430 likes | 744 Views
Chapter 3 Security Architecture and Models. Overview. Building an information system requires a balance among various requirements: capability, flexibility, performance, ease of use, cost, and security .
E N D
Chapter 3 Security Architecture and Models COMP4690, HKBU
Overview • Building an information system requires a balance among various requirements: capability, flexibility, performance, ease of use, cost, and security. • Security architecture: a view of an overall system architecture from a security perspective. It is fundamental to any information system. • It describes how the system is put together to satisfy the security requirement. • It describes at an abstract level the relationships between key elements of the hardware, operating systems, applications, network, etc., to protect the organization’s interests. • It describes how the functions in the system development process follow the security requirements. • Security model: a statement that outlines the requirements necessary to properly support a security policy. It provides a deeper explanation of how a computer system should be developed to properly support a specific security policy. COMP4690, HKBU
Main Topics • Information protection environment • Computer organization & architecture • Software • Distributed systems • Security models • Confidentiality models • Integrity models • Information flow models • Security Technology and Tools • Assurance, Trust, and Confidence Mechanisms COMP4690, HKBU
Computer organization & architecture • Architecture is those attributes visible to the programmer • Instruction set, number of bits used for data representation, I/O mechanisms, addressing techniques. • e.g. Is there a multiply instruction? • Organization is how features are implemented • Control signals, interfaces, memory technology. • e.g. Is there a hardware multiply unit or is it done by repeated addition? • E.g. • All Intel x86 family share the same basic architecture • The IBM System/370 family share the same basic architecture COMP4690, HKBU
Computer Components COMP4690, HKBU
Computer Components • CPU • Arithmetic logic unit (ALU): performs arithmetic and logical operations • Control logic • Registers: general-purpose registers, instruction register, program counter, accumulators COMP4690, HKBU
Memory • Cache • Relatively small amount of very high speed RAM • To reduce the apparent main memory access time • RAM: random access memory • Volatile: data is lost if power is off • Dynamic RAM (DRAM) vs. Static RAM (SRAM) • PLD: programmable logic device • ROM: Read Only Memory • PAL: Programmable Array Logic • CPLD: Complex Programmable Logic Device • FPGA: Field Programmable Gate Array COMP4690, HKBU
Memory • ROM • EPROM: erasable programmable read only memory • EAROM: electrically alterable read only memory • EEPROM: electrically erasable programmable read only memory • Firmware: the programs stored on these devices COMP4690, HKBU
Memory Hierarchy • Register • Cache • Primary memory • directly addressable by CPU; used for the storage of instructions and data; usually RAM • Secondary memory • Slower memory such as magnetic disks that provides non-volatile storage • Virtual memory • Use secondary memory in conjunction with primary memory to present a CPU with a larger address space COMP4690, HKBU
Memory addressing modes • Register addressing • Addressing the registers within a CPU • Direct addressing • Addressing a portion of primary memory by specifying the actual address of the memory location • Absolute addressing • Addressing all of the primary memory space • Indexed addressing • By adding the contents of the address defined in the program’s instruction to that of an index register • Implied addressing • When operations are internal to the processor, no need to provide an address • Indirect addressing • The address location that is specified in the program instruction contains the address of the final desired location COMP4690, HKBU
Instruction Cycle • Two steps: • Fetch and Execute COMP4690, HKBU
Review of Terms • CISC: complex-instruction set computer • Uses instructions that perform many operations per instruction • RISC: reduced-instruction set computer • Uses instructions that are simpler and require fewer clock cycles to execute • Pipelining • Overlapping the steps of different instructions • Scalar Processor • A processor that executes one instruction at a time • Superscalar Processor • A processor that enables concurrent execution of multiple instructions in the same pipeline stage as well as in different pipeline stages COMP4690, HKBU
Review of Terms • Multitasking • Multiprogramming • Multiprocessing • Multithreading COMP4690, HKBU
CPU Modes and Protection Rings • Operating system needs to ensure that processes do not negatively affect each other or the critical components of the system itself • Protection Rings • Provide strict boundaries and definitions on what the processes that work within each ring can access and what commands they can successfully execute • The processes that operate within the inner rings have more privileges than the processes operating in the outer rings. • Privileged mode • Execute within the inner rings • User mode • Execute in the outer rings COMP4690, HKBU
Input/Output System • Programmed IO • Interrupt • Direct memory access COMP4690, HKBU
Software • High-level language • a = b + c; • d = a – e; • Assembly language • add a, b, c • sub d, a, e • Machine language • 00000010001100100100000000100000 • layout of the instruction is called instruction format Compiler Assembler / Linker COMP4690, HKBU
