Developing High Assurance Building Blocks - PowerPoint PPT Presentation

1

Mapping Enterprise Security Assurance with Visual NRM
Andrew Moore
Center for High Assurance Computer Systems, Code 5542
Naval Research Laboratory, Washington, D.C.
(202) 404-7289 (fax)
http://www.chacs.itd.nrl.navy.mil/Projects/VisualNRM/

Visual NRM Development Personnel
  • Andrew Moore, NRL, Code 5542, moore@itd.nrl.navy.mil, (202) 767-6698
  • Bruce Montrose, NRL, Code 5542, montrose@itd.nrl.navy.mil, (202) 767-0485
  • Beth Strohmayer, ITT Industries, Inc., strohmayer@itd.nrl.navy.mil, (202) 404-3798
2
What is Visual NRM?
  • Visual NRM - method/tool for characterizing and analyzing security assurance
    • affordable assurance requires considering the enterprise as a whole
    • enterprise includes people, operations, physical structures, technology
  • method derives from
    • Network Rating Methodology (DoD)
    • Assumptions/Assertions Method (NRL)
    • Framework for Reasoning about Assurance (ARCA)
  • Visual NRM helps users
    • characterize security protection provided by enterprise
    • identify security vulnerabilities of enterprise
    • understand certainty that all security vulnerabilities are identified
    • trade off function, protection, vulnerability to balance mission, security, cost
    • document security-related enterprise design decisions/rationale
    • outline argument that enterprise satisfies particular security properties
  • Visual NRM Notation - Composite Assurance Mapping Language (CAML)
    • Goal Structuring Notation (DRA, York University)
    • Methodically Organized Argument Trees (UVA)

3
Why do we need assurance maps? Diverse Sources of Enterprise Security Assurance
Figure: a Security Assurance Argument draws on four disciplines, each with its own assurance techniques, to address the security concerns of Integrity, Confidentiality and Availability.
  • Physical Security: strength of locks, safes, SCIFs, tamper-proofing, ...
  • Personnel Security: background investigations, comprehension assessment, performance appraisals, ...
  • Technological Security: testing, simulation, inspections, formal proof, covert channel analysis, ...
  • Operational Security: effectiveness of procedures, policies, guidelines, ...
4
Visual NRM Process Support
Figure: Visual NRM sits between enterprise design and implementation, Risk Analysis, Engineering and Evaluation, supporting risk assessment, vulnerability analysis, design rationale, enterprise documentation and assurance evidence.
5
Structure of Discussion
  • Notation - represent map of enterprise security assurance
  • Methods - how to construct, analyze, and maintain mapping
  • Tools - facilitate application of methods with automation

6
Notation
7
What Makes a Map Effective?
Figure: the "Ocean-Chart" from The Hunting of the Snark, a blank map whose only markings are the labels around its edge (Latitude, Longitude, Equator, Meridian, North and South Pole, Zenith, Nadir, Torrid Zone, Scale of Miles).
  "He had bought a large map representing the sea,
   Without the least vestige of land:
   And the crew were much pleased when they found it to be
   A map they could all understand."
The Hunting of the Snark, Lewis Carroll
8
What Makes a Map Effective?
  • An effective map must contain enough detail to
    make its study worthwhile, but not so much as to
    overwhelm our capacity to understand it.

9
CAML Assurance Mapping
Figure: a CAML tree. The top Claim is AND-refined into sub-claims through a Strategy with its Reason, Model and Assumption; a validating claim is linked to an architectural diagram; an OR refinement leads to Evidence nodes, each linked to detailed evidence; a CAML Tree node marks a refinement expanded on another page; further Assumptions hang off the refinements.
10
CAML Primitives
  • Claim (Clm) - a property of the enterprise
  • Evidence (Evd) - how a claim is verified
  • And/Or Refinement - logical conjunction/disjunction
  • Strategy (Str) - approach to satisfying a claim
  • Model (Mdl) - structure for understanding a claim decomposition
  • Reasoning (Rsn) - why a decomposition satisfies a claim
  • Assumption (Asm) - basis for sufficiency of a claim decomposition
  • CAML Tree - a refinement expanded elsewhere
  • Objective - an objective of the enterprise
  • Threat - an event that could harm the enterprise
11
Argument Patterns
  • Affordable, scalable application requires mechanisms for reuse
    • bottom-up, or middle-out, construction
    • leverage off concepts for reuse in the OO world
      • design pattern - abstraction from concrete recurring solution that solves a problem in a certain context
      • argument pattern - abstraction from concrete recurring reasoning that provides assurance in a certain context
    • argument patterns permit benefiting from previous experience
    • benefits analogous to those of software modularization and software reuse library
  • CAML Pattern structure (evolving)
    • Name - mnemonic identifier
    • Classification - primary security discipline(s)
    • Intent - what does pattern accomplish
    • Applicability - where can pattern be legitimately used
    • Consequences - how does pattern support its objectives
    • Framework - parameterized CAML spec
    • Examples - suitable applications

12
CAML Pattern Mult.1 Trustworthy Role-Based Application
Classification: technological, physical, personnel, operational
Intent: provide framework for arguing the secure application of critical function by trustworthy user role following defined manual procedures
Applicability: contexts where full automation of critical function is not feasible and/or not cost-effective
Consequences: low trust in technology with low automation of critical function; high trust in personnel with large demand in executing critical function
Framework: parameterized CAML spec (diagram not reproduced in the transcript)
Examples: Admin add user account, information downgrade
13
Example Instantiation of Mult.1
Mult.1(mission goal → downgrade information,
       technology → Information Downgrader,
       user role → Downgrade Officer (DO),
       manual procedures → Downgrade Procedures)
14
CAML Pattern Tech.1 Audit-Based Risk Reduction
Classification: Technological
Intent: provide framework for arguing that technology satisfies some critical property based on both audit-based detection of attempted violations and guaranteed technology enforcement of the property
Applicability: contexts where assurance that technology enforces a critical property provides insufficient assurance and the possibility of detecting violations exists
Consequences: defense in depth helps to mitigate the risks associated with inadequate review of audit logs and/or critical function not sufficient to satisfy critical property
Framework: parameterized CAML spec (diagram not reproduced in the transcript)
Examples: Password checker with failed attempt restriction
15
Example Instantiation of Tech.1
Tech.1(technology → Company Computers,
       critical property → all users are authorized,
       critical function → password authentication that restricts number of consecutive failed attempts to 3/minute)
16
Refinement Composition
Figure: Mult.1 Clm1 is refined by Tech.1 Clm1 under the binding
critical property → only user role may mission goal
17
Fully Instantiated Composition
Figure: Mult.1 Clm1 refined by Tech.1 Clm1 with all parameters bound:
critical property → only user role may mission goal,
user role → Downgrade Officer (DO),
mission goal → downgrade information,
technology → Information Downgrader,
manual procedures → Downgrade Procs,
critical function → restrict information downgrade to people with DO privilege.
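The composition on the two slides above, as an added example (not code from the presentation or the Visual NRM tool): a pattern's Framework is reduced to its top claim Clm1 with <name> placeholders for parameters; binding Tech.1's critical property to Mult.1's Clm1 composes the patterns, and the remaining parameters are bound afterwards. The Clm1 wording for Mult.1 and Tech.1 is assumed, since the Framework diagrams are not in the transcript.

```python
"""Toy model of CAML argument-pattern instantiation and composition (added
example, not Visual NRM code). Parameters are <name> placeholders in a
pattern's top claim Clm1; the Clm1 wording of Mult.1 and Tech.1 is assumed."""
import re

PLACEHOLDER = re.compile(r"<([^<>]+)>")


class Pattern:
    def __init__(self, name, clm1):
        self.name = name    # pattern mnemonic, e.g. "Mult.1"
        self.clm1 = clm1    # top claim of the pattern's Framework

    def params(self):
        """Parameters still unbound in the claim text."""
        return set(PLACEHOLDER.findall(self.clm1))

    def instantiate(self, bindings):
        """Bind some or all parameters and return the narrower pattern.
        Binding a parameter to another pattern's Clm1 composes the two
        (slide 16): the inner claim's parameters become parameters here."""
        unknown = set(bindings) - self.params()
        if unknown:
            raise ValueError(f"{self.name} has no parameter {sorted(unknown)}")
        text = self.clm1
        for param, value in bindings.items():
            text = text.replace(f"<{param}>", value)
        return Pattern(self.name, text)

    def is_fully_instantiated(self):
        return not self.params()


# Assumed Clm1 wording for the two patterns (constructed for this example).
MULT1 = Pattern("Mult.1", "only <user role> may <mission goal> "
                          "following <manual procedures>")
TECH1 = Pattern("Tech.1", "<technology> enforces '<critical property>' by "
                          "<critical function> and audits attempted violations")


def downgrader_argument():
    """Slide 16: compose Tech.1 under Mult.1; slide 17: bind the rest."""
    composed = TECH1.instantiate({"critical property": MULT1.clm1})
    return composed.instantiate({
        "user role": "Downgrade Officer (DO)",
        "mission goal": "downgrade information",
        "technology": "Information Downgrader",
        "manual procedures": "Downgrade Procs",
        "critical function": "restrict information downgrade to people with DO privilege",
    })
```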
18
Method
19
Top-Down/Bottom-Up/Middle-Out Refinement
Figure: a Working CAML Mapping is built top-down by decomposing Mission Objectives into Enterprise, System and Component protection needs (Decompose), and bottom-up by instantiating and composing patterns from the CAML Pattern Library for Primitive Safeguards (Instantiate and Compose), with decomposition and composition meeting in the middle.
20
Example CAML Vulnerability Analysis
Objective: provide secure way to downgrade files from High network to Low network
Strategy: manual downgrade by trustworthy Downgrade Officer (DO)

Technological
  • Claims
    • Downgrader ensures that only DO downgrades files.
  • Assumptions
    • DO trustworthy to downgrade files properly.
    • Only DO may modify downgrade function.

Physical
  • Claims
    • Downgrader locked in cabinet.
    • Breaking cabinet/lock disables downgrade capability.
  • Assumptions
    • Interruption of downgrade service tolerable.
    • Only DO has keys to cabinet.

Personnel
  • Claims
    • DO passes personal background investigation.
    • DO trained on Downgrade Procedures.
  • Assumptions
    • Investigative Procedures are effective.
    • Downgrade Procs ensure proper downgrade.

Operational
  • Claims
    • Downgrade Procs require that every file be inspected by DO.
    • Downgrade Procs require that DO not downgrade High info.
    • Physical Access Procs require only DO has keys to cabinet.
  • Assumptions
    • DO can distinguish information of High sensitivity.

Vulnerabilities
  • Investigative Procs. do not predict trustworthiness.
  • Denial of downgrade service disrupts mission.
  • DO overlooks information of High sensitivity in file.

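The analysis on the slide above, as an added example (not code from the presentation or the Visual NRM tool): claims, evidence and assumptions form an AND/OR tree, assumptions that no claim in another discipline validates are reported as potential vulnerabilities, and refined claims with no Reasoning are reported as gaps. The cross-discipline validation links are this example's reading of the slide, and the operational claim is deliberately left without Reasoning to exercise gap detection.

```python
"""Toy CAML vulnerability analysis over slide 20's map (added example, not
Visual NRM's own code); cross-discipline validation links are assumed."""
from dataclasses import dataclass, field

@dataclass
class Node:
    kind: str                 # "Clm" (claim), "Evd" (evidence) or "Asm" (assumption)
    text: str
    reason: str = ""          # Reasoning: why the refinement satisfies the claim
    op: str = "AND"           # refinement operator over a claim's children
    children: list = field(default_factory=list)
    validated_by: list = field(default_factory=list)  # claims validating an Asm

def walk(node):
    yield node
    for child in node.children:
        yield from walk(child)

def unvalidated_assumptions(root):
    """Each assumption no claim validates is a potential vulnerability."""
    return [n.text for n in walk(root) if n.kind == "Asm" and not n.validated_by]

def reasoning_gaps(root):
    """A refined claim with no Reasoning suggests a missing assumption."""
    return [n.text for n in walk(root) if n.kind == "Clm" and n.children and not n.reason]

def holds(node, trust_assumptions=True):
    """AND/OR evaluation; with trust_assumptions=False only validated Asms count."""
    if node.kind != "Clm":    # evidence always counts; an assumption if trusted or validated
        return node.kind == "Evd" or trust_assumptions or bool(node.validated_by)
    if not node.children:     # an unrefined claim has no support yet
        return False
    results = [holds(c, trust_assumptions) for c in node.children]
    return all(results) if node.op == "AND" else any(results)

# Slide 20's map: Technological, Physical, Personnel and Operational branches.
access = Node("Clm", "Physical Access Procs require only DO has keys to cabinet.")
pers = Node("Clm", "DO passes personal background investigation.",
            reason="vetting establishes trustworthiness",
            children=[Node("Asm", "Investigative Procedures are effective.")])
phys = Node("Clm", "Downgrader locked in cabinet.",
            reason="breaking cabinet/lock disables downgrade capability",
            children=[Node("Asm", "Interruption of downgrade service tolerable."),
                      Node("Asm", "Only DO has keys to cabinet.", validated_by=[access])])
tech = Node("Clm", "Downgrader ensures that only DO downgrades files.",
            reason="function restricted to DO, who follows Downgrade Procs",
            children=[Node("Asm", "DO trustworthy to downgrade files properly.", validated_by=[pers]),
                      Node("Asm", "Only DO may modify downgrade function.", validated_by=[phys])])
oper = Node("Clm", "Downgrade Procs require that every file be inspected by DO.",  # no Reasoning
            children=[Node("Asm", "DO can distinguish information of High sensitivity.")])
root = Node("Clm", "Provide secure way to downgrade files from High to Low network.",
            reason="manual downgrade by trustworthy DO", children=[tech, phys, pers, oper])
```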
21
CAML Incremental Refinement
Figure: Protection Needs refined incrementally across Technological, Physical, Personnel and Operational Security, with vulnerabilities identified along the way.
22
CAML Pattern Pers.1 Procedure Adherence
Classification: Personnel
Intent: provide framework for arguing that personnel follow procedures based on their trustworthiness and ability
Applicability: contexts where security depends on the user performing some critical function
Consequences: relying on the user to perform critical functions requires allocating resources to assuring the trustworthiness of the user and to preparing users for the job at hand
Examples: Downgrader with manual Downgrade Procedures
Framework: parameterized CAML spec (diagram not reproduced in the transcript)
23
CAML Pattern Oper.1 Personnel Quality Assurance
Classification: Operational
Intent: provide framework for assuring the qualities of personnel through regular execution of an operation
Applicability: contexts where security depends on certain testable qualities of the user
Consequences: qualities of personnel assured using well-trained professionals (investigators, trainers, evaluators)
Examples: trustworthiness of personnel through background investigations, understanding of personnel through training, ability of personnel through performance appraisal
Framework: parameterized CAML spec (diagram not reproduced in the transcript)
24
Validation Composition
Figure: Pers.1 Asm1 is validated by Oper.1 Clm1 under the binding
test → background investigation,
personnel quality → trustworthiness
25
Tools
26
Visual NRM Tool Architecture
  • Features
    • Central storage of assurance artifacts
    • Windows/NT Explorer-like interface to database
    • Based on familiar COTS components
    • Simple drag and drop construction
    • Hyperlinking of CAML specs
    • Automatic labeling
    • Automatic generation of Word templates
    • User defined dictionary with term highlighting
    • View diagrams at multiple levels of abstraction
    • Access to Visio shapes for constructing architectural models
    • Hyperlinking to URLs or local HTML files for detailed evidence, reasoning, models, etc.

27
Future Enhancements
Figure: planned web-based architecture. A Developer SubWeb and an Evaluator SubWeb, each behind its own Firewall on the World Wide Web, hold a Web Server with Dynamic Page Server and a Development or Evaluation (VNDB) Data Server, plus a shared Pattern Library; Clients 1..n (development) and 1..m (evaluation) run a Web Browser with Development or Evaluation Tools and Visual NRM in a Private Workspace.
  • Features
    • Platform independence (Java-based)
    • Multi-user, distributed access to generic assurance database
    • Support for pattern construction, instantiation, and composition
    • Pattern Library support
    • Incremental, evaluator review and feedback

28
Conclusion
29
Review of Visual NRM Claims
  • Visual NRM helps
    • characterize security protection provided by enterprise
      • claim decomposition incrementally refines security protections
      • rich pattern library source for expert knowledge
      • CAML graphically portrays information represented by CC PP/ST
      • VNRM approach permits trading off responsibilities among disciplines
      • CC PP/ST source for VNRM patterns
    • identify security vulnerabilities of enterprise
      • assumptions not validated
      • reasoning must assure that sub-claims or evidence supports claim refined, given assumptions
      • gaps in reasoning suggest missing assumption (potential vulnerability)
    • understand certainty that all security vulnerabilities are identified
      • reasoning and evidence permit qualitative assessment, e.g., legal field
        • Substantial Evidence (a considerable amount)
        • Preponderance of Evidence (more than the evidence against)
        • Clear and Convincing Evidence (what a reasonable person would believe)
        • Evidence Beyond a Reasonable Doubt (no reasonable person can doubt)

30
Review of Visual NRM Claims (cont.)
  • Visual NRM helps
    • trade off function, protection, vulnerability to balance mission, security, cost
      • stronger claims → ↑protection, ↓vulnerability, ↑development cost
      • stronger assumptions → ↑protection, ↑vulnerability, ↓development cost
      • mission explicitly considered in CAML spec. as needed
      • different patterns may reflect different tradeoffs
    • document security-related enterprise design decisions/rationale
      • claim refinement permits documenting strategy, context, reasoning
      • consistency across branches must be manually maintained
    • outline argument that enterprise satisfies particular security properties
      • CAML spec. decomposes properties as sequence of justified claim refinements
      • CAML reasoning and evidence holds argument together
      • CAML specifier decides where to draw line between map (overview) and evidence (details)

31
Key Benefits of Visual NRM Approach
  • Better understanding of when, how, and why
    security components and controls can be composed
    and the aggregate assurance that results
  • Improved information security design by having
    methods available to help determine the trade-off
    between alternative designs with respect to
    mitigating security vulnerabilities
  • Expanded capability to reason about the strength
    and effectiveness of different combinations of
    security services and policies
  • Reduced lifecycle cost by enabling reuse of
    independently developed components and their
    assurance arguments in composite systems
  • Freedom to use a degree of rigor chosen by the
    developer as appropriate for the application of
    interest
  • Enhanced maintainability by having argument map
    well documented and tools available that help
    predict security impact of modifications to the
    argument and suggest ways to compensate
  • Increased objectivity of system evaluation and
    accreditation decision

32
References
  • VNRM Web Site: http://chacs.nrl.navy.mil/Projects/VisualNRM
  • VNRM Users Manual: Moore, Strohmayer, Visual NRM Users Manual, NRL Technical Memorandum 5540-122aapm, Sep 1999. (VNRM Web Site under Documentation)
  • VNRM Tutorial: QuickTour, VNRM Web Site under Documentation
  • NRM: DoD, The Network Rating Methodology: a Framework for Assessing Network Security, Sep 1997. (VNRM Web Site under Related Links)
  • Assumptions/Assertions: Payne, Froscher, Landwehr, Toward a Comprehensive INFOSEC Certification Methodology, Proc. of the 16th NCSC, pages 165-172, Baltimore, MD, Sep 93. (http://www.itd.nrl.navy.mil/ITD/5540/publications/CHACS/index.html)
  • Assurance Framework: Williams, Jelen, A Framework for Reasoning about Assurance, Arca Systems, Inc. Doc. ATR 97043, Vienna, VA, Apr 1998. (http://users.erols.com/jsquared/publications/index.html)
  • GSN/SAM: Wilson, Kelly, McDermid, Safety Case Development: Current Practice, Future Prospects, in Proc. of 1st ENCRESS/5th CSR Workshop, Springer-Verlag, Sep 1995. (http://www-users.cs.york.ac.uk/tpk/newtpk.html)
  • GSN Patterns: Kelly, McDermid, Safety Case Patterns - Reusing Successful Arguments, in Proc. of IEE Colloquium on Understanding Patterns and Their Application to System Engineering, IEE Savoy Place, London, April 1998.
  • MOAT: Kienzle, Wulf, A Practical Approach to Security Assessment, Proc. of New Security Paradigms Workshop, Langdale, Cumbria, UK, Sep 1997. (http://www.cs.virginia.edu/dmk8r/)
  • General: Moore, Klinker, Mihelcic, How to Construct Formal Arguments that Persuade Certifiers, chapter in Industrial Strength Formal Methods, Academic Press, ed. Hinchey and Bowen, Sep 1999.