Presentation is loading. Please wait.

Presentation is loading. Please wait.

6/17/2015 5:35 PM Lecture 11: Assurance James Hook CS 591: Introduction to Computer Security.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "6/17/2015 5:35 PM Lecture 11: Assurance James Hook CS 591: Introduction to Computer Security."— Presentation transcript:

1 6/17/2015 5:35 PM Lecture 11: Assurance James Hook CS 591: Introduction to Computer Security

2 6/17/2015 5:35 PM Objectives Introduce Assurance as a concept/goal Introduce methods to increase assurance

3 6/17/2015 5:35 PM Why do you trust an Airplane? Which of these do you trust more? Why? NASA images from web site: http://www.dfrc.nasa.gov/Gallery/Photo/http://www.dfrc.nasa.gov/Gallery/Photo/ Boeing images from web site: http://www.boeing.com/companyoffices/gallery/flash.html

4 6/17/2015 5:35 PM Discussion points: Who’s flying? How long have the airframes been in service? Risk/benefit: If you want to go into space you don’t have a lot of choices –Best to limit to “apples to apples”

5 6/17/2015 5:35 PM Trusting Commercial Aircraft Specification integrity –Clear scope of project; goal of aircraft Design integrity –State of the art engineering analysis of design –Extensive modeling (physical and simulation) based on established best-practices of a mature engineering discipline –FAA review Manufacturing integrity –Extensive process controls and tests for all components –Rigor appropriate to risk (entertainment system vs. autopilot)

6 6/17/2015 5:35 PM Trusting Commercial Aircraft Operational integrity –Maintenance is performed by certified mechanics –Maintenance performed on schedule –Maintenance includes diagnostic measurements confirming conformance to design specifications –Pilot is licensed to fly –Pilot inspects aircraft prior to flight (and she’s on the plane!) –Pilot does not perform maintenance (Separation of duty) Feedback –Independent investigation of failures –If design defects or manufacturing defects are identified the entire fleet can be grounded or repaired

7 6/17/2015 5:35 PM Are all Aircraft Trustworthy? Federal regulations reflect risk Crudely: Level of assurance increases as potential cost of failure increases Commercial aviation is “high assurance”

8 6/17/2015 5:35 PM Can you trust systems that include software? Some modern aircraft are “fly by wire” How do we trust them? FAA –Lots of testing –Lots of review –Lots of process-based controls of both Techniques that work for high assurance embedded systems are hard to scale

9 6/17/2015 5:35 PM Trusting Information Systems How can we trust an information system? What can we trust it to do? Can we trust a mechanism to implement a policy? How well does the analogy to aviation apply?

10 6/17/2015 5:35 PM The Analogy Key factor of trust of commercial airplanes is that we trust the engineering processes used to design, build, maintain, and improve them Assurance techniques for information systems are predicated on software engineering practices –Is our discipline a sufficiently mature engineering discipline to earn the trust that the public has placed in us? Sullivan and Bishop’s presentation builds on what are accepted as best practices in Software Engineering Anderson’s presentation is a little more skeptical

11 6/17/2015 5:35 PM Assurance & Trust Sullivan builds on three related ideas: –Trustworthy: sufficient credible evidence that the system will meet … requirements –Trust: a measure of trustworthiness –Security Assurance: confidence that an entity meets its security requirements, based on evidence provided by the application of assurance techniques E.g.: development methodology; formal methods; testing; … So what’s the difference between “trustworthy” and “security assurance”? –Does a system have to be correct to be secure?

12 6/17/2015 5:35 PM Ross Anderson on Assurance “Fundamentally, assurance comes down to the question of whether capable, motivated people have beat up on the system enough. But how do you define enough? And how do you define the system? How do you deal with people who protect the wrong thing, … out of date or plain wrong? … allow for human failures?”

