Domain 9 Security Architecture and Design

Transcription

1 Domain 9 Security Architecture and Design Common Architecture Frameworks An architecture framework is a structure that can be used to develop a broad range of architectures, which typically provides a method for designing a target state as an integrated set of systems of system components a set of tools to ease architecture development a common vocabulary a set of recommended standards and operational practices information on compliant vendor products, modules, or components that can be used as design elements Strategic alignment means the business drivers and the regulatory and legal requirements are being met by the security architecture Business enablement means the core business processes are integrated into the security operating model they are standards- based and follow risk tolerance- based criteria Security effectiveness deals with metrics, meeting service level agreement (SLA) requirements, return on investment (ROI), meeting set baselines, and providing management with a dashboard or balanced scorecard system Other keywords: process enhancement, process reengineering The Zachman Framework for Enterprise Architecture Not security- specific Two- dimensional model that uses communication interrogatives intersecting with different levels Uses 6 perspectives to describe a holistic information infrastructure

2 What How Where Who When Why Scope context boundary (Planner) Business model concepts (Owner) System model logic (Designer) Technology model physics (Builder) Component configuration (Implementer) Functioning enterprise instances (Worker) SABSA The Sherwood Applied Business Security Architecutre is based on the Zachman framework The process analyses the business requirements at the outset, and creates a chain of traceability through the strategy and concept, design, Figure 1 The SABSA Model

3 implementation, and ongoing manage and measure phases of the lifecycle to ensure that the business mandate is preserved. TOGAF The Open Group s Open Group Architecture Framework was inspired by earlier frameworks from the US DoD ITIL The IT Infrastructure Library, developed by Britain s Central Computer and Telecommunication Agency, is the de facto standard of best practices for IT service management (IT governance) Service portfolio Service strategy Service catalogue Service design Service transition Service operations Continual service improvement Figure 2 ITIL version 3 in a nutshell Note: [HBH03] does not cover ITIL at all Security Models Basic Security Theorem: If a system initializes in a secure state and all allowed state transitions are secure, then every subsequent state will be secure Informal classification of security models [Har10]: State Machine Models Upon its initial start- up, the system checks to determine if it is in a secure state

4 Once the system is determined to be in a secure state, the state machine model will ensure that every time the system is accessed, it will be accessed only in accordance with the security policy rules This process will guarantee that the system will transition only from one secure state to another secure state (Multilevel) Lattice Models [HBH03] Lattice = a structure consisting of a finite partially ordered set together with least upper and greatest lower bound operators on the set An access class consists of a level and a category set, e.g., Top Secret {Iraq, Korea} Partial ordering relationships between access classes A and B: A > B, i.e. A s level B s, and A s category set B s category set A < B A = B, i.e. A > B and A < B None of the above is true System high contain the highest security level and all possible categories, hence dominates all other access classes System low contains no security level or category, hence is dominated by all other access classes Matrix- Based Models Access control matrix: subjects as rows, resources and functions as columns Can specify access in terms of capabilities (e.g., read, write, execute, etc.) Does not describe the relationship between subjects Noninterference Models

5 Any action that takes place at a higher security level does not affect, or interfere with, actions that take place at a lower level Minimizes leakages through covert channels Not concerned with the flow of data, but rather with what a subject knows about the system state Information Flow Models Focus on how information is allowed or not allowed between individual objects Bell- LaPadula Model Key properties: Simple security property: no read up *- property: no write down ds- property: (discretionary security) use of an access matrix to specify discretionary access control Strong *- property: alternative to *- property, where a subject with both read and write capabilities can only perform those functions at the same security level Tranquility principle: subjects and objects cannot change security levels once they have been instantiated Limitations: Only addresses confidentiality Does not address covert channels comprehensively Application limited to systems where security levels are static Biba Model Key properties: Simple integrity axiom: no read down *- integrity axiom: no write up Invocation property: A subject cannot invoke another subject at a higher integrity level Limitations [KAT00]:

6 Developed from a mathematical analysis of security models, so does not model any practical system, unlike Bell- LaPadula which was developed for military security systems Lipner Model Combines elements of Bell LaPadula and Biba with the idea of roles in a novel way to protect both confidentiality and integrity The first to separate objects into data and programs No known implementation of the Lipner model Clark- Wilson Model Key concepts [Fis01]: Well- formed transactions: a user should only manipulate data in constrained ways that preserve or ensure the internal consistency of data Separation of duties: all operations are separated into several subparts and each subpart should be executed by a different person Model elements: Constrained Data Item (CDI): data item within the system to which the policy must be applied Unconstrained Data Item (UDI): data item not covered by the policy (note: new data are put into the system as UDIs but may subsequently be transformed into CDIs) Integrity Verification Procedure (IVP): procedure for verifying that all CDIs in the system conform to the integrity specification at the time the IVPs are executed IVPs check that a system starts in a valid state, and periodically cross- check internal data with the external reality it represents Transformation Procedure (TP): procedure for transforming CDIs from one valid state to another

7 Access triple: A triple (UserID, TPi, (CDIa, CDIb,...)) that relates a user, a TP, and the data items that the TP may reference on the user s behalf Certification (by security officer, system owner, and system custodian) rules: C1: IVPs must ensure that all CDIs are in a valid state at the time the IVPs are run C2: All TPs must be certified to be valid. The security officer must specify for each TPi a relation (TPi, (CDIa, CDIb,...)), where (CDIa, CDIb,...) defines the set of arguments for which the TP is certified C3: Access triples must be certified to satisfy the separation of duty requirement C4: All TPs must be certified to write to the log (an append- only CDI) all information necessary for the operations to be reconstructed C5: Any TP that takes a UDI as an input value must be certified to perform only valid transformations (that convert a UDI to a CDI), or else no transformations, for any possible value of the UDI Transformation (by system) rules E1: The system must maintain the list of relations specified in rule C2, and must ensure that the only manipulation of any CDI is by a TP, where the TP is operating on the CDI as specified in some relation E2: The system must maintain a list of access triples, and ensure that only executions defined in any of the access triples are performed E3: The system must authenticate the identity of each user attempting to execute a TP E4: A user should not be able to modify the list of programs permitted to manipulate a particular data item, or to modify the list of users permitted to execute a given program Limitations [Fis01, KAT00]:

8 IVPs are difficult to implement in real- world IT systems Does not specify any way to certify TPs Brewer and Nash Model (Chinese Wall Model) Sanitized information is public information relating to all corporations Subject S can read object O if O is in the same company dataset already accessed by that subject, or O belongs to a different conflict of interest class (see Figure 3) Set of all objects Conflict of Interest Class A (e.g., banks) Conflict of Interest Class B (e.g., oil companies) Company dataset x Company dataset y Figure 3 Composition of company information objects in the Chinese Wall policy Subject S can write object O if S can read O by the read rule, and S cannot read any object that belongs to a company dataset different from the one for which write access is requested, and that contains unsanitized information This confines unsanitized information to its own company dataset, but allows sanitized information to flow freely throughout the system Advantages: Object y 1 Object y 2

9 Addresses confidentiality, and can be used to enforce the integrity principle of separation of duty Allows access permissions to change dynamically (so this model cannot be represented by the Bell- LaPadula Model) Limitations: Does not distinguish between human users and computer subjects too restrictive for practical systems [San92] Graham- Denning Model The first Discretionary Access Control model [Li05] The protection state of the system is represented as an access matrix A, with subjects identifying the row and objects the columns The entry A[S, O] contains access attributes specifying the access privileges held by subject S to object O Associated with each type of object is a monitor, through which all access to that type of objects must pass to be validated Rules to be implemented by the access matrix monitor [GD71]: R1: transfer access right R2: grant access right R3: delete access right R4: read access right R5: create object R6: destroy object R7: create subject R8: destroy subject Harrison- Ruzzo- Ullman Model This variation of the Graham- Denning model is designed to prove a point [HRU76, Fis01]: Commands model changes to the states of a system

