Security Architecture
Domain #5
Hardware Components
CPU
Fetches, decodes and executes instructions; the ALU performs the arithmetic and logic
Primary Storage
Memory the CPU addresses directly (RAM)
Control Unit
Coordinates the CPU's activities during instruction execution (fetch, decode, execute)
Does not process data itself
Memory Types
Primary Memory (RAM/ROM/EPROM/EEPROM)
Real Memory
Physical memory actually installed and available to the OS and users
Cache Memory
Small, fast buffers used to increase performance
Holds data and instructions that are accessed often
Virtual Memory
Combination of real memory and secondary storage (swap or page file), giving each process its own address space larger than physical RAM
Memory Management
Protection Rings
Organize code and components in an operating system into concentric rings; the lower the ring number, the higher the privilege
Classic model uses 4 rings (x86 provides four); most modern OSs actually use only ring 0 and ring 3
Ring 0 highest privilege, kernel
Ring 1 remainder of the OS
Ring 2 drivers and utilities
Ring 3 applications and programs, user mode
Hardware Bus
Data Bus
Transfers instructions and data
Width (in bits) differs based on architecture
ISA 8/16
EISA 32
MCA 16/32
VLB 32
PCI 32/64
AGP 32
Threads
Advantages
Much quicker to create than a process
Much quicker to switch between threads than between processes
Share data more easily (same address space)
Used in browsers and windowing systems
Disadvantages
No security between threads: they share the process's memory, so one faulty or compromised thread can corrupt the others
With user-level (many-to-one) threading, if one thread blocks on a system call, all threads in the process are blocked
Process States
Stopped not running (terminated or suspended)
Waiting (blocked) waiting for an event such as I/O completion or an interrupt
Running being executed by the CPU
Ready runnable and waiting to be scheduled on a CPU
System Functionality
Multithreading
Several threads of one process executing at one time
Multitasking
Several processes sharing one CPU by time slicing
Multiprocessing
Multiple CPUs available, running processes in parallel
Security Modes
Dedicated Mode
Single state system
All users have clearance, formal approval and need-to-know for all information on the system
Compartmented Mode
All users have clearance for all information, but not all have formal approval or need-to-know for all of it
Multilevel Mode
Not all users have clearance or need-to-know for all information; the system must enforce separation between levels
System Protection
Reference Monitor
Access control concept, referred to as an abstract machine, that mediates all accesses of subjects to objects
Controls the relationship between subjects and objects
Must be always invoked (complete mediation), tamperproof, and small enough to be verified
Security Kernel
Hardware, firmware and software that enforce the reference monitor's rules
The concrete implementation of the reference monitor
Part of the TCB concerned with access control
Information Flow
Information must flow securely through the system; the following models constrain how it may flow
Bell Lapadula
Biba
Clark-Wilson
Take-Grant
Access Control Matrix
Noninterference
Bell LaPadula
Confidentiality Model
Information cannot flow to an object of lesser classification (no downward flow)
Mathematical state-machine model that uses set theory to define access rights
Maps a subject's clearance and an object's classification and creates a dominance relationship between them
Rules
Simple security property: no read up, a subject cannot read an object at a higher security level
Star (*) property: no write down, a subject cannot write to an object at a lower security level
Strong star property: a subject may read and write only at its own level (no read up, no read down, no write up, no write down)
Discretionary security property: access must also be permitted by an access control matrix
Biba
Integrity Model
No subject can depend on an object of lesser integrity
Based on a hierarchical lattice of integrity levels
Prevents modification of objects by unauthorized subjects (the first of the three integrity goals; improper modification by authorized users and consistency are addressed by Clark-Wilson, not Biba)
Rules of Biba
Simple integrity axiom: no read down, a subject cannot read an object at a lower integrity level
Star (*) integrity axiom: no write up, a subject cannot write to an object at a higher integrity level
Invocation property: a subject cannot invoke a subject at a higher integrity level
Disadvantages
Does not address confidentiality
Does not address access control management (who assigns integrity levels) nor provide a way to change levels
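The Bell-LaPadula and Biba rules above are easiest to see side by side in code. The following is an added example, not code from the original notes: it builds two small linear lattices (the confidentiality and integrity level names are constructed for illustration), implements the simple/star properties of each model as functions, and combines them in a reference-monitor style decision so that access is granted only when both models agree.

```python
from dataclasses import dataclass
from typing import List

# Two independent linear lattices (constructed for this example); list index is the dominance rank.
CONF_LEVELS: List[str] = ["Unclassified", "Confidential", "Secret", "Top Secret"]
INTEG_LEVELS: List[str] = ["Untrusted", "User", "System"]


def dominates(order: List[str], a: str, b: str) -> bool:
    """True if label a dominates (is at least as high as) label b in the given lattice.
    Unknown labels raise ValueError from index(), so an unlabelled entity fails closed."""
    return order.index(a) >= order.index(b)


@dataclass(frozen=True)
class Label:
    confidentiality: str  # BLP clearance (subject) or classification (object)
    integrity: str        # Biba integrity level


def blp_allows(subject: Label, obj: Label, op: str, strong_star: bool = False) -> bool:
    """Bell-LaPadula: simple security property (no read up) and *-property (no write down);
    with strong_star=True the subject may write only at exactly its own level."""
    s, o = subject.confidentiality, obj.confidentiality
    if op == "read":
        return dominates(CONF_LEVELS, s, o)          # subject clearance >= object classification
    if op == "write":
        return s == o if strong_star else dominates(CONF_LEVELS, o, s)  # object >= subject
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba: simple integrity axiom (no read down) and *-integrity axiom (no write up)."""
    s, o = subject.integrity, obj.integrity
    if op == "read":
        return dominates(INTEG_LEVELS, o, s)         # object integrity >= subject integrity
    if op == "write":
        return dominates(INTEG_LEVELS, s, o)         # subject integrity >= object integrity
    raise ValueError(f"unknown operation {op!r}")


def mediate(subject: Label, obj: Label, op: str, strong_star: bool = False) -> dict:
    """Reference-monitor style decision: access is granted only if both models allow it."""
    c = blp_allows(subject, obj, op, strong_star)
    i = biba_allows(subject, obj, op)
    return {"blp": c, "biba": i, "granted": c and i}


if __name__ == "__main__":
    analyst = Label("Secret", "User")
    for name, obj in [("ts_report", Label("Top Secret", "System")),
                      ("public_feed", Label("Unclassified", "Untrusted")),
                      ("peer_file", Label("Secret", "User"))]:
        for op in ("read", "write"):
            print(f"{name:12s} {op:5s} {mediate(analyst, obj, op)}")
```

Running the demo shows the practical tension between the two models: BLP lets the Secret/User analyst write up into the Top Secret report, but Biba refuses it (no write up); BLP lets the analyst read the public feed, but Biba refuses it (no read down). Only the peer file at the same level on both lattices is fully accessible, which is exactly the strong star behaviour when both models are enforced together.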
Clark - Wilson
Integrity Model
Model for commercial integrity; addresses all three integrity goals (unauthorized modification, improper modification by authorized users, internal and external consistency)
Requires well-formed transactions and separation of duties
Does not use a lattice approach; partitions objects into programs and data: constrained data items (CDIs) that must stay consistent, unconstrained data items (UDIs) that need not, transformation procedures (TPs) that are the only way to change CDIs, and integrity verification procedures (IVPs) that check CDIs are in a valid state
Access triple (subject, TP, CDI): a subject must go through a certified program to access and modify data
Separation of duties with auditing required
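The access-triple and well-formed-transaction mechanics above can be enforced by a small mediator. The following is an added example, not code from the original notes: it models account balances as CDIs, a fund transfer as a certified TP, an IVP whose invariant is "money is conserved and no balance is negative", certified (user, TP, CDI) triples, a separation-of-duties rule that the certifier of a TP may not execute it, and an audit log. The account names, users and amounts are constructed for illustration.

```python
from typing import Callable, Dict, List, Tuple


class AccessDenied(Exception):
    pass


class IntegrityViolation(Exception):
    pass


class ClarkWilson:
    """Mediates every change to CDIs: access triples, separation of duties, an IVP run
    after each TP (with rollback on failure), and an audit entry for every attempt."""

    def __init__(self, cdis: Dict[str, int]):
        self.cdis: Dict[str, int] = dict(cdis)
        self.total = sum(self.cdis.values())                 # invariant: funds are conserved
        self.tps: Dict[str, Tuple[str, Callable]] = {}       # TP name -> (certifier, function)
        self.triples: set = set()                            # certified (user, TP, CDI)
        self.audit: List[dict] = []

    def certify_tp(self, certifier: str, name: str, fn: Callable) -> None:
        self.tps[name] = (certifier, fn)

    def certify_triple(self, user: str, tp: str, cdi: str) -> None:
        self.triples.add((user, tp, cdi))

    def ivp(self) -> bool:
        """Integrity verification procedure: CDIs must be in a valid state."""
        return sum(self.cdis.values()) == self.total and all(v >= 0 for v in self.cdis.values())

    def execute(self, user: str, tp: str, *cdi_names: str, **params) -> Dict[str, int]:
        entry = {"user": user, "tp": tp, "cdis": cdi_names, "result": None}
        self.audit.append(entry)
        if tp not in self.tps:
            entry["result"] = "denied: uncertified TP"
            raise AccessDenied(entry["result"])
        certifier, fn = self.tps[tp]
        if user == certifier:  # separation of duties: the certifier may not run what they certified
            entry["result"] = "denied: separation of duties"
            raise AccessDenied(entry["result"])
        for cdi in cdi_names:
            if (user, tp, cdi) not in self.triples:
                entry["result"] = f"denied: no access triple for {cdi}"
                raise AccessDenied(entry["result"])
        snapshot = dict(self.cdis)
        fn(self.cdis, *cdi_names, **params)   # the CDI is changed only through the certified TP
        if not self.ivp():
            self.cdis = snapshot               # the transaction was not well formed: roll back
            entry["result"] = "rolled back: IVP failed"
            raise IntegrityViolation(entry["result"])
        entry["result"] = "ok"
        return dict(self.cdis)


def transfer(cdis: Dict[str, int], src: str, dst: str, amount: int) -> None:
    """A certified TP (constructed example): moves funds between two CDIs."""
    cdis[src] -= amount
    cdis[dst] += amount


def attempt(cw: ClarkWilson, user: str, tp: str, *cdis: str, **params) -> str:
    """Run a TP and return the audit outcome instead of raising."""
    try:
        cw.execute(user, tp, *cdis, **params)
    except (AccessDenied, IntegrityViolation):
        pass
    return cw.audit[-1]["result"]


def build_demo() -> ClarkWilson:
    cw = ClarkWilson({"acct_a": 100, "acct_b": 50})
    cw.certify_tp("security_officer", "transfer", transfer)   # certified by one role...
    for cdi in ("acct_a", "acct_b"):
        cw.certify_triple("teller", "transfer", cdi)           # ...executed by another
    return cw


if __name__ == "__main__":
    cw = build_demo()
    print(attempt(cw, "teller", "transfer", "acct_a", "acct_b", amount=30), cw.cdis)
    print(attempt(cw, "teller", "transfer", "acct_a", "acct_b", amount=500), cw.cdis)
    print(attempt(cw, "security_officer", "transfer", "acct_a", "acct_b", amount=1))
    print(attempt(cw, "auditor", "transfer", "acct_a", "acct_b", amount=1))
```

Note what the model does and does not give you: the mediator can only enforce the triples for code that goes through `execute`; in a real system the CDIs themselves (here a plain dictionary) must be reachable only through the TPs, which is why Clark-Wilson pairs these rules with the security kernel and with auditing.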
Non-Interference
Based on the theory that users are separated into different domains (security levels)
What a subject at a given level observes (its output stream) remains unchanged whether or not inputs from more dominant (higher) levels are present
A subject cannot be influenced by, or infer anything about, the behavior of other subjects at higher security levels
Lattice Based
Subjects and objects are assigned labels from a partially ordered set in which every pair of elements has a least upper bound and a greatest lower bound
Rules are set that dictate how information can flow from one class to another
Confidential can flow to Secret, but Secret cannot flow to Confidential
Access Control Matrix
Table with subjects as rows and objects as columns; each cell specifies the operations and rights that subject is allowed on that object
A column is the object's access control list (ACL); a row is the subject's capability list
Access Control Lists: in Windows, an object's DACL lists trustees and their permissions
Brewer - Nash
Also known as the Chinese Wall model
Mathematical model used to implement dynamically changing access permissions
Defines a wall and a set of rules that ensure no subject that has accessed data on one side of it can access objects on the other side
Once a subject reads one company's dataset, it is denied access to the datasets of competitors in the same conflict-of-interest class; the wall is placed by the subject's own access history
Enforces no-conflict-of-interest rules
Allows separation of competitors' data
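The dynamic nature of the Chinese Wall is best seen in code: the same request is allowed or denied depending on what the subject has already read. The following is an added example, not code from the original notes; the conflict-of-interest classes, company names and analysts are constructed for illustration, and it implements the model's read rule and its write rule (a subject may write to a dataset only if it has read no other company's data, so nothing can be carried across the wall).

```python
from collections import defaultdict
from typing import Dict, Iterable


class ChineseWall:
    """Brewer-Nash: each subject's read history decides its future access."""

    def __init__(self, coi_classes: Dict[str, Iterable[str]]):
        # coi_classes maps a conflict-of-interest class to the companies in it.
        self.coi_of: Dict[str, str] = {}
        for coi, companies in coi_classes.items():
            for company in companies:
                if company in self.coi_of:
                    raise ValueError(f"{company} listed in two COI classes")
                self.coi_of[company] = coi
        self.history = defaultdict(set)  # subject -> companies whose datasets it has accessed

    def can_read(self, subject: str, company: str) -> bool:
        """Simple security rule: allowed unless the subject has already accessed a
        different company's dataset in the same conflict-of-interest class."""
        coi = self.coi_of[company]               # unknown company raises: fail closed
        return not any(self.coi_of[seen] == coi and seen != company
                       for seen in self.history[subject])

    def read(self, subject: str, company: str) -> bool:
        if not self.can_read(subject, company):
            return False
        self.history[subject].add(company)       # the wall moves: this choice is now binding
        return True

    def can_write(self, subject: str, company: str) -> bool:
        """*-property: write only if the subject may read this dataset and has accessed no
        other company's (unsanitized) data, so nothing can be copied across the wall."""
        return self.can_read(subject, company) and all(
            seen == company for seen in self.history[subject])

    def write(self, subject: str, company: str) -> bool:
        if not self.can_write(subject, company):
            return False
        self.history[subject].add(company)
        return True


if __name__ == "__main__":
    wall = ChineseWall({"banks": {"BankA", "BankB"}, "oil": {"OilX", "OilY"}})
    print("alice reads BankA:", wall.read("alice", "BankA"))   # True
    print("alice reads BankB:", wall.read("alice", "BankB"))   # False, competitor of BankA
    print("alice reads OilX:", wall.read("alice", "OilX"))     # True, different COI class
    print("alice writes BankA:", wall.can_write("alice", "BankA"))  # False, has read OilX
```

The write rule is the part usually forgotten: without it, a consultant who has read BankA's data could copy it into OilX's dataset, where a colleague who is still free to read BankB would find it, defeating the wall.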
Take Grant
Mathematical framework, expressed as a directed graph, for granting and revoking access rights: subjects and objects are nodes, rights are labelled edges
Four rules: take (acquire a right that another node holds), grant (give one of your own rights to another node), create, remove
Analytical tool for determining whether a right can leak to a subject that should not have it
Rules for how users transfer their permissions to others
Requirements of TCSEC
Security Policy: an explicit, well-defined policy enforced by the system
Marking: labels associated with objects
Identification: individual identification of subjects
Accountability: audit data collected and protected
Assurance: each mechanism evaluated to show it enforces the policy
Continuous protection: mechanisms always protected against unauthorized changes
TCSEC Ratings
A1 Verified Protection
B3, B2, B1 Mandatory Protection
C2, C1 Discretionary Protection
D Minimal Security
Red Book: Trusted Network Interpretation (TNI), applies the TCSEC layers to networks
ITSEC
Advantages
More granular approach: rates functionality (F) and assurance (E0 to E6) separately
Goes beyond the Orange Book (addresses integrity and availability, not only confidentiality)
Disadvantages
Increased number of rating combinations
Still does not provide all the answers
Common Criteria
ISO/IEC 15408; replaces TCSEC and ITSEC with Protection Profiles, Security Targets and Evaluation Assurance Levels EAL1 to EAL7
Covert Channels
Timing Channels convey information by altering the performance of a system component in a predictable manner
Storage Channels convey information by writing data to a common storage area where another process can read it
Level B2 requires analysis of covert storage channels
Level B3 requires analysis of covert timing channels as well
Accreditation
Certification is the technical evaluation of a system's security mechanisms; accreditation is management's formal decision that the certified system satisfies their needs, accepting the residual risk
Other Threats
Back Doors
Maintenance Hooks: undocumented access left by developers for support, a form of back door
Asynchronous Attack: TOC/TOU (time-of-check to time-of-use)
Race Attacks: exploit the window between a check and the use of its result
Data Validation (Unicode attack): alternate encodings bypass input filters; canonicalize before validating
Buffer Overflow (use input controls: bounds checking on all input)
SYN Flood
Ping of Death
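The TOC/TOU race above is concrete enough to show in a few lines. The following is an added example, not code from the original notes: a vulnerable check-then-open routine beside a hardened one that opens first and validates the descriptor it actually holds, with a constructed scenario in a temporary directory where the target file is swapped for a symlink. The swap is performed between calls, standing in for an attacker who wins the race. It assumes a POSIX system (`os.O_NOFOLLOW`, `os.getuid`).

```python
import os
import stat
import tempfile


def read_if_accessible_racy(path: str) -> bytes:
    """Vulnerable check-then-use pattern. Between os.access() (time of check) and
    open() (time of use) an attacker who can write to the directory may replace
    `path` with a symlink, so the check proves nothing about what open() reads."""
    if not os.access(path, os.R_OK):               # time of check
        raise PermissionError(path)
    with open(path, "rb") as f:                    # time of use: path is resolved again
        return f.read()


def read_regular_file_safely(path: str) -> bytes:
    """Hardened: open first with O_NOFOLLOW (the kernel refuses a symlink), then
    validate the descriptor you hold with fstat(). There is no window, because
    every check runs on the opened file rather than on the path."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError(f"{path}: not a regular file")
        if st.st_uid != os.getuid():
            raise OSError(f"{path}: not owned by the current user")
    except Exception:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:                 # fdopen takes ownership of fd
        return f.read()


def run_demo() -> dict:
    """Constructed scenario: 'target.txt' is swapped for a symlink to 'secret.txt'
    between the check and the use. Returns what each routine read (or 'refused')."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        target = os.path.join(tmp, "target.txt")
        with open(secret, "wb") as f:
            f.write(b"top secret")
        with open(target, "wb") as f:
            f.write(b"harmless")
        results["racy_before_swap"] = read_if_accessible_racy(target)
        results["safe_before_swap"] = read_regular_file_safely(target)
        os.remove(target)
        os.symlink(secret, target)                 # the attacker's swap
        results["racy_after_swap"] = read_if_accessible_racy(target)
        try:
            results["safe_after_swap"] = read_regular_file_safely(target)
        except OSError:
            results["safe_after_swap"] = "refused"
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:18s} {v!r}")
```

The general rule this illustrates: a check on a name (`access`, `stat`, `exists`) can never be trusted for a later operation on the same name; perform the operation first and then check the object you obtained (`fstat` on the descriptor), or do both atomically in one system call.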
More Attacks
TCP Session Hijacking
Web Spoofing
DNS Poisoning