Presentation is loading. Please wait.

Presentation is loading. Please wait.

Outline Designing and Writing Secure Code –General principles for architects/managers –Example: sendmail vs qmail Compiler Prime: Run-time Environment.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Outline Designing and Writing Secure Code –General principles for architects/managers –Example: sendmail vs qmail Compiler Prime: Run-time Environment."— Presentation transcript:

1 Outline Designing and Writing Secure Code –General principles for architects/managers –Example: sendmail vs qmail Compiler Prime: Run-time Environment and Program Organization Buffer Overflow

2 General Principles Compartmentalization –Principle of least privilege –Minimize trust relationships Defense in depth –Use more than one security mechanism –Secure the weakest link –Fail securely Promote privacy Keep it simple Consult experts –Don’t build what you can easily borrow/steal –Open review is effective and informative Have you applied them in your design / evaluation?

3 Compartmentalization Divide system into modules –Each module serves a specific purpose –Assign different access rights to different modules Read/write access to files Read user or network input Execute privileged instructions (e.g., Unix root) Principle of least privilege –Give each module only the rights it needs Minimize trust relationships –Clients, servers should not trust each other Both can get hacked –Trusted code should not call untrusted code

4 Defense in Depth Failure is unavoidable – plan for it Have a series of defenses –If an error or attack is not caught by one mechanism, it should be caught by another Examples –Firewall + network intrusion detection Fail securely –Many, many vulnerabilities are related to error handling, debugging or testing features, error messages –Ensure that you handle errors –Do not expose system internals even in case of errors Stack traces, internal errors,... shown to clients –Test if your system fails securely

5 Defense in Depth Check security Application.dll Application.exe Check security Secure resource with an ACL Application.dll [MSDN]

6 Secure the weakest link Think about possible attacks –How would someone try to attack this? –What would they want to accomplish? Find weakest link(s) –Crypto library is probably pretty good –Is there a way to work around crypto? Data stored in encrypted form; where is key stored? Main point –Do security analysis of the whole system –Spend your time where it matters

7 Promote Privacy Discard information when no longer needed –No one can attack system to get information Examples –Don’t keep log of old session keys –Delete firewall logs –Don’t run unnecessary services (fingerd) Hiding sensitive information is hard –Information in compiled binaries can be found –Insider attacks are common

8 Keep It Simple Use standard, tested components –Don’t implement your own cryptography Don’t add unnecessary features –Extra functionality  more ways to attack Use simple algorithms that are easy to verify –A trick that may save a few instructions may Make it harder to get the code right Make it harder to modify and maintain code

9 Don’t reinvent the wheel Consult experts Allow public review Use software, designs that others have used Examples –Bad use of crypto: 802.11b –Protocols without expert review: early 802.11i –Use standard url parser, crypto library, good random number generator, …

10 Example: Mail Transport Agents Sendmail –Complicated system –Source of many vulnerabilities Qmail –Simpler system designed with security in mind –Gaining popularity Qmail was written by Dan Bernstein, starting 1995 $500 reward for successful attack; no one has collected

11 Simplified Mail Transactions mbox Mail User Agent Mail Delivery Agent Mail Transport Agent Mail User Agent Message composed using an MUA MUA gives message to MTA for delivery –If local, the MTA gives it to the local MDA –If remote, transfer to another MTA

12 Example: Qmail Compartmentalize –Nine separate modules –If one module compromised, others not Move separate functions into mutually untrusting programs Always validate input from other modules

13 THE BIG Qmail PICTURE tcpserver / tcp-env / inetd qmail-smtpdqmail-inject qmail-queue qmail-send qmail-rspawn qmail-remote qmail-lspawn qmail-local mbox / maildir / program delivery MUA remote mailserver SMTP from networkfrom local to local qmail-system forwarded message

14 Structure of qmail qmail-smtpd qmail-localqmail-remote qmail-lspawnqmail-rspawn qmail-send qmail-inject qmail-queue Incoming SMTP mail Other incoming mail

15 Structure of qmail qmail-smtpd qmail-localqmail-remote qmail-lspawnqmail-rspawn qmail-send qmail-inject qmail-queue Reads the message and creates an entry in the mail queue Signals qmail-send

16 Structure of qmail qmail-smtpd qmail-localqmail-remote qmail-lspawnqmail-rspawn qmail-send qmail-inject qmail-queue qmail-send signals –qmail-lspawn if local –qmail-remote if remote

17 Structure of qmail qmail-smtpd qmail-local qmail-lspawn qmail-send qmail-inject qmail-queue qmail-lspawn –Spawns qmail-local –qmail-local runs with ID of user receiving local mail

18 Structure of qmail qmail-smtpd qmail-local qmail-lspawn qmail-send qmail-inject qmail-queue qmail-local –Handles alias expansion –Delivers local mail –Calls qmail-queue if needed

19 Structure of qmail qmail-smtpd qmail-remote qmail-rspawn qmail-send qmail-inject qmail-queue qmail-remote –Delivers message to remote MTA

