Trusted OS Design and Evaluation
CS432 - Security in Computing
Copyright © 2005, 2010 by Scott Orr and the Trustees of Indiana University
Section Overview
Security Policies and Models
Trust design elements and features
Orange Book Certification Levels
Common Criteria
False Guarantees of Trust
References
Security in Computing, 4th Ed., Chapter 5 (pgs. 242-257, 264-313)
Military Policy
Classification: Rank (Hierarchical) and Compartments (Non-Hierarchical)
Can only read object if:
Subject clearance ≥ required clearance for object
Subject has need to know about all compartments with which the object is classified
Who controls access?
Commercial Security Policy
Project and/or department based
No formal notion of clearances
Rules less consistent
Typical classifications: Public, Proprietary, Internal
Clark-Wilson Policy
Integrity is of prime importance
Well-formed transactions
Handled via access triples: User Identifier (userID), Transformation Procedures (TP), Constrained Data Items (CDI)
Separation of Duty
Prevent possibility of abuse
Keeps track of various operations (state)
Prevent same person from handling multiple transactions on same objects (even if authorized to)
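A small enforcement model for the access triples and separation-of-duty state described in the two slides above, added here as an example and not part of the original slides. The users, transformation procedures and CDI names are constructed.

```python
# Clark-Wilson enforcement sketch (constructed example, not from the slides).
# Access is granted only by certified (userID, TP, CDI) triples, and the
# separation-of-duty rule keeps state so that one user cannot perform a
# second transaction on a CDI they have already handled.

# Constructed certified triples: both users may prepare and approve.
TRIPLES = {
    ("alice", "prepare_payment", "invoice-17"),
    ("bob",   "prepare_payment", "invoice-17"),
    ("alice", "approve_payment", "invoice-17"),
    ("bob",   "approve_payment", "invoice-17"),
}


class ClarkWilson:
    def __init__(self, triples):
        self.triples = set(triples)
        self.handled = {}  # CDI -> set of userIDs that already ran a TP on it

    def run(self, user, tp, cdi):
        """Attempt transaction tp by user on cdi; return a decision string."""
        # Access triple check: the TP must be certified for this user and CDI.
        if (user, tp, cdi) not in self.triples:
            return "denied: no access triple"
        # Separation of duty: a user who already handled this CDI may not
        # perform another transaction on it, even though a triple exists.
        if user in self.handled.get(cdi, set()):
            return "denied: separation of duty"
        self.handled.setdefault(cdi, set()).add(user)
        return "ok"


def demo():
    """Alice prepares the payment, so only a different user may approve it."""
    cw = ClarkWilson(TRIPLES)
    return [
        cw.run("alice", "prepare_payment", "invoice-17"),
        cw.run("alice", "approve_payment", "invoice-17"),
        cw.run("bob", "approve_payment", "invoice-17"),
        cw.run("carol", "approve_payment", "invoice-17"),
    ]
```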
Chinese Wall Policy
Goal is to prevent conflicts of interest
Levels of abstraction: Objects, Company groups, Conflict classes
Can’t access objects from two company groups within same conflict class
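The three levels of abstraction and the history-based rule above, worked as an added example (not code from the slides); the objects, company groups and conflict classes are constructed.

```python
# Chinese Wall policy (constructed example, not from the slides): objects
# belong to company groups, company groups to conflict classes, and a subject
# who has accessed one company group may not access another group in the
# same conflict class. Each subject's access history is the policy's state.

# Constructed object -> (company group, conflict class) mapping.
OBJECTS = {
    "bankA-ledger": ("BankA", "banking"),
    "bankB-ledger": ("BankB", "banking"),
    "oilX-report":  ("OilX",  "oil"),
    "oilY-report":  ("OilY",  "oil"),
}


class ChineseWall:
    def __init__(self, objects):
        self.objects = objects
        # subject -> {conflict class -> company group already accessed}
        self.history = {}

    def may_access(self, subject, obj):
        group, conflict = self.objects[obj]
        seen = self.history.get(subject, {})
        # Allowed if no company in this conflict class has been touched yet,
        # or the one already touched is this same company group.
        return seen.get(conflict, group) == group

    def access(self, subject, obj):
        """Record the access if permitted; return True on success."""
        if not self.may_access(subject, obj):
            return False
        group, conflict = self.objects[obj]
        self.history.setdefault(subject, {})[conflict] = group
        return True


def demo():
    """Alice reads BankA, so BankB is walled off while OilX stays open."""
    w = ChineseWall(OBJECTS)
    return [
        w.access("alice", "bankA-ledger"),
        w.access("alice", "bankB-ledger"),
        w.access("alice", "oilX-report"),
        w.access("alice", "oilY-report"),
        w.access("bob", "bankB-ledger"),
    ]
```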
Models of Security
Mechanism to enforce policy
Lattice – Visualization of relationships
Bell-La Padula
Biba Integrity model
Bell-La Padula Model
Military Policy based
Secures the flow of information
Properties:
Simple Security Property: Subject s can read object o only if C(o) ≤ C(s)
*-Property: Subject with read access to object o may write to object p if C(o) ≤ C(p)
Read down / Write up
Bell-La Padula Read-Down (figure: Subject (s) and Object (o) columns, each with the levels Top Secret, Secret, Unclassified; reads flow downward)
Bell-La Padula Write-Up (figure: Object (o) is read and Object (p) is written, over the levels Top Secret, Secret, Unclassified; writes flow upward)
Bell-La Padula Lattice Example
TS {A, B}
TS {A} TS {B}
S {A, B}
S {A} S {B}
U {}
Biba Model
Dual of Bell-La Padula model
Focus is on integrity (trustworthiness)
Properties:
Simple Integrity Property: Subject s can modify object o only if I(s) ≥ I(o)
*-Property: If subject s has read access to object o with integrity level I(o), s can write to object p only if I(o) ≥ I(p)
Read up / Write down
Biba Read-Up (figure: Subject (s) and Object (o) columns, each with the levels High Integrity, Medium Integrity, Low Integrity; reads flow upward)
Biba Write-Down (figure: Object (o) is read and Object (p) is written, over the levels High Integrity, Medium Integrity, Low Integrity; writes flow downward)
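The military read rule (rank plus need-to-know over compartments), the Bell-La Padula lattice example and the Biba properties all reduce to one lattice dominance test; the following is an added example, not code from the slides. The level orderings and the Label type are constructed here.

```python
from dataclasses import dataclass

# Constructed orderings; the slides use TS/S/U for confidentiality and
# High/Medium/Low for integrity. Compartments carry the need-to-know part.
RANK = {"U": 0, "S": 1, "TS": 2}
INTEGRITY = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()


def dominates(a, b, order):
    """Lattice order: a >= b iff a's level is at least b's and a holds
    every compartment of b (the military read rule from the slides)."""
    return order[a.level] >= order[b.level] and a.compartments >= b.compartments


# Bell-La Padula: read requires C(o) <= C(s); write to p after reading o
# requires C(o) <= C(p). Information may only flow upward in confidentiality.
def blp_can_read(subject, obj):
    return dominates(subject, obj, RANK)


def blp_can_write(obj_read, target):
    return dominates(target, obj_read, RANK)


# Biba: modify requires I(s) >= I(o); write to p after reading o requires
# I(o) >= I(p). Information may only flow downward in integrity.
def biba_can_modify(subject, obj):
    return dominates(subject, obj, INTEGRITY)


def biba_can_write(obj_read, target):
    return dominates(obj_read, target, INTEGRITY)


def lattice_demo():
    """Walk the slides' TS/S/U x {A,B} lattice for a Secret {A} subject."""
    s_a = Label("S", frozenset({"A"}))
    return {
        "read S{A}": blp_can_read(s_a, Label("S", frozenset({"A"}))),
        "read S{B}": blp_can_read(s_a, Label("S", frozenset({"B"}))),  # no need-to-know for B
        "read U{}": blp_can_read(s_a, Label("U")),
        "read TS{A,B}": blp_can_read(s_a, Label("TS", frozenset({"A", "B"}))),
        "write TS{A,B} after S{A}": blp_can_write(s_a, Label("TS", frozenset({"A", "B"}))),
        "write U{} after S{A}": blp_can_write(s_a, Label("U")),
    }
```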
Design Elements
Least Privilege
Economy of Mechanism
Open Design
Complete Mediation
Permission-Based
Separation of Privilege
Least Common Mechanism
Ease of Use
Security Features
User Identification and Authentication
Complete Mediation
Discretionary Access Control
Mandatory Access Control
Object Reuse Protection
Audit
Audit Reduction
Trusted Path
Intrusion Detection
Trusted Computer Base (TCB) (figure: nested layers, innermost to outermost: Reference Model, Security Kernel, Trusted Computer Base)
Assurance Methods
Testing
Pentesting
Formal Verification
Validation
Orange Book Evaluation
D - Minimal Protection
C1 - Discretionary Security Protection
C2 - Controlled Access Protection
B1 - Labeled Security Protection
B2 - Structured Protection
B3 - Security Domains
A1 - Verified Design
Discretionary Security Protection (C1)
User Authentication
Object Access Control
Discretionary Access Control
Memory Protection
Penetration Testing
Controlled Access Protection (C2)
Single User Access Control
Object Reuse
Audit Logs
Labeled Security Protection (B1)
Mandatory Access Control Policy: Hierarchical and Nonhierarchical
Labeled Objects
Need to Know Access
Structured Protection (B2)
Test and review of design
Principle of Least Privilege
Trusted Paths
Covert Channel Analysis
Security Domains (B3)
Extensive Testing
Full Access Control
Active Audits and Alerts
Resistant to Penetration
Verified Design (A1)
Formally Verifiable Design
Formal Top-Down Spec.
Informal demonstration that spec. is consistent with design
Formal Analysis of Covert Channels
Orange Book Weaknesses
All or Nothing for Level Certification
Local software can invalidate
OS Patches can invalidate
Mandatory Access Control can be difficult to set up
Viruses not taken into consideration
Common Criteria
Class-family-component based
International system
Common Criteria Classes
Functionality:
Identification and Authentication
Trusted Path
Security Audit
Invocation of Security Functions
User Data Protection
Resource Utilization
Protection of the Trusted Security Functions
Privacy
Communication
Assurance:
Development
Testing
Vulnerability Assessment
Configuration Management
Life-cycle Support
Guidance Documents
Delivery and Operation
Common Criteria (figure: hierarchy of Class, Family and Component; components are grouped into Packages, and components and packages are combined into a Protection Profile and a Security Target)