SRA111 L04 Protect Concerns and Controls

Malicious Code (Rogue Programs, Malware (Malicious Software))

(Dates back to the 1970s) The general name for programs or program parts planted by an agent (the program's writer or distributor) with malicious intent to cause unanticipated or undesired effects. Malicious code can be directed at a specific user or class of users, or it can be directed at anyone. Common types of malware: virus, worm, Trojan horse.

Program Flaws can have two kinds of security implications:

1. Cause integrity problems leading to harmful output or action.
a. Incorrect operation is an integrity failure.
b. Inappropriately modify previously correct data by overwriting or deleting the original data.
c. Even if it had not been entered maliciously, it can still cause harm.
2. Offer an opportunity for exploitation by a malicious actor.
a. Benign flaws can be, and often are, exploited for malicious impact.
b. A simple and nonmalicious flaw can become part of a malicious attack.

Time-of-Check to Time-of-Use (TOCTTOU) Countermeasures

1. Critical parameters are not exposed during any loss of control. The access-checking software must own the request data until the requested action is complete.
2. Ensure serial integrity, that is, allow no interruption (loss of control) during the validation.

Implications of Overwriting Memory

1. If the extra character overflows into the user's data space, it simply overwrites an existing variable value, which can affect the program's results but affects no other program or data.
2. If the extra character goes into the user's program area and overlays an already executed instruction (that will not be executed again), the user should perceive no effect.
3. If it overlays an instruction that is not yet executed, the machine will try to execute an instruction with the operation code given by the internal code for the character. But if there is no instruction with that operation code, the system will halt on an illegal instruction exception.
4. Otherwise the machine will use subsequent bytes as if they were the rest of the instruction, with success or failure depending on the meaning of the contents.

Key Ingredients For Testing

1. Product enterprise (understanding requirements and functionality)
2. Coverage (testing must be complete)
3. Risk Analysis (testing cannot cover everything)
4. Domain Expertise (understand product being tested)
5. Common Vocabulary
6. Variation
7. Boundaries (concept of completeness)

Morris Worm

1988- The first widespread malware attack on the ARPANET. 99 lines of code. Its maker was the first to be convicted under the Computer Fraud and Abuse Act.

Failure

A departure from the system's required behavior. It can be discovered before or after system delivery, during testing, or during operation and maintenance. It is an outside view of the system, a problem seen by the users. Every failure has at least one fault as its root cause.

Stack

A key data structure necessary for an interchange of data between procedures. Used mainly for nested calls to procedures.

Bot (Short for Robot)

A kind of worm used in vast numbers by search engines. Their purpose is to scan accessible web content continuously and report back to their controller any new catalog, enabling the search engines to return these results in response to individuals' queries.

Virus Hoaxes

A message warning the recipient of a non-existent computer virus threat. The message is usually a chain e-mail that tells the recipient to forward it to everyone they know.

Virus (Operates through a medium)

A program that replicates itself and passes on malicious code to other nonmalicious programs by modifying them. Spreads copies of itself as a program that attaches to or embeds in other programs.
Transient Virus- Has a life span that depends on the life of its host; the virus runs when the program to which it is attached executes and terminates when the attached program ends.
Resident Virus- Locates itself in memory; it can remain active or be activated as a stand-alone program, even after its attached program ends.

Worm (Operates through a network)

A program that spreads copies of itself through a network. Spreads copies of itself as a stand-alone program. Does not need human help to spread.

Program Counter

A register that holds the address of the next instruction to be fetched in the fetch-execute cycle. Conditional instructions such as IF(), branch instructions such as WHILE and FOR, and unconditional transfers such as GOTO and CALL divert the flow of execution, causing hardware to put a new destination address into the program counter. Instructions move from the bottom (low addresses) of memory up (Code --> Static Data --> Heap --> Stack). Not all binary data items represent valid instructions.

Stack Frame

A section of the run-time stack holding the values of all variables for one invocation of a procedure. When one procedure calls another, the stack frame is pushed onto the stack to allow the two procedures to exchange data and transfer control.

Application Programming Interface (API)

A set of software routines that allows one software system to work with another.

Encrypting Viruses

A simple variety of polymorphic virus that uses encryption under various keys to make the stored form of the virus different. Must contain three distinct parts:
1. A decryption key
2. Encrypted object code of the virus
3. The unencrypted object code of the decryption routine

Buffer Underflow

A state occurring when a buffer used to communicate between two devices or processes is fed with data at a lower speed than the data is being read from it.

