Cryptography - Lecture 23 - Trusted Computer Systems

1. Trusted Computer Systems

• Information system security is increasingly important
• have varying degrees of sensitivity of information
• subjects (people or programs) have varying rights of access to objects (information)
• want to consider ways of increasing confidence in systems to enforce these rights

2. Information System Security

Information system security is the application of managerial and administrative procedures and technical and physical safeguards to ensure not only the confidentiality, integrity and availability of information which is processed by an information system, but also of the information system itself, together with its environment. Such procedures and safeguards not only need to deter and delay improper access to information systems, they must also ensure that any improper access is detected; that is, individuals have to be made accountable for their actions. [Secman 3 - 103]

3. Issues with Trusted Computer Systems

• need to consider:
  • system security
  • physical security
  • communications security
• here are most concerned here with system security and how we can be assured of its correctness

4. Evaluation Concepts and Relationships

• evaluation -> assurance so that owners -> have confidence -> that countermeasures -> minimise risk -> to assets
• hence evaluation on "trusted computer systems" is key
• systems are evaluated against an evaluation standard

5. Evaluation Concepts and Relationships

• two key aspects evaluated

  Functionality

  functions in system which enforce security

  Assurance

  effectiveness and correctness of systems construction and implementation

6. Trusted Computing Base

• concept of a Trusted Computing Base is central
• includes the hardware and software security-relevant portions of the system,
• mediates all access between subjects and objects
• is tamperproof
• is validated

7. Types of Secure Computing Systems

• distinguish between different categories of secure computing systems
• based on the range of classifications of subjects and objects supported
  • Dedicated (Single-Level) Systems
  • System-High
  • Compartmented
  • Multi-Level Systems

8. Dedicated (Single-Level) Systems

• handles subjects and objects with same classification
• relies on other security procedures (eg physical)
• almost any system can operate in this category

9. System-High

• only provides need-to-know protection between users
• entire system operates at highest classification level
• all users must be cleared for that level of information
• have basic assess controls to provide some protection of data

10. Compartmented

• varaition of System-High which can process two or more types of compartmented information
• not all users are cleared for all compartments, but all must be cleared to the highest level of information processed
• have basic assess controls to provide some protection of data

11. Multi-Level Systems

• is validated for handling subjects and objects with different rights and levels of security simultaneously
• major features of such systems include:
  • user identification and authentication
  • resource access control and object labelling
  • audit trails of all security relevant events
  • external validation of the systems security

12. Evaluation Process

• parties in evaluation are
  • sponsor of system (TOE) being developed
  • developer of system (may be sponsor)
  • evaluation facility which performs evaluation (in Australia a commercial evaluator - eg. Admiral Computing)
  • certification body (in Australia - DSD)

13. Security Evaluation Stages

• phases of evaluation

  pre-evaluation

  defines security target & deliverables

  evaluation

  fulfil required evaluation tasks

  re-evaluation

  following correction of faults of changes

  certification

  confirmation & acceptance of evaluation

14. Apprroaching Security Evaluation Tasks

Defining Security Requirements

• use system specification
• use standards/criteria
• use experience

Risk Assessment

• based on standards/criteria
• based on experience

Theoretical Evaluation

• of functionality required
• to assurance level needed

Practical Testing

• of code checking both normal/erroneaous usage

Examination of the Source Code

• for potential bugs

Penetration

• attempting to hack system using knowledge of it

15. Risk Assessment

• determine what it is you are protecting
• what you are protecting against
• how much the protection is worth to you
• goal: "provide some assurance that cost of security countermeasures is commensurate with risk"
• without it could spend too little or too much

16. Risk Assessment - Yellow Book

• original risk assessment approach in "rainbow book" series
• guiding priciple is that recommended rating of a system depends on differential between user & info levels
• Risk Index (defined in Yellow book) is given by:

      Risk Index = Max Info Sensitivity - Min User Clearance
  

17. Risk Rating Level Table

• the following table defines the Risk Rating Levels
• specified in the Yellow Book