Open and Closed Systems • Open System • Vendor-independent systems • Have published specifications and interfaces • Subject to review and evaluation by independent parties • Closed System • Use vendor-dependent proprietary hardware and/or software • Not compatible with other systems or components • May have vulnerabilities that are not known COMP4690, HKBU
Some Concerns • Desktop systems can contain sensitive information • Users may generally lack security awareness • A desktop PC can provide an avenue of access into critical information systems of an organization • Downloading data from the Internet increases the risk of infecting corporate systems • A desktop system may not be protected from physical intrusion or theft • May lack of proper backup COMP4690, HKBU
Some security mechanisms • Email and download/upload policies • Robust access control • File encryption • Separation of the processes that run in privileged or non-privileged processor states • Protection of sensitive disks by locking • Distinct labeling of disks and materials according to their classification • A centralized backup of desktop system files • Regular security awareness training sessions • Control of software installed on desktop systems • Logging of transactions and transmissions • Database management systems restricting access to sensitive information • Protection against environmental damage to computers and media • Use of formal methods for software development and application • Inclusion of desktop systems in disaster recovery and business continuity plans COMP4690, HKBU
Information Security Models • Security Policy: • A high-level statement of enterprise beliefs, goals, and objectives and the general means for their attainment for a specified subject area. • Security models are used to formalize security policies, and to provide a framework for the understanding of fundamental concepts. • Access models • Integrity models • Information flow models • Object: a passive entity such as a file or a storage resource • Subject: an active entity that is seeing rights to a resource or object. It can be a person, a program, or a process. COMP4690, HKBU
Access Control Models • Access matrix COMP4690, HKBU
Access Control Models • Bell-LaPadula Model • Developed to formalize the U.S. Department of Defense (DoD) multilevel security policy • Only deals with confidentiality of classified material. Doesn’t address integrity or availability. • Built on the state machine concept: • A set of allowable state is defined in a system • The transition from one state to another upon receipt of an input is defined by transition functions • The objective is to ensure that the initial state is secure and that the transitions always result in a secure state COMP4690, HKBU
Bell-LaPadula Model (Cont.) Simple security property: reading of information by a subject at a lower sensitivity level from an object at a higher sensitivity level is not permitted (no read up) * (star) security property: writing of information by a subject at a higher level of sensitivity to an object at a lower level of sensitivity is not permitted (no write down) – too restrictive Discretionary security property: uses an access matrix to specify discretionary access control High Sensitivity Level Write OK Medium Sensitivity Level Read OK Write OK (violate * property by Trusted Subject) Low Sensitivity Level COMP4690, HKBU
Integrity Models • Biba Integrity Model • Three integrity axioms: • Simple integrity axiom: a subject at one level of integrity is not permitted to read an object of a lower integrity (no read down) • * (star) integrity axiom: an object at one level of integrity is not permitted to modify an object of a higher level of integrity (no write up) • A subject at one level of integrity cannot invoke a subject at a higher level of integrity COMP4690, HKBU
Biba Integrity Model (cont.) High Integrity Level Subject Invoke NOT OK Read OK Medium Integrity Level Subject Write OK Low Integrity Level COMP4690, HKBU
Information Flow Models • Based on a state machine • Consists of objects, stat transitions, and lattice (flow policy) states • Each object is assigned a security class and value, and information is constrained to flow in the directions that are permitted by the security policy COMP4690, HKBU
(cont.) Confidential (Project X) Confidential (Task 1, Project X) Confidential Confidential (Task 2, Project X) Unclassified COMP4690, HKBU
Security Technology and Tools • Operating System Protection • Memory Protection • CPU and I/O Device Protection • Application Layer Protection • Storage Device Protection • Network Protection COMP4690, HKBU
Operating System Protection • Three security technologies are used to protect security features • Trusted Computing Base (TCB): the totality of protection mechanisms within a computer system. • The TCB maintains the confidentiality and integrity and monitors four basic functions: Process activation, Execution domain switching, Memory protection, I/O operations • Reference Monitor • an access control concept referring to an abstract machine that mediates all accesses to objects by subjects based on information in an access control database • Security Kernel • The hardware, firmware, and software elements of a TCB implementing the reference monitor concept. • It must mediate all accesses (completeness), must be protected from modification (isolation), must be verifiable as correct (verifiable). • The reference monitor is an abstract concept; the security kernel is the implementation of the reference monitor; and the TCB contains the security kernel along with other protection mechanisms. COMP4690, HKBU
