common phases of development Security Requirements Abuse Cases This class is 
 Requirements • Architectural Risk Analysis about these Design • Security-oriented Design Implementation • Code Review (with tools) Testing/assurance • Risk-based Security Tests Penetration Testing We’ve been talking 
 about these Security activities apply to all phases

  6. Designing secure systems • Model your threats • Define your security requirements • What distinguishes a security requirement from a typical “software feature”? • Apply good security design principles

  7. Threat Modeling

  8. Threat Model • The threat model makes explicit the adversary’s assumed powers • Consequence: The threat model must match reality, otherwise the risk analysis of the system will be wrong • The threat model is critically important • If you are not explicit about what the attacker can do, how can you assess whether your design will repel that attacker?

  9. Threat Model • The threat model makes explicit the adversary’s assumed powers • Consequence: The threat model must match reality, otherwise the risk analysis of the system will be wrong • The threat model is critically important • If you are not explicit about what the attacker can do, how can you assess whether your design will repel that attacker? “This system is secure” means nothing in the absence of a threat model

  10. A few different network threat models Client Network Server Malicious user

  11. A few different network threat models Client Network Server Snooping Malicious user

  12. A few different network threat models Client Network Server Snooping Malicious user Co-located user

  13. A few different network threat models Client Network Server Snooping Malicious user Co-located user Compromised server

  14. Threat-driven Design • Different threat models will elicit different responses • Only malicious users: implies message traffic is safe • No need to encrypt communications • This is what telnet remote login software assumed • Snooping attackers: means message traffic is visible More on these 
 • So use encrypted wifi (link layer), encrypted network layer when we get 
 (IPsec), or encrypted application layer (SSL) to networking Which is most appropriate for your system? - In fact, even 
 • Co-located attacker: can access local files, memory encrypting them 
 • Cannot store unencrypted secrets, like passwords might not suffice! • Likewise with a compromised server (More later)

  15. Threat-driven Design • Different threat models will elicit different responses • Only malicious users: implies message traffic is safe • No need to encrypt communications • This is what telnet remote login software assumed • Snooping attackers: means message traffic is visible More on these 
 • So use encrypted wifi (link layer), encrypted network layer when we get 
 (IPsec), or encrypted application layer (SSL) to networking Which is most appropriate for your system? - In fact, even 
 • Co-located attacker: can access local files, memory encrypting them 
 • Cannot store unencrypted secrets, like passwords might not suffice! • Likewise with a compromised server (More later)

  16. Bad Model = Bad Security • Any assumptions you make in your model are potential holes that the adversary can exploit

  17. Bad Model = Bad Security • Any assumptions you make in your model are potential holes that the adversary can exploit • E.g.: Assuming no snooping users no longer valid • Prevalence of wi-fi networks in most deployments

  18. Bad Model = Bad Security • Any assumptions you make in your model are potential holes that the adversary can exploit • E.g.: Assuming no snooping users no longer valid • Prevalence of wi-fi networks in most deployments • Other mistaken assumptions • Assumption : Encrypted traffic carries no information

  19. Bad Model = Bad Security • Any assumptions you make in your model are potential holes that the adversary can exploit • E.g.: Assuming no snooping users no longer valid • Prevalence of wi-fi networks in most deployments • Other mistaken assumptions • Assumption : Encrypted traffic carries no information Not true! By analyzing the size and distribution of messages, you - can infer application state • Assumption : Timing channels carry little information Not true! Timing measurements of previous RSA implementations - could be used eventually reveal a remote SSL secret key

  20. Bad Model = Bad Security Assumption : Encrypted traffic carries no information Skype encrypts its packets, so we’re not revealing anything, right? But Skype varies its packet sizes…

  21. Bad Model = Bad Security Assumption : Encrypted traffic carries no information Skype encrypts its packets, so we’re not revealing anything, right? But Skype varies its packet sizes… …and different languages have different 
 word/unigram lengths…

  22. Bad Model = Bad Security Assumption : Encrypted traffic carries no information Skype encrypts its packets, so we’re not revealing anything, right? But Skype varies its packet sizes… …and different languages have different 
 word/unigram lengths… …so you can infer what language two 
 people are speaking based on packet sizes !

