Security Certifications and Building a Secure System…in search of the Holy Grail? Lesson 21.

Slides:



Advertisements
Similar presentations
Module 1 Evaluation Overview © Crown Copyright (2000)
Advertisements

Configuration Management
Software Quality Assurance Plan
Test process essentials Riitta Viitamäki,
Operating System Security
System Integration Verification and Validation
TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Software Quality Assurance Plan
4/28/20151 Computer Security Security Evaluation.
Enhancing Data Quality of Distributive Trade Statistics Workshop for African countries on the Implementation of International Recommendations for Distributive.
IT Security Evaluation By Sandeep Joshi
Trusted Hardware: Can it be Trustworthy? Design Automation Conference 5 June 2007 Karl Levitt National Science Foundation Cynthia E. Irvine Naval Postgraduate.
Secure Operating Systems Lesson 0x11h: Systems Assurance.
1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.
Security Controls – What Works
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Software Configuration Management
Network security policy: best practices
Fraud Prevention and Risk Management
What is Business Analysis Planning & Monitoring?
Gurpreet Dhillon Virginia Commonwealth University
Mantova 18/10/2002 "A Roadmap to New Product Development" Supporting Innovation Through The NPD Process and the Creation of Spin-off Companies.
SEC835 Database and Web application security Information Security Architecture.
Practical IS security design in accordance with Common Criteria Security and Protection of Information 2005 František VOSEJPKA S.ICZ a.s. June 5, 2005.
Introduction to Software Quality Assurance (SQA)
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 20 October 28, 2004.
Information Systems Security Computer System Life Cycle Security.
CPIS 357 Software Quality & Testing I.Rehab Bahaaddin Ashary Faculty of Computing and Information Technology Information Systems Department Fall 2010.
Evaluating Systems Information Assurance Fall 2010.
Information ITIL Technology Infrastructure Library ITIL.
ISA 562 Internet Security Theory & Practice
Software Configuration Management (SCM)
Buffer Overflows Lesson 14. Example of poor programming/errors Buffer Overflows result of poor programming practice use of functions such as gets and.
Lecture 15 Page 1 CS 236 Online Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
1 Common Criteria Ravi Sandhu Edited by Duminda Wijesekera.
Important informations
The Value of Common Criteria Evaluations Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology 100 Bureau Drive;
CMSC : Common Criteria for Computer/IT Systems
Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id #
Trusted OS Design and Evaluation CS432 - Security in Computing Copyright © 2005, 2010 by Scott Orr and the Trustees of Indiana University.
CSCE 548 Secure Software Development Security Operations.
Security fundamentals Topic 2 Establishing and maintaining baseline security.
CS526: Information Security Chris Clifton November 4, 2003 Assurance.
SAM-101 Standards and Evaluation. SAM-102 On security evaluations Users of secure systems need assurance that products they use are secure Users can:
Trusted Operating Systems
Chapter 19: Building Systems with Assurance Dr. Wayne Summers Department of Computer Science Columbus State University
High Assurance Products in IT Security Rayford B. Vaughn, Mississippi State University Presented by: Nithin Premachandran.
Chapter 8: Principles of Security Models, Design, and Capabilities
Chapter 21: Evaluating Systems Dr. Wayne Summers Department of Computer Science Columbus State University
The NIST Special Publications for Security Management By: Waylon Coulter.
Cmpe 589 Spring Fundamental Process and Process Management Concepts Process –the people, methods, and tools used to produce software products. –Improving.
CSCE 727 Awareness and Training Secure System Development and Monitoring.
PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.
1 Security Architecture and Designs  Security Architecture Description and benefits  Definition of Trusted Computing Base (TCB)  System level and Enterprise.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.
Security Architecture and Design Chapter 4 Part 4 Pages 377 to 416.
Information ITIL Technology Infrastructure Library ITIL.
CS457 Introduction to Information Security Systems
ITIL: Service Transition
Configuration Management
Security Testing Methods
Security Criteria, Certifications, and Training
Configuration Management
Official levels of Computer Security
Chapter 19: Building Systems with Assurance
THE ORANGE BOOK Ravi Sandhu
Presentation transcript:

Security Certifications and Building a Secure System…in search of the Holy Grail? Lesson 21

Building Secure Systems  Vulnerabilities frequently found in operating systems and application programs.  Problem is not new, we’ve always had problems with the security of our systems and flaws in the operating system.  Is it really that hard to build a secure system?

