Secure Software Development
Store and Protect Data Securely
Information Leakage
Error Handling
Docsity.com
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
Guidelines and tips
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
Community
Ask the community
Ask the community for help and clear up your study doubts
University Rankings
Discover the best universities in your country according to Docsity users
Free resources
Our save-the-student-ebooks!
Download our free guides on studying techniques, anxiety management strategies, and thesis advice from Docsity tutors
Secure Software Development: Access Control and Information Leakage, Slides of Software Engineering
An overview of secure software development, focusing on access control and information leakage. It discusses the importance of protecting data during transit, use, and storage, as well as access control components and policies. The document also covers problem areas, such as weak access control and information leakage through communication channels and error handling.
Typology: Slides
2012/2013
1 / 24
This page cannot be seen from the preview
Don't miss anything!
Related documents
Partial preview of the text
Download Secure Software Development: Access Control and Information Leakage and more Slides Software Engineering in PDF only on Docsity!
Secure Software Development
Store and Protect Data Securely
Information Leakage
Error Handling Docsity.com
Information Protection
During transit
During use
During storage
Access Control Requirement
- Cannot be bypassed
- Enforce least-privilege and need-to-know
restrictions
- Enforce organizational policy
Access Control
Access control : ensures that all direct accesses to
object are authorized
Protects against accidental and malicious threats
by regulating the reading, writing and execution of data and programs
Need:
- Proper user identification and authentication
- Information specifying the access rights is protected form modification
Discretionary Access Control
- Access control is based on
- User’s identity and
- Access control rules
- Most common administration: owner based
- Users can protect what they own
- Owner may grant access to others
- Owner may define the type of access given to others
Software and ACL
- Vulnerable languages: any
- C, C++, Java, .Net, etc.
- Vulnerable platforms: any
- Windows, UNIX, Linux, etc.
Recommendation
- Use the operating system’s security
technologies
- Keep secrets out of harm’s way
- Use security technology (access control
support, encryption, etc.) properly
- Scrub the memory securely once finished with
secret data
Weak Access Control
- Set access control and grants write access to low
privileged user
- Creates an object without setting access control and
creates object in a place writable by low-privileged user
- Writes configuration information into a shared area
- Writes sensitive information into a shared area
Problem Areas
- Embedding secret in code
- Application code contains authentication, encryption keys, etc.
Information Leakage
16
Communication Channels
Overt Channel : designed into a system and documented in the user's manual
- Information leakage: designers and developers DO NOT understand security needs of the application
Covert Channel : not documented. Covert channels may be deliberately inserted into a system, but most such channels are accidents of the system design.
- Information leakage: slow information flow to unauthorized recipient
17
Information Flow
Direct Flow:
- Bell-LaPadula example
Indirect flow:
- Covert channel
- Inference channel
TS-subject
S-object
read info- flow
TS-object
S-subject
write info- flow
OTHER WAYS OF INFORMATION
LEAKAGE
20