exploring software and hardware security

articles about secure systems, secure protocols, tamperproofing, obfuscation, authentication, attack vectors…

How to design secure systems? Security Analysis

Posted by davitb on October 19th, 2009

A secure system is a piece of hardware or software, any combination of the two, or simply an operational procedure that protects a block of information which is sensitive to its user. Some secure systems are dedicated to security operations only (safe storage, a dongle token, a DRM system, firewalls, an encryption device, etc.). Others are designed to perform operations on sensitive information and therefore need security features built in (online payment systems, ATMs, email clients and servers, messengers, etc.). Regardless of the purpose of the system and the operations it performs, security engineers must treat both kinds as equally important and design their security using state-of-the-art best practices and techniques.

This article is the first part of a series of articles dedicated to principles and best practices of designing secure systems. It will discuss the following topics:

  • The wrong approach to designing security systems
  • The right approach
  • Assets, threats, security controls, vulnerabilities, attack vectors and risks

The wrong approach

Security design, as a standalone discipline, has evolved significantly in recent years. People have designed tools and techniques for thinking about security and designing it more effectively. However, this discipline and the knowledge associated with it have not yet been fully integrated into system engineering processes, and in many cases security systems are designed with a marked lack of professionalism. As a result, such systems often implement unnecessary or inappropriate security controls, fail to protect the security properties of the real assets, and leave security holes in the system.

A classical mistake is when engineers start designing security features without first understanding the real assets they are going to protect, their security properties and the real threats that are going to affect the system.

As an example, they might decide to encrypt confidential data with a strong cryptographic algorithm but also decide to store the cryptographic key on the hard disk in clear text, or to use a global key and embed it in an executable, without understanding that this defeats the purpose of the encryption entirely.

The usual flow of the wrong approach is demonstrated in the following diagram:

Wrong Approach

  1. Engineers start designing security controls from inputs that are mainly based on intuition. Intuition is sometimes a very good source, but it is not a systematic way of engineering.
  2. After the initial security design is created, it is analyzed against different attacks, again based on intuition.

This is a wrong approach as it doesn’t use standardized techniques and doesn’t take into account best practices.

Let’s see what the right approach is in my opinion for doing such analysis.

The right approach

The reasons behind the mistakes engineers make while designing security systems are well known. They are also present in other engineering areas, such as software engineering. In order to develop the required software, engineers first need to understand the requirements. In many cases software engineers start to design (or even implement!) software without properly clarifying the requirements, and at the end of the day they end up with a product that does not meet the customer's requirements.

In order to avoid such problems, people have invented various software development methodologies and best practices, which guide the engineer through the appropriate steps while developing software.

Similar methodologies also exist for security system engineering, although I would say they are not as popular and well established as those for software engineering.

Assets, threats, security controls, vulnerabilities, attack vectors and risks

Let’s take a look at the diagram below:

Security Analysis

There are several new “keywords” used in this diagram. Let’s define them carefully:

  • Informational Asset
    • Asset is an information piece that needs to be protected. It may have four types of security properties – confidentiality, integrity, authenticity and availability.
    • Examples – user credentials, high-definition video, private information, etc
  • Threat
    • Threat is anything that has the potential to cause harm to the security properties of an Asset.
    • Examples – stealing of user credentials, piracy of high-definition video, breach of privacy, etc
  • Security Control
    • Security controls are safeguards or countermeasures to avoid, counteract or minimize security risks.
    • Examples – Authentication systems, DRM systems, encryption of private information, etc
  • Vulnerability
    • A vulnerability is a weakness that could be exploited to harm the security properties of an Asset.
    • Examples – Weak passwords, global key in a DRM system, weak encryption function, etc
  • Attack Vector
    • An attack vector is a set of steps that exploits a vulnerability of the system in order to realize a threat.
    • Examples – using brute force to break a weak password, reverse engineering a DRM system to obtain the global key, cryptanalyzing the weak encryption function to obtain the encryption key, etc
  • Risk
    • Risk is the likelihood that something bad will happen which harms the security properties of an Asset.
    • Examples – the potential of a broken authentication system because of weak passwords is a risk, the potential of a broken DRM system because of a global key is a risk, the potential of a privacy breach because of a weak encryption function is a risk for the entire system

So after defining the terms used in the diagram let’s go through the steps of the flow and understand what each step means:

  1. Identify and understand your Information Assets:
    1. What is the valuable information in your system, and what security properties does it have?
    2. Where will your assets be stored, and where will they need to travel?
    3. Which security properties of each asset need to be maintained at each point of the system's lifecycle?
  2. Identify Threats:
    1. Understand which threats apply to your information assets and to the future system as a whole.
    2. Research known threats on the internet.
  3. Start designing security controls:
    1. Consider using cryptography
    2. Consider using physical security
    3. Plan protection mechanism for software and hardware (if needed)
    4. Implement other security features
    5. etc
    6. Note that during design of security controls you will introduce new information assets and thus will need to go to step #1
  4. Construct the attack vectors (also known as attack trees) of your system:
    1. Put yourself in the attacker's place and think through different attack scenarios
    2. Research the internet and find applicable attacks
    3. Etc
  5. Identify vulnerabilities of the system
    1. Attack vectors will result in finding vulnerabilities in your designed system
  6. Understand the risks of the vulnerabilities:
    1. Evaluate the risk of having vulnerabilities in the system
    2. If the risk is high you might decide to implement new security controls or change existing ones
    3. Go to step #3
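
The six-step loop above, together with the terms defined earlier, as an added Python sketch that is not part of the original post: it models assets with security properties, a catalogue of controls that introduce new assets (step 3.6), and attack vectors that count as vulnerabilities while unmitigated, then iterates until every remaining risk is below a threshold or no control applies. The control names, attack-vector names and the likelihood/impact numbers are constructed for illustration, following the article's cleartext-key example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Asset:
    name: str
    properties: frozenset  # subset of confidentiality/integrity/authenticity/availability

@dataclass(frozen=True)
class AttackVector:
    name: str
    asset: str                   # asset it targets ...
    prop: str                    # ... and the security property it would harm
    likelihood: float            # 0..1, constructed estimate
    impact: int                  # 1..5, constructed estimate
    mitigated_by: Optional[str]  # control that closes this vector, if one exists

# Constructed catalogue: each control lists the new assets it introduces (step 3.6).
CONTROLS = {
    "encrypt-private-data": [Asset("encryption key", frozenset({"confidentiality"}))],
    "store-key-in-hardware-token": [],
}
# Constructed attack-vector catalogue mirroring the article's cleartext-key example.
ATTACK_VECTORS = [
    AttackVector("read private data from disk", "private information",
                 "confidentiality", 0.9, 5, "encrypt-private-data"),
    AttackVector("read cleartext key from disk", "encryption key",
                 "confidentiality", 0.8, 5, "store-key-in-hardware-token"),
    AttackVector("extract key from hardware token", "encryption key",
                 "confidentiality", 0.05, 5, None),  # residual risk, no control listed
]

def risk(v: AttackVector) -> float:
    return round(v.likelihood * v.impact, 2)  # step 6: likelihood x impact

def analyze(initial_assets, threshold=1.0, max_rounds=10):
    # Returns (controls chosen, residual risk per remaining vulnerability).
    assets = {a.name: a for a in initial_assets}   # step 1
    controls, vulns = set(), []
    for _ in range(max_rounds):
        # Steps 4-5: an unmitigated vector against a known asset property is a vulnerability.
        vulns = [v for v in ATTACK_VECTORS if v.asset in assets
                 and v.prop in assets[v.asset].properties and v.mitigated_by not in controls]
        actionable = [v for v in vulns if risk(v) >= threshold and v.mitigated_by]
        if not actionable:
            break
        worst = max(actionable, key=risk)          # step 6.2: treat the highest risk first
        controls.add(worst.mitigated_by)           # step 3: add the control ...
        for a in CONTROLS[worst.mitigated_by]:     # ... and return to step 1 (3.6)
            assets.setdefault(a.name, a)
    return controls, {v.name: risk(v) for v in vulns}
```

Raising the threshold shows the other outcome the article describes: when no risk is judged high enough, no control is added and the initial vulnerability stays in the register.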

This algorithm allows you to design security systems that are measurable in terms of risk. Of course, the main problem in security engineering is that during the “Construct Attack Vectors” step there is no way to construct and understand all possible attacks, so you cannot identify all the vulnerabilities of your system and therefore cannot completely measure your design. However, the algorithm at least gives you a better understanding of what you are doing, lets you measure the risks in your system more precisely, and finally – it allows a systematic approach for future analysis.



One Response to “How to design secure systems? Security Analysis”

  1. business security systems Says:

    business security systems…

    I like this!…
