Security Architecture and Models - PowerPoint PPT Presentation

About This Presentation
Title:

Security Architecture and Models

Description:

It describes how the system is put together to satisfy the security requirement. ... instructions in the same pipeline stage as well as in different pipeline stages ... – PowerPoint PPT presentation

Slides: 40
Provided by: compHk
Transcript and Presenter's Notes

1
  • Chapter 3
  • Security Architecture and Models

2
Overview
  • Building an information system requires a balance
    among various requirements: capability,
    flexibility, performance, ease of use, cost, and
    security.
  • Security architecture: a view of an overall
    system architecture from a security perspective.
    It is fundamental to any information system.
  • It describes how the system is put together to
    satisfy the security requirement.
  • It describes at an abstract level the
    relationships between key elements of the
    hardware, operating systems, applications,
    network, etc., to protect the organization's
    interests.
  • It describes how the functions in the system
    development process follow the security
    requirements.
  • Security model: a statement that outlines the
    requirements necessary to properly support a
    security policy. It provides a deeper explanation
    of how a computer system should be developed to
    properly support a specific security policy.

3
Main Topics
  • Information protection environment
  • Computer organization architecture
  • Software
  • Distributed systems
  • Security models
  • Confidentiality models
  • Integrity models
  • Information flow models
  • Security Technology and Tools
  • Assurance, Trust, and Confidence Mechanisms

4
Computer organization architecture
  • Architecture is those attributes visible to the
    programmer
  • Instruction set, number of bits used for data
    representation, I/O mechanisms, addressing
    techniques.
  • e.g. Is there a multiply instruction?
  • Organization is how features are implemented
  • Control signals, interfaces, memory technology.
  • e.g. Is there a hardware multiply unit or is it
    done by repeated addition?
  • E.g.
  • All Intel x86 family share the same basic
    architecture
  • The IBM System/370 family share the same basic
    architecture

5
Computer Components
6
Computer Components
  • CPU
  • Arithmetic logic unit (ALU) performs arithmetic
    and logical operations
  • Control logic
  • Registers: general-purpose registers, instruction
    register, program counter, accumulators

7
Memory
  • Cache
  • Relatively small amount of very high-speed RAM
  • Reduces the apparent main memory access time
  • RAM: random access memory
  • Volatile: data is lost if power is off
  • Dynamic RAM (DRAM) vs. Static RAM (SRAM)
  • PLD: programmable logic device
  • ROM: read-only memory
  • PAL: programmable array logic
  • CPLD: complex programmable logic device
  • FPGA: field-programmable gate array

8
Memory
  • ROM
  • EPROM: erasable programmable read-only memory
  • EAROM: electrically alterable read-only memory
  • EEPROM: electrically erasable programmable
    read-only memory
  • Firmware: the programs stored on these devices

9
Memory Hierarchy
  • Register
  • Cache
  • Primary memory
  • Directly addressable by the CPU; used for the
    storage of instructions and data; usually RAM
  • Secondary memory
  • Slower memory such as magnetic disks that
    provides non-volatile storage
  • Virtual memory
  • Use secondary memory in conjunction with primary
    memory to present a CPU with a larger address
    space

10
Memory addressing modes
  • Register addressing
  • Addressing the registers within a CPU
  • Direct addressing
  • Addressing a portion of primary memory by
    specifying the actual address of the memory
    location
  • Absolute addressing
  • Addressing all of the primary memory space
  • Indexed addressing
  • By adding the contents of the address defined in
    the program's instruction to that of an index
    register
  • Implied addressing
  • When operations are internal to the processor, no
    need to provide an address
  • Indirect addressing
  • The address location that is specified in the
    program instruction contains the address of the
    final desired location
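As an added example (not part of the original slides), the operand resolver below walks through each addressing mode listed above against a constructed register file and memory image. The 32-word memory, the register names and the convention that plain direct addressing reaches only a 16-word window while absolute addressing reaches the whole space are all assumptions made for this example. The security point it shows is that an indirectly fetched address is data read from memory and must be bounds-checked before use.

```python
# Added example, not from the slides: a toy operand resolver for the
# addressing modes listed above. Memory, registers and the "window" that
# plain direct addressing may reach are all constructed for this example.

MEM_WORDS = 32          # size of the constructed primary memory
DIRECT_WINDOW = 16      # constructed convention: direct addressing reaches only
                        # the first 16 words; absolute addressing reaches all 32

def check_address(ea, mem):
    """Every effective address is bounds-checked before the cell is touched.
    This matters most for indirect addressing, where the final address is
    itself data read from memory (Python's negative indexing would otherwise
    silently wrap to the end of the array)."""
    if not 0 <= ea < len(mem):
        raise IndexError(f"effective address {ea} outside memory of {len(mem)} words")
    return ea

def fetch_operand(mode, operand, regs, mem):
    """Return (effective_address, value) for one operand under the given mode.
    effective_address is None when no memory cell is involved."""
    if mode == "register":                 # operand names a CPU register
        return None, regs[operand]
    if mode == "direct":                   # operand is the actual address, within the window
        if not 0 <= operand < DIRECT_WINDOW:
            raise IndexError(f"direct address {operand} outside the {DIRECT_WINDOW}-word window")
        return operand, mem[check_address(operand, mem)]
    if mode == "absolute":                 # operand may name any word of primary memory
        return operand, mem[check_address(operand, mem)]
    if mode == "indexed":                  # operand + contents of the index register X
        ea = check_address(operand + regs["X"], mem)
        return ea, mem[ea]
    if mode == "indirect":                 # the word at operand holds the final address
        ea = check_address(mem[check_address(operand, mem)], mem)
        return ea, mem[ea]
    if mode == "implied":                  # no address: the operand is the accumulator
        return None, regs["ACC"]
    raise ValueError(f"unknown addressing mode: {mode}")

def demo():
    """Constructed register file and memory image exercising each mode."""
    mem = [0] * MEM_WORDS
    regs = {"R1": 7, "X": 2, "ACC": 99}
    mem[5] = 42          # direct target
    mem[12] = 77         # indexed target: 10 + X(2) = 12
    mem[3] = 5           # indirect: word 3 points at word 5
    mem[20] = 13         # absolute target beyond the direct window
    mem[9] = 500         # a corrupted pointer: indirect via word 9 must be refused
    results = {
        "register": fetch_operand("register", "R1", regs, mem),
        "direct": fetch_operand("direct", 5, regs, mem),
        "absolute": fetch_operand("absolute", 20, regs, mem),
        "indexed": fetch_operand("indexed", 10, regs, mem),
        "indirect": fetch_operand("indirect", 3, regs, mem),
        "implied": fetch_operand("implied", None, regs, mem),
    }
    try:
        fetch_operand("indirect", 9, regs, mem)
        results["bad_pointer"] = "allowed"
    except IndexError:
        results["bad_pointer"] = "refused"
    return results

if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(f"{mode:10s} -> {outcome}")
```

Running it prints one line per mode; the last line shows the out-of-range pointer stored at word 9 being refused rather than dereferenced.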

11
Instruction Cycle
  • Two steps
  • Fetch and Execute

12
Review of Terms
  • CISC: complex-instruction-set computer
  • Uses instructions that perform many operations
    per instruction
  • RISC: reduced-instruction-set computer
  • Uses instructions that are simpler and require
    fewer clock cycles to execute
  • Pipelining
  • Overlapping the steps of different instructions
  • Scalar Processor
  • A processor that executes one instruction at a
    time
  • Superscalar Processor
  • A processor that enables concurrent execution of
    multiple instructions in the same pipeline stage
    as well as in different pipeline stages

13
Review of Terms
  • Multitasking
  • Multiprogramming
  • Multiprocessing
  • Multithreading

14
CPU Modes and Protection Rings
  • Operating system needs to ensure that processes
    do not negatively affect each other or the
    critical components of the system itself
  • Protection Rings
  • Provide strict boundaries and definitions on what
    the processes that work within each ring can
    access and what commands they can successfully
    execute
  • The processes that operate within the inner rings
    have more privileges than the processes operating
    in the outer rings.
  • Privileged mode
  • Execute within the inner rings
  • User mode
  • Execute in the outer rings

15
Input/Output System
  • Programmed IO
  • Interrupt
  • Direct memory access

16
Software
  • High-level language
  • a = b + c
  • d = a - e
  • Assembly language
  • add a, b, c
  • sub d, a, e
  • Machine language
  • 00000010001100100100000000100000
  • The layout of the instruction is called the
    instruction format

(Diagram labels: Compiler; Assembler / Linker)
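As an added example (not from the slides), the decoder below splits the 32-bit machine word shown above into its instruction-format fields and back. The slide does not name the ISA; this example assumes the MIPS R-type layout (6-bit opcode, three 5-bit register fields, 5-bit shift amount, 6-bit function code), which is an assumption on our part, and the register names and function codes follow that assumption.

```python
# Added example, not from the slides: decode the 32-bit word shown above
# into its instruction-format fields. The slide does not name the ISA; this
# example assumes the MIPS R-type layout (6-bit opcode, 5-bit rs, rt, rd,
# 5-bit shift amount, 6-bit function code), an assumption on our part.

REG_NAMES = ["$zero", "$at", "$v0", "$v1", "$a0", "$a1", "$a2", "$a3",
             "$t0", "$t1", "$t2", "$t3", "$t4", "$t5", "$t6", "$t7",
             "$s0", "$s1", "$s2", "$s3", "$s4", "$s5", "$s6", "$s7",
             "$t8", "$t9", "$k0", "$k1", "$gp", "$sp", "$fp", "$ra"]

# A few MIPS R-type function codes (the opcode field is 0 for all of them).
FUNCT_TO_MNEMONIC = {0x20: "add", 0x22: "sub", 0x24: "and", 0x25: "or", 0x2A: "slt"}
MNEMONIC_TO_FUNCT = {v: k for k, v in FUNCT_TO_MNEMONIC.items()}

def decode_rtype(bits):
    """Split a 32-character binary string into R-type fields and an assembly line."""
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError("expected a 32-bit binary string")
    word = int(bits, 2)
    opcode = word >> 26
    if opcode != 0:
        raise ValueError(f"opcode {opcode} is not R-type in this format")
    fields = {
        "opcode": opcode,
        "rs": (word >> 21) & 0x1F,
        "rt": (word >> 16) & 0x1F,
        "rd": (word >> 11) & 0x1F,
        "shamt": (word >> 6) & 0x1F,
        "funct": word & 0x3F,
    }
    mnemonic = FUNCT_TO_MNEMONIC.get(fields["funct"])
    if mnemonic is None:
        raise ValueError(f"unknown function code {fields['funct']:#x}")
    # The destination register is written first in MIPS assembly syntax.
    fields["asm"] = (f"{mnemonic} {REG_NAMES[fields['rd']]}, "
                     f"{REG_NAMES[fields['rs']]}, {REG_NAMES[fields['rt']]}")
    return fields

def encode_rtype(mnemonic, rd, rs, rt):
    """Inverse of decode_rtype: assemble one R-type instruction into a 32-bit string."""
    for reg in (rd, rs, rt):
        if not 0 <= reg < 32:
            raise ValueError(f"register number {reg} out of range")
    word = (rs << 21) | (rt << 16) | (rd << 11) | MNEMONIC_TO_FUNCT[mnemonic]
    return format(word, "032b")

if __name__ == "__main__":
    print(decode_rtype("00000010001100100100000000100000")["asm"])
```

Under the assumed format the slide's word decodes to an add of two source registers into a third, which matches the three-operand `add a, b, c` assembly line on the slide.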
17
Open and Closed Systems
  • Open System
  • Vendor-independent systems
  • Have published specifications and interfaces
  • Subject to review and evaluation by independent
    parties
  • Closed System
  • Use vendor-dependent proprietary hardware and/or
    software
  • Not compatible with other systems or components
  • May have vulnerabilities that are not known

18
Some Concerns
  • Desktop systems can contain sensitive information
  • Users may generally lack security awareness
  • A desktop PC can provide an avenue of access into
    critical information systems of an organization
  • Downloading data from the Internet increases the
    risk of infecting corporate systems
  • A desktop system may not be protected from
    physical intrusion or theft
  • May lack proper backup

19
Some security mechanisms
  • Email and download/upload policies
  • Robust access control
  • File encryption
  • Separation of the processes that run in
    privileged or non-privileged processor states
  • Protection of sensitive disks by locking
  • Distinct labeling of disks and materials
    according to their classification
  • A centralized backup of desktop system files
  • Regular security awareness training sessions
  • Control of software installed on desktop systems
  • Logging of transactions and transmissions
  • Database management systems restricting access to
    sensitive information
  • Protection against environmental damage to
    computers and media
  • Use of formal methods for software development
    and application
  • Inclusion of desktop systems in disaster recovery
    and business continuity plans

20
Information Security Models
  • Security Policy
  • A high-level statement of enterprise beliefs,
    goals, and objectives and the general means for
    their attainment for a specified subject area.
  • Security models are used to formalize security
    policies, and to provide a framework for the
    understanding of fundamental concepts.
  • Access models
  • Integrity models
  • Information flow models
  • Object: a passive entity such as a file or a
    storage resource
  • Subject: an active entity that is seeking rights
    to a resource or object. It can be a person, a
    program, or a process.

21
Access Control Models
  • Access matrix

22
Access Control Models
  • Bell-LaPadula Model
  • Developed to formalize the U.S. Department of
    Defense (DoD) multilevel security policy
  • Only deals with confidentiality of classified
    material. Doesn't address integrity or
    availability.
  • Built on the state machine concept
  • A set of allowable states is defined in a system
  • The transition from one state to another upon
    receipt of an input is defined by transition
    functions
  • The objective is to ensure that the initial state
    is secure and that the transitions always result
    in a secure state

23
Bell-LaPadula Model (Cont.)
  • Simple security property: reading of information
    by a subject at a lower sensitivity level from an
    object at a higher sensitivity level is not
    permitted (no read up)
  • * (star) security property: writing of
    information by a subject at a higher level of
    sensitivity to an object at a lower level of
    sensitivity is not permitted (no write down);
    too restrictive
  • Discretionary security property: uses an access
    matrix to specify discretionary access control
(Diagram: High Sensitivity Level, Medium Sensitivity
Level, Low Sensitivity Level; arrows labelled
"Write OK", "Read OK", and "Write OK (violate
property by Trusted Subject)")
24
Integrity Models
  • Biba Integrity Model
  • Three integrity axioms
  • Simple integrity axiom: a subject at one level of
    integrity is not permitted to read an object of a
    lower integrity (no read down)
  • * (star) integrity axiom: a subject at one level
    of integrity is not permitted to modify an object
    of a higher level of integrity (no write up)
  • A subject at one level of integrity cannot invoke
    a subject at a higher level of integrity

25
Biba Integrity Model (cont.)
(Diagram: High Integrity Level, Medium Integrity
Level, Low Integrity Level, each with a Subject;
arrows labelled "Invoke NOT OK", "Read OK", and
"Write OK")
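As an added example (not from the slides) covering the access matrix, Bell-LaPadula and Biba slides above, the decision functions below act as a small reference monitor: the Bell-LaPadula check applies the simple security property, the *-property (with an opt-in for a trusted subject, as in the slide's diagram) and the discretionary property via an access matrix, while the Biba check applies the three integrity axioms. The three levels, the subjects, objects and the access matrix are constructed for this example.

```python
# Added example, not from the slides: reference-monitor style decision
# functions for the three Bell-LaPadula properties and the three Biba axioms.
# Levels, subjects, objects and the access matrix are all constructed here.

LEVELS = {"Low": 0, "Medium": 1, "High": 2}   # total order, Low < Medium < High

# Discretionary access matrix: subject -> object -> set of rights.
ACCESS_MATRIX = {
    "alice": {"report": {"read", "write"}, "memo": {"read"}},
    "bob":   {"report": {"read"}},
}

def blp_decide(subject, obj, op, clearance, classification, trusted=False):
    """Bell-LaPadula: grant only if the mandatory and discretionary properties hold.
    trusted=True models a trusted subject that may write down (the slide's
    'violate property by Trusted Subject')."""
    s, o = LEVELS[clearance], LEVELS[classification]
    if op == "read":
        mandatory_ok = s >= o                  # simple security property: no read up
    elif op == "write":
        mandatory_ok = s <= o or trusted       # *-property: no write down
    else:
        raise ValueError(f"unknown operation {op}")
    discretionary_ok = op in ACCESS_MATRIX.get(subject, {}).get(obj, set())
    return mandatory_ok and discretionary_ok

def biba_decide(op, subject_integrity, target_integrity):
    """Biba integrity axioms; the target is an object for read/write and
    another subject for invoke."""
    s, t = LEVELS[subject_integrity], LEVELS[target_integrity]
    if op == "read":
        return s <= t       # simple integrity axiom: no read down
    if op == "write":
        return s >= t       # *-integrity axiom: no write up
    if op == "invoke":
        return s >= t       # may not invoke a subject of higher integrity
    raise ValueError(f"unknown operation {op}")

if __name__ == "__main__":
    # State-machine view: each request is an input; the monitor decides whether
    # the transition keeps the system in a secure state.
    requests = [
        ("alice", "report", "read", "Medium", "Low"),
        ("alice", "report", "read", "Medium", "High"),
        ("alice", "report", "write", "Medium", "High"),
        ("alice", "report", "write", "Medium", "Low"),
        ("bob", "report", "write", "High", "High"),
    ]
    for req in requests:
        print(req, "->", "grant" if blp_decide(*req) else "deny")
    print("trusted write down ->",
          blp_decide("alice", "report", "write", "Medium", "Low", trusted=True))
    print("biba invoke up ->", biba_decide("invoke", "Medium", "High"))
```

The last request in the list is denied even though the mandatory check passes: bob holds only the read right in the access matrix, which is the discretionary property doing its job.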
26
Information Flow Models
  • Based on a state machine
  • Consists of objects, state transitions, and
    lattice (flow policy) states
  • Each object is assigned a security class and
    value, and information is constrained to flow in
    the directions that are permitted by the security
    policy

27
(cont.)
(Lattice diagram with nodes: Confidential (Project X);
Confidential; Confidential (Task 2, Project X);
Confidential (Task 1, Project X); Unclassified)
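As an added example (not from the slides), the lattice below models the flow policy from the diagram above: each label is a classification plus a set of compartments, information may flow from one label to another only if the destination dominates the source, and the join gives the lowest label that may receive output derived from several inputs. The class names come from the slide; treating "Project X" as the union of its two task compartments is our assumption about how the diagram is meant.

```python
# Added example, not from the slides: the lattice flow policy from the diagram
# above, modelled as (classification, set of compartments) labels. Treating
# "Project X" as the union of its two tasks is our assumption about the diagram.

from dataclasses import dataclass

CLASS_ORDER = {"Unclassified": 0, "Confidential": 1}

@dataclass(frozen=True)
class Label:
    classification: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """a dominates b iff a's class is at least b's and a holds every compartment of b."""
        return (CLASS_ORDER[self.classification] >= CLASS_ORDER[other.classification]
                and self.compartments >= other.compartments)

def can_flow(src, dst):
    """Information may flow from src to dst only if dst dominates src."""
    return dst.dominates(src)

def join(a, b):
    """Least upper bound: the lowest label that may receive information from both."""
    if CLASS_ORDER[a.classification] >= CLASS_ORDER[b.classification]:
        cls = a.classification
    else:
        cls = b.classification
    return Label(cls, a.compartments | b.compartments)

# The nodes of the slide's lattice (compartment sets are our modelling choice).
UNCLASSIFIED = Label("Unclassified")
CONFIDENTIAL = Label("Confidential")
TASK1 = Label("Confidential", frozenset({"Task 1"}))
TASK2 = Label("Confidential", frozenset({"Task 2"}))
PROJECT_X = Label("Confidential", frozenset({"Task 1", "Task 2"}))

def label_of_combined_output(inputs):
    """Output derived from several inputs is labelled with the join of their labels."""
    result = UNCLASSIFIED
    for lbl in inputs:
        result = join(result, lbl)
    return result

if __name__ == "__main__":
    print("Task 1 -> Task 2 allowed:", can_flow(TASK1, TASK2))
    print("Task 1 -> Project X allowed:", can_flow(TASK1, PROJECT_X))
    print("join(Task 1, Task 2) ==", label_of_combined_output([TASK1, TASK2]))
```

Because Task 1 and Task 2 are incomparable (neither dominates the other), data cannot flow sideways between them; anything combining both must carry the Project X label, which is the join.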
28
Security Technology and Tools
  • Operating System Protection
  • Memory Protection
  • CPU and I/O Device Protection
  • Application Layer Protection
  • Storage Device Protection
  • Network Protection

29
Operating System Protection
  • Three security technologies are used to protect
    security features
  • Trusted Computing Base (TCB): the totality of
    protection mechanisms within a computer system.
  • The TCB maintains confidentiality and integrity
    and monitors four basic functions: process
    activation, execution domain switching, memory
    protection, and I/O operations
  • Reference Monitor
  • An access control concept referring to an
    abstract machine that mediates all accesses to
    objects by subjects based on information in an
    access control database
  • Security Kernel
  • The hardware, firmware, and software elements of
    a TCB implementing the reference monitor concept.
  • It must mediate all accesses (completeness), must
    be protected from modification (isolation), and
    must be verifiable as correct (verifiability).
  • The reference monitor is an abstract concept; the
    security kernel is the implementation of the
    reference monitor; and the TCB contains the
    security kernel along with other protection
    mechanisms.

30
General operating system protection
  • User identification and authentication
  • Mandatory access control
  • Discretionary access control
  • Complete mediation
  • Object reuse protection
  • Audit
  • Protection of audit logs
  • Audit log reduction
  • Trusted path
  • Intrusion detection

31
Memory Protection
  • For a single-task system
  • To prevent the user's programs from affecting the
    operating system
  • For a multitasking system
  • To isolate the processes' memory areas from each
    other
  • Hardware techniques were developed to provide
    memory protection
  • In privileged state, only operating system can
    perform the operations that were critical to
    controlling and maintaining the protection
    mechanisms
  • For multi-user systems, various controls must be
    built into the operating system for memory
    protection
  • Every reference is checked for protection
  • Many different data classes can be assigned
    different levels of protection
  • Two or more users can share access to the same
    segment with potentially different access rights
  • Users cannot access a memory or address segment
    outside what has been allocated for them

32
CPU and I/O Device Protection
  • The protections for the I/O devices are based on
    the type of processor.
  • E.g., Intel 80486 is a 32-bit processor, which
    defines four privilege levels (rings).
  • Software could be assigned to the levels as
  • Ring 0: operating system kernel
  • Ring 1: I/O drivers
  • Ring 2: rest of the operating system
  • Ring 3: application software
  • If an application in ring 3 needs a service from
    the operating system in ring 1, it can only
    invoke some system subroutines and the current
    privilege level will change from 3 to 1. After
    returning from the subroutine, the privilege
    level is changed back to 3.
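As an added example (not from the slides) tying together the protection-ring, memory-protection and CPU/I/O-protection slides above, the simulation below keeps a segment table that can only be changed from ring 0, checks every memory reference against the requesting user's rights and the segment limit, lets two users share one segment with different rights, and models a controlled call into a more privileged ring that restores the caller's level on return. The ring numbers follow the 80486 assignment on the slide; the segment table, users, rights and addresses are constructed for this example.

```python
# Added example, not from the slides: a simulated segment-protection check.
# Ring numbers follow the 80486 assignment on the slide; the segment table,
# users and rights are constructed here.

RING_KERNEL, RING_DRIVERS, RING_OS, RING_APP = 0, 1, 2, 3

class ProtectionFault(Exception):
    pass

class Segment:
    def __init__(self, base, limit, rights):
        self.base = base            # first physical word
        self.limit = limit          # number of words allocated
        self.rights = rights        # user -> subset of {"r", "w", "x"}

class MMU:
    def __init__(self):
        self.segments = {}
        self.cpl = RING_APP         # current privilege level starts in user mode

    def define_segment(self, name, base, limit, rights):
        """Changing the protection tables is a privileged operation: ring 0 only."""
        if self.cpl != RING_KERNEL:
            raise ProtectionFault(f"define_segment attempted from ring {self.cpl}")
        self.segments[name] = Segment(base, limit, rights)

    def access(self, user, name, offset, op):
        """Every reference is checked: segment known, right held, offset inside limit."""
        seg = self.segments.get(name)
        if seg is None:
            raise ProtectionFault(f"{user}: no segment {name}")
        if op not in seg.rights.get(user, set()):
            raise ProtectionFault(f"{user}: no '{op}' right on {name}")
        if not 0 <= offset < seg.limit:
            raise ProtectionFault(f"{user}: offset {offset} outside {name} (limit {seg.limit})")
        return seg.base + offset    # physical address

    def call_ring(self, target_ring, fn, *args):
        """Controlled transition: enter a more privileged ring, run a system
        routine, and restore the caller's level on return."""
        if target_ring > self.cpl:
            raise ProtectionFault("a call may only move to a more privileged ring")
        saved = self.cpl
        self.cpl = target_ring
        try:
            return fn(self, *args)
        finally:
            self.cpl = saved        # privilege level changes back on return

def kernel_setup(mmu):
    """Runs in ring 0: one shared segment with different rights per user."""
    mmu.define_segment("shared", base=1000, limit=64,
                       rights={"alice": {"r", "w"}, "bob": {"r"}})
    return mmu.cpl

def demo():
    mmu = MMU()
    outcome = {}
    try:                                    # user mode may not edit the tables
        mmu.define_segment("shared", 1000, 64, {})
        outcome["define_from_ring3"] = "allowed"
    except ProtectionFault:
        outcome["define_from_ring3"] = "refused"
    outcome["ring_during_setup"] = mmu.call_ring(RING_KERNEL, kernel_setup)
    outcome["ring_after_setup"] = mmu.cpl
    outcome["alice_write"] = mmu.access("alice", "shared", 10, "w")
    for key, args in {"bob_write": ("bob", "shared", 10, "w"),
                      "alice_overrun": ("alice", "shared", 64, "r")}.items():
        try:
            mmu.access(*args)
            outcome[key] = "allowed"
        except ProtectionFault:
            outcome[key] = "refused"
    return outcome

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18s} {v}")
```

The `finally` clause in `call_ring` is the part worth copying: the privilege level must drop back to the caller's ring even when the system routine raises, otherwise a fault inside ring 0 would leave the application running privileged.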

33
Application Layer Protection
  • All input received from a source external to the
    application must be validated prior to
    processing.
  • Possible sources of data include
  • User input through data entry screens
  • Output generated by an external program
  • Access requests from an external program
  • Operating system environment
  • Command parameters
  • Input checking
  • Verify that the input is of the proper type and
    within specified ranges
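As an added example (not from the slides), the validator below applies the input-checking rule above to records arriving from the kinds of sources listed: it enforces an allowlist of fields, the exact expected type, numeric ranges, a pattern for free text and an allowed set for enumerations, and reports every problem rather than coercing silently. The field rules, the `username`/`age`/`role` names and the sample inputs are all constructed for this example.

```python
# Added example, not from the slides: an allowlist validator for records from
# external sources. Field rules and sample inputs are constructed here.

import re

# Each field: the exact type expected plus a range, pattern or allowed set.
FIELD_RULES = {
    "username": {"type": str, "pattern": re.compile(r"[a-z][a-z0-9_]{2,15}")},
    "age":      {"type": int, "min": 0, "max": 150},
    "role":     {"type": str, "allowed": {"user", "auditor", "admin"}},
}

def validate(record, rules=FIELD_RULES):
    """Return (ok, errors). Unknown fields, wrong types, out-of-range values and
    pattern mismatches are all reported; nothing is coerced silently."""
    errors = []
    for name in record:
        if name not in rules:
            errors.append(f"{name}: unexpected field")
    for name, rule in rules.items():
        if name not in record:
            errors.append(f"{name}: missing")
            continue
        value = record[name]
        # bool is a subclass of int in Python; an int field must not accept True/False,
        # so compare the exact type rather than using isinstance().
        if type(value) is not rule["type"]:
            errors.append(f"{name}: expected {rule['type'].__name__}, "
                          f"got {type(value).__name__}")
            continue
        if "min" in rule and value < rule["min"]:
            errors.append(f"{name}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{name}: above maximum {rule['max']}")
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            errors.append(f"{name}: does not match {rule['pattern'].pattern}")
        if "allowed" in rule and value not in rule["allowed"]:
            errors.append(f"{name}: not one of {sorted(rule['allowed'])}")
    return (not errors, errors)

def parse_command_parameters(argv):
    """Turn constructed 'key=value' command parameters into a typed record.
    Only a plain digit string becomes an int; anything else stays a string so
    that validate() reports it as a type error instead of guessing."""
    record = {}
    for param in argv:
        key, _, raw = param.partition("=")
        record[key] = int(raw) if key == "age" and raw.isdigit() else raw
    return record

if __name__ == "__main__":
    print(validate({"username": "alice_01", "age": 34, "role": "user"}))
    print(validate({"username": "al ice", "age": "34", "role": "root", "debug": 1}))
    print(validate(parse_command_parameters(["username=bob", "age=41", "role=auditor"])))
```

Checking `type(value) is int` rather than `isinstance(value, int)` is deliberate: a boolean smuggled into a numeric field would otherwise pass the range check as 0 or 1.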

34
Storage Device Protection
  • Access to servers, workstations, and mobile
    computer storage devices needs security
    protection such as
  • Removable storage media
  • Encryption software for protection of sensitive
    files
  • Physical locking devices
  • Locking portable devices in a desk or file
    cabinet
  • Fixed disk systems may need additional protection
    such as lockable enclosures

35
Network Protection
  • Data transmission controls
  • Hash totals
  • Recording of sequence checking
  • Transmission logging
  • Transmission error correction
  • Invalid login, modem error, lost connections, CPU
    failure, disk error, line error, etc.
  • Retransmission control
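As an added example (not from the slides), the sender/receiver pair below implements the transmission controls listed above in miniature: the sender attaches a sequence number and a hash total to each record, and the receiver verifies the hash total, checks sequence (detecting gaps and duplicates), logs every event, and records which frames it wants retransmitted. The hash total here is a keyed HMAC-SHA256 over the sequence number and payload, which is our choice rather than something the slide specifies (a plain checksum would catch line errors but not deliberate alteration); the shared key and the frames are constructed for the example.

```python
# Added example, not from the slides: framing and receiver-side checks for
# hash totals, sequence checking, transmission logging and retransmission
# control. The keyed hash total is our choice; key and frames are constructed.

import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key"

def hash_total(seq, payload, key=SHARED_KEY):
    """Keyed hash total over sequence number and payload (HMAC-SHA256)."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).hexdigest()

def make_frame(seq, payload, key=SHARED_KEY):
    """Sender: attach the sequence number and hash total to each record."""
    return {"seq": seq, "payload": payload, "hash": hash_total(seq, payload, key)}

class Receiver:
    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.expected = 0        # next sequence number we are prepared to accept
        self.delivered = []      # payloads passed on to the application
        self.log = []            # transmission log, one entry per event
        self.retransmit = []     # sequence numbers requested again

    def receive(self, frame):
        seq, payload = frame["seq"], frame["payload"]
        if not hmac.compare_digest(frame["hash"], hash_total(seq, payload, self.key)):
            self.log.append(f"seq {seq}: hash total mismatch, requesting retransmission")
            self.retransmit.append(seq)
            return "corrupt"
        if seq < self.expected:
            self.log.append(f"seq {seq}: duplicate, dropped")
            return "duplicate"
        if seq > self.expected:
            self.log.append(f"seq {seq}: gap, expected {self.expected}, requesting retransmission")
            self.retransmit.append(self.expected)
            return "out-of-order"
        self.delivered.append(payload)
        self.expected += 1
        self.log.append(f"seq {seq}: accepted")
        return "accepted"

def demo():
    """Constructed session: a line error, an out-of-order arrival, a retransmission
    and a late duplicate."""
    rx = Receiver()
    frames = [make_frame(i, f"record {i}".encode()) for i in range(4)]
    results = [rx.receive(frames[0]), rx.receive(frames[1])]
    damaged = dict(frames[2], payload=b"record 2 (line error)")   # altered in transit
    results.append(rx.receive(damaged))
    results.append(rx.receive(frames[3]))       # arrives before frame 2 is resent
    results.append(rx.receive(frames[2]))       # retransmission of frame 2
    results.append(rx.receive(frames[1]))       # late duplicate
    results.append(rx.receive(frames[3]))       # frame 3 resent after the gap
    return results, rx

if __name__ == "__main__":
    results, rx = demo()
    print(results)
    print("\n".join(rx.log))
```

In the constructed session the receiver delivers all four records exactly once and in order, and its log records the hash mismatch, the gap, the duplicate and each acceptance, which is the audit trail the slide's "transmission logging" bullet refers to.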

36
Assurance, Trust, and Confidence Mechanisms
  • It is important to verify whether the
    architecture is secure.
  • Evaluation methods have been developed to assure
    that the products provide the necessary security
    requirements.
  • What is to be evaluated? A product or a system?
  • A product could be a specific operating system.
  • A system means a collection of products that
    together meet the specific requirements of a
    given application.
  • Available evaluating methods
  • Trusting the advertisements from the
    manufacturer/vendor
  • Performing system tests internally within the
    organization
  • Trusting an impartial, independent assessment
    authority

37
Trusted Computer Security Evaluation Criteria
(TCSEC)
  • Produced by National Computer Security Center
    (NCSC) of U.S. Department of Defense in 1985,
    also known as the orange book. It only
    addressed confidentiality, but it provided
    guidelines for the evaluation of security
    products, such as hardware and operating systems.
  • Some criteria
  • Security policy
  • Marking of objects: labels indicate the
    sensitivity of objects
  • Identification of subjects: subjects must be
    identified and authenticated
  • Accountability: security-related events must be
    contained in audit logs
  • Assurance: operational assurance, lifecycle
    assurance
  • Documentation
  • Continuous protection
  • Four security divisions (seven security classes)
  • A: verified protection, the highest assurance
    level
  • B: mandatory protection (B1, B2, B3), B3 the
    highest
  • C: discretionary protection (C1, C2); C2
    (controlled access protection) is the most
    reasonable class for commercial applications
  • D: minimal protection

38
Trusted Network Interpretation (TNI)
  • The red book, published in 1987
  • Using the orange book as the basis, it addresses
    network and telecommunications.
  • Key features
  • Integrity: Biba model for integrity
  • Labels to guarantee mandatory access controls
  • Other security services
  • Communication integrity: authentication,
    integrity, non-repudiation
  • Denial-of-service: continuity of operation,
    protocol-based protection, and network management
  • Compromise protection: data confidentiality and
    traffic confidentiality

39
Information Technology Security Evaluation
Criteria (ITSEC)
  • Endorsed by the Council of the European Union in
    1995
  • Includes the concepts from TCSEC, but more
    flexible
  • It includes integrity and availability as
    security goals, along with confidentiality.