Steganography

A technology that makes it possible to embed hidden information in documents, pictures, and music files. (Not easily detectable by virus scanners)

Spyware

A type of malware that locates and saves data (logs keystrokes, activity) from users without them knowing about it.

Ransomware

A type of malicious software designed to block access to a computer system until a sum of money is paid. Spread through attachments sent by unsolicited email, by clicking a link in an email from a bank or delivery company, and through peer-to-peer file-sharing networks. Two types:
File Coder: Encrypts the file
Lock Screen: Locks the screen (sometimes will have a live screen of what the webcam can see, or a message from a national police force requesting payment of a fine)

Scareware

A type of malware that is downloaded onto your computer and that tries to convince you that your computer is infected with a virus or other types of malware.

Polymorphic Virus

A virus that can change its own code or periodically rewrites itself to avoid detection.

Zero-Day Exploit

A vulnerability that is exploited before the software creator/vendor is even aware of its existence.

Zero-Day Attack

Active malware exploiting a product vulnerability for which the manufacturer has no countermeasure available.

Cohesion

All the elements of a component have a logical and functional reason for being there; every aspect of the component is tied to the component's single purpose.
High Cohesion: High degree of focus of purpose
Low Cohesion: Contents are an unrelated jumble of actions, often put together because of time dependencies or convenience

Clear-box Testing

Allows visibility; testers can examine the design and code directly, generating test cases based on the code's actual construction.

Penetrate-and-Patch

Analysts searched for and repaired flaws. Often a top-quality Tiger Team would be convened to test a system's security by attempting to cause it to fail.

Static Code Analyzer

Analyzes source code to detect unsafe conditions. Although such tools are not, and can never be, perfect, several good ones exist.

Data Driven Attack

Directed by specially chosen data that the attacker feeds a program as input. The harm occurs through the data the attacker sends.

Memory Overflow Attacks

Attacker's trick is to cause data to spill over into executable code and then select the data values such that they are interpreted as valid instructions to perform the attacker's goal.

The Institute of Electronics and Electrical Engineers (IEEE) suggests using a standard terminology (IEEE Standard 729) for describing

Bugs in our software products (IE83).

Malicious code writers vary code in several ways

By doing this there is no effect on the program's function, but they can mask their code:
Rearrange the order of modules
Rearrange the order of instructions
Insert instructions
Insert random strings
Replace instructions with others of equivalent effect
Insert instructions that are never executed

Design By Contract (Programming By Contract)

Can assist in identifying potential sources of error. Refers to documenting for each program module its preconditions, postconditions, and invariants. Pre- and postconditions are conditions necessary to be true before and after the module begins and ends. Invariants are conditions necessary to be true throughout the module's execution. Options for action in the event of incorrect input:
1. Stop or signal an error condition and return.
2. Generate an error message and wait for user action.
3. Generate an error message and reinvoke the calling routine from the top. (Appropriate if the action forces the user to enter a value for the faulty field)
4. Try to correct it if the error is obvious. (Although this choice should be taken only if there is one possible correction)
5. Continue with a default or normal value or continue computation without the erroneous value.
6. Do nothing, if the error is minor, superficial, and is certain not to cause further harm.

Bug

Can mean many different things depending on context: a mistake in interpreting a requirement, a syntax error in a piece of code, or the (as-yet-unknown) cause of a crash.

Performance Testing

Compares the system with the remainder of these software and hardware requirements.

Stack Memory (Smashing)

Construct that is made up of individually addressable buffers. Process-to-process communication takes place through the use of stacks.

Black-box Testing

Treats the system or its components as black boxes; testers cannot see inside the system, so they apply particular inputs and verify that they get the expected output.

Buffer Overflow

Data is written beyond the space allocated for it, causes crashes. A major security issue that is a well known flaw that is a basic problem and easy to describe, but preventing such difficulties is challenging. The impact can be subtle or disproportionate to the underlying oversight. Buffer overflows often come from innocent programmer oversights or failures to document and check for excessive data. Have existed almost as long as higher-level programming languages and arrays. Used by attackers as vehicles to cause first a system crash and then a controlled failure.

Countermeasures For Security

Design Principles for Security
1. Least Privilege- Each user and program should operate using as few privileges as possible.
2. Economy of Mechanism- The design of the protection system should be small, simple, and straightforward.
3. Open Design- The protection mechanism must not depend on the ignorance of potential attackers; the mechanism should be public, depending on secrecy of relatively few key items, such as a password table.
4. Complete Mediation- Every access attempt must be checked.
5. Permission-Based- Default condition should be denial of access.
6. Separation of Privilege- Access to objects should depend on more than one condition.
7. Least Common Mechanism- Shared objects provide potential channels for information flow. Systems employing physical or logical separation reduce the risk from sharing.
8. Ease of Use- If a protection mechanism is easy to use, it is unlikely to be avoided.
Secure Coding Practices
1. Validate Input
2. Heed Compiler Warnings
3. Architect and Design for Security Policies
4. Keep It Simple
5. Default to Deny
6. Adhere to the Principle of Least Privilege
7. Sanitize Data Sent to Other Systems
8. Practice Defence in Depth
9. Use Effective Quality Assurance Techniques
10. Adopt a Secure Coding Standard
Penetration Testing
1. A system that fails has faults.
2. A system that passes is only known to have faults that the system has not been tested for.
3. Used under real-life conditions.
Proof of Program Correctness- Making sure there is no halting problem through the use of program verification. Hindered by several factors:
1. Correctness Proofs- Depend on a programmer's ability to translate a program's statements into logical implications.
2. Deriving The Correctness Proof- From the initial assertions and the implications of statements is difficult, and the local engine to generate proofs runs slowly.
3. Too often people focus so much on the formalization and on deriving a formal proof that they ignore the underlying security properties to be ensured.
4. The current state of program verification is less well developed than code production.
Validation
A program can be validated in several ways:
1. Requirements Checking
2. Design and Code Reviews
3. System Testing
Defensive Testing- Defenders have to counter all possible attacks, whereas attackers have only to find one weakness to exploit. Program designers must not only write correct code but must also anticipate what could go wrong.
Trustworthy Computing Initiative- Analysis and process plan by Microsoft in which all developers underwent security training, and secure software development practices were instituted throughout the company.
Design By Contract- Can assist in identifying potential sources of error. Refers to documenting for each program module its preconditions, postconditions, and invariants. Pre- and postconditions are conditions necessary to be true before and after the module begins and ends. Invariants are conditions necessary to be true throughout the module's execution. Options for action in the event of incorrect input:
1. Stop or signal an error condition and return.
2. Generate an error message and wait for user action.
3. Generate an error message and reinvoke the calling routine from the top. (Appropriate if the action forces the user to enter a value for the faulty field)
4. Try to correct it if the error is obvious. (Although this choice should be taken only if there is one possible correction)
5. Continue with a default or normal value or continue computation without the erroneous value.
6. Do nothing, if the error is minor, superficial, and is certain not to cause further harm.

Unit Testing

Done so the test team can feed a predetermined set of data to the component being tested and observe what output actions and data are produced.

Regression Testing

Ensures that all remaining functions are still working and that performance has not been degraded by the change.

Damage Estimates

Estimating the cost of an incident is hard. That does not mean the cost is zero or insignificant, just hard to determine.

Function Testing

Evaluates the system to determine whether the functions described by the requirements specification are actually performed by the integrated system.

Malicious Exploitation of Buffer Overflows

Examples of a multi-step approach: The attacker overruns allocated space to execute instructions that achieve the next step of the attack. Overflow is not the goal, but a stepping stone to a larger purpose.

Assertions

Explicit statements about modules.

Privilege Escalation

Exploiting a vulnerability in software to gain access to resources that the user would normally be restricted from obtaining. Executing attack code with higher system permission is a bonus for the attacker.

Data Overflow

Falls strictly within a data space or spills over into an adjacent area. The data end up on top of one of:
Another piece of your data- Affects computing; the result can be an egregious or subtle failure. From a security standpoint, few system controls protect against this kind of error. Sometimes this error lies dormant for a long time.
An instruction of yours- If a stored string does not represent a valid or permitted instruction, the program may generate a fault and halt, returning control to the operating system. May have no effect, null effect, or an unnoticed or readily noticed effect.
Data or code belonging to another program (SEE BELOW)
Data or code belonging to the operating system- When an attacker has access they can plant permanent code that is reactivated each time a machine is restarted. Or the attack may expose data that the operating system is entrusted to safeguard.
If the attacker can overwrite the program counter, doing so will redirect program execution after the procedure returns. Overflow into system space can redirect execution immediately or on exit from the current call procedure.

