SST Design principles

12 feb. 2013

Saltzer/Schroeder 8+2 design principles

Combined with Star Wars, can it get any better?
(See Applied Information Security - lecture 1)

  1. Economy of mechanism
  2. Fail-safe defaults
  3. Complete mediation
  4. Open design: do not rely on the design staying secret. But some deployed components are hard to change once a weakness becomes known; compensate with other measures, such as firewalls?
  5. Separation of privilege
  6. Least privilege
  7. Least common mechanism
  8. Psychological acceptability
  9. Work factor: the problem is that once a vulnerability has been found, exploiting it costs orders of magnitude less than finding it in the first place.
  10. Compromise recording: but it is difficult to separate good from bad usage.

Java 7u10 vulnerability

See this presentation:

java_vulnerability_7u10
size 1.5 MiB
sha256: 53b4f31ca5...838d8210d3

Race conditions

Two examples: an insecure use of a file in the temporary folder (a time-of-check/time-of-use race between access() and open()), and a secure version that verifies the opened file is the one that was inspected.

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#define die(msg) do { perror(msg); exit(1); } while (0)
int res, fd;

/* INSECURE: access() and open() are separate calls on a path name (TOCTOU) */
res = access("/tmp/userfile", R_OK);
if (res != 0) {
    die("access");
}
/* Ok, we can read from /tmp/userfile */
/* What can happen between access() and open()? */
fd = open("/tmp/userfile", O_RDONLY);
/* And what would be the effect? */

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#define FMODE (S_IRUSR | S_IWUSR)                          /* 0600 for a newly created file */
#define raise_error() do { perror(fname); exit(1); } while (0)
const char *fname = "/tmp/userfile";                       /* same file as the insecure example */
struct stat stb1, stb2;
int fd;

if (lstat(fname, &stb1) >= 0) {
    /* Path exists: only a plain file with one link is acceptable
     * (no symlink, no device, no hard link aliasing another file). */
    if (!S_ISREG(stb1.st_mode) || (stb1.st_nlink > 1)) {
        raise_error();
    }
    fd = open(fname, O_RDWR);
    if (fd < 0 || fstat(fd, &stb2) < 0) {
        raise_error();
    }
    /* The object opened must be the one inspected: same inode on the same
     * device, still with one link. Otherwise it was swapped in between. */
    if (stb1.st_ino != stb2.st_ino || stb1.st_dev != stb2.st_dev || stb2.st_nlink > 1) {
        raise_error();
    }
} else {
    /* Path absent: create it atomically; O_EXCL fails if something (for
     * example a symlink planted by an attacker) appears there meanwhile. */
    fd = open(fname, O_RDWR | O_CREAT | O_EXCL, FMODE);
    if (fd < 0) {
        raise_error();
    }
}

See the CERT secure coding standards (CERT C rule FIO45-C, "Avoid TOCTOU race conditions while accessing files").
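As an added example (not code from the lecture): a variant of the hardened pattern that never checks the file by name at all, so there is no check-then-use window to race. The kernel refuses a symlink via O_NOFOLLOW, and the type and link count are read with fstat() from the descriptor already held. The function names open_regular_nofollow, opens and demo_open_regular_nofollow, and the temporary-directory fixture, are my own and not from the page.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Open an existing path for reading, but only if the object actually opened
 * is a plain file with a single link.  Unlike the lstat/open/fstat sequence,
 * nothing is checked by *name* first, so there is no window to race:
 * O_NOFOLLOW makes the kernel refuse a symlink as the final path component,
 * and every other property is read with fstat() from the descriptor we hold.
 * Returns the descriptor, or -1 with errno set.
 */
int open_regular_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                      /* symlink: ELOOP on Linux */
    if (fstat(fd, &st) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(st.st_mode) || st.st_nlink > 1) {
        close(fd);
        errno = EPERM;                  /* directory, device, or hard-linked file */
        return -1;
    }
    return fd;
}

/* Try one path and discard the descriptor; 1 if it opened, 0 if refused. */
static int opens(const char *path)
{
    int fd = open_regular_nofollow(path);
    if (fd >= 0) {
        close(fd);
        return 1;
    }
    return 0;
}

/*
 * Demonstration: build a throwaway directory (constructed fixture, not part of
 * the lecture) holding a regular file, then a symlink and a hard link to it,
 * and check what the hardened opener accepts.  Returns 0 when every case
 * behaves as expected, nonzero otherwise.
 */
int demo_open_regular_nofollow(void)
{
    char dir[64] = "/tmp/sst-race-XXXXXX";
    char file[128], sym[128], hl[128];
    int fd, ok = 1;

    if (mkdtemp(dir) == NULL) {         /* fall back to the working directory */
        strcpy(dir, "sst-race-XXXXXX");
        if (mkdtemp(dir) == NULL)
            return 1;
    }
    snprintf(file, sizeof file, "%s/userfile", dir);
    snprintf(sym, sizeof sym, "%s/userfile-symlink", dir);
    snprintf(hl, sizeof hl, "%s/userfile-hardlink", dir);

    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) {
        rmdir(dir);
        return 1;
    }
    close(fd);

    ok = ok && opens(file);             /* 1. plain file: accepted */
    ok = ok && !opens(dir);             /* 2. a directory: refused by S_ISREG */

    if (symlink(file, sym) != 0)
        ok = 0;
    else
        ok = ok && !opens(sym);         /* 3. symlink to it: refused by O_NOFOLLOW */

    if (link(file, hl) != 0) {
        ok = 0;
    } else {
        ok = ok && !opens(file);        /* 4. st_nlink is now 2: both names refused */
        ok = ok && !opens(hl);
        unlink(hl);
        ok = ok && opens(file);         /* 5. link count back to 1: accepted again */
    }

    unlink(sym);
    unlink(file);
    rmdir(dir);
    return ok ? 0 : 1;
}
```

The hard-link case shows why the st_nlink check matters: an attacker who can create a hard link to a file you own can make your "own" file into an alias for something they want you to read or write, and no symlink check catches that. Note that this example only addresses the which-object-did-I-open question; the other job the original access() call was doing in a setuid program, asking whether the invoking real user may read the file, is not answered by it. The robust answer there is to drop privileges to the real uid before the open() rather than to consult a separate check on the name.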