dcn ds distributed systems security operating … lecture 7.pdf2 page 2 msc in data communications...
TRANSCRIPT
1
Page 1
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z08
Distributed Systems Security
Operating Systems and Enterprise Systems
Prof. Steve [email protected]
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 2
Lecture Objectives
u Identify potential security weaknesses in Operating Systems
u Review assurance criteria from standards bodiesu Review BS7799 Enterprise security policy
framework
2
Page 2
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 3
Trusted Operating Systems
u We place our trust in OSs to enforce/mediate security policy on our behalf
u Generally we do not write our own OS - buy from vendor
u How do we know that its security claims are justified?
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 4
Non-Assurance Methods!u Emphatic Assertion
o Claim by vendor that it is “designed to a certain security level”
o Need independent validation of claimsu Security Through Obscurity
o Security by hiding functionality or data - “needle in a haystack”
o Open Design allows public examination and analysisu “I Couldn’t Find any Flaws”
o Designer/vendor not best placed to find flaws because of constrained mind-set
o Users may discover weaknesses by doing the unexpected
3
Page 3
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 5
Non-Assurance Methods! - 2
u Challenging users to find flaws for a rewardo User may benefit more from exploiting flaw than the
rewardo Vendor may find it too expensive to fix flaw - e.g.
major re-design
u Careful design, organised testing and professional, independent assessment needed
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 6
Secure OS PrinciplesSaltzer and Schroeder (1974, 1975)
u Least Privilege: minimise indvertent damage by using fewest possible privileges
u Economy of Mechanism: Protection system should be small, simple and straightforward. Allows analysi, testing and perhaps, verification
u Open Design: Allows independent confirmation of the design
u Complete Mediation: Every access attempt must be checked - must not be possible to circxumevent mediation
4
Page 4
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 7
Secure OS Principles - 2Saltzer and Schroeder (1974, 1975)
u Permission-based: Default condition must be denial of access
u Separation of privilege: Access to objects should depend on more than one thing, eg. user identity plus encryption key (“belt and braces”)
u Least common mechanism: Keep sharing of objects to minimum - provide potential channels. Use physical or logical separation where possible
u Easy to Use: Complex mechanisms are circumvented if possible or perhaps used incorrectly
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 8
General Purpose OS Security
u Authentication of users
u Protection of memoryo r, w, x access to different segments by hardware/OS
u File and I/O device access controlo access matrix, ACL
u Access control of general objectso concurrency and sync primitives
5
Page 5
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 9
General Purpose OS Security - 2u Enforcement of sharing
o integrity and consistency Fair service guarantee
u Fair Service guarantee
u Inter-process Communication and Synco OS provides support
u Protection of OS protection datao information related to security enforcement must be
protected by OSo eg. capabilities, page tables, file protection info, etc.o use separation, encryption, etc.
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 10
Trusted OS Security
u User identification and authenticationu Mandatory access controlu Discretionary access controlu Object re-use protectionu Complete mediationu Auditu Audit log reductionu Trusted pathu Intrusion detection
6
Page 6
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 11
Trusted OS Security - 2
u Object Re-use Protectiono When memory and disk space are freed up GPOS
usually leaves the pages “dirty”o Security weakness - new user could read before write
to “scavenge” for data from another processo TOS needs to clear object space before re-issue
(preferably on release)
u Complete Mediationo All accesses must be controlled, not just file accesseso Includes network, memory etc.
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 12
Trusted OS Security - 3
u Trusted Patho Need to be sure that security interface is not beeing
spoofed, eg. logging in or changing access permissionso Trust path provides thiso Arranged by unique key sequence designed to only get
to security part of OS, or done at start-up before any other processes run
o Windows NT-4 Ctrl-Alt-Del to login ensures not Trojan Horse
7
Page 7
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 13
Trusted OS Security - 4 u Accountability and Audit
o Need to keep log (audit log or audit trail) of all security related events
o Such events: access to a file, change access permission, etc.
o Audit trail must be protected from outsidersu Audit Log Reduction
o Balance between logging everything and acceptable volume eg. log only opening and closing of files (WP may open many files)
o Some apps continually read/write to single file, so these operations may need to be logged
o Some systems do audit reduction from comprehensive log for most analyses - full log still available if needed
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 14
Trusted OS Security - 5
u Intrusion Detectiono Software to analyse audit logs to detect anomalieso Intrusion and fraud detectiono “Intelligent System” techniques
u See Pfleeger pp 292 foll. For trusted OS design principles
8
Page 8
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 15
Assurance MethodsTestingu detects existence not absence of flaws and
weaknessesu combinatorial explosion of cases means poor
coverage of casesu black-box testing cannot exercise all pathways in
the designu white-box testing needs addition of code to expose
internal state - may later be source of vulnerabilityu penetration or tiger team analysis uses experts to
try to break into system knowing likely weak points from experience - but still only exposes flaws, not correctness (DO NOT try this!)