10 A command takes the form command name (O 1,, O k) if r 1 in A[S 1,O 1] and r m in A[S m,o m] then op 1 op n end if A primitive operation op is one of enter r into A[S, O] delete r from A[S, O] create subject create object destroy subject destroy object The general safety problem for such a protection system is undecidable If a command is restricted to a single operation each, the safety problem is decidable, but this is impractical Security Modes of a Mandatory Access Control System To access any data in any security mode, a user must have signed an NDA, have clearance, formal access approval and a need to know for that data. Dedicated Security Mode: Supports single data classification. To access the system, a user must have clearance, formal access approval, and a need to know for all data on the system. System High- security Mode: Supports single data classification. To access the system, a user must have clearance, formal access approval, but not necessarily a need to know for all data on the system.

11 Compartmented Security Mode: Supports multiple data classifications. To access the system, a user must have clearance, but not necessarily formal access approval or a need to know for all data on the system. Multilevel Security Mode: Supports multiple data classifications. To access the system, a user does not necessarily need to have clearance, formal access approval or a need to know for all data on the system. Evaluation Criteria TCSEC (Trusted Computer System Evaluation Criteria) Aka Orange Book, superseded by Common Criteria The features of a class are a subset of the next higher class The documentation requirements of each class are omitted Class D: Minimal protection Class C1: Discretionary Security Protection Discretionary Access Control (DAC) controls access between named users and named objects Authenticates users (e.g., by passwords) and protects authentication data from unauthorized users TCB protects its own execution domain from tampering Periodically validates correct operation of hardware and software Class C2: Controlled Access Protection Fine- grained DAC (single- user granularity) Secures object reuse by clearing information contained with an object before allocating or reallocating it to any subject Enforces individual accountability by uniquely identifying each user and recording audit trails

12 Creates, maintains, and protects audit trails from tampering (audit trails must comply with a series of detailed requirements) Most general- purpose systems are rated at C2, e.g., Windows NT 4.0 Class B1: Labeled Security Based on an informally defined security policy model Enforces Mandatory Access Control (MAC) over all named subjects and objects under TCB s control Securely imports or exports labels of data under TCB s control Securely labels human- readable output Class B2: Structured Protection Based on a formally defined security policy model Extends DAC and MAC to all subjects and objects in the system (not only the TCB) Securely imports or exports data labels Supports a trusted communication path between users and itself for login and authentication Makes effective use of hardware to separate protection- critical and non- protection- critical elements Developer should conduct a thorough search for covert storage channels and determine the max bandwidth of each identified channel Supports separate operator and administrator functions Configuration management system controls changes to specification, source code, etc.; and ensures new version contains only intended changes Relatively resistant to penetration Class B3: Security Domains Implements reference monitor and be tamper- resistant Structure to exclude code not essential to security policy enforcement System engineering directed toward complexity minimization

13 Monitors for accumulation of security auditable events and notifies the security administrator when thresholds are exceeded Developer should conduct a thorough search for covert channels (both timing and storage) and determine the max bandwidth of each identified channel Ensures security administrator to perform functions after only taking a distinct auditable action Post- failure trusted recovery (no protection compromise) Highly resistant to penetration Class A1: Verified Design Functionality identical to B3 but more formal design and verification Common Criteria Protection profile: defines the environmental assumptions, the objectives, the functional and assurance level expectations Target of evaluation: Product proposed to provide a needed security solution Security target: Vendor s written explanation of security functionality and assurance mechanisms that meet the needed security solution ( This is what our product does and how it does it ) Product to be configured according to vendor s documentation to achieve rated security level EAL1: Functionally tested EAL2: Structurally tested EAL3: Methodically tested and checked EAL4: Methodically designed, tested and reviewed EAL5: Semiformally designed and tested EAL6: Semiformally verified, designed and tested EAL7: Formally verified, designed and tested

