Security Architecture and Design Chapter 4 Part 1 Pages 297 to 319
Bugs and Flaws
- Security bug: a vulnerability in the software implementation (the code), e.g. a missing bounds check
- Security flaw: a vulnerability in the architecture or design, present no matter how carefully the code is written
- In practice the split between the two is roughly 50/50

Today's Environment
- Security bugs and flaws account for the majority of compromises
- We have become better at protecting the perimeter (firewalls, IPS, etc.), so the weak point has moved to the software itself
- Demand for more functionality has made software more complex
- As complexity increases, security decreases

Approaches
- Bake security in from the start: architecture, then design, implementation and testing (the correct approach)
- Bolt security on at the end: there is often not enough time, and it is much harder to do, because a design flaw cannot be patched with a code change
Security
"The security that a product provides must be evaluated based upon the availability, integrity, and confidentiality that it claims to provide."
You need to really understand how the technology works in order to determine the level of security that is actually in place.

Waterfall Model
1. Architect the system
2. Write the specification and requirements
3. Design
4. Implement (write the code)
5. Test
6. Deploy

System Architecture
- A conceptual understanding of the system's structure and behaviour and of its relationship to its environment
- Outlines the main goals the system must achieve
- The big picture

System Architecture
- Architectural description for a software-intensive system: ISO/IEC/IEEE 42010
- Security needs to be considered while the system is being architected, not after

Stakeholder
- Stakeholder: an individual, team, or organization with an interest in the system
- View: a representation of the system from a particular perspective (one set of stakeholder concerns)
- "The architect needs to capture the goals that the system is supposed to accomplish for each stakeholder."

Computer Architecture
- Computer hardware
- Operating system
- Network
Computers
Buses
- Most systems today have 64-bit address and data buses
- Caveat: "64-bit" describes the register and data-path width; current x86-64 CPUs implement fewer usable address bits (48-bit virtual addresses with 4-level paging, up to 52-bit physical), so not every address bit is wired
CPU
Registers
- PC (Program Counter): address of the next instruction to execute
- General registers: hold data and intermediate results
- Special registers:
  - SP (Stack Pointer): address of the top of the current stack
  - PSW (Program Status Word): condition flags, including a bit for a negative result and a bit for a zero result

PSW
- Also holds the mode bit:
  - User mode, where applications run
  - Privileged (kernel, supervisor) mode, reserved for the operating system; only in this mode can the CPU execute privileged instructions such as direct I/O
- A process that can get its code executed while this bit is set controls the whole machine

Stack Pointer
- The SP tracks the top of the stack; each call pushes a new frame
- Listed from the top of the stack downward, a frame holds: local variables, return address, parameters
- Below it sits the caller's frame with the same layout (local variables, return address, parameters)
- Because the locals sit just below the saved return address, writing past the end of a local buffer can overwrite the return address; this is the basis of stack buffer overflows
Multicore Processor: several CPU cores on one chip, so several threads can execute truly in parallel

Multiprocessing: a system with more than one processor (see page 311)

Process
- A program loaded into memory, together with its execution state
- Multiprogramming OS: more than one process (program) can be loaded in memory at once (see page 319)
- Preemptive multitasking (time sharing): the OS, driven by the timer interrupt, takes the CPU away from the running process when its time slice expires and gives it to another
Figure 4-6 on Page 314
Process Table
- One entry per process, holding the state needed to resume it after a context switch: PID, program counter, register contents, priority, open files and similar

Interrupts
- Timer: fires periodically so that the OS regains control and can preempt the running process
- Device: when a device needs to communicate with the CPU, e.g. a disk signalling that an I/O operation has completed
Interrupts
Threads
- A thread is created by a process when it has a specific activity that needs to be carried out; it is an independent stream of instructions that shares the process's memory and resources
- Examples in Microsoft Word: open a file, print a document, save a file

Multithreading
- One process with several threads running concurrently; on a multicore processor they can run in parallel

Code Injection Attack
- The attacker injects instructions into a running process, which then executes them with the process's privileges
- Example payloads: a keylogger, or code that sends out malware
- If the process runs in privileged mode, the injected code does too
- OWASP Top Ten A9, Using Components with Known Vulnerabilities: known-vulnerable libraries and components are a common way such injection becomes possible

Process Scheduling
- Responsibility of the operating system
- Process priorities:
  - Low-priority background processes
  - A high-priority process hogging the system resources can starve everything else: a denial-of-service condition

Software Deadlock
- Process A holds resource 1 and requests resource 2
- Process B holds resource 2 and requests resource 1
- Neither request can ever be granted, so both wait forever; the usual prevention is to make every process acquire resources in the same global order
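As an added example (not code from these slides or from the textbook), the C program below ties the stack-frame layout from the Stack Pointer slide to the code injection slide: a function that copies a request into a fixed-size stack buffer with an unbounded strcpy (the classic way an attacker's bytes run over the saved return address) next to a length-checked replacement that refuses oversized input. The request strings, buffer size and function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 32

/* Constructed sample input: a well-formed request that fits the buffer. */
static const char SHORT_INPUT[] = "GET /index.html";

/* Build an input of n-1 'A' bytes plus a NUL terminator: the kind of
 * oversized input an attacker sends to run past a BUF_SIZE buffer. */
void make_long_input(char *dst, size_t n) {
    memset(dst, 'A', n - 1);
    dst[n - 1] = '\0';
}

/* VULNERABLE: strcpy stops only at the source's NUL byte. Any input longer
 * than BUF_SIZE-1 bytes keeps writing past 'buf' into the rest of the stack
 * frame, i.e. over the saved return address that sits just above the locals.
 * In this file it is only ever called with SHORT_INPUT, so the program's own
 * behaviour stays defined. */
int parse_request_unsafe(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);                 /* no bound check */
    return (int)strlen(buf);            /* bytes accepted */
}

/* HARDENED: the caller passes the length it actually received, the function
 * refuses anything that does not fit (rather than silently truncating), and
 * the buffer is always NUL-terminated. */
int parse_request_safe(const char *input, size_t input_len) {
    char buf[BUF_SIZE];
    if (input_len >= sizeof buf) {
        return -1;                      /* reject: would overflow */
    }
    memcpy(buf, input, input_len);
    buf[input_len] = '\0';
    return (int)input_len;              /* bytes accepted */
}

/* Feed the hardened parser an input of exactly 'len' bytes and return its verdict. */
int safe_verdict_for_len(size_t len) {
    char tmp[256];
    if (len + 1 > sizeof tmp) return -2;   /* out of range for this helper */
    make_long_input(tmp, len + 1);
    return parse_request_safe(tmp, len);
}

int main(void) {
    char attack[200];
    make_long_input(attack, sizeof attack);

    printf("unsafe, short input : %d bytes\n", parse_request_unsafe(SHORT_INPUT));
    printf("safe,   short input : %d bytes\n",
           parse_request_safe(SHORT_INPUT, strlen(SHORT_INPUT)));
    printf("safe,   %zu-byte input: %d (rejected)\n", strlen(attack),
           parse_request_safe(attack, strlen(attack)));
    printf("safe,   31-byte input : %d (largest that fits)\n", safe_verdict_for_len(31));
    /* parse_request_unsafe(attack) is deliberately not called: it would smash the frame. */
    return 0;
}
```

The important design point is that the hardened version takes a length instead of trusting a terminator, and fails closed: a request that does not fit is an error, not a truncated request, so a caller cannot be tricked into processing a half-copied buffer.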
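The following C simulation is an added example (not code from the slides or the textbook) that covers the Process, Process Table, Interrupts and Process Scheduling slides together: a small process table, a timer tick that charges CPU time to one entry, and two scheduling policies run over the same workload. Under strict priority a runaway high-priority process takes every tick and the others starve (the denial-of-service case on the slide); under round-robin time sharing the timer interrupt preempts it and everyone progresses. The process names, priorities and run lengths are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PROCS 8
#define INFINITE_WORK (-1)

enum pstate { READY, DONE };

/* One process-table entry: the subset of fields the scheduler needs. */
struct pcb {
    int  pid;
    char name[16];
    int  priority;        /* higher value = higher priority */
    int  remaining;       /* CPU ticks still needed; INFINITE_WORK = never finishes */
    int  ticks_received;  /* accounting: CPU ticks actually granted */
    enum pstate st;
};

struct proc_table { struct pcb p[MAX_PROCS]; int n; };

/* Constructed workload: a runaway high-priority process plus two ordinary ones. */
void build_table(struct proc_table *t) {
    struct pcb init[] = {
        {1, "hog",    10, INFINITE_WORK, 0, READY},
        {2, "shell",   5, 20,            0, READY},
        {3, "backup",  1, 20,            0, READY},
    };
    t->n = (int)(sizeof init / sizeof init[0]);
    memcpy(t->p, init, sizeof init);
}

static int runnable(const struct pcb *p) { return p->st != DONE; }

/* Charge one timer tick to a process. */
static void run_tick(struct pcb *p) {
    p->ticks_received++;
    if (p->remaining != INFINITE_WORK && --p->remaining == 0) p->st = DONE;
}

/* Strict priority: on every timer interrupt dispatch the highest-priority runnable
 * process. One that never blocks and outranks everyone keeps the CPU forever. */
void schedule_strict_priority(struct proc_table *t, int ticks) {
    for (int tick = 0; tick < ticks; tick++) {
        int best = -1;
        for (int i = 0; i < t->n; i++)
            if (runnable(&t->p[i]) && (best < 0 || t->p[i].priority > t->p[best].priority))
                best = i;
        if (best < 0) return;                       /* everything finished */
        run_tick(&t->p[best]);
    }
}

/* Round-robin time sharing: once the running process has used its quantum, the
 * timer interrupt preempts it and the next runnable process gets the CPU. */
void schedule_round_robin(struct proc_table *t, int ticks, int quantum) {
    int cur = 0, used = 0;
    for (int tick = 0; tick < ticks; tick++) {
        int tries = 0;
        while ((!runnable(&t->p[cur]) || used >= quantum) && tries < t->n) {
            cur = (cur + 1) % t->n;                 /* context switch */
            used = 0;
            tries++;
        }
        if (!runnable(&t->p[cur])) return;          /* nothing left to run */
        run_tick(&t->p[cur]);
        used++;
    }
}

int ticks_for(const struct proc_table *t, int pid) {
    for (int i = 0; i < t->n; i++) if (t->p[i].pid == pid) return t->p[i].ticks_received;
    return -1;
}

/* Processes that still have work but never got a single tick: starvation. */
int starved_count(const struct proc_table *t) {
    int n = 0;
    for (int i = 0; i < t->n; i++)
        if (runnable(&t->p[i]) && t->p[i].ticks_received == 0) n++;
    return n;
}

/* Run one policy over a fresh table; report the ticks granted to 'pid', or the
 * number of starved processes when pid == 0. */
int simulate(int round_robin, int ticks, int quantum, int pid) {
    struct proc_table t;
    build_table(&t);
    if (round_robin) schedule_round_robin(&t, ticks, quantum);
    else             schedule_strict_priority(&t, ticks);
    return pid == 0 ? starved_count(&t) : ticks_for(&t, pid);
}

int main(void) {
    const char *policy[] = {"strict priority", "round robin (quantum 2)"};
    for (int rr = 0; rr < 2; rr++) {
        printf("%s, 60 ticks: hog %d, shell %d, backup %d, starved %d\n", policy[rr],
               simulate(rr, 60, 2, 1), simulate(rr, 60, 2, 2),
               simulate(rr, 60, 2, 3), simulate(rr, 60, 2, 0));
    }
    return 0;
}
```

Real schedulers mix the two (priority classes with time slicing and aging), but the simulation isolates the property that matters for availability: a policy in which one process can monopolise the CPU turns a misbehaving or malicious high-priority process into a denial of service for every other user.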
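As an added example (not code from the slides or the textbook), here is the slide's two-process deadlock expressed as a wait-for graph in C, together with a cycle detector and a check of the lock-ordering rule that prevents it. It goes one step beyond the slide by also handling a three-process cycle, which the same detector finds. The scenario builders and the resource numbering are constructed for illustration; resources are numbered from 0, so the slide's "resource 1" and "resource 2" are indices 0 and 1.

```c
#include <stdio.h>

#define MAX_P 8
#define MAX_R 8
#define NONE (-1)

/* Snapshot of who holds what and who is blocked on what. Resources are numbered,
 * and that numbering is also the global order well-behaved code acquires them in. */
struct sysstate {
    int nproc, nres;
    int holder[MAX_R];       /* holder[r] = process holding resource r, or NONE */
    int waiting_for[MAX_P];  /* waiting_for[p] = resource p is blocked on, or NONE */
};

/* Wait-for graph edge p -> q: p is blocked on a resource that q holds. */
static int waits_on(const struct sysstate *s, int p) {
    int r = s->waiting_for[p];
    return r == NONE ? NONE : s->holder[r];
}

/* A deadlock exists exactly when the wait-for graph contains a cycle. Each process
 * blocks on at most one resource, so every node has at most one outgoing edge and a
 * cycle is found by walking the chain from each process until it ends or repeats. */
int has_deadlock(const struct sysstate *s) {
    for (int start = 0; start < s->nproc; start++) {
        int seen[MAX_P] = {0};
        int p = start;
        while (p != NONE && !seen[p]) {
            seen[p] = 1;
            p = waits_on(s, p);
        }
        if (p != NONE) return 1;   /* walked back onto a visited node: cycle */
    }
    return 0;
}

/* Lock-ordering rule: a process may only request a resource numbered higher than every
 * resource it already holds. Returns the first process breaking the rule, or NONE.
 * If nobody breaks it, the wait-for graph cannot contain a cycle. */
int lock_order_violator(const struct sysstate *s) {
    for (int p = 0; p < s->nproc; p++) {
        int want = s->waiting_for[p];
        if (want == NONE) continue;
        for (int held = 0; held < s->nres; held++)
            if (s->holder[held] == p && held > want) return p;
    }
    return NONE;
}

static void clear(struct sysstate *s, int nproc, int nres) {
    s->nproc = nproc; s->nres = nres;
    for (int r = 0; r < MAX_R; r++) s->holder[r] = NONE;
    for (int p = 0; p < MAX_P; p++) s->waiting_for[p] = NONE;
}

/* The slide: A (process 0) holds resource 0 and requests resource 1;
 * B (process 1) holds resource 1 and requests resource 0. */
void scenario_slide(struct sysstate *s) {
    clear(s, 2, 2);
    s->holder[0] = 0; s->waiting_for[0] = 1;
    s->holder[1] = 1; s->waiting_for[1] = 0;
}

/* Same two processes obeying the order: A holds resource 0 and requests the free
 * resource 1; B requests resource 0 while holding nothing, and simply waits. */
void scenario_ordered(struct sysstate *s) {
    clear(s, 2, 2);
    s->holder[0] = 0; s->waiting_for[0] = 1;
    s->waiting_for[1] = 0;
}

/* Three-way cycle: process p holds resource p and requests resource p+1 (mod 3). */
void scenario_three_way(struct sysstate *s) {
    clear(s, 3, 3);
    for (int p = 0; p < 3; p++) { s->holder[p] = p; s->waiting_for[p] = (p + 1) % 3; }
}

/* Evaluate a scenario (0 = slide, 1 = ordered, 2 = three-way): the lock-order
 * violator when report_violator is set, otherwise the deadlock verdict. */
int evaluate(int which, int report_violator) {
    struct sysstate s;
    if (which == 0) scenario_slide(&s);
    else if (which == 1) scenario_ordered(&s);
    else scenario_three_way(&s);
    return report_violator ? lock_order_violator(&s) : has_deadlock(&s);
}

int main(void) {
    const char *names[] = {"slide (A/B)", "ordered", "three-way"};
    for (int i = 0; i < 3; i++)
        printf("%-12s deadlock=%d  order violator=%d\n", names[i], evaluate(i, 0), evaluate(i, 1));
    return 0;
}
```

The violator reported for the slide's scenario is B, which requested resource 0 while holding resource 1; rewriting B to take resource 0 first (the ordered scenario) removes the cycle without any run-time detection.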