security models and architecture cissp exam preparation bernie eydt
TRANSCRIPT
Security Models and ArchitectureCISSP Exam Preparation
Bernie Eydt
2
OverviewOverview
• Basic concepts
• The Models
– Bell-LaPadula (BLP)
– Biba
– Clark-Wilson
– Chinese Wall
• Systems Evaluation
3
Basic Concepts
4
TerminologyTerminology
• Trusted Computing Base (TCB) – combination of protection mechanisms within a computer system
• Subjects / Objects
– Subjects are active (e.g., users / programs)
– Objects are passive (e.g., files)
• Reference Monitor – abstract machine that mediates subject access to objects
• Security Kernel – core element of TCB that enforces the reference monitor’s security policy
5
Types of Access ControlTypes of Access Control
• Discretionary Access Control (DAC) – data owners can create and modify matrix of subject / object relationships (e.g., ACLs)
• Mandatory Access Control (MAC) – “insecure” transactions prohibited regardless of DAC
• Cannot enforce MAC rules with DAC security kernel
– Someone with read access to a file can copy it and build a new “insecure” DAC matrix because he will be an owner of the new file.
6
Information Flow ModelsInformation Flow Models
• Pour cement over a PC and you have a secure system
• In reality, there are state transitions
• Key is to ensure transitions are secure
• Models provide rules for how information flows from state to state.
• Information flow models do not address covert channels
– Trojan horses
– Requesting system resources to learn about other users
7
Access Control Models
8
ModelsModels
• Bell-LaPadula
• Biba
• Clark-Wilson
• Chinese Wall
Good brief summary on Harris p.247
9
Bell-LaPadula (BLP) ModelBell-LaPadula (BLP) Model
• BLP is formal (mathematical) description of mandatory access control
• Three properties:
– ds-property (discretionary security)
– ss-property (simple security – no “read down”)
– *-property (star property – no “write down”)
• A secure system satisfies all of these properties
• BLP includes mathematical proof that if a system is secure and a transition satisfies all of the properties, then the system will remain secure.
10
Bell-LaPadula Model (Continued)Bell-LaPadula Model (Continued)
• Honeywell Multics kernel was only true implementation of BLP, but it never took hold
• DOD information security requirements currently achieved via discretionary access control and segregation of systems rather than BLP-compliant computers
11
Biba ModelBiba Model
• Similar to BLP but focus is on integrity, not confidentiality
• Result is to turn the BLP model upside down
– High integrity subjects cannot read lower integrity objects (no “read down”)
– Subjects cannot move low integrity data to high-integrity environment (no “write up”)
• McLean notes that ability to flip models essentially renders their assurance properties useless
12
Clark-Wilson ModelClark-Wilson Model
• Reviews distinction between military and commercial policy
– Military policy focus on confidentiality
– Commercial policy focus on integrity
• Mandatory commercial controls typically involve who gets to do what type of transaction rather than who sees what (Example: cut a check above a certain dollar amount)
13
Clark-Wilson Model (Continued)Clark-Wilson Model (Continued)
• Two types of objects:
– Constrained Data Items (CDIs)
– Unconstrained Data Items (UDIs)
• Two types of transactions on CDIs in model
– Integrity Verification Procedures (IVPs)
– Transformation Procedures (TPs)
• IVPs certify that TPs on CDIs result in valid state
• All TPs must be certified to result in valid transformation
14
Clark-Wilson Model (Continued)Clark-Wilson Model (Continued)
• System maintains list of valid relations of the form:{UserID, TP, CDI/UDI}
• Only permitted manipulation of CDI is via an authorized TP
• If a TP takes a UDI as an input, then it must result in a proper CDI or the TP will be rejected
• Additional requirements
– Auditing: TPs must write to an append-only CDI (log)
– Separation of duties
15
Clark-Wilson versus BibaClark-Wilson versus Biba
• In Biba’s model, UDI to CDI conversion is performed by trusted subject only (e.g., a security officer), but this is problematic for data entry function.