14 Note: wording semiformally verified design and tested and formally verified design and test in the original document suspected to be typo Computing Systems Types of read- only memory PROM can be programmed only once EPROM can erased using UV light EEPROM can be erased electrically one byte at a time Flash memory can be erased electrically one block at a time Operating System Multiprogramming: More than one program at a time Multitasking: More than one process at a time Multithreading: More than one thread per process at a time Multiprocessing: More than one CPU in the system Memory manager The memory manager has the following responsibilities: Physical organization Segment the physical memory space for application and operating system processes Relocation Swap contents from RAM to the hard drive as needed Provide pointers for applications if their instructions and memory segment have been relocated Protection Limit process to interact only with memory segment assigned to them Provide access control (read, write, execute) to memory segments Sharing

15 Use complex controls to ensure integrity and confidentiality when processes need to use the same shared memory segments Allow many users with different access rights to interact with the same application running in one memory segment Allow for the sharing of specific software modules, such as dynamic link library (DLL) procedures ([Har10] classifies this as logical organization) Input/Output Interrupted- driven I/O Programmed I/O (not Programmable I/O as in [Har10]) Synchronous because the processor is in direct control of every word of data transferred to or from the I/O device Unmapped I/O A DMA scheme where the software specifies physical addresses in memory The software trusts the I/O device that accesses the memory directly Premapped I/O (aka Virtual I/O) Unlike the unmapped case, the software specifies virtual addresses The processor checks whether the I/O device has the appropriate access permissions to the locations If yes, the processor translates the virtual addresses into physical addresses, before passing the physical addresses to the I/O device Fully mapped I/O More secure than premapped I/O The I/O device gets only virtual addresses Dedicated hardware translates virtual addresses to physical addresses on each memory reference made by the I/O device

16 Capability Maturity Model (CMM) The CMM describes procedures, principles, and practices that underlie software development process maturity It was developed to help software vendors improve their development process Five levels: Initial: Development process is ad hoc or even chaotic Repeatable: A formal management structure, change control and quality assurance are in place, but formal process models are not defined Defined: Formal procedures are in place that allow for quantitative process improvement Managed: Formal processes are in place to collect and analyze qualitative data, and metrics are defined and fed into the process- improvement program, to adjust and adapt the process to particular projects without measurable losses of quality or deviations from specifications Optimizing: The company has budgets and integrated plans for continuous process improvement References [Fis01] S. Fischer- Hubner, IT- Security and Privacy: Design and Use of Privacy- Enhancing Security Mechanisms, Springer- Verlag Berlin Heidelberg, [GD71] G. S. Graham and P. J. Denning, Protection: principles and practice, in Proceedings of the spring joint computer conference (AFIPS '72 (Spring)), pp , ACM, [HBH03] S. Hansche, J. Berti, and C. Hare, Official (ISC)2 Guide to the CISSP Exam, Auerbach Publications, [Har10] S. Harris, CISSP All- in- One Exam Guide, Fifth Edition, McGraw- Hill Osborne Media, 2010.

17 [HRU76] Michael A. Harrison, Walter L. Ruzzo, and Jeffrey D. Ullman, Protection in operating systems, Commun. ACM 19, 8 (August 1976), pp , [KAT00] Paul A. Karger, Vernon R. Austel, and David C. Toll, A New Mandatory Security Policy Combining Secrecy and Integrity, IBM Research Report RC (97406), [Li05] N. Li and M. V. Tripunitara, On safety in discretionary access control, IEEE Symposium on Security and Privacy, pp , 8-11 May 2005, doi: /SP [San92] R. S. Sandhu, Lattice- based enforcement of Chinese Walls, Computers & Security, Volume 11, Issue 8, December 1992, Pages , ISSN , DOI: / (92) A. [Tip09] H. F. Tipton, Official (ISC)2 Guide to the CISSP CBK, Second Edition, Auerbach Publications, 2009.