Interpretive Data

File that is not executable by itself, but causes activity in the program that handles it.

Time-of-Check to Time-of-Use (TOCTTOU)

Flaw concerns mediation that is performed with a "bait and switch" in the middle.

Program Fault

Happens when trying to execute a privileged instruction when not in the proper mode. When hardware generates a program fault, it stops current thread execution and transfers control to code that will take recovery action.

Computer System

Hardware, Software, Data, People, Processes, Networks

Four Aspects of Malicious Code Infections

Harm- How they affect users and systems: Nondestructive (spreading panic), Destructive (corrupts), Commercial or Criminal Intent (takes control)
Transmission and Propagation- How they are transmitted and replicate, and how they cause further transmission (setup and installer program transmission, attached file, document viruses, autorun, propagation, appended virus, viruses that surround a program, integrated and replacements)
Activation- How they gain control and install themselves so that they can reactivate (one-time execution, memory-resident viruses)
Stealth- How they hide to avoid detection (avoiding detection during installation, while executing, or even at rest in storage) (concealing their action, not announcing their presence, and disguising their appearance)

Federal Trade Commission (FTC)

Has many resources for developers on how they can build security into their development practices. Lack of adequate training can lead to questionable design decisions and software vulnerabilities. Failing to follow a platform's guidelines for secure development can expose sensitive consumer details (like bank and login information). Verify that all privacy and security features work before a product goes live. Assess applications for well-known weaknesses; this can prevent attackers from obtaining data.

Malware writers' techniques to avoid detection and eradication

Hide file in a lower-level directory
Attach to a critical system file
Replace a noncritical system file
Hide copies of the executable code in more than one location
Hide copies of the executable code in different locations on different systems so no single eradication procedure can work
Modify the system registry so that the malware is always executed or malware detection is disabled

Threats to Programs

Human Causes Benign Intent Developer Oversight Malicious Intent Malware

Error

Human made mistakes in performing some software activity which may lead to a fault. A single error can lead to many faults.

Cybersecurity Framework

Identify- Know yourself, know your enemy, risk analysis
Protect
Detect
Respond
Recover

There is no reason to leave sensitive data under the control of an untrusted user;

If the data can be changed, assume that it has been changed.

Independent Testing

Increases the likelihood that a test will expose the effect of a hidden feature.

Security failures can result from

Intentional or nonmalicious causes; both can cause harm.

Penetration Testing (Ethical Hacking)

Involves the use of a team of experts trying to crack the system being tested.

Buffer

An array or string of space in which data can be held. Resides in memory; because memory is finite, a buffer's capacity is finite. A programmer must declare the buffer's maximum size so that the compiler can set aside that amount of space.

Encapsulation

Keeping details (like data and procedures) together in one part of a program so that programmers working on other parts of the program don't need to know about them.

Malware Toolkits

Let novice attackers probe for many vulnerabilities at the press of a button.

Program Verification

Making initial assertions about the program's inputs and then checking to see if the desired output is generated.

Trojan Horse

Malicious code that, in addition to its primary effect, has a second, non-obvious, malicious effect. It slips inside a program undetected and produces unwelcome effects later on. Looks like a useful program with extra, undocumented (malicious) features.

Viruses sometimes have a multipartite form

Meaning they install themselves in several pieces in distinct locations, sometimes to carry out different objectives.

Address Space Layout Randomization (ASLR)

Memory protection mechanism used by some operating systems. The addresses used by components of a process are randomized so that it is harder for an attacker to exploit specific memory vulnerabilities.

Overflow Countermeasures

No single countermeasure will prevent them. To protect from overflow:
Check lengths before writing
Confirm that array subscripts are within limits
Double-check boundary condition code to catch possible off-by-one errors
Monitor input and accept only as many characters as can be handled
Use string utilities that transfer only a bounded amount of data
Check procedures that might overrun their space
Limit programmers' privileges, so if a piece of code is overtaken maliciously, the violator does not acquire elevated system privileges as part of that compromise

Code Hygiene

Not engaging in behavior that permits malicious code contamination. This is done by avoiding points of contamination and blocking avenues of vulnerability.

Integer Overflow

Occurs because a storage location is of fixed, finite size and therefore can contain only integers up to a certain limit.