• In Clark-Wilson, TPs are specified for particular users and functions. Biba’s model does not offer this level of granularity.
16
Chinese WallChinese Wall
Focus is on conflicts of interest.
• Principle: Users should not access the confidential information of both a client organization and one or more of its competitors.
• How it works
– Users have no “wall” initially.
– Once any given file is accessed, files with competitor information become inaccessible.
– Unlike other models, access control rules change with user behavior
17
Systems Evaluation
18
Trusted Computer System Evaluation (TCSEC)Trusted Computer System Evaluation (TCSEC)
• Criteria published in the Orange Book
• Officially replaced by Common Criteria
• Four Levels
– A Verified protectionA1 Verified design
– B Mandatory protectionB1 Labeled SecurityB2 Structured ProtectionB3 Security Domains
– C Discretionary protectionC1 Discretionary securityC2 Controlled access
– D Minimal security
19
Information Technology Security Evaluation Criteria (ITSEC)Information Technology Security Evaluation Criteria (ITSEC)
• Used primarily in Europe
• Target of Evaluation (TOE) is either product or system
• Two ratings
– Functionality rating (F1 to F10)
– Assurance Rating (E0 to E6)
• Rough mapping exists between TCSEC and ITSEC (see Harris p.260)
20
Common CriteriaCommon Criteria
• ISO standard evaluation criteria that combines several different criteria, including TCSEC and ITSEC
• Participating governments recognize Common Criteria certifications awarded in other nations
• Seven Evaluation Assurance Levels (EAL 1-7)
• Utilize protection profiles (see Harris p.262)
21
Evaluation Assurance Levels - Overview
Common Criteria – Evaluation Assurance LevelsCommon Criteria – Evaluation Assurance Levels
• Define a scale for measuring the criteria for the evaluation of PPs (Protection Profiles) and STs (Security Targets)
• Constructed using components from the assurance families
• Organization
– Seven hierarchically ordered EALs in a uniformly increasing scale of assurance
22
CC EALs - ReferenceCC EALs - Reference
Level Short TitleUS
TCSEC
EAL 7 Formally verified design and tested
A1
EAL 6 Semi-formally verified design and tested
B3
EAL 5 Semi-formally designed and tested
B2
EAL 4 Methodically designed, tested and reviewed
B1
C2EAL 3 Methodically tested and checked
EAL 2 Structurally tested C1
EAL 1 Functionally tested
HigherAssurance
LowerAssurance
23
CC EALs – Summary 1-3CC EALs – Summary 1-3
• EAL 1 - Functionally tested– “Applicable where some confidence in correct operation is
required, but the threats to security are not viewed as serious”
• EAL 2 - Structurally tested
– “Applicable where developers or users require a low to moderate level of independently assured security”
• EAL 3 - Methodically tested and checked– “Applicable where the requirement is for a moderate level
of independently assured security”
24
CC EALs – Summary 4-5CC EALs – Summary 4-5
• EAL 4 - Methodically designed, tested and reviewed
– “Applicable where developers or users require a moderate to high level of independently assured security”
• EAL 5 - Semi-formally designed and tested
– “Applicable where the requirement is for a high level of independently assured security”
25
CC EALs – Summary 6-7CC EALs – Summary 6-7
• EAL 6 - Semi-formally verified design and tested
– “Applicable to the development of specialised TOEs (Targets of Evaluation), for high risk situations ”
• EAL 7 - Formally verified design and tested
– “Applicable to the development of security TOEs for application in extremely high risk situations
26
CC EALs - Web ReferencesCC EALs - Web References
• Common Criteria.org Web Site
– Main page
• http://www.commoncriteria.org/index.html
– Formal specification document
• http://www.commoncriteria.org/cc/cc.html
– Introductory overviews
• http://www.commoncriteria.org/ introductory_overviews/index.html