  23. Finding a good model • Compare against similar systems • What attacks does their design contend with? • Understand past attacks and attack patterns • How do they apply to your system? • Challenge assumptions in your design • What happens if an assumption is untrue? What would a breach potentially cost you? - • How hard would it be to get rid of an assumption, allowing for a stronger adversary? What would that development cost? -

  24. You have your threat model. Now let’s define what we need to defend against. Security Requirements

  25. Security Requirements • Software requirements typically about what the software should do • We also want to have security requirements Security-related goals (or policies ) • Example : One user’s bank account balance should not be learned - by, or modified by, another user, unless authorized Required mechanisms for enforcing them • Example : - 1.Users identify themselves using passwords, 2.Passwords must be “strong,” and 3.The password database is only accessible to login program.

  26. Typical Kinds of Requirements • Policies • Confidentiality (and Privacy and Anonymity) Integrity • Availability • • Supporting mechanisms Authentication • Authorization • Audit-ability • Encryption •

  27. Supporting mechanisms These relate identities (“ principals ”) to actions Authentication Authorization Audit-ability

  28. Supporting mechanisms These relate identities (“ principals ”) to actions Authentication Authorization Audit-ability How can a system 
 tell who a user is

  29. Supporting mechanisms These relate identities (“ principals ”) to actions Authentication Authorization Audit-ability How can a system 
 tell who a user is What we know What we have 
 What we are > 1 of the above = 
 Multi-factor authentication

  30. Supporting mechanisms These relate identities (“ principals ”) to actions Authentication Authorization Audit-ability How can a system 
 How can a system 
 tell who a user is tell what a user is 
 allowed to do What we know What we have 
 What we are > 1 of the above = 
 Multi-factor authentication

  31. Supporting mechanisms These relate identities (“ principals ”) to actions Authentication Authorization Audit-ability How can a system 
 How can a system 
 tell who a user is tell what a user is 
 allowed to do What we know Access control policies What we have 
 (defines) 
 What we are + > 1 of the above = 
 Mediator Multi-factor authentication (checks)

  32. Supporting mechanisms These relate identities (“ principals ”) to actions Authentication Authorization Audit-ability How can a system 
 How can a system 
 How can a system 
 tell who a user is tell what a user is 
 tell what a user did allowed to do What we know Access control policies What we have 
 (defines) 
 What we are + > 1 of the above = 
 Mediator Multi-factor authentication (checks)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

May 19: Design Principles and Confinement Principles of Secure Design One set; other sets

May 19: Design Principles and Confinement Principles of Secure Design One set; other sets

May 19: Design Principles and Confinement Principles of Secure Design One set; other sets say basically the same thing Confinement, non-VM isolation Library operating systems Sandboxes Program modification Covert

584 views • 30 slides
CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of f the Common Principles Minimize attack Secure by surface area Default Principle of Fail-Safe Least Stance Privilege Secure the

975 views • 56 slides
Outline Saltzer & Schroeders principles CSci 5271 More secure design principles

Outline Saltzer & Schroeders principles CSci 5271 More secure design principles

Outline Saltzer & Schroeders principles CSci 5271 More secure design principles Introduction to Computer Security Day 7: Defensive programming and design, part 1 Software engineering for security Stephen McCamant Announcements

355 views • 7 slides
Outline More secure design principles Software engineering for security CSci 5271 Introduction

Outline More secure design principles Software engineering for security CSci 5271 Introduction

Outline More secure design principles Software engineering for security CSci 5271 Introduction to Computer Security Secure use of the OS Defensive programming and design, contd Announcements intermission Stephen McCamant Bernsteins

535 views • 8 slides
Principles for secure design Some of the slides and content are from Mike Hicks Coursera

Principles for secure design Some of the slides and content are from Mike Hicks Coursera

Principles for secure design Some of the slides and content are from Mike Hicks Coursera course Making secure software Flawed approach : Design and build software, and ignore security at first Add security once the functional

2.04k views • 152 slides
Principles for secure design Some of the slides and content are from Mike Hicks Coursera

Principles for secure design Some of the slides and content are from Mike Hicks Coursera

Principles for secure design Some of the slides and content are from Mike Hicks Coursera course Making secure software Making secure software Flawed approach : Design and build software, and ignore security at first Add security once

1.27k views • 109 slides
Outline Saltzer & Schroeders principles (contd) CSci 5271 More secure design

Outline Saltzer & Schroeders principles (contd) CSci 5271 More secure design

Outline Saltzer & Schroeders principles (contd) CSci 5271 More secure design principles Introduction to Computer Security Software engineering for security Defensive programming 2 (combined lecture) Announcements intermission

632 views • 9 slides
Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and Schroeder Authentication in general Bishop: Authentication is the binding of an identity to a principal. Network-based authentication mechanisms

1.6k views • 43 slides
SECURE BY DESIGN Security Design Principles for the Rest of Us GOTO London 2016 Eoin Woods -

SECURE BY DESIGN Security Design Principles for the Rest of Us GOTO London 2016 Eoin Woods -

SECURE BY DESIGN Security Design Principles for the Rest of Us GOTO London 2016 Eoin Woods - Endava @eoinwoodz 1 BACKGROUND Eoin Woods CTO at Endava (technology services, 3300 people) 10 years in product development - Bull,

453 views • 31 slides
Design Principles for Secure Systems Systems Driving Ideas for Security Principles Saltzer

Design Principles for Secure Systems Systems Driving Ideas for Security Principles Saltzer

1 Design Principles for Secure Systems Systems Driving Ideas for Security Principles Saltzer and Schroeder (1975) defined 8 principles that are based on the ideas of simplicity and restriction are based on the ideas of simplicity and

468 views • 17 slides
Main principles of secure OS

Main principles of secure OS

Main principles of secure OS Trusted Flexible Secure Versatile modular Internet security

490 views • 26 slides
Sandboxing and isolation Deian Stefan Today Lecture objectives: Understand basic principles

Sandboxing and isolation Deian Stefan Today Lecture objectives: Understand basic principles

CSE 127: Computer Security Sandboxing and isolation Deian Stefan Today Lecture objectives: Understand basic principles for building secure systems Understand mechanisms used to build secure systems Principles of secure design

1.1k views • 64 slides
Outline Saltzer & Schroeders principles CSci 5271 Announcements intermission

Outline Saltzer & Schroeders principles CSci 5271 Announcements intermission

Outline Saltzer & Schroeders principles CSci 5271 Announcements intermission Introduction to Computer Security Day 7: Defensive programming and design, More secure design principles part 1 Software engineering for security Stephen

571 views • 9 slides
Human-Computer Interaction 12. Design Principles (2) Last class Psychological design principles

Human-Computer Interaction 12. Design Principles (2) Last class Psychological design principles

Human-Computer Interaction 12. Design Principles (2) Last class Psychological design principles Recap: Psychological principles 1. User sees what they expect to see. 2. Users have difficulty focusing on more than one activity at a time. 3. It

843 views • 55 slides
Principles for Secure Software Following these doesnt guarantee security But they touch

Principles for Secure Software Following these doesnt guarantee security But they touch

Principles for Secure Software Following these doesnt guarantee security But they touch on the most commonly seen security problems Thinking about them is likely to lead to more secure code Lecture 13 Page 1 CS 236 Online 1.

439 views • 22 slides
UMBC A B M A L F T U M B C I O M Y O T R 1 (November 26, 2000 11:15 pm) I E

UMBC A B M A L F T U M B C I O M Y O T R 1 (November 26, 2000 11:15 pm) I E

Principles of VLSI Design Introduction CMPE 413/CMSC 711 Principles of VLSI Design Instructor: Professor Jim Plusquellic Text: Principles of CMOS VLSI Design: A Systems Perspective, by Neil H.E. Weste and Kamran Eshraghian. Supplementary

752 views • 21 slides
Program Partitioning Program Partitioning for Secure E xecution for Secure E xecution Cha rle

Program Partitioning Program Partitioning for Secure E xecution for Secure E xecution Cha rle

