Government models of security Doug Tygar doug tygar gmail com October 31 2005 Need to know Three models of security Classification unclassified classified secret top secret Compartmentalization nuclear crypto weapons specific Discretionary access control Distribution lists cs161 org October 31 2005 Military models of security Doug Tygar 2005 cs161 org What clearance means October 31 2005 Doug Tygar 2005 cs161 org Two ways to rank systems Clearance is primarily a restriction on what you can release How much do they protect military models of classification Declassification permission to discuss Everyday example Non disclosure agreements What is the strength of mechanism Advice Be careful before agreeing to clearance or NDAs October 31 2005 Doug Tygar 2005 cs161 org History Doug Tygar 2005 cs161 org US levels US Orange book Trusted Computer Security Evaluation Criteria TCSEC Rainbow Series D minimal protection C1 discretionary access control C2 controlled access control Europe Harmonized Criteria UK Germany France Holland ITSEC B1 labeled security protection B2 structured protection Canada CTCPEC B3 security domains Internationalization A1 verified design Common Criteria now on version 3 0 October 31 2005 October 31 2005 A2 verified implementation never achieved Doug Tygar 2005 cs161 org October 31 2005 Doug Tygar 2005 cs161 org 1 Key ideas More on the star property Bell Lapudula Star property acts as a King Midas touch We trust people not processes Once a process reads a classified file its security level is boosted to that of the file Small trusted computing base TCB Then everything it writes modifies deletes etc is at the same security level Includes a security kernel Processes read down Processes write up star property October 31 2005 Doug Tygar 2005 cs161 org Problem covert channels Existence of a file System load Paging behavior This means that high classification processes are heavily restricted Doug Tygar 2005 cs161 org What killed the Orange Book System performance was poor Often 1 000 to 10 000 times worse than unsecure operating systems Using special hardware was expensive Formal methods for evaluation never really worked User interface was horrible Evaluation took years and was expensive October 31 2005 Covert channels are virtually impossible to remove entirely So we restrict the bandwidth of what can transmitted Example TENEX passwords Doug Tygar 2005 cs161 org Covert channels There is more than one way to leak information October 31 2005 October 31 2005 Doug Tygar 2005 cs161 org October 31 2005 Doug Tygar 2005 cs161 org The last great evaluated system Windows NT was evaluated at the C 2 level of security as long as you didn t hook it up to a network October 31 2005 Doug Tygar 2005 cs161 org 2 Today s problems the Orange book Problems we face today seem strangely distant from the Orange book Common Criteria Protection Profile Security Target Denial of service worms privacy aggregation of data none of these are addressed October 31 2005 Doug Tygar 2005 cs161 org October 31 2005 Doug Tygar 2005 cs161 org Common Criteria Levels EAL 1 functionally tested US between D C1 EAL 2 structurally tested US C1 EAL 3 methodically tested checked US C2 EAL 4 methodically designed tested reviewed US B1 EAL 5 semiformally designed tested US B2 EAL 6 semiformally verified design tested US B3 EAL 7 formally verified design tested US A1 October 31 2005 Doug Tygar 2005 cs161 org 3
View Full Document
Unlocking...