Software Security Principles

Software security aims to allow intended use and prevent unintended use that could cause harm.
Key security principles include Confidentiality, Integrity, and Availability.
Accountability/non-repudiation is a fundamental concept that prevents denial of message transmission or receipt.

Security analysis for a software system depends on factors such as the attack surface, the assets, and the goals of the attacker.
The attack surface needs to be assessed to determine potential vulnerabilities that attackers could exploit.
Assets within a software system represent the potential targets for an attack (hardware, software, data, communication facilities & networks)
Understanding attacker goals provides insight into how attackers might act and target assets.

Computer systems have several types of assets including hardware, software, data, and communication facilities/networks.
Hardware assets encompass servers, workstations, mobile devices, peripheral equipment, and removable media.
Key concerns regarding hardware assets include loss or damage, disruption due to malfunction, and the time it takes to replace hardware or repair damages.

Software assets encompass applications, operating systems, virtualization software (virtual machine and container), networking software (SDN and NFV), database management systems, file systems, and client/server software.
Availability is a vital concern for software assets, accounting for potential disruption losses and expenses that may occur due to vulnerabilities.

IT assets include data stored in databases and filesystems, whether on-site or in the cloud.
ITU-T X.1055 defines categories of information assets, such as communication data, routing information, subscriber information, blacklist information, registered services, and operational information, among others.

Understanding the attack surface is crucial for security analysis.
The attack surface is categorized in terms of layering, being either deep or shallow.
The attack surface is also categorized by its size, small or large.
Attack surfaces have a security risk that is categorized as either low, medium, or high.

Attack models define the types of attacks that need to be prevented.
Attack models identify attacker capabilities, impact, and scope of attacks to assess potential vulnerabilities.
Defenses address specific attack/threat models at a general or a specific level.

Threat models define the abilities and resources of an attacker, enabling structured reasoning about how the system can be compromised.
Essential steps in creating a threat model are to acknowledge entry points and threats, decompose applications by identifying structure, determining and ranking threats, and determining countermeasures/mitigation.

In a trust land scenario, no need for locking your safe.
An attacker could pick your lock, use a torch, advanced technology, or access your keys.

Malicious extensions inject attacker-controlled drivers into the OS.
Bootkits compromise boot processes (BIOS, boot sector).
Memory corruption involves software/hardware bugs like spatial/temporal memory safety errors or rowhammer
Data leakage occurs when the OS accidentally leaks confidential data.
Concurrency bugs lead to TOCTOU issues, an issue occurring when resource state changes between permission checks and use.
Side channels cause indirect leaks via shared resources (hardware caches) or software techniques like page deduplication.
Resource depletion or deadlocks stop legitimate computations by blocking access.

Security incurs overhead, which could be expensive to develop, may have performance overhead, and could be inconvenient to users.

Isolation isolates components from each other, enabling access only through defined APIs.
Least privilege limits components to the minimal privileges necessary for functionality, restricting potential of privileges.
Fault compartments isolate components to limit the impact of possible faults.
Trust and correctness ensures components trust, rely on given specifications to operate correctly.

Operating System (OS) abstractions and hardware abstractions are essential components.
The operating system (OS) provides process abstraction through well-defined APIs for access of hardware resources.
The OS enforces access permissions of hardware and resources by using user/group/ACL restrictions to restrict attackers.
OS process isolation protects the memory (code, data, etc.) of a process from other processes via memory protection, addressing memory spaces through virtual memory, using page tables and an MMU.

Various OS design models exist: single-domain, monolithic, micro-kernel, and library OS.
Single-domain OS has one layer without isolation, offering high performance, suitable for embedded systems.
Monolithic OS has two layers, operating system and applications, for access of resources, and applications require access request from the operating system.
Micro-kernel OS has many layers, with processes as separate privileged entities.
Library OS has few layers for flat structure of OS services, with each application bringing its necessary components.

Hardware abstraction hides raw hardware interfaces, exposing abstracted interfaces for applications.
Virtual memory and DMA through MMU/OS provides access to raw physical memory only to the operating system.
ISA enforces privilege abstraction by restricting access through ring protection levels.

Authentication mechanisms include username/password, biometrics, or something other.
Authorization handles access control, including different policies and types
Mandatory Access Control (MAC) is a centralized policy for access control.
Discretionary Access Control (DAC) gives object owners control over access policies.
Role-Based Access Control (RBAC) defines access policies based on user roles.

Security models include Access Control Lists, Capabilities, Bell-LaPadula, and information flow.

Access control matrix defines access rights between subjects (users, groups, etc.) and objects.
Provides a way to define how different entities have access to information in a system.
Security requires careful consideration of various factors throughout the software development lifecycle for protecting the system.