This action might not be possible to undo. Are you sure you want to continue?
Smart cards a. Smart cards are more tamperproof than memory cards, but individuals have introduced computational errors into smart cards to uncover the encryption keys used and stored on the cards i. Fault generation attack: encryption functions after introducing an error (e.g. by changing input voltage, clock rate, temperature fluctuations) and reviews the correct result, which the card performs when no errors are introduced. Analysis of the difference can allow the attacker to reverse engineer the encryption process to uncover the encryption key. ii. Side channel attacks: nonintrusive; used to uncover sensitive information by monitoring and capturing the analog characteristics of all supply and interface connections and any other electromagnetic radiation produced by the processor during normal operation 1. Differential power analysis – examining the power emissions released during processing 2. Electromagnetic analysis – examining the frequencies emitted 3. Timing – examining how long a specific process takes b. An ISO/IEC standard, 14443 outlines physical characteristics, initialization and anticollision, and transmission protocol for smart cards i. The DoD is rolling out smart cards across all of their agencies and NIST is developing a framework and conformance testing program for interoperability issues c. Software attacks are noninvasive attacks; input an algorithm on the card that will allow the attacker to extract account information d. Microprobing uses needles and ultrasonic vibration to remove the outer protecting material on the card’s circuits so that data can be accessed and manipulated by tapping into the card’s ROM chips Authorization a. Applications, security add-on packages, and resources can provide authorization functionality b. Granting access rights should be based on the level of trust a company has in a subject and the subject’s need to know. Different access criteria can be enforced by roles, groups, location, time, and transaction types i. A role is based on a job assignment or function ii. If several users require the same type of access to information and resources, putting them into a group and then assigning rights and permissions to that group is easier to manage than assigning rights and permissions to each and every individual separately (one way access control is enforced through a logical access control mechanism) iii. Physical or logical location can be used to restrict access to a resource. This restriction is often implemented to restrict unauthorized individuals from reconfiguring the server remotely 1. Logical location restrictions are done through network address restrictions; network administrator ensures that status requests of an
most Kerberos implementations work with shared secret keys Role-based access control . change. delete. Rights and permission reviews have been incorporated into many regulatory induced processes (including SOX regulations) Single Sign-On a. Kerberos is an authentication protocol designed in the mid-1980s that works in a client/server model and is based on symmetric key cryptography and provides end-to-end security i. Time of day is a (logical) access control mechanism. every platform. Authorization creep: As employees rotate. application. To work. IV. in the same format. Need to know principle individuals should be given access only to the information they absolutely require in order to perform their job duties (Management determine the security requirements of individuals and how access is authorized. Access control mechanisms should default to no access (a user can have read. Kerberos is a single sign-on system for distributed environments and the de factor standard for heterogeneous networks iv. thereby posing a risk to a company because too many users have too much privilege access to the company assets i. and 2008 operating systems ii. the user should not be able to access that resource ii. and Linux 4 all use Kerberos authentication iii. Mac OS X. 2002. full control. reliability and security although its open architecture (vendors can customize a protocol) invites interoperability and incompatibility issues v. Used for years in Unix systems and is currently the default authentication method for Windows 2000. transparency. SSO capabilities allow a user to enter credential one time and access all pre-authorized resources in primary and secondary network domains.III. enables the administrator to streamline user accounts and better control access rights b. or no access permissions i. they are assigned more access rights and permissions. If nothing has been specifically configured for an individual or the group she belongs to. the security administrator configures the security mechanisms to fulfill these requirements) e. Most access control lists that work on routers and packet-filtering firewalls default to no access d. Designed specifically to eliminate the need to transmit passwords over the network. Transaction-type restriction can be used to control what data is accessed during certain types of functions and what commands can be executed on the data c. Solaris. Has scalability. It is rare to see a real SSO environment more common to see a cluster of computers and resources that accept the same credentials c. temporal access can also be based on the creation date of a resource v. intrusion detection management console are accepted only from certain computers on the network using software iv. and resource needs to accept the same credentials. and interpret their meanings similarly i.
