Defensive Programming
Dawn Song, dawnsong@cs.berkeley.edu

Review
Attackers will exploit any and all flaws: buffer overruns, format string usage errors, implicit casting, TOCTTOU.
Trusted Computing Base (TCB): the system portion(s) that must operate correctly for the system's security goals to be assured.

Goals for Today
Three principles in crypto design: Conservative Design, Kerckhoffs's Principle, Proactively Study Attacks.
Principles for building secure systems: 13 other principles.
Principles are neither necessary nor sufficient to ensure a secure system design, but they are often very helpful.
The goal is to explore what you can do at design time to improve security.

Three Principles in Crypto Design
Three principles widely accepted in the crypto community that seem useful in computer security: Conservative Design, Kerckhoffs's Principle, Proactively Study Attacks.

1. Conservative Design
Systems should be evaluated according to the worst plausible security failure, under assumptions favorable to the attacker.
If you find such a circumstance, where the system can be rendered insecure, then you should seek a more secure system.

2. Kerckhoffs's Principle
Cryptosystems should remain secure even when the attacker knows all internal details of the system.
The key should be the only thing that must be kept secret.
If your secrets are leaked, it is a lot easier to change the key than to change the algorithm.

3. Proactively Study Attacks
We must devote considerable effort to trying to break our own systems. This is how we can gain confidence in their security.
Other reasons: in the security game, the attacker gets the last move. It is very costly if a security hole is discovered after wide system deployment. It pays to try to identify attacks before the bad guys find them; this gives us lead time to close security holes before they are exploited in the wild.

Principles for Secure Systems
General principles for secure system design. Many are drawn from a classic 1970s paper by Saltzer and Schroeder.

1. Security is Economics
No system is 100% secure against all attacks; it only needs to resist a certain level of attack.
There is no point buying a $10K firewall to protect $1K worth of trade secrets.
It is often helpful to quantify the level of effort an attacker would expend to break the system.
Adi Shamir once wrote: "There are no secure systems, only degrees of insecurity." A lot of the science of computer security comes in measuring the degree of insecurity.

Economics Analogy
Safes come with a security level rating.
Consumer-grade safe: rated to resist attack for up to 5 minutes by anyone without tools.
A high-end safe might be rated TL-30: secure against a burglar with safecracking tools and less than 30 minutes of access. We can then hire security guards with a less-than-30-minute response time to any intrusion.

Corollary of This Principle
Focus your energy on securing the weakest links. Security is like a chain: it is only as secure as the weakest link.
Attackers follow the path of least resistance and will attack the system at its weakest point.
There is no point in putting an expensive high-end deadbolt on a screen door; the attacker isn't going to bother trying to pick the lock when he can just rip out the screen and step through.

2. Least Privilege
Minimize how much privilege you give each program and system component. Only give a program the minimum access privileges it legitimately needs to do its job.
Least privilege is a powerful approach. It doesn't reduce the failure probability, but it can reduce the expected cost of failures: the less privilege a program has, the less harm it can do if it goes awry or runs amok.
It is the computer-age version of the shipbuilder's notion of watertight compartments: even if one compartment is breached, we minimize damage to the rest of the system's integrity.

Principle of Least Privilege: Examples
Least privilege can help reduce the damage caused by buffer overruns or other program vulnerabilities. An intruder gains all the program's privileges, so the fewer privileges a program has, the less harm is done if it is compromised.
How is Unix in terms of least privilege? Answer: pretty lousy. A program gets all privileges of the invoking user. If I edit a file, the editor receives all my user account's privileges (read, modify, delete). Strictly speaking, the editor only needs access to the file being edited to get the job done.

Principle of Least Privilege: Examples
How is Windows in terms of least privilege? Answer: just as lousy. Arguably worse, as many users run as Administrator and many Windows programs require Administrator access to run, so every program receives total power over the whole computer.
Microsoft's security team recognizes this risk. Advice: use a limited-privilege account and "Run As".

3. Use Fail-Safe Defaults
Use default-deny policies: start by denying all access, then allow only that which has been explicitly permitted.
This ensures that if security mechanisms fail or crash, the default will be secure behavior.
Example: a packet filter is a router. Failure means no packets will be routed: fail-safe behavior. Fail-open behavior is much more dangerous: the attacker just waits for the packet filter to crash (or induces a crash), and then the fort is wide open.

Non-Fail-Safe Defaults: Examples
SunOS machines used to ship with "+" in the /etc/hosts.equiv file. This allowed anyone with root access on any machine on the Internet to log into your machine as root.
Irix machines used to ship with "xhost +" in their X Windows configuration files. This allowed anyone to connect to the X server.

4. Separation of Responsibility
Split up privilege so that no one person or program has complete power. Require more than one party to approve before access is granted.
Two-party rule examples:
Movie theater: you pay the teller and get a ticket stub, then a separate employee tears the ticket in half, collects one half of it and puts it in a lockbox. This helps prevent insider fraud (under- or over-charging).
Most companies: purchases over a certain amount must be approved by both the requesting employee and a purchasing officer. This helps prevent insider fraud in vendor choice.

Nuclear Two-Party Rule
Minuteman nuclear missile launch control center: underground control of ten nuclear missiles. Two launch officers must agree to launch the missiles. There are five control centers for a squadron of 50 missiles.
A decommissioned center is preserved at Whiteman AFB, Missouri.

5. Defense in Depth
A closely related principle. You can recognize a security guru because they're wearing both a belt and a set of suspenders.
The principle is that with multiple redundant protections, all of them have to be breached to endanger system security.

6. Psychological Acceptability
It is important that users buy into the security model.
Examples: the company firewall admin capriciously blocks apps that engineers need to get their jobs done. They view the FW as
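The fail-safe-defaults principle from the packet-filter slide above, as an added example that is not part of the lecture: a minimal first-match rule filter in which anything not explicitly allowed, and anything the filter cannot evaluate, is dropped, beside the fail-open variant the slide warns against. The Rule/Packet types, the rule table and the packets are constructed for illustration.

```python
# Added example (not from the slides): default-deny packet filtering versus
# a fail-open filter.  Rule format, sample rules and packets are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR, e.g. "10.0.0.0/8"
    dst_port: Optional[int]  # None matches any destination port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    # ipaddress raises ValueError on a malformed address or prefix; the
    # two policies below differ in what they do when that happens.
    in_net = ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.src)
    return in_net and (rule.dst_port is None or rule.dst_port == pkt.dst_port)


def decide_default_deny(rules: List[Rule], pkt: Packet) -> bool:
    """Fail-safe: first matching rule wins, everything else is dropped.
    A rule that cannot be evaluated also drops the packet (fail closed),
    and an unknown action string is treated as deny."""
    try:
        for rule in rules:
            if matches(rule, pkt):
                return rule.action == "allow"
    except ValueError:
        return False          # filter "crashed": fail closed
    return False              # no explicit permission: deny


def decide_default_allow(rules: List[Rule], pkt: Packet) -> bool:
    """The non-fail-safe counterpart: traffic no rule covers, or that the
    filter cannot evaluate, gets through.  Shown only for contrast."""
    try:
        for rule in rules:
            if matches(rule, pkt):
                return rule.action == "allow"
    except ValueError:
        return True           # filter "crashed": the fort is wide open
    return True


# Constructed policy: SSH only from the internal network, HTTPS from anywhere.
RULES = [Rule("allow", "10.0.0.0/8", 22), Rule("allow", "0.0.0.0/0", 443)]
```

Telnet from the internal network is not covered by any rule, so the default-deny filter drops it while the default-allow filter passes it; a malformed rule placed first makes the two diverge in the same way.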