dcn ds distributed systems security operating … lecture 7.pdf2 page 2 msc in data communications...

1

MSc in Data Communications Networks and Distributed Systems, UCL

DCNDS

Z08

Distributed Systems Security

Operating Systems and Enterprise Systems

Prof. Steve [email protected]


DCNDS

Z087 - 2

Lecture Objectives

u Identify potential security weaknesses in Operating Systems

u Review assurance criteria from standards bodiesu Review BS7799 Enterprise security policy

framework

2


DCNDS

Z087 - 3

Trusted Operating Systems

u We place our trust in OSs to enforce/mediate security policy on our behalf

u Generally we do not write our own OS - buy from vendor

u How do we know that its security claims are justified?


DCNDS

Z087 - 4

Non-Assurance Methods!u Emphatic Assertion

o Claim by vendor that it is “designed to a certain security level”

o Need independent validation of claimsu Security Through Obscurity

o Security by hiding functionality or data - “needle in a haystack”

o Open Design allows public examination and analysisu “I Couldn’t Find any Flaws”

o Designer/vendor not best placed to find flaws because of constrained mind-set

o Users may discover weaknesses by doing the unexpected

3


DCNDS

Z087 - 5

Non-Assurance Methods! - 2

u Challenging users to find flaws for a rewardo User may benefit more from exploiting flaw than the

rewardo Vendor may find it too expensive to fix flaw - e.g.

major re-design

u Careful design, organised testing and professional, independent assessment needed


DCNDS

Z087 - 6

Secure OS PrinciplesSaltzer and Schroeder (1974, 1975)

u Least Privilege: minimise indvertent damage by using fewest possible privileges

u Economy of Mechanism: Protection system should be small, simple and straightforward. Allows analysi, testing and perhaps, verification

u Open Design: Allows independent confirmation of the design

u Complete Mediation: Every access attempt must be checked - must not be possible to circxumevent mediation

4


DCNDS

Z087 - 7

Secure OS Principles - 2Saltzer and Schroeder (1974, 1975)

u Permission-based: Default condition must be denial of access

u Separation of privilege: Access to objects should depend on more than one thing, eg. user identity plus encryption key (“belt and braces”)

u Least common mechanism: Keep sharing of objects to minimum - provide potential channels. Use physical or logical separation where possible

u Easy to Use: Complex mechanisms are circumvented if possible or perhaps used incorrectly


DCNDS

Z087 - 8

General Purpose OS Security

u Authentication of users

u Protection of memoryo r, w, x access to different segments by hardware/OS

u File and I/O device access controlo access matrix, ACL

u Access control of general objectso concurrency and sync primitives

5


DCNDS

Z087 - 9

General Purpose OS Security - 2u Enforcement of sharing

o integrity and consistency Fair service guarantee

u Fair Service guarantee

u Inter-process Communication and Synco OS provides support

u Protection of OS protection datao information related to security enforcement must be

protected by OSo eg. capabilities, page tables, file protection info, etc.o use separation, encryption, etc.


DCNDS

Z087 - 10

Trusted OS Security

u User identification and authenticationu Mandatory access controlu Discretionary access controlu Object re-use protectionu Complete mediationu Auditu Audit log reductionu Trusted pathu Intrusion detection

6


DCNDS

Z087 - 11

Trusted OS Security - 2

u Object Re-use Protectiono When memory and disk space are freed up GPOS

usually leaves the pages “dirty”o Security weakness - new user could read before write

to “scavenge” for data from another processo TOS needs to clear object space before re-issue

(preferably on release)

u Complete Mediationo All accesses must be controlled, not just file accesseso Includes network, memory etc.


DCNDS

Z087 - 12


u Trusted Patho Need to be sure that security interface is not beeing

spoofed, eg. logging in or changing access permissionso Trust path provides thiso Arranged by unique key sequence designed to only get

to security part of OS, or done at start-up before any other processes run

o Windows NT-4 Ctrl-Alt-Del to login ensures not Trojan Horse

7


DCNDS

Z087 - 13

Trusted OS Security - 4 u Accountability and Audit

o Need to keep log (audit log or audit trail) of all security related events

o Such events: access to a file, change access permission, etc.

o Audit trail must be protected from outsidersu Audit Log Reduction

o Balance between logging everything and acceptable volume eg. log only opening and closing of files (WP may open many files)

o Some apps continually read/write to single file, so these operations may need to be logged

o Some systems do audit reduction from comprehensive log for most analyses - full log still available if needed


DCNDS

Z087 - 14


u Intrusion Detectiono Software to analyse audit logs to detect anomalieso Intrusion and fraud detectiono “Intelligent System” techniques

u See Pfleeger pp 292 foll. For trusted OS design principles

8


DCNDS

Z087 - 15

Assurance MethodsTestingu detects existence not absence of flaws and

weaknessesu combinatorial explosion of cases means poor

coverage of casesu black-box testing cannot exercise all pathways in

the designu white-box testing needs addition of code to expose

internal state - may later be source of vulnerabilityu penetration or tiger team analysis uses experts to

try to break into system knowing likely weak points from experience - but still only exposes flaws, not correctness (DO NOT try this!)


DCNDS

Z087 - 16

Assurance Methods - 2Formal Verification

u Use of theorem proversu Very time consuming:

o assertions need to be stated for each step of algorithm and logical flow verified

u Complex: o generally only feasible for limited algorithms, not

whole OSs. o use on reference monitor or security kernel at mosto ideally, designed with formal verification in mind

9


DCNDS

Z087 - 17

Assurance Methods - 3Validation

u Includes verification, but more generalu Requirements checking

o cross-check each requirement against source code or execution behaviour

o demonstrates that system does what it should in at least one situation

o may not demonstrate that it does not do anything adverse

u Design and Code Reviewso success depends on rigour of reviewer


DCNDS

Z087 - 18

Assurance Methods - 4Validation

u Module and System Testingo independent team selects data to test correctnesso data must be methodically chosen to test all pathso usual problems of combinatorial explosions etc.

10


DCNDS

Z087 - 19

Evaluationu Most consumers do not have skills to evaluate a

system for securityu Independent third-party evaluation requiredu Need standard schemes for users’ assuranceu Many schemes exist:

o US Orange Book Criteriao German Green Booko UK Criteriao European IT Security Evaluation Criteria (ITSEC)o Others ...o Eventual harmonised international criteria?


DCNDS

Z087 - 20

US Orange Booku Trusted Computer System Evaluation Criteria

(TCSEC)

u Class Do no requirements - may or not be secure

u Class C1, C2, B1o need security features common to many commercial

OSsu Class B2

o requiring proof of security of underlying modelo also specification of trusted computing base

u Class B3, A1o more stringent proof of design

11


DCNDS

Z087 - 21

US Orange Book - 2

u Class C and B1 may be obtainable by adding features to existing OS

u But, for B2 security must be included in the designu And for B3, A1 the OS must start with proof of the

formal model of security


DCNDS

Z087 - 22

US Orange Book - 3

u C1: Discretionary Access Controlo separates users from datao but granularity may be > single usero must be controls that appear sufficient for thiso may not be stringently evaluated

u C2: Controlled Access Protectiono Still discretionary, but granularity finero audit trail capable of tracking attempted accesses to

individual objects

12


DCNDS

Z087 - 23

US Orange Book - 4

u B1: Labeled Security Protectiono all B-level include non-discretionary access controlo for B1 it does not need to control every objecto controlled objects labeled with security levelo labels used for access controlo hierarchical and non-hierarchical categorieso Bell-LaPadula implemented


DCNDS

Z087 - 24

US Orange Book - 5

u B2: Structured Protectiono design and implementation must permit more

thorough testing and reviewo verifiable top-level design and confirmation through

testingo internal structure in “well-defined largely independent

modules”o principle of least privilege enforced in designo analysis of covert channels required

13


DCNDS

Z087 - 25

US Orange Book - 6

u B3: Security Domainso security functions small enough for extensive testingo more stringent design and argument that

implementation matches ito security functions must be tamperproofo system audit facility able to identify when a security

violation is imminent!


DCNDS

Z087 - 26

US Orange Book - 7

u A1: Verified Designo formal model of protection and proof of consistency

and adequacyo formal spec of protection and demonstration that this

matches modelo implementation “informally” shown consistent with

specificationo formal analysis of covert channels

14


DCNDS

Z087 - 27

German Green Booku Eight basic functions suitable for range of policies

o identification and authenticationo administration of rightso verification of rightso audito object re-useo error recovery

H identification when recovery is necessaryo continuity of service

H degree of delay or loss that can be toleratedo data communications security

H peer authentication, data confidentiality, integrity, origin authentication, non-repudiation


DCNDS

Z087 - 28

German Green Book - 2u Separates quality from functionalityu Ten functional levels F1 to F10

o F1 to F5 similar in functionality to US C1 to B3o F6 high data and program integrityo F7 high availabilityo F8 to F10 data comms situations

u Eight quality levels Q0 to Q7o Q1 implementation more or less ok - no major errorso Q3 largely resistant to simple penetration attemptso Q6 formally proven that high level spec meets all

requirements of policy and source code analysedo Q7 beyond US A1

15


DCNDS

Z087 - 29

ITSECu European scheme started in 1991 to harmonise u Combines German and UK (claims based)

approachesu Retains German functionality classes

u Vendor defines Target of Evaluation (TOE) o considered in context of operational environment

(threats)o and enforcement requirements


DCNDS

Z087 - 30

ITSEC - 2u Vendor states:

o system security policy/rationaleo security enforcing function o mechanisms in the producto claim of strength of mechanismso target evaluation level (functionality and effectiveness)

u Evaluation determines:o suitability of functiono binding of functionality - work together?o vulnerabilitieso ease of useo strength of mechanism

16


DCNDS

Z087 - 31

Enterprise Security PolicyBS7799u BS7799 defines process and framework of controls

for thisu Management framework established by:

o defining policyo defining scope of Information Security Management

System o undertaking risk assessmento managing the risko selecting control objectives and controls to be

implementedo Preparing statement of applicability - “critique of the

objectives and controls applicable to the needs of the organisation”


DCNDS

Z087 - 32

BS 7799u Requires documentation of evidence of actions

taken, procedures, management frameworku Documentation readily available under version

controlu Records kept to demonstrate compliance, eg.

visitors’ book, audit records

17


DCNDS

Z087 - 33

BS7799 Controls

u Security Policyo policy document approved by management, reviewed

regularlyu Security Organisation

o Infrastructure: manage information security within organisation - involvement of managers, identification of responsibilities, authorisation processes, specialist advice

o Third Party Access: risk assessment and procedureso Outsourcing: security requirements for outsourcing

management and control of info systems, networks etc


DCNDS

Z087 - 34

BS7799 Controls - 2

u Asset Classification and Controlo Inventory of assetso Information classification: classification for

sharing/restricting information, procedures for labelling such information

u Personnel Securityo Job definition: reduce risks from human error;

screening, confidentiality agreementso Training: information security education and trainingo Responding to incidents: minimise damage from

incidents and learn from experience: reporting weaknesses and malfunctions; disciplinary action

18


DCNDS

Z087 - 35

BS7799 Controls - 3

u Physical and Environmental Securityo Secure areas: prevent unauthorised access: security

perimiter; control of loading bays etco Equipment security: prevent loss or compromise to

assets: siting of equipment, power supplies, cabling, maintenance, off-premises use, disposal of equipment

u General Controlso Prevent compromise or theft of information and IP

facilities (IPF): clear desk/clear screen policy, removal policy


DCNDS

Z087 - 36

BS7799 Controls - 4u Comms and Operations Management

o Operational Procedures: ensure correct and secure operation of IPF: separation of duties, documented procedures, change control

o System Planning and Acceptance: capacity planning, acceptance criteria for new systems

o Malicious Software: user awareness plus toolso Housekeeping: integrity and availability of IP and

comms services, back-ups, fault logso Network Management: safeguard information in

network - firewalls etco Media Handling: handling of removable media,

disposal of all media - disclosure and misuse, protection of system documentation

19


DCNDS

Z087 - 37

BS7799 Controls - 5u Comms and Operations Management

o Exchange of Information and Software: prevent loss or misuse of info passed between organisations: agreements, e-mail security, formal authorisation for release

u Access Controlo Definition of business requirements for access control

policyo User Access Management: registration, privilege

management, password management, access rightso User Responsibilities: password use, unattended

equipmento Network Access Control: routing control, enforced

path, limited use


DCNDS

Z087 - 38

BS7799 Controls - 6u Access Control

o OS Access Control: terminal identification, log-on procedures, use of system utilities, duress alarms, limits to connection time

o Application Access Control: restriction of access to information, sensitive system isolation

o Monitoring System Access and Use: to detect unauthorised activities: event logging, clock synchronisation

o Mobile Computing and Tele-working: policy for working in unprotected environments

20


DCNDS

Z087 - 39

BS7799 Controls - 7u Systems Development and Maintenance

o Security Requirements: to ensure that security is built in to new systems and any modifications

o Security in Applications Systems: to prevent misuse of loss of data in applications: input data validation, internal checks on consistency and integrity of data

o Cryptographic Controls: protect confidentiality, authenticity, integrity of information: policy on crypto-controls, digital signatures, key management, non-repudiation services

o Security of System Files: ensure support activities conducted securely: control of operational software, protection of system test data, access control of source code


DCNDS

Z087 - 40

BS7799 Controls - 8u Systems Development and Maintenance

o Development and support: use of change control procedures, restriction on changes to software, covert channels, outsourced software development

u Business Continuity Managemento Interruptions due to major failures and disasters:

process, impact analysis, contingency plans, testing these plans

21


DCNDS

Z087 - 41

BS7799 Controls - 9u Compliance

o Legal requirements: avoid breaches of law and contracts: Data Protection Act and personal information, regulation of cryptographic controls, collection of evidence

o Review of policy and technical compliance: managers responsible for their areas and systems regularly checked for compliance

o Systems Audit: audits planned to minimise disruption, access to tools limited to prevent misuse


DCNDS

Z087 - 42

Further Readingu Pfleeger C, “Security in Computing”, 2ed, Prentice Hall,

1997, 0-13-185794-0o Trusted Operating Systems: pp 287-331o ITSEC/Orange Book: pp 313-324

u BS7799 parts 1 and 2 1999

dcn ds distributed systems security operating … lecture 7.pdf2 page 2 msc in data communications...

Documents