Cryptography - Lecture 23 - Trusted Computer Systems

Objectives

Preliminary Reading

Lecture Content

Trusted Computer Systems

1. Trusted Computer Systems
   • Information system security is increasingly important
   • have varying degrees of sensitivity of information
   • subjects (people or programs) have varying rights of access to objects (information)
   • want to consider ways of increasing confidence in systems to enforce these rights
2. Information System Security
   Information system security is the application of managerial and administrative procedures and technical and physical safeguards to ensure not only the confidentiality, integrity and availability of information which is processed by an information system, but also of the information system itself, together with its environment. Such procedures and safeguards not only need to deter and delay improper access to information systems, they must also ensure that any improper access is detected; that is, individuals have to be made accountable for their actions. [Secman 3 - 103]
3. Issues with Trusted Computer Systems
   • need to consider:
     • system security
     • physical security
     • communications security
   • here are most concerned here with system security and how we can be assured of its correctness
4. Evaluation Concepts and Relationships
   • evaluation -> assurance so that owners -> have confidence -> that countermeasures -> minimise risk -> to assets
   • hence evaluation on "trusted computer systems" is key
   • systems are evaluated against an evaluation standard
5. Evaluation Concepts and Relationships
   • two key aspects evaluated

     Functionality

     functions in system which enforce security

     Assurance

     effectiveness and correctness of systems construction and implementation

6. Trusted Computing Base
   • concept of a Trusted Computing Base is central
   • includes the hardware and software security-relevant portions of the system,
   • mediates all access between subjects and objects
   • is tamperproof
   • is validated
7. Types of Secure Computing Systems
   • distinguish between different categories of secure computing systems
   • based on the range of classifications of subjects and objects supported
     • Dedicated (Single-Level) Systems
     • System-High
     • Compartmented
     • Multi-Level Systems
8. Dedicated (Single-Level) Systems
   • handles subjects and objects with same classification
   • relies on other security procedures (eg physical)
   • almost any system can operate in this category
9. System-High
   • only provides need-to-know protection between users
   • entire system operates at highest classification level
   • all users must be cleared for that level of information
   • have basic assess controls to provide some protection of data
10. Compartmented
    • varaition of System-High which can process two or more types of compartmented information
    • not all users are cleared for all compartments, but all must be cleared to the highest level of information processed
    • have basic assess controls to provide some protection of data
11. Multi-Level Systems
    • is validated for handling subjects and objects with different rights and levels of security simultaneously
    • major features of such systems include:
      • user identification and authentication
      • resource access control and object labelling
      • audit trails of all security relevant events
      • external validation of the systems security
12. Evaluation Process
    • parties in evaluation are
      • sponsor of system (TOE) being developed
      • developer of system (may be sponsor)
      • evaluation facility which performs evaluation (in Australia a commercial evaluator - eg. Admiral Computing)
      • certification body (in Australia - DSD)
13. Security Evaluation Stages
    • phases of evaluation

      pre-evaluation

      defines security target & deliverables

      evaluation

      fulfil required evaluation tasks

      re-evaluation

      following correction of faults of changes

      certification

      confirmation & acceptance of evaluation

14. Apprroaching Security Evaluation Tasks

    Defining Security Requirements

    • use system specification
    • use standards/criteria
    • use experience

    Risk Assessment

    • based on standards/criteria
    • based on experience

    Theoretical Evaluation

    • of functionality required
    • to assurance level needed

    Practical Testing

    • of code checking both normal/erroneaous usage

    Examination of the Source Code

    • for potential bugs

    Penetration

    • attempting to hack system using knowledge of it

Risk Assessment

1. Risk Assessment
   • determine what it is you are protecting
   • what you are protecting against
   • how much the protection is worth to you
   • goal: "provide some assurance that cost of security countermeasures is commensurate with risk"
   • without it could spend too little or too much
2. Risk Assessment - Yellow Book
   • original risk assessment approach in "rainbow book" series
   • guiding priciple is that recommended rating of a system depends on differential between user & info levels
   • Risk Index (defined in Yellow book) is given by:

