a security-centric ring-based software architecture 1 jay-evan j. tevis john a. hamilton, jr....
TRANSCRIPT
A Security-centric Ring-based Software Architecture
1
A Security-centric Ring-based Software Architecture
Jay-Evan J. Tevis John A. Hamilton, Jr.Western Illinois University Auburn University
Macomb, IL Auburn, AL
LeadershipOrganic Essentials
InfrastructurePopulation
Fighting Mechanism
A Security-centric Ring-based Software Architecture
2
Introduction
• Software systems are vulnerable to many different forms of attack
• Protection of such systems can be improved by viewing their key components from the perspective of an enemy attacker
A Security-centric Ring-based Software Architecture
3
Introduction (continued)
• Colonel John Warden developed a five-ring system model for military strategic warfare– It describes the parts of an enemy system as five
concentric rings
– It is designed for use in planning and conducting strategic targeting against an adversary
A Security-centric Ring-based Software Architecture
4
Introduction (continued)
• We apply this model to software architecture in a similar manner to identify– What system-level components are essential
– How these components can be better protected through a security-focused architectural design
A Security-centric Ring-based Software Architecture
5
Overview
• Security-centric software architectures• Design of a ring-based software architecture• A computer security adaptation using Warden’s
concentric rings• Adapting Warden’s model to computer security• Protecting centers of gravity in a software system• Conclusion and future plans
Overview
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
A Security-centric Ring-based Software Architecture
7
Critical Concepts in the Security Domain [Neumann]
• Multi-level security– Restrict flow of information from higher-security entities to lower-
security entities
• Multi-level integrity– Restrict dependencies between entities of higher integrity with
entities of lower integrity
• Multi-level availability– Restrict dependencies between entities of higher availability with
entities of lower availability
Security-centric Software Architectures
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
A Security-centric Ring-based Software Architecture
8
Security-centric Software Architectures
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
Multiple Security Rings [Gemini]
• High assurance security– Hardware and kernel-enforced protection
• Multi-level security– Enforcement of organizational access controls
• Cryptographic communication security– IPSec-based authentication, confidentiality, and integrity
• Integrated information systems security– Protection at transport and network layers
A Security-centric Ring-based Software Architecture
9
Seven Ring Gemguard Architecture [Gemini]
Security-centric Software Architectures
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
A Security-centric Ring-based Software Architecture
10
Security-centric Software Architectures
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
Properties of Ring-based Software Architectures [Schell]
• Memory segmentation
• Three protection rings– Security kernel
• Located in the most protected ring
• Enforces mandatory access controls
– Operating system
– Applications
• Although applied in research, such ring-based architectures are not widely deployed in industry
A Security-centric Ring-based Software Architecture
11
Security-centric Software Architectures
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
Ring-based Program Execution Policy [Nguyen and Levin]
• Mandatory access control (All users including root)
• Four ring-based execution domains– (3) Unprivileged application
– (2) Privileged application
– (1) Administration
– (0) Operating System
• Programs assigned to a less privileged ring are unable to execute or access objects allocated in a more privileged ring
A Security-centric Ring-based Software Architecture
13
Design of a Ring-based Software Architecture
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
Ring-based Architectural Style
Ring 0
Ring 1
Ring 2
Ring 3
Ring 4
A Security-centric Ring-based Software Architecture
14
Ring-based Architectural Style
• A variation of the layered architectural style
• Innermost ring is the lowest layer; outermost ring is the highest layer
• Geometric adjacency of two rings denotes an “allowed to use” relation
• Each entity in a specific ring can communicate with another entity
Design of a Ring-based Software Architecture
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
A Security-centric Ring-based Software Architecture
15
Ring-based Architectural Style (continued)
• Entities within a ring have no inherent adjacency; consequently, they are an unordered set– This tends towards more of a distributed environment
• Any entity in an inner ring is accessible only by an entity in the closest outer ring
• To access an inner ring, an entity in the adjacent outer ring must be used as the mediator or interface
Design of a Ring-based Software Architecture
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
A Security-centric Ring-based Software Architecture
16
Features of Rings as Interfaces
• Confidentiality (privacy)
• Authentication (who created or sent the data)
• Integrity (Data has not been altered)
• Non-repudiation (the order is final)
• Access control (prevent misuse of resources)
• Availability (Permanence or non-erasure of data)
Design of a Ring-based Software Architecture
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
A Security-centric Ring-based Software Architecture
17
Features of Rings as Gates [Fernandez]
• A set of protection rings correspond to domains of execution with hierarchical levels of trust
• Gates serve as protected entry points
• Crossing of a ring is done through gates that check the access rights of a process
Design of a Ring-based Software Architecture
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
A Security-centric Ring-based Software Architecture
18
Design Patterns for a Ring-based Software Architecture [Fernandez]
• File authorization
• Access control for virtual address space
• Execution domain
• Reference monitor
• Controlled execution environment
Design of a Ring-based Software Architecture
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
A Security-centric Ring-based Software Architecture
19
A Computer Security Adaptation using Warden’s Concentric Rings
A Security-centric Ring-based Software Architecture
20
Warden’s Five-Ring Model [Warden]
A Computer Security Adaptation using Warden’s Concentric Rings
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
Leadership
Organic Essentials
Infrastructure
Population
Fighting Mechanism
A Security-centric Ring-based Software Architecture
21
Five-Ring Model Applied to Other Domains [Warden]
A Computer Security Adaptation using Warden’s Concentric Rings
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
Body State Drug Cartel Electric Grid
Leadership Brain-eyes-nerves
Government-comm.-security
