ECE-6612 csc.gatech / copeland / jac /6612/ Prof. John A. Copeland

ECE-6612, http://www.csc.gatech.edu/copeland/jac/6612/. Prof. John A. Copeland, [email protected], 404 894-5177, fax 404 894-0035. Offices: Klaus 3362; email or call for office visit. Chapter 10 (b) - Trusted Systems. Slide deck dated 3/9/2015 (an earlier version of the same deck is dated 3/13/2013).

Page 1: Title slide

ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland, [email protected]
404 894-5177, fax 404 894-0035
Offices: Klaus 3362, email or call for office visit, 404 894-5177
Chapter 10 (b) - Trusted Systems
3/9/2015

Page 2: Trusted Systems

Subject: - an entity capable of accessing objects. Usually a process of an application being run by a user. Note that a secure user authentication procedure is essential (pass-phrase, biometrics, ...), because the rights a subject gets are derived from the identity of the user it runs on behalf of.

Object: - anything to which access is controlled. This includes files, portions of files, programs, segments of memory, records and fields of records in a database.

Access Right: - a way in which an object can be accessed by a subject, typically read, write, and execute.

Access matrix, access control list (ACL), or capability list (ticket): three ways of representing the same access rights. The matrix holds one cell per (subject, object) pair; an ACL stores the matrix one column (object) at a time; a capability list stores it one row (subject) at a time.

Page 3: Access Matrix

Figure: the access matrix, Subjects along one axis and Objects along the other; each cell holds the rights that subject has to that object.

Page 4: ACL - Access Control List

For each object, a list of subjects (& rights):

Object[1]: Subject[3], Subject[5]
Object[2]: Subject[2], Subject[5]
Object[3]: ...

Page 5: Capability List

For each subject, a list of objects (& rights):

Subject[1]: Object[4], Object[7]
Subject[2]: Object[2], Object[5]
Subject[3]: ...
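As an added example (not code from the slides), the three representations of pages 3-5 side by side in Python, with a default-deny check over the matrix. The subjects, objects and rights are made up for illustration; the revoke helper shows the practical difference between the two views that the slides only hint at.

```python
"""Access matrix, ACL view and capability-list view (added example, not from the slides).
Subjects, objects and rights below are constructed sample data."""

from collections import defaultdict

# Access matrix: key = (subject, object), value = set of rights held.
# Constructed sample; an absent key means "no rights".
MATRIX = {
    ("alice", "payroll.db"): {"r", "w"},
    ("alice", "report.txt"): {"r"},
    ("bob", "report.txt"): {"r", "w"},
    ("bob", "ls"): {"x"},
    ("carol", "payroll.db"): {"r"},
}


def acl_view(matrix):
    """Column view (page 4): for each object, which subjects may access it and how."""
    acl = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        acl[obj][subject] = set(rights)
    return dict(acl)


def capability_view(matrix):
    """Row view (page 5): for each subject, which objects it may access and how."""
    caps = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        caps[subject][obj] = set(rights)
    return dict(caps)


def check(matrix, subject, obj, right):
    """Reference-monitor style decision: allow only if the right is explicitly held.
    Default-deny matters: an unknown subject or object is a denial, not an error."""
    return right in matrix.get((subject, obj), set())


def revoke_object(matrix, obj):
    """Remove every right to one object.  In an ACL system this is one column
    (one list stored with the object); in a capability system the same revocation
    means finding and invalidating the ticket held by every subject."""
    return {key: rights for key, rights in matrix.items() if key[1] != obj}


if __name__ == "__main__":
    print(acl_view(MATRIX)["report.txt"])              # who may touch report.txt
    print(capability_view(MATRIX)["bob"])              # what bob may touch
    print(check(MATRIX, "carol", "payroll.db", "w"))   # carol has r only -> False
    print(check(revoke_object(MATRIX, "report.txt"), "bob", "report.txt", "r"))  # False
```

Run it directly to see the two views; the check function is what an enforcement point would call on every access.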

Page 6: Multilevel Security

Put Subjects into Levels, then Level defines Rights.

• No Read Up (Simple Security Property): a subject can only read an object of less or equal security level.
• No Write Down (*-Property): a subject can only write to an object of greater or equal security level (it cannot lower the security classification of information by writing it to an object with a lower security level). You can contribute information to a higher-level report, but cannot read the report.
• Need to Know: a subject can only access data if it is cleared for that project or category (compartmentalized sensitive information). [not in book]
• Reference Monitor: the component that enforces the three rules above on every access.

Figure: three side-by-side stacks of levels, one per compartment, each reading from top to bottom: SCI, ...* / Top-Secret / Secret / Confidential / Unclassified.

<- Compartments: Projects, Areas, ... (need-to-know)

* so secret we can't reveal the name.

Page 7: UNIX permissions

UNIX: each directory and file belongs to a user (owner) and a group. Users can belong to many groups.

Permissions: r = read, w = write, x = execute; 3 sets, for user (owner), group, and others. A leading "d" means directory. For directories, "r" means "can list the names in it" and "x" means "can enter it and open entries by name"; r without x shows the names but does not let you reach them, and x without r lets you reach an entry whose name you already know but not list the directory.

Columns below: permissions, link count, owner, group, size, date modified, name.

$ ls -l
total 35816
-rw-r--r--   1 copeland  staff   3213979 Apr 18  2012 220.pcap
-rw-r--r--   1 copeland  staff    519884 Oct 31 10:35 3076 alias
-rw-r--r--   1 copeland  staff    242276 Sep 21 10:54 5900.pcap
-rwxr--r--   1 copeland  staff    519040 Jan 20  2012 reset_script
drwx------   5 copeland  staff       918 Feb 22 11:22 Desktop
drwxr-----  18 copeland  staff      1020 Jan 24 14:45 Documents
drwxr-xr-x  12 root      root       5542 May 24  2012 Downloads
drwx------   5 copeland  staff       204 Mar 14  2012 Movies
drwxr-xr-x   4 copeland  staff       306 Mar  8  2010 Music
-rw-r--r--   1 copeland  admin         0 Feb 15  2009 PGP Keyrings
drwxr--r--  13 copeland  copeland    748 Mar 14  2012 Pictures
drwx-wx---   3 copeland  staff       170 Nov  6  2008 Public
$ id
uid=501(copeland) gid=20(staff) groups=20(staff),204(_developer),100(_lpoperator),98(_lpadmin),81(_appserveradm),80(admin),12(everyone),504(access_bpf)
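An added example, not from the slides: a small Python model of the rule the kernel applies to the bits in a listing like the one above, including the point people most often get wrong, that exactly one triple is consulted (owner if you are the owner, else group if you are in the group, else other) and the triples are never combined. The listing is a constructed subset of the slide's ls -l output plus one made-up entry, notes, whose owner bits are weaker than its group bits.

```python
"""UNIX mode-bit decision (added example, not from the slides).
Models how the kernel picks one permission triple for a process with a uid and
a set of group memberships, against the owner, group and mode shown by ls -l.
LISTING is constructed from the slide's output; the 'notes' line is invented."""

import re

LISTING = """\
-rw-r--r--   1 copeland  staff   3213979 Apr 18  2012 220.pcap
-rwxr--r--   1 copeland  staff    519040 Jan 20  2012 reset_script
drwxr-----  18 copeland  staff      1020 Jan 24 14:45 Documents
drwxr-xr-x  12 root      root       5542 May 24  2012 Downloads
drwxr--r--  13 copeland  copeland    748 Mar 14  2012 Pictures
drwx-wx---   3 copeland  staff       170 Nov  6  2008 Public
-r--rw----   1 copeland  staff        12 Jan  1  2015 notes
"""

# type+mode, links, owner, group, size, month, day, year-or-time, name (may contain spaces)
LINE_RE = re.compile(
    r"^([-dl][rwx-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$"
)


def parse_listing(text):
    """Return {name: (type_char, owner, group, nine_mode_bits)} from ls -l lines."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:              # skips 'total ...' and anything unparsable
            continue
        mode, owner, group, name = m.groups()
        entries[name] = (mode[0], owner, group, mode[1:])
    return entries


def allowed(entry, user, groups, want):
    """Classic UNIX rule: choose ONE triple, then test 'want' ("r", "w" or "x").
    The owner gets only the owner bits even when the group bits would grant more;
    the triples are not OR-ed together."""
    _, owner, group, bits = entry
    if user == owner:
        triple = bits[0:3]
    elif group in groups:
        triple = bits[3:6]
    else:
        triple = bits[6:9]
    return want in triple


def can_list_dir(entry, user, groups):
    """Listing the names in a directory needs r on the directory."""
    return entry[0] == "d" and allowed(entry, user, groups, "r")


def can_enter_dir(entry, user, groups):
    """Entering a directory / opening an entry by name needs x on the directory."""
    return entry[0] == "d" and allowed(entry, user, groups, "x")


# Identities modelled on the slide's `id` output plus a made-up outsider.
COPELAND = ("copeland", {"staff", "admin", "everyone"})
GUEST = ("guest", {"everyone"})

if __name__ == "__main__":
    fs = parse_listing(LISTING)
    # Owner-first quirk: copeland owns 'notes' with r-- while group staff has rw-.
    print("copeland can write notes:", allowed(fs["notes"], *COPELAND, "w"))      # False
    print("staff member can write notes:", allowed(fs["notes"], "other", {"staff"}, "w"))  # True
    # drwx-wx---: a non-owner in staff can enter Public but not list it.
    print("staff can list Public:", can_list_dir(fs["Public"], "other", {"staff"}))   # False
    print("staff can enter Public:", can_enter_dir(fs["Public"], "other", {"staff"})) # True
    print("guest can run reset_script:", allowed(fs["reset_script"], *GUEST, "x"))   # False
```

The parser deliberately ignores the mode suffixes some systems print ("@", "+") and does not model setuid/setgid/sticky bits or the root override; it is there to make the triple-selection rule concrete, not to replace `stat(2)`.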

Page 8: (figure only; no text captured in the transcript)

Page 9: A Trojan Horse on a conventional system

Alice's program has a Trojan Horse hidden inside.

In normal computers, programs and files usually have the same privileges as the "user" using them.

Figure: Bob ("Secret" clearance) owns the "Secret" data file CPE170KS (Bob: RW). Alice ("Confidential" clearance) owns the Program and a Back-Pocket File (Alice: RW, Bob: W).

Page 10:

When Bob runs Alice's program, the Trojan writes info from Bob's Secret file to Alice's Confidential file ("write down").

Figure: same layout as page 9. The Program, running with Bob's privileges, reads CPE170KS (Bob: RW) and writes into the Back-Pocket File (Alice: RW, Bob: W), which Alice can then read.

Page 11: The same scenario on a Trusted System

In "Trusted System" computers, programs and files have their own security levels.

When Bob runs Alice's program, it has to access the Secret data file through the Reference Monitor, which upgrades the level of the process to Secret.

Figure: Bob (Secret clearance) and Alice (Confidential clearance); the "Secret" data file CPE170KS (Bob: RW); the Program, now labelled "Secret"; the Back-Pocket File (Alice: RW, Bob: W). Every access passes through the Reference Monitor.

Page 12:

The Reference Monitor will not let the (now rated Secret) process write down to a lower-level file.

Figure: as on page 11. The "Secret" Program attempts to write to the "Confidential" Back-Pocket File (Alice: RW, Bob: W) and the Reference Monitor blocks it. Bob holds "Secret" clearance, Alice "Confidential".
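An added example, not code from the slides, that replays pages 9-12 with the rules of page 6 in Python: first on a "normal computer" that checks only owner/ACL rights, where the Trojan leaks, then behind a reference monitor that applies No Read Up, No Write Down and compartments on every read and write, where the same Trojan is stopped at the write-down. The labels, file names, the DAC table and the idea that a process's current label floats up to what it has read (capped by the user's clearance) are this example's assumptions about how the slides' "upgrades the level of the process" works.

```python
"""Reference monitor for the multilevel rules of page 6, run over the Trojan-horse
scenario of pages 9-12.  Added example, not from the slide deck; labels, file
names, the DAC table and the floating process label are assumptions."""

LEVEL_NAMES = ["Unclassified", "Confidential", "Secret", "Top-Secret"]


class Label:
    """Hierarchical level plus a set of compartments (need-to-know)."""

    def __init__(self, level, compartments=()):
        self.level = LEVEL_NAMES.index(level) if isinstance(level, str) else level
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        """self >= other: level high enough AND cleared for every compartment of other."""
        return self.level >= other.level and self.compartments >= other.compartments

    def join(self, other):
        """Least upper bound: what a process carries after it has read 'other'."""
        return Label(max(self.level, other.level), self.compartments | other.compartments)

    def __repr__(self):
        return f"{LEVEL_NAMES[self.level]}{sorted(self.compartments)}"


class Denied(Exception):
    pass


class Process:
    def __init__(self, user, clearance, program_label):
        self.user = user
        self.clearance = clearance     # ceiling: the user's clearance (Bob = Secret)
        self.current = program_label   # starts at the program's label, floats up on reads


class DacOnly:
    """The 'normal computer' of pages 9-10: only the owner/ACL rights, no labels."""

    def __init__(self, acl):
        self.acl = acl                 # object name -> {user: "RW"}

    def read(self, proc, name):
        if "R" not in self.acl[name].get(proc.user, ""):
            raise Denied(f"{proc.user} has no R on {name}")
        return f"<contents of {name}>"

    def write(self, proc, name, data):
        if "W" not in self.acl[name].get(proc.user, ""):
            raise Denied(f"{proc.user} has no W on {name}")
        return True


class ReferenceMonitor(DacOnly):
    """Pages 11-12: every read and write is also mediated against labels."""

    def __init__(self, acl, labels):
        super().__init__(acl)
        self.labels = labels           # object name -> Label, held inside the monitor

    def read(self, proc, name):
        obj = self.labels[name]
        if not proc.clearance.dominates(obj):       # No Read Up, incl. need-to-know
            raise Denied(f"{proc.user} is not cleared for {name} {obj}")
        data = super().read(proc, name)
        proc.current = proc.current.join(obj)       # the process is upgraded
        return data

    def write(self, proc, name, data):
        obj = self.labels[name]
        if not obj.dominates(proc.current):         # No Write Down (*-property)
            raise Denied(f"process at {proc.current} may not write down to {name} {obj}")
        return super().write(proc, name, data)


def attempt(op, *args):
    """Run one mediated operation, returning its result or the denial text."""
    try:
        return op(*args)
    except Denied as e:
        return f"denied: {e}"


# Constructed scenario from the slides: Bob (Secret) runs Alice's (Confidential) program.
ACL = {"CPE170KS": {"bob": "RW"}, "back_pocket": {"alice": "RW", "bob": "W"}}
LABELS = {"CPE170KS": Label("Secret"), "back_pocket": Label("Confidential")}


def run_trojan(system):
    """The hidden Trojan: read Bob's Secret file, copy it into Alice's file."""
    proc = Process("bob", Label("Secret"), Label("Confidential"))
    try:
        secret = system.read(proc, "CPE170KS")
        system.write(proc, "back_pocket", secret)
        return "leaked"
    except Denied as e:
        return f"denied: {e}"


if __name__ == "__main__":
    print(run_trojan(DacOnly(ACL)))                     # leaked
    print(run_trojan(ReferenceMonitor(ACL, LABELS)))    # denied: ... write down ...
```

Note what the DAC check alone cannot express: Bob legitimately holds W on the back-pocket file, so nothing in the ACL distinguishes the Trojan's write from an honest one; only the label carried by the process, set when it read CPE170KS, tells the monitor that this particular write would move Secret information to a Confidential container. The same monitor still lets a Confidential process write up into a Top-Secret report it is not allowed to read, as the page 6 text says.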

Page 13: Offense and Defense

Offense: How could one attack a secure system?

Defense: What attacks need to be anticipated?

Defense strategy starts with an analysis of possible offensive strategies. Then, for each attack vector, how do you

• Prevent
• Detect
• Stop

Page 14: NSA Commercial Product Evaluation Program

The Computer Security Center within the National Security Agency has a Commercial Product Evaluation Program.

To be rated a "Trusted System" (at a certain level) and be eligible for government and DoD RFPs, the computer must provide:

Complete Mediation: Security rules are enforced on every access, not just when a file is opened.

Isolation: The reference monitor and its database are protected from unauthorized modification.

Verifiability: The reference monitor's correctness must be mathematically provable; it must be possible to demonstrate, by a set of logic rules, that it enforces the security rules and provides Complete Mediation and Isolation.

Page 15: "Common Criteria" Security Specifications

In January 1996, the United States, United Kingdom, Germany, France, Canada, and the Netherlands released a jointly developed evaluation standard for a multi-national marketplace. This standard is known as the "Common Criteria for Information Technology Security Evaluation" (CCITSE), usually referred to as the "Common Criteria" (CC). The Common Criteria can be used for the following purposes:

(see table on next slide)

Under the Common Criteria, each level of trust rating from the TCSEC can be specified as a Protection Profile (PP). A Protection Profile looks very similar to a level of trust rating but has two fundamental differences. First, where the TCSEC binds sets of features and assurances together, the Common Criteria allows Protection Profiles to combine features and assurances in any combination. Second, the TCSEC specifies a fixed set of ratings (profiles), but the Common Criteria allows consumers to write a customized set of requirements in a standard format.

The TPEP office is currently developing Protection Profiles that map to the C2 rating referred to in the TCSEC, and Sensitive-But-Unclassified (SBU) Firewall Protection Profiles. Common Criteria evaluations are now in progress using the Firewall Protection Profiles.

From http://www.radium.ncsc.mil/tpep/library/ccitse/cc_over.html - no longer available

Page 16: (table of Common Criteria purposes referred to on page 15; not captured in the transcript)

Page 17: Value of Certification

From http://en.wikipedia.org/wiki/Common_Criteria (accessed 4/13/2009 and 3/16/2012):

If a product is Common Criteria certified, it does not necessarily mean it is completely secure. For example, various Microsoft Windows versions, including Windows Server 2003 and Windows XP, were certified at EAL4+, but regular security patches for security vulnerabilities were still published by Microsoft for these Windows systems. This is possible because the process of obtaining a Common Criteria certification allows a vendor to restrict the analysis to certain security features and to make certain assumptions about the operating environment and the strength of threats, if any, faced by the product in that environment. ...

So far, most PPs and most evaluated STs/certified products have been for IT components (e.g., firewalls, operating systems, smart cards). Common Criteria certification is sometimes specified for IT procurement. Other standards containing rules for interoperation, system management, user training, ..., supplement CC and other product standards.

Evaluation is a costly process (often measured in hundreds of thousands of US dollars), and the vendor's return on that investment is not necessarily a more secure product (but it permits selling the product to certain government areas).