Trusted OS Design and Evaluation CS432 - Security in Computing Copyright © 2005, 2010 by Scott Orr and the Trustees of Indiana University.


Section Overview
- Security Policies and Models
- Trust design elements and features
- Orange Book Certification Levels
- Common Criteria
- False Guarantees of Trust

References
- Security in Computing, 4th Ed., Chapter 5 (pgs , )

Military Policy
- Classification
  - Rank (hierarchical)
  - Compartments (non-hierarchical)
- A subject can only read an object if
  - Subject clearance ≥ required clearance for the object
  - Subject has need to know for all compartments with which the object is classified
- Who controls access?

Commercial Security Policy
- Project and/or department based
- No formal notion of clearances
- Rules less consistent
- Typical classifications:
  - Public
  - Proprietary
  - Internal

Clark-Wilson Policy
- Integrity is of prime importance
- Well-formed transactions
- Handled via access triples:
  - User identifier (userID)
  - Transformation procedure (TP)
  - Constrained data item (CDI)

Separation of Duty
- Prevent the possibility of abuse
- Keeps track of the various operations performed (state)
- Prevents the same person from handling multiple transactions on the same objects (even if authorized to)
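The two slides above describe Clark-Wilson enforcement: a change to a constrained data item is permitted only through a transformation procedure that an access triple (userID, TP, CDI) authorises, and separation of duty additionally refuses to let one user apply two different TPs to the same CDI. The following is an added example written for this page, not code from the slides or the textbook; the users, TP names and CDI names are constructed.

```python
"""Clark-Wilson access triples with a separation-of-duty check (added example)."""
from collections import defaultdict


class ClarkWilson:
    def __init__(self, triples):
        # Certified access triples: (userID, TP, CDI). Anything not listed is denied.
        self.triples = set(triples)
        # Separation-of-duty state: which TPs each user has already applied to each CDI.
        self.history = defaultdict(set)

    def authorised(self, user, tp, cdi):
        return (user, tp, cdi) in self.triples

    def separation_ok(self, user, tp, cdi):
        # A user who has already applied a *different* TP to this CDI may not
        # apply another one, even when an access triple would allow it.
        done = self.history[(user, cdi)]
        return not done or done == {tp}

    def execute(self, user, tp, cdi):
        """Return (allowed, reason); the operation is recorded only when allowed."""
        if not self.authorised(user, tp, cdi):
            return False, "no access triple"
        if not self.separation_ok(user, tp, cdi):
            return False, "separation of duty"
        self.history[(user, cdi)].add(tp)
        return True, "ok"


# Constructed policy: alice may create and approve order-42, bob may approve it.
POLICY = [
    ("alice", "create_order", "order-42"),
    ("alice", "approve_order", "order-42"),
    ("bob", "approve_order", "order-42"),
]


def demo():
    """Run a constructed sequence of operations and return the decisions."""
    cw = ClarkWilson(POLICY)
    return [
        cw.execute("alice", "create_order", "order-42"),   # allowed
        cw.execute("alice", "approve_order", "order-42"),  # denied: same person, second TP
        cw.execute("bob", "approve_order", "order-42"),    # allowed
        cw.execute("carol", "create_order", "order-42"),   # denied: no triple
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Note that alice holds a valid triple for `approve_order` and is still refused: the separation-of-duty rule is evaluated against recorded state, which is why the slide says the system must keep track of operations.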

Chinese Wall Policy
- Goal is to prevent conflicts of interest
- Levels of abstraction:
  - Objects
  - Company groups
  - Conflict classes
- A subject can't access objects from two company groups within the same conflict class
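As an added example (not from the slides), the three levels of abstraction above can be modelled directly: objects belong to company groups, company groups belong to conflict classes, and a read is refused once the subject has already touched a different company group in the same conflict class. The company names and object names are constructed.

```python
"""Chinese Wall policy with objects, company groups and conflict classes (added example)."""
from collections import defaultdict


class ChineseWall:
    def __init__(self, conflict_classes):
        # conflict_classes: {conflict_class: {company_group: {object, ...}}}
        self.object_group = {}
        self.group_class = {}
        for cls, groups in conflict_classes.items():
            for group, objects in groups.items():
                self.group_class[group] = cls
                for obj in objects:
                    self.object_group[obj] = group
        # History: company groups each subject has already accessed.
        self.accessed = defaultdict(set)

    def can_read(self, subject, obj):
        group = self.object_group[obj]
        cls = self.group_class[group]
        # Denied if the subject already accessed another company group in this class.
        return all(self.group_class[g] != cls or g == group
                   for g in self.accessed[subject])

    def read(self, subject, obj):
        """Return True and record the access, or False if it would cross the wall."""
        if not self.can_read(subject, obj):
            return False
        self.accessed[subject].add(self.object_group[obj])
        return True


# Constructed data set: two banks compete in one conflict class; an oil company is unrelated.
CLASSES = {
    "banks": {"BankA": {"bankA-ledger", "bankA-forecast"}, "BankB": {"bankB-ledger"}},
    "oil": {"OilX": {"oilX-report"}},
}


def demo():
    """One analyst reads a sequence of objects; return the decisions in order."""
    wall = ChineseWall(CLASSES)
    return [
        wall.read("analyst", "bankA-ledger"),    # True: first access
        wall.read("analyst", "bankA-forecast"),  # True: same company group
        wall.read("analyst", "bankB-ledger"),    # False: competitor in same conflict class
        wall.read("analyst", "oilX-report"),     # True: different conflict class
    ]


if __name__ == "__main__":
    print(demo())
```

The decision depends on the subject's history, not on a static label, which is what distinguishes the Chinese Wall from the lattice models that follow.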

Models of Security
- Mechanism to enforce policy
- Lattice: visualization of relationships
- Bell-La Padula
- Biba integrity model

Bell La Padula Model
- Military policy based
- Secures the flow of information
- Properties:
  - Simple Security Property: subject s can read object o only if C(o) ≤ C(s)
  - *-Property: a subject with read access to object o may write to object p only if C(o) ≤ C(p)
- Read down / write up

Bell La Padula Read-Down (diagram: levels Top Secret, Secret, Unclassified; Subject (s) reads Object (o) at the same or a lower level)

Bell La Padula Write-Up (diagram: levels Top Secret, Secret, Unclassified; after reading Object (o), writes go to Object (p) at the same or a higher level)

Bell La Padula Lattice Example (levels TS, S, U with compartments A and B)
- TS {A, B}
- TS {A}, TS {B}
- S {A, B}
- S {A}, S {B}
- U {}

Biba Model
- Dual of the Bell-La Padula model
- Focus is on integrity (trustworthiness)
- Properties:
  - Simple Integrity Property: subject s can modify object o only if I(s) ≥ I(o)
  - *-Property: if subject s has read access to object o with integrity level I(o), s can write to object p only if I(o) ≥ I(p)
- Read up / write down

Biba Read-Up (diagram: levels High Integrity, Medium Integrity, Low Integrity; Subject (s) reads Object (o) at the same or a higher integrity level)

Biba Write-Down (diagram: levels High Integrity, Medium Integrity, Low Integrity; after reading Object (o), writes go to Object (p) at the same or a lower integrity level)
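The military policy, Bell-La Padula and Biba slides above all rest on the same lattice order: one label dominates another when its level is at least as high and its compartment set is a superset. The following added example (written for this page, not code from the slides or the textbook) implements that order and expresses the four properties on top of it, using the slides' level names; the labels used in the demo are constructed. It also shows that TS {A} and S {A, B} from the lattice example are incomparable, which is why the lattice is a partial order rather than a single ladder.

```python
"""Lattice labels with BLP and Biba property checks (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    """Hierarchical level plus non-hierarchical compartments (need to know)."""
    level: int
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # Lattice partial order: level at least as high AND every compartment
        # of `other` is also held here.
        return (self.level >= other.level
                and self.compartments >= other.compartments)


def comparable(a, b):
    return a.dominates(b) or b.dominates(a)


def label(level, *compartments):
    return Label(level, frozenset(compartments))


# Confidentiality levels (C labels) from the Bell-La Padula slides.
U, S, TS = 0, 1, 2
# Integrity levels (I labels) from the Biba slides.
LOW, MEDIUM, HIGH = 0, 1, 2


# Bell-La Padula: read down, write up. This is also the military policy
# read rule: clearance >= classification and need to know for every compartment.
def blp_can_read(subject, obj):
    """Simple Security Property: read o only if C(o) <= C(s)."""
    return subject.dominates(obj)


def blp_can_write(read_obj, write_obj):
    """*-Property: having read o, write p only if C(o) <= C(p)."""
    return write_obj.dominates(read_obj)


# Biba: read up, write down (the dual of BLP).
def biba_can_modify(subject, obj):
    """Simple Integrity Property: modify o only if I(s) >= I(o)."""
    return subject.dominates(obj)


def biba_can_write_after_read(read_obj, write_obj):
    """*-Property: having read o, write p only if I(o) >= I(p)."""
    return read_obj.dominates(write_obj)


def demo():
    """Evaluate the slide examples on constructed labels; return named decisions."""
    return {
        "TS{A} comparable with S{A,B}": comparable(label(TS, "A"), label(S, "A", "B")),
        "S{A} reads U{}": blp_can_read(label(S, "A"), label(U)),
        "S{A} reads S{B}": blp_can_read(label(S, "A"), label(S, "B")),
        "read S{A} then write TS{A,B}": blp_can_write(label(S, "A"), label(TS, "A", "B")),
        "read S{A} then write U{}": blp_can_write(label(S, "A"), label(U)),
        "HIGH modifies LOW": biba_can_modify(label(HIGH), label(LOW)),
        "LOW modifies HIGH": biba_can_modify(label(LOW), label(HIGH)),
        "read LOW then write HIGH": biba_can_write_after_read(label(LOW), label(HIGH)),
        "read HIGH then write LOW": biba_can_write_after_read(label(HIGH), label(LOW)),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The duality is visible in the code: the Biba checks are the BLP checks with the roles of subject and object (or of read and write target) swapped in the dominance test, which is exactly what "read up / write down" versus "read down / write up" means.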

Design Elements
- Least Privilege
- Economy of Mechanism
- Open Design
- Complete Mediation
- Permission-Based
- Separation of Privilege
- Least Common Mechanism
- Ease of Use

Security Features
- User Identification and Authentication
- Complete Mediation
- Discretionary Access Control
- Mandatory Access Control
- Object Reuse Protection
- Audit
- Audit Reduction
- Trusted Path
- Intrusion Detection

Trusted Computer Base (TCB) (diagram of nested layers: Reference Model inside Security Kernel inside Trusted Computer Base)

Assurance Methods
- Testing
- Pentesting
- Formal Verification
- Validation

Orange Book Evaluation (levels from lowest to highest)
- D: Minimal Protection
- C1: Discretionary Security Protection
- C2: Controlled Access Protection
- B1: Labeled Security Protection
- B2: Structured Protection
- B3: Security Domains
- A1: Verified Design

Discretionary Security Protection (C1)
- User Authentication
- Object Access Control
- Discretionary Access Control
- Memory Protection
- Penetration Testing

Controlled Access Protection (C2)
- Single User Access Control
- Object Reuse
- Audit Logs

Labeled Security Protection (B1)
- Mandatory Access Control
- Labeled Objects
- Need to Know Access Policy
  - Hierarchical
  - Nonhierarchical

Structured Protection (B2)
- Test and review of design
- Principle of Least Privilege
- Trusted Paths
- Covert Channel Analysis

Security Domains (B3)
- Extensive Testing
- Full Access Control
- Active Audits and Alerts
- Resistant to Penetration

Verified Design (A1)
- Formally Verifiable Design
- Formal Top-Down Specification
- Informal demonstration that the specification is consistent with the design
- Formal Analysis of Covert Channels

Orange Book Weaknesses
- All or nothing for level certification
- Local software can invalidate
- OS patches can invalidate
- Mandatory Access Control can be difficult to set up
- Viruses not taken into consideration

Common Criteria
- Class-family-component based
- International system

Common Criteria Classes
- Functionality
  - Identification and Authentication
  - Trusted Path
  - Security Audit
  - Invocation of Security Functions
  - User Data Protection
  - Resource Utilization
  - Protection of the Trusted Security Functions
  - Privacy
  - Communication
- Assurance
  - Development
  - Testing
  - Vulnerability Assessment
  - Configuration Management
  - Life-cycle Support
  - Guidance Documents
  - Delivery and Operation

Common Criteria (diagram: a Class contains Families, a Family contains Components; Components are grouped into Packages; Packages are combined into a Protection Profile or a Security Target)

False Guarantees of Trust
- Emphatic assertions
- Security through obscurity
- "I couldn't find any flaws"
- Challenges