Trusted System?Trusted System?What are the characteristics of a

trusted system?What is a security policy and how

must it be enforced?

Underpinning of a Trusted Underpinning of a Trusted OSOSPolicy: has requirements.Model: represents the policy.Design: decide how to implement

it.Trust

◦Features: has them to enforce security.

◦Assurance: provide confidence in the system.

Trusted Software Key Trusted Software Key CharacteristicsCharacteristics

Functionally correct: does what it is suppose to.

Enforcement of Integrity: maintain correctness of data.

Limited privilege: program access secure data but access is minimized.

Appropriate confidence level: program has been evaluated and rated at a degree of trust.◦ Common Criteria: ICC international standard for

security.

Figure 5-14  Combined Security Kernel/Operating System.

Figure 5-15  Separate Security Kernel.

Trusted Computing Base Trusted Computing Base (TCB)(TCB)Conceptual Construct: not physical.Security-relevant portions of a computer

system that enforce a security policy.The level of trust a system provides. Address hardware software and firmware.Trusted Path: communication channel.Trusted Shell: can’t bust out of it.Processes have their own execution

domain.Memory and I/O protection.

Figure 5-13  TCB and Non-TCB Code.

Security PerimeterSecurity PerimeterEverything outside of TCB.Divides trusted from un-trusted.Communication between TCB and

components outside the TCB cannot expose the system to security compromises.

Figure 5-12  Reference Monitor.ConceptualThe most important part of a security kernel.Mediates all access subjects have to objects.

•Tamperproof and provide isolation.•Un-bypassable: invoked for every access attempt.•Analyzable: small enough to be tested.

There are other security mechanisms helping the system.

Security PolicySecurity PolicyPolicy

◦High-level management directives.◦A statement of the security we expect the

system to enforce.Policy Components

◦Purpose: Why.◦Scope: what is covered.◦Responsibilities: of teams, staff,

management.◦Compliance: judge effectiveness,

consequences

Military Security PolicyMilitary Security PolicyMilitary Policy.

◦Protect classified information;◦Rank information by sensitivity level.◦Need to know rule:

only subjects who need to know.

◦Projects are compartmentalized for protection.

Figure 5-1  Hierarchy of Sensitivities.

Least Sensitive

CompartmentsCompartmentsProjects are called

compartments;◦Information can cross compartments

and sensitivity levels.◦Individuals are assigned to projects.◦Compartments enforce need-to-know

policy.◦Clearances are required to access

information.

Figure 5-2  Compartments and Sensitivity Levels.

Figure 5-3  Association of Information and Compartments.

Discussion QuestionDiscussion QuestionCommercial Security Policies.

◦Why must companies be concerned about security?

Commercial SecurityCommercial SecurityMaintain competitive advantage.Industrial espionage.Protect financial information.Categories of information;

◦Public: less sensitive.◦Proprietary: less sensitive than

internal.◦Internal: sensitive.

Figure 5-4  Commercial View of Sensitive Information.

Models of Security (Why?)Models of Security (Why?)Test a particular policy for

completeness and consistency.Document a policy.Help conceptualize and design an

implementation.Check whether an

implementation meets its requirements.

Bell-LaPadula Security Bell-LaPadula Security ModelModelFirst mathematical model to of a multi-level

security policy.For Department of Defense

◦ Simple security property: no read up.◦ *Security property: no write down. ◦ Strong Tranquility Property

Security labels will not change while system operating.

◦ Weak Tranquility Property Security labels will not change in a way

that conflicts with defined security properties.

“Keep secrets secret”

Figure 5-7  Secure Flow of Information.Bell-La Padula modelSimple security property: no read up operations.*security property: no write-down operations.Confidentiality is critical to maintain.

Biba (integrity) ModeBiba (integrity) Mode

Businesses are concerned with integrity of information

A State Machine model ◦ mathematical model, evaluate every state.

Simple integrity axiom: No read down.*Integrity axiom: no write up. Invocation property

◦ Subject cannot request service to subjects of a higher integrity.

Opposite of Bell-LaPadula.◦ Confidentiality at odds with integrity.

Clark-Wilson Integrity Clark-Wilson Integrity ModelModelWell formed transactions: ability to enforce

control over applications.Users: Active Agents.Transformation Procedures (TPs) abstract

operations, read, write and modify.Constrained data items (CDIs): manipulated

only by TPs.Unconstrained data items (UDIs):

manipulated by users via primitive read and write operations.

Integrity verification procedures (IVPs) Check the consistency of CDIs with external reality.

Clark WilsonClark Wilson

Security Models cont.Security Models cont. Information Flow: describe how information can

flow.◦ Bell-LaPadula and Biba use this.

Chinese Wall (Brewer-Nash):avoid conflicts of interest. (consultant control)◦ Prohibit access to conflict of interest categories.

Noninterference: data at different security domains remain separate.

Harrison-Ruzzo-Ullman: maps subjects, objects and access rights to a matrix.

Zachman Framework: six frameworks for providing information security.

Figure 5-5  Chinese Wall Security Policy.

Zachman FrameworkZachman Framework

Security Models cont.Security Models cont.

Take Grant Protection: ◦ rules govern interactions between subjects,

and objects and permissions subjects can grant.

◦ Primitive operations: Create Revoke Take Grant

Objects are either active or passive.

Figure 5-8  Subject, Object, and Rights.

Figure 5-9  Creating an Object; Revoking, Granting, and Taking Access Rights.

Why Study Models?Why Study Models?Models help us to determine

what policies a secure system will enforce.

Essential to designing a trusted operating system.

Determine what is feasible and what is not.

Figure 5-10  Overview of an Operating System’s Functions.User authentication, memory protection, file I/O access, access

access control, enforce sharing, fair service, inter-process communications and synchronization, protected OS and data.

Figure 5-11  Security Functions of a Trusted Operating System.User identification and authentication, mandatory access control,

discretionary access control, object reuse protection, complete mediation,trusted path, audit, audit log reduction, intrusion detection.

Access ControlAccess ControlMandatory (MAC): decisions made beyond the end

user.Discretionary (DAC): end user decides access.Non-Discretionary: Role based access control. Roles

define access.Content/Context dependent: check an additional

context before allowing access such as time, or if accessing their records.

Centralized: all access centralized.◦ Single Sign On. Provide AAA.

Decentralized: allow IT administrators at each location employ different policies and levels of security.

Discussion QuestionDiscussion QuestionExplain the meaning of

granularity in respect to access control.

Discuss the trade off between granularity and effciency.

Granularity vs. EfficiencyGranularity vs. EfficiencyGranularity: the extend to which a

task is broken down into smaller parts.◦Maximum granularity

control each individual object.

◦Course granularity Organize information into directories or

groups. Then apply access rules.

Management efficiency affected by choice.

MemoryMemoryChip based (RAM), disk based, tape.RAM: CPU may randomly access addresses.ROM: Read Only Memory, survives power loss.Cache Memory: fast memory on system.Memory Protection: protect CIA of processHardware segmentation: mapping processes

to specific memory addresses.Virtual Memory: map between applications and

hardware.◦ More than just paging, shares libraries in

memory.

Figure 5-16  Conventional Multiuser Operating System Memory.

Figure 5-17  Multiple Virtual Addressing Spaces.

04/19/23 40

Typical Computer

CPU(s) Memory Network Storage Peripherals

Hardware

Operating System and Drivers

Figure 5-18  Conventional Operating System.

04/19/23 42

Virtual Computer

CPU(s) Memory Network Storage Peripherals

Hardware

Applications

Virtual Hardware and Operating System

Applications

Virtual Hardware and Operating System

Applications

Virtual Hardware and Operating System

Applications

Virtual Hardware and Operating System

Figure 5-19  Virtual Machine.

VM SecurityVM SecurityHarden base OS: this manages VMs.Set Resource limits: CPU, memory,

etc.Firewall host on operating system.Use encrypted protocols.Harden guest operating systems.Keep up with host and guest patches.

◦Guest operating system may be different.Audit logs and performance.

04/19/23 45

Figure 5-20  Layered Operating System.

Figure 5-21  Modules Operating in Different Layers.

International Common International Common CriteriaCriteria Agreed upon standard for describing and testing the

security of IT products. Target of Evaluation

◦ ToE product under evaluation. Security Target (ST)

◦ documentation describing the ToE including security requirements.

Protection Profile◦ Independent set of security requirements for a

category of products or systems. Evaluation assurance level

◦ Score of the product.

CC Levels of EvaluationCC Levels of Evaluation7 Levels building on previous level.EAL1: functionally tested.EAL2: structurally tested.EAL3: methodically tested & checked.EAL4: methodically designed, tested &

checked.EAL5: semi-formally designed & tested.EAL6: semi-formally verified, designed &

tested. EAL7: formally verified, designed & tested.

Discussion QuestionDiscussion QuestionWhy would a company go after

Common Criteria Certification for their products?

New Business and $$$New Business and $$$Having certified products opens

new markets for your business◦Government Contracts.◦International private businesses

requiring high levels of security.It can be an expensive process

though.◦In 2006 an EAL4 rating takes 2 years

and $350,000 for a product.

Figure 5-27  Criteria Development Efforts.

Payment Card Industry Payment Card Industry (PCI)(PCI)Data Security Standard (DSS)Data Security Standard (DSS)Core Principles:

◦Build and maintain a secure network.◦Protect cardholder data.◦Maintain a vulnerability

management program.◦Implement strong access control

measures.◦Regularly monitor and test networks.◦Maintain an information security

policy.

Certification and Certification and AccreditationAccreditationCertification

◦System has been certified to meet security requirements of the data owner.

Accreditation◦The data owner’s acceptance of the

certification and the residual risk required before it is put into production.

Government busy working on these procedures.