This action might not be possible to undo. Are you sure you want to continue?
Smart cards a. Smart cards are more tamperproof than memory cards, but individuals have introduced computational errors into smart cards to uncover the encryption keys used and stored on the cards i. Fault generation attack: encryption functions after introducing an error (e.g. by changing input voltage, clock rate, temperature fluctuations) and reviews the correct result, which the card performs when no errors are introduced. Analysis of the difference can allow the attacker to reverse engineer the encryption process to uncover the encryption key. ii. Side channel attacks: nonintrusive; used to uncover sensitive information by monitoring and capturing the analog characteristics of all supply and interface connections and any other electromagnetic radiation produced by the processor during normal operation 1. Differential power analysis – examining the power emissions released during processing 2. Electromagnetic analysis – examining the frequencies emitted 3. Timing – examining how long a specific process takes b. An ISO/IEC standard, 14443 outlines physical characteristics, initialization and anticollision, and transmission protocol for smart cards i. The DoD is rolling out smart cards across all of their agencies and NIST is developing a framework and conformance testing program for interoperability issues c. Software attacks are noninvasive attacks; input an algorithm on the card that will allow the attacker to extract account information d. Microprobing uses needles and ultrasonic vibration to remove the outer protecting material on the card’s circuits so that data can be accessed and manipulated by tapping into the card’s ROM chips Authorization a. Applications, security add-on packages, and resources can provide authorization functionality b. Granting access rights should be based on the level of trust a company has in a subject and the subject’s need to know. Different access criteria can be enforced by roles, groups, location, time, and transaction types i. A role is based on a job assignment or function ii. If several users require the same type of access to information and resources, putting them into a group and then assigning rights and permissions to that group is easier to manage than assigning rights and permissions to each and every individual separately (one way access control is enforced through a logical access control mechanism) iii. Physical or logical location can be used to restrict access to a resource. This restriction is often implemented to restrict unauthorized individuals from reconfiguring the server remotely 1. Logical location restrictions are done through network address restrictions; network administrator ensures that status requests of an
the user should not be able to access that resource ii. change. full control. thereby posing a risk to a company because too many users have too much privilege access to the company assets i. intrusion detection management console are accepted only from certain computers on the network using software iv. Designed specifically to eliminate the need to transmit passwords over the network. Used for years in Unix systems and is currently the default authentication method for Windows 2000. Solaris. they are assigned more access rights and permissions. every platform. enables the administrator to streamline user accounts and better control access rights b. transparency.III. Kerberos is a single sign-on system for distributed environments and the de factor standard for heterogeneous networks iv. application. Time of day is a (logical) access control mechanism. Need to know principle individuals should be given access only to the information they absolutely require in order to perform their job duties (Management determine the security requirements of individuals and how access is authorized. Transaction-type restriction can be used to control what data is accessed during certain types of functions and what commands can be executed on the data c. reliability and security although its open architecture (vendors can customize a protocol) invites interoperability and incompatibility issues v. most Kerberos implementations work with shared secret keys Role-based access control . temporal access can also be based on the creation date of a resource v. To work. Kerberos is an authentication protocol designed in the mid-1980s that works in a client/server model and is based on symmetric key cryptography and provides end-to-end security i. Access control mechanisms should default to no access (a user can have read. in the same format. SSO capabilities allow a user to enter credential one time and access all pre-authorized resources in primary and secondary network domains. and Linux 4 all use Kerberos authentication iii. and interpret their meanings similarly i. If nothing has been specifically configured for an individual or the group she belongs to. Rights and permission reviews have been incorporated into many regulatory induced processes (including SOX regulations) Single Sign-On a. delete. Has scalability. It is rare to see a real SSO environment more common to see a cluster of computers and resources that accept the same credentials c. Mac OS X. IV. the security administrator configures the security mechanisms to fulfill these requirements) e. Authorization creep: As employees rotate. and 2008 operating systems ii. and resource needs to accept the same credentials. 2002. Most access control lists that work on routers and packet-filtering firewalls default to no access d. or no access permissions i.
