CHAPTER 4_Security Architecture and Design Flashcards
Bullets: Stack
Memory segment used by processes to communicate instructions and data to each other.
Bullets: Packages—EALs
Functional and assurance requirements are bundled into packages for reuse. This component describes what must be met to achieve specific EAL ratings.
Bullets: The *-property rule
A subject cannot write to an object at a lower security level (no write down).
Bullets: Rationale
Justifies the profile and gives a more detailed description of the real-world problem to be solved. The environment, usage assumptions, and threats are illustrated along with guidance on the security policies that can be supported by products and systems that conform to this profile.
Bullets: Noninterference model
This formal multilevel security model states that commands and activities performed at one security level should not be seen by, or affect, subjects or objects at a different security level.
Bullets: Unconstrained data items (UDIs)
Can be manipulated by users via primitive read and write operations
Bullets: Transformation procedures (TPs)
Programmed abstract operations, such as read, write, and modify
Emphasis: Isn’t the Orange Book Dead?
We have moved from the Orange Book to the Common Criteria in the industry, so a common question is, “Why do I have to study this Orange Book stuff?” The Orange Book was the first evaluation criteria and was used for 20 years. Many of the basic terms and concepts that have carried through originated in the Orange Book. And we still have several products with these ratings that eventually will go through the Common Criteria evaluation process.
Explanations: Clark-Wilson Model
The Clark-Wilson model was developed after Biba and takes some different approaches to protecting the integrity of information. This model uses the following elements:
Emphasis: Bell-LaPadula vs. Biba
The Bell-LaPadula model is used to provide confidentiality. The Biba model is used to provide integrity. The Bell-LaPadula and Biba models are informational flow models because they are most concerned about data flowing from one level to another. Bell-LaPadula uses security levels, and Biba uses integrity levels. It is important for CISSP test takers to know the rules of Biba and Bell-LaPadula. Their rules sound similar: simple and * rules—one writing one way and one reading another way. A tip for how to remember them is that if the word “simple” is used, the rule is talking about reading. If the rule uses * or “star,” it is talking about writing. So now you just need to remember the reading and writing directions per model.
Bullets: Monolithic
All operating system processes run in kernel mode.
Explanation Bullets: The following list shows the different types of functionalities and assurance items tested during an evaluation:
- Security functional requirements
- Identification and authentication
- Audit
- Resource utilization
- Trusted paths/channels
- User data protection
- Security management
- Product access
- Communications
- Privacy
- Protection of the product’s security functions
- Cryptographic support
- Security assurance requirements
- Guidance documents and manuals
- Configuration management
- Vulnerability assessment
- Delivery and operation
- Life-cycle support
- Assurance maintenance
- Development
- Testing
Explanations: Programmable I/O
If an operating system is using programmable I/O, this means the CPU sends data to an I/O device and polls the device to see if it is ready to accept more data. If the device is not ready to accept more data, the CPU wastes time by waiting for the device to become ready. For example, the CPU would send a byte of data (a character) to the printer and then ask the printer if it is ready for another byte. The CPU sends the text to be printed one byte at a time. This is a very slow way of working and wastes precious CPU time. So the smart people figured out a better way: interrupt-driven I/O.
Emphasis: Programmable read-only memory (PROM)
Programmable read-only memory (PROM) is a form of ROM that can be modified after it has been manufactured. PROM can be programmed only one time because the voltage that is used to write bits into the memory cells actually burns out the fuses that connect the individual memory cells. The instructions are “burned into” PROM using a specialized PROM programmer device.
Bullets: Stakeholder
Individual, team, or organization (or classes thereof) with interests in, or concerns relative to, a system.
Explanations: Compartmented Security Mode
Our system has various classifications of data, and each individual has the clearance to access all of the data, but not necessarily the need to know.
Emphasis: Memory Protection Techniques
Since your whole operating system and all your applications are loaded and run in memory, this is where the attackers can really do their damage. Vendors of different operating systems (Windows, Unix, Linux, Macintosh, etc.) have implemented various types of protection methods integrated into their memory manager processes. For example, Windows Vista was the first version of Windows to implement address space layout randomization (ASLR), which was first implemented in OpenBSD.
