Security Architecture and Models
Download
Report
Transcript Security Architecture and Models
Security Architecture and
Models
Attempts at Formalization
Security Architecture and Models
1
Security Architecture & Models
Meeting 2 Agenda
CISP Review
Models and Definitions
Test Practice
Models
Tests
Practice
Security Architecture and Models
2
Mapping
Domain Name
Syllabus Mapping
Chapter 2
Security Trends
Designing Security Architecture Infrastructures A
Chapter 4
Access Control Systems & Methodology
Designing Security Architecture Infrastructures A
Chapter 5
Security Architecture & Models
Designing Security Architecture
Infrastructures B
Chapter 6
Physical Security
Designing Security Architecture Infrastructures C
Chapter 7
Telecommunications, Network & Internet Security
Designing Security Architecture Infrastructures D
Chapter 8
Cryptography
Designing Security Architecture Infrastructures E
Chapter 11
Applications & Systems Development
Designing Security Architecture Infrastructures F
Chapter 3
Security Management Practices
Management Infrastructures A
Chapter 9
Business Continuity Planning
Management Infrastructures B
Chapter 12
Operations Security
Management Infrastructures C
Chapter 10
Law, Investigation & Ethics
Management Infrastructures D
Test Preparation
Management Infrastructures E
Check Lists
Management Infrastructures E
Security Architecture and Models
3
What is Covered?
Formal Models & Correctness Proofs
Material from Study Guides
Attempted in 1980s in lots of domains
1990’s for security?
More Recent Efforts
Lots of Definitions
Why
When you identify possible problems it helps to
use reference to formal models in efforts to get
them fixed!
Security Architecture and Models
4
Computer Architecture – Included in
Some Study Guides!
CPU - Central Processing Unit Is a microprocessor
Memory: RAM / Random Access Memory
Memory Mapping: Real or primary memory
Uses secondary memory in conjunction with primary memory to present a
CPU with a larger, apparent address space of the real memory locations.
Memory addressing
- Memory directly addressable by the CPU and used for the storage of
instructions and data associated with the program that is being
Virtual memory –
Cache memory: Is a part of RAM that is used for high-speed writing and
reading activities.
PLD - Programmable Logic Device:
Register addressing, Direct addressing, Absolute addressing
Buffer Overflow – One of many Faults
If the software instructions do not properly set the boundaries for how much
data can come in as a block, extra data can slip in and be executed
Security Architecture and Models
5
Important Term
Star Property (Bell-LaPadula), also known as
confinement property - prevents subjects
from writing down into a dominated security
object
Contamination – co-mingling of data of
varying classification levels
Correctness Proof - mathematical proof of
consistency between a specification and
implementation
Security Architecture and Models
6
The Ten Worst Security Mistakes
Information Technology People Make
Connecting systems to the Internet before hardening them.
Connecting test systems to the Internet with default accounts/passwords
Failing to update systems when security holes are found.
Using telnet and other unencrypted protocols for managing systems, routers,
firewalls, and PKI.
Giving users passwords over the phone or changing user passwords in
response to telephone or personal requests when the requester is not
authenticated.
Failing to maintain and test backups.
Running unnecessary services
Implementing firewalls with rules that don't stop malicious or dangerous trafficincoming or outgoing.
Failing to implement or update virus detection software
Failing to educate users on what to look for and what to do when they see a
potential security problem.
Security Architecture and Models
7
What is the Common Criteria?
The Common Criteria represents the
outcome of a series of efforts to develop
criteria for evaluation of IT security that are
broadly useful within the international
community.
Need to use certificated products when trying to
avoid lots of testing for government contracts.
http://commoncriteria.org/index.html
Security Architecture and Models
8
Orange to Common Criteria
Security Architecture and Models
9
The Orange Book Trusted Computer
System Evaluation Criteria
The Orange Book / TCSEC:
Hierarchical division of security levels A - Verified protection
B - Mandatory protection
C - Discretionary protection
D - Minimal security
Evaluation levels D - Minimal Protection
C1 - Discretionary Security Protection
C2 - Controlled Access Protection
B1 - Labeled Security
B2 - Structured Protection
B3 - Security Domains
A1 - Verified Design
Security Architecture and Models
10
The Red Book / TNI:
TNI - Trusted Network Interpretation.
Addresses security evaluation topics for
networks and network components.