General operating system protection • User identification and authentication • Mandatory access control • Discretionary access control • Complete mediation • Object reuse protection • Audit • Protection of audit logs • Audit log reduction • Trusted path • Intrusion detection COMP4690, HKBU
Memory Protection • For single-task system • To prevent the user’s programs from affecting the operating system • For multitasking system • To isolate the process’s memory areas from each other • Hardware techniques were developed to provide memory protection • In privileged state, only operating system can perform the operations that were critical to controlling and maintaining the protection mechanisms • For multi-user systems, various controls must be built into the operating system for memory protection: • Every reference is checked for protection • Many different data classes can be assigned different levels of protection • Two or more users can share access to the same segment with potentially different access rights • Users cannot access a memory or address segment outside what has been allocated for them COMP4690, HKBU
CPU and I/O Device Protection • The protections for the I/O devices are based on the type of processor. • E.g., Intel 80486 is a 32-bit processor, which defines four privilege levels (rings). • Software could be assigned to the levels as • 0 = operating system kernel • 1 = I/O drivers • 2 = rest of the operating system • 3 = application software • If an application in ring 3 needs a service from the operating system in ring 1, it can only invoke some system subroutines and the current privilege level will change from 3 to 1. After returning from the subroutine, the privilege level is changed back to 3. COMP4690, HKBU
Application Layer Protection • All input received from a source external to the application must be validated prior to processing. • Possible sources of data include: • User input through data entry screens • Output generated by an external program • Access requests from an external program • Operating system environment • Command parameters • Input checking • Verify that the input is of the proper type and within specified ranges COMP4690, HKBU
Storage Device Protection • Access to servers, workstations, and mobile computer storage devices needs security protection such as • Removable storage media • Encryption software for protection of sensitive files • Physical locking devices • Locking portable devices in a desk or file cabinet • Fixed disk systems may need additional protection such as lockable enclosures COMP4690, HKBU
Network Protection • Data transmission controls • Hash totals • Recording of sequence checking • Transmission logging • Transmission error correction • Invalid login, modem error, lost connections, CPU failure, disk error, line error, etc. • Retransmission control COMP4690, HKBU
Assurance, Trust, and Confidence Mechanisms • It is important to verify whether the architecture is secure. • Evaluation methods have been developed to assure that the products provide the necessary security requirements. • What is to be evaluated? A product or a system? • A product could be a specific operating system. • A system means a collection of products that together meet the specific requirements of a given application. • Available evaluating methods • Trusting the advertisements from the manufacturer/vendor • Performing system tests internally within the organization • Trusting an impartial, independent assessment authority COMP4690, HKBU
Trusted Computer Security Evaluation Criteria (TCSEC) • Produced by National Computer Security Center (NCSC) of U.S. Department of Defense in 1985, also known as the “orange book”. It only addressed confidentiality, but it provided guidelines for the evaluation of security products, such as hardware and operating systems. • Some criteria: • Security policy • Marking of objects: labels indicate the sensitivity of objects • Identification of subjects: subjects must be identified and authenticated • Accountability: security-related events must be contained in audit logs • Assurance: operational assurance, lifecycle assurance • Documentation • Continuous protection • Four security divisions (seven security classes) • A: verified protection, the highest assurance level • B: mandatory protection (B1, B2, B3), B3 the highest • C: discretionary protection (C1, C2), C2 (controlled access protection) is the most reasonable class for commercial applications • D: minimal protection COMP4690, HKBU
Trusted Network Interpretation (TNI) • The red book, published in 1987 • Using orange book as the basis, it addresses network and telecommunications. • Key features: • Integrity: biba model for integrity • Labels: to guarantee mandatory access controls • Other security services • Communication integrity: authentication, integrity, non-repudiation • Denial-of-service: continuity of operation, protocol-based protection, and network management • Compromise protection: data confidentiality and traffic confidentiality COMP4690, HKBU
Information Technology Security Evaluation Criteria (ITSEC) • Endorsed by the Council of the European Union in 1995 • Includes the concepts from TCSEC, but more flexible • It includes integrity and availability as security goals, along with confidentiality. COMP4690, HKBU