The access rights can be assigned directly to the subjects (capabilities) or to the objects (ACLs) e. Authorization can be specified to an individual or group i. Physically constraining a user interface can be implemented by providing only certain keys on a keypad or certain touch buttons on a screen d. A capability table specifies the access rights a certain subject posses pertaining to specific objects. used when corporations employ e-mail filters that look for specific strings h. A stateful firewall understands the necessary steps of communication for specific protocols and will not allow packets to go through that do not follow this sequence (stateful – understands the necessary steps of a dialog session) IDS Sensors – filters received data. g. An access control matrix is a table of subjects and objects indicating what actions individual subjects can take on individual objects (usually an attribute of DAC models).g. Menus – the options users are given are the command they execute. the shell only contains the commands the administrators wants the users to be able to execute. Rule-based access is used in other systems and applications (e. Restrict users’ access abilities by preventing them from requesting certain functions or information or accessing specific system resources ii. content filtering) ii. Content-dependent access control – access to objects is determined by the content within the object. iii. Routers and firewalls use rules to determine which types of packets are allowed into a network c. The ticket (token/key) is a capability table. and detects suspicious activity . Constrained User Interfaces i. If restricted shells are used. the ACL corresponds to a column of the matrix. The capability corresponds to the subject’s row in the access control matrix. A capability component is a data structure that contains a unique object identifier and the access rights the subject has to that object f. discards irrelevant information.VI. i. Access control lists are lists of subjects that are authorized to access and specific object (and define what level of authorization is granted). It is the user’s interface to the operating system and works as a command interpreter. Whereas a capability corresponds to a row in the access control matrix. a shell is a type of virtual environment within a system. Kerberos is a capability-based system. Map values from the access control matrix to the object. Firewalls make context-based access decisions when they collect state information on a packet before allowing it into the network ii. Context-dependent access control it based on the context of a collection of information rather than on the sensitivity of the data i. been used in MAC systems as an enforcement mechanism of the complex rules of access that MAC systems provide. Database views are mechanism used to restrict user access to data contained in databases iv.
attacks may go unnoticed. Sensors should be placed in highly sensitive areas.VII. They can be placed outside a firewall to detect attacks and inside a firewall (in the perimeter network) to detect actual instrusions c. The relative addresses are based on a known address with an offset value added. to entice attackers. The indexed memory addresses that software uses are regerred to as logical ddresses. and extranets. the system is not locked down and has open ports and services enabled. It is more difficult for NIDS to work on a switched network because data are transferred through independent virtual circuits and not broadcasted. and this information is displayed to a user and/or captured in logs ii. Hackers can use network sniffers to learn about what type of data is passed over a specific network segment and to modify the data in an unauthorized manner Memory mapping a. The IDS sensor acts as a sniffer and cannot access all traffic in these individual circuits. All the data on each individual virtual private network must be copied and placed on one port (spanning port) where the sensor is located. This enables the administrator to know when certain types of attacks occur so he can fortify the environment and perhaps identify the hacker ii. A honeypot is a computer set up as a “sacrificial lamb” on the network. a. In very high traffic environments. Traffic that is transferred over a network medium is transmitted as electric signals encoded in binary representation. The sniffer must access a network adaptor that works in promiscuous mode and a driver the captures the data. The physical memory addresses that the CPU uses are called absolute addresses. A packet or network sniffer is a general term for programs or devices that can examine traffic on a LAN segment. They honeypot contains no real company information i. The filtered data are stored in a buffer. the intruder is induced to commit a crime) c. A monitoring console monitors all sensors and supplies the network staff with an overview of the activities of all sensors in the network i. VIII. the administrator charges him with trespassing (i. the physical addresses are loaded into the base and limit registers. . Traditional IDs only detects that something bad may be taking place b. When a thread indicates the instructions need to be processed it provides a logical address. i. When an application needs its instructions and data processed by the CPU. i. Enticement: the system only has open ports and services that an attacker might want to exploit iii. multiple sensors should be in place to ensure all packets are investigated Intrusion Prevention Systems a.e. Entrapment: the system has a web page indicating the user can download files then one the user does this. The sniffer has a protocol analysis capability to recognize the different protocol values to properly interpet their meaning. b. ii. DMZs. If the network traffic volume exceeds the IDS system’s threshold.
