Presentation is loading. Please wait.

Presentation is loading. Please wait.

Evaluating Systems Information Assurance Fall 2010.

Published byGerard Lloyd Modified over 8 years ago

Similar presentations

Presentation on theme: "Evaluating Systems Information Assurance Fall 2010."— Presentation transcript:

1 Evaluating Systems Information Assurance Fall 2010

2 Reading Material Chapter 21 Computer Security: Art and Science The orange book and the whole rainbow series – http://nsi.org/Library/Compsec/orangebo.t xt http://nsi.org/Library/Compsec/orangebo.t xt The common criteria –Lists all evaluated protection profiles and products –http://www.commoncriteriaportal.orghttp://www.commoncriteriaportal.org

3 Outline Motivation for system evaluation Specific evaluation systems –TCSEC/Orange Book –Interim systems –Common Criteria

4 Evaluation Goals Oriented to purchaser/user of system Assurance that system operates as advertised

5 Evaluation Options Rely on vendor/developer evidence –Self-evaluate vendor design docs, test results, etc –Base on reputation of vendor Rely on an expert –Read product evaluations from trusted source –Penetration testing

6 Formal Evaluation Provide a systematic framework for system evaluation –More consistent evaluation –Better basis for comparing similar product Trusted third party system for evaluation Originally driven by needs of government and military

7 TCSEC: 1983-1999 Trusted Computer System Evaluation Criteria (TCSEC) also called the Orange Book –Specifies evaluation classes (C1, C2, B1, B2, B3, A1) –Specifies functionality and assurance requirements for each class Functional Model builds on –BLP (mandatory labeling) –Reference Monitors

8 Reference Monitor Reference Monitor – abstract machine that mediates all access to objects by subjects Reference Validation Mechanism (RVM) – Implementation of a Reference Monitor –Tamper-proof –Well defined –Never bypassed –Small enough for analysis and testing

9 Trusted Computing Base (TCB) Includes all protection mechanisms including HW, firmware, and software responsible for enforcing the security policy Strong boundary around the TCB is critical –Any code trusted by element of TCB must be part of TCB too. –If portion of TCB is corrupted, must consider that all of the TCB can be corrupted

10 TCSEC Functional Requirements DAC Object Reuse –Sufficient clearing of objects between uses in resource pool –E.g. zero pages in memory system MAC and Labels Identification and Authentication Audit –requirements increase at higher classes Trusted Path –Non-spoofable means to interact with TCB –Ctl-Alt-Del in Windows

11 TCSEC Assurance Requirements Configuration Management –For TCB Trusted Distribution –Integrity of mapping between master and installations System Architecture –Small and modular Design Specification – vary between classes Verification – Vary between classes Testing Product Documentation

12 TCSEC Classes D – Catch all C1 – Discretionary Protection –Identification and authentication and DAC –Minimal Assurance C2 – Control access protection –Adds object reuse and auditing –More testing requirements –Windows NT 3.5 evaluated C2

13 TCSEC Classes B1 – Labeled Security Protection –Adds MAC for some objects –Stronger testing requirements. Information model of security policy. –Trusted Unixes tended to be B1 B2 – Structured protection –MAC for all objects. Additional logging. Trusted Path. Least privilege. –Covert channel analysis, configuration management, more documentation, formal model of security policy

14 TCSEC Classes B3 – Security Domains –Implements full RVM. Requirements on code modularity, layering, simplicity. –More stringent testing and documentation. A1 – verified protection –Same functional requirements as B3 –Significant use of formal methods in assurance –Honeywell’s SCOMP

15 TCSEC Evaluation process Originally controlled by government –No fee to vendor –May reject evaluation application if product not of interest to government Later introduced fee-based evaluation labs Evaluation phases –Design analysis – no source code access –Test analysis –Final review

16 TCSEC Evaluation Issues Evaluating a specific configuration –E.g., Window NT, no applications installed, no network –New patches, versions require re-certification RAMP introduced to ease re-certifications Long time for evaluation –Sometimes product was obsolete before evaluation finished Criteria Creep –B1 means something more in 1999 than it did in 1989

17 Interim Efforts in the ’90s Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) Information Technology Security Evaluation Criteria (ITSEC) – Western Europe Commercial International Security Requirements (CISR) – AmEx and EDS Federal Criteria – NSA and NIST

18 FIPS 140 Framework for evaluating Cryptographic Modules Still in Use Addresses –Functionality –Assurance –Physical security

19 FIPS 140-2 Security Levels Security Level 1 – Uses a FIPS-approved crypto algorithm. Security Level 2 – Adds physical security requirements, e.g. Tamper-evident coatings Security Level 3 – Greater physical security. Protect data hardware falls into the wrong hands. Security Level 4 – Greatest physical security. Detects and responds to environmental and unauthorized attacks.

20 Common Criteria – 1998 to today Pulls together international evaluation efforts –Evaluations mean something between countries Three top level documents –Common Criteria Documents Describe functional and assurance requirements. Defines Evaluation Assurance Levels (EALs) –CC Evaluation Methodology (CEM) More details on the valuation. Complete through EAL5 (at least) –Evaluation Scheme National specific rules for how CC evals are performed in that country Directed by NIST in US

21 CC Terminology Target of Evaluation (TOE) –The product being evaluated TOE Security Policy (TSP) –Rules that regulate how assets are managed, protected, and distributed in a product TOE Security Functions (TSF) –Implementation of the TSP –Generalization of the TCB

22 Protection Profile (PP) Profile that describes the security requirements for a class of products –List of evaluated PP’s –http://www.commoncriteriaportal.org/pp.htmlhttp://www.commoncriteriaportal.org/pp.html Replaces the fixed set of classes from TCSEC ISSO created some initial profiles to match TCSEC classes –Controlled Access Protection Profile (CAPP) corresponds to C2 –Labeled Security Protection Profile (LSPP) corresponds to B1

23 Product evaluation Define a security target (ST) –May leverage an evaluated protection profile Evaluated with respect to the ST

24 CC Functional Requirements Defined in a taxonomy –Top level 11 classes E.g., FAU – Security audit and FDP – User Data Protection –Each class divided into families E.g., FDP_ACC – Access control policy –Each family divided into components E.g., FDP_ACC.2 – Complete access control –Each component contains requirements and dependencies on other requirements

25 CC Assurance Requirements Similar class, family, component taxonomy Eight product oriented assurance classes –ACM – Configuration Management –ADO – Delivery and Operation –ADV – Development –AGD – Guidance Documentation –ALC – Life Cycle –ATE – Tests –AVA – Vulnerability Analysis –AMA – Maintenance of Assurance

26 Evaluation Assurance Levels 7 fixed EALs –EAL1 – Functionality Tested –EAL2 – Structurally Tested –EAL3 – Methodically tested and checked Analogous to C2 –EAL4 – Methodically Designed, Tested, and Reviewed –EAL5 – Semiformally Designed and Tested –EAL6 – Semiformally Verified Design and Tested –EAL7 – Formally Verified Design and Tested

27 CC Evaluation Process in US NIST provides accreditation of third party evaluation labs –Vendor pays lab –Lab works with oversight board Evaluate both PP’s and Products List of evaluated products – http://www.commoncriteriaportal.org/products. html http://www.commoncriteriaportal.org/products. html

28 Certifying Process Gain assurance from knowledge of developers process –ISO 9000 –SEI's Capability Maturity Model(CMM) –System Security Engineering Capability Maturity Model (SSE-CMM) http://www.sse-cmm.org

29 System Security Engineering Capability Maturity Model SSE-CMM - http://www.sse-cmm.orghttp://www.sse-cmm.org –Based on SEI’s SE-CMM Divide software development into process areas (which are further divided into processes) –E.g., Assess Threat, Coordinate Security, Assess impact Plus some process areas from base SE-CMM –E.g., Ensure Quality, Plan Technical Effort

30 Capability Maturity Levels An organization is evaluated at a maturity level for these process areas and processes –Performed informally –Planned and tracked –Well-defined –Quantitatively controlled –Continuously improving

31 Key Points Evaluation for the benefit of the customer Product Evaluations –Functional Requirements –Assurance Requirements Process Evaluation

Download ppt "Evaluating Systems Information Assurance Fall 2010."

Similar presentations

Security Requirements

Security Requirements
University of Tulsa - Center for Information Security Common Criteria Dawn Schulte Leigh Anne Winters.

University of Tulsa - Center for Information Security Common Criteria Dawn Schulte Leigh Anne Winters.
Common Criteria Evaluation and Validation Scheme Syed Naqvi XtreemOS Training Day.

Common Criteria Evaluation and Validation Scheme Syed Naqvi XtreemOS Training Day.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.2: Evaluation of Secure Information Systems.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.2: Evaluation of Secure Information Systems.
TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.

TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #18-1 Chapter 18: Evaluating Systems Goals Trusted Computer System Evaluation.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #18-1 Chapter 18: Evaluating Systems Goals Trusted Computer System Evaluation.
4/28/20151 Computer Security Security Evaluation.

4/28/20151 Computer Security Security Evaluation.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-1 Chapter 17: Introduction to Assurance Overview Why assurance? Trust and.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-1 Chapter 17: Introduction to Assurance Overview Why assurance? Trust and.
CS526Topic 22: TCSEC and Common Criteria 1 Information Security CS 526 Topic 22: TCSEC and Common Criteria.

CS526Topic 22: TCSEC and Common Criteria 1 Information Security CS 526 Topic 22: TCSEC and Common Criteria.
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
IT Security Evaluation By Sandeep Joshi

IT Security Evaluation By Sandeep Joshi
1 norshahnizakamalbashah-19112007- CEM v3.1: Chapter 10 Security Target Evaluation.

1 norshahnizakamalbashah CEM v3.1: Chapter 10 Security Target Evaluation.
Computer Security: Principles and Practice Chapter 10 – Trusted Computing and Multilevel Security.

Computer Security: Principles and Practice Chapter 10 – Trusted Computing and Multilevel Security.
The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.

The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 10 – Trusted Computing.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 10 – Trusted Computing.
Trusted Hardware: Can it be Trustworthy? Design Automation Conference 5 June 2007 Karl Levitt National Science Foundation Cynthia E. Irvine Naval Postgraduate.

Trusted Hardware: Can it be Trustworthy? Design Automation Conference 5 June 2007 Karl Levitt National Science Foundation Cynthia E. Irvine Naval Postgraduate.
Security Models and Architecture

Security Models and Architecture
Secure Operating Systems Lesson 0x11h: Systems Assurance.

Secure Operating Systems Lesson 0x11h: Systems Assurance.
1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.

1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.

Similar presentations

Ads by Google