Program Partitioning Program Partitioning for Secure E xecution for Secure E xecution Cha rle s W. O Do nne ll G. E dwa rd Suh Srini De va da s Se pte mb e r 24, 2004 4 th MI T CSAI L Co mpute r Arc hite c ture Wo rksho p

189 views • 15 slides
Fermilab LBNF CF Far Detector BSI Facilities Engineering Services Section 8/26/2015

Fermilab LBNF CF Far Detector BSI Facilities Engineering Services Section 8/26/2015

WIRING DEVICES POWER SINGLE LINE DIAGRAM FIRE ALARM SYMBOLS ABBREVIATIONS ABBREVIATIONS SYMBOL DESCRIPTION SYMBOL DESCRIPTION SYMBOL DESCRIPTION SYMBOL DESCRIPTION SYMBOL DESCRIPTION SYMBOL DESCRIPTION R A, AMP AMPERE OC ON

313 views • 10 slides
KREONET SOFTWARIZATION - KREONET SD-WAN Deployment based on ONOS- Dongkyun Kim, KISTI

KREONET SOFTWARIZATION - KREONET SD-WAN Deployment based on ONOS- Dongkyun Kim, KISTI

KREONET SOFTWARIZATION - KREONET SD-WAN Deployment based on ONOS- Dongkyun Kim, KISTI mirr@kisti.re.kr Open Networking Summit 2016 Introduction & Background KREONET -S* as the Next KREONET Deployment Status of KREONET -S*

490 views • 25 slides
ACT-IAC Evolving the Workforce COI July 9, 2020 ACT-IAC Evolving the Workforce COI Leadership

ACT-IAC Evolving the Workforce COI July 9, 2020 ACT-IAC Evolving the Workforce COI Leadership

ACT-IAC Evolving the Workforce COI July 9, 2020 ACT-IAC Evolving the Workforce COI Leadership Team Andrew McCoy, Industry Chair Terri Shaffer, Government Chair Christina Vay, Government Vice-Chair Ronna Garrett, Industry Vice-Chair Robert

389 views • 16 slides
Video recording lectures: blending the quarantini. Matthew Jones & Nick Sharples TALMO

Video recording lectures: blending the quarantini. Matthew Jones & Nick Sharples TALMO

Video recording lectures: blending the quarantini. Matthew Jones & Nick Sharples TALMO workshop: Engagement and Interaction. 3rd September 2020 October 2018 - maths stafg were issued with ipads, pencils + dongles. Workfmow: Prepare slides

750 views • 23 slides
MouseJack: Injecting Keystrokes into Wireless Mice Marc Newlin | marc@bastille.net | @marcnewlin

MouseJack: Injecting Keystrokes into Wireless Mice Marc Newlin | marc@bastille.net | @marcnewlin

MouseJack: Injecting Keystrokes into Wireless Mice Marc Newlin | marc@bastille.net | @marcnewlin Marc Newlin Security Researcher @ Bastille Networks ((Mouse|Key)Jack|KeySniffer) Wireless mice and keyboards 16 vendors

1.14k views • 86 slides
Updates on Camera & Ground Plane Monitoring System Heng-Ye Liao, Charles Cadeau, Francesco

Updates on Camera & Ground Plane Monitoring System Heng-Ye Liao, Charles Cadeau, Francesco

Updates on Camera & Ground Plane Monitoring System Heng-Ye Liao, Charles Cadeau, Francesco Pietropaolo, Stephen Pordes, Serhan Tufanli HV system consortium meeting 07/10/2018 Signal Readout Port Port Item Number 1 Ground plane

302 views • 6 slides
Workshop on Active Internet Measurements Sam Crawford (sam@samknows.com) 9 February 2012

Workshop on Active Internet Measurements Sam Crawford (sam@samknows.com) 9 February 2012

Workshop on Active Internet Measurements Sam Crawford (sam@samknows.com) 9 February 2012 Background Company WAREHOUSE IN 2008 Regulatory work Since 2008 Since 2010 Since 2011 Since 2011 UK USA Europe Singapore United Kingdom United

268 views • 22 slides

More recommend