Ms2 ms3 ms4 levels official yearly planning & omitted lessons
Official levels of Computer Security
-
Upload
arden-burke -
Category
Documents
-
view
44 -
download
0
description
Transcript of Official levels of Computer Security
![Page 1: Official levels of Computer Security](https://reader036.fdocuments.in/reader036/viewer/2022072016/568131d9550346895d983f16/html5/thumbnails/1.jpg)
Official levels of Computer Security•United States Government Department of Defense (DoD)•Trusted Computer System Evaluation Criteria (TCSEC)- “Orange Book”•Requirements:
1. Specific security requirements2. Assurance requirements
![Page 2: Official levels of Computer Security](https://reader036.fdocuments.in/reader036/viewer/2022072016/568131d9550346895d983f16/html5/thumbnails/2.jpg)
TCSEC /Orange Book
• 4 divisions- A,B,C,D– Specifies evaluation classes (D, C1, C2, B1, B2, B3, A1)– Specifies functionality and assurance requirements
for each class
• Each class defines 4 requirements– Policy– Accountability– Assurance– Documentation
![Page 3: Official levels of Computer Security](https://reader036.fdocuments.in/reader036/viewer/2022072016/568131d9550346895d983f16/html5/thumbnails/3.jpg)
TCSEC Classes
• D – Minimal Protection• C1 – Discretionary Security Protection– Identification and authentication and DAC– users processing data at common sensitivity level, separates
users from data– Minimal Assurance, may be based on features, not
evaluation• C2 – Control led access protection– Adds object reuse and auditing– More testing requirements– Windows NT 3.5 evaluated C2
![Page 4: Official levels of Computer Security](https://reader036.fdocuments.in/reader036/viewer/2022072016/568131d9550346895d983f16/html5/thumbnails/4.jpg)
TCSEC Classes• B1 – Labelled Security Protection
– Adds MAC for some objects• Controlled objects “labeled”, access control based on these
– Stronger testing requirements. Information model of security policy. Bell-La Padula model.
– Trusted Unix tended to be B1
• B2 – Structured protection– MAC for all objects, including devices. – Design and implementation must enable thorough testing & review
• “well-defined largely independent modules”– Trusted Path. Least privilege.– Covert channel analysis, configuration management, more
documentation, formal model of security policy
![Page 5: Official levels of Computer Security](https://reader036.fdocuments.in/reader036/viewer/2022072016/568131d9550346895d983f16/html5/thumbnails/5.jpg)
TCSEC Classes• B3 – Security Domains
– Requirements on code modularity, layering, simplicity.– Argument (short of proof) that implementation meets design
specifications– Tamper-proof implementation– More stringent testing and documentation.– XTS-200/STOP
• A1 – Verified protection– Same functional requirements as B3– Five criteria
• Formal model of protection and proofs of consistency/adequacy• Formal specification for protection system• Demonstration that specification corresponds to model of
protection• “proof” that implementation is consistent with specification• Formal analysis of covert channel
– Existence proof : Honeywell’s SCOMP
![Page 6: Official levels of Computer Security](https://reader036.fdocuments.in/reader036/viewer/2022072016/568131d9550346895d983f16/html5/thumbnails/6.jpg)
Trusted Computing Base• Trusted Computing Base
– Hardware and software for enforcing security rules process• Reference monitor
– Part of TCB Reference– All system calls go throughreference monitor for security checking– Most OS not designed thisway
![Page 7: Official levels of Computer Security](https://reader036.fdocuments.in/reader036/viewer/2022072016/568131d9550346895d983f16/html5/thumbnails/7.jpg)
![Page 8: Official levels of Computer Security](https://reader036.fdocuments.in/reader036/viewer/2022072016/568131d9550346895d983f16/html5/thumbnails/8.jpg)
![Page 9: Official levels of Computer Security](https://reader036.fdocuments.in/reader036/viewer/2022072016/568131d9550346895d983f16/html5/thumbnails/9.jpg)
Security Breaches
• Interception• Interruption• Modification• FabricationSecurity Hole - Software & hardware vulnerability– Holes that allow DoS– Holes that allow Local users unauthorized access– Holes that allow Remote users unauthorized access
![Page 10: Official levels of Computer Security](https://reader036.fdocuments.in/reader036/viewer/2022072016/568131d9550346895d983f16/html5/thumbnails/10.jpg)
• Other types:– FTP– Gopher– Telnet– Sendmail– ARP– Portmap