
Grundlagen des Software Engineering
Security Engineering

Alexander Pretschner, 20/01/2012
Karlsruher Institut für Technologie
Zertifizierbare Vertrauenswürdige Informatiksysteme

GSE - Security Engineering, 20/01/2012, Alexander Pretschner, Karlsruher Institut für Technologie 2

Overview

► What is security?

► What is security engineering?


Goal of this lecture

► Get some understanding of what security engineering is all about

► Understand what makes it so difficult

► See how security relates to other SW engineering activities


Security Properties: CIA

► Confidentiality
  ► Can non-authorized parties see data?
► Integrity
  ► Has data been altered (and I should know this)?
► Availability
  ► Is data always accessible?
► … of data, and then of the systems that process data (including humans)


More Security Properties

► Non-repudiation
  ► Impossibility to inappropriately deny a transaction or having sent a message
► Auditability
  ► Ability to reconstruct (certain aspects of) earlier states of a system
► Accountability
  ► Ability to hold an entity accountable for its actions. This is related to non-repudiation and auditability
► Privacy
  ► No clear definition. Refers to security of personal information. Privacy means that a person has appropriate control over which information on him or her is generated, stored, processed, and deleted, and by whom.
► Anonymity
  ► The identity of an entity is hidden; an aspect of privacy

Source: Ueli Maurer, Information Security


Does it Matter?

► Private data
  ► Medical records
  ► Loyalty cards
  ► Mobile telephone data including location
► Commercial data
  ► DRM
  ► IP in distributed business processes
► Government data
  ► Military data
  ► Intelligence


Relevance and Challenges

► New security-sensitive applications
  ► eVoting, car2car communication, internet banking and payment, DRM, …
► Security technologies are enablers and drivers
► Fight against
  ► Vulnerabilities, vulnerabilities, vulnerabilities, ....
  ► Increasing threats and potential damages
  ► Potential cyber crime, hooliganism, terrorism

► National interests and secret services

► Privacy issues

► Lack of standards; lack of products/solutions

► Lack of understanding


Some Stories with criminal background

► Express Scripts, one of the largest medical data management companies, blackmailed with exposing millions of patient records (November 2008) http://phx.corporate-ir.net/phoenix.zhtml?c=69641&p=irol-newsArticle&ID=1223389&highlight=

► US DoD computers under attack with the agent.btz worm that copies itself to flash drives (November 2008) http://archives.chicagotribune.com/2008/nov/30/nation/chi-cyberattack_bdnov30

► Several governmental computers, including some of NATO's and those of the Dalai Lama, infiltrated with malware that not only phishes but can also switch on camera/audio devices and transmit data (March 2009) http://www.nytimes.com/2009/03/29/technology/29spy.html?_r=1&hp


Relevance: Political Fallout

► James Nicholson, US Dept. of Veterans Affairs: asked to resign in May 2006 after the loss of 26.5 M veterans' records
► Patricia Hewitt, UK Department of Health: asked to resign in May 2007 after unencrypted doctors' records became publicly available
► Paul Gray, former Head of HM Revenue and Customs: resigned in November 07 after the loss of 25 M child benefit records
► Klaus Zumwinkel, former CEO of Deutsche Post: resigned in February 08 after Liechtenstein bank data became available
► Philipp Humm, former CEO of T-Mobile Germany: resigned in Nov 2008 (as CEO) after the loss of 17 M customer records
► Never-ending story
  ► University of Göttingen lost 20000 student names (Oct 2008)
  ► …


One Top-Ten List: Data Records Accessed

http://www.databreaches.net/?p=2862


Yet …

► Do we really want security?
  ► Trade-off with functionality
  ► Trade-off with users' liberties
  ► Waive privacy for a cheese burger?
  ► Do you use facebook or studiVZ?
  ► "I have nothing to hide"
  ► "You have zero privacy anyway – get over it!" (Scott McNealy)
► Trade-off between interests of individuals and society
  ► Terrorism
► Who pays for security?


What to do?

► Technically
  ► Software and Systems Engineering
  ► Cryptography
  ► Physical at macro-level: access to buildings, secured areas (like computer centers), shielding against electromagnetic radiation, etc.
  ► Physical at micro-level: e.g. tamper-resistant devices, smart cards
  ► Biometric technology
  ► Processor technology
  ► Language security
  ► Operating system security
► Organizationally
  ► Security policies, classification of information, defining responsibilities, etc.
► People-related
  ► Selection, motivation, education, etc.
► Legally
  ► Liability regulations, insurances, etc.

Source: Ueli Maurer, Information Security


Humans in the loop

► Social Engineering
  ► Don't hack the system; "hack" people
  ► Impersonating IT staff
  ► Playing on users' sympathy
  ► Using intimidation tactics
  ► Shoulder surfing
► On a broad scale (internet banking data), and for single companies: spear phishing


… and system vulnerabilities

► Password Management Flaws
  ► Weak passwords
  ► Passwords easily accessible
  ► Heavy re-use of passwords
► Fundamental Operating System Design Flaws
  ► Default permit policies
  ► Race conditions
► Software Bugs
  ► Security holes as a consequence of flawed design or implementation
► Unchecked User Input
  ► Buffer overflow attacks
  ► SQL injections
► Badly set-up and managed IT infrastructures that combine the above


OWASP Top 10 vulnerabilities 2010

source: http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf


OWASP top 10 vulnerabilities (2)


Vulnerabilities over the years

http://www.cert.org/stats/


Vulnerabilities everywhere …

Top 20 security risks 2007, http://www.sans.org/top20/


Security Engineering

► Security Engineering = Software Engineering + Information Security

► Software Engineering is the application of systematic, quantifiable approaches to the development, operation, and maintenance of software; i.e., the application of engineering to software.

► Information Security focuses on methods and technologies to reduce risks to Information Assets.

► More refined (adopted from Anderson, Security Engineering)
  ► Security Engineering is about building systems that remain dependable in the face of malice, error, or mischance. As a discipline, it focuses on the tools, processes, and methods needed to design, implement, test, and evolve systems.

► Security Engineering is not a mature discipline yet!


Security Engineering and Complexity


[Chart: size of software systems in MOI, 0 to 60 MOI, plotted over 1960–2000. Data points: Mercury, Gemini, Lunar Mission Control, Apollo, Space Shuttle, EWSD-APS DBP-14, EWSD-APS WM4.2, EWSD for BB-ISDN. Annotation: 7% annual increase of productivity.]

MOI: millions of object-code instructions; EWSD: electronic dial system Digital

Source: http://www.informatik.hu-berlin.de/swt/intkoop/jcse/meetings/0409/Topic01.ppt


Security and safety?

► Safety considered in the realm of traditional software engineering

► Is there anything special about security?

► Safety: failures materialize as a consequence of „normal“ operations that are – potentially – stochastic processes

► Security: failures materialize as a consequence of a hacker whose main objective is to trigger the failure

► Is this a fundamental difference?


Safety and Security

► Many think so. I, personally, and like some others, am of a different opinion. My guess (to be proved or disproved) is that a community of hackers can be modeled as a stochastic process, too.
  ► That is, I also believe that there can be (and in fact, there are) insurances for computer security: insurances are based on probabilities and expected losses (see insurances for physical safes)
► See the plethora of incident lists that classify vulnerabilities and sometimes their occurrences (www.cert.org, www.osvdb.org, http://nvd.nist.gov)
  ► Want to learn about the detection of vulnerabilities (and countermeasures against respective threats)? Attend my class on Security Engineering


Safety and Security

► Yet, even if there might not be a fundamental difference, there is a lot of domain knowledge to be gained

► … writing code for a washing machine also is not fundamentally different from writing code for an autopilot or a tax report software or a spreadsheet
  ► But experience matters


Security Engineering

► Information Security Topics
  ► Cryptography and cryptographic protocols
  ► Applications: digital signatures, encrypted mail (PGP/S-MIME)
  ► Access and Usage Control
  ► Information Flow
► Software Engineering meets Security
  ► Security Requirements
  ► Design-level Security
  ► Implementation-level Security
  ► Security Testing
  ► Security Patterns for Software and Systems
► Risk and system analysis; risk assessment
  ► Risk analysis
  ► BSI baseline protection
► Evaluation Criteria: The Common Criteria


Overview

[Diagram of the lecture's structure; its boxes read:]
► Requirements Eng.
► Fundamentals of Information Security
► Risk Assessment and Management
► Evaluation Criteria
► Design
► Implementation
► V&V
► Op&Maintenance


Cryptography and Cryptographic Protocols

► Ipx dbo xf qspufdu ebub?

► Symmetric cryptography: AES, DES, Blowfish
  ► One shared key
► Asymmetric cryptography
  ► One private and one public key
► Cryptographic protocols: authentication, key establishment, …
  ► IPsec, Kerberos, TLS, …
► Digital signatures, secure mailing systems


Asymmetric Cryptography (metaphorically speaking)


Access and Usage Control

► Govern access to and usage of data

► Authentication, authorization, audit

► Discretionary access control, mandatory access control

► Conceptually and technically: models, architectures, hardware

► Multilevel security
  ► Bell–LaPadula: no read-up; no write-down (integrity and confidentiality)
  ► Biba (integrity only) – Windows Vista
► Multilateral security: Chinese Wall Policies
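Added example (not part of the lecture): the two multilevel models named above as access-decision functions over a label lattice of (level, categories). Level names and the sample labels are constructed for illustration.

```python
# Added example (not from the lecture): access decisions under the two
# multilevel models the slide names, Bell-LaPadula (confidentiality) and Biba
# (integrity). A label is (level, categories); "dominates" is the lattice
# order. Level names and the sample labels below are constructed.

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}

def dominates(a, b):
    """True if label a is at least as high as label b: higher-or-equal level
    and a superset of the categories (compartments)."""
    (level_a, cats_a), (level_b, cats_b) = a, b
    return LEVELS[level_a] >= LEVELS[level_b] and set(cats_a) >= set(cats_b)

def blp_allows(subject, obj, op):
    """Bell-LaPadula: no read-up (read needs subject >= object) and
    no write-down (write needs object >= subject)."""
    if op == "read":
        return dominates(subject, obj)
    if op == "write":
        return dominates(obj, subject)
    raise ValueError("unknown operation: " + op)

def biba_allows(subject, obj, op):
    """Biba strict integrity, the dual of BLP: no read-down (read needs
    object >= subject) and no write-up (write needs subject >= object)."""
    if op == "read":
        return dominates(obj, subject)
    if op == "write":
        return dominates(subject, obj)
    raise ValueError("unknown operation: " + op)

def decide(policy, requests):
    """Evaluate (subject, object, op) requests under a policy function."""
    return [policy(s, o, op) for s, o, op in requests]

# Constructed sample labels
ANALYST = ("secret", {"nuclear"})               # cleared secret, compartment nuclear
NUCLEAR_REPORT = ("confidential", {"nuclear"})
CRYPTO_PLAN = ("secret", {"crypto"})            # same level, other compartment
PUBLIC_NOTICE = ("unclassified", set())
```

Note that the same analyst may read the report under BLP but not under Biba, and may write it under Biba but not under BLP: the two models protect different properties.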


Information Flow

► A priest is new in town. His first confessor is … a murderer. At a party, the priest meets Bob and tells him that, what a city, his first confessor was a murderer. Bob later meets Charlie, and Charlie tells him that he really likes the priest, and that he was the first to confess with him.

► What is "information flow"?
  ► Explicit flow: data flow
  ► Implicit flow: branching over secrets
► Covert channels
  ► Heat, CPU cycles consumed, time, …
► Formalization and application of this notion: the models of Goguen-Meseguer and Rushby


A Teaser: Information Flow

► Assume there's sensitive (high) and non-sensitive (low) input
► No information flow takes place if output is identical for different high inputs
  ► For all runs
► Practically difficult: almost everything depends on everything, that is, everything has an impact on the output
  ► Label creep
  ► Quantitative information flow


Information Flow II: Explicit Flow


Implicit Information Flow

cond1 |→ isrich

cond1 |→ taxdisc

… monitor also untaken branch!
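Added example (not from the lecture) covering both the noninterference teaser and the implicit-flow slide: a toy label-tracking monitor for a constructed statement language, run on the isrich/taxdisc scenario. The statement encoding, the LOW/HIGH labels and the program below are assumptions made for this example.

```python
# Added example (not from the lecture): a toy monitor for explicit and implicit
# information flow over a constructed statement language, run on the slide's
# isrich/taxdisc scenario. Labels are LOW/HIGH; "pc" is the label of the
# condition under which the current statement executes.

LOW, HIGH = "low", "high"

def join(a, b):
    """Least upper bound of two labels: HIGH if either operand is HIGH."""
    return HIGH if HIGH in (a, b) else LOW

# Statement forms of the toy language:
#   ("assign", target, sources, fn)      -> target = fn(*values of sources)
#   ("if", cond, then_block, else_block) -> branch on the value of cond
def assigned_vars(block):
    """Variables that some path through `block` may assign."""
    out = set()
    for stmt in block:
        if stmt[0] == "assign":
            out.add(stmt[1])
        else:
            out |= assigned_vars(stmt[2]) | assigned_vars(stmt[3])
    return out

def run(block, values, labels, pc=LOW, monitor_untaken=True):
    """Execute `block`, propagating labels; monitor_untaken=False sees only executed code."""
    for stmt in block:
        if stmt[0] == "assign":
            _, target, sources, fn = stmt
            values[target] = fn(*(values[s] for s in sources))
            lbl = pc                        # implicit flow: the enclosing condition
            for s in sources:
                lbl = join(lbl, labels[s])  # explicit flow: the operands
            labels[target] = lbl
        else:
            _, cond, then_block, else_block = stmt
            new_pc = join(pc, labels[cond])
            taken, untaken = (then_block, else_block) if values[cond] else (else_block, then_block)
            if monitor_untaken:
                # "monitor also untaken branch": a variable that could have been
                # written under a secret condition reveals it even if unchanged.
                for v in assigned_vars(untaken):
                    labels[v] = join(labels.get(v, LOW), new_pc)
            run(taken, values, labels, new_pc, monitor_untaken)
    return values, labels

# The slide's scenario:  taxdisc = 0;  if isrich: taxdisc = 1
TAX_PROGRAM = [
    ("assign", "taxdisc", [], lambda: 0),
    ("if", "isrich", [("assign", "taxdisc", [], lambda: 1)], []),
]

def taxdisc_after(isrich, monitor_untaken=True):
    """(value, label) of the public variable taxdisc for a secret isrich input."""
    values, labels = run(TAX_PROGRAM, {"isrich": isrich}, {"isrich": HIGH},
                         LOW, monitor_untaken)
    return values["taxdisc"], labels["taxdisc"]

def interferes(program, high_var, high_inputs, low_out):
    """Teaser-slide noninterference test: does the low output vary with the high input?"""
    outs = {run(program, {high_var: h}, {high_var: HIGH})[0][low_out]
            for h in high_inputs}
    return len(outs) > 1
```

With isrich = False the taken-branch-only monitor leaves taxdisc labelled LOW although its value (0 rather than 1) reveals the secret; accounting for the untaken branch marks it HIGH.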


Security Requirements; Design

► Misuse cases and attack trees; comparison with classical analysis techniques from safety analysis
► A first grasp at risk analysis
► Software Design
  ► Model-Driven Security: model-driven software engineering for both functionality and access control
  ► Patterns such as Policy Enforcement Points/Policy Decision Points; Security Monitors
► Systems Design
  ► Patterns such as demilitarized zones; Security Monitors


Implementation-Level Security

► SQL injections
  ► SELECT fieldlist FROM table WHERE field = '$EMAIL';
  ► Set $EMAIL = anything' OR 'x'='x
  ► … which yields SELECT fieldlist FROM table WHERE field = 'anything' OR 'x'='x';
► Cross-site scripting
► Buffer-overflow attacks
  ► Overwrite return addresses
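Added example (not from the lecture): the injection string from the slide run against a constructed in-memory SQLite table, once with the query built by string concatenation as on the slide and once with a parameterized query. The table, its rows and the function names are assumptions of this example.

```python
# Added example (not from the lecture): the slide's injection string run against
# a constructed in-memory SQLite table, once through string concatenation (as on
# the slide) and once through a parameterized query. Table and rows are made up.
import sqlite3

INJECTION = "anything' OR 'x'='x"   # the $EMAIL value from the slide

def make_db():
    """Build the constructed sample table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (email TEXT, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice@example.org", "Alice"), ("bob@example.org", "Bob")])
    return con

def lookup_concat(con, email):
    """Vulnerable: the value is pasted into the SQL text, so quotes in it become SQL."""
    sql = "SELECT name FROM users WHERE email = '" + email + "' ORDER BY name"
    return [row[0] for row in con.execute(sql)]

def lookup_param(con, email):
    """Hardened: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT name FROM users WHERE email = ? ORDER BY name"
    return [row[0] for row in con.execute(sql, (email,))]

def compare(email):
    """Run both lookups on a fresh table; returns (concat_result, param_result)."""
    con = make_db()
    return lookup_concat(con, email), lookup_param(con, email)
```

For a genuine address both lookups return the same row; for the injection string the concatenated query returns every row while the parameterized query returns none, because the whole string is compared as a value.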


Buffer Overflow Attacks

Taken from P. Schaller, Tutorial: Buffer Overflows, 2005


A Teaser: Buffer Overflows


Buffer Overflows: Idea behind Exploit


Security Testing

► Vulnerability scanners

► Constructing test cases for web apps
  ► OWASP testing guide

► Security reviews for systems and code

► http://www.owasp.org/index.php/Category:OWASP_Project


Risk Analysis and Assessment

► 100% security is
  ► Unrealistic (nothing is 100% in life)
  ► Too expensive
  ► How safe is a (physical) safe?
► Risk: probability of incident * expected loss + cost of countermeasure
  ► Different forms of loss: money, IP, reputation
► How can we prioritize security goals and countermeasures so that we get "just right security"?
  ► And does this really make sense?
► Can we re-use knowledge on prior system analyses to analyze our own system?
  ► Vulnerability catalogs
  ► BSI baseline protection


Common Criteria

► Is there a standard way to assess the „security“ of a product or a subsystem?

► Can I use this to convince customers and possibly juries?


What I think you have to learn

► Get the fundamental concepts of information security

► Know about the fundamental security problems at different levels

► Know about the most common tools, catalogs, information resources

► Be able to protect your programs/systems against a limited class of attacks
  ► Understand there's more than
    1: code
    2: improve and fix
    3: goto 1
► Get aware of data protection issues!


Conclusions

► Security is about protecting C-I-A (and NR)
  ► Sometimes nasty, but an indispensable enabler and driver
► Software Engineering is about building, maintaining, and managing huge software systems
► Security Engineering combines both
► You need to understand both
  ► Fundamentals of information security
  ► Security flaws and countermeasures during different activities of the software development process

► Attend my class on security engineering


Literature

► Ross Anderson, Security Engineering, 2nd ed. Wiley, 2008