Computer System Security CSE 5339/7339 Session 18 October 21, 2004
Contents • Midterm back • Midterm Key – Part-3 (Questions 2, 3, 9, 10) • Security Policy • Models of Security • Trusted Operating Systems • Mehmet’s presentation
Midterm Question 2 Let S1 = “ELVISISALIVE” and S2 = “DNOYZWLFEDSL”. a) What ciphertext results from using S1 as plaintext and S2 as a one-time pad? Justify your answer. b) If S2 is ciphertext, what characters must have been used as key material from a one-time pad if the plaintext is “ANDINMEMPHIS”? Justify your answer.
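Worked solution to both parts of Question 2, added here as an example; it is not the course's published answer key. It assumes the letter-wise one-time pad convention in which A..Z are 0..25, encryption is C = (P + K) mod 26 and the pad is recovered as K = (C − P) mod 26; the function names are my own. Part (b) also shows why the pad gives perfect secrecy: for any 12-letter plaintext there is a pad that maps it to S2.

```python
# Added example (not from the lecture slides): letter-wise one-time pad over
# the alphabet A..Z, with C = (P + K) mod 26 and K = (C - P) mod 26.
# The mod-26 convention is an assumption; the course key is not on the page.
from string import ascii_uppercase


def _nums(s):
    """Map 'A'..'Z' to 0..25; anything else is rejected."""
    s = s.upper()
    if any(ch not in ascii_uppercase for ch in s):
        raise ValueError("letters A-Z only")
    return [ord(ch) - ord("A") for ch in s]


def _text(nums):
    """Map integers back to letters; Python's % keeps negatives in 0..25."""
    return "".join(ascii_uppercase[n % 26] for n in nums)


def otp_encrypt(plaintext, pad):
    """Encrypt with a one-time pad; the pad must cover the whole plaintext."""
    p, k = _nums(plaintext), _nums(pad)
    if len(k) < len(p):
        raise ValueError("pad shorter than plaintext: key material would be reused")
    return _text(pi + ki for pi, ki in zip(p, k))


def otp_decrypt(ciphertext, pad):
    """Invert otp_encrypt: P = (C - K) mod 26."""
    c, k = _nums(ciphertext), _nums(pad)
    if len(k) < len(c):
        raise ValueError("pad shorter than ciphertext")
    return _text(ci - ki for ci, ki in zip(c, k))


def recover_pad(ciphertext, plaintext):
    """The pad that maps the given plaintext to the given ciphertext.
    One always exists for equal lengths, which is exactly why an intercepted
    one-time-pad ciphertext says nothing about which plaintext was sent."""
    c, p = _nums(ciphertext), _nums(plaintext)
    if len(c) != len(p):
        raise ValueError("ciphertext and plaintext lengths differ")
    return _text(ci - pi for ci, pi in zip(c, p))


S1 = "ELVISISALIVE"
S2 = "DNOYZWLFEDSL"


def question_2a():
    """S1 as plaintext, S2 as the pad."""
    return otp_encrypt(S1, S2)


def question_2b():
    """S2 as ciphertext, plaintext ANDINMEMPHIS: which pad was used?"""
    return recover_pad(S2, "ANDINMEMPHIS")


if __name__ == "__main__":
    print("2a ciphertext:", question_2a())
    print("2b pad:       ", question_2b())
    # Any other 12-letter plaintext is equally consistent with S2:
    print("pad for ATTACKATDAWN:", recover_pad(S2, "ATTACKATDAWN"))
```

Each computed column can be checked by hand the way the exam asks for justification: for instance E(4) + D(3) = 7 = H is the first ciphertext letter of part (a), and D(3) − A(0) = 3 = D is the first pad letter of part (b).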
Midterm Question 3 Describe the difference between symmetric-key and asymmetric-key cryptosystems. Discuss one advantage and one disadvantage of each.
Midterm Question 9 Using DES, what would the 32-bit output of the S-boxes be if the input was (in binary): 001011 010111 001011 110100 110110 111010 001000 110011
Midterm Question 10 Using AES, show the column that will result after applying the Mix Column operation to the following column: 0A 52 31 9C
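Worked solution to Question 10, added as an example and not the course's answer key. MixColumns multiplies the column by the fixed AES matrix (02 03 01 01 / 01 02 03 01 / 01 01 02 03 / 03 01 01 02) with all arithmetic in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1; the code below implements that field multiplication in general, applies it to the column 0A 52 31 9C, and checks the result with the inverse matrix (0E 0B 0D 09) so a hand calculation can be verified. Function names are my own.

```python
# Added example (not from the lecture slides): AES MixColumns on one 4-byte
# column, with arithmetic in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1


def xtime(b):
    """Multiply by x (i.e. by 02) in GF(2^8): shift, reduce if bit 8 carried."""
    b <<= 1
    if b & 0x100:
        b ^= AES_POLY
    return b & 0xFF


def gmul(a, b):
    """General GF(2^8) product by shift-and-add (addition is XOR)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


MIX = [[0x02, 0x03, 0x01, 0x01],
       [0x01, 0x02, 0x03, 0x01],
       [0x01, 0x01, 0x02, 0x03],
       [0x03, 0x01, 0x01, 0x02]]

INV_MIX = [[0x0E, 0x0B, 0x0D, 0x09],
           [0x09, 0x0E, 0x0B, 0x0D],
           [0x0D, 0x09, 0x0E, 0x0B],
           [0x0B, 0x0D, 0x09, 0x0E]]


def _mul_column(matrix, column):
    """Matrix-times-column where + is XOR and * is gmul."""
    if len(column) != 4 or any(not 0 <= b <= 0xFF for b in column):
        raise ValueError("column must be four bytes")
    out = []
    for row in matrix:
        acc = 0
        for coeff, byte in zip(row, column):
            acc ^= gmul(coeff, byte)
        out.append(acc)
    return out


def mix_column(column):
    return _mul_column(MIX, column)


def inv_mix_column(column):
    return _mul_column(INV_MIX, column)


def question_10():
    """MixColumns applied to the exam column 0A 52 31 9C."""
    return mix_column([0x0A, 0x52, 0x31, 0x9C])


def fmt(column):
    return " ".join(f"{b:02X}" for b in column)


if __name__ == "__main__":
    col = [0x0A, 0x52, 0x31, 0x9C]
    mixed = question_10()
    print(fmt(col), "->", fmt(mixed))
    print("inverse MixColumns:", fmt(inv_mix_column(mixed)))
```

To justify the first output byte by hand: 02·0A = 14, 03·52 = A4 ⊕ 52 = F6, and 14 ⊕ F6 ⊕ 31 ⊕ 9C = 4F; the 03·9C term in the last row needs the reduction step, since 9C·x overflows to 138 and becomes 38 ⊕ 1B = 23.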
Military Security Policy • Sensitivity levels, lowest to highest: Unclassified, Restricted, Confidential, Secret, Top Secret
Access to Information • Information access is limited by the need-to-know rule • Compartment: each piece of classified information may be associated with one or more projects, called compartments
Compartments and Sensitivity Levels [Figure: the five sensitivity levels, Top Secret down to Unclassified, with Compartments 1, 2 and 3 cutting across them]
Classification & Clearance • Classification: <rank; compartments> is the class of a piece of information • Clearance: an indication that a person is trusted to access information up to a certain level of sensitivity • <rank; compartments> is the clearance of a subject
Dominance Relation • For a subject s and an object o, we say that s dominates o (or o is dominated by s), written o ≤ s, if and only if rank(o) ≤ rank(s) and compartments(o) ⊆ compartments(s) • A subject can read an object only if the subject dominates the object
Example • Information classified as <secret; {Sweden}> • Which of the following subject clearances can read the above information? <top secret; {Sweden}>, <secret; {Sweden, crypto}>, <top secret; {crypto}>, <confidential; {Sweden}>, <secret; {France}>
Models of Security • Security models are used to • Test a particular policy for completeness and consistency • Document a policy • Help conceptualize and design an implementation • Check whether an implementation meets the requirements
Lattice [Figure: security classes arranged as a lattice, with its upper bound at the top and its lower bound at the bottom]
Bell-La Padula Model • Formal description of the allowable paths of information flow in a secure system • A set of subjects and a set of objects • Each subject s has a fixed security clearance C(s) • Each object o has a fixed security class C(o)
Bell-La Padula Model (Cont.) • Two properties characterize the secure flow of information: • Simple security property: a subject s may have read access to an object o only if C(o) ≤ C(s) • *-property: a subject s who has read access to an object o may have write access to an object p only if C(o) ≤ C(p)
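The dominance relation, the lattice it forms and the two Bell-La Padula properties, implemented together as an added example (not code from the course). It evaluates the five clearances from the <secret; {Sweden}> example slide and computes the least upper bound and greatest lower bound that the lattice figure refers to. The rank and compartment names come from the slides; the class and function names are my own.

```python
# Added example, not from the lecture slides: the <rank; compartments>
# dominance relation, the lattice join/meet, and the Bell-La Padula properties.
from dataclasses import dataclass

# Sensitivity ranks, lowest to highest (the military policy slide).
RANKS = ["unclassified", "restricted", "confidential", "secret", "top secret"]


@dataclass(frozen=True)
class Level:
    """A security class or clearance: <rank; compartments>."""
    rank: str
    compartments: frozenset

    def __post_init__(self):
        if self.rank not in RANKS:
            raise ValueError(f"unknown rank: {self.rank!r}")

    def dominates(self, other):
        """self >= other: rank at least as high AND every compartment of other."""
        return (RANKS.index(self.rank) >= RANKS.index(other.rank)
                and other.compartments <= self.compartments)

    def join(self, other):
        """Least upper bound: the higher rank, union of compartments."""
        rank = RANKS[max(RANKS.index(self.rank), RANKS.index(other.rank))]
        return Level(rank, self.compartments | other.compartments)

    def meet(self, other):
        """Greatest lower bound: the lower rank, intersection of compartments."""
        rank = RANKS[min(RANKS.index(self.rank), RANKS.index(other.rank))]
        return Level(rank, self.compartments & other.compartments)


def level(rank, *compartments):
    return Level(rank, frozenset(compartments))


def may_read(subject, obj):
    """Simple security property: s may read o only if C(o) <= C(s)."""
    return subject.dominates(obj)


def may_write(read_obj, write_obj):
    """*-property as stated on the slide: a subject that has read o may write
    p only if C(o) <= C(p), so information never flows to a lower class."""
    return write_obj.dominates(read_obj)


def slide_example():
    """Which clearances can read information classified <secret; {Sweden}>?"""
    info = level("secret", "Sweden")
    clearances = {
        "<top secret; {Sweden}>": level("top secret", "Sweden"),
        "<secret; {Sweden, crypto}>": level("secret", "Sweden", "crypto"),
        "<top secret; {crypto}>": level("top secret", "crypto"),
        "<confidential; {Sweden}>": level("confidential", "Sweden"),
        "<secret; {France}>": level("secret", "France"),
    }
    return {name: may_read(c, info) for name, c in clearances.items()}


if __name__ == "__main__":
    for name, ok in slide_example().items():
        print(f"{name:30} {'can read' if ok else 'cannot read'}")
    a, b = level("secret", "Sweden"), level("confidential", "crypto")
    print("join:", a.join(b))
    print("meet:", a.meet(b))
```

Two of the five clearances fail for different reasons: <top secret; {crypto}> outranks the information but lacks the Sweden compartment, while <confidential; {Sweden}> has the compartment but not the rank, which is why both conditions in the dominance definition are needed.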
Illustration [Figure: subjects s1, s2 and objects o1 to o5 arranged by security class from Low to High]
HRU Model (cont.) • HRU allows the state of the protection system to be changed by a well-defined set of commands built from six primitive operations: • Add subject s to M • Add object o to M • Delete subject s from M • Delete object o from M • Add right r to M[s,o] • Delete right r from M[s,o] • The owner of an object can change the rights to that object
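An HRU protection state with the six primitive operations above, plus two conditional commands composed from them, added as an example (not course code). The command names, the owner/file scenario and the rule that only the owner can confer read are my own illustration of how a command is a condition on the matrix followed by a sequence of primitives.

```python
# Added example, not from the lecture slides: an HRU protection state (S, O, M)
# with the six primitive operations and two conditional commands built on them.


class ProtectionSystem:
    """HRU state: subjects S, objects O and an access matrix M[s, o] of rights."""

    def __init__(self):
        self.subjects = set()
        self.objects = set()          # in HRU every subject is also an object
        self.matrix = {}              # (subject, object) -> set of rights

    # --- the six primitive operations ---------------------------------------
    def create_subject(self, s):
        self.subjects.add(s)
        self.objects.add(s)

    def create_object(self, o):
        self.objects.add(o)

    def destroy_subject(self, s):
        self.subjects.discard(s)
        self.destroy_object(s)

    def destroy_object(self, o):
        self.objects.discard(o)
        # dropping a row/column removes every right that mentions it
        for key in [k for k in self.matrix if o in k]:
            del self.matrix[key]

    def enter_right(self, r, s, o):
        if s not in self.subjects or o not in self.objects:
            raise KeyError(f"no cell M[{s}, {o}]")
        self.matrix.setdefault((s, o), set()).add(r)

    def delete_right(self, r, s, o):
        self.matrix.get((s, o), set()).discard(r)

    def rights(self, s, o):
        return frozenset(self.matrix.get((s, o), set()))

    # --- commands: a condition on M followed by a sequence of primitives ------
    def cmd_create_file(self, s, f):
        """command CREATE_FILE(s, f): create object f; enter own, read, write
        into M[s, f]."""
        self.create_object(f)
        for r in ("own", "read", "write"):
            self.enter_right(r, s, f)

    def cmd_confer_read(self, owner, friend, f):
        """command CONFER_READ(owner, friend, f):
        if own in M[owner, f] then enter read into M[friend, f]."""
        if "own" not in self.rights(owner, f):
            return False      # condition fails: the command has no effect
        self.enter_right("read", friend, f)
        return True

    def cmd_remove_read(self, owner, friend, f):
        """command REMOVE_READ(owner, friend, f):
        if own in M[owner, f] then delete read from M[friend, f]."""
        if "own" not in self.rights(owner, f):
            return False
        self.delete_right("read", friend, f)
        return True


def demo():
    """alice creates a file; only she, as owner, can confer read on bob."""
    ps = ProtectionSystem()
    ps.create_subject("alice")
    ps.create_subject("bob")
    ps.cmd_create_file("alice", "report.txt")
    by_bob = ps.cmd_confer_read("bob", "bob", "report.txt")       # not owner
    by_alice = ps.cmd_confer_read("alice", "bob", "report.txt")   # owner
    return ps, by_bob, by_alice


if __name__ == "__main__":
    ps, by_bob, by_alice = demo()
    print("bob granting himself read:", by_bob)
    print("alice granting bob read:  ", by_alice)
    for s in sorted(ps.subjects):
        print(f"M[{s}, report.txt] = {sorted(ps.rights(s, 'report.txt'))}")
```

The point of the HRU framing is that the primitives themselves are unconditional; all policy lives in the conditions of the commands, which is what makes the general safety question (can right r ever leak into some cell?) hard to decide.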
Take-Grant Model • Unlimited number of subjects and objects • States and state transitions • Represented as a directed graph • Four primitive operations: take, create, grant, revoke
Take-Grant Model (Cont.) [Figure: example protection graph with subjects S1, S2, S3 and objects O1, O2, O3 joined by edges labelled read, write and execute]
Create [Figure: S becomes S → O, i.e. subject S creates a new node O and gains the chosen rights over it]
Revoke [Figure: S → O labelled r1, r2, r3 becomes S → O labelled r1, r2, i.e. S removes some of its own rights over O]
Take [Figure: S1 → S2 labelled take and S2 → O labelled read become the same graph plus S1 → O labelled read, i.e. S1 takes S2's read right over O]
Grant [Figure: S1 → S2 labelled grant and S1 → O labelled read become the same graph plus S2 → O labelled read, i.e. S1 grants its read right over O to S2]
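The four take-grant rules as a runnable protection graph, added as an example (not course code). The take() and grant() helpers reproduce the two figures above, create_and_revoke_figure() reproduces the create and revoke figures, and take_without_right() shows the rule refusing to fire when the take edge is missing. Node names S1, S2, O follow the figures; the class and its checks are my own.

```python
# Added example, not from the lecture slides: a take-grant protection graph
# with the four rules (take, create, grant, revoke).
from collections import defaultdict


class TakeGrantGraph:
    """Directed graph: edges[(x, y)] is the set of rights x holds over y."""

    def __init__(self, subjects):
        self.subjects = set(subjects)   # only subjects can initiate rules
        self.edges = defaultdict(set)

    def add_edge(self, x, y, *rights):
        self.edges[(x, y)] |= set(rights)

    def rights(self, x, y):
        return frozenset(self.edges.get((x, y), ()))

    def _active(self, s):
        if s not in self.subjects:
            raise PermissionError(f"{s} is an object; objects cannot act")

    # --- the four rules -------------------------------------------------------
    def create(self, s, new, *rights):
        """create: s adds a new node and an edge s -> new carrying rights."""
        self._active(s)
        if any(new in key for key in self.edges):
            raise ValueError(f"{new} already exists")
        self.edges[(s, new)] |= set(rights)

    def revoke(self, s, o, *rights):
        """revoke: s drops some of its own rights over o (r1, r2, r3 -> r1, r2)."""
        self._active(s)
        self.edges[(s, o)] -= set(rights)

    def take(self, s, x, o, *rights):
        """take: if s --take--> x and x --r--> o, add s --r--> o."""
        self._active(s)
        if "take" not in self.rights(s, x):
            raise PermissionError(f"{s} has no take right over {x}")
        if not set(rights) <= self.rights(x, o):
            raise PermissionError(f"{x} does not hold {rights} over {o}")
        self.edges[(s, o)] |= set(rights)

    def grant(self, s, x, o, *rights):
        """grant: if s --grant--> x and s --r--> o, add x --r--> o."""
        self._active(s)
        if "grant" not in self.rights(s, x):
            raise PermissionError(f"{s} has no grant right over {x}")
        if not set(rights) <= self.rights(s, o):
            raise PermissionError(f"{s} does not hold {rights} over {o}")
        self.edges[(x, o)] |= set(rights)


def take_figure():
    """S1 --take--> S2, S2 --read--> O  ==>  S1 --read--> O as well."""
    g = TakeGrantGraph(subjects={"S1", "S2"})
    g.add_edge("S1", "S2", "take")
    g.add_edge("S2", "O", "read")
    g.take("S1", "S2", "O", "read")
    return g


def grant_figure():
    """S1 --grant--> S2, S1 --read--> O  ==>  S2 --read--> O as well."""
    g = TakeGrantGraph(subjects={"S1", "S2"})
    g.add_edge("S1", "S2", "grant")
    g.add_edge("S1", "O", "read")
    g.grant("S1", "S2", "O", "read")
    return g


def create_and_revoke_figure():
    """S creates O with r1, r2, r3 and then revokes r3."""
    g = TakeGrantGraph(subjects={"S"})
    g.create("S", "O", "r1", "r2", "r3")
    g.revoke("S", "O", "r3")
    return g


def take_without_right():
    """Without S1 --take--> S2 the take rule must not fire."""
    g = TakeGrantGraph(subjects={"S1", "S2"})
    g.add_edge("S2", "O", "read")
    try:
        g.take("S1", "S2", "O", "read")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("after take:  S1 -> O", sorted(take_figure().rights("S1", "O")))
    print("after grant: S2 -> O", sorted(grant_figure().rights("S2", "O")))
    print("after revoke: S -> O", sorted(create_and_revoke_figure().rights("S", "O")))
    print("take refused without take edge:", take_without_right())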
Trusted OS Design • An OS is a complex system that is difficult to design • Adding the responsibility of security enforcement makes it even more difficult • The OS controls all interactions between subjects and objects • There must be a clear mapping from security requirements to the design • The design must be checked using formal reviews or simulation • Requirements, then design, then testing
Security Design Principles • Least privilege – users and programs run with the fewest privileges possible • Economy of mechanism – small, simple, straightforward • Open design – security rests on extensive public scrutiny, not on secrecy of the design • Complete mediation – every access attempt must be checked • Permission based – denial of access is the default • Separation of privilege – access depends on more than one condition • Least common mechanism – minimise shared mechanisms, since sharing is a risk • Ease of use – mechanisms that are easy to use are unlikely to be bypassed
OS Functions [Diagram: users reach the OS services through the user interface; the services are synchronization, concurrency control, deadlock management, communication, accounting and resource allocation; the managed resources are data, CPU, memory, I/O devices, tables and libraries]
Security features in an ordinary OS • Authentication of users – password comparison • Protection of memory – user space, paging, segmentation • File and I/O device access control – access control matrix • Allocation of and access control to general objects – table lookup • Enforcement of sharing – integrity, consistency • Fair service – no starvation • Interprocess communication and synchronization – table lookup • Protection of the OS's own protection data – encryption, hardware control, isolation
Security features of a Trusted OS • Identification and authentication • Mandatory and discretionary access control (MAC and DAC) • Object reuse protection • Complete mediation – all accesses are checked • Trusted path • Accountability and audit – security log • Audit log reduction • Intrusion detection – patterns of normal system usage, anomalies
Kernel – the part of the OS that performs the lowest-level functions [Figure: layers from top to bottom: user tasks, OS, OS kernel, hardware]
Security Kernel – responsible for enforcing the security mechanisms of the entire OS • Coverage – ensures that every access is checked • Separation – security mechanisms are isolated from the rest of the OS and from user space, so they are easier to protect • Unity – all security mechanisms are performed by a single set of code, so problems are easier to trace • Modifiability – changes to security mechanisms are easier to make and test • Compactness – relatively small • Verifiability – formal methods can show that all situations are covered
Combined Security Kernel / OS System [Figure: layers user tasks, OS, OS kernel, hardware; the OS kernel handles hardware interactions and access control; the OS handles resource allocation, sharing, access control and authentication functions; security activity is spread across both]
Separate Security Kernel [Figure: layers user tasks, OS, security kernel, hardware; the security kernel handles access control and authentication functions; the OS handles resource allocation, sharing and hardware interactions]