1 2013-05-07] concepts of trustworthy software © copyright tsi 2003-2013 generic bsc courseware...

1

2013-05-07]

Concepts of Trustworthy

Software

© Copyright TSI 2003-2013

Generic BSc CoursewareVersion 2 DRAFT B

[DMU/CSC/TS/2013/025

Concepts of Trustworthy Software© Copyright TSI 2003-2013

Concepts of Trustworthy Software• Future Information and Communications Technology

(ICT) specialists need to have an understanding of all aspects of the profession

• One such consideration is Trustworthy Software• The UK’s two leading professional bodies for ICT are

therefore supporting the provision of course material for all relevant UK University Courses

• British Computer Society (BCS)• Institute of Engineering & Technology (IET)

• The responsibility for coordinating this material lies with a public-private partnership “Trustworthy Software Initiative” (TSI)

[TSI/2013/025 Draft B]© Copyright 2003-2013

2


Requirements (1)• Typical Customers only really understand and/or care

about Explicit (Functional) Requirements• For instance, a Local Authority may want a Bridge


3

• The expressed Functional Requirement may only be:• Vector (end points direction, length)• Capacity (number of lanes)

New

Bridge


Requirements (2)• In most industries, in addition to meeting Functional

Requirements, Supplier gives due weight to all relevant guidance {c.f. Ethical Principles}, including Non-Functional Requirements (NFR)

• For the Bridge, this will include:• Strength (of components and overall)• Clearance required over river• Known Failures modes - - - - - - - - - - >

• The software industry does not have a good track record of addressing the NFR for Trustworthiness

[TSI/2012/295]© Copyright 2003-2013

4

1st Tacoma Narrows Bridge 1940-11-07


Trustworthiness


5


A Bit of History• Babylonian Code of Hammurabi (~1780BCE) is earliest

known example of code of conduct for craftsmen, engineers and builders

• Hippocrates - ancient Greek philosopher and “father of medicine” lays out the Oath - a moral framework for the conduct of doctors and other healthcare professionals in late 5th Century BCE

• Collapse of the 1st Quebec Bridge - part of Canada's National Transcontinental Railway project - on 29 August 1907 was traced to lack of due diligence in design, implementation and compliance Emergence of Codes of Ethics in Professional Engineering bodies


6


UK’s Engineering Principles• UK’s Royal Academy of Engineering and Engineering

Council publish consolidated Statement of Ethical Principles

• This includes: – Acting in a reliable and trustworthy manner– Giving due weight to all relevant facts and published

guidance, and the wider public interest– Identifying, evaluating, and quantifying risks– Being alert to ways in which work might affect others,

holding health and safety paramount


7


Risk• Risk can be summarised as:

• The chances – and consequences – of something you don’t want to happen occurring

• Risk is often based on Uncertainties

• Risk Management is application of Pragmatic, Appropriate and Cost Effective (PACE) actions to address these challenges


8


Software and ICT Context


9


Software Reuse


10


Software Incident Impact• Software problems are high cost to economy:

– US Government National Institute of Standards & Technology (NIST) ~$60 billion / year to US alone

– No definitive figure for UK / worldwide• Software a major source of IT project failure:

– University of Oxford Saïd Business School / McKinsey 2011; Standish Chaos Reports 2004 onwards; et al

• Software bugs “source of 90% of ICT Incidents”– (GovCERT-UK, 2012-09)


11


Mitre’s Common Weakness Enumeration (CWE)

• A maintained list of generic software weakness types – 918 distinct CWEs detected by v2.4– Most common is cross-site scripting

• “exploits known vulnerabilities in web-based applications, their servers, or plug-in systems they rely on and put malicious content into the content being delivered from the compromised site”

12


Mitre/SANS CWE Top 25 (1)Rank ID Name1 CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')2 CWE-89 Improper Sanitization of Special Elements used in an SQL Command

('SQL Injection')3 CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')4 CWE-352 Cross-Site Request Forgery (CSRF)5 CWE-285 Improper Access Control (Authorization)6 CWE-807 Reliance on Untrusted Inputs in a Security Decision7 CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path

Traversal')8 CWE-434 Unrestricted Upload of File with Dangerous Type9 CWE-78 Improper Sanitization of Special Elements used in an OS Command

('OS Command Injection')10 CWE-311 Missing Encryption of Sensitive Data11 CWE-798 Use of Hard-coded Credentials12 CWE-805 Buffer Access with Incorrect Length Value13 CWE-98 Improper Control of Filename for Include/Require Statement in PHP

Program ('PHP File Inclusion')

13



Mitre/SANS CWE Top 25 (2)Rank ID Name

14 CWE-129 Improper Validation of Array Index

15 CWE-754 Improper Check for Unusual or Exceptional Conditions16 CWE-209 Information Exposure Through an Error Message

17 CWE-190 Integer Overflow or Wraparound

18 CWE-131 Incorrect Calculation of Buffer Size

19 CWE-306 Missing Authentication for Critical Function

20 CWE-494 Download of Code Without Integrity Check

21 CWE-732 Incorrect Permission Assignment for Critical Resource22 CWE-770 Allocation of Resources Without Limits or Throttling