The access rights can be assigned directly to the subjects (capabilities) or to the objects (ACLs) e. Context-dependent access control it based on the context of a collection of information rather than on the sensitivity of the data i. i. and detects suspicious activity . been used in MAC systems as an enforcement mechanism of the complex rules of access that MAC systems provide. discards irrelevant information. Constrained User Interfaces i. A capability component is a data structure that contains a unique object identifier and the access rights the subject has to that object f. iii. Restrict users’ access abilities by preventing them from requesting certain functions or information or accessing specific system resources ii. Authorization can be specified to an individual or group i. Physically constraining a user interface can be implemented by providing only certain keys on a keypad or certain touch buttons on a screen d. Firewalls make context-based access decisions when they collect state information on a packet before allowing it into the network ii. g. the shell only contains the commands the administrators wants the users to be able to execute. Routers and firewalls use rules to determine which types of packets are allowed into a network c. The capability corresponds to the subject’s row in the access control matrix. Rule-based access is used in other systems and applications (e. Kerberos is a capability-based system. Database views are mechanism used to restrict user access to data contained in databases iv. The ticket (token/key) is a capability table. A stateful firewall understands the necessary steps of communication for specific protocols and will not allow packets to go through that do not follow this sequence (stateful – understands the necessary steps of a dialog session) IDS Sensors – filters received data. Content-dependent access control – access to objects is determined by the content within the object. A capability table specifies the access rights a certain subject posses pertaining to specific objects. Access control lists are lists of subjects that are authorized to access and specific object (and define what level of authorization is granted). An access control matrix is a table of subjects and objects indicating what actions individual subjects can take on individual objects (usually an attribute of DAC models).VI. If restricted shells are used. Map values from the access control matrix to the object.g. It is the user’s interface to the operating system and works as a command interpreter. content filtering) ii. the ACL corresponds to a column of the matrix. Whereas a capability corresponds to a row in the access control matrix. a shell is a type of virtual environment within a system. Menus – the options users are given are the command they execute. used when corporations employ e-mail filters that look for specific strings h.
The IDS sensor acts as a sniffer and cannot access all traffic in these individual circuits. All the data on each individual virtual private network must be copied and placed on one port (spanning port) where the sensor is located. Sensors should be placed in highly sensitive areas. to entice attackers. The physical memory addresses that the CPU uses are called absolute addresses. This enables the administrator to know when certain types of attacks occur so he can fortify the environment and perhaps identify the hacker ii. The sniffer must access a network adaptor that works in promiscuous mode and a driver the captures the data. They can be placed outside a firewall to detect attacks and inside a firewall (in the perimeter network) to detect actual instrusions c. multiple sensors should be in place to ensure all packets are investigated Intrusion Prevention Systems a.e. A honeypot is a computer set up as a “sacrificial lamb” on the network. Enticement: the system only has open ports and services that an attacker might want to exploit iii. It is more difficult for NIDS to work on a switched network because data are transferred through independent virtual circuits and not broadcasted. If the network traffic volume exceeds the IDS system’s threshold. The filtered data are stored in a buffer. and this information is displayed to a user and/or captured in logs ii. In very high traffic environments. attacks may go unnoticed. i. The indexed memory addresses that software uses are regerred to as logical ddresses. ii. The sniffer has a protocol analysis capability to recognize the different protocol values to properly interpet their meaning. A monitoring console monitors all sensors and supplies the network staff with an overview of the activities of all sensors in the network i. Traffic that is transferred over a network medium is transmitted as electric signals encoded in binary representation. the physical addresses are loaded into the base and limit registers. i. When a thread indicates the instructions need to be processed it provides a logical address. They honeypot contains no real company information i. DMZs. the intruder is induced to commit a crime) c.VII. the administrator charges him with trespassing (i. When an application needs its instructions and data processed by the CPU. b. Hackers can use network sniffers to learn about what type of data is passed over a specific network segment and to modify the data in an unauthorized manner Memory mapping a. VIII. Entrapment: the system has a web page indicating the user can download files then one the user does this. Traditional IDs only detects that something bad may be taking place b. The relative addresses are based on a known address with an offset value added. and extranets. . the system is not locked down and has open ports and services enabled. a. A packet or network sniffer is a general term for programs or devices that can examine traffic on a LAN segment.
