memory safe) ➡ Pure Lisp, pure Java, ADA, ML … Some languages isolate potentially unsafe code ➡ Modula-3, Java with native methods, C# … Some languages are hopeless ➡ Assembly languages, C …
other programming languages are “memory safe”, why are we not using them instead? ➡ Because C and assembly code are used when a program requires high performances (audio, vide, calculus …) or when dealing with hardware directly (OS, drivers ….)
Programming Approach 1. Adopting good programming practices 2. Being security aware programmer Proactive Approach 3. Using security libraries 4. Performing penetration testing Formal Approach 5. Using formal methods to verify a program 6. Using formal methods to generate a program
for separate functionalities ✓ Easier to find security flaws when components are independent Encapsulation ➡ Limit the interaction between the components ✓ Avoid wrong usage of the components Information hiding ➡ Hide the implementation ๏ Black box model does not improve security
between components that belongs to the same application (mutual suspicion) ✓ Be “fault tolerant” by having a consistent policy to handle failure (managing exceptions) ✓ Reuse known and widely used code by using design patterns and existing libraries
the stack has not been altered when a function returns ➡ If it has been altered, the program exits with a segmentation fault ✓ Verification embedded into the program by the compiler
test, Integration test, Performance test and so on … Testing the security ✓ Penetration tests ➡ Try to make the software fail by pushing the limits of a “normal” usage i.e test what the program is not supposed to do
- analyzing the code to detect security flaws • Control flow - analyzing the sequence of instructions • Data flow - analyzing how the date are accessed • Data structure - analyzing how data are organized ➡ Abstract interpretation [Cousot] ✓ Verification of critical embedded software in Airbus aircrafts
(VHDL, Verilog) ✓ Used by semi-conductor companies such as Intel Critical embedded software (B/Z, Lustre/Esterel) ✓ Urban Transportation (METEOR Metro Line 14 in Paris by Alstom) ✓ Rail transportation (Eurostar) ✓ Aeronautic (Airbus, Eurocopter, Dassault) ✓ Nuclear plants (Schneider Electric)
than a mathematical proof ➡ A code “proven safe” is safe ๏ Development is time and effort (and so money) consuming ➡ Should be motivated by the risk analysis ๏ Do not prevent from specification bugs ➡ Example of network protocols
same address space • They should not access memory addresses that has not been allocated to them • When a program tries to access to an authorized memory address, an exception is raised ➡ The well known “segmentation fault”
into pieces (segments) that can be located dynamically wherever in the memory (useful for caching) ✓ A program can access a segment only if it appears in the segment table ๏ But Shellcode are located in the same segment table
during execution ✓ Data in a buffer cannot be turned into a instructions like in buffer overflow attacks • Processors implementing this technique Intel XD (EDB) or AMD64 NX (EVP) • Operating Systems using it OpenBSD and OSX
on the stack dynamically ✓ Attacker cannot guess the return address as it expires rapidly • Operating Systems using this technique • OpenBSD • Linux (since 2.6.12) • Windows (since Vista) • Mac OSX (fully supported since 10.7 Lion) • iOS (since 4.3) • Android (since 4.0 Ice Cream Sandwich)
of resources for untrusted programs to run in ➡ Sandboxing servers - virtual machines ➡ Sandboxing programs • Chroot and AppArmor in Linux • Sandbox in MacOS Lion • Metro App Sandboxing in Windows 8 ➡ Sandboxing applets - Java and Flash in web browsers
Host-based Intrusion Prevention systems (IPS) ✓ Based on signatures (well known programs) ✓ Based on behaviors (unknown programs) ➡ Example : Syslog and Systrace on Linux ๏ Vulnerable to malicious programs residing in the kernel called “rootkits”
about security assurance? ➡ If you think we should not care about security you have been sitting in the wrong class for half a semester How to evaluate the security of a product/system? ➡ evaluate the person making the product ➡ or evaluate the product itself
➡ Certifications based on Standards Who should run the evaluation? Who delivers the certification? ➡ A certification authority (trusted third-party) called a registrar
Evaluate and certify a product or a system • TCSEC (“The Orange Book”) (1983-1999) was the American standard • ITSEC (1991-2001) was the European standard • ISO/IEC 15408 (“The Common Criteria”) (since 1998) is the actual international standard
organization submit an evaluation plan to the registrar 2. The registrar runs the first audit and grant the certification 3. The registrar keeps on auditing the organization to guarantee the certification
(ISO/IEC 27002) ➡ List of 133 candidate control objectives and controls ➡ Each control must be addressed one by one in the evaluation plan (extras can be added)
Wheel (PDCA) run a risk analysis and define the security policy design and build security solutions (called controls) improve the security assurance measure the security solutions
the risk analysis) • Security policy • Organization of information security (governance) • Asset management (inventory and classification of information assets) • Human resources protection (security aspects for employees joining, moving and leaving an organization) • Physical and environmental security (protection of computer facilities)
the activity) • Access Control (restrictions of access rights) • Information systems acquisition, development and maintenance (result of the activity) • Information security incident management (CERT) • Compliance (ensuring conformance with security policies, standards, laws and regulations)
Defining the set of security functionalities • Defining a set of assurance requirements • Determining whether the product or system meet the assurance requirements • Determining a measure of the evaluation results Evaluation Assurance Level (EAL) ➡ Technical Evaluation based on security assurance methods • Testing and penetration testing • Formal development and/or formal verification
classify computer systems (i.e. OS) regarding the storage, retrieving and processing of sensitive data ➡ Initiated by the US DOD in the 70's photo from Wikipedia
be explicit and enforceable by a computer system • Two kind of policies are considered DAC and MAC Introduce the concept of accountability • Users must be identified and authenticated • Each access must be logged
protection ➡ No security requirements Class C - discretionary security protection ➡ Multi-user environment and data with different sensitivity levels Class B - mandatory security protection ➡ Object labels, user clearance levels and multilevel security policy Class A - verified protection ➡ Formal design and verification
and the security requirements of the product/system ➡ Written by the system consumer Security Target - identifies the security properties ➡ Written by the software designer in response to the protection profile Let’s look at some protection profiles on http://www.commoncriteriaportal.org/pps/
Requires a documentation of the security functions vouching for a minimum confidence regarding their correction but threats are not considered as serious EAL 2 - Structurally Tested ➡ Requires the delivery of test procedures and test results EAL 3 - Methodically Tested and Checked ➡ Requires the developers to be aware of good software engineering practices
and Reviewed ➡ Requires good commercial developments methods to ensure good software engineering practices EAL 5 - Semi-formally Designed and Tested ➡ Requires rigorous commercial development practices supported by a security expert
and Tested ➡ Requires a rigorous development environment EAL 7 - Formally Verified and Tested ➡ Requires a rigorous security-oriented development environment Let's see some certified products on http://www.commoncriteriaportal.org/products/
is a long time effort ➡ The product is obsolete once certified 2. Going through such an evaluation is a costly process ➡ The return on investment is not necessarily a more secure product 3. The evaluation is performed on the documentation and not on the product itself ➡ A good EAL does not prevent from security flaws
auditor evaluating an organization or a product and delivering the certification • a consultant helping to write the documents needed to pass the certification What do you need to know/do? • CS and IT systems in general • the standards • get certified as an auditor or a consultant and get hired by a registrar
thierrysans
akihiro_kokubo
rasagy
lauravandoore
notwaldorf
thoeni
frankvandijk
codingconduct
sarafernandez
mkilby
marketingsoph
mayunak
bluesmoon
