Information Security Principles and Practices

Slides:



Advertisements
Similar presentations
Trusted System Elements and Examples CS461/ECE422 Fall 2011.
Advertisements

Information Flow and Covert Channels November, 2006.
Operating System Security
Chapter 6 Security Kernels.
Trusted Hardware: Can it be Trustworthy? Design Automation Conference 5 June 2007 Karl Levitt National Science Foundation Cynthia E. Irvine Naval Postgraduate.
Security Models and Architecture
Secure Operating Systems Lesson 0x11h: Systems Assurance.
1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.
Information Systems Security Security Architecture Domain #5.
CS4315A. Berrached:CMS:UHD1 Operating System Structures Chapter 3.
Chapter 2 Introduction to Systems Architecture. Chapter goals Discuss the development of automated computing Describe the general capabilities of a computer.
Gurpreet Dhillon Virginia Commonwealth University
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 20 October 28, 2004.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 2: System Structures.
Trusted System? What are the characteristics of a trusted system?
ISA 562 Internet Security Theory & Practice
Chapter 6 Operating System Support. This chapter describes how middleware is supported by the operating system facilities at the nodes of a distributed.
G53SEC 1 Reference Monitors Enforcement of Access Control.
The Architecture of Secure Systems Jim Alves-Foss Laboratory for Applied Logic Department of Computer Science University of Idaho By, Nagaashwini Katta.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
Security Architecture and Design Chapter 4 Part 3 Pages 357 to 377.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3.
Ihr Logo Operating Systems Internals & Design Principles Fifth Edition William Stallings Chapter 2 (Part II) Operating System Overview.
G53SEC 1 Reference Monitors Enforcement of Access Control.
Domain 6 Security Architecture and Models Domain Objective The objective of this domain is to understand: security models in terms of confidentiality,
Operating Systems Security
Trusted Operating Systems
Chapter 19: Building Systems with Assurance Dr. Wayne Summers Department of Computer Science Columbus State University
High Assurance Products in IT Security Rayford B. Vaughn, Mississippi State University Presented by: Nithin Premachandran.
Dr. Jeff Teo Class 4 July 2, Deliverables Lecture on Trusted Computing: Evolution and Direction Review of students’ blogs and assignments Summarize.
Chapter 8: Principles of Security Models, Design, and Capabilities
Chapter 21: Evaluating Systems Dr. Wayne Summers Department of Computer Science Columbus State University
PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.
Chap5: Designing Trusted Operating Systems.  What makes an operating system “secure”? Or “trustworthy”?  How are trusted systems designed, and which.
Information Security Principles and Practices by Mark Merkow and Jim Breithaupt Chapter 5: Security Architecture and Models.
1 Security Architecture and Designs  Security Architecture Description and benefits  Definition of Trusted Computing Base (TCB)  System level and Enterprise.
Chapter 29: Program Security Dr. Wayne Summers Department of Computer Science Columbus State University
1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.
Chapter 2 Operating System Overview Dave Bremer Otago Polytechnic, N.Z. ©2008, Prentice Hall Operating Systems: Internals and Design Principles, 6/E William.
Security Architecture and Design Chapter 4 Part 4 Pages 377 to 416.
Computer System Structures
Dr. Ir. Yeffry Handoko Putra
CS457 Introduction to Information Security Systems
Introduction for the Implementation of Software Configuration Management I thought I knew it all !
CS4222 Principles of Database System
Software Project Configuration Management
Chapter 2: Computer-System Structures(Hardware)
Chapter 2: Computer-System Structures
2. OPERATING SYSTEM 2.1 Operating System Function
Security Models and Designing a Trusted Operating System
Outline Types of Databases and Database Applications Basic Definitions
Operating System Structure
Oracle Solaris Zones Study Purpose Only
Official levels of Computer Security
Chapter 19: Building Systems with Assurance
Chapter 2: System Structures
THE ORANGE BOOK Ravi Sandhu
Computer-System Architecture
Chapter 2: Operating-System Structures
Introduction to Operating Systems
Outline Chapter 2 (cont) OS Design OS structure
Chapter 29: Program Security
Chapter 6: Integrity Policies
Chapter 2: Computer-System Structures
Chapter-1 Computer is an advanced electronic device that takes raw data as an input from the user and processes it under the control of a set of instructions.
Chapter 2: Computer-System Structures
Chapter 2: Operating-System Structures
Presentation transcript:

Information Security Principles and Practices by Mark Merkow and Jim Breithaupt Chapter 5: Security Architecture and Models

© Pearson Education Information Security: Principles and Practices Chapter 5: Security Architecture and Models © Pearson Education Information Security: Principles and Practices

© Pearson Education Information Security: Principles and Practices Objectives Summarize the concept of a trusted computing base (TCB) Illustrate the concept of rings of trust Distinguish among the protection mechanisms used in a TCB Defend the purpose of security assurance testing Apply the Trusted Computer Security Evaluation Criteria (TCSEC) for software evaluations © Pearson Education Information Security: Principles and Practices

© Pearson Education Information Security: Principles and Practices Objectives cont. Apply the Trusted Network Interpretation of the TCSEC Categorize the role of the Federal Criteria for Information Technology Security Apply the Common Criteria for Information Security Evaluation Summarize the principles behind confidentiality and integrity models and their role in security architecture © Pearson Education Information Security: Principles and Practices

Defining the Trusted Computing Base is the totality of protection mechanisms within a computer system including hardware, firmware, and software consists of one or more components that together enforce a unified security policy over a product or system describes the isolation of objects on which the protection is based, following the concept of the reference monitor © Pearson Education Information Security: Principles and Practices

Defining the Trusted Computing Base cont. Reference Monitor a software model or abstract machine that mediates all access from any subject (user or other device) to any object (resource, data, and so forth) and cannot be bypassed security kernel is an implementation of a reference monitor for a specific hardware base such as Sun Solaris, Red Hat Linux, or Mac OS X Reference monitor should be complete in that it mediates every access isolated from modification by other system entities (objects and processes) verifiable in that it only does what it’s programmed to do and cannot be circumvented by malicious acts or programmer error © Pearson Education Information Security: Principles and Practices

© Pearson Education Information Security: Principles and Practices Rings of Trust Trust in a system moves from the outside to the inside in a unidirectional mode © Pearson Education Information Security: Principles and Practices

© Pearson Education Information Security: Principles and Practices Rings of Trust cont. Rings of trust in stand-alone systems To help determine the hierarchy of the rings, some questions must be answered: ■ Is the host in a physically secured computer room? ■ Does the host have normal (as opposed to privileged) user accounts? ■ Is this host at a remote site and hence less trustworthy than the ones in the central computer room? ■ Does this host operate software that relies on data obtained from the Internet? ■ Does this host provide mission-critical services? How many people in the company would be affected by downtime on this host? © Pearson Education Information Security: Principles and Practices

© Pearson Education Information Security: Principles and Practices Rings of Trust cont. Rings of trust in networked environments The following general rules apply to constructing rings of trust in networked systems: ■ Each host trusts those hosts in a more inner ring than itself. ■ No host trusts any host in a more outer ring than itself. ■ Each host may trust those hosts in the same ring as itself. ■ Where a ring has been segmented into separate subnetworks, a host in one segment does not trust hosts in other segments. © Pearson Education Information Security: Principles and Practices

Protection Mechanisms in a Trusted Computing Base Process isolation is a design objective in which each process has its own distinct address space for its application code and data prevents data or information leakage and prevents modification of the data while it is memory Principle of least privilege dictates that a process (program) has no more privilege than what it really needs in order to perform its functions Hardware segmentation relates to the segmentation of memory into protected segments prevents user processes from being able to access both another process’s allocated memory and system memory © Pearson Education Information Security: Principles and Practices

Protection Mechanisms in a Trusted Computing Base cont. Layering is a process operation that is divided into layers by function Abstraction is a process that defines a specific set of permissible values for an object and the operations that are permissible on that object © Pearson Education Information Security: Principles and Practices

Protection Mechanisms in a Trusted Computing Base cont. Data hiding (also known as information hiding) is a mechanism to assure that information available at one processing level is not available in another, regardless of whether it is higher or lower Information storage refers to the parts of a computer system that retain a physical state (information) for some interval of time, possibly even after electrical power to the computer is removed Various types Primary storage is the computer’s main memory and a volatile storage medium Secondary storage is a nonvolatile storage format, where application and system code plus data can be stored when the system is not in use Real memory is where a program has been given a definite storage location in memory and direct access to a peripheral device Virtual memory extends the volume of primary storage by using secondary storage to hold the memory contents Random memory is the computer’s primary working and storage area Sequential storage is computer memory that is accessed sequentially Volatile memory means that there is a complete loss of any stored information when the power is removed © Pearson Education Information Security: Principles and Practices

Protection Mechanisms in a Trusted Computing Base cont. Closed System vs. Open System Closed systems are of a proprietary nature use specific operating systems and hardware to perform the task and generally lack standard interfaces to allow connection to other systems An open system is based on accepted standards and employs standard interfaces to allow connections between different systems promotes interoperability and allows the user to have full access to the total system capability © Pearson Education Information Security: Principles and Practices

Protection Mechanisms in a Trusted Computing Base cont. Multitasking is a technique used by a system that is capable of running two or more tasks in a concurrent performance or interleaved execution Multiprogramming system allows for the interleaved execution of two or more programs on a processor © Pearson Education Information Security: Principles and Practices

Protection Mechanisms in a Trusted Computing Base cont. Multiprocessing provides for simultaneous execution of two or more programs by a processor (CPU) Finite-state machine stores the status or state of something at a given time that can operate based on inputs to change the stored status and/or cause an action or output to take place © Pearson Education Information Security: Principles and Practices

System Security Assurance Concepts Functional requirements Describe what a system should do Assurance requirements Describe how functional requirements should be implemented and tested Does the system do the right things in the right way? Verification: the process of confirming that one or more predetermined requirements or specifications are met Validation: a determination of the correctness or quality of the mechanisms used in meeting the needs © Pearson Education Information Security: Principles and Practices

System Security Assurance Concepts cont. Security Testing It verifies that the functions designed to meet a security requirement operate as expected In addition, it validates that the implementation of the function is not flawed or haphazard © Pearson Education Information Security: Principles and Practices

System Security Assurance Concepts cont. Formal Security Testing Models Trusted Computer System Evaluation Criteria (TCSEC) United States in the early 1980s Information Technology Security Evaluation Criteria (ITSEC) Europe in 1991 by the European Commission Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) Canada in early 1993 Federal Criteria for Information Technology Security (FC) United States in early 1993 Common Criteria Today’s standard © Pearson Education Information Security: Principles and Practices

Trusted Computer Security Evaluation Criteria Division D: Minimal Protection Division C: Discretionary Protection Class C1: Discretionary Security Protection Class C2: Controlled Access Protection © Pearson Education Information Security: Principles and Practices

Trusted Computer Security Evaluation Criteria cont. Division B: Mandatory Protection Class B1: Labeled Security Protection Class B2: Structured Protection Class B3: Security Domains Division A: Verified Protection Class A1: Verified Design © Pearson Education Information Security: Principles and Practices

Information Technology Security Evaluation Criteria (ITSEC) ITSEC introduces the concept of the target of evaluation (TOE), which refers to the product or system under evaluation It also introduces the security target (ST), a written document that contains a system security policy required security enforcing functions required security mechanisms claimed ratings of minimum strength target evaluation levels, expressed as both functional and evaluation (F-xx and E-yy) © Pearson Education Information Security: Principles and Practices

© Pearson Education Information Security: Principles and Practices ITSEC cont. © Pearson Education Information Security: Principles and Practices

