System Complexity and Failures


Questions and Answers

What is the primary reason security is affected as systems expand to support multiple processes?

  • Due to reliance on open-source software.
  • Due to lack of employee training on new software.
  • Due to increased hardware costs.
  • Due to complexity arising from technical difficulty, size, and conflicting objectives. (correct)

In the context of system errors, what is the difference between a 'failure' and an 'error'?

  • There is no practical difference; the terms are interchangeable.
  • A 'failure' is an externally observable event when a system doesn't deliver its expected service, while an 'error' is an internal state that may lead to failure. (correct)
  • A 'failure' is an internal state, while an 'error' is an external event.
  • A 'failure' is caused by a fault, while an 'error' directly leads to a fault.

In the context of security failures, which of the following is an example of how an attacker might exploit a buffer overflow?

  • Bypassing physical security measures to access the server room.
  • Using social engineering to trick an employee into revealing their password.
  • Sending an input stream larger than available storage, including executable code, to overwrite program logic. (correct)
  • Exploiting a known vulnerability in the operating system to gain root access.

Why is it crucial for software engineers to be aware of the Common Weakness Enumeration (CWE)?

It describes specific weaknesses or underlying issues that may cause vulnerabilities. (C)

Why is it important to consider both functional and attacker perspectives when conducting a security analysis?

To identify all possible attack vectors and assess the impact on business functionality. (D)

What is the role of 'System behavior: component interactions' regarding categories of errors?

System behavior is strongly influenced by the interactions of the individual components. (B)

Why is 'Operations and usage' a frequent source of system failures?

Because unforeseen interactions and errors often arise during real-world use. (B)

How does an attacker typically try to circumvent a security control?

By convincing users or administrators to take an action that undermines the control. (D)

What is the significance of the functional perspective in security analysis?

It identifies the importance of an issue to the business functionality of the system and hence is a component of a risk assessment. (D)

In web services, what is the role of Security Assertion Markup Language (SAML)?

To share user identities and attributes. (D)

What is the impact of 'Social engineering' on attacker behaviour?

Social engineering exploits external events that put a system in a state that may not be accounted for by the usage models. (B)

According to the attacker perspective, what do web services use to implement their functionality?

Simple Object Access Protocol (SOAP). (C)

According to the attacker perspective on web services, what is Shirey's model used for?

Categorizing threats in terms of their impact as disclosure, deception, disruption, and usurpation. (B)

Flashcards

What is a failure in security?

An externally observable event where a system fails to deliver its expected service.

What is an error in security?

An internal state that can cause a failure if not handled correctly; a fault is the underlying cause.

What might an attacker exploit?

Sending a large input stream to exploit an error, potentially including executable code.

Where do most security vulnerabilities originate?

Errors in functional components, rather than security functions, such as authentication or authorization.

What is a common attack strategy?

When an attacker tries to put a system in a state that was not anticipated during development.

What is CWE (Common Weakness Enumeration)?

Specific programming flaws or underlying issues that cause vulnerabilities.

What are specific interface errors?

These control access to a service or component.

What are component-specific integration errors?

Problems due to conflicts in the design assumptions for the components.

What are architecture integration mechanisms?

A built-in capability from software vendors to integrate tools into systems.

What is system behavior?

It is strongly influenced by the interactions of its components.

What can Operations and usage lead to?

A frequent source of system failures.

What does modeling attacker behavior do?

Presenting significant challenges in software failure analysis.

What is an active agent?

Where the attacker can change the details of an attack in response to defensive actions.

What happens because of a consequence?

The validity of the authorization model becomes dependent on a security analysis of the data flow.

What is social engineering?

External events that put a system in a state that may not be accounted for by the usage models.

Functional Perspective

The functional perspective identifies the importance of an issue to the business functionality of the system and hence is a component of a risk assessment.

What is the attacker's perspective?

The attacker’s perspective considers the opportunities that business usage and the specifics of a technology create.

What do central services that consolidate authentication and authorization do?

To access business information assets.

What must an interface do?

To reflect the dynamically changing assurance associated with it.

What is a key improvement for interface control?

To enhance the control points instead of firewall protection.

What does identity management by web services do?

To support business requirements for the integration of geographically distributed systems.

What does Identity management do?

Concentrates on authentication and authorization across multiple systems.

Where are business processes?

Distributed among business divisions, suppliers, partners, and customers, with each participant having its own special needs for technology and automation.

What is the demand for?

The degree of interoperability among disparate information systems must be sustained as participants continually modify their systems in response to new or changing business requirements.

What does Web Services technology do?

It uses messages (in the form of XML documents) that are passed among diverse, loosely coupled systems as the focal point for integration.

What are Web services?

Special case of the more general notion of service-oriented architecture (SOA).

What does service-oriented architecture do?

Represent interconnected systems or components as collections of cooperating services.

What is the goal of Web services technology?

To dramatically reduce the interoperability issues.

What is identity management?

Is an administrative system that deals with the creation, maintenance, and use of digital identities.

What are security risk assessments affected by?

Unanticipated risks, reduced visibility and errors.

What are conflicting goals?

It is when desired product quality attributes or customer values conflict with one another.

What are Deep technical problems?

They appear to arise more frequently when the software development team focuses on meeting the quality measures for reliability, performance, and security rather than on satisfying a functional requirement.

What is needed to solve the problem?

Enable the technical staff to concentrate on such problems.

Study Notes

Introduction

  • Complexity in systems affects security due to technical difficulties, size, and conflicting objectives.
  • Mitigation strategies and project management approaches are suggested, which include planning for failure in web services and identity management.
  • System development faces new and complex problems not represented in project plans.
  • CORBA once received attention for integrating distributed systems; now, focus has shifted to Web services.
  • The progression of solutions indicates the difficulty of challenges and progress in overcoming them.

Security Failures

  • A failure is when a system doesn't deliver the expected service.
  • An error is an internal state that may lead to failure, and a fault is the cause of an error.
  • Buffer overflows are an example: the error may be a component that does not check the size of user input.
  • Attackers can exploit errors by sending large input streams with executable code.
  • The program logic accepting bad input may overwrite other parts of the program.
  • Attackers then execute added code, bypassing authentication controls.
  • Functional errors can be leveraged into security failures.
  • Errors can cause exploitable failures.
  • Many security vulnerabilities are in functional components rather than security functions like authentication/authorization.
  • Attackers may try to put systems in unanticipated states leading to crashes or bypassed security controls.
  • Errors in less analyzed system parts or poor configurations due to focused effort can be exploited.
  • Designs may need to mitigate operator and user errors.
  • Software engineers should be aware of the ever-lengthening list of exploitable errors.

Categories of Errors

  • Errors can be categorized according to their occurrence in five system elements: specific interface, component-specific integration, architecture integration mechanisms, system behaviour: component interactions, operations and usage.
  • A specific interface controls access to a service or component.
  • Component-specific integration assembly problems arise from conflicts in the design assumptions for the components.
  • Architecture integration mechanisms are where vendors provide built-in capabilities for purchasers to integrate tools and tailor functionality.
  • System behaviour (component interactions) is strongly influenced by the interactions of the individual components.
  • Operations and usage is a frequent source of system failures.

Attacker Behavior

  • Modeling attacker behavior presents challenges in software failure analysis.
  • Analyze quality attributes.
  • Model work processes for authentication/authorization requirements.
  • Model the attacker as an active agent who can change their attack based on defenses.
  • Buffer overflows show the complexity of security analysis regarding model interaction.
  • Architects model authentication/authorization mechanisms to satisfy design requirements.
  • Exploited code allows attackers to move outside implemented software controls.
  • The validity of the authorization model depends on data flow security analysis.
  • Social engineering involves external events that may not be accounted for in usage models.
  • Attackers try to convince users/administrators to take actions that circumvent security.