Explanation Bullets: The goals of memory management are to
- Provide an abstraction level for programmers
- Maximize performance with the limited amount of memory available
- Protect the operating system and applications loaded into memory
Bullets: Symmetric mode multiprocessing
When a computer has two or more CPUs and each CPU is being used in a load-balancing method.
Explanations: Random Access Memory
Random access memory (RAM) is a type of temporary storage facility where data and program instructions can temporarily be held and altered. It is used for read/write activities by the operating system and applications. It is described as volatile because if the computer’s power supply is terminated, then all information within this type of memory is lost.
Bullets: Labels
Access control labels must be associated properly with objects.
Emphasis: ISO/IEC 15408-2
ISO/IEC 15408-2 defines the security functional requirements that will be assessed during the evaluation. It contains a catalog of predefined security functional components that maps to most security needs. These requirements are organized in a hierarchical structure of classes, families, and components. It also provides guidance on the specification of customized security requirements if no predefined security functional component exists.
Emphasis: integrity
The Biba model was developed after the Bell-LaPadula model. It is a state machine model similar to the Bell-LaPadula model. Biba addresses the integrity of data within applications. The Bell-LaPadula model uses a lattice of security levels (top secret, secret, sensitive, and so on). These security levels were developed mainly to ensure that sensitive data were only available to authorized individuals. The Biba model is not concerned with security levels and confidentiality, so it does not base access decisions upon this type of lattice. Instead, the Biba model uses a lattice of integrity levels.
Bullets: Trusted computing base
A collection of all the hardware, software, and firmware components within a system that provide security and enforce the system’s security policy.
Emphasis: CPU Operation Modes
As stated earlier, the CPU provides the ring structure architecture and the operating system assigns its processes to the different rings. When a process is placed in ring 0, its activities are carried out in kernel mode, which means it can access the most critical resources in a nonrestrictive manner. The process is assigned a status level by the operating system (stored as PSW) and when it needs to interact with the CPU, the CPU checks its status to know what it can and cannot allow the process to do. If the process has the status of user mode, the CPU will limit the process’s access to system resources and restrict the functions it can carry out on these resources.
Emphasis: Harrison-Ruzzo-Ullman (HRU)
The Harrison-Ruzzo-Ullman (HRU) model deals with access rights of subjects and the integrity of those rights. A subject can carry out only a finite set of operations on an object. Since security loves simplicity, it is easier for a system to allow or disallow authorization of operations if one command is restricted to a single operation. For example, if a subject sent command X, which only required the operation of Y, this is pretty straightforward and allows the system to allow or disallow this operation to take place. But, if a subject sent a command M and to fulfill that command, operations N, B, W, and P had to be carried out, then there is much more complexity for the system to decide if this command should be authorized. Also the integrity of the access rights needs to be ensured, so in this example if one operation cannot be processed properly, the whole command fails. So while it is easy to dictate that subject A can only read object B, it is not always so easy to ensure each and every function supports this high-level statement. The HRU model is used by software designers to ensure that no unforeseen vulnerability is introduced and the stated access control goals are achieved.
Bullets: Arithmetic logic unit (ALU)
Component of the CPU that carries out logic and mathematical functions as they are laid out in the programming code being processed by the CPU.
Explanations: Trust and Assurance
I trust that you will act properly; thus, I have a high level of assurance in you.
Response: You are such a fool.
Explanations: Security Modes of Operation
A multilevel security system can operate in different modes depending on the sensitivity of the data being processed, the clearance level of the users, and what those users are authorized to do. The mode of operation describes the security conditions under which the system actually functions.
Emphasis: multilevel security mode
A system is operating in multilevel security mode when it permits two or more classification levels of information to be processed at the same time when not all of the users have the clearance or formal approval to access all the information being processed by the system. So all users must have formal approval, NDA, need-to-know, and the necessary clearance to access the data that they need to carry out their jobs. In this mode, the user cannot access all of the data on the system, only what she is cleared to access.