Comparing ITSEC and TCSEC ITSEC functionality and assurance classes map closely to the TCSEC divisions and classes © Pearson Education Information Security: Principles and Practices

Canadian Trusted Computer Product Evaluation Criteria It is somewhat more flexible than the TCSEC while maintaining fairly close compatibility with individual TCSEC requirements The CTCPEC and its approach to structure security functionality separate from assurance functionality influenced international standardization through the Common Criteria © Pearson Education Information Security: Principles and Practices

Federal Criteria for Information Technology Security FC introduces the concept of a protection profile (PP) that empowers users or buyers of technology to specify their security requirements for hardware and software © Pearson Education Information Security: Principles and Practices

© Pearson Education Information Security: Principles and Practices Common Criteria CC provides a common language and structure to express IT security requirements CC enables the creation of catalogs of standards broken down into components and packages CC breaks apart the functional and assurance requirements into distinct elements that users can select for customized security device implementation © Pearson Education Information Security: Principles and Practices

© Pearson Education Information Security: Principles and Practices Common Criteria cont. Using the CC framework, users and developers of IT security products create protection profiles (PPs) as an implementation-independent collection of objectives and requirements for any given category of products or systems that must meet similar needs © Pearson Education Information Security: Principles and Practices

© Pearson Education Information Security: Principles and Practices Common Criteria cont. Protection Profile Organization Introduction Section Target of evaluation description Security environment Assumptions Threats Organizational security policies © Pearson Education Information Security: Principles and Practices

© Pearson Education Information Security: Principles and Practices Common Criteria cont. Security Requirements and Classes Classes of functional requirements Classes of assurance requirements Evaluation Assurance Levels define a scale for measuring the criteria for evaluating PPs and STs provide an increasing scale that balances the levels of assurance claimed with the cost and feasibility of acquiring such assurance © Pearson Education Information Security: Principles and Practices

© Pearson Education Information Security: Principles and Practices Common Criteria cont. Common Evaluation Methodology (CEM) is focused on the actions that evaluators must take to determine that CC requirements for a TOE are present is a tool that is used by evaluation schemes to ensure consistent application of the requirements across multiple evaluations and multiple schemes © Pearson Education Information Security: Principles and Practices

Security Criteria Compared © Pearson Education Information Security: Principles and Practices

Confidentiality and Integrity Models Security models are mathematical representations of abstract machines that describe how a reference monitor is designed to operate Commonly used models: Bell-LaPadula model Biba integrity model Clark and Wilson Noninterference State machine model Access matrix model Information flow model © Pearson Education Information Security: Principles and Practices

Confidentiality and Integrity Models cont. Bell-LaPadula model is a confidentiality model intended to preserve the principle of least privilege Biba integrity model uses a read up, write down approach. Subjects cannot read objects of lesser integrity and subjects cannot write to objects of higher integrity © Pearson Education Information Security: Principles and Practices

Confidentiality and Integrity Models cont. Clark and Wilson model requires mathematical proof that steps are performed in order exactly as they are listed, authenticates the individuals who perform the steps, and defines separation of duties Noninterference model covers ways to prevent subjects operating in one domain from affecting each other in violation of security policy State machine model is an abstract mathematical model consisting of state variables and transition functions © Pearson Education Information Security: Principles and Practices

Confidentiality and Integrity Models cont. Access matrix model is a state machine model for a discretionary access control environment Information flow model simplifies analysis of covert channels © Pearson Education Information Security: Principles and Practices

© Pearson Education Information Security: Principles and Practices Summary The trusted computing base is the portion of a computer system that contains all elements of the system responsible for supporting the security policy and supporting the isolation of objects on which the protection is based Several evolving models of evaluation and assurance cover various aspects of confidentiality, integrity, and availability Common Criteria harmonizes the work of the various international efforts into a unified evaluation methodology that replaces the former methods © Pearson Education Information Security: Principles and Practices