VM: Chapter 5 Guiding Principles for Software Security.
Transcript of VM: Chapter 5 Guiding Principles for Software Security.
VM: Chapter 5
Guiding Principles for Software Security
csci5233 computer security & integrity
The 10 Principles
1. Secure the weakest link
2. Practice defense in depth
3. Fail securely
4. Follow the principle of least privilege
5. Compartmentalize
6. KISS
7. Promote privacy
8. Remember that hiding secrets is hard
9. Be reluctant to trust
10. Use your community resources
1. Secure the weakest link
A chain is only as strong as its weakest link. Which is easier to rob: a convenience store or a bank?
Example: encrypted transmission
A (plaintext) --encryption--> ciphertext --decryption--> B (plaintext)
Where's the weakest point?
Risk Analysis
Identifying the weakest component of a system falls directly out of a good risk analysis.
Address the most serious risk first.
Question: How is the seriousness of a risk determined?
Social Engineering
An attack is launched by social manipulation to break into a system.
An example: A help desk worker dealing with a "frustrated" user who cannot get into his account (p.94)
A good strategy? Evaluate the "elaborate" scheme given on page 95:
2. Practice defense in depth
Manage risk with diverse, redundant defensive strategies.
If one layer of defense is broken, another layer hopefully prevents a full breach. The sum of the protection offered is far greater than the protection offered by any single component.
An example: multiple layers of firewalls + encrypted data
3. Fail securely
A system failure may cause the system to exhibit insecure behavior: when the system fails, its behavior is less secure than usual.
An example: Credit card authentication (p.98)
Another example: Support of legacy clients that do not use encryption (backward compatibility)
Java's RMI: server authentication with clients (p.99)
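The two examples on this slide, written out as an added illustration (this code is not from the slides or the textbook): a credit-card authorization whose failure mode is either more permissive than normal operation (fail-open) or no more permissive (fail-secure), and a protocol negotiation that either downgrades a legacy client to plaintext or refuses it. The issuer service, the Charge type and the amounts are constructed for the example.

```python
"""Added example (not from the slides or the textbook): fail-open versus
fail-secure handling of an authorization failure, plus a protocol
negotiation that refuses to downgrade to plaintext.  All names below are
constructed for illustration."""
from dataclasses import dataclass
from typing import Optional, Set


class AuthorizerUnavailable(Exception):
    """The hypothetical card-issuer service could not be reached."""


@dataclass(frozen=True)
class Charge:
    card_last4: str
    amount_cents: int


def remote_authorize(charge: Charge, service_up: bool) -> bool:
    """Stand-in for the network call to the issuer (constructed).

    Approves charges up to 100.00 while the service is reachable and raises
    when it is not; that raise is the failure the two callers handle differently.
    """
    if not service_up:
        raise AuthorizerUnavailable("issuer link down")
    return charge.amount_cents <= 10_000


def charge_fail_open(charge: Charge, service_up: bool) -> bool:
    """Insecure: an outage is treated as approval, so every sale goes through."""
    try:
        return remote_authorize(charge, service_up)
    except AuthorizerUnavailable:
        return True  # the failure mode is more permissive than normal operation


def charge_fail_secure(charge: Charge, service_up: bool) -> bool:
    """Secure: start from 'declined'; only an explicit approval changes that."""
    approved = False
    try:
        approved = remote_authorize(charge, service_up)
    except AuthorizerUnavailable:
        approved = False  # record the outage for operators; the decision stays 'declined'
    return approved


def choose_protocol(client_offers: Set[str], allow_plaintext_fallback: bool) -> Optional[str]:
    """Legacy-client support: return the transport to use, or None to refuse.

    With allow_plaintext_fallback=True a client that only offers 'plain' is
    served unencrypted (backward compatibility that fails insecurely); with
    False the server declines the connection instead of downgrading.
    """
    if "tls" in client_offers:
        return "tls"
    if allow_plaintext_fallback and "plain" in client_offers:
        return "plain"
    return None


if __name__ == "__main__":
    sale = Charge("4242", 5_000)
    print("fail-open during outage:", charge_fail_open(sale, service_up=False))      # True
    print("fail-secure during outage:", charge_fail_secure(sale, service_up=False))  # False
    print("legacy client, no fallback:", choose_protocol({"plain"}, False))          # None
```

The point of starting `charge_fail_secure` from `approved = False` is that every path that does not reach an explicit approval, including paths added later, ends in a decline; the fail-open version has to remember to deny in each new failure branch.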
4. The principle of least privilege
Only the minimum access necessary to perform an operation should be granted.
+ That access should be granted only for the minimum amount of time necessary. Keep windows of vulnerability as short as possible.
An example: The US government security clearance system
A program shall relinquish root privilege when it no longer needs it.
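The last point on this slide, relinquishing root once it is no longer needed, as an added example (not code from the slides): a service does its one privileged step, then drops to an unprivileged uid/gid and verifies that the drop took effect. The OS calls are injectable so the sequence can be exercised without actually running as root; FakeOS, the port and the uid/gid values are constructed for the illustration.

```python
"""Added example (not from the slides): a service that needs root only to
bind a privileged port, and relinquishes root as soon as that is done.  The
OS calls are injectable so the sequence can be exercised without actually
running as root; FakeOS and the uid/gid values are constructed."""
import os
from typing import Callable, List, Optional, Sequence, Tuple


class PrivilegeError(RuntimeError):
    """A privilege drop was refused or did not take effect."""


def drop_privileges(target_uid: int, target_gid: int,
                    setgroups: Optional[Callable[[Sequence[int]], None]] = None,
                    setgid: Optional[Callable[[int], None]] = None,
                    setuid: Optional[Callable[[int], None]] = None,
                    geteuid: Optional[Callable[[], int]] = None) -> int:
    """Permanently give up root and return the effective uid afterwards.

    Order matters: supplementary groups and the gid must be changed while the
    process is still root, because after setuid() it can no longer change
    them.  Dropping to uid 0 is refused, and the result is verified, since a
    drop that silently fails leaves the window of vulnerability open forever.
    """
    setgroups = setgroups or os.setgroups   # real calls unless a stand-in is injected
    setgid = setgid or os.setgid
    setuid = setuid or os.setuid
    geteuid = geteuid or os.geteuid
    if target_uid == 0:
        raise PrivilegeError("refusing to 'drop' to root")
    setgroups([])          # clear supplementary groups first
    setgid(target_gid)
    setuid(target_uid)     # irrevocable: real, effective and saved uid all change
    if geteuid() != target_uid:
        raise PrivilegeError("privilege drop did not take effect")
    return target_uid


class FakeOS:
    """Records the calls so the order can be checked; constructed for the example."""

    def __init__(self, euid: int = 0, honor_setuid: bool = True) -> None:
        self.euid = euid
        self.honor_setuid = honor_setuid   # False simulates a drop that silently fails
        self.calls: List[Tuple] = []

    def setgroups(self, groups: Sequence[int]) -> None:
        self.calls.append(("setgroups", list(groups)))

    def setgid(self, gid: int) -> None:
        self.calls.append(("setgid", gid))

    def setuid(self, uid: int) -> None:
        self.calls.append(("setuid", uid))
        if self.honor_setuid:
            self.euid = uid

    def geteuid(self) -> int:
        return self.euid


def run_service(fake: FakeOS, service_uid: int = 1000, service_gid: int = 1000) -> List[Tuple]:
    """Do the one privileged step while root, drop, then do the long-lived work.

    Returns the recorded call sequence so a reader can see that nothing after
    'bind' runs with root privileges.
    """
    fake.calls.append(("bind", 443))  # the only step that needs root (simulated)
    drop_privileges(service_uid, service_gid,
                    setgroups=fake.setgroups, setgid=fake.setgid,
                    setuid=fake.setuid, geteuid=fake.geteuid)
    fake.calls.append(("serve", fake.geteuid()))  # runs as the service user
    return fake.calls


if __name__ == "__main__":
    for step in run_service(FakeOS(euid=0)):
        print(step)
```

Calling `drop_privileges` with no stand-ins uses the real `os.setgroups`, `os.setgid` and `os.setuid`, which only succeed when the process actually is root; the verification step is what turns a failed drop into a loud error rather than a service that keeps running as root by accident.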
The Problem with default settings
Windows API (p.101)
Java applets (p.102)
Wireless network card: WEP encryption
File access permissions
5. Compartmentalize
Break a system into small compartments, each of which can be sealed from the others.
– Damage control
– Separation of privileges
– OS with compartmentalization: roles
– Reasonable compartmentalization
6. KISS
"Keep it simple, sir."
Complexity may introduce new vulnerabilities and thus increases the risks.
Reuse tested, good-quality software components.
Redundancy versus Simplicity (p.105)
A balance between redundant security features (principle 2) and simple security.
Choke points: a small, easily controlled interface.
No backdoors or secret entrances.
Usability Engineering (p.106)
1. The user will not read documentation.
– Provide security by default.
2. Talk to users to determine their security requirements.
3. Realize that users aren't always right.
4. Users are lazy.
7. Promote Privacy
User privacy is a security concern.
Usability versus privacy protection:
– Should credit card numbers be stored on the server?
– Should credit card numbers stored on a server be encrypted?
– Where should the encryption key be stored?
System information: Release as little system information as possible.
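The two halves of this slide in code, as an added example (not from the slides): the application keeps only what it needs of a card number (a keyed token plus the last four digits, with the key held outside the database), and failures are reported to the client without system details while the full detail is logged server-side under a reference. The tokenization scheme, the key and the sample values are constructed for the illustration.

```python
"""Added example (not from the slides): data minimization for card numbers
and error responses that release as little system information as possible.
The keyed-token scheme and the sample values are constructed."""
import hashlib
import hmac
import logging
import secrets
from typing import Dict

log = logging.getLogger("payments")


def tokenize_card(pan: str, server_key: bytes) -> Dict[str, str]:
    """Return the only card data the application keeps: an opaque token and last4.

    The token is an HMAC of the digits under a server-side key, so the stored
    value is useless to someone who reads the database without that key, and
    the full number is not retained at all.  The key belongs outside the
    database (environment, key store), which is the slide's third question.
    A real deployment would hand the number to a payment processor; the HMAC
    stands in for that here.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    token = hmac.new(server_key, digits.encode(), hashlib.sha256).hexdigest()
    return {"token": token, "last4": digits[-4:]}


def leaky_error(exc: Exception) -> Dict[str, str]:
    """What not to do: the client learns the exception type, host names, paths."""
    return {"error": f"{type(exc).__name__}: {exc}"}


def private_error(exc: Exception) -> Dict[str, str]:
    """Release as little system information as possible.

    The client gets a fixed message and a random reference; the detail is
    logged server-side under that reference so support can still find it.
    """
    ref = secrets.token_hex(6)
    log.error("request failed ref=%s detail=%r", ref, exc)
    return {"error": "The request could not be completed.", "ref": ref}


if __name__ == "__main__":
    key = b"constructed-example-key"      # in practice: loaded from outside the database
    print(tokenize_card("4111 1111 1111 1111", key))
    failure = ConnectionError("db host 10.0.0.5:5432 refused")
    print(leaky_error(failure))           # exposes the database host to the client
    print(private_error(failure))         # fixed message plus a reference only
```

Two cards that differ only in formatting map to the same token, so lookups still work, while the same card under a different key gives a different token, which is what makes the key rather than the database the thing that has to be protected.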
8. Hiding secrets is hard (p.109)
Security is often about keeping secrets.
Is a secret kept in a binary format well protected?
– Copy protection
– Java byte codes
Insider attacks are common and can cause serious damage.
9. Be reluctant to trust
Servers and clients should be designed not to trust each other.
Many security products introduce more risks than they address.
Skepticism is always good, especially when it comes to security vendors.
Trust yourself?
– Get objective, high-quality outside reviews
10. Use your community resources
Public scrutiny: Is a secret encryption algorithm better than a publicly known one?
Good cryptographic algorithms work because they rely on keeping the key secret, not because the algorithm itself is secret.
– Java developer community
– IETF RFCs
Next
Pf: Ch 2