Software Security Karl Lieberherr
29 Slides56.00 KB
Software Security Karl Lieberherr
OMG-MOF MOF M3 layer Meta-metamodel UML Metamodel, etc. M2 layer Metamodels UML Models, etc. M1 layer Models Objects, etc. M0 layer Application objects
Technical Trends Affecting Software Security Software security risk management Malicious functionality that extends its primary, intended design. Malicious and flawed subsystems may remain invisible to unsuspecting users until it is too late.
Complexity Inherent, accidental. Makes systems hard to understand, analyze, and secure. May hide security risks.
Extensible systems Good: we can adapt them to our needs. Bad: risk of – Intentional introduction of malicious behavior. – Unintentional introduction of vulnerabilities. Risks are more pronounced now because of ubiquitous computer networks: an attacker no longer needs physical access to cause security problems.
Idea for home work: Extensibility through aspects Show them how an aspect can extend a system in a bad way. Print join point information: printing out the password. Health care system, patient privacy: charge more than services provided.
More risks More networks Complexity of software Extensibility of software Lack of diversity in popular computing environments
Ilities Security is like dependability, reliabilitiy and any other software ‘ility. Each ‘ility is a sytemwide emergent property that requires advanced planning and careful design. Better to design for security from scratch. Context is important: from proprietary networks to the internet. Internet-specific risks caused the systems to loose all their security properties.
What is Security Enforcing a policy that describes rules for accessing resources. Policy may be explicit or implicit. Better to use explicit policy.
Isn’t That Just Reliability? Reliability: measurement how robust software is with respect to some definition of a bug. Definition of a bug analogous to a security policy. Example: Know a remotely exploitable crasher in a web server: DOS attack.
Penetrate and Patch Security is not an add-on feature. Some vendors only start to worry about security after their product has been publically broken: Rush out a patch. In economic terms, finding and removing bugs in a software system before its release is orders of magnitude cheaper.
Alternative to penetrate and patch approach Designing system for security – See chapter 2 Carefully implement system Test system extensively before release
Security Goals Secure against what and from whom? Prevention threough design/implementation Traceability and Auditing: A system for accountability may disuade potential attackers. – Essential for forensics: show who did what, when. – Audit log is itself susceptible to attack. – Auditing is an essential part of software security (hw 1 on logging using AspectJ)
Security Goals Monitoring real-time auditing. – Intrusion detection. Danger of too many false alarms. – Assertions in the code itself. – Rarely practiced today. Should be used more.
Security Goals Privacy and confidentiality – Avoid storing secrets in your code. Multilevel security Anonymity – Often, technology that degrades anonymity and privacy turns out to be useful for law enforcement. – Software developers should think carefully about what may happen to data they collect. Does convenience outweigh potential privacy issues?
Security Goals Authentication – Who is it that is trying to do something to the what we want to protect.
Java Security at IBM Research (Larry Koved: manager) Automating Security Analysis of Java Components and Programs – Invocation graphs
HP/Sensorware The user injects the query into the network and the query unfolds to reach all the places where the distributed algorithm should execute.
LoD and Security Can execute software only if secret is known. Secret consists of set of keys, one per class. What is security policy? Each object only gets keys of its authenticated friends (who share the same concerns?). What are the benefits of such a security policy? Compartmentalize?
29 31 25
Modeling Secure Software Hansruedi Thomann
Secure Software Software security can be treated by modelling the software as an automaton with a bidirectional channel, an input and an output tape. The channel is defined in the usual manner, e.g., as a queue equipped with certain primitives. The attacker is an (inifinitely powerful) actor connected on the other end of the channel. He has full access to the channel, i.e. he receives the output and can send arbitrary messages.
Secure Software The automaton has the task to compute a certain transfer function of the inputs (input tape plus input channel) and, accordingly, to write results on the output tape and to return messages on the output channel.
Secure Software The security target is the integrity of the transfer function. I.e. the security objective is to enforce a certain functionality, i.e. to make sure that the automaton performs as intended. The attacker is successful, if he can make the automaton to compute a different function. Data integrity, access control, origin and entity authentication are special cases comprised in this definition, but not exhausting it.
Buffer overflow Have function
Model for security f: Input/channel input - Output/channel output Input Automaton channel Attacker Output Attacker can produce channel inputs and regular inputs. It can see the corresponding channel outputs and regular outputs.
Why the channel? The primary purpose of f is to map inputs to outputs. The attacker channel is used, e.g., to send illegal inputs with the hope to crash the automaton or with the hope to change the state so that a wrong f will be computed. The channel is also used to model collecting information about the system, e.g., to break pseudo random code generators.