
INFSCI 2935: Introduction to Computer Security
Lecture 10, Dec 9, 2004
Assurance & Evaluation; Malicious code, Risk Management; Legal Issues
Courtesy of Professors Chris Clifton & Matt Bishop

Outline (slide titles)
1. Title slide (Dec 9, 2004)
2. Trust
3. Relationships
4. Problem Sources (Neumann)
5. Types of Assurance
6. Waterfall Life Cycle Model
7. Other Models of Software Development
8. Models
9. Architectural considerations for assurance
10. Architectural considerations Example: Four layer architecture
11. Trusted Computing Base (Security an integral part)
12. Trusted Computing Base
13. Techniques for Design Assurance
14. Design meets requirements?
15. Requirement mapping and informal correspondence
16. Design meets requirements?
17. Implementation considerations for assurance
18. Implementation meets Design?
19. Code development and testing
20. Operation and maintenance assurance
21. Slide 21
22. What is Formal Evaluation?
23. Formal Evaluation: Why?
24. TCSEC: The Original
25. TCSEC Class Assurances
26. TCSEC Class Assurances (continued)
27. TCSEC: Evaluation process
28. TCSEC: Problems
29. Later Standards
30. Slide 30
31. Common Criteria: Origin
32. Common Criteria: Functional Requirements
33. Common Criteria: Assurance Requirements
34. Common Criteria: Evaluation Assurance Levels
35. Common Criteria: Evaluation Process
36. Common Criteria: Status
37. What is Malicious Code?
38. Types of Malicious Code
39. Trojan Horse
40. Propagation
41. Virus
42. Virus Types
43. Virus Types/Properties
44. Worms
45. We can't detect it: Now what?
46. Detection
47. Detection
48. Defense
49. Slide 49
50. Slide 50
51. Slide 51
52. Risk Management
53. Risk
54. Risk Assessment/Analysis
55. Risk Assessment steps
56. Risk Assessment steps (2)
57. Example 1
58. Example 2
59. Example 2 (2)
60. Some Arguments against Risk Analysis
61. Slide 61
62. Laws and Security
63. Copyrights
64. Copyright infringement
65. Patent
66. Slide 66
67. Trade Secret
68. Comparison
69. Computer crime
70. Computer Crime related laws
71. Ethics
72. Law vs Ethics
73. Ethical reasoning
74. Ethics Example
75. Codes of ethics

Slide 2: Trust
- A trustworthy entity has sufficient credible evidence leading one to believe that the system will meet a set of requirements.
- Trust is a measure of trustworthiness relying on the evidence.
- Assurance is confidence that an entity meets its security requirements, based on evidence provided by the application of assurance techniques.
  - Formal methods, design analysis, testing, etc.

Slide 3: Relationships
- Policy: a statement of requirements that explicitly defines the security expectations of the mechanism(s).
- Mechanisms: executable entities that are designed and implemented to meet the requirements of the policy.
- Assurance: provides justification that the mechanism meets the policy, through assurance evidence and approvals based on that evidence.
- Evaluation standards: Trusted Computer System Evaluation Criteria, Information Technology Security Evaluation Criteria, Common Criteria.

Slide 4: Problem Sources (Neumann)
1. Requirements definitions, omissions, and mistakes
2. System design flaws
3. Hardware implementation flaws, such as wiring and chip flaws
4. Software implementation errors, program bugs, and compiler bugs
5. System use and operation errors and inadvertent mistakes
6. Willful system misuse
7. Hardware, communication, or other equipment malfunction
8. Environmental problems, natural causes, and acts of God
9. Evolution, maintenance, faulty upgrades, and decommissions

Slide 5: Types of Assurance
- Policy assurance is evidence establishing that the security requirements in the policy are complete, consistent, and technically sound.
- Design assurance is evidence establishing that the design is sufficient to meet the requirements of the security policy.
- Implementation assurance is evidence establishing that the implementation is consistent with the security requirements of the security policy.
- Operational assurance is evidence establishing that the system sustains the security policy requirements during installation, configuration, and day-to-day operation.

Slide 6: Waterfall Life Cycle Model
Requirements definition and analysis -> System and software design -> Implementation and unit testing -> Integration and system testing -> Operation and maintenance

Slide 7: Other Models of Software Development
- Exploratory programming
  - Develop a working system quickly
  - No requirements or design specification, so low assurance
- Prototyping (similar to exploratory)
  - Objective is to establish system requirements
  - Future iterations (after the first) allow assurance techniques
- Formal transformation
  - Create a formal specification
  - Very conducive to assurance methods

Slide 8: Models
- System assembly from reusable components
  - Depends on whether components are trusted
  - Must assure connections and composition as well
  - Very complex, difficult to assure
  - This is a common approach to building secure and trusted systems
- Extreme programming
  - Rapid prototyping and "best practices"
  - Project driven by business decisions
  - Requirements open until project complete
  - Components tested,
Pitt IS 2935 - Assurance and Evaluation