Trusted System?Trusted System?What are the characteristics of a
trusted system?What is a security policy and how
must it be enforced?
Underpinning of a Trusted Underpinning of a Trusted OSOSPolicy: has requirements.Model: represents the policy.Design: decide how to implement
it.Trust
◦Features: has them to enforce security.
◦Assurance: provide confidence in the system.
Trusted Software Key Trusted Software Key CharacteristicsCharacteristics
Functionally correct: does what it is suppose to.
Enforcement of Integrity: maintain correctness of data.
Limited privilege: program access secure data but access is minimized.
Appropriate confidence level: program has been evaluated and rated at a degree of trust.◦ Common Criteria: ICC international standard for
security.
Figure 5-14 Combined Security Kernel/Operating System.
Figure 5-15 Separate Security Kernel.
Trusted Computing Base Trusted Computing Base (TCB)(TCB)Conceptual Construct: not physical.Security-relevant portions of a computer
system that enforce a security policy.The level of trust a system provides. Address hardware software and firmware.Trusted Path: communication channel.Trusted Shell: can’t bust out of it.Processes have their own execution
domain.Memory and I/O protection.
Figure 5-13 TCB and Non-TCB Code.
Security PerimeterSecurity PerimeterEverything outside of TCB.Divides trusted from un-trusted.Communication between TCB and
components outside the TCB cannot expose the system to security compromises.
Figure 5-12 Reference Monitor.ConceptualThe most important part of a security kernel.Mediates all access subjects have to objects.
•Tamperproof and provide isolation.•Un-bypassable: invoked for every access attempt.•Analyzable: small enough to be tested.
There are other security mechanisms helping the system.
Security PolicySecurity PolicyPolicy
◦High-level management directives.◦A statement of the security we expect the
system to enforce.Policy Components
◦Purpose: Why.◦Scope: what is covered.◦Responsibilities: of teams, staff,
management.◦Compliance: judge effectiveness,
consequences
Military Security PolicyMilitary Security PolicyMilitary Policy.
◦Protect classified information;◦Rank information by sensitivity level.◦Need to know rule:
only subjects who need to know.
◦Projects are compartmentalized for protection.
Figure 5-1 Hierarchy of Sensitivities.
Least Sensitive
CompartmentsCompartmentsProjects are called
compartments;◦Information can cross compartments
and sensitivity levels.◦Individuals are assigned to projects.◦Compartments enforce need-to-know
policy.◦Clearances are required to access
information.
Figure 5-2 Compartments and Sensitivity Levels.
Figure 5-3 Association of Information and Compartments.
Discussion QuestionDiscussion QuestionCommercial Security Policies.
◦Why must companies be concerned about security?
Commercial SecurityCommercial SecurityMaintain competitive advantage.Industrial espionage.Protect financial information.Categories of information;
◦Public: less sensitive.◦Proprietary: less sensitive than
internal.◦Internal: sensitive.
Figure 5-4 Commercial View of Sensitive Information.
Models of Security (Why?)Models of Security (Why?)Test a particular policy for
completeness and consistency.Document a policy.Help conceptualize and design an
implementation.Check whether an
implementation meets its requirements.
Bell-LaPadula Security Bell-LaPadula Security ModelModelFirst mathematical model to of a multi-level
security policy.For Department of Defense
◦ Simple security property: no read up.◦ *Security property: no write down. ◦ Strong Tranquility Property
Security labels will not change while system operating.
◦ Weak Tranquility Property Security labels will not change in a way
that conflicts with defined security properties.
“Keep secrets secret”
Figure 5-7 Secure Flow of Information.Bell-La Padula modelSimple security property: no read up operations.*security property: no write-down operations.Confidentiality is critical to maintain.
Biba (integrity) ModeBiba (integrity) Mode
Businesses are concerned with integrity of information
A State Machine model ◦ mathematical model, evaluate every state.
Simple integrity axiom: No read down.*Integrity axiom: no write up. Invocation property
◦ Subject cannot request service to subjects of a higher integrity.
Opposite of Bell-LaPadula.◦ Confidentiality at odds with integrity.
Clark-Wilson Integrity Clark-Wilson Integrity ModelModelWell formed transactions: ability to enforce
control over applications.Users: Active Agents.Transformation Procedures (TPs) abstract
operations, read, write and modify.Constrained data items (CDIs): manipulated
only by TPs.Unconstrained data items (UDIs):
manipulated by users via primitive read and write operations.
Integrity verification procedures (IVPs) Check the consistency of CDIs with external reality.
Clark WilsonClark Wilson
Security Models cont.Security Models cont. Information Flow: describe how information can
flow.◦ Bell-LaPadula and Biba use this.
Chinese Wall (Brewer-Nash):avoid conflicts of interest. (consultant control)◦ Prohibit access to conflict of interest categories.
Noninterference: data at different security domains remain separate.
Harrison-Ruzzo-Ullman: maps subjects, objects and access rights to a matrix.
