CSCE 548 Secure Software Development Store and Protect Data Securely Information Leakage Error Handling

aitana

Presentation Transcript


    1. CSCE 548 Secure Software Development Store and Protect Data Securely Information Leakage Error Handling

    2. CSCE 548 - Farkas 2 Information Protection

    3. Access Control
       - Protection objects: system resources for which protection is desirable (memory, file, directory, hardware resource, software resources, external devices, etc.)
       - Subjects: active entities requesting accesses to resources (user, owner, program, etc.)
       - Access mode: type of access (read, write, execute)

    4. Access Control Requirement
       - Cannot be bypassed
       - Enforce least-privilege and need-to-know restrictions
       - Enforce organizational policy

    7. Discretionary Access Control
       - Access control is based on user's identity and access control rules
       - Most common administration: owner based
       - Users can protect what they own
       - Owner may grant access to others
       - Owner may define the type of access given to others

    8. Software and ACL
       - Vulnerable languages: any (C, C++, Java, .Net, etc.)
       - Vulnerable platforms: any (Windows, UNIX, Linux, etc.)

    9. Problem Areas
       - Too much access
       - Not following least privilege
       - Security violations:
         - Deny access – unavailability
         - World readable – information disclosure
         - Write for everyone – incorrect execution, denial of service, taking over the system

    10. Recommendation
        - Use the operating system's security technologies
        - Keep secrets out of harm's way
        - Use security technology (access control support, encryption, etc.) properly
        - Scrub the memory securely once finished with secret data

    11. Weak Access Control
        - Sets access control and grants write access to a low-privileged user
        - Creates an object without setting access control, and creates the object in a place writable by a low-privileged user
        - Writes configuration information into a shared area
        - Writes sensitive information into a shared area

    12. Testing for Weak Access Control
        - Design-level problem: use threat modeling
        - Use your brain
        - Install application and check for access control on the created objects
        - Monitor for security of the functions that create objects
        - For binary code: reverse engineer and look for password-like code
        - Use special tool designed for specific languages and platforms
        - Consider context

    13. Problem Areas
        - Embedding secret in code
        - Application code contains authentication, encryption keys, etc.

    14. Information Leakage

    19. Other ways of information leakage

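Slides 11 and 12 describe weak access control on created objects and suggest installing the application and checking the access control on what it creates. The following is an added example, not part of the original slides: a POSIX permission audit of an install tree. The function names, finding labels and sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_tree(root):
    """Return sorted (relative_path, finding) pairs for objects under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        parent = os.lstat(dirpath).st_mode
        # A world-writable directory without the sticky bit lets any user
        # delete or replace the objects stored inside it.
        parent_open = bool(parent & stat.S_IWOTH) and not parent & stat.S_ISVTX
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not enforced
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:          # "write for everyone"
                findings.append((rel, "world-writable"))
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:  # "world readable"
                findings.append((rel, "world-readable"))
            if parent_open:                  # created in a shared, writable place
                findings.append((rel, "in world-writable directory"))
    return sorted(findings)

def demo():
    """Audit a constructed install tree (sample data, not a real application)."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)
        shared = os.path.join(root, "shared")
        os.mkdir(shared)
        os.chmod(shared, 0o777)              # shared area, no sticky bit
        layout = {"app.conf": 0o644, "secret.key": 0o600,
                  "run.sh": 0o777, os.path.join("shared", "state.db"): 0o600}
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            with open(path, "w") as handle:
                handle.write("constructed sample\n")
            os.chmod(path, mode)             # chmod is not affected by umask
        return audit_tree(root)

if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:30} {rel}")
```

Whether a world-readable finding matters depends on what the file holds, which is the "consider context" step on slide 12.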
