D3: Principles of Secure Design

Question 1

Principles of Secure Design

Answer 1

The security requirements of an information system are driven by the security policy of the organization that will use the system

To incorporate the abstract goals of a security policy into an information system’s architecture, you will need to use security models

We serve the business, so ultimately our security stuff should reflect business objectives

Question 2

Security Model

Answer 2

A security model lays out the framework and mathematical models that act as a security related specifications for a system architecture

Question 3

System Architecture

Answer 3

The overall design of the components such as hardware, OS, applications and networks - of an information system

The design should meet the specifications provided by the security model.

Question 4

System

Answer 4

A group of individual components working together towards a common goal or outcome e.g. computers, network segments, departments

Question 5

Security Model Examples and Significance for Exam

Answer 5

State Machine Model
Bell-LaPadula Model**
Biba Model**
Clark-Wilson Model*
Brewer & Nash Model*
Information Flow Model
Non-Interference Model
Lattice Model

Question 6

State Machine Model

Answer 6

The state of a system is its snapshot at any one particular moment. The state machine model describes subjects, objects, and sequences in a system. The focus of this model is to capture the system’s state and ensure its security

When an object accepts input, the value of the state variable is modified. For a subject to access this object or modify the object value, the subject should have appropriate access rights

State transitions refer to activities that alter a system state

**Other models are built off this model
if a system starts, functions, and even fails/shuts down securely - it’s a secure system.&raquo_space; this model instructs you in that unless if you can secure a system in all 3 states, then you don’t have a secure system

A system is most difficult to secure is start-up because all security mechanisms haven’t loaded yet. During the initial load, the system is very vulnerable.

Shutdown - trusted recover, in the event of a violation of the system security, it should be shut down in a way that it protects itself e.g. blue screen of death

Question 7

Bell-LaPadula Model - Overview

• confidentiality

Answer 7

The ONLY model designed for confidentiality aka Confidentiality Model
- a former mathematical model that’s built on the state machine model. so this doesn’t mean anything unless the three states are secure.

Developed by David Elliot Bell and Len LaPadula

• this model focuses on data confidentiality and access to classified information
• a formal model developed for the DoD multilevel security policy
• this formal model divides entities in an information system into subjects and objects
• model is built on the concept of a state machine with different allowable states (i.e. secure state)

Question 8

Bell-LaPadula Model - Three Security Rules to Enforce Confidentiality

Answer 8

1. Simple Security Property - “no read up”
   - a subject cannot read data from a security level higher than subject’s security level
2. • Security Property - “no write down”
     - a subject cannot write data to a security level lower than the subject’s security level. Prevent data leakage from upper levels to lower
3. Strong * Property - “no read/write up or down”
   - a subject with read/write privilege can perform read/write functions only at the subject’s security levels.

Each rule is independent of the other, unless it’s expressly denied then it’s allowed

Having upper and lower bounds help enforce security permissions

Question 9

Biba Integrity Model - Overview

• integrity

Answer 9

The exact oppossite of BL because it focuses on integrity

Developed by Kenneth J. Biba in 1977 based on a set of access control rules designed to ensure data integrity

No subject can depend on an object of lesser integrity

Based on a hierarchal lattice of integrity levels

authorized users must perform correct and safe procedures to protect data integrity

Question 10

Biba Integrity Model - Three Security Rules to Enforce Integrity

Answer 10

Focus on protecting the integrity/sanctity of our knowledge base

Simple Integrity Axiom - “no read down” a subject cannot read data from an object of lower integrity level
- implies and encourages you can read above you

• Integrity Axiom - “no write up” - a subject cannot write data to an object at a higher integrity level

Invocation property - a subject cannot invoke (call upon) subjects at a higher integrity level

Question 11

Clark Wilson Security Model

• integrity

Answer 11

Integrity Model

Model Characteristics:

• Clark Wilson enforces well-informed transactions through the use of the access triple:
• user > transformation procedure > CDI (constrained data item) > deals with all three integrity goals

Separation of Duties

• prevent unauthorized users from making modifications
• prevents authorized users from making improper modifications
• maintain internal and external consistency - reinforces separation of duties

