Security Architecture

Security Architecture and Design: Part I
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
chu@ist.psu.edu
IST 515
Objectives
• Understand enterprise architecture
• Understand security architecture
• Understand platform architecture
• Understand operating system architecture
• Discuss security models and architecture theory
• Identify appropriate protection mechanisms
• Identify techniques used to provide system
security
• Discuss evaluation methods and criteria
• Understand the role of assurance evaluations
• Explain certification and accreditation
Readings
• Hansche, S., Berti, J. and Hare, C., Official (ISC)2 Guide to
the CISSP Exam, Chapter 2, Auerbach, 2004, pp. 79-145.
(Required).
• Stephens, B., “Security Architecture for System Wide
Information Management,” The 24th Digital Avionics
Systems Conference, 2005. DASC 2005, V. 2.
• CIO Council, A Practical Guide to Federal Enterprise
Architecture, V 1.0, 2001. http://www.cio.gov
What is Enterprise Architecture?
• An Enterprise Architecture is an integrating
framework for enabling the alignment of business
strategy and technology capability.
• An Enterprise Architecture (EA) provides the
blueprint for integration, change and management
of your IT assets within the context of your
business vision, goals and objectives. A well-crafted,
flexible Enterprise Architecture can be
your organization’s most valuable IT asset.
(http://www.neosynthesis.com/architecture.asp)
[Figure: MITRE EA Development Process. Elements shown: Vision,
Mission, Strategy, Policies; Enterprise Architecture; Business
Architecture; Information Architecture; Security Architecture;
Functional Application Architecture; Service Composition
Architecture; Technology Architecture; Infrastructure Operations
Architecture; Transition Architecture.]
Information Systems Requirements
• Capability.
• Performance.
• Flexibility.
• Cost.
• Ease of Use.
• Business requirements.
• Security.
• Innovation.
• Building an information system requires a balance
among various requirements.
• Security should be considered as a requirement
from the beginning – it is simply another feature
that needs to be included.
What is Security Architecture?
Security architecture is a view of an overall
system architecture from a security perspective.
It provides some insight into the security
services, mechanisms, technologies, and features
that can be used to satisfy system security
requirements. It provides recommendations on
where, within the context of the overall system
architecture, security mechanisms should be
placed. It describes how the system is put
together to satisfy the security requirements.
Security Architecture 1
Security architecture is not a description of the functions
of the system; it is more of a design view, describing at
an abstract level the relationships between key elements
of the hardware, operating systems, applications,
network and other required components to protect the
organization’s interests. It should also describe how the
functions in the system development process follow the
security requirements. For example, if the security
requirements specify that the system must have a given
level of assurance as to the correctness of the security
controls, the security architecture must prescribe these
specifications in the development process.
Security Architecture 2
Security requirements are not added steps to the system
development process; instead, the specifications or
guidelines of the security architecture provide an
influence during all development processes. During the
beginning stages, the security architecture should outline
high-level security issues, such as the system security
policy, the level of assurance required, and any potential
impacts security could have on the design process. As
the system is developed, the security architecture should
evolve in parallel, and may even need to be slightly
ahead of the development process so that the security
requirements will guide the development process.
General Questions to Ask
• Where should the protection take place - at the user’s end,
where the data is stored, or by restricting user activities
within the environment or a combination of these?
• Where (what layer) should the protection be placed –
hardware, kernel, operating systems, service, or program?
• Which processes are within the trusted computing base
(TCB)?
• What kind of security mechanisms should be used?
• How will the security mechanisms and processes
interact with each other?
• What is the security perimeter that separates
the trusted and untrusted components?
Security Architecture Design
[Figure: Security Architecture Design. Elements shown: Security
Architecture Requirements; Security Architecture Layers;
Vulnerabilities; Threats/Risks; Countermeasures; Security Models;
Evaluation Methods & Criteria; Certification & Accreditation.]
Security Architecture Requirements
• The security architecture is designed so that the
Availability, Integrity and Confidentiality (AIC)
goals of information security can meet the business
and security needs of the organization.
• The security architecture can guide the early
decisions and avoid needing to correct or retrofit
the system after development has been completed.
• Adding security controls after a system has been
developed can lead to user frustration, a lower
security posture, and significantly increased
implementation costs.
Security Architecture Layers
• Platform Architecture that defines how it manages
various system resources or system utilities.
• Operating System Architecture that defines how an
operating system interacts with the hardware
components, utilities and applications.
• Application Architecture that defines how
applications interact with the OS and provide services to
end users.
• Network Architecture that defines how networked
devices communicate, share common resources with
each other and send and receive information.
Layers of Security Architecture
[Figure: Layers of Security Architecture. Elements shown: End
User; Application Programs; Utilities; Operating System; OS
Kernel; Computer Hardware; Network.]
Platform Architecture
CPU – Computer Brain
[Figure: CPU processing of the application instruction
"Add a + b = c" with data a = 1, b = 5, giving c = 6. Elements
shown: Application; Application Memory/Buffer; Instructions; Data;
Processor; Control Unit; ALU.]
Potential Vulnerability in CPU
• System crashes. During the crash, the system
creates a core dump of its internal state, including
RAM and program stacks and CPU registers,
allowing for investigation and identification of
the cause leading to the crash. If the internal state
contains sensitive information and the core dump
data is stored in a file potentially accessed and
read by everyone, inadvertent release of the
sensitive information could occur.
Storage Devices
• Primary Storage (Volatile):
- Cache or registers
- Memory (RAM, ROM, Cache, Flash)
• Secondary Storage (nonvolatile):
- Disk drive
- CD or Tape
• Virtual Memory. A simulated RAM using the
storage disk. The process is called paging or
swapping, which can slow down the system.
Threats of Storage Devices
• If power is interrupted, the data stored in RAM can
be completely lost.
• Removable media and CD, which can be easily
transported and read on other computers, can
increase the organization’s risk of data loss.
Countermeasure:
• Establishing appropriate policy and controls on:
– the use of Uninterruptible Power Supply (UPS) or
backup power supply, and
– where and when removable media and CD drives may be
used.
Potential Threat of Virtual Memory
• Data stored in virtual memory remains on the hard
drive when the computer is turned off and may be
recovered from these temporary files. An attacker
may be able to retrieve data from these locations
with little difficulty if access is gained.
Countermeasures:
• Erase the virtual memory files when the system is
shut down.
• Encrypt the swap partition or create a separate
small drive and place the swap files there.
Types of Memory
• Random Access Memory (RAM). It is used to store
program instructions and data, and is accessible directly
by the CPU. Read/write capability.
• Read-only Memory (ROM). It is a built-in memory that
contains data that can only be read. It is usually used for
storing parts of the OS that allow the computer to be
booted.
• Flash Memory. It is a rewritable memory that functions
like RAM and a hard drive combined. It is used primarily
in applications that need high speed and durability, such
as digital cellular phones, digital cameras, PC cards for
notebooks, and pagers.
Memory Management
• To use memory efficiently, the OS provides ways of
isolating the addresses used by one program from
those of others - managing memory. This also prevents
errors in one program from corrupting other programs.
• The objective of memory management is to separate
programs into different parts of memory and still have
them work properly.
• Paging. Certain applications, upon execution,
write “pages” of information to reserved address space.
• Swapping. Moving an entire memory region
associated with a process or application into a virtual
memory (simulated RAM) using a storage disk.
Potential Threat of Memory Mgmt.
• Although an encryption program can read data
in an encrypted file, decrypt it, and work on the
data while it is in memory, the data can be
transferred onto the hard drive as a result of
paging and swapping process.
Countermeasure:
• The system administrator can implement a
memory lock technique to prevent the data from
being paged or swapped from memory to the hard
drive.
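The memory lock countermeasure above, combined with the core dump exposure described under "Potential Vulnerability in CPU", as an added C example for Linux/POSIX that is not part of the original slides. The function names, the caller-supplied work buffer and the byte-sum workload are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>

/* Stop the kernel from writing a core file for this process, so a crash
 * cannot copy in-memory secrets to a readable file. Returns 0 on success. */
int disable_core_dumps(void)
{
    struct rlimit none = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &none);
}

/* Soft core-file size limit in bytes (0 = no core file), or -1 on error. */
long core_limit(void)
{
    struct rlimit cur;
    return getrlimit(RLIMIT_CORE, &cur) == 0 ? (long)cur.rlim_cur : -1;
}

/* Zero a buffer through a volatile pointer so the compiler cannot remove
 * the stores as dead code. */
void scrub(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--)
        *p++ = 0;
}

/* Work on a secret inside caller-supplied memory that is pinned in RAM.
 * Fails closed: if the pages cannot be locked, the secret is never copied.
 * The byte sum stands in for real processing (hypothetical workload).
 * Returns 0 on success, -1 on failure (errno says why). */
int use_secret_locked(unsigned char *work, size_t cap,
                      const unsigned char *secret, size_t len,
                      unsigned *sum_out)
{
    if (len > cap) {
        errno = EINVAL;
        return -1;
    }
    if (mlock(work, cap) != 0)      /* pages may no longer be swapped out */
        return -1;
    memcpy(work, secret, len);
    unsigned sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += work[i];
    *sum_out = sum;
    scrub(work, cap);               /* leave no residue before unlocking */
    munlock(work, cap);
    return 0;
}
```

The amount of memory an unprivileged process may lock is bounded by RLIMIT_MEMLOCK, so a failed mlock() is treated here as a reason to refuse the work rather than to continue unlocked.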
Potential Threats of Flash Memory
• Data loss due to the loss of flash memory devices.
• Another security threat for the use of flash memory
in portable devices such as PDAs is wireless
security, because the data is often being transferred
wirelessly and can be captured wirelessly by a hacker.
Countermeasure:
• Encrypting the data in the flash memory device.
• Using a new Mobile Commerce Extension
Specification (MC-ES) developed by the 5C
(Toshiba, Hitachi, SanDisk, Matsushita, and
Ingentix).
Peripherals or I/O Devices
• The I/O device usually sends information to
memory, but it can also send information directly
to the CPU. Once the data is copied to the
memory, an interrupt is generated signaling the
CPU that the requested data is now available for
processing.
• Processors are designed to deal with interruptions in
program execution caused by the program itself, by user
requests, or hardware failure.
• I/O is a privileged operation carried out only by the OS.
[Figure: I/O Controllers, Memory and CPU.]
Software Interrupt
• Exceptions and traps are the software equivalent
of a hardware interrupt.
• When a program attempts to execute a privileged
instruction while in user mode, an exception
occurs, generally causing the failure of the
program.
• Exceptions can also occur due to code errors
created when the program was written.
Potential Threats of I/O 1
• Hardware Interrupt. The hardware interrupt is a special
input to the CPU specifying an address in the interrupt
vector table. The interrupt vector table provides the
location of the program addressing the condition specified
in the interrupt, called the interrupt handler. When an
interrupt occurs, the system saves its current state on the
stack and then executes the interrupt handler. During this
event, control is taken from the user program.
Countermeasure:
• Making sure that the system is restored to a proper
state, such as clearing the supervisor status bit, before
returning the control to the user program.
Potential Threats of I/O 2
• Another security flaw could exist if other
interrupts arrived while the processor was dealing
with a current interrupt. If the new interrupt has a
higher priority than the current interrupt being
handled, the processor would then have to transfer
execution to the interrupt handler with the higher
priority. The interrupt with lower priority will be
cached. If interrupt handling is not handled
securely, a breach may occur, allowing a previous
process to gain the supervisor status of an
operating system call.
Potential Threats of I/O 3
• Redirection of Interrupt. Malicious code could be
executed whenever the corresponding interrupt occurs,
resulting in an interrupt redirection attack, which is
difficult to detect because:
– It does not change the original interrupt handler.
– Without prior knowledge of where the interrupt
handlers are located in memory and what the
contents of the interrupt vector table should be, it is
almost impossible to detect these changes.
– Operating systems do not currently provide an
integrity check or control mechanism to prevent
interrupt or system call redirection.
Illustration of Operating Systems
[Figure: Illustration of Operating Systems. Elements shown:
Processors; Memory holding Programs and Data; I/O Controllers;
Storage holding OS, Program and Data; Operating System Software.]
Objectives of OS
• To control the use of the system’s resources. The
OS must share the computer’s resources among a
number of simultaneous users or, if the computer
only has one user, share resources between multiple
tasks.
• To provide a convenient and easy-to-understand
view or interface of the computer to its users
(people or programs), which is usually done
through a graphical user interface (GUI).
OS Services
Services
• Program creation.
• Program execution.
• Access to input/output
devices.
• Controlled access to files.
• System access.
• Error detection and
response.
• Accounting.
Operations
• Process
• Spooling
• Multitasking
• Multithreading
• Multiprogramming
• Multiprocessing
Special Operations of OS
• Multitasking. The ability to allow a user to
perform more than one task at the same time.
• Multithreading. The ability to allow more
than one user to access a program at the same time.
• Multiprogramming. The ability to allow
the interleaved execution of two or more programs
by a processor.
• Multiprocessing. The coordinated
processing of two or more programs by a processor
that contains parallel processors.
Illustration of Spooling
1. Request (system call), such as accessing a document
from the hard disk.
2. Document is retrieved from the storage device and
stored in RAM.
3. Request (system call), such as printing a file.
[Figure elements: Memory (RAM); CPU.]
Potential Vulnerabilities of OS 1
• Object Reuse (for single processor, multiprogramming
system). Storage residues occur when data is left behind in the
memory area that could be allocated to new processes. Storage
residues should be avoided, or the OS must scrub the RAM to
prevent storage residue.
• Time of Check/Time of Use (TOC/TOU) (for multiple
processors, multiprogramming system). An asynchronous
attack that occurs when one process passes pointers to
parameters residing in its virtual memory to the OS. At the
same time, another process, with access to the same memory,
modifies the parameters between the time the OS validates
them and the time they are used.
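The TOC/TOU window described above, as an added C example that is not part of the original slides. It is a single-threaded simulation: the struct layout, the function names and the hook that stands in for the second process are all assumptions, and the flawed routine only reports the length it would use instead of performing the copy.

```c
#include <stddef.h>
#include <string.h>

#define KBUF_SIZE 16

/* Parameter block in memory that the calling process, and any process
 * sharing that memory, can still write while the OS services the call. */
struct io_request {
    size_t len;
    char data[64];
};

/* Stand-in for "another process runs now": called between check and use. */
typedef void (*race_hook)(struct io_request *shared);

/* Constructed concurrent writer: enlarges len after it was validated. */
void grow_len(struct io_request *shared)
{
    shared->len = 4096;
}

/* Flawed service routine: validates shared->len, then fetches it again
 * when it is used. Returns the length it would copy into a KBUF_SIZE
 * buffer (the copy itself is omitted), or -1 if the request is rejected. */
long service_double_fetch(struct io_request *shared, race_hook between)
{
    if (shared->len > KBUF_SIZE)        /* time of check */
        return -1;
    if (between)
        between(shared);
    return (long)shared->len;           /* time of use: second fetch */
}

/* Hardened routine: copy the parameters once into private memory, then
 * validate and use only that copy. Later writes to *shared have no effect
 * on what is copied into kbuf. */
long service_snapshot(struct io_request *shared, race_hook between,
                      char kbuf[KBUF_SIZE])
{
    struct io_request local = *shared;  /* single fetch */
    if (local.len > KBUF_SIZE)
        return -1;
    if (between)
        between(shared);
    memcpy(kbuf, local.data, local.len);
    return (long)local.len;
}
```

With the hook installed, the flawed routine returns 4096 for a request that passed the 16-byte check, while the snapshot routine still copies the 5 bytes it validated.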
Potential Vulnerabilities of OS 2
• Maintenance Hooks. Commonly referred to as
trapdoors or backdoors, these are undocumented features
left in the software code to allow designers
easy maintenance and additional feature
development. An unauthorized user who knows the
entry point could gain access to information or insert
malicious code into the software.
• Countermeasure: Ideally, maintenance hooks should
never be inserted into the program during
development. At a minimum, they should be
removed prior to live implementation.
OS Security I
• A secure OS also uses the layer structure to assist in the
achievement of some assurance goals. The security
primitives should be placed in a lower layer, with
additional security elements implemented at all layers.
A clear understanding of the security requirements at each
layer during the design phases is important.
• Reasons for putting security mechanisms in a lower
layer are:
– To increase the performance of the system (the overhead
within the OS is lower).
– To allow for a complete check on the security
mechanisms to ensure that they cannot be circumvented.
OS Security II
• Security technologies used by OS include:
– Reference monitor.
– Security kernel.
– The trusted computing base.
• Reference Monitor: A reference monitor concept
defines a set of design requirements on a
reference validation mechanism, which enforces
an access control policy over subjects' (e.g.,
processes and users) ability to perform operations
(e.g., read and write) on objects (e.g., files and
sockets) on a system.
OS Security III
• A Security Kernel is a small module in the Operating System
where all security features are located. It is a self-contained,
usually small collection of key security-related statements that (a)
works as a part of an operating system to prevent unauthorized
access to, or use of, the system and (b) contains criteria that must
be met before specified programs can be accessed.
[Figure: Subjects reach Objects through the Reference Monitor
(Policy), which uses the Security Kernel Database and writes to
the Audit File.]
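A minimal reference validation mechanism with the parts named above (policy, security kernel database, audit file), as an added C example that is not part of the original slides. The subjects, objects, policy entries and function names are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

enum { OP_READ = 1, OP_WRITE = 2 };

struct rule { const char *subject, *object; int ops; };

/* Constructed access control policy (the "security kernel database"). */
static const struct rule policy[] = {
    { "alice",  "payroll.db", OP_READ | OP_WRITE },
    { "backup", "payroll.db", OP_READ },
    { "alice",  "audit.log",  OP_READ },
};

struct audit_rec { const char *subject, *object; int op, allowed; };

#define AUDIT_MAX 32
static struct audit_rec audit_file[AUDIT_MAX];
static size_t audit_len;

/* Reference validation: the one function every access goes through.
 * Default deny; every decision is recorded; if the decision cannot be
 * recorded, the access is denied. Returns 1 to allow, 0 to deny. */
int rm_check(const char *subject, const char *object, int op)
{
    int allowed = 0;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        if (op != 0 && (policy[i].ops & op) == op &&
            strcmp(policy[i].subject, subject) == 0 &&
            strcmp(policy[i].object, object) == 0) {
            allowed = 1;
            break;
        }
    }
    if (audit_len == AUDIT_MAX)
        return 0;                       /* cannot audit: fail closed */
    audit_file[audit_len++] =
        (struct audit_rec){ subject, object, op, allowed };
    return allowed;
}

/* Object access that is reachable only through the monitor. */
int guarded_write(const char *subject, const char *object,
                  char *store, size_t cap, const char *value)
{
    if (!rm_check(subject, object, OP_WRITE) || strlen(value) >= cap)
        return -1;
    strcpy(store, value);
    return 0;
}

/* Number of denied requests in the audit file. */
size_t rm_denials(void)
{
    size_t n = 0;
    for (size_t i = 0; i < audit_len; i++)
        n += !audit_file[i].allowed;
    return n;
}
```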
Trusted Computing Base (TCB)
The trusted computing base (TCB) is everything in a
computing system that provides a secure environment. This
includes the operating system and its provided security
mechanisms, hardware, physical locations, network
hardware and software, and prescribed procedures.
Typically, there are provisions for controlling access,
providing authorization to specific resources, supporting
user authentication, guarding against viruses and other
forms of system infiltration, and backup of data. It is
assumed that the trusted computing base has been or should
be tested or verified.
Protection Rings
[Figure: Protection Rings. Privilege levels Ring 0 through Ring 3,
ranging from most privileged to least privileged. Labels shown: OS
Kernel; OS Services; Utilities; Device Drivers; Applications
Programs (Email Clients, MS Office, Web Browser).]
Application Architecture
• Applications Architecture is an infrastructure to ensure
the suite of applications being used by an organization is
scalable, reliable, available and manageable.
• The applications architecture is specified on the basis of
business requirements, which involve defining the
interactions between application packages, databases,
and middleware systems in terms of functional
coverage.
• Applications Architecture means managing how
multiple applications are poised to work together. It is
different from software architecture, which deals with
design concerns of one application.
Process vs. Thread
• Applications are run in user mode. Each application is a
process. A thread is the smallest unit of processing or
execution in a program.
• The implementation of threads and processes differs from one
operating system to another, but in most cases, a thread is
contained inside a process. Multiple threads can exist within
the same process and share resources such as memory, while
different processes do not share these resources.
• On a single processor, multithreading generally occurs by
time-division multiplexing; the processor switches between
different threads. On a multiprocessor, the threads or tasks will
actually run at the same time, with each processor or core
running a particular thread or task.
Network Architecture
• A network is a data communication system allowing a
number of devices to communicate with each other.
• A network allows the users of the network to share
common resources and to send and receive
information.
• The network provides an interface for the users of the
network resources, just as an operating system
provides an interface consisting of system calls.
• For two entities to communicate with each other, they
must agree on common protocols, or a set of rules.
Layers of Network Architecture
[Figure: OSI Model. A user transmits data down through the
Application, Presentation, Session, Transport, Network, Data Link
and Physical Layers, across the Physical Link, to the side that
receives the data.]
Threats to Shared Environments
• Unconfigured or
misconfigured file protection
controls.
• Database corruption.
• Unsecured remote access.
• Unsecured locations and
physical accessibility.
• Lack of built-in security
controls.
• Multiple control points.
• Inconsistent user identification
and authentication across
networks.
• Multiple administrative
processes and appearances.
• Multiple administrators.
• Malicious codes.
• Hidden escape mechanisms.
• Lack of multiple-log and
journal synchronization.
• Lack of audit trail data
control.
• Lack of alarm notification.
To be Continued
This is the end of part I of the lecture. Please
continue to review part II.