Trusted OS Design and Evaluation CS432 - Security in Computing Copyright © 2005, 2010 by Scott Orr and the Trustees of Indiana University.

2 Section Overview
- Security policies and models
- Trusted OS design elements and security features
- Orange Book certification levels
- Common Criteria
- False guarantees of trust

3 References
- Security in Computing, 4th Ed., Chapter 5 (pp. 242-257, 264-313)

4 Military Security Policy
- Classification has two parts:
  - Rank (hierarchical): e.g. Unclassified < Secret < Top Secret
  - Compartments (non-hierarchical): topic-based need-to-know groupings
- A subject can read an object only if both hold:
  - the subject's clearance rank ≥ the rank required for the object, and
  - the subject has a need to know for every compartment in which the object is classified
- Who controls access?

5 Commercial Security Policy
- Project- and/or department-based
- No formal notion of clearances
- Rules are less consistent than in the military policy
- Typical classifications: Public, Proprietary, Internal

6 Clark-Wilson Policy
- Integrity is of prime importance
- Well-formed transactions: data may be changed only through certified procedures
- Handled via access triples (userID, TP, CDI):
  - User identifier (userID)
  - Transformation procedure (TP): a certified program that changes data
  - Constrained data item (CDI): data whose integrity the policy protects

7 Separation of Duty
- Prevents the possibility of abuse by any single person
- Requires keeping track of which operations have already been performed (state)
- Prevents the same person from handling multiple transactions on the same object, even if that person is individually authorized for each of them
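The two slides above describe an enforcement point that checks an access triple and then a history-dependent separation-of-duty rule. The following is an added example (not code from the slides or the textbook) of such a monitor; the user names, transaction names, the AP_ledger CDI and the invoice items are constructed for illustration.

```python
# Added example: a minimal Clark-Wilson enforcement point with a
# separation-of-duty check. Policy data and names are constructed.

# Access triples (userID, TP, CDI): who may run which transformation
# procedure on which constrained data item. Constructed sample policy.
TRIPLES = {
    ("alice", "submit_invoice", "AP_ledger"),
    ("alice", "approve_invoice", "AP_ledger"),
    ("bob", "submit_invoice", "AP_ledger"),
    ("bob", "approve_invoice", "AP_ledger"),
}

# Separation of duty: the TP on the right may not be run, on the same item
# of a CDI, by the user who ran the TP on the left.
SOD = {("submit_invoice", "approve_invoice")}


class ClarkWilsonMonitor:
    """Mediates every TP invocation and remembers who did what (state)."""

    def __init__(self, triples, sod):
        self.triples = set(triples)
        self.sod = set(sod)
        self.history = []  # (user, tp, cdi, item) in invocation order

    def authorize(self, user, tp, cdi, item):
        """Return (allowed, reason) for `user` running `tp` on `item` of `cdi`."""
        # Rule 1: only certified (user, TP, CDI) triples are allowed at all.
        if (user, tp, cdi) not in self.triples:
            return False, "no access triple"
        # Rule 2: separation of duty. The triple alone would let alice
        # approve, but she may not approve an invoice she herself submitted.
        for first, second in self.sod:
            if tp == second and (user, first, cdi, item) in self.history:
                return False, "separation of duty: %s already ran %s" % (user, first)
        self.history.append((user, tp, cdi, item))
        return True, "ok"


def demo():
    """Run a constructed sequence of requests through one monitor."""
    m = ClarkWilsonMonitor(TRIPLES, SOD)
    return [
        m.authorize("alice", "submit_invoice", "AP_ledger", "inv-1001"),   # allowed
        m.authorize("alice", "approve_invoice", "AP_ledger", "inv-1001"),  # denied: SoD
        m.authorize("bob", "approve_invoice", "AP_ledger", "inv-1001"),    # allowed
        m.authorize("carol", "submit_invoice", "AP_ledger", "inv-1002"),   # denied: no triple
        m.authorize("alice", "approve_invoice", "AP_ledger", "inv-1002"),  # allowed: different item
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The point to notice is that the second request is denied even though alice holds a valid triple for approve_invoice: the decision depends on the monitor's recorded history, which is exactly why the slide says separation of duty requires keeping state.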

8 Chinese Wall Policy
- Goal is to prevent conflicts of interest
- Three levels of abstraction:
  - Objects (individual data items, e.g. files)
  - Company groups (all objects belonging to one company)
  - Conflict classes (company groups that compete with one another)
- A subject that has accessed an object from one company group may not access objects from any other company group in the same conflict class
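Like separation of duty, the Chinese Wall is a history-based policy: whether a read is allowed depends on what the subject has already read. Here is an added example (not from the slides) of a reference monitor for it; the conflict classes, company names and file names are constructed. The can_write rule goes beyond the slide: it is the Brewer-Nash write restriction, simplified by treating all data as unsanitized.

```python
# Added example: a stateful Chinese Wall reference monitor.
# Conflict classes, company groups and object names are constructed.

CONFLICT_CLASSES = {
    "banks": {"BankA", "BankB"},
    "oil": {"OilX", "OilY"},
}

# Each object belongs to exactly one company group.
OBJECTS = {
    "bankA-q3.xlsx": "BankA",
    "bankB-q3.xlsx": "BankB",
    "oilX-wells.pdf": "OilX",
    "oilY-wells.pdf": "OilY",
}

# Reverse index: company group -> conflict class it belongs to.
CLASS_OF = {co: cls for cls, cos in CONFLICT_CLASSES.items() for co in cos}


class ChineseWall:
    """What a subject may see depends on what it has already seen."""

    def __init__(self):
        self.seen = {}  # subject -> set of company groups already accessed

    def can_read(self, subject, obj):
        company = OBJECTS[obj]
        for prior in self.seen.get(subject, set()):
            # A different company in the same conflict class builds the wall.
            if prior != company and CLASS_OF[prior] == CLASS_OF[company]:
                return False
        return True

    def read(self, subject, obj):
        """Mediate a read and, if allowed, record it in the subject's history."""
        if not self.can_read(subject, obj):
            return False
        self.seen.setdefault(subject, set()).add(OBJECTS[obj])
        return True

    def can_write(self, subject, obj):
        # Brewer-Nash write rule (simplified, no sanitized data): a subject may
        # write to a company's object only if it could read it and has read
        # nothing from any other company, so it cannot carry data across walls.
        company = OBJECTS[obj]
        if not self.can_read(subject, obj):
            return False
        return all(prior == company for prior in self.seen.get(subject, set()))


def demo():
    """Constructed access sequence for two analysts."""
    w = ChineseWall()
    return [
        w.read("ann", "bankA-q3.xlsx"),       # True: nothing seen yet
        w.read("ann", "oilX-wells.pdf"),      # True: different conflict class
        w.read("ann", "bankB-q3.xlsx"),       # False: BankA already seen
        w.read("ann", "bankA-q3.xlsx"),       # True: same company again
        w.can_write("ann", "bankA-q3.xlsx"),  # False: ann also holds OilX data
        w.can_write("ben", "bankB-q3.xlsx"),  # True: ben has read nothing
    ]


if __name__ == "__main__":
    print(demo())
```

Note that the wall is built by the subject's first access, not by any attribute of the object: the same file bankB-q3.xlsx is readable by ben and unreadable by ann.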

9 Models of Security
- A model is a precise description of a policy that a mechanism can be built and checked against
- Lattice: a visualization of the ordering relationships among security labels
- Bell-La Padula (confidentiality)
- Biba integrity model

10 Bell-La Padula Model
- Based on the military policy
- Secures the flow of information (confidentiality)
- Properties, with C(x) the classification or clearance of x:
  - Simple security property: subject s can read object o only if C(o) ≤ C(s)
  - *-Property: a subject with read access to object o may write to object p only if C(o) ≤ C(p)
- Summary: read down, write up

11 Bell-La Padula Read-Down (figure): a subject (s) at one level of Top Secret / Secret / Unclassified may read an object (o) at its own level or below.

12 Bell-La Padula Write-Up (figure): a subject that has read object (o) may write to object (p) only at o's level or above.

13 Bell-La Padula Lattice Example (figure): each label combines a level with a set of compartments. The slide's lattice, from top to bottom:
- TS {A, B} (top: dominates every other label)
- TS {A}, TS {B}, S {A, B}
- S {A}, S {B}
- U {} (bottom: dominated by every other label)
Label X dominates label Y when X's level is at least Y's and X's compartment set includes Y's. So TS {A} dominates S {A}, but TS {A} and S {A, B} are incomparable: one has the higher level, the other the larger compartment set.

14 Biba Model
- The dual of the Bell-La Padula model
- Focus is on integrity (trustworthiness of data) rather than secrecy
- Properties, with I(x) the integrity level of x:
  - Simple integrity property: subject s can modify object o only if I(s) ≥ I(o)
  - *-Property: if subject s has read access to object o with integrity level I(o), s can write to object p only if I(o) ≥ I(p)
- Summary: read up, write down (low-integrity data must never flow into higher-integrity objects)

15 Biba Read-Up (figure): a subject (s) at one integrity level of High / Medium / Low may read an object (o) at its own level or above.

16 Biba Write-Down (figure): data read from object (o) may be written to object (p) only at o's integrity level or below.
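Slides 10 through 16 state the two properties of each model in terms of a dominance ordering on labels. The following added example (not code from the slides or the textbook) implements the lattice of slide 13, the Bell-La Padula read and write checks, and the Biba checks as the dual over a separate integrity ordering. It also computes the least upper bound, which is how a document derived from several sources must be labelled. Level names follow the slides; the integrity level names and the object labels used in the demo are assumptions.

```python
# Added example: label lattice with Bell-La Padula and Biba checks.
from dataclasses import dataclass
from typing import FrozenSet

LEVELS = {"U": 0, "S": 1, "TS": 2}               # sensitivity ordering (BLP)
INTEGRITY = {"Low": 0, "Medium": 1, "High": 2}   # trustworthiness ordering (Biba)


@dataclass(frozen=True)
class Label:
    """A lattice label: a hierarchical level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()


def dominates(a, b, order):
    """a >= b in the lattice: a's level is at least b's and a's compartments include b's."""
    return order[a.level] >= order[b.level] and b.compartments <= a.compartments


def lub(a, b, order):
    """Least upper bound: the lowest label that dominates both a and b."""
    top = max(a.level, b.level, key=order.__getitem__)
    return Label(top, a.compartments | b.compartments)


# Bell-La Padula (confidentiality): read down, write up.
def blp_can_read(subject, obj):
    # Simple security property: C(o) <= C(s)
    return dominates(subject, obj, LEVELS)


def blp_can_write(src_obj, dst_obj):
    # *-property: data read from o may be written to p only if C(o) <= C(p)
    return dominates(dst_obj, src_obj, LEVELS)


# Biba (integrity): the dual, read up, write down.
def biba_can_modify(subject, obj):
    # Simple integrity property: I(s) >= I(o)
    return dominates(subject, obj, INTEGRITY)


def biba_can_propagate(src_obj, dst_obj):
    # *-property: data read from o may be written to p only if I(o) >= I(p)
    return dominates(src_obj, dst_obj, INTEGRITY)


def derived_label(*inputs):
    """Label for a document assembled from several sources: the lub of their labels."""
    result = inputs[0]
    for lab in inputs[1:]:
        result = lub(result, lab, LEVELS)
    return result


if __name__ == "__main__":
    S_A = Label("S", frozenset({"A"}))
    TS_AB = Label("TS", frozenset({"A", "B"}))
    print("TS{A,B} reads S{A}:", blp_can_read(TS_AB, S_A))      # True
    print("S{A} reads TS{A,B}:", blp_can_read(S_A, TS_AB))      # False
    print("S{A} -> U{}:", blp_can_write(S_A, Label("U")))        # False (write down)
    print("lub(S{A}, S{B}):", derived_label(S_A, Label("S", frozenset({"B"}))))
    print("High modifies Low:", biba_can_modify(Label("High"), Label("Low")))  # True
```

The compartment check is what makes this a lattice rather than a simple ladder: a Top Secret subject cleared only for compartment B is refused a Secret document in compartment A, even though its level is higher.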

17 Design Elements
- Least privilege: each subject gets only the rights its task needs
- Economy of mechanism: keep the protection mechanism small and simple enough to verify
- Open design: security must not depend on the mechanism staying secret
- Complete mediation: every access to every object is checked, every time
- Permission-based: the default is denial; access is granted only by explicit permission
- Separation of privilege: sensitive operations require more than one condition to be satisfied
- Least common mechanism: minimize the mechanisms shared among users
- Ease of use: a mechanism that is hard to use will be bypassed

18 Security Features
- User identification and authentication
- Complete mediation
- Discretionary access control
- Mandatory access control
- Object reuse protection: storage (memory, disk blocks) is cleared before being reassigned to another subject
- Audit
- Audit reduction: condensing large audit logs so that they can actually be reviewed
- Trusted path: the user can be sure of communicating with the TCB and not with an impostor
- Intrusion detection

19 Trusted Computing Base (TCB) (figure): three nested rings, from the inside out:
- Reference monitor: the component that checks every access; it must be tamperproof, always invoked and small enough to be verified
- Security kernel: the hardware and software that implement the reference monitor
- Trusted computing base: everything in the system on which enforcement of the security policy depends

20 Assurance Methods
- Testing: shows the presence of flaws, never their absence
- Penetration testing: deliberate attempts to break the protection
- Formal verification: mathematical proof that the design meets its specification
- Validation: checking that the system as built matches its requirements and design

21 Orange Book Evaluation (divisions and classes, lowest to highest)
  D   Minimal Protection
  C1  Discretionary Security Protection
  C2  Controlled Access Protection
  B1  Labeled Security Protection
  B2  Structured Protection
  B3  Security Domains
  A1  Verified Design

22 Discretionary Security Protection (C1); each higher class below adds to the requirements of the classes beneath it
- User authentication
- Object access control
- Discretionary access control
- Memory protection
- Penetration testing

23 Controlled Access Protection (C2)
- Access control at the granularity of a single user
- Object reuse protection
- Audit logs

24 Labeled Security Protection (B1)
- Mandatory access control
- Labeled objects
- Need-to-know access policy
  - Hierarchical (levels)
  - Non-hierarchical (compartments)

25 Structured Protection (B2)
- Test and review of the design
- Principle of least privilege
- Trusted paths
- Covert channel analysis

26 Security Domains (B3)
- Extensive testing
- Full access control (a complete reference monitor)
- Active audits and alerts
- Resistant to penetration

27 Verified Design (A1)
- Formally verifiable design
- Formal top-down specification
- Informal demonstration that the specification is consistent with the design
- Formal analysis of covert channels

28 Orange Book Weaknesses
- All or nothing: a rating applies to one evaluated configuration at one level
- Locally installed software can invalidate the rating
- OS patches can invalidate the rating
- Mandatory access control can be difficult to set up
- Viruses (malicious code) not taken into consideration
Common Criteria (the Orange Book's international successor)
- Class-family-component based
- International system

29 Common Criteria Classes
Functionality:
- Identification and authentication
- Trusted path
- Security audit
- Invocation of security functions
- User data protection
- Resource utilization
- Protection of the trusted security functions
- Privacy
- Communication
Assurance:
- Development
- Testing
- Vulnerability assessment
- Configuration management
- Life-cycle support
- Guidance documents
- Delivery and operation

30 Common Criteria Structure (figure): requirements are organized as Class > Family > Component. Components are grouped into packages, and packages and individual components are assembled into a Protection Profile (implementation-independent requirements for a category of product) and a Security Target (the requirements and claims for the one specific product under evaluation).

31 False Guarantees of Trust
- Emphatic assertions ("this system is secure")
- Security through obscurity
- "I couldn't find any flaws"
- Challenges (inviting anyone to break in) say nothing about the flaws nobody found

