Trusted OS Design and Evaluation

CS432 - Security in Computing

Copyright © 2005, 2010 by Scott Orr and the Trustees of Indiana University

Section Overview

- Security Policies and Models
- Trust design elements and features
- Orange Book Certification Levels
- Common Criteria
- False Guaranties of Trust

References

- Security in Computing, 4th Ed., Chapter 5 (pgs. 242-257, 264-313)

Military Policy

- Classification
  - Rank (Hierarchical)
  - Compartments (Non-Hierarchical)
- Can only read object if
  - Subject clearance ≥ Required clearance for object
  - Subject has need to know about all compartments for which the object is classified
- Who controls access?

Commercial Security Policy

- Project and/or department based
- No formal notion of clearances
- Rules less consistent
- Typical classifications:
  - Public
  - Proprietary
  - Internal

Clark-Wilson Policy

- Integrity is of prime importance
- Well formed transactions
- Handled via access triples
  - User Identifier (userID)
  - Transformation procedures (TP)
  - Constrained data items (CDI)

Separation of Duty

- Prevent possibility of abuse
- Keeps track of various operations (state)
- Prevent same person from handling multiple transactions on same objects (even if authorized to)
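The two slides above (Clark-Wilson access triples and separation of duty) as an added worked example; this is not code from the lecture, and the users, TPs and CDIs are constructed sample data:

```python
# Added example (not from the lecture): a Clark-Wilson monitor that checks
# access triples and then applies a separation-of-duty rule. All names
# (users, transformation procedures, constrained data items) are constructed.

# Access triples: (userID, transformation procedure, constrained data item).
# A user may run a TP on a CDI only if the triple is present.
TRIPLES = {
    ("alice", "submit_invoice", "invoice-42"),
    ("alice", "approve_invoice", "invoice-42"),
    ("bob", "approve_invoice", "invoice-42"),
}

# Separation of duty: TPs in the same group must be run by different people
# on the same CDI, even when each user is individually authorized for both.
SOD_GROUPS = [{"submit_invoice", "approve_invoice"}]


class ClarkWilsonMonitor:
    def __init__(self, triples, sod_groups):
        self.triples = set(triples)
        self.sod_groups = sod_groups
        self.history = {}   # state: CDI -> set of (user, TP) already run on it

    def _sod_violation(self, user, tp, cdi):
        done = self.history.get(cdi, set())
        for group in self.sod_groups:
            if tp not in group:
                continue
            # Has this user already run another TP of the same group on this CDI?
            if any(u == user and t != tp and t in group for (u, t) in done):
                return True
        return False

    def execute(self, user, tp, cdi):
        """Return True and record the operation if allowed, else False."""
        if (user, tp, cdi) not in self.triples:
            return False            # not an authorized access triple
        if self._sod_violation(user, tp, cdi):
            return False            # separation of duty
        self.history.setdefault(cdi, set()).add((user, tp))
        return True


def demo():
    m = ClarkWilsonMonitor(TRIPLES, SOD_GROUPS)
    return [
        m.execute("alice", "submit_invoice", "invoice-42"),   # True
        m.execute("alice", "approve_invoice", "invoice-42"),  # False: same person
        m.execute("bob", "approve_invoice", "invoice-42"),    # True
        m.execute("bob", "submit_invoice", "invoice-42"),     # False: no triple
    ]
```

Note that alice holds a valid triple for approving the invoice and is still refused, which is exactly the "even if authorized to" point on the slide.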

Chinese Wall Policy

- Goal is to prevent conflicts of interest
- Levels of abstraction
  - Objects
  - Company groups
  - Conflict classes
- Can’t access objects from two company groups within same conflict class
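The three levels of abstraction and the access rule above, as an added example that is not part of the lecture; the companies, conflict classes and object names are constructed:

```python
# Added example (not from the lecture): a minimal Chinese Wall monitor.
# Objects belong to company groups, company groups belong to conflict classes.
# All company, class and object names below are constructed sample data.

COMPANY_OF = {
    "bank-a-report": "BankA",
    "bank-b-report": "BankB",
    "oil-x-report": "OilX",
}
CONFLICT_CLASS_OF = {"BankA": "banks", "BankB": "banks", "OilX": "oil"}


class ChineseWall:
    def __init__(self, company_of, conflict_class_of):
        self.company_of = company_of
        self.conflict_class_of = conflict_class_of
        self.accessed = {}   # subject -> companies whose objects it has touched

    def can_access(self, subject, obj):
        company = self.company_of[obj]
        cls = self.conflict_class_of[company]
        for seen in self.accessed.get(subject, set()):
            # The same company again is fine; a different company inside the
            # same conflict class is a conflict of interest.
            if seen != company and self.conflict_class_of[seen] == cls:
                return False
        return True

    def access(self, subject, obj):
        """Grant and remember the access, or deny it."""
        if not self.can_access(subject, obj):
            return False
        self.accessed.setdefault(subject, set()).add(self.company_of[obj])
        return True


def demo():
    wall = ChineseWall(COMPANY_OF, CONFLICT_CLASS_OF)
    return [
        wall.access("analyst", "bank-a-report"),  # True: first access
        wall.access("analyst", "bank-b-report"),  # False: BankB conflicts with BankA
        wall.access("analyst", "oil-x-report"),   # True: different conflict class
        wall.access("analyst", "bank-a-report"),  # True: same company again
    ]
```

The wall is built by history, so the same object that is allowed for a fresh subject is denied once that subject has read a competitor in the same class.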

Models of Security

- Mechanism to enforce policy
- Lattice – Visualization of relationships
- Bell-La Padula
- Biba Integrity model

Bell La Padula Model

- Military Policy based
- Secures the flow of information
- Properties
  - Simple Security Property: Subject s can read object o only if C(o) ≤ C(s)
  - *-Property: Subject with read access to object o may write to object p if C(o) ≤ C(p)
- Read down / Write Up

Bell La Padula Read-Down

(Figure: a Subject (s) column and an Object (o) column, each with the levels Top Secret, Secret, Unclassified; the subject may read objects at its own level or below.)

Bell La Padula Write-Up

(Figure: a Read Object (o) column and a Write Object (p) column, each with the levels Top Secret, Secret, Unclassified; having read o, the subject may write to p at the same level or above.)

Bell La Padula Lattice Example

(Lattice diagram, highest label at the top; A and B are compartments.)

TS {A, B}
TS {A}    TS {B}
S {A, B}
S {A}     S {B}
U {}

Biba Model

- Dual of Bell-La Padula model
- Focus is on integrity (trustworthiness)
- Properties
  - Simple Integrity Property: Subject s can modify object o only if I(s) ≥ I(o)
  - *-Property: If subject s has read access to object o with integrity level I(o), s can write to object p only if I(o) ≥ I(p)
- Read up / Write down

Biba Read-Up

(Figure: a Subject (s) column and an Object (o) column, each with the levels High Integrity, Medium Integrity, Low Integrity; the subject reads objects at its own integrity level or above.)

Biba Write-Down

(Figure: a Read Object (o) column and a Write Object (p) column, each with the levels High Integrity, Medium Integrity, Low Integrity; having read o, the subject may write to p at the same integrity level or below.)
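The Bell-La Padula and Biba properties from the slides above, checked on the lattice example (rank plus compartments), as an added example that is not part of the lecture; the rank and integrity orderings are the slides' own, and `dominates` is the one helper this example assumes:

```python
# Added example (not from the lecture): Bell-La Padula and Biba rules on a
# lattice of (rank, compartments) labels, e.g. ("TS", {"A"}). The rank and
# integrity orderings follow the slides; nothing else is assumed.

RANK = {"U": 0, "S": 1, "TS": 2}            # Unclassified < Secret < Top Secret
INTEGRITY = {"Low": 0, "Medium": 1, "High": 2}


def dominates(a, b, order):
    """a >= b in the lattice: a's rank is not lower and a's compartments
    include all of b's compartments."""
    rank_a, comps_a = a
    rank_b, comps_b = b
    return order[rank_a] >= order[rank_b] and set(comps_a) >= set(comps_b)


# Bell-La Padula (confidentiality): read down, write up.
def blp_can_read(subject, obj):
    return dominates(subject, obj, RANK)            # C(o) <= C(s)

def blp_can_write(obj_read, obj_written):
    return dominates(obj_written, obj_read, RANK)   # C(o) <= C(p)


# Biba (integrity): the dual rules, read up, write down.
def biba_can_modify(subject, obj):
    return dominates(subject, obj, INTEGRITY)                # I(s) >= I(o)

def biba_can_write(obj_read, obj_written):
    return dominates(obj_read, obj_written, INTEGRITY)       # I(o) >= I(p)


def demo():
    s = ("TS", {"A"})   # a Top Secret subject cleared for compartment A only
    return {
        "read S{A}": blp_can_read(s, ("S", {"A"})),               # True
        "read TS{B}": blp_can_read(s, ("TS", {"B"})),             # False: no need to know for B
        "read S{A,B}": blp_can_read(s, ("S", {"A", "B"})),        # False: lower rank, but B missing
        "write S{A}->TS{A,B}": blp_can_write(("S", {"A"}), ("TS", {"A", "B"})),  # True
        "write TS{A}->S{A}": blp_can_write(("TS", {"A"}), ("S", {"A"})),          # False: would leak down
        "biba High modifies Low": biba_can_modify(("High", set()), ("Low", set())),     # True
        "biba Low read, High write": biba_can_write(("Low", set()), ("High", set())),  # False
    }
```

The third case shows why the lattice, not just the rank, decides access: S {A, B} sits below TS {A} in rank but is incomparable with it in the lattice.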

Design Elements

- Least Privilege
- Economy of Mechanism
- Open Design
- Complete Mediation
- Permission-Based
- Separation of Privilege
- Least Common Mechanism
- Ease of Use

Security Features

- User Identification and Authentication
- Complete Mediation
- Discretionary Access Control
- Mandatory Access Control
- Object Reuse Protection
- Audit
- Audit Reduction
- Trusted Path
- Intrusion Detection

Trusted Computer Base (TCB)

(Figure: nested layers, innermost to outermost: Reference Model, Security Kernel, Trusted Computer Base.)

Assurance Methods

- Testing
- Pentesting
- Formal Verification
- Validation

Orange Book Evaluation

(Figure: the levels drawn as a staircase from lowest to highest.)

- D - Minimal Protection
- C1 - Discretionary Security Protection
- C2 - Controlled Access Protection
- B1 - Labeled Security Protection
- B2 - Structured Protection
- B3 - Security Domains
- A1 - Verified Design

Discretionary Security Protection (C1)

- User Authentication
- Object Access Control
- Discretionary Access Control
- Memory Protection
- Penetration Testing

Controlled Access Protection (C2)

- Single User Access Control
- Object Reuse
- Audit Logs

Labeled Security Protection (B1)

- Mandatory Access Control
- Labeled Objects
  - Hierarchical
  - Nonhierarchical
- Need to Know Access Policy

Structured Protection (B2)

- Test and review of design
- Principle of Least Privilege
- Trusted Paths
- Covert Channel Analysis

Security Domains (B3)

- Extensive Testing
- Full Access Control
- Active Audits and Alerts
- Resistant to Penetration

Verified Design (A1)

- Formally Verifiable Design
- Formal Top-Down Spec.
- Informal demonstration that spec. is consistent with design
- Formal Analysis of Covert Channels

Orange Book Weaknesses

- All or Nothing for Level Certification
- Local software can invalidate
- OS Patches can invalidate
- Mandatory Access Control can be difficult to set up
- Viruses not taken into consideration

Common Criteria

- Class-family-component based
- International system

Common Criteria Classes

- Functionality
  - Identification and Authentication
  - Trusted Path
  - Security Audit
  - Invocation of Security Functions
  - User Data Protection
  - Resource Utilization
  - Protection of the Trusted Security Functions
  - Privacy
  - Communication
- Assurance
  - Development
  - Testing
  - Vulnerability Assessment
  - Configuration Management
  - Life-cycle Support
  - Guidance Documents
  - Delivery and Operation

Common Criteria

(Figure: a Class contains Families, a Family contains Components; Components are grouped into Packages, and Packages together with individual Components make up a Protection Profile and a Security Target.)

False Guaranties of Trust

- Emphatic Assertions
- Security through Obscurity
- “I couldn’t find any flaws”
- Challenges