Chapter 8: Principles of Security Models, Design, and Capabilities

Implement and Manage Engineering Processes Using Secure Design Principles
• Objects and subjects
• Closed and open systems
• Techniques for ensuring confidentiality, integrity, and availability
• Controls
• Trust and assurance

Objects and Subjects
• Subject (often a user)
• Object (a resource)
• Managing the relationship between subject and object is access control
• Transitive trust

Closed and Open Systems
• Closed system
  – Proprietary standards
  – Hard to integrate
  – Possibly more secure
• Open system
  – Open or industry standards
  – Easier to integrate
• Open source vs. closed source

Techniques for Ensuring Confidentiality, Integrity, and Availability
• Confinement
  – Sandboxing
• Bounds
• Isolation

Controls
• Discretionary access control
• Mandatory access control
• Rule-based access control

Trust and Assurance
• Integrated before and during design
• Security must be:
  – Engineered, implemented, tested, audited, evaluated, certified, and accredited
• Trusted system
  – Security mechanisms work together to provide a secure computing environment
• Assurance
  – Degree of confidence in satisfaction of security needs

Understand the Fundamental Concepts of Security Models
• Trusted Computing Base
• State Machine Model
• Information Flow Model
• Noninterference Model
• Take-Grant Model
• Access Control Matrix
• Bell-LaPadula Model
• Biba Model
• Clark-Wilson Model
• Brewer and Nash Model (aka Chinese Wall)
• Goguen-Meseguer Model
• Sutherland Model
• Graham-Denning Model

Trusted Computing Base
• Defined in DoD 5200.28 (Orange Book)
• Security perimeter
• Trusted paths
• Reference monitor
• Security kernel

State Machine Model
• Always secure no matter what state it is in
• Finite state machine (FSM)
• State transition
• Secure state machine
• The basis for most other security models

Information Flow Model
• Based on the state machine model
• Prevents unauthorized, insecure, or restricted information flow
• Controls flow between security levels
• Can be used to manage state transitions

Noninterference Model
• Based on the information flow model
• Separates the actions of subjects at different security levels
• Composition theories
  – Cascading
  – Feedback
  – Hookup

Take-Grant Model
• Dictates how rights can be passed between subjects
• Take rule
• Grant rule
• Create rule
• Remove rule

Access Control Matrix
• A table of subjects, objects, and access
• Columns are ACLs
• Rows are capability lists
• Can be used in DAC, MAC, or RBAC

Bell-LaPadula Model
• Based on the DoD multilevel security policy
• Focuses only on confidentiality
• Lattice-based access control
• Simple security property
• * (star) security property
• Discretionary security property

Biba Model
• Based on the inverse of Bell-LaPadula
• Focuses only on integrity
• Simple integrity property
• * (star) integrity property
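The two slides above state the Bell-LaPadula and Biba properties side by side; the following added example (not part of the original slides) encodes both over one totally ordered lattice so the inverse relationship can be checked directly. The level names and sample subject/object levels are constructed for illustration.

```python
# Added example: Bell-LaPadula (confidentiality) versus Biba (integrity)
# decisions over a simple, totally ordered lattice of levels.
# Level names are constructed for illustration.

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def dominates(a, b):
    """True when level a is at or above level b in the lattice."""
    return LEVELS[a] >= LEVELS[b]


def blp_allows(action, subject_level, object_level):
    """Bell-LaPadula, confidentiality only.
    simple security property: no read up   -> subject must dominate object
    * (star) security property: no write down -> object must dominate subject
    """
    if action == "read":
        return dominates(subject_level, object_level)
    if action == "write":
        return dominates(object_level, subject_level)
    raise ValueError(f"unknown action {action!r}")


def biba_allows(action, subject_level, object_level):
    """Biba, integrity only: the inverse of Bell-LaPadula.
    simple integrity property: no read down -> object must dominate subject
    * (star) integrity property: no write up -> subject must dominate object
    """
    if action == "read":
        return dominates(object_level, subject_level)
    if action == "write":
        return dominates(subject_level, object_level)
    raise ValueError(f"unknown action {action!r}")


def check(action, subject_level, object_level):
    """Return (blp_ok, biba_ok) so both decisions can be compared at once."""
    return (blp_allows(action, subject_level, object_level),
            biba_allows(action, subject_level, object_level))


if __name__ == "__main__":
    for action, s, o in [("read", "secret", "confidential"),
                         ("read", "confidential", "secret"),
                         ("write", "secret", "confidential"),
                         ("write", "confidential", "secret")]:
        blp, biba = check(action, s, o)
        print(f"{action:5} subject={s:12} object={o:12} BLP={blp!s:5} Biba={biba}")
```

Every request that one model permits, the other denies, which is exactly what "inverse" means on the Biba slide.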

Clark-Wilson Model
• Focuses on integrity
• Access control triplet
• Controls access through an intermediary program or restricted interface
• Well-formed transactions
• Separation of duties

Brewer and Nash Model (aka Chinese Wall)
• Prevents conflicts of interest
• Access changes dynamically based on user activity
• Access to conflicting data is temporarily blocked
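The slide says the Brewer and Nash decision depends on what the user has already done, not on a static ACL. The following added example (not part of the original slides) implements that history-based rule; the conflict-of-interest classes and dataset names are constructed for illustration.

```python
# Added example: a minimal Brewer and Nash (Chinese Wall) decision function.
# Conflict-of-interest classes and dataset names are constructed.

# conflict-of-interest class -> the competing company datasets in it
COI_CLASSES = {
    "banks": {"bank_a", "bank_b"},
    "oil":   {"oil_x", "oil_y"},
}


def coi_class_of(dataset):
    """Look up which conflict-of-interest class a dataset belongs to."""
    for name, members in COI_CLASSES.items():
        if dataset in members:
            return name
    raise KeyError(f"unknown dataset {dataset!r}")


class ChineseWall:
    """The wall is built from each subject's access history, which is what
    makes the model dynamic: the same request can be allowed for one user
    and denied for another purely because of what they touched earlier."""

    def __init__(self):
        self.history = {}   # subject -> set of datasets already accessed

    def may_access(self, subject, dataset):
        """Allowed unless the subject already accessed a *different* dataset
        in the same conflict-of-interest class."""
        cls = coi_class_of(dataset)
        for seen in self.history.get(subject, set()):
            if seen != dataset and coi_class_of(seen) == cls:
                return False
        return True

    def access(self, subject, dataset):
        """Apply the decision and, if allowed, record it in the history."""
        if not self.may_access(subject, dataset):
            return False
        self.history.setdefault(subject, set()).add(dataset)
        return True
```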

Goguen-Meseguer Model
• Focuses on integrity
• The basis of the noninterference model
• Based on a predetermined set/domain of objects a subject can access
• Based on automaton theory and domain separation

Sutherland Model
• Focuses on integrity
• Prevents interference in support of integrity
• Defines a set of system states, initial states, and state transitions
• Commonly used to prevent covert channels from influencing processes

Graham-Denning Model
• Securely manage objects and subjects
• Securely create object/subject
• Securely delete object/subject
• Securely provide read access right
• Securely provide grant access right
• Securely provide delete access right
• Securely provide transfer access right

Select Controls and Countermeasures Based on Systems Security Evaluation Models
• Rainbow Series
• ITSEC Classes and Required Assurance and Functionality
• Common Criteria
• Industry and International Security Implementation Guidelines
• Certification and Accreditation

Rainbow Series
• TCSEC
  – Orange Book
  – Confidentiality
  – D, C1, C2, B1, B2, B3, A1
• Red Book
  – Trusted Network Interpretation of TCSEC
  – Confidentiality and integrity
  – None, C1, C2, B2
• Green Book
  – Password management guidelines

ITSEC Classes and Required Assurance and Functionality
• Rates functionality (F) and assurance (E)
• F-D through F-B3
• E0 through E6
• Confidentiality, integrity, and availability

Common Criteria
• Designed to replace prior systems
• ISO 15408
• Protection profiles
• Security targets
• Evaluation Assurance Level (EAL)

Industry and International Security Implementation Guidelines
• Payment Card Industry – Data Security Standard (PCI-DSS)
• International Organization for Standardization (ISO)

Certification and Accreditation
• Certification
  – Comprehensive evaluation of security against security requirements
• Accreditation
  – Formal designation by the DAA that the system meets organizational security needs
• Risk Management Framework (RMF)
• Committee on National Security Systems Policy (CNSSP)
  – Definition, verification, validation, post-accreditation

Understand Security Capabilities of Information Systems
• Memory protection
• Virtualization
• Trusted Platform Module
  – Hardware security module (HSM)
• Interfaces
• Fault tolerance