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 16
Assurance Methods - 2Formal Verification
u Use of theorem proversu Very time consuming:
o assertions need to be stated for each step of algorithm and logical flow verified
u Complex: o generally only feasible for limited algorithms, not
whole OSs. o use on reference monitor or security kernel at mosto ideally, designed with formal verification in mind
9
Page 9
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 17
Assurance Methods - 3Validation
u Includes verification, but more generalu Requirements checking
o cross-check each requirement against source code or execution behaviour
o demonstrates that system does what it should in at least one situation
o may not demonstrate that it does not do anything adverse
u Design and Code Reviewso success depends on rigour of reviewer
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 18
Assurance Methods - 4Validation
u Module and System Testingo independent team selects data to test correctnesso data must be methodically chosen to test all pathso usual problems of combinatorial explosions etc.
10
Page 10
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 19
Evaluationu Most consumers do not have skills to evaluate a
system for securityu Independent third-party evaluation requiredu Need standard schemes for users’ assuranceu Many schemes exist:
o US Orange Book Criteriao German Green Booko UK Criteriao European IT Security Evaluation Criteria (ITSEC)o Others ...o Eventual harmonised international criteria?
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 20
US Orange Booku Trusted Computer System Evaluation Criteria
(TCSEC)
u Class Do no requirements - may or not be secure
u Class C1, C2, B1o need security features common to many commercial
OSsu Class B2
o requiring proof of security of underlying modelo also specification of trusted computing base
u Class B3, A1o more stringent proof of design
11
Page 11
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 21
US Orange Book - 2
u Class C and B1 may be obtainable by adding features to existing OS
u But, for B2 security must be included in the designu And for B3, A1 the OS must start with proof of the
formal model of security
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 22
US Orange Book - 3
u C1: Discretionary Access Controlo separates users from datao but granularity may be > single usero must be controls that appear sufficient for thiso may not be stringently evaluated
u C2: Controlled Access Protectiono Still discretionary, but granularity finero audit trail capable of tracking attempted accesses to
individual objects
12
Page 12
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 23
US Orange Book - 4
u B1: Labeled Security Protectiono all B-level include non-discretionary access controlo for B1 it does not need to control every objecto controlled objects labeled with security levelo labels used for access controlo hierarchical and non-hierarchical categorieso Bell-LaPadula implemented
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 24
US Orange Book - 5
u B2: Structured Protectiono design and implementation must permit more
thorough testing and reviewo verifiable top-level design and confirmation through
testingo internal structure in “well-defined largely independent
modules”o principle of least privilege enforced in designo analysis of covert channels required
13
Page 13
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 25
US Orange Book - 6
u B3: Security Domainso security functions small enough for extensive testingo more stringent design and argument that
implementation matches ito security functions must be tamperproofo system audit facility able to identify when a security
violation is imminent!
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 26
US Orange Book - 7
u A1: Verified Designo formal model of protection and proof of consistency
and adequacyo formal spec of protection and demonstration that this
matches modelo implementation “informally” shown consistent with
specificationo formal analysis of covert channels
14
Page 14
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 27
German Green Booku Eight basic functions suitable for range of policies
o identification and authenticationo administration of rightso verification of rightso audito object re-useo error recovery
H identification when recovery is necessaryo continuity of service
H degree of delay or loss that can be toleratedo data communications security
H peer authentication, data confidentiality, integrity, origin authentication, non-repudiation
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 28
German Green Book - 2u Separates quality from functionalityu Ten functional levels F1 to F10
o F1 to F5 similar in functionality to US C1 to B3o F6 high data and program integrityo F7 high availabilityo F8 to F10 data comms situations
u Eight quality levels Q0 to Q7o Q1 implementation more or less ok - no major errorso Q3 largely resistant to simple penetration attemptso Q6 formally proven that high level spec meets all
requirements of policy and source code analysedo Q7 beyond US A1
15
Page 15
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 29
ITSECu European scheme started in 1991 to harmonise u Combines German and UK (claims based)
approachesu Retains German functionality classes
u Vendor defines Target of Evaluation (TOE) o considered in context of operational environment
(threats)o and enforcement requirements
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 30
ITSEC - 2u Vendor states:
o system security policy/rationaleo security enforcing function o mechanisms in the producto claim of strength of mechanismso target evaluation level (functionality and effectiveness)
u Evaluation determines:o suitability of functiono binding of functionality - work together?o vulnerabilitieso ease of useo strength of mechanism
16
Page 16
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 31
Enterprise Security PolicyBS7799u BS7799 defines process and framework of controls
for thisu Management framework established by:
o defining policyo defining scope of Information Security Management
System o undertaking risk assessmento managing the risko selecting control objectives and controls to be
implementedo Preparing statement of applicability - “critique of the
objectives and controls applicable to the needs of the organisation”
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 32
BS 7799u Requires documentation of evidence of actions
taken, procedures, management frameworku Documentation readily available under version
controlu Records kept to demonstrate compliance, eg.