computer’s hard drive. iv. A garbage collector is software that runs an algorithm to identify unused committd memory and then tell the OS to mark that memory as available Virtual memory a. Routines should erase swap spaces after a processes is done with it and before a system shuts down iv.nonvolatile storage media (e. Absolute addresses are loaded into the CPU’s registers b. Secondary storage. they will be decrypted when used y the controlling program. it should tell the operating system to release the memory so it is available to other applications i. When the application is done with memory. or processes that were using the swap space are terminated. memory manager looks up which segments are allocated w=to that process. the system could write out the data to the swap space on the hard drive. it writes data from memory onto the hard drive.g. keep track of what page frames are residing in RAM and what is available “offline” iii. memory manager returns data held in memory 2. X. When a system fills up its volatile memory space. CPU Modes and Protection Rings a. the pointers to the pages are reset to available even though the actual data written to the disk is still physically there (can be compromised or captured) 1. or data are encrypted and saved on the hard drive. it is allocated a specific memory amount by the operating system. in their unencrypted state. and CD-ROMS) b.IX. file. While these unencrypted data are sitting in RAM. and software drivers ii. The memory manager maps the logical address to the physical address so the CPU knows where the instruction is located. When an application makes a request for a memory segment. Virtual memory – system uses hard drive space to extend its RAM memory space i. Windows use the pagefile. Some applications are written poorly and do not indicate to the system that this memory is no longer in use. 1. applications. maintained by the OS. memory leaks can be caused by OS. iii. Application requests access to memory. Swap space – reserved hard drive space used to extend RAM capabilities. memory manager accesses memory frame for process.sys file to reserve this space ii. Protection rigns provide strict boundaries and definitions for what the processes that work within each ring can access and what operations that can successfully execute . floppy disks. When a system is shut down. it is retrieved from the hard drive back into memory in specific units (pages) a. Hackers can exploit memory leaks using denial-of-service (DoS) attacks iii. Virtual memory paging: When a program requests access to this data. Internal control locks. If a program.
each subject and object is logically assigned a number depending upon the level of trust the OS assigns it. Multics. 1. Processes that operate within the inner rings have more privileges than process operating in the outer rings because the inner rings only permit the most trusted components and processes to operate within them ii. layer 0 controlled access to the processor and provided multiprogramming functionality. layer 2 provided inter-process communication. Protections ring sprovide an intermediate layer between subjects and objects. layer 3 deal with I/O devices. i.XI. . and Unix – separates system functionality into hierarchical layers i. Provide data hiding – instructions and data (packaged up as procedures) at various layers do not have direct access to instructions and data at any other layers 1. the CPU treats this violation as an exception and may shoe a general protection fault or exception error and try to shut down the application c. Processes in the inner rings exist in privileged or supervisor mode while processes in outer rings execute in user ode iii. A monolithic operating system architecture – modules of code can call upon each other as needed. Layered operating system (THE. The most common architecture provides four rings: Ring 0 – operating system kernel. VAX/VMS. The hardware chip is constructed to provide a certain number of rings and the operating system must be developing to work in this ring structure. OS components operate in a ring that gives them the most access to memory locations. Each procedure at each layer has access only to its own data and a set of functions that is requires to carry out its own tasks. THE (Technische Hogeschool Eindhoven) multiprogramming system had five layers of functionality. Ring 1 – Remaining parts of the OS. Ring 3 – Applications and user activity i. layer 5 was the user layout and not implemented directly by THE ii. Entities can only access and directly communicate with objects in their own ring. it makes a request of the OS to perform the necessary tasks through system calls Operating system architecture a. and sensitive configuration parameters. Ring 2 – I/O drivers and utilities. Operating system architecture is the framework that dictates how the OS’s services and functions are placed and how they interact b. peripheral devices. layer 4 was where the application resided. b. When an application needs access to components in rings it cannot directly access. If an application tries to send instructions to the CPU that fall outside its permission level. i. layer 1 carried out memory management. system drivers. The actual ringer architecture used y a system is dictator by the processor and operating system. communication between different modiles is not structured and controlled and data hiding is not provided. MS_DOS is a monolithic operating system c.