Emphasis: separation of duties
A well-formed transaction is a series of operations that are carried out to transfer the data from one consistent state to the other. If Kathy transfers money from her checking account to her savings account, this transaction is made up of two operations: subtract money from one account and add it to a different account. By making sure the new values in her checking and savings accounts are accurate and their integrity is intact, the IVP maintains internal and external consistency. The Clark-Wilson model also outlines how to incorporate separation of duties into the architecture of an application. If we follow our same example of banking software, if a customer needs to withdraw over $10,000, the application may require a supervisor to log in and authenticate this transaction. This is a countermeasure against potential fraudulent activities. The model provides the rules that the developers must follow to properly implement and enforce separation of duties through software procedures.
Bullets: Preemptive multitasking
Multitasking scheduling scheme used by operating systems to allow for computer resource time slicing. Used in newer, more stable operating systems.
Bullets: Identification
Individual subjects must be uniquely identified.
Bullets: Interrupt
Software or hardware signal that indicates that system resources (i.e., CPU) are needed for instruction processing.
Emphasis: Computer security
Computer security can be a slippery term because it means different things to different people. Many aspects of a system can be secured, and security can happen at various levels and to varying degrees. As stated in previous chapters, information security consists of the following main attributes:
Bullets: Brewer and Nash model
This model allows for dynamically changing access controls that protect against conflicts of interest. Also known as the Chinese Wall model.
Emphasis: Division A: Verified Protection
Formal methods are used to ensure that all subjects and objects are controlled with the necessary discretionary and mandatory access controls. The design, development, implementation, and documentation are looked at in a formal and detailed way. The security mechanisms between B3 and A1 are not very different, but the way the system was designed and developed is evaluated in a much more structured and stringent procedure.
Bullets: Traffic flow confidentiality
Ensures that unauthorized entities are not aware of routing information or frequency of communication via traffic analysis. Mechanisms include padding messages, sending noise, or sending false messages.
Bullets: Evaluation assurance requirements
Establishes the type and intensity of the evaluation.
Emphasis: Abstraction
Abstraction means that the details of something are hidden. Developers of applications do not know the amount or type of memory that will be available in each and every system their code will be loaded on. If a developer had to be concerned with this type of detail, then her application would be able to work only on the one system that maps to all of her specifications. To allow for portability, the memory manager hides all of the memory issues and just provides the application with a memory segment. The application is able to run without having to know all the hairy details of the operating system and hardware it is running on.
Bullets: Authentication
Protects against masquerading and playback attacks. Mechanisms include digital signatures, encryption, timestamp, and passwords.
Bullets: Security functional requirements
Individual security functions which must be provided by a product.
Emphasis: Read-Only Memory
Read-only memory (ROM) is a nonvolatile memory type, meaning that when a computer’s power is turned off, the data are still held within the memory chips. When data are written into ROM memory chips, the data cannot be altered. Individual ROM chips are manufactured with the stored program or routines designed into it. The software that is stored within ROM is called firmware.
Bullets: Clark-Wilson model
This integrity model is implemented to protect the integrity of data and to ensure that properly formatted transactions take place. It addresses all three goals of integrity:
Bullets: Virtual memory
Combination of main memory (RAM) and secondary memory within an operating system.
Explanations: Lattice Model
A lattice is a mathematical construct that is built upon the notion of a group. The most common definition of the lattice model is “a structure consisting of a finite partially ordered set together with least upper and greatest lower bound operators on the set.”
Bullets: ISO/IEC 42010:2007
International standard that provides guidelines on how to create and maintain system architectures.
Goals of Integrity Models: The following are the three main goals of integrity models:
- Prevent unauthorized users from making modifications
- Prevent authorized users from making improper modifications (separation of duties)
- Maintain internal and external consistency (well-formed transaction)
Emphasis: Operating System Architectures
We started this chapter by looking at system architecture approaches. Remember that a system is made up of all the necessary pieces for computation: hardware, firmware, and software components. The chapter moved into the architecture of a CPU, which just looked at the processor. Now we will look at operating system architectures, which deal specifically with the software components of a system.
Bullets: Cache memory
Fast and expensive memory type that is used by a CPU to speed up read and write operations.
Emphasis: Why Put a Product Through Evaluation?
Submitting a product to be evaluated against the Orange Book, Information Technology Security Evaluation Criteria, or Common Criteria is no walk in the park for a vendor. In fact, it is a really painful and long process, and no one wakes up in the morning thinking, “Yippee! I have to complete all of the paperwork that the National Computer Security Center requires so my product can be evaluated!” So, before we go through these different criteria, let’s look at why anyone would even put themselves through this process.
Emphasis: strong star property rule
The *-property rule (star property rule) states that a subject in a given security level cannot write information to a lower security level. The simple security rule is referred to as the “no read up” rule, and the *-property rule is referred to as the “no write down” rule. The third rule, the strong star property rule, states that a subject that has read and write capabilities can only perform those functions at the same security level; nothing higher and nothing lower. So, for a subject to be able to read and write to an object, the clearance and classification must be equal.
Emphasis: Security Kernel
The security kernel is made up of hardware, software, and firmware components that fall within the TCB, and it implements and enforces the reference monitor concept. The security kernel mediates all access and functions between subjects and objects. The security kernel is the core of the TCB and is the most commonly used approach to building trusted computing systems. The security kernel has three main requirements:
Bullets: Time-of-check/time-of-use (TOC/TOU) attack
Attacker manipulates the “condition check” step and the “use” step within software to allow for unauthorized activity.
Emphasis: buffer overflow
A buffer overflow takes place when too much data are accepted as input to a specific process. A buffer is an allocated segment of memory. A buffer can be overflowed arbitrarily with too much data, but for it to be of any use to an attacker, the code inserted into the buffer must be of a specific length, followed up by commands the attacker wants executed. So, the purpose of a buffer overflow may be either to make a mess, by shoving arbitrary data into various memory segments, or to accomplish a specific task, by pushing into the memory segment a carefully crafted set of data that will accomplish a specific task. This task could be to open a command shell with administrative privilege or execute malicious code.
Emphasis: Other Types of Covert Channels
Although we are looking at covert channels within programming code, covert channels can be used in the outside world as well. Let’s say you are going to attend one of my lectures. Before the lecture begins, you and I agree on a way of communicating that no one else in the audience will understand. I tell you that if I twiddle a pen between my fingers in my right hand, that means there will be a quiz at the end of class. If I twiddle a pen between my fingers in my left hand, there will be no quiz. It is a covert channel, because this is not a normal way of communicating and it is secretive. (In this scenario, I would twiddle the pen in both hands to confuse you and make you stay after class to take the quiz all by yourself. Shame on you for wanting to be forewarned about a quiz!)
Bullets: *-integrity axiom
A subject cannot write data to an object at a higher integrity level (referred to as “no write up”).
Emphasis: Certification vs. Accreditation
We have gone through the different types of evaluation criteria that a system can be appraised against to receive a specific rating. This is a very formalized process, following which the evaluated system or product will be placed on an EPL indicating what rating it achieved. Consumers can check this listing and compare the different products and systems to see how they rank against each other in the property of protection. However, once a consumer buys this product and sets it up in their environment, security is not guaranteed. Security is made up of system administration, physical security, installation, configuration mechanisms within the environment, and continuous monitoring. To fairly say a system is secure, all of these items must be taken into account. The rating is just one piece in the puzzle of security.
Explanations: Security Models
An important concept in the design and analysis of secure systems is the security model, because it incorporates the security policy that should be enforced in the system. A model is a symbolic representation of a policy. It maps the desires of the policymakers into a set of rules that a computer system must follow.
Explanations: A Few Threats to Review
Now that we have talked about how everything is supposed to work, let’s take a quick look at some of the things that can go wrong when designing a system.
