Trusted System? What are the characteristics of a trusted system? What is a security policy and how must it be enforced? Functional correctness: does what it is supposed to do. Enforcement of integrity: correctness of data. Limited privilege: access is minimized; neither access rights nor data are passed along to other untrusted programs or users. Appropriate confidence level: the system has been tested and rated.
Underpinnings of a Trusted OS. Policy: states the requirements. Model: represents the policy. Design: decides how to implement it. Trust features: the mechanisms that enforce security. Assurance: provides confidence in the system. Requirements: what it should and should not do. Model: compare it to the policy. Design: how it is built.
Trusted Software Key Characteristics. Functionally correct: does what it is supposed to. Enforcement of integrity: maintains correctness of data. Limited privilege: the program accesses secure data, but access is minimized. Appropriate confidence level: the program has been evaluated and rated at a degree of trust. Common Criteria: ICC international standard for security. Book.
Figure 5-14 Combined Security Kernel/Operating System. Separate the security functions of an existing operating system, creating a security kernel. Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition.
Figure 5-15 Separate Security Kernel. Computing systems have at least three execution domains: security kernel, operating system and user. Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition.
Trusted Computing Base (TCB). Conceptual construct: not physical. The security-relevant portions of a computer system that enforce a security policy; it determines the level of trust a system provides. Addresses hardware, software and firmware. Trusted path: a protected communication channel. Trusted shell: the user can't bust out of it. Processes have their own execution domain. Memory and I/O protection. Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide; Harris, S. (2010) CISSP All-in-one Exam Guide 5th edition.
Figure 5-13 TCB and Non-TCB Code. Typical divisions into TCB and non-TCB sections. Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition.
Security Perimeter. Everything outside of the TCB. Divides trusted from untrusted. Communication between the TCB and components outside the TCB must not expose the system to security compromises. Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide; Harris, S. (2010) CISSP All-in-one Exam Guide 5th edition.
Figure 5-12 Reference Monitor. Conceptual: the most important part of a security kernel. Mediates all access that subjects have to objects. Tamperproof and provides isolation. Unbypassable: invoked for every access attempt. Analyzable: small enough to be tested. Other security mechanisms help the system; other parts include audit, identification, and authentication. Harris, S. (2010) CISSP All-in-one Exam Guide 5th edition; Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition.
Security Policy. High-level management directives. A statement of the security we expect the system to enforce. Policy components. Purpose: why. Scope: what is covered. Responsibilities: of teams, staff, management. Compliance: judge effectiveness, consequences. Book and Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide.
Military Security Policy. Protect classified information; rank information by sensitivity level. Need-to-know rule: only subjects who need to know. Projects are compartmentalized for protection.
Figure 5-1 Hierarchy of Sensitivities (least to most sensitive). Rank information at a sensitivity level: unclassified, restricted, confidential, secret or top secret. Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition.
Compartments. Projects are called compartments. Information can cross compartments and sensitivity levels. Individuals are assigned to projects. Compartments enforce the need-to-know policy. Clearances are required to access information.
Figure 5-2 Compartments and Sensitivity Levels. Compartments can cross sensitivity levels. Compartments are usually named after a project. Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition.
Figure 5-3 Association of Information and Compartments. As titled. Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition.
Discussion Question: Commercial Security Policies. Why must companies be concerned about security?
Commercial Security. Maintain competitive advantage. Industrial espionage. Protect financial information. Categories of information: Public: less sensitive. Proprietary: less sensitive than internal. Internal: sensitive.
Figure 5-4 Commercial View of Sensitive Information. Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition.
Models of Security (Why?) Test a particular policy for completeness and consistency. Document a policy. Help conceptualize and design an implementation. Check whether an implementation meets its requirements.
Bell-LaPadula Security Model. First mathematical model of a multilevel security policy, developed for the Department of Defense. Simple security property: no read up. *-security property: no write down. Strong tranquility property: security labels will not change while the system is operating. Weak tranquility property: security labels will not change in a way that conflicts with the defined security properties. "Keep secrets secret." Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide; Harris, S. (2010) CISSP All-in-one Exam Guide 5th edition.
Figure 5-7 Secure Flow of Information. Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition. Bell-LaPadula model. Simple security property: no read-up operations. *-security property: no write-down operations. Confidentiality is critical to maintain.
Biba (Integrity) Model. Businesses are concerned with the integrity of information. A state machine model: a mathematical model that evaluates every state. Simple integrity axiom: no read down. *-integrity axiom: no write up. Invocation property: a subject cannot request service from subjects of higher integrity. The opposite of Bell-LaPadula: confidentiality is at odds with integrity. Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide; Harris, S. (2010) CISSP All-in-one Exam Guide 5th edition.
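The sensitivity hierarchy and compartments of Figures 5-1 to 5-3 and the Bell-LaPadula and Biba rules above, worked through as an added example (not from the textbooks cited). Labels combine a level with a compartment set; a subject's label must dominate an object's label (higher-or-equal level and a superset of compartments) for the need-to-know check to pass. The level ranks and compartment names are constructed.

```python
from dataclasses import dataclass

# Figure 5-1 hierarchy, least to most sensitive (constructed numeric ranks).
LEVELS = {"unclassified": 0, "restricted": 1, "confidential": 2,
          "secret": 3, "top secret": 4}


@dataclass(frozen=True)
class Label:
    """A sensitivity level plus the compartments (projects) it is tagged with."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Dominance = higher-or-equal level AND a superset of compartments.
        # A 'secret' clearance with no compartments therefore does NOT
        # dominate a 'confidential' document in project alpha (need to know).
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


# Bell-LaPadula (labels are confidentiality labels): keep secrets secret.
def blp_can_read(subject: Label, obj: Label) -> bool:
    # Simple security property: no read up -> subject must dominate object.
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    # *-property: no write down -> object must dominate subject.
    return obj.dominates(subject)


# Biba (labels are integrity labels): the rules are mirrored.
def biba_can_read(subject: Label, obj: Label) -> bool:
    # Simple integrity axiom: no read down -> object integrity must dominate.
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    # *-integrity axiom: no write up -> subject must dominate object.
    return subject.dominates(obj)


def biba_can_invoke(subject: Label, other: Label) -> bool:
    # Invocation property: no service requests to a higher-integrity subject.
    return subject.dominates(other)
```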
Clark-Wilson Integrity Model. Well-formed transactions: the ability to enforce control over applications. Users: active agents. Transformation procedures (TPs): abstract operations such as read, write and modify. Constrained data items (CDIs): manipulated only by TPs. Unconstrained data items (UDIs): manipulated by users via primitive read and write operations. Integrity verification procedures (IVPs): check the consistency of CDIs with external reality. Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide; Harris, S. (2010) CISSP All-in-one Exam Guide 5th edition.
Clark-Wilson diagram reproduced and updated from Harris, S. (2010) CISSP All-In-One Study Guide.
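The Clark-Wilson pieces above (users, TPs, CDIs, UDIs, IVPs) as an added example, not code from either textbook: CDIs can be changed only from inside a certified TP, a user may run a TP only on CDIs for which an access triple exists, and the IVP is re-run after every TP with roll-back on failure. The account balances, `transfer` TP and sum-preserving IVP are constructed.

```python
class IntegrityError(Exception):
    pass


class ClarkWilsonSystem:
    """Constructed enforcement of the Clark-Wilson rules over a set of CDIs."""

    def __init__(self, cdis, ivp):
        self.cdis = dict(cdis)     # constrained data items: name -> value
        self.tps = {}              # certified transformation procedures
        self.triples = set()       # (user, tp_name, cdi_name) access triples
        self.ivp = ivp             # integrity verification procedure
        self.log = []              # audit trail of well-formed transactions
        self._active_tp = None

    def write_cdi(self, name, value):
        # A CDI may only be modified from inside a running certified TP.
        if self._active_tp is None:
            raise IntegrityError(f"direct write to CDI {name!r} refused")
        self.cdis[name] = value

    def run_tp(self, user, tp_name, *cdi_names, **udis):
        # The user must hold an access triple for this TP on every CDI named.
        for cdi in cdi_names:
            if (user, tp_name, cdi) not in self.triples:
                raise IntegrityError(f"{user} may not run {tp_name} on {cdi}")
        snapshot = dict(self.cdis)
        self._active_tp = tp_name
        try:
            # Keyword arguments are UDIs: raw user input the TP must validate.
            self.tps[tp_name](self, *cdi_names, **udis)
            if not self.ivp(self.cdis):   # TP must leave CDIs consistent
                raise IntegrityError(f"{tp_name} violated the IVP")
        except Exception:
            self.cdis = snapshot          # roll back a broken transaction
            raise
        finally:
            self._active_tp = None
        self.log.append((user, tp_name, cdi_names))


def transfer(system, src, dst, amount):
    # Constructed TP: validates the UDI 'amount' before touching CDIs.
    if not isinstance(amount, int) or amount <= 0 or system.cdis[src] < amount:
        raise IntegrityError("invalid transfer amount")
    system.write_cdi(src, system.cdis[src] - amount)
    system.write_cdi(dst, system.cdis[dst] + amount)


def total_preserved(expected_total):
    # Constructed IVP: money is neither created nor destroyed, no overdrafts.
    return lambda cdis: (sum(cdis.values()) == expected_total
                         and all(v >= 0 for v in cdis.values()))
```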
Security Models cont. Information flow: describes how information can flow; Bell-LaPadula and Biba use this. Chinese Wall (Brewer-Nash): avoids conflicts of interest (consultant control) by prohibiting access to conflict-of-interest categories. Noninterference: data in different security domains remain separate. Harrison-Ruzzo-Ullman: maps subjects, objects and access rights to a matrix. Zachman Framework: six frameworks for providing information security. Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide.
Figure 5-5 Chinese Wall Security Policy. Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition.
Zachman Framework. Helps security professionals think about all of the areas they should be concerned with. http://commons.wikimedia.org/wiki/File:Zachman_Framework.jpg
Security Models cont. Objects are either active or passive. Take-Grant protection: rules govern interactions between subjects and objects, and the permissions subjects can grant. Primitive operations: create, revoke, take, grant.
Figure 5-8 Subject, Object, and Rights. Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition.
Figure 5-9 Creating an Object; Revoking, Granting, and Taking Access Rights. Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition.
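The four Take-Grant primitives from Figures 5-8 and 5-9 as an added example (not the textbook's code). The protection graph is a dictionary of right sets keyed by (source, destination); "t" and "g" are themselves rights that let a subject take rights through, or grant rights across, an edge. Node names are constructed.

```python
class TakeGrantGraph:
    """Constructed protection graph for the Take-Grant model.

    rights[(x, y)] is the set of rights node x holds over node y.
    Only subjects (active nodes) may perform create, take and grant.
    """

    def __init__(self, subjects):
        self.subjects = set(subjects)
        self.rights = {}

    def _edge(self, x, y):
        return self.rights.setdefault((x, y), set())

    def create(self, subject, new_node, rights, active=False):
        # create: a subject adds a node and receives the listed rights to it.
        if subject not in self.subjects:
            raise PermissionError(f"{subject!r} is not a subject")
        if active:
            self.subjects.add(new_node)
        self._edge(subject, new_node).update(rights)

    def take(self, x, y, z, r):
        # take: x has 't' to y and y has r to z  =>  x gains r to z.
        ok = (x in self.subjects and "t" in self._edge(x, y)
              and r in self._edge(y, z))
        if ok:
            self._edge(x, z).add(r)
        return ok

    def grant(self, x, y, z, r):
        # grant: x has 'g' to y and x has r to z  =>  y gains r to z.
        ok = (x in self.subjects and "g" in self._edge(x, y)
              and r in self._edge(x, z))
        if ok:
            self._edge(y, z).add(r)
        return ok

    def revoke(self, x, y, r):
        # revoke: x gives up its own right r to y (rights already taken by
        # or granted to others are NOT withdrawn, which is the model's point).
        self._edge(x, y).discard(r)

    def has(self, x, y, r):
        return r in self._edge(x, y)
```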
Why Study Models? Models help us to determine what policies a secure system will enforce. Essential to designing a trusted operating system. Determine what is feasible and what is not.
Figure 5-10 Overview of an Operating System's Functions. Identify and authenticate. Protect memory. Protect I/O from unauthorized users. Access control via table lookups. Sharing: resources should be available. Fair service: enforce sharing of the system resources. Figure labels: user authentication, memory protection, file I/O access, access control, enforce sharing, fair service, inter-process communications and synchronization, protected OS and data. Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition.
Figure 5-11 Security Functions of a Trusted Operating System. MAC: access control decisions made beyond the control of the user. DAC: the owner has some discretion. Complete mediation: all accesses must be controlled. Trusted path: no spoofing. Maintain logs. Figure labels: user identification and authentication, mandatory access control, discretionary access control, object reuse protection, complete mediation, trusted path, audit, audit log reduction, intrusion detection. Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition.
Access Control. Mandatory (MAC): decisions made beyond the end user. Discretionary (DAC): the end user decides access. Non-discretionary: role-based access control; roles define access. Content/context dependent: check an additional context before allowing access, such as the time of day, or whether users are accessing their own records. Centralized: all access decisions centralized; single sign-on; provides AAA. Decentralized: allows IT administrators at each location to employ different policies and levels of security. Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide.
Discussion Question: Explain the meaning of granularity with respect to access control. Discuss the trade-off between granularity and efficiency.
Granularity vs. Efficiency. Granularity: the extent to which a task is broken down into smaller parts. Maximum granularity: control each individual object. Coarse granularity: organize information into directories or groups, then apply access rules. Management efficiency is affected by the choice. Access control systems can become hard to manage depending on the granularity of the controls placed upon objects.
Memory. Chip based (RAM), disk based, tape. RAM: the CPU may randomly access addresses. ROM: read-only memory, survives power loss. Cache memory: fast memory on the system. Memory protection: protects the CIA of processes. Hardware segmentation: mapping processes to specific memory addresses. Virtual memory: maps between applications and hardware; more than just paging, it also shares libraries in memory. Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide.
Figure 5-16 Conventional Multiuser Operating System Memory. Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition.
Figure 5-17 Multiple Virtual Addressing Spaces. Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition.
Typical Computer (diagram). Applications run on the operating system and drivers, which in turn run on the hardware: CPU(s), memory, network, storage, peripherals.
Figure 5-18 Conventional Operating System. Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition.
Virtual Computer (diagram). Several guests, each consisting of applications on their own virtual hardware and operating system, share one set of physical hardware: CPU(s), memory, network, storage, peripherals.
Figure 5-19 Virtual Machine. Virtual machines allow for more efficient use of hardware but do have security risks.
VM Security. Harden the base OS: it manages the VMs. Set resource limits: CPU, memory, etc. Firewall the host operating system. Use encrypted protocols. Harden guest operating systems. Keep up with host and guest patches; the guest operating system may differ from the host. Audit logs and performance.
Figure 5-20 Layered Operating System. Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition.
Figure 5-21 Modules Operating in Different Layers. Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition.
International Common Criteria. An agreed-upon standard for describing and testing the security of IT products. Target of Evaluation (ToE): the product under evaluation. Security Target (ST): documentation describing the ToE, including its security requirements. Protection Profile: an independent set of security requirements for a category of products or systems. Evaluation assurance level: the score of the product. Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide.
CC Levels of Evaluation. Seven levels, each building on the previous level. EAL1: functionally tested. EAL2: structurally tested. EAL3: methodically tested and checked. EAL4: methodically designed, tested and checked. EAL5: semi-formally designed and tested. EAL6: semi-formally verified, designed and tested. EAL7: formally verified, designed and tested. Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide.
Discussion Question: Why would a company go after Common Criteria certification for its products?
New Business and $$$. Having certified products opens new markets for your business: government contracts, and international private businesses requiring high levels of security. It can be an expensive process, though. In 2006 an EAL4 rating took 2 years and $350,000 for a product. http://en.wikipedia.org/wiki/Evaluation_Assurance_Level
Figure 5-27 Criteria Development Efforts. Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition.
Payment Card Industry (PCI) Data Security Standard (DSS). Core principles: Build and maintain a secure network. Protect cardholder data. Maintain a vulnerability management program. Implement strong access control measures. Regularly monitor and test networks. Maintain an information security policy. Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide.
Certification and Accreditation. Certification: the system has been certified to meet the security requirements of the data owner. Accreditation: the data owner's acceptance of the certification and of the residual risk, required before the system is put into production. Government agencies are busy working on these procedures. Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide.