November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-1 Chapter 17: Introduction to Assurance Overview Why assurance? Trust and.

Slides:



Advertisements
Similar presentations
Operating System Security
Advertisements

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 12: Design Principles Overview Principles –Least Privilege –Fail-Safe.
Lecture # 2 : Process Models
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 1 Slide 1 المحاضرة الثانية.
1 Chapter 4 - Part 1 Software Processes. 2 Software Processes is: Coherent (logically connected) sets of activities for specifying, designing, implementing,
The software process A software process is a set of activities and associated results which lead to the production of a software product. This may involve.
Chapter 4 Quality Assurance in Context
Chapter 2 – Software Processes
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 4 Slide 1 Software Processes.
Introduction to Software Engineering Lecture 4 André van der Hoek.
Secure Operating Systems Lesson 0x11h: Systems Assurance.
Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.
R R R CSE870: Advanced Software Engineering (Cheng): Intro to Software Engineering1 Advanced Software Engineering Dr. Cheng Overview of Software Engineering.
June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #18-1 Chapter 18: Introduction to Assurance Overview Why assurance? Trust and.
6/17/2015 5:35 PM Lecture 11: Assurance James Hook CS 591: Introduction to Computer Security.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
©Ian Sommerville 2000 Software Engineering, 6th edition Slide 1 Software Processes l Coherent sets of activities for specifying, designing, implementing.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
May 25, 2004ECS 235Slide #1 Amplifying Allows temporary increase of privileges Needed for modular programming –Module pushes, pops data onto stack module.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 4 Slide 1 Software Processes.
©Ian Sommerville 2006Critical Systems Slide 1 Critical Systems Engineering l Processes and techniques for developing critical systems.
Lecture 1.
Michael Solomon Tugboat Software Managing the Software Development Process.
Chapter 3 Software Processes.
Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 October 30, 2003 Network Security Assurance Lecture.
Evolutionary Development and Rapid Prototyping By: Shelone Reid Amanda Smith.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-1 Chapter 17: Introduction to Assurance Overview Why assurance? Trust and.
INTROSE Introduction to Software Engineering Raymund Sison, PhD College of Computer Studies De La Salle University Software: Definitions,
S/W Project Management Software Process Models. Objectives To understand  Software process and process models, including the main characteristics of.
CSI315 Web Applications and Technology Overview of Systems Development (342)
Chapter 2 The process Process, Methods, and Tools
CPIS 357 Software Quality & Testing I.Rehab Bahaaddin Ashary Faculty of Computing and Information Technology Information Systems Department Fall 2010.
IS2150/TEL2910: Introduction of Computer Security1 Nov 15, 2005 Assurance.
ISA 562 Internet Security Theory & Practice
G53SEC 1 Reference Monitors Enforcement of Access Control.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 4 Slide 1 Software Processes.
CS 360 Lecture 3.  The software process is a structured set of activities required to develop a software system.  Fundamental Assumption:  Good software.
©Ian Sommerville 2000, Mejia-Alvarez 2009 Slide 1 Software Processes l Coherent sets of activities for specifying, designing, implementing and testing.
Topic (1)Software Engineering (601321)1 Introduction Complex and large SW. SW crises Expensive HW. Custom SW. Batch execution.
©Ian Sommerville 2000 Software Engineering, 6th edition. Chapter 3 Slide 1 Software Processes l Coherent sets of activities for specifying, designing,
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
Product Development Chapter 6. Definitions needed: Verification: The process of evaluating compliance to regulations, standards, or specifications.
©Ian Sommerville 2000 Software Engineering, 6th edition. Chapter 8 Slide 1 Software Prototyping l Rapid software development to validate requirements.
Software Engineering Management Lecture 1 The Software Process.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 4 Slide 1 Software Processes.
1 Software Engineering Ian Sommerville th edition Instructor: Mrs. Eman ElAjrami University Of Palestine.
Chapter 18: Introduction to Assurance Dr. Wayne Summers Department of Computer Science Columbus State University
G53SEC 1 Reference Monitors Enforcement of Access Control.
Software Engineering - Abdul Majeed. What is software? Definition of Software Engineering Software Process Generic view of Software Engineering Software.
Chapter 2 – Software Processes Lecture 1 Chapter 2 Software Processes1.
CS223: Software Engineering Lecture 2: Introduction to Software Engineering.
Design Principles and Common Security Related Programming Problems
Chapter 19: Building Systems with Assurance Dr. Wayne Summers Department of Computer Science Columbus State University
Chapter 1- Introduction Lecture 1. Topics covered  Professional software development  What is meant by software engineering.  Software engineering.
Software Development Process CS 360 Lecture 3. Software Process The software process is a structured set of activities required to develop a software.
Lectures 2 & 3: Software Process Models Neelam Gupta.
1 These courseware materials are to be used in conjunction with Software Engineering: A Practitioner’s Approach, 5/e and are provided with permission by.
1 Security Architecture and Designs  Security Architecture Description and benefits  Definition of Trusted Computing Base (TCB)  System level and Enterprise.
Slide #18-1 Introduction to Assurance CS461/ECE422 Fall 2008 Based on slides provided by Matt Bishop for use with Computer Security: Art and Science.
CS 310 Ch 4: Software Processes Software process: a set of activities that lead to a software system specification design and implementation validation.
Chapter 17 Building Secure and Trusted Systems
Introduction to Assurance
Introduction to Assurance
Introduction to Assurance
Chapter 18: Introduction to Assurance
Chapter 19: Building Systems with Assurance
How to Mitigate the Consequences What are the Countermeasures?
Introduction to Assurance
Chapter 4: Security Policies
Presentation transcript:

