1 2013-05-07] concepts of trustworthy software © copyright tsi 2003-2013 generic bsc courseware...
TRANSCRIPT
1
2013-05-07]
Concepts of Trustworthy
Software
© Copyright TSI 2003-2013
Generic BSc CoursewareVersion 2 DRAFT B
[DMU/CSC/TS/2013/025
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Concepts of Trustworthy Software• Future Information and Communications Technology
(ICT) specialists need to have an understanding of all aspects of the profession
• One such consideration is Trustworthy Software• The UK’s two leading professional bodies for ICT are
therefore supporting the provision of course material for all relevant UK University Courses
• British Computer Society (BCS)• Institute of Engineering & Technology (IET)
• The responsibility for coordinating this material lies with a public-private partnership “Trustworthy Software Initiative” (TSI)
[TSI/2013/025 Draft B]© Copyright 2003-2013
2
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Requirements (1)• Typical Customers only really understand and/or care
about Explicit (Functional) Requirements• For instance, a Local Authority may want a Bridge
[TSI/2013/025 Draft B]© Copyright 2003-2013
3
• The expressed Functional Requirement may only be:• Vector (end points direction, length)• Capacity (number of lanes)
New
Bridge
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Requirements (2)• In most industries, in addition to meeting Functional
Requirements, Supplier gives due weight to all relevant guidance {c.f. Ethical Principles}, including Non-Functional Requirements (NFR)
• For the Bridge, this will include:• Strength (of components and overall)• Clearance required over river• Known Failures modes - - - - - - - - - - >
• The software industry does not have a good track record of addressing the NFR for Trustworthiness
[TSI/2012/295]© Copyright 2003-2013
4
1st Tacoma Narrows Bridge 1940-11-07
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Trustworthiness
[TSI/2013/025 Draft B]© Copyright 2003-2013
5
Concepts of Trustworthy Software© Copyright TSI 2003-2013
A Bit of History• Babylonian Code of Hammurabi (~1780BCE) is earliest
known example of code of conduct for craftsmen, engineers and builders
• Hippocrates - ancient Greek philosopher and “father of medicine” lays out the Oath - a moral framework for the conduct of doctors and other healthcare professionals in late 5th Century BCE
• Collapse of the 1st Quebec Bridge - part of Canada's National Transcontinental Railway project - on 29 August 1907 was traced to lack of due diligence in design, implementation and compliance Emergence of Codes of Ethics in Professional Engineering bodies
[TSI/2013/025 Draft B]© Copyright 2003-2013
6
Concepts of Trustworthy Software© Copyright TSI 2003-2013
UK’s Engineering Principles• UK’s Royal Academy of Engineering and Engineering
Council publish consolidated Statement of Ethical Principles
• This includes: – Acting in a reliable and trustworthy manner– Giving due weight to all relevant facts and published
guidance, and the wider public interest– Identifying, evaluating, and quantifying risks– Being alert to ways in which work might affect others,
holding health and safety paramount
[TSI/2013/025 Draft B]© Copyright 2003-2013
7
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Risk• Risk can be summarised as:
• The chances – and consequences – of something you don’t want to happen occurring
• Risk is often based on Uncertainties
• Risk Management is application of Pragmatic, Appropriate and Cost Effective (PACE) actions to address these challenges
[TSI/2013/025 Draft B]© Copyright 2003-2013
8
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Software and ICT Context
[TSI/2013/025 Draft B]© Copyright 2003-2013
9
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Software Reuse
[TSI/2013/025 Draft B]© Copyright 2003-2013
10
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Software Incident Impact• Software problems are high cost to economy:
