Security Architecture - Department of Computer Science

Download Report

Transcript Security Architecture - Department of Computer Science

Chapter 3
Security Architecture and Models
COMP4690, HKBU
1
Overview


Building an information system requires a balance among various
requirements: capability, flexibility, performance, ease of use, cost,
and security.
Security architecture: a view of an overall system architecture from a
security perspective. It is fundamental to any information system.




It describes how the system is put together to satisfy the security
requirement.
It describes at an abstract level the relationships between key elements
of the hardware, operating systems, applications, network, etc., to
protect the organization’s interests.
It describes how the functions in the system development process follow
the security requirements.
Security model: a statement that outlines the requirements
necessary to properly support a security policy. It provides a deeper
explanation of how a computer system should be developed to
properly support a specific security policy.
COMP4690, HKBU
2
Main Topics

Information protection environment




Security models





Computer organization & architecture
Software
Distributed systems
Confidentiality models
Integrity models
Information flow models
Security Technology and Tools
Assurance, Trust, and Confidence Mechanisms
COMP4690, HKBU
3
Computer organization &
architecture

Architecture is those attributes visible to the
programmer



Organization is how features are implemented



Instruction set, number of bits used for data representation,
I/O mechanisms, addressing techniques.
e.g. Is there a multiply instruction?
Control signals, interfaces, memory technology.
e.g. Is there a hardware multiply unit or is it done by
repeated addition?
E.g.


All Intel x86 family share the same basic architecture
The IBM System/370 family share the same basic
architecture
COMP4690, HKBU
4
Computer Components
COMP4690, HKBU
5
Computer Components

CPU



Arithmetic logic unit (ALU): performs arithmetic
and logical operations
Control logic
Registers: general-purpose registers, instruction
register, program counter, accumulators
COMP4690, HKBU
6
Memory

Cache



RAM: random access memory



Relatively small amount of very high speed RAM
To reduce the apparent main memory access time
Volatile: data is lost if power is off
Dynamic RAM (DRAM) vs. Static RAM (SRAM)
PLD: programmable logic device




ROM: Read Only Memory
PAL: Programmable Array Logic
CPLD: Complex Programmable Logic Device
FPGA: Field Programmable Gate Array
COMP4690, HKBU
7
Memory

ROM




EPROM: erasable programmable read only
memory
EAROM: electrically alterable read only memory
EEPROM: electrically erasable programmable
read only memory
Firmware: the programs stored on these
devices
COMP4690, HKBU
8
Memory Hierarchy



Register
Cache
Primary memory


Secondary memory


directly addressable by CPU; used for the storage of
instructions and data; usually RAM
Slower memory such as magnetic disks that provides nonvolatile storage
Virtual memory

Use secondary memory in conjunction with primary
memory to present a CPU with a larger address space
COMP4690, HKBU
9
Memory addressing modes

Register addressing


Direct addressing


By adding the contents of the address defined in the program’s instruction to
that of an index register
Implied addressing


Addressing all of the primary memory space
Indexed addressing


Addressing a portion of primary memory by specifying the actual address of
the memory location
Absolute addressing


Addressing the registers within a CPU
When operations are internal to the processor, no need to provide an
address
Indirect addressing

The address location that is specified in the program instruction contains the
address of the final desired location
COMP4690, HKBU
10
Instruction Cycle

Two steps:

Fetch and Execute
COMP4690, HKBU
11
Review of Terms





CISC: complex-instruction set computer
 Uses instructions that perform many operations per instruction
RISC: reduced-instruction set computer
 Uses instructions that are simpler and require fewer clock cycles
to execute
Pipelining
 Overlapping the steps of different instructions
Scalar Processor
 A processor that executes one instruction at a time
Superscalar Processor
 A processor that enables concurrent execution of multiple
instructions in the same pipeline stage as well as in different
pipeline stages
COMP4690, HKBU
12
Review of Terms




Multitasking
Multiprogramming
Multiprocessing
Multithreading
COMP4690, HKBU
13
CPU Modes and Protection
Rings




Operating system needs to ensure that processes do not
negatively affect each other or the critical components of the
system itself
Protection Rings
 Provide strict boundaries and definitions on what the processes
that work within each ring can access and what commands they
can successfully execute
 The processes that operate within the inner rings have more
privileges than the processes operating in the outer rings.
Privileged mode
 Execute within the inner rings
User mode
 Execute in the outer rings
COMP4690, HKBU
14
Input/Output System



Programmed IO
Interrupt
Direct memory access
COMP4690, HKBU
15
Software

High-level language



Compiler
Assembly language



a = b + c;
d = a – e;
add a, b, c
sub d, a, e
Assembler / Linker
Machine language