  Rating	Info Sensitivity	User Clearance
  0	Unclassified	Uncleared
  1	Restricted	Restricted
  2	Restricted (categories) Confidential	Confidential
  3	Confidential (categories) Secret	Secret
  4	Secret (1+ categories)	Top Secret
  5	Secret (2+ categories) Top Secret	Top Secret
  6	Top Secret (1+ categories)	Top Secret - 1 category
  7	Top Secret (2+ categories)	Top Secret - many categories

18. Recommended Systems

• the category of system recommended is:

  Risk Index	Security Mode	Min Class Open Env	Min Class Closed Env
  0	dedicated	none	none
  0	system high	C2	C2
  1	limited access, controlled, compartmented, multi-level	B1	B1
  2	limited access, controlled, compartmented, multi-level	B2	B2
  3	controlled, multi-level	B3	B3
  4	multi-level	A1	B3
  5	multi-level	beyond A1	A1
  >=6	multi-level	beyond A1	beyond A1

19. Risk Analysis - DSD Gateway Certification Guide

• yellow book approach is very narrow and prescriptive
• in practice often need to consider many factors
• DSD include a risk analysis section in their Gateway Certification Guide

20. Process

• asset identification
• threat & threat likelihood estimation
• harm estimation
• risk assessment
• required risk & countermeasure rating

21. Asset Identification

• assets: tangible thing, suitable level of service, staff, information
• and who is responsible for them
• need to be determined in conjuction with owners

22. Threat & Threat Likelihood Estimation

• focus on threats to assets identified
• may have more than one threat per asset
• only interested in threats likely to occur or disasterous if occur
• likely external threats can be identified from CERT reports, news, previous experience, legal requirements, etc
• internal threats harder, need to evaluate organisation, use experience
• then assign likelihood to each threat (negligible - extreme)
• should document sources for threats & likelihood estimation

23. Harm Estimation

• then estimate harm caused if threat to asset realised
• from insignificant - grave
• remember even if threat low, if harm is high there is a risk
• evaluation of harm has to be done with owner of asset
• as against threat likelihood which can be done by security specialist

24. Risk Assessment

• risk = threat likelihood x harm
• use tables of these values to grade risk
• before countermeasures are applied

  	Harm
  T h r e a t	Insignificant Minor Significant Damaging Serious Grave Negligible Nil Nil Nil Nil Nil Nil Very Low Nil Low Low Low Medium Medium Low Nil Low Medium Medium High High Medium Nil Low Medium High High Critical High Nil Medium High High Critical Extreme Very High Nil Medium High Critical Extreme Extreme Extreme Nil Medium High Critical Extreme Extreme
  	Resultant Risk

25. Required Risk & Countermeasure Rating

• required risk = risk level management are prepared to accept
• vs the particular risk assessed for a threat
• remembering that reducing risk comes at a cost
• countermeasure rating = required risk - assessed risk
• provides guidance as to importance of security countermeasures against each threat

26. Summary

• general concept of "trusted computer systems"
• concept of evaluating systems
• risk assessment using Yellow Book or DSD approaches

27. Exercises

• Your advice is requested on an appropriate level of security evaluation to be requested in a tender for a computer system to be used by engineers writing maintenance documentation for a new weapons system. The documents are classified as either Confidential or Secret, whilst some of the staff using the system are cleared to Confidential with others cleared to Secret. Identify the evaluation level nominally required, using the Yellow Book assessment procedure.
• As part of a risk assessment of desktop systems, consider the following: you have identified the following asset "integrity of data files on system"; you have identified the following threat "corruption of data files due to import of a virus onto the system". As part of the risk assessment process you must now:
  • estimate the likelihood of the threat
  • specify the harm caused if the threat is realised
  • assess the resultant risk
  • spcify the risk management are willing to accept
  • hence identify the scale of countermeasures required, and suggest what they might be
  Justify your choices.