Introduction to Assurance

Similar documents
L17: Assurance. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Amplifying. Only stack module can alter, read x So process doesn t get capability, but needs it when x is referenced a problem!

Amplifying. Examples

Application Layer. Presentation Layer. Session Layer. Transport Layer. Network Layer. Data Link Layer. Physical Layer

Chapter 13: Design Principles

Principles of Designing Secure Systems

Introduction to Software Engineering

Principles of Designing Secure Systems

BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology

Steps for project success. git status. Milestones. Deliverables. Homework 1 submitted Homework 2 will be posted October 26.

Security as a Architectural Concern, Chrome Arch, and NFP Measurement Reid Holmes

Trusted OS Design CS461/ECE422

CAS 703 Software Design

Waterfall Life Cycle Model

T Salausjärjestelmät (Cryptosystems) Introduction to the second part of the course. Outline. What we'll cover. Requirements and design issues

CS 520 Theory and Practice of Software Engineering Fall 2018

A Data Modeling Process. Determining System Requirements. Planning the Project. Specifying Relationships. Specifying Entities

CS SOFTWARE ENGINEERING QUESTION BANK SIXTEEN MARKS

Software Engineering

Cloud Under Control. HyTrust Two-Man Rule Solution Brief

CMSC 435: Software Engineering Section 0201

CS6501: Great Works in Computer Science

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

CIS 700/002 : Special Topics : Protection Mechanisms & Secure Design Principles

OBJECT ORIENTED SYSTEM DEVELOPMENT Software Development Dynamic System Development Information system solution Steps in System Development Analysis

Design. Secure Application Development Modules 12, 13 Konstantin Beznosov. Copyright Konstantin Beznosov

Secure Design Principles. CSC 482/582: Computer Security Slide #1

EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT. An Insight Cyber White Paper. Copyright Insight Cyber All rights reserved.

Blanket Encryption. 385 Moffett Park Dr. Sunnyvale, CA Technical Report

Specifying and Prototyping

Regression testing. Whenever you find a bug. Why is this a good idea?

Oracle API Platform Cloud Service

Systems Analysis & Design

Chapter 9. Software Testing

A VO-friendly, Community-based Authorization Framework

The requirements engineering process

Introduction to Computer Security

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Building Secure Systems: Problems and Principles. Dennis Kafura

Testing is a very big and important topic when it comes to software development. Testing has a number of aspects that need to be considered.

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

How to Deliver Privilege Access Management

Operating systems and security - Overview

Operating systems and security - Overview

Computer Security. Access control. 5 October 2017

Fundamentals to Creating Architectures using ISO/IEC/IEEE Standards

JUST WHAT THE DOCTOR ORDERED: A SOLUTION FOR SMARTER THERAPEUTIC DEVICES PLACEHOLDER IMAGE INNOVATORS START HERE.

T Salausjärjestelmät (Cryptosystems) Security testing. Security testing. Outline. Testing Final stages of life cycle

5 Mistakes Auditing Virtual Environments (You don t Want to Make)

Human Error Taxonomy

CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:

System Development Life Cycle Methods/Approaches/Models

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Develop Unified SNMP, XML, CLI, and Web-based Management for Embedded Real-Time Systems with MIBGuide

ISO/IEC Common Criteria. Threat Categories

Introduction and Statement of the Problem

RED HAT ENTERPRISE LINUX. STANDARDIZE & SAVE.

Shareware Redistribution of FOSS Software

19.1. Security must consider external environment of the system, and protect it from:

Condor Local File System Sandbox Requirements Document

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

Up and Running Software The Development Process

University of Pittsburgh Security Assessment Questionnaire (v1.7)

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

Lecture 15 Software Testing

The Design Patterns Matrix From Analysis to Implementation

RiskSense Attack Surface Validation for IoT Systems

Carbon Black PCI Compliance Mapping Checklist

Topic 01. Software Engineering, Web Engineering, agile methodologies.

Part 5. Verification and Validation

Incremental development A.Y. 2018/2019

Analyzing Systems. Steven M. Bellovin November 26,

Rich Powell Director, CIP Compliance JEA

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

May 1: Integrity Models

10 Steps to Building an Architecture for Space Surveillance Projects. Eric A. Barnhart, M.S.

Software Development Methodologies

Cursul Aprilie

...high-performance imaging data and video over Ethernet

Chapter 18: Evaluating Systems

CSC Advanced Object Oriented Programming, Spring Overview

Software Processes. Ian Sommerville 2006 Software Engineering, 8th edition. Chapter 4 Slide 1

Secure Development Lifecycle

Overview. State-of-the-Art. Relative cost of error correction. CS 619 Introduction to OO Design and Development. Testing.

Copyright ECSC Group plc 2017 ECSC - UNRESTRICTED

GP Power Tools. What are the benefits. (AKA: How it solves your pain points) Last Updated: 24-Apr-18

Certification Report

Securing Content in the Department of Defense s Global Information Grid

Feature: Online App Builder Studio

Basic Definitions: Testing

6.001 Notes: Section 8.1

Module 10A Lecture - 20 What is a function? Why use functions Example: power (base, n)

ANATOMY OF AN ATTACK!

Making the Impossible Possible

e-pg Pathshala Subject : Computer Science Paper: Embedded System Module: Embedded System Design Process Module No: CS/ES/33 Quadrant 1 e-text

*ANSWERS * **********************************

Second. Incremental development model

Architecture and Design Evolution

Information Security Controls Policy

Transcription:

Introduction to Assurance Overview Why assurance? Trust and assurance Life cycle and assurance April 1, 2015 Slide #1

Overview Trust Problems from lack of assurance Types of assurance Life cycle and assurance Waterfall life cycle model Other life cycle models April 1, 2015 Slide #2

Building an Email Server Examine assurance in the context of building something Goal: design and build an email server that scans email for bad things (computer viruses, proprietary data, etc.) Gathers statistics on what is found, sends to vendor for distribution Alerts other email servers about what it finds April 1, 2015 Slide #3

What Do We Need? Need to trust email server to correctly analyze, locate things to block Need to trust email server to forward mail to correct destination (except as above) Implies it will also accept email for delivery Need to trust email server not to change email contents Note it blocks, not strips out, bad things April 1, 2015 Slide #4

Questions What exactly is trust? How do we tell if something is trustworthy? What exactly does trustworthy mean? How do we measure it? April 1, 2015 Slide #5

Trust Trustworthy entity has sufficient credible evidence leading one to believe that the system will meet a set of requirements Trust is a measure of trustworthiness relying on the evidence Assurance is confidence that an entity meets its security requirements based on evidence provided by applying assurance techniques April 1, 2015 Slide #6

What Are the Rules? What are policies controlling movement of email? What email does it accept? What email does it block? What email does it forward? How do we implement these policies? How do we know this works? How do we know the policies are the right ones? How do we know the implementation correctly enforces the policy? April 1, 2015 Slide #7

Relationships Policy Statement of requirements that explicitly defines the security expectations of the mechanism(s) Provides justification that the mechanism meets policy Assurance through assurance evidence and approvals based on evidence Mechanisms Executable entities that are designed and implemented to meet the requirements of the policy April 1, 2015 Slide #8

Where Might Problems Arise? Let s look at general places, then focus on our email server April 1, 2015 Slide #9

Problem Sources 1. Requirements definitions, omissions, and mistakes 2. System design flaws 3. Hardware implementation flaws, such as wiring and chip flaws 4. Software implementation errors, program bugs, and compiler bugs 5. System use and operation errors and inadvertent mistakes 6. Willful system misuse 7. Hardware, communication, or other equipment malfunction 8. Environmental problems, natural causes, and acts of God 9. Evolution, maintenance, faulty upgrades, and decommissions April 1, 2015 Slide #10

Some Real Examples Challenger explosion Sensors removed from booster rockets to meet accelerated launch schedule Deaths from faulty radiation therapy system Hardware safety interlock removed Flaws in software design Bell V22 Osprey crashes Failure to correct for malfunctioning components; two faulty ones could outvote a third Intel 486 chip Bug in trigonometric functions April 1, 2015 Slide #11

First Step Say precisely what the email server must do Don t worry about how it will do these things yet Just figure out what the customer will want (and what you will want, too) Let s make this a bit more precise April 1, 2015 Slide #12

Role of Requirements Requirements are statements of goals that must be met Vary from high-level, generic issues to lowlevel, concrete issues Security objectives are high-level security issues Security requirements are specific, concrete issues April 1, 2015 Slide #13

Measuring Conformance We want the server to meet its requirements Especially its security requirements How do we measure this and what is this? Policy? Design? Implementation? Operation? April 1, 2015 Slide #14

Types of Assurance Policy assurance is evidence establishing security requirements in policy is complete, consistent, technically sound Design assurance is evidence establishing design sufficient to meet requirements of security policy Implementation assurance is evidence establishing implementation consistent with security requirements of security policy April 1, 2015 Slide #15

Types of Assurance Operational assurance is evidence establishing system sustains the security policy requirements during installation, configuration, and day-to-day operation Also called administrative assurance April 1, 2015 Slide #16

Where Do We Worry About This? Look at the software life cycle Where in that life cycle? Beginning? End? Throughout? April 1, 2015 Slide #17

Security: Built In or Add On? Think of security as you do performance You don t build a system, then add in performance later Can tweak system to improve performance a little Much more effective to change fundamental algorithms, design You need to design it in Otherwise, system lacks fundamental and structural concepts for assurance Version 19G-1 Computer Security: Art and Science Slide #18

Life Cycle Security requirements 1 Design and implementation refinement 2 Design 3 Assurance justification 4 Implementation April 1, 2015 Slide #19

Building the Server Look at development and deployment Why is this server worth building? Who will we sell it to? How will we distribute it? How will we maintain it? Not the traditional life cycle model We will discuss software engineering models in a bit April 1, 2015 Slide #20

Steps Conception Manufacture Deployment Fielded Product Life April 1, 2015 Slide #21

Conception Why is the server worth doing? Because existing servers do not communicate what they block among themselves to alert one another to potential threats Also, they don t aggregate statistics across servers Will it sell? People becoming more security conscious Uses information gathered from many sources April 1, 2015 Slide #22

Conception Idea Decisions to pursue it Proof of concept See if idea has merit High-level requirements analysis What does secure mean for this concept? Is it possible for this concept to meet this meaning of security? Is the organization willing to support the additional resources required to make this concept meet this meaning of security? April 1, 2015 Slide #23

Who Makes It? System folks To assemble the components for the system To configure the system Software folks To write the email server programs Analysts To develop the rules for blocking and the statistics to be gathered April 1, 2015 Slide #24

Manufacture Develop detailed plans for each group involved May depend on use; internal product requires no sales Implement the plans to create entity Includes decisions whether to proceed, for example due to market needs April 1, 2015 Slide #25

Distribution Once built, we need to get it to customers Need to distribute finished version (not intermediate one!) Track masters of software carefully Also need to create manuals and training material Especially relating to security April 1, 2015 Slide #26

Deployment Delivery Assure that correct masters are delivered to production and protected Distribute to customers, sales organizations Installation and configuration Ensure product works appropriately for specific environment into which it is installed Service people know security procedures April 1, 2015 Slide #27

What Can Go Wrong? Problems in deployed systems Customer service to answer questions Help with customer misconfigurations Distribute updates, patches Provide assistance when customer needs to transition to another system Preferably one of our new ones J Even if not, this builds good will Encourage customers to form user groups April 1, 2015 Slide #28

Fielded Product Life Routine maintenance, patching Responsibility of engineering in small organizations Responsibility may be in different group than one that manufactures product Customer service, support organizations Retirement or decommission of product April 1, 2015 Slide #29