Why systems are not secure  Security is fundamentally difficult. What is adequate for most functions isn’t for security “good enough” doesn’t apply for security  Security is often (usually) an afterthought.  Security is viewed as an impediment.  False solutions impede progress industry subject to ‘fads’ -- quick fixes cause us to become complacent.  Technology is oversold -- the problem is often with the people not the computers.  Errors are made – and not found (inadequate testing, poor programming techniques).

Example of poor programming/errors  Buffer Overflows result of poor programming practice –use of functions such as gets and strcpy  these don’t check input for boundaries may allow individual to gain root or admin access

Sample Buffer Overflow Example #include void func(char *p) { char stack_temp[20]; strcpy(stack_temp, p); printf(stack_temp); } int main(int argc, char* argv[]) { func(“I AM MORE THAN TWENTY CHARACTERS LONG!”); return 0; }

Buffer Overflows Program Execute A Return Subroutine A Read Variable Data Process Stack Return Addr

Buffer Overflows Program Execute A Return Subroutine A Read Variable Data Process Stack Return Addr New Addr Another Routine

Exploits  Buffer Overflows fingerd, statd, talkd, … result of poor programming practice  Shell Escapes special character in input string causes escape to shell

Cover your tracks  Adjust log files RootKit –contains sniffer, login program that disables logging, “hacker” versions of several system utilities (e.g. ps)  Looping launch attack from another system you’ve compromised thus hiding trail greatly increases complexity of tracking

Security Kernel  The HW and SW that implements the “reference monitor” All accesses that subjects make to objects are authorized on information in an access control database. The specific checks that are made and all modifications to the access control database are controlled by the reference monitor in accordance with the established security policy. Audit File Reference Monitor Access Control Database Objects Subjects

Three Principles for Security Kernels  Completeness: it must be impossible to bypass. All access to information must be mediated by the reference monitor.  Isolation: it must be tamperproof The OS and the reference monitor should “protect” themselves from modification.  Verifiability: it must be shown to be properly implemented. Good software engineering practices. Simplicity of function in the kernel. Minimize the size of the kernel.

The “Orange Book”  The NCSC (NSA) developed the Trusted Computer System Evaluation Criteria (TCSEC)  Designed to meet three objectives to provide guidance to manufacturers as to what security features to build into their products to provide the DoD customers with a metric to evaluate the degree of trust they could place in a computer system to provide a basis for specifying security requirements in acquisition specifications

The Orange Book  Particular emphasis is on preventing unauthorized disclosure of information.  Based on Bell-La Padula security model Simple Security Condition –allows a subject read access to an object only if the security level of the subject dominates the security level of the object. *-Property –allows a subject write access to an object only if the security level of the subject is dominated by the security level of the object. Also known as the Confinement Property.  “No Read Up/No Write Down”

The Orange Book  “Trusted Computing Base” Concept  7 Levels D: Minimal Protection C1: Discretionary Security Protection C2: Controlled Access Protection B1: Labeled Security Protection B2: Structured Protection B3: Security Domains A1: Verified Protection

The Orange Book

Fundamental Requirements  Policy Security Policy Marking  Accountability Identification: Individual subjects must be identified. Accountability: Audit information must be selectively kept and protected.  Assurance Assurance: system must contain HW/SW mechanisms that can be independently evaluated to ensure system enforces requirements. Continuous Protection: mechanisms that enforce protection must be protected against tampering and unauthorized changes.  Documentation

Division C Class C1

Division C Class C2

Division B Class B1

TCSEC Summary

The “Yellow Book” Open: Application developers do not have sufficient clearance or authorization to proved an acceptable presumption that they have not introduced malicious logic. Closed: Application developers (including maintainers) do have the clearance/authorization.

The “Yellow Book”

The “Red Book”  Trusted Network Interpretation (TNI)  Two parts Interprets Orange book for networks –interpretation –rationale Describes additional security services that arise with networks.

Division C Class C1

The Network Security Services

Issues with Any Certification  Certifications take time thus they generally have a hefty price associated with them. By the time the product is evaluated, its obsolete.  Who gets to do the evaluation? Lots of folks don’t want the government poking around their product, but can you trust some other company?  Certifications are for a single release, if you release a new version it will need to be evaluated too.