keep track of what page frames are residing in RAM and what is available “offline” iii. the pointers to the pages are reset to available even though the actual data written to the disk is still physically there (can be compromised or captured) 1. A garbage collector is software that runs an algorithm to identify unused committd memory and then tell the OS to mark that memory as available Virtual memory a. iv. memory leaks can be caused by OS. or data are encrypted and saved on the hard drive. maintained by the OS. floppy disks. While these unencrypted data are sitting in RAM. X.g. Swap space – reserved hard drive space used to extend RAM capabilities. When an application makes a request for a memory segment. Virtual memory paging: When a program requests access to this data. The memory manager maps the logical address to the physical address so the CPU knows where the instruction is located. When the application is done with memory. and CD-ROMS) b. memory manager returns data held in memory 2. 1. memory manager accesses memory frame for process. Virtual memory – system uses hard drive space to extend its RAM memory space i. memory manager looks up which segments are allocated w=to that process.IX. it writes data from memory onto the hard drive. Secondary storage. When a system fills up its volatile memory space. Some applications are written poorly and do not indicate to the system that this memory is no longer in use. the system could write out the data to the swap space on the hard drive. or processes that were using the swap space are terminated. file. If a program. it is retrieved from the hard drive back into memory in specific units (pages) a. When a system is shut down. they will be decrypted when used y the controlling program.sys file to reserve this space ii. Internal control locks. applications. iii. Hackers can exploit memory leaks using denial-of-service (DoS) attacks iii. Absolute addresses are loaded into the CPU’s registers b. it is allocated a specific memory amount by the operating system. Application requests access to memory.nonvolatile storage media (e. it should tell the operating system to release the memory so it is available to other applications i. Windows use the pagefile. computer’s hard drive. in their unencrypted state. CPU Modes and Protection Rings a. and software drivers ii. Routines should erase swap spaces after a processes is done with it and before a system shuts down iv. Protection rigns provide strict boundaries and definitions for what the processes that work within each ring can access and what operations that can successfully execute .
i. Ring 3 – Applications and user activity i. b. system drivers. VAX/VMS. 1. the CPU treats this violation as an exception and may shoe a general protection fault or exception error and try to shut down the application c. A monolithic operating system architecture – modules of code can call upon each other as needed. layer 1 carried out memory management.XI. layer 0 controlled access to the processor and provided multiprogramming functionality. MS_DOS is a monolithic operating system c. Ring 2 – I/O drivers and utilities. layer 5 was the user layout and not implemented directly by THE ii. layer 2 provided inter-process communication. Processes that operate within the inner rings have more privileges than process operating in the outer rings because the inner rings only permit the most trusted components and processes to operate within them ii. peripheral devices. . If an application tries to send instructions to the CPU that fall outside its permission level. OS components operate in a ring that gives them the most access to memory locations. Protections ring sprovide an intermediate layer between subjects and objects. The actual ringer architecture used y a system is dictator by the processor and operating system. layer 4 was where the application resided. The most common architecture provides four rings: Ring 0 – operating system kernel. Each procedure at each layer has access only to its own data and a set of functions that is requires to carry out its own tasks. THE (Technische Hogeschool Eindhoven) multiprogramming system had five layers of functionality. each subject and object is logically assigned a number depending upon the level of trust the OS assigns it. Entities can only access and directly communicate with objects in their own ring. communication between different modiles is not structured and controlled and data hiding is not provided. i. Processes in the inner rings exist in privileged or supervisor mode while processes in outer rings execute in user ode iii. When an application needs access to components in rings it cannot directly access. Multics. Ring 1 – Remaining parts of the OS. and Unix – separates system functionality into hierarchical layers i. and sensitive configuration parameters. it makes a request of the OS to perform the necessary tasks through system calls Operating system architecture a. Operating system architecture is the framework that dictates how the OS’s services and functions are placed and how they interact b. layer 3 deal with I/O devices. The hardware chip is constructed to provide a certain number of rings and the operating system must be developing to work in this ring structure. Layered operating system (THE. Provide data hiding – instructions and data (packaged up as procedures) at various layers do not have direct access to instructions and data at any other layers 1.
