Presentation is loading. Please wait.

Presentation is loading. Please wait.

Design Principles and Security related problem

Published byLawrence Terry Modified over 6 years ago

Similar presentations

Presentation on theme: "Design Principles and Security related problem"— Presentation transcript:

1 Design Principles and Security related problem
For bim 6th Sem (

2

3 Design Principles of Secure System
Two Basic theme Simplicity Make design and interaction easy Easy to prove its safety Restriction Minimize the power of entities

4 Eight Principle of Design
Described by Saltzer and Schroeder Principle of least privilege Principle of fail-safe defaults Principle of economy of mechanism Principle of complete mediation Principle of open design Principle of separation of privilege Principle of least common mechanism Principle of psychological acceptability

5 Principle of least privilege
Entity should be given only those privilege needed to finish a task Temporary elevation of privilege should be abandoned immediately Details of privileges Append permission only for logging process

6 Principle of fail-safe defaults
Unless a subject is given explicit access to an object, it should be denied access to the object. Default access to an object is none Access Control Lists (ACLs), firewall Restricting privileges at the time of creation

7 Principle of economy mechanism
Security should be as simple as possible Fewer errors Testing and verification is easy Assumptions are less

8 Principle of complete mediation
All accesses to objects should be checked to ensure they are allowed Subject attempts to read object Operating should mediate the action First it determines if the subject is allowed to read the object If so allow it, if not deny it If again same subject attempts check again Eg: cokkies and cache

9 Principle of open design
Security of a mechanism should not depend upon secrecy of its design or implementation Secrecy != security Complexity!= security Cryptography and openness Hide key, -- not the enciphering and deciphering algorithm

10 Principle of separation of privilege
System should not grant permission based of single condition Eg: Bank may need sign of two officer for check over 5 lakhs To recover password on facebook or webmail you may have to pass more than one security question

11 Principle of Least Common Mechanism
Mechanism used to access resources should not be shared Sharing resources provides a channel along which information can be transmitted, and so much sharing should be minimized Restrictive because it limits sharing In practice virtual machine limits the sharing resource Violation: Denial of service attack

12 Principle of psychological acceptability
Security mechanism should not make the resource difficult to access Recognizes the most important element in computer security : Human

13 Example 1: Viruses cause havoc (Widespread destruction) because, any program or script that is downloaded or received as attachment, runs with the privileges of the user that runs them. Or worse the privileges of the application. What design principles are being exploited?

14 Answer 1 Principle of least privilege

15 Example 2: Unix password authentication
Which design principle is being adhered to mainly?

16 Answer 2 Principle of Fail-safe default

17 Question 3: “wifi-free” is the wireless LAN to be used by a University faculty, students and staff. However, even a guy at a nearby cafe could use it!!!!!! What design principles are being violated?

18 Answer 3 Principle of Fail-Safe Defaults

19 Question 4 Various cipher machines were developed and used during the two World Wars. For example, Enigma, Schlusselzusatz, Purple, etc. It was believed that keeping secret the design of the machines will help boost the security. Which principle is being violated?

20 Principle of open design

21 Question 5 Which principle is being violated?
Policy on password selection to access machines at a University: Use both uppercase and lowercase letters if the computer system considers an uppercase letter to be different from a lowercase letter when the password is entered. Include digits and punctuation characters as well as letters. Choose something easily remembered so it doesn't have to be written down. Use at least 8 characters. Password security is improved slightly by having long passwords. A password should be easy to type quickly so someone cannot follow what was typed by watching the keyboard. Use two or more short words and combine them with a special character or a number, like ROBOT4ME or EYE-CON. Put together an acronym that has special meaning to you, like NOTFSW (None Of This Fancy Stuff Works) or AVPEGCAN (All VAX Programmers Eat Green Cheese At Night). Which principle is being violated?

