Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004."— Presentation transcript:

1 1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004

2 2 Acknowledgements Many of these slides came from Chris Clifton and Matt Bishop, author of Computer Security: Art and Science

3 3 Threats and Vulnerabilities Threat Threat –A potential occurrence that can have an undesirable effect on the system assets of resources  Results in breaches in confidentiality, integrity, or a denial of service  Example: outsider penetrating a system is an outsider threat  Need to identify all possible threats and address them to generate security objectives Vulnerability Vulnerability  A weakness that makes it possible for a threat to occur

4 4 Architectural considerations Determine the focus of control of security enforcement mechanism Determine the focus of control of security enforcement mechanism –Operating system: focus is on data –Applications: more on operations/transactions Centralized or Distributed Centralized or Distributed –Distribute them among systems/components –Generally easier to “assure” centralized system Security mechanism may exist in any layer Security mechanism may exist in any layer

5 5 Architectural considerations Example: Four layer architecture Application layer Application layer –Transaction control Services/middleware layer Services/middleware layer –Support services for applications –E.g.., DBMS, Object reference brokers Operating system layer Operating system layer –Memory management, scheduling and process control Hardware Hardware –Includes firmware

6 6 Architectural considerations Select the correct layer for a mechanism Select the correct layer for a mechanism –Controlling user actions may be more effective at application layer –Controlling file access may be more effective at the operating system layer Need to secure layers lower than target layer Need to secure layers lower than target layer –Application security means OS security as well –Special-purpose OS? –All DBMSs require the OS to provide specific security features

7 7 Build or Add? Security is an integral part of a system Security is an integral part of a system –Address security issues at system design phase –Easy to analyze and assure Reference monitor (concept) Reference monitor (concept) –Mediates all accesses to objects by subjects Reference validation mechanism (implementation) must be: Reference validation mechanism (implementation) must be: 1.Tamperproof 2.Never bypassed 3.Small enough to be subject to analysis and testing – the completeness can be assured Security kernel Security kernel –Hardware + software implementing a RM

8 8 Trusted Computing Base TCB consists of all protection mechanisms within a computer system that are responsible for enforcing a security policy TCB consists of all protection mechanisms within a computer system that are responsible for enforcing a security policy TCB monitors four basic interactions TCB monitors four basic interactions –Process activation –Execution domain switching –Memory protection –I/O operation A unified TCB may be too large A unified TCB may be too large –Create a security kernel

9 9 Security Policy Requirements Can be done at different levels Can be done at different levels Specification must be Specification must be –Clear  “meet C2 security” –Unambiguous  “users must be identified and authenticated” –Complete Methods of defining policies Methods of defining policies –Extract applicable requirements from existing security standards (e.g. Common Criteria) –Create a policy based on threat analysis –Map the system to an existing model Justify the requirements: completeness and consistency Justify the requirements: completeness and consistency

10 10 Design assurance Identify design flaws Identify design flaws –Enhances trustworthiness –Supports implementation and operational assurance Design assurance technique employs Design assurance technique employs –Specification of requirements –Specification of the system design –Process to examine how well the design meets the requirement

11 11 Techniques for Design Assurance Modularity & Layering Modularity & Layering –Well-defined independent modules –Simplifies and makes system more understandable –Data hiding –Easy to understand and analyze Different layers to capture different levels of abstraction Different layers to capture different levels of abstraction –Subsystem (memory management, I/O subsystem, credit- card processing function) –Subcomponent (I/O management, I/O drivers) –Module: set of related functions and data structure Use principles of secure design Use principles of secure design

12 12 Design Documents Design documentation is an important component in life cycle models Design documentation is an important component in life cycle models Documentation must specify Documentation must specify –Security functions and approach  Describe each security function  Overview of a set of security functions  Map to requirements (tabular) –External interfaces used by users  Parameters, syntax, security constraints and error conditions  Component overview, data descriptions, interface description –Internal design with low-level details  Overview of the component  Detailed description of the component  Security relevance of the component

13 13 Design meets requirements? Techniques needed Techniques needed –To prevent requirements and functionality from being discarded, forgotten, or ignored at lower levels of design Requirements tracing Requirements tracing –Process of identifying specific security requirements that are met by parts of a description Informal Correspondence Informal Correspondence –Process of showing that a specification is consistent with an adjacent level of specification

14 14 Requirement mapping and informal correspondence Security Functional Requirements External Functional Specification Internal Design Specification Implementation Code Requirement Tracing Informal Correspondence

15 15 Design meets requirements? Informal arguments Informal arguments –Protection profiles  Define threats to systems and security objectives  Provide rationale (an argument) –Security targets  Identifies mechanisms and provide justification Formal methods: proof techniques Formal methods: proof techniques –Formal proof mechanisms are usually based on logic (predicate calculus) –Model checking  Checks that a model satisfies a specification

16 16 Design meets requirements? Review Review –When informal assurance technique is used –Formal reviews include:  preparation  moderation  recording and reporting  resolution

17 17 Implementation considerations for assurance Modularity with minimal interfaces Modularity with minimal interfaces Language choice Language choice –C programs may not be reliable  Pointers – memory overwrites  Not much error handling  Writing past the bounds of memory and buffers –Java  Designed to support secure code as a primary goal  Ameliorates security risks present in C

18 18 Implementation meets Design? Security testing Security testing –Functional testing (FT) (black box testing)  Testing of an entity to determine how well it meets its specification –Structural testing (ST) (white box testing)  Testing based on an analysis of the code to develop test cases Testing occurs at different times Testing occurs at different times –Unit testing (usually ST): testing a code module before integration –System testing (FT): on integrated modules –Security testing: product security

Download ppt "1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004."

Similar presentations

Operating System Security

Operating System Security
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-1 Chapter 17: Introduction to Assurance Overview Why assurance? Trust and.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-1 Chapter 17: Introduction to Assurance Overview Why assurance? Trust and.
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
1 norshahnizakamalbashah-19112007- CEM v3.1: Chapter 10 Security Target Evaluation.

1 norshahnizakamalbashah CEM v3.1: Chapter 10 Security Target Evaluation.
Trusted Hardware: Can it be Trustworthy? Design Automation Conference 5 June 2007 Karl Levitt National Science Foundation Cynthia E. Irvine Naval Postgraduate.

Trusted Hardware: Can it be Trustworthy? Design Automation Conference 5 June 2007 Karl Levitt National Science Foundation Cynthia E. Irvine Naval Postgraduate.
1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.

1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.
1 Access Control Matrix CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 9, 2004.

1 Access Control Matrix CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 9, 2004.
1 Overview CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 8, 2004.

1 Overview CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 8, 2004.
1 Vulnerability Analysis CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 26, 2004.

1 Vulnerability Analysis CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 26, 2004.
Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.

Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
Chapter 1 Introduction. Chapter Overview Overview of Operating Systems Secure Operating Systems Basic Concepts in Information Security Design of a Secure.

Chapter 1 Introduction. Chapter Overview Overview of Operating Systems Secure Operating Systems Basic Concepts in Information Security Design of a Secure.
Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.

Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Security Assessments FITSP-M Module 5. Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass.

Security Assessments FITSP-M Module 5. Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass.
Chapter 10 Architectural Design

Chapter 10 Architectural Design
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
IS 2620: Developing Secure Systems Assurance and Evaluation Lecture 8 March 15, 2012.

IS 2620: Developing Secure Systems Assurance and Evaluation Lecture 8 March 15, 2012.
Security Assessments FITSP-A Module 5

Security Assessments FITSP-A Module 5

Similar presentations

Ads by Google