Lecture 10 Notes Flashcards
reference monitor
part of the TCB that validates access to every resource prior to granting access requests
stands between each subject and object
may be a conceptual part of the TCB
security kernel
The collection of components in the TCB that work together to implement reference monitor functions
security perimeter
imaginary boundary that separates the TCB from the rest of the system
trusted paths
For the TCB to communicate with the rest of the system, it must create secure channels called trusted paths
TCSEC guidelines on trusted paths
Required in B2 and higher systems
State Machine Model
The state machine model describes a system that is secure in every one of its possible states, and it is based on the notion of a Finite State Machine (FSM)
A state is a snapshot of a system at a specific moment in time
Next state and output are a function of current state and input
Information Flow Model
The information flow model focuses on the flow of information
Based on a state machine model
Designed to prevent unauthorized, insecure, or restricted information flow
Bell-LaPadula and Biba Model Type
Information Flow Model
Bell-LaPadula
preventing information from flowing from a high security level to a low security level
This is accomplished by blocking lower-classified subjects from reading higher-classified objects and higher-classified subjects from writing to lower-classified objects
With these restrictions, the model is focused on maintaining the confidentiality of objects, but it does not address integrity and availability
Biba
preventing information from flowing from a low security level to a high security level
Noninterference Model
The noninterference model is loosely based on the information flow model
However, it is concerned with how the actions of a subject at a higher security level affect the system state or actions of a subject at a lower security level
The actions of a higher level subject A should not affect the actions of lower level subject B or even be noticed by B
composition theories
explain how outputs from one system relate to inputs to another system
Cascading
Input for one system comes from the output of another system
Feedback
One system provides input to another system, and vice versa
Hookup
One system sends input to another system and also to external entities
Take-Grant Model
The Take-Grant model employs a directed graph, rewritten by the take, grant, create, and remove rules, to dictate how rights can be passed
from one subject to another
from a subject to an object
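The two rules that move rights around the graph, as an added example (not part of the lecture notes): a node holding the take right `t` over a neighbour can copy any of that neighbour's rights; a node holding the grant right `g` over a neighbour can hand its own rights to that neighbour. The subjects, objects and rights below are constructed for illustration.

```python
# Added example (not from the lecture notes): a minimal Take-Grant protection
# graph with the take and grant rewriting rules. Node names and rights are
# constructed for illustration.
from collections import defaultdict


class TakeGrantGraph:
    """Directed graph: edges[(src, dst)] is the set of rights src holds over dst."""

    def __init__(self):
        self.edges = defaultdict(set)

    def add(self, src, dst, rights):
        self.edges[(src, dst)] |= set(rights)

    def rights(self, src, dst):
        return frozenset(self.edges.get((src, dst), set()))

    def take(self, x, y, z, right):
        """Take rule: if x has 't' over y and y has `right` over z,
        x acquires `right` over z."""
        if "t" in self.rights(x, y) and right in self.rights(y, z):
            self.add(x, z, {right})
            return True
        return False

    def grant(self, x, y, z, right):
        """Grant rule: if x has 'g' over y and x has `right` over z,
        x gives `right` over z to y."""
        if "g" in self.rights(x, y) and right in self.rights(x, z):
            self.add(y, z, {right})
            return True
        return False


def demo():
    g = TakeGrantGraph()
    g.add("alice", "bob", {"t"})        # alice may take from bob
    g.add("bob", "payroll", {"r"})      # bob can read the payroll object
    g.add("alice", "carol", {"g"})      # alice may grant to carol
    took = g.take("alice", "bob", "payroll", "r")       # alice acquires r over payroll
    granted = g.grant("alice", "carol", "payroll", "r") # alice passes it on to carol
    refused = g.grant("bob", "carol", "payroll", "r")   # bob holds no 'g' over carol
    return took, granted, refused, g.rights("carol", "payroll")
```

The point of the model is visible in `demo()`: carol never appears in an initial edge to `payroll`, yet two rule applications give her read access. Whether a right can ever reach a node is a reachability question over the rewritten graph, not a lookup in the starting edges.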
Access Control Matrix
An access control matrix is a table of subjects and objects indicating the actions or functions that each subject can perform on each object
access control list (ACL)
An ACL is tied to the object: it lists valid actions each subject can perform
Each column of the matrix is an access control list (ACL)
capabilities list
A capability list is tied to the subject: it lists valid actions that can be taken on each object
From an administration perspective, using only capability lists for access control is a management nightmare
To remove access to a particular object, every user (subject) that has access to it must be individually manipulated
Each row of the matrix is a capabilities list
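The same matrix sliced both ways, as an added example (not from the lecture notes): a column gives an object's ACL, a row gives a subject's capability list, and revoking all access to one object costs one operation in the ACL view but a pass over every subject in the capability view. Subjects, objects and actions are constructed.

```python
# Added example (not from the lecture notes): an access control matrix and the
# ACL (column) and capability-list (row) views of it. All names are constructed.

MATRIX = {
    # subject: {object: set of permitted actions}
    "alice": {"payroll.db": {"read", "write"}, "report.pdf": {"read"}},
    "bob":   {"report.pdf": {"read", "write"}},
    "carol": {"payroll.db": {"read"}, "report.pdf": {"read"}},
}


def acl(matrix, obj):
    """Column view: the ACL of one object, keyed by subject (stored with the object)."""
    return {s: frozenset(perms[obj]) for s, perms in matrix.items() if obj in perms}


def capability_list(matrix, subject):
    """Row view: the capability list of one subject (carried by the subject)."""
    return {o: frozenset(p) for o, p in matrix.get(subject, {}).items()}


def is_allowed(matrix, subject, obj, action):
    """The reference-monitor question: may subject perform action on obj?"""
    return action in matrix.get(subject, {}).get(obj, set())


def revoke_object_acl(acls, obj):
    """With ACLs, revoking all access to an object is one operation: drop its list."""
    return {o: a for o, a in acls.items() if o != obj}


def revoke_object_capabilities(caps, obj):
    """With capability lists every subject's list must be visited; the count of
    lists touched makes the administrative cost visible."""
    touched = 0
    for subject_caps in caps.values():
        if obj in subject_caps:
            del subject_caps[obj]
            touched += 1
    return touched


def demo():
    acls = {o: acl(MATRIX, o) for o in ("payroll.db", "report.pdf")}
    caps = {s: dict(capability_list(MATRIX, s)) for s in MATRIX}
    acls = revoke_object_acl(acls, "payroll.db")
    touched = revoke_object_capabilities(caps, "payroll.db")
    return acls, caps, touched
```

Note that `revoke_object_capabilities` only works because the example holds every subject's list in one dictionary; in a real capability system the lists live with the subjects, which is exactly why revocation by object is the hard case.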
Properties of Bell-LaPadula State Machine
Focused on Confidentiality
The Simple Security Property states that a subject may not read information at a higher sensitivity level (no read up)
The * (star) Security Property states that a subject may not write information to an object at a lower sensitivity level (no write down)
This is also known as the confinement property
The Discretionary Security Property states that the system uses an access matrix to enforce discretionary access control (need-to-know)
Properties of Biba State machine
Focused on integrity
The Simple Integrity Property states that a subject cannot read an object at a lower integrity level (no read down)
The * (star) Integrity Property states that a subject cannot modify an object at a higher integrity level (no write up)
As with Bell-LaPadula, Biba requires that all subjects and objects have a classification label
Brewer and Nash Model
AKA Chinese Wall
Creates security domains that are sensitive to conflict of interest
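The simple security rule of Brewer and Nash, as an added example (not from the lecture notes). Unlike Bell-LaPadula, the decision is not a function of the labels alone: a subject may read an object only if it has never accessed a different company inside the same conflict-of-interest class, so the monitor has to carry per-subject history. The write rule of the model is not shown. Companies, classes and paths are constructed.

```python
# Added example (not from the lecture notes): the Brewer and Nash (Chinese Wall)
# simple security rule with per-subject access history. Names are constructed.
from collections import defaultdict

# object -> (company dataset, conflict-of-interest class)
OBJECTS = {
    "bank_a/ledger.xlsx": ("BankA", "banking"),
    "bank_b/ledger.xlsx": ("BankB", "banking"),
    "oil_x/wells.csv":    ("OilX", "oil"),
}


class ChineseWall:
    def __init__(self, objects):
        self.objects = objects
        # subject -> {conflict class: company the subject is committed to}
        self.history = defaultdict(dict)

    def may_access(self, subject, obj):
        company, coi_class = self.objects[obj]
        chosen = self.history[subject].get(coi_class)
        return chosen is None or chosen == company

    def access(self, subject, obj):
        """Grant or deny; the first access inside a class builds the wall."""
        if not self.may_access(subject, obj):
            return False
        company, coi_class = self.objects[obj]
        self.history[subject][coi_class] = company
        return True


def demo():
    wall = ChineseWall(OBJECTS)
    first = wall.access("analyst", "bank_a/ledger.xlsx")        # free choice
    same_company = wall.access("analyst", "bank_a/ledger.xlsx") # same side of the wall
    competitor = wall.access("analyst", "bank_b/ledger.xlsx")   # walled off
    other_class = wall.access("analyst", "oil_x/wells.csv")     # different class, allowed
    fresh_subject = wall.access("auditor", "bank_b/ledger.xlsx")  # no history yet
    return first, same_company, competitor, other_class, fresh_subject
```

Because the wall is built by the subject's own first access, two subjects with identical clearances can end up with opposite rights to the same object; auditing such a system means logging the history, not just the static policy.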
Closed System
Designed to work with a narrow range of other systems, generally all from the same manufacturer
Standards for closed systems are often proprietary and not normally disclosed
In closed-source (or commercial) solutions source code and internal logic are hidden from the public
Open System
Designed using agreed-upon industry standards
Much easier to integrate with systems from different manufacturers
In open-source solutions source code and internal logic are exposed to the public
Confinement
Process confinement allows a process to read from and write to only certain memory locations and resources
Bounds
Each process that runs on a system is assigned an authority level (e.g., user or kernel); its bounds are the limits on the memory addresses and resources it may access at that level
Isolation
When a process is confined through enforcing access bounds, that process runs in isolation
Controls
Controls use access rules to limit the access by a subject to an object
Trust
A trusted system is one in which all protection mechanisms and security components work together to process sensitive data for many types of users while maintaining a stable and secure computing environment
Assurance
Assurance is simply defined as the degree of confidence in the satisfaction of security needs
TCSEC
AKA “Orange Book”
The TCSEC established guidelines to evaluate a stand-alone computer from the security perspective
Category A: Verified protection
Category B: Mandatory protection
Category C: Discretionary protection
Category D: Minimal protection
ITSEC
The ITSEC represents an initial attempt to create security evaluation criteria in Europe
The ITSEC guidelines evaluate the functionality and assurance of a system using separate ratings for each category
The functionality rating of a system states how well the system performs all necessary functions based on its design and intended purpose
Rating scale: F-D – F-B3 (mirroring the TCSEC divisions D through B3)
The assurance rating represents the degree of confidence that the system will work properly in a consistent manner
Rating scale: E0 – E6
ITSEC addresses concerns about loss of integrity and availability in addition to confidentiality
Common Criteria
The Common Criteria represent a global effort that brought together the parties behind TCSEC and ITSEC as well as other players
This document was converted by ISO into an official standard
ISO/IEC 15408, Evaluation Criteria for Information Technology Security
Protection Profiles (PPs) specify the security requirements and protections of a product that is to be evaluated (Target of Evaluation, TOE)
Security Targets (STs) specify the claims of security from the vendor that are built into a TOE
Common Criteria Assurance Levels
Assurance levels
EAL1: Functionally tested
EAL2: Structurally tested
EAL3: Methodically tested and checked
EAL4: Methodically designed, tested, and reviewed
EAL5: Semi-formally designed and tested
EAL6: Semi-formally verified design and tested
EAL7: Formally verified design and tested
Covert Channel
A covert channel is a method to pass information over a path that is not normally used for communication
All levels at or above B2 must contain controls to detect and prohibit covert channels (TCSEC): B2 requires analysis of covert storage channels, B3 and A1 extend this to covert timing channels
Covert storage channels
Conveys information by writing data to a common storage area where another process can read it
Covert timing channels
Conveys information by altering the performance of a system component or modifying a resource’s timing in a predictable manner
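A covert storage channel in miniature, as an added example (not from the lecture notes). The low side is never permitted to read the high side's data; all it can observe is whether a lock file exists in a shared directory, an attribute most access checks treat as harmless metadata. One bit per observation is enough to carry a message. The file name and message are constructed, and each bit is set and sampled in turn so the run is deterministic (a real channel would need the two sides to agree on timing, which is where the timing variant on the card comes in).

```python
# Added example (not from the lecture notes): a covert storage channel that
# signals through the existence of a shared lock file. Paths and the message
# are constructed; sender and receiver run in lockstep for determinism.
import os
import tempfile


class StorageChannel:
    def __init__(self, shared_dir):
        self.flag = os.path.join(shared_dir, "scratch.lock")

    # High (sender) side: only ever creates or removes an empty flag file.
    def signal(self, bit):
        if bit:
            open(self.flag, "a").close()
        elif os.path.exists(self.flag):
            os.remove(self.flag)

    # Low (receiver) side: only ever asks whether the flag file exists.
    def sample(self):
        return 1 if os.path.exists(self.flag) else 0


def to_bits(text):
    """UTF-8 bytes to a list of bits, most significant bit first."""
    return [int(b) for ch in text.encode() for b in f"{ch:08b}"]


def from_bits(bits):
    """Inverse of to_bits; trailing partial bytes are ignored."""
    chunks = (bits[i:i + 8] for i in range(0, len(bits) - len(bits) % 8, 8))
    return bytes(int("".join(map(str, c)), 2) for c in chunks).decode()


def leak(text):
    """Drive both sides one bit at a time over a shared temporary directory
    and return what the low side reconstructed."""
    with tempfile.TemporaryDirectory() as shared:
        chan = StorageChannel(shared)
        received = []
        for bit in to_bits(text):
            chan.signal(bit)                 # high side writes one bit of state
            received.append(chan.sample())   # low side reads it back
        chan.signal(0)                       # leave the shared directory clean
    return from_bits(received)
```

The detection angle follows from the construction: the channel uses no data access at all, so a monitor that only audits reads and writes of the protected object never sees it. Covert channel analysis at B2 is about enumerating shared attributes like this one (file existence, disk quota, lock state) that a high process can modulate and a low process can observe.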
Payment Card Industry – Data Security Standard (PCI-DSS)
PCI-DSS is a collection of requirements for improving the security of electronic payment transactions
International Organization for Standardization (ISO)
ISO is a worldwide standards-setting group of representatives from various national standards organizations
ISO defines standards for industrial and commercial equipment, software, protocols, and management, among others
Certification
Internal comprehensive evaluation of the technical and nontechnical security features of an IT system
Accreditation
A formal declaration by a Designated Approving Authority (DAA) that an IT system is approved to operate in a particular security mode using prescribed safeguards at an acceptable level of risk (external evaluation)