SIMPLY PUT - Keep users out of your stuff or they’ll break it; for example. amazon does not give you access to our stuff and instead uses a trusted interface AKA the frontend
- if amazon allowed free text, people would input information in all different types of formats and a database wouldn’t know what that means. so they give you a drop down, or limit a username field to just 12 characters

EXAM - untrusted entity does not get to access a trusted entity;

User > Interface > Stuff

API: Application Programming Interface - letting an untrusted application to provide access to trusted resources

Question 12

Brewer Nash

• SoDs

Answer 12

Commercial Models: Brewer-Nash

Brewer-Nash Model - aka Chinese Wall
- developed to combat conflict of interest in databases housing competitor information

Publish in 1989 to ensure fair competition

Defines a wall and a sat of rules to ensure that no
subject accesses objects on the other side of the wall
way of separating competitions data within the same integrated database

Shouldn’t go from Visa, recording information, Citi, recording information, etc. - seems like a conflict of interest

Question 13

Information Flow Model

Answer 13

• most likely not testable
• data is compartmentalized based on classification and the need to know

model seeks to eliminate covert channels

model ensures that information always flows from a low security level to higher integrity level to a high integrity level

Whatever component directly affects the flow of information must dominate all components involved with the flow of information

Question 14

Non-interference Model

Answer 14

*most likely not testable

Model Characteristics

• model ensures that actions at a higher security level does not interfere with the actions at a lower security level
• the goal of this model is to protect the state of an entity at the lower security level by actions at the higher security level so that data does not pass through covert or timing channels

Question 15

Lattice Model

Answer 15

*most likely not testable

Model consists of a set of objects constrained between the least upper bound and the greatest lower bound values

the least upper bound is the value that defines the least level of object access rights granted to a subject

the goal of this model is to protect the confidentiality of an object and only allow access by an authorized subject

Question 16

Security Architecture

Answer 16

Security Architecture directs how the components included in the system architecture should be organized to ensure that security requirements are met. The security architecture of an information system should include:

• a description of the locations in the overall architecture where security measures should be placed
• a description of how various components of the architecture should interact to ensure security
• the security specifications to be followed when designing and developing a system

Question 17

Computer Architecture Terminology

Answer 17

Program (app) > Process (loaded program) > Thread (process instructions)

• Program: An application, e.g. Word
• Process: a program loaded into memory
• Thread: Each individual instruction within a process

Multiprogramming: appearance of multiple programs running but they aren’t > no true isolation. Windows appeared open, but weren’t running because the OS didn’t have the means to isolate each process its own set of resources.
– Multi-tasking: you really are running multiple programs and each are allocated its own sets of resources.

Multiprocessing: more than one CPU

Multithreading: If you want to run threads simultaneously. In the past, multiple CPUs were needed - today multi-core processors provide this.

Operating System Architecture
Process Activity
Memory Management
Memory Types - RAM, ROM, etc.
Virtual memory
CPU modes & Protection Rings

Question 18

CPU Modes & Protection Rings

Answer 18

Protection Rings: provide a security mechanisms for an OS by creating boundaries between the various processes operating on a system and also ensures that processes do not affect each other or harm critical system components

Ring 0: Most Privileged - Operating system kernel (supervisor/privilege mode).
- Trusted Computer Base (TCB) - your system is only as trustworthy as your processor, bias, OS kernel

Ring 1: remaining parts of the OS e.g. executive function- memory management
Ring 2: OS and I/O drivers and OS utilities
Ring 3: Least Trusted: Application (programs) and user activity

Clark Wilson - can the inner rings access the outer rings? Yes, but not the only way around

Today, there are only two rings - trusted or not trusted

Question 19

System Architecture - Important Concepts

Answer 19

Trusted Computing Base (TCB)
- firmware - system bios
- hardware - CPU and memory
- specific elements that drive and enforce the security policy
 Security Perimeter
- the fence that isolates the TCB

Defined Subset of Subjects and Objects
- anytime a subject calls on an object, two components of the OS kernel are called into play: reference monitor and the security kernel

Reference Monitor: the LAW, all the rules that controls access to resources. This is checked every time a subject accesses a protected object

Security Kernel: the POLICE, the security kernel enforces AND invokes the reference monitor concept. Has 3 main requirements:

• must facilitate isolation of processes; must be able to allow and deny access as required
• must be invoked at every access attempt
• must be small enough to be tested and verified in a comprehensive manner

Security Policy: a set of rules on how resources are managed within a computer system.

