Secure software and COTS group: Steve Gribble, Somesh Jha, Angelos Keromytis, Carl Landwehr, Peter Lee, Martin Rinard

Transcript and Presenter's Notes

1
Secure software and COTS group
Steve Gribble, Somesh Jha, Angelos Keromytis, Carl Landwehr, Peter Lee, Martin Rinard
Workshop on Resilient Financial Information Systems, March 2005
2
Findings
  • Smaller companies use COTS, but some larger
    companies do extensive in-house development
  • IT/business opportunities are often unique
  • advantages in fast custom response
  • Strong trend towards highly componentized
    software systems
  • reinforced by trend towards web services
  • Major issue is complexity
  • not just of large system of components
  • but also of multiple interacting systems, many of
    which are not under control

3
Findings, contd
  • Financial systems are over-engineered wrt
    controls
  • required security level is not well understood,
    so systems are built conservatively
  • Human errors are main source of failure
  • By operators, developers, users
  • not security break-ins
  • but impact of errors can be magnified by security
    weakness
  • reconciliation checks, redundancy, distributed
    component-based architecture greatly enhance
    resilience

4
Findings, contd
  • Confidentiality is less understood
  • concept of toxic combinations of privilege
  • manual review of privilege combinations
  • a form of business-rule discovery
  • Some similarities to military, pharmaceutical,
    etc. environments
  • HCI is a big deal and growing
  • but lots of expertise and resources applied and
    apparently working

5
Findings, contd
  • Business control requirements
  • The rules by which automated system must operate
  • Application security requirements
  • traditional authentication/authorization
    requirements, for components and systems of
    components

6
Research themes
  • Centrality of business rules
  • Challenge of bringing it all together
  • Smooth slope / starting out small

7
Possible research areas, 1
  • Specification languages for describing / modeling
    business rules
  • work at the semantic level of business control
    rules
  • checking that a distributed collection of
    components respects the global rules
  • static verification
  • dynamic monitoring
  • component abstraction and analysis of composed
    abstractions

8
Possible research areas, 2
  • Access control consequence analysis
  • do the privileges satisfy given business
    controls?
  • analogy to model checking
  • optimization of access controls?
  • tradeoff with run-time checking
  • change analysis
  • how do additions/changes affect the system?

9
Possible research areas, 3
  • Interactive debugging / root-cause analysis
  • unify low-level (code failure) and high-level
    (business-rule violation) views of failures
  • for debugging, root-cause analysis
  • human-assisted and/or automated reaction
  • traceability of low-level behavior and test
    results to high-level requirements

10
What about COTS?
  • Um,