COMP4690, HKBU 1

Chapter 3

Security Architecture and Models

COMP4690, HKBU 2

Overview Building an information system requires a balance among various

requirements: capability, flexibility, performance, ease of use, cost, and security.

Security architecture: a view of an overall system architecture from a security perspective. It is fundamental to any information system. It describes how the system is put together to satisfy the security

requirement. It describes at an abstract level the relationships between key elements

of the hardware, operating systems, applications, network, etc., to protect the organization’s interests.

It describes how the functions in the system development process follow the security requirements.

Security model: a statement that outlines the requirements necessary to properly support a security policy. It provides a deeper explanation of how a computer system should be developed to properly support a specific security policy.

COMP4690, HKBU 3

Main Topics

Information protection environment Computer organization & architecture Software Distributed systems

Security models Confidentiality models Integrity models Information flow models

Security Technology and Tools Assurance, Trust, and Confidence Mechanisms

COMP4690, HKBU 4

Computer organization & architecture Architecture is those attributes visible to the

programmer Instruction set, number of bits used for data representation,

I/O mechanisms, addressing techniques. e.g. Is there a multiply instruction?

Organization is how features are implemented Control signals, interfaces, memory technology. e.g. Is there a hardware multiply unit or is it done by

repeated addition? E.g.

All Intel x86 family share the same basic architecture The IBM System/370 family share the same basic

architecture

COMP4690, HKBU 5

Computer Components

COMP4690, HKBU 6

Computer Components

CPU Arithmetic logic unit (ALU): performs arithmetic

and logical operations Control logic Registers: general-purpose registers, instruction

register, program counter, accumulators

COMP4690, HKBU 7

Memory

Cache Relatively small amount of very high speed RAM To reduce the apparent main memory access time

RAM: random access memory Volatile: data is lost if power is off Dynamic RAM (DRAM) vs. Static RAM (SRAM)

PLD: programmable logic device ROM: Read Only Memory PAL: Programmable Array Logic CPLD: Complex Programmable Logic Device FPGA: Field Programmable Gate Array

COMP4690, HKBU 8

Memory

ROM EPROM: erasable programmable read only

memory EAROM: electrically alterable read only memory EEPROM: electrically erasable programmable

read only memory Firmware: the programs stored on these

devices

COMP4690, HKBU 9

Memory Hierarchy

Register Cache Primary memory

directly addressable by CPU; used for the storage of instructions and data; usually RAM

Secondary memory Slower memory such as magnetic disks that provides non-

volatile storage Virtual memory

Use secondary memory in conjunction with primary memory to present a CPU with a larger address space

COMP4690, HKBU 10

Memory addressing modes Register addressing

Addressing the registers within a CPU Direct addressing

Addressing a portion of primary memory by specifying the actual address of the memory location

Absolute addressing Addressing all of the primary memory space

Indexed addressing By adding the contents of the address defined in the program’s instruction to

that of an index register Implied addressing

When operations are internal to the processor, no need to provide an address

Indirect addressing The address location that is specified in the program instruction contains the

address of the final desired location

COMP4690, HKBU 11

Instruction Cycle

Two steps: Fetch and Execute

COMP4690, HKBU 12

Review of Terms CISC: complex-instruction set computer

Uses instructions that perform many operations per instruction RISC: reduced-instruction set computer

Uses instructions that are simpler and require fewer clock cycles to execute

Pipelining Overlapping the steps of different instructions

Scalar Processor A processor that executes one instruction at a time

Superscalar Processor A processor that enables concurrent execution of multiple

instructions in the same pipeline stage as well as in different pipeline stages

COMP4690, HKBU 13

Review of Terms

Multitasking Multiprogramming Multiprocessing Multithreading

COMP4690, HKBU 14

CPU Modes and Protection Rings Operating system needs to ensure that processes do not

negatively affect each other or the critical components of the system itself

Protection Rings Provide strict boundaries and definitions on what the processes

that work within each ring can access and what commands they can successfully execute

The processes that operate within the inner rings have more privileges than the processes operating in the outer rings.

Privileged mode Execute within the inner rings

User mode Execute in the outer rings

COMP4690, HKBU 15

Input/Output System

Programmed IO Interrupt Direct memory access

COMP4690, HKBU 16

Software

High-level language a = b + c; d = a – e;

Assembly language add a, b, c sub d, a, e

Machine language 00000010001100100100000000100000 layout of the instruction is called instruction format

Compiler

Assembler / Linker

COMP4690, HKBU 17

Open and Closed Systems

Open System Vendor-independent systems Have published specifications and interfaces Subject to review and evaluation by independent

parties Closed System

Use vendor-dependent proprietary hardware and/or software

Not compatible with other systems or components May have vulnerabilities that are not known

COMP4690, HKBU 18

Some Concerns

Desktop systems can contain sensitive information Users may generally lack security awareness A desktop PC can provide an avenue of access into

critical information systems of an organization Downloading data from the Internet increases the

risk of infecting corporate systems A desktop system may not be protected from

physical intrusion or theft May lack of proper backup

COMP4690, HKBU 19

Some security mechanisms Email and download/upload policies Robust access control File encryption Separation of the processes that run in privileged or non-privileged processor

states Protection of sensitive disks by locking Distinct labeling of disks and materials according to their classification A centralized backup of desktop system files Regular security awareness training sessions Control of software installed on desktop systems Logging of transactions and transmissions Database management systems restricting access to sensitive information Protection against environmental damage to computers and media Use of formal methods for software development and application Inclusion of desktop systems in disaster recovery and business continuity plans

COMP4690, HKBU 20

Information Security Models Security Policy:

A high-level statement of enterprise beliefs, goals, and objectives and the general means for their attainment for a specified subject area.

Security models are used to formalize security policies, and to provide a framework for the understanding of fundamental concepts.

Access models Integrity models Information flow models

Object: a passive entity such as a file or a storage resource Subject: an active entity that is seeing rights to a resource or

object. It can be a person, a program, or a process.

COMP4690, HKBU 21

Access Control Models

Access matrix

Object

Subject

File Income File Salaries Process Deductions

Print Server A

Joe Read Read/Write Execute Write

Jane Read/Write Read None Write

Process Check

Read Read Execute None

Program Tax

Read/Write Read/Write Call Write

COMP4690, HKBU 22

Access Control Models

Bell-LaPadula Model Developed to formalize the U.S. Department of Defense

(DoD) multilevel security policy Only deals with confidentiality of classified material.

Doesn’t address integrity or availability. Built on the state machine concept:

A set of allowable state is defined in a system The transition from one state to another upon receipt of an

input is defined by transition functions The objective is to ensure that the initial state is secure and

that the transitions always result in a secure state

COMP4690, HKBU 23

Bell-LaPadula Model (Cont.)

High Sensitivity Level

Medium Sensitivity Level

Low Sensitivity Level

WriteOK

ReadOK

Simple security property: reading of information by a subject at a lower sensitivity level from an object at a higher sensitivity level is not permitted (no read up)

* (star) security property: writing of information by a subject at a higher level of sensitivity to an object at a lower level of sensitivity is not permitted (no write down) – too restrictive

Discretionary security property: uses an access matrix to specify discretionary access control

WriteOK

(violate * property by Trusted Subject)

COMP4690, HKBU 24

Integrity Models

Biba Integrity Model Three integrity axioms:

Simple integrity axiom: a subject at one level of integrity is not permitted to read an object of a lower integrity (no read down)

* (star) integrity axiom: an object at one level of integrity is not permitted to modify an object of a higher level of integrity (no write up)

A subject at one level of integrity cannot invoke a subject at a higher level of integrity

COMP4690, HKBU 25

Biba Integrity Model (cont.)

High Integrity Level

Medium Integrity Level

Low Integrity Level

ReadOK

WriteOK

Subject

Subject

InvokeNOTOK

COMP4690, HKBU 26

Information Flow Models

Based on a state machine Consists of objects, stat transitions, and

lattice (flow policy) states Each object is assigned a security class and

value, and information is constrained to flow in the directions that are permitted by the security policy

COMP4690, HKBU 27

(cont.)

Confidential(Project X)

Confidential

Unclassified

Confidential(Task 2, Project X)

Confidential(Task 1, Project X)

COMP4690, HKBU 28

Security Technology and Tools

Operating System Protection Memory Protection CPU and I/O Device Protection Application Layer Protection Storage Device Protection Network Protection

COMP4690, HKBU 29

Operating System Protection Three security technologies are used to protect security features

Trusted Computing Base (TCB): the totality of protection mechanisms within a computer system. The TCB maintains the confidentiality and integrity and monitors four basic

functions: Process activation, Execution domain switching, Memory protection, I/O operations

Reference Monitor an access control concept referring to an abstract machine that mediates all

accesses to objects by subjects based on information in an access control database

Security Kernel The hardware, firmware, and software elements of a TCB implementing the

reference monitor concept. It must mediate all accesses (completeness), must be protected from

modification (isolation), must be verifiable as correct (verifiable). The reference monitor is an abstract concept; the security kernel is the

implementation of the reference monitor; and the TCB contains the security kernel along with other protection mechanisms.

