
CSE350 Software Design and Engineering

CSE350 Software Design and Engineering. University of Pennsylvania, http://www.cis.upenn.edu/~jms. Office: 254 Moore GRW, Phone: 8-9509. April 9th, 2002. Administrative: Lectures. Today: Engineering Trustworthy Software (the POSSE project); 4/16 (last class): Semester Summary.


Presentation Transcript


  1. CSE350 Software Design and Engineering
    University of Pennsylvania
    http://www.cis.upenn.edu/~jms
    Office: 254 Moore GRW, Phone: 8-9509
    April 9th, 2002

  2. Administrative: Lectures
    • Today: Engineering Trustworthy Software (the POSSE project)
    • 4/16 (last class): Semester Summary

  3. Outline of Talk
    • The need for trustworthy software
    • The classical software engineering approach
    • Distributed development with open source
    • A new DARPA initiative – CHATS
    • Portable Open Source Security Elements (POSSE)
    • Questions

  4. What’s the worry???
    • It’s not a world of spreadsheets anymore…
    • Software is used to control major portions of infrastructure such as rail, power and water
    • Reliability and security are intimately related
    • There have been huge efforts and corresponding monies spent on building highly reliable systems (NASA, telephone switching software) and highly secure systems (US and other militaries)
    • Why aren’t COTS systems secure?

  5. The need for trustworthy software (and why we should start with the O.S.)
    “Any and all security features implemented in application software, and any and all security application programs (including firewalls, intrusion detection systems, authentication program, etc.) can be rendered useless and of no protective effect by an attack which results in seizure of control of the computer’s operating system” - Randall Sandone, Argus Systems Group, Inc.
    “It doesn’t matter what else you do if it’s all built on untrusted operating systems” - Steve Kent, Defense Science Board, 5/2000
    “Current security efforts suffer from the flawed assumption that adequate security can be provided in applications with the existing security mechanisms of mainstream operating systems. In reality, the need for secure operating systems is growing in today’s computing environment due to substantial increases in connectivity and data sharing. The threats posed by the modern computing environment cannot be addressed without secure operating systems. Any security effort which ignores this fact can only result in a ‘fortress built upon sand’.” - NSA Operating System Security Paper, NISSC, October 1998

  6. Features, Security and Engineering
    • Security is not about features
    • It is about delivering features reliably
    • Meeting expectations with no unexpected (and exploitable) behavior(s)
    • We have done a very poor job of delivering secure software because we are not willing to expend the “grunt work” (such as use of formal methods and audits) that delivering secure software requires
    • When traditional software development is used, the freeze for proof/audit causes TOAD (Technically Obsolete at Delivery :-) software

  7. Trusted Computer System Evaluation Criteria: Summary

  8. US DoD, the last 40 years:
    • 1965-1975: Experimentation w/ MULTICS, PSOS, KSOS
    • 1975-1985: Specification and Evaluation Criteria Development (see TCSEC slide earlier); techniques for assessing assurance levels failed because of static models
    • 1985-1992: Compartmented Mode Workstation (CMW); Secure Solaris: SUN spent $34M over 5 years; commercial flop
    • 1995-Today: Open Source Development Model
    [Timeline chart, 1960 to 2000. Event labels as they appear on the slide, not in chronological order: DSB “Orange Book” Task Force; Unix; DoD Computer Security Center; SCOMP Rated A1; MULTICS Starts; XENIX 3.0 Rated B2; Anderson Report; XTS-300 Rated B3; Ware Report; Approx. 100 MULTICS sites; Project MAC funded by DARPA; Provably Secure Operating Systems (PSOS) Start; DoD Computer Security Initiative; Gemini Trusted Network Processor Rated A1; “Orange Book” DoD 5200.28; Last MULTICS site shutdown; Provably Secure Operating Systems (PSOS) Ends; MULTICS Version 11.0 Rated B2]

  9. DARPA Composable High Assurance Trusted Systems (CHATS) program
    • Concept: Doug Maughan, dmaughan@darpa.mil
    • Experimental research into open source development methodology
    • See whether it works (for a problem that really matters to US Defense…)
    • Utilize existing open source communities
    • Goal: GOTS (vs. COTS) systems with more trust and assurance

  10. [Diagram: Robust Open Source Process for CHATS. Labels: Experienced People; Direction and Focus; Viable Marketplace; DOD Customer; Net Centric Fabric; Security Architecture; Security Interest; OS Knowledge Base; Assurance Knowledge; COMMUNITY; DARPA; Window of Opportunity; Magnifying Glass; Secure Systems Results]

  11. Why is DARPA doing this?
    • Any incremental improvement in Assurance is a gain for DoD
    • Any incremental improvement will readily be shared across a wide OS development community
    • Any codified incremental improvement available for contract and procurement requirements
    • Non-proprietary worked examples available to the marketplace
    • Existing individual OS developments can continue with specific specification activities
    • The community will take over once DARPA provides the direction and focus
    • ROI-orientation of marketplace inhibits commercial progress

  12. What is DARPA actually doing?
    • CHATS is ca. 12 projects, spread across OpenBSD, FreeBSD (TrustedBSD) and Linux
    • Industrial participation – Microsoft has been invited to, and attended (Butler Lampson, Steve Lipner) CHATS workshops. SGI, IBM, Apple involved. Not uncritical, but…
    • Ca. $10 million for 18 months, start Summer ’01
    • Additional increments of $20-40 million if evidence of success
    • First round therefore “low-hanging fruit” vs. really hard problems

  13. Portable Open Source Security Elements (POSSE)
    • Must keep security in the development mainstream
    • Generate a community of open source security expertise, by demonstration and code sharing
    • Accelerate the introduction of security technologies in both OpenBSD and across all open projects; collaborations with TrustedBSD, etc.
    • Apply OpenBSD audit methodology to OpenSSL
    • Document the audit process to disseminate techniques more widely

  14. The Model [Diagram labels: FreeBSD (Trusted); OpenBSD; Linux/SE Linux; POSSE; Security-Focused Community; Security Training/Audit Training; Portable Software]

  15. OpenBSD as platform
    • BSD license – attractive to companies
    • Open Source - 4.4 BSD based - split from NetBSD
    • Central focus of project is security! Development characterized by continuous audit
    • Widely used in security products (e.g., IDS) and embedded systems
    • See http://www.openbsd.org

  16. POSSE project goals
    • Audit OpenSSL
    • Hardware Crypto Support
      • Both symmetric and asymmetric support
      • Important for OpenSSL
    • /dev/policy kernel interface for policy rules
      • Prototype policy daemon/kernel done for D.F.
      • Means of importing many SE Linux features
    • File system attributes
      • Persistent meta-data for objects (ACLs, labels, capabilities)
      • Absorb from TrustedBSD work – R. Watson
    • Secure Bootstrap (SEBOS) – W. Arbaugh

  17. Accomplishments so far
    • OpenBSD-influenced OpenSSL crypto framework
    • OpenSSL hardware crypto support now working on many varieties of hifn (7951/7811) card
    • PowerPC support
    • New pf(4) packet filter
    • TCP ISN randomization
    • Stack offset randomization (helps with buffer overflows)
      • randomly sized gap is placed at the top of user stack
    • Apache policy module (based on KeyNote)
    • EAFS in OpenBSD 3.1 release, Summer 2002
    • APIs lockstepped with Trusted BSD
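The randomly sized stack gap in the last bullet, emulated in user space as an added example (this is not OpenBSD's code: the real gap is reserved by the kernel when the process is set up, and the gap bounds and xorshift PRNG here are this example's own choices). It measures how the gap shifts every later stack frame by the chosen amount.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space emulation of OpenBSD's randomly sized stack gap (example code, not
 * OpenBSD's). A VLA stands in for the gap the kernel places at the top of the
 * user stack, so its effect on frame addresses can be observed in one process. */
#define GAP_GRANULE 16u            /* gap sizes are multiples of the stack alignment */
#define GAP_MAX     (64u * 1024u)  /* upper bound; this example's own choice */

/* xorshift32: deterministic PRNG so the example is reproducible. A real
 * implementation draws the size from the kernel's random pool instead. */
static uint32_t xorshift32(uint32_t *state) {
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *state = x;
}

/* Pick a gap in [GAP_GRANULE, GAP_MAX] aligned to GAP_GRANULE: 4096 possible sizes. */
size_t gap_for_seed(uint32_t seed) {
    uint32_t state = seed;
    size_t granules = GAP_MAX / GAP_GRANULE;
    return ((size_t)(xorshift32(&state) % granules) + 1) * GAP_GRANULE;
}

/* Address of a local in this function's own frame; noinline so the frame really
 * sits below whatever the caller reserved. */
__attribute__((noinline)) static uintptr_t probe_frame(void) {
    volatile char probe = 0;
    return (uintptr_t)&probe;
}

/* "Start the program" with a gap: reserve `gap` bytes at the top of the stack,
 * then run the program (here just probe_frame); all its frames land below the gap. */
__attribute__((noinline)) uintptr_t frame_below_gap(size_t gap) {
    volatile char pad[gap];   /* the randomly sized gap */
    pad[0] = 0;               /* touch it so the reservation is kept */
    return probe_frame();
}

/* How far a given gap shifts every frame relative to the minimal gap; for
 * aligned sizes this is exactly gap - GAP_GRANULE. */
size_t shift_for_gap(size_t gap) {
    volatile size_t ref = GAP_GRANULE, g = gap;   /* volatile: block constant folding */
    uintptr_t base = frame_below_gap(ref);
    uintptr_t shifted = frame_below_gap(g);
    return (size_t)(base - shifted);
}

int main(void) {   /* two "runs" with different seeds: same local, different addresses */
    for (uint32_t seed = 1; seed <= 2; seed++)
        printf("seed %u: gap %zu, probe at %#lx\n", seed, gap_for_seed(seed),
               (unsigned long)frame_below_gap(gap_for_seed(seed)));
    return 0;
}
```

Two runs with different seeds report different addresses for the same local, which is why a fixed stack address guessed in advance stops being reliable once the gap is in place.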

  18. Technology Transition / Commercial Uptake
    • OpenSSH
      • Next release of Solaris ships with OpenSSH-derivative
      • Apple’s new UNIX ships with OpenSSH
      • IBM, HP and SGI all enqueued
    • Driver Support
      • GTGI will use Hifn 7811 software in PowerCrypt XL
      • GTGI crediting DARPA (i.e., POSSE)
      • Avaya uses OpenBSD Hifn support in VSU-1000 VOIP appliance (400 Mbps)
      • Many Network Security Appliance vendors…

  19. Deliverables and Timeline - POSSE [Timeline chart from Year 1 Start to Year 2. Items as labelled: Audit OpenSSL; HW crypt for SSL; OpenBSD releases; /dev/policy; OpenSSH progress; Continue and Document Audit; Enhanced File Sys; Absorb SE Linux; OpenBSD releases; SEBOS; OpenBSD releases]

  20. Longer-term questions
    • Research Issues
      • Does “open source” review necessarily result in a “more assured” end product? What “processes” need to be established to ensure community-wide critical review?
      • Current evaluation methodologies are based on “static” configurations. How must these change to deal with dynamic reconfigurability and be accomplished in very short timeframes?
      • Spawn new research areas for compiler and programming languages which can enable trusted system development and assist auditors (such as recent work of Dawson Engler, Spiros Mancoridis, John Viega and David Wagner)

  21. POSSE Personnel
    • PI, Jonathan Smith (Penn)
    • Theo de Raadt (OpenBSD project)
    • Michael Greenwald (Penn)
    • Angelos Keromytis (Columbia University)
    • Ben Laurie (AL Group, Ltd.)
    • Dale Rahn (Penn)
    • Jason Wright (Penn)
    • Todd Miller (Penn)
    • Stefan Miltchev (Penn)
    • Sotiris Ioannidis (Penn)

  22. “It will require a commitment …to release software…that prevents a hacker or an intruder from …executing or causing to be executed any malicious code on the target machine.” - Kevin Mitnick, convicted felon
    Credits
    • Some slides from Doug Maughan of DARPA
      • CHATS is his initiative
    • Effort sponsored by the Defense Advanced Research Projects Agency and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-01-2-0537
    • Many, many contributors to software base…

  23. Independent Studies
    • Anyone who gets an “A” in CSE350 can do an independent study or Senior Project with me
    • POSSE and similar projects are currently what I am interested in
    • Other ideas entertained…