Secure Software Development: Access Control and Information Leakage, Slides of Software Engineering

An overview of secure software development, focusing on access control and information leakage. It discusses the importance of protecting data during transit, use, and storage, as well as access control components and policies. The document also covers problem areas, such as weak access control and information leakage through communication channels and error handling.

Typology: Slides

2012/2013

Uploaded on 04/26/2013

sharad_984

Partial preview of the text

Secure Software Development

Store and Protect Data Securely

Information Leakage

Error Handling

Information Protection

  • During transit
  • During use
  • During storage

Access Control Requirements

  • Cannot be bypassed
  • Enforce least-privilege and need-to-know restrictions
  • Enforce organizational policy

Access Control

Access control: ensures that all direct accesses to objects are authorized

  • Protects against accidental and malicious threats by regulating the reading, writing and execution of data and programs
  • Needs:
    • Proper user identification and authentication
    • Information specifying the access rights is protected from modification

Discretionary Access Control

  • Access control is based on
    • User’s identity and
    • Access control rules
  • Most common administration: owner based
    • Users can protect what they own
    • Owner may grant access to others
    • Owner may define the type of access given to others

Software and ACL

  • Vulnerable languages: any
    • C, C++, Java, .Net, etc.
  • Vulnerable platforms: any
    • Windows, UNIX, Linux, etc.

Recommendations

  • Use the operating system’s security technologies
  • Keep secrets out of harm’s way
  • Use security technology (access control support, encryption, etc.) properly
  • Scrub the memory securely once finished with secret data

Weak Access Control

  • Sets access control but grants write access to a low-privileged user
  • Creates an object without setting access control, or creates the object in a place writable by a low-privileged user
  • Writes configuration information into a shared area
  • Writes sensitive information into a shared area

Problem Areas

  • Embedding secrets in code
    • Application code contains authentication credentials, encryption keys, etc.

Information Leakage


Communication Channels

Overt Channel: designed into a system and documented in the user's manual

  • Information leakage: designers and developers DO NOT understand security needs of the application

Covert Channel: not documented. Covert channels may be deliberately inserted into a system, but most such channels are accidents of the system design.

  • Information leakage: slow information flow to unauthorized recipient


Information Flow

  • Direct flow:
    • Bell-LaPadula example
  • Indirect flow:
    • Covert channel
    • Inference channel

[Figure: Bell-LaPadula direct flow. Read: a TS-subject reads an S-object (information flows from the S-object to the TS-subject). Write: an S-subject writes to a TS-object (information flows from the S-subject to the TS-object).]
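The two permitted flows in the figure follow from the Bell-LaPadula rules: "no read up" (a subject may read only objects at or below its clearance) and "no write down" (a subject may write only to objects at or above its clearance). The following is an added example, not part of the slides, that encodes both rules as a direct-flow check; the level names and the subject/object names are assumed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Linearly ordered sensitivity levels (assumed); the figure uses S and TS.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str


@dataclass(frozen=True)
class Obj:
    name: str
    classification: str


def dominates(high: str, low: str) -> bool:
    """True when level `high` is at least as sensitive as level `low`."""
    return LEVELS[high] >= LEVELS[low]


def decide(subject: Subject, obj: Obj, op: str) -> Tuple[bool, str]:
    """Bell-LaPadula direct-flow check; returns (allowed, reason).

    read : information flows object -> subject, so the subject's clearance
           must dominate the object's classification (no read up).
    write: information flows subject -> object, so the object's classification
           must dominate the subject's clearance (no write down).
    """
    if op == "read":
        ok = dominates(subject.clearance, obj.classification)
        return ok, "allowed" if ok else "denied: no read up"
    if op == "write":
        ok = dominates(obj.classification, subject.clearance)
        return ok, "allowed" if ok else "denied: no write down"
    raise ValueError("unknown operation: " + op)


def diagram_cases() -> Dict[str, bool]:
    """The two flows drawn in the figure plus their mirror images, which leak."""
    ts_subject, s_subject = Subject("ts-subject", "TS"), Subject("s-subject", "S")
    ts_object, s_object = Obj("ts-object", "TS"), Obj("s-object", "S")
    return {
        "TS-subject reads S-object": decide(ts_subject, s_object, "read")[0],
        "S-subject writes TS-object": decide(s_subject, ts_object, "write")[0],
        "S-subject reads TS-object": decide(s_subject, ts_object, "read")[0],
        "TS-subject writes S-object": decide(ts_subject, s_object, "write")[0],
    }
```

The two denied cases are exactly the direct flows that would move Top Secret information to a Secret level.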

Other Ways of Information Leakage

Yielding Too Much Information

  • Error message carries information that can be misused by the attacker
  • Avoid: do not tell the user why his input failed
  • Problem: reduces usability