Security Architecture and Design: Part I

Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
chu@ist.psu.edu
IST 515

Objectives
• Understand enterprise architecture
• Understand security architecture
• Understand platform architecture
• Understand operating system architecture
• Discuss security models and architecture theory
• Identify appropriate protection mechanisms
• Identify techniques used to provide system security
• Discuss evaluation methods and criteria
• Understand the role of assurance evaluations
• Explain certification and accreditation

Readings
• Hansche, S., Berti, J. and Hare, C., Official (ISC)² Guide to the CISSP Exam, Chapter 2, Auerbach, 2004, pp. 79-145. (Required).
• Stephens, B., “Security Architecture for System Wide Information Management,” The 24th Digital Avionics Systems Conference, 2005. DASC 2005, V. 2.
• CIO Council, A Practical Guide to Federal Enterprise Architecture, V 1.0, 2001. http://www.cio.gov

What is Enterprise Architecture?
• An Enterprise Architecture is an integrating framework for enabling the alignment of business strategy and technology capability.
• An Enterprise Architecture (EA) provides the blueprint for integration, change and management of your IT assets within the context of your business vision, goals and objectives. A well-crafted, flexible Enterprise Architecture can be your organization’s most valuable IT asset. (http://www.neosynthesis.com/architecture.asp)

[Figure: Enterprise Architecture (MITRE EA Development Process). Labels: Business Architecture; Transition Architecture; Infrastructure; Operations Architecture; Security Architecture; Information Architecture; Vision; Mission; Strategy; Policies; Service Composition Architecture; Functional Application Architecture; Technology Architecture.]

Information Systems Requirements
▪ Capability.
▪ Performance.
▪ Flexibility.
▪ Cost.
▪ Ease of Use.
▪ Business requirements.
▪ Security.
▪ Innovation.
• Building an information system requires a balance among various requirements.
• Security should be considered as a requirement from the beginning – it is simply another feature that needs to be included.

What is Security Architecture?
Security architecture is a view of an overall system architecture from a security perspective. It provides some insight into the security services, mechanisms, technologies, and features that can be used to satisfy system security requirements. It provides recommendations on where, within the context of the overall system architecture, security mechanisms should be placed. It describes how the system is put together to satisfy the security requirements.

Security Architecture 1
Security architecture is not a description of the functions of the system; it is more of a design view, describing at an abstract level the relationships between key elements of the hardware, operating systems, applications, network and other required components to protect the organization’s interests. It should also describe how the functions in the system development process follow the security requirements. For example, if the security requirements specify that the system must have a given level of assurance as to the correctness of the security controls, the security architecture must prescribe these specifications in the development process.

Security Architecture 2
Security requirements are not added steps to the system development process; instead, the specifications or guidelines of the security architecture provide an influence during all development processes. During the beginning stages, the security architecture should outline high-level security issues, such as the system security policy, the level of assurance required, and any potential impacts security could have on the design process.
As the system is developed, the security architecture should evolve in parallel, and may even need to be slightly ahead of the development process so that the security requirements will guide the development process.

General Questions to Ask
• Where should the protection take place: at the user’s end, where the data is stored, by restricting user activities within the environment, or a combination of these?
• Where (at what layer) should the protection be placed: hardware, kernel, operating system, service, or program?
• Which processes are within the trusted computing base (TCB)?
• What kind of security mechanisms should be used?
• How will the security mechanisms and processes interact with each other?
• What is the security perimeter that separates the trusted and untrusted components?

[Figure: Security Architecture Design. Labels: Security Architecture Requirements; Security Architecture Layers; Vulnerabilities; Threats/Risks; Security Models; Evaluation Methods & Criteria; Certification & Accreditation; Countermeasures.]

Security Architecture Requirements
• The security architecture is designed so that the Availability, Integrity and Confidentiality (AIC) goals of information security can meet the business and security needs of the organization.
• The security architecture can guide the early decisions and avoid the need to correct or retrofit the system after development has been completed.
• Adding security controls after a system has been developed can lead to user frustration, a lower security posture, and significantly increased implementation costs.

Security Architecture Layers
• Platform Architecture that defines how it manages various system resources or system utilities.
• Operating System Architecture that defines how an operating system interacts with the hardware components, utilities and applications.
• Application Architecture that defines how applications interact with the OS and provide services to end users.
• Network Architecture that defines how networked devices communicate, share common resources with each other and send and receive information.

Layers of Security Architecture
[Figure: Layers of security architecture. Labels: End User; Application Programs; End User Utilities; Operating System; Computer Hardware; Network; OS Kernel.]

Platform Architecture

CPU – Computer Brain
[Figure: CPU diagram. Labels: Application; Memory/Buffer; Instructions (Add a + b = c); Data (a = 1, b = 5); Processor; Control Unit; ALU; result c = 6.]

Potential Vulnerability in CPU
• System crashes. During the crash, the system creates a core dump of its internal state, including RAM, program stacks and CPU registers, allowing for investigation and identification of the cause leading to the crash. If the internal state contains sensitive information and the core dump data is stored in a file that can potentially be accessed and read by everyone, inadvertent release of the sensitive information could occur.

Storage Devices
• Primary Storage (volatile):
  - Cache or registers
  - Memory (RAM, ROM, Cache, Flash)
• Secondary Storage (nonvolatile):
  - Disk drive
  - CD or Tape
• Virtual Memory. A simulated RAM using the storage disk. The process is called paging or swapping, which can slow down the system.

Threats of Storage Devices
• If power is interrupted, the data stored in RAM can be completely lost.
• Removable media and CDs, which can be easily transported and read on other computers, can increase the organization’s risk of data loss.
Countermeasure:
• Establishing appropriate policy and controls on:
  – the use of an Uninterruptible Power Supply (UPS) or backup power supply, and
  – where and when removable media and CD drives may be used.

Potential Threat of Virtual Memory
• Data stored in virtual memory remains on the hard drive when the computer is turned off and may be recovered from these temporary files. An attacker may be able to retrieve data from these locations with little difficulty if access is gained.
Countermeasures:
• Erase the virtual memory files when the system is shut down.
• Encrypt the swap partition, or create a separate small drive and place the swap files there.

Types of Memory
Random Access Memory (RAM). It is used to store program instructions and data, and is accessible directly by the CPU. Read/write capability.
Read-only Memory (ROM). It is a built-in memory that contains data that can only be read. It is usually used for storing the parts of the OS that allow the computer to be booted.
Flash Memory. It is a rewritable memory that functions like RAM and a hard drive combined. It is used primarily in applications that need high speed and durability, such as digital cellular phones, digital cameras, PC cards for notebooks, and pagers.

Memory Management
• To use memory efficiently, the OS provides ways of isolating the addresses used by one program from those of others (managing memory). This also prevents errors in one program from corrupting other programs.
• The objective of memory management is to separate programs into different parts of memory and still have them work properly.
• Paging. Having certain applications, upon execution, write “pages” of information to reserved address space.
• Swapping. Moving an entire memory region associated with a process or application into virtual memory (simulated RAM) using a storage disk.

Potential Threat of Memory Mgmt.
• Although an encryption program can read data in an encrypted file, decrypt it, and work on the data while it is in memory, the data can be transferred onto the hard drive as a result of the paging and swapping process.
Countermeasure:
• The system administrator can implement a memory lock technique to prevent the data in memory from being paged or swapped to the hard drive.

Potential Threats of Flash Memory
• Data loss due to the loss of flash memory devices.
• Another security threat for the use of flash memory in portable devices such as PDAs is wireless security, because the data is often transferred wirelessly and can be captured wirelessly by a hacker.
Countermeasure:
• Encrypting the data in the flash memory device.
• Using a new Mobile Commerce Extension Specification (MC-ES) developed by the 5C (Toshiba, Hitachi, SanDisk, Matsushita, and Ingentix).

Peripherals or I/O Devices
• The I/O device usually sends information to memory, but it can also send information directly to the CPU. Once the data is copied to the memory, an interrupt is generated signaling the CPU that the requested data is now available for processing.
• Processors are designed to deal with interruptions in program execution caused by the program itself, by user requests, or hardware failure.
• I/O is a privileged operation carried out only by the OS.
[Figure: I/O diagram. Labels: I/O Controller; I/O Controller; Memory; CPU.]

Software Interrupt
• Exceptions and traps are the software equivalent of a hardware interrupt.
• When a program attempts to execute a privileged instruction while in user mode, an exception occurs, generally causing the failure of the program.
• Exceptions can also occur due to code errors created when the program was written.

Potential Threats of I/O 1
• Hardware Interrupt. The hardware interrupt is a special input to the CPU specifying an address in the interrupt vector table. The interrupt vector table provides the location of the program addressing the condition specified in the interrupt, called the interrupt handler. When an interrupt occurs, the system saves its current state on the stack and then executes the interrupt handler. During this event, control is taken from the user program.
Countermeasure:
• Making sure that the system is restored to a proper state, such as clearing the supervisor status bit, before returning control to the user program.

Potential Threats of I/O 2
• Another security flaw could exist if other interrupts arrived while the processor was dealing with a current interrupt.
If the new interrupt has a higher priority than the current interrupt being handled, the processor would then have to transfer execution to the interrupt handler with the higher priority. The interrupt with lower priority will be cached. If interrupt handling is not handled securely, a breach may occur, allowing a previous process to gain the supervisor status of an operating system call.

Potential Threats of I/O 3
• Redirection of Interrupt. Malicious code could be executed whenever the corresponding interrupt occurs, causing a redirection-of-interrupt attack, which is difficult to detect because:
  – It does not change the original interrupt handler.
  – Without prior knowledge of where the interrupt handlers are located in memory and what the contents of the interrupt vector table should be, it is almost impossible to detect these changes.
  – Operating systems do not currently provide an integrity check or control mechanism to prevent interrupt or system call redirection.

Illustration of Operating Systems
[Figure: Operating system illustration. Labels: Memory; I/O Controller (three); Programs and Data; Processor (two); OS; Program; Data; Storage.]

Operating System Software

Objectives of OS
• To control the use of the system’s resources. The OS must share the computer’s resources among a number of simultaneous users or, if the computer only has one user, share resources between multiple tasks.
• To provide a convenient and easy-to-understand view or interface of the computer to its users (people or programs), which is usually done through a graphical user interface (GUI).

OS Services
Services
• Program creation.
• Program execution.
• Access to input/output devices.
• Controlled access to files.
• System access.
• Error detection and response.
• Accounting.
Operations
• Process
• Spooling
• Multitasking
• Multithreading
• Multiprogramming
• Multiprocessing

Special Operations of OS
• Multitasking. The ability to allow a user to perform more than one task at the same time.
• Multithreading. The ability to allow more than one user to access a program at the same time.
• Multiprogramming. The ability to allow the interleaved execution of two or more programs by a processor.
• Multiprocessing. The ability to coordinate the processing of two or more programs by a processor that contains parallel processors.

Illustration of Spooling
1. Request (system call), such as accessing a document from the hard disk
2. Document is retrieved from storage device and stored in RAM
3. Request (system call), such as printing a file
[Figure: Spooling illustration. Labels: Memory (RAM); CPU.]

Potential Vulnerabilities of OS 1
• Object Reuse (for single processor, multiprogramming system). Storage residues occur when data is left behind in a memory area that could be allocated to new processes. Storage residues should be avoided, or the OS must scrub the RAM to prevent storage residue.
• Time of Check/Time of Use (TOC/TOU) (for multiple processors, multiprogramming system). An asynchronous attack that occurs when one process passes pointers to parameters residing in its virtual memory to the OS. At the same time, another process, with access to the same memory, modifies the parameters between the time the OS validates them and the time they are used.

Potential Vulnerabilities of OS 2
• Maintenance Hooks. Commonly referred to as trapdoors or backdoors, these are undocumented features left in the software code to allow designers easy maintenance and additional feature development. An unauthorized user who knows the entry point could gain access to information or insert malicious code into the software.
• Countermeasure: Ideally, maintenance hooks should never be inserted into the program during development. At a minimum, they should be removed prior to live implementation.

OS Security I
• A secure OS also uses the layer structure to assist in the achievement of some assurance goals.
The security primitives should be placed in a lower layer, with additional security elements implemented at all layers. A clear understanding of the security requirements at each layer during the design phases is important.
• Reasons for putting security mechanisms in a lower layer are:
  – To increase the performance of the system (the overhead within the OS is lower).
  – To allow for a complete check on the security mechanisms to ensure that they cannot be circumvented.

OS Security II
• Security technologies used by the OS include:
  – Reference monitor.
  – Security kernel.
  – The trusted computing base.
• Reference Monitor: The reference monitor concept defines a set of design requirements on a reference validation mechanism, which enforces an access control policy over subjects' (e.g., processes and users) ability to perform operations (e.g., read and write) on objects (e.g., files and sockets) on a system.

OS Security III
• A Security Kernel is a small module in the operating system where all security features are located. It is a self-contained, usually small collection of key security-related statements that (a) works as a part of an operating system to prevent unauthorized access to, or use of, the system and (b) contains criteria that must be met before specified programs can be accessed.
[Figure: Reference monitor diagram. Labels: Audit File; Subjects; Reference Monitor (Policy); Security Kernel Database; Objects.]

Trusted Computing Base (TCB)
The trusted computing base (TCB) is everything in a computing system that provides a secure environment. This includes the operating system and its provided security mechanisms, hardware, physical locations, network hardware and software, and prescribed procedures. Typically, there are provisions for controlling access, providing authorization to specific resources, supporting user authentication, guarding against viruses and other forms of system infiltration, and backup of data. It is assumed that the trusted computing base has been or should be tested or verified.
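The subjects, policy, objects and audit file from the reference monitor slides, as an added example that is not part of the original lecture. It models the mechanism in user space; the subject and object names, the policy entries and the in-memory audit log are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum { OP_READ = 1, OP_WRITE = 2 };

/* Security kernel database: subject, object, permitted operations.
   All names and values are constructed for this example. */
struct rule { const char *subject, *object; int ops; };
static const struct rule policy[] = {
    { "payroll_app", "salaries.db", OP_READ | OP_WRITE },
    { "report_job",  "salaries.db", OP_READ },
};

/* Objects are static to this file: the monitor is the only path to them. */
struct object { const char *name; char data[32]; };
static struct object objects[] = { { "salaries.db", "v1" } };

static char audit_file[16][80];   /* stands in for the audit file */
static int audit_len;

/* Reference validation: default deny, and every decision is audited.
   Returns the object on ALLOW and NULL on DENY. */
static struct object *mediate(const char *subj, const char *obj, int op) {
    struct object *found = NULL;
    int ok = 0;
    for (size_t i = 0; i < sizeof policy / sizeof *policy; i++)
        if (!strcmp(policy[i].subject, subj) &&
            !strcmp(policy[i].object, obj) && (policy[i].ops & op))
            ok = 1;
    for (size_t i = 0; ok && i < sizeof objects / sizeof *objects; i++)
        if (!strcmp(objects[i].name, obj)) found = &objects[i];
    if (audit_len < 16)
        snprintf(audit_file[audit_len++], sizeof audit_file[0], "%s %s %s %s",
                 found ? "ALLOW" : "DENY", subj, op == OP_READ ? "read" : "write", obj);
    return found;
}

/* Operations offered to subjects; each one goes through mediate(). */
const char *rm_read(const char *subj, const char *obj) {
    struct object *o = mediate(subj, obj, OP_READ);
    return o ? o->data : NULL;
}

int rm_write(const char *subj, const char *obj, const char *val) {
    struct object *o = mediate(subj, obj, OP_WRITE);
    if (!o) return -1;
    snprintf(o->data, sizeof o->data, "%s", val);
    return 0;
}

const char *audit_entry(int i) { return i >= 0 && i < audit_len ? audit_file[i] : ""; }

int main(void) {
    rm_write("report_job", "salaries.db", "tampered");   /* denied */
    rm_write("payroll_app", "salaries.db", "v2");        /* allowed */
    printf("report_job reads: %s\n", rm_read("report_job", "salaries.db"));
    for (int i = 0; i < audit_len; i++) puts(audit_file[i]);
    return 0;
}
```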
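The TOC/TOU flaw from the "Potential Vulnerabilities of OS 1" slide, as an added example that is not part of the original lecture: a handler that validates parameters in caller-writable memory and then reads them again, next to one that copies them once and works only on the copy. The `racer` hook is a hypothetical, deterministic stand-in for the second process, and all names and values are constructed.

```c
#include <stdio.h>
#include <string.h>

#define LIMIT   16   /* largest length the policy allows */
#define STORAGE 64   /* real size of the buffers, so the demo never overruns */

/* Parameter block in memory the caller and its peers can still write to. */
struct request { size_t len; char data[STORAGE]; };

/* Hypothetical hook: stands in for a second process that rewrites the
   parameters in the window between check and use. */
static void (*racer)(struct request *);
static void grow_len(struct request *r) { r->len = STORAGE; }

/* Flawed: checks r->len, then fetches r->len again at the time of use. */
size_t handle_unsafe(struct request *r, char *out) {
    if (r->len > LIMIT) return 0;        /* time of check */
    if (racer) racer(r);                 /* the other process runs here */
    memcpy(out, r->data, r->len);        /* time of use: value has changed */
    return r->len;
}

/* Hardened: copy the parameters once into private storage, then check and
   use only that copy. Later writes to the shared block have no effect. */
size_t handle_safe(struct request *r, char *out) {
    struct request snap;
    memcpy(&snap, r, sizeof snap);       /* single fetch */
    if (snap.len > LIMIT) return 0;      /* check the snapshot */
    if (racer) racer(r);                 /* interference hits the original */
    memcpy(out, snap.data, snap.len);    /* use the snapshot */
    return snap.len;
}

/* Runs one handler against a constructed 8-byte request while the racer
   is active; returns how many bytes the handler copied. */
size_t run_demo(int hardened) {
    struct request req = { 8, "constructed sample" };
    char out[STORAGE];
    racer = grow_len;
    return hardened ? handle_safe(&req, out) : handle_unsafe(&req, out);
}

int main(void) {
    printf("unsafe copied %zu bytes (limit %d)\n", run_demo(0), LIMIT);
    printf("safe   copied %zu bytes (limit %d)\n", run_demo(1), LIMIT);
    return 0;
}
```

The unsafe handler passes its own check and still copies more than `LIMIT` bytes; the hardened handler copies the 8 bytes it validated.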
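An added example, not part of the original lecture, applying three countermeasures from the slides above on Linux/POSIX: no core dump of sensitive state ("Potential Vulnerability in CPU"), a memory lock against paging and swapping ("Potential Threat of Memory Mgmt."), and scrubbing before release ("Object Reuse"). The `struct secret` helper and the sample key are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>

/* Core dumps: set the core file size limit to zero so a crash cannot write
   RAM, stacks and registers to disk. Returns the resulting soft limit
   (0 when the control is in place) or -1 on error. */
long disable_core_dumps(void) {
    struct rlimit lim = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &lim) != 0 || getrlimit(RLIMIT_CORE, &lim) != 0)
        return -1;
    return (long)lim.rlim_cur;
}

/* Object reuse: overwrite through a volatile pointer so the compiler
   cannot drop the stores as dead code ahead of free(). */
void scrub(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

struct secret { unsigned char *buf; size_t len; int locked; };

/* Memory lock: ask the OS to keep these pages resident so they are never
   paged or swapped out. mlock() can fail (RLIMIT_MEMLOCK, privileges);
   the outcome is recorded so the caller can apply its own policy. */
int secret_alloc(struct secret *s, size_t len) {
    s->buf = calloc(1, len);
    if (!s->buf) return -1;
    s->len = len;
    s->locked = (mlock(s->buf, len) == 0);
    return 0;
}

void secret_free(struct secret *s) {
    scrub(s->buf, s->len);                 /* leave no storage residue */
    if (s->locked) munlock(s->buf, s->len);
    free(s->buf);
}

/* Stores a constructed key, scrubs it, and returns how many non-zero
   bytes remain (0 when the scrub worked). */
size_t residue_after_scrub(void) {
    struct secret s;
    size_t left = 0;
    if (secret_alloc(&s, 32) != 0) return (size_t)-1;
    memcpy(s.buf, "constructed-sample-key-material", 32);
    scrub(s.buf, s.len);
    for (size_t i = 0; i < s.len; i++) left += (s.buf[i] != 0);
    secret_free(&s);
    return left;
}

int main(void) {
    printf("core limit %ld, residue %zu\n", disable_core_dumps(), residue_after_scrub());
    return 0;
}
```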
Protection Rings
[Figure: Protection rings by privilege level, from Ring 0 (most privileged) to Ring 3 (least privileged). Labels: OS Kernel; OS Services; Utilities; Device Drivers; Applications Programs (Email Clients, MS Office, Web Browser).]

Application Architecture
• Applications Architecture is an infrastructure to ensure the suite of applications being used by an organization is scalable, reliable, available and manageable.
• The applications architecture is specified on the basis of business requirements, which involve defining the interactions between application packages, databases, and middleware systems in terms of functional coverage.
• Applications Architecture means managing how multiple applications are poised to work together. It is different from software architecture, which deals with design concerns of one application.

Process vs. Thread
• Applications are run in user mode. Each application is a process. A thread is the smallest unit of processing or execution in a program.
• The implementation of threads and processes differs from one operating system to another, but in most cases, a thread is contained inside a process. Multiple threads can exist within the same process and share resources such as memory, while different processes do not share these resources.
• On a single processor, multithreading generally occurs by time-division multiplexing; the processor switches between different threads. On a multiprocessor, the threads or tasks will actually run at the same time, with each processor or core running a particular thread or task.

Network Architecture
• A network is a data communication system allowing a number of devices to communicate with each other.
• A network allows the users of the network to share common resources and to send and receive information.
• The network provides an interface for the users of the network resources, just as an operating system provides an interface consisting of system calls.
• For two entities to communicate with each other, they must agree on common protocols, or a set of rules.

Layers of Network Architecture
[Figure: OSI Model. Labels: User; Transmit Data; Application Layer; Presentation Layer; Session Layer; Transport Layer; Network Layer; Data Link Layer; Physical Layer; Physical Link; Receive Data.]

Threats to Shared Environments
• Unconfigured or misconfigured file protection controls.
• Database corruption.
• Unsecured remote access.
• Unsecured locations and physical accessibility.
• Lack of built-in security controls.
• Multiple control points.
• Inconsistent user identification and authentication across networks.
• Multiple administrative processes and appearances.
• Multiple administrators.
• Malicious code.
• Hidden escape mechanisms.
• Lack of multiple-log and journal synchronization.
• Lack of audit trail data control.
• Lack of alarm notification.

To be Continued
This is the end of part I of the lecture. Please continue to review part II.