Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Software Security

Published byIlene Bailey Modified over 7 years ago

Similar presentations

Presentation on theme: "Introduction to Software Security"— Presentation transcript:

1 Introduction to Software Security
Dr. Shahriar Bijani Shahed University Fall 2016

2 Slide References Matt Bishop, Computer Security: Art and Science, the author homepage, 2004. Michael E. Whitman, Principles of Information Security: Chapter 1: Introduction to Information Security, 4/e, 2011. Chris Clifton, CS 526: Information Security course, Purdue university, 2010.

3 What is Security? Security /sɪˈkjʊərɪti/ noun
the state of being free from danger or threat. synonyms: certainty, safe future, assured future, safety, reliability, dependability, solidness, soundness

4 What is Security? A successful organization should have multiple layers of security in place: Physical security: to protect the physical items, objects, or areas of an organization from unauthorized access and misuse. Personal security: to protect the (group of) authorized individual. Operations security: to protect the details of a particular operation or series of activities. Communications security: to protect an organization’s communications media, technology, and content. Network security: to protect networking components, connections, and contents. Information security

5 Basic Components Confidentiality Integrity Availability
An Information System is secure if it supports CIA: Confidentiality Keeping data and resources hidden Integrity Data integrity (integrity) Origin integrity (authentication) Availability Enabling access to data and resources The CIA triangle Confidentiality: a good example is cryptography, which traditionally is used to protect secret messages. But cryptography is traditionally used to protect data, not resources. Resources are protected by limiting information, for example by using firewalls or address translation mechanisms. Integrity: a good example here is that of an interrupted database transaction, leaving the database in an inconsistent state (this foreshadows the Clark-Wilson model). Trustworthiness of both data and origin affects integrity, as noted in the book’s example. That integrity is tied to trustworthiness makes it much harder to quantify than confidentiality. Cryptography provides mechanisms for detecting violations of integrity, but not preventing them (e.g., a digital signature can be used to determine if data has changed). Availability: this is usually defined in terms of “quality of service,” in which authorized users are expected to receive a specific level of service (stated in terms of a metric). Denial of service attacks are attempts to block availability.

6 The History of Information Security
Began immediately following development first mainframes Developed for code-breaking computations During World War II Multiple levels of security were implemented Physical controls Elementary Mainly composed of simple document classification Defending against physical theft, espionage, and sabotage The History Of Information Security The need for computer security, or the need to secure the physical location of hardware from outside threats, began almost immediately after the first mainframes were developed. Groups developing code-breaking computations during World War II created the first modern computers . Badges, keys, and facial recognition of authorized personnel controlled access to sensitive military locations. In contrast, information security during these early years was elementary and mainly composed of simple document classification schemes. There were no application classification projects for computers or operating systems at this time, because the primary threats to security were physical theft of equipment, espionage against the products of the systems, and sabotage.

7 The 1960s Original communication by mailing tapes
Advanced Research Project Agency (ARPA) Examined feasibility of networked communications Larry Roberts developed ARPANET Plan Link computers Resource sharing Link 17 Computer Research Centers Cost 3.4M $ ARPANET is predecessor to the Internet The 1960s During the 1960s, the Department of Defence's Advanced Research Procurement Agency (ARPA) began examining the feasibility of a redundant networked communications system designed to support the military’s need to exchange information. Larry Roberts, known as the founder of the Internet, developed the project from its inception.

8 The 1970s and 80s ARPANET grew in popularity Potential for misuse grew
Fundamental problems with ARPANET security Individual remote sites were not secure from unauthorized users Vulnerability of password structure and formats No safety procedures for dial-up connections to ARPANET Non-existent user identification and authorization to system The 1970s and 80s During the next decade, the ARPANET grew in popularity and use, and so did its potential for misuse. In December of 1973, Robert M. Metcalfe indicated that there were fundamental problems with ARPANET security. Individual remote users’ sites did not have sufficient controls and safeguards to protect data against unauthorized remote users. There were no safety procedures for dial-up connections to the ARPANET. User identification and authorization to the system were non-existent. Phone numbers were widely distributed and openly publicized on the walls of rest rooms and phone booths, giving hackers easy access to ARPANET. Much of the focus for research on computer security centered on a system called MULTICS (Multiplexed Information and Computing Service). In mid-1969, not long after the restructuring of the MULTICS project, several of the key players created a new operating system called UNIX. While the MULTICS system had planned security with multiple security levels and passwords, the UNIX system did not. In the late 1970s the microprocessor brought in a new age of computing capabilities and security threats as these microprocessors were networked.

