FIT3056 Secure and Trusted software systems
Le, P.D
Faculty of Information Technology
Monash University, Australia
pdle@infotech.monash.edu.au

Acknowledgement

Most of the materials are prepared by me. Some slides are borrowed from other lecturers who previously taught this subject.

Main objectives for this unit

- Demonstrate the importance of developing secure software
- Introduce various security threats, vulnerabilities and controls that need to be addressed during the development of secure and trusted software (systems)
- Introduce secure programming principles and practices (for constructing secure and trusted software)
- Motivate you as a software developer/security specialist to apply secure programming principles and practices in your projects
- Gain knowledge of testing and verifying secure and trusted software.

Important Information

- Examination (3 hours): 60%
- Two assignments (20% each).
- You need to pass the assignments and the exam to pass the subject.
- Please let me know if you have difficulties with this subject asap.
- Do not sit down and program. Work out the solution logically before you start your work.
- Discuss with the lecturer and tutor how to learn this subject and start your assignments asap.

Assignment Assessment

- A submission that meets all the basic requirements but does not extend beyond this will receive a pass grade (P)
- Some additional research or independent work may need to be demonstrated before a grade of C will be awarded
- Grades of D or HD will be reserved for submissions that show a sound understanding and exceptional ability of students

Outline of the subject

- Introduction to software design and implementation and security.
- Computer system software problems (vulnerabilities) and solutions (2 lectures)
- Principles of secure software design and implementation (2 lectures)
- Concurrent and distributed secure software
- Building trusted software systems
- Secure software testing and verification
- Reading in Software Security and Trusted Systems
- Revision

Outline of lecture 1

- Structure of a program.
- Fundamentals of software development.
- Why is software security important?
- Why is it necessary to develop secure and trusted software from the start?
- What is the difference between an insecure piece of software and a secure one?
- Some examples of good and bad code.

Types of software

- Operating systems and middleware
- Stand-alone applications installed on a hard disk
  - An app that prints letters to bank customers
  - Qlock program (www.qlock.com - freeware)
- Web-based applications
  - Run from a web server
  - Display in a web browser
  - Eg, web sites, web services
- Mobile and wireless applications
  - PDA, mobile phone apps
  - Mobile agents
- Software components
  - COTS – Commercial off-the-shelf
  - Open source

Software development

- A real world problem is specified
- A logical answer is produced after a number of design steps, with or without security in mind
- A programming language is chosen to map the logical answer to a real one (a computer program).
- The program is tested and put into use

Where software security fits?

Established areas of security: Information Security, Operating System security, Network security, Database security, and Software security. Software security touches every one of the others:

- S/w runs on an o/s and abides by its security rules
- S/w that uses a db must connect to and interact with the db securely
- S/w uses cryptography (encryption for confidentiality; MACs and digital signatures for integrity and non-repudiation) to protect its data
- S/w sends/receives data across inherently insecure networks

Borrowed this slide from other lecturers

Ideas about computer programs

Program:

- a static description of what you would like to happen (you describe what you would like to happen as an algorithm – the algorithm is then mapped into a sequence of statements of a programming language)

Process:

- a program in execution. It is a self-contained running program with its own address space
- an active entity in the system which executes the algorithm (program).

Programs & Processes

- A program can become a process and the process can then spawn new processes to run the same or other programs.
- Each process has its own unique address space (stack + global variable space + heap space)
- If two processes are created from the same executable, they still have different address spaces.
- A process is associated with a privilege: it runs with the credentials of whoever started it, not of whoever wrote the program.

Processes (e.g.)

A process can clone itself using "fork" under UNIX, but that also creates a separate address space:

    #include <unistd.h>

    int x = 1;
    int pid;

    int main(void) {
        pid = fork();   /* create a new process: the child is a copy of the parent */
        x = x + 1;      /* runs in both processes, but each increments its own copy of x */
        return 0;
    }

fork() creates a new process under Unix (who created this process is important – who wrote the code is not important – why?)

Threads

- A thread is a single sequential flow of execution within a process.
- Threads in the same process share the same address space.

