Presentation transcript:

ECE-6612  http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland  jcopeland@ece.gatech.edu  404 894-5177  fax 404 894-0035
Offices: Klaus 3362 (email or call for office visit, 404 894-5177)
Chapter 10 (b) - Trusted Systems  3/10/2016

Trusted Systems

Subject: an entity capable of accessing objects. Usually a process of an application being run by a user. Note that a secure user authentication procedure is essential (pass-phrase, biometrics, ...).
Object: anything to which access is controlled. This includes files, portions of files, programs, segments of memory, records and fields of records in a database.
Access Right: a way in which an object can be accessed by a subject, typically read, write, and execute.
Access matrix, access control list (ACL), or capability list (ticket): ways of defining access rights.

[Figure: access matrix, with Subjects as rows and Objects as columns; each cell holds the rights that subject has on that object]

ACL - Access Control List
For each object, a list of subjects (& rights).
[Figure: Object[1] -> Subject[3], Subject[5]; Object[2] -> Subject[2]; Object[3] -> ...]

Capability List
For each Subject, a list of Objects (& Rights).
[Figure: Subject[1] -> Object[4], Object[7]; Subject[2] -> Object[2], Object[5]; Subject[3] -> ...]
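The three slides above describe one access matrix viewed two ways: an ACL is a column of the matrix (kept with the object), a capability list is a row (kept with the subject). The Python below is an added example, not code from the lecture; the subjects, objects and rights in it are constructed. It builds both views from one matrix, checks that they answer every query identically, and shows the operational difference the slides do not spell out: revoking all access to one object is a single deletion on the ACL side but needs a scan of every capability list.

```python
# Added example (not from the slides): one access matrix, viewed as ACLs
# (per object) and as capability lists (per subject).  Names are constructed.
from collections import defaultdict

# Access matrix: ACCESS_MATRIX[subject][object] = set of rights.
ACCESS_MATRIX = {
    "alice": {"payroll.db": {"r", "w"}, "report.txt": {"r"}},
    "bob":   {"report.txt": {"r", "w"}, "backup.sh": {"r", "x"}},
    "carol": {"backup.sh": {"x"}},
}


def to_acls(matrix):
    """Column view: for each object, which subjects hold which rights."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls[obj][subject] = set(rights)
    return dict(acls)


def to_capabilities(matrix):
    """Row view: for each subject, the objects it holds tickets for."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in matrix.items()}


def acl_check(acls, subject, obj, right):
    """Object-side decision: the object's ACL is consulted; the subject must be named on it."""
    return right in acls.get(obj, {}).get(subject, set())


def cap_check(caps, subject, obj, right):
    """Subject-side decision: the subject presents its ticket for the object."""
    return right in caps.get(subject, {}).get(obj, set())


def revoke_object(acls, caps, obj):
    """Remove every right on `obj` from both views.

    On the ACL side this is one deletion.  On the capability side every
    subject's list has to be scanned; the number of lists touched is returned."""
    acls.pop(obj, None)
    touched = 0
    for row in caps.values():
        if row.pop(obj, None) is not None:
            touched += 1
    return touched


if __name__ == "__main__":
    acls = to_acls(ACCESS_MATRIX)
    caps = to_capabilities(ACCESS_MATRIX)
    print("ACL for backup.sh:", acls["backup.sh"])
    print("capabilities of bob:", caps["bob"])
    print("capability lists touched by revoking backup.sh:", revoke_object(acls, caps, "backup.sh"))
```

Both views are derived from the same matrix, so any check that disagrees between them is a bug in the derivation; the revocation count is the practical reason real systems that hand out capabilities (file descriptors, tokens) also keep expiry or indirection so they do not have to find every copy.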

Multilevel Security
Put Subjects into Levels, then Level defines Rights.

[Figure: three columns of levels (SCI, ...*; Top-Secret; Secret; Confidential; Unclassified), one column per compartment. Compartments: Projects, Areas, ... (need-to-know)]

• No Read Up (Simple Security Property): a subject can only read an object of lower or equal security level.
• No Write Down (*-Property): a subject can only write to an object of greater or equal security level (it cannot lower the security classification of information by writing it to an object with a lower security level). You can contribute information to a higher security level report, but cannot read the report.
• Need to Know: a subject can only access data if cleared for that project or category (compartmentalized sensitive information). [not in book]
• Reference Monitor: the mechanism that enforces the three rules above.

* so secret we can't reveal the name.

UNIX - each directory and file belongs to a user (owner) and a group. Users can belong to many groups.
Permissions: r = read, w = write, x = execute; 3 sets, for user (owner), group, others.
d = directory. For directories, "r" allows listing the names inside and "x" allows traversing the directory (opening an entry whose name you already know); with "x" but no "r", files can be reached by name but ls fails.

Columns: permissions, link count, Owner, Group, Size, Date Modified, Name

    $ ls -l
    total 35816
    -rw-r--r--   1 copeland  staff     3213979 Apr 18  2012 220.pcap
    -rw-r--r--   1 copeland  staff      519884 Oct 31 10:35 3076 alias
    -rw-r--r--   1 copeland  staff      242276 Sep 21 10:54 5900.pcap
    -rwxr--r--   1 copeland  staff      519040 Jan 20  2012 reset_script
    drwx------   5 copeland  staff         918 Feb 22 11:22 Desktop
    drwxr-----  18 copeland  staff        1020 Jan 24 14:45 Documents
    drwxr-xr-x  12 root      root         5542 May 24  2012 Downloads
    drwx------   5 copeland  staff         204 Mar 14  2012 Movies
    drwxr-xr-x   4 copeland  staff         306 Mar  8  2010 Music
    -rw-r--r--   1 copeland  admin           0 Feb 15  2009 PGP Keyrings
    drwxr--r--  13 copeland  copeland      748 Mar 14  2012 Pictures
    drwx-wx---   3 copeland  staff         170 Nov  6  2008 Public
    $ id
    uid=501(copeland) gid=20(staff) groups=20(staff),204(_developer),100(_lpoperator),98(_lpadmin),81(_appserveradm),80(admin),12(everyone),504(access_bpf)
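The permission decision behind that listing is easy to get wrong by hand: the kernel picks exactly one of the three classes (owner, then group, then other) and never unions them, so an owner whose owner bits are empty is refused even when the group bits would allow. The Python below is an added example, not code from the lecture. It evaluates mode strings the way the classic discretionary check does for a given uid and group set; the listing lines and the uid/gid tables are constructed, and root's bypass of these checks and POSIX ACLs beyond the mode bits are not modelled.

```python
# Added example (not from the slides): evaluate `ls -l` mode strings the way
# the classic UNIX discretionary check does, for a given uid and group set.
# The listing, uids and gids below are constructed for illustration.
# Not modelled: root (which bypasses these checks) and extended POSIX ACLs.

# Constructed listing in `ls -l` format: mode, links, owner, group, size, date, name.
LISTING = """\
-rw-r--r--   1 copeland  staff   519040 Jan 20  2012 reset_script
drwx-wx---   3 copeland  staff      170 Nov  6  2008 Public
drwxr-xr-x  12 root      root      5542 May 24  2012 Downloads
"""
USERS = {"copeland": 501, "root": 0, "alice": 502}   # constructed uid table
GROUPS = {"staff": 20, "root": 0}                     # constructed gid table


def parse_mode(mode_str):
    """'drwxr-x--x' -> (is_dir, [owner, group, other]) with r=4, w=2, x=1."""
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character mode string such as drwxr-xr-x")
    is_dir = mode_str[0] == "d"
    classes = []
    for i in (1, 4, 7):
        r, w, x = mode_str[i:i + 3]
        bits = (4 if r == "r" else 0) | (2 if w == "w" else 0)
        if x in "xst":          # lowercase s/t = setuid/setgid/sticky on top of execute
            bits |= 1           # uppercase S/T would mean the flag without execute
        classes.append(bits)
    return is_dir, classes


def permission_class(entry_uid, entry_gid, uid, groups):
    """Exactly one class applies: owner if uid matches, else group if any of the
    caller's groups matches, else other.  Classes are not unioned."""
    if uid == entry_uid:
        return 0
    if entry_gid in groups:
        return 1
    return 2


def can(mode_str, entry_uid, entry_gid, uid, groups, want):
    """want is 'read', 'write' or 'exec'.  On a directory, 'read' means listing
    names and 'exec' means traversing it (opening an entry whose name you know)."""
    _, classes = parse_mode(mode_str)
    bits = classes[permission_class(entry_uid, entry_gid, uid, groups)]
    need = {"read": 4, "write": 2, "exec": 1}[want]
    return bool(bits & need)


def parse_ls_line(line):
    """Split one `ls -l` line into (name, mode, owner uid, group gid)."""
    parts = line.split(None, 8)
    mode, owner, group, name = parts[0], parts[2], parts[3], parts[8]
    return name, mode, USERS[owner], GROUPS[group]


def listing_access(listing, uid, groups):
    """What a caller with this uid and group set may do to each entry of the listing."""
    result = {}
    for line in listing.splitlines():
        if not line.strip() or line.startswith("total"):
            continue
        name, mode, entry_uid, entry_gid = parse_ls_line(line)
        result[name] = {op: can(mode, entry_uid, entry_gid, uid, groups, op)
                        for op in ("read", "write", "exec")}
    return result


if __name__ == "__main__":
    for who, uid, groups in (("copeland", 501, {20}), ("alice", 502, {20})):
        print(who, listing_access(LISTING, uid, groups))
```

For the constructed user alice (uid 502, in staff), Public (drwx-wx---) comes out as write and traverse but no read: she can drop a file into it or open one whose name she knows, but cannot list it, which is the drop-box pattern the "-wx" group bits are for.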

[Figure: Write Only; Allow or Block; ACL's]

In normal computers, programs and files usually have the same privileges as the "user" using them.
[Figure: Bob ("Secret" clearance) runs a program with access to the CPE170KS "Secret" data file (ACL: Bob: RW). Alice ("Confidential" clearance) has a program and a Back-Pocket file (ACL: Alice: RW, Bob: W).]
Alice's program has a Trojan Horse hidden inside.

[Figure: same setup as the previous slide.]
When Bob runs Alice's program, the Trojan writes info from Bob's Secret file to Alice's Confidential file ("write down").

In "Trusted System" computers, programs and files have their own security levels.
[Figure: a Reference Monitor sits between the programs and the files. The CPE170KS data file and its program are labeled "Secret" (ACL: Bob: RW); the Back-Pocket file and Alice's program are labeled "Confidential" (ACL: Alice: RW, Bob: W).]
Alice's program has to access the Secret program through the Reference Monitor, which upgrades the level of the process to Secret.

[Figure: same setup, with Alice's program now labeled "Secret" after going through the Reference Monitor, while the Back-Pocket file stays "Confidential".]
The Reference Monitor will not let the (now rated Secret) process write down to a lower-level file.
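The four slides above, and the No Read Up / No Write Down rules from the multilevel security slide, can be replayed in a few dozen lines. The Python below is an added example, not code from the lecture: a toy reference monitor that checks the ACL first, then the simple security property against the user's clearance, and then the *-property against the process label, which floats up to the highest level the process has read (the "upgrade to Secret" on the slide). The users, files, levels and ACL entries are constructed. Running the Trojan once with the MLS checks off reproduces the "normal computer" leak; running it with them on shows the write down being refused.

```python
# Added example (not from the slides): a toy reference monitor enforcing
# Bell-LaPadula's simple security property (no read up) and *-property
# (no write down), with a process label that floats upward on read.
# Users, files, levels and ACL entries are constructed for illustration.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top-Secret": 3}


class Denied(Exception):
    """Raised by the monitor when an access violates the ACL or an MLS rule."""


class Process:
    def __init__(self, user, clearance, level):
        self.user = user            # who is running the program
        self.clearance = clearance  # the user's clearance: an upper bound on level
        self.level = level          # current label of the process; it only rises


class ReferenceMonitor:
    def __init__(self, files, mls=True):
        self.files = files   # name -> {"level": str, "acl": {user: rights}, "data": str}
        self.mls = mls       # mls=False models a "normal" computer: ACL only
        self.log = []        # audit trail of every mediated decision

    def _decide(self, proc, name, op, allowed, rule):
        self.log.append((proc.user, proc.level, op, name, self.files[name]["level"], rule, allowed))
        if not allowed:
            raise Denied(f"{rule}: {proc.user}@{proc.level} {op} {name}@{self.files[name]['level']}")

    def read(self, proc, name):
        f = self.files[name]
        self._decide(proc, name, "r", "r" in f["acl"].get(proc.user, ()), "ACL")
        if self.mls:
            # simple security property: no read up beyond the user's clearance
            self._decide(proc, name, "r",
                         LEVELS[f["level"]] <= LEVELS[proc.clearance], "no read up")
            # high-water mark: the process is relabeled to the highest level it has read
            if LEVELS[f["level"]] > LEVELS[proc.level]:
                proc.level = f["level"]
        return f["data"]

    def write(self, proc, name, data):
        f = self.files[name]
        self._decide(proc, name, "w", "w" in f["acl"].get(proc.user, ()), "ACL")
        if self.mls:
            # *-property: no write down, so data read at Secret cannot land in a Confidential file
            self._decide(proc, name, "w",
                         LEVELS[f["level"]] >= LEVELS[proc.level], "no write down")
        f["data"] += data


def build_files():
    """Constructed files: Bob's Secret data file, Alice's Confidential back-pocket file,
    and a Secret report Alice may write to but not read."""
    return {
        "CPE170KS":    {"level": "Secret",       "acl": {"bob": {"r", "w"}},                  "data": "secret design"},
        "back_pocket": {"level": "Confidential", "acl": {"alice": {"r", "w"}, "bob": {"w"}}, "data": ""},
        "report":      {"level": "Secret",       "acl": {"alice": {"r", "w"}, "bob": {"r"}}, "data": ""},
    }


def trojan_run(mls):
    """Bob (Secret clearance) runs Alice's Confidential program, whose Trojan copies
    Bob's Secret file into Alice's file.  Returns (leaked, final process level, file contents)."""
    rm = ReferenceMonitor(build_files(), mls=mls)
    proc = Process(user="bob", clearance="Secret", level="Confidential")
    try:
        stolen = rm.read(proc, "CPE170KS")      # allowed: Bob is cleared; label floats to Secret
        rm.write(proc, "back_pocket", stolen)   # write down: refused when mls=True
        leaked = True
    except Denied:
        leaked = False
    return leaked, proc.level, rm.files["back_pocket"]["data"]


if __name__ == "__main__":
    print("normal computer:", trojan_run(mls=False))
    print("trusted system :", trojan_run(mls=True))
```

Note that the ACL alone permits every step of the leak, which is why discretionary controls cannot stop a Trojan run by an authorized user; the monitor's log records the "no write down" refusal, which is the event an auditor would look for.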

Offense: How could one attack a secure system?
Defense: What attacks need to be anticipated?

Defense strategy starts with an analysis of possible offensive strategies. Then, for each attack vector, how do you
• Prevent
• Detect
• Terminate and Report

The Computer Security Center within the National Security Agency has a Commercial Product Evaluation Program. To be rated a "Trusted System" (at a certain level) and be eligible for government and DoD RFPs, the computer must provide:

Complete Mediation: security rules are enforced on every access, not just when a file is opened.
Isolation: the reference monitor and its database are protected from unauthorized modification.
Verifiability: the reference monitor's correctness must be mathematically provable (by a set of logic rules, that it provides Complete Mediation and Isolation).

"Common Criteria" Security Specifications

In January 1996, the United States, United Kingdom, Germany, France, Canada, and the Netherlands released a jointly developed evaluation standard for a multi-national marketplace. This standard is known as the "Common Criteria for Information Technology Security Evaluation" (CCITSE), usually referred to as the "Common Criteria" (CC). The Common Criteria can be used for the following purposes: (see table on next slide)

Under the Common Criteria, each level of trust rating from the TCSEC can be specified as a Protection Profile (PP). A Protection Profile looks very similar to a level of trust rating but has two fundamental differences. First, where the TCSEC binds sets of features and assurances together, the Common Criteria allows Protection Profiles to combine features and assurances in any combination. Also, the TCSEC specifies a fixed set of ratings (profiles), but the Common Criteria allows consumers to write a customized set of requirements in a standard format.

The TPEP office is currently developing Protection Profiles that map to the C2 rating referred to in the TCSEC, and SBU Firewall Protection Profiles. Common Criteria evaluations are now in progress using the Firewall Protection Profiles.

From http://www.radium.ncsc.mil/tpep/library/ccitse/cc_over.html - no longer available

[Table: purposes of the Common Criteria (image not included in the transcript)]

Value of Certification

If a product is Common Criteria certified, it does not necessarily mean it is completely secure. For example, various Microsoft Windows versions, including Windows Server 2003 and Windows XP, were certified at EAL4+, but regular security patches for security vulnerabilities were still published by Microsoft for these Windows systems. This is possible because the process of obtaining a Common Criteria certification allows a vendor to restrict the analysis to certain security features and to make certain assumptions about the operating environment and the strength of threats, if any, faced by the product in that environment.

… So far, most PPs and most evaluated STs/certified products have been for IT components (e.g., firewalls, operating systems, smart cards). Common Criteria certification is sometimes specified for IT procurement. Other standards containing rules for interoperation, system management, user training, … , supplement CC and other product standards.

Evaluation is a costly process (often measured in hundreds of thousands of US dollars), and the vendor's return on that investment is not necessarily a more secure product (but it permits selling the product to certain government areas).

http://en.wikipedia.org/wiki/Common_Criteria