20 Least Privilege in Qmail Each module uses least privileges necessary Each runs under different non-privileged UID in four groups: qmaild, qmailr, qmails, and qmailq –Except one as root Only one run as root: qmail-lspawn (except qmail- start) –Spawns the local delivery program under the UID and GID of the user being delivered to –Always changes effective uid to recipient before running user-specified program

21 Principles, sendmail vs qmail Do as little as possible in setuid programs –Of 20 recent sendmail security holes, 11 worked only because the entire sendmail system is setuid –Only qmail-queue is setuid Its only function is add a new message to the queue Do as little as possible as root –The entire sendmail system runs as root Operating system protection has no effect –Only qmail-start and qmail-lspawn run as root.

22 Least privilege qmail-smtpd qmail-localqmail-remote qmail-lspawnqmail-rspawn qmail-send qmail-inject qmail-queue root setuid

23 Keep it simple Parsing –Limited parsing of strings Minimizes risk of security holes from configuration errors –Modules do parsing are isolated and run with user privilege Libraries –Avoid standard C library, stdio Small code is more secure –Plug in interposing modules rather than complicating the core code

24 Backup Slides

25 Security by Obscurity … Information in compiled binaries can be found –Reverse engineering –Disassembler: machine code to assembly –Discomplier: machine code to high-level language Insider attacks are common –Firewalls do not protect against inside attacks Assume an attacker knows everything you know Why? –If attacker has 1-in-a-million chance, and there are a million attackers, you are out of luck Is NOT Secure !!!

26 Designing and Writing Secure Code

27 Secure Programming Techniques: An Abstract View of Program Avoid buffer overflow Secure software design Language-specific problems Application-specific issues Program Component Validate input Respond judiciously Call other code carefully

28 Secure Programming Validate all your inputs –Command line inputs, environment variables, CGI inputs, … –Don't just reject “bad” input, define “good” and reject all else Avoid buffer overflow Carefully call out to other resources –Check all system calls and return values

29 Comparison LinesWordsCharsFiles qmail-1.011602844331370123288 sendmail-8.8.852830179608121811653 zmailer-2.2e10575952055241423624227 smail-3.2623312461401701112151 exim-1.90677782720842092351127

30 Comparison with other MTAs MTAMaturitySecurityFeaturesPerform ance Modular QmailMediumHigh Yes SendmailHighLowHighLowNo PostfixMediumHighMediumHighYes

Download ppt "Outline Designing and Writing Secure Code –General principles for architects/managers –Example: sendmail vs qmail Compiler Prime: Run-time Environment."

Similar presentations

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
Outline Designing and Writing Secure Code –General principles –Example: sendmail vs qmail Compiler Prime: Run-time Environment and Program Organization.

Outline Designing and Writing Secure Code –General principles –Example: sendmail vs qmail Compiler Prime: Run-time Environment and Program Organization.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development.
Outline Designing and Writing Secure Code –General principles for architects/managers –Example: sendmail vs qmail (optional in backup slides) Buffer Overflow.

Outline Designing and Writing Secure Code –General principles for architects/managers –Example: sendmail vs qmail (optional in backup slides) Buffer Overflow.
VM: Chapter 5 Guiding Principles for Software Security.

VM: Chapter 5 Guiding Principles for Software Security.
Secure Design Principles  secure the weakest link  reduce the attack surface  practice defense in depth  minimize privilege  compartmentalize  fail.

Secure Design Principles  secure the weakest link  reduce the attack surface  practice defense in depth  minimize privilege  compartmentalize  fail.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
Announcement Project 2 Due Project 3 will be out this weekend.

Announcement Project 2 Due Project 3 will be out this weekend.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Outline Designing and Writing Secure Code

Outline Designing and Writing Secure Code
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Yan Chen Dept. of Computer Science Northwestern University Information Security Curriculum Development in Northwestern.

Yan Chen Dept. of Computer Science Northwestern University Information Security Curriculum Development in Northwestern.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
Tcl Agent : A flexible and secure mobile-agent system Paper by Robert S. Gray Dartmouth College Presented by Vipul Sawhney University of Pennsylvania.

Tcl Agent : A flexible and secure mobile-agent system Paper by Robert S. Gray Dartmouth College Presented by Vipul Sawhney University of Pennsylvania.
1 ES 314 Advanced Programming Lec 2 Sept 3 Goals: Complete the discussion of problem Review of C++ Object-oriented design Arrays and pointers.

1 ES 314 Advanced Programming Lec 2 Sept 3 Goals: Complete the discussion of problem Review of C++ Object-oriented design Arrays and pointers.
1 Security and Software Engineering Steven M. Bellovin AT&T Labs – Research

1 Security and Software Engineering Steven M. Bellovin AT&T Labs – Research
C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.

C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.
Secure Architecture Principles Isolation and Least Privilege

Secure Architecture Principles Isolation and Least Privilege

Similar presentations

Ads by Google