Configuring Software and Systems for Defense-in-Depth

Title: Configuring Software and Systems for Defense-in-Depth
Publication Type: Conference Paper
Year of Publication: 2016
Authors: Jaeger, Trent
Conference Name: Proceedings of the 2016 ACM Workshop on Automated Decision Making for Active Cyber Defense
Date Published: October 2016
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-4566-8
Keywords: defense in depth, i-o systems security, i/o systems security, io systems security, pubcrawl, Scalability, security configuration, software security, Systems Security
Abstract

The computer security community has long advocated defense in depth, building multiple layers of defense to protect a system. Realizing this vision is not yet practical, as software often ships with inadequate defenses, typically developed in an ad hoc fashion. Currently, programmers reason about security manually and lack tools to validate assurance that security controls provide satisfactory defenses. In this keynote talk, I will discuss how achieving defense in depth has a significant component in configuration. In particular, we advocate configuring security requirements for various layers of software defenses (e.g., privilege separation, authorization, and auditing) and generating software and systems defenses that implement such configurations (mostly) automatically. I will focus mainly on the challenge of retrofitting software with authorization code automatically to demonstrate the configuration problems faced by the community, and discuss how we may leverage these lessons to configuring software and systems for defense in depth.

URL: https://dl.acm.org/doi/10.1145/2994475.2994483
DOI: 10.1145/2994475.2994483
Citation Key: jaeger_configuring_2016