Professional Documents
Culture Documents
Hendayun
2013
Software Security
What is security?
System correctness
If user supplies expected input, system generates desired
output
Security
If attacker supplies unexpected input, system does not fail
in certain ways
System correctness
Good input Good output
Security
Bad input Bad output
Security properties
Confidentiality
Information about system or its users cannot be
learned by an attacker
Integrity
The system continues to operate properly, only
reaching states that would occur if there were no
attacker
Availability
Actions by an attacker do not prevent users from
having access to use of the system
General picture
System
Romlah
Security is about
Honest user (e.g., Romlah, Juned, )
Dishonest Attacker
How the Attacker
Disrupts honest users use of the system (Integrity,
Availability)
Learns information intended for Alice only
(Confidentiality)
Attacker
Network Security
System
Romlah
Network
Attacker
Intercepts and
controls
network
communicatio
n
Web Security
System
Web Attacker
Romlah
Sets up
malicious site
visited by
victim; no
control of
network
OS Attacker
Romlah
Controls
malicious files
and applications
System
Romlah
Attacker
Confidentiality: Attacker does not learn Romlahs secrets
Integrity: Attacker does not undetectably corrupt systems function
for Romlah
Security of Data
Data
Confidentiality
Data
Integrity
Data
Secure Data
Data
Availability
A threat is a danger
which could affect the
security (confidentiality,
integrity, availability) of
assets, leading to a
potential loss or
damage.
Interruption
Interception
Modification
Fabrication
Functionality vs Security
Software Assurance
The level of confidence that software is
free from vulnerabilities, either
intentionally designed into the software or
accidentally inserted at any time during its
life cycle, and that the software functions
in the intended manner.
(U.S. Committee on National Security Systems )
Software Assurance
Software reliability (also known as software fault
tolerance)
Software safety
Software security
Software Reliability
The probability of failure-free (or otherwise
satisfactory) software operation for a
specified/expected period/interval of time,
or for a specified/expected number of
operations, in a specified/expected
environment under specified/expected
operating conditions.
Software Safety
The persistence of dependability in the
face of accidents or mishapsthat is,
unplanned events that result in death,
injury, illness, damage to or loss of
property, or environmental harm
Software Security
The ability of software to resist, tolerate,
and recover from events that intentionally
threaten its dependability.
The main objective of software security is
to build more-robust, higher-quality,
defect-free software that continues to
function correctly under malicious attack.
Security Concepts