Explanations: Time-of-Check/Time-of-Use Attacks
Specific attacks can take advantage of the way a system processes requests and performs tasks. A time-of-check/time-of-use (TOC/TOU) attack deals with the sequence of steps a system uses to complete a task. This type of attack takes advantage of the dependency on the timing of events that take place in a multitasking operating system.
Bullets: Central processing unit (CPU)
A silicon component made up of integrated chips with millions of transistors that carry out the execution of instructions within a computer.
Bullets: The simple integrity axiom
A subject cannot read data at a lower integrity level (no read down).
Emphasis: Reference Monitor
Up to this point we have a CPU that provides a ringed structure and an operating system that places its components in the different rings based upon the trust level of each component. We have a defined security policy, which outlines the level of security we want our system to provide. We have chosen the mechanisms that will enforce the security policy (TCB) and implemented security perimeters (interfaces) to make sure these mechanisms communicate securely. Now we need to develop and implement a mechanism that ensures that the subjects that access objects within the operating system have been given the necessary permissions to do so. This means we need to develop and implement a reference monitor.
Bullets: Extended data out DRAM (EDO DRAM)
This is faster than DRAM because DRAM can access only one block of data at a time, whereas EDO DRAM can capture the next block of data while the first block is being sent to the CPU for processing. It has a type of “look ahead” feature that speeds up memory access.
Bullets: Burst EDO DRAM (BEDO DRAM)
Works like (and builds upon) EDO DRAM in that it can transmit data to the CPU as it carries out a read option, but it can send more data at once (burst). It reads and sends up to four memory addresses in a small number of clock cycles.
Emphasis: ISO/IEC 15408-3
ISO/IEC 15408-3 defines the assurance requirements, which are also organized in a hierarchy of classes, families, and components. This part outlines the evaluation assurance levels, which is a scale for measuring assurance of TOEs, and it provides the criteria for evaluation of protection profiles and security targets.
Bullets: Hypervisor
Central program used to manage virtual machines (guests) within a simulated environment (host).
Bullets: *-property rule
A subject cannot write to an object at a lower security level (the “no write down” rule).
Bullets: Harrison-Ruzzo-Ullman model
This model shows how a finite set of procedures can be available to edit the access rights of a subject.
Bullets: Bell-LaPadula model
This is the first mathematical model of a multilevel security policy that defines the concept of a secure state and necessary modes of access. It ensures that information only flows in a manner that does not violate the system policy and is confidentiality focused.
Explanations: Memory Mapping
Okay, here is your memory, here is my memory, and here is Bob’s memory. No one use each other’s memory!
Explanations: The Central Processing Unit
Response: Black magic. It uses eye of bat, tongue of goat, and some transistors.
Emphasis: microarchitecture
The microarchitecture contains the things that make up the physical CPU (registers, logic gates, ALU, cache, etc.). The CPU knows mechanically how to use all of these parts; it just needs to know what the operating system wants it to do. A chef knows how to use all of his pots, pans, spices, and ingredients, but he needs an order from the menu so he knows how to use all of these properly to achieve the requested outcome. Similarly, the CPU has a “menu” of operations the operating system can “order” from, which is the instruction set. The operating system puts in its order (render graphics on screen, print to printer, encrypt data, etc.), and the CPU carries out the request and provides the result.
Explanation Bullets: Logical organization
- Segment all memory types and provide an addressing scheme for each at an abstraction level
- Allow for the sharing of specific software modules, such as dynamic link library (DLL) procedures
Explanations: Premapped I/O
Premapped I/O and fully mapped I/O (described next) do not pertain to performance, as do the earlier methods, but provide two approaches that can directly affect security. In a premapped I/O system, the CPU sends the physical memory address of the requesting process to the I/O device, and the I/O device is trusted enough to interact with the contents of memory directly, so the CPU does not control the interactions between the I/O device and memory. The operating system trusts the device to behave properly. Scary.
