1. 2011 SANS Top 25 Most Dangerous Software Errors Category 1: Insecure Interaction Between Components These weaknesses are related to insecure ways in


2011 SANS Top 25 Most Dangerous Software Errors

Category 1: Insecure Interaction Between Components
These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.

Category 2: Risky Resource Management
The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.

Category 3: Porous Defenses
The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.


See http://www.sans.org/top25-software-errors/


ACM Review

ACM        /u/Mallory   /u/Bob   /u/Carlos   /
Mallory    rwx          -        -           -
Bob        -            rwx      -           -
Carlos     rwx          rwx      rwx         rwx

ACM’       /u/Mallory   /u/Bob   /u/Carlos   /
Mallory    rwx          w        -           -
Bob        -            rwx      -           -
Carlos     rwx          rwx      rwx         rwx

Mallory exploits a bug … and gains ‘w’ on /u/Bob!


Security via Information Confinement

Information may only flow to those with the appropriate clearance and need-to-know.


ClearanceLevels {“Unclassified”, “Confidential”, “Secret”, “Top Secret” }

[Figure: the four clearance levels, Unclassified, Confidential, Secret and Top Secret]

Information Flow based on: ClearanceLevel c1 <= c2


Compartments & Sensitivity Levels

[Figure: sensitivity levels Top Secret, Secret, Confidential and Unclassified, with Compartment 1, Compartment 2 and Compartment 3]

Adapted from Pfleeger & Pfleeger, Security in Computing, 4th ed.


Information Flow based on: Need-to-Know d1 subsetOf d2


Information Flow based on: ClearanceLevel c1 <= c2

Need-to-Know d1 subsetOf d2


Bell-LaPadula Model for Confidentiality

• Simple Security Property (no-read-up rule): a subject can’t read data from an object “above” it.

• *-Property (no-write-down rule): a subject that can read data in one class can’t write data to a lower class.

• Discretionary Security Property: S can access O only if that access is allowed by the S-O entry of the current ACM.


B-P *-Property


Biba Model for Integrity

• Simple integrity axiom: a subject at one level of integrity may not read an object at a lower integrity level (no read down).

• *-integrity axiom: a subject at one level of integrity may not write to an object at a higher integrity level (no write up).
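
The Bell-LaPadula and Biba rules above, written out as checks over the dominance relation (c1 <= c2 and d1 subsetOf d2). This is an added example, not part of the original slides; the labels assigned to subjects and objects, the integrity level names, and the "installer" and "download" entries are hypothetical.

```python
from dataclasses import dataclass

# Lowest to highest, as on the ClearanceLevels slide.
CLEARANCE = ["Unclassified", "Confidential", "Secret", "Top Secret"]
# Hypothetical integrity levels (not from the slides), lowest to highest.
INTEGRITY = ["Untrusted", "User", "System"]

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

def dominates(a, b, order):
    """a dominates b: level(b) <= level(a) and compartments(b) subsetOf compartments(a)."""
    return (order.index(b.level) <= order.index(a.level)
            and b.compartments <= a.compartments)

def blp_allows(subj, obj, right, labels, acm):
    """Bell-LaPadula: the discretionary ACM entry plus the two mandatory rules."""
    if right not in acm.get((subj, obj), ""):
        return False                        # discretionary security property
    s, o = labels[subj], labels[obj]
    if right == "r":
        return dominates(s, o, CLEARANCE)   # simple security: no read up
    if right == "w":
        return dominates(o, s, CLEARANCE)   # *-property: no write down
    return False                            # only r and w are modelled here

def biba_allows(subj, obj, right, labels):
    """Biba: the dual of the two mandatory rules, applied to integrity labels."""
    s, o = labels[subj], labels[obj]
    if right == "r":
        return dominates(o, s, INTEGRITY)   # simple integrity: no read down
    if right == "w":
        return dominates(s, o, INTEGRITY)   # *-integrity: no write up
    return False

# Constructed sample data: names from the ACM slide, hypothetical labels.
C1 = frozenset({"Compartment 1"})
C12 = frozenset({"Compartment 1", "Compartment 2"})
CONF = {"Bob": Label("Secret", C1), "/u/Bob": Label("Secret", C1),
        "Carlos": Label("Top Secret", C12), "/u/Carlos": Label("Top Secret", C12)}
ACM = {("Bob", "/u/Bob"): "rwx",
       ("Carlos", "/u/Bob"): "rwx", ("Carlos", "/u/Carlos"): "rwx"}
INTEG = {"installer": Label("System"), "download": Label("Untrusted")}
```

With these labels Carlos may read /u/Bob but not write to it, even though the ACM grants him rwx there, and the high-integrity installer is refused a read of the untrusted download.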


Problems with Biba

• How do you assign integrity levels?

• What do integrity categories mean?

• A high-integrity program is not allowed to read and validate lower-integrity data … but then isn’t that just what those programs should be capable of doing?


Bye-Bye Biba

• Java and ActiveX models of digitally signed code resemble the Biba model … however

– They still have no basis for assigning integrity level

– Just because company X wrote and signed some code doesn’t mean it’s secure or trustworthy.

• Pure Biba not used for much in the last 20 years.
