* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Evaluation and Assurance - NYU Polytechnic School of
Cracking of wireless networks wikipedia , lookup
Information privacy law wikipedia , lookup
Wireless security wikipedia , lookup
Information security wikipedia , lookup
Next-Generation Secure Computing Base wikipedia , lookup
Trusted Computing wikipedia , lookup
Cyber-security regulation wikipedia , lookup
Unix security wikipedia , lookup
Mobile security wikipedia , lookup
Distributed firewall wikipedia , lookup
Computer and network surveillance wikipedia , lookup
Computer security wikipedia , lookup
Security-focused operating system wikipedia , lookup
Evaluation, Assurance, Classified Systems Dr. William Hery [email protected] CS 996 Spring 2004 QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. Terminology QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. • Security Capabilities are what a product is supposed to do for security • Assurance is the level of trust that it really does Assurance is the hard problem! • Evaluation is the process of determining the assurance level of a product • Certification and Accreditation is the process of deciding that an entire system is secure enough to process a given class of data (this is in a later talk) The NSA on Assurance QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. "A lot of you are making security products that are an attractive nuisance.... Shame on you. [...] I want you to grow up. I want functions and assurances in security devices. We do not beta test on customers. If my product fails, someone might die." --Brian Snow, INFOSEC Technical Director at the National Security Agency, speaking to commercial security product vendors and users at the Black Hat Briefings security conference. (As quoted by Bruce Schneier.) Recent History QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. • Early 1980s: DoD is concerned about the confidentiality of classified information on computers with multiple users (time sharing systems) • 1985: DOD 5200.28STD (Orange Book, or TCSEC): standard reference for computer security for DoD • Mid 80s-mid 90s: The Red Book (Trusted Network Interpretation (TNI) of the Orange Book) The whole “rainbow series” • FIPS-140 for commercial/civilian government cryptographic modules (DES, AES) • Canada, UK, European Community develop standards similar to and beyond the Orange Book • Mid 90s onward: Common Criteria The Rainbow Series QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. • Available for download at: http://www.radium.ncsc.mil/tpep/library/rainbow/ • Downloads are monochrome, not with rainbow colors QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. *Orange Green *Lt Yellow *Yellow *Tan *Aqua *Neon Orange *Teal Green Red *Ornage 2 *Burgandy *Dark Lavender *Venice Blue *Dark Red *Pink Purple *Brown Light Blue *Medium Blue Grey *Lavender *Neon Yellow DoD Trusted Computer System Evaluation Guide DoD Password Management Guide ComSwc Requirements-Guidance for Applying DoD TSEC in Specific Environments Technical Rationale Behind ComSec Requirements Guilelines... Guide to Understanding Audit in Trusted Systems Trused Product Evaluations: Guide for Vendors Guide to Understanding Discretionary Access Control in Trusted Systems Glossary of COMSEC Terms Trusted Network Interpretations of TCSEC A Guide to Understanding Configuration Management in Trusted Systems Guide to Understanding Design Documentation in Trusted Systems Guide to Understanding Trust Distribution in Trusted Systems DoD 5200.28.STD SCS-STD-002-85 CSC-STD-003-85 008-000-00461-7 008-000-00443-9 008-000-00442-1 CSC-STD-004-8 NCSC-TG-001 NCSC-TG-002 NCSC-TG-003 008-000-00441-2 008-000-00508-7 008-000-00539-7 NCSC-TG-004 NCSC-TG-005 NCSC-TG-006 008-000-00522-2 008-000-00486.2 008-000-00507-9 NCSC-TG-007 008-000-00518-4 NCSC-TG-008 008-000-00536-2 Computer Security Subsysem Interpretation of TCSEC Trusted Network Interpretations Environments Guideline Rating Maintenance Phase Program Document Guidelines for Formal Verification Systems Guide to Understanding Trusted Systems Management Guide to Understanding Identification and Authentication in Trusted Systems Trusted Product Evaluation Questionaire NCSC-TG-009 NCSC-TG-011 NCSC-TG-013 NCSC-TG-014 NCSC-TG-015 NCSC-TG-017 008-000-00510-9 008-000-00546-1 - NCSC-TG-019 - Trusted UNIX Working Group... Trusted Database Management System Interpretation of the TCSEC A Guide to Understanding Trusted Recovery in Trusted Systems NCSC-TG-020-A NCSC-TG-021 - NCSC-TG-022 - CS 996 Information Security Management 6 DoD Classification Scheme QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. • Data classification is based on need for confidentiality • Levels are based on potential damage if compromised, and defines treatment rules Top Secret Secret Confidential Unclassified • Unclassified includes Sensitive But Unclassified (SBU); e. g., medical, salary, performance review data For Official Use Only (FOUO). Not subject to release under the Freedom of Information Act (FOIA). May include company proprietary information. DoD Classification Scheme (continued) QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. • “Codewords” restrict access to persons with “need to know” and are only used with a security level; e.g., TS/UMBRA Codewords can be project specific or based on nationality; e. g., NATO, Coalition, NOFORN (no foreign nationals) Multiple codewords may be part of a security label; e. g., a document that combined information from a TS/UMBRA and a TS/OXCART would have a label TS/UMBRA/OXCART. • Clearance of an individual is a level of trust in that individual and is also at the S or TS level • Access to information is based on clearance, information classification (<= clearance), and “need to know” • The “owner” of information is the final arbiter of who gets access. This may get very fine grained with very sensitive information. Orange Book Background QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. • Defined by NSA for DoD and Intelligence community use. • Primary goal is to maintain confidentiality by restricting read access to those with the appropriate clearance and “need to know” • Assumes multiple system users (computer or network of computers) Also used on single user workstation with a separate windows for different classifications • Uses the Bell LaPadula (BLP) model for higher security ratings No read up No write down • Also supports codewords to determine access rules • The set of all labels with level and codewords forms a lattice to which BLP can be applied Orange book rating methodology QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. • Rating combines both security capabilities and assurance level--both go up as the rating goes up. • Levels: Class D: Minimal Protection Class C1: Discretionary Security Protection Class C2: Controlled Access Protection Class B1: Labeled Security Protection Class B2: Structured Protection Class B3: Security Domains Class A1: Verified Design Core Concepts in the Orange Book Methodology for High Assurance Systems QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. • A reference monitor (RM) that controls all access to data objects • A trusted computer base (TCB) (including the reference monitor) that does all security critical tasks TCB includes user authentication, control of credentials • Labels: used for all (mandatory) access control TCB includes labeling, and ensures the label on a data object cannot be modified Labels on a new object are automatically created by the system based on the user level and any other data objects used to create the new one. Core (continued) QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. • For high assurance, the RM and TCB are subject to rigorous inspection. • In some cases, development of the TCB and RM is done by cleared personnel in a classified environment under rigid control, to include independent code reviews for correctness, safety in case of failure, and to ensure that no back doors or cover channels are included. • When applied to networked systems, the TCB will include parts of routers, etc. • The methodology was applied to Government Off the Shelf (GOTS) products and custom systems • Its very hard to build a TCB on modern complex, multithreaded, caching CPUs. TCSEC Evaluation QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. • Evaluations only performed by NSA • Time consuming, expensive process; worse for higher levels of assurance • Products placed on the NSA Evaluated Product List (EPL) http://www.radium.ncsc.mil/tpep/epl/epl-by-class.html • B level required for shared data Secret and above • Approved B level products: Multi-level Secure (MLS) Operating Systems with hardware MLS Network Elements MLS DB software (running on B level OS) • Officially superceded by Common Criteria evaluations MLS Workstation Screenshot QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. Common Criteria QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. • Intended for both commercial and government use • Process can be applied to the security characteristics of any IT product. • Evaluations can be performed by any certified lab & accepted by all countries • Security Capabilities stated in a “Protection Profile” (PP) (User view of needs) Usually defined as a generic for a product class May be modified for a specific product into a “Security Target” (ST) (Vendor view of what they sell) • Product to evaluate is the “Target of Evaluation” (TOE) • Assurance rating is the “Evaluated Assurance Level” (EAL) • CC calls this a “grounds for confidence” EAL rating is 1 to 7 (high) CC Slides at http://csrc.nist.gov/cc/Guidance.html EALs QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. • Basic Assurance EAL1: Functional Test EAL2: Structural Test EAL3: Methodical Test and Check EAL4: Methodical Design, Test, and Review • Medium Assurance EAL5: Semiformal Design and Test • High Assurance EAL6: Semiformally Verified Design and Test EAL7: Formally Verified Design and Tested ed Common Criteria Developers US QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. National Institute of Standards and Technology, National Security Agency Communications Security Establishment Canada Communications-Electronic Security Group UK Bundesamt fur Sicherbeit in der Informationstechnik Germany Service Central de la Securite des Systemes d’Information France Netherlands National Institute of Standards and Technology National Security Agency Uses of the Common Criteria Procurement Specifications Product Development Common Criteria Evaluation Programs QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. Certification & Accreditations Security Objectives ~ The “Focal” Point TOE Requirements Assumptions Threats Policies QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. Security Objectives IT Environment Requirements Non-IT Environment Requirements Protection Profiles and Evaluated Products QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. • US Government Protection profiles at http://niap.nist.gov/cc-scheme/pp_registry.htm 23 categories of profiles Within firewalls, 4 profiles • Evaluated Products List at: http://niap.nist.gov/cc-scheme/pp_registry.html#firewalls 28 categories of products??? ~30 firewalls evaluated, EALs 1-4 • Windows 2000 Professional OS rated at EAL 4 Issues with Common Criteria • • • • • QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. Time and cost of evaluation Re-evaluations for patches, new versions, etc. Does the PP really match the user requirements? Environment, policies enforced by people not included Configuration is not part of the evaluation Impact of weak default configurations • International acceptance of rating can be rejected in any country for “national security” reasons. Effectively, NSA still evaluates products for classified use, and they want EAL 5 or better. QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. DoD Architectures for AIS with Classified Data Modes of Operation for AIS with Classified Data QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. • Terms defined in the Orange Book • AIS may be a processor or a collection of processors on a network • Dedicated--all users have clearance and need to know for all data • System High--all users have clearance, but not necessarily need to know for all data • Compartmented--All users have the clearance, but not approval for access to all data • Multilevel--Not all users have clearance to access all data MLS System Architectures QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. • In principle, systems could be built from MLS workstations, MLS network elements, etc. But: MLS components are much more expensive Long evaluation time means they are often not state of the art Use and management of MLS systems is less convenient • Systems that are not connected by physically secure connections could be linked using MLS crypto equipment • This used to be the goal of NSA for classified systems Multiple System Level Architectures QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. • Instead, systems are sometimes built from enclaves of workstations and network elements Within the enclave everything is at one level Commercial Off The Shelf (COTS) products (workstations, network elements) can be used C2 (Orange book) or lower EAL (common criteria) is OK Enclaves can be linked to enclaves of other levels through “guards” that enforce BLP: information moves only from low to high. This is used to bring data into a classified environment. An MLS network backbone can also be used to connect many enclaves in a “multi level” location to other enclaves at the same level Enclaves that are not connected by physically secure connections could be linked using single level NSA approved crypto equipment • This cuts back the need for costly MLS/NSA equipment to the boundaries of enclaves Example I: Multiple enclaves QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. Top Secret Intranet H Partner SCI LAN F L SCI LAN F Intellink F SIPRNET G SCI LAN G G G H G Internet F L Unclassified Networks Node H Host L H Secret Networks L LAN F Firewall G Guard Example II: enclaves to crypto Unclass Router Secret Router TS Router IP to IP/ATM IP to IP/ATM IP to IP/ATM Multiple Enclaves QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. UNCLASS UNENCRYPTED SECRET UNENCRYPTED TS KG75 Fastlane KG75 Fastlane ATM SW Public Network Example III: MLS network to MLS crypto IP to IP/ATM MLS Router (user net) UNCLASS UNENCRYPTED SECRET IP to IP/ATM UNENCRYPTED TS IP to IP/ATM QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. Public Network MLS KG75 ATM Fastlane MUX ATM SW Stovepipes QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. Report Gen. Report Gen. Report Gen. Data Analysis Data Analysis Data Analysis Data Processing Data Processing Data Processing Data Collection Data Collection Data Collection Sample desktops • QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. For accessing Secret and below, people often have two desktop computers: one on a secret network, and one on an unclassifies network that may bee linked to the Internet (e. g., thru NIPRNET) Both may be only C2 or EAL 3-4 The Secret computer may not have an capability to write to removable media But it may be able to read removable media from the unclassified computer for a “sneakernet” one way link (BLP model) • Higher level classified work is done in very secure, locked rooms or areas with strict physical access control, such as a “Secure Compartmentalized Information Facility” (SCIF). The SCIF will have only secure or encrypted network links to other top secret locations. Removable media can only be removed under very controlled circumstances. Term Project QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. • Teams of ~3 students • Pick a system (discuss choice with me) Want simple functionality, security issues, whole system (e. g., client and server side) • • • • • Submit a 1-2 page proposal to management (Dr. Hery) Assess risks, threats, vulnerabilities Develop a security policy Do a high level system security design Present a “preliminary design review” (PDR) to management (include risk analysis, policies, system architecture) • Iterate on risk assessment, policy, design • Present a final “critical design review” (CDR) to management and the class • Write a final report to management on above Example Project QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. • System should have at least 2 elements that communicate to perform a function e. g., client server, peer to peer • Pick a useful system, not an underlying technology • Start with a “mission need statement” e. g., “Provide a remote credit card verification service” • State assumptions about environment e. g., remote site is on a wired LAN connected to the Internet; verification data is on a well protected server connected to the Internet through a firewall Example Project (continued) QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. • State the basic system functions; e. g.: Read card magnetic strip Send card data, transaction data to verification server Server verifies card is valid, not reported lost/stolen If invalid, send back reject message Server verifies sufficient credit for transaction If invalid, send back reject message If sufficient Send authorization message Post transaction to account (debits account) • The above steps should all be in the initial project proposal Example Project (continued) QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture. • Your project should be somewhat more complex than this • Make explicit (and probably realistic) assumptions about infrastructure • Major project steps: Thorough risk analysis Develop security policies Perform security system engineering. Use the policy to determine the security functions needed, and then to develop an architecture that has all the security functions and hardware, software components to enforce the security policies • Major project deliverables: Proposal Preliminary design review Critical design review to class Final report on the design