Professional Documents
Culture Documents
(CT-6662)
Introduction:
• The building and deployment of safe, secure, dependable, resilient, and
reliable software systems remains so important.
• Top class software development shops display high levels of
sophistication, structure, and control throughout their software
development life cycle processes, some accomplishing the highest levels
of capability maturity.
• Perhaps the best-known example of a process improvement approach is
the Capability Maturity Model Integration (CMMI) process introduced by
the Software Engineering Institute(SEI) of Carnegie Mellon University.
Terms/phrases:
- systems engineers, hardware engineers, software engineers
- systems engineering, software engineering,
- security engineering, safety engineering
- software systems engineering, systems software engineering
- software safety engineers, software security engineers
- security-critical software systems, safety-critical software systems
…
• systems engineers pay relatively little attention to software systems
engineering;
• Systems engineers dealing with entire systems seem to pay little attention to
software considerations.
• software engineers appear to ignore both the guidance that can be gleaned
from systems engineering on the one hand, and the nonfunctional aspects of
software systems, such as security, safety, and resiliency on the other hand.
or
A system is a collection of related or associated entities that together accomplish
... one or more specific objectives.
Or
• Software is further split into its functional and nonfunctional characteristics. This
is a common way to divide software characteristics. The usual set of
nonfunctional software characteristics is as follows:
• Security;
• Safety;
• Performance;
• Reliability;
• Compliance.
…
• The distinction between safety-critical and security-critical software systems:
• Safety-critical software: the software must not harm the world.
• Security-critical software: the world must not harm the software.
• That is to say, software systems that are judged to be safety-critical must not
present a hazard to human life or the environment. This is an outward-
looking perspective.
• On the other hand, security-critical software systems are inward-looking to
the extent that it is necessary to protect the software and any sensitive data
such as nonpublic personal information and intellectual property from
misuse, damage, or destruction from attacks by external or internal persons
or computer applications.
• it is this divergence of viewpoint between software safety engineers and
software security engineers that leads to major software systems engineering
issues, particularly when there is a requirement to combine both safety-
critical and security-critical software-intensive systems into what are
increasingly termed cyber-physical systems.
…
• Engineering can be defined as follows:
… the creative application of scientific principles to design or develop
structures, machines, apparatus, or manufacturing processes, or works
utilizing them singly or in combination; or to construct or operate the same
with full cognizance of their design; or to forecast their behavior under
specific operating conditions; all as respects an intended function,
economics of operation and safety to life and property.
Or,
Engineering is the designing, testing and building of machines, structures
and processes using maths and science.
• When systems are aggregated into systems of systems, what terms should be
used to describe the characteristics of the much more complex combinations of
systems?
The combination of safety-critical systems and security-critical systems, such
as is occurring with the so-called smart grid, produces issues well beyond the
reach of the individual systems.
• The table in Figure bellow, can be used to assist with explaining the definitions
and the relationships among components. For example, we see “systems
engineering” in the first line of the table, “software engineering” in the second
line, and “software systems engineering” in the third line.
• If we were to reverse Columns 2 and 4 in the third line, we would get “systems
software engineering,” which has a completely different meaning from “software
systems engineering.”
…
.
…
Systems software engineering relates to the engineering of systems software.
Software systems engineering refers to the application of systems engineering
practices to all types of software intensive products.
Systems software is a category of software that lies below the applications software
layer and performs many of the administrative functions that support the
applications. It includes operating systems and utilities, such as sort algorithms.
• Clearly these definitions suggest a life cycle process that begins with the
identification of user needs and should end up with one or more systems that
meet those needs.
…
What Is Software?
• In simple terms, software consists of computer program code, usually written
in high-level computer languages, such as C, C++, and Java. The resulting
source code, of which much software is comprised, is then converted into
code that is understood by computers by interpretation or compilation.
• Some restrict firmware to program code and data that cannot be changed
once burned into a chip. For example, some define firmware as unalterable
software burned into read-only memory chips.
• ... the combination of a hardware device and computer instructions and data
that reside as read-only software on that device.
• However, today much firmware can be easily updated due to the ready
availability of inexpensive nonvolatile memory devices.
…
What is Software Systems Engineering?
…
• Software Systems Engineering is an arm of systems engineering that
addresses the development of complex software-intensive systems.
It involves analyzing, designing, developing, testing, and maintaining a broad
range of software based on specific user needs, while taking into
consideration the quality, time, and budget required.
Year of
Approach Major Advantages Major Disadvantages
Origin *
- Facilitates understanding of factors, such as look
and feel of user interface
Prototyping - Helps to identify and mitigate risks
May not be cost-effective in certain cases
Proof of 1983 - May be able to reuse some of prototype code
concept - Avoids the cost and difficulty of modifying completed
software
- Comprehensive approach
- Includes aspects not included in other methods such
Overkill for small projects
Unified 1999 as business case
- Quite mature and widely used
- Demonstrable results
- Developers may be more motivated - Problematic for larger projects
Agile 2001 - Better specification of requirements by users - Documentation suffers
• Never forget that there is no silver bullet solution for security: Not even
fuzzing can guarantee that there are no flaws left in the software.
…
Security Incident
• The main motivation for software security is to avoid security incidents:
- events where someone can compromise the security of a system
through and active attack, and
- where data can be disclosed or destroyed through mistakes made by
people, or due to natural disasters such as floods or tornadoes.
2. Partial disclosure:
This is the most common means of disclosure in the industry. The
problem with partial disclosure is that hackers can reverse-engineer the
corrections even when limited information is given.
3. Full disclosure:
All details of the vulnerability, including possible exploitation techniques,
are disclosed publicly. In this model, each reader with enough skill can
analyze the problem and prioritize it accordingly.
…
Attack Surfaces and Attack Vectors
• Attack surface has several meanings, depending on what is analyzed.
- To some, attack surface means the source code fingerprint that can be
accessed through externally accessible interfaces. This is where either
remote or local users interact with applications, like loading a document
into a word processor, or checking email from a remote mail server.
- From a system testing standpoint, the total attack surface of a system
can comprise all of the individual external interfaces it provides. It can
consist of various network components, various operating systems and
platforms running on those devices, and finally, all client applications and
services.
• Attack vectors- The various routes into a system, whether they are remote
or local, are called attack vectors.
- A local vector means that an attacker already has access to the system to
be able to launch the attack. For instance, the attacker may possess a
user-name and password, with which he or she can log into the system
locally or remotely.
…
• As examples a local attack vector can consist of any of the following:
1. Graphical user interface (GUI);
2. Command line user interface (CLI);
3. Application Programming interfaces (API);
4. Files;
5. Local network loops (RPC, Unix sockets or pipes, etc.);
6. Physical hardware access.
• Much more interesting interfaces are those that are accessible remotely.
Those are the ones on which fuzzing has traditionally focused.
Most common categories of remote interfaces that fuzzers test are:
- Web applications - Web forms are still the most common attack vector.
- Digital media -
- Network protocols –
- Wireless infrastructure -
…
Reasons Behind Security Mistakes
• The core reason is that the fast evolution of communications technologies
has made software overwhelmingly complex.
• Even the developers of the software may not understand all of the
dependencies in the communication infrastructure. Integration into off-
the-shelf frameworks, third-party libraries, components and operating
systems brings along with it unnecessary network services that should be
shut down or secured before deploying the products and services.
• One could argue that security scanners (or vulnerability scanners) are also
proactive security tools. However, security scanners are based on known
attacks and exhibit the same problems as other reactive security solutions.
A security scanner cannot find a specific vulnerability unless the
vulnerability is publicly known.
• A proactive solution will look for vulnerabilities and try to resolve them
before anyone else learns of them and before any attacks take place.
…
Security Requirements
• We have discussed fuzzing and its uses, but the truth is not all software is
security-critical, and not all software needs fuzzing. Introducing fuzzing
into development or deployment processes needs to be based on the
requirement set for the system.
• Typical and perhaps the most common subset of security requirements or
security goals consists of the following:
- confidentiality,
- integrity, and
- availability.
“The planned and systematic set of activities that ensure that software
lifecycle processes and products conform to requirements, standards, and
procedures”