Term
Formal Models of Security |
|
Definition
Define Security Levels: A > B > C
Subject X is Level A, Subject Y is Level B
Rule: Access (S,O) if and only if Level(S) >= Level(O) |
|
|
Term
|
Definition
Define Security Policy for reference monitor: Allow(Subject, Object, Access) -> {True, False}
For example, Allow(S,O,A) <- -> Owner(S,O) OR IsAdmin(S)
|
|
|
Term
| Bell-LaPadula Policy Model (Short Def) |
|
Definition
Short: hierarchial levels, no read-up, no write-down.
The model focuses on data confidentiality and controlled acces to classified information. |
|
|
Term
|
Definition
Long:
a. There are four componets: (1) Subjects, (2) Objects, (3) Modes of access: read, write, execute, and (4) Security Levels
b. There are three principles:
(1) Simple security property: Read only if Level(S) >= Level(O)
(2) Confinement property (aka. "star" property): Write only if Level(O) >= Level(S).
(3) Tranquility principle: An operation may not change the classification level of the subject.
Issue:
Confidentiality of data is protected, but the fact that users with lower privileges are permitted to write data to objects with a higher sensitivity level does not sit well in many environments.
|
|
|
Term
|
Definition
This security model is directed toward data integrity (rather than confidentiality) and is characterized by the phrase: "no read down, no write up".
The model is designed so that subjects may not corrupt objects in a level ranked higher than the subject, or be corrupted by objects from a lower level than the subject.
In general the model was developed to circumvent a weakness in the Bell-LaPadula which only addresses data confidentiality. |
|
|
Term
|
Definition
The model is primarily concerned with formalizing the notion of information integrity.
The model’s enforcement and certification rules define data items and processes that provide the basis for an integrity policy. The core of the model is based on the notion of a transaction.
- A well-formedtransaction is a series of operations that transition a system from one consistent state to another consistent state.
- In this model the integrity policy addresses the integrity of the transactions.
- The principle of separation of duty requires that the certifier of a transaction and the implementer be different entities.
|
|
|
Term
|
Definition
| Mandatory Access Control (MAC) |
|
|
Term
|
Definition
| Discretionary Access Control (DAC) |
|
|
Term
|
Definition
An abstract machine that mediates all access control decisions.
|
|
|
Term
| Reference Validation Mechanism (RVM) |
|
Definition
| An implementation of a reference monitor. |
|
|
Term
|
Definition
| Software+hardware that implements a reference monitor. |
|
|
Term
| Trusted Computing Base (TCB) |
|
Definition
| All protection mechanism that enforce security policy. |
|
|
Term
| Target of Evaluation (ToE) |
|
Definition
| The subject of evaluation (system or product). |
|
|
Term
| A formal security evaluation requires: (four things) |
|
Definition
1) A system's functional requirements.
2) A system's assurance requirements.
3) A methodology to determine if the system meets these requirements.
4) a measure of evaluation (i.e., a level of trust). |
|
|
Term
| A formal evaluation methodolody is: |
|
Definition
| A technique used to provide a measure of trust based on the security requirements and evidence that the system has met them. |
|
|
Term
| Orange Book Model (a.k.a. Trusted Computer System Evaluation Criteria [TCSEC]) |
|
Definition
| A United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. It is was used to evaluate, classify and select computer systems being considered for the processing, storage and retrieval of sensitive or classified information. |
|
|
Term
| Orange Book Fundamental Objectives |
|
Definition
1) Security Policy
1a. DAC requirements
1b. Object reuse requirements: Threats of an attacker gathering information from cache and disk
1c. MAC requirements: BLP, etc.
1d. Marking, i.e., label requirements for subject and objects
2) Accountability
2a. Identification reqs
2b. Authentication reqs
2c. Trusted path reqs: How to communicatio between the TCB and the user process
2d. Audit requirements
3) Assurance
4) Documentation. |
|
|
Term
| Criticism of Orange Book Criteria |
|
Definition
1) Mixes various levels of abstration in a single document
2) Does not address integrity of data
3) Combines functionality and assurance in a single linear rating scale. |
|
|
Term
|
Definition
| Focused on security devices and feature, rather than systems security requirements, it is a framework in which computer system users can specify their security functional and assurance requirements, vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. I.e., it provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner. |
|
|
Term
|
Definition
| An information assurance (IA) concept in which multiple layers of security controls are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited which can cover aspects of personnel, procedural, technical and physical for the duration of the system's life cycle. |
|
|
Term
| Data Centric Model Encryption Approaches (two) |
|
Definition
1) File Level
2) Field level |
|
|
Term
Data Centric Model: Encryption Approach: File Level
(examples) |
|
Definition
1) Discretionary Digital Rights Management (DDRM)
2) Manadtory Digital Rights Management (DRM) or Network Tethering |
|
|
Term
Data Centric Model: Encryption Approach: Field Level
(Examples) |
|
Definition
1) Database-level encryption
2) Application field level encryption |
|
|
Term
Data Centric Model: Discretionary Digital Rights Management (DDRM)
(User path) |
|
Definition
1) User Creates file
2) User selects community with which to share file
3) Software retrieves key for community and encrypts file
4) User shares file with community member
5) Member decrypts file using local key |
|
|
Term
Data Centric Model: Discretionary Digital Rights Management (DDRM)
(Pros and Cons) |
|
Definition
Pros:
1) Allows mobile users to accress information remotely with minimal exposure to theft
2) Technology is mature (e.g., PKI, PGP, etc.)
