Security Architecture and Design
Chapter 4, Part 1
Pages 297 to 319
Bugs and Flaws
• Security Bug – Vulnerability in the software (implementation)
• Security Flaw – Vulnerability in the architecture or design
• Roughly a 50%-50% split between bugs and flaws
Today’s Environment
• Security bugs and flaws account for the majority of compromises
• We are better at protecting the perimeter with firewalls, IPS, etc.
• Growing demand for functionality has made software more complex
• As complexity increases, security decreases
Approaches
• Bake security in from the start
– From architecture to design to implementation to testing
– Correct approach
• Bolt security on at the end
– Often not enough time
– Much harder to do
Security
• “The security that a product provides must be evaluated based upon the availability, integrity, and confidentiality that it claims to provide.”
• Need to really understand how the technology works to determine the level of security that is truly in place.
Waterfall Model
• Architect the system
• Write specification requirements
• Design
• Implement = code
• Test
• Deploy
System Architecture
• Conceptually understand the system structure and behavior and its relationship to its environment
• Outline the main goals the system must achieve
• Big picture
System Architecture
• Architectural description for a software-intensive system – ISO/IEC/IEEE 42010
• Security needs to be considered while architecting the system
Stakeholder
• Stakeholder – Individual, team, or organization with interest in the system
• View – representation of the system from a particular perspective
• “The architect needs to capture the goals that the system is supposed to accomplish for each stakeholder.”
Computer Architecture
• Computer hardware
• Operating system
• Network
Computers
Buses
• Most systems today have 64-bit address and data buses
CPU
Registers
• PC (Program Counter) – address of next instruction
• General Registers – Hold data
• Special Registers
– SP (Stack Pointer)
– PSW (Program Status Word)
  • Bit for negative result
  • Bit for zero result
PSW
• Bit for mode
– User mode (where applications run)
– Privileged (Kernel, Supervisor) mode for the operating system
• I/O
Stack Pointer
• Each stack frame holds:
– Local Variables
– Return Address
– Parameters
• Repeated for each nested call (two frames shown on the slide)
Multicore Processor
Multiprocessing (See page 311)
Process
• Program loaded in memory
• Multiprogramming OS – more than one process (program) can be loaded in memory (See page 319)
• Preemptive multitasking – time sharing
Figure 4-6 on Page 314
Process Table
Interrupts
• Timer
• Device – When a device needs to communicate with the CPU, e.g. a disk has completed an I/O operation
Interrupts
Threads
• Instructions generated by a process when it has a specific activity that needs to be carried out by the operating system.
• Microsoft Word
– Open a file
– Print a document
– Save a file
Multithreading
Code Injection Attack
• Attacker injects instructions into a running process
• Examples: keylogger, sending out malware
• Especially dangerous if the process is running in privileged mode
• OWASP Top Ten – https://www.owasp.org/index.php/Top_10_2013-Top_10
– A9 Using Components with Known Vulnerabilities
Process Scheduling
• Responsibility of the operating system
• Process priorities
– Low priority background process
– High priority process hogging the system resources
• Denial of Service attack
Software Deadlock
• A holds resource 1 and requests resource 2
• B holds resource 2 and requests resource 1
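As an added example (not from the slides or the textbook), the Python below builds the wait-for graph for the A/B scenario above, detects the circular wait, and reports which process breaks a global lock-ordering rule (always acquire resources in ascending number order), the usual way to prevent this deadlock. The process and resource names are the slide's; the function names and the dictionary layout are assumptions for illustration.

```python
from collections import defaultdict

# Constructed from the slide's scenario: process A holds resource 1 and
# requests 2; process B holds resource 2 and requests 1.
HOLDS = {"A": {1}, "B": {2}}
REQUESTS = {"A": 2, "B": 1}


def wait_for_graph(holds, requests):
    """Edge P -> Q means process P is waiting on a resource that Q holds."""
    owner = {r: p for p, rs in holds.items() for r in rs}
    graph = defaultdict(set)
    for p, r in requests.items():
        q = owner.get(r)
        if q is not None and q != p:
            graph[p].add(q)
    return graph


def find_cycle(graph):
    """Return the processes on a wait-for cycle (a deadlock), or [] if none."""
    on_path, done, path = set(), set(), []

    def dfs(u):  # a node seen again while still on the path closes a cycle
        on_path.add(u)
        path.append(u)
        for v in graph.get(u, ()):
            if v in on_path:
                return path[path.index(v):]
            if v not in done:
                cyc = dfs(v)
                if cyc:
                    return cyc
        path.pop()
        on_path.discard(u)
        done.add(u)
        return []

    for node in list(graph):
        if node not in done:
            cyc = dfs(node)
            if cyc:
                return cyc
    return []


def lock_order_violators(holds, requests):
    """Processes requesting a resource numbered below one they already hold.
    Acquiring in ascending order makes a circular wait impossible, so a
    violator is the process whose acquisition order needs fixing."""
    return sorted(p for p, r in requests.items()
                  if any(h > r for h in holds.get(p, ())))
```

The same functions handle longer chains (A waits on B waits on C waits on A), not just the two-process case on the slide.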