The CISSP Prep Guide Chapter 5 Security Architecture and Models The CISSP ® Prep Guide: Mastering the Ten Domains of Computer Security by Ronald L. Krutz, Russell Dean Vines (August 24, 2001), John Wiley & Sons. ISBN: 0471413569

Page 1: cissp chapter 05.ppt

The CISSP Prep Guide: Chapter 5

Security Architecture and Models

The CISSP® Prep Guide: Mastering the Ten Domains of Computer Security by Ronald L. Krutz, Russell Dean Vines (August 24, 2001), John Wiley & Sons. ISBN: 0471413569

Page 2: cissp chapter 05.ppt

Topics in Chapter 5

• Computer Organization

• Hardware Components

• Software/Firmware Components

• Open Systems

• Distributed Systems

• Protection Mechanism

• Evaluation Criteria

Page 3: cissp chapter 05.ppt

Topics in Chapter 5

• Certification and Accreditation

• Formal Security Models

• Confidentiality Models

• Integrity Models

• Information Flow Models

Page 4: cissp chapter 05.ppt

Computer Architecture

• CPU – ALU and Control Unit

• Memory – Cache, RAM, PLD, ROM, Real/Primary and Secondary memory, Sequential and Random Access Memory, Virtual Memory

– Addressing: Register, Direct, Absolute, Implied, Indirect Addressing

– Memory Protection

Page 5: cissp chapter 05.ppt

Instruction Execution Cycle

• Privileged Instructions

• Pipelining

• CISC versus RISC

• Multiprogramming

• Multitasking

• Multiprocessing

Page 6: cissp chapter 05.ppt

Input/Output Structures

• Instruction Fetch-Decode-Execute Cycle

• Direct Memory Access

• Interruption

Page 7: cissp chapter 05.ppt

Software

• 1GL - Machine language

• 2GL - Assembly language

• 3GL - High Level Programming language

• 4GL - NATURAL, FOCUS, SQL

• 5GL – Natural Language

Page 8: cissp chapter 05.ppt

Distributed Architecture

• Client-Server Model

• Security Concerns

– Email

– Telnet, FTP

– Encryption

Page 9: cissp chapter 05.ppt

Distributed Architecture: Security Concerns

• Desktop systems may be exposed and may serve as an entry point to critical information

• Users may lack security awareness

• Modem and dial-up access to the corporate network

• Download or upload of critical information

• Lack of proper backup or disaster recovery

Page 10: cissp chapter 05.ppt

For Protection Mechanisms

• Email and download/upload policies

• Robust access control and biometrics

• Graphical user interface mechanism

• File encryption

• Separation of privileged process and others

• Protection domain, disks, systems, laptops

• Labeling and classification

Page 11: cissp chapter 05.ppt

For Protection Mechanisms

• Centralized backup for desktop systems

• Security awareness and regular training

• Control of software on desktop systems

• Encryption

• Logging of transaction and transmission

• Appropriate access controls

• Protection of applications and database

Page 12: cissp chapter 05.ppt

For Protection Mechanisms

• Formal security methods in software development, change control, configuration management, and environmental change

• Disaster recovery and business continuity planning for all systems, including desktops, file systems and storage, databases and applications, and data and information

Page 13: cissp chapter 05.ppt

Protection Mechanisms

• Trusted Computing Base (TCB)

• Security Perimeter

• Trusted Path

• Trusted Computer System

• Abstraction, Encapsulation, and Information Hiding

Page 14: cissp chapter 05.ppt

Rings

• Protection Rings

• Security Kernel

• Reference Model

• MULTICS

Page 15: cissp chapter 05.ppt

Security Modes

• Dedicated

• Compartmented

• Controlled

• Limited Access

Page 16: cissp chapter 05.ppt

Additional Considerations

• Covert Channel

• Lack of Parameter Checking

• Maintenance Hook and Trapdoor

• Time of Check to Time of Use (TOC/TOU) Attack

Page 17: cissp chapter 05.ppt

Assurance

• Evaluation Criteria

– TCSEC by NCSC: Trusted Computer System Evaluation Criteria

– Classes of Security

• D – Minimal protection

• C – Discretionary protection (C1 and C2)

• B – Mandatory protection (B1, B2, B3)

• A – Verified protection; formal methods (A1)

– ITSEC

Page 18: cissp chapter 05.ppt

Certification and Accreditation

• Certification

– The comprehensive evaluation of the technical and non-technical security features of an information system and the other safeguards, which are created in support of the accreditation process, to establish the extent to which a particular design and implementation meets the set of specified security

Page 19: cissp chapter 05.ppt

Certification and Accreditation

• Accreditation

– A formal declaration by a Designated Approving Authority (DAA) that an information system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk

Page 20: cissp chapter 05.ppt

Certification and Accreditation

• DITSCAP

– Defense Information Technology Security Certification and Accreditation Process

– Phase 1: Definition

– Phase 2: Verification

– Phase 3: Validation

– Phase 4: Post Accreditation

Page 21: cissp chapter 05.ppt

• NIACAP

– National Information Technology Security Certification and Accreditation Process

– Site Accreditation

– Type Accreditation for an application or system

– System Accreditation for a major application or general support system

Page 22: cissp chapter 05.ppt

Information Security Models

• Access Control Models

– The Access Matrix

– Take-Grant Model

– Bell-LaPadula Model

• Integrity Models

– The Biba Integrity Model

– The Clark-Wilson Integrity Model

• Information Flow Models

– Non-interference Model

– Composition Theories

Page 23: cissp chapter 05.ppt

Bell-LaPadula Model

• DoD multilevel security policy

– Individual's need-to-know basis

– Security-labeled materials and clearances of Confidential, Secret, or Top Secret

– Thus deals only with the confidentiality of classified material, not with integrity or availability

– Input, State, Function and State Transition

Page 24: cissp chapter 05.ppt

Bell-LaPadula Model

1. The Simple Security Property (ss-property)

States that a subject at a lower sensitivity level is not permitted to read information from an object at a higher sensitivity level (No Read Up)

Page 25: cissp chapter 05.ppt

Bell-LaPadula Model

2. The * (star) Security Property

States that a subject at a higher level of sensitivity is not permitted to write information to an object at a lower level of sensitivity (No Write Down)

Page 26: cissp chapter 05.ppt

Bell-LaPadula Model

3. The Discretionary Security Property

Uses an access matrix to specify discretionary access control

Write-Up and Read-Down are permitted.

• Authorization

• Control– Content-Dependent, Context-Dependent

Page 27: cissp chapter 05.ppt

Integrity Model

• Goals

1. The data is protected from modification by unauthorized users

2. The data is protected from unauthorized modification by authorized users

3. The data is internally and externally consistent – the data held in a database must balance internally and must correspond to the external, real-world situation.

Page 28: cissp chapter 05.ppt

Biba Integrity Model

• Proposed in 1977; a lattice-based model

• Uses a "less than or equal to" ordering relationship

• Least upper bound (LUB) and greatest lower bound (GLB)

• The lattice is a set of integrity classes (IC) together with an ordering relationship among the classes

• A lattice is written as (IC, <=, LUB, GLB)

Page 29: cissp chapter 05.ppt

Biba Integrity Model

1. The Simple Integrity Axiom

States that a subject at one level of integrity is not permitted to observe (read) an object of lower integrity

No Read Down

Page 30: cissp chapter 05.ppt

Biba Integrity Model

2. The * (Star) Integrity Axiom,

States that a subject at one level of integrity is not permitted to modify (write to) an object at a higher level of integrity.

No Write Up

Page 31: cissp chapter 05.ppt

Biba Integrity Model

3. A subject at one level of integrity cannot invoke a subject at a higher level of integrity
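The Bell-LaPadula rules (pages 24 to 26) and the Biba axioms (pages 29 to 31) are the same lattice check applied in opposite directions. The following example is added here for illustration and is not from the book or slides; it assumes a constructed label lattice of four hierarchical levels plus a set of categories, with the dominance relation, LUB and GLB defined on that lattice.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Constructed ordering of levels: Unclassified < Confidential < Secret < Top Secret.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


@dataclass(frozen=True)
class Label:
    """A lattice element: a hierarchical level plus a set of categories (compartments)."""
    level: str
    cats: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # self >= other: higher-or-equal level AND a superset of categories.
        # Two labels may be incomparable; then neither dominates the other.
        return LEVELS[self.level] >= LEVELS[other.level] and self.cats >= other.cats


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the higher level and the union of categories."""
    return Label(max(a.level, b.level, key=LEVELS.get), a.cats | b.cats)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the lower level and the intersection of categories."""
    return Label(min(a.level, b.level, key=LEVELS.get), a.cats & b.cats)


# Bell-LaPadula: labels are sensitivity (confidentiality) labels.
def blp_can_read(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)            # ss-property: no read up

def blp_can_write(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)            # *-property: no write down


# Biba: labels are integrity labels, so each rule runs the opposite way.
def biba_can_read(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)            # simple integrity axiom: no read down

def biba_can_write(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)            # * integrity axiom: no write up

def biba_can_invoke(subject: Label, other_subject: Label) -> bool:
    return subject.dominates(other_subject)  # invocation axiom: no invoking up


if __name__ == "__main__":
    analyst = Label("S", frozenset({"crypto"}))   # constructed subject clearance
    for name, obj in [("C report", Label("C")), ("TS/crypto file", Label("TS", frozenset({"crypto"}))),
                      ("S/nuclear file", Label("S", frozenset({"nuclear"})))]:
        print(f"{name:15} BLP read={blp_can_read(analyst, obj)} write={blp_can_write(analyst, obj)}")
```

Note that an incomparable pair of labels (same level, disjoint categories) fails both the read and the write check under either model, which is the lattice behaviour the slides describe rather than a bug.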

Page 32: cissp chapter 05.ppt

Clark-Wilson Integrity Model

• Clark-Wilson, 1987

• Constrained Data Item (CDI)

– A data item whose integrity is to be preserved

• Integrity Verification Procedure (IVP)

– Confirms the integrity of all CDIs; a well-formed transaction transforms a CDI from one valid integrity state to another valid integrity state

• Unconstrained Data Item (UDI)

– Data items outside of the control area of the modeled environment, such as input information