13 6/17/2015 5:35 PM Engineers: Avoid Previous Failures Sullivan proposes 9 classes of failures 1.Requirements definition, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws (wiring, chip) 4.Software implementation errors (bugs, compiler bugs) 5.System use and operation errors 6.Willful system misuse 7.Hardware, communication, or equipment malfunction 8.Environmental problems, natural, acts of God 9.Evolution Maintenance, faulty upgrades, decommissions

14 6/17/2015 5:35 PM Study Previous Failures RISKs community documents failures Sullivan presents three “war stories” to support that the list is reasonable We will never prove such a list is sufficient As a mature discipline, we will be able to change “best practices” if list is insufficient –Tacoma Narrows Bridge

15 6/17/2015 5:35 PM Relevant Tools and Techniques Design Assurance: 1, 2, and 6 Implementation Assurance: –Hardware/software errors 3, 4, 7 –Maintenance & upgrades 9 –Willful misuse 6 –Environment 8 Operational Assurance –Operational errors 5 –Willful misuse 6 1. Requirements definition, omissions, and mistakes 2. System design flaws 3. Hardware implementation flaws 4. Software implementation errors (bugs, compiler bugs) 5. System use and operation errors 6. Willful system misuse 7. Hardware, communication, or equipment malfunction 8. Environmental problems, natural, acts of God 9. Evolution Maintenance, faulty upgrades, decommissions

16 6/17/2015 5:35 PM Software Engineering Taxonomy of failures and design methods presupposes Software Engineering Principles –Classic lifecycle view of SE posits: Requirements Design Implementation Integration and Test Operation and Maintenance

17 6/17/2015 5:35 PM Design Assurance (broad) Requirements: statements of goals that must be satisfied For Security assurance, requirements should determine the security policy, or the space of possible security policies (security model), for the system –E.g. What is the access control mechanism? What are the subjects? What are the objects? What are the rights? –Is the access control policy mandatory? Discretionary? Originator controlled? The tools introduced in class to date provide a vocabulary for expressing security models, policies, and mechanisms

18 6/17/2015 5:35 PM Policy Assurance Evidence that the set of security requirements is complete, consistent and technically sound –Complete: Logic: complete means every sentence is either true or false Security: every system state can be classified as “safe” or “unsafe” –Consistent: Logic: there is no sentence that is both true and false, or, equivalently that the sentence “false” is not a theorem Security: no system state is both “safe” and “unsafe”. –Technically sound: Logic: a rule is sound if it does not introduce inconsistencies ? I think the author intends a necessarily informal notion that the model is appropriate to the situation

19 6/17/2015 5:35 PM Policy Assurance Examples The original BLP papers show that the model is complete and consistent The Volpano, Irvine and Smith paper shows that the Denning and Denning Information Flow Security concepts can be made sound –That analysis is necessarily incomplete (halting problem) Many Policy Assurance arguments are carried out using –“rigorous mathematics” (I.e. pencil and paper proofs) –some use theorem provers (machine checked proofs)

20 6/17/2015 5:35 PM Design Assurance (strict) Design is sufficient to meet the requirements of the policy –What is a design? Architecture Hardware software components Communication mechanisms Use-cases? Threat profile?

21 6/17/2015 5:35 PM Implementation Assurance Evidence establishing the implementation is consistent with the requirements and policy –Generally this is done by showing the implementation is consistent with the design, which is consistent with requirements and policy… Considerations –Design implemented correctly –Evidence that appropriate tools and practices used to avoid introducing vulnerabilities (e.g. code insertion/buffer overflow) –Testing –Proof of correctness –Documentation

22 6/17/2015 5:35 PM Operational Assurance Evidence the system sustains the security policy requirements during installation, configuration, and day-to-day operation Text mentions documentation Usability testing is also key –Human-Computer Interaction studies are underutilized in mainstream assurance practices!

