Slide1 l.jpg
This presentation is the property of its rightful owner.
Sponsored Links
1 / 106

Sam PowerPoint PPT Presentation

Sam Write iClickers for hardware & software Resume lecture at Software Security Architecture and Design CISSP Guide to Security Essentials Chapter 9 Objectives Security models Bell LaPadula Biba Clark-Wilson Access Matrix Multi-Level Mandatory Access Control (MAC)

Download Presentation

Sam

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Slide1 l.jpg

Sam

  • Write iClickers for hardware & software

  • Resume lecture at Software


Slide2 l.jpg

Security Architecture and Design

CISSP Guide to Security Essentials

Chapter 9


Objectives l.jpg

Objectives

  • Security models

    • Bell LaPadula

    • Biba

    • Clark-Wilson

    • Access Matrix

    • Multi-Level

    • Mandatory Access Control (MAC)

    • Discretionary Access Control (DAC)

    • Role-based Access Control (RBAC)

    • Non-interference

    • Information Flow


Objectives cont l.jpg

Objectives (cont.)

  • Information systems evaluation models including Common Criteria, TCSEC, ITSEC

  • Computer hardware architecture

  • Computer software: operating systems, applications, and tools

  • Security threats and countermeasures


Security models l.jpg

Security Models


Security models6 l.jpg

Security Models

  • A model is a simplified representation used to explain a real world system

  • Security models are used to design a system to protect secrets


Bell lapadula security model 1973 l.jpg

Bell LaPadula Security Model(1973)

  • State machine model that addresses the confidentiality of information.

  • Uses No Read Up & No Write Down

  • No Read Up (NRU)

    • A subject can read all documents at or below his level of security, but cannot read any documents above his level of security

    • Prevents learning secrets at a higher security level


Bell lapadula security model cont l.jpg

Bell LaPadula Security Model (cont.)

  • No Write Down (NWD)

    • A subject can write documents at or above his level of security, but cannot write documents below his level

    • Prevents leaks of secrets


Bell lapadula model problem l.jpg

Bell LaPadula Model Problem

  • In Bell LaPadula

    • A subject at a lower security level can overwrite and potentially destroy secret information at a higher level (even though they cannot see it)

    • No Write Down and No Read Up don't prevent this "Write Up" operation

  • Bell LaPadula protects confidentiality but not integrity


Biba security model 1977 l.jpg

Biba Security Model(1977)

  • The first formal integrity model, by preventing modifications to data by unauthorized persons.

  • A subject cannot read documents below his level (no read down, NRD)

  • A subject cannot write documents above his level (no write up, NWU)


Example military orders l.jpg

Example: Military Orders

  • Write Down is allowed

    • A General may write orders to a Colonel, who can issue these orders to a Major

  • Integrity is preserved

    • In this fashion, the General's original orders are kept intact and the mission of the military is protected

  • Write Up is forbidden

    • Conversely, a Private can never issue orders to his Sergeant, who may never issue orders to a Lieutenant, also protecting the integrity of the mission

      • From Wikipedia, link Ch 9b


Comparing the models l.jpg

Comparing the Models

  • If you need to protect secrets, use Bell-Lapadula

    • No Write Down

    • No Read Up

  • If you need to stay on target, use Biba

    • No Write Up

    • No Read Down

  • Both of these are designed for the military, to protect high-level secrets


Clark wilson security model 1987 l.jpg

Clark-Wilson Security Model(1987)

  • Designed for businesses, to protect the integrity of data at all levels, not just the high value secrets

  • Based on Transactions

    • Well-formed transactions move a system from one consistent state to another consistent state

      • From Wikipedia, link Ch 9c


Clark wilson security model 198714 l.jpg

Clark-Wilson Security Model(1987)

  • A data integrity model

  • Two principals: users and programs (called transformation procedures, or TPs)

  • Two types of data: unconstrained data items (UDIs), and constrained data items (CDIs).


Udis and cdis l.jpg

UDIs and CDIs

  • Unconstrained Data Items (UDIs)

    • Untrusted data, like user input

    • Not necessarily safe

    • May even be from an attacker

  • Constrained Data Items (CDIs)

    • Data that has been verified and is now guaranteed to be valid

    • Data that is "safe"


Clark wilson security model cont l.jpg

Clark-Wilson Security Model (cont.)