00000010001100100100000000100000
layout of the instruction is called instruction format
COMP4690, HKBU
16
Open and Closed Systems

Open System




Vendor-independent systems
Have published specifications and interfaces
Subject to review and evaluation by independent
parties
Closed System



Use vendor-dependent proprietary hardware
and/or software
Not compatible with other systems or components
May have vulnerabilities that are not known
COMP4690, HKBU
17
Some Concerns






Desktop systems can contain sensitive information
Users may generally lack security awareness
A desktop PC can provide an avenue of access into
critical information systems of an organization
Downloading data from the Internet increases the
risk of infecting corporate systems
A desktop system may not be protected from
physical intrusion or theft
May lack of proper backup
COMP4690, HKBU
18
Some security mechanisms














Email and download/upload policies
Robust access control
File encryption
Separation of the processes that run in privileged or non-privileged processor
states
Protection of sensitive disks by locking
Distinct labeling of disks and materials according to their classification
A centralized backup of desktop system files
Regular security awareness training sessions
Control of software installed on desktop systems
Logging of transactions and transmissions
Database management systems restricting access to sensitive information
Protection against environmental damage to computers and media
Use of formal methods for software development and application
Inclusion of desktop systems in disaster recovery and business continuity plans
COMP4690, HKBU
19
Information Security Models








Security Policy:
A high-level statement of enterprise beliefs, goals, and
objectives and the general means for their attainment for a
specified subject area.
Security models are used to formalize security policies, and to
provide a framework for the understanding of fundamental
concepts.
Access models
Integrity models
Information flow models
Object: a passive entity such as a file or a storage resource
Subject: an active entity that is seeing rights to a resource or
object. It can be a person, a program, or a process.
COMP4690, HKBU
20
Access Control Models

Access matrix
Object File Income
Subject
File Salaries
Process
Deductions
Print Server
A
Joe
Read
Read/Write
Execute
Write
Jane
Read/Write
Read
None
Write
Process
Check
Read
Read
Execute
None
Read/Write
Call
Write
Program Tax Read/Write
COMP4690, HKBU
21
Access Control Models

Bell-LaPadula Model



Developed to formalize the U.S. Department of Defense
(DoD) multilevel security policy
Only deals with confidentiality of classified material.
Doesn’t address integrity or availability.
Built on the state machine concept:
 A set of allowable state is defined in a system
 The transition from one state to another upon receipt of an
input is defined by transition functions
 The objective is to ensure that the initial state is secure and
that the transitions always result in a secure state
COMP4690, HKBU
22
Bell-LaPadula Model (Cont.)
Simple security property: reading
of information by a subject at a
lower sensitivity level from an
object at a higher sensitivity level
is not permitted (no read up)
High Sensitivity Level
Write
OK
Medium Sensitivity Level
Read
OK
Write
OK
(violate * property by
Trusted Subject)
Low Sensitivity Level
* (star) security property: writing
of information by a subject at a
higher level of sensitivity to an
object at a lower level of
sensitivity is not permitted (no
write down) – too restrictive
Discretionary security property:
uses an access matrix to specify
discretionary access control
COMP4690, HKBU
23
Integrity Models


Biba Integrity Model
Three integrity axioms:



Simple integrity axiom: a subject at one level of
integrity is not permitted to read an object of a
lower integrity (no read down)
* (star) integrity axiom: an object at one level of
integrity is not permitted to modify an object of a
higher level of integrity (no write up)
A subject at one level of integrity cannot invoke a
subject at a higher level of integrity
COMP4690, HKBU
24
Biba Integrity Model (cont.)
High Integrity Level
Read
OK
Medium Integrity Level
Subject
Invoke
NOT
OK
Subject
Write
OK
Low Integrity Level
COMP4690, HKBU
25
Information Flow Models



Based on a state machine
Consists of objects, stat transitions, and
lattice (flow policy) states
Each object is assigned a security class and
value, and information is constrained to flow
in the directions that are permitted by the
security policy
COMP4690, HKBU
26
(cont.)
Confidential
(Project X)
Confidential
(Task 1, Project X)
Confidential
Confidential
(Task 2, Project X)
Unclassified
COMP4690, HKBU
27
Security Technology and Tools






Operating System Protection
Memory Protection
CPU and I/O Device Protection
Application Layer Protection
Storage Device Protection
Network Protection
COMP4690, HKBU
28
Operating System Protection

Three security technologies are used to protect security features

Trusted Computing Base (TCB): the totality of protection mechanisms within
a computer system.