23 6/17/2015 5:35 PM Coverage? Design Assurance: 1, 2, and 6 Implementation Assurance: –Hardware/software errors 3, 4, 7 –Maintenance & upgrades 9 –Willful misuse 6 –Environment 8 Operational Assurance –Operational errors 5 –Willful misuse 6 1. Requirements definition, omissions, and mistakes 2. System design flaws 3. Hardware implementation flaws 4. Software implementation errors (bugs, compiler bugs) 5. System use and operation errors 6. Willful system misuse 7. Hardware, communication, or equipment malfunction 8. Environmental problems, natural, acts of God 9. Evolution Maintenance, faulty upgrades, decommissions All are tasked with 6, do any do an adequate job?

24 6/17/2015 5:35 PM Bishop Chapter 17 (Contributed by Elizabeth Sullivan)Chapter 17

25 6/17/2015 5:35 PM Assurance Myth or Reality? Are we behaving like good engineers and avoiding the Failures of Past? –Or are we alchemists promising to make gold out of manure? If we really cared about code insertion attacks would we use C for routine programming 18 years after the Morris worm?

26 6/17/2015 5:35 PM Confounding Issue In Software Engineering which matters more: –People –Tools –Process All evidence of which I am aware says people matter more than tools or process Given this, can we achieve assurance by mandating tools and process?

27 6/17/2015 5:35 PM Looking Forward Next Lecture: –Evaluation –Reading: Bishop Chapter 18 RA Chapter 23 NB: The two texts have strongly contrasting views; please review both!

Download ppt "6/17/2015 5:35 PM Lecture 11: Assurance James Hook CS 591: Introduction to Computer Security."

Similar presentations

Operating System Security

Operating System Security
Virtual University - Human Computer Interaction 1 © Imran Hussain | UMT Imran Hussain University of Management and Technology (UMT) Lecture 16 HCI PROCESS.

Virtual University - Human Computer Interaction 1 © Imran Hussain | UMT Imran Hussain University of Management and Technology (UMT) Lecture 16 HCI PROCESS.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-1 Chapter 17: Introduction to Assurance Overview Why assurance? Trust and.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-1 Chapter 17: Introduction to Assurance Overview Why assurance? Trust and.
Software Engineering 1. Software development – the grand view 2. Requirements engineering.

Software Engineering 1. Software development – the grand view 2. Requirements engineering.
5/1/2015 1:53 AM Lecture 11: Assurance & Evaluation James Hook CS 591: Introduction to Computer Security.

5/1/2015 1:53 AM Lecture 11: Assurance & Evaluation James Hook CS 591: Introduction to Computer Security.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation 2.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation 2.
Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.

Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.
Building Reliable Software Requirements and Methods.

Building Reliable Software Requirements and Methods.
June 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #18-1 Chapter 18: Introduction to Assurance Overview Why assurance? Trust and.

June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #18-1 Chapter 18: Introduction to Assurance Overview Why assurance? Trust and.
Sources of Risks CIT304 University of Sunderland.

Sources of Risks CIT304 University of Sunderland.
Software Processes: Traditional CSCI102 - Systems ITCS905 - Systems MCS9102 - Systems.

Software Processes: Traditional CSCI102 - Systems ITCS905 - Systems MCS Systems.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Project Life Cycle Jon Ivins DMU. Introduction n Projects consist of many separate components n Constraints include: time, costs, staff, equipment n Assets.

Project Life Cycle Jon Ivins DMU. Introduction n Projects consist of many separate components n Constraints include: time, costs, staff, equipment n Assets.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Software Engineering For Beginners. General Information Lecturer, Patricia O’Byrne. – Times: –See noticeboard outside.

Software Engineering For Beginners. General Information Lecturer, Patricia O’Byrne. – Times: –See noticeboard outside.
Pertemuan 11-12 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
1 Software Testing and Quality Assurance Lecture 1 Software Verification & Validation.

1 Software Testing and Quality Assurance Lecture 1 Software Verification & Validation.
Introduction to Software Testing

Introduction to Software Testing
What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting.

What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting.

Similar presentations

Ads by Google