Ratings - None
- C1 - Minimum
- C2 - Fair
- B2 - Good
Security Architecture and Models
11
Model Goals
Security Architecture and Models
12
Modes of Operation
System High Mode - All users of a system have
clearance and approval to view info on the
system, but not necessarily need to know for all
info (typically military)
Compartmented (partitioned) mode - each user
with access meets security criteria, some need to
know
Multi-Level Secure mode (MLS) - Not all
personnel have approval or need to know for all
info in the system
Security Architecture and Models
13
The Three Tenets of Computer
Security
Confidentiality
Integrity
Unauthorized users cannot access data
Unauthorized users cannot manipulate/destroy
data
Availability
Unauthorized users cannot make system
resources unavailable to legitimate users
Security Architecture and Models
14
Security Models
Bell-LaPadula
Biba
Clark & Wilson
Non-interference
State machine
Access Matrix
Information flow
Security Architecture and Models
15
Bell-LaPadula
Formal description of allowable paths of
information flow in a secure system
Used to define security requirements for
systems handling data at different sensitivity
levels
*-property - prevents write-down, by
preventing subjects with access to high level
data from writing the information to objects of
lower access
Security Architecture and Models
16
Bell-LaPadula
Model defines secure state
Access between subjects, objects in accordance with
specific security policy
Model central to TCSEC (TCSEC is an
implementation of the Bell-LaPadula model)
Bell-LaPadula model only applies to secrecy of
information
identifies paths that could lead to inappropriate disclosure
the next model covers more . . .
Security Architecture and Models
17
Biba Integrity Model
Biba model covers integrity levels, which are
analogous to sensitivity levels in Bell-LaPadula
Integrity levels cover inappropriate modification of
data
Prevents unauthorized users from making
modifications (1st goal of integrity)
Read Up, Write Down model - Subjects cannot
read objects of lesser integrity, subjects cannot
write to objects of higher integrity
Security Architecture and Models
18
Bell-LaPadula versus Biba
Property
Basis
Protects
Rules
Biba Model
BLP Model
Confidentiality
Integrity
Hierarchically classified data
(e.g., Confidential, Secret,
Top Secret)
Hierarchically marked integrity
or quality data (e.g., Good,
Better, Best; or Vague, Precise)
Simple Security: A
Simple integrity: a subject
cannot
access/observe/read an
object of a lesser integrity.
*-property: a subject
cannot modify/write-to an
object with a higher
integrity.
subject cannot read
objects of higher
sensitivity (No read up)
*-property: a subject
cannot write to objects
of lower sensitivity (no
write down)
Security Architecture and Models
19
Clark & Wilson Model
An Integrity Model, like Biba
Addresses all 3 integrity goals
Prevents unauthorized users from making modifications
Maintains internal and external consistency
Prevents authorized users from making improper modifications
T - cannot be Tampered with while being changed
L - all changes must be Logged
C - Integrity of data is Consistent
Security Architecture and Models
20
Clark & Wilson Model
Proposes “Well Formed Transactions”
perform steps in order
perform exactly the steps listed
authenticate the individuals who perform the steps
Calls for separation of duty
Security Architecture and Models
21
Other Models
Noninterference model - Covers ways to
prevent subjects operating in one domain
from affecting each other in violation of
security policy
State machine model - abstract mathematical
model consisting of state variables and
transition functions
Security Architecture and Models
22
More Models
Access matrix model - a state machine model
for a discretionary access control
environment
Information flow model - simplifies analysis of
covert channels
Security Architecture and Models
23
Certification & Accreditation
Procedures and judgements to determine the
suitability of a system to operate in a target
operational environment
Certification considers system in operational
environment
Accreditation is the official management
decision to operate a system
Security Architecture and Models
24
IPSEC
IETF updated 1997, 1998
Addresses security at IP layer
Key goals:
authentication
encryption
Components
IP Authentication Header (AH)
Encapsulating Security Payload (ESP)
Both are vehicles for access control
Key management via ISAKMP
Security Architecture and Models
25
Network/Host Security Concepts
Security Awareness Program
CERT/CIRT
Errors of omission vs. commission
physical security
dial-up security
Host vs. network security controls
Wrappers
Fault Tolerance
Security Architecture and Models
26
TEMPEST
Electromagnetic shielding standard
Currently somewhat obsolete
See “accreditation” - i.e. acceptance of risk
Security Architecture and Models
27
Threats to Security Models and
Architectures
Covert Channels
Back Doors
Timing Issues
Buffer Overflows
Security Architecture and Models
28
Terms and Definitions
Access control - prevention of unauthorized use or misuse
of a system
ACL - Access control list
Access Mode - an operation on an object recognized by
the security mechanisms - think read, write or execute
actions on files
Accountability- actions can be correlated to an entity
Accreditation - approval to operate in a given capacity in a
given environment
Asynchronous attack - an attack exploiting the time lapse
between an attack action and a system reaction
Security Architecture and Models
29
Terms
Audit trail - records that document actions on
or against a system
Bounds Checking - within a program, the
process of checking for references outside of
declared limits. When bounds checking is
not employed, attacks such as buffer
overflows are possible
Compartmentalization - storing sensitive data
in isolated blocks
Security Architecture and Models
30
More Terms
Configuration Control - management and
control of changes to a system’s hardware,
firmware, software, and documentation
confinement - Ensuring data cannot be
abused when a process is executing a
borrowed program and has some access to
that data
Security Architecture and Models
31
Terms
Countermeasure - anything that neutralizes
vulnerability
Covert Channel - A communication channel that
allows cooperating processes to transfer
information in a way that violates a system’s
security policy
covert storage channel involves memory shared by
processes
covert timing channel involves modulation of system
resource usage (like CPU time)
Security Architecture and Models
32
Terms, cont.
