Secure by design
Encyclopedia
Secure by design, in software engineering, means that the software has been designed from the ground up to be secure. Malicious use is assumed as a matter of course, and care is taken to minimize the impact when a security vulnerability is discovered or when invalid user input arrives.
Generally, designs that work well do not rely on being secret (security through obscurity). Openness is not mandatory, but a properly secure design usually means that everyone is allowed to know and understand the design, because it is secure regardless. This has the advantage that many people can look at the code, which improves the odds that any flaws will be found sooner (Linus's law). Of course, attackers can also obtain the code, which makes it easier for them to find vulnerabilities as well.
It is also very important that everything runs with the least amount of privilege possible (principle of least privilege). For example, a Web server that runs as the administrative user (root or admin) has the privilege to remove files and users that do not belong to it, so a flaw in that program could put the entire system at risk. On the other hand, a Web server that runs inside an isolated environment (a sandbox) and only has the privileges needed for its network and filesystem functions cannot compromise the system it runs on unless the security around it is itself also flawed.
Security by design in practice
Many things, especially input, should be distrusted by a secure design. A fault-tolerant program could even distrust its own internals. Two examples of insecure design are allowing buffer overflows and format string vulnerabilities. The following C program demonstrates these flaws:
#include <stdio.h>

int main(void)
{
    char buffer[100];
    printf("What is your name?\n");
    gets(buffer);      /* flaw 1: gets() has no length bound (it was removed from the C standard in C11 for this reason) */
    printf("Hello, ");
    printf(buffer);    /* flaw 2: user input is used as the format string */
    printf("!\n");
    return 0;
}
Because the gets function in the C standard library does not stop writing bytes into buffer until it reads a newline character or EOF (end of file), typing more than 99 characters at the prompt constitutes a buffer overflow. Allocating 100 characters for buffer on the assumption that almost any name a user gives is no longer than 99 characters does not prevent the user from actually typing more than 99 characters. This can lead to arbitrary machine code execution.
The second flaw is that the program tries to print its input by passing it directly to the printf function. This function prints out its first argument, replacing conversion specifications (such as "%s", "%d", et cetera) sequentially with further arguments taken from its call stack as needed. Thus, if a malicious user entered "%d" instead of a name, the program would attempt to print out a non-existent integer value, and undefined behavior would occur.
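A corrected version of the program above, written as an added example rather than taken from the original article: the name is read with fgets bounded by the buffer size, any overlong remainder is discarded, and the name reaches printf only as a %s argument. The function names read_name, greet and the test helper greet_from_string are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Read one line into buf (capacity sz) without overrunning it.  A line longer
 * than sz-1 bytes is cut at sz-1 bytes and the remainder is drained so it
 * cannot come back as a second "name".  Returns 1 on success, 0 on EOF or
 * error; *truncated reports whether input was cut. */
static int read_name(FILE *in, char *buf, size_t sz, int *truncated)
{
    *truncated = 0;
    if (fgets(buf, (int)sz, in) == NULL)
        return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';            /* drop the trailing newline */
    } else {                            /* overlong line, or no newline at EOF */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            *truncated = 1;
    }
    return 1;
}

/* Constant format string: the name is only ever a %s argument, so a "%d" or
 * "%n" typed by the user is printed literally instead of being interpreted. */
static int greet(const char *name, char *out, size_t outsz)
{
    return snprintf(out, outsz, "Hello, %s!\n", name);
}

/* Test helper (assumption of this example): run a constructed input line
 * through the same path stdin would take.  Returns 1 if a greeting was built. */
static int greet_from_string(const char *line, char *out, size_t outsz,
                             int *truncated)
{
    char buffer[100];                   /* same size as in the original program */
    FILE *in = tmpfile();
    if (in == NULL)
        return 0;
    fputs(line, in);
    rewind(in);
    int ok = read_name(in, buffer, sizeof buffer, truncated);
    fclose(in);
    return ok && greet(buffer, out, outsz) > 0;
}
```

In the interactive program, gets(buffer) becomes read_name(stdin, buffer, sizeof buffer, &truncated) and the three printf calls become one greet() call; the helper exists only so the result can be checked offline.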
A related mistake in Web programming is for an online script not to validate its parameters. For example, consider a script that fetches an article by taking a filename, which is then read by the script and parsed. Such a script might use the following hypothetical URL to retrieve an article about dog food:
http://www.example.net/cgi-bin/article.sh?name=dogfood.html
If the script has no input checking, instead trusting that the filename is always valid, a malicious user could forge a URL to retrieve configuration files from the webserver:
http://www.example.net/cgi-bin/article.sh?name=../../../../../etc/passwd
Depending on the script, this may expose the /etc/passwd file, which on Unix-like systems contains (among other things) user IDs, their login names, home directory paths and shells. (See SQL injection for a similar attack.)
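One way the script could validate its name parameter, as an added example (not the article's own code, and written in C rather than as the hypothetical article.sh): the value is checked against an allowlist for a single file-name component ending in .html, so "../" sequences, absolute paths and other separators are rejected before any path is built. The document root /var/www/articles, the 64-byte length limit and the function names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define ARTICLE_DIR "/var/www/articles"   /* assumed document root for articles */

/* Allowlist check: a name is valid only if it is a single component made of
 * [A-Za-z0-9_-] followed by ".html".  No '/', no '.', no leading "..", so
 * traversal tricks are refused without enumerating them one by one. */
static int valid_article_name(const char *name)
{
    const char *suffix = ".html";
    size_t len = strlen(name), slen = strlen(suffix);
    if (len <= slen || len > 64)                     /* empty stem or too long */
        return 0;
    if (strcmp(name + len - slen, suffix) != 0)      /* must end in .html */
        return 0;
    for (size_t i = 0; i < len - slen; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Build the path the script would open.  Returns 1 and fills out on success,
 * 0 if the name is rejected or the result would not fit. */
static int article_path(const char *name, char *out, size_t outsz)
{
    if (!valid_article_name(name))
        return 0;
    int n = snprintf(out, outsz, "%s/%s", ARTICLE_DIR, name);
    return n > 0 && (size_t)n < outsz;
}
```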
Server/client architectures
In server/client architectures, the program at the other side may not be an authorised client, and the client's server may not be an authorised server. Even when they are, a man-in-the-middle attack could compromise communications.
Often the easiest way to break the security of a client/server system is not to attack the security mechanisms head-on but to go around them. A man-in-the-middle attack is a simple example of this, because it can be used to collect details that allow impersonating a user. This is why it is important to consider encryption, hashing, and other security mechanisms in the design, so that information collected by a potential attacker will not grant access.
Another key feature of client-server security design is general good coding practice. For example, following a known software design structure such as client and broker can help in building a well-founded structure. Furthermore, if the software is modified in the future, it is even more important that it follows a logical separation between client and server: a programmer who cannot clearly understand the dynamics of the program may add or change something that introduces a security flaw. Even with the best design this is always a possibility, but the more standardized the design, the less chance there is of this occurring.
See also
- Computer security
- Hardening
- Multiple Independent Levels of Security
- Secure by default
- Security through obscurity
- Software Security Assurance
- Cyber security standards