54 terms

Trusted Operating System

Physical Protection in S&S Paper
Wall, door, guard, and check
Identification
The identity of the user to be associated with a "process/program/principal" in the computer system. It is typically not secret, but not necessarily public either
Authentication
Information pertaining to the identified entity that can be used to validate the claim of identification. Authentication establishes the credibility of the claimed identity
Authentication Information
It includes something you know (a password), something you have (a token), and something you are (a biometric captured by a sensor)
Something you know problems
Passwords create problems: users write them down, length and guessability, and how to transmit them securely over a network or store them safely
Something you have problems
Tokens create problems: availability (lost, forgotten or failed tokens), mechanical failure, man-in-the-middle (MITM) attacks, and forgery
Something you are problems
Biometrics create problems: liveness detection, sanitization (hygiene of shared sensors), compromise (a biometric cannot be revoked or reissued), usability, probabilistic matching, duress, and spoofing (e.g. retinal scanners, or fingerprint readers fooled by gummy-bear molds)
Null hypothesis
The biometric collected from the device matches the specified entry in the biometric database. This indicates the person is authentic, and the claim of identity is true
Alternative hypothesis
The biometric collected from the device does not match the specified entry in the biometric database. This indicates the person is a fraud (impostor), and the claim of identification is false
Type 1 Error
In statistical terms this error is also called a false positive: rejecting the null hypothesis when it is actually true. For authentication it is a false rejection: a legitimate user is turned away
Type II Error
In statistical terms this error is called a false negative: failing to reject the null hypothesis when the alternative hypothesis is actually true. For authentication it is a false acceptance: an impostor is let in
Type 1
A legitimate authentication attempt was rejected (statistically a false positive; in biometric terms a false rejection, measured by the false rejection rate, FRR)
Type 2
A false authentication claim was accepted (statistically a false negative; in biometric terms a false acceptance, measured by the false acceptance rate, FAR)
Crossover Error Rate
The point at which the false rejection rate (FRR) equals the false acceptance rate (FAR) as the matching threshold is varied. The lower the CER, the more accurate the biometric system
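The Type I / Type II error and crossover error rate cards above, as an added worked example that is not part of the original flashcards. The match scores are constructed sample data (a similarity score from 0 to 100 that a hypothetical matcher produced), not readings from any real sensor; the threshold sweep shows why raising the threshold trades false acceptances for false rejections and where the two rates cross.

```python
"""Type I / Type II errors and the crossover error rate (CER) of a biometric matcher.

Added example, not code from the original flashcards. The matcher scores below
are constructed sample data (similarity 0..100), not readings from a real sensor.
"""
from typing import Iterable, List, Tuple

# Constructed scores. GENUINE: the claimant really is the enrolled person
# (null hypothesis true). IMPOSTOR: the claim of identity is false
# (alternative hypothesis true). The two populations overlap deliberately.
GENUINE: List[int] = [92, 88, 85, 81, 79, 77, 74, 70, 66, 52]
IMPOSTOR: List[int] = [68, 62, 55, 49, 45, 43, 40, 37, 33, 28]


def accept(score: int, threshold: int) -> bool:
    """Decision rule: accept the identity claim when the match score reaches the threshold."""
    return score >= threshold


def classify(score: int, is_genuine: bool, threshold: int) -> str:
    """Name the outcome of one decision in the flashcards' terms."""
    accepted = accept(score, threshold)
    if is_genuine and not accepted:
        return "type I (false rejection)"
    if not is_genuine and accepted:
        return "type II (false acceptance)"
    return "correct"


def false_rejection_rate(genuine: Iterable[int], threshold: int) -> float:
    """FRR: fraction of legitimate users rejected (Type I errors)."""
    scores = list(genuine)
    return sum(1 for s in scores if not accept(s, threshold)) / len(scores)


def false_acceptance_rate(impostor: Iterable[int], threshold: int) -> float:
    """FAR: fraction of impostors accepted (Type II errors)."""
    scores = list(impostor)
    return sum(1 for s in scores if accept(s, threshold)) / len(scores)


def crossover_error_rate(genuine: Iterable[int], impostor: Iterable[int],
                         thresholds: Iterable[int] = range(0, 101)) -> Tuple[int, float]:
    """Sweep the threshold; return (threshold, error rate) where FRR and FAR are closest to equal.

    Raising the threshold lowers FAR but raises FRR; the CER is the operating
    point where the two meet. Ties resolve to the lowest such threshold.
    """
    genuine, impostor = list(genuine), list(impostor)
    best_threshold, best_rate, best_gap = 0, 1.0, float("inf")
    for t in thresholds:
        frr = false_rejection_rate(genuine, t)
        far = false_acceptance_rate(impostor, t)
        gap = abs(frr - far)
        if gap < best_gap:
            best_threshold, best_rate, best_gap = t, (frr + far) / 2, gap
    return best_threshold, best_rate


if __name__ == "__main__":
    t, cer = crossover_error_rate(GENUINE, IMPOSTOR)
    print(f"CER {cer:.2f} at threshold {t}")
    for th in (50, t, 80):
        print(th, false_rejection_rate(GENUINE, th), false_acceptance_rate(IMPOSTOR, th))
```

With the constructed scores the rates cross at threshold 63 with a CER of 0.1; a deployment that fears impostors more than annoyed users would pick a threshold above the crossover and accept the higher FRR.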
Authentication: 2 way street
The system needs assurance about the user's identity, and the user needs assurance about the system's identity
Trusted Path
This path provides assurance that the user is indeed communicating with the trusted system and not a spoof (for example, a secure attention key that always invokes the genuine login program)
Non-user authentication
Authenticates both software and hardware
Trusted Computing Base
It is the totality of protection mechanisms within a computer system - including hardware, firmware, and software - the combination of which is responsible for enforcing a security policy
Trusted Computing Base Isolation and Containment
Isolation relies on a two-state machine: the hardware distinguishes a privileged (kernel) state, in which the TCB runs, from an unprivileged (user) state, so untrusted code cannot modify the TCB
A high-assurance design reference for a trusted operating system
Components of Trusted Computing Base
This includes the hardware, a primitive file system (identification, authentication, authorization, access control), the memory protection mechanism (the reference validation mechanism, RVM), and interprocess communication mechanisms
Four aspects of building a trusted operating system
They are policy, model, design, and trust
Policy
It is a set of well-defined, consistent, implementable rules that have been clearly expressed
Model
It is a computable model of the policies to be enforced
Design
It comprises the chosen features and design strategies
Trust
It is the basis for confidence that the system operates as expected
Two additional aspects of building a Trusted Operating System
The two aspects are implementation, and lifecycle management
Implementation
Creation of the mechanisms, with assurance against unanticipated conditions that may violate the policy
Lifecycle Management
Assuring the management of security throughout the operating system lifecycle
Two important policies
Military and Commercial policies
Two important models
Bell-LaPadula and Biba
Four important design strategies
Trusted Computing Base (kernelized design), layered design, and Multics
Components of a policy
The components are users (subjects), objects, and expectations about which accesses are allowed
Access control primitives (Policy)
Confidentiality and integrity. Military policies are primarily concerned with confidentiality, while commercial policies need both confidentiality and integrity
Mandatory Access Control
Access control decisions are made by the system according to the policy, beyond the control of the individual owner of an object
Discretionary Access Control
The object's owner, or someone authorized by the owner, has the authority to make access control decisions about the object at their own discretion
How to form the groups? (Policy)
They are role-based access control, content-based access control, and procedure-oriented access control
Role-based access control
The group's members are determined by the role or job that each member of that group performs
Content-based access control
Two approaches are appropriate labels, and deep content inspection
Procedure-oriented access control
Operating systems provide limited granularity in what a subject can do with an object; wrapping the object in a procedure that mediates every access lets finer-grained rules be enforced
Military Security Policies
The policies based on the need for protecting information classified at different levels of sensitivity and divided into compartments
Military Security Policy rules
Each object is labeled with its level of sensitivity and compartment. An object is associated with one and only one level of sensitivity. A level of sensitivity is associated with zero or more objects. An object is associated with zero or more compartments. A compartment is associated with zero or more objects
A person who needs access to classified information must be cleared. Clearance of a person is expressed as <sensitivity; compartments>
Set of all possible labels
Set of all possible labels = {levels of sensitivity} x {all possible subsets of the set of compartments}
Lattice Model
A lattice represents a partial ordering of labels by their sensitivity level and compartments. The dominance relationship is the partial order, with the most sensitive information at the top and the least sensitive information at the bottom
The dominance relationship
Subject s can read object o if s dominates o: the sensitivity level of s is at least as high as that of o, and the compartments of s include all the compartments of o
Multilevel Security for Confidentiality of Information
Information is allowed to flow only upward in the lattice, from unclassified toward top secret (from a dominated label to a dominating one), never downward
Aggregation problem
Several information objects put together may yield a more sensitive result than the original information objects themselves
Sanitization problem
Sanitization of a classified document may yield information at a lower level of sensitivity
Commercial Security Policies
Commercial policies are required to: prevent conflicts of interest, deter corporate espionage, protect corporate interests, preserve business process integrity, meet regulatory compliance, and ensure backup
Commercial Security Policy models
The models include the Chinese Wall model and the Clark-Wilson model
Chinese Wall Model
A subject S can access information from one and only one company dataset among the company datasets within a single conflict-of-interest class; once S has accessed one company's data, the wall blocks access to its competitors' data. It prevents conflicts of interest and the aggregation problem
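The Chinese Wall rule above as an added worked example; this is not code from the original flashcards. The conflict-of-interest classes, company dataset names and subject names are all constructed for illustration. The point the card leaves implicit is that the decision depends on the subject's access history, so requests must be evaluated in order.

```python
"""Chinese Wall access decisions over conflict-of-interest classes.

Added example, not code from the original flashcards. The conflict classes,
company datasets and subject names are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple


# Constructed conflict-of-interest classes: datasets of companies that compete.
CONFLICT_CLASSES: Dict[str, Set[str]] = {
    "banking": {"BankA", "BankB"},
    "oil": {"OilX", "OilY"},
}


class ChineseWall:
    """Once a subject touches one company's dataset in a conflict class, every other
    dataset in that class is walled off for that subject; other classes stay open."""

    def __init__(self, conflict_classes: Dict[str, Set[str]]) -> None:
        # Reverse map: dataset -> conflict class it belongs to.
        self.class_of: Dict[str, str] = {
            ds: cls for cls, datasets in conflict_classes.items() for ds in datasets
        }
        # Access history: subject -> {conflict class -> dataset already accessed}.
        self.history: Dict[str, Dict[str, str]] = defaultdict(dict)

    def can_access(self, subject: str, dataset: str) -> bool:
        """Allow if the subject has not yet accessed a *different* dataset of the same class."""
        cls = self.class_of[dataset]  # an unknown dataset raises KeyError on purpose
        prior = self.history[subject].get(cls)
        return prior is None or prior == dataset

    def access(self, subject: str, dataset: str) -> bool:
        """Apply the decision and, if allowed, record it so later decisions honour the wall."""
        if not self.can_access(subject, dataset):
            return False
        self.history[subject][self.class_of[dataset]] = dataset
        return True

    def run(self, subject: str, requests: Iterable[str]) -> List[Tuple[str, bool]]:
        """Evaluate a sequence of requests in order; order matters because history matters."""
        return [(ds, self.access(subject, ds)) for ds in requests]


if __name__ == "__main__":
    wall = ChineseWall(CONFLICT_CLASSES)
    for dataset, allowed in wall.run("carol", ["BankA", "BankB", "BankA", "OilX", "OilY"]):
        print(f"carol -> {dataset}: {'allowed' if allowed else 'blocked by wall'}")
```

Note that the wall is per subject: a second analyst who has never touched the banking class can still open BankB, and the first analyst keeps access to BankA, the dataset she already chose.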
Clark and Wilson Model
The specification of this model includes users, constrained data items (CDIs), and transformation procedures (TPs)
The Bell Lapadula Model (Model)
A multilevel security model based on a finite state machine with well-defined states and transitions among them; the system is secure if every transition preserves the simple security property ("no read up") and the *-property ("no write down")
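The "set of all possible labels", "dominance relationship" and Bell-LaPadula cards above, as one added worked example that is not code from the original flashcards. The level ordering, the compartment names and the sample clearances and classifications are constructed; the join function goes slightly beyond the cards to show how the aggregation problem looks in the lattice (an aggregate of two objects carries their least upper bound, which a subject may not dominate even though it dominates each part).

```python
"""Multilevel security labels, the dominance lattice, and Bell-LaPadula checks.

Added example, not code from the original flashcards. The level ordering, the
compartment names and the sample labels are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import chain, combinations
from typing import FrozenSet, List

# Constructed sensitivity levels, least sensitive first (list index = rank).
LEVELS: List[str] = ["unclassified", "confidential", "secret", "top secret"]
COMPARTMENTS: FrozenSet[str] = frozenset({"crypto", "nuclear", "submarine"})


@dataclass(frozen=True)
class Label:
    """<sensitivity; compartments>, used both as a clearance and as a classification."""
    level: str
    compartments: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        """self dominates other: level at least as high AND compartments a superset."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)


def all_labels() -> List[Label]:
    """Set of all labels = {levels} x {all subsets of compartments}: 4 * 2**3 = 32."""
    comps = sorted(COMPARTMENTS)
    subsets = chain.from_iterable(combinations(comps, r) for r in range(len(comps) + 1))
    return [Label(level, frozenset(s)) for s in subsets for level in LEVELS]


def join(a: Label, b: Label) -> Label:
    """Least upper bound in the lattice: the label an aggregate of a and b must carry."""
    higher = a.level if LEVELS.index(a.level) >= LEVELS.index(b.level) else b.level
    return Label(higher, a.compartments | b.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): the object must dominate the subject, so
    information never flows from a higher label to a lower one."""
    return obj.dominates(subject)


if __name__ == "__main__":
    alice = Label("secret", frozenset({"crypto"}))
    memo = Label("confidential", frozenset({"crypto"}))
    plan = Label("secret", frozenset({"nuclear"}))
    print(len(all_labels()), "labels")
    print("read memo:", can_read(alice, memo), " write memo:", can_write(alice, memo))
    print("read plan:", can_read(alice, plan), " (incomparable compartments)")
    print("read memo+plan aggregate:", can_read(alice, join(memo, plan)))
```

Labels with the same level but disjoint compartments are incomparable: neither dominates the other, so the subject can neither read nor write the object. That is the lattice doing its job, not a bug.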