南京大学：《网络安全与入侵检测 Network Security and Intrusion Detection》课程教学资源（课件讲稿）02 Security Principles

Security Principles Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University

Security Principles Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University

Security Principles Variations of lists of security principles Security vulnerabilities often exploit violations of these principles ■ Good security solutions or countermeasures follow these principles Some overlap some tension between principles More generally,checklists are useful for security These principles can be applied at many levels,e.g.,in source code of an application,between applications on a machine at OS level,at network level,within an organization,between organizations Here we give 16 principles Main Source:software security principles by Gary McGraw and John Viega ■CSE825 2

CSE825 2 Security Principles  Variations of lists of security principles  Security vulnerabilities often exploit violations of these principles  Good security solutions or countermeasures follow these principles  Some overlap & some tension between principles  More generally, checklists are useful for security  These principles can be applied at many levels, e.g., in source code of an application, between applications on a machine at OS level, at network level, within an organization, between organizations  Here we give 16 principles  Main Source: software security principles by Gary McGraw and John Viega

Principle 1:Securing the weakest Security is a chain;a system is only as secure as the weakest link Spend your efforts on improving the security of the weakest part of a system,as this is where attackers will attack Bank vs.convenience store -Firewall vs.application visible through firewall Social engineering:a common weak link -Software can be weak,surrounding infrastructure can be weaker. -Typical scenario:a service center gets a call from a sincere-sounding user Educating users may be best investment to improve security,eg.,think of phishing attacks,weak passwords Table ll.Character composition information about each password dataset a-zA- Dataset a-z+A-Z+A-Za-z+0-9]+ [a-z+ a-z+1 a-zA-Z+ T0-9]+ T0-9]+ Z0-9]+ [0-9]+ [0-9]+[a-zA-Z]+ [a-z]+ Tianya 9.966 0.18% 10.29% 63.776 98.059% 14.63% 0.12% 15.64% 4.379% 4.11% Dodonew 8.79% 0.27% 9.37% 20.49% 82.88% 40.81% 1.39% 42.94% 7.31% 6.95% CSDN 11.64% 0.47% 12.35% 45.01% 96.31% 26.14% 0.24% 28.45% 6.46% 5.88% Duowan 10.30% 0.09% 10.52%52.84% 97.59% 23.97% 0.37% 24.84% 6.04% 5.83% Myspace 7.18% 0.31% 7.66% 0.71%89.95% 65.66% 18.24% 69.779% 6.02% 5.66% Singles.org 60.20% 1.92% 65.829%6 9.58%99.78% 17.77% 2.73% 19.68% 1.92% 1.77% Faithwriters 54.40% 1.16% 59.04% 6.35% 99.57% 22.82% 4.13% 25.45% 2.73% 2.37% Hak5 18.61% 0.27% 20.39% 5.56%92.13% 16.57% 2.01% 31.80% 1.44% 1.21% -CSE825 3

CSE825 3 Principle 1: Securing the weakest  Security is a chain; a system is only as secure as the weakest link.  Spend your efforts on improving the security of the weakest part of a system, as this is where attackers will attack. ─ Bank vs. convenience store ─ Firewall vs. application visible through firewall  Social engineering: a common weak link. ─ Software can be weak, surrounding infrastructure can be weaker. ─ Typical scenario: a service center gets a call from a sincere-sounding user ─ Educating users may be best investment to improve security, eg., think of phishing attacks, weak passwords