visitors’ book, audit records
17
Page 17
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 33
BS7799 Controls
u Security Policyo policy document approved by management, reviewed
regularlyu Security Organisation
o Infrastructure: manage information security within organisation - involvement of managers, identification of responsibilities, authorisation processes, specialist advice
o Third Party Access: risk assessment and procedureso Outsourcing: security requirements for outsourcing
management and control of info systems, networks etc
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 34
BS7799 Controls - 2
u Asset Classification and Controlo Inventory of assetso Information classification: classification for
sharing/restricting information, procedures for labelling such information
u Personnel Securityo Job definition: reduce risks from human error;
screening, confidentiality agreementso Training: information security education and trainingo Responding to incidents: minimise damage from
incidents and learn from experience: reporting weaknesses and malfunctions; disciplinary action
18
Page 18
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 35
BS7799 Controls - 3
u Physical and Environmental Securityo Secure areas: prevent unauthorised access: security
perimiter; control of loading bays etco Equipment security: prevent loss or compromise to
assets: siting of equipment, power supplies, cabling, maintenance, off-premises use, disposal of equipment
u General Controlso Prevent compromise or theft of information and IP
facilities (IPF): clear desk/clear screen policy, removal policy
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 36
BS7799 Controls - 4u Comms and Operations Management
o Operational Procedures: ensure correct and secure operation of IPF: separation of duties, documented procedures, change control
o System Planning and Acceptance: capacity planning, acceptance criteria for new systems
o Malicious Software: user awareness plus toolso Housekeeping: integrity and availability of IP and
comms services, back-ups, fault logso Network Management: safeguard information in
network - firewalls etco Media Handling: handling of removable media,
disposal of all media - disclosure and misuse, protection of system documentation
19
Page 19
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 37
BS7799 Controls - 5u Comms and Operations Management
o Exchange of Information and Software: prevent loss or misuse of info passed between organisations: agreements, e-mail security, formal authorisation for release
u Access Controlo Definition of business requirements for access control
policyo User Access Management: registration, privilege
management, password management, access rightso User Responsibilities: password use, unattended
equipmento Network Access Control: routing control, enforced
path, limited use
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 38
BS7799 Controls - 6u Access Control
o OS Access Control: terminal identification, log-on procedures, use of system utilities, duress alarms, limits to connection time
o Application Access Control: restriction of access to information, sensitive system isolation
o Monitoring System Access and Use: to detect unauthorised activities: event logging, clock synchronisation
o Mobile Computing and Tele-working: policy for working in unprotected environments
20
Page 20
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 39
BS7799 Controls - 7u Systems Development and Maintenance
o Security Requirements: to ensure that security is built in to new systems and any modifications
o Security in Applications Systems: to prevent misuse of loss of data in applications: input data validation, internal checks on consistency and integrity of data
o Cryptographic Controls: protect confidentiality, authenticity, integrity of information: policy on crypto-controls, digital signatures, key management, non-repudiation services
o Security of System Files: ensure support activities conducted securely: control of operational software, protection of system test data, access control of source code
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 40
BS7799 Controls - 8u Systems Development and Maintenance
o Development and support: use of change control procedures, restriction on changes to software, covert channels, outsourced software development
u Business Continuity Managemento Interruptions due to major failures and disasters:
process, impact analysis, contingency plans, testing these plans
21
Page 21
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 41
BS7799 Controls - 9u Compliance
o Legal requirements: avoid breaches of law and contracts: Data Protection Act and personal information, regulation of cryptographic controls, collection of evidence
o Review of policy and technical compliance: managers responsible for their areas and systems regularly checked for compliance
o Systems Audit: audits planned to minimise disruption, access to tools limited to prevent misuse
MSc in Data Communications Networks and Distributed Systems, UCL
DCNDS
Z087 - 42
Further Readingu Pfleeger C, “Security in Computing”, 2ed, Prentice Hall,
1997, 0-13-185794-0o Trusted Operating Systems: pp 287-331o ITSEC/Orange Book: pp 313-324
u BS7799 parts 1 and 2 1999