lec1-security-f04.ppt


Software Security II
Karl Lieberherr
What is Security
• Enforcing a policy that describes rules for
accessing resources.
• Policy may be explicit or implicit. Better to
use explicit policy.
Security Goals
• Authentication
– Who is it that is trying to do something to what
we want to protect?
– URL authentication: is yourFriendlyBank.com
really a friendly bank?
Security Criteria
• SALTZER, J. H., AND SCHROEDER, M. D.
The protection of information in computer
systems.
Proceedings of the IEEE 63, 9 (Sept. 1975),
1278-1308.
Security Criteria derived from
Saltzer/Schroeder
• Economy of mechanism
Designs which are smaller and simpler are easier to
inspect and trust.
• Fail-safe defaults
By default, access should be denied unless it is
explicitly granted.
• Complete mediation
Every access to every object should be checked.
• Least privilege
Every program should operate with the minimum set
of privileges necessary to do its job. This prevents
accidental mistakes becoming security problems.
Security Criteria derived from
Saltzer/Schroeder
• Least common mechanism
Anything which is shared among different programs
can be a path for communication and a potential
security hole, so as little data as possible should be
shared. (LoD)
• Accountability
The system should be able to accurately record "who"
is responsible for using a particular privilege.
• Psychological acceptability
The system should not place an undue burden on its
users.
Security criteria
• Performance
– We must consider how our designs constrain system
performance. Security checks which must be performed
at run-time will have performance costs.
• Compatibility
– We must consider the number and depth of changes
necessary to integrate the security system with the
existing Java virtual machine and standard libraries.
Some changes may be impractical.
• Remote calls
– If the security system can be extended cleanly to remote
method invocation, that would be a benefit for building
secure, distributed systems.
Extra slides
Java Security at IBM Research
(Larry Koved: manager)
• Automating Security Analysis of Java
Components and Programs
– Invocation graphs
LoD and Security
• Can execute software only if secret is
known.
• Secret consists of set of keys, one per class.
• What is the security policy? Each object only
gets the keys of its authenticated friends (who
share the same concerns???).
• What are the benefits of such a security
policy? Compartmentalize?
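As an added example (not from the slides), the per-class key policy sketched above, expressed as a small reference monitor that also shows the Saltzer/Schroeder criteria from the earlier slides: fail-safe default (deny unless the key matches), complete mediation (every cross-object call goes through the monitor), least privilege (a caller holds only the keys of its friends) and accountability (an audit log). The KeyMonitor, Account, Teller and Stranger names are hypothetical, and the code assumes that deciding which classes are "authenticated friends" happens outside it.

```python
import secrets

class AccessDenied(PermissionError):
    """Raised when a caller lacks the key of the class it tries to call."""

class KeyMonitor:
    """Reference monitor for the slide's policy: one secret key per class, and a
    caller may invoke a method on an object only if it holds that class's key."""
    def __init__(self):
        self.class_keys = {}   # class name -> key; together these form the "secret"
        self.audit_log = []    # accountability: (caller, target, method, allowed)

    def register(self, cls):
        """Issue a fresh random key for cls (hypothetical registration step)."""
        self.class_keys[cls.__name__] = secrets.token_hex(16)
        return cls

    def invoke(self, caller, target, method, *args):
        """Complete mediation: every cross-object call passes through here.
        Fail-safe default: denied unless the caller proves it holds the key."""
        target_cls = type(target).__name__
        needed = self.class_keys.get(target_cls)
        held = getattr(caller, "friend_keys", {}).get(target_cls)
        allowed = (needed is not None and held is not None
                   and secrets.compare_digest(held, needed))
        self.audit_log.append((type(caller).__name__, target_cls, method, allowed))
        if not allowed:
            raise AccessDenied(f"{type(caller).__name__} may not call {target_cls}.{method}")
        return getattr(target, method)(*args)

monitor = KeyMonitor()

@monitor.register
class Account:
    def __init__(self, balance):
        self.balance = balance
    def withdraw(self, amount):
        self.balance -= amount
        return self.balance

@monitor.register
class Teller:
    """Least privilege: a friend of Account, handed only that one key."""
    def __init__(self):
        self.friend_keys = {"Account": monitor.class_keys["Account"]}

@monitor.register
class Stranger:
    friend_keys = {}   # not a friend of Account, so it holds no keys at all
```

A Teller can call `monitor.invoke(Teller(), acct, "withdraw", 30)`; the same call from a Stranger raises AccessDenied, and both decisions are recorded in `monitor.audit_log`.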
LoD and security