Exam Essentials: Chapter 8

Chapter 8: Principles of Security Models, Designs & Capabilities (WIP)

Know details about each of the access control models

• Know the access control models and their functions
• The state machine model ensures that all instances of subjects accessing objects are secure. A state transition occurs when accepting input or producing output, and always results in a new state.
  • A secure state machine model system always boots into a secure state, maintains a secure state across all transitions, and allows subjects to access resources only in a manner compliant with security policy.
  • The secure state machine model is used for the basis for many other security models.
• The information flow model is designed to prevent unauthorised, insecure or restricted information flow.
  • Bell-LaPadula and Biba are both information flow models (concerned with prevenint information flow from a high security level to a low security level, and a low to high security level respectively)
• The non-interference model prevents the actions of one subject from affecting the system state or actions of another subject.
• The Take-Grant model dictates how rights can be passed from one subject to another, or from a subject to an object.
  • A subject with the grant right can grant another subject or another object any other right they possess.
  • A subject with the take iright can take a right from another subject.
• An access control matrix is a table of subjects & objects that indicates the actions or functions that each subject can perform on each object.
  • Each column of the matrix is an access control list (ACL).
  • Each row of the matrix is is a capabilities list.
  • An ACL is tied to an object, and lists valid actions each subject can perform.
  • A capability list is tied to the subject, and lists valid actions that can be taken on each object.
• Bell-LaPadula subjects have a clearance level that allows them to access only those objects with the corresponding clearance levels; this enforces confidentiality.
  • Simple Security Property: A subject may not read information at a higher sensitivity level (no read up)
  • *-Security Property: A subject may not write information to an object at a lower sensitivity level (no write down) – also known as the Confinement Property
  • Discretionary Securtiy Property: States that the system uses an access matrix to enforce discretionary access control
  • Common in government & military applications, where confidentiality is often the most important security tenet
• Biba prevents subjects with lower security levels from writing to objects at higher security levels; this protects integrity.
  • Effectively the inverse of Bell-LaPadula
  • Simple Integrity Axiom: A subject cannot read an object at a lower integrity level (no read down)
  • *-Integrity Axiom: A subject cannot modify an object at a higher integrity level (no write up)
  • More common in commercial settings, where organisations are often more concerned about integriy than confidentiality.
• Clark-Wilson is an integrity model that relies on auditing to ensure that unauthorised subjects cannot access objects, and that authorised users access objects properly.
  • A constrained data item (CDI) is any data item whose integrity is protected by the security model.
  • An unconstrained data item (UDI) is any data item that is not controlled by the security model (this includes any output, as well as any unvalidated input data)
  • An integrity verification procedure (IVP) scans data items and confirms their integrity
  • Transformation procedures (TPs) are the only procedures that are allowed to modify a CDI.
  • Effectively enforces separation of duties.
• Brewer and Nash (aka Chinese Wall) permits access controls to change dynamically based on a usr’s previous activity (making it a kind of state machine model).
• Goguen-Meseguer and Sutherland also focus on integrity.
  • Goguen-Meseguer is based on the predeterming the set or domain (a list of objects that a subject can access), using automation theory & domain separation.
  • Sutherland is based on the idea of defining a set of system states, initial states and state transitions. A common use is to prevent a covert channel from being used to influence the outcome of a process or activity,
• Graham-Denning focuses on the secure creation & deletion of both subjects and objects.

Composition theories

• Some other models that fall into the information flow category work on the relation between inputs and outputs between multiple systems, rather than within an individual system.
• These are called composition theories because they explain how outputs from one system relate to inputs to another system.
• There are three recognised composition theories:
  • Cascading: Input from one system comes from the output of another system.
  • Feedback: One system provides input to another system, which reciprocates by reversing those roles.
  • Hookup: One system sends input to another system, but also sends input to external entities.

Know the definitions of certification & accreditation

• Certification is the technical evaluation of each part of a computer system to assess its adherence to security standards.
  • Only valid for a system in a specific environment and configuration
• Accreditation is the process of formal acceptance of a certified configuration from a designated authority (such as management).

Certification & accreditation systems

• The current DoD standard for certification & accreditation is RMF (Risk Management); replaced DIACAP & DITSCAP.
• The standard for all other US executive branch depts is CNSSP (Committee on National Security Systems Policy); replaced NIACAP.
• Both processes are divided into four phases:
  • Phase 1: Definition
  • Phase 2: Verification
  • Phase 3: Validation (certification & accreditation take place here)
  • Phase 4: Post-Accreditation

Be able to describe open & closed systems

• Open systems are designed using industry standards and are usually easy to integrate with other open systems
  • Because standard communication components are incorporated into open systems, there are far more predictable entry points & methods for launching attacks.
• Closed systems are generally proprietary hardware and/or software. Their specifications are not normally published, and they are usually harder to integrate with other systems.
  • In many cases, attacking a closed system is harder than launching an attack on an open system.
• Different from the concept of open source and closed source; a closed-source program can be either an open system or a closed system, and an open-source program can be either a closed system or an open system.

