Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2001 Objective Interface Systems, Inc. Common Expressions/Languages for Protection Profiles Bill Beckwith Objective Interface Systems,

Published byJessie Gary Morton Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2001 Objective Interface Systems, Inc. Common Expressions/Languages for Protection Profiles Bill Beckwith Objective Interface Systems,"— Presentation transcript:

1 © 2001 Objective Interface Systems, Inc. Common Expressions/Languages for Protection Profiles Bill Beckwith bill.beckwith@ois.com Objective Interface Systems, Inc. 13873 Park Center Road, Suite 360 Herndon, VA 20171-3247 703/295-6500 (voice) 703/295-6501 (fax) http://www.ois.com/ info@ois.com

2 © 2003 Objective Interface Systems, Inc. 2 Agenda  Objectives  Background on Common Criteria  Objectives  Arena for Common Expression  MILS Example

3 © 2003 Objective Interface Systems, Inc. 3 Background on Common Criteria  Common Criteria  Used as the basis for evaluation of security properties of IT  Permit comparability between independent security evaluations  By providing a common set of requirements for the security functions  And for assurance measures applied to them during a security evaluation  Evaluation process establishes a level of confidence  Target audience: consumers, developers, evaluators, et al  Protection Profile  An implementation-independent set of security requirements  For a category of TOEs  That meet specific consumer needs  A warning to standards authors: PPs have no APIs, no wire formats, …

4 © 2003 Objective Interface Systems, Inc. 4 EAL: Evaluated Assurance Level  EAL 1 = functionally tested  EAL 2 = structurally tested  EAL 3 = methodically tested and checked  EAL 4 = methodically designed, tested, and reviewed  analysis of security functions  informal model of security policy & independent testing  vulnerability analysis for low attack potential attackers  EAL 5 = semiformally designed and tested  semiformal functional spec & HL design + semiformal correspondence  covert channel analysis  vulnerability analysis for moderate attack potential attackers  EAL 6 = semiformally verified design and tested  structured development process & more structured architecture  vulnerability analysis for high attack potential attackers  structured presentation + semiformal LL design  systematic covert channel analysis  more comprehensive vulnerability analysis  improved CM and development environment controls  EAL 7 = formally verified design and tested  formal functional spec and HL design + formal correspondence  comprehensive testing

5 © 2003 Objective Interface Systems, Inc. 5 Objectives  Reduce time-to-understand new PPs  Develop and leverage common knowledge  Improve consistency of PPs  Common definitions  Common approach  Common creation and vetting process  Ease creation of high quality PPs  Template  Reference example  Assure composition of components  Facilitate layering of PPs  Facilitate specification of layered security architectures  Facilitate evaluation of layered security architecture implementations

6 © 2003 Objective Interface Systems, Inc. 6 Arena for Common Expression

7 © 2001 Objective Interface Systems, Inc. MILS Security: Example Architecture

8 © 2003 Objective Interface Systems, Inc. 8 Security Evolution Fail-first Patch-later (cont.)  Questions:  How many PC anti-virus programs can detect or repair handle malicious device drivers?  None!  What can an Active-X web download do to your PC?  Anything!

9 © 2003 Objective Interface Systems, Inc. 9 Privilege Mode Processing Network Data Wild Creatures of the Net, Worms, Virus,... Foundational Threats Buffer Overflow ?

10 © 2003 Objective Interface Systems, Inc. 10 Privilege Mode Processing Network Data Under MILS Network Data and Privilege Mode Processing is Separated Paradigm Shift Foundational Threats (That MILS Protects Against)

11 © 2001 Objective Interface Systems, Inc. MILS Multiple Independent Levels of Security

12 © 2003 Objective Interface Systems, Inc. 12 The Whole Point of MILS Really simple:  Dramatically reduce the amount of security critical code  Dramatically increase the scrutiny of security critical code

13 © 2003 Objective Interface Systems, Inc. 13 MILS Objective  Enable the Application Layer Entities to  Enforce, Manage, and Control  Application Level  Security Policies  where the Application Level Security Policies are  Non-Bypassable,  Evaluatable,  Always-Invoked, and  Tamper-proof.  An architecture that allows the Security Kernel to share the RESPONSIBILITY of Security with the Application.

