CISSP-Chapter 11 - Continuation

Date post: 29-Nov-2014
Page 1: CISSP-Chapter 11 - Continuation

Security Protection Mechanisms

Security Models

Principles of Computer Design

Ronel N. Dadula, Reporter

Page 2: CISSP-Chapter 11 - Continuation

Security Protection Mechanisms

• Technical Mechanisms

• Policy Mechanisms

Page 3: CISSP-Chapter 11 - Continuation

Security Protection Mechanisms

Technical Mechanisms

• Layering

• Abstraction

• Data Hiding

• Process Isolation

• Hardware Segmentation

Page 4: CISSP-Chapter 11 - Continuation

Technical Mechanisms: Layering

By layering processes, you implement a structure similar to the ring model used for operating modes and apply it to each operating system process. It puts the most-sensitive functions of a process at the core, surrounded by a series of increasingly larger concentric circles with correspondingly lower sensitivity levels.

Page 5: CISSP-Chapter 11 - Continuation

Technical Mechanisms: Abstraction

Abstraction is one of the fundamental principles behind the field known as object-oriented programming.

It is the “black box” doctrine that says that users of an object (or operating system component) don’t necessarily need to know the details of how the object works; they just need to know the proper syntax for using the object and the type of data that will be returned as a result.

Page 6: CISSP-Chapter 11 - Continuation

Technical Mechanisms: Data Hiding

Data hiding is an important characteristic in multilevel secure systems. It ensures that data existing at one level of security is not visible to processes running at different security levels.

The key concept behind data hiding is a desire to make sure those who have no need to know the details involved in accessing and processing data at one level have no way to learn or observe those details covertly or illicitly.

Page 7: CISSP-Chapter 11 - Continuation

Technical Mechanisms: Process Isolation

Process isolation requires that the operating system provide separate memory spaces for each process’s instructions and data. It also requires that the operating system enforce those boundaries, preventing one process from reading or writing data that belongs to another process.

Page 8: CISSP-Chapter 11 - Continuation

Technical Mechanisms: Process Isolation (continued)

There are two major advantages to using process isolation:

1. It prevents unauthorized data access.

2. It protects the integrity of processes.

Page 9: CISSP-Chapter 11 - Continuation

Technical Mechanisms: Hardware Segmentation

Hardware segmentation is similar to process isolation in purpose—it prevents the access of information that belongs to a different process/security level. The main difference is that hardware segmentation enforces these requirements through the use of physical hardware controls rather than the logical process isolation controls imposed by an operating system.

Page 10: CISSP-Chapter 11 - Continuation

Security Protection Mechanisms

Policy Mechanisms

• Principle of Least Privilege

• Separation of Privilege

• Accountability

Page 11: CISSP-Chapter 11 - Continuation

Policy Mechanisms: Principle of Least Privilege

When designing operating system processes, you should always ensure that they run in user mode whenever possible. The greater the number of processes that execute in privileged mode, the higher the number of potential vulnerabilities that a malicious individual could exploit to gain supervisory access to the system.

Page 12: CISSP-Chapter 11 - Continuation

Policy Mechanisms: Separation of Privilege

The principle of separation of privilege builds upon the principle of least privilege. It requires the use of granular access permissions; that is, different permissions for each type of privileged operation. This allows designers to assign some processes rights to perform certain supervisory functions without granting them unrestricted access to the system.

Page 13: CISSP-Chapter 11 - Continuation

Policy Mechanisms: Accountability

Accountability is an essential component in any security design. Many high-security systems contain physical devices (such as pen registers and non-modifiable audit trails) that enforce individual accountability for privileged functionality.

Page 14: CISSP-Chapter 11 - Continuation

Security Models

Page 15: CISSP-Chapter 11 - Continuation

Security Models

In information security, models provide a way to formalize security policies. Such models can be abstract or intuitive, but all are intended to provide an explicit set of rules that a computer can follow to implement the fundamental security concepts, processes, and procedures that make up a security policy.

These models offer a way to deepen your understanding of how a computer operating system should be designed and developed to support a specific security policy.

Page 16: CISSP-Chapter 11 - Continuation

Security Models

• State machine model

• Information flow model

• Noninterference model

• Take-Grant model

• Access control matrix

• Bell-LaPadula

• Biba

• Clark-Wilson

• Brewer and Nash model

Page 17: CISSP-Chapter 11 - Continuation

State Machine Model

The state machine model describes a system that is always secure no matter what state it is in. It’s based on the computer science definition of a finite state machine (FSM).

Many security models are based on the secure state concept. According to the state machine model, a state is a snapshot of a system at a specific moment in time. If all aspects of a state meet the requirements of the security policy, that state is considered secure.

Page 18: CISSP-Chapter 11 - Continuation

Information Flow Model

The information flow model focuses on the flow of information. Information flow models are based on a state machine model. Information flow models are designed to prevent unauthorized, insecure, or restricted information flow.

Page 19: CISSP-Chapter 11 - Continuation

Noninterference Model

The noninterference model is loosely based on the information flow model. However, instead of being concerned about the flow of information, the noninterference model is concerned with how the actions of a subject at a higher security level affect the system state or actions of a subject at a lower security level.

Page 20: CISSP-Chapter 11 - Continuation

Take-Grant Model

The Take-Grant model employs a directed graph to dictate how rights can be passed from one subject to another or from a subject to an object.

Simply put, a subject with the grant right can grant another subject or another object any other right they possess. Likewise, a subject with the take right can take a right from another subject.
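The take and grant rules above can be run on a small graph to see how rights spread. The following is an added example, not code from the slides: it models only the take and grant rules (the create and remove rules of the full model are left out), and every subject, object and edge in it is constructed sample data. The `closure` function applies the rules until nothing changes, which is the question a defender actually asks of such a graph: can a given subject ever end up holding a given right?

```python
# Added example (not from the slides): a small Take-Grant graph with the
# take and grant rewriting rules, plus a fixpoint closure that answers
# "can this subject ever obtain this right?". Create/remove rules of the
# full model are omitted; all names are constructed sample data.
from typing import Dict, Set, Tuple


class TakeGrantGraph:
    def __init__(self, subjects: Set[str]) -> None:
        self.subjects = set(subjects)                      # only subjects act
        self.edges: Dict[Tuple[str, str], Set[str]] = {}   # (src, dst) -> rights

    def add(self, src: str, dst: str, *rights: str) -> bool:
        """Add rights to an edge; True if the graph actually changed."""
        cell = self.edges.setdefault((src, dst), set())
        before = len(cell)
        cell.update(rights)
        return len(cell) != before

    def rights(self, src: str, dst: str) -> Set[str]:
        return set(self.edges.get((src, dst), set()))

    def take(self, s: str, x: str, y: str, r: str) -> bool:
        """Take rule: s holds 't' over x and x holds r over y, so s gains r over y."""
        if s in self.subjects and "t" in self.rights(s, x) and r in self.rights(x, y):
            return self.add(s, y, r)
        return False

    def grant(self, s: str, x: str, y: str, r: str) -> bool:
        """Grant rule: s holds 'g' over x and r over y, so s may give x the right r over y."""
        if s in self.subjects and "g" in self.rights(s, x) and r in self.rights(s, y):
            return self.add(x, y, r)
        return False

    def closure(self) -> "TakeGrantGraph":
        """Apply take/grant until nothing changes (finite: no vertices are created)."""
        g = TakeGrantGraph(self.subjects)
        for (src, dst), rs in self.edges.items():
            g.add(src, dst, *rs)
        changed = True
        while changed:
            changed = False
            for (s, x), sx in list(g.edges.items()):
                if s not in g.subjects:
                    continue
                for (a, y), ay in list(g.edges.items()):
                    if "t" in sx and a == x:          # s can take what x holds over y
                        for r in set(ay):
                            changed |= g.take(s, x, y, r)
                    if "g" in sx and a == s:          # s can grant x what s holds over y
                        for r in set(ay):
                            changed |= g.grant(s, x, y, r)
        return g


def can_acquire(g: TakeGrantGraph, subject: str, obj: str, right: str) -> bool:
    """Does some sequence of take/grant steps give subject the right over obj?"""
    return right in g.closure().rights(subject, obj)


def demo_graph() -> TakeGrantGraph:
    """Constructed sample: alice can take from bob, bob can grant to carol."""
    g = TakeGrantGraph(subjects={"alice", "bob", "carol", "dave"})
    g.add("alice", "bob", "t")
    g.add("bob", "secret.txt", "r")
    g.add("bob", "carol", "g")
    g.add("bob", "log.txt", "w")
    g.add("dave", "audit.log", "r")
    return g


if __name__ == "__main__":
    g = demo_graph()
    for subject, obj, right in [("alice", "secret.txt", "r"), ("carol", "secret.txt", "r"),
                                ("dave", "secret.txt", "r"), ("alice", "audit.log", "r")]:
        print(f"{subject} can acquire {right} on {obj}: {can_acquire(g, subject, obj, right)}")
```

In the sample graph nobody grants carol read access to `secret.txt` directly, yet the closure shows she can obtain it (bob holds grant over carol and read over the file). Rights reachable only through a chain of take and grant steps are exactly what a static review of the initial edges misses, which is why the model is analysed as a graph rather than read off one edge at a time.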

Page 21: CISSP-Chapter 11 - Continuation

Access Control Matrix

An access control matrix is a table of subjects and objects that indicates the actions or functions that each subject can perform on each object.

Implementing an access control matrix model usually involves constructing an environment that can create and manage lists of subjects and objects and a function that can return the type associated with whatever object is supplied to that function as input.
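A concrete matrix makes the "table of subjects and objects" tangible. The block below is an added example, not code from the slides: a default-deny matrix with the two views commonly derived from it, an access control list (one object's column) and a capability list (one subject's row). The subjects, objects and rights are constructed sample data.

```python
# Added example (not from the slides): a minimal access control matrix with
# default-deny lookups plus the two views derived from it, an ACL (one
# object's column) and a capability list (one subject's row).
# Subjects, objects and rights below are constructed sample data.
from typing import Dict, FrozenSet, Set, Tuple


class AccessControlMatrix:
    """Rows are subjects, columns are objects, each cell holds a set of rights."""

    def __init__(self) -> None:
        self.subjects: Set[str] = set()
        self.objects: Set[str] = set()
        self._cells: Dict[Tuple[str, str], Set[str]] = {}

    def add_subject(self, subject: str) -> None:
        self.subjects.add(subject)

    def add_object(self, obj: str) -> None:
        self.objects.add(obj)

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        # Refuse to create cells for unknown principals or objects.
        if subject not in self.subjects or obj not in self.objects:
            raise KeyError(f"unknown subject/object: {subject!r}, {obj!r}")
        self._cells.setdefault((subject, obj), set()).update(rights)

    def revoke(self, subject: str, obj: str, *rights: str) -> None:
        self._cells.get((subject, obj), set()).difference_update(rights)

    def rights(self, subject: str, obj: str) -> FrozenSet[str]:
        # A missing cell means no rights: the matrix is default-deny.
        return frozenset(self._cells.get((subject, obj), ()))

    def allowed(self, subject: str, obj: str, right: str) -> bool:
        return right in self.rights(subject, obj)

    def acl(self, obj: str) -> Dict[str, FrozenSet[str]]:
        """Column view: which subjects hold which rights on one object."""
        return {s: self.rights(s, obj) for s in sorted(self.subjects) if self.rights(s, obj)}

    def capability_list(self, subject: str) -> Dict[str, FrozenSet[str]]:
        """Row view: everything one subject may do, object by object."""
        return {o: self.rights(subject, o) for o in sorted(self.objects) if self.rights(subject, o)}


def build_sample_matrix() -> AccessControlMatrix:
    """Constructed sample: a payroll database, an application log, a system file."""
    m = AccessControlMatrix()
    for s in ("alice", "bob", "svc_backup"):
        m.add_subject(s)
    for o in ("payroll.db", "app.log", "/etc/shadow"):
        m.add_object(o)
    m.grant("alice", "payroll.db", "read", "write")
    m.grant("bob", "payroll.db", "read")
    m.grant("bob", "app.log", "read", "write")
    m.grant("svc_backup", "payroll.db", "read")
    m.grant("svc_backup", "app.log", "read")
    return m


if __name__ == "__main__":
    m = build_sample_matrix()
    for subject, obj, right in [("alice", "payroll.db", "write"),
                                ("bob", "payroll.db", "write"),
                                ("svc_backup", "/etc/shadow", "read")]:
        verdict = "allow" if m.allowed(subject, obj, right) else "deny"
        print(f"{subject:>10} {right:>5} {obj:<12} -> {verdict}")
    print("ACL for payroll.db:", m.acl("payroll.db"))
    print("Capabilities of bob:", m.capability_list("bob"))
```

Note that `/etc/shadow` has no cell for anyone, so every request on it is denied without any explicit rule; a real system stores either the columns (ACLs, as most file systems do) or the rows (capabilities), since the full matrix is mostly empty.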

Page 22: CISSP-Chapter 11 - Continuation

Access Control Matrix (continued)

TABLE 1. An Access Control Matrix

Page 23: CISSP-Chapter 11 - Continuation

Bell-LaPadula Model

The Bell-LaPadula model was developed out of the U.S. Department of Defense (DoD) multilevel security policy. The DoD’s policy includes four levels of classification, from most sensitive to least: top secret, secret, confidential, and unclassified.

The Bell-LaPadula model is focused on maintaining the confidentiality of objects. Bell-LaPadula does not address the aspects of integrity or availability for objects.

Page 24: CISSP-Chapter 11 - Continuation

Bell-LaPadula Model (continued)

By design, the Bell-LaPadula model prevents the leaking or transfer of classified information to less-secure clearance levels. This is accomplished by blocking lower-classified subjects from accessing higher-classified objects.

Page 25: CISSP-Chapter 11 - Continuation

Bell-LaPadula Model (continued)

Bell-LaPadula efficiently manages confidentiality, but it fails to address or manage numerous other important issues:

• It does not address integrity or availability.

• It does not address access control management, nor does it provide a way to assign or change an object’s or subject’s classification level.

• It does not prevent covert channels.

• It does not address file sharing (a common feature on networked systems).

Page 26: CISSP-Chapter 11 - Continuation

Biba Model

The Biba model, or Biba integrity model, is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity.

In general, the model was developed to circumvent a weakness in the Bell-LaPadula model, which only addresses data confidentiality.

Page 27: CISSP-Chapter 11 - Continuation

Biba Model (continued)

Biba was designed to address three integrity issues:

1. Prevent modification of objects by unauthorized subjects.

2. Prevent unauthorized modification of objects by authorized subjects.

3. Protect internal and external object consistency.
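The Bell-LaPadula slides and the Biba slides above describe rules that mirror each other, and the mirroring is easiest to see when both are written as a reference-monitor check over the same labels. The following is an added example, not code from the slides: it enforces Bell-LaPadula's simple security property and *-property (no read up, no write down) beside Biba's simple integrity property and integrity *-property (no read down, no write up). The confidentiality levels are the four DoD levels named on the slides; the integrity levels, the `Label` type and the subjects and objects are constructed for the example. Each request is treated as a state transition that is refused if the resulting state would violate either property, which is what makes both models state machine models.

```python
# Added example (not from the slides): Bell-LaPadula (confidentiality) and
# Biba (integrity) checks side by side. CONFIDENTIALITY uses the DoD levels
# from the slides; INTEGRITY and every label below are constructed.
from dataclasses import dataclass
from typing import Tuple

CONFIDENTIALITY = ("unclassified", "confidential", "secret", "top secret")  # low -> high
INTEGRITY = ("low", "medium", "high")                                        # constructed


@dataclass(frozen=True)
class Label:
    confidentiality: str
    integrity: str

    def c(self) -> int:
        return CONFIDENTIALITY.index(self.confidentiality)  # ValueError on unknown level

    def i(self) -> int:
        return INTEGRITY.index(self.integrity)


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula: simple security property (read) and *-property (write)."""
    if op == "read":
        return subject.c() >= obj.c()   # no read up
    if op == "write":
        return subject.c() <= obj.c()   # no write down
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba: simple integrity property (read) and integrity *-property (write)."""
    if op == "read":
        return subject.i() <= obj.i()   # no read down
    if op == "write":
        return subject.i() >= obj.i()   # no write up
    raise ValueError(f"unknown operation {op!r}")


def mediate(subject: Label, obj: Label, op: str) -> Tuple[bool, str]:
    """Combined decision: (allowed, reason). A system applying both models must pass
    both checks; failing either one is enough to refuse the state transition."""
    if not blp_allows(subject, obj, op):
        return False, f"Bell-LaPadula forbids {op} ({subject.confidentiality} -> {obj.confidentiality})"
    if not biba_allows(subject, obj, op):
        return False, f"Biba forbids {op} ({subject.integrity} -> {obj.integrity})"
    return True, "both properties hold"


if __name__ == "__main__":
    analyst = Label("secret", "medium")
    for obj, op in [(Label("confidential", "medium"), "read"),
                    (Label("top secret", "medium"), "read"),
                    (Label("confidential", "medium"), "write"),
                    (Label("secret", "low"), "read"),
                    (Label("secret", "high"), "write")]:
        print(op, obj, "->", mediate(analyst, obj, op))
```

Reading the two functions together shows the duality: the comparison that Bell-LaPadula applies to reads, Biba applies to writes, and vice versa. It also shows the cost of stacking them: a subject at secret/medium can read an object only if it is at most secret and at least medium integrity, and write it only if it is at least secret and at most medium, so only objects labelled exactly like the subject are both readable and writable.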

Page 28: CISSP-Chapter 11 - Continuation

Clark-Wilson Model

The Clark-Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system.

The model is primarily concerned with formalizing the notion of information integrity. Information integrity is maintained by preventing corruption of data items in a system due to either error or malicious intent.

Page 29: CISSP-Chapter 11 - Continuation

Clark-Wilson Model (continued)

An integrity policy describes how the data items in the system should be kept valid from one state of the system to the next and specifies the capabilities of various principals in the system. The model defines enforcement rules and certification rules.
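The two Clark-Wilson slides above describe the model in terms of valid states, principals' capabilities, and enforcement and certification rules. The block below is an added example, not code from the slides, that turns those ideas into a toy enforcement layer: constrained data items (account balances), an integrity verification procedure that decides whether a state is valid, certified transformation procedures, and access triples of the form (user, TP, CDI). The rule labels in its messages (E1, E2, C1, C2) follow the usual numbering from the Clark-Wilson paper; the bank scenario, the users and the amounts are constructed for the example.

```python
# Added example (not from the slides): a toy Clark-Wilson enforcement layer.
# CDIs are account balances, the IVP checks that they are consistent, and
# users reach CDIs only through certified TPs named in access triples.
# The bank scenario is constructed sample data.
from typing import Callable, Dict, List, Set, Tuple


class IntegrityViolation(Exception):
    pass


class ClarkWilsonSystem:
    def __init__(self, ivp: Callable[[Dict[str, int]], bool]) -> None:
        self.cdis: Dict[str, int] = {}                 # constrained data items
        self.tps: Dict[str, Callable] = {}             # certified transformation procedures
        self.triples: Set[Tuple[str, str, str]] = set()  # (user, tp, cdi) relation
        self.ivp = ivp                                 # integrity verification procedure
        self.audit_log: List[str] = []                 # append-only record of TP runs

    def add_cdi(self, name: str, value: int) -> None:
        self.cdis[name] = value

    def certify_tp(self, name: str, fn: Callable) -> None:
        self.tps[name] = fn

    def authorize(self, user: str, tp: str, cdi: str) -> None:
        self.triples.add((user, tp, cdi))

    def execute(self, user: str, tp: str, *cdi_names: str, **params) -> None:
        if tp not in self.tps:
            raise IntegrityViolation(f"E1: {tp!r} is not a certified TP")
        for cdi in cdi_names:
            if (user, tp, cdi) not in self.triples:
                raise IntegrityViolation(f"E2: no access triple ({user}, {tp}, {cdi})")
        if not self.ivp(self.cdis):
            raise IntegrityViolation("C1: system is not in a valid state before the TP")
        snapshot = dict(self.cdis)
        self.tps[tp](self.cdis, *cdi_names, **params)
        if not self.ivp(self.cdis):
            self.cdis = snapshot                       # a TP must map valid state to valid state
            raise IntegrityViolation(f"C2: {tp!r} would leave the CDIs invalid; rolled back")
        self.audit_log.append(f"{user} ran {tp} on {cdi_names} {params}")


def transfer(cdis: Dict[str, int], src: str, dst: str, amount: int) -> None:
    """Certified TP: move funds between two accounts."""
    cdis[src] -= amount
    cdis[dst] += amount


def build_bank() -> ClarkWilsonSystem:
    """Constructed sample: two accounts, one teller, money must be conserved."""
    total = 1000

    def ivp(cdis: Dict[str, int]) -> bool:   # no overdrafts, and the total never changes
        return all(v >= 0 for v in cdis.values()) and sum(cdis.values()) == total

    system = ClarkWilsonSystem(ivp)
    system.add_cdi("acct_alice", 500)
    system.add_cdi("acct_bob", 500)
    system.certify_tp("transfer", transfer)
    for cdi in ("acct_alice", "acct_bob"):
        system.authorize("teller", "transfer", cdi)
    return system


def try_execute(system: ClarkWilsonSystem, user: str, tp: str, *cdis: str, **params) -> str:
    """Run a TP and report 'ok' or the rule label that blocked it."""
    try:
        system.execute(user, tp, *cdis, **params)
        return "ok"
    except IntegrityViolation as exc:
        return str(exc).split(":")[0]


if __name__ == "__main__":
    bank = build_bank()
    print(try_execute(bank, "teller", "transfer", "acct_alice", "acct_bob", amount=200), bank.cdis)
    print(try_execute(bank, "intern", "transfer", "acct_alice", "acct_bob", amount=1))
    print(try_execute(bank, "teller", "edit_balance", "acct_alice", amount=1))
    print(try_execute(bank, "teller", "transfer", "acct_alice", "acct_bob", amount=5000), bank.cdis)
```

The overdraft attempt is the instructive case: the teller is authorised and the TP is certified, yet the request is refused because the IVP would fail afterwards, and the balances are restored. Integrity here is a property of the whole state, not of the actor's permissions alone.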

Page 30: CISSP-Chapter 11 - Continuation

Brewer and Nash Model (a.k.a. Chinese Wall)

This model was created to permit access controls to change dynamically based on a user’s previous activity (making it a kind of state machine model as well). This model applies to a single integrated database; it seeks to create security domains that are sensitive to the notion of conflict of interest.
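The defining feature of Brewer and Nash is that a subject's own history changes what it may access next. The block below is an added example, not code from the slides: company datasets are grouped into conflict-of-interest classes, a read is allowed unless the subject has already read a different company in the same class, and a write is allowed only if the subject has read nothing from any other company (the model's *-property, here without the "sanitized data" exception). The companies, classes and analyst are constructed sample data.

```python
# Added example (not from the slides): a Chinese Wall (Brewer and Nash)
# policy whose decisions depend on each subject's access history.
# Companies, conflict classes and the analyst are constructed sample data.
from collections import defaultdict
from typing import Dict, List, Set, Tuple


class ChineseWall:
    def __init__(self, conflict_classes: Dict[str, Set[str]]) -> None:
        # company -> conflict-of-interest class it belongs to
        self.class_of: Dict[str, str] = {
            company: cls for cls, companies in conflict_classes.items() for company in companies
        }
        # subject -> companies whose data it has already read; this history is the
        # state that makes the access decision dynamic
        self.history: Dict[str, Set[str]] = defaultdict(set)

    def can_read(self, subject: str, company: str) -> bool:
        cls = self.class_of[company]
        return not any(
            self.class_of[prior] == cls and prior != company
            for prior in self.history[subject]
        )

    def read(self, subject: str, company: str) -> bool:
        """Mediate a read; on success record it, since it changes future decisions."""
        if not self.can_read(subject, company):
            return False
        self.history[subject].add(company)
        return True

    def can_write(self, subject: str, company: str) -> bool:
        """*-property: writing company data is allowed only if the subject can read it
        and has read no other company's data (which could otherwise leak across the wall)."""
        if not self.can_read(subject, company):
            return False
        return all(prior == company for prior in self.history[subject])


def run_scenario() -> List[Tuple[str, str, bool]]:
    """Constructed scenario: one analyst, two banks in conflict, one oil company."""
    wall = ChineseWall({"banks": {"BankA", "BankB"}, "oil": {"OilX"}})
    trace = []
    trace.append(("read", "BankA", wall.read("analyst", "BankA")))        # True
    trace.append(("read", "BankB", wall.read("analyst", "BankB")))        # False: conflicts with BankA
    trace.append(("read", "OilX", wall.read("analyst", "OilX")))          # True: different class
    trace.append(("write", "BankA", wall.can_write("analyst", "BankA")))  # False: has read OilX
    return trace


if __name__ == "__main__":
    for op, company, allowed in run_scenario():
        print(f"{op:>5} {company:<6} -> {'allow' if allowed else 'deny'}")
```

The last step is the one people tend to miss: the analyst is still entitled to read BankA, but because she has also read OilX, a write into BankA is refused, since it could carry OilX information into a dataset that other BankA readers see. The denial is caused entirely by prior reads, not by any static permission.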

Page 31: CISSP-Chapter 11 - Continuation

The End
