390 likes | 578 Views
Information Systems Security. Security Architecture Domain #5. Hardware Components. CPU Primary Storage Control Unit Coordinates activities during instruction execution Does not process data Arithmetic Logic Unit (ALU) Perform mathematical functions on data. Memory Types.
E N D
Information Systems Security Security Architecture Domain #5
Hardware Components • CPU • Primary Storage • Control Unit • Coordinates activities during instruction execution • Does not process data • Arithmetic Logic Unit (ALU) • Perform mathematical functions on data
Memory Types • Primary Memory (RAM/ROM/EPROM/EE) • Real Memory • Available to users • Cache Memory • Buffers used to increase performance • Holds data that is accessed often • Virtual Memory • Combination of real and secondary storage
Memory Management • Keep track of used memory segments • Assign memory to processes • Manage swapping • Memory protection • Access control • Control virtual memory addressing
Protection Rings • Organize Code and components in an operating system into concentric rings • Modern OS’s use a 4-ring model • Ring 0 – highest privilege – kernel • Ring 1 – remainder of the OS • Ring 2 – drivers and utilities • Ring 3 – applications and programs – user mode
Hardware Bus • Data Bus • Transfers instructions and data • Differs based on architectures • EISA – 8/16 • MCA – 16/32 • VLB – 32 • PCI – 32/64 • AGP - 32
Process and Threads • Process • Application and users run as processes in OS • Process can contain several threads of code • Thread are individual instruction sets
Threads • Advantages • Much quicker to create than a process • Much quicker to switch between threads • Share data easier • Used in browsers and windowing systems • Disadvantages • No security between threads • If one user thread blocks, all are blocked
Process States • Stopped – not running • Waiting – waiting for interrupt • Running – being executed by the CPU • Ready – available and waiting for instruction
System Functionality • Multithreading • Several threads processing at one time • Multitasking • Several processes at one time • Multiprocessing • Multiple CPU available
System Security Modes • Dedicated Security Mode • All users have clearance and need-to-know to access all information on the system • Does not require complex methods of controlling access between different levels • Multilevel Security Mode • All users have clearance but not need-to-know • Two of more levels of classification • Data is compartmentalized in containers
Security Modes • Dedicated Mode • Single state system • All have need to know and clearance • System High Mode • All have need-to-know for ‘some’ material • Compartmented Mode • Not all have access for all information • Multilevel Mode • Not all have clearance or need-to-know
Levels of System Trust • Processes with higher trust can access more system instructions • CPU architecture dictates the levels of trust available and the rights of access • CPU executes instructions in different states depending upon the process trust level • User mode – less trusted • Privilege mode – most trusted
Trusted Computing Base • All mechanisms that provide protection for the system • Software, firmware, hardware • Made up of processes that executed in privileged mode • Term originated from the Orange Book
System Protection • Reference Monitor • Access control concept that is referred to as an abstract machine that mediates all accesses • Controls relationship between subjects and objects • Security Kernel • Enforces the reference monitors rules • Physical implementation of reference monitor • Part of TCB concerned with access control
Access Control Models • Provides rules and structures used to control access and shows how decisions are made • Main components are subjects, objects, operations, and their relationships • Goal is to control how objects are accessed and ensure a security principle • Confidentiality, integrity
Finite State Machine • Execution sequence for each possible state transformation • Mappings for each state change • Does not specify protection mechanisms or means of enforcing model • If system comes up in a secure state and shuts down in a secure state, the system is secure
Information Flow • Information must flow securely through the system • Bell – Lapadula • Biba • Clark-Wilson • Take-Grant • Access Control Matrix • Noninterference
Bell LaPadula • Confidentiality Model • Information cannot flow to an object of lesser classification • Mathematical model uses a set theory to define access rights • Maps a subject’s clearance and an object’s classification and creates a relationship
