COMP4690, HKBU 1 Chapter 3 Security Architecture and Models
Jan 05, 2016
COMP4690, HKBU 1
Chapter 3
Security Architecture and Models
COMP4690, HKBU 2
Overview Building an information system requires a balance among various
requirements: capability, flexibility, performance, ease of use, cost, and security.
Security architecture: a view of an overall system architecture from a security perspective. It is fundamental to any information system. It describes how the system is put together to satisfy the security
requirement. It describes at an abstract level the relationships between key elements
of the hardware, operating systems, applications, network, etc., to protect the organization’s interests.
It describes how the functions in the system development process follow the security requirements.
Security model: a statement that outlines the requirements necessary to properly support a security policy. It provides a deeper explanation of how a computer system should be developed to properly support a specific security policy.
COMP4690, HKBU 3
Main Topics
Information protection environment Computer organization & architecture Software Distributed systems
Security models Confidentiality models Integrity models Information flow models
Security Technology and Tools Assurance, Trust, and Confidence Mechanisms
COMP4690, HKBU 4
Computer organization & architecture Architecture is those attributes visible to the
programmer Instruction set, number of bits used for data representation,
I/O mechanisms, addressing techniques. e.g. Is there a multiply instruction?
Organization is how features are implemented Control signals, interfaces, memory technology. e.g. Is there a hardware multiply unit or is it done by
repeated addition? E.g.
All Intel x86 family share the same basic architecture The IBM System/370 family share the same basic
architecture
COMP4690, HKBU 5
Computer Components
COMP4690, HKBU 6
Computer Components
CPU Arithmetic logic unit (ALU): performs arithmetic
and logical operations Control logic Registers: general-purpose registers, instruction
register, program counter, accumulators
COMP4690, HKBU 7
Memory
Cache Relatively small amount of very high speed RAM To reduce the apparent main memory access time
RAM: random access memory Volatile: data is lost if power is off Dynamic RAM (DRAM) vs. Static RAM (SRAM)
PLD: programmable logic device ROM: Read Only Memory PAL: Programmable Array Logic CPLD: Complex Programmable Logic Device FPGA: Field Programmable Gate Array
COMP4690, HKBU 8
Memory
ROM EPROM: erasable programmable read only
memory EAROM: electrically alterable read only memory EEPROM: electrically erasable programmable
read only memory Firmware: the programs stored on these
devices
COMP4690, HKBU 9
Memory Hierarchy
Register Cache Primary memory
directly addressable by CPU; used for the storage of instructions and data; usually RAM
Secondary memory Slower memory such as magnetic disks that provides non-
volatile storage Virtual memory
Use secondary memory in conjunction with primary memory to present a CPU with a larger address space
COMP4690, HKBU 10
Memory addressing modes Register addressing
Addressing the registers within a CPU Direct addressing
Addressing a portion of primary memory by specifying the actual address of the memory location
Absolute addressing Addressing all of the primary memory space
Indexed addressing By adding the contents of the address defined in the program’s instruction to
that of an index register Implied addressing
When operations are internal to the processor, no need to provide an address
Indirect addressing The address location that is specified in the program instruction contains the
address of the final desired location
COMP4690, HKBU 11
Instruction Cycle
Two steps: Fetch and Execute
COMP4690, HKBU 12
Review of Terms CISC: complex-instruction set computer
Uses instructions that perform many operations per instruction RISC: reduced-instruction set computer
Uses instructions that are simpler and require fewer clock cycles to execute
Pipelining Overlapping the steps of different instructions
Scalar Processor A processor that executes one instruction at a time
Superscalar Processor A processor that enables concurrent execution of multiple
instructions in the same pipeline stage as well as in different pipeline stages
COMP4690, HKBU 13
Review of Terms
Multitasking Multiprogramming Multiprocessing Multithreading
COMP4690, HKBU 14
CPU Modes and Protection Rings Operating system needs to ensure that processes do not
negatively affect each other or the critical components of the system itself
Protection Rings Provide strict boundaries and definitions on what the processes
that work within each ring can access and what commands they can successfully execute
The processes that operate within the inner rings have more privileges than the processes operating in the outer rings.
