Domain 6 Security Architecture and Models

Upload: hortense-julia-thomas

Post on 20-Jan-2016


Page 1: Domain 6 Security Architecture and Models. 9-8-992 Domain Objective The objective of this domain is to understand: security models in terms of confidentiality,

Domain 6

Security Architecture and Models


9-8-99 2

Domain Objective

The objective of this domain is to understand:

• security models in terms of confidentiality, integrity, availability, operations, and government versus commercial requirements

• system models and the different industry standards that apply to them

• the technical platforms that security operates on in terms of hardware, firmware, and software


A-I-C Triad (diagram): Availability, Integrity, Confidentiality


Domain Summary

The information for this domain represents 10% of the CISSP exam content. This domain covers security architecture concepts, principles, structures, and standards; the computer and network organizations that work with the security architecture; and some of the common security issues pertaining to security models and system applications.


Information Technology

Technical Platforms


Operating System Utilities and Software (layered diagram, top to bottom):

• Application Programs

• Utilities

• Operating System

• Computer Hardware


Computer Hardware (SRV Theory 601.1)

• Central Processing Unit (CPU) – the control unit, arithmetic and logic unit, and primary storage unit
- Supervisor state – program can access entire system
- Problem state – only non-privileged instructions executed

• Memory Types
- real – main storage area in virtual computer memory; real and main storage are identical
- virtual – storage space on a computer used as addressable memory
- random memory – all of the computer’s primary working memory


Computer Hardware (SRV Theory 601.1)

• Bus - the internal connection inside the computer between devices, power, and internal circuit boards

• Channels - the path along which data can be sent between main memory and a peripheral device

• Storage - computer memory, disks, or tapes used for holding data during processing


Computer Software (SRV Theory 601.2)

Operating System Software – four components:

• process management - controls program execution to make sure that programs share resources

• I/O device management - issues commands to devices that read and write to the system

• memory management - keeps track of which parts of memory are in use or not in use

• system file management - read, write, erase functions that the operating system uses to manage files


System Recovery (SRV Theory 601.3)

There are three general operating system failure recovery actions:

• system reboot - system is shut down in a controlled manner and is restarted to free up resources

• emergency system restart - system is locked and is unresponsive; a system maintenance mode is started and system is recovered with a restart

• system cold start - system is locked and will not restart; physical intervention is needed to reset system and load system from bootstrap


Information Security Architecture

Framework and Concepts


IT Architecture (SRV Theory 602.2)

Information Technology (IT) architecture is an integrated framework for managing IT goals and business

• Logical architecture - provides high-level description of a company’s functional requirements for information and system processing

• Technical architecture - defines specific IT standards and rules that are physically used to implement the logical architecture


Security System Architecture

• Execution domain – OS system area protected from both deliberate tampering and inadvertent modification

• Enforcement of least privilege:
- processes have no more privilege than needed to perform functions
- only modules needing complete system privileges are located in kernel
- other modules call on more privileged routines only as needed and as long as needed


Security System Architecture

• Protection mechanisms:
- layering – processes constructed in layers where each layer deals with specific activity
- abstraction – establishment of specific set of permissible values and operations
- data hiding – layer in one hierarchy has no access to data in another layer

• Process isolation – ensures multiple processes run concurrently without conflicting with each other

• Resource access control - process of limiting access to resources of a system


Security System Architecture

• Token – a specific privilege or capability conferred based on authentication from an electronically coded device (SRV Theory 602.2)

• Capability – a defined representation (i.e. token) of the resource and access rights to a resource (SRV Theory 602.2)

• Security labels - a designation assigned to a resource used to identify a security purpose (SRV Theory 602.2)


Open and Closed Systems (SRV Theory 602.4)

• Open system - is not a secure system
- system employing standard user interfaces
- user provided with access to total system capability
- system open to spiteful acts
- most computer systems operate in an open environment

• Closed system - is a secure system
- system without standard user interfaces
- user limited to single proprietary language or application
- lacks interoperability with other vendor systems


Objects and Subjects (SRV Theory 602.10)

Important concepts to remember for this domain:

• Object - a passive entity that contains or receives information
– can be hardware, software, as well as system processes

• Subject - an active entity that causes information to flow among objects
– can be a person, process, or device


Access Controls (SRV Theory 602.5)

• Mandatory - restrict access to objects based on sensitivity of information and subject’s authorization
– mandatory access is usually controlled through security labels
– a subject cannot delegate their access to another

• Discretionary - restrict access to objects based on subject’s identity and need-to-know
– a subject can delegate their access to another
– system has the ability to control information on an individual basis


Reference Monitor (SRV Theory 602.11)

• Reference monitor – conceptual access control device that mediates all accesses to objects by subjects; a kernel
– security kernel – the hardware, firmware, and software elements of a trusted computing base that implement the reference monitor concept
– Trusted Computing Base (TCB) – all protection mechanisms within a computer system used for enforcing a security policy

• Security perimeter - a boundary in which a reference monitor operates (SRV Theory 602.1)
- the security kernel, as well as other security related system functions, are within the (imaginary) boundary of the TCB
- system elements outside the security perimeter need not be trusted


Architectural Foundation (SRV Theory 602.1)

• Elements of computer trustworthiness
– trusted computing base
– enforcement of security policy
– domain separation
  • domain is the set of objects that a subject can access
  • separation is the mechanism that protects objects in the system
– defined subset - only TCB controlled subjects can access all objects
– resource isolation - the containment of subjects and objects to assure TCB control is maintained


Architectural Foundation (SRV Theory 602.1)

• Elements of computer trustworthiness (continued)
– hardware isolation – TCB separated from untrusted parts of the system
– software isolation – containment of subjects and objects to an application
– software mediation – control of subject access to system resources


Modes of Operation (SRV Theory 602.14)

Operating modes are the conditions under which a computer security system functions, based on authorization and data sensitivity:

• Dedicated security mode - all users have access to all data

• System high mode – all personnel have passed clearance and formal access approval, but not necessarily the need-to-know for all data

• Partitioned (compartmented) mode – each user with access needs must meet the security criteria for that area

• Multilevel secure (MLS) mode – not all personnel have the same clearance or formal access approval; the system handles information at multiple levels for individuals holding different clearances


Certification and Accreditation (SRV Theory 602.3)

Certification and accreditation are a set of procedures and judgements regarding the suitability of a system to securely operate in its intended environment

• Certification - technical evaluation of system security features for the purpose of accreditation
– ideally it is an ongoing set of validation processes
– should be reviewed whenever a major change occurs

• Accreditation - official management decision to operate the system
- approval of given operational concept and environment
- risks formally accepted


Information Security Structures

Standards and Models


IETF Security Architecture (SRV Theory 602.6)

IP security architecture (IPSEC) RFC 2401
- IP security is designed to provide interoperable, high-quality, cryptographically based security for IPv4 and IPv6
- not developed as an overall Internet security architecture
- addresses security at the Internet protocol layer – gateway and firewall systems
- critically dependent on security of environment
  - operating system security
  - system management
  - random number sources
  - system time variations


IETF Security Architecture (SRV Theory 602.6)

IPSEC protocols for communications security:

• IP Authentication Header (AH)
- provides connectionless integrity, data origin authentication, and an optional anti-replay service

• Encapsulating Security Payload (ESP)
- provides confidentiality (encryption) and limited traffic flow confidentiality
- may provide connectionless integrity, data origin authentication, and anti-replay service


Security Association (SA)

• All IPSEC implementations must support a security association

• Simplex - (one-way) connection that affords security services to the IP traffic carried by it

• Security services are afforded by the use of AH or ESP protocol but not both

• A security association is uniquely identified by a triple
- security parameter index (SPI), an IP destination address, and a security protocol (AH or ESP)


Security Association (SA)

• Security associations may be combined in 2 ways
- transport adjacency – applying more than one security protocol to the same IP datagram, without invoking tunneling
  - allows for only one level of combination
  - processing is performed at one IPSec instance
- iterated tunneling – application of multiple layers of security protocols
  - allows for multiple levels of security protocol nesting
  - each tunnel can originate or terminate at a different IPSec site along the transmission path
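To make the SA triple and the anti-replay service of the preceding slides concrete, here is an added example (not from the slides or from any IPsec implementation) of an inbound SA database keyed by (SPI, destination, protocol) with an RFC 2401-style sliding-window replay check; transport adjacency shows up as a second SA that shares SPI and destination but carries the other protocol. The SAKey, SecurityAssociation, SADatabase and process_inbound names, the 64-bit window and the addresses are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SAKey:
    """The RFC 2401 triple that uniquely identifies a security association."""
    spi: int
    dst: str      # IP destination address, kept as a string for the lookup key
    proto: str    # "AH" or "ESP"; one SA never carries both


@dataclass
class SecurityAssociation:
    key: SAKey
    window_size: int = 64   # anti-replay window width (RFC 2401: min 32, default 64)
    highest_seq: int = 0    # right edge of the window: highest sequence number accepted
    window: int = 0         # bitmask; bit i set means highest_seq - i has been seen

    def check_replay(self, seq):
        """Sliding-window anti-replay check: accept and record a fresh sequence
        number, reject replays and numbers that have fallen off the window."""
        if seq <= 0:
            return False                        # sequence numbers start at 1
        if seq > self.highest_seq:              # advance the window to the new right edge
            shift = seq - self.highest_seq
            if shift >= self.window_size:
                self.window = 1                 # everything older falls off
            else:
                mask = (1 << self.window_size) - 1
                self.window = ((self.window << shift) | 1) & mask
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= self.window_size:
            return False                        # too old to track: treated as a replay
        if self.window & (1 << diff):
            return False                        # already seen: replay
        self.window |= 1 << diff                # late but fresh: record it
        return True


class SADatabase:
    """Inbound SAD: every SA is found by its (SPI, destination, protocol) triple."""
    def __init__(self):
        self._sas = {}

    def add(self, spi, dst, proto):
        key = SAKey(spi, dst, proto)
        self._sas[key] = SecurityAssociation(key)
        return self._sas[key]

    def lookup(self, spi, dst, proto):
        return self._sas.get(SAKey(spi, dst, proto))


def process_inbound(sad, spi, dst, proto, seq):
    """Receiver-side decision for one AH or ESP header (constructed example)."""
    sa = sad.lookup(spi, dst, proto)
    if sa is None:
        return "drop: no SA"
    if not sa.check_replay(seq):
        return "drop: anti-replay"
    return "accept"
```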


ITSEC Standard (SRV Theory 602.7)

Information Technology Security Evaluation Criteria (ITSEC) - European standard for IT security criteria

• Scope - addresses three basic threats, has three functional levels, eight basic security functions, ten functionality classes, eight hierarchical assurance levels, and seven levels of correctness of security mechanisms
– IT product - off-the-shelf hardware or software package
– IT system - designed and built product for specific needs
– the criteria are not a design guide for secure products or systems
– Target of Evaluation (TOE) - refers to the product or system to be evaluated
– closely maps to Orange Book criteria


TCSEC Standard (SRV Theory 602.8)

Trusted Computer System Evaluation Criteria (TCSEC) - US DoD standard for security criteria (Orange Book)

• Scope - six fundamental security requirements and four evaluation criteria divisions
– standard has been superseded, no longer in use
– Classes:
  • D - minimal protection, has only one class
  • C - discretionary protection, has two classes
  • B - mandatory protection, has three classes
  • A - verified protection, has only one class


Security Models (SRV Theory 602.12)

• Bell-LaPadula - information flow security model
- abstract formal treatment of DoD security policy
- uses mathematics and set theory to define concept of secure state
- explicitly defines fundamental modes of access (read, write)
- rules for controlling subjects’ access to objects
- information will not flow to an object of lesser classification


Security Models (SRV Theory 602.12)

• Biba - integrity model in which no subject may depend on a less trusted object, including another subject
- first to address integrity in computer systems
- based on hierarchical lattice of integrity levels
- elements
  - set of subjects (active, information processing)
  - set of objects (passive, information repository)
- addresses first goal of integrity – prevent unauthorized users from making modifications
- mathematical dual of confidentiality policy
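The reference monitor from the earlier slide and the Bell-LaPadula and Biba rules on these two slides combine into one small check, given here as an added example (not from the slides): a Label is a level plus compartments ordered as a lattice, blp_allows enforces no-read-up and no-write-down on classification, biba_allows enforces the dual (no-read-down, no-write-up) on integrity, and reference_monitor mediates every access by requiring both. The level names, the Subject and Object types and the function names are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):   # confidentiality levels, low to high (constructed)
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class Integrity(IntEnum):        # integrity levels, low to high (constructed)
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass(frozen=True)
class Label:
    """Security label: a level plus a set of compartments (need-to-know)."""
    level: Classification
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # Lattice order: at least as high a level AND a superset of the compartments.
        return self.level >= other.level and self.compartments >= other.compartments


@dataclass
class Subject:
    name: str
    clearance: Label        # used by Bell-LaPadula
    integrity: Integrity    # used by Biba


@dataclass
class Object:
    name: str
    classification: Label
    integrity: Integrity


def blp_allows(s, o, mode):
    """Bell-LaPadula: no read up (simple security), no write down (*-property)."""
    if mode == "read":
        return s.clearance.dominates(o.classification)
    if mode == "write":
        return o.classification.dominates(s.clearance)
    return False


def biba_allows(s, o, mode):
    """Biba, the mathematical dual: no read down, no write up."""
    if mode == "read":
        return o.integrity >= s.integrity
    if mode == "write":
        return s.integrity >= o.integrity
    return False


def reference_monitor(s, o, mode):
    """Single choke point for every subject-to-object access; both policies must agree."""
    return blp_allows(s, o, mode) and biba_allows(s, o, mode)
```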


Security Models (SRV Theory 602.12)

• Clark & Wilson - data integrity model for common commercial activities
- addresses all 3 integrity goals
  - preventing unauthorized users from making modifications
  - maintaining internal and external consistency
  - preventing authorized users from making improper modifications
- well-formed transaction
  - preserve/ensure internal consistency
  - user can manipulate data only in ways that ensure internal consistency
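An added example (constructed, not the slides’ material) of a well-formed transaction in Clark & Wilson terms: the Ledger below holds the constrained data items, transfer is the only transformation procedure allowed to change them, ivp is the integrity verification procedure, and the access triples restrict which user may run which procedure; the class, user and account names and the balances are all assumed.

```python
class IntegrityViolation(Exception):
    """Raised when the IVP finds the constrained data items inconsistent."""


class Ledger:
    """CDIs: account balances. Only a certified TP (here `transfer`) may change them,
    and only when run by a user certified for that TP (the access triples)."""

    # (user, TP) pairs that are certified; the CDI set is the whole ledger here
    ACCESS_TRIPLES = {("teller", "transfer")}

    def __init__(self, balances):
        self._balances = dict(balances)
        self._expected_total = sum(self._balances.values())  # external reference figure
        self._audit_log = []                                  # every TP leaves a trace

    def ivp(self):
        """Integrity verification procedure: internal consistency (no negative
        balance) and external consistency (total matches the recorded figure)."""
        values = self._balances.values()
        return all(b >= 0 for b in values) and sum(values) == self._expected_total

    def transfer(self, user, src, dst, amount):
        """TP: a well-formed transaction that moves value between two CDIs and
        either leaves the ledger consistent or changes nothing at all."""
        if (user, "transfer") not in self.ACCESS_TRIPLES:
            return False                       # user not certified for this TP
        if amount <= 0 or src == dst or src not in self._balances or dst not in self._balances:
            return False                       # malformed request: no change
        if self._balances[src] < amount:
            return False                       # would violate the non-negative invariant
        self._balances[src] -= amount
        self._balances[dst] += amount
        if not self.ivp():                     # defence in depth: undo and report
            self._balances[src] += amount
            self._balances[dst] -= amount
            raise IntegrityViolation("transfer left the ledger inconsistent")
        self._audit_log.append((user, "transfer", src, dst, amount))
        return True

    def balance(self, account):
        return self._balances[account]

    def audit_log(self):
        return list(self._audit_log)
```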


Common Flaws (SRV Theory 603)

Security flaws within system architectures and designs:

• Covert channels - a valid communication path misused by a subject to carry out an unauthorized transfer of information

• Asynchronous attacks - an attack that exploits the interval between a defensive act and a normal operation in order to gain operational control
– TOCTOU - Time of check vs. time of use – a class of asynchronous attack
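The TOCTOU flaw, shown as an added example (not from the slides) with the vulnerable check-then-use pattern beside its hardened open-then-fstat form: the first checks a path name and then opens the same name again, so the name can be re-pointed in between, while the second opens first and checks the object it actually got through the descriptor. The between hook and the demo fixture are constructed to make the race window deterministic rather than timing-dependent, and all function and file names are assumed.

```python
import os
import stat
import tempfile


def read_if_owned_racy(path, uid, between=lambda: None):
    """Vulnerable: the check (lstat on the name) and the use (open on the same
    name) are separate steps; `between` stands in for the race window."""
    st = os.lstat(path)                                     # time of check
    if st.st_uid != uid or not stat.S_ISREG(st.st_mode):
        return None
    between()                                               # the race window
    with open(path, "rb") as f:                             # time of use: name re-resolved
        return f.read()


def read_if_owned_safe(path, uid, between=lambda: None):
    """Hardened: open first (refusing symlinks), then check the opened object via
    its descriptor, so check and use refer to the same inode."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)     # use comes first
    except OSError:
        return None                                         # symlink or missing: refuse
    try:
        between()                                           # same window, now harmless
        st = os.fstat(fd)                                   # time of check, on the fd
        if st.st_uid != uid or not stat.S_ISREG(st.st_mode):
            return None
        chunks = []
        while chunk := os.read(fd, 65536):
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo():
    """Constructed fixture: 'public.txt' passes the check; during the window the
    name is atomically swapped for a symlink to 'secret.txt'."""
    me = os.getuid()
    results = {}
    for name, reader in (("racy", read_if_owned_racy), ("safe", read_if_owned_safe)):
        with tempfile.TemporaryDirectory() as d:
            public = os.path.join(d, "public.txt")
            secret = os.path.join(d, "secret.txt")
            with open(public, "wb") as f:
                f.write(b"public data")
            with open(secret, "wb") as f:
                f.write(b"secret data")

            def swap():
                link = os.path.join(d, "swap.lnk")
                os.symlink(secret, link)
                os.rename(link, public)     # atomic: the checked name is now a symlink

            results[name] = reader(public, me, between=swap)
            if name == "safe":              # after the swap the name is a symlink
                results["symlink_refused"] = read_if_owned_safe(public, me)
    return results
```

The racy reader returns the secret file's bytes even though the ownership check was made on the public file; the safe reader returns the public file's bytes and refuses the symlink outright.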