23 CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

24 CWE-327 Use of a Broken or Risky Cryptographic Algorithm

25 CWE-362 Race Condition

14



Software Fault Case Study (1)

• NatWest Banking Systems

• http://www.telegraph.co.uk/news/newsvideo/9914467/NatWest-customer-left-stranded-by-latest-system-failure.html – happened recently, in 2012


15



• Buick cars…• Cars are growing more and reliant on software for their

basic functions– occasionally means bugs in the system

• Recent recall of 33,700 2013 Buick LaCrosse sedans and Cadillac SRX SUVs:– because of a glitch, the transmission may unintentionally shift

from manual to automatic– not the best thing to happen if you're out on the road…


16


Software Fault Case Study (3)• Safety: Los Angeles Airport, 9/14/2004 about 5 p.m

– Traffic controllers lost voice contact with 400 planes they were tracking over the SW United States

• Planes started to head toward one another…– not normally a problem

• under careful control of the air traffic controllers, who keep airplanes safely apart. ...

– but controllers lost contact with the planes• the main voice communications system shut down unexpectedly

– to make matters worse, a backup system designed to take over in such an event crashed within a minute (!)

– outage disrupted about 800 flights across the country.


17



• USS Yorktown: 9/1997 • computer failure that left the Aegis cruiser USS Yorktown dead

in the water for several hours• On Sept. 21, 1997, the Yorktown experienced what the Navy

called an engineering LAN casualty• A systems administrator fed bad data into the ship's Remote

Database Manager– caused a buffer overflow when the software tried to divide by zero– overflow crashed computers on the LAN and caused the Yorktown to

lose control of its propulsion system


18


Software Faults• Mitre’s Common Weakness Enumeration (CWE) is a

community developed, formal list of software weakness types created to:– Serve as a common language for describing software

weaknesses in architecture, design, or code– Serve as a standard measuring stick for software tools

targeting these weaknesses– Provide a common baseline standard for weakness

identification, mitigation, and prevention efforts• Currently 810 distinct CWE entries identified• Most of more commonly encountered weaknesses are

“repeat offenders”


19


Due Diligence

• Many of concepts and practices needed for Trustworthy Software have existed for many years

• “Due Diligence” implies software should be reasonably trustworthy, although implementations vary with Audiences and Assurance Requirements


20


Pareto Weakness Mitigation

• TSI focuses on Pareto (“80:20”) approaches to Making Software Better, iteratively using existing learnings and interpreting them for common good

• Many of common “repeat offender” weaknesses as summarised in “SANS Top 25” can be ameliorated by simply Switching On and Acting On Compiler Warning Flags

21


Trustworthy Software Requirement• Requirements for Trustworthy Software can arise from

• Explicit (Functional) Requirement for Trustworthiness• Implicit (Non Functional) Requirement (NFR) for

Trustworthiness• Direct NFR for software under consideration• As Collateral NFR from other software in environment

• Requirements cover whole ICT domain (including ICS) and activities (Specification, Realisation and Use)

• Assurance requirements range from Due Diligence (all software) to Comprehensive


22


Trustworthy Software Framework (TSF) - Structure


23

Level 0

Level 1

Level 2

Level 3

Level 4

Citations Methods Data Sharing

Existence Title

Concepts

Principles

Techniques

Repository

7 Areas

31 Groups

Unlimited

135 Controls


Benefits of HarmonisedSoftware Trustworthiness

• To Demand-side– de facto or de jure expression of specification, providing

risk reduction– Target for compliance

• To Supply-side – Level playing field, with improved business opportunities– Avoidance of nugatory effort, and reduced cost of doing

business – Target for compliance

• To Corpus-production side– de facto or de jure repository of knowledge– Target for compliance


24


Trustworthy Software Framework (TSF) – Example of Use


25

Level 0Title

Level 1Areas

Level 2Groups

Level 3Control Consensus

Level 4 Repository

e.g. Citations

e.g. TE – Technical

e.g. TE.02 – Appropriate Tool Choice

e.g. TE.02.10 – Programming Language(s)

e.g. ISO/IEC 24772 “Guidance on language selection”

Trustworthy Software Framework (TSF)


Risk SegmentationPotential

FlawImpact

Market Size

Niche

Disbursed

Collateral

Mainstream


26


Any Questions ?

www.uk-tsi.org


27


Further Information

Trustworthy Software Initiative

TSI OfficeGateway House pp4.30

De Montfort University - Cyber Security CentreThe Gateway, Leicester, LE1 9BH, England

[email protected] +44 33 0001 0479

www.uk-tsi.org (Twitter: @uktsi)


28

1 2013-05-07] concepts of trustworthy software © copyright tsi 2003-2013 generic bsc courseware...

Documents

software industry

trustworthy manner

draft b dmucscts2013025

engineering council

quebec bridge

relevant guidance

tacoma narrows bridge

relevant facts