         Risk Index = Max Info Sensitivity - Min User Clearance
     

3. Risk Rating Level Table
   • the following table defines the Risk Rating Levels
   • specified in the Yellow Book

     Rating	Info Sensitivity	User Clearance
     0	Unclassified	Uncleared
     1	Restricted	Restricted
     2	Restricted (categories) Confidential	Confidential
     3	Confidential (categories) Secret	Secret
     4	Secret (1+ categories)	Top Secret
     5	Secret (2+ categories) Top Secret	Top Secret
     6	Top Secret (1+ categories)	Top Secret - 1 category
     7	Top Secret (2+ categories)	Top Secret - many categories

4. Recommended Systems
   • the category of system recommended is:

     Risk Index	Security Mode	Min Class Open Env	Min Class Closed Env
     0	dedicated	none	none
     0	system high	C2	C2
     1	limited access, controlled, compartmented, multi-level	B1	B1
     2	limited access, controlled, compartmented, multi-level	B2	B2
     3	controlled, multi-level	B3	B3
     4	multi-level	A1	B3
     5	multi-level	beyond A1	A1
     >=6	multi-level	beyond A1	beyond A1

     This table states what type of system should be used given the risk index computed.

5. Risk Analysis - DSD Gateway Certification Guide
   • yellow book approach is very narrow and prescriptive
   • in practice often need to consider many factors
   • DSD include a risk analysis section in their Gateway Certification Guide
6. Process
   • asset identification
   • threat & threat likelihood estimation
   • harm estimation
   • risk assessment
   • required risk & countermeasure rating
7. Asset Identification
   • assets: tangible thing, suitable level of service, staff, information
   • and who is responsible for them
   • need to be determined in conjuction with owners
8. Threat & Threat Likelihood Estimation
   • focus on threats to assets identified
   • may have more than one threat per asset
   • only interested in threats likely to occur or disasterous if occur
   • likely external threats can be identified from CERT reports, news, previous experience, legal requirements, etc
   • internal threats harder, need to evaluate organisation, use experience
   • then assign likelihood to each threat (negligible - extreme)
   • should document sources for threats & likelihood estimation
9. Harm Estimation
   • then estimate harm caused if threat to asset realised
   • from insignificant - grave
   • remember even if threat low, if harm is high there is a risk
   • evaluation of harm has to be done with owner of asset
   • as against threat likelihood which can be done by security specialist
10. Risk Assessment
    • risk = threat likelihood x harm
    • use tables of these values to grade risk
    • before countermeasures are applied

      	Harm
      T h r e a t	Insignificant Minor Significant Damaging Serious Grave Negligible Nil Nil Nil Nil Nil Nil Very Low Nil Low Low Low Medium Medium Low Nil Low Medium Medium High High Medium Nil Low Medium High High Critical High Nil Medium High High Critical Extreme Very High Nil Medium High Critical Extreme Extreme Extreme Nil Medium High Critical Extreme Extreme
      	Resultant Risk

11. Required Risk & Countermeasure Rating
    • required risk = risk level management are prepared to accept
    • vs the particular risk assessed for a threat
    • remembering that reducing risk comes at a cost
    • countermeasure rating = required risk - assessed risk
    • provides guidance as to importance of security countermeasures against each threat

Summary

1. Summary
   • general concept of "trusted computer systems"
   • concept of evaluating systems
   • risk assessment using Yellow Book or DSD approaches

Exercises

1. Exercises
   • Your advice is requested on an appropriate level of security evaluation to be requested in a tender for a computer system to be used by engineers writing maintenance documentation for a new weapons system. The documents are classified as either Confidential or Secret, whilst some of the staff using the system are cleared to Confidential with others cleared to Secret. Identify the evaluation level nominally required, using the Yellow Book assessment procedure.
   • As part of a risk assessment of desktop systems, consider the following: you have identified the following asset "integrity of data files on system"; you have identified the following threat "corruption of data files due to import of a virus onto the system". As part of the risk assessment process you must now:
     • estimate the likelihood of the threat
     • specify the harm caused if the threat is realised
     • assess the resultant risk
     • spcify the risk management are willing to accept
     • hence identify the scale of countermeasures required, and suggest what they might be
     Justify your choices.

Additional References