Evaluating Systems
CSSE 490 Computer Security
Mark Ardis, Rose-Hulman Institute
May 6, 2004

Acknowledgements

• Many of these slides came from Chris Clifton and Matt Bishop, author of Computer Security: Art and Science

What is Formal Evaluation?

• Method to achieve trust
  – Not a guarantee of security
• Evaluation methodology includes:
  – Security requirements
  – Assurance requirements showing how to establish that security requirements are met
  – Procedures to demonstrate that system meets requirements
  – Metrics for results (level of trust)
• Examples: TCSEC (Orange Book), ITSEC, CC

Formal Evaluation: Why?

• Organizations require assurance
  – Defense
  – Telephone / Utilities
  – "Mission Critical" systems
• Formal verification of entire systems not feasible
• Instead, organizations develop formal evaluation methodologies
  – Products passing evaluation are trusted
  – Required to do business with the organization

TCSEC: The Original

• Trusted Computer System Evaluation Criteria
  – U.S. Government security evaluation criteria
  – Used for evaluating commercial products
• Policy model based on Bell-LaPadula
• Enforcement: Reference Validation Mechanism
  – Every reference checked by compact, analyzable body of code
• Emphasis on Confidentiality
• Metric: Seven trust levels:
  – D, C1, C2, B1, B2, B3, A1
  – D is "tried but failed"

TCSEC Class Assurances

• C1: Discretionary Protection
  – Identification
  – Authentication
  – Discretionary access control
• C2: Controlled Access Protection
  – Object reuse and auditing
  – Most common for commercial systems
• B1: Labeled Security Protection
  – Mandatory access control on limited set of objects
  – Informal model of the security policy

TCSEC Class Assurances (continued)

• B2: Structured Protection
  – Mandatory access control for all objects
  – Trusted path for login
  – Principle of Least Privilege
  – Formal model of Security Policy
  – Covert channel analysis
  – Configuration management
• B3: Security Domains
  – Full reference validation mechanism
  – Constraints on code development process
  – Documentation, testing requirements
• A1: Verified Protection
  – Formal methods for analysis, verification
  – Trusted distribution
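The slides above describe the TCSEC ingredients in words: a compact reference validation mechanism, a Bell-LaPadula policy, discretionary control at C1, audit and object reuse at C2, labels and mandatory control at B1/B2. The following toy reference monitor is an added example (it is not code from the slides, from Bishop's book, or from any evaluated product) that puts those pieces in one place so the relationships are visible. The classification levels, compartment names, users and objects are constructed for the example.

```python
"""Toy reference validation mechanism in the spirit of the TCSEC slides.

Added example, not code from the slides or from any evaluated product.
One small, reviewable function (check) mediates every reference, which
is the reference-monitor idea; the policy it enforces combines:
  * C1: identified users and discretionary access control (per-object ACL)
  * C2: an audit record for every decision, and object reuse (storage is
        zeroed when an object is released, so the next owner cannot read it)
  * B1/B2: mandatory access control with Bell-LaPadula labels:
        no read up (simple security) and no write down (*-property)
The level lattice, users and objects below are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed linear ordering of classifications; compartments add a lattice.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the BLP lattice: higher-or-equal level and a
        superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Subject:
    user: str
    clearance: Label


@dataclass
class Obj:
    name: str
    label: Label
    acl: dict            # discretionary part: user -> {"read", "write"}
    data: bytearray = field(default_factory=bytearray)


class ReferenceMonitor:
    """Every read/write goes through check(); nothing else touches obj.data."""

    def __init__(self):
        self.audit = []  # (user, object, mode, decision, rule that failed)

    def check(self, subj: Subject, obj: Obj, mode: str) -> bool:
        if mode not in ("read", "write"):
            raise ValueError(f"unknown access mode {mode!r}")
        dac_ok = mode in obj.acl.get(subj.user, set())
        if mode == "read":
            mac_ok = subj.clearance.dominates(obj.label)   # no read up
        else:
            mac_ok = obj.label.dominates(subj.clearance)   # no write down
        granted = dac_ok and mac_ok
        reason = "-" if granted else ("dac" if not dac_ok else "mac")
        # C2: audit every decision, including denials, with the rule that failed.
        self.audit.append((subj.user, obj.name, mode,
                           "grant" if granted else "deny", reason))
        return granted

    def read(self, subj: Subject, obj: Obj) -> bytes:
        if not self.check(subj, obj, "read"):
            raise PermissionError(f"{subj.user} may not read {obj.name}")
        return bytes(obj.data)

    def write(self, subj: Subject, obj: Obj, data: bytes) -> None:
        if not self.check(subj, obj, "write"):
            raise PermissionError(f"{subj.user} may not write {obj.name}")
        obj.data[:] = data

    def release(self, obj: Obj) -> None:
        """C2 object reuse: clear residual data before storage is reassigned."""
        obj.data[:] = b"\x00" * len(obj.data)
        obj.acl = {}


def demo() -> list:
    """Run a few constructed accesses and return the audit trail."""
    rm = ReferenceMonitor()
    alice = Subject("alice", Label("secret", frozenset({"crypto"})))
    bob = Subject("bob", Label("confidential"))
    report = Obj("report", Label("confidential"),
                 acl={"alice": {"read", "write"}, "bob": {"read"}})
    keys = Obj("keys", Label("secret", frozenset({"crypto"})),
               acl={"alice": {"read", "write"}, "bob": {"read"}})
    rm.write(alice, keys, b"k3y")       # same label: grant
    rm.read(alice, report)              # read down: grant
    rm.check(alice, report, "write")    # write down: deny (mac)
    rm.check(bob, keys, "read")         # read up: deny (mac) although the ACL allows it
    rm.check(bob, report, "write")      # ACL has no write for bob: deny (dac)
    rm.release(keys)                    # object reuse: storage zeroed
    return rm.audit
```

The fourth audit entry is the one worth staring at: bob is on the ACL for `keys`, so a C1 system would grant the read; only the mandatory label check stops it, which is exactly the B1 step up from C2.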

How is Evaluation Done?

• Government-sponsored independent evaluators
  – Application: Determine if government cares
  – Preliminary Technical Review
    – Discussion of process, schedules
    – Development Process
    – Technical Content, Requirements
  – Evaluation Phase

TCSEC: Evaluation Phase

• Three phases
  – Design analysis
    – Review of design based on documentation
  – Test analysis
  – Final Review
• Trained independent evaluation
  – Results presented to Technical Review Board
  – Must approve before next phase starts
• Ratings Maintenance Program
  – Determines when updates trigger new evaluation

TCSEC: Problems

• Based heavily on confidentiality
  – Did not address integrity, availability
• Base TCSEC geared to operating systems
  – TNI: Trusted Network Interpretation
  – TDI: Trusted Database Management System Interpretation

Later Standards

• CTCPEC – Canada
• ITSEC – European Standard
  – Did not prescribe functional criteria: the sponsor states the functionality in a security target, and the E levels rate assurance
  – Levels correspond to strength of evaluation
  – Includes code evaluation, development methodology requirements
  – Known vulnerability analysis
• CISR: Commercial outgrowth of TCSEC
• FC (Federal Criteria): Modernization of TCSEC
• FIPS 140: Cryptographic module validation
• Common Criteria: International Standard
• SSE-CMM: Evaluates developer, not product

ITSEC: Levels

• E1: Security target defined, tested
  – Must have informal architecture description
• E2: Informal description of design
  – Configuration control, distribution control
• E3: Correspondence between code and security target
• E4: Formal model of security policy
  – Structured approach to design
  – Design level vulnerability analysis
• E5: Correspondence between design and code
  – Source code vulnerability analysis
• E6: Formal methods for architecture
  – Formal mapping of design to security policy
  – Mapping of executable to source code

ITSEC Problems:

• No validation that security requirements made sense
  – Product meets goals
  – But does this meet user expectations?
• Inconsistency in evaluations
  – Not as formally defined as TCSEC

Common Criteria

• Replaced TCSEC, ITSEC
1. CC Documents
  – Functional requirements
  – Assurance requirements
  – Evaluation Assurance Levels (EAL)
2. CC Evaluation Methodology
  – Detailed evaluation guidelines for each EAL
3. National Scheme (Country specific)

Common Criteria: Origin

Some Abbreviations

• CC: Common Criteria
• PP: Protection Profile
• ST: Security Target
• TOE: Target of Evaluation
• TSF: TOE Security Functions
• TSP: TOE Security Policy

CC Evaluation 1: Protection Profile

• Implementation independent, domain-specific set of security requirements
• Narrative Overview
• Product/System description
• Security Environment (threats, overall policies)
• Security Objectives: System, Environment
• IT Security Requirements
  – Functional requirements drawn from CC set
  – Assurance level
• Rationale for objectives and requirements

CC Evaluation 2: Security Target

• Specific requirements used to evaluate system
• Narrative introduction
• Environment
• Security Objectives
  – How met
• Security Requirements
  – Environment and system
  – Drawn from CC set
• Mapping of Function to Requirements
• Claims of Conformance to Protection Profile
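The PP and ST slides above both end in rationale sections and mappings: threats to objectives, objectives to requirements, requirements to the functions that implement them, plus the ST's claim of conformance to a PP. Evaluators check those tables mechanically, and the check is easy to state as code. The script below is an added example (not from the slides or from any evaluation scheme) that models a PP and an ST as those mappings and reports the gaps an evaluator would raise. The threat, objective and function names are constructed; the SFR identifiers are real CC Part 2 components, but the `DEPENDENCIES` table is only a small excerpt assumed for the example, not the full CC table.

```python
"""Rationale and PP-conformance check for a Security Target.

Added example, not code from the slides or from any evaluation scheme.
A PP and an ST are reduced to the mappings their rationale tables hold:
    threats/policies -> security objectives -> SFRs -> TSF functions
check_st() reports what an evaluator would flag from those tables:
  1. a threat or policy no objective counters
  2. an objective no SFR meets
  3. an SFR no TSF function implements (ST only)
  4. an SFR whose CC Part 2 dependency is not also in the ST
  5. an SFR that the claimed PP requires but the ST omits
Threat, objective and function names are constructed. SFR identifiers are
CC Part 2 components; DEPENDENCIES is a small excerpt, not the full table.
"""

# Excerpt of CC Part 2 component dependencies (subset assumed for the example).
DEPENDENCIES = {
    "FIA_UAU.1": {"FIA_UID.1"},               # authentication needs identification
    "FAU_GEN.1": {"FPT_STM.1"},               # audit records need reliable time stamps
    "FAU_GEN.2": {"FAU_GEN.1", "FIA_UID.1"},
    "FAU_STG.1": {"FAU_GEN.1"},
    "FAU_SAR.1": {"FAU_GEN.1"},
}


def check_st(st: dict, pp: dict = None) -> list:
    """Return (code, detail) findings; an empty list means the rationale is
    complete and, if a PP is given, the conformance claim holds."""
    findings = []
    countered = {t for threats in st["objectives"].values() for t in threats}
    for threat in st["threats"]:
        if threat not in countered:
            findings.append(("uncountered_threat", threat))
    met = {o for objs in st["sfrs"].values() for o in objs}
    for objective in st["objectives"]:
        if objective not in met:
            findings.append(("unmet_objective", objective))
    implemented = {s for sfrs in st["functions"].values() for s in sfrs}
    for sfr in st["sfrs"]:
        if sfr not in implemented:
            findings.append(("unimplemented_sfr", sfr))
        for dep in sorted(DEPENDENCIES.get(sfr, ())):
            if dep not in st["sfrs"]:
                findings.append(("missing_dependency", f"{sfr} -> {dep}"))
    if pp is not None:
        for sfr in pp["sfrs"]:
            if sfr not in st["sfrs"]:
                findings.append(("pp_nonconformance", sfr))
    return findings


# Constructed PP: a minimal "audited login" profile.
PP_AUDITED_LOGIN = {
    "threats": ["T.UNAUTH_ACCESS", "T.AUDIT_LOSS"],
    "objectives": {"O.AUTH": ["T.UNAUTH_ACCESS"], "O.AUDIT": ["T.AUDIT_LOSS"]},
    "sfrs": {"FIA_UID.1": ["O.AUTH"], "FIA_UAU.1": ["O.AUTH"],
             "FAU_GEN.1": ["O.AUDIT"], "FAU_STG.1": ["O.AUDIT"]},
}

# Constructed ST draft claiming conformance to the PP above. It is
# deliberately incomplete so that check_st() has something to find.
ST_DRAFT = {
    "threats": PP_AUDITED_LOGIN["threats"] + ["T.REPLAY"],
    "objectives": {"O.AUTH": ["T.UNAUTH_ACCESS"], "O.AUDIT": ["T.AUDIT_LOSS"]},
    "sfrs": {"FIA_UID.1": ["O.AUTH"], "FIA_UAU.1": ["O.AUTH"],
             "FAU_GEN.1": ["O.AUDIT"]},
    "functions": {"SF.LOGIN": ["FIA_UID.1", "FIA_UAU.1"],
                  "SF.LOGGING": ["FAU_GEN.1"]},
}


def repaired_st() -> dict:
    """The same ST after the author closes every finding."""
    st = {k: dict(v) if isinstance(v, dict) else list(v) for k, v in ST_DRAFT.items()}
    st["objectives"]["O.REPLAY"] = ["T.REPLAY"]
    st["sfrs"].update({"FPT_RPL.1": ["O.REPLAY"],      # replay detection
                       "FPT_STM.1": ["O.AUDIT"],       # reliable time stamps
                       "FAU_STG.1": ["O.AUDIT"]})      # protected audit storage
    st["functions"].update({"SF.NONCE": ["FPT_RPL.1"], "SF.CLOCK": ["FPT_STM.1"]})
    st["functions"]["SF.LOGGING"] = ["FAU_GEN.1", "FAU_STG.1"]
    return st
```

Running `check_st(ST_DRAFT, PP_AUDITED_LOGIN)` yields three findings: the extra threat with no objective, the missing `FPT_STM.1` dependency of `FAU_GEN.1` (a very common real-world omission), and the PP's `FAU_STG.1` that the ST dropped. `check_st(repaired_st(), PP_AUDITED_LOGIN)` is empty.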

Common Criteria: Functional Requirements

• 362 page document
• 11 Classes
  – Security Audit, Communication, Cryptography, User data protection, ID/authentication, Security Management, Privacy, Protection of Security Functions, Resource Utilization, Access, Trusted paths
• Several families per class
• Lattice of components in a family

Class Example: Communication

• Non-repudiation of origin
  1. Selective Proof. Capability to request verification of origin
  2. Enforced Proof. All communication includes verifiable origin

Class Example: Privacy

1. Pseudonymity
   1. The TSF shall ensure that [assignment: set of users and/or subjects] are unable to determine the real user name bound to [assignment: list of subjects and/or operations and/or objects]
   2. The TSF shall be able to provide [assignment: number of aliases] aliases of the real user name to [assignment: list of subjects]
   3. The TSF shall [selection: determine an alias for a user, accept the alias from the user] and verify that it conforms to the [assignment: alias metric]
2. Reversible Pseudonymity
   1. …
3. Alias Pseudonymity
   1. …
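The bracketed [assignment: ...] and [selection: ...] text in the Pseudonymity elements above are CC operations: an ST author must fill every assignment and pick one of the listed options for every selection before the component can be claimed. The script below is an added example, not part of the slides or of the CC documents, that takes the three FPR_PSE.1 elements exactly as quoted on the slide and completes them from an ST author's choices, refusing an open assignment or a selection outside the permitted options. The forum scenario and the chosen values are constructed.

```python
"""Completing the assignment and selection operations on a CC component.

Added example, not from the slides or from the CC documents themselves.
The three elements of FPR_PSE.1 (Pseudonymity) are copied from the slide;
the ST author's choices are constructed. complete() fills each
[assignment: ...] from the choices and checks that each [selection: ...]
picks one of the listed options, so an ST cannot claim the component with
an operation left open or with a selection CC Part 2 does not offer.
"""
import re

OPERATION = re.compile(r"\[(assignment|selection):\s*([^\]]+)\]")

# Element text as given on the slide (the component's three elements).
FPR_PSE_1 = {
    "FPR_PSE.1.1": ("The TSF shall ensure that [assignment: set of users and/or "
                    "subjects] are unable to determine the real user name bound to "
                    "[assignment: list of subjects and/or operations and/or objects]."),
    "FPR_PSE.1.2": ("The TSF shall be able to provide [assignment: number of aliases] "
                    "aliases of the real user name to [assignment: list of subjects]."),
    "FPR_PSE.1.3": ("The TSF shall [selection: determine an alias for a user, accept "
                    "the alias from the user] and verify that it conforms to the "
                    "[assignment: alias metric]."),
}


def open_operations(text: str) -> list:
    """Operations still uncompleted in an element: [(kind, body), ...]."""
    return [(m.group(1), m.group(2).strip()) for m in OPERATION.finditer(text)]


def complete(text: str, choices: dict) -> str:
    """Complete one element. choices maps the placeholder body (the text
    after 'assignment:' or 'selection:') to the ST author's value."""
    def fill(m):
        kind, body = m.group(1), m.group(2).strip()
        if body not in choices:
            raise ValueError(f"{kind} not completed: {body!r}")
        value = choices[body]
        if kind == "selection":
            options = [o.strip() for o in body.split(",")]
            if value not in options:
                raise ValueError(f"selection {value!r} not among {options}")
        return f"[{value}]"          # completed operations stay bracketed
    return OPERATION.sub(fill, text)


def instantiate(component: dict, choices: dict) -> dict:
    """Complete every element of a component; fail if any operation is open."""
    done = {}
    for elem_id, text in component.items():
        done[elem_id] = complete(text, choices)
        if open_operations(done[elem_id]):
            raise ValueError(f"{elem_id} still has open operations")
    return done


# Constructed ST choices for a web forum that pseudonymises posters.
FORUM_CHOICES = {
    "set of users and/or subjects": "all users other than the forum administrator",
    "list of subjects and/or operations and/or objects": "posts and votes",
    "number of aliases": "one",
    "list of subjects": "all users",
    "determine an alias for a user, accept the alias from the user":
        "determine an alias for a user",
    "alias metric": "a 12-character random string unique within the forum",
}
```

`instantiate(FPR_PSE_1, FORUM_CHOICES)` returns the three completed elements as they would appear in the ST; omitting `"alias metric"` or choosing a selection value that is not one of the two listed options raises `ValueError` instead of silently producing an under-specified requirement. The CC also defines refinement and iteration operations, which this example does not model.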

Common Criteria: Assurance Requirements

• 216 page document
• 10 Classes
  – Protection Profile Evaluation, Security Target Evaluation
  – Configuration management, Delivery and operation, Development, Guidance, Life cycle, Tests, Vulnerability assessment
  – Maintenance
• Several families per class
• Lattice of components in family

Example: Protection Profile Evaluation

Security environment: In order to determine whether the IT security requirements in the PP are sufficient, it is important that the security problem to be solved is clearly understood by all parties to the evaluation.

1. Protection Profile, Security environment, Evaluation requirements
   – Dependencies: No dependencies.
   – Developer action elements: The PP developer shall provide a statement of TOE security environment as part of the PP.
   – Content and presentation of evidence elements: ...

Example: Delivery and Operation

Installation, generation and start-up
A. Installation, generation, and start-up procedures
   – Dependencies: AGD_ADM.1 Administrator guidance
B. Developer action elements:
   – The developer shall document procedures necessary for the secure installation, generation, and start-up of the TOE.
C. Content and presentation of evidence elements:
   – The documentation shall describe the steps necessary for secure installation, generation, and start-up of the TOE.
D. …

Common Criteria: Evaluation Assurance Levels

1. Functionally tested
2. Structurally tested (TCSEC C1)
3. Methodically tested and checked (C2)
4. Methodically designed, tested, and reviewed (B1)
5. Semi-formally designed and tested (B2)
6. Semi-formally verified design and tested (B3)
7. Formally verified design and tested (A1)

Common Criteria: Evaluation Process

• National Authority authorizes evaluators
  – U.S.: NIST accredits commercial organizations
  – Fee charged for evaluation
• Team of four to six evaluators
  – Develop work plan and clear with NIST
  – Evaluate Protection Profile first
  – If successful, can evaluate Security Target

Common Criteria: Status

• About 80 registered products
  – Only one at level 5 (Java Smart Card)
  – Several OS at 4
  – Likely many more not registered
• New versions appearing on regular basis