  • Integrity Verification Procedure (IVP)

    • Transforms Unconstrained Data Items (UDIs) into Constrained Data Items (CDIs)

    • Changes "unsafe" data into "safe" data


Clark wilson security model cont17 l.jpg

Clark-Wilson Security Model (cont.)

  • Users must be authenticated

  • Transaction logs are kept


Access matrix security model l.jpg

Access Matrix Security Model

  • Defines which subjects are permitted to access which objects


Multi level security model l.jpg

Multi-level Security Model

  • Several levels of security

    • Such as Confidential, Secret, Top Secret

  • People have varying levels of security clearance

    • Such as Confidential, Secret, Top Secret

  • System will control access to objects according to their level and the level of the persons accessing them


Mandatory access control mac security model l.jpg

Mandatory Access Control (MAC) Security Model

  • System controls access to resources

  • When a subject requests access to an object

    • The system examines the user’s identity and access rights, and compares to access permissions of the object

  • System then permits or denies the access

    • Example: shared file server where access permissions are administered by an administrator


Discretionary access control dac security model l.jpg

Discretionary Access Control (DAC) Security Model

  • The owner of an object controls who and what may access it. Access is at the owner’s discretion.

    • Example: shared file server where access permissions are administered by the owners (users) of its contents.


Role based access control rbac security model l.jpg

Role-based Access Control (RBAC) Security Model

  • An improvement over the mandatory access control (MAC) security model

  • Access permissions are granted to “roles” instead of “persons.”

    • Example: "Managers" can write to the Personnel folder, but "Help Desk Workers" cannot


Role based access control rbac security model cont l.jpg

Role-based Access Control (RBAC) Security Model (cont.)

  • Simplifies management in a complex system with many users and objects

  • Makes changes much easier, because they involve changes to roles instead of to individuals


Non interference security model l.jpg

Non-Interference Security Model

  • Specifies that low inputs and outputs will not be altered by high inputs and outputs

  • In other words, activities at a higher security level cannot be detected (and will not interfere with) at lower security levels

    • Prevents data leaking through "covert channels"

    • Link Ch 9d


Information flow security model l.jpg

Information Flow Security Model

  • Based upon flow of information rather than on access controls

  • Data objects are assigned to a class or level of security

  • Flow of objects are controlled by security policy that specifies where objects of various levels are permitted to flow


Iclicker questions l.jpg

iClicker Questions


Which security model uses constrained data items l.jpg

Which security model uses Constrained Data Items?

Biba

Bell-LaPadula

Clark-Wilson

MAC

DAC


Which security model allows the owner of an object to assign permissions to it l.jpg

Which security model allows the owner of an object to assign permissions to it?

Biba

Bell-LaPadula

RBAC

MAC

DAC


Which security model forbids write up l.jpg

Which security model forbids write-up?

Biba

Bell-LaPadula

Clark-Wilson

MAC

DAC


Slide30 l.jpg

Which security model is best for a large corporation with thousands of people sharing thousands of devices?

Non-Interference

RBAC

Clark-Wilson

MAC

DAC


Which security model explicitly prevents data leaking through covert channels l.jpg

Which security model explicitly prevents data leaking through covert channels?

Non-Interference

Biba

Clark-Wilson

Bell-LaPadula

DAC


Information systems evaluation models l.jpg

Information Systems Evaluation Models


Evaluation models l.jpg

Evaluation Models

  • Companies often claim to have secure systems, but how can they prove it?

  • Test the system with a Framework

    • Consistent and repeatable approach to the evaluation of systems

  • Frameworks

    • Common Criteria

    • TCSEC

    • TNI

    • ITSEC

    • SEI-CMMI

    • SSE-SMM


Common criteria l.jpg

Common Criteria

  • Formal name: Common Criteria for Information Technology Security Evaluation

    • Usually known as just Common Criteria or CC

    • ISO 15408 international standard

    • Supersedes TCSEC and ITSEC

    • Typically applied to computer components sold to the government, not to organizations as a whole the way ISO 27002 is

      • Link Ch 9e


Common criteria cont l.jpg

Common Criteria (cont.)

