Post on 02-Jan-2016
Objectives
Software Flaws
OSI Model
Database Concepts
Software Lifecycle
Change Control
OOP
Expert Systems
Why Security is Lacking?
Software vendors rush to market
Security professionals are not software developers
Public is used to software with bugs
Software vendors not held liable
Programmers not taught secure coding in school
Note: Average 10 bugs every 1K lines
Usual Steps
Buggy software released to market
Hackers find vulnerabilities
Web sites post vulnerabilities
Vendors develop patches
Patches sit on network administrators' desks waiting to be tested and installed
Where to Implement
Security should be planned and managed throughout the lifecycle
Not to be added as an afterthought
Should not be forsaken due to deliverable deadlines
Focus on security AND functionality
Functional Requirements
Specific system functionalities
Consider how the parts of the system should interoperate
Deliverable from this phase of development is a functional requirements document
Design
Determine how exactly the various parts of the system will interoperate
How the modular system structure will be laid out
Lay out initial timelines for completion of coding milestones
Deliverable is formal design documents
Code Review Walk-Through
Schedule several code walk-through meetings
Involve only development personnel
Look for problems in logical flow or security
System Testing
Perform the initial system tests using development personnel
Agree that the system meets all functional requirements
Deliverable is beta code
Certification/Accreditation
Normally required by defense contractors
Certification is the comprehensive evaluation of the technical and non-technical security features of an IT system
Accreditation is the formal declaration by the approving authority that an IT system is approved to operate in a particular security mode
Maintenance
Ensure continued operation in the face of changing operational, data processing, storage, and environmental requirements
Changes to the code must be handled through a formalized change request/control process
Life Cycle Models
Formalized life cycle management process
Royce and Boehm proposed several software life cycle models
In 1991, the Software Engineering Institute introduced the Capability Maturity Model
Waterfall Model
Developed by Royce in 1970
Series of iterative activities
7 stages of development
– System requirements
– Software requirements
– Preliminary design
– Detailed design
– Code/debug
– Testing
– Maintenance
Allows development to return to the previous phase to correct defects discovered
1st comprehensive model to allow a step back
Only allows the developers to step back one phase in the process
Spiral Model
Developed by Boehm in 1988 at TRW
Multiple iterations
Each loop of the spiral results in a system prototype
Allows developers to return to the planning stage based on changing technical demands and customer requirements
Software Capability Maturity
Developed at CMU in 1991
Repeatable – reuse of code begins
Defined – developers use formal processes
Managed – quantitative measures utilized
Optimized – process of continuous improvement
Security Control Architecture
Process isolation
– Fundamental security procedures put into place during system design
Hardware segmentation
– Process isolation at the hardware level by enforcing memory access constraints
Protection Rings
Layer 0 – where the OS kernel resides
– Has full control of all system resources
Layer 1 & 2 – device drivers and OS interfaces
– Most O/S do not implement these layers
Layer 3 – user applications and processes
– Known as user mode
– Not allowed direct access to system resources
Ring 0 – Reference Monitor
Must be tamperproof
Must always be invoked
Small enough to be analyzed
Must be complete
Virus
Piece of code that requires a host application to reproduce
– Macro
– Boot sector
– Compression
– Stealth
– Polymorphic
– Multi-partite
– Self-garbling
Fred Cohen wrote the 1st in 1983
– Called the morris worm
Over 60,000 viruses today
Main functions – propagation and destruction
More Malware
Worms
– Can reproduce on their own
– Self contained
Logic bomb
– Event triggers execution
Trojan horse
– Disguised as another program
– Uses program to exploit authorization process
Threats in Software Environment
Buffer Overflow
Citizen Programmers
Covert Channels: Storage and Timing
Malware
Malformed Input
Object Reuse
Mobile Code
Time of Check/Time of Use
System Development Life Cycle
Project Initiation
Functional Requirements
System Design
Develop
Acceptance
Installation
Maintenance
Revisions
Software Protection Mechanisms
Security Kernel (Monitor)
Processor Privilege State
Buffer Overflow Controls
Incomplete Parameter Controls
Memory Protection
Covert Channel Controls
Cryptography
Database Vulnerabilities
Aggregation
Bypass Attacks
Deadlocking
Query Attacks
Web Security
Compromising Database Views
Database Protection
Lock Controls
View Based Controls
Grant/Revoke Controls
Metadata Controls
Data Contamination Controls
Distributed Components
Agents
– Performs actions on behalf of user
– Carries out activities unattended
Applets
– Sent from server to client
– Self contained mini-programs
– Java (Sun) & ActiveX (MS)
– Java is 'sandboxed' but ActiveX runs at ring 0
Databases
Relational
– Flat 2-dimensional table
– # of rows is cardinality
– # of columns is degree
– Security available through views
– Primary & secondary keys used
Data Warehouses & Data Mining
Expert Systems
Accumulated knowledge of an expert on a specific subject
– Knowledge base
– Inference engine
– Fuzzy logic
Neural networks
Programming
Interpreted versus compiled
Fail-secure versus fail-open
Reverse engineering
White box testing versus black box testing
Password Attacks
Dictionary attacks
– Against /etc/passwd in Unix
– Compares hash values
Social engineering
Brute force attacks
Complex passwords
DOS Attacks
SYN flood
DDOS
– Tribal Flood Network (TFN)
DRDoS attacks
– Smurf (ICMP)
– Fraggle (UDP)
– Teardrop (fragmentation)
– Land (tight loop for old systems)
– Ping of Death (larger than 64K packets)