22 Principle of psychological acceptability

23

24 Common Security Related Programming Problem
Improper choice of initial protection domain, Improper Isolation of implementation detail, Improper change, Improper Naming, Improper de-allocation or deletion, Improper validation, Improper indivisibility, Improper Sequencing, Improper choice of operand or operation

25 Common Security Related Programming Problems
A) Improper Choice of Initial Protection Domain Flaws arise from incorrect setting of permissions or privileges 1) Process Privileges The principle of least privilege dictates that no process have more privileges than it needs to complete its task, but the process must have enough privileges to complete its task successfully Implementation Rule 1 Structure the process so that all sections requiring extra privileges are modules. The modules should be as small as possible and should perform only those tasks that require those privileges Management Rule 1 Check that the process privileges are set properly.

26 Common Security Related Programming Problems
2) Access Control File Permissions. Biba’s model emphasize that the integrity of the process relies on both the integrity of the program and integrity of the access control file. Verifying the integrity of the access control file is critical, because that file controls the access to role accounts. Management Rule 2 The program that is executed to create the process, and all associated control files, must be protected from unauthorized use and modification. Any such modification must be detected. Implementation Rule 2 Ensure that any assumptions in the program are validated. If it is not possible, document them for the installer and maintainers, so they know the assumptions that attackers will try to invalidate.

27 Common Security Related Programming Problems
3) Memory Protection Consider sharing memory. If two subjects can alter the contents of memory, then one could change data on which the second relies. This sharing poses a security problem because the modifying process can alter variables that control the action of the other process. Each process should have a protected, unshared memory space. Implementation Rule 3 Ensure that the program does not share objects in memory with any other program, and that other programs cannot access the memory of a privileged. Management Rule 3 Configure memory to enforce the principle of least privilege. If a section of memory is not contain executable instructions, turn execute permission off for that section of memory. If the contents of a section of memory are not be altered make that section read-only.

28 Common Security Related Programming Problems
B) Improper Isolation of Implementation Detail This problem arises when an abstraction is improperly mapped into an implementation detail Implementation Rule 4 The error status of every function must be checked. Do not try to recover unless the cause of the error, and its effects, do not affect any security consideration. The program should restore the state of the system to the state before the process began, and then terminate.

29 Common Security Related Programming Problems
C) Improper Changes This category describes data and instructions that change over time. The danger is that the changed values may be inconsistent with the previous values. 1) Memory Any process that can access shared memory can manipulate data in the memory. Unless all processes that can access the shared memory implementation a concurrent protocol for managing changes one process can change data on which a second process relies This could cause the second process to violate the security policy.

30 Common Security Related Programming Problems
Implementation Rule 5 If a process interacts with other processes, the interactions should be synchronized. In particular, all possible sequences of interactions must be known and for all such interactions, the process must enforce the required security policy. Implementation Rule 6 Asynchronous exception handlers should not alter any variables excepts those that are local to the exception handling module. Exception handler should block all the exception Implementation Rule 7 Data that the process trusts and the data that it receives from un-trusted sources should be kept in separate areas of memory

31 Common Security Related Programming Problems
D) Improper Naming A It refers to an ambiguity in identifying an object If two different objects have the same name. The programmer intends the name to refer to one of the objects, but an attacker manipulates the environment and the process so that the name refers to a different object. Management Rule 5 Unique objects require unique names. Interchangeable objects may share a name. Implementation Rule 9 The process must ensure that the context in which an object is named identifies the correct object.

32 Common Security Related Programming Problems
E) Improper Deallocation or Deletion Failing to delete sensitive information raises the possibility of another process seeing that data at a later time. Cryptographic keywords, passwords and other authentication information should be discarded once they have been used. As a consequence of not deleting sensitive information is that dumps of memory, which may occur if the program receives an exception or crashes for some other reason. Implementation Rule 10 When the process finishes using a sensitive object, the object should be erased, the de- allocated or deleted. Any resources not needed should also be released.

33 Common Security Related Programming Problems
F) Improper Validation This problem arises when data is not checked for consistency and correctness. The process can check correctness only by looking for error codes or by looking for patently incorrect values. 1) Bounds Checking Errors of validation often occur when data is supposed to lie within bounds. Implementation Rule 11 Ensure that all array references access existing elements of the array. If a function that manipulates arrays cannot ensure that only valid elements are referenced, do not use that function. Find one that does, write a new version, or create a wrapper.

34 Common Security Related Programming Problems
2)Type Checking Failure to check types in another common validation problem. Implementation Rule 12 Check the type of function and parameters. Management Rule 6 When compiling programs, ensure that the compiler flags report inconsistencies in types. Investigate all such warnings an either fix the problem or document the warning and why it is spurious. 3) Error Checking Third common problem involving improper validation is failure to check return values of function.

35 Common Security Related Programming Problems
Implementation Rule 13 Check all function and procedure executions for errors. 4) Checking for valid, not invalid data. This principle requires that valid values be known and that all other values be rejected. Unfortunately, programmers often check for invalid data and assume that the rest is valid. Implementation Rule 14 Check that a variable's values are valid. Management Rule 7 If a trade-off between security and other factors results in a mechanism or procedure that can weaken security, document the reasons for the decision, the possible effects, and the situations in which the compromise method should be used.

36 Common Security Related Programming Problems
5) Checking Input All the data from the un-trusted sources must be checked Implementation Rule 15 Check all user input for both form and content. In particular, check integer for values that are too big or too small, and check character data for length and valid characters. (check that a variable’s values are valid.) 6) Designing for validation Sometimes data cannot be validated completely. Implementation Rule 16 Create data structure and function in such a way that they can be validated.

37 Common Security Related Programming Problems
G) Improper Indivisibility It arises when an operation is considered as one unit in the abstract but is implemented as two unit. Implementation Rule 17 If two operations must be performed sequentially without an intervening operation, use a mechanism to ensure that the two cannot be divided. H) Improper Sequencing Means that operations are performed in an incorrect order. Implementation Rule 18 Describe the legal sequences of operations on a resource or object. Check that all possible sequence of the programs involved match one legal sequences

38 Common Security Related Programming Problems
J) Improper choice of operand or operation Preventing errors of choosing the wrong operand or operation requires that the algorithms be thought through carefully. Management Rule 8 Use software engineering and assurance techniques to ensure that operations are operands are appropriate.

Download ppt "Design Principles and Security related problem"

Similar presentations

Lectures on File Management

Lectures on File Management
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 12: Design Principles Overview Principles –Least Privilege –Fail-Safe.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 12: Design Principles Overview Principles –Least Privilege –Fail-Safe.
Access Control Methodologies

Access Control Methodologies
1 Design Principles CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 13, 2004.

1 Design Principles CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 13, 2004.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.

Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.
Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least.

Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least.
CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.

CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.

CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
(Breather)‏ Principles of Secure Design by Matt Bishop (augmented by Michael Rothstein)‏

(Breather)‏ Principles of Secure Design by Matt Bishop (augmented by Michael Rothstein)‏
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.

April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.
1 cs691 chow C. Edward Chow Design Principles for Secure Mechanisms CS591 – Chapter 5.4 Trusted OS Design CS691 – Chapter 13 of Matt Bishop.

1 cs691 chow C. Edward Chow Design Principles for Secure Mechanisms CS591 – Chapter 5.4 Trusted OS Design CS691 – Chapter 13 of Matt Bishop.
Lecture 10: Security Design Principles CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 10: Security Design Principles CS 436/636/736 Spring 2012 Nitesh Saxena.
C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.

C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.
Operating Systems Protection & Security.

Operating Systems Protection & Security.
CMSC 414 Computer (and Network) Security Lecture 14 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 14 Jonathan Katz.
The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.

The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.
Software Security and Security Engineering (Part 2)

Software Security and Security Engineering (Part 2)

Similar presentations

Ads by Google