14 © 2003 Objective Interface Systems, Inc. 14 Required Characteristics of MILS Reference Monitors Partitioning Kernel & trusted Middleware must be: Non-bypassable  Security functions cannot be circumvented Evaluatable  Security functions are small enough and simple enough for mathematically verification Always Invoked  Security functions are invoked each and every time Tamperproof  Subversive code cannot alter the security functions  By exhausting resources, over-running buffers, or other ways of making the security software fail

15 © 2003 Objective Interface Systems, Inc. 15 MILS Architecture  Three distinct layers (John Rushby, PhD)  Partitioning Kernel must  Separate process spaces (partitions)  Provide secure transfer of control between partitions  MILS Middleware provides  Application component creation  Secure inter-object message flow  e.g., ORB, device driver, file system  Applications provide  Application specific security functions  e.g., firewalls, crypto services

16 © 2003 Objective Interface Systems, Inc. 16 CSCI (Main Program) Monolithic Applications Partitioning Kernel Middleware Orange Book vs. MILS Architecture Kernel Privilege Mode Monolithic Kernel Information Flow Periods Processing Mathematical Verification User Mode Device drivers Auditing File systems MAC DAC Network I/OFault Isolation Data isolation

17 © 2003 Objective Interface Systems, Inc. 17 MILS: Like a JVM for All Applications  The Java Virtual Machine contains  Internet Java  To a confined set of operations  In each JVM  Result:  Potential for damage is limited  The MILS architecture contains  All executable code  To a confined set of operations  In each partition  Result:  Potential for damage is bounded  + Information flow is bounded Application and Data MILS Partition

18 © 2003 Objective Interface Systems, Inc. 18 MILS Network Security Policy Example MILS provides End-to-End: D1 D2 D3 BS RV RPM E1 E2 E3 RS BV BPM Red DataBlack Data Information Flow Data Isolation Periods Processing Damage Limitation CPU & Network Registers Switches, DMA, … Policy Enforcement Independent of Node Boundaries System

19 © 2003 Objective Interface Systems, Inc. 19 Partitioning Kernel: Just a Start …  Partitioning Kernel provides  Secure foundation for secure middleware  Secure Middleware provides  Most of traditional O/S capabilities  File system  Device drivers ( not in the kernel, not special privileges)  Etc.  Secure intersystem communication (PCS)  Secure foundation for building secure applications  Secure Applications can  Be built!  Be trusted to enforce application-level security policies!!!

20 © 2003 Objective Interface Systems, Inc. 20 Layer Responsibilities MILS Partitioning Kernel Functionality  Time and Space Partitioning  Data Isolation  Inter-partition Communication  Periods Processing  Minimum Interrupt Servicing  Semaphores  Timers  Instrumentation MILS Middleware Functionality  RTOS Services  Display Drivers  Keyboard Drivers  File System  Partitioned Communication System  Inter-processor Communication  Traditional Middleware  Real-time CORBA  Data Distribution Services  Web Services And nothing else!

Download ppt "© 2001 Objective Interface Systems, Inc. Common Expressions/Languages for Protection Profiles Bill Beckwith Objective Interface Systems,"

Similar presentations

Operating Systems Components of OS

Operating Systems Components of OS
Threads, SMP, and Microkernels

Threads, SMP, and Microkernels
Operating System Security

Operating System Security
Operating System Structures

Operating System Structures
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Information Security and Cloud Computing Naresh K. Sehgal, Sohum Sohoni, Ying Xiong, David Fritz, Wira Mulia, and John M. Acken 1 NKS.

Information Security and Cloud Computing Naresh K. Sehgal, Sohum Sohoni, Ying Xiong, David Fritz, Wira Mulia, and John M. Acken 1 NKS.
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
New Direction for Software Protection in Embedded Systems Department of EECS University of Michigan Feb 22, 2007 Kang G. Shin.

New Direction for Software Protection in Embedded Systems Department of EECS University of Michigan Feb 22, 2007 Kang G. Shin.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Title of Selected Paper: Design and Implementation of Secure Embedded Systems Based on Trustzone Authors: Yan-ling Xu, Wei Pan, Xin-guo Zhang Presented.

Title of Selected Paper: Design and Implementation of Secure Embedded Systems Based on Trustzone Authors: Yan-ling Xu, Wei Pan, Xin-guo Zhang Presented.
Security Models and Architecture

Security Models and Architecture
Secure Operating Systems Lesson 0x11h: Systems Assurance.

Secure Operating Systems Lesson 0x11h: Systems Assurance.
Fundamentals of Computer Security Geetika Sharma Fall 2008.

Fundamentals of Computer Security Geetika Sharma Fall 2008.
Chapter 11 Firewalls.

Chapter 11 Firewalls.
Introduction to Operating Systems CS-2301 B-term 20081 Introduction to Operating Systems CS-2301, System Programming for Non-majors (Slides include materials.

Introduction to Operating Systems CS-2301 B-term Introduction to Operating Systems CS-2301, System Programming for Non-majors (Slides include materials.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
1/21/2008CSCI 315 Operating Systems Design1 Operating System Structures Notice: The slides for this lecture have been largely based on those accompanying.

1/21/2008CSCI 315 Operating Systems Design1 Operating System Structures Notice: The slides for this lecture have been largely based on those accompanying.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Figure 1.1 Interaction between applications and the operating system.

Figure 1.1 Interaction between applications and the operating system.

Similar presentations

Ads by Google