9 The 1970s and 80s‏ … Rand Report R-609
Paper that started the study of computer security Information Security as we know it began‏ Scope of computer security grew from physical security to include: Safety of data Limiting unauthorized access to data Involvement of personnel from multiple levels of an organization The Paper that Started the Study of Computer Security It began with Rand Report R-609, sponsored by the Department of Defence, which attempted to define multiple controls and mechanisms necessary for the protection of a multilevel computer system. The scope of computer security grew from physical security to include: Safety of the data itself Limiting of random and unauthorized access to that data Involvement of personnel from multiple levels of the organization At this stage, the concept of computer security evolved into the more sophisticated system we call information security.

10 The 1990s Networks of computers became more common
Need to interconnect networks grew Internet became first demonstration of a global network of networks Initially based on de facto standards In early Internet deployments, security was treated as a low priority The 1990s At the close of the 20th century, as networks of computers became more common, so too did the need to connect the networks to each other. This gave rise to the Internet, the first manifestation of a global network of networks. There has been a price for the phenomenal growth of the Internet, however. When security was considered at all, early Internet deployment treated it as a low priority. As the requirement for networked computers became the dominant style of computing, the ability to physically secure that physical computer was lost, and the stored information became more exposed to security threats.

11 2000 to Present Millions of computer networks communicate
Many of the communication unsecured Ability to secure a computer’s data influenced by the security of every computer to which it is connected Growing threat of cyber attacks has increased the need for improved security The Present Today, the Internet has brought millions of unsecured computer networks into communication with each other. Our ability to secure each computer’s stored information is now influenced by the security on each computer to which it is connected.

12 Key Information Security Concepts
Subjects / Objects Access Asset Control, Safeguard, or Countermeasure Exploit Exposure Hack Loss Risk Vulnerability Threat Attack Compromise Security Blueprint Key Terms Access - a subject or object’s ability to use, manipulate, modify, or affect another subject or object. Asset - the organizational resource that is being protected. Attack - an act that is an intentional or unintentional attempt to cause damage or compromise to the information and/or the systems that support it. Control, Safeguard, or Countermeasure - security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization. Exploit - to take advantage of weaknesses or vulnerability in a system. Exposure - a single instance of being open to damage. Hack - Good: to use computers or systems for enjoyment; Bad: to illegally gain access to a computer or system. Object - a passive entity in the information system that receives or contains information. Subject - an active entity that interacts with an information system and causes information to move through the system for a specific end Risk - the probability that something can happen. purpose Threats - a category of objects, persons, or other entities that represents a potential danger to an asset. Threat Agent - a specific instance or component of a more general threat. Vulnerability - weaknesses or faults in a system or protection mechanism that expose information to attack or damage. Security Blueprint - the plan for the implementation of new security measures in the organization. Security Model - a collection of specific security rules that represents the implementation of a security policy. Security Posture or Security Profile - a general label for the combination of all policies, procedures, technologies, and programs that make up the total security effort currently in place.

13 Attack An attack occurs when someone attempts to exploit a vulnerability Type of attacks Passive (e.g., eavesdropping) Active (e.g., password guessing, DoS) A compromise occurs when an attack is successful

14 Relationships of Security Concepts
From Lecture slides prepared by Dr Lawrie Brown, “Computer Security: Principles and Practice”, by William Stallings and Lawrie Brown, Chapter 1 “Overview”.

15 Key Information Security Concepts
Computer can be subject or object of an attack When the subject of an attack An active tool to conduct attack When the object of an attack An entity being attacked Key Information Security Concepts When considering the security of information systems components, it is important to understand the concept of the computer as the subject of an attack as opposed to the computer as the object of an attack. When a computer is the subject of an attack, it is used as an active tool to conduct the attack. When a computer is the object of an attack, it is the entity being attacked.

16 Information Security vs. Access
Perfect security is impossible Security is a process Security should be considered balance between protection and availability Must allow reasonable access, yet protect against threats Security and Access Balancing When considering information security, it is important to realize that it is impossible to obtain perfect security. Security is not an absolute; it is a process not a goal. Security should be considered a balance between protection and availability. To achieve balance, the level of security must allow reasonable access yet protect against threats.

17 Information Security vs. Access
This graphic intends to show the trade-offs between security and access.

18 Vulnerabilities

19 Threats A threat is a potential violation of security.
تهدید: امکان بالقوه نقض امنیت

20 Classes of Threats Interruption (Disruption) Interception / Disclosure
interruption or prevention of correct operation DOS attack: Denial of Service Interception / Disclosure Unauthorized access to information Snooping: the unauthorized interception of information Modification An unauthorized party not only gains access to but modify an asset. Masquerading or spoofing: an impersonation of one entity by another. Fabrication An unauthorized party inserts fake objects into the system. Snooping : an example is passive wiretapping, where the attacker monitors communications. Modification: an example is active wiretapping, where the attacker injects something into a communication or modifies parts of the communication. Modification is sometimes called alteration. Spoofing: delegation is basically authorized spoofing. The difference is that the ones to which authority is delegated does not impersonate the delegator; she simply asserts authority to act as an agent for the delegator. Delay: Denial of service: this may not be due to an attack, but due to limits of resources. However, the effect here is critical. If you define security in terms of what users need to access, the inability to access is a security problem regardless of whether the reason is intentional (an attack) or unintentional (not an attack). Usurpation: To take over or occupy without right

21 Classes of Threats Snooping : an example is passive wiretapping, where the attacker monitors communications. Modification: an example is active wiretapping, where the attacker injects something into a communication or modifies parts of the communication. Modification is sometimes called alteration. Spoofing: delegation is basically authorized spoofing. The difference is that the ones to which authority is delegated does not impersonate the delegator; she simply asserts authority to act as an agent for the delegator. Delay: Denial of service: this may not be due to an attack, but due to limits of resources. However, the effect here is critical. If you define security in terms of what users need to access, the inability to access is a security problem regardless of whether the reason is intentional (an attack) or unintentional (not an attack). Usurpation: To take over or occupy without right

22 The scope of computer security
As mentioned, the assets of a computer system can be categorized as hardware, software, data, and communication lines and networks. We briefly describe these four categories and relate these to the concepts of integrity, confidentiality, and availability, as illustrated here in Figure 1.3. Hardware - A major threat = is the threat to availability. Hardware is the most vulnerable to attack and the least susceptible to automated controls. Threats include accidental and deliberate damage to equipment as well as theft. Theft of CDROMs and DVDs can lead to loss of confidentiality. Physical and administrative security measures are needed to deal with these threats. Software - includes the operating system, utilities, and application programs. A key threat is an attack on availability. Software is often easy to delete. Software can also be altered or damaged to render it useless. Careful software configuration management can maintain high availability. A more difficult problem is software modification (e.g. from virus/worm) that results in a program that still functions but that behaves differently than before, which is a threat to integrity/authenticity. Data - involves files and other forms of data controlled by individuals, groups, and business organizations. Security concerns with respect to data are broad, encompassing availability, secrecy, and integrity. In the case of availability, the concern is with the destruction of data files, which can occur either accidentally or maliciously. The obvious concern with secrecy is the unauthorized reading of data files or databases. A less obvious secrecy threat involves the analysis of data and manifests itself in the use of so-called statistical databases, which provide summary or aggregate information. Finally, data integrity is a major concern in most installations. Modifications to data files can have consequences ranging from minor to disastrous.

23 Some Threat Categories

24 Examples of threats

25 Challenges of computer security
Computer security is not simple One must consider potential (unexpected) attacks Must decide where to deploy mechanisms Involve algorithms and secret info (keys) A battle between attacker / admin It is not perceived on benefit until fails Requires constant monitoring Too often incorporated after the design is complete (not integral) Regarded as a barrier to using system Computer security is both fascinating and complex. Some of the reasons follow: 1. Computer security is not as simple as it might first appear to the novice. The requirements seem to be straightforward, but the mechanisms used to meet those requirements can be quite complex and subtle. 2. In developing a particular security mechanism or algorithm, one must always consider potential attacks (often unexpected) on those security features. 3. Hence procedures used to provide particular services are often counterintuitive. 4. Having designed various security mechanisms, it is necessary to decide where to use them. 5. Security mechanisms typically involve more than a particular algorithm or protocol, but also require participants to have secret information, leading to issues of creation, distribution, and protection of that secret information. 6. Computer security is essentially a battle of wits between a perpetrator who tries to find holes and the designer or administrator who tries to close them. 7. There is a natural tendency on the part of users and system managers to perceive little benefit from security investment until a security failure occurs. 8. Security requires regular monitoring, difficult in today's short-term environment. 9. Security is still too often an afterthought - incorporated after the design is complete. 10. Many users / security administrators view strong security as an impediment to efficient and user-friendly operation of an information system or use of information.