Least Privilege: on process has no more privileges than it needs

Question 20

Secure Modes of Operation

Answer 20

State = Classification

Single State

• one classification of data
• a filing cabinet with one drawer and everything is top secret - need to have clearance for everything in that system

Multi-State
- filing cabinet with multiple drawers; need clearance for drawers with the same level

Compartmented

• need to know; not enough to have top secret clearance unless there is a need to know
• systems that can understand different levels of ‘need to know’ along with clearances and classifications
• have to have an additional way to determine need-to-know outside of clearance

Dedicated
- a system that doesn’t need to differentiate ‘need to know’ buckets

Combos
- single state compartmented; need to have clearance for everything but need-to-know
single state dedicated - need clearance and need-to-know for everything
- multistate compartmented - clearance for drawer you’ll access, and need to know for what you’ll access
- multi-state dedicated - clearance for what you will access and need-to-know for everything at that level

Question 21

Evaluation Criteria

Answer 21

Why Evaluate? To carefully examine the security-related components of a system

• trust vs. assurance: the two elements that are evaluated
• trust: the function of the product; what does the product do?
• assurance: the reliability of the process; was the product designed well with reliable processes
• Example: a product that is SUPER cool, but broke after the first week = high trust, low assurance

CMMI: maturity of processes, will determine maturity of product and assurance in product

The Orange Book (TCSEC)
The Orange Book & Rainbow Series
ITSEC (InfoTech Security Evaluation Criteria)
Common Criteria

Question 22

Trusted Computer Security Evaluation Criteria (TCSEC)

Answer 22

Developed by the National Computer Security Center
AKA the Orange Book

Based on the Bell-LaPadula model (deals only with confidentiality

Uses a hierarchically ordered series of evaluation classes

Defines Trust and Assurance, but does not allow for them to be evaluated independently

Not ideal, because it didn’t look at trust and assurance separately and it was like a report card with grades - no context

Ratings:
A1: verified protection
B1, B2, B3: mandatory protection
- b1 is lowest, b2 adds on, etc
C1, C2: discretionary protection
D: minimal security

Question 23

IT Security Evaluation Criteria (ITSEC)

Answer 23

Created by a collection of European nations in 1991 as a standard to evaluate security attributes of computer systems

The first Criteria to evaluate functionality and assurance separately

F1 to F10 rates for functionality
E0 to E6 for assurance

Question 24

Common Criteria ISO 15408

Answer 24

International Standard

Protection Profile: system requirements from Agency or Customer

Target of Evaluation (ToE): System Designed by Vendor based on Protection Profile

Security Target Documentation: Documents how ToE meets Protection Profile; how vendor is filling the need

Evaluation Assurance Level (EAL 1-7): objective third-party describes the level to which ToE meets Protection Profile

Designed to work based on the need of the agency

WHATEVER THE EXAM QUESTION; ANSWER IS EAL 4

EXAMPLE:

Protection Profile: Agency wants a phone case that won’t break
ToE: a case created that can’t break
EAL 1-3 - simple tests getting more aggressive; 1 ft drop, 5 ft drop,
EAL 4: certain degree of testing; dropped from rooftop
EAL 5: 10 story drops and shatters

why not build a level 7 case? not worth the price

Question 25

Common Criteria EAL Ratings

Answer 25

WHATEVER THE EXAM QUESTION; ANSWER IS EAL 4

EAL 1: functionally tested

2: structurally tested
3: methodically tested and checked
4: methodically designed, tested, and reviewed
5: semi-formally designed and tested
6: semi-formally verified, designed and tested
7: formally verified, designed and tested

Question 26

Certification and Accreditation

Answer 26

Certification: a process that ensures systems and major applications adhere to formal and established security requirements that are well documented and authorized

• is usually performed by the vendor
• technical review of the security mechanisms of a product

Accreditation/Authorization: a formal declaration by a Designated Accrediting Authority (DAA) that info systems are approved to operate at an acceptable level of risk based on the implementation of an approved set of technical, managerial, and procedural safeguards
- management’s approval of a product