Security Architecture and Design Chapter 4 Part 4 Pages 377 to 416
Information Flow Model
- Example: Bell-LaPadula prevents information from flowing from a higher security level to a lower one

Covert Channels
- Example of a storage channel: the lock state of FileA carries one bit (1 = FileA is locked, 0 = FileA is not locked)
- Countermeasures: Common Criteria EAL6 formally verifies the absence of covert channels

Noninterference Model
- Activity at a higher level must not be observable by a lower-level entity
- If a lower-level entity becomes aware of activity at a higher level, the result is an inference attack (an information-leaking attack)
- Example: observing executives from Staples and Home Depot meeting suggests a merger that will affect stock prices

Lattice Models
- See Table 4-1 on page 381

Brewer and Nash Model (Chinese Wall)
- See Figure 4-25 on page 384

Graham-Denning Model
- Details of the 8 primitive rights on page 384
Dedicated Security Mode
- All users have clearance for, and need-to-know for, all data processed in the system
- Many military systems can handle only one level of security

System High-Security Mode
- All users have clearance for all data processed in the system (system high) but may not have need-to-know for all of it

Compartmented Security Mode
- All users have security clearance
- May not have need-to-know
- May not have formal access approval

Multilevel Security Mode
- The system processes data at various security levels (example: Bell-LaPadula)
- Users must also have need-to-know and formal approval
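The Bell-LaPadula rules over a lattice of labels, as an added example covering the Information Flow Model, Lattice Models and Multilevel Security Mode slides above; it is not code from the textbook or the slides. The Level names, the compartment sets and the sample labels are constructed for illustration, and the last function shows why a high-to-low flow is refused for every subject, not just the one case shown.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Hierarchical sensitivity levels (constructed for this example)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """One lattice element: a level plus a set of need-to-know compartments."""
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Partial order of the lattice: at least as high a level AND a
        # superset of the compartments. Two labels can be incomparable
        # (e.g. SECRET{crypto} vs SECRET{nuclear}), so neither dominates.
        return (self.level >= other.level
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): subject must dominate object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): object must dominate subject."""
    return obj.dominates(subject)


def flow_permitted(subject: Label, src: Label, dst: Label) -> bool:
    """Information moves from src to dst only through a subject that may read
    src and write dst. Together the two rules force dst to dominate src, so a
    flow from a higher label to a lower one is refused for every subject."""
    return can_read(subject, src) and can_write(subject, dst)


if __name__ == "__main__":
    analyst = Label(Level.SECRET, frozenset({"crypto"}))     # constructed subject
    memo = Label(Level.CONFIDENTIAL)                          # constructed objects
    ts_report = Label(Level.TOP_SECRET, frozenset({"crypto", "nuclear"}))
    print("read memo:", can_read(analyst, memo))              # True
    print("write memo:", can_write(analyst, memo))            # False: write down
    print("TS -> memo:", flow_permitted(analyst, ts_report, memo))  # False
```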
Guards
- Software and hardware protections for the flow of information between low-assurance and high-assurance systems

Trust and Assurance
- Trust level: how much protection to expect from a system
- Assurance: confidence that the system will act correctly and predictably in each and every situation; examined in more depth than trust
- Orange Book: defines different levels of assurance evaluation
Orange Book (U.S. Department of Defense)
- Division D: Minimal Protection
- Division C: Discretionary Protection
  - C1: Discretionary Security Protection (users at the same security level)
  - C2: Controlled Access Protection
    - Authentication and authorization
    - Auditing
    - Memory erased after use
- Division B: Mandatory Protection
  - B1: Labeled Security
    - Objects carry classification labels
    - Subjects carry clearance labels
  - B2: Structured Protection
    - Security policy defined and documented
    - Design and implementation reviewed and tested
    - No covert channels
    - Trusted path for authentication and authorization
    - Higher level of assurance
  - B3: Security Domains
    - Design and implementation of security code must not be too complex, so that it can be tested
    - For highly secure environments that process sensitive information
    - Highly resistant to penetration
- Division A: Verified Protection
  - A1: Verified Design
    - More assurance than B3 because the design is formally (mathematically) specified and verified
Red Book
- Framework for network security
- Encryption and protocols
- Communication integrity: authentication, message integrity, non-repudiation
- Denial-of-service protection
- Data flow protection: confidentiality, traffic-flow confidentiality

ITSEC (European)
- Functionality: F1 to F10, evaluating the functionality of security protection mechanisms
- Assurance: E0 to E6, evaluating correctness and effectiveness
Common Criteria (ISO global standard)
- EAL: Evaluation Assurance Level (page 402)
  - EAL1: Functionally tested
  - EAL2: Structurally tested
  - EAL3: Methodically tested and checked
  - EAL4: Methodically designed, tested, and reviewed
  - EAL5: Semiformally designed and tested
  - EAL6: Semiformally verified design and tested
  - EAL7: Formally verified design and tested
- Allows consumers to compare products
Certification vs Accreditation
- Certification: technical evaluation of a security component
- Accreditation: formal acceptance of the system and its risk

Open vs Closed System
- Open: built upon standards, protocols, and specifications that are published
  - Examples: Windows, Linux, Mac
  - More security tools available
  - More attacks
- Closed: proprietary, communicates only with like systems
  - Relies on security through obscurity
Bugs
- "Carnegie Mellon University estimates that there are 5 to 15 bugs in every 1,000 lines of code. Windows 2008 has million lines of code."
- The rich functionality demanded by users brings about deep complexity, which usually opens the doors to vulnerabilities.
Maintenance Hook
- A backdoor left in by developers
- Countermeasures
  - Host intrusion detection system to watch for hackers using the backdoor
  - File system encryption

TOC/TOU (Time-of-check/Time-of-use)
- A race condition between the check and the use of a resource
  - The OS validates the user's access to a file
  - Before the file is used, the user changes it to point to the password file
  - The user then accesses the file, and the earlier check no longer applies to what is opened