Monday, October 5, 2009

Security Models and Architecture

Topics Covered:
  • Operating system architectures
  • Trusted computing base and security mechanisms
  • Protection mechanisms within an operating system
  • Various security models
  • Assurance evaluation criteria and ratings
  • Attack Types
Operating System Architecture
Process Management

A process is the set of instructions actually running. A program is not considered a process until it is loaded into memory and activated by the operating system (OS). Today's OSs provide multi-programming, which means that more than one program or process can be loaded into memory at the same time.
Operating systems started out cooperative and evolved to preemptive multitasking. Cooperative multitasking required the processes to voluntarily release resources that they were using. With preemptive multitasking, the OS controls how long a process can use a resource.
A process can be in a running state (CPU is executing its instructions and data), ready state (waiting to send instructions to the CPU), or blocked state (waiting for input data).
The OS keeps a process table. The table contains each individual process's state, stack pointer, memory allocation, program counter and status of open files in use.

Thread Management

A thread is made up of an individual instruction set and the data that needs to be worked on by the CPU.

Process Scheduling
Process Activity


To protect processes from each other, OSs can implement process isolation. It ensures that processes communicate in a secure manner and operate and complete their tasks efficiently. When a process is encapsulated, no other process understands or interacts with its internal programming code. Time multiplexing is a technology that allows processes to use the same resources.

Memory Management
  • Relocation
  • Protection
  • Sharing
  • Logical Organization
  • Physical Organization
Memory Types

Random Access Memory (RAM), Static RAM (SRAM), Synchronous DRAM (SDRAM), Extended data out DRAM (EDO DRAM), Burst EDO DRAM (BEDO DRAM), Double data rate SDRAM (DDR SDRAM)
Read-Only Memory (ROM), Programmable read-only memory (PROM)
Cache Memory - used for high speed writing and reading activities.

A monolithic operating system architecture is mainly made up of various procedures that can call upon each other in a haphazard manner.
A layered operating system architecture separates system functionality into hierarchical layers.

Domains
A domain is defined as a set of objects that a subject is able to access. A process that resides in a privileged domain needs to be able to execute its instructions and process its data with the assurance that programs in a different domain cannot negatively affect its environment (execution domain).

Layering and Data Hiding
Virtual Machines
Input/Output Device Management
Interrupts
  • Programmable I/O
  • Interrupt-Driven I/O
  • I/O Using Direct memory access (DMA)
  • Premapped I/O
  • Fully Mapped I/O
Trusted Computing Base (TCB)
A trusted path is a communication channel between the user, or program, and the kernel. The TCB provides protection resources to ensure that this channel cannot be compromised in any way. A trusted shell means that someone who is working in that shell cannot leave it and other processes are not able to enter it.
Developers of the OS must make sure that processes have their own execution domain. This means that they reside in the innermost ring, ring 0, their instructions are executed in privileged state, and no less trusted processes can directly interact with them. Process activation deals with the activities that have to take place when a process is going to have its instructions and data processed by the CPU. Execution domain switching takes place when a process needs to call upon a process in a higher protection ring.

Protection Rings can be explained in greater detail here.

Protection Mechanisms
Security Perimeter
Some processes and resources fall outside the TCB; therefore, they fall outside of this imaginary boundary called the security perimeter. The security perimeter is a boundary that divides the trusted from the untrusted.

Reference Monitor is an abstract machine that mediates all access subjects have to objects, both to ensure that the subjects have the necessary access rights and to protect the objects from unauthorized access and destructive modification.
Security Kernel is made up of hardware, software, and firmware components that fall within the TCB and implements and enforces the reference monitor concept.

Security Models
State Machine Model - to verify the security of a system, the state is used, which means that all current permissions and current instances of subjects accessing objects must be captured.

Bell-LaPadula Model - in the 1970s the U.S. military used time-sharing mainframe systems and was concerned about the security of these systems. The model is the first mathematical model of a multilevel security policy; it defines the concept of a secure state machine and modes of access, and outlines rules of access.
  • Simple security rule (no read up)
  • *-property rule (no write down)
  • Strong star property rule - a subject can perform read and write functions only to the objects at its same security level.

Biba Model - it is a state machine model and is very similar to the Bell-LaPadula model. It addresses the integrity of data within applications.
  • *-integrity axiom ("no write up")
  • Simple integrity axiom ("no read down")
Clark-Wilson Model - this model uses the following elements:
  • Users - active agents
  • Transformation procedures (TPs)
  • Constrained data items (CDIs)
  • Unconstrained data items (UDIs)
  • Integrity verification procedures (IVPs)
Subjects can access objects only through authorized programs. Separation of duties is enforced. Auditing is required.
Information Flow Model - The Bell-LaPadula model focuses on preventing information from flowing from a high security level to a low security level. The Biba model focuses on preventing information from flowing from a low integrity level to a high integrity level. Both of these models were built upon the information flow model.
A covert channel is a way for an entity to receive information in an unauthorized manner. In a covert storage channel, one process writes data to a storage location and another process directly, or indirectly, reads it.
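The Bell-LaPadula and Biba rules listed above, written as a small reference-monitor check. This is an added example, not part of the original notes; the level names, the `Label` type and the `mediate` function are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed orderings: a higher number means more sensitive / more trustworthy.
CONFIDENTIALITY = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
INTEGRITY = {"low": 0, "medium": 1, "high": 2}

@dataclass(frozen=True)
class Label:
    confidentiality: str  # level used by Bell-LaPadula
    integrity: str        # level used by Biba

def blp_allows(subject: Label, obj: Label, op: str, strong_star: bool = False) -> bool:
    s = CONFIDENTIALITY[subject.confidentiality]
    o = CONFIDENTIALITY[obj.confidentiality]
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation: {op}")
    if strong_star:
        return s == o      # strong star property: read and write at own level only
    if op == "read":
        return s >= o      # simple security rule: no read up
    return s <= o          # *-property rule: no write down

def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    s, o = INTEGRITY[subject.integrity], INTEGRITY[obj.integrity]
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation: {op}")
    if op == "read":
        return s <= o      # simple integrity axiom: no read down
    return s >= o          # *-integrity axiom: no write up

def mediate(subject: Label, obj: Label, op: str, strong_star: bool = False):
    """Mediate one access under both models; return (allowed, models that denied)."""
    denied = []
    if not blp_allows(subject, obj, op, strong_star):
        denied.append("bell-lapadula")
    if not biba_allows(subject, obj, op):
        denied.append("biba")
    return (not denied, denied)

if __name__ == "__main__":
    analyst = Label("secret", "medium")           # constructed subject
    objects = {                                   # constructed objects
        "war_plan": Label("top_secret", "high"),
        "peer_note": Label("secret", "medium"),
        "press_memo": Label("confidential", "low"),
    }
    for name, obj in objects.items():
        for op in ("read", "write"):
            print(f"{op:5} {name:10} -> {mediate(analyst, obj, op)}")
```

With labels that rise and fall together, as in this sample data, the two models deny opposite directions of flow, so only the object at the subject's own levels is both readable and writable.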

Noninterference Model

Lattice Model

Brewer and Nash Model - (Chinese Wall Model) was constructed to provide information security access controls that can change dynamically.

Graham-Denning Model - 8 primitive protection rights:
  1. How to securely create an object
  2. How to securely create a subject
  3. How to securely delete an object
  4. How to securely delete a subject
  5. How to securely provide the read access right
  6. How to securely provide the grant access right
  7. How to securely provide the delete access right
  8. How to securely provide transfer access rights
Security Modes
Dedicated Security Mode, System High-Security Mode, Compartmented Security Mode, Multilevel Security Mode

Reference page 299 CISSP.

Systems Evaluation Methods

A security evaluation examines the security-relevant parts of a system, meaning the TCB, access control mechanisms, reference monitor, kernel, and protection mechanisms.

The Orange Book
The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which is used to evaluate OSs, applications, and different products. These evaluation criteria are published in a book with an orange cover called the Orange Book.
TCSEC provides a classification system:
  • A Verified protection
A1: Verified Design
  • B Mandatory protection
B1: Labeled Security
B2: Structured Protection
B3: Security Domains
  • C Discretionary protection
C1: Discretionary Security Protection
C2: Controlled Access Protection
  • D Minimal security
Red Book
The Orange Book addresses single-system security, but networks are a combination of systems, and each network needs to be secure without having to fully trust each and every system connected to it. The Trusted Network Interpretation (TNI) or Red Book addresses these security items:
Communication integrity
  • Authentication
  • Message integrity
  • Non repudiation
Denial-of-service prevention
  • Continuity of operations
  • Network management
Compromise protection
  • Data confidentiality
  • Traffic flow confidentiality
  • Selective routing
Information Technology Security Evaluation Criteria
The Information Technology Security Evaluation Criteria (ITSEC) was the first attempt at establishing a single standard for evaluating security attributes of computer systems.

More info here: ITSEC or TCSEC

Common Criteria

Under the Common Criteria model, an evaluation is carried out on a product and is assigned an Evaluation Assurance Level (EAL):
  • EAL 1 Functionally tested
  • EAL 2 Structurally tested
  • EAL 3 Methodically tested and checked
  • EAL 4 Methodically designed, tested, and reviewed
  • EAL 5 Semiformally designed and tested
  • EAL 6 Semiformally verified design and tested
  • EAL 7 Formally verified design and tested
A Few Threats to Security Models and Architectures

Maintenance Hooks - a type of backdoor
Time-of-Check/Time-of-Use Attack - deals with the sequence of steps that a system uses to complete a task
Buffer Overflow - takes place when too much data is accepted as input to an application or operating system.



