L17: Assurance. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Similar documents
Introduction to Assurance

Amplifying. Only stack module can alter, read x So process doesn t get capability, but needs it when x is referenced a problem!

Amplifying. Examples

Application Layer. Presentation Layer. Session Layer. Transport Layer. Network Layer. Data Link Layer. Physical Layer

L1: Computer Security Overview. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

L8: Public Key Infrastructure. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

L9: Stream and Block Ciphers. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Chapter 18: Evaluating Systems

CMSC 435: Software Engineering Section 0201

T Salausjärjestelmät (Cryptosystems) Introduction to the second part of the course. Outline. What we'll cover. Requirements and design issues

CS SOFTWARE ENGINEERING QUESTION BANK SIXTEEN MARKS

Advanced Systems Security: Principles

L3: Basic Cryptography II. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Operating systems and security - Overview

Operating systems and security - Overview

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Waterfall Life Cycle Model

Certification Report

Testing in the Agile World

Certification Report

Introduction to Software Engineering

Certification Report

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

CSC Advanced Object Oriented Programming, Spring Overview

System Development Life Cycle Methods/Approaches/Models

SOFTWARE ENGINEERING DECEMBER. Q2a. What are the key challenges being faced by software engineering?

Seminar report Software reuse

Advanced Systems Security: Multics

Introduce the major evaluation criteria. TCSEC (Orange book) ITSEC Common Criteria

This tutorial also elaborates on other related methodologies like Agile, RAD and Prototyping.

Certification Report

Certification Report

SE351a: Software Project & Process Management. 11 Oct., 2005 SE351a, ECE UWO, (c) Hamada Ghenniwa

Certification Report

Introduce the major evaluation criteria. TCSEC (Orange book) ITSEC Common Criteria

May 1: Integrity Models

Certification Report

ITC213: STRUCTURED PROGRAMMING. Bhaskar Shrestha National College of Computer Studies Tribhuvan University

SOFTWARE ENGINEERING

Formal methods, design analysis, testing etc.

Software Development Methodologies

Architectural Blueprint

SOFTWARE ENGINEERING

L3: Building Direct Link Networks I. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Certification Requirements for High Assurance Systems

Certification Report

How Manual Testers can execute Test Automation. White Papers. Muthiah Director of Testing. Expedux on How Manual Testers

Asset Analysis -I. 1. Fundamental business processes 2.Critical ICT resources for these processes 3.The impact for the organization if

Requirements and Design Overview

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

TASKS IN THE SYSTEMS DEVELOPMENT LIFE CYCLE

Department of Computer & Information Sciences. CSCI-342: Introduction to Information Security Syllabus

Advanced Systems Security: Ordinary Operating Systems

Specifying and Prototyping

THE RTOS AS THE ENGINE POWERING THE INTERNET OF THINGS

Java Security HotJava to Netscape and Beyond

Unit title: Programming for Mobile Devices (SCQF level 6)

MILS Multiple Independent Levels of Security. Carol Taylor & Jim Alves-Foss University of Idaho Moscow, Idaho

Certification Report

Certification Report

Certification Report

Introduction to AWS GoldBase

Component-based software engineering. Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 19 Slide 1

Computing Accreditation Commission Version 2.0 CRITERIA FOR ACCREDITING COMPUTING PROGRAMS

"Secure" Coding Practices Nicholas Weaver

National Information Assurance Partnership

Certification Report

Certification Report

Why testing and analysis. Software Testing. A framework for software testing. Outline. Software Qualities. Dependability Properties

HUMAN FACTORS IN INDUSTRIAL CYBER SECURITY

COMMON CRITERIA CERTIFICATION REPORT

Certification Report

High-Assurance Security/Safety on HPEC Systems: an Oxymoron?

Certification Report

Architectural Blueprint The 4+1 View Model of Software Architecture. Philippe Kruchten

Trust Relationship Modeling for Software Assurance

COMMON CRITERIA CERTIFICATION REPORT

Distributed Systems Programming (F21DS1) Formal Verification

Introduction and Statement of the Problem

Towards Formal Evaluation of a High-Assurance Guard

Chapter Twelve. Systems Design and Development

Operating System Security

The Evolution of Secure Operating Systems

Trusted OS Design CS461/ECE422

Certification Report

ISO 27001:2013 certification

Trusted Computing. William A. Arbaugh Department of Computer Science University of Maryland cs.umd.edu

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities

ARC BRIEF. ISA100 and Wireless Standards Convergence. By Harry Forbes

Compositional Security Evaluation: The MILS approach

Certification Report

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

Evaluation of Commercial Web Engineering Processes

Assuring Certainty through Effective Regression Testing. Vishvesh Arumugam

Second. Incremental development model

The requirements engineering process

Accreditation Process. Trusted Digital Identity Framework February 2018, version 1.0

Trust is the Foundations for Computer Security

Certification Report

Transcription:

L17: Assurance Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 11/06/2015 CSCI 451 - Fall 2015 1

Acknowledgement Many slides are from or are revised from the slides of the author of the textbook Matt Bishop, Introduction to Computer Security, Addison- Wesley Professional, October, 2004, ISBN-13: 978-0-321-24774-5. Introduction to Computer Security @ VSU's Safari Book Online subscription http://nob.cs.ucdavis.edu/book/book-intro/slides/ 11/06/2015 CSCI 451 - Fall 2015 2

Outline Trust Problems from lack of assurance Types of assurance Life cycle and assurance Waterfall life cycle model Other life cycle models Adding security afterwards 11/06/2015 CSCI 451 - Fall 2015 3

Secure or Trusted? Two terms Secure systems Trusted systems Secure systems Can we build an absolutely secure system? Ultimate, albeit unachievable goal Trusted systems Trust: a belief or desire that a computer entity will do what it should to protect resources and be safe from attack Trust: has very specific meaning in computer security 11/06/2015 CSCI 451 - Fall 2015 4

Trust Definition An entity is Trustworthy if there is sufficient credible evidence leading one to believe that the system will meet a set of requirements Trust is a measure of trustworthiness relying on the evidence 11/06/2015 CSCI 451 - Fall 2015 5

Assurance Definition Security Assurance, or simply assurance, is confidence that an entity meets its security requirements based on evidence provided by applying assurance techniques 11/06/2015 CSCI 451 - Fall 2015 6

Example Assurance Techniques Formal vs. informal Development methodology Examples Brief description of the methodology to be followed System Security Engineering Capability Maturity Model (SSE- CMM) Formal methods for design analysis Use machine-parsable languages with tools Formal mathematical proof Testing 11/06/2015 CSCI 451 - Fall 2015 7

Assurance, Policy, and Mechanisms Policy Assurance Mechanisms Statement of requirements that explicitly defines the security expectations of the mechanism(s) Provides justification that the mechanism meets policy through assurance evidence and approvals based on evidence Executable entities that are designed and implemented to meet the requirements of the policy 11/06/2015 CSCI 451 - Fall 2015 8

Information Assurance vs. Security Assurance Information assurance Refers to the ability to access information and preserve the quality and security of that information Differs from security assurances Information assurance focuses on the threats to the information and mechanisms used to protect information But not on the correctness, consistency, or completeness of the requirements and implementation of those mechanisms 11/06/2015 CSCI 451 - Fall 2015 9

Trusted System Definition A trusted system is a system that has been shown to meet well-defined requirements under an evaluation by a credible body of experts who are certified to assign trust ratings to evaluate products and systems 11/06/2015 CSCI 451 - Fall 2015 10

Example Evaluation Criteria Two earlier ones Trusted Computer System Evaluation Criteria Information Technology Security Evaluation Criteria Replaced by Common Criteria These mythologies provide a level of trust Each level has more stringent requirements than the previous one Experts evaluate and review the evidence of assurance 11/06/2015 CSCI 451 - Fall 2015 11

Problem Sources 1. Requirements definitions, omissions, and mistakes 2. System design flaws 3. Hardware implementation flaws, such as wiring and chip flaws 4. Software implementation errors, program bugs, and compiler bugs 5. System use and operation errors and inadvertent mistakes 6. Willful system misuse 7. Hardware, communication, or other equipment malfunction 8. Environmental problems, natural causes, and acts of God 9. Evolution, maintenance, faulty upgrades, and decommissions 11/06/2015 CSCI 451 - Fall 2015 12

Examples Challenger explosion Sensors removed from booster rockets to meet accelerated launch schedule Deaths from faulty radiation therapy system Hardware safety interlock removed Flaws in software design Bell V22 Osprey crashes Failure to correct for malfunctioning components; two faulty ones could outvote a third Intel 486 chip Bug in trigonometric functions 11/06/2015 CSCI 451 - Fall 2015 13

Role of Requirements Requirements are statements of goals that must be met Vary from high-level, generic issues to low-level, concrete issues Security objectives are high-level security issues Security requirements are specific, concrete issues 11/06/2015 CSCI 451 - Fall 2015 14

Type of Assurance Policy assurance is evidence establishing security requirements in policy is complete, consistent, technically sound Design assurance is evidence establishing design sufficient to meet requirements of security policy Implementation assurance is evidence establishing implementation consistent with security requirements of security policy Operational assurance is evidence establishing system sustains the security policy requirements during installation, configuration, and day-to-day operation Also called administrative assurance 11/06/2015 CSCI 451 - Fall 2015 15

Life Cycle Conception Manufacture Deployment Fielded Product Life Assurance justification Security requirements 2 Design 4 1 3 Implementation Design and implementation refinement 11/06/2015 CSCI 451 - Fall 2015 16

Conception Idea Decisions to pursue it Proof of concept See if idea has merit High-level requirements analysis What does secure mean for this concept? Is it possible for this concept to meet this meaning of security? Is the organization willing to support the additional resources required to make this concept meet this meaning of security? 11/06/2015 CSCI 451 - Fall 2015 17

Manufacture Develop detailed plans for each group involved May depend on use; internal product requires no sales Implement the plans to create entity Includes decisions whether to proceed, for example due to market needs 11/06/2015 CSCI 451 - Fall 2015 18

Deployment Delivery Assure that correct masters are delivered to production and protected Distribute to customers, sales organizations Installation and configuration Ensure product works appropriately for specific environment into which it is installed Service people know security procedures 11/06/2015 CSCI 451 - Fall 2015 19

Fielded Product Life Routine maintenance, patching Responsibility of engineering in small organizations Responsibility may be in different group than one that manufactures product Customer service, support organizations Retirement or decommission of product 11/06/2015 CSCI 451 - Fall 2015 20

Waterfall Life Cycle Model Requirements definition and analysis Functional and non-functional General (for customer), specifications System and software design Implementation and unit testing Integration and system testing Operation and maintenance 11/06/2015 CSCI 451 - Fall 2015 21

Relationship of Stages Requirements definition and analysis System and software design Implementation and unit testing Inte gration and system testing Operation and maintenance 11/06/2015 CSCI 451 - Fall 2015 22

Other Models of Software Development Exploratory programming Prototyping Formal transformation System assembly from reusable components Extreme programming 11/06/2015 CSCI 451 - Fall 2015 23

Exploratory Programming Develop working system quickly Used when detailed requirements specification cannot be formulated in advance, and adequacy is goal No requirements or design specification, so low assurance 11/06/2015 CSCI 451 - Fall 2015 24

Prototyping Objective is to establish system requirements Future iterations (after first) allow assurance techniques 11/06/2015 CSCI 451 - Fall 2015 25

Formal Transformation Create formal specification Translate it into program using correctnesspreserving transformations Very conducive to assurance methods 11/06/2015 CSCI 451 - Fall 2015 26

System Assembly System assembly from reusable components Depends on whether components are trusted Must assure connections, composition as well Very complex, difficult to assure 11/06/2015 CSCI 451 - Fall 2015 27

Extreme Programming Rapid prototyping and best practices Project driven by business decisions Requirements open until project complete Programmers work in teams Components tested, integrated several times a day Objective is to get system into production as quickly as possible, then enhance it Evidence adduced after development needed for assurance 11/06/2015 CSCI 451 - Fall 2015 28

Security: Built In or Add On? Think of security as you do performance You do not build a system, then add in performance later Can tweak system to improve performance a little Much more effective to change fundamental algorithms, design You need to design it in Otherwise, system lacks fundamental and structural concepts for high assurance 11/06/2015 CSCI 451 - Fall 2015 29

Reference Validation Mechanism Reference monitor is access control concept of an abstract machine that mediates all accesses to objects by subjects Reference validation mechanism (RVM) is an implementation of the reference monitor concept. Tamperproof Complete (always invoked and can never be bypassed) Simple (small enough to be subject to analysis and testing, the completeness of which can be assured) Last engenders trust by providing assurance of correctness 11/06/2015 CSCI 451 - Fall 2015 30

Examples Security kernel combines hardware and software to implement reference monitor Trusted computing base (TCB) is all protection mechanisms within a system responsible for enforcing security policy Includes hardware and software Generalizes notion of security kernel 11/06/2015 CSCI 451 - Fall 2015 31

Adding On Security Key to problem: analysis and testing Designing in mechanisms allow assurance at all levels Too many features adds complexity, complicates analysis Adding in mechanisms makes assurance hard Gap in abstraction from requirements to design may prevent complete requirements testing May be spread throughout system (analysis hard) Assurance may be limited to test results 11/06/2015 CSCI 451 - Fall 2015 32

Example 2 AT&T products Add mandatory controls to UNIX system SV/MLS Add MAC to UNIX System V Release 3.2 SVR4.1ES Re-architect UNIX system to support MAC 11/06/2015 CSCI 451 - Fall 2015 33

Comparison: Architecture Architecting of System SV/MLS: used existing kernel modular structure; no implementation of least privilege SVR4.1ES: restructured kernel to make it highly modular and incorporated least privilege 11/06/2015 CSCI 451 - Fall 2015 34

Comparison: File Attributes File Attributes (inodes) SV/MLS added separate table for MAC labels, DAC permissions UNIX inodes have no space for labels; pointer to table added Problem: 2 accesses needed to check permissions Problem: possible inconsistency when permissions changed Corrupted table causes corrupted permissions SVR4.1ES defined new inode structure Included MAC labels Only 1 access needed to check permissions 11/06/2015 CSCI 451 - Fall 2015 35

Summary Assurance is critical for determining trustworthiness of systems Different levels of assurance, from informal evidence to rigorous mathematical evidence Assurance needed at all stages of system life cycle Building security in is more effective than adding it later 11/06/2015 CSCI 451 - Fall 2015 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback