Return to book
Review this book
About the author
Introduction
1. Access Control
2. Authentication
3. Biometrics
4. Crypto Engineering
- 4.1. Software Crypto
- 4.2. Hardware Crypto
5. Malware
- 5.1. Virus
- 5.2. Worm
- 5.3. Trojan Horse
- 5.4. Writing Virus
- 5.5. Rootkits
- 5.6. Anti-virus software
- 5.7. Inside popular software
6. Protecting Clients
7. Security and Usability
- 7.1. User Interface (UI)
- 7.2. Passwords
- 7.3. Cognitive Experiment
- 7.4. Insider Attacks
8. Secure Programming
- 8.1. Buffer overflow
  - 8.1.1. Buffer Overflow Protections
  - 8.1.2. Exploit Buffer Overflow
- 8.2. Secure C practice
- 8.3. secure-sensitive program
9. Physical Security
10. (Web Service) Architecture
- 10.1. Contents and Scripts
11. Confinements
- 11.1. chroot
- 11.2. JVM
- 11.3. Network Identity
- 11.4. Virtual Machine
- 11.5. Sandbox
12. Program Structure
- 12.1. Case study: 4.3BSD FTP Daemon
- 12.2. Case study: mailer
- 12.3. Case study: Web Browser
13. Security Analysis
- 13.1. Construction vs. Destruction
- 13.2. Analyze individual programs
- 13.3. Analyze overall system
- 13.4. Software Engineering Code of Ethics
- 13.5. Tools part 1: OS system calls
- 13.6. Tools part 2: fuzzing and more
- 13.7. Reconnaissance
14. The Internet of Things
- 14.1. Embedded Systems (Smart Devices)
- 14.2. Internet of Things Architecture
- 14.3. Case study: Thermostat
15. Logging
- 15.1. Loggin in practice
- 15.2. Log Incidents
- 15.3. Case study: PHP4 web server attack
16. After An Attack
- 16.1. Analyze a hacked system
- 16.2. Deleted Files
- 16.3. Monitor Intrusion
- 16.4. Conclusion
17. System Structure
- 17.1. Case study: build an e-commerce
- 17.2. Network Operation Center
- 17.3. Router Link Weakness
- 17.4. Remote Access
- 17.5. Question: store credit card number in database?
- 17.6. General Principle
18. Exams
- 18.1. Fall 2014 Midterm
- 18.2. Fall 2013 Midterm
- 18.3. Fall 2010 Midterm
- 18.4. Fall 2008 Midterm

Security Architecture and Engineering

Case study: mailer

Requirements

Sending mail (through trusted site)
Receiving mail
Saving mail
Sandboxed (isolation)
- Opening attachments
- Click URLs $\iff$ browser sandbox

Question Suppose the mailer can encrypt, decrypt, and digitally sign email. What privilege level should be used for those operations.

Answer Root should not be used

In any of these circumstances. Encryption and encryption can be done by a normal user (you could write an AES algo on a remote machine for example). Having separate UIDs for the tasks might be useful depending on the circumstance.

Most of time you absolutely need root is because of some outdated design decision on Unix (e.g. bind to port 80).

Encryption and Decryption

Encrypt private key with user-typed passphrase

Sometimes we can crypto with hardware assistance
Where are the decryption and sigining done?
When is encryption done?
When is decryption done?
- Think about environment
- Decryption should NOT know the identity of sender, don't want to expose user signature.
- Neither encryption nor decryption should happen at the Geataway.
Some content (eg. corporate emails), are public content

Should emails content be stored as encrypted?

Signing message

Do I need to sign every message? How to balance between signing every and signing none message.

Caching keys

Cache keys are exposed in the mailer, can be exposed via bugs.

Size of mailer program

Mailer programs are BIG.

Security hole rates go up as the square of the code size.

Thunderbird - 6000 KLOC

Evolution - 2500 KLOC

Why are mailers so big?

Mail formats are complex:

MIME
Multigingual
GUIs

Mailer features are complex:

HTML rendering
Calendar embedding
Inline editor

How to separate keys from mailer application?

Outboard Key Manager (Keyring, keyring manager)

Make manager simple and entrusted with few responsibility

GNOME Keyring 150 KLOC

GNOME Keyring manager 97 KLOC

GPG 717 KLOC

Managing the key Manager

The mailer still tells the key manager what to decrypt or sign. Hard to predict what's really being signed or decrypted. Tradeoff: balance between security and convenience
- Enhance security by adding more process
- More process means more inconvenience

TODO: DKIM (Anti-spam mechanism)