Presentation is loading. Please wait.

Presentation is loading. Please wait.

Engineering Secure Software. Key Principles  Principle of Least privilege  Defense in Depth  Obviously No Vulnerabilities (vs. No Obvious)  i.e. Assume.

Published byRosanna Howard Modified over 8 years ago

Similar presentations

Presentation on theme: "Engineering Secure Software. Key Principles  Principle of Least privilege  Defense in Depth  Obviously No Vulnerabilities (vs. No Obvious)  i.e. Assume."— Presentation transcript:

1 Engineering Secure Software

2 Key Principles  Principle of Least privilege  Defense in Depth  Obviously No Vulnerabilities (vs. No Obvious)  i.e. Assume they get past that other defenses, how do we: Protect the inner parts of the system? Limit the capabilities of the attacker? Believe our critical subsystems are secure?  Note: in this lecture “process” == “executing program” ©2015 Andrew Meneely

3 Permissions Challenges  When programs are executed, the code has permissions (via executing user, setuid, setgid, etc.)  Many programs need elevated (root) permissions to function Web servers: listen & respond on HTTP, e.g. port 80 Email servers: listen & respond on SMTP, e.g. port 25 Mobile apps: listening for text messages vs. displaying previews What permissions are truly needed, and when?  Some programs have entirely separate functions that should not impact each other Browsers: one web page should not impact the others  Solution: design your architecture around your permissions needs

4 Distrustful Decomposition  Decompose the system into separate processes with separate permissions i.e. fork() NOT threads. Threads still have shared memory.  Communicate via inter-process communication (see next slides)  Each process distrusts the other i.e. validate the input from the other process i.e. re-check credentials and integrity mechanisms  Simplify the root-level subsystems to an extreme extent  Outcomes Complex code gets sandboxed  reduce impact of an exploit More security checks get incorporated throughout the code Incorporate distrust at the architecture level

5 Inter-Process Communication: Simple Techniques  Files Simplest for most developers Locking on files must be respected (concurrency challenges  complexity!!)  Signals Simple messaging, not for transferring data Pre-defined by OS (Unix has ~30 of these) e.g. SIGINT, SIGTERM, SIGKILL, SIGSEGV, SIGPOLL  Clipboard Can set and get clipboard programmatically Users don’t like you messing with this… …but you see it increasingly used in Web apps today

6 IPC: Advanced Techniques  Named pipes a.k.a. a FIFO buffer Define a “virtual file” that one process can write to and another process reads from Supported at the OS (file system) level $ mkfifo --mode=0640 /tmp/irc_packets BTW: stdin and stdout are part of using unnamed pipes! Pro: fast!! Con: on the same system  Sockets Write to a traditional networked socket via the OS network interface Sockets can be set to “loop back” to the original machine if needed Pro: scalable to multiple systems! Con: slower  MANY more IPC strategies: message passing, message queues, technology-specific solutions (e.g. Java RMI), memory-mapped files Constantly evolving ecosystem due to security, reliability, simplicity, etc.

7 e.g. QMail Remote email server Root-level SMTP sending VERY SMALL & SIMPLE User-level operations Queue management CLI processing Error handling Configuration Virtual domains Delivery to client etc. Trust & Machine boundaries Trust boundary IPC via files, SIGPOLL Root-level SMTP listening VERY SMALL & SIMPLE IPC via files

8 e.g. Sorta DD: Google Chrome  Each browser tab is a separate process IPC is accomplished primarily through files via their own IPC subsystem Some IPC OS-specific mechanisms for synchronous message passing Restrict rendering processes to their individual tabs  BUT! Not exactly “Distrustful” OS-level file permissions are not employed Still a lot of threads and shared memory for performance Vulnerabilities can occur where direct file access results in effective IPC

9 e.g. Gone Wrong: Stage Fright  Stage Fright Android Vulnerability of 2015 Buffer overflow in video transcoding function that produces a preview thumbnail on Android text messages Send a crafted video to a phone  arbitrary code execution No user intervention required (i.e. previews are automatically generated)  BUT! Process listening to text messages requires root privs Process for producing thumbnails also ran as root Arbitrary code execution as root  cover your tracks  Lesson: Separate complex, non-root functionality Avoid buffer overflows, of course.

10 Design & Project Implications  Distrustful Decomposition is not something you want to do procrastinate Easier to build upon than bolt on Introduces distrust at key points in the system Introduces necessary complexity into your system  IPC abstracted into a subsystem is often the next step after DD Requires input validation and output normalization/sanitization Requires defining the communication protocols Conway’s Law may even help: separate duties among developers along process lines

Download ppt "Engineering Secure Software. Key Principles  Principle of Least privilege  Defense in Depth  Obviously No Vulnerabilities (vs. No Obvious)  i.e. Assume."

Similar presentations

Categories of I/O Devices

Categories of I/O Devices
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 12: Design Principles Overview Principles –Least Privilege –Fail-Safe.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 12: Design Principles Overview Principles –Least Privilege –Fail-Safe.
CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,

CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,
CGS 3763 Operating Systems Concepts Spring 2013 Dan C. Marinescu Office: HEC 304 Office hours: M-Wd 11:30 - 12:30 AM.

CGS 3763 Operating Systems Concepts Spring 2013 Dan C. Marinescu Office: HEC 304 Office hours: M-Wd 11: :30 AM.
Reza hooshangi (8811253). short history  One of the last major challenges for the web is to enable human communication via voice and video: Real Time.

Reza hooshangi ( ). short history  One of the last major challenges for the web is to enable human communication via voice and video: Real Time.
Chorus Vs Unix Operating Systems Overview Introduction Design Principles Programmer Interface User Interface Process Management Memory Management File.

Chorus Vs Unix Operating Systems Overview Introduction Design Principles Programmer Interface User Interface Process Management Memory Management File.
ECE 4450:427/527 - Computer Networks Spring 2015 Dr. Nghi Tran Department of Electrical & Computer Engineering Lecture 8: Application Layer Dr. Nghi Tran.

ECE 4450:427/527 - Computer Networks Spring 2015 Dr. Nghi Tran Department of Electrical & Computer Engineering Lecture 8: Application Layer Dr. Nghi Tran.
Introduction to Operating Systems CS-2301 B-term 20081 Introduction to Operating Systems CS-2301, System Programming for Non-majors (Slides include materials.

Introduction to Operating Systems CS-2301 B-term Introduction to Operating Systems CS-2301, System Programming for Non-majors (Slides include materials.
1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4 Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-

1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4 Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-
1 Design Principles CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 13, 2004.

1 Design Principles CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 13, 2004.
Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least.

Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least.
An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh.

An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh.
3.5 Interprocess Communication Many operating systems provide mechanisms for interprocess communication (IPC) –Processes must communicate with one another.

3.5 Interprocess Communication Many operating systems provide mechanisms for interprocess communication (IPC) –Processes must communicate with one another.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
3.5 Interprocess Communication

3.5 Interprocess Communication
Networking Support In Java Nelson Padua-Perez Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.

Networking Support In Java Nelson Padua-Perez Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
Communication in Distributed Systems –Part 2

Communication in Distributed Systems –Part 2
CS-3013 & CS-502, Summer 2006 Network Input & Output1 CS-3013 & CS-502, Summer 2006.

CS-3013 & CS-502, Summer 2006 Network Input & Output1 CS-3013 & CS-502, Summer 2006.
1 Security and Software Engineering Steven M. Bellovin AT&T Labs – Research

1 Security and Software Engineering Steven M. Bellovin AT&T Labs – Research
Basic Networking & Interprocess Communication Vivek Pai Nov 27, 2001.

Basic Networking & Interprocess Communication Vivek Pai Nov 27, 2001.

Similar presentations

Ads by Google