and attacks at different layers of the system i. The criteria will determine if the security policy is being properly supported and enforced. Multilevel security policies prevent information from flowing from a higher security level to a lower security level c. the process’s status should be dropped as soon as its tasks are complete 1. A trusted system must have an architecture that provides the capabilities to protect itself from untrusted processes. explicit domains. the individual processes must be isolated from each other and domains must be defined to dictate which objects are available to which subjects b. an application works in a client/server model because it provides distributed computing capabilities. memory server. When a system is testing against specific criteria. a rating is assigned to the system. In a network . The security kernel comprises all resources that supervise system activity in accordance with the system’s security policy and is part of the operating system that controls access to system resources 1. ii.XII. The serve process can be a file systems server. I/o server. Least privilege – a process has no more privileges than necessary to fulfill its functions i. For the security kernel to operate. A monolithic OS provides only ne ayer of security. each layer should provide its own security and access control 1. Trust ratings obtained through formal evaluations require a defined subset of subjects and objects. Modularizing software and code increases the assurance level of the system d. or process server (called subsystems). The goal of a client/server architecture is to move as much code as possible from working in kernel mode (privileged mode) so the system has a leaner kernel (microkernel) 1. the client is either a user process or another O/S process ii. Less privileged processes call upon the processes with complete system privileges in the kernel to process sensitive operations . The requesting process is referred to as the client. The OS functions are divided into different processes that run in user mode i. and the isolation of processes so their access can be controlled and the activities performed on them can be audited 1. while in a layered system. Another approach works within a client/server architecture – portions of software and functionality that were previously in the monolithic kernel are now at the higher levels of the operating system. or accidentally compromises. The client portion of the application resides on the work stations and the server portion is usually a back-end database or server. If a process needs to have its status elevated so it can interact directly with a system resource. and the processes that fulfills the request is called the server 2. iii. intentional. Security Policy – provides the framework for the system’s security architecture a.
The security model is represented by mathematical relationships and formulas. A model is a symbolic representation of a policy that maps the desires of policymakers into a set of rules that a computer system must follow i. Division B – Mandatory Protection – MAC is enforced through security labels. The architecture is based on the Bell-LaPadula security model. A state machine model provides mathematical constructs that represent sets (subjects and objects) and sequences. the system is secure iii. A given state consists of all current permission and all current instances of subjects accessing the objects. and evidence of reference monitor enforcement must be available i. A security model maps the abstract goals of the policy to information system terms by specifying explicit data structures and techniques necessary to enforce the security policy ii. developers of an operating system need to look at different state transitions to determine if a system that starts up in a secure state can be put into an insecure state 2. State machine models – an abstract mathematical model that uses state variables to represent the system state i. Value]) 1. Security Models a. Data leaving the system also have an accurate security level. each subject must have a clearance label. the object’s security attributes and the access rights of the subject must be reviewed and allowed by the operating system 3. A system that has employed a state model will be in a secure state in each and every instance of its existence ii. After the state transition functions are defined. State transitions – activities that can alter the state. and the system design and implemtnation are subjected to more thorough review . When an object accepts an input. which are mapped to system specifications and then developed by programmers through programming code b. Developers must identify all the initial states (default variable values) and outline how these values can be changed so the resulting values (final states) still ensure the system is safe c. 1. To allow a transition. Developers must define what and where the state variables and then define a secure state for each state variable 2. Developers must define and identify allowable state transition functions a. [Name.XIII. they must be tested to verify that the overall machine state will not be compromised b. B2: Structured Protection – the security policy is clearly defined and coumented. If subjects can access objects only by means that are concurrent with the security policy. B1: Labeled Security – each data object must have a classification label. this modifies a state variable ( e. The system compares the security labels to ensure that requested actions are acceptable.g. The security policy is based on an informal statement and the design specifications are reviewed and verified ii.
The Orange Book mainly addresses government and military requirements and expectations for their computer systems.XIV. TCSEC addresses confidentiality but not integrity The Orange Book and Rainbow Series a. Subjects and devices need labels and the system cannot allow covert channels. B3: Security Domains – More granularity is provided in each protection mechanism and the programming code that is not necessary to support the security policy is excluded. It focuses mainly on one attribute of security – confidentiality iii. Distinct address spaces must isolate processes and a covert channel analysis should be conducted. e. and the level of detail in verification techniques. requires more stringent authentication mechanisms and well-defined interfaces among layers. programmers should use atomic operations when only one system call is used to check authentication and then grant access in one task. It looks specifically at the OS and not at other issues like networking. To protect against race condition attacks. the way the specifications were developed. A1: Verified Design – The assurance of an A1 system is higher than a B3 system because of the formality in the way the A1 system was designed. Operator and administration functions are separated within the system to provide more trusted and protected operational functionality. When the system starts up and loads its operating system and components. etc. A trusted path for logon and authentication processes must exist (that cannot be compromised). The reference monitor components must be small enough to test and tamperproof. it must be done in an initial secure state to ensure that any weakness of the system cannot be exploited in this slice of time. Delivery to the customer may also be scrutinized. ii. . and testing procedures. Formal techniques prove the equivalence between the specifications and the security policy model. Division A: Verified Protection – formal methods used to ensure that all subjects and objects are controlled with the necessary DAC and MAC i. Commercial organizations are more concerned about the integrity of their data. It works with government classifications and not the protection classifications commercial industries use iv. Many people within the security field have pointed out several deficiencies in the Orange Book when it is being applied to systems that are to be used in commercial areas i. It has a relatively small number of ratings b. databases. A more stringent change configuration is implemented and the overall design can be verified. d. TOC/TOU countermeasures a. The Orange Book emphasizes controlling which users can access a system and not what they can fo with the information once authorized. XV. iii. The security administrator role is clearly defined. This should prevent the processor from switiching to another process in between two tasks.
b. In a carefully crafter buffer overflow attack. An attacker can insert code of a specific length into the bugger. Locks can be applied to files easily but it is more difficult to secure database components and table entries XVI. website. i. Buffer Overflows – occur when too much data are accepted as input to an application or operating system.b. The stack is just a segment in memory that allows communication between the requesting application and procedure or subroutine i. this data will be stored in a variable. it stacks the necessary instructions and data in a memory segment for the procedure to read from. The return pointer is a pointer to the requesting application’s memory address that tells the procedure to return control to the requesting application after the procedure has worked through all values on the stack. The buffer must be the right size to accept the inputted data. The applications places on top of the return pointer the rest of the data inputted and sends a request to the procedure to execute the calculation c. followed by the commands the attacker wants executed. The buffers can hold data which are placed on a memory stack XVII. Parameters are passed into empty variables and put into a linear construct (memory stack) which acts like a queue for the procedure to pull from while it carries out a calculation a. it should put a software lock on the file being requested) i.g. The purpose of a buffer flow may be to make a mess by shoving arbitrary data into various memory segments. When a programmer writes a piece of software that will accept data. A buffer is an allocated segment of memory. if a user requests access to a file. . A procedure is code than can carry out a specific type of function on the data and return the result to the requesting software. Software may be written to accept data from a user. Data accepted from an outside entity is placed in a variable which resides in a buffer. The procedure takes the data off the stack starting at the top and carries out its functions on all the data and returns the result and control back to the application once it hits the return pointer d. To avoid TOC/TOU attacks. the operating system should apply software locks to items it will use when it is carrying out its “checking” tasks (e. database or another application. This allows the malicious instructions to be executed in the security context of the requesting application. while the system is validating the user’s authorization. Requesting applications must conduct bounds checking to ensure the inputted data are of an acceptable length e. The task could be to open a command shell with administrative privilege or execute malicious code b. a. ii. the stack is filled properly so the return pointer can be overwritten and control is given to the malicious instructions that have been loaded onto the stack instead of back to the requesting application. i. When the software calls upon a procedure to execute. or to accomplish a specific task by pushing into the memory segment a carefully crafted set of data 1. iii.
f. When a buffer overflow is identified. The C language is susceptible to buffer overflow attacks because it allows for direct pointer manipulations to occur. the vendor usually sends out a patch. ii. snprintf(). When a procedure needs to call on the oepratin gsystem to conduct some task. i. strncat(). Specific commands can provide access to low-level memory addresses without carrying out bounds checking The C functions that do perform the necessary boundary checking include strncpy(). Windows’ core is written in the C language and has layers and layers of object-oriented code on top of it. Some products installed on systems can alsowatch for input values that might result in buffer overflows . and vsnprintf(). it calls upon a system service via an API call.
This action might not be possible to undo. Are you sure you want to continue?