Trusted System? What are the characteristics of a trusted system?

Trusted System? What are the characteristics of a trusted system? What is a security policy, and how must it be enforced?
- Functional correctness: it does what it is supposed to do.
- Enforcement of integrity: correctness of data.
- Limited privilege: access is minimized; neither access rights nor data are passed along to other untrusted programs or users.
- Appropriate confidence level: the system has been tested and rated.

Underpinning of a Trusted OS
- Policy: has requirements.
- Model: represents the policy.
- Design: decide how to implement it.
- Trust features: the system has them to enforce security.
- Assurance: provides confidence in the system.
- Requirements: what it should and should not do.
- Model: compare it to the policy.
- Design: how it is built.

Trusted Software Key Characteristics
- Functionally correct: does what it is supposed to.
- Enforcement of integrity: maintains correctness of data.
- Limited privilege: the program accesses secure data, but access is minimized.
- Appropriate confidence level: the program has been evaluated and rated at a degree of trust.
- Common Criteria (CC): international standard for security. (Reference: book.)

Figure 5-14 Combined Security Kernel/Operating System (Pfleeger, C. and Pfleeger, S. (2007), Security in Computing, 4th ed.). Separate the security functions of an existing operating system, creating a security kernel.

Figure 5-15 Separate Security Kernel (Pfleeger, C. and Pfleeger, S. (2007), Security in Computing, 4th ed.). Computing systems have at least three execution domains: security kernel, operating system and user.

Trusted Computing Base (TCB)
- Conceptual construct, not physical.
- The security-relevant portions of a computer system that enforce a security policy.
- The level of trust a system provides.
- Addresses hardware, software and firmware.
- Trusted path: a protected communication channel.
- Trusted shell: the user can't bust out of it.
- Processes have their own execution domain.
- Memory and I/O protection.
References: Conrad, E., Misenar, S. and Feldman, J. (2010), CISSP Study Guide; Harris, S. (2010), CISSP All-in-One Exam Guide, 5th ed.

Figure 5-13 TCB and Non-TCB Code (Pfleeger, C. and Pfleeger, S. (2007), Security in Computing, 4th ed.). Typical divisions into TCB and non-TCB sections.

Security Perimeter
- Separates the TCB from everything outside of it.
- Divides trusted from untrusted.
- Communication between the TCB and components outside the TCB must not expose the system to security compromises.
References: Conrad, E., Misenar, S. and Feldman, J. (2010), CISSP Study Guide; Harris, S. (2010), CISSP All-in-One Exam Guide, 5th ed.

Figure 5-12 Reference Monitor (Pfleeger, C. and Pfleeger, S. (2007), Security in Computing, 4th ed.; Harris, S. (2010), CISSP All-in-One Exam Guide, 5th ed.).
- Conceptual: the most important part of a security kernel.
- Mediates all access subjects have to objects.
- Tamperproof and provides isolation.
- Un-bypassable: invoked for every access attempt.
- Analyzable: small enough to be tested.
- Other security mechanisms help the system: audit, identification and authentication.
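The three reference monitor properties above (un-bypassable, tamperproof, analyzable) plus audit can be shown in a few dozen lines. The Python below is an added illustration, not code from the slides or from Pfleeger or Harris: objects live behind a store that has no unmediated accessor, every attempt goes through one `mediate()` call that records an audit entry, and the whole policy decision is the one-line `_decide()`. The subjects, object names and rights are constructed sample data.

```python
"""Toy reference monitor: one check point that mediates every access.

Added illustration (not from the slides or the cited books). The subjects,
objects and rights used in demo_reference_monitor() are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class AuditRecord:
    subject: str
    obj: str
    right: str
    allowed: bool


class ReferenceMonitor:
    """Every access to a protected object goes through mediate().

    - un-bypassable: ProtectedStore below offers no read/write path that
      skips this call;
    - tamperproof: the access matrix is private and changed only through
      grant(), which is itself audited;
    - analyzable: the policy decision is the single line in _decide().
    """

    def __init__(self) -> None:
        self._matrix: dict[tuple[str, str], set[str]] = {}
        self.audit: list[AuditRecord] = []

    def grant(self, subject: str, obj: str, right: str) -> None:
        self._matrix.setdefault((subject, obj), set()).add(right)
        self.audit.append(AuditRecord("monitor", obj, f"grant:{right}->{subject}", True))

    def _decide(self, subject: str, obj: str, right: str) -> bool:
        return right in self._matrix.get((subject, obj), set())

    def mediate(self, subject: str, obj: str, right: str) -> bool:
        """Policy decision plus audit record, for every attempt, allowed or not."""
        allowed = self._decide(subject, obj, right)
        self.audit.append(AuditRecord(subject, obj, right, allowed))
        return allowed


class ProtectedStore:
    """Objects live behind the monitor; there is no unmediated accessor."""

    def __init__(self, monitor: ReferenceMonitor) -> None:
        self._monitor = monitor
        self._objects: dict[str, str] = {}

    def create(self, owner: str, name: str, data: str) -> None:
        self._objects[name] = data
        for right in ("read", "write"):
            self._monitor.grant(owner, name, right)

    def read(self, subject: str, name: str) -> str | None:
        if not self._monitor.mediate(subject, name, "read"):
            return None
        return self._objects.get(name)

    def write(self, subject: str, name: str, data: str) -> bool:
        if not self._monitor.mediate(subject, name, "write"):
            return False
        self._objects[name] = data
        return True


def demo_reference_monitor() -> dict:
    """Constructed scenario: alice owns a file, bob may only read it, eve has nothing."""
    rm = ReferenceMonitor()
    store = ProtectedStore(rm)
    store.create("alice", "payroll.txt", "salaries v1")
    rm.grant("bob", "payroll.txt", "read")
    results = {
        "bob_read": store.read("bob", "payroll.txt"),
        "bob_write": store.write("bob", "payroll.txt", "tampered"),
        "eve_read": store.read("eve", "payroll.txt"),
        "alice_write": store.write("alice", "payroll.txt", "salaries v2"),
        "final": store.read("alice", "payroll.txt"),
    }
    # Denied attempts are on the audit trail too; that is what makes the
    # monitor useful for detection, not only for prevention.
    results["denied_attempts"] = [(r.subject, r.right) for r in rm.audit if not r.allowed]
    return results


if __name__ == "__main__":
    print(demo_reference_monitor())
```

The real-system caveat is the part Python cannot enforce: nothing here stops a caller from touching `_objects` directly, which is exactly why the slide puts the monitor in a separate, hardware-protected execution domain (the security kernel) rather than in the same address space as the applications it mediates.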

Security Policy
- High-level management directives.
- A statement of the security we expect the system to enforce.
Policy Components
- Purpose: why.
- Scope: what is covered.
- Responsibilities: of teams, staff and management.
- Compliance: judge effectiveness; consequences.
Reference: Conrad, E., Misenar, S. and Feldman, J. (2010), CISSP Study Guide.

Military Security Policy
- Protect classified information; rank information by sensitivity level.
- Need-to-know rule: only subjects who need to know.
- Projects are compartmentalized for protection.

Figure 5-1 Hierarchy of Sensitivities (Pfleeger, C. and Pfleeger, S. (2007), Security in Computing, 4th ed.). Rank information at a sensitivity level: unclassified, restricted, confidential, secret or top secret, ordered from least sensitive to most sensitive.

Compartments
- Projects are called compartments; information can cross compartments and sensitivity levels.
- Individuals are assigned to projects.
- Compartments enforce the need-to-know policy.
- Clearances are required to access information.

Figure 5-2 Compartments and Sensitivity Levels (Pfleeger, C. and Pfleeger, S. (2007), Security in Computing, 4th ed.). Compartments can cross sensitivity levels. A compartment is usually named after a project.

Figure 5-3 Association of Information and Compartments (Pfleeger, C. and Pfleeger, S. (2007), Security in Computing, 4th ed.).

Discussion Question: Commercial security policies. Why must companies be concerned about security?

Commercial Security
- Maintain competitive advantage.
- Industrial espionage.
- Protect financial information.
- Categories of information: public (less sensitive); proprietary (less sensitive than internal); internal (sensitive).

Figure 5-4 Commercial View of Sensitive Information (Pfleeger, C. and Pfleeger, S. (2007), Security in Computing, 4th ed.).

Models of Security (Why?)
- Test a particular policy for completeness and consistency.
- Document a policy.
- Help conceptualize and design an implementation.
- Check whether an implementation meets its requirements.

Bell-LaPadula Security Model
- First mathematical model of a multi-level security policy; developed for the Department of Defense.
- Simple security property: no read up.
- *-security property: no write down.
- Strong tranquility property: security labels will not change while the system is operating.
- Weak tranquility property: security labels will not change in a way that conflicts with the defined security properties.
- "Keep secrets secret."
References: Conrad, E., Misenar, S. and Feldman, J. (2010), CISSP Study Guide; Harris, S. (2010), CISSP All-in-One Exam Guide, 5th ed.

Figure 5-7 Secure Flow of Information (Pfleeger, C. and Pfleeger, S. (2007), Security in Computing, 4th ed.). Bell-LaPadula model: simple security property, no read-up operations; *-security property, no write-down operations. Confidentiality is critical to maintain.

Biba (Integrity) Model
- Businesses are concerned with the integrity of information.
- A state machine model: a mathematical model that evaluates every state.
- Simple integrity axiom: no read down.
- *-integrity axiom: no write up.
- Invocation property: a subject cannot request service from subjects of higher integrity.
- The opposite of Bell-LaPadula; confidentiality is at odds with integrity.
References: Conrad, E., Misenar, S. and Feldman, J. (2010), CISSP Study Guide; Harris, S. (2010), CISSP All-in-One Exam Guide, 5th ed.
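The Bell-LaPadula and Biba rules are the same comparison run in opposite directions, which is easiest to see when both sit on one lattice of (sensitivity level, compartment set) labels like the one in Figures 5-1 to 5-3. The Python below is an added example, not code from the slides or the cited books: `dominates()` is the lattice order (level at least as high and compartments a superset), BLP reads down and writes up, Biba reads up and writes down, and the invocation property is the Biba dominance test applied to two subjects. Level names are the five from Figure 5-1; the compartment names "alpha" and "beta" and the subject and document labels are constructed.

```python
"""Bell-LaPadula and Biba checks over a sensitivity/compartment lattice.

Added illustration (not from the slides or the cited books). Level names
follow Figure 5-1; compartments and the labels in demo_labels() are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

LEVELS = ["unclassified", "restricted", "confidential", "secret", "top secret"]


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset[str] = frozenset()

    @property
    def rank(self) -> int:
        return LEVELS.index(self.level)

    def dominates(self, other: Label) -> bool:
        """a dominates b iff a's level >= b's and a's compartments cover b's.

        Labels with disjoint compartments are incomparable: neither dominates,
        so neither reading nor writing is allowed between them in either model.
        """
        return self.rank >= other.rank and self.compartments >= other.compartments


# --- Bell-LaPadula (confidentiality): "keep secrets secret" -----------------
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up. The subject must dominate the object."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down. The object must dominate the subject."""
    return obj.dominates(subject)


# --- Biba (integrity): the dual rules, same labels read as integrity levels --
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple integrity axiom: no read down. The object's integrity must dominate."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """*-integrity axiom: no write up. The subject's integrity must dominate."""
    return subject.dominates(obj)


def biba_can_invoke(subject: Label, target: Label) -> bool:
    """Invocation property: no requesting service from a higher-integrity subject."""
    return subject.dominates(target)


def demo_labels() -> dict[str, bool]:
    """Constructed scenario: a secret/alpha analyst against three documents."""
    analyst = Label("secret", frozenset({"alpha"}))
    doc_conf_alpha = Label("confidential", frozenset({"alpha"}))
    doc_top_secret = Label("top secret", frozenset({"alpha"}))
    doc_secret_beta = Label("secret", frozenset({"beta"}))  # need-to-know: other project
    return {
        "blp_read_down": blp_can_read(analyst, doc_conf_alpha),
        "blp_read_up": blp_can_read(analyst, doc_top_secret),
        "blp_read_other_compartment": blp_can_read(analyst, doc_secret_beta),
        "blp_write_down": blp_can_write(analyst, doc_conf_alpha),
        "blp_write_up": blp_can_write(analyst, doc_top_secret),
        "biba_read_down": biba_can_read(analyst, doc_conf_alpha),
        "biba_write_down": biba_can_write(analyst, doc_conf_alpha),
        "biba_invoke_higher": biba_can_invoke(analyst, doc_top_secret),
    }


if __name__ == "__main__":
    for name, allowed in demo_labels().items():
        print(f"{name:28s} {'allowed' if allowed else 'denied'}")
```

Notice the compartment case: a secret/beta document is denied to a secret/alpha subject even though the levels match, which is the need-to-know rule from the Compartments slide falling out of the lattice order rather than being bolted on. The same run also shows why the two models fight each other: the write the BLP *-property forbids (secret subject writing a confidential document) is exactly the one Biba permits.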

Clark-Wilson Integrity Model
- Well-formed transactions: the ability to enforce control over applications.
- Users: active agents.
- Transformation procedures (TPs): abstract operations such as read, write and modify.
- Constrained data items (CDIs): manipulated only by TPs.
- Unconstrained data items (UDIs): manipulated by users via primitive read and write operations.
- Integrity verification procedures (IVPs): check the consistency of CDIs with external reality.
References: Conrad, E., Misenar, S. and Feldman, J. (2010), CISSP Study Guide; Harris, S. (2010), CISSP All-in-One Exam Guide, 5th ed.
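The four Clark-Wilson pieces map directly onto code once you decide that the CDIs are private and the only way to reach them is a TP dispatcher that checks the user/TP certification first. The Python below is an added example, not code from the slides or the CISSP guides: account balances are the CDIs, a typed transfer request is a UDI that a TP validates before it may affect a CDI, and the IVP checks that the balances still sum to the amount the bank is known to hold. The user names, TP names and amounts are constructed.

```python
"""Clark-Wilson style enforcement: CDIs changed only by certified TPs.

Added illustration, not from the slides or the cited books. Users, TPs and
the transactions in demo_clark_wilson() are constructed sample data.
"""
from __future__ import annotations


class IntegrityViolation(Exception):
    """Raised when a transaction would break the integrity rules."""


class ClarkWilsonSystem:
    def __init__(self) -> None:
        # Constrained data items: account balances. Only TPs may change them.
        self._cdis: dict[str, int] = {}
        # Unconstrained data items: raw user input (a typed transfer request).
        self.udis: dict[str, str] = {}
        # Certification: which user is allowed to run which TP.
        self._certified: set[tuple[str, str]] = set()
        self.log: list[str] = []

    # --- certification and verification ---------------------------------
    def certify(self, user: str, tp: str) -> None:
        self._certified.add((user, tp))

    def ivp_consistent(self, expected_total: int) -> bool:
        """Integrity verification procedure: do the CDIs match external reality
        (here, the total the institution is known to hold)?"""
        return sum(self._cdis.values()) == expected_total

    # --- the single gate to the CDIs ------------------------------------
    def run_tp(self, user: str, tp: str, *args) -> None:
        if (user, tp) not in self._certified:
            self.log.append(f"DENY {user} {tp}")
            raise IntegrityViolation(f"{user} is not certified for {tp}")
        self.log.append(f"RUN {user} {tp} {args}")
        getattr(self, f"_tp_{tp}")(*args)

    # --- transformation procedures: well-formed transactions -------------
    def _tp_open_account(self, name: str, amount: int) -> None:
        self._cdis[name] = amount

    def _tp_transfer(self, src: str, dst: str, amount: int) -> None:
        # A well-formed transfer moves value; it never creates or destroys it.
        if amount <= 0 or self._cdis.get(src, 0) < amount or dst not in self._cdis:
            raise IntegrityViolation("transfer would leave the CDIs inconsistent")
        self._cdis[src] -= amount
        self._cdis[dst] += amount

    def _tp_accept_udi(self, udi_key: str) -> None:
        """Promote a UDI (untrusted text) into CDI state only after validation."""
        raw = self.udis[udi_key]
        src, dst, amount = raw.split(",")
        self._tp_transfer(src.strip(), dst.strip(), int(amount))

    def balance(self, name: str) -> int:
        return self._cdis[name]


def demo_clark_wilson() -> dict:
    cw = ClarkWilsonSystem()
    cw.certify("teller", "open_account")
    cw.certify("teller", "transfer")
    cw.certify("clerk", "accept_udi")       # clerks may only submit requests
    cw.run_tp("teller", "open_account", "alice", 100)
    cw.run_tp("teller", "open_account", "bob", 50)
    cw.udis["req1"] = "alice, bob, 30"      # UDI: typed by a user, not yet trusted
    cw.run_tp("clerk", "accept_udi", "req1")
    out = {
        "alice": cw.balance("alice"),
        "bob": cw.balance("bob"),
        "consistent": cw.ivp_consistent(150),
    }
    try:  # clerk is not certified for the transfer TP
        cw.run_tp("clerk", "transfer", "bob", "alice", 80)
        out["uncertified_blocked"] = False
    except IntegrityViolation:
        out["uncertified_blocked"] = True
    try:  # certified user, but the transaction itself is not well formed
        cw.run_tp("teller", "transfer", "bob", "alice", 500)
        out["overdraft_blocked"] = False
    except IntegrityViolation:
        out["overdraft_blocked"] = True
    out["still_consistent"] = cw.ivp_consistent(150)
    return out


if __name__ == "__main__":
    print(demo_clark_wilson())
```

The two rejected calls show the two different Clark-Wilson controls: the first fails the user/TP certification check (enforcement rule), the second passes certification but fails the TP's own well-formedness check, and in both cases the IVP afterwards still reports the CDIs consistent.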

Clark-Wilson diagram reproduced and updated from Harris, S. (2010), CISSP All-in-One Exam Guide, 5th ed.

Security Models (cont.)
- Information flow: describes how information can flow; Bell-LaPadula and Biba use this.
- Chinese Wall (Brewer-Nash): avoids conflicts of interest (consultant control) by prohibiting access to conflict-of-interest categories.
- Noninterference: data in different security domains remain separate.
- Harrison-Ruzzo-Ullman: maps subjects, objects and access rights to a matrix.
- Zachman Framework: six frameworks for providing information security.
Reference: Conrad, E., Misenar, S. and Feldman, J. (2010), CISSP Study Guide.

Figure 5-5 Chinese Wall Security Policy (Pfleeger, C. and Pfleeger, S. (2007), Security in Computing, 4th ed.).
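What makes the Chinese Wall different from the lattice models above is that the decision depends on the subject's access history, not on a fixed label. The Python below is an added example, not code from the slides or from Pfleeger: companies are grouped into conflict-of-interest classes, a read is allowed if the consultant already works with that company or has touched nothing in the same class, and a write is allowed only when the consultant has read no other company's data (the usual simplification of the Brewer-Nash *-rule, which also exempts sanitized public data; that exemption is left out here). The class names "banks" and "oil", the company names and the consultant names are constructed.

```python
"""Brewer-Nash (Chinese Wall): access decided by the subject's history.

Added illustration (not from the slides or the cited books). The conflict
classes, company names and subjects are constructed sample data.
"""
from __future__ import annotations

# Conflict-of-interest classes: company datasets that compete with each other.
COI_CLASSES = {
    "banks": {"BankA", "BankB"},
    "oil": {"OilX", "OilY"},
}


def coi_of(company: str) -> str:
    for name, members in COI_CLASSES.items():
        if company in members:
            return name
    raise KeyError(f"unknown company dataset: {company}")


class ChineseWall:
    def __init__(self) -> None:
        self._history: dict[str, set[str]] = {}  # subject -> companies read so far

    def can_read(self, subject: str, company: str) -> bool:
        """Simple rule: allowed if the subject already works with this company,
        or has never read any company in the same conflict-of-interest class."""
        seen = self._history.get(subject, set())
        if company in seen:
            return True
        return all(coi_of(c) != coi_of(company) for c in seen)

    def read(self, subject: str, company: str) -> bool:
        """A permitted read is recorded: it shrinks what the subject may do later."""
        if not self.can_read(subject, company):
            return False
        self._history.setdefault(subject, set()).add(company)
        return True

    def can_write(self, subject: str, company: str) -> bool:
        """*-rule (simplified): write allowed only if a read would be, and the
        subject has read no other company's data that the write could carry."""
        seen = self._history.get(subject, set())
        return self.can_read(subject, company) and seen <= {company}


def demo_chinese_wall() -> dict[str, bool]:
    wall = ChineseWall()
    return {
        "first_bank": wall.read("consultant", "BankA"),        # fresh subject
        "other_class": wall.read("consultant", "OilX"),        # different class: fine
        "rival_bank": wall.read("consultant", "BankB"),        # conflicts with BankA
        "same_bank_again": wall.read("consultant", "BankA"),   # still fine
        "write_bank_a": wall.can_write("consultant", "BankA"), # has read OilX: no
        "fresh_write": wall.can_write("analyst", "BankB"),     # clean history: yes
    }


if __name__ == "__main__":
    print(demo_chinese_wall())
```

The ordering matters: the same consultant who reads BankA first is walled off from BankB forever, and a consultant who had read BankB first would instead be walled off from BankA. That history dependence is why the model needs the access history kept as carefully as the policy itself.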

Zachman Framework: helps security professionals think about all of the areas they should be concerned with. http://commons.wikimedia.org/wiki/File:Zachman_Framework.jpg

Security Models (cont.)
- Objects are either active or passive.
- Take-Grant protection: rules govern the interactions between subjects and objects, and the permissions subjects can grant.
- Primitive operations: create, revoke, take, grant.

Figure 5-8 Subject, Object, and Rights (Pfleeger, C. and Pfleeger, S. (2007), Security in Computing, 4th ed.).

Figure 5-9 Creating an Object; Revoking, Granting, and Taking Access Rights (Pfleeger, C. and Pfleeger, S. (2007), Security in Computing, 4th ed.).
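The four Take-Grant primitives of the last two slides are rewrite rules on a directed graph whose edges are labelled with sets of rights, and they are short enough to run. The Python below is an added example, not code from the slides or a reproduction of Figures 5-8 and 5-9: `t` and `g` are the take and grant rights, `take` lets x copy rights that y holds on z when x has `t` on y, `grant` lets x give y rights that x holds on z when x has `g` on y, and `create`/`remove` add and revoke edges. The vertex names alice, bob, carol and file are constructed.

```python
"""Take-Grant protection graph with the four primitive rules.

Added illustration, not from the slides or Pfleeger's figures. Vertex names
in demo_take_grant() are constructed; 't' and 'g' are the take and grant rights.
"""
from __future__ import annotations


class TakeGrantGraph:
    def __init__(self) -> None:
        # (x, y) -> set of rights x holds on y; a missing key means no edge.
        self.rights: dict[tuple[str, str], set[str]] = {}

    def r(self, x: str, y: str) -> set[str]:
        return self.rights.setdefault((x, y), set())

    def create(self, x: str, new: str, rights: set[str]) -> None:
        """Create: x creates a new vertex and holds `rights` on it."""
        self.r(x, new).update(rights)

    def remove(self, x: str, y: str, rights: set[str]) -> None:
        """Remove (revoke): x gives up `rights` on y."""
        self.r(x, y).difference_update(rights)

    def take(self, x: str, y: str, z: str, rights: set[str]) -> bool:
        """Take: if x has 't' on y and y holds `rights` on z, x gains them on z."""
        if "t" in self.r(x, y) and rights <= self.r(y, z):
            self.r(x, z).update(rights)
            return True
        return False

    def grant(self, x: str, y: str, z: str, rights: set[str]) -> bool:
        """Grant: if x has 'g' on y and x holds `rights` on z, y gains them on z."""
        if "g" in self.r(x, y) and rights <= self.r(x, z):
            self.r(y, z).update(rights)
            return True
        return False


def demo_take_grant() -> dict:
    g = TakeGrantGraph()
    g.rights[("alice", "bob")] = {"g"}    # alice may grant rights to bob
    g.rights[("carol", "bob")] = {"t"}    # carol may take rights from bob
    g.create("alice", "file", {"r", "w"})
    out = {
        "grant_read_to_bob": g.grant("alice", "bob", "file", {"r"}),   # alice holds r
        "grant_exec_to_bob": g.grant("alice", "bob", "file", {"x"}),   # alice lacks x
        "carol_takes_read": g.take("carol", "bob", "file", {"r"}),     # via t on bob
        "carol_takes_write": g.take("carol", "bob", "file", {"w"}),    # bob has no w
        "bob_takes_from_alice": g.take("bob", "alice", "file", {"w"}), # bob has no t
    }
    g.remove("alice", "file", {"w"})  # revoke: alice drops write on her own file
    out["alice_on_file"] = sorted(g.r("alice", "file"))
    out["bob_on_file"] = sorted(g.r("bob", "file"))
    out["carol_on_file"] = sorted(g.r("carol", "file"))
    return out


if __name__ == "__main__":
    print(demo_take_grant())
```

The instructive result is `carol_takes_read`: carol was never given anything on the file directly, yet the `t` edge to bob plus alice's grant to bob is enough. Questions of that shape ("can this subject ever obtain this right?") are what the model exists to answer, and the rules are simple enough that the answer can be decided, unlike the general access-matrix case the Harrison-Ruzzo-Ullman slide refers to.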

Why Study Models?
- Models help us determine what policies a secure system will enforce.
- Essential to designing a trusted operating system.
- Determine what is feasible and what is not.

Figure 5-10 Overview of an Operating System's Functions (Pfleeger, C. and Pfleeger, S. (2007), Security in Computing, 4th ed.): user authentication, memory protection, file I/O access, access control, enforced sharing, fair service, inter-process communication and synchronization, protected OS and data.
- Identify and authenticate.
- Protect memory.
- Protect I/O from unauthorized users.
- Access control via table lookups.
- Sharing: resources should be available.
- Fair service: enforce sharing of the system resources.

Figure 5-11 Security Functions of a Trusted Operating System (Pfleeger, C. and Pfleeger, S. (2007), Security in Computing, 4th ed.): user identification and authentication, mandatory access control, discretionary access control, object reuse protection, complete mediation, trusted path, audit, audit log reduction, intrusion detection.
- MAC: access control decisions are made beyond the control of the user.
- DAC: the owner has some discretion.
- Complete mediation: all accesses must be controlled.
- Trusted path: no spoofing.
- Maintain logs.

Access Control
- Mandatory (MAC): decisions are made beyond the end user.
- Discretionary (DAC): the end user decides access.
- Non-discretionary: role-based access control; roles define access.
- Content/context dependent: check an additional context before allowing access, such as the time, or whether users are accessing their own records.
- Centralized: all access decisions are centralized; single sign-on; provides AAA.
- Decentralized: allows IT administrators at each location to employ different policies and levels of security.
Reference: Conrad, E., Misenar, S. and Feldman, J. (2010), CISSP Study Guide.

Discussion Question: Explain the meaning of granularity with respect to access control. Discuss the trade-off between granularity and efficiency.

Granularity vs. Efficiency
- Granularity: the extent to which a task is broken down into smaller parts.
- Maximum granularity: control each individual object.
- Coarse granularity: organize information into directories or groups, then apply access rules.
- Management efficiency is affected by the choice: access control systems can become hard to manage depending on the granularity of the controls placed upon objects.

Memory
- Chip based (RAM), disk based, tape.
- RAM: the CPU may randomly access addresses.
- ROM: read-only memory; survives power loss.
- Cache memory: fast memory on the system.
- Memory protection: protects the CIA of a process.
- Hardware segmentation: mapping processes to specific memory addresses.
- Virtual memory: a mapping between applications and hardware; more than just paging, it shares libraries in memory.
Reference: Conrad, E., Misenar, S. and Feldman, J. (2010), CISSP Study Guide.

Figure 5-16 Conventional Multiuser Operating System Memory (Pfleeger, C. and Pfleeger, S. (2007), Security in Computing, 4th ed.).

Figure 5-17 Multiple Virtual Addressing Spaces (Pfleeger, C. and Pfleeger, S. (2007), Security in Computing, 4th ed.).

Typical Computer (diagram): Applications run on top of the Operating System and Drivers, which run on top of the Hardware (CPU(s), Memory, Network, Storage, Peripherals). 4/22/2017

Figure 5-18 Conventional Operating System (Pfleeger, C. and Pfleeger, S. (2007), Security in Computing, 4th ed.).

Virtual Computer (diagram): several stacks of Applications, each on its own Virtual Hardware and Operating System (virtual CPU(s), Memory, Network, Storage, Peripherals), all running on the one physical Hardware layer (CPU(s), Memory, Network, Storage, Peripherals).

Figure 5-19 Virtual Machine. Virtual machines allow more efficient use of hardware but do have security risks.

VM Security
- Harden the base OS: it manages the VMs.
- Set resource limits: CPU, memory, etc.
- Firewall the host operating system.
- Use encrypted protocols.
- Harden guest operating systems.
- Keep up with host and guest patches; guest operating systems may be different from the host.
- Audit logs and performance.


Figure 5-20 Layered Operating System (Pfleeger, C. and Pfleeger, S. (2007), Security in Computing, 4th ed.).

Figure 5-21 Modules Operating in Different Layers (Pfleeger, C. and Pfleeger, S. (2007), Security in Computing, 4th ed.).

International Common Criteria
- Agreed-upon standard for describing and testing the security of IT products.
- Target of Evaluation (ToE): the product under evaluation.
- Security Target (ST): documentation describing the ToE, including its security requirements.
- Protection Profile (PP): an independent set of security requirements for a category of products or systems.
- Evaluation Assurance Level (EAL): the score of the product.
Reference: Conrad, E., Misenar, S. and Feldman, J. (2010), CISSP Study Guide.

CC Levels of Evaluation: 7 levels, each building on the previous level.
- EAL1: functionally tested.
- EAL2: structurally tested.
- EAL3: methodically tested and checked.
- EAL4: methodically designed, tested and checked.
- EAL5: semi-formally designed and tested.
- EAL6: semi-formally verified, designed and tested.
- EAL7: formally verified, designed and tested.
Reference: Conrad, E., Misenar, S. and Feldman, J. (2010), CISSP Study Guide.

Discussion Question: Why would a company go after Common Criteria certification for its products?

New Business and $$$
- Having certified products opens new markets for your business: government contracts; international private businesses requiring high levels of security.
- It can be an expensive process, though: in 2006, an EAL4 rating took 2 years and $350,000 for a product. http://en.wikipedia.org/wiki/Evaluation_Assurance_Level

Figure 5-27 Criteria Development Efforts (Pfleeger, C. and Pfleeger, S. (2007), Security in Computing, 4th ed.).

Payment Card Industry (PCI) Data Security Standard (DSS) Core Principles
- Build and maintain a secure network.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
Reference: Conrad, E., Misenar, S. and Feldman, J. (2010), CISSP Study Guide.

Certification and Accreditation
- Certification: the system has been certified to meet the security requirements of the data owner.
- Accreditation: the data owner's acceptance of the certification and of the residual risk, required before the system is put into production.
- Government is busy working on these procedures.
Reference: Conrad, E., Misenar, S. and Feldman, J. (2010), CISSP Study Guide.