Development Models Which model of software engineering should we use? Let s examine them, with security in mind April 1, 2015 Slide #30

Waterfall Life Cycle Model Requirements definition and analysis Functional and non-functional General (for customer), specifications System and software design Implementation and unit testing Integration and system testing Operation and maintenance April 1, 2015 Slide #31

Relationship of Stages Requirements definition and analysis System and software design Implementation and unit testing Integration and system testing Operation and maintenance April 1, 2015 Slide #32

Models Exploratory programming Develop working system quickly Used when detailed requirements specification cannot be formulated in advance, and adequacy is goal No requirements or design specification, so low assurance Prototyping Objective is to establish system requirements Future iterations (after first) allow assurance techniques April 1, 2015 Slide #33

Models Formal transformation Create formal specification Translate it into program using correctness-preserving transformations Very conducive to assurance methods System assembly from reusable components Depends on whether components are trusted Must assure connections, composition as well Very complex, difficult to assure April 1, 2015 Slide #34

Models Agile (extreme) programming Rapid prototyping and best practices Project driven by business decisions Requirements open until project complete Programmers work in teams Components tested, integrated several times a day Objective is to get system into production as quickly as possible, then enhance it Evidence adduced after development needed for assurance April 1, 2015 Slide #35

Which One? Security will be our key selling point Waterfall model, as it allows us to design security in, and feed back problems to earlier layers, where we can tune them April 1, 2015 Slide #36

Key Points Assurance critical for determining trustworthiness of systems Different levels of assurance, from informal evidence to rigorous mathematical evidence Assurance needed at all stages of system life cycle April 1, 2015 Slide #37

Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least Common Mechanism Least Astonishment April 1, 2015 Slide #38

Overview Simplicity Less to go wrong Fewer possible inconsistencies Easy to understand Restriction Minimize access Inhibit communication April 1, 2015 Slide #39

Least Privilege A subject should be given only those privileges necessary to complete its task Function, not identity, controls Rights added as needed, discarded after use Minimal protection domain April 1, 2015 Slide #40

Related: Least Authority Principle of Least Authority (POLA) Often considered the same as Principle of Least Privilege Some make distinction: Permissions control what subject can do to an object directly Authority controls what influence a subject has over an object (directly or indirectly, through other subjects) April 1, 2015 Slide #41

Fail-Safe Defaults Default action is to deny access If action fails, system as secure as when action began April 1, 2015 Slide #42

Economy of Mechanism Keep it as simple as possible KISS Principle Simpler means less can go wrong And when errors occur, they are easier to understand and fix Interfaces and interactions April 1, 2015 Slide #43

Complete Mediation Check every access Usually done once, on first action UNIX: access checked on open, not checked thereafter If permissions change after, may get unauthorized access April 1, 2015 Slide #44

Open Design Security should not depend on secrecy of design or implementation Popularly misunderstood to mean that source code should be public Security through obscurity Does not apply to information such as passwords or cryptographic keys April 1, 2015 Slide #45

Separation of Privilege Require multiple conditions to grant privilege Separation of duty Defense in depth April 1, 2015 Slide #46

Least Common Mechanism Mechanisms should not be shared Information can flow along shared channels Covert channels Isolation Virtual machines Sandboxes April 1, 2015 Slide #47

Least Astonishment Security mechanisms should be designed so users understand why the mechanism works the way it does, and using mechanism is simple Hide complexity introduced by security mechanisms Ease of installation, configuration, use Human factors critical here April 1, 2015 Slide #48

Related: Psychological Acceptability Security mechanisms should not add to difficulty of accessing resource Idealistic, as most mechanisms add some difficulty Even if only remembering a password Principle of Least Astonishment accepts this Asks whether the difficulty is unexpected or too much for relevant population of users April 1, 2015 Slide #49

Key Points Principles of secure design underlie all security-related mechanisms Require: Good understanding of goal of mechanism and environment in which it is to be used Careful analysis and design Careful implementation April 1, 2015 Slide #50

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback