Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

security

advertisement 
Fighting Mechanism
Population
Infrastructure
Organic Essentials
Leadership
A Security-centric Ring-based
Software Architecture
Jay-Evan J. Tevis
John A. Hamilton, Jr.
Western Illinois University
Macomb, IL
Auburn University
Auburn, AL
A Security-centric Ring-based
Software Architecture
1
Introduction
• Software systems are vulnerable to many different
forms of attack
• Protection of such systems can be improved by
viewing their key components from the
perspective of an enemy attacker
A Security-centric Ring-based
Software Architecture
2
Introduction (continued)
• Colonel John Warden developed a five-ring
system model for military strategic warfare
– It describes the parts of an enemy system as five
concentric rings
– It is designed for use in planning and conducting
strategic targeting against an adversary
A Security-centric Ring-based
Software Architecture
3
Introduction (continued)
• We apply this model to computer software
architecture in a similar manner to identify
– What system-level components are essential
– How these components can be better protected through
a security-focused software architectural design
A Security-centric Ring-based
Software Architecture
4
Overview
1. Security-centric software architectures
2. Design of a ring-based software architecture
3. A computer security adaptation using Warden’s
concentric rings
4. Adapting Warden’s model to computer security
5. Protecting centers of gravity in a software system
6. Conclusion and future plans
A Security-centric Ring-based
Software Architecture
5
1. Security-centric Software
Architectures
A Security-centric Ring-based
Software Architecture
6
1. Security-centric Software Architectures
Critical Concepts in the Security Domain
[Neumann]
• Multi-level security
– Restrict flow of information from higher-security entities to lowersecurity entities
• Multi-level integrity
– Restrict dependencies between entities of higher integrity with
entities of lower integrity
• Multi-level availability
– Restrict dependencies between entities of higher availability with
entities of lower availability
A Security-centric Ring-based
Software Architecture
7
1. Security-centric Software Architectures
Multiple Security Rings [Gemini]
• High assurance security
– Hardware and kernel-enforced protection
• Multi-level security
– Enforcement of organizational access controls
• Cryptographic communication security
– IPSec-based authentication, confidentiality, and integrity
•
Integrated information systems security
– Protection at transport and network layers
A Security-centric Ring-based
Software Architecture
8
1. Security-centric Software Architectures
Properties of Ring-based Software
Architectures [Schell]
• Memory segmentation
• Three protection rings
– (0) Security kernel
• Located in the most protected ring
• Enforces mandatory access controls
– (1) Operating system
– (2) Applications
• According to Schell, such ring-based architectures are
applied in research but are not widely deployed in industry
A Security-centric Ring-based
Software Architecture
9
1. Security-centric Software Architectures
Ring-based Program Execution Policy
[Nguyen and Levin]
• Mandatory access control (All users including root)
• Four ring-based execution domains
–
–
–
–
(0) Operating System
(1) Administration
(2) Privileged application
(3) Unprivileged application
• Programs assigned to a less privileged ring are unable to
execute or access objects allocated in a more privileged ring
A Security-centric Ring-based
Software Architecture
10
2. Design of a Ring-based
Software Architecture
A Security-centric Ring-based
Software Architecture
11
2. Design of a Ring-based Software Architecture
Ring 4
Ring 3
Ring 2
Ring 1
Ring 0
Ring-based Architectural Style
A Security-centric Ring-based
Software Architecture
12
2. Design of a Ring-based Software Architecture
Ring-based Architectural Style
[Bachmann]
• A variation of the layered architectural style
• Innermost ring is the lowest-numbered layer; outermost
ring is the highest-numbered layer
• Geometric adjacency of two rings denotes an “ability to
use” relation
• Each entity in a specific ring can communicate with
another entity
A Security-centric Ring-based
Software Architecture
13
2. Design of a Ring-based Software Architecture
Ring-based Architectural Style
(continued)
• Entities within a ring have no inherent adjacency;
consequently, they are an unordered set
– This tends towards more of a peer-to-peer environment within a ring
• Any entity in an inner ring is accessible only by an entity in
the closest outer ring
• To access an inner ring, an entity in the adjacent outer ring
must be used as the mediator or interface
A Security-centric Ring-based
Software Architecture
14
2. Design of a Ring-based Software Architecture
Features of Rings as Interfaces
•
•
•
•
•
•
Confidentiality (privacy)
Authentication (who created or sent the data)
Integrity (data has not been altered)
Non-repudiation (responsibility for the request)
Access control (preventing misuse of resources)
Availability (permanence or non-erasure of data)
A Security-centric Ring-based
Software Architecture
15
2. Design of a Ring-based Software Architecture
Features of Rings as Gates [Fernandez]
• A set of protection rings corresponds to domains of execution
with hierarchical levels of trust
• Gates serve as protected entry points between rings
• Entering a ring is done through a gate that checks the access
rights of a process
A Security-centric Ring-based
Software Architecture
16
2. Design of a Ring-based Software Architecture
Design Patterns for a Ring-based
Software Architecture [Fernandez]
•
•
•
•
•
File authorization
Access control for virtual address space
Execution domain
Reference monitor
Controlled execution environment
A Security-centric Ring-based
Software Architecture
17
3. A Computer Security
Adaptation using Warden’s
Concentric Rings
A Security-centric Ring-based
Software Architecture
18
3. A Computer Security Adaptation using Warden’s Concentric Rings
Fighting Mechanism
Population
Infrastructure
Organic Essentials
Leadership
Warden’s Five-Ring Model [Warden]
A Security-centric Ring-based
Software Architecture
19
3. A Computer Security Adaptation using Warden’s Concentric Rings
Body
State
Drug Cartel
Electric Grid
Leadership
Brain
-eyes
-nerves
Government
-comm.
-security
Leader
-comm.
-security
Central
control
Organic
Essentials
Food and
oxygen
Energy
Money
Coca source
plus conversion
Input
(Hydroelectric)
Infrastructure
Vessels, bones,
muscles
Roads,
airfields,
factories
Roads, airways,
sea lanes
Transmission
lines
Population
Cells
People
Growers
Workers
Fighting
Mechanism
Leukocyte
Military,
firemen
Street soldiers
Lineman
Five-Ring Model Applied to Other Domains [Warden]
A Security-centric Ring-based
Software Architecture
20
3. A Computer Security Adaptation using Warden’s Concentric Rings
Physical security measures
Application software
System bus and data controllers
BIOS, system utilities, drivers
Executable code, sensors
Software Security Adaptation of Warden’s Model
A Security-centric Ring-based
Software Architecture
21
3. A Computer Security Adaptation using Warden’s Concentric Rings
Computer Security Rings
• (Ring 0) The executable code itself and software
controlling the system sensors and I/O sensors
• (Ring 1) BIOS, device drivers, system utilities (scheduler,
swapper, I/O, memory, file system, power)
• (Ring 2) Software controlling the system bus, data lines,
antennas, and converters
• (Ring 3) Application software (handling and transforming
of user data)
• (Ring 4) Software controlling physical security measures
to deal with an external attack or an intrusion
A Security-centric Ring-based
Software Architecture
22
5. Protecting Centers of Gravity
in a Software System
A Security-centric Ring-based
Software Architecture
23
5. Protecting Centers of Gravity in a Software System
Centers of Gravity
• Centers of gravity are the components that are instrumental
to a system’s function and survival
• The five rings in Warden’s model constitute five centers of
gravity
• Each ring is a possible target requiring protection
• Without the functioning inner rings, an outer ring becomes a
useless appendage
• Software engineers should ensure that the security protection
for the software in each ring cannot be easily defeated
A Security-centric Ring-based
Software Architecture
24
5. Protecting Centers of Gravity in a Software System
(0) Leadership Ring
• Consists of the executable code itself and software controlling the system
sensors and I/O sensors
• Failure of any critical components in the leadership ring leads to failure
of the complete system
• Critical components must be identified and given the highest level of
protection
• No vulnerability should exist that would allow changes to the program
executable code without approval of the leadership ring
• Only the leadership ring should be able to disable or change system
sensors
