
SEng 5861: Software Architecture

SEng 5861: Software Architecture. Lecture 10 Dr. Michael Whalen Fall 2010. Topics for Today. Product Line Engineering Security Perspective. Security perspective. Security.


Presentation Transcript


  1. SEng 5861: Software Architecture Lecture 10 Dr. Michael Whalen Fall 2010 SEng 5861 - Mike Whalen

  2. Topics for Today
     • Product Line Engineering
     • Security Perspective

  3. Security perspective

  4. Security
     Security is the set of processes and technologies that allow the owners of resources in the system to reliably control who can perform actions on particular resources
     [Diagram labels: Policy, Mechanism, Threat, Systems, Uses, Executes, Tasks, Reads/Modifies, Information]

  5. Security is Risk Management

  6. Security Policies
     • Defines different kinds of principals
     • Defines different kinds of resources
     • Defines a matrix of access rights from principals to resources
     • Enterprise-level policies become very large
     • May involve:
        • Inheritance (a manager is an employee)
        • Delegation (while Alice is gone, Bob can act as manager)
        • Time windows (Bob can act as manager only until December 1st)
     A security policy defines security-related constraints that the system should enforce.

  7. Security Policy Activities
     • Identify the Principals
     • Identify the Sensitive Resource Classes
     • Identify Actions on Sensitive Resources
     • Identify Sensitive System Operations
     • Create the Access Control Matrix
     • Identify Integrity Requirements

  8. Access Control Matrix
     Each cell defines a list of allowed activities for this principal on this resource. Examples would include {read, write, execute, update, audit, migrate, resize, etc.}
     Resources may be objects the system manipulates or may be configuration / supervisory aspects of the system itself
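
An added example (not from the lecture): the access control matrix combined with the inheritance, delegation and time-window rules from the Security Policies slide. The resources, actions, user-to-role assignments and the year 2010 are constructed, and treating December 1st as the last valid day is an assumption.

```python
from dataclasses import dataclass
from datetime import date

# Constructed matrix: (principal role, resource) -> allowed actions.
ACM = {
    ("employee", "timesheet"): {"read", "write"},
    ("manager", "timesheet"): {"audit"},
    ("manager", "payroll"): {"read", "update"},
}

# Inheritance: a manager is an employee, so the manager role gains employee rights.
INHERITS = {"manager": ["employee"]}

# Users and the roles they hold directly (constructed).
USER_ROLES = {"alice": {"manager"}, "bob": {"employee"}}

@dataclass(frozen=True)
class Delegation:
    delegate: str     # user who may act in the role
    role: str
    not_after: date   # time window: last day the delegation is valid (assumed inclusive)

# "While Alice is gone, Bob can act as manager", only until December 1st.
DELEGATIONS = [Delegation("bob", "manager", date(2010, 12, 1))]

def effective_roles(user, today):
    """Direct roles, plus unexpired delegated roles, plus inherited roles."""
    roles = set(USER_ROLES.get(user, ()))
    roles |= {d.role for d in DELEGATIONS
              if d.delegate == user and today <= d.not_after}
    stack = list(roles)
    while stack:                      # walk the inheritance chain
        for parent in INHERITS.get(stack.pop(), ()):
            if parent not in roles:
                roles.add(parent)
                stack.append(parent)
    return roles

def is_allowed(user, action, resource, today):
    """Default deny: permit only if an effective role's cell lists the action."""
    return any(action in ACM.get((role, resource), set())
               for role in effective_roles(user, today))
```

Evaluating the delegation at request time, rather than copying manager rights into Bob's row, means the rights lapse on their own once the window closes.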

  9. Security Threats
     • It may also document a rationale as to why
     • Identify (as much as possible) threats to security policy
        • Password cracking
        • Network attacks
        • Denial of service
        • Exploitation of software bugs (buffer overflows)
        • Social Engineering
        • Malicious Insider
     A security threat describes a possible way that an attacker may breach security constraints.

  10. Security Threat Activities
     • Start from list of sensitive resources
     • Attempt to determine, for each resource:
        • Who is likely to try to infringe the security policy?
        • How will they try to do so?
        • What are the attackers’ main characteristics?
           • Motivation, sophistication, resources
        • What are the consequences?

  11. Attack Tree Models
     • Provide well documented method of exploring every possibility an adversary has (technical and non-technical).
     • Data presentation in tree format allows:
        • Easy gap identification
        • Selective elaboration based on location in the tree
     • Ability to assign attributes for nodes of the tree:
        • Impact of the attack
        • Ease of attack execution
        • Cost of the attack
        • Presence of countermeasures (such as best practices)
        • Access/trust requirements to conduct attack
     http://www.ddj.com/documents/s=896/ddj9912a/9912a.htm
     http://www.cert.org/archive/pdf/01tn001.pdf
     from: www.ietf.org/proceedings/55/slides/rpsec-3/rpsec-3.ppt

  12. Attack Tree Example
     Goal: Gain unauthorized physical access to building
     Attack:
     OR 1. Unlock door with key
           OR 1. Steal Key
              2. Social Engineering
                 OR 1. Borrow key
                    2. Convince locksmith to unlock door
        2. Pick lock
        3. Break window
        4. Follow authorized individual into building
           OR  1. Act like you belong and follow someone else
               2. Befriend someone authorized outside a building
               3. Appear in need of assistance (such as carrying a large box)
           AND 4. Wear appropriate clothing for the location
     from: www.ietf.org/proceedings/55/slides/rpsec-3/rpsec-3.ppt

  13. Security Mechanisms
     • Authentication: password, biometric, key card, public/private key
     • Network: Virtual private networks
     • Database: DB authentication
     • Detection: Logging and audit, data mining, statistical analysis
     The security mechanisms in a system are the set of technologies, configuration settings, and procedures required to enforce the rules established by the security policy

  14. Security Mechanisms
     • Define mitigations for the risks identified as threats
     • There are many possible mitigation activities depending on the identified threats

  15. How would you mitigate against the following?
     Goal: Gain unauthorized physical access to building
     Attack:
     OR 1. Unlock door with key
           OR 1. Steal Key
              2. Social Engineering
                 OR 1. Borrow key
                    2. Convince locksmith to unlock door
        2. Pick lock
        3. Break window
        4. Follow authorized individual into building
           OR  1. Act like you belong and follow someone else
               2. Befriend someone authorized outside a building
               3. Appear in need of assistance (such as carrying a large box)
           AND 4. Wear appropriate clothing for the location
     from: www.ietf.org/proceedings/55/slides/rpsec-3/rpsec-3.ppt

  16. Security Mechanism Notes
     • Many mitigations require social rather than technological solutions
        • Make sure people think about security
        • Have occasional assessments of social aspects of security
     • Mitigations should include identification of possible attacks

  17. Airport parking security example

  18. Airport Parking Controller
     • You are asked to build the automated parking system at MSP airport
     • Support ePark:
        "Simply insert your credit or debit card into the card reader at the ramp entrance. This will record the time you entered airport parking. Use the same credit or debit card to pay at an ePark® exit lane. The system is fully automated; there is no waiting in line for a cashier."
     • Also support ticketed parking: user receives a ticket and pays either by credit card or cash

  19. Determine sensitive data
     • Determine principals
     • Determine operations on sensitive data
     • Create ACM
     • Create attack tree for one piece of sensitive data

  20. Mapping security to perspectives

  21. Slide from: Eoin Woods, Viewpoints and Perspectives, SATURN 2008 (www.eoinwoods.info)

  22. Slide from: Eoin Woods, Viewpoints and Perspectives, SATURN 2008 (www.eoinwoods.info)

  23. Slide from: Eoin Woods, Viewpoints and Perspectives, SATURN 2008 (www.eoinwoods.info)

  24. Slide from: Eoin Woods, Viewpoints and Perspectives, SATURN 2008 (www.eoinwoods.info)

  25. Slide from: Eoin Woods, Viewpoints and Perspectives, SATURN 2008 (www.eoinwoods.info)

  26. Slide from: Eoin Woods, Viewpoints and Perspectives, SATURN 2008 (www.eoinwoods.info)

  27. Assess Risks

  28. Security Risk Assessment
     • For each security risk:
        • Estimate cost for successful attack
        • Estimate likelihood (%) of successful attack
           • Attack tree can be used to “roll up” number
           • Likelihood should be over some time period
        • Notional cost = (cost estimate) * likelihood
        • Determine whether notional risk is acceptable
           • If not, determine additional mitigations
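
An added example (not from the lecture) of rolling likelihoods up an attack tree and computing notional cost, using the building-access tree from the Attack Tree Example slide. The leaf likelihoods and the cost estimate are constructed, events are assumed independent, and reading the AND marker as "one pretext plus appropriate clothing" is an assumption.

```python
from math import prod

# Building-access attack tree. Leaf numbers are constructed likelihoods of
# success over one year, NOT values from the lecture.
TREE = ("OR", "Gain unauthorized physical access to building", [
    ("OR", "Unlock door with key", [
        ("LEAF", "Steal key", 0.02),
        ("OR", "Social engineering", [
            ("LEAF", "Borrow key", 0.05),
            ("LEAF", "Convince locksmith to unlock door", 0.01)]),
    ]),
    ("LEAF", "Pick lock", 0.03),
    ("LEAF", "Break window", 0.10),
    # Assumed reading of the slide's AND marker: tailgating needs one of the
    # three pretexts AND appropriate clothing.
    ("AND", "Follow authorized individual into building", [
        ("OR", "Pretext (hypothetical grouping node)", [
            ("LEAF", "Act like you belong and follow someone else", 0.20),
            ("LEAF", "Befriend someone authorized outside a building", 0.05),
            ("LEAF", "Appear in need of assistance", 0.10)]),
        ("LEAF", "Wear appropriate clothing for the location", 0.50),
    ]),
])

def likelihood(node):
    """Roll leaf likelihoods up the tree, assuming independent events."""
    kind, _name, body = node
    if kind == "LEAF":
        return body
    child = [likelihood(c) for c in body]
    if kind == "AND":                        # every child must succeed
        return prod(child)
    return 1 - prod(1 - p for p in child)    # OR: at least one succeeds

def notional_cost(cost_estimate, node):
    """Notional cost = (cost estimate) * likelihood, as on the slide."""
    return cost_estimate * likelihood(node)

def with_mitigation(node, leaf_name, new_p):
    """Return a copy of the tree with one leaf's likelihood replaced."""
    kind, name, body = node
    if kind == "LEAF":
        return (kind, name, new_p if name == leaf_name else body)
    return (kind, name, [with_mitigation(c, leaf_name, new_p) for c in body])

COST_ESTIMATE = 50_000  # constructed cost of a successful break-in
```

Re-running `notional_cost` on the tree returned by `with_mitigation` shows how much a single countermeasure moves the root figure, which is the comparison needed when deciding whether additional mitigations are required.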

  29. Security tactics

  30. Apply Recognized Security Principles
     • Principle of least privilege
     • Secure the weakest link
     • Defend in depth
     • Separate and compartmentalize
     • KISS
     • Avoid obscurity
     • Use secure defaults
     • Fail secure
     • Assume external entities are untrusted
     • Audit

  31. Authenticate Principals
     • Principals (roles), not users
     • Same person may require multiple logins depending on desired privilege
        • E.g. root vs. ‘normal’ user
     • Determine mechanism to ensure principal is authentic based on risk
        • May be different depending on principal class
     • Critical thing: each principal can be reliably identified during system use

  32. Authorize Access
     • Verify principal’s right to access sensitive resource for each sensitive operation
     • Ensure that access mechanisms correctly implement access control matrix
        • Software/system testing
     • Ensure access control matrix ensures security policy
        • Organizational review

  33. Ensure Information Secrecy
     • Secrecy: only principals allowed by access control matrix can read information
     • Problem: Information is often transmitted within the system
        • The ‘system’ may exist across organizational boundaries or the internet
     • Sensitive information must be protected (encrypted) once it moves outside the authorization control of the system in which it is stored.

  34. Ensure Information Integrity

  35. Ensure Accountability
     • Many systems require users to be accountable for their actions
     • Two forms of accountability
        • Auditing: record logs of operations that can be used to establish user actions
        • Non-repudiation: ability to definitively identify message sender in such a way as to not be plausibly deniable
           • Digital signing / PKI