Criticality - AF term - importance of system to
mission
Cycle - as in overwriting - one cycle consists
of writing a zero, then a 1 in every possible
location
Data Contamination - see Chinese espionage
- deliberate or accidental change in the
integrity of data
Security Architecture and Models
33
Heard this one yet?
Discretionary Access Control - an entity with
access privileges can pass those privileges
on to other entities
Mandatory Access control - requires that
access control policy decisions are beyond
the control of the individual owner of an
object (think military security classification)
Security Architecture and Models
34
Terms
DoD Trusted Computer System Evaluation
Criteria (TCSEC) - orange book
Firmware - software permanently stored in
hardware device (ROM, read only memory)
Formal Proof - mathematical argument
Hacker/Cracker
Lattice - partially ordered set where every
pair has greatest lower bound and least
upper bound
Security Architecture and Models
35
Terms
Principle of Least Privilege - every entity granted
least privileges necessary to perform assigned
tasks
Logic bomb - an unauthorized action triggered by
a system state
Malicious logic - evil hardware,software, or
firmware included by malcontents for
malcontents
Memory bounds - the limits in a range of storage
addresses for a protected memory region
Security Architecture and Models
36
Terminology
Piggy Back - unauthorized system via
another’s authorized access (shoulder surfing
is similar)
Privileged Instructions - set of instructions
generally executable only when system is
operating in executive state
Privileged property - a process afforded extra
privileges, often used in the context of being
able to override the Bell-LaPadula *-property
Security Architecture and Models
37
TERMS to Remember
Reference Monitor - a security control which controls
subjects’ access to resources - an example is the
security kernel for a given hardware base
Resource - anything used while a system is
functioning (eg CPU time, memory, disk space)
Resource encapsulation - property which states
resources cannot be directly accessed by subjects
because subject access must be controlled by the
reference monitor
Security Architecture and Models
38
Terminology, cont.
Security Kernel - hardware/software/firmware elements
of the Trusted Computing Base - security kernel
implements the reference monitor concept
Not in windows!!
Trusted Computing Base - from the TCSEC, the portion
of a computer system which contains all elements of the
system responsible for supporting the security policy and
supporting the isolation of objects on which the
protection is based -follows the reference monitor
concept
Security Architecture and Models
39
Terminology
Evaluation Guides other than the Orange
Book (TCSEC)
ITSEC - Information Technology Security
Evaluation Criteria (European)
CTCPEC - Canadian Trusted Computer
Product Evaluation Criteria
Common Criteria
Security Architecture and Models
40
Terminology
Trusted System
follows from TCB
A system that can be expected to meet users’
requirements for reliability, security, effectiveness
due to having undergone testing and validation
System Assurance
the trust that can be placed in a system, and the
trusted ways the system can be proven to have
been developed, tested, maintained, etc.
Security Architecture and Models
41
TCB Divisions (from TCSEC)
D - Minimal protection
C - Discretionary Protection
B - Mandatory Protection
C1 cooperative users who can protect their own info
C2 more granular DAC, has individual accountability
B1 Labeled Security Protection
B2 Structured Protection
B3 Security Domains
A - Verified Protection
A1 Verified Design
Security Architecture and Models
42
Terminology
Virus - program that can infect other programs
Worm - program that propagates but doesn’t
necessarily modify other programs
Bacteria or rabbit - programs that replicate
themselves to overwhelm system resources
Back Doors - trap doors - allow unauthorized
access to systems
Trojan horse - malicious program masquerading
as a benign program
Security Architecture and Models
43