Zachman Framework: six frameworks for providing information security.
Figure 5-5 Chinese Wall Security Policy.
Zachman FrameworkZachman Framework
Security Models cont.Security Models cont.
Take Grant Protection: ◦ rules govern interactions between subjects,
and objects and permissions subjects can grant.
◦ Primitive operations: Create Revoke Take Grant
Objects are either active or passive.
Figure 5-8 Subject, Object, and Rights.
Figure 5-9 Creating an Object; Revoking, Granting, and Taking Access Rights.
Why Study Models?Why Study Models?Models help us to determine
what policies a secure system will enforce.
Essential to designing a trusted operating system.
Determine what is feasible and what is not.
Figure 5-10 Overview of an Operating System’s Functions.User authentication, memory protection, file I/O access, access
access control, enforce sharing, fair service, inter-process communications and synchronization, protected OS and data.
Figure 5-11 Security Functions of a Trusted Operating System.User identification and authentication, mandatory access control,
discretionary access control, object reuse protection, complete mediation,trusted path, audit, audit log reduction, intrusion detection.
Access ControlAccess ControlMandatory (MAC): decisions made beyond the end
user.Discretionary (DAC): end user decides access.Non-Discretionary: Role based access control. Roles
define access.Content/Context dependent: check an additional
context before allowing access such as time, or if accessing their records.
Centralized: all access centralized.◦ Single Sign On. Provide AAA.
Decentralized: allow IT administrators at each location employ different policies and levels of security.
Discussion QuestionDiscussion QuestionExplain the meaning of
granularity in respect to access control.
Discuss the trade off between granularity and effciency.
Granularity vs. EfficiencyGranularity vs. EfficiencyGranularity: the extend to which a
task is broken down into smaller parts.◦Maximum granularity
control each individual object.
◦Course granularity Organize information into directories or
groups. Then apply access rules.
Management efficiency affected by choice.
MemoryMemoryChip based (RAM), disk based, tape.RAM: CPU may randomly access addresses.ROM: Read Only Memory, survives power loss.Cache Memory: fast memory on system.Memory Protection: protect CIA of processHardware segmentation: mapping processes
to specific memory addresses.Virtual Memory: map between applications and
hardware.◦ More than just paging, shares libraries in
memory.
Figure 5-16 Conventional Multiuser Operating System Memory.
Figure 5-17 Multiple Virtual Addressing Spaces.
04/19/23 40
Typical Computer
CPU(s) Memory Network Storage Peripherals
Hardware
Operating System and Drivers
Figure 5-18 Conventional Operating System.
04/19/23 42
Virtual Computer
CPU(s) Memory Network Storage Peripherals
Hardware
Applications
Virtual Hardware and Operating System
Applications
Virtual Hardware and Operating System
Applications
Virtual Hardware and Operating System
Applications
Virtual Hardware and Operating System
Figure 5-19 Virtual Machine.
VM SecurityVM SecurityHarden base OS: this manages VMs.Set Resource limits: CPU, memory,
etc.Firewall host on operating system.Use encrypted protocols.Harden guest operating systems.Keep up with host and guest patches.
◦Guest operating system may be different.Audit logs and performance.
04/19/23 45
Figure 5-20 Layered Operating System.
Figure 5-21 Modules Operating in Different Layers.
International Common International Common CriteriaCriteria Agreed upon standard for describing and testing the
security of IT products. Target of Evaluation
◦ ToE product under evaluation. Security Target (ST)
◦ documentation describing the ToE including security requirements.
Protection Profile◦ Independent set of security requirements for a
category of products or systems. Evaluation assurance level
◦ Score of the product.
CC Levels of EvaluationCC Levels of Evaluation7 Levels building on previous level.EAL1: functionally tested.EAL2: structurally tested.EAL3: methodically tested & checked.EAL4: methodically designed, tested &
checked.EAL5: semi-formally designed & tested.EAL6: semi-formally verified, designed &
tested. EAL7: formally verified, designed & tested.
Discussion QuestionDiscussion QuestionWhy would a company go after
Common Criteria Certification for their products?
New Business and $$$New Business and $$$Having certified products opens
new markets for your business◦Government Contracts.◦International private businesses
requiring high levels of security.It can be an expensive process
though.◦In 2006 an EAL4 rating takes 2 years
and $350,000 for a product.
Figure 5-27 Criteria Development Efforts.
Payment Card Industry Payment Card Industry (PCI)(PCI)Data Security Standard (DSS)Data Security Standard (DSS)Core Principles:
◦Build and maintain a secure network.◦Protect cardholder data.◦Maintain a vulnerability
management program.◦Implement strong access control
measures.◦Regularly monitor and test networks.◦Maintain an information security
policy.
Certification and Certification and AccreditationAccreditationCertification
◦System has been certified to meet security requirements of the data owner.
Accreditation◦The data owner’s acceptance of the
certification and the residual risk required before it is put into production.
Government busy working on these procedures.