Security Architecture and Models Attempts at Formalization Security Architecture and Models
Security Architecture & Models
• Meeting 2 Agenda
• CISP Review
• Models and Definitions
• Test Practice

Mapping
What is Covered?
• Formal Models & Correctness Proofs
  • Attempted in the 1980s in lots of domains
  • 1990s for security?
• Material from Study Guides
• More Recent Efforts
• Lots of Definitions
• Why? When you identify possible problems, referring to formal models helps get them fixed!
Computer Architecture (Included in Some Study Guides!)
• CPU - Central Processing Unit: is a microprocessor
• Memory: RAM / Random Access Memory
• Cache memory: is a part of RAM that is used for high-speed writing and reading activities
• PLD - Programmable Logic Device:
• Memory Mapping: real or primary memory - memory directly addressable by the CPU and used for the storage of instructions and data associated with the program that is being
• Virtual memory - uses secondary memory in conjunction with primary memory to present the CPU with a larger, apparent address space than the real memory locations
• Memory addressing: register addressing, direct addressing, absolute addressing
• Buffer Overflow - one of many faults: if the software instructions do not properly set the boundaries for how much data can come in as a block, extra data can slip in and be executed
Important Terms
• Star Property (Bell-LaPadula), also known as the confinement property - prevents subjects from writing down into a dominated security object
• Contamination - co-mingling of data of varying classification levels
• Correctness Proof - mathematical proof of consistency between a specification and an implementation
The Ten Worst Security Mistakes Information Technology People Make
• Connecting systems to the Internet before hardening them.
• Connecting test systems to the Internet with default accounts/passwords.
• Failing to update systems when security holes are found.
• Using telnet and other unencrypted protocols for managing systems, routers, firewalls, and PKI.
• Giving users passwords over the phone or changing user passwords in response to telephone or personal requests when the requester is not authenticated.
• Failing to maintain and test backups.
• Running unnecessary services.
• Implementing firewalls with rules that don't stop malicious or dangerous traffic, incoming or outgoing.
• Failing to implement or update virus detection software.
• Failing to educate users on what to look for and what to do when they see a potential security problem.
What is the Common Criteria?
• The Common Criteria represents the outcome of a series of efforts to develop criteria for evaluation of IT security that are broadly useful within the international community.
• Need to use certified products when trying to avoid lots of testing for government contracts.
• http://commoncriteria.org/index.html

Orange to Common Criteria
The Orange Book: Trusted Computer System Evaluation Criteria
• The Orange Book / TCSEC: hierarchical division of security levels
  • A - Verified protection
  • B - Mandatory protection
  • C - Discretionary protection
  • D - Minimal security
• Evaluation levels:
  • D - Minimal Protection
  • C1 - Discretionary Security Protection
  • C2 - Controlled Access Protection
  • B1 - Labeled Security
  • B2 - Structured Protection
  • B3 - Security Domains
  • A1 - Verified Design
The Red Book / TNI
• TNI - Trusted Network Interpretation. Addresses security evaluation topics for networks and network components.
• Ratings:
  • None
  • C1 - Minimum
  • C2 - Fair
  • B2 - Good

Model Goals
Modes of Operation
• System High Mode - all users of a system have clearance and approval to view information on the system, but do not necessarily have need to know for all information (typically military)
• Compartmented (partitioned) mode - each user with access meets the security criteria, some have need to know
• Multi-Level Secure mode (MLS) - not all personnel have approval or need to know for all information in the system
The Three Tenets of Computer Security
• Confidentiality
  • Unauthorized users cannot access data
• Integrity
  • Unauthorized users cannot manipulate/destroy data
• Availability
  • Unauthorized users cannot make system resources unavailable to legitimate users

Security Models
• Bell-LaPadula
• Biba
• Clark & Wilson
• Non-interference
• State machine
• Access Matrix
• Information flow
Bell-LaPadula
• Formal description of allowable paths of information flow in a secure system
• Used to define security requirements for systems handling data at different sensitivity levels
• *-property - prevents write-down, by preventing subjects with access to high-level data from writing the information to objects of lower access
Bell-LaPadula
• Model defines a secure state
• Access between subjects and objects is in accordance with a specific security policy
• Model central to TCSEC (TCSEC is an implementation of the Bell-LaPadula model)
• Bell-LaPadula model only applies to secrecy of information
  • identifies paths that could lead to inappropriate disclosure
  • the next model covers more . . .
Biba Integrity Model
• Biba model covers integrity levels, which are analogous to sensitivity levels in Bell-LaPadula
• Integrity levels cover inappropriate modification of data
• Prevents unauthorized users from making modifications (1st goal of integrity)
• Read Up, Write Down model - subjects cannot read objects of lesser integrity, subjects cannot write to objects of higher integrity

Bell-LaPadula versus Biba
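The two models above are mirror images of one another over the same lattice, which is easiest to see in code. The following is an added example written for this page, not material from the original slides: it builds a small lattice of labels (a hierarchical level plus a set of compartments, with dominance, least upper bound and greatest lower bound), then expresses the Bell-LaPadula simple security and *-properties and the Biba "read up, write down" rules as four one-line checks. The level names, compartments and the subject/object labels in the demo are constructed.

```python
"""Bell-LaPadula and Biba rules checked over one security lattice.

Added example, not part of the original slides. The level names, compartments
and subject/object labels are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Constructed hierarchical levels; a higher number dominates a lower one.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
LEVEL_NAMES = {rank: name for name, rank in LEVELS.items()}


@dataclass(frozen=True)
class Label:
    """One lattice element: a hierarchical level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other: level at least as high AND compartments a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the higher level with the union of compartments."""
    return Label(LEVEL_NAMES[max(LEVELS[a.level], LEVELS[b.level])],
                 a.compartments | b.compartments)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the lower level with the intersection of compartments."""
    return Label(LEVEL_NAMES[min(LEVELS[a.level], LEVELS[b.level])],
                 a.compartments & b.compartments)


# Bell-LaPadula: labels are sensitivity (secrecy) levels.
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property, "no read up": the subject must dominate the object."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property, "no write down": the object must dominate the subject."""
    return obj.dominates(subject)


# Biba: the same lattice read as integrity levels; the rules are the mirror image.
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple integrity property, "no read down": the object must dominate the subject."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """Integrity *-property, "no write up": the subject must dominate the object."""
    return subject.dominates(obj)


def decision_table(subject: Label, obj: Label) -> dict:
    """All four decisions for one subject/object pair, for side-by-side comparison."""
    return {
        "blp_read": blp_can_read(subject, obj),
        "blp_write": blp_can_write(subject, obj),
        "biba_read": biba_can_read(subject, obj),
        "biba_write": biba_can_write(subject, obj),
    }


if __name__ == "__main__":
    # Constructed labels: the director outranks the analyst but lacks the NUCLEAR compartment.
    analyst = Label("SECRET", frozenset({"NUCLEAR"}))
    director = Label("TOP SECRET")
    memo = Label("CONFIDENTIAL")
    reactor_plan = Label("SECRET", frozenset({"NUCLEAR"}))
    for who, what in [(analyst, memo), (director, reactor_plan), (memo, reactor_plan)]:
        print(who, "->", what, decision_table(who, what))
    print("lub:", lub(director, reactor_plan), "glb:", glb(director, reactor_plan))
```

The director/reactor-plan pair is the instructive case: the two labels are incomparable in the lattice, so neither model allows a read or a write in either direction, even though TOP SECRET is the higher level. A real system would also have to handle the Bell-LaPadula "trusted subject" exception to the *-property, which this example deliberately omits.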
Clark & Wilson Model
• An integrity model, like Biba
• Addresses all 3 integrity goals
  • Prevents unauthorized users from making modifications
  • Maintains internal and external consistency
  • Prevents authorized users from making improper modifications
• T - cannot be Tampered with while being changed
• L - all changes must be Logged
• C - integrity of data is Consistent

Clark & Wilson Model
• Proposes "Well-Formed Transactions"
  • perform steps in order
  • perform exactly the steps listed
  • authenticate the individuals who perform the steps
• Calls for separation of duty
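The T/L/C goals and the well-formed-transaction idea from the two Clark & Wilson slides can be made concrete in a few dozen lines. The following is an added example, not code from the original slides: constrained data items (CDIs) may only be changed by certified transformation procedures (TPs), a user may only invoke a TP on a CDI through a certified (user, TP, CDI) triple, conflicting TPs cannot be certified to the same user on the same CDI (separation of duty), every TP runs on a copy and is committed only if an integrity verification procedure (IVP) accepts the result (T and C), and every attempt is recorded (L). The ledger CDI, the TP names and the user names are constructed.

```python
"""Clark-Wilson well-formed transactions: certified access triples, separation of
duty, an integrity verification procedure (IVP) and an audit log.

Added example, not part of the original slides. The "ledger" CDI, the TP names
and the user names are constructed for illustration.
"""
from copy import deepcopy


class IntegrityViolation(Exception):
    """A transaction would leave a constrained data item in a state the IVP rejects."""


class ClarkWilsonSystem:
    def __init__(self, ivp, separation_of_duty=()):
        self.cdis = {}          # constrained data items: name -> current value
        self.tps = {}           # certified transformation procedures: name -> callable
        self.allowed = set()    # certified (user, TP, CDI) triples
        self.ivp = ivp          # integrity verification procedure
        self.sod = {frozenset(p) for p in separation_of_duty}   # conflicting TP pairs
        self.log = []           # append-only record of every attempt ("L")

    def add_cdi(self, name, value):
        if not self.ivp(value):
            raise IntegrityViolation(f"initial state of {name!r} fails the IVP")
        self.cdis[name] = value

    def certify_tp(self, name, fn):
        self.tps[name] = fn

    def allow(self, user, tp, cdi):
        """Certify a triple; refuse it if it gives one user both halves of a conflicting pair."""
        if tp not in self.tps:
            raise KeyError(f"{tp!r} is not a certified TP")
        for u, t, c in self.allowed:
            if u == user and c == cdi and frozenset({t, tp}) in self.sod:
                raise PermissionError(f"separation of duty: {user} already holds {t!r} on {cdi!r}")
        self.allowed.add((user, tp, cdi))

    def run(self, user, tp, cdi, *args):
        """Well-formed transaction: authorize, transform a copy, verify, then commit."""
        if (user, tp, cdi) not in self.allowed:
            self.log.append((user, tp, cdi, "denied"))
            raise PermissionError(f"{user} may not run {tp!r} on {cdi!r}")
        # "T": the TP works on a copy, so a failing transaction never leaves the CDI half-changed.
        candidate = self.tps[tp](deepcopy(self.cdis[cdi]), user, *args)
        # "C": the IVP must accept the result before it becomes the CDI's new state.
        if not self.ivp(candidate):
            self.log.append((user, tp, cdi, "rejected by IVP"))
            raise IntegrityViolation(f"{tp!r} would corrupt {cdi!r}")
        self.cdis[cdi] = candidate
        self.log.append((user, tp, cdi, "committed"))
        return candidate


# Constructed CDI: a ledger whose running total must equal the sum of its entries.
def ledger_ivp(ledger):
    return (all(e["amount"] >= 0 for e in ledger["entries"])
            and ledger["total"] == sum(e["amount"] for e in ledger["entries"]))


def post_entry(ledger, user, amount):
    ledger["entries"].append({"amount": amount, "posted_by": user, "approved_by": None})
    ledger["total"] += amount
    return ledger


def approve_entry(ledger, user, index):
    ledger["entries"][index]["approved_by"] = user
    return ledger


def set_total(ledger, user, value):
    """A defective TP that edits the total directly; the IVP is what catches it."""
    ledger["total"] = value
    return ledger


def build_demo():
    system = ClarkWilsonSystem(ledger_ivp, separation_of_duty=[("post_entry", "approve_entry")])
    system.add_cdi("ledger", {"entries": [], "total": 0})
    for name, fn in [("post_entry", post_entry), ("approve_entry", approve_entry), ("set_total", set_total)]:
        system.certify_tp(name, fn)
    system.allow("alice", "post_entry", "ledger")
    system.allow("bob", "approve_entry", "ledger")
    system.allow("carol", "set_total", "ledger")
    return system


if __name__ == "__main__":
    s = build_demo()
    s.run("alice", "post_entry", "ledger", 100)
    s.run("bob", "approve_entry", "ledger", 0)
    try:
        s.allow("alice", "approve_entry", "ledger")   # alice already posts: refused
    except PermissionError as exc:
        print("refused:", exc)
    try:
        s.run("carol", "set_total", "ledger", 999)    # certified, but the IVP rejects the result
    except IntegrityViolation as exc:
        print("blocked:", exc)
    print(s.cdis["ledger"], *s.log, sep="\n")
```

Note that certification of a TP and certification of a triple are separate steps: `set_total` is a certified TP and carol holds a valid triple for it, yet the transaction still fails because the IVP, not the access check, is what enforces consistency. The ledger is unchanged after the failed run, which is the "T" property in action.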
Other Models
• Noninterference model - covers ways to prevent subjects operating in one domain from affecting each other in violation of security policy
• State machine model - abstract mathematical model consisting of state variables and transition functions

More Models
• Access matrix model - a state machine model for a discretionary access control environment
• Information flow model - simplifies analysis of covert channels
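The state machine and access matrix models fit together naturally: the state is the matrix plus the sets of subjects and objects, each command is a transition function, and the system is secure if every transition takes a secure state to a secure state. The following is an added example, not from the original slides, showing that structure for a discretionary access control policy where only an object's owner may pass rights on; every access request goes through one `access` method, which is the reference monitor idea in miniature. The rights vocabulary, the "exactly one owner per object" invariant and the names in the demo are constructed.

```python
"""Access matrix model as a state machine: the state is (subjects, objects, matrix),
each command is a transition, and a transition is kept only if it carries a secure
state to a secure state. Every access request is mediated in one place.

Added example, not part of the original slides. The rights vocabulary, the
one-owner-per-object invariant and the names used in the demo are constructed.
"""
from copy import deepcopy

RIGHTS = {"read", "write", "execute", "own"}


class AccessMatrix:
    def __init__(self):
        self.subjects = set()
        self.objects = set()
        self.matrix = {}     # (subject, object) -> set of rights
        self.history = []    # every transition and access decision, for audit

    def rights(self, subject, obj):
        return self.matrix.get((subject, obj), set())

    def is_secure(self):
        """The state invariant: this is what "secure state" means for this toy policy."""
        for (s, o), rs in self.matrix.items():
            if s not in self.subjects or o not in self.objects or not rs <= RIGHTS:
                return False
        for o in self.objects:
            owners = [s for s in self.subjects if "own" in self.rights(s, o)]
            if len(owners) != 1:
                return False
        return True

    def _transition(self, label, change):
        """Apply `change`; if the new state violates the invariant, roll back and refuse."""
        snapshot = deepcopy(self.__dict__)
        change()
        if not self.is_secure():
            self.__dict__.clear()
            self.__dict__.update(snapshot)
            raise PermissionError(f"{label} would leave an insecure state")
        self.history.append(("transition",) + label)

    def create_subject(self, subject):
        self._transition(("create_subject", subject), lambda: self.subjects.add(subject))

    def create_object(self, owner, obj):
        def change():
            self.objects.add(obj)
            self.matrix[(owner, obj)] = self.rights(owner, obj) | {"own", "read", "write"}
        self._transition(("create_object", owner, obj), change)

    def grant(self, granter, subject, obj, right):
        """Discretionary access control: only the owner may pass a right on."""
        if "own" not in self.rights(granter, obj):
            raise PermissionError(f"{granter} does not own {obj}")

        def change():
            self.matrix[(subject, obj)] = self.rights(subject, obj) | {right}
        self._transition(("grant", granter, subject, obj, right), change)

    def revoke(self, revoker, subject, obj, right):
        if "own" not in self.rights(revoker, obj):
            raise PermissionError(f"{revoker} does not own {obj}")

        def change():
            self.matrix[(subject, obj)] = self.rights(subject, obj) - {right}
        self._transition(("revoke", revoker, subject, obj, right), change)

    def access(self, subject, obj, right):
        """Reference-monitor style check: every request comes through here and is recorded."""
        granted = right in self.rights(subject, obj)
        self.history.append(("access", subject, obj, right, "granted" if granted else "denied"))
        return granted


if __name__ == "__main__":
    m = AccessMatrix()
    m.create_subject("alice")
    m.create_subject("bob")
    m.create_object("alice", "report")
    m.grant("alice", "bob", "report", "read")
    for attempt in (lambda: m.grant("bob", "bob", "report", "write"),   # bob is not the owner
                    lambda: m.grant("alice", "bob", "report", "own")):  # would create a second owner
        try:
            attempt()
        except PermissionError as exc:
            print("refused:", exc)
    print(m.access("bob", "report", "read"), m.access("bob", "report", "write"))
    for entry in m.history:
        print(entry)
```

Two kinds of refusal appear here and it is worth keeping them apart: `grant` by a non-owner is rejected by the command's own precondition, whereas granting a second `own` right passes the precondition and is only caught because the resulting state fails the invariant and is rolled back. The second kind is what the state machine model is for.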
Certification & Accreditation
• Procedures and judgements to determine the suitability of a system to operate in a target operational environment
• Certification considers the system in its operational environment
• Accreditation is the official management decision to operate a system
IPSEC
• IETF updated 1997, 1998
• Addresses security at the IP layer
• Key goals:
  • authentication
  • encryption
• Components:
  • IP Authentication Header (AH)
  • Encapsulating Security Payload (ESP)
  • Both are vehicles for access control
• Key management via ISAKMP
Network/Host Security Concepts
• Security Awareness Program
• CERT/CIRT
• Errors of omission vs. commission
• Physical security
• Dial-up security
• Host vs. network security controls
• Wrappers
• Fault Tolerance

TEMPEST
• Electromagnetic shielding standard
• Currently somewhat obsolete
• See "accreditation", i.e. acceptance of risk

Threats to Security Models and Architectures
• Covert Channels
• Back Doors
• Timing Issues
• Buffer Overflows
Terms and Definitions
• Access control - prevention of unauthorized use or misuse of a system
• ACL - Access control list
• Access Mode - an operation on an object recognized by the security mechanisms; think read, write or execute actions on files
• Accountability - actions can be correlated to an entity
• Accreditation - approval to operate in a given capacity in a given environment
• Asynchronous attack - an attack exploiting the time lapse between an attack action and a system reaction

Terms
• Audit trail - records that document actions on or against a system
• Bounds Checking - within a program, the process of checking for references outside of declared limits. When bounds checking is not employed, attacks such as buffer overflows are possible
• Compartmentalization - storing sensitive data in isolated blocks
More Terms
• Configuration Control - management and control of changes to a system's hardware, firmware, software, and documentation
• Confinement - ensuring data cannot be abused when a process is executing a borrowed program and has some access to that data

Terms
• Countermeasure - anything that neutralizes a vulnerability
• Covert Channel - a communication channel that allows cooperating processes to transfer information in a way that violates a system's security policy
  • a covert storage channel involves memory shared by processes
  • a covert timing channel involves modulation of system resource usage (like CPU time)
Terms, cont.
• Criticality - AF term - importance of the system to the mission
• Cycle - as in overwriting - one cycle consists of writing a zero, then a 1, in every possible location
• Data Contamination - see Chinese espionage - deliberate or accidental change in the integrity of data

Heard this one yet?
• Discretionary Access Control - an entity with access privileges can pass those privileges on to other entities
• Mandatory Access Control - requires that access control policy decisions are beyond the control of the individual owner of an object (think military security classification)
Terms
• DoD Trusted Computer System Evaluation Criteria (TCSEC) - Orange Book
• Firmware - software permanently stored in a hardware device (ROM, read-only memory)
• Formal Proof - mathematical argument
• Hacker/Cracker
• Lattice - partially ordered set where every pair has a greatest lower bound and a least upper bound

Terms
• Principle of Least Privilege - every entity is granted the least privileges necessary to perform its assigned tasks
• Logic bomb - an unauthorized action triggered by a system state
• Malicious logic - evil hardware, software, or firmware included by malcontents for malcontents
• Memory bounds - the limits in a range of storage addresses for a protected memory region
Terminology
• Piggy Back - unauthorized system access via another's authorized access (shoulder surfing is similar)
• Privileged Instructions - set of instructions generally executable only when the system is operating in executive state
• Privileged property - a process afforded extra privileges, often used in the context of being able to override the Bell-LaPadula *-property

TERMS to Remember
• Reference Monitor - a security control which controls subjects' access to resources; an example is the security kernel for a given hardware base
• Resource - anything used while a system is functioning (e.g. CPU time, memory, disk space)
• Resource encapsulation - property which states resources cannot be directly accessed by subjects because subject access must be controlled by the reference monitor

Terminology, cont.
• Security Kernel - hardware/software/firmware elements of the Trusted Computing Base; the security kernel implements the reference monitor concept
  • Not in Windows!!
• Trusted Computing Base - from the TCSEC, the portion of a computer system which contains all elements of the system responsible for supporting the security policy and supporting the isolation of objects on which the protection is based; follows the reference monitor concept
Terminology
• Evaluation Guides other than the Orange Book (TCSEC)
  • ITSEC - Information Technology Security Evaluation Criteria (European)
  • CTCPEC - Canadian Trusted Computer Product Evaluation Criteria
  • Common Criteria

Terminology
• Trusted System
  • follows from TCB
  • a system that can be expected to meet users' requirements for reliability, security, and effectiveness due to having undergone testing and validation
• System Assurance
  • the trust that can be placed in a system, and the trusted ways the system can be proven to have been developed, tested, maintained, etc.
TCB Divisions (from TCSEC)
• D - Minimal protection
• C - Discretionary Protection
  • C1 - cooperative users who can protect their own info
  • C2 - more granular DAC, has individual accountability
• B - Mandatory Protection
  • B1 - Labeled Security Protection
  • B2 - Structured Protection
  • B3 - Security Domains
• A - Verified Protection
  • A1 - Verified Design

Terminology
• Virus - program that can infect other programs
• Worm - program that propagates but doesn't necessarily modify other programs
• Bacteria or rabbit - programs that replicate themselves to overwhelm system resources
• Back Doors - trap doors - allow unauthorized access to systems
• Trojan horse - malicious program masquerading as a benign program