Security Architecture and Models


Presentation Transcript


  1. Security Architecture and Models: Attempts at Formalization

  2. Security Architecture & Models
     • Meeting 2 Agenda
     • CISP Review
     • Models and Definitions
     • Test Practice

  3. Mapping

  4. What is Covered?
     • Formal Models & Correctness Proofs
       • Attempted in the 1980s in lots of domains
       • 1990s for security?
     • Material from Study Guides
     • More Recent Efforts
     • Lots of Definitions
     • Why?
       • When you identify possible problems, it helps to reference formal models in efforts to get them fixed!

  5. Computer Architecture – Included in Some Study Guides!
     • CPU - Central Processing Unit: a microprocessor
     • Memory: RAM / Random Access Memory
     • Cache memory: a part of RAM that is used for high-speed writing and reading activities
     • PLD - Programmable Logic Device:
     • Memory Mapping: real or primary memory - memory directly addressable by the CPU and used for the storage of instructions and data associated with the program that is being
     • Virtual memory - uses secondary memory in conjunction with primary memory to present a CPU with a larger, apparent address space of the real memory locations
     • Memory addressing: register addressing, direct addressing, absolute addressing
     • Buffer Overflow - one of many faults: if the software instructions do not properly set the boundaries for how much data can come in as a block, extra data can slip in and be executed

  6. Important Terms
     • Star Property (Bell-LaPadula), also known as the confinement property - prevents subjects from writing down into a dominated security object
     • Contamination - co-mingling of data of varying classification levels
     • Correctness Proof - mathematical proof of consistency between a specification and an implementation

  7. The Ten Worst Security Mistakes Information Technology People Make
     • Connecting systems to the Internet before hardening them
     • Connecting test systems to the Internet with default accounts/passwords
     • Failing to update systems when security holes are found
     • Using telnet and other unencrypted protocols for managing systems, routers, firewalls, and PKI
     • Giving users passwords over the phone or changing user passwords in response to telephone or personal requests when the requester is not authenticated
     • Failing to maintain and test backups
     • Running unnecessary services
     • Implementing firewalls with rules that don't stop malicious or dangerous traffic, incoming or outgoing
     • Failing to implement or update virus detection software
     • Failing to educate users on what to look for and what to do when they see a potential security problem

  8. What is the Common Criteria?
     • The Common Criteria represents the outcome of a series of efforts to develop criteria for evaluation of IT security that are broadly useful within the international community.
     • Need to use certified products when trying to avoid lots of testing for government contracts.
     • http://commoncriteria.org/index.html

  9. Orange to Common Criteria

  10. The Orange Book: Trusted Computer System Evaluation Criteria
     • The Orange Book / TCSEC: hierarchical division of security levels
       • A - Verified protection
       • B - Mandatory protection
       • C - Discretionary protection
       • D - Minimal security
     • Evaluation levels
       • D - Minimal Protection
       • C1 - Discretionary Security Protection
       • C2 - Controlled Access Protection
       • B1 - Labeled Security
       • B2 - Structured Protection
       • B3 - Security Domains
       • A1 - Verified Design

  11. The Red Book / TNI
     • TNI - Trusted Network Interpretation. Addresses security evaluation topics for networks and network components.
     • Ratings
       • None
       • C1 - Minimum
       • C2 - Fair
       • B2 - Good

  12. Model Goals

  13. Modes of Operation
     • System High Mode - all users of a system have clearance and approval to view info on the system, but not necessarily need-to-know for all info (typically military)
     • Compartmented (partitioned) mode - each user with access meets security criteria, some need-to-know
     • Multi-Level Secure mode (MLS) - not all personnel have approval or need-to-know for all info in the system

  14. The Three Tenets of Computer Security
     • Confidentiality
       • Unauthorized users cannot access data
     • Integrity
       • Unauthorized users cannot manipulate/destroy data
     • Availability
       • Unauthorized users cannot make system resources unavailable to legitimate users

  15. Security Models
     • Bell-LaPadula
     • Biba
     • Clark & Wilson
     • Non-interference
     • State machine
     • Access Matrix
     • Information flow

  16. Bell-LaPadula
     • Formal description of allowable paths of information flow in a secure system
     • Used to define security requirements for systems handling data at different sensitivity levels
     • *-property - prevents write-down, by preventing subjects with access to high-level data from writing the information to objects of lower access

  17. Bell-LaPadula
     • Model defines a secure state
     • Access between subjects and objects in accordance with a specific security policy
     • Model central to TCSEC (TCSEC is an implementation of the Bell-LaPadula model)
     • Bell-LaPadula model only applies to secrecy of information
       • identifies paths that could lead to inappropriate disclosure
       • the next model covers more . . .

  18. Biba Integrity Model
     • Biba model covers integrity levels, which are analogous to sensitivity levels in Bell-LaPadula
     • Integrity levels cover inappropriate modification of data
     • Prevents unauthorized users from making modifications (1st goal of integrity)
     • Read Up, Write Down model - subjects cannot read objects of lesser integrity, subjects cannot write to objects of higher integrity

  19. Bell-LaPadula versus Biba
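The Bell-LaPadula versus Biba comparison above, worked as an added example that is not part of the original deck: labels are lattice elements (a hierarchical level plus a compartment set, matching the "lattice" definition on the later terms slide), `dominates` is the partial order, `lub` the least upper bound, and the two models turn out to be exact duals of each other. The level names, compartments and access-mode strings are constructed for the example.

```python
# Added example, not from the slides: a lattice of security labels with the
# Bell-LaPadula rules (no read up, no write down) and the Biba rules (no read
# down, no write up) side by side. Level names and compartments are constructed.
from dataclasses import dataclass
from typing import FrozenSet

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    """One lattice element: a hierarchical level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # The lattice's partial order: level at least as high AND a superset of
        # compartments. Two labels can be incomparable (neither dominates).
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both a and b."""
    top = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(top, a.compartments | b.compartments)

def blp_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Bell-LaPadula (confidentiality labels): simple security + *-property."""
    if mode == "read":
        return subject.dominates(obj)   # simple security: no read up
    if mode == "write":
        return obj.dominates(subject)   # *-property: no write down
    raise ValueError(f"unknown access mode {mode!r}")

def biba_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Biba strict integrity (labels are integrity levels): the dual of BLP."""
    if mode == "read":
        return obj.dominates(subject)   # no read down: low-integrity data must not flow in
    if mode == "write":
        return subject.dominates(obj)   # no write up: must not taint higher-integrity objects
    raise ValueError(f"unknown access mode {mode!r}")

if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"CRYPTO"}))
    memo = Label("CONFIDENTIAL")
    for model in (blp_allows, biba_allows):
        for mode in ("read", "write"):
            print(model.__name__, mode, "->", model(analyst, memo, mode))
```

Note that a SECRET/CRYPTO subject and a SECRET/NUCLEAR object are incomparable, so BLP denies both read and write between them; only a subject holding their least upper bound can read both.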

  20. Clark & Wilson Model
     • An Integrity Model, like Biba
     • Addresses all 3 integrity goals
       • Prevents unauthorized users from making modifications
       • Maintains internal and external consistency
       • Prevents authorized users from making improper modifications
     • T - cannot be Tampered with while being changed
     • L - all changes must be Logged
     • C - Integrity of data is Consistent

  21. Clark & Wilson Model
     • Proposes “Well Formed Transactions”
       • perform steps in order
       • perform exactly the steps listed
       • authenticate the individuals who perform the steps
     • Calls for separation of duty

  22. Other Models
     • Noninterference model - covers ways to prevent subjects operating in one domain from affecting each other in violation of security policy
     • State machine model - abstract mathematical model consisting of state variables and transition functions

  23. More Models
     • Access matrix model - a state machine model for a discretionary access control environment
     • Information flow model - simplifies analysis of covert channels

  24. Certification & Accreditation
     • Procedures and judgements to determine the suitability of a system to operate in a target operational environment
     • Certification considers the system in its operational environment
     • Accreditation is the official management decision to operate a system

  25. IPSEC
     • IETF updated 1997, 1998
     • Addresses security at the IP layer
     • Key goals:
       • authentication
       • encryption
     • Components
       • IP Authentication Header (AH)
       • Encapsulating Security Payload (ESP)
       • Both are vehicles for access control
     • Key management via ISAKMP

  26. Network/Host Security Concepts
     • Security Awareness Program
     • CERT/CIRT
     • Errors of omission vs. commission
     • Physical security
     • Dial-up security
     • Host vs. network security controls
     • Wrappers
     • Fault Tolerance

  27. TEMPEST
     • Electromagnetic shielding standard
     • Currently somewhat obsolete
     • See “accreditation” - i.e. acceptance of risk

  28. Threats to Security Models and Architectures
     • Covert Channels
     • Back Doors
     • Timing Issues
     • Buffer Overflows

  29. Terms and Definitions
     • Access control - prevention of unauthorized use or misuse of a system
     • ACL - Access control list
     • Access Mode - an operation on an object recognized by the security mechanisms - think read, write or execute actions on files
     • Accountability - actions can be correlated to an entity
     • Accreditation - approval to operate in a given capacity in a given environment
     • Asynchronous attack - an attack exploiting the time lapse between an attack action and a system reaction

  30. Terms
     • Audit trail - records that document actions on or against a system
     • Bounds Checking - within a program, the process of checking for references outside of declared limits. When bounds checking is not employed, attacks such as buffer overflows are possible
     • Compartmentalization - storing sensitive data in isolated blocks

  31. More Terms
     • Configuration Control - management and control of changes to a system’s hardware, firmware, software, and documentation
     • Confinement - ensuring data cannot be abused when a process is executing a borrowed program and has some access to that data

  32. Terms
     • Countermeasure - anything that neutralizes a vulnerability
     • Covert Channel - a communication channel that allows cooperating processes to transfer information in a way that violates a system’s security policy
       • covert storage channel involves memory shared by processes
       • covert timing channel involves modulation of system resource usage (like CPU time)

  33. Terms, cont.
     • Criticality - AF term - importance of a system to the mission
     • Cycle - as in overwriting - one cycle consists of writing a zero, then a 1 in every possible location
     • Data Contamination - see Chinese espionage - deliberate or accidental change in the integrity of data

  34. Heard this one yet?
     • Discretionary Access Control - an entity with access privileges can pass those privileges on to other entities
     • Mandatory Access Control - requires that access control policy decisions are beyond the control of the individual owner of an object (think military security classification)

  35. Terms
     • DoD Trusted Computer System Evaluation Criteria (TCSEC) - Orange Book
     • Firmware - software permanently stored in a hardware device (ROM, read only memory)
     • Formal Proof - mathematical argument
     • Hacker/Cracker
     • Lattice - partially ordered set where every pair has a greatest lower bound and a least upper bound

  36. Terms
     • Principle of Least Privilege - every entity is granted the least privileges necessary to perform its assigned tasks
     • Logic bomb - an unauthorized action triggered by a system state
     • Malicious logic - evil hardware, software, or firmware included by malcontents for malcontents
     • Memory bounds - the limits in a range of storage addresses for a protected memory region

  37. Terminology
     • Piggy Back - unauthorized access to a system via another’s authorized access (shoulder surfing is similar)
     • Privileged Instructions - set of instructions generally executable only when the system is operating in executive state
     • Privileged property - a process afforded extra privileges, often used in the context of being able to override the Bell-LaPadula *-property

  38. TERMS to Remember
     • Reference Monitor - a security control which controls subjects’ access to resources - an example is the security kernel for a given hardware base
     • Resource - anything used while a system is functioning (e.g. CPU time, memory, disk space)
     • Resource encapsulation - property which states resources cannot be directly accessed by subjects because subject access must be controlled by the reference monitor

  39. Terminology, cont.
     • Security Kernel - hardware/software/firmware elements of the Trusted Computing Base; the security kernel implements the reference monitor concept
       • Not in Windows!!
     • Trusted Computing Base - from the TCSEC, the portion of a computer system which contains all elements of the system responsible for supporting the security policy and supporting the isolation of objects on which the protection is based; follows the reference monitor concept

  40. Terminology
     • Evaluation Guides other than the Orange Book (TCSEC)
       • ITSEC - Information Technology Security Evaluation Criteria (European)
       • CTCPEC - Canadian Trusted Computer Product Evaluation Criteria
       • Common Criteria

  41. Terminology
     • Trusted System
       • follows from TCB
       • A system that can be expected to meet users’ requirements for reliability, security, and effectiveness due to having undergone testing and validation
     • System Assurance
       • the trust that can be placed in a system, and the trusted ways the system can be proven to have been developed, tested, maintained, etc.

  42. TCB Divisions (from TCSEC)
     • D - Minimal Protection
     • C - Discretionary Protection
       • C1 - cooperative users who can protect their own info
       • C2 - more granular DAC, has individual accountability
     • B - Mandatory Protection
       • B1 - Labeled Security Protection
       • B2 - Structured Protection
       • B3 - Security Domains
     • A - Verified Protection
       • A1 - Verified Design

  43. Terminology
     • Virus - program that can infect other programs
     • Worm - program that propagates but doesn’t necessarily modify other programs
     • Bacteria or rabbit - programs that replicate themselves to overwhelm system resources
     • Back Doors - trap doors - allow unauthorized access to systems
     • Trojan horse - malicious program masquerading as a benign program
