Information Systems Security Security Architecture Domain #5.
-
date post
21-Dec-2015 -
Category
Documents
-
view
214 -
download
0
Transcript of Information Systems Security Security Architecture Domain #5.
Information Systems Security
Security Architecture
Domain #5
Hardware Components
CPU– Primary Storage– Control Unit
Coordinates activities during instruction execution Does not process data
– Arithmetic Logic Unit (ALU) Perform mathematical functions on data
Memory Types
Primary Memory (RAM/ROM/EPROM/EE) Real Memory
– Available to users Cache Memory
– Buffers used to increase performance– Holds data that is accessed often
Virtual Memory– Combination of real and secondary storage
Memory Management
Keep track of used memory segments Assign memory to processes Manage swapping Memory protection Access control Control virtual memory addressing
Protection Rings
Organize Code and components in an operating system into concentric rings
Modern OS’s use a 4-ring model Ring 0 – highest privilege – kernel Ring 1 – remainder of the OS Ring 2 – drivers and utilities Ring 3 – applications and programs – user
mode
Hardware Bus
Data Bus– Transfers instructions and data – Differs based on architectures
EISA – 8/16 MCA – 16/32 VLB – 32 PCI – 32/64 AGP - 32
Process and Threads
Process– Application and users run as processes in OS– Process can contain several threads of code– Thread are individual instruction sets
Threads
Advantages– Much quicker to create than a process– Much quicker to switch between threads– Share data easier– Used in browsers and windowing systems
Disadvantages– No security between threads– If one user thread blocks, all are blocked
Process States
Stopped – not running
Waiting – waiting for interrupt
Running – being executed by the CPU
Ready – available and waiting for instruction
System Functionality
Multithreading– Several threads processing at one time
Multitasking– Several processes at one time
Multiprocessing– Multiple CPU available
System Security Modes
Dedicated Security Mode– All users have clearance and need-to-know to
access all information on the system– Does not require complex methods of
controlling access between different levels Multilevel Security Mode
– All users have clearance but not need-to-know– Two of more levels of classification– Data is compartmentalized in containers
Security Modes
Dedicated Mode– Single state system– All have need to know and clearance
System High Mode– All have need-to-know for ‘some’ material
Compartmented Mode– Not all have access for all information
Multilevel Mode– Not all have clearance or need-to-know
Levels of System Trust
Processes with higher trust can access more system instructions
CPU architecture dictates the levels of trust available and the rights of access
CPU executes instructions in different states depending upon the process trust level– User mode – less trusted– Privilege mode – most trusted
Trusted Computing Base
All mechanisms that provide protection for the system– Software, firmware, hardware
Made up of processes that executed in privileged mode
Term originated from the Orange Book
System Protection
Reference Monitor– Access control concept that is referred to as an
abstract machine that mediates all accesses– Controls relationship between subjects and
objects Security Kernel
– Enforces the reference monitors rules– Physical implementation of reference monitor– Part of TCB concerned with access control
Access Control Models
Provides rules and structures used to control access and shows how decisions are made
Main components are subjects, objects, operations, and their relationships
Goal is to control how objects are accessed and ensure a security principle– Confidentiality, integrity
Finite State Machine
Execution sequence for each possible state transformation
Mappings for each state change Does not specify protection mechanisms or
means of enforcing model If system comes up in a secure state and
shuts down in a secure state, the system is secure
Information Flow
Information must flow securely through the system– Bell – Lapadula– Biba– Clark-Wilson– Take-Grant– Access Control Matrix– Noninterference
Bell LaPadula
Confidentiality Model Information cannot flow to an object of
lesser classification Mathematical model uses a set theory to
define access rights Maps a subject’s clearance and an object’s
classification and creates a relationship
Rules
Subjects cannot read data from an object in a higher security level– “No Read Up” – simple security property– “No Write Up” – star property– “No Write Up and No Read Down” – strong star
Biba
Integrity Model– No subject can depend on an object of lesser
integrity– Based on hierarchical lattice – Prevents modification of objects by
unauthorized subjects– Prevents unauthorized modification by
authorized users
Rules of Biba
“No Write Up” – integrity axiom– No writing data at a higher integrity level
“No Read Down” – simple axiom– No reading data from a lower integrity level
Disadvantages– Does not address confidentiality– Does not address control management nor
provide a way to change classification levels
Clark - Wilson
Integrity Model– Model for commercial integrity– Requires well formed transactions and
separation of duties– Does not use lattice approach, partitions objects
into programs and data– Access triple – subject must go through a
program to access and modify data– Separation of duties with auditing required
Non-Interference
Based on theory where users are separated into different domains
An output stream remains unchanged when inputs come from levels that are less dominant
Subject cannot be influenced by the behavior of other subjects at higher security levels
Lattice Based
Every subject and object relationship has a partially ordered set with a lower and upper bounds
Rules are set that dictate how information can flow from one class to another– Confidential can flow to secret but secret cannot
flow to confidential
Access Control
Relational table Specifies the operations and rights allowed
for each subject Access Control Lists – DACL, trustees
Brewer - Nash
Also known as “Chinese Wall” Mathematical theory used to implement
dynamically changing access permissions Defines a wall and develops a set of rules
that ensures no subject accesses objects on the other side
Enforces “no conflict of interest” rules Allows separation of competitors’ data
Take Grant
Mathematical framework for granting and revoking access authorization
Analytical tool for auditors to test software security
Rules for how users transfer their permissions to others
Trusted Computer System Evaluation Criteria (TCSEC)
Developed by National Security Computer Center
Based on the Bell-LaPadula model Uses a series of evaluation classes “Orange Book”
Requirements of TCSEC
Security Policy Marking – labels associated with objects Identification – individual ID of subjects Accountability – audit data collected Assurance – each mechanism evaluated Continuous protection – mechanisms
always protected against unauthorized changes
TCSEC Ratings
A1 – Verified Protection B3,B2,B1 – Mandatory Protection C2,C1 – Discretionary Protection D – Minimal Security Red Book – Trusted Network Interpretation
Layers of TCSEC
C1 – Discretionary Security Protection C2 – Controlled Access Protection B1 – Labeled Security B2 – Structured Security (covert channels) B3 – Security Domains (covert timing) A1 – Verified Protection
Information Technology Security Evaluation Criteria (ITSEC)
Evaluates functionality and assurance separately – F1 to F10 for functionality– E0 to E6 for assurance
E0 = D F1+E1 = C1 F2+E2 = C2 F3+E3 = B1 etc
ITSEC
Advantages– More granular approach– Goes beyond the Orange Book
Disadvantages– Increased amount of rating combinations– Still does not provide all the answers
Common Criteria
ISO created in 1993 TCSEC was too rigid ITSEC added too much complexity Target of Evaluation (TOE) Security Target (ST) EALs – E1 (functionally tested only) –
E7(formally verified, designed, and tested)
Covert Channels
Timing Channels – conveys information by altering the performance of a system component in a predictable manner
Storage Channels – conveys information by writing data to a common storage area where another process can read it.
Level B2 address covert channels Level B3 address covert timing
Certification and Authentication
Certification– 1st phase – comprehensive evaluation of the
security features of an IT system Accreditation
– Management decides the certification of the system satisfies their needs
Definition, Verification, Validation, Post Accreditation
Other Threats
Back Doors Maintenance Hooks Asynchronous Attack – TOC/TOU Race Attacks Data Validation (Unicode attack) Buffer Overflow (Use input controls) SYN Flood Ping of Death
More Attacks
TCP Session Hijacking Web Spoofing DNS Poisoning