Grundlagen des Software Engineering: Security Engineering
Alexander Pretschner, 20/01/2012, Karlsruher Institut für Technologie, Zertifizierbare Vertrauenswürdige Informatiksysteme
GSE - Security Engineering, 20/01/2012, Alexander Pretschner, Karlsruher Institut für Technologie 2
Overview
► What is security?
► What is security engineering?
Goal of this lecture
► Get some understanding of what security engineering is all about
► Understand what makes it so difficult
► See how security relates to other SW engineering activities
Security Properties: CIA
► Confidentiality
  ► Can non-authorized parties see data?
► Integrity
  ► Has data been altered (and I should know this)?
► Availability
  ► Is data always accessible?
► … of data, and then of the systems that process data (including humans)
More Security Properties
► Non-repudiation
  ► Impossibility to inappropriately deny a transaction or having sent a message
► Auditability
  ► Ability to reconstruct (certain aspects of) earlier states of a system
► Accountability
  ► Ability to hold an entity accountable for its actions. This is related to non-repudiation and auditability
► Privacy
  ► No clear definition. Refers to security of personal information. Privacy means that a person has appropriate control over which information on him or her is generated, stored, processed, and deleted, and by whom.
► Anonymity
  ► The identity of an entity is hidden; an aspect of privacy
Source: Ueli Maurer, Information Security
Does it Matter?
► Private data
  ► Medical records
  ► Loyalty cards
  ► Mobile telephone data including location
► Commercial data
  ► DRM
  ► IP in distributed business processes
► Government data
  ► Military data
  ► Intelligence
Relevance and Challenges
► New security-sensitive applications
  ► eVoting, car2car communication, internet banking and payment, DRM, …
► Security technologies are enablers and drivers
► Fight against
  ► Vulnerabilities, vulnerabilities, vulnerabilities, …
  ► Increasing threats and potential damages
  ► Potential cyber crime, hooliganism, terrorism
► National interests and secret services
► Privacy issues
► Lack of standards; lack of products/solutions
► Lack of understanding
Some Stories with criminal background
► Express Scripts, one of the largest medical data management companies, blackmailed with the threat of exposing millions of patient records (November 2008)
  http://phx.corporate-ir.net/phoenix.zhtml?c=69641&p=irol-newsArticle&ID=1223389&highlight=
► US DoD computers under attack by the agent.btz worm, which copies itself to flash drives (November 2008)
  http://archives.chicagotribune.com/2008/nov/30/nation/chi-cyberattack_bdnov30
► Several governmental computers, including some of NATO and those of the Dalai Lama, infiltrated with malware that not only phishes but can also switch on camera/audio devices and transmit data (March 2009)
  http://www.nytimes.com/2009/03/29/technology/29spy.html?_r=1&hp
Relevance: Political Fallout
► James Nicholson, US Dept. of Veterans Affairs: asked to resign in May 2006 after the loss of 26.5 M veterans' records
► Patricia Hewitt, UK Department of Health: asked to resign in May 2007 after unencrypted doctors' records became publicly available
► Paul Gray, former Head of HM Revenue and Customs: resigned in November 2007 after the loss of 25 M child benefit records
► Klaus Zumwinkel, former CEO of Deutsche Post: resigned in February 2008 after Liechtenstein bank data became available
► Philipp Humm, former CEO of T-Mobile Germany: resigned in November 2008 (as CEO) after the loss of 17 M customer records
► Never-ending story
  ► University of Göttingen lost 20000 student names (Oct 2008)
  ► …
One Top-Ten List: Data Records Accessed
http://www.databreaches.net/?p=2862
Yet …
► Do we really want security?
  ► Trade-off with functionality
  ► Trade-off with users' liberties
  ► Waive privacy for a cheeseburger?
  ► Do you use facebook or studiVZ?
  ► „I have nothing to hide“
  ► „You have zero privacy anyway – get over it!“ (Scott McNealy)
► Trade-off between interests of individuals and society
  ► Terrorism
► Who pays for security?
What to do?
► Technically
  ► Software and Systems Engineering
  ► Cryptography
  ► Physical at macro-level: access to buildings, secured areas (like computer centers), shielding against electromagnetic radiation, etc.
  ► Physical at micro-level: e.g. tamper-resistant devices, smart cards
  ► Biometric technology
  ► Processor technology
  ► Language security
  ► Operating system security
► Organizationally
  ► Security policies, classification of information, defining responsibilities, etc.
► People-related
  ► Selection, motivation, education, etc.
► Legally
  ► Liability regulations, insurances, etc.
Source: Ueli Maurer, Information Security
Humans in the loop
► Social Engineering
  ► Don't hack the system; „hack“ people
► Impersonating IT staff
► Playing on users' sympathy
► Using intimidation tactics
► Shoulder surfing
► On a broad scale (internet banking data), and for single companies: spear phishing
… and system vulnerabilities
► Password Management Flaws
  ► Weak passwords
  ► Passwords easily accessible
  ► Heavy re-use of passwords
► Fundamental Operating System Design Flaws
  ► Default permit policies
  ► Race conditions
► Software Bugs
  ► Security holes as a consequence of flawed design or implementation
► Unchecked User Input
  ► Buffer overflow attacks
  ► SQL injections
► Badly set-up and managed IT infrastructures that combine the above
OWASP Top 10 vulnerabilities 2010
source: http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf
OWASP top 10 vulnerabilities (2)
Vulnerabilities over the years
http://www.cert.org/stats/
Vulnerabilities everywhere …
Top 20 security risks 2007, http://www.sans.org/top20/
Security Engineering
► Security Engineering = Software Engineering + Information Security
► Software Engineering is the application of systematic, quantifiable approaches to the development, operation, and maintenance of software; i.e., the application of engineering to software.
► Information Security focuses on methods and technologies to reduce risks to information assets.
► More refined (adopted from Anderson, Security Engineering)
  ► Security Engineering is about building systems that remain dependable in the face of malice, error, or mischance. As a discipline, it focuses on the tools, processes, and methods needed to design, implement, test, and evolve systems.
► Security Engineering is not a mature discipline yet!
Security Engineering and Complexity
[Figure: growth of software size in MOI (millions of object-code instructions), 1960 to 2000; y-axis from 10 MOI to 60 MOI. Labelled data points: MERCURY, GEMINI, APOLLO, LUNAR MISSION CONTROL, SPACE SHUTTLE, EWSD-APS DBP-14, EWSD-APS WM4.2, EWSD for BB-ISDN. Annotation: 7% annual increase of productivity.]
MOI: millions of object-code instructions; EWSD: electronic dial system Digital
Source: http://www.informatik.hu-berlin.de/swt/intkoop/jcse/meetings/0409/Topic01.ppt
Security and safety?
► Safety is considered in the realm of traditional software engineering
► Is there anything special about security?
► Safety: failures materialize as a consequence of „normal“ operations that are – potentially – stochastic processes
► Security: failures materialize as a consequence of a hacker whose main objective is to trigger the failure
► Is this a fundamental difference?
Safety and Security
► Many think so. I, personally, like some others, am of a different opinion. My guess (to be proved or disproved) is that a community of hackers can be modeled as a stochastic process, too.
  ► That is, I also believe that there can be (and in fact, there are) insurances for computer security: insurances are based on probabilities and expected losses (see insurances for physical safes)
► See the plethora of incident lists that classify vulnerabilities and sometimes their occurrences (www.cert.org, www.osvdb.org, http://nvd.nist.gov)
  ► Want to learn about the detection of vulnerabilities (and countermeasures against respective threats)? Attend my class on Security Engineering
Safety and Security
► Yet, even if there might not be a fundamental difference, there is a lot of domain knowledge to be gained
► … writing code for a washing machine is also not fundamentally different from writing code for an autopilot, tax report software, or a spreadsheet
  ► But experience matters
Security Engineering
► Information Security Topics
  ► Cryptography and cryptographic protocols
  ► Applications: digital signatures, encrypted mail (PGP/S-MIME)
  ► Access and Usage Control
  ► Information Flow
► Software Engineering meets Security
  ► Security Requirements
  ► Design-level Security
  ► Implementation-level Security
  ► Security Testing
  ► Security Patterns for Software and Systems
► Risk and system analysis; risk assessment
  ► Risk analysis
  ► BSI baseline protection
► Evaluation Criteria: The Common Criteria
Overview
Requirements Eng.
Fundamentals of Information Security
Risk Assessment and Management
Evaluation Criteria
Design
Implementation
V&V
Op&Maintenance
Cryptography and Cryptographic Protocols
► Ipx dbo xf qspufdu ebub?
► Symmetric cryptography: AES, DES, Blowfish
  ► One shared key
► Asymmetric cryptography
  ► One private and one public key
► Cryptographic protocols: authentication, key establishment, …
  ► IPsec, Kerberos, TLS, …
► Digital signatures, secure mailing systems
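The first bullet of this slide is itself a tiny symmetric cipher: a shift cipher with one shared key, the shift amount. The following Python is an added example, not code from the lecture, showing why key size matters for a shared-key scheme: with only 25 possible keys an attacker does not need the key at all, an exhaustive search over all shifts recovers the plaintext. The ciphertext is the one on the slide; the small word list used for scoring candidate plaintexts is constructed for this example.

```python
# Added example (not from the lecture slides): a shift cipher as the
# smallest possible "one shared key" scheme, and exhaustive key search
# over its 25-element key space.
import string

ALPHABET = string.ascii_lowercase
CIPHERTEXT = "Ipx dbo xf qspufdu ebub?"          # taken from the slide
# constructed word list used only to score candidate plaintexts
COMMON_WORDS = {"how", "can", "we", "protect", "data", "the", "and"}


def shift_char(c, k):
    """Shift one letter by k positions; case and non-letters are preserved."""
    if c.islower():
        return ALPHABET[(ALPHABET.index(c) + k) % 26]
    if c.isupper():
        return ALPHABET[(ALPHABET.index(c.lower()) + k) % 26].upper()
    return c


def encrypt(plaintext, key):
    """Symmetric encryption: the same key is needed to decrypt."""
    return "".join(shift_char(c, key) for c in plaintext)


def decrypt(ciphertext, key):
    return encrypt(ciphertext, -key)


def score(text):
    """Number of candidate words that look like English (higher is better)."""
    words = [w.strip("?.,!").lower() for w in text.split()]
    return sum(1 for w in words if w in COMMON_WORDS)


def brute_force(ciphertext):
    """Try every non-trivial key and return (key, plaintext) for the best score.
    25 trials is the entire attack: this is what a tiny key space costs."""
    best = max(range(1, 26), key=lambda k: score(decrypt(ciphertext, k)))
    return best, decrypt(ciphertext, best)


if __name__ == "__main__":
    key, plaintext = brute_force(CIPHERTEXT)
    print("key =", key, "plaintext =", plaintext)
```

AES, DES and Blowfish differ from this toy in key space (2^128, 2^56, up to 2^448 keys) and in the absence of a usable structure, so that exhaustive search is the best known attack and is infeasible for modern key sizes; DES's 56-bit key space is exactly what made it obsolete.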
Asymmetric Cryptography (metaphorically speaking)
Access and Usage Control
► Govern access to and usage of data
► Authentication, authorization, audit
► Discretionary access control, mandatory access control
► Conceptually and technically: models, architectures, hardware
► Multilevel security
  ► Bell-LaPadula: no read-up; no write-down (integrity and confidentiality)
  ► Biba (integrity only) – Windows Vista
► Multilateral security: Chinese Wall policies
Information Flow
► A priest is new in town. His first confessor is … a murderer. At a party, the priest meets Bob and tells him that, what a city, his first confessor was a murderer. Bob later meets Charlie, and Charlie tells him that he really likes the priest, and that he was the first to confess to him.
► What is „information flow“?
  ► Explicit flow: data flow
  ► Implicit flow: branching over secrets
► Covert channels
  ► Heat, CPU cycles consumed, time, …
► Formalization and application of this notion: the models of Goguen-Meseguer and Rushby
A Teaser: Information Flow
► Assume there's sensitive (high) and non-sensitive (low) input
► No information flow takes place if the output is identical for different high inputs
  ► For all runs
► Practically difficult: almost everything depends on everything, that is, everything has an impact on the output
  ► Label creep
  ► Quantitative information flow
Information Flow II: Explicit Flow
Implicit Information Flow
cond1 |→ isrich
cond1 |→ taxdisc
… monitor also the untaken branch!
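The teaser's definition (output identical for all high inputs, for all runs) can be checked mechanically on small programs. The following Python is an added example, not code from the lecture, covering both the teaser slide and the implicit-flow fragment above: three toy programs take a secret `isrich` flag and a public income, and a brute-force checker looks for two runs that agree on the low input but differ in output. The explicit version assigns the secret directly, the implicit version only branches on it (the slide's `cond1 |→ isrich`, `cond1 |→ taxdisc`), and both are caught, which is why a runtime monitor must also account for the branch that was not taken. Program names and input domains are constructed for the example.

```python
# Added example (not from the lecture slides): noninterference by
# enumeration. A program is a function of (high, low) inputs returning the
# low-observable output; it is noninterfering if, for every low input, the
# output does not change when only the high input changes.
HIGH_INPUTS = [False, True]      # isrich: secret
LOW_INPUTS = [0, 1000, 50000]    # declared income: public (constructed)


def explicit_flow(isrich, income):
    # explicit flow: the secret is assigned to a low variable
    taxdisc = 1 if isrich else 0
    return taxdisc


def implicit_flow(isrich, income):
    # implicit flow: no assignment of the secret, only a branch over it;
    # the observer still learns isrich from the value of taxdisc
    taxdisc = 0
    if isrich:          # cond1 |-> isrich
        taxdisc = 1     # cond1 |-> taxdisc, assigned in the secret-dependent branch
    return taxdisc


def no_flow(isrich, income):
    # output depends only on the public input
    return 1 if income > 10000 else 0


def interferes(program, high_inputs=HIGH_INPUTS, low_inputs=LOW_INPUTS):
    """Return a witness (low, high_1, high_2) of two runs with the same low
    input but different outputs, or None if none exists."""
    for low in low_inputs:
        outputs = {}
        for high in high_inputs:
            out = program(high, low)
            for other_high, other_out in outputs.items():
                if out != other_out:
                    return (low, other_high, high)
            outputs[high] = out
    return None


def is_noninterfering(program):
    return interferes(program) is None


if __name__ == "__main__":
    for prog in (explicit_flow, implicit_flow, no_flow):
        print(prog.__name__, "witness:", interferes(prog))
```

Enumeration only works for finite, tiny input domains; for real programs the same property is approximated by static type systems or dynamic monitors that propagate labels, and the implicit case is exactly where a naive dynamic monitor fails, since on the run with `isrich == False` the labelled assignment is never executed.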
Security Requirements; Design
► Misuse cases and attack trees; comparison with classical analysis techniques from safety analysis
► A first grasp at risk analysis
► Software Design
  ► Model-Driven Security: model-driven software engineering for both functionality and access control
  ► Patterns such as Policy Enforcement Points/Policy Decision Points; Security Monitors
► Systems Design
  ► Patterns such as demilitarized zones; Security Monitors
Implementation-Level Security
► SQL injections
  ► SELECT fieldlist FROM table WHERE field = '$EMAIL';
  ► Set $EMAIL = anything' OR 'x'='x
  ► … which yields
    SELECT fieldlist FROM table WHERE field = 'anything' OR 'x'='x';
► Cross-site scripting
► Buffer-overflow attacks
  ► Overwrite return addresses
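The SQL injection on the slide, run against a real database engine, together with the fix: the following Python is an added example (not from the lecture) that builds the slide's query by string concatenation and then the same lookup with a parameterised query, so the difference can be observed directly. The in-memory SQLite table, its two rows and the column names are constructed for the example; the crafted input is the one quoted on the slide.

```python
# Added example (not from the lecture slides): the slide's injection against
# SQLite, next to the parameterised query that is immune to it.
import sqlite3


def setup():
    """Constructed table with two users, kept in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice@example.org", "Alice"), ("bob@example.org", "Bob")])
    return conn


def lookup_vulnerable(conn, email):
    # the WHERE clause is assembled from untrusted input, as on the slide:
    # SELECT ... WHERE email = '$EMAIL'
    query = "SELECT name FROM users WHERE email = '" + email + "'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_parameterised(conn, email):
    # the value travels separately from the statement; the driver never
    # interprets it as SQL, so quotes in the input are just characters
    query = "SELECT name FROM users WHERE email = ?"
    return sorted(row[0] for row in conn.execute(query, (email,)))


CRAFTED = "anything' OR 'x'='x"   # the input from the slide

if __name__ == "__main__":
    conn = setup()
    print("vulnerable:    ", lookup_vulnerable(conn, CRAFTED))      # every row
    print("parameterised: ", lookup_parameterised(conn, CRAFTED))   # no row
```

With the crafted input the concatenated query becomes `... WHERE email = 'anything' OR 'x'='x'`, whose condition is true for every row, so the "lookup" returns the whole table; the parameterised form compares the column against the literal string `anything' OR 'x'='x` and matches nothing.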
Buffer Overflow Attacks
Taken from P. Schaller, Tutorial: Buffer Overflows, 2005
A Teaser: Buffer Overflows
Buffer Overflows: Idea behind Exploit
Security Testing
► Vulnerability scanners
► Constructing test cases for web apps
  ► OWASP testing guide
► Security reviews for systems and code
► http://www.owasp.org/index.php/Category:OWASP_Project
Risk Analysis and Assessment
► 100% security is
  ► Unrealistic (nothing is 100% in life)
  ► Too expensive
  ► How safe is a (physical) safe?
► Risk: probability of incident * expected loss + cost of countermeasure
  ► Different forms of loss: money, IP, reputation
► How can we prioritize security goals and countermeasures so that we get „just right security“?
  ► And does this really make sense?
► Can we re-use knowledge on prior system analyses to analyze our own system?
  ► Vulnerability catalogs
  ► BSI baseline protection
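The slide's formula answers its own prioritisation question once it is applied to each candidate countermeasure and to the option of doing nothing. The following Python is an added example, not from the lecture: it ranks countermeasures by the slide's expression (probability of incident * expected loss + cost of countermeasure), where each measure lowers the probability to a residual value at some annual cost. All probabilities, losses, costs and measure names are constructed for the example and refer to one year.

```python
# Added example (not from the lecture slides): ranking countermeasures with
# risk = probability of incident * expected loss + cost of countermeasure.

def expected_total_cost(p_incident, loss, countermeasure_cost=0.0):
    """The slide's formula for one option over one year."""
    return p_incident * loss + countermeasure_cost


def rank_countermeasures(p_baseline, loss, options):
    """options: list of (name, residual probability, annual cost).
    Returns (name, expected total cost) pairs, cheapest first, with the
    'do nothing' baseline included so that a measure that costs more than
    the risk it removes is visibly worse than doing nothing."""
    scored = [("do nothing", expected_total_cost(p_baseline, loss))]
    for name, p_residual, cost in options:
        scored.append((name, expected_total_cost(p_residual, loss, cost)))
    return sorted(scored, key=lambda entry: entry[1])


# constructed scenario: loss of a laptop with customer data
P_BASELINE = 0.2          # probability of an incident per year without measures
LOSS = 500000.0           # expected loss per incident (money, fines, reputation)
OPTIONS = [
    ("encrypt laptops", 0.02, 20000.0),        # residual probability, annual cost
    ("guard at every desk", 0.005, 300000.0),
    ("awareness training", 0.10, 5000.0),
]

if __name__ == "__main__":
    for name, cost in rank_countermeasures(P_BASELINE, LOSS, OPTIONS):
        print(f"{name:22s} {cost:10.0f}")
```

Two things the numbers show: the measure that reduces the probability the most is not the one to pick when its cost exceeds the expected loss it avoids ("guard at every desk" ranks below doing nothing), and the ranking is only as good as the probability estimates, which is where the slide's question "does this really make sense?" and the use of catalogs such as BSI baseline protection come in.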
Common Criteria
► Is there a standard way to assess the „security“ of a product or a subsystem?
► Can I use this to convince customers and possibly juries?
What I think you have to learn
► Get the fundamental concepts of information security
► Know about the fundamental security problems at different levels
► Know about the most common tools, catalogs, information resources
► Be able to protect your programs/systems against a limited class of attacks
  ► Understand there's more than
    1: code
    2: improve and fix
    3: goto 1
► Get aware of data protection issues!
Conclusions
► Security is about protecting C-I-A (and NR)
  ► Sometimes nasty, but an indispensable enabler and driver
► Software Engineering is about building, maintaining, and managing huge software systems
► Security Engineering combines both
► You need to understand both
  ► Fundamentals of information security
  ► Security flaws and countermeasures during different activities of the software development process
► Attend my class on security engineering