Presentation is loading. Please wait.

Presentation is loading. Please wait.

Trusted System? What are the characteristics of a trusted system?

Published byDeborah Hood Modified over 8 years ago

Similar presentations

Presentation on theme: "Trusted System? What are the characteristics of a trusted system?"— Presentation transcript:

1 Trusted System? What are the characteristics of a trusted system?
What is a security policy and how must it be enforced? Functional correctness: does what is suppose to do. Enforcement of Integrity: correctness of data. Limited Privilege: access is minimized, neither access rights or data are passed along to other untrusted programs or user. Appropriate confidence level: system has been tested and rated.

2 Underpinning of a Trusted OS
Policy: has requirements. Model: represents the policy. Design: decide how to implement it. Trust Features: has them to enforce security. Assurance: provide confidence in the system. Requirements: what it should and should not do. Model: compare it to the policy. Design: how it is built.

3 Trusted Software Key Characteristics
Functionally correct: does what it is suppose to. Enforcement of Integrity: maintain correctness of data. Limited privilege: program access secure data but access is minimized. Appropriate confidence level: program has been evaluated and rated at a degree of trust. Common Criteria: ICC international standard for security. Book.

4 Figure 5-14 Combined Security Kernel/Operating System.
Separate the security functions of an existing operating system, creating a security kernel. Pfleeger, C., Pleeger, S. (2007) Security in Computing 4th Edition Figure 5-14  Combined Security Kernel/Operating System.

5 Figure 5-15 Separate Security Kernel.
Computing systems have at least three execution domains: security kernel, operating system and user. Pfleeger, C., Pleeger, S. (2007) Security in Computing 4th Edition Figure 5-15  Separate Security Kernel.

6 Trusted Computing Base (TCB)
Conceptual Construct: not physical. Security-relevant portions of a computer system that enforce a security policy. The level of trust a system provides. Address hardware software and firmware. Trusted Path: communication channel. Trusted Shell: can’t bust out of it. Processes have their own execution domain. Memory and I/O protection. Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide Harris, S. (2010) CISSP All-in-one Exam Guide 5th edition.

7 Figure 5-13 TCB and Non-TCB Code.
Typical divisions into TCB and Non TCB sections. Pfleeger, C., Pleeger, S. (2007) Security in Computing 4th Edition Figure 5-13  TCB and Non-TCB Code.

8 Security Perimeter Everything outside of TCB.
Divides trusted from un-trusted. Communication between TCB and components outside the TCB cannot expose the system to security compromises. Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide Harris, S. (2010) CISSP All-in-one Exam Guide 5th edition.

9 Figure 5-12 Reference Monitor.
Conceptual The most important part of a security kernel. Mediates all access subjects have to objects. Tamperproof and provide isolation. Un-bypassable: invoked for every access attempt. Analyzable: small enough to be tested. There are other security mechanisms helping the system. Other parts: audit, identification, and authentication. Harris, S. (2010) CISSP All-in-one Exam Guide 5th edition. Pfleeger, C., Pleeger, S. (2007) Security in Computing 4th Edition

10 Security Policy Policy Policy Components
High-level management directives. A statement of the security we expect the system to enforce. Policy Components Purpose: Why. Scope: what is covered. Responsibilities: of teams, staff, management. Compliance: judge effectiveness, consequences Book and Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide

11 Military Security Policy
Military Policy. Protect classified information; Rank information by sensitivity level. Need to know rule: only subjects who need to know. Projects are compartmentalized for protection.

12 Figure 5-1 Hierarchy of Sensitivities.
Rank information at a sensitivity level. Unclassified, restricted, confidential, secret or top secret. Pfleeger, C., Pleeger, S. (2007) Security in Computing 4th Edition Least Sensitive Figure 5-1  Hierarchy of Sensitivities.