Privileged mode Execute within the inner rings
User mode Execute in the outer rings
COMP4690, HKBU 15
Input/Output System
Programmed IO Interrupt Direct memory access
COMP4690, HKBU 16
Software
High-level language a = b + c; d = a – e;
Assembly language add a, b, c sub d, a, e
Machine language 00000010001100100100000000100000 layout of the instruction is called instruction format
Compiler
Assembler / Linker
COMP4690, HKBU 17
Open and Closed Systems
Open System Vendor-independent systems Have published specifications and interfaces Subject to review and evaluation by independent
parties Closed System
Use vendor-dependent proprietary hardware and/or software
Not compatible with other systems or components May have vulnerabilities that are not known
COMP4690, HKBU 18
Some Concerns
Desktop systems can contain sensitive information Users may generally lack security awareness A desktop PC can provide an avenue of access into
critical information systems of an organization Downloading data from the Internet increases the
risk of infecting corporate systems A desktop system may not be protected from
physical intrusion or theft May lack of proper backup
COMP4690, HKBU 19
Some security mechanisms Email and download/upload policies Robust access control File encryption Separation of the processes that run in privileged or non-privileged processor
states Protection of sensitive disks by locking Distinct labeling of disks and materials according to their classification A centralized backup of desktop system files Regular security awareness training sessions Control of software installed on desktop systems Logging of transactions and transmissions Database management systems restricting access to sensitive information Protection against environmental damage to computers and media Use of formal methods for software development and application Inclusion of desktop systems in disaster recovery and business continuity plans
COMP4690, HKBU 20
Information Security Models Security Policy:
A high-level statement of enterprise beliefs, goals, and objectives and the general means for their attainment for a specified subject area.
Security models are used to formalize security policies, and to provide a framework for the understanding of fundamental concepts.
Access models Integrity models Information flow models
Object: a passive entity such as a file or a storage resource Subject: an active entity that is seeing rights to a resource or
object. It can be a person, a program, or a process.
COMP4690, HKBU 21
Access Control Models
Access matrix
Object
Subject
File Income File Salaries Process Deductions
Print Server A
Joe Read Read/Write Execute Write
Jane Read/Write Read None Write
Process Check
Read Read Execute None
Program Tax
Read/Write Read/Write Call Write
COMP4690, HKBU 22
Access Control Models
Bell-LaPadula Model Developed to formalize the U.S. Department of Defense
(DoD) multilevel security policy Only deals with confidentiality of classified material.
Doesn’t address integrity or availability. Built on the state machine concept:
A set of allowable state is defined in a system The transition from one state to another upon receipt of an
input is defined by transition functions The objective is to ensure that the initial state is secure and
that the transitions always result in a secure state
COMP4690, HKBU 23
Bell-LaPadula Model (Cont.)
High Sensitivity Level
Medium Sensitivity Level
Low Sensitivity Level
WriteOK
ReadOK
Simple security property: reading of information by a subject at a lower sensitivity level from an object at a higher sensitivity level is not permitted (no read up)
* (star) security property: writing of information by a subject at a higher level of sensitivity to an object at a lower level of sensitivity is not permitted (no write down) – too restrictive
Discretionary security property: uses an access matrix to specify discretionary access control
WriteOK
(violate * property by Trusted Subject)
COMP4690, HKBU 24
Integrity Models
Biba Integrity Model Three integrity axioms:
Simple integrity axiom: a subject at one level of integrity is not permitted to read an object of a lower integrity (no read down)
* (star) integrity axiom: an object at one level of integrity is not permitted to modify an object of a higher level of integrity (no write up)
A subject at one level of integrity cannot invoke a subject at a higher level of integrity
COMP4690, HKBU 25
Biba Integrity Model (cont.)
High Integrity Level
Medium Integrity Level
Low Integrity Level
ReadOK
WriteOK
Subject
Subject
InvokeNOTOK
COMP4690, HKBU 26
Information Flow Models
Based on a state machine Consists of objects, stat transitions, and
lattice (flow policy) states Each object is assigned a security class and
value, and information is constrained to flow in the directions that are permitted by the security policy
COMP4690, HKBU 27
(cont.)
Confidential(Project X)
Confidential
Unclassified
Confidential(Task 2, Project X)
Confidential(Task 1, Project X)
COMP4690, HKBU 28
Security Technology and Tools
Operating System Protection Memory Protection CPU and I/O Device Protection Application Layer Protection Storage Device Protection Network Protection
COMP4690, HKBU 29
Operating System Protection Three security technologies are used to protect security features
Trusted Computing Base (TCB): the totality of protection mechanisms within a computer system. The TCB maintains the confidentiality and integrity and monitors four basic
functions: Process activation, Execution domain switching, Memory protection, I/O operations
Reference Monitor an access control concept referring to an abstract machine that mediates all
accesses to objects by subjects based on information in an access control database
Security Kernel The hardware, firmware, and software elements of a TCB implementing the
reference monitor concept. It must mediate all accesses (completeness), must be protected from
modification (isolation), must be verifiable as correct (verifiable). The reference monitor is an abstract concept; the security kernel is the
implementation of the reference monitor; and the TCB contains the security kernel along with other protection mechanisms.
