Secure Design Patterns


Secure Design Patterns
James Walden
Northern Kentucky University

CSC 666: Secure Software Engineering

Topics
- Design Patterns
- Security Patterns
- MTA Architecture Example
- OpenSSH Architecture Example
- PatternShare Patterns

Design Patterns
A solution to a problem in context that can be re-used in different ways in software. A pattern has:
- Standard name
- Concise summary of problem
- Description of solution, usually with UML
- Examples of pattern in use
- Pattern variations
Related concepts: architectural patterns, antipatterns, pattern languages.

Security Patterns
A solution to a recurring security problem. Often these are not design patterns with UML.
Scope:
- Design principle
- Architectural
- Procedural
- Design

Mail Transport Agent
MTA requirements:
- Receive mail from local users
- Receive mail from remote users
- Deliver mail to local users
- Send mail to remote users
From The Security Architecture of qmail

Security Requirements of an MTA
Administrative access is required for:
- Opening port 25 for SMTP.
- Delivery of mail to local users.
An administrative or group account is needed to:
- Create files in the mail queue.
- Delete files from the mail queue.

Architecture of Sendmail
Monolithic program performs all tasks:
- Always runs as root.
- Drops privilege when unnecessary.
- Large code base.
- Complex configuration files.
Security history:
- Debug command exploited by Morris worm.
- Many remote root exploits.
- Last root exploit in 2006.

Architecture of qmail
From The Security Architecture of qmail

Pattern: Compartmentalization
Problem: A security failure in one part of a system allows another part of the system to be exploited.
Solution: Put each part in a separate security domain. Even when the security of one part is compromised, the other parts remain secure.

Pattern: Distributed Responsibility
Problem: A security failure in a compartment can change any data in that compartment. A compartment has both an interface that is at risk of a security failure and data that needs to be secure.
Solution: Partition responsibility across compartments such that compartments that are likely to fail do not hold data that needs to be secure. Assign responsibilities in such a way that several of them need to fail in order for the whole system to fail.
AKA: Distributed Delegation

qmail queue
- All messages are stored in the queue first.
- The queue is accessible only by the qmailq user.
Subdirectories:
- pid: initial location of messages; files named after the process ID of the qmail-queue process
- mess: second location of messages; files named after the inode to ensure uniqueness
- intd: contains envelopes for each message
- todo: links to envelopes to be delivered

Pattern: Unique Atomic Chunks
Problem: Many processes need to add information to a database concurrently. How do we ensure that multiple write operations are handled correctly, and that even if there is a crash no trace of the failure is left behind?
Solution: Ensure that every write request goes to a different location. Thus, different processes are never writing to the same file at the same time.
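The qmail queue layout and the Unique Atomic Chunks pattern above, worked through as an added Python illustration (not qmail's own code, which is C): a message moves pid/ to mess/ to intd/ to todo/, with the hard link into todo/ as the commit point, so a crash leaves nothing that delivery can see. The helper names are hypothetical and a POSIX filesystem is assumed.

```python
import os
import tempfile

# Added illustration of qmail's queue discipline (pid/ -> mess/ -> intd/ ->
# todo/); not qmail's code, and the helper names are hypothetical.
# Assumes POSIX semantics: O_EXCL creation, atomic rename, hard links.

QUEUE_DIRS = ("pid", "mess", "intd", "todo")

def init_queue(root=None):
    """Create the four queue subdirectories (in a fresh temp dir by default)."""
    root = root or tempfile.mkdtemp()
    for d in QUEUE_DIRS:
        os.makedirs(os.path.join(root, d), exist_ok=True)
    return root

def enqueue(root, message, envelope, crash_before_commit=False):
    """Store one message so that concurrent writers never share a file name.

    pid/<pid>    created with O_EXCL: a pid is unique among live processes.
    mess/<inode> atomic rename to the inode number, unique even after pid reuse.
    intd/<inode> the envelope, fully written and fsync'd.
    todo/<inode> hard link to the envelope; delivery only ever reads todo/,
                 so this link is the commit point.
    """
    pid_path = os.path.join(root, "pid", str(os.getpid()))
    fd = os.open(pid_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(message)
        f.flush()
        os.fsync(f.fileno())
        inode = os.fstat(f.fileno()).st_ino
    os.rename(pid_path, os.path.join(root, "mess", str(inode)))
    intd_path = os.path.join(root, "intd", str(inode))
    with open(intd_path, "wb") as f:
        f.write(envelope)
        f.flush()
        os.fsync(f.fileno())
    if crash_before_commit:          # simulated crash between intd/ and todo/
        return None
    os.link(intd_path, os.path.join(root, "todo", str(inode)))
    return inode

def recover(root):
    """Cleanup on restart: discard every file that never reached todo/."""
    committed = set(os.listdir(os.path.join(root, "todo")))
    removed = 0
    for d in ("pid", "mess", "intd"):
        for name in os.listdir(os.path.join(root, d)):
            if name not in committed:
                os.unlink(os.path.join(root, d, name))
                removed += 1
    return removed

def pending(root):
    """Inode names of the messages that delivery will pick up."""
    return sorted(int(n) for n in os.listdir(os.path.join(root, "todo")))
```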

Pattern: Checkpointed System
Problem: A component failure can result in loss or corruption of the state information maintained by the failed component. How can we design a system so that its state can be recovered and restored to a known valid state in case a component fails?
Solution: Design the system as a finite state machine. Make the state information persistent. Use configurations that provide the ability to restart the system from a known valid state.

Architecture of Postfix
Uses many of the same patterns as qmail:
- Compartmentalization
- Distributed responsibility
Adds a focus on compatibility:
- Uses mbox as well as maildir format.
- Violates Unique Atomic Chunks in mbox mode.
Adds a focus on performance:
- qmail uses a process for each single delivery.
- Postfix processes last longer.
- Uses the Secure Preforking pattern.

Pattern: Secure Preforking
Problem: The consequences of a security compromise are worse in the case of daemon processes because they have a long lifetime. How can the vulnerability associated with daemon processes be reduced?
Solution: Limit the lifetime of daemon processes and fork them again after a configurable, short lifetime. Run the daemons in a contained environment to minimize the exploits.

Architecture of OpenSSH
SSH login requires privileges to:
- Open port 22.
- Access host key and password information.
- Open new pseudo-terminal devices.
- Change UID to that of the user logging in.
Privilege separation:
- Divide SSH into multiple processes.
- Operate at root, user, and unprivileged levels.
- Limit the scope of an exploit.

Architecture of OpenSSH
- Monitor: privileged FSM that accepts requests from the child for privileged actions.
- Unprivileged: handles authentication requests.
- User-privileged: runs as the user once the user is authenticated.
Image from http://www.citi.umich.edu/u/provos/ssh/privsep.html
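The monitor's role as a privileged state machine, modelled as an added Python example (not OpenSSH's code): the unprivileged child can only ask for actions that are valid in its current state, and anything else is refused and logged. The request names, the credential store and the lockout limit are constructed for the illustration.

```python
import hashlib
import hmac
import os
from enum import Enum, auto

# Added model of the OpenSSH privilege-separation monitor; not OpenSSH's code.
# Request names, credential store and lockout limit are constructed.

class State(Enum):
    PREAUTH = auto()        # child is unprivileged, user unknown
    AUTHENTICATED = auto()  # child may now act on the user's behalf
    DONE = auto()           # monitor refuses everything

# The state machine: which privileged requests are honoured in each state.
# A compromised child that asks for anything else is refused, not served.
ALLOWED = {
    State.PREAUTH: {"sign_hostkey", "auth_password"},
    State.AUTHENTICATED: {"pty_alloc"},
    State.DONE: set(),
}
MAX_AUTH_FAILURES = 3

def make_credential(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class MonitorError(Exception):
    pass

class Monitor:
    def __init__(self, users, hostkey=b"constructed-host-key"):
        self.state, self.users, self.hostkey = State.PREAUTH, users, hostkey
        self.user, self.failures, self.log = None, 0, []

    def request(self, name, **args):
        """Entry point for every request the unprivileged child sends."""
        if name not in ALLOWED[self.state]:
            self.log.append(("refused", name, self.state.name))
            raise MonitorError(f"{name} not allowed in state {self.state.name}")
        self.log.append(("ok", name, self.state.name))
        return getattr(self, "_" + name)(**args)

    def _sign_hostkey(self, data):
        # the host key never leaves the monitor; the child only gets a signature
        return hmac.new(self.hostkey, data, "sha256").hexdigest()

    def _auth_password(self, user, password):
        salt, stored = self.users.get(user, (b"", b""))
        probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        if user in self.users and hmac.compare_digest(stored, probe):
            self.user, self.state = user, State.AUTHENTICATED
            return True
        self.failures += 1
        if self.failures >= MAX_AUTH_FAILURES:
            self.state = State.DONE
        return False

    def _pty_alloc(self):
        return f"pty allocated for {self.user}"
```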

Architecture of OpenSSH
Patterns followed:
- Compartmentalization
- Least Privilege
- Reducing the TCB
Comparisons:
- Much more interaction between privileged and unprivileged parts than in qmail or Postfix.
- Very Secure FTPd (vsftpd) follows a privilege separation approach too.

Broad classification using an information organizing table

PatternShare Template – Pattern Name
Viewpoint / Interrogative
Classification Key: hierarchical classification key
Problem: the problem statement of the pattern.
Solution: the solution provided by the pattern.
Known Uses: example implementation of the pattern.
Related Patterns: patterns that are related.
Source: source repository
Tags: tags for identifying the pattern

The template slides and 5 patterns were excerpted from Munawar Hafiz's OOPSLA tutorial (Munawar Hafiz, Security Patterns and Secure Architecture, OOPSLA ’06), available from https://netfiles.uiuc.edu/mhafiz/www/research/patterns/index.htm

PatternShare Legends
Viewpoints:
- Business Arch. – CEO
- Integration Arch. – Ent. Arch.
- Application Arch. – Arch.
- Application Arch. Design – Application Arch. – Developer
- Operational Arch. – Sys. Arch.
Interrogatives:
- Function
- Data
- Network
- Test
- Everything

Application Architecture Pattern (Application Arch. – Design; Data)
Audit Interceptor
Classification Key: Core Security, Repudiation
Problem: A security audit allows auditors to reconcile actions or events that have taken place in the application with the policies that govern those actions. The audit logs have to be checked periodically to ensure that the actions users have taken are in accordance with the actions allowed by the user's privileges. The most important part is to record an audit trail and to make sure that the audit trail supports proper auditing of the appropriate events and the user actions associated with them. Deviations must be identified from the audit reports, and corrective actions have to be taken so that the deviations do not recur, either through code fixes or policy changes. How can you build an auditing framework that easily supports additions or changes to the audited events?
Solution: Intercept business tier requests and responses. Create audit events based on the information in the request/response pair, using declarative mechanisms defined externally to the application. The declarative approach is crucial to the maintainability of the application, since it makes it easy to keep up with changed corporate policies.
Known Uses: Audit interceptor with a JMS store to store audit information.
Source: Sun Book
Tags: Audit
Pattern 4
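The declarative interception the solution describes, as an added Python example (not the Sun book's implementation): the audit policy is a JSON document loaded at start-up, the interceptor wraps a business-tier handler and emits an event for each matching request/response or request/exception pair, and a policy change touches only the document. The rule document, the bank handler and the in-memory sink are constructed for the example.

```python
import json
import time

# Added illustration of the Audit Interceptor pattern; not the Sun book's code.
# The rule document, the bank handler and the in-memory sink are constructed
# (a real sink would be a JMS queue or a database table).

# Declarative policy kept outside the code: which operations are audited, on
# which outcome, and which request fields are recorded. First match wins.
AUDIT_RULES_JSON = """
{"rules": [
  {"operation": "transfer", "on": "always",  "record": ["from", "to", "amount"]},
  {"operation": "withdraw", "on": "failure", "record": ["account", "amount"]},
  {"operation": "*",        "on": "failure", "record": []}
]}
"""

class AuditInterceptor:
    def __init__(self, rules_json, sink, clock=time.time):
        self.rules = json.loads(rules_json)["rules"]
        self.sink, self.clock, self.seq = sink, clock, 0

    def _rule_for(self, operation, outcome):
        for rule in self.rules:
            if rule["operation"] in (operation, "*") and rule["on"] in ("always", outcome):
                return rule
        return None

    def _audit(self, principal, operation, request, outcome, detail):
        rule = self._rule_for(operation, outcome)
        if rule is None:
            return
        self.seq += 1                     # gap-free sequence: a removed event shows
        self.sink.append({
            "seq": self.seq, "ts": self.clock(), "principal": principal,
            "operation": operation, "outcome": outcome, "detail": detail,
            "data": {k: request.get(k) for k in rule["record"]},
        })

    def wrap(self, handler):
        """Return a handler that audits every request/response (or exception) pair."""
        def intercepted(principal, operation, request):
            try:
                response = handler(principal, operation, request)
            except Exception as exc:      # audit, then let the failure propagate
                self._audit(principal, operation, request, "failure", type(exc).__name__)
                raise
            self._audit(principal, operation, request, "success", None)
            return response
        return intercepted

# Constructed business tier: an in-memory ledger with two operations.
BALANCES = {"acct-1": 100, "acct-2": 0}

def bank(principal, operation, request):
    if operation == "withdraw":
        if BALANCES[request["account"]] < request["amount"]:
            raise ValueError("insufficient funds")
        BALANCES[request["account"]] -= request["amount"]
    elif operation == "transfer":
        BALANCES[request["from"]] -= request["amount"]
        BALANCES[request["to"]] += request["amount"]
    else:
        raise KeyError(operation)
    return dict(BALANCES)
```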

Application Architecture Pattern (Application Arch. – Design; Function)
Authenticator
Classification Key: Perimeter Security, Spoofing
Problem: A malicious attacker might try to impersonate a legitimate user in order to access that user's resources. This is even more serious if the impersonated user has a high level of privilege. How can agents that are not allowed in be prevented from entering the system?
Solution: Create a single point of access to receive the interactions of a subject, and apply a protocol to verify the identity of the subject. Create a proof of identity if the subject is successfully authenticated.
Known Uses: Centralized authentication service in RADIUS.
Related Patterns: Single Access Point, Policy Enforcement Point.
Source: Wiley Book
Tags: Authentication, Component
Pattern 5

Application Architecture Pattern (Application Arch. – Design; Data)
Client Data Storage
Classification Key: Core Security, Tampering
Problem: In a client-server system, it may be necessary to store data on the client, for load balancing, session management, single sign-on and so on. The client should not be able to view the data. How can the data be protected from unauthorized access by the client?
Solution: Use encryption to protect the data that is stored on the client. Keep a hash value of the data to detect tampering with the content. Use a lightweight symmetric key to protect the data. Change the session key often to protect against guessing attacks.
Known Uses: Amazon.com, Buy.com and others store an encrypted cookie on the client.
Related Patterns: Encrypted Storage.
Source: Kienzle et al. Repository
Tags: Client Server, Access Control
Pattern 10

Application Architecture Pattern (Application Arch. – Arch.; Function)
Single Access Point
Classification Key: Perimeter Security, Information Disclosure
Problem: A security model is difficult to validate when there are multiple ways of entering the application. How can we secure a system from outside intrusion?
Solution: Set up only one way to get into the system and, if necessary, create a mechanism to decide which sub-application to launch. Typically most applications use a login screen to provide the single access point.
Known Uses: Login window in Windows, Unix, MacOS.
Related Patterns: Policy Enforcement Point, Security Session.
Source: Wiley Book
Tags: Access Control, Policy
Pattern 78
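The Authenticator and Single Access Point patterns together, as an added Python example (not the Wiley book's code): every client call enters through one gateway, unauthenticated callers may only run the login protocol, a successful login yields a MAC-protected proof of identity, and the gateway decides which sub-application to dispatch to. The credential store, token format, sub-applications and helper names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Added illustration of Authenticator + Single Access Point; not the Wiley
# book's code. Credential store, token format and sub-apps are constructed.

SERVER_KEY = os.urandom(32)   # signs proofs of identity; never leaves the server
TOKEN_TTL = 900               # seconds a proof of identity stays valid

def make_credential(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

USERS = {"alice": make_credential("correct horse")}   # constructed store

def authenticate(user, password):
    """The verification protocol: derive and compare in constant time, whether
    or not the user exists, so the check does not reveal which names are valid."""
    salt, stored = USERS.get(user, (b"", b""))
    probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return user in USERS and hmac.compare_digest(stored, probe)

def issue_token(user, now):
    """Proof of identity: claims plus an HMAC over them under SERVER_KEY."""
    body = base64.urlsafe_b64encode(json.dumps({"sub": user, "exp": now + TOKEN_TTL}).encode())
    return body.decode() + "." + hmac.new(SERVER_KEY, body, "sha256").hexdigest()

def verify_token(token, now):
    """Return the subject if the MAC checks and the token is unexpired, else None."""
    body, _, sig = token.partition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), "sha256").hexdigest()
    if not (sig and sig.isascii() and hmac.compare_digest(expected, sig)):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims["sub"] if claims["exp"] > now else None

# Sub-applications behind the access point; none is reachable directly.
SUB_APPS = {"mailbox": lambda u: f"mailbox of {u}", "admin": lambda u: f"admin console for {u}"}

def gateway(action, token=None, user=None, password=None, now=None):
    """The single access point: the only call a client can make. Unauthenticated
    callers may only run the login protocol; everything else needs a valid token."""
    now = time.time() if now is None else now
    if action == "login":
        if not authenticate(user or "", password or ""):
            return {"error": "bad credentials"}
        return {"token": issue_token(user, now)}
    subject = verify_token(token or "", now)
    if subject is None:
        return {"error": "not authenticated"}
    app = SUB_APPS.get(action)
    if app is None:
        return {"error": "no such application"}
    return {"result": app(subject)}
```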

Application Architecture Pattern (Application Arch. – Design; Function)
Small Processes
Classification Key: Perimeter Security
Problem: A program made of many processes is limited by the memory those processes use. If the processes grow unbounded, there is a potential denial-of-service scenario. How can a program with many processes be made safe from resource exhaustion?
Solution: Make the processes small. Each process should perform one task. This ensures that processes allocate limited memory.
Known Uses: qmail processes are very small and perform only the required task.
Related Patterns: DoS Safety.
Source: Hafiz et al.
Tags: Resource Limit, DoS
Pattern 82

References
- Daniel J. Bernstein, "Some thoughts on security after ten years of qmail 1.0," Proceedings of the 2007 ACM Workshop on Computer Security Architecture, 2007.
- Munawar Hafiz, Ralph Johnson and Raja Afandi, "Security Architecture of qmail," Proceedings of the 11th Pattern Languages of Programs conference (PLoP 2004), 2004.
- Munawar Hafiz, "Security Patterns and Secure Software Architecture," OOPSLA Tutorial 51, OOPSLA ’06, 2006.
- Darrel M. Kienzle and Matthew C. Elder, "Final Technical Report: Security Patterns for Web Application Development," available at http://www.scrypt.net/~celer/securitypatterns/, 2002.
- Niels Provos, Markus Friedl and Peter Honeyman, "Preventing Privilege Escalation," 12th USENIX Security Symposium, Washington, DC, August 2003.
- Jerome H. Saltzer and Michael D. Schroeder, "The Protection of Information in Computer Systems," Proceedings of the IEEE 63(9), pp. 1278-1308, September 1975.
- Markus Schumacher et al., Security Patterns: Integrating Security and Systems Engineering, Wiley, 2006.
- Joseph Yoder and Jeffrey Barcalow, "Architectural Patterns for Enabling Application Security," Proceedings of the 4th Conference on Pattern Languages of Programs (PLoP ’97), 1997.