Leader-comm.-security
Central control
OrganicEssentials
Food and oxygen
EnergyMoney
Coca source plus conversion
Input(Hydro-electric)
Infrastructure Vessels, bones, muscles
Roads, airfields, factories
Roads, airways, sea lanes
Transmission lines
Population Cells People Growers Workers
Fighting Mechanism
Leukocyte Military, firemen
Street soldiers Lineman
A Security-centric Ring-based Software Architecture
22
A Computer Security Adaptation using Warden’s Concentric Rings
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
Executable code, sensors
Input data, electrical power
Memory, bus, data cables
Packets, bytes
Physical security measures
Computer Security Adaptation of Warden’s Model
A Security-centric Ring-based Software Architecture
23
Computer Security Rings• (0) Executable code and I/O sensors
• (1) Input/Output data and electrical power
• (2) Memory, system bus, data cables, converters
• (3) Packets, bytes
• (4) Physical security measures called upon by any of the inner rings to deal with an attack or an intrusion
A Computer Security Adaptation using Warden’s Concentric Rings
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
Note: Each ring is also a system within itself requiring protection
A Security-centric Ring-based Software Architecture
24
Protecting Centers of Gravity in a Software System
A Security-centric Ring-based Software Architecture
25
Protecting Centers of Gravity in a Software System
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
Centers of Gravity
• Centers of gravity are the components that are instrumental to a system’s function and survival
• The five rings in his model constitute five centers of gravity
• Each ring is a possible target requiring protection
• Without the functioning inner rings, an outer ring becomes a useless appendage
• Software engineers should ensure that the security protection in each ring cannot be easily defeated
A Security-centric Ring-based Software Architecture
26
Protecting Centers of Gravity in a Software System
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
Leadership Ring
• Failure of any critical components in the leadership ring leads to failure of the complete system
• Critical components must be identified and given the highest level of protection
• No vulnerability should exist that would allow changes to the program executable code without approval of the leadership ring
• Only the leadership ring should be able to disable system sensors
• With the innermost ring protected, each remaining ring must also be protected to avoid the threat of strategic paralysis
A Security-centric Ring-based Software Architecture
27
Protecting Centers of Gravity in a Software System
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
Organic Essentials Ring
• The organic essentials ring must be protected through redundancy (battery backup, alternate communication paths)
• Protection must also occur from excessive battery drain or signal jamming– Reduce battery usage, switch frequencies, shut down system
A Security-centric Ring-based Software Architecture
28
Protecting Centers of Gravity in a Software System
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
Infrastructure Ring
• The infrastructure ring must also be protected through redundancy (second system bus, additional communication cabling)
• Backup components are needed for each of the major production/transformation components of the software system– Shared memory, pipes, system bus
• The protection facilities must detect and minimize a denial of service attack and delete low priority or data-jamming traffic in order to thwart such an attack
A Security-centric Ring-based Software Architecture
29
Protecting Centers of Gravity in a Software System
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
Population Ring
• The population ring is less vulnerable to attack because of the large quantity of data “containers” that a system can produce
• The major threat is exhaustion of memory due to dynamic memory allocation
• Another threat is corruption or destruction of the contents of the data when in transit
• Protection approaches include error-detection mechanisms and sliding window protocols
A Security-centric Ring-based Software Architecture
30
Protecting Centers of Gravity in a Software System
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
Fighting Mechanism Ring
• The fighting mechanism ring is not as vital if each of the inner rings has been equipped with security protection mechanisms
• Nevertheless, centralizing the attacking role in this ring supports the software engineering principle of cohesion
• Protection includes not only attacking via counter measures, but also the sending of warnings and distress signals
• When designing security measures, the detection and handling of threats should always assume a parallel attack– More than one component in the same rings or in different rings may be
attacked simultaneously
– System security should not be centered on a single thread of protection in the outermost ring
A Security-centric Ring-based Software Architecture
32
Conclusion• The importance of computer system security demands better
security-centric software architectures
• Warden’s five-ring model provides a way to portray a computer system as viewed by an enemy attacker
• This modeling technique identifies the components of each ring and the centers of gravity needing the most protection
• It also points out the need for layered defenses against computer security threats
Conclusion and Future Plans
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
A Security-centric Ring-based Software Architecture
33
Related Work• Damage to the center ring of a software system will result in substantial
reduction in the computer’s ability to handle and process information [Kopp]
• The most serious problem in a software system is one of mismatch between the security framework of the legacy system and the target system’s standard protocol [Devanbu and Stubblebine]
• The security architecture can also be viewed as a pyramid [Schaumont and Verbauwhede]– (From top) Circuit, micro-architecture, architecture, algorithm, and protocol
• Fine-grain controls can be used at the level of individual data objects [Ioannidis, Bellovin, Smith]– All data objects are tagged with an identifier upon arrival from remote sources– The object identifier dictates permissions and privileges rather than the file
owner’s user’s ID and permissions as in UNIX
Conclusion and Future Plans
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans
A Security-centric Ring-based Software Architecture
34
Future Plans• Compare and contrast the ring-based architecture to the
monolithic architecture used by Linux
• Implement a prototype operating system that utilizes the security-centric ring-based approach
Conclusion and Future Plans
Security-centric Software ArchitecturesDesign of a Ring-based Software ArchitectureA Computer Security Adaptation using Warden’s Concentric RingsProtecting Centers of Gravity in a Software SystemConclusion and Future Plans