Principle 1:Securing the weakest link Table IV.Top 10 most popular passwords of each dataset Rank Tianya Dodonew CSDN Duowan Myspace Singles.org Faithwriters Hak5 123456 123456 123456789 123456 passwordl 123456 123456 QsEfTh22 2 111111 a123456 12345678 111111 abe123 jesus writer 3 000000 123456789 11111111 123456789 fuckyou password jesusl timosha Top 3(%) 5.58% 1.49% 8.15% 5.01% 0.40% 2.10% 1.03% 4.62% 4 123456789 111111 dearbook 123123 monkey1 12345678 christ ike02banaA 5 123123 5201314 00000000 000000 iloveyoul christ blessed 123456 6 123321 123123 123123123 5201314 myspacel love john316 zxczxc 7 5201314 a321654 1234567890 123321 fuckyoul princess jesuschrist 123456789 8 12345678 12345 88888888 a123456 numberl jesusl password westside 9 666666 000000 111111111 suibian footballl sunshine heaven ZVjmHgC355 10 111222tianya 123456a 147258369 12345678 nicolel 1234567 faithwriters Kj7Gt65F Top10(%) 7.42% 3.28% 10.44% 6.78% 0.78% 3.409% 2.17% 7.20% Credit card example -threats to credit card numbers include: eavesdropping on the network stealing from customer database me loosing my wallet-weakest link Solution:risk analysis. -CSE825 4

CSE825 4 Principle 1: Securing the weakest link  Credit card example - threats to credit card numbers include: ● eavesdropping on the network ● stealing from customer database ● me loosing my wallet – weakest link  Solution: risk analysis

Principle 2:Defense in depth If one layer fails,hopefully another layer can succeed. No single point of failure. Why is bank more secure than convenience store? -Redundant security measures:security guard,bulletproof glass, electronically locked doors,vault protecting the rest and requiring the presence of two individuals who are rarely at the bank at the same time, security camera,... Well-known principle even beyond security -Have a series of defenses so that if an error isn't caught by one,it will probably be caught by another.(From Bruce MacLennan's Principles of Programming Languages. Securing the weakest link applies to nonoverlapping functions. Defense in depth applies to same function. -CSE825 5

CSE825 5 Principle 2: Defense in depth  If one layer fails, hopefully another layer can succeed.  No single point of failure.  Why is bank more secure than convenience store? ─ Redundant security measures: security guard, bulletproof glass, electronically locked doors, vault protecting the rest and requiring the presence of two individuals who are rarely at the bank at the same time, security camera,…  Well-known principle even beyond security ─ Have a series of defenses so that if an error isn't caught by one, it will probably be caught by another. (From Bruce MacLennan's Principles of Programming Languages.)  Securing the weakest link applies to nonoverlapping functions.  Defense in depth applies to same function

Principle 2:Defense in depth (cont. Example 1:have a firewall and secure web application software, and run web application with minimal privileges Example 2:use OS access control to restrict access to sensitive files,and encrypt them,especially when files are stored on removable media such as USB sticks,laptops,or PCs which might be disposed. Counterexample:on UNIX systems,the password file, /etc/passwd,which contains hashed passwords,was world readable. -Solution:enforce tight access control to the file. Counterexample:having a firewall,and only having firewall -a user bringing in a laptop circumvents firewall Counterexample:firewall unencrypted data within network CSE825 6

CSE825 6 Principle 2: Defense in depth (cont.)  Example 1: have a firewall and secure web application software, and run web application with minimal privileges  Example 2: use OS access control to restrict access to sensitive files, and encrypt them, especially when files are stored on removable media such as USB sticks, laptops, or PCs which might be disposed.  Counterexample: on UNIX systems, the password file, /etc/passwd, which contains hashed passwords, was world readable. ─ Solution: enforce tight access control to the file.  Counterexample: having a firewall, and only having firewall ─ a user bringing in a laptop circumvents firewall  Counterexample: firewall + unencrypted data within network

Principle 3:Secure failure When systems fail,they should not revert to insecure behavior. Otherwise,attacker only need to invoke the right failure. Incorrect handling of unexpected errors is major cause of security breaches Example:careful handling of exceptions in JAAS (Java Authentication and Authorization Service)module code! isAdmin true;//enter Admin mode try something that may throw SomeException catch(SomeException ex){ /∥should we log? log.write(ex.toString()); /how should we proceed? isAdmin false; /∥or should we exit? } -CSE825 7