Know what confinement, bounds & isolation are

• Confinement restricts a process to reading from and writing to certain memory locations (also known as sandboxing).
  • Can be implemented through the OS, a confinement application/service such as Sandboxie, or a virtualisation/hypervisor solution.
• Bounds are the limits of memory a process cannot exceed when reading or writing.
• Isolation is the mode a process runs in when it is confined through the use of memory bounds.

Be able to define object and subject in terms of access

• The subject is the user or process that makes a request to access a resource.
• The object is the resource a user or process wants to access.
• Transitive trust is the concept that if A trusts B and B trusts C, then A trusts C (it inherits trust of C through the transitive property).

Know how security controls work and what they do

• Security controls use access rules to limit the access by a subject to an object.
• The primary goal of controls is to ensure the confidentiality & integrity of data by disallowing unauthorised access by authorised or unauthorised subjects.

Be able to list the classes of TCSEC, ITSEC and the Common Criteria

• The classes of TCSEC (Orange Book) include verified protection (A or A1), mandatory protection (B), discretionary protection (C) and minimal protection (D).
  • C is split into C1 (discretionary security protection) and C2 (controlled access protection), where C2 is more secure than C1.
  • B is split into B1 (labelled security), B2 (structured protection) and B3 (security domain, where B3 is the most secure in the class.
• ITSEC rates the functionality of the system from F-D through F-B3, mirroring TCSEC classes (though there is no F-A1), and the assurance of a system from E0-E6.
• The Common Criteria specifies 7 Evaluation Assurance Levels
  • EAL1: Functionally tested
  • EAL2: Structurally tested
  • EAL3: Methodically tested & checked
  • EAL4: Methodically designed, tested & reviewed
  • EAL5: Semi-formally designed & tested
  • EAL6: Semi-formally verified, designed & tested
  • EAL7: Formally verified, designed & tested
• These map to TCSEC and ITSEC as per the table below:

TCSEC	ITSEC	Common Criteria	Description
D	F-D + E0	EAL0, EAL1	Minimal/no protection
C1	F-C1 + E1	EAL2	Discretionary security mechanims
C2	F-C2 + E2	EAL3	Controlled access protection
B1	F-B1 + E3	EAL4	Labelled security protection
B2	F-B2 + E4	EAL5	Structured security protection
B3	F-B3 + E5	EAL6	Security domains
A1	F-B3 + E6	EAL7	Verified security design

Common Criteria terms

• Target of evaluation (TOE) is the system being evaluated (term also used in ITSEC).
• A protection profile (PP) specifies the security requirements and protections that apply to a particular class of product (e.g. a firewall)
• A security target (ST) specifies the claims of security from the vendor.
• The PP is compared to various STs from the selected vendors TOEs.

Trust & assurance

• Security must be integrated before and during the design & architectural period in order to produce a reliably secure product; baked in, not sprayed on!
• A trusted system is one in which all protection mechanisms work together to process sensitive data for many types of users while maintaining a stable & secure computing environment.
• Assurance is simply the degree of confidence in satisfaction of security needs. It must be continually maintained, updated & reverified if the system experiences a known change or a significant amount of time has passed.
• Trust can be built into a system by implementing specific security features; acssurance is an assessment of the reliablity & usability of those security features in a real-world situation.

Tokens, capabilities & labels

• A security token is a separate object associated with a resource, describing its security attributes. It can communicate security information about an object prior to requsting access to the actually object.
• A capabilities list maintains a row of security attributes for each controlled object. Although not as flexible as the token approach, capabilities lists generally offer quicker lookups when a subject requests access to an object.
• A third common type of attribute storage is a security label, which is generally a permanent part of the object to which it is attached. Once a security label is set, it usually cannot be altered. This provides another safeguard against tampering that neither tokens nor capabilities lists provide.

Define a trusted computing base (TCB)

• A TCB is the combination of hardware, software and controls that form a trusted base that enforces the security policy.
• The TCB is a subset of a complete information system, and it should be as small as possible to allow detailed analysis to reasonable ensure that the system meets design specifications & requirements.
• The TCB is the only portion of the system that can be trusted to adher to and enforce the security policy; it is not necessary that all every component in a system be trusted.

Be able to explain what a security perimeter is

• A security perimeter is the imaginary boundary that separates the TCB from the rest of the system.
• TCB components communicate with non-TCB components using trusted paths.

Know what a reference model & the security kernel are

• The reference monitor is the logical part of the TCB that confirms whether a subject has the right to use a resource prior to granting access.
• The security kernel is the collection of TCB components that implement the functionality of the reference monitor.

Understand the security capabilities of information systems

• Common security capabilities include memory protection, virtualisation and TPM (Trusted Platform Module).
• Constrained or restricted interfaces limit the actions that users can take within a system.