COMP4690, HKBU 30
General operating system protection
User identification and authentication Mandatory access control Discretionary access control Complete mediation Object reuse protection Audit Protection of audit logs Audit log reduction Trusted path Intrusion detection
COMP4690, HKBU 31
Memory Protection For single-task system
To prevent the user’s programs from affecting the operating system For multitasking system
To isolate the process’s memory areas from each other Hardware techniques were developed to provide memory protection
In privileged state, only operating system can perform the operations that were critical to controlling and maintaining the protection mechanisms
For multi-user systems, various controls must be built into the operating system for memory protection: Every reference is checked for protection Many different data classes can be assigned different levels of protection Two or more users can share access to the same segment with potentially
different access rights Users cannot access a memory or address segment outside what has been
allocated for them
COMP4690, HKBU 32
CPU and I/O Device Protection The protections for the I/O devices are based on the type of
processor. E.g., Intel 80486 is a 32-bit processor, which defines four
privilege levels (rings). Software could be assigned to the levels as
0 = operating system kernel 1 = I/O drivers 2 = rest of the operating system 3 = application software
If an application in ring 3 needs a service from the operating system in ring 1, it can only invoke some system subroutines and the current privilege level will change from 3 to 1. After returning from the subroutine, the privilege level is changed back to 3.
COMP4690, HKBU 33
Application Layer Protection
All input received from a source external to the application must be validated prior to processing.
Possible sources of data include: User input through data entry screens Output generated by an external program Access requests from an external program Operating system environment Command parameters
Input checking Verify that the input is of the proper type and within
specified ranges
COMP4690, HKBU 34
Storage Device Protection
Access to servers, workstations, and mobile computer storage devices needs security protection such as Removable storage media Encryption software for protection of sensitive files Physical locking devices Locking portable devices in a desk or file cabinet Fixed disk systems may need additional protection
such as lockable enclosures
COMP4690, HKBU 35
Network Protection
Data transmission controls Hash totals Recording of sequence checking Transmission logging Transmission error correction Invalid login, modem error, lost connections, CPU
failure, disk error, line error, etc. Retransmission control
COMP4690, HKBU 36
Assurance, Trust, and Confidence Mechanisms It is important to verify whether the architecture is
secure. Evaluation methods have been developed to assure
that the products provide the necessary security requirements. What is to be evaluated? A product or a system?
A product could be a specific operating system. A system means a collection of products that together meet
the specific requirements of a given application. Available evaluating methods
Trusting the advertisements from the manufacturer/vendor Performing system tests internally within the organization Trusting an impartial, independent assessment authority
COMP4690, HKBU 37
Trusted Computer Security Evaluation Criteria (TCSEC) Produced by National Computer Security Center (NCSC) of U.S. Department of
Defense in 1985, also known as the “orange book”. It only addressed confidentiality, but it provided guidelines for the evaluation of security products, such as hardware and operating systems.
Some criteria: Security policy Marking of objects: labels indicate the sensitivity of objects Identification of subjects: subjects must be identified and authenticated Accountability: security-related events must be contained in audit logs Assurance: operational assurance, lifecycle assurance Documentation Continuous protection
Four security divisions (seven security classes) A: verified protection, the highest assurance level B: mandatory protection (B1, B2, B3), B3 the highest C: discretionary protection (C1, C2), C2 (controlled access protection) is the most
reasonable class for commercial applications D: minimal protection
COMP4690, HKBU 38
Trusted Network Interpretation (TNI) The red book, published in 1987 Using orange book as the basis, it addresses
network and telecommunications. Key features:
Integrity: biba model for integrity Labels: to guarantee mandatory access controls Other security services
Communication integrity: authentication, integrity, non-repudiation
Denial-of-service: continuity of operation, protocol-based protection, and network management
Compromise protection: data confidentiality and traffic confidentiality
COMP4690, HKBU 39
Information Technology Security Evaluation Criteria (ITSEC)
Endorsed by the Council of the European Union in 1995
Includes the concepts from TCSEC, but more flexible
It includes integrity and availability as security goals, along with confidentiality.