Countermeasures That DO NOT Work

Penetrate-and-Patch- Fails because it is hurried, misses the context of the fault, and focuses on one failure, not the complete system.
Security by Obscurity- The ineffective countermeasure of assuming the attacker will not find the vulnerability. The belief that a system can be secure as long as nobody outside its implementation group is told anything about its internal mechanism.
A Perfect Good-Bad Code Separator- Can detect some bad programs, just not all of them.

Modular

Pieces that are well defined with no dependencies on other pieces. A key principle of software engineering is to create a design or code in small, self-contained units.

Integration Testing

Process of verifying that the system components work together as described in the system and program design specifications.

Heap

Provides space for dynamic data, that is, for data items whose size is not known when a program is compiled. Grows and shrinks as memory is allocated and freed for dynamic data structures.

Easter Egg

Refers to an undocumented, yet benign, hidden feature, that launches by entering a set of special commands, key combinations or mouse clicks.

Countermeasures for Developers

Software Engineering Techniques:
Modularity- The process of dividing a task into subtasks. The goal is for each component to meet four conditions:
1. Single-purpose: performs one function
2. Small: consists of an amount of information for which a human can readily grasp both structure and content
3. Simple: is of a low degree of complexity so that a human can readily understand the purpose and structure of the module
4. Independent: performs a task isolated from other modules
ADVANTAGES
1. Maintenance
2. Understandability
3. Reuse
4. Correctness
5. Testing
Encapsulation- Hides a component's implementation details, but does not necessarily mean complete isolation. Boundaries can be translucent or transparent as needed.
Information Hiding- Describing what a module does, not how. Malicious developers cannot easily alter the components of others if they do not know how the components work.
Mutual Suspicion- Operates as if other routines in the system were malicious or incorrect.
Confinement- Strictly limited in what system resources it can access. If a program is not trustworthy, the data it can access is strictly limited.
Simplicity- Simple solutions are easy to understand, leave less room for error, and are easier to review for faults.
Genetic Diversity- Having many components of a system come from one source. Diversity reduces the number of targets susceptible to one attack type.
Testing- Concentrates on product quality, seeks to locate potential product failures before they occur.
Types of Testing
Module Testing (Component Testing, Unit Testing)- Tested on its own. Verify that the component functions properly with the types of inputs expected from a study of the component's design.
Unit Testing- Done so the test team can feed a predetermined set of data to the component being tested and observe what output actions and data are produced.
Integration Testing- Process of verifying that the system components work together as described in the system and program design specifications.
Function Testing- Evaluates the system to determine whether the functions described by the requirements specification are actually performed by the integrated system.
Performance Testing- Compares the system with the remainder of these software and hardware requirements.
Acceptance Testing- The system is checked against the customer's requirements description.
Installation Testing- To make sure the system is still functioning as it should.
Regression Testing- Ensures that all remaining functions are still working and that performance has not been degraded by the change.
Black-box Testing- Treats the system or its components as black boxes; testers cannot see inside the system, so they apply particular inputs and verify that they get the expected output.
Clear-box Testing- Allows visibility; testers can examine the design and code directly, generating test cases based on the code's actual construction.
Independent Testing- Increases the likelihood that a test will expose the effect of a hidden feature.
The Effectiveness of Testing- Figure out what is right for each particular system.
The Limitations of Testing- Conclusions based on testing are limited because:
1. Testing can demonstrate the existence of a problem, but passing tests does not demonstrate the absence of problems.
2. Testing adequately within reasonable time or effort is difficult.
3. Testing only observable effects, not the internal structure of a product, does not ensure any degree of completeness.
4. Testing the internal structure of a product involves modifying the product by adding code.
5. Testing real-time or complex systems requires keeping track of all states and triggers.

Confined Program

Strictly limited in what system resources it can access.

Programs

Strings of commands that tell computers what to do.
FORTRAN- 1957- First higher-level language
COBOL- 1959- Programming for business

Module Testing (Component Testing, Unit Testing)

Tested on its own. Verify that the component functions properly with the types of inputs expected from a study of the component's design.

Work Factor

The amount of effort necessary for an adversary to defeat a security control.

Validation

The assurance that a product, service, or system meets the needs of the customer and other identified stakeholders. It often involves acceptance and suitability with external customers. Contrast with verification.

Coupling

The degree to which two software components depend on how the other implements its function. Low or loose coupling is better than high or tight because loosely coupled components are free from unwitting interference from other components.

Security by Obscurity or Through Obscurity

The ineffective countermeasure of assuming the attacker will not find the vulnerability. The belief that a system can be secure as long as nobody outside its implementation group is told anything about its internal mechanism.