Rules • Subjects cannot read data from an object in a higher security level • “No Read Up” – simple security property • “No Write Up” – star property • “No Write Up and No Read Down” – strong star
Biba • Integrity Model • No subject can depend on an object of lesser integrity • Based on hierarchical lattice • Prevents modification of objects by unauthorized subjects • Prevents unauthorized modification by authorized users
Rules of Biba • “No Write Up” – integrity axiom • No writing data at a higher integrity level • “No Read Down” – simple axiom • No reading data from a lower integrity level • Disadvantages • Does not address confidentiality • Does not address control management nor provide a way to change classification levels
Clark - Wilson • Integrity Model • Model for commercial integrity • Requires well formed transactions and separation of duties • Does not use lattice approach, partitions objects into programs and data • Access triple – subject must go through a program to access and modify data • Separation of duties with auditing required
Non-Interference • Based on theory where users are separated into different domains • An output stream remains unchanged when inputs come from levels that are less dominant • Subject cannot be influenced by the behavior of other subjects at higher security levels
Lattice Based • Every subject and object relationship has a partially ordered set with a lower and upper bounds • Rules are set that dictate how information can flow from one class to another • Confidential can flow to secret but secret cannot flow to confidential
Access Control • Relational table • Specifies the operations and rights allowed for each subject • Access Control Lists – DACL, trustees
Brewer - Nash • Also known as “Chinese Wall” • Mathematical theory used to implement dynamically changing access permissions • Defines a wall and develops a set of rules that ensures no subject accesses objects on the other side • Enforces “no conflict of interest” rules • Allows separation of competitors’ data
Take Grant • Mathematical framework for granting and revoking access authorization • Analytical tool for auditors to test software security • Rules for how users transfer their permissions to others
Trusted Computer System Evaluation Criteria (TCSEC) • Developed by National Security Computer Center • Based on the Bell-LaPadula model • Uses a series of evaluation classes • “Orange Book”
Requirements of TCSEC • Security Policy • Marking – labels associated with objects • Identification – individual ID of subjects • Accountability – audit data collected • Assurance – each mechanism evaluated • Continuous protection – mechanisms always protected against unauthorized changes
TCSEC Ratings • A1 – Verified Protection • B3,B2,B1 – Mandatory Protection • C2,C1 – Discretionary Protection • D – Minimal Security • Red Book – Trusted Network Interpretation
Layers of TCSEC • C1 – Discretionary Security Protection • C2 – Controlled Access Protection • B1 – Labeled Security • B2 – Structured Security (covert channels) • B3 – Security Domains (covert timing) • A1 – Verified Protection
Information Technology Security Evaluation Criteria (ITSEC) • Evaluates functionality and assurance separately • F1 to F10 for functionality • E0 to E6 for assurance • E0 = D • F1+E1 = C1 • F2+E2 = C2 • F3+E3 = B1 • etc
ITSEC • Advantages • More granular approach • Goes beyond the Orange Book • Disadvantages • Increased amount of rating combinations • Still does not provide all the answers
Common Criteria • ISO created in 1993 • TCSEC was too rigid • ITSEC added too much complexity • Target of Evaluation (TOE) • Security Target (ST) • EALs – E1 (functionally tested only) – E7(formally verified, designed, and tested)
Covert Channels • Timing Channels – conveys information by altering the performance of a system component in a predictable manner • Storage Channels – conveys information by writing data to a common storage area where another process can read it. • Level B2 address covert channels • Level B3 address covert timing
Certification and Authentication • Certification • 1st phase – comprehensive evaluation of the security features of an IT system • Accreditation • Management decides the certification of the system satisfies their needs • Definition, Verification, Validation, Post Accreditation
Other Threats • Back Doors • Maintenance Hooks • Asynchronous Attack – TOC/TOU • Race Attacks • Data Validation (Unicode attack) • Buffer Overflow (Use input controls) • SYN Flood • Ping of Death
More Attacks • TCP Session Hijacking • Web Spoofing • DNS Poisoning