IEEE P2200 Basic Operating System Security BOSS - PowerPoint PPT Presentation

Slides: 13
Provided by: garys156

Transcript and Presenter's Notes

Title: IEEE P2200 Basic Operating System Security BOSS


1
IEEE P2200 Basic Operating System Security (BOSS)
  • IEEE Information Assurance Standards Workshop
  • December 4, 2003

2
Project Purpose
  • Baseline security requirements for commercial,
    off-the-shelf (COTS) operating systems
  • Identify reasonable security expectations
    expressed so multiple audiences can readily
    understand them (explicit and understandable!)
  • Provides users and industry with the "power of
    the pen" by moving OS security standards from
    government edict to community consensus

3
Project Plan
  • Starting with guidance issued by NIST written as
    a Common Criteria (CC) protection profile (PP)
  • http://www.bosswg.org/basedoc.html
  • Rest of plan: working group decides!
      • Type of OS(s): depends on who participates
      • Format: group decides
      • Contents: group decides
      • Schedule: the first order of business for
        working group
  • Final standard need not resemble the NIST document

Project will have a large say in defining itself
4
NIST Goals
  • Fulfilling our role according to the National
    Technology Transfer and Advancement Act of 1995
    (NTTAA): promote commercial standards for
    Federal use
  • Help ensure that working group has access to pros
    and cons necessary to make good decisions
  • NIST's technical goals:
      • Security expectations are explicit and
        understandable
      • Security expectations match requirements selected
      • Cost-effective assurances (evaluate only if it
        makes sense)
      • No more "C2 by '92" fiascos

NIST wants to promote participation and provide
input, not dictate
5
Issues (from BOSS website)
  • Overlaps or Conflicts with DoD Standards?
  • Must Accommodate Range of Situations
  • Must Not Be Too Restrictive
  • Must Not Inadvertently Weaken Controls

Project goal: address issues, not overlook them
6
Characteristics of Base Document
  • NISTIR 6985 COTS Security Protection Profile -
    Operating Systems (CSPP-OS)
  • (Worked Example Applying Guidance of NISTIR-6462,
    CSPP)
  • Version 1.0

7
Design Goals for Base Document
  • Specify the requirements necessary to solve the
    security problem that COTS operating systems
    (perhaps with add-on packages) can be expected to
    address in the near-term
  • Specify needs for operating systems in both
    stand-alone and distributed, multi-user
    information systems

8
Key Assumptions
  • The OS is comprised of near-term, commercial
    off-the-shelf (COTS) information technology
  • Authenticated users recognize the need for a
    secure IT environment
  • Authenticated users can be reasonably trusted to
    correctly apply the organization's security
    policies in their discretionary actions
  • Competent security administration is performed
  • Business/mission process automation is
    implemented with due regard for what cannot be
    expected of a CSPP-OS compliant OS.

9
Security Problem Addressed
  • All authenticated users are either:
      • Trusted to not maliciously attempt to circumvent
        or bypass access controls, or
      • Lack the motivation or capability for
        sophisticated penetration attempts.
  • Public access is allowed with environmental
    controls over and beyond the OS supplied security
    mechanisms.

10
Security Expectations
  • OS that can:
      • Control a community of benign (i.e., not
        intentionally malicious) authenticated users
      • Provide protection against unsophisticated,
        technical attacks
  • OS that is not expected to:
      • Provide sufficient protection against
        sophisticated, technical attacks (to include
        denial-of-service)
      • Protect against malicious abuse of authorized
        privileges

Realistic expectations are essential!
11
Specific Assurance Expectations
  • CSPP-OS is targeted for near-term achievable,
    cost-effective, COTS security. Therefore the
    assurances must:
      • be consistent with current good commercial
        practices and
      • enable evaluated products that are competitive
        against non-evaluated products with respect to
        functionality, performance, cost, and
        time-to-market.
  • CSPP-OS is intended to be consistent with current
    and near-term mutual recognition arrangement.
    This requires that the CSPP-OS assurances:
      • contain no assurance components first appearing
        in Common Criteria EAL5 or above

Achievable and Cost-effective
12
Project Contacts
  • Jack Cole, jack.cole_at_ieee.org, 410-278-9276,
    WG Chair, Sponsor Chair
  • Gary Stoneburner, Stoneburner_at_NIST.Gov,
    301-975-5394, NIST Proponent of Base Document,
    Technical Contact