ECE Prof. John A. Copeland fax Offices: Klaus or call for office visit, Chapter 10 (b) - Trusted Systems 3/9/2015

2 Trusted Systems Subject: - an entity capable of accessing objects. Usually a process of an application being run by a user. Note that a secure user authentication procedure is essential (pass-phase, biometrics,...). Object: - anything to which access is controlled. This includes files, portions of files, programs, segments of memory, records and fields of records in a database. Access Right: - a way in which an object can be accessed by a subject, typically read, write, and execute. Access matrix, access control list (ACL), or capability list (ticket): ways of defining access rights.

3 Subjects Objects

4 Object[1] Subject[3] Subject[5] Object[2] Subject[2] Subject[5] Object[3] ACL – Access Control List For each object, a list of subjects (& rights).

5 Subject[1] Object[4] Object[7] Subject[2] Object[2] Object[5] Subject[3] Capability List For each Subject, a list of Objects (& Rights)

6 Multilevel Security Put Subjects into Levels, then Level defines Rights No Read Up (Simple Security Property): - a subject can only read an object of less or equal security level. No Write Down (*-Property): - a subject can only write to an object of greater or equal security level (can not lower the security classification of information by writing to an object with a lower security level). You can contribute information to a higher security level report, but can not read the report. Need to Know - a subject can only access data if he is cleared for that project or category (compartmentalized sensitive information). [not in book] Reference Monitor: - a way to enforce the three rules above. SCI,...* Top-Secret Secret Confidential Unclassified * so secret we can ’ t reveal the name. SCI,...* Top-Secret Secret Confidential Unclassified SCI,...* Top-Secret Secret Confidential Unclassified <- Compartments: Projects, Areas, … (need-to-know)

d – directory For directories “x” means “can list files” Permissions, r = read, w = write, x = execute 3 sets for: user, group, others Owner Group Size Date Modified Name $ ls -l total rw-r--r-- 1 copeland staff Apr pcap -rw-r--r-- 1 copeland staff Oct 31 10: alias -rw-r--r-- 1 copeland staff Sep 21 10: pcap -rwxr--r-- 1 copeland staff Jan reset_script drwx copeland staff 918 Feb 22 11:22 Desktop drwxr copeland staff 1020 Jan 24 14:45 Documents drwxr-xr-x 12 root root 5542 May Downloads drwx copeland staff 204 Mar Movies drwxr-xr-x 4 copeland staff 306 Mar Music -rw-r--r-- 1 copeland admin 0 Feb PGP Keyrings drwxr--r-- 13 copeland copeland 748 Mar Pictures drwx-wx--- 3 copeland staff 170 Nov Public $ id uid=501(copeland) gid=20(staff) groups=20(staff),204(_developer),100(_lpoperator),98(_lpadmin),81(_appserveradm),80(adm in),12(everyone),504(access_bpf) UNIX – each directory and file belongs to an user (owner) and a group. Users can belong many groups

8

9 Alice ’ s program has a Trojan Horse hidden inside. Bob: RW Alice: RW Bob: W CPE170KS "Secret" Data File Program Back-Pocket File "Secret" Clearance In normal computers, programs and files usually have the same privileges as the "user" using them. "Confidential" Clearance

10 When Bob runs Alice ’ s program, the Trojan writes info from Bob ’ s Secret file to Alice ’ s Confidential file ( “ write down ” ). Bob: RW Alice: RW Bob: W CPE170KS "Secret" Data File Program Back-Pocket File "Secret" Clearance "Confidential" Clearance

11 Secret Clearance Confidential Clearance Bob: RW Alice: RW Bob: W Reference Monitor CPE170KS "Secret" Data File "Secret" Program Back-Pocket File In "Trusted System" computers, programs and files have their own security levels. Alice ’ s Program has to access the Secret Program through the Reference Monitor, which upgrades the level of the process to Secret.

12 The Security Monitor will not let the (now rated Secret) process write down to a lower level file. Bob: RW Alice: RW Bob: W Reference Monitor CPE170KS "Secret" Data File "Secret" Program "Secret" Program "Confidential" Back-Pocket File "Secret" Clearance "Confidential" Clearance

Offense: How could one attack a secure system? Defense: What attacks need to be anticipated? Defense strategy starts with an analysis of possible offensive strategies. Then, for attack vector, how do you Prevent Detect Stop 13

The Computer Security Center within the National Security Agency has a Commercial Product Evaluation Program To be rated a “ Trusted System ” (at a certain level) and be eligible for government and DoD RFP ’ s, the computer must provide: Complete Mediation: Security rules are enforced on every access, not just when a file is opened. Isolation: The reference monitor and database are protected from unauthorized modification. Verifiability: The reference monitor ’ s correctness must be mathematically provable (by a set of logic rules, that it can provide Complete Mediation and Isolation). 14

In January 1996, the United States, United Kingdom, Germany, France, Canada, and the Netherlands released a jointly developed evaluation standard for a multi- national marketplace. This standard is known as the "Common Criteria for Information Technology Security Evaluation" (CCITSE) usually referred to as the "Common Criteria" (CC). The Common Criteria can be used for the following purposes: (see table on next slide) Under the Common Criteria, each level of trust rating from the TCSEC can be specified as a Protection Profile (PP). A Protection Profile looks very similar to a level of trust rating but has two fundamental differences. First, where the TCSEC binds sets of features and assurances together, the Common Criteria allows Protection Profiles to combine features and assurances together in any combination. Also, the TCSEC specifies a fixed set of ratings (profiles), but the Common Criteria allows for consumers to write a customized set of requirements in a standard format. The TPEP office is currently developing Protection Profiles that map to the C2 rating referred to in the TCSEC and SBU Firewall Protection Profiles. Common Criteria evaluations are now in progress using the Firewall Protection Profiles. From - no longer available “ Common Criteria ” Security Specifications 15

16

4/13/2009, 3/16/2012 If a product is Common Criteria certified, it does not necessarily mean it is completely secure. For example, various Microsoft Windows versions, including Windows Server 2003 and Windows XP, were certified at EAL4+, but regular security patches for security vulnerabilities were still published by Microsoft for these Windows systems. This is possible because the process of obtaining a Common Criteria certification allows a vendor to restrict the analysis to certain security features and to make certain assumptions about the operating environment and the strength of threats, if any, faced by the product in that environment. … So far, most PPs and most evaluated STs/certified products have been for IT components (e.g., firewalls, operating systems, smart cards). Common Criteria certification is sometimes specified for IT procurement. Other standards containing riles for interoperation, system management, user training, …, supplement CC and other product standards. Evaluation is a costly process (often measured in hundreds of thousands of US dollars) -- and the vendor's return on that investment is not necessarily a more secure product (but it permits selling product to certain government areas). Value of Certification 17