Cons:
1) Mobile users may copy information to unencrypted media
2) Allows users to decide when to encrypt information
3) Admins have super-decryption keys
|
|
|
Term
Data Centric Model: Network Tethering or Mandatory Digital Rights Management (MDRM) or just DRM
(User path) |
|
Definition
1. User Creates file
2. User selects community with which to share information
3. Software retrieves key for community, encrypts file and stores on secure storage
4. User share file with community member.
5. Member must authenticate within network to retrieve key and view file. |
|
|
Term
Data Centric Model: Network Tethering or Mandatory Digital Rights Management (MDRM) or just DRM
(Pros and Cons) |
|
Definition
Pros:
1) Allows mobile users to accress information remotely while data never leaves netork.
2) Technology is mature (e.g., PKI, SSL, etc.)
Cons:
1) Mobile users may copy information to unencrypted media, usually with difficulty.
2) Allows users to decide when to encrypt information
3) Admins have super-decryption keys |
|
|
Term
| Data Centric Model: Database Level (User Path) |
|
Definition
1. Database Administrator (DBA) createa database scema, specifying fields requrieing encryption.
2. DBA grants rights to certain application community (perhaps at server level)
3. DBMS encrypts specified fields with keys and restricts key access to application users.
4. All users log into app to either store or retrieve data. |
|
|
Term
| Data Centric Model: Database Level (Pros and Cons) |
|
Definition
Pros:
1) Users cannot copy unencrypted data in bulk, restricted to application functionality.
2) Does not rely on correct user behavior or application code.
Cons:
1) DBA and Application Support still have keys to kingdom (though may be audited)
2) Anyone with direct DB access using application DB ID may still bulk-download (audit not likely)
3) Makes cross-DB queries difficult if not impossible. |
|
|
Term
Application Field Level (sometimes just Field Level)
(User path) |
|
Definition
1) Application developer designs encrytion Application Programming Interfaces (APIs) that encrypt prior to store and decrypt up DB retrieval; DB schema is equipped with shadow query field.
2) Application admin grants rights to users based on need to know
3) APIs encrypt specified fields with keys encrypted by user-level keys and requires user to present private key to decrypt.
4) All users log into app and present keys to store or retrieve data. |
|
|
Term
Application Field Level (sometimes just Field Level)
(Pros and Cons) |
|
Definition
Pros:
1) Users cannot copy unencrypted data in bulk, restricted to application functionality.
2) Technology is mature (e.g., PKI, SSL, etc.)
Cons:
1) Correct implementation relies on application source code.
2) Shadow field may introduce synchronization issues
3) Super-admin still has keys to kingdon (though can be minimized via obscurity) |
|
|
Term
| Functional Model: What are the main parts? |
|
Definition
1) Identity and Entitlements
2) Information Confidentiality and Integriy Mechanisms
3) Configuration
4) Real Time Monitor
5) Log Management
6) Alerting Mchanisms
7) Recovery Processes |
|
|
Term
| Functional Model: Identity Management |
|
Definition
| Authoritative lists of authorized users combine with identity verification capability. |
|
|
Term
| Functional Model: Entitlements |
|
Definition
| Map from identities to data-driven business requirements for access control |
|
|
Term
| Functional Model: Confidentiality and Integrity Mechanisms |
|
Definition
| Access control embedded in business logic |
|
|
Term
| Functional Model: Configuration |
|
Definition
| Security mechanisms suchs as Single Sign On, Network Isolation, Platform Authorization, and Monitoring Configurations |
|
|
Term
| Functional Model: Real Time Monitor |
|
Definition
| Identifies configuration change events that should cause alerts |
|
|
Term
| Functional Model: Log Management |
|
Definition
| Records and detects indications of obvious harm or patterns of suspicious activities |
|
|
Term
| Functional Model: Alerting Mechanisms |
|
Definition
| Initiates automated or manual incident response and, if necessary, recovery |
|
|
Term
| Functional Model: Recovery Processes |
|
Definition
| Methods for maintaining data integrity and availability as well as configuration integrity |
|
|
Term
Services Model (Main Parts) |
|
Definition
A. Prevent
1) Authenication
2) Authorization
3) Acces Control Enforcement
4) Transaction Privacy
5) Non-repudiation
6) Protected Communications
B. Recover
7) Audit
8) Proof of wholeness
9) Restore "Secure" state
10) Intrusion Detection and Containment
C. Support
11) Identification (and naming)
12) Cryptographic Key Management
13) Security Administration
14) System Protections (least privilege, object reuse, process separtion, etc.) |
|
|
Term
| Domain Level Model (High level breakdown) |
|
Definition
Breaks systems into:
A. Layers: Are a hierarchy of equipment and facilities groupings.
1) Infrastructure Security layer
2) Services Security Layer
3) Applications Security Layer
B. Planes: Represent the types of activities that occur on a network.
1) Management Security Plane
2) Control/Signaling Security Plane
3) End-User Security Plane
Each security plane is applied to every security layer to yield nine security perspectives. |
|
|
Term
Agile Security Patterns (acronym definition)
|
|
Definition
SAREPH
S - Self organizing
A - Adapting to upredictable situations with reconfigurable, readily employed resources
R - Reactively resilient: Able to continue, perhaps with reduced functionality, while recovering.
E - Evolving in concert with a changing environment
P - Proactively innovative: acting preemptively, perhaps unpredictably, to gain advantage
H - Harmonious with system purpose: aiding rather than degrading system and user productivity. |
|
|
Term
| Situational Pattern Example: Dynamic Phalanx Defense |
|
Definition
Intercept and disperse; resource accepts requests as desired
|
|
|
Term
| Situational Pattern Example: Peer Behavior Monitoring |
|
Definition
| A peer goes bad; some peers note and report or decide locally |
|
|