Less privileged processes call upon the processes with complete system privileges in the kernel to process sensitive operations . Least privilege – a process has no more privileges than necessary to fulfill its functions i. the client is either a user process or another O/S process ii. For the security kernel to operate. If a process needs to have its status elevated so it can interact directly with a system resource. or process server (called subsystems). I/o server. The client portion of the application resides on the work stations and the server portion is usually a back-end database or server. and attacks at different layers of the system i. and the isolation of processes so their access can be controlled and the activities performed on them can be audited 1. intentional. The requesting process is referred to as the client. each layer should provide its own security and access control 1. a rating is assigned to the system. The goal of a client/server architecture is to move as much code as possible from working in kernel mode (privileged mode) so the system has a leaner kernel (microkernel) 1. The OS functions are divided into different processes that run in user mode i. explicit domains. The serve process can be a file systems server. the process’s status should be dropped as soon as its tasks are complete 1. Multilevel security policies prevent information from flowing from a higher security level to a lower security level c. iii. In a network . When a system is testing against specific criteria. The criteria will determine if the security policy is being properly supported and enforced. A trusted system must have an architecture that provides the capabilities to protect itself from untrusted processes. an application works in a client/server model because it provides distributed computing capabilities. Trust ratings obtained through formal evaluations require a defined subset of subjects and objects. Another approach works within a client/server architecture – portions of software and functionality that were previously in the monolithic kernel are now at the higher levels of the operating system. A monolithic OS provides only ne ayer of security. Modularizing software and code increases the assurance level of the system d. and the processes that fulfills the request is called the server 2. The security kernel comprises all resources that supervise system activity in accordance with the system’s security policy and is part of the operating system that controls access to system resources 1. or accidentally compromises. while in a layered system. the individual processes must be isolated from each other and domains must be defined to dictate which objects are available to which subjects b. memory server. ii. Security Policy – provides the framework for the system’s security architecture a.XII.
A model is a symbolic representation of a policy that maps the desires of policymakers into a set of rules that a computer system must follow i. Security Models a.XIII. the system is secure iii. and evidence of reference monitor enforcement must be available i. The system compares the security labels to ensure that requested actions are acceptable. A given state consists of all current permission and all current instances of subjects accessing the objects. The architecture is based on the Bell-LaPadula security model. Data leaving the system also have an accurate security level. developers of an operating system need to look at different state transitions to determine if a system that starts up in a secure state can be put into an insecure state 2. they must be tested to verify that the overall machine state will not be compromised b. Developers must identify all the initial states (default variable values) and outline how these values can be changed so the resulting values (final states) still ensure the system is safe c. To allow a transition. B1: Labeled Security – each data object must have a classification label. and the system design and implemtnation are subjected to more thorough review . When an object accepts an input. The security model is represented by mathematical relationships and formulas.g. A state machine model provides mathematical constructs that represent sets (subjects and objects) and sequences. [Name. 1. Division B – Mandatory Protection – MAC is enforced through security labels. each subject must have a clearance label. If subjects can access objects only by means that are concurrent with the security policy. which are mapped to system specifications and then developed by programmers through programming code b. Developers must define and identify allowable state transition functions a. this modifies a state variable ( e. Value]) 1. A security model maps the abstract goals of the policy to information system terms by specifying explicit data structures and techniques necessary to enforce the security policy ii. State machine models – an abstract mathematical model that uses state variables to represent the system state i. After the state transition functions are defined. Developers must define what and where the state variables and then define a secure state for each state variable 2. State transitions – activities that can alter the state. The security policy is based on an informal statement and the design specifications are reviewed and verified ii. A system that has employed a state model will be in a secure state in each and every instance of its existence ii. B2: Structured Protection – the security policy is clearly defined and coumented. the object’s security attributes and the access rights of the subject must be reviewed and allowed by the operating system 3.
