



Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
Computer Security Principles of Secure Software, Lecture Notes - Computer Science - Prof. David Wagner.pdf, University of California (CA) - UCLA, United States of America (USA), Prof. David Wagner, Computer Science, Computer Security, Principles of Secure Software, Trusted Computing Base, TCB, Principles for Secure Systems
Typology: Study notes
1 / 7
This page cannot be seen from the preview
Don't miss anything!




This lecture will show you a number of principles for building secure systems. First, we will show one powerful concept, the notion of a trusted computing base (TCB); then, we will describe thirteen useful principles. The principles are neither necessary nor sufficient to ensure the design of a secure system, but they are often very helpful nonetheless.
This lecture focuses primarily on what you can do at design time to improve security. How can you choose an architecture that will help reduce the likelihood of flaws in your system, or increase the likelihood that you will be able to survive such flaws? That’s the focus of this lecture. We reserve the question of what to do at implementation time until next lecture.
Earlier in this class we introduced the notion of trusted and trustworthy components. A trusted component is a part of the system that we rely upon to operate correctly, if the whole system is to be secure; to turn it around, a trusted component is one that is able to violate our security goals. A trustworthy component is a part of the system that we would be justified in trusting, i.e., where we’d be justified in expecting it to operate correctly. For instance, on Unix systems the super-user (root) is trusted; hopefully she is also trustworthy, or else we are in trouble.
In any system, the trusted computing base (TCB) is that portion of the system that must operate correctly, for the security goals of the system to be assured. We have to rely on every component in the TCB to work correctly. However, anything that is outside the TCB isn’t relied upon in any way: even if it misbehaves or operates maliciously, it cannot defeat the system’s security goals. Indeed, we can take the latter statement as our definition of the TCB: the TCB must be large enough so that nothing outside the TCB can violate security.
Example: Suppose the security goal is that only authorized users are allowed to log into my system using SSH. What is the TCB? Well, the TCB includes the SSH daemon, since it is the one that makes the au- thentication and authorization decisions—if it has a bug (say, a buffer overrun), or if it was programmed to behave maliciously (say, the SSH implementor has included a backdoor in it), then it will be able to violate my security goal (e.g., by allowing access to unauthorized users). That’s not all. The TCB also includes the operating system, since the operating system has the power to tamper with the operation of the SSH daemon (e.g., by modifying its address space). Likewise, the CPU is in the TCB, since we are relying upon the CPU to execute the SSH daemon’s machine instructions correctly. Suppose a web browser application is installed on the same machine; is the web browser in the TCB? Hopefully not! If we’ve built the system in a way that is at all reasonable, the SSH daemon is supposed to be protected (by the operating system’s memory protection) from interference by unprivileged applications, like a web browser.
Another example: Suppose that we deploy a firewall at the network perimeter to enforce the security goal
that only authorized connections should be permitted into our internal network. Then, in this case, the firewall is the TCB for this security goal.
A third example: When we build access control into a system, there is always some mechanism that is re- sponsible for enforcing the access control policy. As you may remember from the lecture notes on firewalls, this mechanism is known as a reference monitor. The reference monitor is the TCB for security goal of ensuring that the access control policy is followed. Basically, the notion of a reference monitor is just the idea of a TCB, specialized to the case of access control.
In fact, the three guiding principles for a reference monitor also apply to TCB. We repeat them here. A TCB should be:
Keeping the TCB simple and small is good practice. The less code you have to write, the less chances you have to make a mistake or introduce some kind of implementation flaw. Industry standard error rates are 1– defects per thousand lines of code. Thus, a TCB containing 1000 lines of code might have 1–5 defects, while a TCB containing 100,000 lines of code might have 100–500 defects. I know which I’d pick. (Windows XP consists of about 40 million lines of code, all of which is in the TCB. Yikes!) The lesson is to shed code: design your system so that as much of the code can be moved outside the TCB.
Who cares about all this esoteric stuff about TCBs? Actually, the notion of a TCB is a very powerful and pragmatic one. The concept of a TCB allows a primitive yet effective form of modularity. It lets us separate the system into two parts: the part that is security-critical (the TCB), and everything else.
This separation is a big win for security. Security is hard. It is really hard to build systems that are secure and correct. The more pieces the system contains, the harder it is to assure its security. If we are able to identify a clear TCB, then we will know that only the parts in the TCB must be correct for the system to be security. Thus, when thinking about security, we can focus our effort where it really matters. And, if the TCB is only a small fraction of the system, we have much better odds at ending up with a secure system: the less of the system we have to rely upon, the less likely that it will disappoint.
Let’s do a concrete example. You’ve been hired by the National Archives to help with their email retention system. They’re chartered with saving a copy of every email ever sent by government officials. They want to ensure that, once a record is saved, it cannot be subsequently deleted or destroyed. For instance, if someone is investigated, they are worried about the threat that someone might try to destroy embarassing or incriminating documents previously stored in the archives. The security goal is to prevent this kind of after- the-fact document destruction.^1 So, you need to build a document storage system which is “append-only”:
(^1) Assume that you don’t have to worry about the problem of making sure that documents are entered into the archive in the first place. Maybe users will mostly comply initially, and we’re only really worried about a “change of mind.” Or, maybe it is someone else’s job to ensure that the necessary documents get into the archive.
Here are some general principles for secure system design.^2
Example: Suppose the company firewall administrator gains a reputation for capriciously, for no good reason, blocking applications that the engineers need to use to get their job done. Pretty soon, the engineers are going to view the firewall as damage and route around it, maybe setting up tunnels, or bypassing it in any number of other ways. This is not a game that the firewall administartor is going to win. No system can remain secure for long when all its users actively seek to subvert it. Example: The system administrator issues an edict that, henceforth, all passwords will be automati- cally generated unmemorizable strings that are at least 17 characters long, and must be changed once a month. What’s likely to happen is that users will simply write down their password on a yellow sticky attached to their monitor, visible to anyone who looks. Such well-intentioned edicts can ultimately turn out to be counter-productive.
executable code, and it is tedious but not all that difficult to disassemble and reverse-engineer such code. Also problematic is that it is very difficult to assess, with any confidence, the chances that the secret will leak or the difficulty of learning the secret. Moreover, it’s a real bummer if this secret ever leaks: it is often hard to update widely-deployed systems, so there may be no recourse if someone ever succeeds in reverse-engineering the code. Historically, security through obscurity has a lousy track record: many systems that have relied upon the secrecy of their code or design for security have failed miserably. This doesn’t mean that open-source applications are necessarily more secure than closed-source appli- cations. But it does mean that you shouldn’t trust any system that relies on security through obscurity, and you should probably be skeptical about claims that keeping the source code secret makes the system significantly more secure.
Finally, I’ll end with three principles that are widely accepted in the cryptographic community (although not often articulated), and that seem useful in computer security as well.
(^4) I thank Doug Gwyn for this formulation.