CSE825 7 Principle 3: Secure failure  When systems fail, they should not revert to insecure behavior. Otherwise, attacker only need to invoke the right failure.  Incorrect handling of unexpected errors is major cause of security breaches  Example: careful handling of exceptions in JAAS (Java Authentication and Authorization Service) module code! isAdmin = true; // enter Admin mode try { something that may throw SomeException } catch (SomeException ex) { // should we log? log.write(ex.toString()); // how should we proceed? isAdmin = false; // or should we exit? }

Principle 3:Secure failure (cont.) Counterexample:old version software did not use encryption, new version does;for backward compatibility,when new version talks to old version,new version disables encryption. -Attack:when new version talks to new version,attackers can tamper message on the wire to make both think the other is over version. 一 Solution:new version notifies old version to download patches from a secure place that the old version knows. Question:what about old version downloads patches from new version? -Security problem:then new version is not authenticated. Counterexample-Remote Method invocation(RMI) -When a client and server want to communicate over RMI,if the server wants to use an encryption protocol that client does not support,the client downloads the protocol implementation from the server at runtime. Security problem:if the client fails to establish a secure connection(a failure),it will establish a connection using whatever protocol an untrusted entity gives it. CSE825 8

8 Principle 3: Secure failure (cont.)  Counterexample: old version software did not use encryption, new version does; for backward compatibility, when new version talks to old version, new version disables encryption. ─ Attack: when new version talks to new version, attackers can tamper message on the wire to make both think the other is over version. ─ Solution: new version notifies old version to download patches from a secure place that the old version knows. ─ Question: what about old version downloads patches from new version? ─ Security problem: then new version is not authenticated.  Counterexample - Remote Method invocation (RMI) ─ When a client and server want to communicate over RMI, if the server wants to use an encryption protocol that client does not support, the client downloads the protocol implementation from the server at runtime. ─ Security problem: if the client fails to establish a secure connection (a failure), it will establish a connection using whatever protocol an untrusted entity gives it. CSE825

Principle 4:Least privilege Only the minimum access necessary to perform an operation should be granted,and that access should be granted only for the minimum amount of time necessary. Example:you go vacation,ask a friend to pick up mail Example:U.S.government--the policy of "need to know." Counterexample:famous violations of least privilege exist in UNIX systems (--needs root privilege for running a service on a port number less than 1024) Some e-mail servers is that they don't give up their root permissions once they have grabbed the mail port(Sendmail is a classic example). Counterexample:device drivers having to run in kernel mode Counterexample:Several calls in the Windows API for accessing objects that grant all access if you pass "O"as an argument. -Programmers are lazy. -CSE825 9

CSE825 9 Principle 4: Least privilege  Only the minimum access necessary to perform an operation should be granted, and that access should be granted only for the minimum amount of time necessary.  Example: you go vacation, ask a friend to pick up mail  Example: U.S. government -- the policy of “need to know.”  Counterexample: famous violations of least privilege exist in UNIX systems (-- needs root privilege for running a service on a port number less than 1024) ─ Some e-mail servers is that they don't give up their root permissions once they have grabbed the mail port (Sendmail is a classic example).  Counterexample: device drivers having to run in kernel mode  Counterexample: Several calls in the Windows API for accessing objects that grant all access if you pass "0" as an argument. ─ Programmers are lazy

Principle 4:Least privilege (cont.) In organization don't give everyone access to root passwords -don't give everyone administrator rights On computer -Run process with minimal set of privileges -For example,don't run web application as root or administrator for Java application:not the default policy grant codeBase "ile:$java.ext.dirs)/*"{ permission java.security.AllPermission, but minimum required grant codeBase "file:./forum/*" permission java.security.FilePermission; "/home/forumcontent/*","read/write";}; -CSE825 10

CSE825 10 Principle 4: Least privilege (cont.)  In organization ─ don’t give everyone access to root passwords ─ don’t give everyone administrator rights  On computer ─ Run process with minimal set of privileges ─ For example, don’t run web application as root or administrator  for Java application: not the default policy grant codeBase "file:${{java.ext.dirs}}/*" { permission java.security.AllPermission; }; but minimum required grant codeBase "file:./forum/*" { permission java.security.FilePermission; "/home/forumcontent/*","read/write";};