1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.

Slides:



Advertisements
Similar presentations
Security Requirements
Advertisements

Common Criteria Evaluation and Validation Scheme Syed Naqvi XtreemOS Training Day.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.2: Evaluation of Secure Information Systems.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Software Quality Assurance Plan
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #18-1 Chapter 18: Evaluating Systems Goals Trusted Computer System Evaluation.
CS526Topic 22: TCSEC and Common Criteria 1 Information Security CS 526 Topic 22: TCSEC and Common Criteria.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
Effective Design of Trusted Information Systems Luděk Novák,
IT Security Evaluation By Sandeep Joshi
1 norshahnizakamalbashah CEM v3.1: Chapter 10 Security Target Evaluation.
Computer Security: Principles and Practice Chapter 10 – Trusted Computing and Multilevel Security.
Trusted Hardware: Can it be Trustworthy? Design Automation Conference 5 June 2007 Karl Levitt National Science Foundation Cynthia E. Irvine Naval Postgraduate.
Secure Operating Systems Lesson 0x11h: Systems Assurance.
1 Lecture 8 Security Evaluation. 2 Contents u Introduction u The Orange Book u TNI-The Trusted Network Interpretation u Information Technology Security.
COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Software Configuration Management (SCM)
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-1 Chapter 17: Introduction to Assurance Overview Why assurance? Trust and.
Gurpreet Dhillon Virginia Commonwealth University
Principles of Information System Security: Text and Cases
SEC835 Database and Web application security Information Security Architecture.
Practical IS security design in accordance with Common Criteria Security and Protection of Information 2005 František VOSEJPKA S.ICZ a.s. June 5, 2005.
Introduction to Software Quality Assurance (SQA)
IS 2150 / TEL 2810 CC Evaluation, Risk Management, Legal Issues, Physical Security November 2, 2006.
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 20 October 28, 2004.
IS 2620: Developing Secure Systems Assurance and Evaluation Lecture 8 March 15, 2012.
Information Systems Security Computer System Life Cycle Security.
Evaluating Systems Information Assurance Fall 2010.
ISA 562 Internet Security Theory & Practice
Software Configuration Management (SCM)
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Lecture 15 Page 1 CS 236 Online Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
Background. History TCSEC Issues non-standard inflexible not scalable.
TEL2813/IS2820 Security Management Systems/Evaluations Lecture 11 April 7, 2005.
1 Common Criteria Ravi Sandhu Edited by Duminda Wijesekera.
Security Standards and Threat Evaluation. Main Topic of Discussion  Methodologies  Standards  Frameworks  Measuring threats –Threat evaluation –Certification.
The Value of Common Criteria Evaluations Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology 100 Bureau Drive;
CMSC : Common Criteria for Computer/IT Systems
Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id #
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 13 Nov 13, 2012 Risk Analysis Legal Issues.
TM8104 IT Security EvaluationAutumn CC – Common Criteria (for IT Security Evaluation) The CC permits comparability between the results of independent.
1 Common Evaluation Methodology for IT Security Part 2: Evaluation Methodology chapter 5-8 Marie Elisabeth Gaup Moe 06/12/04.
Trusted OS Design and Evaluation CS432 - Security in Computing Copyright © 2005, 2010 by Scott Orr and the Trustees of Indiana University.
Copyright (C) 2007, Canon Inc. All rights reserved. P. 0 A Study on the Cryptographic Module Validation in the CC Evaluation from Vendors' point of view.
Verification Formal Verification & Formal Evaluation Derived from Purdue: Cerias.
SAM-101 Standards and Evaluation. SAM-102 On security evaluations Users of secure systems need assurance that products they use are secure Users can:
Trusted Operating Systems
TM8104 IT Security EvaluationAutumn Evaluation - the Main Road to IT Security Assurance CC Part 3.
Chapter 19: Building Systems with Assurance Dr. Wayne Summers Department of Computer Science Columbus State University
High Assurance Products in IT Security Rayford B. Vaughn, Mississippi State University Presented by: Nithin Premachandran.
A Comparison of Commercial and Military Computer Security Presenter: Ivy Jiang1 A Comparison of Commercial and Military Computer Security Policies Authors:
Chapter 21: Evaluating Systems Dr. Wayne Summers Department of Computer Science Columbus State University
CSCE 727 Awareness and Training Secure System Development and Monitoring.
Information Security Principles and Practices by Mark Merkow and Jim Breithaupt Chapter 5: Security Architecture and Models.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
INFORMATION ASSURANCE POLICY. Information Assurance Information operations that protect and defend information and information systems by ensuring their.
1 Security Architecture and Designs  Security Architecture Description and benefits  Definition of Trusted Computing Base (TCB)  System level and Enterprise.
Security Architecture and Design Chapter 4 Part 4 Pages 377 to 416.
Introduction for the Implementation of Software Configuration Management I thought I knew it all !
Ch.18 Evaluating Systems - Part 2 -
Official levels of Computer Security
THE ORANGE BOOK Ravi Sandhu
Computer Security: Art and Science, 2nd Edition
Presentation transcript:

1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004

2 Acknowledgements Many of these slides came from Chris Clifton and Matt Bishop, author of Computer Security: Art and Science

3 What is Formal Evaluation? Method to achieve Trust –N–N–N–Not a guarantee of security Evaluation methodology includes: –S–S–S–Security requirements –A–A–A–Assurance requirements showing how to establish that security requirements are met –P–P–P–Procedures to demonstrate that system meets requirements –M–M–M–Metrics for results (level of trust) Examples: TCSEC (Orange Book), ITSEC, CC

4 Formal Evaluation: Why? Organizations require assurance Organizations require assurance –Defense –Telephone / Utilities –“Mission Critical” systems Formal verification of entire systems not feasible Formal verification of entire systems not feasible Instead, organizations develop formal evaluation methodologies Instead, organizations develop formal evaluation methodologies –Products passing evaluation are trusted –Required to do business with the organization

5 TCSEC: The Original Trusted Computer System Evaluation Criteria Trusted Computer System Evaluation Criteria –U.S. Government security evaluation criteria –Used for evaluating commercial products Policy model based on Bell-LaPadula Policy model based on Bell-LaPadula Enforcement: Reference Validation Mechanism Enforcement: Reference Validation Mechanism –Every reference checked by compact, analyzable body of code Emphasis on Confidentiality Emphasis on Confidentiality Metric: Seven trust levels: Metric: Seven trust levels: –D, C1, C2, B1, B2, B3, A1 –D is “tried but failed”

6 TCSEC Class Assurances C1: Discretionary Protection C1: Discretionary Protection –Identification –Authentication –Discretionary access control C2: Controlled Access Protection C2: Controlled Access Protection –Object reuse and auditing –Most common for commercial systems B1: Labeled security protection B1: Labeled security protection –Mandatory access control on limited set of objects –Informal model of the security policy

7 TCSEC Class Assurances (continued) B2: Structured Protections B2: Structured Protections –Mandatory access control for all objects –Trusted path for login –Principle of Least Privilege –Formal model of Security Policy –Covert channel analysis –Configuration management B3: Security Domains B3: Security Domains –Full reference validation mechanism –Constraints on code development process –Documentation, testing requirements A1: Verified Protection A1: Verified Protection –Formal methods for analysis, verification –Trusted distribution

8 How is Evaluation Done? Government-sponsored independent evaluators Government-sponsored independent evaluators –Application: Determine if government cares –Preliminary Technical Review Discussion of process, schedules Discussion of process, schedules Development Process Development Process Technical Content, Requirements Technical Content, Requirements –Evaluation Phase

9 TCSEC: Evaluation Phase Three phases Three phases –Design analysis Review of design based on documentation Review of design based on documentation –Test analysis –Final Review Trained independent evaluation Trained independent evaluation –Results presented to Technical Review Board –Must approve before next phase starts Ratings Maintenance Program Ratings Maintenance Program –Determines when updates trigger new evaluation

10 TCSEC: Problems Based heavily on confidentiality Based heavily on confidentiality –Did not address integrity, availability Base TCSEC geared to operating systems Base TCSEC geared to operating systems –TNI: Trusted Network Interpretation –TDI: Trusted Database management System Interpretation

11 Later Standards CTCPEC – Canada CTCPEC – Canada ITSEC – European Standard ITSEC – European Standard –Did not define criteria –Levels correspond to strength of evaluation –Includes code evaluation, development methodology requirements –Known vulnerability analysis CISR: Commercial outgrowth of TCSEC CISR: Commercial outgrowth of TCSEC FC: Modernization of TCSEC FC: Modernization of TCSEC FIPS 140: Cryptographic module validation FIPS 140: Cryptographic module validation Common Criteria: International Standard Common Criteria: International Standard SSE-CMM: Evaluates developer, not product SSE-CMM: Evaluates developer, not product

12 ITSEC: Levels E1: Security target defined, tested E1: Security target defined, tested –Must have informal architecture description E2: Informal description of design E2: Informal description of design –Configuration control, distribution control E3: Correspondence between code and security target E3: Correspondence between code and security target E4: Formal model of security policy E4: Formal model of security policy –Structured approach to design –Design level vulnerability analysis E5: Correspondence between design and code E5: Correspondence between design and code –Source code vulnerability analysis E6: Formal methods for architecture E6: Formal methods for architecture –Formal mapping of design to security policy –Mapping of executable to source code

13 ITSEC Problems: No validation that security requirements made sense No validation that security requirements made sense –Product meets goals –But does this meet user expectations? Inconsistency in evaluations Inconsistency in evaluations –Not as formally defined as TCSEC