Processes/Threads under OS

[Figure: an OS Process made up of Code, Data and a process Descriptor; within it Thread 1, Thread 2 ... Thread n, each with its own Stack and its own Descriptor]

- A process is represented by its code, data and the state of the machine registers, given in a descriptor.
- A process can support many threads of control, and it has multiple stacks, one for each thread.

Programming languages and security

- Some programming languages, such as C (where programming efficiency and code length are more important than security) or C++ (where programming efficiency, code length and object-oriented programming features are more important than security), were not designed for secure software development.
- Other languages, such as Ada and Java, were designed with some security considerations.
- In some languages, such as assembly language, you cannot enhance security much no matter how smart you are.

What we need to know about programs before considering software security

- Do we need programs which require no input or output?
- Are there many programs which require input and/or output?
- Are there programs running on the same computer?
- Are there programs running on different computers connected by a network?

What we need to know about programs before considering software security (con't)

- Are there programs which you can run with higher privileges than yours?
- What is meant by user-space processes and kernel-space processes?
- Do you know how to build applications that can transmit confidential data for you on request?
- Can you build applications that can provide you confidentiality and integrity over the communications?

Why is software security important?

Compromised software can lead to:

- Loss of productivity
  - Eg, DoS attacks, loss of data
- Loss of trust
  - "It's hard to build and easy to lose: a single violation of trust can destroy years of slowly accumulated credibility." - Jakob Nielsen
- Loss of money
  - Loss of business due to loss of trust or competitive advantage
  - Expense of fixing the damage
  - Expense of fixing security vulnerabilities

Why is it important to develop secure and trusted software from the start?

- Security is not a feature that can be added at any time
- Security as an afterthought is bad
  - By then, time constraints prevent thorough security testing and review
  - Reviewing existing code and fixing any bugs adds extra time and cost to the development cycle
  - External security reviewers cannot guarantee that all bugs will be found and fixed, because they lack an intimate understanding of the system
  - Automated tools can only pick up some known vulnerabilities and overlook many others.
  - Production environments may not allow vulnerabilities to be discovered.

Code, bugs and you – Who is the winner?

- Software complexity is measured in lines of code, programming style, and programming language platform.
- Some estimates put it at at least one bug per 100 lines of C code.
- Typical operating systems such as your favourite Windows have a few million lines of code (at one bug per 100 lines, 2 million lines already means 20,000 bugs).
- CERT statistics say that they discover roughly 5000 bugs per year, so at that rate it will take approximately 4 years to fix all the bugs in your favourite OS! Then the new release gives you more bugs. When can you fix all of them?

Evaluating trust in computer systems and software

- Evaluation is a formal methodology and set of procedures used to measure the degree of trust that can be placed in a system
- Empirical or qualitative evaluation are commonly used methods
- The most popular evaluation schemes in use are:
  - The Orange Book
  - The Common Criteria
  - European ITSEC criteria (not discussed here) – (refer to the sources for further reading.)

Microsoft's Trustworthy Computing (eg.)

- Microsoft's 5-10 year vision to address security, privacy, and reliability issues
- Increased investment in MS Research
- Their goal is for the users to be able to say:
  - I can trust this product
  - I can trust this supplier
  - This product is secure, reliable, and my privacy is respected (can we have all those?)

Goals of Trustworthy Computing

Goals: the basis for a customer's decision to trust a system

- Security: The customer can expect that systems are resilient to attack, and that the confidentiality, integrity, and availability of the system and its data are protected.
- Privacy: The customer is able to control data about themselves, and those using such data adhere to fair information principles.
- Reliability: The customer can depend on the product to fulfill its functions when required to do so.
- Business Integrity: The vendor of a product behaves in a responsive and responsible manner.

(source: Trustworthy Computing: Microsoft White Paper, http://download.microsoft.com/download/a/f/2/af22fd56-7f19-47aa-8167-4b1d73cd3c57/twc_mundie.doc)

Security by Design before Software Development

- Establish a security team
- Require security training
- Develop threat models during design
- Adhere to design and coding guidelines
- Regularly revise the guidelines
- Develop regression tests for all previously fixed vulnerabilities.
- Simplify the code and the security model
- Perform penetration analysis before shipping