26 Policies and Mechanisms
Policy says what is, and is not, allowed This defines “security” for the site/system/etc. Mechanisms enforce policies Composition of policies If policies conflict, inconsistencies may create security vulnerabilities Policy: may be expressed in natural language, which is usually imprecise but easy to understand; mathematics, which is usually precise but hard to understand; policy languages, which look like some form of programming language and try to balance precision with ease of understanding Mechanisms: may be technical, in which controls in the computer enforce the policy; for example, the requirement that a user supply a password to authenticate herself before using the computer procedural, in which controls outside the system enforce the policy; for example, firing someone for ringing in a disk containing a game program obtained from an untrusted source The composition problem requires checking for inconsistencies among policies. If, for example, one policy allows students and faculty access to all data, and the other allows only faculty access to all the data, then they must be resolved (e.g., partition the data so that students and faculty can access some data, and only faculty access the other data).

27 Goals of Security Prevention(پیشگیری) Detection (تشخیص)
Prevent attackers from violating security policy Detection (تشخیص) Detect attackers’ violation of security policy Recovery (ترمیم) Stop attack, assess and repair damage Continue to function correctly even if attack succeeds Prevention is ideal, because then there are no successful attacks. Detection occurs after someone violates the policy. The mechanism determines that a violation of the policy has occurred (or is underway), and reports it. The system (or system security officer) must then respond appropriately. Recovery means that the system continues to function correctly, possibly after a period during which it fails to function correctly. If the system functions correctly always, but possibly with degraded services, it is said to be intrusion tolerant. This is very difficult to do correctly; usually, recovery means that the attack is stopped, the system fixed (which may involve shutting down the system for some time, or making it unavailable to all users except the system security officers), and then the system resumes correct operations.

28 Trust and Assumptions Underlie all aspects of security Policies
Unambiguously partition system states Correctly capture security requirements Mechanisms Assumed to enforce policy Support mechanisms work correctly All security policies and mechanisms rest on assumptions; we’ll examine some in later chapters, most notably Chapter 22, Malicious Logic. Here is a taste of the assumptions. Policies: as these define security, they have to define security correctly for the particular site. For example, a web site has to be available, but if the security policy does not mention availability, the definition of security is inappropriate for the site. Also, a policy may not specify whether a particular state is “secure” or “non-secure.” This ambiguity causes problems. Mechanisms: as these enforce policy, they must be appropriate. For example, cryptography does not assure availability, so using cryptography in the above situation won’t work. Further, security mechanisms rely on supporting infrastructure, such as compilers, libraries, the hardware, and networks to work correctly. Ken Thompson’s modified C preprocessor (see the example on p. 615) illustrates this point very well.

29 Computer Security: Art and Sciece
Types of Mechanisms secure precise broad A reachable state is one that the computer can enter. A secure state is a state defined as allowed by the security policy. The left figure shows a secure system: all reachable states are in the set of secure states. The system can never enter (reach) a non-secure state, but there are secure states that the system cannot reach. The middle figure shows a precise system: all reachable states are secure, and all secure states are reachable. Only the non-secure states are unreachable. The right figure shows a broad system. Some non-secure states are reachable. This system is also not secure. set of reachable states set of secure states Computer Security: Art and Sciece © Matt Bishop

30 Assurance (اطمینان) Assurance is a measure of how well the system meets its requirements Specification Requirements analysis Statement of desired functionality Design How system will meet specification Implementation Programs/systems that carry out design Assurance is a measure of how well the system meets its requirements; more informally, how much you can trust the system to do what it is supposed to do. It does not say what the system is to do; rather, it only covers how well the system does it. Specifications arise from requirements analysis, in which the goals of the system are determined. The specification says what the system must do to meet those requirements. It is a statement of functionality, not assurance, and can be very formal (mathematical) or informal (natural language). The specification can be high-level or low-level (for example, describing what the system as a whole is to do vs. what specific modules of code are to do). The design architects the system to satisfy, or meet, the specifications. Typically, the design is layered by breaking the system into abstractions, and then refining the abstractions as you work your way down to the hardware. An analyst also must show the design matches the specification. The implementation is the actual coding of the modules and software components. These must be correct (perform as specified), and their aggregation must satisfy the design. Note the assumptions of correct compilers, hardware, etc.