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-1 Chapter 17: Introduction to Assurance Overview Why assurance? Trust and assurance Life cycle and assurance Building security in vs. adding security later

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-2 Overview Trust Problems from lack of assurance Types of assurance Life cycle and assurance Waterfall life cycle model Other life cycle models Adding security afterwards

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-3 Trust Trustworthy entity has sufficient credible evidence leading one to believe that the system will meet a set of requirements Trust is a measure of trustworthiness relying on the evidence Assurance is confidence that an entity meets its security requirements based on evidence provided by applying assurance techniques

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-4 Relationships

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-5 Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such as wiring and chip flaws 4.Software implementation errors, program bugs, and compiler bugs 5.System use and operation errors and inadvertent mistakes 6.Willful system misuse 7.Hardware, communication, or other equipment malfunction 8.Environmental problems, natural causes, and acts of God 9.Evolution, maintenance, faulty upgrades, and decommissions

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-6 Examples Challenger explosion –Sensors removed from booster rockets to meet accelerated launch schedule Deaths from faulty radiation therapy system –Hardware safety interlock removed –Flaws in software design Bell V22 Osprey crashes –Failure to correct for malfunctioning components; two faulty ones could outvote a third Intel 486 chip –Bug in trigonometric functions

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-7 Role of Requirements Requirements are statements of goals that must be met –Vary from high-level, generic issues to low- level, concrete issues Security objectives are high-level security issues Security requirements are specific, concrete issues

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-8 Types of Assurance Policy assurance is evidence establishing security requirements in policy is complete, consistent, technically sound Design assurance is evidence establishing design sufficient to meet requirements of security policy Implementation assurance is evidence establishing implementation consistent with security requirements of security policy

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-9 Types of Assurance Operational assurance is evidence establishing system sustains the security policy requirements during installation, configuration, and day-to-day operation –Also called administrative assurance

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-10 Life Cycle

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-11 Life Cycle Conception Manufacture Deployment Fielded Product Life

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-12 Conception Idea –Decisions to pursue it Proof of concept –See if idea has merit High-level requirements analysis –What does “secure” mean for this concept? –Is it possible for this concept to meet this meaning of security? –Is the organization willing to support the additional resources required to make this concept meet this meaning of security?

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-13 Manufacture Develop detailed plans for each group involved –May depend on use; internal product requires no sales Implement the plans to create entity –Includes decisions whether to proceed, for example due to market needs

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-14 Deployment Delivery –Assure that correct masters are delivered to production and protected –Distribute to customers, sales organizations Installation and configuration –Ensure product works appropriately for specific environment into which it is installed –Service people know security procedures

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-15 Fielded Product Life Routine maintenance, patching –Responsibility of engineering in small organizations –Responsibility may be in different group than one that manufactures product Customer service, support organizations Retirement or decommission of product

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-16 Waterfall Life Cycle Model Requirements definition and analysis –Functional and non-functional –General (for customer), specifications System and software design Implementation and unit testing Integration and system testing Operation and maintenance

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-17 Relationship of Stages

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-18 Models Exploratory programming –Develop working system quickly –Used when detailed requirements specification cannot be formulated in advance, and adequacy is goal –No requirements or design specification, so low assurance Prototyping –Objective is to establish system requirements –Future iterations (after first) allow assurance techniques

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-19 Models Formal transformation –Create formal specification –Translate it into program using correctness-preserving transformations –Very conducive to assurance methods System assembly from reusable components –Depends on whether components are trusted –Must assure connections, composition as well –Very complex, difficult to assure

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-20 Models Extreme programming –Rapid prototyping and “best practices” –Project driven by business decisions –Requirements open until project complete –Programmers work in teams –Components tested, integrated several times a day –Objective is to get system into production as quickly as possible, then enhance it –Evidence adduced after development needed for assurance

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-21 Security: Built In or Add On? Think of security as you do performance –You don’t build a system, then add in performance later Can “tweak” system to improve performance a little Much more effective to change fundamental algorithms, design You need to design it in –Otherwise, system lacks fundamental and structural concepts for high assurance

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-22 Reference Validation Mechanism Reference monitor is access control concept of an abstract machine that mediates all accesses to objects by subjects Reference validation mechanism (RVM) is an implementation of the reference monitor concept. –Tamperproof –Complete (always invoked and can never be bypassed) –Simple (small enough to be subject to analysis and testing, the completeness of which can be assured) Last engenders trust by providing assurance of correctness

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-23 Examples Security kernel combines hardware and software to implement reference monitor Trusted computing base (TCB) is all protection mechanisms within a system responsible for enforcing security policy –Includes hardware and software –Generalizes notion of security kernel

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-24 Adding On Security Key to problem: analysis and testing Designing in mechanisms allow assurance at all levels –Too many features adds complexity, complicates analysis Adding in mechanisms makes assurance hard –Gap in abstraction from requirements to design may prevent complete requirements testing –May be spread throughout system (analysis hard) –Assurance may be limited to test results

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-25 Example 2 AT&T products –Add mandatory controls to UNIX system –SV/MLS Add MAC to UNIX System V Release 3.2 –SVR4.1ES Re-architect UNIX system to support MAC

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-26 Comparison Architecting of System –SV/MLS: used existing kernel modular structure; no implementation of least privilege –SVR4.1ES: restructured kernel to make it highly modular and incorporated least privilege

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-27 Comparison File Attributes (inodes) –SV/MLS added separate table for MAC labels, DAC permissions UNIX inodes have no space for labels; pointer to table added Problem: 2 accesses needed to check permissions Problem: possible inconsistency when permissions changed Corrupted table causes corrupted permissions –SVR4.1ES defined new inode structure Included MAC labels Only 1 access needed to check permissions

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-28 Key Points Assurance critical for determining trustworthiness of systems Different levels of assurance, from informal evidence to rigorous mathematical evidence Assurance needed at all stages of system life cycle Building security in is more effective than adding it later

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.