e. B3: Security Domains – More granularity is provided in each protection mechanism and the programming code that is not necessary to support the security policy is excluded. it must be done in an initial secure state to ensure that any weakness of the system cannot be exploited in this slice of time. The Orange Book emphasizes controlling which users can access a system and not what they can fo with the information once authorized. When the system starts up and loads its operating system and components. Subjects and devices need labels and the system cannot allow covert channels. TCSEC addresses confidentiality but not integrity The Orange Book and Rainbow Series a. A more stringent change configuration is implemented and the overall design can be verified. ii. programmers should use atomic operations when only one system call is used to check authentication and then grant access in one task. Division A: Verified Protection – formal methods used to ensure that all subjects and objects are controlled with the necessary DAC and MAC i. requires more stringent authentication mechanisms and well-defined interfaces among layers. It focuses mainly on one attribute of security – confidentiality iii. To protect against race condition attacks. Formal techniques prove the equivalence between the specifications and the security policy model. . The reference monitor components must be small enough to test and tamperproof. and the level of detail in verification techniques. This should prevent the processor from switiching to another process in between two tasks.XIV. It has a relatively small number of ratings b. etc. It works with government classifications and not the protection classifications commercial industries use iv. A trusted path for logon and authentication processes must exist (that cannot be compromised). Delivery to the customer may also be scrutinized. TOC/TOU countermeasures a. databases. Commercial organizations are more concerned about the integrity of their data. It looks specifically at the OS and not at other issues like networking. Distinct address spaces must isolate processes and a covert channel analysis should be conducted. A1: Verified Design – The assurance of an A1 system is higher than a B3 system because of the formality in the way the A1 system was designed. iii. XV. The security administrator role is clearly defined. d. the way the specifications were developed. Many people within the security field have pointed out several deficiencies in the Orange Book when it is being applied to systems that are to be used in commercial areas i. Operator and administration functions are separated within the system to provide more trusted and protected operational functionality. and testing procedures. The Orange Book mainly addresses government and military requirements and expectations for their computer systems.
or to accomplish a specific task by pushing into the memory segment a carefully crafted set of data 1. Requesting applications must conduct bounds checking to ensure the inputted data are of an acceptable length e. Software may be written to accept data from a user. i. To avoid TOC/TOU attacks. . Locks can be applied to files easily but it is more difficult to secure database components and table entries XVI. Data accepted from an outside entity is placed in a variable which resides in a buffer. A procedure is code than can carry out a specific type of function on the data and return the result to the requesting software. When the software calls upon a procedure to execute. A buffer is an allocated segment of memory. followed by the commands the attacker wants executed. i. The applications places on top of the return pointer the rest of the data inputted and sends a request to the procedure to execute the calculation c. The buffers can hold data which are placed on a memory stack XVII. The purpose of a buffer flow may be to make a mess by shoving arbitrary data into various memory segments. ii. the operating system should apply software locks to items it will use when it is carrying out its “checking” tasks (e. website. This allows the malicious instructions to be executed in the security context of the requesting application.g. iii. In a carefully crafter buffer overflow attack. a. The stack is just a segment in memory that allows communication between the requesting application and procedure or subroutine i. Parameters are passed into empty variables and put into a linear construct (memory stack) which acts like a queue for the procedure to pull from while it carries out a calculation a. it stacks the necessary instructions and data in a memory segment for the procedure to read from. database or another application. When a programmer writes a piece of software that will accept data. the stack is filled properly so the return pointer can be overwritten and control is given to the malicious instructions that have been loaded onto the stack instead of back to the requesting application.b. b. The task could be to open a command shell with administrative privilege or execute malicious code b. The return pointer is a pointer to the requesting application’s memory address that tells the procedure to return control to the requesting application after the procedure has worked through all values on the stack. if a user requests access to a file. An attacker can insert code of a specific length into the bugger. Buffer Overflows – occur when too much data are accepted as input to an application or operating system. while the system is validating the user’s authorization. The procedure takes the data off the stack starting at the top and carries out its functions on all the data and returns the result and control back to the application once it hits the return pointer d. it should put a software lock on the file being requested) i. The buffer must be the right size to accept the inputted data. this data will be stored in a variable.
it calls upon a system service via an API call. Specific commands can provide access to low-level memory addresses without carrying out bounds checking The C functions that do perform the necessary boundary checking include strncpy(). i. When a procedure needs to call on the oepratin gsystem to conduct some task. ii. When a buffer overflow is identified. and vsnprintf().f. strncat(). Windows’ core is written in the C language and has layers and layers of object-oriented code on top of it. Some products installed on systems can alsowatch for input values that might result in buffer overflows . The C language is susceptible to buffer overflow attacks because it allows for direct pointer manipulations to occur. the vendor usually sends out a patch. snprintf().