Transcript Building Secure Software

Building Secure Software
Chapter 3
Selecting Technologies
Choosing a Language
• Most important technology choice is which programming
•
•
•
•
•
language to use.
For efficiency-some choose C or C++
For representational power- some choose LISP,ML, or
Scheme
Don’t choose a language based largely on familiarity and
comfort
Don’t choose a language without consideration of
software security
Note that software reliability can have a significant
impact on security when it comes to denial-of-service
attacks.
Choosing a Language (con’t)
• The FUZZ program is one of the best to test reliability of C
•
•
•
•
•
programs-few programs allow arbitrarily long inputs
In languages like JAVA programmers usually fail to catch every
possible exceptional condition
The more error checking a language can do, the more reliable the
programs in that in that language- thus, JAVA better than C and
C++
Another security concern is buffer overflows and input checking
mistakes
Security features of a JAVA program are managed by the Security
Manager-enforce a security policy by moderating access to
resources (sandboxing)
Perl is another language with a significant security featuredynamically monitors variables to see if untrusted user input leads
to security violation
Choosing a Language (con’t)
• Most object-oriented languages offer “information
•
•
•
hiding” mechanisms to control access to data members
Running Java applets enforces protection since they are
checked at runtime.
Some high-level languages do not protect against
moving sensitive data out of memory. Need to prevent
swapping of data such as using mlock() in C.
Many high-level data structures are immutable, i.e.
programmers cannot explicitly copy over the memory
Choosing a Distributed Object
Platform
• Client/server applications use software based
•
•
•
upon distributed objects like COBRA (common
object request broker architecture) and RMI
(Java remote method invocation)
Provide more easily for remote availability of
resource, redundancy, and parallelism
COBRA is better than RMI in that it can easily
integrate disparate code written in multiple
programming languages
RMI is better due to relatively simple technology
Choosing a Distributed Object
Platform (con’t)
• COBRA-uses security service based on specs of the Object
•
•
•
•
•
•
Management Group’s (OMG) standards
These standards define 2 levels of service-Level 1 for apps that
need to be secure but not the code itself. All security handled by
object request broker (ORB).
Level 2 supports advanced security features and the application
knows this
COBRA security features use network protocol: Internet Inter-Orb
Protocol (IIOP)
IIOP allows for secure communications using cryptography.
Encryption algorithms can be used by graphic user interface (GUI)
or a configuration file
COBRA provides authentication services and restrictions to access a
particular operation-keeps arbitrary users from accessing an admin
interface to a COBRA server
COBRA offers wide array of options for choosing how to manage
privileges in a distributed system .
Choosing a Distributed Object
Platform (con’t)
• Assume object A calls B, then B calls object C.
•
•
•
Object A has the following choices:
(1) Object A can choose not to extend its
credentials to object B at all.
(2) Object A may pass its credentials to object B,
and allow object B to do anything with them,
including passing them to object C
(3) Object A can force composite delegation,
where if object B wants to use object A’s
credentials, it must also pass its own.
Choosing a Distributed Object
Platform (con’t)
• (4) Object A can force combined delegation,
•
where if object B wants to use objects A’s
credentials, it must create a new credential that
combines its own with objects A’s.
(5) Object A can force traced delegation, in
which all clients are required to pass all
credentials to anyone they call. Then when a
decision is to be made, the entire set of
credentials is examined.
Choosing a Distributed Object
Platform (con’t)
• DCOM is Microsoft’s Distributed Component Object Model
•
•
•
•
technology- competes with COBRA (Unix based)
In DCOM authentication, data integrity, and secrecy exist in single
property called the authentication level
DCOM has 7 levels of authentication: None, on connection, by
default, by every method call in an object, packet-level, packet
integrity-level, and packet privacy-level (encryption)
Higher levels can inherit weaknesses of lower levels-level 7 not
much better than level 2 as LAN Manager-based authentication is
poor and level 7 does not much better.
In DCOM server objects may not act on behalf of the client
(impersonation). Levels of impersonation are identity level (remote
machine gets identity info but can not be client), anonymous level
(server can not get authentication info about client), and delegate
level (server gives 3rd parties authority to act for client).
Choosing a Distributed Object
Platform (con’t)
• EJB (enterprise java beans) is Java’s distributed object
•
•
•
platform. It uses Java’s RMI (remote method invocation)
implementations for communication
Goals of EJB access control system are to move access
control decisions to the (security) person assembling the
application
EJB implementations are on top of RMI which has poor
reputation for security
Don’t use EJB for high-security systems unless dynamic
downloading of all stub classes is turned off
Choosing an Operating System
• OS are divided into system kernel and user-level code (user space)
• Kernel has security model that manages access to devices, files,
•
•
•
•
processes, and objects
Programs in user space have process space protection: no access to
memory allocated to another process or memory designated as inuse by OS
Standard user-level protections state that processes can’t directly
access devices attached to the computer without special permission.
Device driver software in kernel protect devices.
Early systems were not concerned with security as they rarely are
connected to a network. Some basic security functionality has been
added but this is more a reliability mechanism than security
mechanism.
Kernels tend not to protect against themselves. Not done since it is
difficult and has a large impact on performance
Authentication Technology
• Authentication problems are the most pervasive class of security problems if
•
•
•
•
•
•
software bugs are ignored.
Authenticate network connections using Internet Protocol (IP) address
attached to the connection or Domain Name Service (DNS) names
Some authentication techniques use the Medium Access Control (MAC)
address of remote host network card or any sort of unique ID for machine
Host-based authentication is quick and dirty way to raise the bar: It is
useless as relying on MAC addresses, processor IDs, or cookies are based
upon self-reported untrusted clients
IP spoofing occurs when an attacker forges the IP address in packets going
out from the attacking box so packets appear to come from a valid address
IP spoofing requires that (1) fake packets are routed to target, (2) if
packets get to target, responses are routed to forged IP address, (3)
difficult to execute (4) attacker break into local network
DNS (domain name service) authentication can be defeated with IP
spoofing. DNS can be attacked by cache poisoning attack where malicious
hacker relies on flaws to hijack domain names
Authentication Technologies (con’t)
• Authentication using physical tokens such as a key, a credit card, or
•
•
•
•
a smart card
Problems with physical tokens: (1) need input device for every
client, (2) can be lost or stolen, (3) can duplicate without stealing
token, and (4) using only ATM is not safe
Biometric authentication is measuring physical or behavioral
characteristics of a human: fingerprints, features of the eye, and
facial features
Behavioral biometrics include handwritten signatures and voice
prints: convenient technology, not likely to forget information, need
physical input device to authenticate
Behavioral biometrics require security of the input device, can be
fickle, identifiers are unique but not secret, and can not be changed
Authentication Technologies (con’t)
• Cryptographic authentication uses mathematics and a digital secret
•
•
•
•
to authenticate users: digital analog to having a physical token
The only viable strategy for authenticating users is to apply the
defense-in-depth principle mixing a number of authentication
techniques
Defense-in depth can be used to protect cryptographic
authentication information (key)
Using cryptographic keys in a server environment (host-to-host not
user-to host authentication) requires using keys in automated
fashion without user intervention
Consider no encryption of key, save password elsewhere if key is
encrypted, manual intervention at program startup storing
decrypted key in memory