security models and architecture cissp exam preparation bernie eydt
Security Models and Architecture – CISSP Exam Preparation
Bernie Eydt
Overview
• Basic concepts
• The Models
– Bell-LaPadula (BLP)
– Biba
– Clark-Wilson
– Chinese Wall
• Systems Evaluation
Basic Concepts
Terminology
• Trusted Computing Base (TCB) – combination of protection mechanisms within a computer system
• Subjects / Objects
– Subjects are active (e.g., users / programs)
– Objects are passive (e.g., files)
• Reference Monitor – abstract machine that mediates subject access to objects
• Security Kernel – core element of TCB that enforces the reference monitor’s security policy
Types of Access Control
• Discretionary Access Control (DAC) – data owners can create and modify matrix of subject / object relationships (e.g., ACLs)
• Mandatory Access Control (MAC) – “insecure” transactions prohibited regardless of DAC
• Cannot enforce MAC rules with DAC security kernel
– Someone with read access to a file can copy it and build a new “insecure” DAC matrix because he will be an owner of the new file.
Information Flow Models
• Pour cement over a PC and you have a secure system
• In reality, there are state transitions
• Key is to ensure transitions are secure
• Models provide rules for how information flows from state to state.
• Information flow models do not address covert channels
– Trojan horses
– Requesting system resources to learn about other users
Access Control Models
Models
• Bell-LaPadula
• Biba
• Clark-Wilson
• Chinese Wall
Good brief summary on Harris p.247
Bell-LaPadula (BLP) Model
• BLP is formal (mathematical) description of mandatory access control
• Three properties:
– ds-property (discretionary security)
– ss-property (simple security – no “read down”)
– *-property (star property – no “write down”)
• A secure system satisfies all of these properties
• BLP includes mathematical proof that if a system is secure and a transition satisfies all of the properties, then the system will remain secure.
Bell-LaPadula Model (Continued)
• The Honeywell Multics kernel was the only true implementation of BLP, but it never took hold
• DOD information security requirements currently achieved via discretionary access control and segregation of systems rather than BLP-compliant computers
Biba Model
• Similar to BLP but focus is on integrity, not confidentiality
• Result is to turn the BLP model upside down
– High integrity subjects cannot read lower integrity objects (no “read down”)
– Subjects cannot move low integrity data to high-integrity environment (no “write up”)
• McLean notes that ability to flip models essentially renders their assurance properties useless
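The BLP and Biba slides above describe both models as lattice checks on labels; the following is an added example (not from the deck) that implements both reference-monitor decisions over a constructed clearance lattice of levels plus compartments, and shows that each Biba rule is the BLP rule for the opposite operation:

```python
from dataclasses import dataclass
from typing import FrozenSet

# Constructed lattice: a linear sensitivity order plus need-to-know compartments.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when a's level is at least b's and a holds every compartment of b."""
    return LEVELS[a.level] >= LEVELS[b.level] and b.compartments <= a.compartments


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality) decision for one state transition.
    read:  ss-property - the subject's clearance must dominate the object's label.
    write: *-property  - the object's label must dominate the subject's clearance
           (no "write down"), so information only flows to equal or higher labels.
    """
    if op == "read":
        return dominates(subject, obj)
    if op == "write":
        return dominates(obj, subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): the same lattice with the direction of trust inverted.
    read:  only objects of at least the subject's integrity (no "read down").
    write: only objects of at most the subject's integrity (no "write up").
    Each Biba rule is the BLP rule for the opposite operation, which is the
    "flip" the McLean comment on the slide refers to.
    """
    if op == "read":
        return dominates(obj, subject)
    if op == "write":
        return dominates(subject, obj)
    raise ValueError(f"unknown operation {op!r}")
```

Run the same subject/object pair through both functions to see the confidentiality and integrity verdicts diverge on every operation.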
Clark-Wilson Model
• Reviews distinction between military and commercial policy
– Military policy focuses on confidentiality
– Commercial policy focuses on integrity
• Mandatory commercial controls typically involve who gets to do what type of transaction rather than who sees what (Example: cut a check above a certain dollar amount)
Clark-Wilson Model (Continued)
• Two types of objects:
– Constrained Data Items (CDIs)
– Unconstrained Data Items (UDIs)
• Two types of transactions on CDIs in model
– Integrity Verification Procedures (IVPs)
– Transformation Procedures (TPs)
• IVPs certify that TPs on CDIs result in valid state
• All TPs must be certified to result in valid transformation
Clark-Wilson Model (Continued)
• System maintains list of valid relations of the form: {UserID, TP, CDI/UDI}
• Only permitted manipulation of CDI is via an authorized TP
• If a TP takes a UDI as an input, then it must result in a proper CDI or the TP will be rejected
• Additional requirements
– Auditing: TPs must write to an append-only CDI (log)
– Separation of duties
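The relation list, certified-TP and UDI rules on the last two slides can be run as a small monitor. This is an added example, not code from the deck: it assumes a constructed setting where CDIs are account balances, UDIs are raw user-typed strings, and the IVP checks that every balance is a non-negative integer.

```python
from typing import Callable, Dict, List, Set, Tuple

CDIs = Dict[str, int]   # constrained data items: account name -> balance


class ClarkWilsonMonitor:
    """Enforces the slide's rules: CDIs change only via a certified TP, the
    (UserID, TP, CDI) triple must be an authorized relation, a TP fed a UDI
    must leave a valid CDI or be rejected, and every run is appended to a log."""

    def __init__(self, ivp: Callable[[CDIs], bool]):
        self.cdis: CDIs = {}
        self.ivp = ivp                                       # integrity verification procedure
        self.certified: Dict[str, Callable[[CDIs, str, str], None]] = {}
        self.relations: Set[Tuple[str, str, str]] = set()    # {UserID, TP, CDI}
        self.log: List[Tuple[str, str, str, str]] = []       # append-only audit CDI

    def certify_tp(self, name: str, tp: Callable[[CDIs, str, str], None]) -> None:
        self.certified[name] = tp

    def allow(self, user: str, tp: str, cdi: str) -> None:
        self.relations.add((user, tp, cdi))

    def run(self, user: str, tp: str, cdi: str, udi: str) -> str:
        if tp not in self.certified:
            return "rejected: uncertified TP"
        if (user, tp, cdi) not in self.relations:
            return "rejected: no (user, TP, CDI) relation"
        before = dict(self.cdis)
        try:
            self.certified[tp](self.cdis, cdi, udi)
            valid = self.ivp(self.cdis)
        except (ValueError, KeyError):        # malformed UDI or unknown CDI
            valid = False
        if not valid:                         # UDI did not become a proper CDI: roll back
            self.cdis = before
            return "rejected: IVP failed"
        self.log.append((user, tp, cdi, udi))  # only ever appended, never rewritten
        return "ok"


def balances_valid(cdis: CDIs) -> bool:
    """Constructed IVP: every balance is a non-negative integer."""
    return all(isinstance(v, int) and v >= 0 for v in cdis.values())


def withdraw(cdis: CDIs, cdi: str, udi: str) -> None:
    """Constructed certified TP: the amount arrives as an untrusted string (UDI)."""
    cdis[cdi] -= int(udi)
```

An overdraft or a non-numeric amount is rolled back and never logged, while a user or TP missing from the relation list never reaches the data at all.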
Clark-Wilson versus Biba
• In Biba’s model, UDI to CDI conversion is performed by trusted subject only (e.g., a security officer), but this is problematic for data entry function.
• In Clark-Wilson, TPs are specified for particular users and functions. Biba’s model does not offer this level of granularity.
Chinese Wall
Focus is on conflicts of interest.
• Principle: Users should not access the confidential information of both a client organization and one or more of its competitors.
• How it works
– Users have no “wall” initially.
– Once any given file is accessed, files with competitor information become inaccessible.
– Unlike other models, access control rules change with user behavior
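The "how it works" list above is a history-based rule: the same request can be allowed before a read and denied after it. The following added example (not from the deck) implements that monitor over constructed conflict-of-interest classes, where every company dataset belongs to one class whose members are competitors:

```python
from collections import defaultdict
from typing import Dict, Set

# Constructed conflict-of-interest classes; members of a class compete with each other.
COI_CLASSES: Dict[str, Set[str]] = {
    "banks": {"Bank A", "Bank B"},
    "oil":   {"Oil X", "Oil Y"},
}


class ChineseWall:
    """History-based monitor: each user's wall is built from what they already read."""

    def __init__(self, coi_classes: Dict[str, Set[str]]):
        self.class_of = {co: cls for cls, cos in coi_classes.items() for co in cos}
        self.history: Dict[str, Set[str]] = defaultdict(set)   # user -> datasets read

    def can_read(self, user: str, company: str) -> bool:
        """Allowed unless the user already read a different company in the same class."""
        cls = self.class_of[company]
        return not any(seen != company and self.class_of[seen] == cls
                       for seen in self.history[user])

    def read(self, user: str, company: str) -> bool:
        """Mediates the access and, if allowed, records it so the rule set changes."""
        if not self.can_read(user, company):
            return False
        self.history[user].add(company)
        return True

    def wall(self, user: str) -> Set[str]:
        """Datasets currently behind the wall for this user."""
        return {co for co in self.class_of if not self.can_read(user, co)}
```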
Systems Evaluation
Trusted Computer System Evaluation Criteria (TCSEC)
• Criteria published in the Orange Book
• Officially replaced by Common Criteria
• Four Levels
– A: Verified protection (A1 Verified design)
– B: Mandatory protection (B1 Labeled Security, B2 Structured Protection, B3 Security Domains)
– C: Discretionary protection (C1 Discretionary security, C2 Controlled access)
– D Minimal security
Information Technology Security Evaluation Criteria (ITSEC)
• Used primarily in Europe
• Target of Evaluation (TOE) is either product or system
• Two ratings
– Functionality rating (F1 to F10)
– Assurance Rating (E0 to E6)
• Rough mapping exists between TCSEC and ITSEC (see Harris p.260)
Common Criteria
• ISO standard evaluation criteria that combine several different criteria, including TCSEC and ITSEC
• Participating governments recognize Common Criteria certifications awarded in other nations
• Seven Evaluation Assurance Levels (EAL 1-7)
• Utilizes protection profiles (see Harris p.262)
Common Criteria – Evaluation Assurance Levels: Overview
• Define a scale for measuring the criteria for the evaluation of PPs (Protection Profiles) and STs (Security Targets)
• Constructed using components from the assurance families
• Organization
– Seven hierarchically ordered EALs in a uniformly increasing scale of assurance
CC EALs – Reference

| Level | Short Title                                | US TCSEC |
| ----- | ------------------------------------------ | -------- |
| EAL 7 | Formally verified design and tested        | A1       |
| EAL 6 | Semi-formally verified design and tested   | B3       |
| EAL 5 | Semi-formally designed and tested          | B2       |
| EAL 4 | Methodically designed, tested and reviewed | B1       |
| EAL 3 | Methodically tested and checked            | C2       |
| EAL 2 | Structurally tested                        | C1       |
| EAL 1 | Functionally tested                        |          |

(Higher assurance at the top of the table, lower assurance at the bottom.)
CC EALs – Summary 1-3
• EAL 1 - Functionally tested
– “Applicable where some confidence in correct operation is required, but the threats to security are not viewed as serious”
• EAL 2 - Structurally tested
– “Applicable where developers or users require a low to moderate level of independently assured security”
• EAL 3 - Methodically tested and checked
– “Applicable where the requirement is for a moderate level of independently assured security”
CC EALs – Summary 4-5
• EAL 4 - Methodically designed, tested and reviewed
– “Applicable where developers or users require a moderate to high level of independently assured security”
• EAL 5 - Semi-formally designed and tested
– “Applicable where the requirement is for a high level of independently assured security”
CC EALs – Summary 6-7
• EAL 6 - Semi-formally verified design and tested
– “Applicable to the development of specialised TOEs (Targets of Evaluation), for high risk situations”
• EAL 7 - Formally verified design and tested
– “Applicable to the development of security TOEs for application in extremely high risk situations”
CC EALs – Web References
• Common Criteria.org Web Site
– Main page
• http://www.commoncriteria.org/index.html
– Formal specification document
• http://www.commoncriteria.org/cc/cc.html
– Introductory overviews
• http://www.commoncriteria.org/introductory_overviews/index.html