During the development process, we completed the project in two phases a design and implementation phase. During the design phase, we considered the functional and non-functional requirements of the system and domain. Then, we considered the security implications of these features. We wanted to follow the best practice advice of academics and leading experts. We choose the open web application security project as well as Saltzer and Schroeder Security Principles as important references for guidance. During the design phase - and development of the design document- we considered the attack surfaces of our design. We identified the database, REST API, command-line interface, authentications systems as well as Python itself and the library’s used as attack surfaces worth attention. At this point in the project, we documented mitigations we thought appropriate. When we reached the implementation stage, we re-evaluated this result and used it as the starting point for implementing security features.
Our system features have two locations, earth and the ISS. Our system has two types of users: ground control staff and astronauts. The ISS has an inventory of resources – such as oxygen and food supplies - required to keep the space station running. There are two types of flights between earth and the ISS: manned and unmanned (NASA, 2010). Interfaces between the space station, ground control and the server will use secure facilities. The project will be developed as a distributed client-server web application, and will also run as a monolithic project (Al-Debagy & Martinek, 2018).
In reality, the location of the ISS during its orbit has an effect upon which system options are available, such as when a shuttle can be launched (NASA, 2007). In our system, we will assume the ISS is always at a convenient location for shuttle launch and communication.
Functional requirements:
Non-Functional requirements:
We will use the HTTPS secure protocol for communications to the server because this protocol enables secure communications (Krishna Madasu & Eltaeib, 2015).
Web applications that are not properly secured threaten the data and privacy of users. We have made use of the OWASP Top Ten security risks (OWASP, 2017) to help us identify security threats relevant to our system:
Surface | Vulnerability | Mitigation(s) |
---|---|---|
Database | We plan to use an SQL database; this would be vulnerable to injection attacks. The ‘principle of least privilege’ will be applied to ensure all code modules and users only have access to what is necessary. | We will encrypt data so it is useless to anyone without the key. We will make use of a database layer that enforces correct usage. Additionally, we plan to use the ‘salting’ (hashing with additional characters) technique for password storage (Bambang Sugiantoro, 2019). |
REST Api | We plan to use a Flask Rest API. This REST API would be vulnerable to denial-of-service attacks | We will encrypt the communications between the client and server. We will use monitoring to monitor the request frequency of API calls to try and identify DOS (denial of service) attacks (Prakash et al, 2016). |
Authentication | The users of our system have a lot of responsibility when organizing flights and resources. It is of paramount importance that our system has adequate restrictions for authenticated users. | Different levels of access control will be provided to different user types. We will use multi-factor authentication to avoid broken authentication. |
Command-line interface | Our system will allow users to share data entered through the interface. This opens a vulnerability to cross-site scripting where malicious users can inject malicious code through the client interfaces. | We will use input validation on any user input. We will also be careful that our input validation itself is not susceptible to attacks such as a Regular expression Denial of Service attack (Kirrage et al, 2013). |
Python and additional library's | Python has known vulnerabilities such as its dangerous ‘pickling’ features. We will make use of third-party libraries to develop our system. These libraries can have their own vulnerability's. | We will research any vulnerabilities of libraries and python features we use. |
We decide to use this non-exhaustive list of tools and libraries for our project:
Our system will be designed to work in a client-server architecture as well as a monolithic architecture. Both designs will make use of a three-tier architecture for the separation of concerns (IBM Cloud Education, 2020). The three tiers will be, interface, business and data storage. Monolith designs require the whole system to be updated at once, the client-server architecture, however, will allow either of the clients or the server to be updated individually. We will avoid ‘anti-patterns’ in our code (Jaafar et al, 2015). We will use design patterns to allow us to create modular code that is extensible and easily understood by other developers. Appropriate Design Patterns:
During design and implementation, we will ensure compliance with the GDPR (General Data Protection Regulation) (Hoofnagle, Sloot and Borgesius, 2019)(Knott, 2018). As such, the following protocols will be put in place:
We consider the users passwords, exercise performance metrics and the ISS inventory to be critically sensitive data (Gholami & Laure, 2016). Data such as shuttle location are considered less sensitive. We have highlighted that the data and measurement of the oxygen are mission-critical and mistakes could cause serious harm. We have decided to use a system watchdog (Lou et al, 2019) that will monitor the performance to make sure the software is working as expected. This watchdog will monitor that the data changes at the expected rate, I.e., The oxygen level reduces.
In our design, we used UML modeling and then, we implemented that design. On the left, we can see the class diagram.
click on the image to make it bigger
On the right hand side, we can see how we created the activity and entity relationship diagrams.
click on the image to make it bigger
The Logging part is important to the creation of a secure software system. Logs can provide insight into the operation of the system and can aid debugging exercises. We have decided to log all calls to the server to provide information about the system's usage. We have implemented a vulnerability assessment as part of the live system. The system routinely executes a vulnerability assessment of the python packages used. This check involves comparisons with a vulnerability database. The result of this assessment is stored in a file called 'safteylog.txt'.
We have used the HTTPS secure communications protocol to securely communicate over the network. HTTPS builds upon the HTTP protocol and uses either TLS or SSL for transport layer security. This protocol uses a form of public-private key encryption. Our client applications have access to a public certificate that signs our requests. Access to many of the endpoints is further restricted to only users that have been granted an 'advanced privilege key'. This key is only transferred to the user when they provide a correct pair of email and passwords. The key is sent over the network secured by the use of HTTPS and stored for the duration of the session on the client. The only two endpoints that do not require this key's authorization are the two endpoints required for the user to log in.
For the data access layer, we have used SQL constraints in data access layer to further secure our data’s integrity. The use of constraints seen here such as NOT NULL and foreign id references ensures only valid data is inserted. It is important to validate that the users’ input is within the 'acceptable' range. In this code example, we see that users' email input is validated with a control structure that requires a server check of whether the account exists. RESTful interfaces are vulnerable to denial-of-service attacks over the internet. We have a monitoring feature that displays in real-time the number of calls being made to the server. If this frequency of calls is extraordinarily high, then we display a warning here to indicate an attack may be underway. We have set the threshold to 60 calls per 15 mins.
To prevent SQL Injection attacks, we have used SQL parameterised queries so that all the users' input is automatically escaped. This prevents malicious users SQL queries from being executed on the database. We have also used cryptography to help protect the database attack surface we identified. If the database is exposed the password contents is encrypted so that is not readily accessible. The contents can still be revealed if the attackers use a rainbow table to decrypt the stolen password information. The encryption however adds an extra layer of security and will at the very minimum provide additional time for other mitigations to be taken - for example notifying users of the breach.
If we would take this project further, here are few points we were thinking about: