Evaluation and Assurance - NYU Polytechnic School of
Evaluation, Assurance,
Classified Systems
Dr. William Hery
[email protected]
CS 996
Spring 2004
Terminology
• Security Capabilities are what a product is supposed to
do for security
• Assurance is the level of trust that it really does
 Assurance is the hard problem!
• Evaluation is the process of determining the assurance
level of a product
• Certification and Accreditation is the process of
deciding that an entire system is secure enough to
process a given class of data (this is in a later talk)
The NSA on Assurance
"A lot of you are making security products that are
an attractive nuisance.... Shame on you. [...] I
want you to grow up. I want functions and
assurances in security devices. We do not beta
test on customers. If my product fails, someone
might die." --Brian Snow, INFOSEC Technical
Director at the National Security Agency,
speaking to commercial security product
vendors and users at the Black Hat Briefings
security conference. (As quoted by Bruce
Schneier.)
Recent History
• Early 1980s: DoD is concerned about the confidentiality of
classified information on computers with multiple users (time
sharing systems)
• 1985: DoD 5200.28-STD (Orange Book, or TCSEC): standard
reference for computer security for DoD
• Mid 80s-mid 90s:
 The Red Book (Trusted Network Interpretation (TNI) of the Orange
Book)
 The whole “rainbow series”
• FIPS-140 for commercial/civilian government cryptographic
modules (DES, AES)
• Canada, UK, European Community develop standards similar to
and beyond the Orange Book
• Mid 90s onward: Common Criteria
The Rainbow Series
• Available for download at:
 http://www.radium.ncsc.mil/tpep/library/rainbow/
• Downloads are monochrome, not with rainbow colors
Color | Title | Document number
*Orange | DoD Trusted Computer System Evaluation Guide | DoD 5200.28-STD
Green | DoD Password Management Guide | CSC-STD-002-85
*Lt Yellow | ComSec Requirements-Guidance for Applying DoD TCSEC in Specific Environments | CSC-STD-003-85
*Yellow | Technical Rationale Behind ComSec Requirements Guidelines... | CSC-STD-004-85
*Tan | Guide to Understanding Audit in Trusted Systems | NCSC-TG-001
*Aqua | Trusted Product Evaluations: Guide for Vendors | NCSC-TG-002
*Neon Orange | Guide to Understanding Discretionary Access Control in Trusted Systems | NCSC-TG-003
*Teal Green | Glossary of COMSEC Terms | NCSC-TG-004
Red | Trusted Network Interpretations of TCSEC | NCSC-TG-005
*Orange 2 | A Guide to Understanding Configuration Management in Trusted Systems | NCSC-TG-006
*Burgundy | Guide to Understanding Design Documentation in Trusted Systems | NCSC-TG-007
*Dark Lavender | Guide to Understanding Trust Distribution in Trusted Systems | NCSC-TG-008
*Venice Blue | Computer Security Subsystem Interpretation of TCSEC | NCSC-TG-009
*Dark Red | Trusted Network Interpretations Environments Guideline | NCSC-TG-011
*Pink | Rating Maintenance Phase Program Document | NCSC-TG-013
Purple | Guidelines for Formal Verification Systems | NCSC-TG-014
*Brown | Guide to Understanding Trusted Systems Management | NCSC-TG-015
Light Blue | Guide to Understanding Identification and Authentication in Trusted Systems | NCSC-TG-017
*Medium Blue | Trusted Product Evaluation Questionnaire | NCSC-TG-019
Grey | Trusted UNIX Working Group... | NCSC-TG-020-A
*Lavender | Trusted Database Management System Interpretation of the TCSEC | NCSC-TG-021
*Neon Yellow | A Guide to Understanding Trusted Recovery in Trusted Systems | NCSC-TG-022
GPO stock numbers shown on the slide: 008-000-00461-7, 008-000-00443-9, 008-000-00442-1, 008-000-00441-2, 008-000-00508-7, 008-000-00539-7, 008-000-00522-2, 008-000-00486-2, 008-000-00507-9, 008-000-00518-4, 008-000-00536-2, 008-000-00510-9, 008-000-00546-1
CS 996 Information Security Management
DoD Classification Scheme
• Data classification is based on need for confidentiality
• Levels are based on potential damage if compromised, and define the
handling rules
 Top Secret
 Secret
 Confidential
 Unclassified
• Unclassified includes
 Sensitive But Unclassified (SBU); e.g., medical, salary,
performance review data
 For Official Use Only (FOUO). Not subject to release under
the Freedom of Information Act (FOIA). May include
company proprietary information.
DoD Classification Scheme (continued)
• “Codewords” restrict access to persons with “need to know” and
are only used with a security level; e.g., TS/UMBRA
 Codewords can be project specific or based on nationality; e.g.,
NATO, Coalition, NOFORN (no foreign nationals)
 Multiple codewords may be part of a security label; e.g., a document
that combined information from a TS/UMBRA and a TS/OXCART
would have a label TS/UMBRA/OXCART.
• Clearance of an individual is a level of trust in that individual and is
also at the S or TS level
• Access to information is based on clearance, information
classification (<= clearance), and “need to know”
• The “owner” of information is the final arbiter of who gets access.
This may get very fine grained with very sensitive information.
Orange Book Background
• Defined by NSA for DoD and Intelligence community use.
• Primary goal is to maintain confidentiality by restricting read access
to those with the appropriate clearance and “need to know”
• Assumes multiple system users (computer or network of
computers)
 Also used on a single-user workstation with separate windows for
different classifications
• Uses the Bell LaPadula (BLP) model for higher security ratings
 No read up
 No write down
• Also supports codewords to determine access rules
• The set of all labels with level and codewords forms a lattice to
which BLP can be applied
Orange book rating methodology
• Rating combines both security capabilities and
assurance level; both go up as the rating goes up.
• Levels:
 Class D: Minimal Protection
 Class C1: Discretionary Security Protection
 Class C2: Controlled Access Protection
 Class B1: Labeled Security Protection
 Class B2: Structured Protection
 Class B3: Security Domains
 Class A1: Verified Design
Core Concepts in the Orange Book
Methodology for High Assurance Systems
• A reference monitor (RM) that controls all access to
data objects
• A trusted computer base (TCB) (including the reference
monitor) that does all security critical tasks
 TCB includes user authentication, control of credentials
• Labels:
 used for all (mandatory) access control
 TCB includes labeling, and ensures the label on a data object
cannot be modified
 Labels on a new object are automatically created by the system
based on the user level and any other data objects used to
create the new one.
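As an added illustration that is not part of the lecture slides, the label lattice and Bell-LaPadula checks described on the classification and Orange Book slides, worked in Python: a label is a level plus a set of codewords, dominance gives the lattice order, the reference monitor enforces no read up and no write down, the TCB labels a new object with the join of its creator and inputs, and an enclave guard passes data only low to high. The level abbreviations and helper names are my own choices.

```python
# Added example, not from the lecture: a minimal label lattice and reference
# monitor in the Bell-LaPadula style the slides describe. Codewords UMBRA and
# OXCART are the ones used on the slides; level abbreviations are assumed.
from dataclasses import dataclass, field
from typing import FrozenSet

# Unclassified < Confidential < Secret < Top Secret
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


@dataclass(frozen=True)
class Label:
    level: str
    codewords: FrozenSet[str] = field(default_factory=frozenset)

    @classmethod
    def parse(cls, text: str) -> "Label":
        """Parse a slash-separated label such as 'TS/UMBRA/OXCART'."""
        level, *words = text.split("/")
        if level not in LEVELS:
            raise ValueError(f"unknown level: {level}")
        return cls(level, frozenset(words))

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level is at least as high AND codewords are a superset.
        Labels with disjoint codewords (TS/UMBRA vs TS/OXCART) are incomparable."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.codewords >= other.codewords)

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the higher level with the union of codewords."""
        top = self if LEVELS[self.level] >= LEVELS[other.level] else other
        return Label(top.level, self.codewords | other.codewords)

    def __str__(self) -> str:
        return "/".join([self.level, *sorted(self.codewords)])


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ('no read up'): subject must dominate object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ('no write down'): object must dominate subject."""
    return obj.dominates(subject)


def derive_label(creator: Label, *inputs: Label) -> Label:
    """Label the TCB assigns a new object: join of the creator's label and
    every object used to build it, so information never loses its marking."""
    result = creator
    for lab in inputs:
        result = result.join(lab)
    return result


def guard_allows(source: Label, destination: Label) -> bool:
    """An enclave guard enforcing BLP passes data only from low to high."""
    return destination.dominates(source)
```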
Core (continued)
• For high assurance, the RM and TCB are subject to rigorous
inspection.
• In some cases, development of the TCB and RM is done by
cleared personnel in a classified environment under rigid control, to
include independent code reviews for correctness, safety in case of
failure, and to ensure that no back doors or covert channels are
included.
• When applied to networked systems, the TCB will include parts of
routers, etc.
• The methodology was applied to Government Off the Shelf
(GOTS) products and custom systems
• It's very hard to build a TCB on modern complex, multithreaded,
caching CPUs.
TCSEC Evaluation
• Evaluations only performed by NSA
• Time consuming, expensive process; worse for higher levels of
assurance
• Products placed on the NSA Evaluated Product List (EPL)
 http://www.radium.ncsc.mil/tpep/epl/epl-by-class.html
• B level required for shared data Secret and above
• Approved B level products:
 Multi-level Secure (MLS) Operating Systems with hardware
 MLS Network Elements
 MLS DB software (running on B level OS)
• Officially superseded by Common Criteria evaluations
MLS Workstation Screenshot
Common Criteria
• Intended for both commercial and government use
• Process can be applied to the security characteristics of any IT
product.
• Evaluations can be performed by any certified lab & accepted by
all countries
• Security Capabilities stated in a “Protection Profile” (PP) (User
view of needs)
 Usually defined as a generic for a product class
 May be modified for a specific product into a “Security Target” (ST)
(Vendor view of what they sell)
• Product to evaluate is the “Target of Evaluation” (TOE)
• Assurance rating is the “Evaluation Assurance Level” (EAL)
 CC calls this a “grounds for confidence”
 EAL rating is 1 to 7 (high)
CC Slides at http://csrc.nist.gov/cc/Guidance.html
EALs
• Basic Assurance
 EAL1: Functional Test
 EAL2: Structural Test
 EAL3: Methodical Test and Check
 EAL4: Methodical Design, Test, and Review
• Medium Assurance
 EAL5: Semiformal Design and Test
• High Assurance
 EAL6: Semiformally Verified Design and Test
 EAL7: Formally Verified Design and Tested
Common Criteria Developers
• US: National Institute of Standards and Technology,
National Security Agency
• Canada: Communications Security Establishment
• UK: Communications-Electronic Security Group
• Germany: Bundesamt für Sicherheit in der Informationstechnik
• France: Service Central de la Sécurité des Systèmes d’Information
• Netherlands
Uses of the Common Criteria
[Figure: blocks for Procurement Specifications, Product
Development, Common Criteria Evaluation Programs, and
Certification & Accreditations]
Security Objectives ~ The “Focal” Point
[Figure: Security Objectives sit between the security environment
(Assumptions, Threats, Policies) and the requirements derived from
them (TOE Requirements, IT Environment Requirements, Non-IT
Environment Requirements)]
Protection Profiles and Evaluated
Products
• US Government Protection profiles at
 http://niap.nist.gov/cc-scheme/pp_registry.htm
 23 categories of profiles
 Within firewalls, 4 profiles
• Evaluated Products List at:
 http://niap.nist.gov/cc-scheme/pp_registry.html#firewalls
 28 categories of products???
 ~30 firewalls evaluated, EALs 1-4
• Windows 2000 Professional
 OS rated at EAL 4
Issues with Common Criteria
• Time and cost of evaluation
• Re-evaluations for patches, new versions, etc.
• Does the PP really match the user requirements?
• Environment, policies enforced by people not included
• Configuration is not part of the evaluation
 Impact of weak default configurations
• International acceptance of rating can be rejected in
any country for “national security” reasons. Effectively,
NSA still evaluates products for classified use, and they
want EAL 5 or better.
DoD Architectures for AIS with
Classified Data
Modes of Operation for AIS with
Classified Data
• Terms defined in the Orange Book
• AIS may be a processor or a collection of processors
on a network
• Dedicated--all users have clearance and need to know
for all data
• System High--all users have clearance, but not
necessarily need to know for all data
• Compartmented--All users have the clearance, but not
approval for access to all data
• Multilevel--Not all users have clearance to access all
data
MLS System Architectures
• In principle, systems could be built from MLS
workstations, MLS network elements, etc. But:
 MLS components are much more expensive
 Long evaluation time means they are often not state of the art
 Use and management of MLS systems is less convenient
• Systems that are not connected by physically secure
connections could be linked using MLS crypto
equipment
• This used to be the goal of NSA for classified systems
Multiple System Level Architectures
• Instead, systems are sometimes built from enclaves of
workstations and network elements
 Within the enclave everything is at one level
 Commercial Off The Shelf (COTS) products (workstations, network
elements) can be used
 C2 (Orange book) or lower EAL (common criteria) is OK
 Enclaves can be linked to enclaves of other levels through “guards”
that enforce BLP: information moves only from low to high. This is
used to bring data into a classified environment.
 An MLS network backbone can also be used to connect many
enclaves in a “multi level” location to other enclaves at the same level
 Enclaves that are not connected by physically secure connections
could be linked using single level NSA approved crypto equipment
• This cuts back the need for costly MLS/NSA equipment to the
boundaries of enclaves
Example I: Multiple enclaves
[Figure: Example I, multiple enclaves. Networks shown: Top Secret
Intranet, Partner SCI LAN, SCI LAN, Intelink, SIPRNET, Internet,
Unclassified Networks, Secret Networks. Legend: Node, H = Host,
L = LAN, F = Firewall, G = Guard]
Example II: enclaves to crypto
[Figure: Example II, multiple enclaves to crypto. Separate Unclass,
Secret and TS routers (each IP to IP/ATM) connect through KG75
Fastlane encryptors and an ATM switch (ATM SW) to a public
network. Link labels in the figure: UNCLASS, SECRET, TS,
UNENCRYPTED]
Example III: MLS network to MLS crypto
[Figure: Example III, MLS network to MLS crypto. An MLS router
(user net) carries UNCLASS, SECRET and TS traffic (IP to IP/ATM)
into an MLS KG75 Fastlane, then through an ATM MUX and ATM
switch (ATM SW) to a public network. Label in the figure:
UNENCRYPTED]
Stovepipes
[Figure: three separate, parallel pipelines, each consisting of
Data Collection, Data Processing, Data Analysis, and Report Gen.]
Sample desktops
• For accessing Secret and below, people often have two desktop
computers: one on a secret network, and one on an unclassified network
that may be linked to the Internet (e.g., through NIPRNET)
 Both may be only C2 or EAL 3-4
 The Secret computer may not have any capability to write to removable media
 But it may be able to read removable media from the unclassified computer for
a “sneakernet” one-way link (BLP model)
• Higher level classified work is done in very secure, locked rooms or areas
with strict physical access control, such as a “Secure Compartmentalized
Information Facility” (SCIF).
 The SCIF will have only secure or encrypted network links to other top secret
locations.
 Removable media can only be removed under very controlled circumstances.
Term Project
• Teams of ~3 students
• Pick a system (discuss choice with me)
 Want simple functionality, security issues, whole system (e.g., client
and server side)
• Submit a 1-2 page proposal to management (Dr. Hery)
• Assess risks, threats, vulnerabilities
• Develop a security policy
• Do a high level system security design
• Present a “preliminary design review” (PDR) to management
(include risk analysis, policies, system architecture)
• Iterate on risk assessment, policy, design
• Present a final “critical design review” (CDR) to management and
the class
• Write a final report to management on above
Example Project
• System should have at least 2 elements that
communicate to perform a function
 e.g., client server, peer to peer
• Pick a useful system, not an underlying technology
• Start with a “mission need statement”
 e.g., “Provide a remote credit card verification service”
• State assumptions about environment
 e.g., remote site is on a wired LAN connected to the Internet;
verification data is on a well protected server connected to the
Internet through a firewall
Example Project (continued)
• State the basic system functions; e.g.:
 Read card magnetic strip
 Send card data, transaction data to verification server
 Server verifies card is valid, not reported lost/stolen
 If invalid, send back reject message
 Server verifies sufficient credit for transaction
 If invalid, send back reject message
 If sufficient
 Send authorization message
 Post transaction to account (debits account)
• The above steps should all be in the initial project
proposal
Example Project (continued)
• Your project should be somewhat more complex than this
• Make explicit (and probably realistic) assumptions about
infrastructure
• Major project steps:
 Thorough risk analysis
 Develop security policies
 Perform security system engineering. Use the policy to determine the
security functions needed, and then to develop an architecture that
has all the security functions and hardware, software components to
enforce the security policies
• Major project deliverables:
 Proposal
 Preliminary design review
 Critical design review to class
 Final report on the design