31 Operational Issues Cost-Benefit Analysis Risk Analysis
Is it cheaper to prevent or recover? Risk Analysis Should we protect something? How much should we protect this thing? Laws and Customs Are desired security measures illegal? Will people do them? Security does not end when the system is completed. Its operation affects security. A “secure” system can be breached by improper operation (for example, when accounts with no passwords are created). The question is how to assess the effect of operational issues on security. Cost-Benefit Analysis: this weighs the cost of protecting data and resources with the costs associated with losing the data. Among the considerations are the overlap of mechanisms’ effects (one mechanism may protect multiple services, so its cost is amortized), the non-technical aspects of the mechanism (will it be impossible to enforce), and the ease of use (if a mechanism is too cumbersome, it may cost more to retrofit a decent user interface than the benefits would warrant). Risk Analysis: what happens if the data and resources are compromised? This tells you what you need to protect and to what level. Cost-benefit analyses help determine the risk here, but there may be other metrics involved (such as customs). Laws and Customs: these constrain what you can do. Encryption used to be the biggie here, as the text indicates. How much that has changed is anybody’s guess. Customs involve non-legislated things, like the use of urine specimens to determine identity. That is legal, at least in the US in some cases; but it would never be widely accepted as an alternative to a password.

32 Human Issues Organizational Problems People problems
Power and responsibility Financial benefits People problems Outsiders and insiders Social engineering Organizations: the key here is that those responsible for security have the power to enforce security. Otherwise there is confusion, and the architects need not worry if the system is secure because they won’t be blamed if someone gets in. This arises when system administrators, for example, are responsible for security, but only security officers can make the rules. Preventing this problem (power without responsibility, or vice versa) is tricky and requires capable management. What’s worse is that security is not a direct financial incentive for most companies because it doesn’t bring in revenue. It merely prevents the loss of revenue obtained from other sources. People problems are by far the main source of security problems. Outsiders are attackers from without the organization; insiders are people who have authorized access to the system and, possibly, are authorized to access data and resources, but use the data or resources in unauthorized ways. It is speculated that insiders account for 80-90% of all security problems, but the studies generally do not disclose their methodology in detail, so it is hard to know how accurate they are. (Worse, there are many slightly different definitions of the term “insider,” causing the studies to measure slightly different things!) Social engineering, or lying, is quite effective, especially if the people gulled are inexperienced in security (possibly because they are new, or because they are tired).

33 Tying Together Threats Policy Specification Design Implementation
The point to this slide is that each step feeds into the earlier steps. In theory, each of these should only affect the one before it, and the one after it. In practice, each affects all the ones that come before it. Feedback from operation and maintenance is critical, and often overlooked. It allows one to validate the threats and the legitimacy of the policy. Implementation Operation

Download ppt "Introduction to Software Security"

Similar presentations

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
September 10, 2012Introduction to Computer Security ©2004 Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.

September 10, 2012Introduction to Computer Security ©2004 Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
Chap 1: Overview Concepts of CIA: confidentiality, integrity, and availability Confidentiality: concealment of information –The need arises from sensitive.

Chap 1: Overview Concepts of CIA: confidentiality, integrity, and availability Confidentiality: concealment of information –The need arises from sensitive.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
1 Overview CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 8, 2004.

1 Overview CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 8, 2004.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues Computer.

Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues Computer.
July 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.

July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
Stephen S. Yau CSE465 & CSE591, Fall 2006 1 Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,

Stephen S. Yau CSE465 & CSE591, Fall Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,
April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.

April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Principles of Information Security, 2nd Edition1 Introduction.

Principles of Information Security, 2nd Edition1 Introduction.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Cryptography and Network Security Overview & Chapter 1 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Overview & Chapter 1 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Dr. Lo’ai Tawalbeh 2007 INCS 741: Cryptography Chapter 1:Introduction Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus - 2007.

Dr. Lo’ai Tawalbeh 2007 INCS 741: Cryptography Chapter 1:Introduction Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus
Introduction (Based on Lecture slides by J. H. Wang)

Introduction (Based on Lecture slides by J. H. Wang)
Cryptography and Network Security

Cryptography and Network Security
Network Security Essentials Chapter 1

Network Security Essentials Chapter 1

Similar presentations

Ads by Google