Secure Operating Systems Lesson 0x11h: Systems Assurance.

Slides:



Advertisements
Similar presentations
THE ORANGE BOOK Ravi Sandhu ORANGE BOOK CLASSES A1Verified Design B3Security Domains B2Structured Protection B1Labeled Security Protection.
Advertisements

Operating System Security
TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.
4/28/20151 Computer Security Security Evaluation.
CSE331: Introduction to Networks and Security Lecture 34 Fall 2002.
CS526Topic 22: TCSEC and Common Criteria 1 Information Security CS 526 Topic 22: TCSEC and Common Criteria.
Chapter 6 Security Kernels.
IT Security Evaluation By Sandeep Joshi
Secure Operating Systems Lesson 10: SCOMP. Where are we?  Multics is busy being explored, which is kind of cool…  But Multics wasn’t the end of custom.
Security Models and Architecture
1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.
Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.
Information Systems Security Security Architecture Domain #5.
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
Principles of Information System Security: Text and Cases
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 20 October 28, 2004.
Evaluating Systems Information Assurance Fall 2010.
Trusted System? What are the characteristics of a trusted system?
Chapter 5 – Designing Trusted Operating Systems  What makes an operating system “secure”? Or “trustworthy?  How are trusted systems designed, and which.
Lecture 15 Page 1 CS 236 Online Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Session 2 - Security Models and Architecture. 2 Overview Basic concepts The Models –Bell-LaPadula (BLP) –Biba –Clark-Wilson –Chinese Wall Systems Evaluation.
Security Architecture and Design Chapter 4 Part 3 Pages 357 to 377.
Next-generation databases Active databases: when a particular event occurs and given conditions are satisfied then some actions are executed. An active.
Secure Operating System. Mandatory Protection Systems Problem of discretionary access control: untrusted processes can modify protection states Mandatory.
Chapter 7 Securing Commercial Operating Systems. Chapter Overview Retrofitting Security into a Commercial OS History of Retrofitting Commercial OS's Commercial.
CMSC 414 Computer (and Network) Security Lecture 11 Jonathan Katz.
Trusted OS Design and Evaluation CS432 - Security in Computing Copyright © 2005, 2010 by Scott Orr and the Trustees of Indiana University.
UT DALLAS Erik Jonsson School of Engineering & Computer Science FEARLESS engineering Integrity Policies Murat Kantarcioglu.
CSCE 548 Secure Software Development Security Operations.
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 19 October 26, 2004.
Mandatory Access Control
SAM-101 Standards and Evaluation. SAM-102 On security evaluations Users of secure systems need assurance that products they use are secure Users can:
Trusted Operating Systems
Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.
Privilege Management Chapter 22.
High Assurance Products in IT Security Rayford B. Vaughn, Mississippi State University Presented by: Nithin Premachandran.
CS426Fall 2010/Lecture 211 Computer Security CS 426 Lecture 21 The Bell LaPadula Model.
Chapter 8: Principles of Security Models, Design, and Capabilities
Chapter 21: Evaluating Systems Dr. Wayne Summers Department of Computer Science Columbus State University
CSCE 727 Awareness and Training Secure System Development and Monitoring.
Access Controls Mandatory Access Control by Sean Dalton December 5 th 2008.
PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.
Chap5: Designing Trusted Operating Systems.  What makes an operating system “secure”? Or “trustworthy”?  How are trusted systems designed, and which.
Information Security Principles and Practices by Mark Merkow and Jim Breithaupt Chapter 5: Security Architecture and Models.
1 Security Architecture and Designs  Security Architecture Description and benefits  Definition of Trusted Computing Base (TCB)  System level and Enterprise.
6/22/20161 Computer Security Integrity Policies. 6/22/20162 Integrity Policies Commercial requirement differ from military requirements: the emphasis.
Lecture 2 Page 1 CS 236 Online Security Policies Security policies describe how a secure system should behave Policy says what should happen, not how you.
1 Trusted OS Design CS461/ECE Reading Material Section 5.4 of Security in Computing.
Security Architecture and Design Chapter 4 Part 4 Pages 377 to 416.
Computer Security Introduction
TCSEC: The Orange Book.
CS703 - Advanced Operating Systems
Access Control Model SAM-5.
Security Models and Designing a Trusted Operating System
Introduction to Assurance
Official levels of Computer Security
CSE565: Computer Security Lectures 24, 25 OS Security
THE ORANGE BOOK Ravi Sandhu
Guest Lecture in Acc 661 (Spring 2007) Instructor: Christopher Brown)
PLANNING A SECURE BASELINE INSTALLATION
Presentation transcript:

Secure Operating Systems Lesson 0x11h: Systems Assurance

Where are we?  Really, we’re now just looking at the loose ends of OS Security  But there’s one question we don’t have an answer to: how do we KNOW an OS has particular properties?

Verification  The aim is to verify that a system enforces a desired set of security goals  Example: are two sets of users separated? Are the mechanisms (e.g. reference monitor) and policies (e.g. MLS) appropriate to enforce the goal? Are these ideas implemented correctly?  Assurance concerns itself with what and how

Building secure things is HARD  Three Steps: Define the security goals (clearly!) Design for verification (ideally, using formal methods) Build so that the system can be mapped back to the verified design

Assurance Standards  Historically, Orange Book (part of TCSEC)  Now, The Common Criteria  We will take a look at both approaches

Orange Book A-D  D: Minimal Protection  C: Discretionary Protection C1 – discretionary security protection C2 – Controlled access protection  B: Mandatory Protection Labeled Security Protection, Structured Protection, Security Domains (B1, B2, B3)  A: Verified Protection A1 – Verified design Beyond A1 – speaks to physical root of trust etc.

D: Minimal Protection  Government-speak for “evaluated but failed to meet the requirements of anything higher” (!)  Rule of thumb: D is probably not very helpful (what does it actually tell you?)

C1: Discretionary Sec. Protection  DAC: Permissions of named users to named objects  System actions are performed by hardware- protected domains  No obvious ways to bypass controls  Basic documentation required

C2: Controlled Access Protection  Rights must be specifiable at the level of the single user  Authentication based on a secret that is protected from others  Audit of particular events in a protected log  Object reuse checked – new objects do not “leak” data from previous uses  C2 is our “day to day” security level

B1: Labeled Security Protection  C2 plus MAC  Named objects must be associated with a sensitivity label, corresponding to an MLS policy  Security mechanisms must work as claimed in the documentation (how to verify?)  B1 requires proof of detailed testing – few OS are in this level

B2: Structured Protection  Adds protection/enforcement to all objects  Requires covert channel protection  Authentication requires a “trusted path”  The Trusted Computing Base must be “relatively resistant to penetration”

B3: Security Domains  Extends the TCB to cover the “reference monitor” concept  TCB is “highly resistant to penetration”

A1: Verified Design  A formal model of the security policy, plus a mathematical proof that the model is consistent with the policy  A Formal Top Level Specification (FTLS) of the functions the TCB performs  The FTLS of the TCB must be shown to be consistent with the formal model of the policy  The TCB implementation must be consistent with the FTLS  Formal analysis must be used to identify and analyze covert channels

Beyond A1  A1 allows informal verification if no formal tool exists  This class was left open to allow for a system that can be verified more precisely

Formal Methods  It’s possible to apply formal methods to computing problems Essentially, prove mathematically that a system functions a certain way  The needs for formal methods are huge: most modern systems are really computers with moving parts  To get failure rates, we cannot rely on visual analysis Exhaustive testing is impossible due to state space explosion

Testing?  Debugging requires either examining a crash, or choosing the right test cases  Good coverage is impossible for real systems  Formal methods cover all behaviors, and is certain to find the bugs… provided the model, environment and properties are correct However, all problems are NP-hard, and most are superexponential or even undecidable

Common Criteria LevelRequirements EAL1Functionally tested EAL2 (C1)Structurally tested EAL3 (C2/BA)Methodically tested and checked EAL4 (C2/B1)Methodically designed, tested and reviewed EAL5 (B2)Semiformally designed and tested EAL6 (B3)Semiformally verified design and tested EAL7 (A1)Formally verified design and tested

Aside: ITSEC and AV  Anti-malware provides some really interesting challenges to all this… let’s discuss

Questions & Comments  What do you want to know?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.