Qualities for Embedding: Homes for Malware

The malicious code is hard to detect
The malicious code is not easily destroyed or deactivated
The malicious code spreads infection widely
The malicious code can reinfect its home program or other programs
The malicious code is easy to create
The malicious code is machine independent and operating system independent

Off-By-One Error

The mistake of executing a loop one more or less time.

In memory, code is indistinguishable from data.

The origin of code (respected source or attacker) is also not visible.

Fault

The outcome of human mistakes. An incorrect step, command, process, or data definition in a computer program, design, or documentation. Can reside in any documentation in any development or maintenance product. It is an inside view of the system, as seen by the developers. Not every fault corresponds to a failure.

Interpreter

The program that executes the instructions from an interpretive data file.

Acceptance Testing

The system is checked against the customer's requirements description.

Halting Problem

The theoretical problem of determining whether a computer program will halt (produce an answer) or loop forever on a given input. Asks whether a computer program stops execution or runs forever.

Effects from an Overflow attack

These attack methods allow attackers to use overflow data as code the victim will execute:
Overwrite the program counter stored in the stack so that when this routine exits, control transfers to the address pointed at by the modified program counter address.
Overwrite part of the code in low memory, substituting the attacker's instructions for previous program statements.
Overwrite the program counter and data in the stack so that the program counter now points into the stack, causing the data overwritten into the stack to be executed.

Installation Testing

To make sure the system is still functioning as it should.

Race Condition (Serialization Flaw)

Two processes are competing within the same time interval, and the race affects the integrity or correctness of the computing tasks. The situation in which program behavior depends on the order in which two procedures execute. The security issue comes into play through inconsistent, undesired and therefore wrong outcomes: a failure in integrity.

Null Terminated

Typically used in C, means the end of the string is denoted by a null byte, or 0x00. Representing strings this way can lead to buffer overflows because the processing program determines the end of the string, and hence its length, only after having received the entire string.

Backdoor (Trapdoor)

Undocumented access point; such an entry can transfer control to any point with any privileges the programmer wanted. Secret backdoors are eventually found. Security cannot depend on such secrecy.

Program Procedures

Use both:
Local Data- Data used strictly within one procedure.
Shared or Common or Global Data- Data that is shared between two or more procedures.

Flaw

Used by security engineers to describe both faults and failures. Flaws can be insignificant or catastrophic.

Countermeasures for Users

User Vigilance
Use only commercial software acquired from reliable, well-established vendors
Test all new software on an isolated computer
Open attachments, and other potentially infected data files, only when you already know them to be safe
Install software, and other potentially infected executable files, only when you already know them to be safe
Recognize that any web site can be potentially harmful
Make a recoverable system image and store it safely
Make and retain backup copies of executable system files
Blocking- As new vulnerabilities become known, apply patches.
Virus Detectors- Tools that look for signs of malicious code infection. Scanning memory and long-term storage, monitoring execution and watching for telltale patterns that can be found by a program that looks for them. Two major limitations:
1. They look for patterns of known infections
2. They are static
Virus Signatures- Scanning for telltale patterns of viruses.
Code Analysis- Detecting an infection by analyzing the code to determine what it does, how it propagates and perhaps even where it originated. It is difficult because the researcher normally has only the end product to look at.
Storage Patterns- Always located at the same position relative to its attached file.

Mediation

Verifying that the subject is authorized to perform the operation on an object.
Incomplete Mediation- Occurs when access is not checked universally.
Complete Mediation is comprised of:
1. Small and simple enough to give confidence of correctness
2. Unbypassable
3. Always invoked

Information Hiding (Characteristic of Modular Software)

When information is hidden, each component hides precise implementation or some other design decision from the others.

Privileged instructions

When running in protected mode, some hardware helps operating systems implement security by recognizing more than one mode of instructions.

Canary Value

Wrapping each stack frame in a protected layer. Basically, surrounding the return address with a tamper-detecting value.

Unchecked data values represent

a serious potential vulnerability.

By tracing through system memory allocation tables

you can learn where your program and data appear in memory.

Hardware can separate code from

data areas and the operating system.

Modular testing usually has

high cohesion and low coupling.

Users make errors from

ignorance, misunderstanding, distraction; user errors should not cause program failures.

Fixed or easily determined location distinguishes

operating system routines (especially most critical ones) from a user's code and data.

