Design Principles for Secure Mechanisms, by C. Edward Chow. Presented by Mousa Alhazzazi.

Presentation transcript:

Design Principles for Secure Mechanisms, by C. Edward Chow. Presented by Mousa Alhazzazi.

Design Principles for Security Mechanisms

- Based on the ideas of simplicity and restriction.
- J. Saltzer and M. Schroeder, Proceedings of the IEEE, 1975, describe eight principles for security mechanisms:
  - Least Privilege
  - Fail-Safe Defaults
  - Economy of Mechanism
  - Complete Mediation
  - Open Design
  - Separation of Privilege
  - Least Common Mechanism
  - Psychological Acceptability

Overview

- Simplicity makes designs and mechanisms easy to understand.
- Simplicity reduces the potential for inconsistencies within a policy or set of policies.
- Minimizing the interaction of system components minimizes the number of sanity checks on data being transmitted among components.
- Restriction minimizes the power of an entity.
  - The entity can access only the information it needs.
  - It communicates with other entities only when necessary, and in as few and narrow ways as possible.

Examples

Sendmail reads its configuration data from a binary file, compiled ("frozen") from a text version of the configuration file. This involves three interfaces:
- The mechanism that edits the text configuration file.
- The mechanism that compiles (freezes) the text file.
- The mechanism sendmail uses to read the binary (frozen) file.

Version control problem: what if the text configuration file is newer than the binary file? Does sendmail warn the user? Should sendmail recheck the parameters in the configuration file?

If the compiler allows a string name as the default UID ("daemon") while sendmail accepts only an integer UID, sendmail's input routine will read "daemon" and return the error value 0. UID 0 is root!
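The UID bug above, reconstructed as an added example (not sendmail's own code, and the function names are hypothetical): a loose reader that cannot distinguish "not a number" from 0, beside a fail-safe reader that returns no identity at all on bad input.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Loose reader, modelling the bug on the slide: atoi() has no way to
 * report "not a number", so the name "daemon" silently becomes 0,
 * and UID 0 is root. */
long long parse_uid_loose(const char *s)
{
    return atoi(s);
}

/* Fail-safe reader: returns the UID only for an all-digit, in-range
 * string and -1 for anything else, so a bad configuration value yields
 * no identity rather than the most privileged one. */
long long parse_uid_strict(const char *s)
{
    const char *p;
    unsigned long v;

    if (s == NULL || *s == '\0')
        return -1;                        /* empty: refuse, do not default */
    for (p = s; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))  /* rejects "daemon", "12abc", "-1", " 7" */
            return -1;
    errno = 0;
    v = strtoul(s, NULL, 10);
    if (errno == ERANGE || v > UINT_MAX)  /* assumes uid_t is 32-bit unsigned */
        return -1;
    return (long long)v;
}

/* Policy on top of parsing (an assumption of this example, not a rule
 * from the slide): the default identity for the daemon is never root,
 * even when the configuration spells out "0" explicitly. */
long long load_default_uid(const char *s)
{
    long long uid = parse_uid_strict(s);
    return uid == 0 ? -1 : uid;
}
```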

Example of Avoiding Inconsistency in Policies

- Policy rule 1: a TA must report any cheating.
- Policy rule 2: ensure the privacy of student files.

Case: a TA reminds a student that a file was not submitted. The student asks the TA to look for the file in the student's directory. The TA finds two files and is unsure which one it is. The TA reads the first file; it turns out to be written by another student. The TA reads the second file; it is identical except for the names. The TA reports the cheating. The student charges the TA with violating his privacy by reading the first set of files.

Principle of Least Privilege

- A subject should be given only those privileges that it needs in order to complete its task.
- Exception case: for certain actions, a subject's access rights can be augmented, but they must be relinquished immediately on completion of the action.
- In practice, most systems do not have the granularity of privileges and permissions required to apply this principle precisely.
- The designers of mechanisms try to do their best.

Example of Tomcat User Access Control Files

- A user with the Admin role can start/shut down the Tomcat web server.
- A user with the Manager role can insert/delete web applications.
- A user with the cs526stu role can read the cs526 web pages.
- When the user first accesses the web site, the user is asked for a username and password.

Mail Server Access Rights

- The mail server accepts mail from the Internet and copies the messages to a spool directory. A local server completes delivery.
- The mail server needs the rights:
  - to access network port 25,
  - to create files in the spool directory,
  - to alter those files (copy the message to a file, rewrite the delivery address if needed).
- It should surrender these rights when finished.
- It should not access the users' files.
- The local server only has read and delete access to the spool directory.
- The admin should only be able to access subjects and objects involved in mail queuing and delivery.

Principle of Fail-Safe Defaults

- Unless a subject is given explicit access to an object, it should be denied access to that object.
- If the subject is not able to complete its action/task, it should undo the changes it made to the security state of the system before it terminates. If the program fails, the system is still safe.
- The mail server should not write a message to a directory other than the spool (for example, if the spool is full). It should just close the network connection, issue an error message and stop.

Principle of Economy of Mechanism

- Security mechanisms should be as simple as possible.
  - Fewer errors; less checking and testing.
- Bad example: a mechanism on host A allows access based on the ident protocol.
  - The ident protocol sends the user name associated with a process that has a TCP connection to a remote host. A compromised host can send any identity.
- Interfaces to other modules are particularly suspect.
  - Example of a DoS attack using the finger protocol: it returns an infinite stream of characters, and the client crashes.

Principle of Complete Mediation

- All accesses to objects should be checked to ensure that they are allowed.
- Unfortunately, most operating systems check the access right when the object is opened, but do not check it again when the client program reads. The OS caches the result of the first check.
- If the owner disallows reading the file after the file descriptor is issued, the kernel will still allow the client process to read.
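The open-time check versus per-access check from the slide, as an added in-memory model (not kernel code; the object, ACL and handle types are constructed for this example): the cached handle keeps granting access after the owner revokes it, while the mediated read consults the current ACL every time.

```c
#include <stdbool.h>
#include <stddef.h>

#define MAX_SUBJECTS 4

/* Constructed object: one "may read" bit per subject plus its contents. */
typedef struct {
    bool readable[MAX_SUBJECTS];
    const char *data;
} object_t;

/* A handle as most kernels model it: the decision taken at open() is
 * frozen into the descriptor and never revisited. */
typedef struct {
    object_t *obj;
    int subject;
    bool read_ok;
} handle_t;

int open_cached(object_t *o, int subject, handle_t *h)
{
    if (!o->readable[subject])
        return -1;                        /* checked once, here */
    h->obj = o; h->subject = subject; h->read_ok = true;
    return 0;
}

/* Cached read: trusts the stale open-time decision. */
const char *read_cached(handle_t *h)
{
    return h->read_ok ? h->obj->data : NULL;
}

/* Complete mediation: every access re-evaluates the current ACL. */
const char *read_mediated(handle_t *h)
{
    return h->obj->readable[h->subject] ? h->obj->data : NULL;
}

void revoke_read(object_t *o, int subject) { o->readable[subject] = false; }

/* Scenario from the slide: subject 1 opens, the owner revokes, subject 1
 * reads again. Returns 1 when the read still succeeds through the cache. */
int cached_read_survives_revocation(void)
{
    object_t o = { {true, true, false, false}, "secret" };
    handle_t h;
    if (open_cached(&o, 1, &h) != 0) return -1;
    revoke_read(&o, 1);
    return read_cached(&h) != NULL;
}

/* Same scenario with mediation. Returns 1 when the read is now denied. */
int mediated_read_denied_after_revocation(void)
{
    object_t o = { {true, true, false, false}, "secret" };
    handle_t h;
    if (open_cached(&o, 1, &h) != 0) return -1;
    revoke_read(&o, 1);
    return read_mediated(&h) == NULL;
}
```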

Principle of Open Design

- The security of a mechanism should not depend on the secrecy of its design or implementation.
- Attacks such as disassembly and analysis, or dumpster-diving for source code, can recover a secret design.
- To avoid relying on secrecy, cryptographic software and algorithms should be open for scrutiny by the community.

Principle of Separation of Privilege

- A system should not grant permission based on a single condition.
- Access to objects should depend on more than one condition being satisfied.
- Separation of duty principle. Example: Berkeley Unix allows a user to change to root only if the user knows the root password and is in the wheel group.

Principle of Least Common Mechanism

- Minimize the amount of mechanism common to more than one user and depended on by all users.
- Every shared mechanism is a potential information path.
- Mechanisms used to access resources should not be shared. The virtual machine/virtual memory concept follows this.
- How to restrict an attacker's access to the segment of the Internet connected to a web site? The Purdue SYN intermediary system and the Secure Collective Defense project.

Principle of Psychological Acceptability

- Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.
- The user interface must be easy to use, so that users routinely and automatically apply the mechanisms correctly. Otherwise, they will be bypassed.
- Security mechanisms should not add to the difficulty of accessing a resource. Example: SSH, which does not allow access after 3 tries.

Thank you! Questions?