13 Compartments Projects are called compartments;
Information can cross compartments and sensitivity levels. Individuals are assigned to projects. Compartments enforce need-to-know policy. Clearances are required to access information.

14 Figure 5-2 Compartments and Sensitivity Levels.
Compartments can cross sensitivity levels. Compartment are usually named after a project. Pfleeger, C., Pleeger, S. (2007) Security in Computing 4th Edition Figure 5-2  Compartments and Sensitivity Levels.

15 Figure 5-3 Association of Information and Compartments.
As titled. Pfleeger, C., Pleeger, S. (2007) Security in Computing 4th Edition Figure 5-3  Association of Information and Compartments.

16 Discussion Question Commercial Security Policies.
Why must companies be concerned about security?

17 Commercial Security Maintain competitive advantage.
Industrial espionage. Protect financial information. Categories of information; Public: less sensitive. Proprietary: less sensitive than internal. Internal: sensitive.

18 Figure 5-4 Commercial View of Sensitive Information.
Pfleeger, C., Pleeger, S. (2007) Security in Computing 4th Edition Figure 5-4  Commercial View of Sensitive Information.

19 Models of Security (Why?)
Test a particular policy for completeness and consistency. Document a policy. Help conceptualize and design an implementation. Check whether an implementation meets its requirements.

20 Bell-LaPadula Security Model
First mathematical model to of a multi-level security policy. For Department of Defense Simple security property: no read up. *Security property: no write down. Strong Tranquility Property Security labels will not change while system operating. Weak Tranquility Property Security labels will not change in a way that conflicts with defined security properties. “Keep secrets secret” Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide Harris, S. (2010) CISSP All-in-one Exam Guide 5th edition.

21 Figure 5-7 Secure Flow of Information.
Pfleeger, C., Pleeger, S. (2007) Security in Computing 4th Edition Figure 5-7  Secure Flow of Information. Bell-La Padula model Simple security property: no read up operations. *security property: no write-down operations. Confidentiality is critical to maintain.

22 Biba (integrity) Mode Businesses are concerned with integrity of information A State Machine model mathematical model, evaluate every state. Simple integrity axiom: No read down. *Integrity axiom: no write up. Invocation property Subject cannot request service to subjects of a higher integrity. Opposite of Bell-LaPadula. Confidentiality at odds with integrity. Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide Harris, S. (2010) CISSP All-in-one Exam Guide 5th edition.

23 Clark-Wilson Integrity Model
Well formed transactions: ability to enforce control over applications. Users: Active Agents. Transformation Procedures (TPs) abstract operations, read, write and modify. Constrained data items (CDIs): manipulated only by TPs. Unconstrained data items (UDIs): manipulated by users via primitive read and write operations. Integrity verification procedures (IVPs) Check the consistency of CDIs with external reality. Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide Harris, S. (2010) CISSP All-in-one Exam Guide 5th edition.

24 Clark Wilson Diagram reproduced and updated from Harris, S. (2010) CISSSP All-In-One Study Guide.

25 Security Models cont. Information Flow: describe how information can flow. Bell-LaPadula and Biba use this. Chinese Wall (Brewer-Nash):avoid conflicts of interest. (consultant control) Prohibit access to conflict of interest categories. Noninterference: data at different security domains remain separate. Harrison-Ruzzo-Ullman: maps subjects, objects and access rights to a matrix. Zachman Framework: six frameworks for providing information security. Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide

26 Figure 5-5 Chinese Wall Security Policy.
Pfleeger, C., Pleeger, S. (2007) Security in Computing 4th Edition Figure 5-5  Chinese Wall Security Policy.

27 Zachman Framework Help security professionals think about all of the areas they should be concerned with.

28 Security Models cont. Objects are either active or passive.
Take Grant Protection: rules govern interactions between subjects, and objects and permissions subjects can grant. Primitive operations: Create Revoke Take Grant Objects are either active or passive.

29 Figure 5-8 Subject, Object, and Rights.
Pfleeger, C., Pleeger, S. (2007) Security in Computing 4th Edition

30 Pfleeger, C., Pleeger, S. (2007) Security in Computing 4th Edition
Figure 5-9  Creating an Object; Revoking, Granting, and Taking Access Rights.

31 Why Study Models? Models help us to determine what policies a secure system will enforce. Essential to designing a trusted operating system. Determine what is feasible and what is not.

32 Figure 5-10 Overview of an Operating System’s Functions.
Identify and authenticate. Protect memory. Protect I/O from unauthorized users. Access control via table lookups. Sharing: resource should be available. Fair Service: enforce sharing of the system resources. Pfleeger, C., Pleeger, S. (2007) Security in Computing 4th Edition Figure 5-10  Overview of an Operating System’s Functions. User authentication, memory protection, file I/O access, access access control, enforce sharing, fair service, inter-process communications and synchronization, protected OS and data.

33 Figure 5-11 Security Functions of a Trusted Operating System.
MAC: access control decisions made beyond the control of the user. DAC: Owner has some discretion. Complete mediation: all accesses must be controlled. Trusted path: no spoofing. Maintain logs. Pfleeger, C., Pleeger, S. (2007) Security in Computing 4th Edition Figure 5-11  Security Functions of a Trusted Operating System. User identification and authentication, mandatory access control, discretionary access control, object reuse protection, complete mediation, trusted path, audit, audit log reduction, intrusion detection.

34 Access Control Mandatory (MAC): decisions made beyond the end user.
Discretionary (DAC): end user decides access. Non-Discretionary: Role based access control. Roles define access. Content/Context dependent: check an additional context before allowing access such as time, or if accessing their records. Centralized: all access centralized. Single Sign On. Provide AAA. Decentralized: allow IT administrators at each location employ different policies and levels of security. Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide

35 Discussion Question Explain the meaning of granularity in respect to access control. Discuss the trade off between granularity and effciency.

36 Granularity vs. Efficiency
Granularity: the extend to which a task is broken down into smaller parts. Maximum granularity control each individual object. Course granularity Organize information into directories or groups. Then apply access rules. Management efficiency affected by choice. Access control systems can become hard to manage based upon the granularity of controls placed upon objects.

37 Memory Chip based (RAM), disk based, tape.
RAM: CPU may randomly access addresses. ROM: Read Only Memory, survives power loss. Cache Memory: fast memory on system. Memory Protection: protect CIA of process Hardware segmentation: mapping processes to specific memory addresses. Virtual Memory: map between applications and hardware. More than just paging, shares libraries in memory. Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide

38 Figure 5-16 Conventional Multiuser Operating System Memory.
Pfleeger, C., Pleeger, S. (2007) Security in Computing 4th Edition Figure 5-16  Conventional Multiuser Operating System Memory.

39 Figure 5-17 Multiple Virtual Addressing Spaces.
Pfleeger, C., Pleeger, S. (2007) Security in Computing 4th Edition Figure 5-17  Multiple Virtual Addressing Spaces.

40 Operating System and Drivers
Typical Computer Operating System and Drivers Application CPU(s) Memory Network Storage Peripherals Hardware 4/22/2017

41 Figure 5-18 Conventional Operating System.
Pfleeger, C., Pleeger, S. (2007) Security in Computing 4th Edition Figure 5-18  Conventional Operating System.

42 Virtual Computer Hardware CPU(s) Memory Network Storage Peripherals
Applications Virtual Hardware and Operating System Applications Virtual Hardware and Operating System Applications Virtual Hardware and Operating System Applications Virtual Hardware and Operating System CPU(s) Memory Network Storage Peripherals Hardware 4/22/2017

43 Figure 5-19 Virtual Machine.
Virtual machines allow for more efficient use of hardware but do have security risks. Figure 5-19  Virtual Machine.

44 VM Security Harden base OS: this manages VMs.
Set Resource limits: CPU, memory, etc. Firewall host on operating system. Use encrypted protocols. Harden guest operating systems. Keep up with host and guest patches. Guest operating system may be different. Audit logs and performance.

45 4/22/2017

46 Figure 5-20 Layered Operating System.
Pfleeger, C., Pleeger, S. (2007) Security in Computing 4th Edition Figure 5-20  Layered Operating System.

47 Figure 5-21 Modules Operating in Different Layers.
Pfleeger, C., Pleeger, S. (2007) Security in Computing 4th Edition Figure 5-21  Modules Operating in Different Layers.

48 International Common Criteria
Agreed upon standard for describing and testing the security of IT products. Target of Evaluation ToE product under evaluation. Security Target (ST) documentation describing the ToE including security requirements. Protection Profile Independent set of security requirements for a category of products or systems. Evaluation assurance level Score of the product. Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide

49 CC Levels of Evaluation
7 Levels building on previous level. EAL1: functionally tested. EAL2: structurally tested. EAL3: methodically tested & checked. EAL4: methodically designed, tested & checked. EAL5: semi-formally designed & tested. EAL6: semi-formally verified, designed & tested. EAL7: formally verified, designed & tested. Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide

50 Discussion Question Why would a company go after Common Criteria Certification for their products?

51 New Business and $$$ Having certified products opens new markets for your business Government Contracts. International private businesses requiring high levels of security. It can be an expensive process though. In 2006 an EAL4 rating takes 2 years and $350,000 for a product.

52 Figure 5-27 Criteria Development Efforts.
Pfleeger, C., Pleeger, S. (2007) Security in Computing 4th Edition Figure 5-27  Criteria Development Efforts.

53 Payment Card Industry (PCI) Data Security Standard (DSS)
Core Principles: Build and maintain a secure network. Protect cardholder data. Maintain a vulnerability management program. Implement strong access control measures. Regularly monitor and test networks. Maintain an information security policy. Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide

54 Certification and Accreditation
System has been certified to meet security requirements of the data owner. Accreditation The data owner’s acceptance of the certification and the residual risk required before it is put into production. Government busy working on these procedures. Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide

Download ppt "Trusted System? What are the characteristics of a trusted system?"

Similar presentations

Operating System Security

Operating System Security
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
Computer Security: Principles and Practice Chapter 10 – Trusted Computing and Multilevel Security.

Computer Security: Principles and Practice Chapter 10 – Trusted Computing and Multilevel Security.
Access Control Methodologies

Access Control Methodologies
Title of Selected Paper: Design and Implementation of Secure Embedded Systems Based on Trustzone Authors: Yan-ling Xu, Wei Pan, Xin-guo Zhang Presented.

Title of Selected Paper: Design and Implementation of Secure Embedded Systems Based on Trustzone Authors: Yan-ling Xu, Wei Pan, Xin-guo Zhang Presented.
Security Models and Architecture

Security Models and Architecture
Secure Operating Systems Lesson 0x11h: Systems Assurance.

Secure Operating Systems Lesson 0x11h: Systems Assurance.
Chapter 2.  CIA Model  Host Security VS Network Security  Least Privileges  Layered Security  Access Controls Prepared by Mohammed Saher2.

Chapter 2.  CIA Model  Host Security VS Network Security  Least Privileges  Layered Security  Access Controls Prepared by Mohammed Saher2.
Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.

Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
Verifiable Security Goals

Verifiable Security Goals
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.

Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.
Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.

Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.
Information Systems Security Security Architecture Domain #5.

Information Systems Security Security Architecture Domain #5.
CS526Topic 21: Integrity Models1 Information Security CS 526 Topic 21: Integrity Protection Models.

CS526Topic 21: Integrity Models1 Information Security CS 526 Topic 21: Integrity Protection Models.
User Domain Policies.

User Domain Policies.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

Similar presentations

Ads by Google