COMP4690, HKBU 30

General operating system protection

User identification and authentication Mandatory access control Discretionary access control Complete mediation Object reuse protection Audit Protection of audit logs Audit log reduction Trusted path Intrusion detection

COMP4690, HKBU 31

Memory Protection For single-task system

To prevent the user’s programs from affecting the operating system For multitasking system

To isolate the process’s memory areas from each other Hardware techniques were developed to provide memory protection

In privileged state, only operating system can perform the operations that were critical to controlling and maintaining the protection mechanisms

For multi-user systems, various controls must be built into the operating system for memory protection: Every reference is checked for protection Many different data classes can be assigned different levels of protection Two or more users can share access to the same segment with potentially

different access rights Users cannot access a memory or address segment outside what has been

allocated for them

COMP4690, HKBU 32

CPU and I/O Device Protection The protections for the I/O devices are based on the type of

processor. E.g., Intel 80486 is a 32-bit processor, which defines four

privilege levels (rings). Software could be assigned to the levels as

0 = operating system kernel 1 = I/O drivers 2 = rest of the operating system 3 = application software

If an application in ring 3 needs a service from the operating system in ring 1, it can only invoke some system subroutines and the current privilege level will change from 3 to 1. After returning from the subroutine, the privilege level is changed back to 3.

COMP4690, HKBU 33

Application Layer Protection

All input received from a source external to the application must be validated prior to processing.

Possible sources of data include: User input through data entry screens Output generated by an external program Access requests from an external program Operating system environment Command parameters

Input checking Verify that the input is of the proper type and within

specified ranges

COMP4690, HKBU 34

Storage Device Protection

Access to servers, workstations, and mobile computer storage devices needs security protection such as Removable storage media Encryption software for protection of sensitive files Physical locking devices Locking portable devices in a desk or file cabinet Fixed disk systems may need additional protection

such as lockable enclosures

COMP4690, HKBU 35

Network Protection

Data transmission controls Hash totals Recording of sequence checking Transmission logging Transmission error correction Invalid login, modem error, lost connections, CPU

failure, disk error, line error, etc. Retransmission control

COMP4690, HKBU 36

Assurance, Trust, and Confidence Mechanisms It is important to verify whether the architecture is

secure. Evaluation methods have been developed to assure

that the products provide the necessary security requirements. What is to be evaluated? A product or a system?

A product could be a specific operating system. A system means a collection of products that together meet

the specific requirements of a given application. Available evaluating methods

Trusting the advertisements from the manufacturer/vendor Performing system tests internally within the organization Trusting an impartial, independent assessment authority

COMP4690, HKBU 37

Trusted Computer Security Evaluation Criteria (TCSEC) Produced by National Computer Security Center (NCSC) of U.S. Department of

Defense in 1985, also known as the “orange book”. It only addressed confidentiality, but it provided guidelines for the evaluation of security products, such as hardware and operating systems.

Some criteria: Security policy Marking of objects: labels indicate the sensitivity of objects Identification of subjects: subjects must be identified and authenticated Accountability: security-related events must be contained in audit logs Assurance: operational assurance, lifecycle assurance Documentation Continuous protection

Four security divisions (seven security classes) A: verified protection, the highest assurance level B: mandatory protection (B1, B2, B3), B3 the highest C: discretionary protection (C1, C2), C2 (controlled access protection) is the most

reasonable class for commercial applications D: minimal protection

COMP4690, HKBU 38

Trusted Network Interpretation (TNI) The red book, published in 1987 Using orange book as the basis, it addresses

network and telecommunications. Key features:

Integrity: biba model for integrity Labels: to guarantee mandatory access controls Other security services

Communication integrity: authentication, integrity, non-repudiation

Denial-of-service: continuity of operation, protocol-based protection, and network management

Compromise protection: data confidentiality and traffic confidentiality

COMP4690, HKBU 39

Information Technology Security Evaluation Criteria (ITSEC)

Endorsed by the Council of the European Union in 1995

Includes the concepts from TCSEC, but more flexible

It includes integrity and availability as security goals, along with confidentiality.