  • Seven Evaluation Assurance Levels(EALs) for a Target of Evaluation (TOE)

    • EAL1: Functionally Tested

    • EAL2: Structurally Tested

    • EAL3: Methodically Tested and Checked

    • EAL4: Methodically Designed, Tested and Reviewed

    • EAL5: Semiformally Designed and Tested

    • EAL6: Semiformally Verified Design and Tested

    • EAL7: Formally Verified Design and Tested


Common criteria cont36 l.jpg

Common Criteria (cont.)

  • Time and expense required to perform evaluation


Tcsec l.jpg

TCSEC

  • Trusted Computer Security Evaluation Criteria

  • U.S. DoD Orange Book as part of the Rainbow Series

    • A – Verified Protection

    • B – Mandatory Protection

    • B3 – Security domains

Superseded by

Common Criteria


Tcsec cont l.jpg

TCSEC (cont.)

  • U.S. DoD Orange Book (cont.)

    • B2 – Structured protection

    • B1 – Labeled security

    • C – Discretionary protection

    • C2 – Controlled access

    • C1 – Discretionary protection

    • D – Minimal security

Superseded by

Common Criteria


Slide39 l.jpg

TNI

  • Trusted Network Implementation

  • U.S. DoD Red Book in the Rainbow Series

  • Used to evaluate confidentiality and integrity in communications networks


Itsec l.jpg

ITSEC

  • Information Technology Security Evaluation Criteria

  • European standard for security evaluations

  • ITSEC addresses confidentiality, integrity, and availability, whereas TCSEC evaluated only confidentiality

  • Superseded by Common Criteria


Sei cmmi l.jpg

SEI-CMMI

  • Software Engineering Institute Capability Maturity Model Integration

  • Objective measure of the maturity of an organization’s system engineering practices


Sei cmmi cont l.jpg

SEI-CMMI (cont.)

  • Maturity Levels

    • Level 0 – Incomplete

    • Level 1 – Performed

    • Level 2 – Managed

    • Level 3 – Defined

    • Level 4 – Quantitatively Managed

    • Level 5 – Optimizing


Sse cmm l.jpg

SSE-CMM

  • Systems Security Engineering Capability Maturity Model

  • Objective measure of the maturity of security engineering

    • Capability Level 1 - Performed Informally

    • Capability Level 2 - Planned and Tracked

    • Capability Level 3 - Well Defined

    • Capability Level 4 - Quantitatively Controlled

    • Capability Level 5 - Continuously Improving


Certification and accreditation l.jpg

Certification and Accreditation

  • Processes used to evaluate and approve a system for government or military use

    • Or a highly regulated industry like pharmaceuticals or aeonautics

    • Not normally used in businesses

  • Two-step process

    • Certification is the process of evaluation of a system’s architecture, design, and controls, according to established evaluation criteria

    • Accreditation is the formal management decision to approve the use of a certified system


Certification and accreditation cont l.jpg

Certification and Accreditation (cont.)

  • Five standards for certification and accreditation

    • FISMA (Federal Information Security Management Act of 2002)

      • Requires all US Federal information systems to conform to security standards

    • DITSCAP (Department of Defense Information Technology Security Certification and Accreditation Process)


Certification and accreditation cont46 l.jpg

Certification and Accreditation (cont.)

  • Five standards (cont.)

    • DIACAP (DoD Information Assurance Certification and Accreditation Process)

      • Successor to DITSCAP

    • NIACAP (National Information Assurance Certification and Accreditation Process)

      • Certifies and accredits systems that handle US national security information

    • DCID6/3 (Director of Central intelligence Directive 6/3)


Iclicker questions47 l.jpg

iClicker Questions


Which evaluation model is known as the orange book l.jpg

Which evaluation model is known as the orange book?

Common criteria

TCSEC

TNI

ITSEC

SEI-CMMI


Which evaluation model supercedes tcsec l.jpg

Which evaluation model supercedes TCSEC?

