a security-centric ring-based software architecture 1 jay-evan j. tevis john a. hamilton, jr....

A Security-centric Ring-based Software Architecture

1


Jay-Evan J. Tevis John A. Hamilton, Jr.Western Illinois University Auburn University

Macomb, IL Auburn, AL

LeadershipOrganic Essentials

InfrastructurePopulation

Fighting Mechanism


2

Introduction

• Software systems are vulnerable to many different forms of attack

• Protection of such systems can be improved by viewing their key components from the perspective of an enemy attacker


3

Introduction (continued)

• Colonel John Warden developed a five-ring system model for military strategic warfare– It describes the parts of an enemy system as five

concentric rings

– It is designed for use in planning and conducting strategic targeting against an adversary


4

Introduction (continued)

• We apply this model to software architecture in a similar manner to identify– What system-level components are essential

– How these components can be better protected through a security-focused architectural design


5

Overview

• Security-centric software architectures• Design of a ring-based software architecture• A computer security adaptation using Warden’s

concentric rings• Adapting Warden’s model to computer security• Protecting centers of gravity in a software system• Conclusion and future plans

Overview

Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans


6

Security-centric Software Architectures


7

Critical Concepts in the Security Domain [Neumann]

• Multi-level security– Restrict flow of information from higher-security entities to lower-

security entities

• Multi-level integrity– Restrict dependencies between entities of higher integrity with

entities of lower integrity

• Multi-level availability– Restrict dependencies between entities of higher availability with

entities of lower availability




8



Multiple Security Rings [Gemini]

• High assurance security– Hardware and kernel-enforced protection

• Multi-level security– Enforcement of organizational access controls

• Cryptographic communication security– IPSec-based authentication, confidentiality, and integrity

• Integrated information systems security– Protection at transport and network layers


9

Seven Ring Gemguard Architecture [Gemini]




10



Properties of Ring-based Software Architectures [Schell]

• Memory segmentation

• Three protection rings– Security kernel

• Located in the most protected ring

• Enforces mandatory access controls

– Operating system

– Applications

• Although applied in research, such ring-based architectures are not widely deployed in industry


11



Ring-based Program Execution Policy [Nguyen and Levin]

• Mandatory access control (All users including root)

• Four ring-based execution domains– (3) Unprivileged application

– (2) Privileged application

– (1) Administration

– (0) Operating System

• Programs assigned to a less privileged ring are unable to execute or access objects allocated in a more privileged ring


12

Design of a Ring-based Software Architecture


13



Ring-based Architectural Style

Ring 0

Ring 1

Ring 2

Ring 3

Ring 4


14

Ring-based Architectural Style

• A variation of the layered architectural style

• Innermost ring is the lowest layer; outermost ring is the highest layer

• Geometric adjacency of two rings denotes an “allowed to use” relation

• Each entity in a specific ring can communicate with another entity




15

Ring-based Architectural Style (continued)

• Entities within a ring have no inherent adjacency; consequently, they are an unordered set– This tends towards more of a distributed environment

• Any entity in an inner ring is accessible only by an entity in the closest outer ring

• To access an inner ring, an entity in the adjacent outer ring must be used as the mediator or interface




16

Features of Rings as Interfaces

• Confidentiality (privacy)

• Authentication (who created or sent the data)

• Integrity (Data has not been altered)

• Non-repudiation (the order is final)

• Access control (prevent misuse of resources)

• Availability (Permanence or non-erasure of data)




17

Features of Rings as Gates [Fernandez]

• A set of protection rings correspond to domains of execution with hierarchical levels of trust

• Gates serve as protected entry points

• Crossing of a ring is done through gates that check the access rights of a process




18

Design Patterns for a Ring-based Software Architecture [Fernandez]

• File authorization

• Access control for virtual address space

• Execution domain

• Reference monitor

• Controlled execution environment




19

A Computer Security Adaptation using Warden’s Concentric Rings


20

Warden’s Five-Ring Model [Warden]



Leadership

Organic Essentials

Infrastructure

Population

Fighting Mechanism


21

Five-Ring Model Applied to Other Domains [Warden]



Body State Drug Cartel Electric Grid

Leadership Brain-eyes-nerves

Government-comm.-security

Leader-comm.-security

Central control

OrganicEssentials

Food and oxygen

EnergyMoney

Coca source plus conversion

Input(Hydro-electric)

Infrastructure Vessels, bones, muscles

Roads, airfields, factories

Roads, airways, sea lanes

Transmission lines

Population Cells People Growers Workers

Fighting Mechanism

Leukocyte Military, firemen

Street soldiers Lineman


22



Executable code, sensors

Input data, electrical power

Memory, bus, data cables

Packets, bytes

Physical security measures

Computer Security Adaptation of Warden’s Model


23

Computer Security Rings• (0) Executable code and I/O sensors

• (1) Input/Output data and electrical power

• (2) Memory, system bus, data cables, converters

• (3) Packets, bytes

• (4) Physical security measures called upon by any of the inner rings to deal with an attack or an intrusion



Note: Each ring is also a system within itself requiring protection


24

Protecting Centers of Gravity in a Software System


25



Centers of Gravity

• Centers of gravity are the components that are instrumental to a system’s function and survival

• The five rings in his model constitute five centers of gravity

• Each ring is a possible target requiring protection

• Without the functioning inner rings, an outer ring becomes a useless appendage

• Software engineers should ensure that the security protection in each ring cannot be easily defeated


26



Leadership Ring

• Failure of any critical components in the leadership ring leads to failure of the complete system

• Critical components must be identified and given the highest level of protection

• No vulnerability should exist that would allow changes to the program executable code without approval of the leadership ring

• Only the leadership ring should be able to disable system sensors

• With the innermost ring protected, each remaining ring must also be protected to avoid the threat of strategic paralysis


27



Organic Essentials Ring

• The organic essentials ring must be protected through redundancy (battery backup, alternate communication paths)

• Protection must also occur from excessive battery drain or signal jamming– Reduce battery usage, switch frequencies, shut down system


28



Infrastructure Ring

• The infrastructure ring must also be protected through redundancy (second system bus, additional communication cabling)

• Backup components are needed for each of the major production/transformation components of the software system– Shared memory, pipes, system bus

• The protection facilities must detect and minimize a denial of service attack and delete low priority or data-jamming traffic in order to thwart such an attack


29



Population Ring

• The population ring is less vulnerable to attack because of the large quantity of data “containers” that a system can produce

• The major threat is exhaustion of memory due to dynamic memory allocation

• Another threat is corruption or destruction of the contents of the data when in transit

• Protection approaches include error-detection mechanisms and sliding window protocols


30



Fighting Mechanism Ring

• The fighting mechanism ring is not as vital if each of the inner rings has been equipped with security protection mechanisms

• Nevertheless, centralizing the attacking role in this ring supports the software engineering principle of cohesion

• Protection includes not only attacking via counter measures, but also the sending of warnings and distress signals

• When designing security measures, the detection and handling of threats should always assume a parallel attack– More than one component in the same rings or in different rings may be

attacked simultaneously

– System security should not be centered on a single thread of protection in the outermost ring


31

Conclusion and Future Plans


32

Conclusion• The importance of computer system security demands better

security-centric software architectures

• Warden’s five-ring model provides a way to portray a computer system as viewed by an enemy attacker

• This modeling technique identifies the components of each ring and the centers of gravity needing the most protection

• It also points out the need for layered defenses against computer security threats




33

Related Work• Damage to the center ring of a software system will result in substantial

reduction in the computer’s ability to handle and process information [Kopp]

• The most serious problem in a software system is one of mismatch between the security framework of the legacy system and the target system’s standard protocol [Devanbu and Stubblebine]

• The security architecture can also be viewed as a pyramid [Schaumont and Verbauwhede]– (From top) Circuit, micro-architecture, architecture, algorithm, and protocol

• Fine-grain controls can be used at the level of individual data objects [Ioannidis, Bellovin, Smith]– All data objects are tagged with an identifier upon arrival from remote sources– The object identifier dictates permissions and privileges rather than the file

owner’s user’s ID and permissions as in UNIX




34

Future Plans• Compare and contrast the ring-based architecture to the

monolithic architecture used by Linux

• Implement a prototype operating system that utilizes the security-centric ring-based approach




35


Any Questions?

a security-centric ring-based software architecture 1 jay-evan j. tevis john a. hamilton, jr....

Documents

computer security adaptation

highersecurity entities

software system conclusion

introduction software

ring system model

ring gemguard

wardens concentric rings

systemlevel components