Section 4: Security Architecture and Design
Transcript of the slide deck (50 pages): Computer Architecture | Rings of Protection | Security Modules | System Evaluation

Source: secure.com.sg/courses/ICT287/S02/Security_Models.pdf (Page 1)

Section 4: Security Architecture and Design

- Computer Architecture
- Rings of Protection
- Security Modules
- System Evaluation


4-2 Security Models

- Security models are used to incorporate the security policies enforced by the operating system
- Security models the CISSP candidate needs to know include:
  - State machine
  - Bell-LaPadula model
  - Biba
  - Clark-Wilson
  - Brewer-Nash model
  - Information flow model
  - Non-interference model
  - Graham-Denning model


4-3 State Machine Models

- The state machine model:
  - Deals with the different states a system can enter
  - Uses abstract mathematical models
- The state machine consists of:
  - State variables
  - Transition functions
- If a state machine starts in a secure state and every transition that takes place in the system is secure, the system can never end up in an insecure state


4-4 Bell-LaPadula Model

- Built on the state machine concept
- Designed so that:
  - A system that starts secure stays secure
  - Transitions always occur in a secure state

[Figure: Bell-LaPadula State Transactions, showing inputs X1 and X2, transition functions f1 and f2, and states A1 and A2.]


4-5 Bell-LaPadula Model (cont.)

- Model contains three properties
- Properties are defined as follows:
  - Simple security property: a subject cannot read an object of higher sensitivity (no read up)
  - Star property (* property): a subject cannot write to an object of lower sensitivity (no write down)
  - Strong star property (strong * property): a subject cannot read or write an object of higher or lower sensitivity; it may read and write only at its own level


4-6 Bell-LaPadula Model (cont.)

- Model's weaknesses:
  - Considers only normal channels of information exchange and does not address covert channels
  - Does not deal with modern systems that use file sharing and servers
  - Does not explicitly define what it means by a secure state transition
  - Is based on a multilevel security policy
    - Does not address other policy types that may be used by an organization, such as integrity


4-7 Rules of Integrity

Item  Description
1     Data is protected from modification by unauthorized users
2     Data is protected from unauthorized modification by authorized users
3     Data is internally and externally consistent
4     Data held in a database must balance internally and correspond to the external, real-world situation


4-8 Biba Model

- Developed to address the concerns of integrity
- Originally published in 1977, this lattice-based model has the following properties:
  - Simple integrity property: a subject at one level of integrity is not permitted to read an object of lower integrity
  - Star (*) integrity property: a subject at one level of integrity is not permitted to write to an object of higher integrity
  - Invocation property: prohibits a subject at one level of integrity from invoking a subject at a higher level of integrity
    - If this invocation were possible, software at the higher level could be used to access restricted data


4-9 Biba Model (cont.)

- Only addresses integrity, not availability or confidentiality
- The Biba model only addresses the first rule of integrity
- It also assumes that internal threats are being protected against by good coding practices and therefore focuses on external threats


4-10 Clark-Wilson Model

- Created in 1987
- Differed from previous models as it was developed to be used for commercial activities
- Dictates that:
  - Separation of duties must be enforced
  - Subjects must access data through an application
  - Auditing is required
- Differs from the Biba model in that subjects are restricted
  - A subject at one level of access can read one set of data, while a subject at another level of access has access to a different set of data


4-11 Clark-Wilson Model (cont.)

- Unit of access control is the "access control triple," composed of:
  - User
  - Transformation procedure
  - Constrained data item
- Well-formed transaction:
  - Preserves/ensures internal consistency
  - Manipulates data only in ways that ensure internal consistency
- T: data cannot be Tampered with while being changed
- L: all changes must be Logged
- C: integrity of data is Consistent
- Requires integrity labels
- Addresses all the rules of integrity
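The access-control triple, the well-formed transaction and the T/L/C rules of the two Clark-Wilson slides, as an added example that is not the deck's own code. Users reach constrained data items only through certified transformation procedures, each run is authorized by a (user, TP, CDI) triple, the TP works on a copy that is committed only if the integrity verification procedure still passes, and every attempt is logged. The ledger, accounts, users and TPs are constructed.

```python
"""Clark-Wilson enforcement over a toy ledger. Added example, not the deck's
code; the accounts, users and transformation procedures are constructed."""
import copy
from dataclasses import dataclass, field


class AccessDenied(Exception):
    pass


# Certified transformation procedures (TPs). Users never touch CDIs directly;
# they can only ask the system to run one of these on named accounts.
def tp_transfer(cdis: dict, src: str, dst: str, amount: int) -> None:
    cdis["accounts"][src] -= amount
    cdis["accounts"][dst] += amount


def tp_deposit(cdis: dict, dst: str, amount: int) -> None:
    cdis["accounts"][dst] += amount
    cdis["total"] += amount


@dataclass
class ClarkWilson:
    cdis: dict                                       # constrained data items
    tps: dict = field(default_factory=dict)          # certified TP name -> function
    triples: set = field(default_factory=set)        # (user, tp, cdi) access-control triples
    log: list = field(default_factory=list)          # every attempted TP run (rule L)

    def ivp(self, cdis=None) -> bool:
        """Integrity verification procedure: no negative balance and the book
        balances (integrity rule 3: internal consistency)."""
        c = self.cdis if cdis is None else cdis
        accounts = c["accounts"]
        return all(v >= 0 for v in accounts.values()) and sum(accounts.values()) == c["total"]

    def certify(self, tp_name: str, tp) -> None:
        self.tps[tp_name] = tp

    def authorize(self, certifier: str, user: str, tp_name: str, cdi: str) -> None:
        """Add a triple. Separation of duties: whoever certifies an access may not be its user."""
        if certifier == user:
            raise AccessDenied("separation of duties: certifier cannot authorize themselves")
        self.triples.add((user, tp_name, cdi))

    def run(self, user: str, tp_name: str, accounts: tuple, amount: int) -> bool:
        """Well-formed transaction: check triples, run the TP on a working copy so the
        live CDIs cannot be tampered with mid-change (rule T), commit only if the IVP
        still passes (rule C), and log the outcome either way (rule L)."""
        tp = self.tps.get(tp_name)
        if tp is None:
            raise AccessDenied(f"{tp_name!r} is not a certified TP")
        for cdi in accounts:
            if (user, tp_name, cdi) not in self.triples:
                self.log.append((user, tp_name, accounts, amount, "DENIED"))
                raise AccessDenied(f"no triple ({user}, {tp_name}, {cdi})")
        work = copy.deepcopy(self.cdis)
        tp(work, *accounts, amount)
        if not self.ivp(work):
            self.log.append((user, tp_name, accounts, amount, "ROLLED_BACK"))
            return False
        self.cdis = work
        self.log.append((user, tp_name, accounts, amount, "OK"))
        return True


def denied(cw: ClarkWilson, user: str, tp_name: str, accounts: tuple, amount: int) -> bool:
    """True if the system refuses the request outright (no triple / uncertified TP)."""
    try:
        cw.run(user, tp_name, accounts, amount)
        return False
    except AccessDenied:
        return True


def build_demo() -> ClarkWilson:
    """Constructed ledger: alice and bob accounts; an auditor certifies alice's access."""
    cw = ClarkWilson({"accounts": {"alice": 100, "bob": 50}, "total": 150})
    cw.certify("transfer", tp_transfer)
    cw.certify("deposit", tp_deposit)
    for cdi in ("alice", "bob"):
        cw.authorize("auditor", "alice", "transfer", cdi)
    return cw
```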


4-12 Other Integrity Model Implementations

- There are some other integrity models
- One reference to other integrity models is National Computer Security Center Report 79–91
- Each of the models detailed below offers a different approach to achieving integrity:
  - Goguen-Meseguer
    - A domain is the list of objects that a user can access
    - Users can be grouped according to their defined domains
  - Sutherland
    - Approaches integrity by focusing on the problem of inference and is state machine based


4-13 Information Flow Model

- Each object is assigned a security class and value
- Information is constrained to flow in the directions permitted by the security policy
- Model consists of:
  - Objects
  - State transitions
  - Lattice states

[Figure: information flows from object B to object A: a subject reads File B (object B) and writes File A (object A).]


4-14 Graham-Denning Model

- Formal system of protection rules, including:
  - Securely creating an object
  - Securely creating a subject
  - Securely deleting an object
  - Securely deleting a subject
  - Securely providing the read access right
  - Securely providing the grant access right
  - Securely providing the delete access right
  - Securely providing the transfer access right
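The eight Graham-Denning rules as an access matrix, added here as an example rather than taken from the deck. The slide only names the rules; the preconditions used below (the owner right over an object, the control right over a subject, and a copy flag written as a trailing "*" for the transfer rule) follow the original Graham-Denning formulation as I understand it and should be read as an assumption. Subjects and objects are constructed.

```python
"""Graham-Denning access matrix with the eight protection rules. Added example,
not the deck's code. Preconditions (owner, control and '*' copy-flag rights)
follow the original model as I understand it; treat them as an assumption."""
from collections import defaultdict


class AccessDenied(Exception):
    pass


class GrahamDenning:
    def __init__(self, root: str):
        self.subjects = {root}
        self.objects = {root}                               # every subject is also an object
        self.m = defaultdict(lambda: defaultdict(set))      # m[subject][object] -> rights
        self.m[root][root].add("control")

    def _need(self, ok: bool, why: str) -> None:
        if not ok:
            raise AccessDenied(why)

    def _owner(self, s: str, o: str) -> bool:
        return "owner" in self.m[s][o]

    def _controls(self, s: str, x: str) -> bool:
        return "control" in self.m[s][x]

    # R1 / R2: creating gives the creator the owner right over the new entity;
    # a new subject additionally controls itself.
    def create_object(self, s: str, o: str) -> None:
        self._need(s in self.subjects and o not in self.objects, "bad create")
        self.objects.add(o)
        self.m[s][o].add("owner")

    def create_subject(self, s: str, x: str) -> None:
        self.create_object(s, x)
        self.subjects.add(x)
        self.m[x][x].add("control")

    # R3 / R4: only the owner may delete an object or a subject.
    def delete_object(self, s: str, o: str) -> None:
        self._need(self._owner(s, o), f"{s} does not own {o}")
        self.objects.discard(o)
        self.subjects.discard(o)
        self.m.pop(o, None)                                 # drop its row ...
        for row in self.m.values():
            row.pop(o, None)                                # ... and its column

    delete_subject = delete_object

    # R5: read the rights of x on o if s owns o or controls x.
    def read_rights(self, s: str, x: str, o: str) -> set:
        self._need(self._owner(s, o) or self._controls(s, x), "cannot read rights")
        return set(self.m[x][o])

    # R6: only the owner of o may grant a right on it.
    def grant(self, s: str, right: str, x: str, o: str) -> None:
        self._need(self._owner(s, o) and x in self.subjects, "cannot grant")
        self.m[x][o].add(right)

    # R7: delete a right if s owns o or controls x.
    def delete_right(self, s: str, right: str, x: str, o: str) -> None:
        self._need(self._owner(s, o) or self._controls(s, x), "cannot delete right")
        self.m[x][o].discard(right)

    # R8: transfer r (or r*) to x only if s itself holds the copy flag r* on o.
    def transfer(self, s: str, right: str, x: str, o: str) -> None:
        copy_flag = right.rstrip("*") + "*"
        self._need(copy_flag in self.m[s][o] and x in self.subjects, "cannot transfer")
        self.m[x][o].add(right)


def permitted(action, *args) -> bool:
    """Run one rule and report whether the monitor allowed it (useful for audits)."""
    try:
        action(*args)
        return True
    except AccessDenied:
        return False
```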


4-15 Security Modes of Operation

- The Department of Defense defines the security modes of operation (DoD 5220.22-M) in which information systems are configured into four modes:
  - Dedicated security mode
  - System high-security mode
  - Compartmented security mode
  - Multilevel security mode


4-16 Dedicated Security Mode

- All users must have:
  - Proper clearance for all information on the system
  - Formal access approval for all information on the system
  - Signed NDA for all information on the system
  - Valid need to know for all information on the system


4-17 System High-Security Mode

- All users must have:
  - Proper clearance for all information on the system
  - Formal access approval for all information on the system
  - Signed NDA for all information on the system
  - Valid need to know for some information on the system


4-18 Compartmented Security Mode

- All users must have:
  - Proper clearance for the highest level of data classification on the system
  - Formal access approval for all information they will access on the system
  - Signed NDA for all information they will access on the system
  - Valid need to know for some of the information on the system


4-19 Multilevel Security Mode

- All users must have:
  - Proper clearance for all information they will access on the system
  - Formal access approval for all information they will access on the system
  - Signed NDA for all information they will access on the system
  - Valid need to know for some of the information on the system


4-20 Trust and Assurance

- Described as the degree of confidence in the satisfaction of security needs
- Trust is built into a system; it is the components, parts, or mechanisms of security
- Assurance is a subjective measurement of reliability and worthiness
- Trust and assurance are needed by vendors and by consumers
  - Vendors need a method of communicating the security features of their products to consumers
  - Consumers need a way to evaluate different vendors' offerings to determine the differences


4-21 Security Evaluation Methods

- A means of measuring the security of a system
- This may include:
  - Access control
  - Reference monitor (security kernel)
  - Protection mechanisms designed for:
    - Confidentiality
    - Availability
    - Integrity


4-22 System Evaluation Standards

- System evaluation standards include:
  - Rainbow series
    - Orange book (TCSEC)
    - Red book (TNI)
  - ITSEC (Information Technology Security Evaluation Criteria)
  - CTCPEC (Canadian Trusted Computer Product Evaluation Criteria)
  - CC (Common Criteria)


4-23 Rainbow Series

- These names were adopted in the military and government security community
- Some of these documents include:
  - Tan book: A Guide to Understanding Audit in Trusted Systems
  - Bright blue book: Trusted Product Evaluation - A Guide for Vendors
  - Neon orange book: A Guide to Understanding Discretionary Access Control in Trusted Systems
  - Green book: Password Management Guidelines
  - Pink book: Rating Maintenance Phase Program Document


4-24 Rainbow Series (cont.)

  - Purple book: Guidelines for Formal Verification Systems
  - Burgundy book: A Guide to Understanding Design Documentation in Trusted Systems
  - Venice Blue book: Computer Security Subsystem Interpretation of the Trusted Computer System Evaluation Criteria
  - Aqua book: A Glossary of Computer Security Terms
  - Orange book: A Guide to Understanding Configuration Management in Trusted Systems
  - Red book: Trusted Network Interpretation


4-25 Trusted Computer System Evaluation Criteria (Orange Book)

- TCSEC was developed by the NCSC (National Computer Security Center) in 1985
- TCSEC was designed to:
  - Evaluate operating systems
  - Serve as a basis for establishing security requirements in acquisition specifications
  - Act as a:
    - Standard for the security services that should be provided by vendors for the different classes of security requirements
    - Means to measure the trustworthiness of an information system
- TCSEC only addressed stand-alone systems


4-26 The Orange Book

- Numbered classes
- Criteria:
  - Security policy
  - Identification
  - Documentation
  - Accountability
  - Life cycle assurance
  - Continuous protection
  - Labels, required at some levels


4-27 The Orange Book (cont.)

- Each division and class incorporates the following security level requirements:
  - A: Verified protection
  - B: Mandatory protection (label, classification hierarchy, category)
  - C: Discretionary protection
  - D: Minimal security


4-28 "A" Verified Protection

- A1 is the most secure rating
  - A1 systems represent the top level of security and are designed to handle top secret data
  - Every step is documented and verified. The system must be:
    - Capable of handling top secret information
    - Delivered and installed in a secure manner


4-29 "B" Mandatory Protection

- Uses security labels
- Bases architecture on Bell-LaPadula
- Includes:
  - B1: Labeled
    - Grants access by matching up the subject and object labels and comparing their permission compatibility
    - Supports sufficient security to house classified data
  - B2: Structured
    - In addition to the requirement for security labels in B1 systems, B2 systems must ensure that no covert channels exist
    - Operator and administrator functions are separated
  - B3: Secure Domains
    - Secure state of B3 systems must be addressed during the initial boot process
    - B3 systems are very difficult to successfully attack and provide sufficient secure controls for very sensitive or secret data


4-30 "C" Discretionary Protection

- Is based on individuals and groups
- Separates users and information
- C1 and C2 systems provide basic controls and complete documentation for system installation and configuration, including:
  - C1: Discretionary secure protection
    - Provides only weak protection mechanisms
  - C2: Controlled access protection
    - Enforces strict logon procedures and media cleansing


4-31 "D" Minimal Security

- Reserved for systems that have been evaluated but failed to meet the criteria


4-32 TCSEC

- TCSEC addresses confidentiality but does not cover integrity


4-33 Trusted Network Interpretation (Red Book)

- TNI incorporates integrity labels, cryptography, authentication, and non-repudiation for network protection
- DoS prevention
  - Continuity of operations
  - Network management
- Compromise protection
  - Selective routing
  - Data confidentiality
  - Traffic confidentiality
- Communications integrity
  - Authentication
  - Message integrity
  - Non-repudiation


4-34 Information Technology Security Evaluation Criteria

- ITSEC system evaluations
  - European ITSEC (Information Technology Security Evaluation Criteria) addresses C.I.A. issues
  - ITSEC
    - Was designed to offer a common testing and evaluation platform for the EU nations
    - Was endorsed by the Council of the European Union in 1995
    - Is notable because it was the first international effort
    - Has two main attributes:
      - Functionality: F ratings
      - Assurance: E ratings
- TOE (Targets of evaluation)


4-35 Information Technology Security Evaluation Criteria (cont.)

- ITSEC ratings are in the form F-X, E, where functionality (F) and assurance (E) are listed separately
- ITSEC ratings that are equivalent to TCSEC ratings are:
  - E0 = D
  - F1 + E1 = C1
  - F2 + E2 = C2
  - F3 + E3 = B1
  - F4 + E4 = B2
  - F5 + E5 = B3
  - F5 + E6 = A1


4-36 Canadian Trusted Computer Product Evaluation Criteria

- Was developed by Canada
- Helped harmonize evaluation criteria in the US and Canada
- Served as a basis for talks that helped lead to the development of the Common Criteria


4-37 Common Criteria (1)

- With all the standards we have discussed, it is easy to see how determining the right choice might be difficult
- ISO (International Standards Organization) also had these same thoughts
- Because of the various standards and ratings that existed, ISO decided to work toward a single global standard
  - This is how Common Criteria (IS 15408) was born
- Common Criteria uses security targets, protection profiles, and ratings


4-38 Common Criteria (2)

[Figure: Common Criteria Development. The ITSEC (drawing on the French, German and UK criteria), the Orange Book, the Canadian Criteria and the Federal Criteria feed into the Common Criteria.]


4-39 Common Criteria (3)

- Some typical CC ratings are:

Level   Definition
EAL 0   Inadequate assurance
EAL 1   Functionality tested
EAL 2   Structurally tested
EAL 3   Methodically checked and tested
EAL 4   Methodically designed, tested, and reviewed
EAL 5   Semi-formally designed and tested
EAL 6   Semi-formally verified, designed, and tested
EAL 7   Formally verified, designed, and tested


4-40 Certification vs. Accreditation

- Certification
  - Comprehensive evaluation of the technical and nontechnical security features of an information system
- Accreditation
  - Official management decision to operate a system

[Figure: accreditation processes shown: DITSCAP (DoD) and NIACAP.]


4-41 Reaccreditation

- Certification and accreditation are not permanent
- Recertification and reaccreditation must occur:
  - Any time system changes occur
  - After a defined period of time


4-42 Open vs. Closed Systems

- Open systems can be described as:
  - Systems, designs, and architectures that are open and available to the public
  - In the case of computer code, the system can be reviewed and examined by all
  - Example: USB
- Closed systems
  - Proprietary in nature
  - These systems do not follow open industry standards
  - Example: FireWire


4-43 Open vs. Closed Source

- Open vs. closed source is about whether others can view/alter your source code:
  - As an example, Microsoft Windows is an open system, but closed source


4-44 A Few Threats to Security Models and Architectures

- Covert channels
- Maintenance hooks
- Time of check/time of use attacks
- Buffer overflows
- Malicious code


4-45 Covert Channels

- Means of moving information in a manner in which it was not intended
- Two types of covert channels exist:
  - Covert storage channel
    - Orange book - B2
  - Covert timing channel
    - Orange book - B3 & A1


4-46 Maintenance Hooks

- Maintenance hooks are a means of bypassing normal access controls
- These exist primarily as a means of testing code during development
- Issues arise when they are not removed before software release


4-47 Time-of-Check/Time-of-Use Attack

- A TOC/TOU attack typically targets timing
- Objective: exploit the delay between the TOC (time of check) and the TOU (time of use)
- These attacks are sometimes called a race condition, as the attacker is racing to make a change to the object after it has been checked but before it has been used by the system
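The check/use window described above, shown as an added example (not the deck's code) with the vulnerable check-then-use pattern beside the hardened open-then-verify pattern. It assumes a POSIX system (os.O_NOFOLLOW); the `race` hook stands in for the window in which another process swaps the file, and the directory and files are constructed in a temporary directory.

```python
"""Time-of-check/time-of-use: vulnerable check-then-use beside hardened
open-then-verify. Added example, not the deck's code; assumes POSIX."""
import os
import stat
import tempfile


def read_check_then_use(path: str, race=lambda: None) -> str:
    """Vulnerable: the check and the use both go through the path name, so the
    file the name refers to can change between them (the TOC/TOU window)."""
    if os.path.islink(path) or not os.path.isfile(path):   # time of check
        raise PermissionError("not a regular file")
    race()                                                  # the window the attacker races into
    with open(path) as f:                                   # time of use: the path is resolved again
        return f.read()


def read_open_then_verify(path: str, race=lambda: None) -> str:
    """Hardened: open once without following symlinks, then check the descriptor
    with fstat. Whatever happens to the path afterwards cannot change what the
    descriptor refers to, so there is no window between check and use."""
    race()                                                  # a swap here is simply seen by the open
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)        # refuses to follow a symlink
    try:
        st = os.fstat(fd)                                   # check the object we hold, not the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        chunks = []
        while True:
            chunk = os.read(fd, 4096)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks).decode()
    finally:
        os.close(fd)


def _write(path: str, text: str) -> None:
    with open(path, "w") as f:
        f.write(text)


def demo() -> dict:
    """Run both readers against a constructed swap and report what each returned."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")
        _write(public, "public data")
        _write(secret, "SECRET")

        def swap():                                         # public.txt becomes a link to secret.txt
            os.remove(public)
            os.symlink(secret, public)

        results = {"safe_no_race": read_open_then_verify(public)}
        results["unsafe_raced"] = read_check_then_use(public, swap)   # passes the check, reads the wrong file
        os.remove(public)
        _write(public, "public data")
        try:
            results["safe_raced"] = read_open_then_verify(public, swap)
        except OSError:                                     # O_NOFOLLOW fails on the swapped-in link
            results["safe_raced"] = "refused"
        return results
```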


4-48 Buffer Overflows

- A buffer is a temporary storage area, coded to hold a certain amount of data
- Buffer overflows occur because of poor coding techniques
- Buffer overflows can give an attacker access to a system
- Buffer overflows target:
  - A specific variable
  - A specific program
  - A specific hardware and software platform
- Type-safe languages are a defense against buffer overflows

[Figure: a fixed-length input buffer on the stack; input longer than the buffer overwrites the stack beyond it so that execution is redirected into the injected data.]


4-49 Malicious Code (Malware)

- Malicious code includes:
  - Viruses, worms, spyware, and Trojan horses
  - Active code (also called executable content)
    - Java and ActiveX
    - JavaScript and VBS
    - Macros
  - Potentially any incoming data that is processed or executed


4-50 Summary

- In this domain we:
  - Explained common computer architecture
  - Defined the rings of protection concept
  - Listed common security modules
  - Stated the various documents used for system evaluation