Uploaded 18-Jan-2018 by charla-butler
2011 SANS Top 25 Most Dangerous Software Errors
Category 1: Insecure Interaction Between Components
These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.

Category 2: Risky Resource Management
The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.

Category 3: Porous Defenses
The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.
See http://www.sans.org/top25-software-errors/
ACM Review

ACM (before):

           /u/Mallory  /u/Bob  /u/Carlos  /
Mallory    rwx         -       -          -
Bob        -           rwx     -          -
Carlos     rwx         rwx     rwx        rwx

Mallory exploits a bug … & gains ‘w’ on /u/Bob!

ACM’ (after):

           /u/Mallory  /u/Bob  /u/Carlos  /
Mallory    rwx         w       -          -
Bob        -           rwx     -          -
Carlos     rwx         rwx     rwx        rwx
Security via Information Confinement
Information may only flow to those with the appropriate clearance and need-to-know.
ClearanceLevels = { “Unclassified”, “Confidential”, “Secret”, “Top Secret” }

Ordered from lowest to highest: Unclassified < Confidential < Secret < Top Secret

Information Flow based on: ClearanceLevel c1 <= c2
(information at level c1 may flow to level c2 only if c1 <= c2; it never flows down)
Compartments & Sensitivity Levels

Sensitivity levels (highest to lowest): Top Secret, Secret, Confidential, Unclassified
Compartments (need-to-know categories): Compartment 1, Compartment 2, Compartment 3
A label combines one sensitivity level with a set of compartments.

Adapted from Pfleeger & Pfleeger, Security in Computing, 4th ed.
Information Flow based on: Need-to-Know d1 subsetOf d2
(d1 and d2 are compartment sets; information may flow only to a subject or object whose compartment set contains every compartment of the source)

Information Flow based on both:
  ClearanceLevel c1 <= c2
  Need-to-Know   d1 subsetOf d2
Bell-LaPadula Model for Confidentiality
• Simple Security Property (no-read-up rule): a subject can’t read data from an object “above” it.
• *-Property (no-write-down rule): a subject that can read data in one class can’t write data to a lower class.
• Discretionary Security Property: S can access O only if that access is allowed by the S-O entry of the current ACM.
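The following is an added example, not code from the slides: a small reference monitor that puts the ACM Review slide, the clearance/need-to-know lattice (c1 <= c2 and d1 subsetOf d2), and the three Bell-LaPadula properties together. The ACM and ACM’ are copied from the slide; the subject and object labels, and the compartment names, are assumptions chosen so that Mallory’s gained ‘w’ on /u/Bob is a write-down.

```python
# Added example (not from the slides): ACM + label lattice + Bell-LaPadula checks.
# The labels below are constructed for illustration; only the ACM and the level
# names come from the slides.
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Total order on clearance levels (slide: ClearanceLevel c1 <= c2).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: (clearance level, set of need-to-know compartments)."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Information may flow from `other` to `self` only if
        # level(other) <= level(self) AND compartments(other) subsetOf compartments(self).
        return (LEVELS[other.level] <= LEVELS[self.level]
                and other.compartments <= self.compartments)


def flow_allowed(src: Label, dst: Label) -> bool:
    """Combined rule from the slides: c1 <= c2 and d1 subsetOf d2."""
    return dst.dominates(src)


# The access control matrix from the ACM Review slide (rows: subjects, columns: objects).
ACM: Dict[str, Dict[str, str]] = {
    "Mallory": {"/u/Mallory": "rwx"},
    "Bob":     {"/u/Bob": "rwx"},
    "Carlos":  {"/u/Mallory": "rwx", "/u/Bob": "rwx", "/u/Carlos": "rwx", "/": "rwx"},
}

# ACM' after Mallory's bug: she has gained 'w' on /u/Bob (the bug itself is not modelled).
ACM_PRIME = {s: dict(o) for s, o in ACM.items()}
ACM_PRIME["Mallory"]["/u/Bob"] = "w"

# Constructed labels (assumption): Mallory is cleared higher than Bob's home directory,
# so her new 'w' on /u/Bob would be a write-down.
SUBJECT_LABELS = {
    "Mallory": Label("Secret", frozenset({"Compartment 1"})),
    "Bob":     Label("Confidential", frozenset({"Compartment 1"})),
    "Carlos":  Label("Top Secret", frozenset({"Compartment 1", "Compartment 2", "Compartment 3"})),
}
OBJECT_LABELS = {
    "/u/Mallory": Label("Secret", frozenset({"Compartment 1"})),
    "/u/Bob":     Label("Confidential", frozenset({"Compartment 1"})),
    "/u/Carlos":  Label("Top Secret", frozenset({"Compartment 1", "Compartment 2", "Compartment 3"})),
    "/":          Label("Unclassified"),
}


def discretionary_allows(acm, subject: str, obj: str, right: str) -> bool:
    """Discretionary Security Property: the S-O entry of the current ACM must grant the right."""
    return right in acm.get(subject, {}).get(obj, "")


def blp_allows(acm, subject: str, obj: str, right: str) -> bool:
    """Grant `right` ('r', 'w' or 'x') only if all applicable BLP properties hold."""
    if not discretionary_allows(acm, subject, obj, right):
        return False
    s, o = SUBJECT_LABELS[subject], OBJECT_LABELS[obj]
    if right == "r":
        return s.dominates(o)      # simple security property: no read up
    if right == "w":
        return o.dominates(s)      # *-property: no write down
    return True                    # 'x' is not treated as an information flow here


if __name__ == "__main__":
    for acm_name, acm in (("ACM", ACM), ("ACM'", ACM_PRIME)):
        print(acm_name, "Mallory w /u/Bob ->", blp_allows(acm, "Mallory", "/u/Bob", "w"))
    print("Carlos w / ->", blp_allows(ACM, "Carlos", "/", "w"))
```

Under ACM’ the discretionary check now passes for Mallory’s write to /u/Bob, but the *-property still refuses it because /u/Bob’s label does not dominate Mallory’s; likewise Carlos, who holds rwx on / in the ACM, may read / but not write to it. That is the point of the mandatory layer: a bug in the discretionary matrix does not by itself open a downward flow.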
Bell-LaPadula *-Property (diagram)
Biba Model for Integrity
• Simple integrity axiom: a subject at one level of integrity may not read an object at a lower integrity level (no read down).
• *-integrity axiom: a subject at one level of integrity may not write to an object at a higher integrity level (no write up).
Problems with Biba
• How do you assign integrity levels?
• What do integrity categories mean?
• A high-integrity program is not allowed to read and validate lower-integrity data … but then isn’t that just what those programs should be capable of doing?
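The following is an added example, not code from the slides: the two Biba axioms as checks over integer integrity levels, then the validation problem from the slide run under strict Biba and under Biba’s subject low-water-mark variant (which the slide does not mention; it is included here to show that relaxing the read rule only moves the problem). The integrity scale, the validator and the file names are assumptions.

```python
# Added example (not from the slides): strict Biba checks and the
# "validate lower-integrity input" problem. The integrity scale, subject and
# object names, and the low-water-mark variant are assumptions for illustration.
from dataclasses import dataclass

# Constructed scale: higher number = higher integrity.
INTEGRITY = {"untrusted": 0, "user": 1, "system": 2}


@dataclass
class Subject:
    name: str
    integrity: int          # mutable: the low-water-mark policy lowers it


@dataclass(frozen=True)
class Obj:
    name: str
    integrity: int
    content: str = ""


def biba_read(s: Subject, o: Obj) -> bool:
    """Simple integrity axiom (no read down): s may read o only if i(o) >= i(s)."""
    return o.integrity >= s.integrity


def biba_write(s: Subject, o: Obj) -> bool:
    """*-integrity axiom (no write up): s may write o only if i(o) <= i(s)."""
    return o.integrity <= s.integrity


def low_water_mark_read(s: Subject, o: Obj) -> bool:
    """Biba's subject low-water-mark policy (assumption: not on the slide): the read
    is always permitted, but the subject's integrity sinks to min(i(s), i(o))."""
    s.integrity = min(s.integrity, o.integrity)
    return True


def run_validator(policy: str) -> dict:
    """A system-integrity program that wants to read untrusted input, validate it,
    and then update a system-integrity config file. Returns what the policy let it do."""
    validator = Subject("config-validator", INTEGRITY["system"])
    user_input = Obj("/tmp/upload.txt", INTEGRITY["untrusted"], content="4242")  # constructed input
    config = Obj("/etc/app.conf", INTEGRITY["system"])
    result = {"read": False, "valid": None, "write": False, "final_integrity": validator.integrity}

    if policy == "strict":
        result["read"] = biba_read(validator, user_input)          # denied: no read down
    elif policy == "low-water-mark":
        result["read"] = low_water_mark_read(validator, user_input)  # allowed, but demotes the validator
    else:
        raise ValueError(f"unknown policy: {policy}")

    if result["read"]:
        result["valid"] = user_input.content.isdigit()   # the check the program exists to do
        result["write"] = biba_write(validator, config)  # now a write up: denied
    result["final_integrity"] = validator.integrity
    return result


if __name__ == "__main__":
    for policy in ("strict", "low-water-mark"):
        print(policy, run_validator(policy))
```

Under strict Biba the validator never gets to read the input, so it cannot do its job. Under the low-water-mark variant it reads and validates the input, but the read drags its own integrity down to the input’s level, so the subsequent write to the system-integrity config is refused as a write-up. Neither policy has any way to express “this program is trusted to sanitize what it reads”, which is the objection the slide raises.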
Bye-Bye Biba
• Java and ActiveX models of digitally signed code resemble the Biba model … however
  – They still have no basis for assigning integrity level
  – Just because company X wrote and signed some code doesn’t mean it’s secure or trustworthy.
• Pure Biba not used for much in the last 20 years.