Security Architecture and Design: Part I

Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
[email protected]

IST 515

Learning by Doing: Theory, Practice


Objectives

• Understand enterprise architecture
• Understand security architecture
• Understand platform architecture
• Understand operating system architecture
• Discuss security models and architecture theory
• Identify appropriate protection mechanisms
• Identify techniques used to provide system security
• Discuss evaluation methods and criteria
• Understand the role of assurance evaluations
• Explain certification and accreditation


Readings

• Hansche, S., Berti, J. and Hare, C., Official (ISC)2 Guide to the CISSP Exam, Chapter 2, Auerbach, 2004, pp. 79-145. (Required).

• Stephens, B., “Security Architecture for System Wide Information Management,” The 24th Digital Avionics Systems Conference, 2005. DASC 2005, V. 2.

• CIO Council, A Practical Guide to Federal Enterprise Architecture, V 1.0, 2001. http://www.cio.gov


What is Enterprise Architecture?

• An Enterprise Architecture is an integrating framework for enabling the alignment of business strategy and technology capability.

• An Enterprise Architecture (EA) provides the blueprint for integration, change and management of your IT assets within the context of your business vision, goals and objectives. A well-crafted, flexible Enterprise Architecture can be your organization’s most valuable IT asset.

(http://www.neosynthesis.com/architecture.asp)

[Figure: Enterprise Architecture. Components shown: Vision, Mission, Strategy, Policies; Business Architecture; Information Architecture; Functional Application Architecture; Technology Architecture; Service Composition Architecture; Security Architecture; Infrastructure Operations Architecture; Transition Architecture]


MITRE EA Development Process


Information Systems Requirements

• Capability
• Performance
• Flexibility
• Cost
• Ease of Use
• Business requirements
• Security
• Innovation

• Building an information system requires a balance among various requirements.

• Security should be considered as a requirement from the beginning – it is simply another feature that needs to be included.


What is Security Architecture?

Security architecture is a view of an overall system architecture from a security perspective. It provides some insight into the security services, mechanisms, technologies, and features that can be used to satisfy system security requirements. It provides recommendations on where, within the context of the overall system architecture, security mechanisms should be placed. It describes how the system is put together to satisfy the security requirements.


Security Architecture 1

Security architecture is not a description of the functions of the system; it is more of a design view, describing at an abstract level the relationships between key elements of the hardware, operating systems, applications, network and other required components to protect the organization’s interests. It should also describe how the functions in the system development process follow the security requirements. For example, if the security requirements specify that the system must have a given level of assurance as to the correctness of the security controls, the security architecture must prescribe these specifications in the development process.


Security Architecture 2

Security requirements are not added steps to the system development process; instead, the specifications or guidelines of the security architecture provide an influence during all development processes. During the beginning stages, the security architecture should outline high-level security issues, such as the system security policy, the level of assurance required, and any potential impacts security could have on the design process. As the system is developed, the security architecture should evolve in parallel, and may even need to be slightly ahead of the development process so that the security requirements will guide the development process.


General Questions to Ask

• Where should the protection take place - at the user’s end, where the data is stored, or by restricting user activities within the environment or a combination of these?

• Where (what layer) should the protection be placed – hardware, kernel, operating systems, service, or program?

• Which processes are within the trusted computing base (TCB)?

• What kind of security mechanisms should be used?

• How will the security mechanisms and processes interact with each other?

• What is the security perimeter that separates the trusted and untrusted components?

Security Architecture Design

• Security Architecture Requirements
• Security Architecture Layers
• Security Models
• Evaluation Methods & Criteria
• Certification & Accreditation

Vulnerabilities, Threats/Risks, Countermeasures


Security Architecture Requirements

• The security architecture is designed so that the Availability, Integrity and Confidentiality (AIC) goals of information security can meet the business and security needs of the organization.

• The security architecture can guide the early decisions and avoid needing to correct or retrofit the system after development has been completed.

• Adding security controls after a system has been developed can lead to user frustration, a lower security posture, and significantly increased implementation costs.


Security Architecture Layers

• Platform Architecture that defines how it manages various system resources or system utilities.

• Operating System Architecture that defines how an operating system interacts with the hardware components, utilities and applications.

• Application Architecture that defines how applications interact with OS and provide services to end users.

• Network Architecture that defines how networked devices communicate, share common resources with each other and send and receive information.


Layers of Security Architecture

[Figure: layers of security architecture: Network, Computer Hardware, OS Kernel, Operating System, Utilities, Application Programs, End User]

Platform Architecture


CPU – Computer Brain

[Figure: the application memory/buffer holds the instructions (Add a + b = c) and the data (a = 1, b = 5); the processor (control unit and ALU) executes them and the result c = 6 goes back to the application]


Potential Vulnerability in CPU

• System crashes. During the crash, the system creates a core dump of its internal state, including RAM and program stacks and CPU registers, allowing for investigation and identification of the cause leading to the crash. If the internal state contains sensitive information and the core dump data is stored in a file potentially accessed and read by everyone, inadvertent release of the sensitive information could occur.


Storage Devices

• Primary Storage (Volatile):
– Cache or registers
– Memory (RAM, ROM, Cache, Flash)

• Secondary Storage (nonvolatile):
– Disk drive
– CD or Tape

• Virtual Memory. A simulated RAM using the storage disk. The process is called paging or swapping, which can slow down the system.


Threats of Storage Devices

• If power is interrupted, the data stored in RAM can be completely lost.

• Removable media and CD, which can be easily transported and read on other computers, can increase the organization’s risk of data loss.

Countermeasure:

• Establishing appropriate policy and controls on:
– the use of Uninterruptible Power Supply (UPS) or backup power supply, and
– where and when removable media and CD drives may be used.


Potential Threat of Virtual Memory

• Data stored in virtual memory remains on the hard drive when the computer is turned off and may be recovered from these temporary files. An attacker may be able to retrieve data from these locations with little difficulty if access is gained.

Countermeasures:

• Erase the virtual memory files when the system is shut down.

• Encrypt the swap partition, or create a separate small drive and place the swap files there.


Types of Memory

Random Access Memory (RAM). It is used to store program instructions and data, and is accessible directly by the CPU. Read/write capability.

Read-only Memory (ROM). It is a built-in memory that contains data that can only be read. It is usually used for storing parts of the OS that allow the computer to be booted.

Flash Memory. It is a rewritable memory that functions like RAM and a hard drive combined. It is used primarily in applications that need high speed and durability, such as digital cellular phones, digital cameras, PC cards for notebooks, and pagers.


Memory Management

• To use memory efficiently, the OS provides ways of isolating the addresses used by one program from those of others (managing memory). This also prevents errors in one program from corrupting other programs.

• The objective of memory management is to separate programs into different parts of memory and still have them work properly.

• Paging. Certain applications, upon execution, write “pages” of information to reserved address space.

• Swapping. Moving an entire memory region associated with a process or application into a virtual memory (simulated RAM) using a storage disk.


Potential Threat of Memory Mgmt.

• Although an encryption program can read data in an encrypted file, decrypt it, and work on the data while it is in memory, the data can be transferred onto the hard drive as a result of paging and swapping process.

Countermeasure:

• The system administrator can implement a memory lock technique to prevent the data from being paged or swapped from memory to the hard drive.
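The core-dump exposure described under "Potential Vulnerability in CPU" and the memory lock countermeasure above can both be applied from inside a process that handles secrets. The C program below is an added example, not part of the original lecture; it assumes a POSIX system, and its function names and sample key are made up for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>

/* Set the core-file size limit to zero so that a crash cannot write RAM,
 * stacks and registers to a file. Returns 0 on success, -1 on error. */
int disable_core_dumps(void)
{
    struct rlimit none = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &none);
}

/* 1 if the soft core limit is zero, 0 if dumps are still possible, -1 on error. */
int core_dumps_disabled(void)
{
    struct rlimit cur;
    if (getrlimit(RLIMIT_CORE, &cur) != 0)
        return -1;
    return cur.rlim_cur == 0;
}

/* Zero a buffer through a volatile pointer so the compiler keeps the writes. */
void scrub(void *p, size_t len)
{
    volatile unsigned char *b = p;
    while (len--)
        *b++ = 0;
}

/* Allocate a zeroed buffer and ask the OS to pin its pages in RAM (memory
 * lock), which keeps them out of the swap area. *locked is set to 1 when
 * mlock() succeeded; it fails when the RLIMIT_MEMLOCK quota is too small,
 * and the caller decides whether to go on without the lock. */
unsigned char *secret_alloc(size_t len, int *locked)
{
    unsigned char *p = calloc(1, len);
    if (p == NULL)
        return NULL;
    *locked = (mlock(p, len) == 0);
    return p;
}

/* Wipe before unlocking and freeing, so no residue outlives the secret. */
void secret_free(unsigned char *p, size_t len, int locked)
{
    if (p == NULL)
        return;
    scrub(p, len);
    if (locked)
        munlock(p, len);
    free(p);
}

int main(void)
{
    static const char sample[] = "constructed-sample-key-material"; /* not a real key */
    int locked = 0;

    if (disable_core_dumps() != 0) {
        perror("setrlimit");
        return 1;
    }
    unsigned char *key = secret_alloc(sizeof sample, &locked);
    if (key == NULL)
        return 1;
    memcpy(key, sample, sizeof sample);
    printf("core dumps disabled: %d, pages locked: %d\n",
           core_dumps_disabled(), locked);
    secret_free(key, sizeof sample, locked);
    return 0;
}
```

The lock only covers the pages of this one buffer; copies of the secret made elsewhere (stack temporaries, I/O buffers) are not protected by it.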


Potential Threats of Flash Memory

• Data loss due to the loss of flash memory devices.

• Another security threat for the use of flash memory in portable devices such as PDAs is wireless security, because the data is often transferred wirelessly and can be captured wirelessly by a hacker.

Countermeasure:

• Encrypting the data in the flash memory device.

• Using a new Mobile Commerce Extension Specification (MC-ES) developed by the 5C (Toshiba, Hitachi, San Disk, Matsushita, and Ingentix).


Peripherals or I/O Devices

• The I/O device usually sends information to memory, but it can also send information directly to the CPU. Once the data is copied to the memory, an interrupt is generated signaling the CPU that the requested data is now available for processing.

• Processors are designed to deal with interruptions in program execution caused by the program itself, by user requests, or hardware failure.

• I/O is a privileged operation carried out only by the OS.

[Figure: I/O controllers, memory and CPU]


Software Interrupt

• Exceptions and traps are the software equivalent of a hardware interrupt.

• When a program attempts to execute a privileged instruction while in user mode, an exception occurs, generally causing the failure of the program.

• Exceptions can also occur due to code errors created when the program was written.


Potential Threats of I/O 1

• Hardware Interrupt. The hardware interrupt is a special input to the CPU specifying an address in the interrupt vector table. The interrupt vector table provides the location of the program addressing the condition specified in the interrupt, called the interrupt handler. When an interrupt occurs, the system saves its current state on the stack and then executes the interrupt handler. During this event, control is taken from the user program.

Countermeasure:

• Making sure that the system is restored to a proper state, such as clearing the supervisor status bit, before returning control to the user program.


Potential Threats of I/O 2

• Another security flaw could exist if other interrupts arrived while the processor was dealing with a current interrupt. If the new interrupt has a higher priority than the current interrupt being handled, the processor would then have to transfer execution to the interrupt handler with the higher priority. The interrupt with lower priority will be cached. If interrupt handling is not handled securely, a breach may occur, allowing a previous process to gain the supervisor status of an operating system call.


Potential Threats of I/O 3

• Redirection of Interrupt. Malicious code could be executed whenever the corresponding interrupt occurs, causing an interrupt redirection attack, which is difficult to detect because:
– It does not change the original interrupt handler.
– Without prior knowledge of where the interrupt handlers are located in memory and what the contents of the interrupt vector table should be, it is almost impossible to detect these changes.
– Operating systems do not currently provide an integrity check or control mechanism to prevent interrupt or system call redirection.


Illustration of Operating Systems

[Figure: operating system software, memory (programs and data), processors, I/O controllers, and storage (OS, programs, data)]


Objectives of OS

• To control the use of the system’s resources. The OS must share the computer’s resources among a number of simultaneous users or, if the computer only has one user, share resources between multiple tasks.

• To provide a convenient and easy-to-understand view or interface of the computer to its users (people or programs), which is usually done through a graphical user interface (GUI).


OS Services

Services

• Program creation.

• Program execution.

• Access to input/output devices.

• Controlled access to files.

• System access.

• Error detection and response.

• Accounting.

Operations

• Process

• Spooling

• Multitasking

• Multithreading

• Multiprogramming

• Multiprocessing


Special Operations of OS

• Multitasking. The ability to allow a user to perform more than one task at the same time.

• Multithreading. The ability to allow more than one user to access a program at the same time.

• Multiprogramming. The ability to allow the interleaved execution of two or more programs by a processor.

• Multiprocessing. The ability to coordinate the processing of two or more programs by a processor that contains parallel processors.


Illustration of Spooling

[Figure: memory (RAM) and CPU, with the following steps]

1. Request (system call), such as accessing a document from the hard disk.

2. Document is retrieved from the storage device and stored in RAM.

3. Request (system call), such as printing a file.


Potential Vulnerabilities of OS 1

• Object Reuse (for single processor, multiprogramming system). Storage residues occur when data is left behind in a memory area that could be allocated to new processes. Storage residues should be avoided, or the OS must scrub the RAM to prevent storage residue.

• Time of Check/Time of Use (TOC/TOU) (for multiple processors, multiprogramming system). An asynchronous attack that occurs when one process passes pointers to parameters residing in its virtual memory to the OS. At the same time, another process, with access to the same memory, modifies the parameters between the time the OS validates them and the time they are used.
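The TOC/TOU window described above can be reproduced deterministically by modelling the second process as a callback that runs between the check and the use. The C program below is an added example, not part of the original lecture; the request layout, the 16-byte policy limit and all function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LEN 16   /* policy limit enforced by the validation step */
#define BUF_LEN 64   /* physical size of the data area               */

/* Parameter block in memory that the calling process can still write to. */
struct request {
    size_t len;
    char   data[BUF_LEN];
};

/* Stand-in for the second process: called in the window between the
 * check and the use, which makes the race deterministic for the demo. */
typedef void (*race_hook)(struct request *shared);

void racing_writer(struct request *shared)
{
    shared->len = BUF_LEN;   /* a value the validation would have rejected */
}

/* Check-then-use on shared memory: len is fetched twice.
 * Returns bytes copied to out (BUF_LEN bytes), or -1 if rejected.
 * The demo writer never exceeds BUF_LEN, so the copy stays in bounds. */
long handle_check_then_use(struct request *shared, race_hook hook, char *out)
{
    if (shared->len > MAX_LEN)       /* time of check */
        return -1;
    if (hook)
        hook(shared);                /* the other process runs here */
    size_t n = shared->len;          /* time of use: second fetch */
    memcpy(out, shared->data, n);
    return (long)n;
}

/* Copy once into private memory, then validate and use only the copy. */
long handle_copy_then_check(struct request *shared, race_hook hook, char *out)
{
    struct request local;
    memcpy(&local, shared, sizeof local);   /* single fetch */
    if (hook)
        hook(shared);                /* can no longer affect the decision */
    if (local.len > MAX_LEN)
        return -1;
    memcpy(out, local.data, local.len);
    return (long)local.len;
}

int main(void)
{
    struct request req = { 8, "8 bytes" };   /* constructed sample request */
    char out[BUF_LEN];

    printf("check-then-use copied %ld bytes (limit %d)\n",
           handle_check_then_use(&req, racing_writer, out), MAX_LEN);
    req.len = 8;
    printf("copy-then-check copied %ld bytes (limit %d)\n",
           handle_copy_then_check(&req, racing_writer, out), MAX_LEN);
    return 0;
}
```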


Potential Vulnerabilities of OS 2

• Maintenance Hooks. Commonly referred to as trapdoors or backdoors, these are undocumented features left in the software code to give designers easy access for maintenance and additional feature development. An unauthorized user who knows the entry point could gain access to information or insert malicious code into the software.

• Countermeasure: Ideally, maintenance hooks should never be inserted into the program during development. At a minimum, they should be removed prior to live implementation.


OS Security I

• A secure OS also uses the layer structure to assist in the achievement of some assurance goals. The security primitives should be placed in a lower layer, with additional security elements implemented at all layers. A clear understanding of the security requirements at each layer during the design phases is important.

• Reasons for putting security mechanisms in a lower layer are:
– To increase the performance of the system (the overhead within the OS is lower).
– To allow for a complete check on the security mechanisms to ensure that they cannot be circumvented.


OS Security II

• Security technologies used by OS include:
– Reference monitor.
– Security kernel.
– The trusted computing base.

• Reference Monitor: A reference monitor concept defines a set of design requirements on a reference validation mechanism, which enforces an access control policy over subjects' (e.g., processes and users) ability to perform operations (e.g., read and write) on objects (e.g., files and sockets) on a system.


OS Security III

• A Security Kernel is a small module in the Operating System where all security features are located. It is a self-contained, usually small collection of key security-related statements that (a) works as a part of an operating system to prevent unauthorized access to, or use of, the system and (b) contains criteria that must be met before specified programs can be accessed.

[Figure: Subjects, Reference Monitor (Policy), Objects, Security Kernel Database, Audit File]
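The reference monitor concept and the elements named in the figure (subjects, objects, security kernel database, audit file) map onto a single validation function that every request must pass. The C program below is an added example, not part of the original lecture; the subjects, objects, rights and function names are constructed, and refusing access when the audit log is full is an assumption of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { OP_READ = 1, OP_WRITE = 2 };

/* Access rules, standing in for the security kernel database.
 * Subjects, objects and rights are constructed samples. */
struct rule { const char *subject; const char *object; unsigned allowed; };

static const struct rule policy[] = {
    { "backup_proc", "file:/etc/shadow",      OP_READ },
    { "alice",       "file:/home/alice/todo", OP_READ | OP_WRITE },
    { "alice",       "socket:smtp",           OP_WRITE },
};

/* Audit file, kept in memory for the example. */
struct audit_rec { const char *subject; const char *object; unsigned op; int granted; };
#define AUDIT_MAX 32
static struct audit_rec audit_log[AUDIT_MAX];
static size_t audit_len;

/* Reference validation: every request goes through this one function,
 * a subject/object pair with no rule is denied, and every decision is
 * recorded. Returns 1 to grant, 0 to deny. */
int rm_check(const char *subject, const char *object, unsigned op)
{
    int granted = 0;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        if (strcmp(policy[i].subject, subject) == 0 &&
            strcmp(policy[i].object, object) == 0) {
            /* all requested rights must be present; an empty request is denied */
            granted = (op != 0) && ((policy[i].allowed & op) == op);
            break;
        }
    }
    if (audit_len == AUDIT_MAX)
        return 0;   /* assumption of this example: no audit space, no access */
    audit_log[audit_len++] = (struct audit_rec){ subject, object, op, granted };
    return granted;
}

/* Number of audited decisions with the given outcome (1 granted, 0 denied). */
size_t rm_audit_count(int granted)
{
    size_t n = 0;
    for (size_t i = 0; i < audit_len; i++)
        n += (audit_log[i].granted == granted);
    return n;
}

int main(void)
{
    rm_check("alice", "file:/home/alice/todo", OP_WRITE);   /* granted */
    rm_check("alice", "file:/etc/shadow", OP_READ);         /* no rule: denied */
    rm_check("backup_proc", "file:/etc/shadow", OP_WRITE);  /* right missing: denied */
    for (size_t i = 0; i < audit_len; i++)
        printf("%-12s %-24s op=%u %s\n", audit_log[i].subject,
               audit_log[i].object, audit_log[i].op,
               audit_log[i].granted ? "GRANT" : "DENY");
    return 0;
}
```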


Trusted Computing Base (TCB)

The trusted computing base (TCB) is everything in a computing system that provides a secure environment. This includes the operating system and its provided security mechanisms, hardware, physical locations, network hardware and software, and prescribed procedures.

Typically, there are provisions for controlling access, providing authorization to specific resources, supporting user authentication, guarding against viruses and other forms of system infiltration, and backup of data. It is assumed that the trusted computing base has been or should be tested or verified.


Protection Rings

Privilege level, from most privileged to least privileged:

• Ring 0 (most privileged): OS Kernel
• Ring 1: OS Services
• Ring 2: Utilities, Device Drivers
• Ring 3 (least privileged): Applications, Programs (Email Clients, MS Office, Web Browser)


Application Architecture

• Applications Architecture is an infrastructure to ensure the suite of applications being used by an organization is scalable, reliable, available and manageable.

• The applications architecture is specified on the basis of business requirements, which involve defining the interactions between application packages, databases, and middleware systems in terms of functional coverage.

• Applications Architecture means managing how multiple applications are poised to work together. It is different from software architecture, which deals with design concerns of one application.


Process vs. Thread

• Applications are run in user mode. Each application is a process. A thread is the smallest unit of processing or execution in a program.

• The implementation of threads and processes differs from one operating system to another, but in most cases, a thread is contained inside a process. Multiple threads can exist within the same process and share resources such as memory, while different processes do not share these resources.

• On a single processor, multithreading generally occurs by time-division multiplexing; the processor switches between different threads. On a multiprocessor, the threads or tasks will actually run at the same time, with each processor or core running a particular thread or task.


Network Architecture

• A network is a data communication system allowing a number of devices to communicate with each other.

• A network allows the users of the network to share common resources and to send and receive information.

• The network provides an interface for the users of the network resources, just as an operating system provides an interface consisting of system calls.

• For two entities to communicate with each other, they must agree on common protocols, or a set of rules.


Layers of Network Architecture

[Figure: OSI Model layers between the user and the physical link, with transmit-data and receive-data paths: Application Layer, Presentation Layer, Session Layer, Transport Layer, Network Layer, Data Link Layer, Physical Layer]


Threats to Shared Environments

• Unconfigured or misconfigured file protection controls.

• Database corruption.

• Unsecured remote access.

• Unsecured locations and physical accessibility.

• Lack of built-in security controls.

• Multiple control points.

• Inconsistent user identification and authentication across networks.

• Multiple administrative processes and appearances.

• Multiple administrators.

• Malicious codes.

• Hidden escape mechanisms.

• Lack of multiple-log and journal synchronization.

• Lack of audit trail data control.

• Lack of alarm notification


To be Continued

This is the end of part I of the lecture. Please continue to review part II.