Functional and Attacker Perspectives for Security Analysis

  • Security analysis must consider both the functional and attacker's perspective.
  • Functionality identifies business importance, which is a component of risk assessment.
  • Attacker's perspective considers business usage and technology.
  • Interfaces must be monitored to reflect dynamically changing assurance.
  • Enhance control points instead of relying solely on firewall protection.
  • Identity management by web services supports business requirements for integrating geographically distributed systems.
  • Identity management concentrates on authentication and authorization across multiple systems.
  • Management should concentrate on the functional perspective and the attacker's perspective.

Web Services: Functional Perspective

  • Business processes are distributed among business divisions, suppliers, partners, and customers, each with technology and automation needs.
  • A high degree of interoperability among disparate information systems must be sustained.
  • Web services technology uses XML messages passed among diverse, loosely coupled systems.
  • Web services are a special case of service-oriented architecture (SOA).
  • Service-oriented architectures represent interconnected systems or components as cooperating services.
  • Web services technology aims to reduce interoperability issues dramatically.
  • Web services messages contain the ordering data.
  • Web services messages provide mechanisms for the necessary authentication and authorization.
  • Encryption may be used by the sender to restrict access.
  • Signing can confirm data integrity and identify message authors.
  • SAML can be used to share user identities and attributes.

Web Services: Attacker Perspective

  • Web services are implemented using SOAP.
  • SOAP is an XML-based protocol for exchanging information.
  • Exchanged info could be business data or process instructions.
  • Relies on Shirey's model, categorizing threats as disclosure, deception, disruption, and usurpation.
  • Service-level and message-level threats categorize the threats further: the former is common to distributed systems, and the latter affects Web services XML messages.

Identity Management: Functional Perspective

  • Identity Management (IM) is an administrative system managing the creation, maintenance, and use of digital identities.
  • IM includes business processes, computing infrastructure, operating systems, specific applications, database management systems, digital identity and implemented access control mechanisms, and policies.
  • For identity management, the functional perspective is represented by interoperability and access control across systems.
  • Difficult technical challenges include access control, audit and reporting, identity mapping, and domain provisioning services.

Identity Management: Attacker Perspective

  • Identity information is a prized target due to its centrality to many security decisions and application functionality.
  • Identity information needs extra diligence from government, regulatory bodies, and users.
  • Related architectural constituents of this kind of information should be held to a higher standard.
  • During all phases of the SDLC, examine identity services and stores to ensure the strongest system links.
  • General mitigations for identity management risks are availability, hardened servers/services, incident response, and usability endpoint attacks.

Identity Management and Software Development

  • Development teams lack plans for adopting standard representation and consumption patterns for authentication, attribute query/update, and authorization.
  • The current state of identity may have numerous domain-specific technologies, policies, and organizational domains.
  • Identity solutions are unreviewed by a wider audience.
  • Identity information propagates and integrates throughout software systems and is used for access control decisions.

System Complexity Drivers and Security

  • Security risk assessments are affected by unanticipated risks, reduced visibility, and errors.
  • Consequences of expanded scope for security include unanticipated threats, reduced visibility, a wider spectrum of failures, less development freedom, incremental and evolutionary development, and conflicting/changing goals.

Incremental and Evolutionary Development

  • Organizations use approaches to manage risks associated with system complexity such as operational monitoring, consolidation of failure analysis/mitigations, and generalization of the problem.
  • System development depends on integrating existing systems like Web services and identity management.
  • Size complexity can be mitigated by commercial products, sharing software services, and reusing components/systems.
  • Security issues in multisystem computing support designs are similar to large system design in typical IT environments.

Conflicting or Changing Goals Complexity

  • Conflicting goals occur when desired product quality attributes or customer values conflict.
  • There may be conflicts between portability, performance, security, and ease-of-use requirements.
  • Meeting cost requirements for new features might increase operational costs.
  • Changes in goals can generate equivalent problems and inconsistencies.
  • Implementing new objectives can conflict with earlier design tradeoffs.
  • Goals change due to business requirements, usage of functionality, or customer understanding of needs.

Deep Technical Problem Complexity

  • Deep technical problems arise when focusing on quality measures (reliability, performance, security) over satisfying functional requirements.

How To Solve Problem

  • Enable the technical staff to concentrate on such problems.
  • The project manager needs to consider risk mitigations.