Common criteria

SSE-CMM

TNI

ITSEC

SEI-CMMI


Which term means the process of evaluation of a system according to established criteria l.jpg

Which term means "the process of evaluation of a system according to established criteria"?

Certification

Assessment

Accounting

Accreditation

Authentication


Which standard applies to all federal government systems not just to military or intelligence ones l.jpg

Which standard applies to all federal government systems, not just to military or intelligence ones?

DITSCAP

FISMA

DIACAP

NIACAP

DCID 6/3


Computer hardware architecture l.jpg

Computer Hardware Architecture


Computer components l.jpg

Computer Components

  • Central processor

  • Bus

  • Main storage

  • Secondary storage

  • Communications

  • Firmware


Central processor cpu l.jpg

Central Processor (CPU)

  • Executes program instructions

  • Components

    • Arithmetic logic unit (ALU). Performs arithmetic and logic operations.

    • Registers. These are temporary storage locations that are used to store the results of intermediate calculations. A CPU can access data in its registers far more quickly than main memory.


Central processor cont l.jpg

Central Processor (cont.)

  • Components (cont.)

    • Program counter. A register that keeps track of which instruction in a program the CPU is currently working on.

    • Memory interface. This is the circuitry that permits the CPU to access main memory.


Central processor cont56 l.jpg

Central Processor (cont.)

  • Operations

    • Fetch. The CPU fetches (retrieves) an instruction from memory.

    • Decode. The CPU breaks the instruction into its components

      • Opcode--the task that the CPU is expected to perform

      • Operands--numeric values

      • Example: ADD R1 R2


Central processor cont57 l.jpg

Central Processor (cont.)

  • Operations (cont.)

    • Execute. This is the actual operation as directed by the opcode.

    • Writeback. The CPU writes the result of the opcode (for instance, the sum of the two numbers to add together) to some memory location.


Central processor cont58 l.jpg

Central Processor (cont.)

  • CPU instruction sets (of opcodes)

    • CISC (Complex Instruction Set Computer)

      • VAX, PDP-11, Motorola 68000, Intel x86

    • RISC (Reduced Instruction Set Computer)

      • SPARC, Dec Alpha, MIPS, Power PC

    • Explicitly Parallel Instruction Computing (EPIC)

      • Intel Itanium


Central processor cont59 l.jpg

Central Processor (cont.)

  • Single core, multi-core (2 to 8 CPUs on a single die)


Central processor cont60 l.jpg

Central Processor (cont.)

  • Multi processor computers

    • Symmetric multiprocessing (SMP)

      • Two or more CPUs connected to the computer’s main memory. Virtually all multi processor computers are SMP

    • Asymmetric multiprocessing (ASMP)

      • Two or more CPUs, in a master-slave relationship

      • No current operating system supports this


Central processor cont61 l.jpg

Central Processor (cont.)

  • CPU security features

    • Protected mode – CPU prevents a process from being able to access the memory space assigned to another process

    • Executable space protection – prevents the execution of instructions that reside in data


Slide62 l.jpg

Bus

  • High speed network used to transfer data among the computer’s internal components

    • CPU, storage, network, peripherals

    • Can also be used to transfer data between computers

      • Like USB


Bus cont l.jpg

Bus (cont.)

  • Actually a special high-speed network

  • Modern computers have more than one bus, usually one for communication with memory and another for communication with peripherals


Bus cont64 l.jpg

Bus (cont.)

  • Internal bus architectures

    • Unibus (used in PDP-11 and VAX computers)

    • SBus (used in SPARC and Sun computers)

    • Microchannel (used in IBM PS/2 computers)

    • PCI (Peripheral Component Interconnect) (used in modern PCs)


Bus cont65 l.jpg

Bus (cont.)

  • External bus architectures

    • SCSI (Small Computer Systems Interface)

    • SATA (Serial ATA)

    • IEEE1394 (also known as FireWire)

    • PC card (formerly known as PCMCIA)

    • Universal Serial Bus (USB)


Main storage l.jpg

Main Storage

  • Also known as primary storage or memory

  • Stores instructions and data being actively worked on

  • Computer’s fastest storage (aside from CPU registers)


Main storage cont l.jpg

Main Storage (cont.)