Bullets: Trusted Computer System Evaluation Criteria (TCSEC)
(aka Orange Book) U.S. DoD standard used to assess the effectiveness of the security controls built into a system. Replaced by the Common Criteria.
Bullets: Mode transition
When the CPU has to change from processing code in user mode to kernel mode. This is a protection measure, but it causes a performance hit.
Emphasis: state transitions
In state machine models, to verify the security of a system, the state is used, which means that all current permissions and all current instances of subjects accessing objects must be captured. Maintaining the state of a system deals with each subject’s association with objects. If the subjects can access objects only by means that are concurrent with the security policy, the system is secure. A state of a system is a snapshot of a system at one moment of time. Many activities can alter this state, which are referred to as state transitions. The developers of an operating system that will implement the state machine model need to look at all the different state transitions that are possible and assess whether a system that starts up in a secure state can be put into an insecure state by any of these events. If all of the activities that are allowed to happen in the system do not compromise the system and put it into an insecure state, then the system executes a secure state machine model.
Emphasis: System Architecture
In Chapter 2 we covered enterprise architecture frameworks and introduced their direct relationship to system architecture. As explained in that chapter, an architecture is a tool used to conceptually understand the structure and behavior of a complex entity through different views. An architecture description is a formal description and representation of a system, the components that make it up, the interactions and interdependencies between those components, and the relationship to the environment. An architecture provides different views of the system, based upon the needs of the stakeholders of that system.
Bullets: Maskable interrupt
Interrupt value assigned to a noncritical operating system activity.
Bullets: RAM
Memory sticks that are plugged into a computer’s motherboard and work as volatile memory space for an operating system.
Bullets: Strong star property rule
For a subject to be able to read and write to an object, the subject’s clearance and the object’s classification must be equal.
Emphasis: protection profiles
The Common Criteria uses protection profiles in its evaluation process. This is a mechanism used to describe a real-world need for a product that is not currently on the market. The protection profile contains the set of security requirements, their meaning and reasoning, and the corresponding EAL rating that the intended product will require. The protection profile describes the environmental assumptions, the objectives, and the functional and assurance level expectations. Each relevant threat is listed along with how it is to be controlled by specific objectives. The protection profile also justifies the assurance level and requirements for the strength of each protection mechanism.
Bullets: Interrupts
Values assigned to computer components (hardware and software) to allow for efficient computer resource time slicing.
Emphasis: open
Systems described as open are built upon standards, protocols, and interfaces that have published specifications. This type of architecture provides interoperability between products created by different vendors. This interoperability is provided by all the vendors involved who follow specific standards and provide interfaces that enable each system to easily communicate with other systems and allow add-ons to hook into the system easily.
Bullets: Certification
Technical evaluation of the security components and their compliance to a predefined security policy for the purpose of accreditation.
Bullets: Data hiding
Use of segregation in design decisions to protect software components from negatively interacting with each other. Commonly enforced through strict interfaces.
Bullets: Limit registers
Ending of address space assigned to a process. Used to ensure a process does not make a request outside its assigned memory boundaries.
Bullets: Closed system
Designs are built upon proprietary procedures, which inhibit interoperability capabilities.
Bullets: Development assurance requirements
Identifies the specific requirements the product or system must meet during the development phases, from design to implementation.
Bullets: Garbage collector
Tool that marks unused memory segments as usable to ensure that an operating system does not run out of memory.
Bullets: Common Criteria
International standard used to assess the effectiveness of the security controls built into a system from functional and assurance perspectives.
Bullets: Architectural description (AD)
Collection of document types to convey an architecture in a formal manner.
Bullets: Address space layout randomization (ASLR)
Memory protection mechanism used by some operating systems. The addresses used by components of a process are randomized so that it is harder for an attacker to exploit specific memory vulnerabilities.
Explanations: Covert Channels
I have my decoder ring, cape, and pirate’s hat on. I will communicate to my spy buddies with this tribal drum and a whistle.
Explanations: Relocation
- Swap contents from RAM to the hard drive as needed (explained later in the “Virtual Memory” section of this chapter)