Reference Monitor


an access control concept referring to an abstract machine that mediates all
accesses to objects by subjects based on information in an access control
database
Security Kernel



The TCB maintains the confidentiality and integrity and monitors four basic
functions: Process activation, Execution domain switching, Memory protection,
I/O operations
The hardware, firmware, and software elements of a TCB implementing the
reference monitor concept.
It must mediate all accesses (completeness), must be protected from
modification (isolation), must be verifiable as correct (verifiable).
The reference monitor is an abstract concept; the security kernel is the
implementation of the reference monitor; and the TCB contains the
security kernel along with other protection mechanisms.
COMP4690, HKBU
29
General operating system
protection










User identification and authentication
Mandatory access control
Discretionary access control
Complete mediation
Object reuse protection
Audit
Protection of audit logs
Audit log reduction
Trusted path
Intrusion detection
COMP4690, HKBU
30
Memory Protection

For single-task system


For multitasking system


To isolate the process’s memory areas from each other
Hardware techniques were developed to provide memory protection


To prevent the user’s programs from affecting the operating system
In privileged state, only operating system can perform the operations that
were critical to controlling and maintaining the protection mechanisms
For multi-user systems, various controls must be built into the operating
system for memory protection:




Every reference is checked for protection
Many different data classes can be assigned different levels of protection
Two or more users can share access to the same segment with potentially
different access rights
Users cannot access a memory or address segment outside what has been
allocated for them
COMP4690, HKBU
31
CPU and I/O Device Protection


The protections for the I/O devices are based on the type of
processor.
E.g., Intel 80486 is a 32-bit processor, which defines four
privilege levels (rings).
 Software could be assigned to the levels as





0 = operating system kernel
1 = I/O drivers
2 = rest of the operating system
3 = application software
If an application in ring 3 needs a service from the operating
system in ring 1, it can only invoke some system subroutines and
the current privilege level will change from 3 to 1. After returning
from the subroutine, the privilege level is changed back to 3.
COMP4690, HKBU
32
Application Layer Protection


All input received from a source external to the
application must be validated prior to processing.
Possible sources of data include:






User input through data entry screens
Output generated by an external program
Access requests from an external program
Operating system environment
Command parameters
Input checking

Verify that the input is of the proper type and within
specified ranges
COMP4690, HKBU
33
Storage Device Protection

Access to servers, workstations, and mobile
computer storage devices needs security
protection such as





Removable storage media
Encryption software for protection of sensitive files
Physical locking devices
Locking portable devices in a desk or file cabinet
Fixed disk systems may need additional
protection such as lockable enclosures
COMP4690, HKBU
34
Network Protection

Data transmission controls






Hash totals
Recording of sequence checking
Transmission logging
Transmission error correction
Invalid login, modem error, lost connections, CPU
failure, disk error, line error, etc.
Retransmission control
COMP4690, HKBU
35
Assurance, Trust, and
Confidence Mechanisms


It is important to verify whether the architecture is
secure.
Evaluation methods have been developed to assure
that the products provide the necessary security
requirements.


What is to be evaluated? A product or a system?
 A product could be a specific operating system.
 A system means a collection of products that together meet
the specific requirements of a given application.
Available evaluating methods



Trusting the advertisements from the manufacturer/vendor
Performing system tests internally within the organization
Trusting an impartial, independent assessment authority
COMP4690, HKBU
36
Trusted Computer Security
Evaluation Criteria (TCSEC)


Produced by National Computer Security Center (NCSC) of U.S. Department of
Defense in 1985, also known as the “orange book”. It only addressed
confidentiality, but it provided guidelines for the evaluation of security products,
such as hardware and operating systems.
Some criteria:








Security policy
Marking of objects: labels indicate the sensitivity of objects
Identification of subjects: subjects must be identified and authenticated
Accountability: security-related events must be contained in audit logs
Assurance: operational assurance, lifecycle assurance
Documentation
Continuous protection
Four security divisions (seven security classes)




A: verified protection, the highest assurance level
B: mandatory protection (B1, B2, B3), B3 the highest
C: discretionary protection (C1, C2), C2 (controlled access protection) is the most
reasonable class for commercial applications
D: minimal protection
COMP4690, HKBU
37
Trusted Network Interpretation
(TNI)



The red book, published in 1987
Using orange book as the basis, it addresses
network and telecommunications.
Key features:



Integrity: biba model for integrity
Labels: to guarantee mandatory access controls
Other security services
 Communication integrity: authentication, integrity, nonrepudiation
 Denial-of-service: continuity of operation, protocol-based
protection, and network management
 Compromise protection: data confidentiality and traffic
confidentiality
COMP4690, HKBU
38
Information Technology Security
Evaluation Criteria (ITSEC)



Endorsed by the Council of the European
Union in 1995
Includes the concepts from TCSEC, but more
flexible
It includes integrity and availability as security
goals, along with confidentiality.
COMP4690, HKBU
39