  • Used by operating system, active processes

  • Main technologies

    • DRAM (Dynamic Random Access Memory)

    • SRAM (Static Random Access Memory)


Secondary storage l.jpg

Secondary Storage

  • Much larger, slower than main storage

  • Usually implemented with hard drives

    • Persistence

    • Capacity


Secondary storage cont l.jpg

Secondary Storage (cont.)

  • Structured storage

    • Partitions

    • File systems

    • Directories

    • Files

  • Unstructured storage

    • “raw” partitions


Virtual memory l.jpg

Virtual Memory

  • Permits main storage to overflow into, and occupy, secondary storage

    • Swapping – copying a process’ entire memory image from primary to secondary storage

    • Paging – copying individual pages of a process’ memory image from primary to secondary storage

      • This is what Windows does

    • Permits more efficient and flexible use of main memory


Communications l.jpg

Communications

  • Communications is generally performed by hardware modules that are connected to the computer’s bus

    • Adaptors, communications adaptors, communications controllers, interface cards, or network interface cards (NICs)


Firmware l.jpg

Firmware

  • Software that is embedded in persistent memory chips

  • Used to store the initial computer instructions required to put the computer into operation after power is applied to it

  • Firmware is used to store the BIOS (Basic Input-Output Subsystem) in an Intel-based PC


Firmware cont l.jpg

Firmware (cont.)

  • Firmware technologies

    • PROM (Programmable Read-Only Memory)

    • EPROM (Erasable Programmable Read-Only Memory)

    • EEPROM (Electrically Erasable Programmable Read-Only Memory)

    • Flash Memory


Trusted computing base l.jpg

Trusted Computing Base

  • Trusted Computing Base (TCB)

    • The Orange Book defines the trusted computing base as “the totality of protection mechanisms within it, including hardware, firmware, and software, the combination of which is responsible for enforcing a computer security policy.”


Reference monitor l.jpg

Reference Monitor

  • A hardware or software component in a system that mediates access to objects according to their security level or clearance

  • An access control mechanism that is auditable

    • It creates a record of its activities that can be examined at a later time.


Security hardware l.jpg

Security Hardware

  • Trusted Platform Module (TPM)

    • A secure cryptoprocessor

      • A separate microprocessor in the computer that stores and generates cryptographic keys and generates random numbers for use in cryptographic algorithms

    • Used for a variety of cryptographic functions

      • Disk encryption

      • Authentication


Hardware authentication l.jpg

Hardware Authentication

  • Smart card reader

  • Fingerprint reader

  • Facial recognition camera


Security modes of operation l.jpg

Security Modes of Operation

  • Dedicated security mode

    • This is a system with only one level of security

    • All information on the system is at the same security level

    • All users must be at or above the same level of security and have a valid need-to-know for all of the information on the system


Security modes of operation cont l.jpg

Security Modes of Operation (cont.)

  • System high security mode. Similar to dedicated security mode, except that users may access some data on the system based upon their need-to-know.


Security modes of operation cont80 l.jpg

Security Modes of Operation (cont.)

  • Compartmented security mode. Similar to system high security mode, except that users may access somedata on the system based upon their need-to-know plus formal access approval.


Security modes of operation cont81 l.jpg

Security Modes of Operation (cont.)

  • Multilevel security mode. Similar to compartmented security mode, except that users may access some data based upon their need-to-know, formal access approval, and proper clearance.


Resume here l.jpg

Resume Here


Review of first half of chapter 9 l.jpg

Review of first half of Chapter 9

iClicker Questions


Which security model protects secrets but does not ensure integrity of confidential data l.jpg

Which security model protects secrets but does not ensure integrity of confidential data?

Biba

Bell-LaPuda

Clark-Wilson

MAC

DAC


Which security model uses transactions and integrity verification procedures l.jpg

Which security model uses Transactions and Integrity Verification Procedures?

Biba

Bell-LaPuda

Clark-Wilson

MAC

DAC


Which european evaluation model was superceded by common criteria l.jpg

Which European evaluation model was superceded by Common Criteria?