14 Replaced TCSEC, ITSEC Replaced TCSEC, ITSEC 1. CC Documents –Functional requirements –Assurance requirements –Evaluation Assurance Levels (EAL) 2. CC Evaluation Methodology –Detailed evaluation guidelines for each EAL 3. National Scheme (Country specific)

15 Common Criteria: Origin

16 Some Abbreviations CC: Common Criteria CC: Common Criteria PP: Protection Profile PP: Protection Profile ST: Security Target ST: Security Target TOE: Target of Evaluation TOE: Target of Evaluation TSF: TOE Security Function TSF: TOE Security Function TSP: TOE Security Policy TSP: TOE Security Policy

17 CC Evaluation 1: Protection Profile Implementation independent, domain- specific set of security requirements Narrative Overview Narrative Overview Product/System description Product/System description Security Environment (threats, overall policies) Security Environment (threats, overall policies) Security Objectives: System, Environment Security Objectives: System, Environment IT Security Requirements IT Security Requirements –Functional requirements drawn from CC set –Assurance level Rationale for objectives and requirements Rationale for objectives and requirements

18 CC Evaluation 2: Security Target Specific requirements used to evaluate system Narrative introduction Narrative introduction Environment Environment Security Objectives Security Objectives –How met Security Requirements Security Requirements –Environment and system –Drawn from CC set Mapping of Function to Requirements Mapping of Function to Requirements Claims of Conformance to Protection Profile Claims of Conformance to Protection Profile

19 Common Criteria: Functional Requirements 362 page document 362 page document 11 Classes 11 Classes –Security Audit, Communication, Cryptography, User data protection, ID/authentication, Security Management, Privacy, Protection of Security Functions, Resource Utilization, Access, Trusted paths Several families per class Several families per class Lattice of components in a family Lattice of components in a family

20 Class Example: Communication Non-repudiation of origin Non-repudiation of origin 1.Selective Proof. Capability to request verification of origin 2.Enforced Proof. All communication includes verifiable origin

21 Class Example: Privacy 1. Pseudonymity 1.The TSF shall ensure that [assignment: set of users and/or subjects] are unable to determine the real user name bound to [assignment: list of subjects and/or operations and/or objects] 2.The TSF shall be able to provide [assignment: number of aliases] aliases of the real user name to [assignment: list of subjects] 3.The TSF shall [selection: determine an alias for a user, accept the alias from the user] and verify that it conforms to the [assignment: alias metric] 2. Reversible Pseudonimity 1.… 3. Alias Pseudonimity 1.…

22 Common Criteria: Assurance Requirements 216 page document 216 page document 10 Classes 10 Classes –Protection Profile Evaluation, Security Target Evaluation –Configuration management, Delivery and operation, Development, Guidance, Life cycle, Tests, Vulnerability assessment –Maintenance Several families per class Several families per class Lattice of components in family Lattice of components in family

23 Example: Protection Profile Evaluation Security environment In order to determine whether the IT security requirements in the PP are sufficient, it is important that the security problem to be solved is clearly understood by all parties to the evaluation. In order to determine whether the IT security requirements in the PP are sufficient, it is important that the security problem to be solved is clearly understood by all parties to the evaluation. 1. Protection Profile, Security environment, Evaluation requirements –Dependencies: No dependencies. –Developer action elements: The PP developer shall provide a statement of TOE security environment as part of the PP. The PP developer shall provide a statement of TOE security environment as part of the PP. –Content and presentation of evidence elements:...

24 Example: Delivery and Operation Installation, generation and start-up A. Installation, generation, and start-up procedures –Dependencies: AGD_ADM.1 Administrator guidance B. Developer action elements: –The developer shall document procedures necessary for the secure installation, generation, and start-up of the TOE. C. Content and presentation of evidence elements: –The documentation shall describe the steps necessary for secure installation, generation, and start-up of the TOE. D. …..

25 Common Criteria: Evaluation Assurance Levels 1. Functionally tested 2. Structurally tested (TCSEC C1) 3. Methodically tested and checked (C2) 4. Methodically designed, tested, and reviewed (B1) 5. Semi-formally designed and tested (B2) 6. Semi-formally verified design and tested (B3) 7. Formally verified design and tested (A1)

26 Common Criteria: Evaluation Process National Authority authorizes evaluators National Authority authorizes evaluators –U.S.: NIST accredits commercial organizations –Fee charged for evaluation Team of four to six evaluators Team of four to six evaluators –Develop work plan and clear with NIST –Evaluate Protection Profile first –If successful, can evaluate Security Target

27 Common Criteria: Status About 80 registered products About 80 registered products –Only one at level 5 (Java Smart Card) –Several OS at 4 –Likely many more not registered New versions appearing on regular basis New versions appearing on regular basis

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.