Chapter 6


Security Architecture

NETWORK SECURITY-ITIE533

Security Architecture
At the end of the period, the students should be able to:
- Identify the different computer components as well as their respective functions
- Explain how the security models work
- Understand how the system security model provides protection mechanisms against threats

Architecture
Architecture encompasses all of the components of a computer, including:
- Operating System (Windows, Linux, Solaris, etc.)
- Storage (Hard Drives, IDE/ATA, SCSI, Fibre Channel)
- I/O devices
- Security components
- Networking
- Memory (next)
- CPU

CPU
CPU: the brain of a computer. It fetches instructions from memory and executes them. It consists of multiple components:
- ALU: actually processes instructions
- Control unit: fetches instructions for the ALU to execute

Registers
Registers: small, extremely fast memory locations located directly in the CPU, consisting of general and special registers.
- The Program Counter is a special register which holds the address in memory of the next instruction to be executed.
- The Program Status Word contains flags that describe the status of instructions being run. These flags tell, for example, whether the CPU is running in user mode or privileged mode, or whether there has been an arithmetic overflow.

External Components
- Address Bus: a series of wires that the CPU and other components share that specify a memory ADDRESS to access
- Data Bus: a series of wires that the CPU and other components share that hold the actual DATA for the memory location currently being accessed

Memory Access
Address (Bus): 00000101 (5)
Data (Bus): 00100010 (34)

If the CPU wants to access memory location 5, it puts 00000101 on the ADDRESS bus and issues a READ request.

The memory controller would look up the value in memory location 5 and return it on the DATA bus. In this case, if memory location 5 had the number 34 stored in it, the value returned on the DATA bus would be binary 34 (00100010).

Process management
A process is a computer program that is actually running on a computer (like Firefox or MS Word).

Multiprogramming
Multi-programming means that a computer can be running more than one process at a time, even if there is only 1 CPU. How does this happen?

Time Slicing (1 second)

Time Period            Program Running
0-99 milliseconds      MS Word
100-199 milliseconds   Firefox (web browser)
200-299 milliseconds   MS Excel
300-399 milliseconds   Adobe Photoshop
400-499 milliseconds   Windows Explorer
500-599 milliseconds   MS PowerPoint
600-699 milliseconds   Operating System
700-799 milliseconds   Adobe Acrobat Reader
800-899 milliseconds   Anti-Virus
900-999 milliseconds   Thunderbird (email)

Multi-programming
Co-operative multitasking (used in Windows 3.1): one process must specifically release its control of the CPU before another can use the processor.
Pros? Cons?

Pre-emptive multitasking: the Operating System takes the processor away from one program and gives it to another in a scheduled manner.
Pros? Cons?

Multi-programming
When there are multiple processes on a computer, these processes can be in one of these states:
- Running: the process is actually using the CPU
- Blocked: the process is waiting for some input that it expects immediately; gives up the CPU
- Sleeping: the process is waiting for some input but does not expect it for a while; gives up the CPU
The processes, their states, and specific information (memory allocation, open files, etc.) are stored in a process table.

Process Table

Program   PID    State      State Info
Firefox   1453   Running    SP=19024, PC=20000, Memory allocation=
telnet    754    Blocked    SP=1024, PC=2043, Memory allocation=
mysql     56     Sleeping   SP=40112, PC=4321, Memory allocation=
httpd     1014   Sleeping   SP=74123, PC=65123, Memory allocation=

Multi-programming
If a process needs to signal the CPU to perform some action, it generates an interrupt. Interrupts tell the CPU to stop what it's doing and take some action on behalf of the process. Interrupts fall into two categories:
- Maskable
- Non-maskable

A thread
- A thread is the set of instructions that will be run on a CPU. (This is also the definition of a process.)
- A thread is a lightweight process. On modern OSs, threads are scheduled for execution.
- A process may be made up of multiple threads.
- Threads usually handle some specific part of a program where the program wants to do two or more actions at the same time. (Example: printing while editing. Explain this, perhaps with a cloning analogy.)
- A multi-threaded program is a program that is written such that different parts of the program can run in parallel.
- Keep in mind that threads can share resources like memory natively. Processes cannot. (Explain this.)

Process/thread scheduling
Scheduling processes is an important job that the OS must perform. The idea is to share the CPU effectively while keeping in mind the current demands for resources. Concerns with process scheduling:
- Effective resource allocation
- Being fair
- Time-critical processes
- Deadlocks* - explain (visual?)

Ensuring security on Multitasking systems


Computers run multiple processes at the same time. These processes need to be protected from each other. They should not be able to access each other's resources, either intentionally or accidentally. The OS needs to enforce this. Operating systems attempt to do this using process isolation, which provides the following services.

Ensuring security on Multitasking systems


Encapsulation: no process can interact with another process. One process cannot read/write to the process space of another, or even communicate with another process, without using some external interface/communications channel.

Ensuring security on Multitasking systems


Naming Distinctions: each process has its own name or ID. In Unix and Windows, processes have a PID (process ID).

Ensuring security on Multitasking systems


Virtual Mapping: a process thinks it's the only process on the machine (at least with memory), with memory locations from 0 to the max available process memory. That memory is mapped into actual system memory space by a memory mapper.*
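
Added example (not from the original slides): a toy memory mapper in Python showing how two processes can use the same virtual address yet land in different physical frames, and how an access to an unmapped page is refused. The class name, page size and frame count are constructed for illustration.

```python
PAGE_SIZE = 4096                              # constructed page size

class MemoryMapper:
    def __init__(self, total_frames):
        self._free = list(range(total_frames))   # physical frames not yet handed out
        self._tables = {}                        # pid -> {virtual page: physical frame}

    def map_page(self, pid, vpage):
        table = self._tables.setdefault(pid, {})
        if vpage not in table:
            if not self._free:
                raise MemoryError("no free physical frames")
            table[vpage] = self._free.pop(0)     # a frame belongs to exactly one process
        return table[vpage]

    def translate(self, pid, vaddr):
        """Virtual address -> physical address, or a fault if the page is not the caller's."""
        vpage, offset = divmod(vaddr, PAGE_SIZE)
        frame = self._tables.get(pid, {}).get(vpage)
        if frame is None:
            raise PermissionError(f"pid {pid}: fault at virtual address {vaddr:#x}")
        return frame * PAGE_SIZE + offset

def demo():
    mapper = MemoryMapper(total_frames=4)
    for pid in (1453, 754):                      # PIDs reused from the process table slide
        mapper.map_page(pid, 0)
    same_vaddr = 0x10
    first = mapper.translate(1453, same_vaddr)
    second = mapper.translate(754, same_vaddr)
    try:
        mapper.translate(754, PAGE_SIZE + 5)     # page 1 was never mapped for pid 754
        faulted = False
    except PermissionError:
        faulted = True
    return first, second, faulted

if __name__ == "__main__":
    print(demo())
```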

Memory Management
Multi-tasking Operating Systems provide memory management. Goals of memory management are:
- Provide an abstraction layer for programmers (how?)
- Maximize performance with the limited amount of memory (how?)
- Protect the OS and applications (how?)
Programs don't need to know the amount or type of memory.

Memory Types
- RAM: temporary memory
- DRAM: RAM which requires refreshing
- SRAM: RAM with no refresh needs, much faster and more expensive

Memory Types
- SDRAM: timed DRAM
- DDR SDRAM: SDRAM which operates on both the rising and falling edges of the clock (twice as fast)

Memory Types
- ROM (Read Only Memory): non-volatile, non-writable. Good for firmware. Secure as it's not writable. (Why is this secure?)
- PROM: ROM that can be reprogrammed.
- EPROM: PROM that can be erased (usually with UV light)
- EEPROM: PROM that is erasable, but electronically. (What security implications would this have?)
- Flash Memory: we all know what this is, right?
- Cache Memory: what is this, what are its attributes?

Other Memory Terms


- Memory Leak: what is this, what are the issues, what type of attack can exploit a memory leak? What is a countermeasure for memory leaks? (GC)
- Virtual Memory: using secondary storage to virtually expand your memory. Talk about:
  - Swapping
  - Paging
  - Page frames
  - Security concerns with paging, both live and on reboots. What can you do to protect on reboots?

CPU Modes and Protection Rings


The operating system protects itself by segmenting its components into rings. Each inner ring is more privileged and provides services on behalf of the outer rings. The number of rings an OS can have is dependent on the type of processor that it runs on. Code in one ring can only access other objects in the same ring, or request a service from the ring beneath it based on well-defined standards/APIs.

OS protection and memory rings

The most commonly used architecture (according to the book) uses 4 rings:
- Ring 0: Operating System Kernel
- Ring 1: Remaining parts of the OS
- Ring 2: I/O drivers and utilities
- Ring 3: Applications (e.g. web browser)

Wrap up on OS Modes and Protection Rings


- Rings allow the OS to place different components at different levels of security.
- Things at each level are in the same execution domain.
- Each level closer to the middle is more trusted.
- Each inner level provides services for an outer level. (Give an example, i.e. the write system call.)

Operating Systems Architecture


The operating system can be designed based on multiple models:
- Monolithic kernel* (different than real life): means all kernel code runs in privileged mode
- Microkernel: minimal kernel services that run in privileged mode and provide services to other kernel components in user mode
Note: when code is running as part of the OS kernel, it is running in privileged mode.

Virtual Machines
- What is a virtual machine?
- What is the purpose of a virtual machine?
- What are the strengths?
- How can a virtual machine help strengthen security?
- What happens if you are running 16-bit mode on a 32-bit machine?
- What is thunking?
- What are some popular virtual environments?

I/O device management


- What is an interrupt?
- What is programmed I/O (polling)? Problems?
- What is interrupt-driven I/O? Problems?
- DMA: what is it?
- Premapped I/O
- Premapped I/O security problems?
- Fully mapped I/O: virtual I/O devices

System Security Architecture

System Architecture
An OS should be able to enforce the security principles (CIA). How to properly design and build a system is called Security System Architecture. We are going to talk about some terms that are used when discussing system security architecture.

Security Architecture Terms


TCB (Trusted Computing Base)*: the total combination of protection mechanisms within a computer system. This includes hardware, software and firmware. These are part of the TCB because the system is sure (trusts) that they will enforce the security policy and not violate it. The TCB must enforce the security rules strictly AND ensure that the components react in a predictable manner. This is an important term; internalize it.

Security Terms
Note that the TCB does not address the technical level of security the system provides, just the level of trust we have in it.
Trusted Path: a communications channel between the user/program and the kernel. An example of a trusted path is hitting control-alt-delete on Windows. The Windows TCB provides that nothing can intercept that sequence, and when you hit it you will actually be telling the operating system you'd like to log in, etc.

Security Perimeter
Not every process falls within the TCB. The security perimeter is the imaginary boundary that divides the trusted from the untrusted. Communications between the trusted and untrusted must be well defined and strictly controlled. (What is an example that falls outside the security perimeter?)

Reference Monitor
The Reference Monitor is an abstract machine that mediates all access subjects have to objects. The RM ensures that the subjects have the necessary access rights to the object, as well as protecting the objects from destructive modification. For a system to have a higher level of trust, it must require that all subjects are authorized prior to allowing access to an object. The RM is an abstract or conceptual idea; it's not an actual piece of code.

Security Kernel
This is the hardware, software and firmware that fall within the TCB and implement and enforce the reference monitor concept! (Understand this relationship for the exam.) The security kernel must provide the following 3 items:
1. Provide isolation for processes carrying out the reference monitor concept; the processes must be tamperproof (why?)
2. The SK must be invoked for every access attempt and be impossible to circumvent; therefore it must be foolproof (why?)
3. It must be small enough to be tested and verified comprehensively*

Terms we need to know before we move on


Before we move on to system-specific security models (rather than the company security model from chapter 3), we need to know a couple of terms:
- Least privilege: a fundamental security concept. Someone should only have the absolute minimum rights that they NEED to do their job.
- Multilevel security policy: security policies that prevent information from flowing from a high security level to a lower security level.

System Security Models

System Security Model


A security model (system, not company) is a technical model of a system that enforces its security policy. It maps the abstract goals of the policy into the data structures and techniques necessary to enforce the security policy. It is represented in mathematical and analytical ideas, which programmers then implement in code.

System Security Model


Example: if a policy states that subjects need to be authorized to access objects, the security model would provide mathematical relationships explaining how x can access y only through outlined methods. Then programmers write code based on this model to implement these relationships.

Systems Security Models


We will cover the following models:
- State Machine Model
- Bell-LaPadula Model
- Biba Model
- Clark-Wilson Model
- Lattice Model
- Brewer and Nash Model
- Graham-Denning Model

State machine Model


Need a visualization

State Machine model


Like a flowchart, with a number of states and transitions from state to state. A developer needs to look at all the states and ensure that any transition from one state leads to the OS being in a state that is also secure. If something in the OS fails, it must fail to a secure state.*

Bell-LaPadula Model
Possibly the most famous model, and probably the model most needed in your exam studies, is the Bell-LaPadula Model. (Explain the model here: levels and compartments/need to know.)
- It was developed by the US military for use on time-sharing mainframes* (what is that?)
- First mathematical model of an MLS*

B-LP
- It is also a (big) MAC model
- A system that employs B-LP is called an MLS system.
- It is technically also an information flow model because it is proven that information flows securely
- It uses a lattice structure
- Only addresses Confidentiality, not I or A

B-LP
3 main rules:
- Simple security rule: subjects must dominate objects for read*
- *-property rule: no write down (why?)*
- Strong *-property: read and write must be at the same level*
You really need to understand this model. See word problems.

Covert Channels
A Covert Channel is a way for an entity to send or receive information in an unauthorized manner. It is an information flow that is not controlled via a security mechanism and was not intended to transfer information. Such methods violate the security policy.

Covert Channels
Two types of CC:
- Storage (give temp file example)
- Timing: hold or not hold an object (give example)

They occur due to one of the following reasons:
1. Improper oversight in the development of a product
2. Improper implementation of access controls
3. Existence of a shared resource between two subjects

Biba (Whopper)
Biba: layered like the Big Mac... but it's more concerned with integrity and data quality, so this one is flame broiled and much more delicious!

Biba Model
A state machine model similar to Bell-LaPadula, but only concerned with Integrity (not C or A). 3 rules:
- *-integrity axiom: no write up??? WHAT? Explain.
- Simple integrity axiom: no read down ?!?
- Invocation property: a subject cannot request services from another SUBJECT (not object)

Biba
- Remember, Biba is also an MLS-type system
- Also uses lattices of levels
- Concerned ONLY with integrity
- The 3 rules are pretty much the opposite of the B-LP model.

Lattice Model
A lattice is a mathematical construct that is built upon the notion of a group. A structure consisting of a finite partially ordered set together with least upper bound and greatest lower bound on the set.* (Memorize this definition.) Pretty much, this model (which Biba and Bell-LaPadula use) has multiple levels of classification, people are also classified, and permissions are determined based on these levels of classification.
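
Added example (not from the original slides): the Bell-LaPadula and Biba rules from the slides above expressed as checks over one lattice of labels, with least upper bound and greatest lower bound. It goes a little beyond the slides by including compartments in the dominance test; the level and compartment names are constructed.

```python
from dataclasses import dataclass

# Constructed classification ladder; the names are illustrative only.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "TopSecret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """self >= other: level at least as high AND every compartment covered."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def lub(a, b):
    """Least upper bound: the lowest label that dominates both a and b."""
    return Label(max(a.level, b.level, key=LEVELS.get), a.compartments | b.compartments)

def glb(a, b):
    """Greatest lower bound: the highest label that both a and b dominate."""
    return Label(min(a.level, b.level, key=LEVELS.get), a.compartments & b.compartments)

def blp_allows(subject, obj, op, strong=False):
    """Bell-LaPadula: confidentiality only."""
    if op not in ("read", "write"):
        return False                      # unknown operation: fail to a secure state
    if strong:
        return subject == obj             # strong *-property: same label for read and write
    if op == "read":
        return subject.dominates(obj)     # simple security rule: no read up
    return obj.dominates(subject)         # *-property rule: no write down

def biba_allows(subject, target, op):
    """Biba: integrity only; the same lattice, with the rules reversed."""
    if op == "read":
        return target.dominates(subject)  # simple integrity axiom: no read down
    if op in ("write", "invoke"):
        # *-integrity axiom (no write up); invocation property, in its usual
        # statement: no calling on a subject of higher integrity.
        return subject.dominates(target)
    return False

def demo():
    analyst = Label("Secret", frozenset({"CRYPTO"}))
    memo = Label("Confidential")
    plans = Label("Secret", frozenset({"NUCLEAR"}))   # incomparable with analyst
    return {
        "blp read memo": blp_allows(analyst, memo, "read"),
        "blp write memo": blp_allows(analyst, memo, "write"),
        "blp read plans": blp_allows(analyst, plans, "read"),
        "biba read memo": biba_allows(analyst, memo, "read"),
        "biba write memo": biba_allows(analyst, memo, "write"),
        "lub": lub(analyst, plans),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "plans" label shows why the lattice is only partially ordered: same level, different compartment, so neither label dominates the other and Bell-LaPadula refuses both read and write.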

Clark Wilson
Also concerned with integrity, but uses a different approach. Has 5 elements:
- Users
- Transformation procedures
- Constrained Data Items
- Unconstrained Data Items
- Integrity Verification Procedures
Let's look at CW a bit more.

Clark Wilson
The basic idea is as follows:
- Data is classified as highly protected (constrained) or not highly protected (unconstrained).
- Users cannot modify constrained items directly; they must use software that has Transformation Procedures (TPs) that operate on the data on behalf of the users.
- TPs ensure the security and validity of the operations on the data by the users.

Clark Wilson
- All accesses to constrained data are checked via an access triple which defines (users, TP, data), that is, what TPs a user can invoke on what data.
- Unconstrained data items are not protected via TPs.
- The Integrity Verification Procedures ensure that specific integrity rules are being carried out. These rules are abstract and are defined by the vendor of the system based on the needs of the client. They kind of audit the TP actions on the data.

Clark Wilson
- The IVPs ensure that the CDI data is consistent*
- Using TPs to modify CDIs is referred to as a well-formed transaction* (a series of operations to transfer the data from one consistent state to another consistent state).
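
Added example (not from the original slides): a small Clark-Wilson store in Python with access triples, two TPs and an IVP. The account names, users and the integrity rule (no negative balance, total funds conserved) are constructed to stand in for the client-specific rules the slides mention.

```python
class IntegrityError(Exception):
    """Raised when a TP would leave the CDIs in an inconsistent state."""

class ClarkWilsonStore:
    def __init__(self, cdis, triples):
        self._cdis = dict(cdis)               # constrained data items: changed only by TPs
        self._total = sum(self._cdis.values())
        self._triples = set(triples)          # allowed (user, TP, CDI) access triples
        self.udis = {}                        # unconstrained data items: no TP needed
        self.audit_log = []

    def ivp(self):
        """Integrity verification procedure: no negative balance, total conserved."""
        values = self._cdis.values()
        return all(v >= 0 for v in values) and sum(values) == self._total

    def _check_triples(self, user, tp, cdis):
        denied = [c for c in cdis if (user, tp, c) not in self._triples]
        if denied:
            self.audit_log.append((user, tp, tuple(cdis), "DENIED"))
            raise PermissionError(f"{user} may not run {tp} on {denied}")

    def transfer(self, user, src, dst, amount):
        """TP: a well-formed transaction from one consistent state to another."""
        self._check_triples(user, "transfer", [src, dst])
        before = dict(self._cdis)
        self._cdis[src] -= amount
        self._cdis[dst] += amount
        if amount <= 0 or not self.ivp():
            self._cdis = before               # roll back to the last consistent state
            self.audit_log.append((user, "transfer", (src, dst), "ROLLED_BACK"))
            raise IntegrityError("transfer rejected by the integrity rules")
        self.audit_log.append((user, "transfer", (src, dst), "OK"))

    def balance(self, user, cdi):
        """TP: read-only access still goes through an access triple."""
        self._check_triples(user, "balance", [cdi])
        return self._cdis[cdi]

def demo():
    triples = {("teller", "transfer", "acct_a"), ("teller", "transfer", "acct_b"),
               ("teller", "balance", "acct_a"), ("auditor", "balance", "acct_a"),
               ("auditor", "balance", "acct_b")}
    store = ClarkWilsonStore({"acct_a": 100, "acct_b": 50}, triples)
    store.transfer("teller", "acct_a", "acct_b", 30)          # allowed, consistent
    outcomes = []
    for user, amount in (("auditor", 10), ("teller", 500)):
        try:
            store.transfer(user, "acct_a", "acct_b", amount)
        except (PermissionError, IntegrityError) as exc:
            outcomes.append(type(exc).__name__)
    return store, outcomes

if __name__ == "__main__":
    store, outcomes = demo()
    print(outcomes, store.audit_log)
```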

Review of goals of Integrity Models


- Prevent unauthorized users from making modifications
- Prevent authorized users from making improper modifications
- Maintain internal and external consistency (via well-formed transactions)

Non Interference Model


Non-interference is not concerned with data flow, but instead with how actions by subjects at one level may interfere with subjects at another. If a lower-level entity were aware of the activity of an entity at a higher level, it might be able to deduce too much information about the higher-level activities.

Non-Interference
Users at one level should not have knowledge of the commands of users at another level. The commands the users run should not affect others in any way such that they can infer what is going on. (Give example from top of 348 regarding Tom and Russian file information.)

Non Interference

Brewer Nash / Chinese Wall


A data flow model whose purpose is to protect against conflicts. A BN model can change dynamically to protect the interest of the model.
Example: an accounting company has two clients in the same industry. When accountant A is working on Client X's data, he cannot access Client Y's data. There is a Chinese wall between them. That's all you really need to know about this model.
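
Added example (not from the original slides): the accountant scenario above as a history-based access check in Python, showing how the decision changes dynamically once one client's data has been touched. The conflict-of-interest class names and "Client Z" are constructed.

```python
class ChineseWall:
    def __init__(self, conflict_classes):
        # conflict_classes: {class name: set of client datasets that compete}
        self._coi = {client: name
                     for name, clients in conflict_classes.items()
                     for client in clients}
        self._history = {}                   # subject -> clients already accessed

    def can_access(self, subject, client):
        if client not in self._coi:
            return False                     # unknown dataset: fail secure
        for seen in self._history.get(subject, ()):
            if seen != client and self._coi[seen] == self._coi[client]:
                return False                 # a competitor's data was already accessed
        return True

    def access(self, subject, client):
        """Decide, and on success record the access so later decisions see it."""
        allowed = self.can_access(subject, client)
        if allowed:
            self._history.setdefault(subject, set()).add(client)
        return allowed

def demo():
    wall = ChineseWall({"retail": {"Client X", "Client Y"}, "energy": {"Client Z"}})
    return [
        wall.can_access("accountant A", "Client Y"),   # True: no history yet
        wall.access("accountant A", "Client X"),       # True: first pick in "retail"
        wall.access("accountant A", "Client Y"),       # False: wall is now up
        wall.access("accountant A", "Client Z"),       # True: different conflict class
        wall.access("accountant A", "Client X"),       # True: same client again
        wall.access("accountant B", "Client Y"),       # True: B has separate history
    ]

if __name__ == "__main__":
    print(demo())
```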

Graham-Denning Model
A model more concerned with actual implementation than abstract concepts. GD outlines 8 operations that define how objects should be created and deleted. It addresses how to assign specific access rights. The 8 operations specifically are:

GD model
- How to securely create an object
- How to securely create a subject
- How to securely delete an object
- How to securely delete a subject
- How to securely provide the read access right
- How to securely provide the grant access right
- How to securely provide the delete access right
- How to securely provide transfer access rights

Security Modes of Operation

Security Modes of Operation


A system can operate in different modes depending on the sensitivity of the data being processed and the clearance level of users. The mode of operation describes the security conditions under which the system actually functions. The modes are used in MAC systems which hold one or more classifications of data. (TS, Secret, Confidential etc) We will describe the different modes now.

Dedicated Security Mode (352)


A system is operating in dedicated security mode if:
- All users have a clearance for and a need to know about ALL data on the system.
- All users have been given formal approval for data.
- All users have signed an NDA.
Generally this is used if a system only processes one level of data and ALL users on the system are cleared for this level.*

System High Security Mode


Similar to Dedicated:
- All users have NDAs
- Proper clearance for the highest level of data on the system
- However, not all users have a NEED to KNOW for all data on the system.

Compartmented Security Mode (352)


A system is in CSM mode when all users have the clearance to access ALL information processed on the system. However, they might NOT have:
- Need to know
- Formal access approval
A CMW enables a user to process multiple compartments of data at the same time if they have the necessary clearance and need to know.

The difference between SHS mode and CSM is that in SHS users have formal approval for ALL data on the system, whereas in CSM they only have formal approval for the data they will need to access.

Multilevel Security Mode


Bell LaPadula is an example of an MLS. There may be multiple levels of data on a system, and users with multiple levels of access where NOT everyone has clearance for all data.

Guards
Software and hardware guards allow the exchange of data between trusted and less trusted systems. Example: a system is working in Dedicated security mode (high) and needs to talk to an MLS system with multiple classifications. They must talk through a guard, which accepts requests for data, reviews each request to make sure it's allowed, and then submits the request to an end system.

Summary
In this lesson, you have learned:
- System Security Architecture
- System Security Models
- Security Mode Operation
- System High Security Mode
- Dedicated Security Mode
- Compartmented security mode
- Multilevel security mode

Any Questions?

Thank You!