The ITSEC and Common Criteria  After the TCSEC was published, several European countries issued their own criteria. The Information Technology Security Evaluation Criteria (ITSEC). Had a number of improvements. –Permitted new feature definitions and functionalities. –Accommodated commercial evaluation facilities  Soon the U.S. was preparing to update the TCSEC.  Instead of multiple standards, how about a joint one? Thus, the birth of the Common Criteria

Common Criteria

 Has 7 Evaluation Assurance Levels (EAL) EAL1: functionally tested EAL2: Structurally tested EAL3: Methodologically tested and checked EAL4: Methodologically designed, tested, & reviewed EAL5: Semiformally designed and tested EAL6: Semiformally verified design and tested EAL7: Formally verified design and tested  Any collection of components can be combined with an EAL to form a Protection Profile. Defines an implementation-independent set of security requirements and objectives.

Example Level Description  EAL1 - functionally tested EAL1 is applicable where some confidence in correct operation is required, but the threats to security are not viewed as serious. It will be of value where independent assurance is required to support contention that due care has been exercised with respect to the protection of personal or similar information. This level provides an evaluation of the Target of Evaluation (TOE) as made available to the consumer, including independent testing against a specification, and an examination of the guidance documentation provided.

Level Description  EAL2 - structurally tested EAL2 requires the cooperation of the developer in terms of the delivery of design information and test results, but should not demand more effort on the part of the developer than is consistent with good commercial practice. As such it should not require a substantially increased investment of cost or time. EAL2 is applicable in those circumstances where developers or users require a low to moderate level of independently assured security in the absence of ready availability of the complete development record. Such a situation may arise when securing legacy systems, or where access to the developer may be limited.

Level Description  EAL3 - methodically tested and checked EAL3 permits a conscientious developer to gain maximum assurance from positive security engineering at the design stage without substantial alteration of existing sound development practices. It is applicable in those circumstances where developers or users require a moderate level of independently assured security, and require a thorough investigation of the TOE and its development without incurring substantial reengineering costs. An EAL3 evaluation provides an analysis supported by "grey box" testing, selective confirmation of the developer test results, and evidence of a developer search for obvious vulnerabilities. Development environmental controls and TOE configuration management are also required.

ICSA Certification  ICSA Labs initiated a program for certifying IT products against a set of industry accepted, de facto standards. Standards are developed with input from security experts, vendors, developers, and users. Targets threats that actually occur frequently, not postulated ones (think covert channels). Goal is criteria appropriate for 80% of customers.  Has mechanism for certification of future versions.

ICSA

ICSA - IDS

System Security Engineering Capability Maturity Model  SSE-CMM: “Describes the essential characteristics of an organization’s security engineering process that must exist to ensure good security engineering.”  Began as an NSA-sponsored effort in  The model is a standard metric for security engineering practices covering: the entire life cycle the whole organization interactions with other organizations including acquisitions, system management, certification,… interactions with other disciplines

SSE-CMM  Intended to be used as a: Tool for engineering organizations to evaluate their security engineering practices and define improvements to them. Standard mechanism for customers to evaluate a provider’s security engineering capability. Basis for security engineering evaluation organizations to establish capability-based confidences or assurance.

SSE-CMM Capability Levels 1 Performed Informally 2 Planned & Tracked 3 Well Defined 0 Not Performed 4 Qualitatively Controlled 5 Continuously Improving 1 Base Practices Performed 2 Committing to perform Planning performance Disciplined performance Tracking performance Verifying performance 3 Defining a standard process Tailoring a standard process Using data Perform a defined process 4 Establishing measurable quality goals Determining process capability to achieve goals Objectively managing performance 5 Establishing quantitative process effectiveness goals Improving process effectiveness

21 SSE-CMM Process Areas (some examples)  Administer Security Controls Establish security responsibilities Manage security configuration Manage security awareness, training, and education programs Manage security services and control mechanisms  Attack Security Scope attack Develop attack scenarios Perform attacks Synthesize attack results  Monitor System Security Posture Analyze event records Monitor changes Identify security incidents Manage security incident response

Summary  What is the Importance and Significance of this material?  How does this topic fit into the subject of “Voice and Data Security”?