• With the innermost ring protected, each remaining ring must also be
protected to avoid the threat of strategic paralysis
A Security-centric Ring-based
Software Architecture
25
5. Protecting Centers of Gravity in a Software System
(1) Organic Essentials Ring
• Consists of the BIOS, device drivers, and system utilities
(scheduler, swapper, I/O, memory, file system, power)
• The organic essentials ring must be protected through
redundancy and system surveillance (alternate software,
software checking on each other, and possibly backup
devices)
A Security-centric Ring-based
Software Architecture
26
5. Protecting Centers of Gravity in a Software System
(2) Infrastructure Ring
• Consists of software controlling the system bus, data lines, antennas,
and converters
• The infrastructure ring must also be protected by redundancy
of software, alternate control and alternate data routing
• Backup components are needed for each of the major data
conduits of the software system
– Signals, shared memory, pipes, system bus, communication paths
• The protection facilities must detect and minimize lost
conduits or a denial of service attack and reroute data or
delete data-jamming traffic in order to thwart such an attack
A Security-centric Ring-based
Software Architecture
27
5. Protecting Centers of Gravity in a Software System
(3) Population Ring
• Consists of application software (handling and transforming
of user data)
• Attack of the population ring is less of an impact on the inner
rings because of the low relationship (i.e., dependency) of
the system processes on the the application processes
• One major threat is exhaustion of memory or filling up of
buffers
• Another threat is corruption or destruction of the contents of
the data when in transit into and among processes
• Approaches for protection include buffer monitoring, parity
error-detection mechanisms and sliding window protocols
A Security-centric Ring-based
Software Architecture
28
5. Protecting Centers of Gravity in a Software System
(4) Fighting Mechanism Ring
• Consists of software controlling physical security measures to deal with
an external attack or an intrusion
• The fighting mechanism ring is not as critical if each of the inner rings
has been equipped with software security protection mechanisms
• Nevertheless, centralizing the attacking role in this ring supports the
software engineering principle of cohesion
• Protection includes not only attacking outward, but also the sending of
warnings to inner rings
• When designing security measures, the detection and handling of threats
should always assume a parallel attack in a ring or among rings and also
a diversion attack
• System security should not be centered on a single thread of protection
located in this outermost ring
A Security-centric Ring-based
Software Architecture
29
6. Conclusion and Future Plans
A Security-centric Ring-based
Software Architecture
30
6. Conclusion and Future Plans
Conclusion
• The importance of computer system security demands better
security-centric software architectures
• Warden’s five-ring model provides a way to portray a computer
system as viewed by an enemy attacker
• This modeling technique identifies the software components of
each ring and the centers of gravity needing the most protection
• It also points out the need for layered software defenses against
computer security threats
A Security-centric Ring-based
Software Architecture
31
6. Conclusion and Future Plans
Future Plans
• Compare and contrast the ring-based security-centric
software architecture to the monolithic software
architecture used by the Linux operating system
• Implement a prototype operating system that utilizes a
security-centric ring-based software architecture approach
based on Warden’s model
A Security-centric Ring-based
Software Architecture
32
Related documents
Instruction for Speakers
Instruction for Speakers
Camera Parts Discovery Exercis
Camera Parts Discovery Exercis
Verrry refreshing – die erfrischend freche Modelle von Furrer
Verrry refreshing – die erfrischend freche Modelle von Furrer
RingAssessment
RingAssessment
Search Ring Request Form
Search Ring Request Form
Ringplan - Showdogs
Ringplan - Showdogs
Dairy Cattle Grooming and Showing
Dairy Cattle Grooming and Showing
Laboratory Report
Laboratory Report
Classifying Rings Worksheet.
Classifying Rings Worksheet.
Justification that the Additive Inverse of any Element Is Unique
Justification that the Additive Inverse of any Element Is Unique
Download
advertisement