– US Government National Institute of Standards & Technology (NIST) ~$60 billion / year to US alone
– No definitive figure for UK / worldwide• Software a major source of IT project failure:
– University of Oxford Saïd Business School / McKinsey 2011; Standish Chaos Reports 2004 onwards; et al
• Software bugs “source of 90% of ICT Incidents”– (GovCERT-UK, 2012-09)
[TSI/2013/025 Draft B]© Copyright 2003-2013
11
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Mitre’s Common Weakness Enumeration (CWE)
• A maintained list of generic software weakness types – 918 distinct CWEs detected by v2.4– Most common is cross-site scripting
• “exploits known vulnerabilities in web-based applications, their servers, or plug-in systems they rely on and put malicious content into the content being delivered from the compromised site”
12
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Mitre/SANS CWE Top 25 (1)Rank ID Name1 CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')2 CWE-89 Improper Sanitization of Special Elements used in an SQL Command
('SQL Injection')3 CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')4 CWE-352 Cross-Site Request Forgery (CSRF)5 CWE-285 Improper Access Control (Authorization)6 CWE-807 Reliance on Untrusted Inputs in a Security Decision7 CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal')8 CWE-434 Unrestricted Upload of File with Dangerous Type9 CWE-78 Improper Sanitization of Special Elements used in an OS Command
('OS Command Injection')10 CWE-311 Missing Encryption of Sensitive Data11 CWE-798 Use of Hard-coded Credentials12 CWE-805 Buffer Access with Incorrect Length Value13 CWE-98 Improper Control of Filename for Include/Require Statement in PHP
Program ('PHP File Inclusion')
13
[TSI/2013/025 Draft B]© Copyright 2003-2013
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Mitre/SANS CWE Top 25 (2)Rank ID Name
14 CWE-129 Improper Validation of Array Index
15 CWE-754 Improper Check for Unusual or Exceptional Conditions16 CWE-209 Information Exposure Through an Error Message
17 CWE-190 Integer Overflow or Wraparound
18 CWE-131 Incorrect Calculation of Buffer Size
19 CWE-306 Missing Authentication for Critical Function
20 CWE-494 Download of Code Without Integrity Check
21 CWE-732 Incorrect Permission Assignment for Critical Resource22 CWE-770 Allocation of Resources Without Limits or Throttling
23 CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
24 CWE-327 Use of a Broken or Risky Cryptographic Algorithm
25 CWE-362 Race Condition
14
[TSI/2013/025 Draft B]© Copyright 2003-2013
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Software Fault Case Study (1)
• NatWest Banking Systems
• http://www.telegraph.co.uk/news/newsvideo/9914467/NatWest-customer-left-stranded-by-latest-system-failure.html – happened recently, in 2012
[TSI/2013/025 Draft B]© Copyright 2003-2013
15
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Software Fault Case Study (2)
• Buick cars…• Cars are growing more and reliant on software for their
basic functions– occasionally means bugs in the system
• Recent recall of 33,700 2013 Buick LaCrosse sedans and Cadillac SRX SUVs:– because of a glitch, the transmission may unintentionally shift
from manual to automatic– not the best thing to happen if you're out on the road…
[TSI/2013/025 Draft B]© Copyright 2003-2013
16
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Software Fault Case Study (3)• Safety: Los Angeles Airport, 9/14/2004 about 5 p.m
– Traffic controllers lost voice contact with 400 planes they were tracking over the SW United States
• Planes started to head toward one another…– not normally a problem
• under careful control of the air traffic controllers, who keep airplanes safely apart. ...
– but controllers lost contact with the planes• the main voice communications system shut down unexpectedly
– to make matters worse, a backup system designed to take over in such an event crashed within a minute (!)
– outage disrupted about 800 flights across the country.
[TSI/2013/025 Draft B]© Copyright 2003-2013
17
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Software Fault Case Study (4)
• USS Yorktown: 9/1997 • computer failure that left the Aegis cruiser USS Yorktown dead
in the water for several hours• On Sept. 21, 1997, the Yorktown experienced what the Navy
called an engineering LAN casualty• A systems administrator fed bad data into the ship's Remote
Database Manager– caused a buffer overflow when the software tried to divide by zero– overflow crashed computers on the LAN and caused the Yorktown to
lose control of its propulsion system
[TSI/2013/025 Draft B]© Copyright 2003-2013
18
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Software Faults• Mitre’s Common Weakness Enumeration (CWE) is a
community developed, formal list of software weakness types created to:– Serve as a common language for describing software
weaknesses in architecture, design, or code– Serve as a standard measuring stick for software tools
targeting these weaknesses– Provide a common baseline standard for weakness
identification, mitigation, and prevention efforts• Currently 810 distinct CWE entries identified• Most of more commonly encountered weaknesses are
“repeat offenders”
[TSI/2013/025 Draft B]© Copyright 2003-2013
19
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Due Diligence
• Many of concepts and practices needed for Trustworthy Software have existed for many years
• “Due Diligence” implies software should be reasonably trustworthy, although implementations vary with Audiences and Assurance Requirements
[TSI/2013/025 Draft B]© Copyright 2003-2013
20
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Pareto Weakness Mitigation
• TSI focuses on Pareto (“80:20”) approaches to Making Software Better, iteratively using existing learnings and interpreting them for common good
• Many of common “repeat offender” weaknesses as summarised in “SANS Top 25” can be ameliorated by simply Switching On and Acting On Compiler Warning Flags
21
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Trustworthy Software Requirement• Requirements for Trustworthy Software can arise from
• Explicit (Functional) Requirement for Trustworthiness• Implicit (Non Functional) Requirement (NFR) for
Trustworthiness• Direct NFR for software under consideration• As Collateral NFR from other software in environment
• Requirements cover whole ICT domain (including ICS) and activities (Specification, Realisation and Use)
• Assurance requirements range from Due Diligence (all software) to Comprehensive
[TSI/2013/025 Draft B]© Copyright 2003-2013
22
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Trustworthy Software Framework (TSF) - Structure
[TSI/2013/025 Draft B]© Copyright 2003-2013
23
Level 0
Level 1
Level 2
Level 3
Level 4
Citations Methods Data Sharing
Existence Title
Concepts
Principles
Techniques
Repository
7 Areas
31 Groups
Unlimited
135 Controls
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Benefits of HarmonisedSoftware Trustworthiness
• To Demand-side– de facto or de jure expression of specification, providing
risk reduction– Target for compliance
• To Supply-side – Level playing field, with improved business opportunities– Avoidance of nugatory effort, and reduced cost of doing
business – Target for compliance
• To Corpus-production side– de facto or de jure repository of knowledge– Target for compliance
[TSI/2013/025 Draft B]© Copyright 2003-2013
24
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Trustworthy Software Framework (TSF) – Example of Use
[TSI/2013/025 Draft B]© Copyright 2003-2013
25
Level 0Title
Level 1Areas
Level 2Groups
Level 3Control Consensus
Level 4 Repository
e.g. Citations
e.g. TE – Technical
e.g. TE.02 – Appropriate Tool Choice
e.g. TE.02.10 – Programming Language(s)
e.g. ISO/IEC 24772 “Guidance on language selection”
Trustworthy Software Framework (TSF)
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Risk SegmentationPotential
FlawImpact
Market Size
Niche
Disbursed
Collateral
Mainstream
[TSI/2013/025 Draft B]© Copyright 2003-2013
26
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Any Questions ?
www.uk-tsi.org
[TSI/2013/025 Draft B]© Copyright 2003-2013
27
Concepts of Trustworthy Software© Copyright TSI 2003-2013
Further Information
Trustworthy Software Initiative
TSI OfficeGateway House pp4.30
De Montfort University - Cyber Security CentreThe Gateway, Leicester, LE1 9BH, England
[email protected] +44 33 0001 0479
www.uk-tsi.org (Twitter: @uktsi)
[TSI/2013/025 Draft B]© Copyright 2003-2013
28