USC CSCI 599 - Week10_c

This preview shows page 1-2-3-4 out of 13 pages.


Software Engineering for Security: a Roadmap
By:
Premkumar T. Devanbu (UC Davis)
Stuart Stubblebine (CertCo)

Overview
• Paper tries to highlight interactions between SE and Security.
• Structured like the waterfall approach
• Main points of focus include:
  – Security Policy & Requirements
  – Re-engineering for security and related challenges
  – Software Piracy & Protection issues
  – Trusting Software Components
  – Verification of Systems
  – Secure Software Deployment

Requirements and Policies
• Security, like beauty, is in the eye of the beholder.
• Policy = Requirements?
• Security Models and Policies
  – Mandatory Access Control (MAC)
  – Discretionary Access Control (DAC), e.g. Capabilities in Amoeba
  – Multilevel Security model
• Challenges:
  – Unifying Security with Systems Engineering
  – Unifying Security and System Models
    • Unified system and security policy design
    • Modularity, compactness and reuse in policy representation
    • Leverage of existing standards-based tools

Re-engineering for security
• Security is an afterthought
• Challenges:
  – Legacy Security Mismatches
    • E.g. UNIX and CORBA?
    • Wrappers and sandboxes
  – Separating the Security “Aspect”
    • AOP / Crosscutting concerns / Aspect Weavers
    • Component/Connectors

Software Piracy and Protection
• Adversary Economics

$$n \cdot C_b \gg C_h + n \cdot C_c + P_{11}(n) \cdot C_{11}(n)$$

  – $C_b$: Cost of one item
  – $C_h$: Cost of first hack of the copy protection
  – $C_c$: Cost of each item after hacked
  – $P_{11}$: Risk of getting caught (prosecution probability)
  – $C_{11}$: Possibly subjective cost of each item (fine)

Good things in life are for free. For the rest, you pay a license fee!

Piracy: Approaches to Protection (Contd.)
• Hardware and Software Tokens
  – Dongle/Dynamic tokens (raise $C_h$)
  – Problems: Code Patching
• Dynamic Decryption of Code
  – Problems: Memory monitoring / nobody uses it
• Watermarking – Stealth and Resilience
  – Static and Dynamic approaches
  – More successful in digital image and sound
• Code Partitioning
  – ROM (address Instruction map)
  – Secure Server (Performance and Privacy)
  – Smart Cards (Space/Processor)
• Challenge: Attacker Cost Model

Trusting Software Components
• Related to increasing use of COTS
• Black Box Approaches
• Grey Box Approaches
  – Cryptographic Coverage Verification
    • Unbiased Coin Flip
  – Tamper Resistant Hardware
    • Proof Checker on a smart card
• Challenge: More Grey Box approaches

Verification of Systems
• Important due to increase in use of COTS
• Formal methods:
  – Significant human labour, expensive
  – Based on specs rather than implementation
  – Hence, “confidence subjected to fidelity and completeness of specs and their relation to final implementation”
  – Don’t guarantee complete elimination of defects
• Challenge: Implementation-based verification methods

Secure Software Deployment
• Post Deployment Configuration Management (PDCM)
• Challenges:
  – Controlled Delegation
    • Multiple sites with varying levels of trust
    • User may rely upon PDCM admin to identify trusted sources
  – Privacy Protection

Secure Computation
• Test Oracle required - Proof of Correctness of test results
• Proof Checkers
• Quorums for distributing trust – Performance Issues
• Secure Data Structures
• Proof carrying answers – either prove correct or prove violation

Strengths/Weaknesses
• Strengths
  – Merges the two fields of SE and Security well by pointing out various common grounds and challenges
  – Brings into focus the important issue of security being an afterthought
• Weaknesses
  – Inconsistent at times (Formal proofs and verification)
  – Some approaches suggested not practical (Smart cards)
  – All sections not very clear (Secure Computing)

Relevance to Embedded Systems
• Security always a general concern.
• Afterthought may not be possible in Embedded systems
• Talks of Smart Cards / Tamper-resistant hardware as solution to many problems
• Formal Verification methods are important for safety-critical embedded software

Thank You