SSE-SMM

TCSEC

TNI

ITSEC

SEI-CMMI


Which standard applies especially to cia systems l.jpg

Which standard applies especially to CIA systems?

FISMA

DITSCAP

DIACAP

NIACAP

DCID 6/3


Hardware l.jpg

Hardware

iClicker Questions


Which of these memory types can read and write the fastest l.jpg

Which of these memory types can read and write the fastest?

SRAM

DRAM

Registers

PROM

Flash memory


Which of these is a processor dedicated to cryptography l.jpg

Which of these is a processor dedicated to cryptography?

TPM

BIOS

EEPROM

EPIC

DRAM


Which of these is a hard disk file that contains a copy of data that was originally in ram l.jpg

Which of these is a hard disk file that contains a copy of data that was originally in RAM?

Firmware

Page file

Flash memory

EEPROM

DRAM


Software l.jpg

Software


Operating systems l.jpg

Operating Systems

  • Components of an OS

    • Kernel

    • Device drivers

    • Tools


Operating systems cont l.jpg

Operating Systems (cont.)

  • Functions of an OS

    • Process management

    • Resource management

    • Access management

    • Event management

    • Communications management


Operating systems cont95 l.jpg

Operating Systems (cont.)

  • Operating system security methods

    • Privilege level

      • Windows: admin, user, guest

      • Unix: root, non-root

    • Protection ring

      • Ring 0: kernel

      • Ring 1: device drivers

      • Ring 3: user processes

    • But Windows only usesrings 0 and 3

      • Links Ch 9g, 9h


Subsystems l.jpg

Subsystems

  • Database management systems (DBMS)

  • Web server

  • Authentication server

  • E-mail server

  • File / print server

  • Directory server (DNS, NIS, AD, LDAP)


Programs tools and applications l.jpg

Programs, Tools, and Applications

  • Programs

    • Firefox, writer, photoshop, acrobat

  • Tools

    • Compilers, debuggers, defragmenters

  • Applications

    • A collection of programs and tools that support a business function

    • Financial (General Ledger (GL), Accounts Payable (AP), Accounts Receivable (AR), etc.), payroll, mfg resource planning, customer relationship mgmt, etc.


Software security threats and countermeasures l.jpg

Software Security Threats and Countermeasures


Threats l.jpg

Threats

  • Covert channel

    • Unauthorized, hidden channel of communications that exists within a legitimate communications channel

    • Includes timing attacks that leak data through changes in response times

    • Difficult to detect

    • Examples: unused fields in packets, steganography


Threats cont l.jpg

Threats (cont.)

  • Side channel attack

    • Observation of the physical characteristics of a system in order to make inferences on its operation

    • Examples: timing, power consumption, emanations

  • State attacks

    • Time of check to time of use (TOCTTOU), also known as a race condition

    • Data can be altered between the time of check and the time of use ("winning the race")


Threats cont101 l.jpg

Threats (cont.)

  • Emanations

    • RF (radio frequency) emissions from CRTs and equipment

  • Maintenance hooks and back doors

    • Secret master password

    • Really happened in "Lock My PC" -- link Ch 9i

  • Privileged programs

    • Artifacts of development, testing

    • Can be used to elevate privileges


Countermeasures l.jpg

Countermeasures

  • Reduce the potential of a threat by reducing its probability of occurrence or its impact

    • Sniffers (bug detectors)

    • Source code reviews

    • Auditing tools

      • Filesystem integrity, like Tripwire

      • Configuration checking like Windows Defender

      • Log analyzers

    • Penetration testing

    • Application vulnerability testing


Iclicker questions103 l.jpg

iClicker Questions


A user launches microsoft word on a pc what protection ring is word operating in l.jpg

A user launches Microsoft Word on a PC. What protection ring is Word operating in?

Ring 0

Ring 1

Ring 2

Ring 3

Something else


Which threat comes from accidental radio transmissions l.jpg

Which threat comes from accidental radio transmissions?

Covert channel

Side channel

Race condition

Emanations

Back door


Which countermeasure ensures the integrity of operating system files l.jpg

Which countermeasure ensures the integrity of operating system files?

Sniffers

Source code review

Tripwire

Pen test

Application vulnerability test


  • Login