Ch. 5 Security Architecture

System Architecture - 3 main components

CPU � Central Processing UnitStorage devices � includes both long and short-term storage, such as memory and diskPeripherals � includes both input and output devices, such as keyboards and printer

ALU

Arithmetic Logic Unit - Performs mathematical and logical operations on the CPU ("brain of the CPU")

registerGeneral RegistersSpecial Registers

Temporary storage locationGeneral Registers - Hold variables and temporary results from ALU (scratch pad)Special Registers - dedicated registers hold information .. program counter, stack pointer, and program status word (PSW)

Control Unit

manages and synchronizes the system while different applications are running. Overseas instruction sets, fetches the code, interprets the coed (Traffic cop).

Program Counter Register

Contains the memory address of the next instruction to be fetched (secretary and boss)

Stack

Memory segment the process can read from and write to .. cafeteria trays ("last in, first off)

PSW

Program status word - holds condition bits. user mode (problem state) - for application instructionsprivileged mod (kernal or supervisor mode) - for operating system instructions

Address bus

A hardwired connection to the RAM chips in the system and the individual I/O devices (Cd-rom, USB, hard drive)

Data bus

The circuitry associated with the memory or I/O device recognizes the address the CPU sent down the address bus and instructs the memory or device to read the requested data and put it on the data bus.

Multi-Processing - Symmetric

The processors are handed work as needed.

Multi-processing - Assymetric

Dedicated processor for sensitive application. All other commands (other applications and operating system) are sent to other CPUs.

Processor evaluation

Microns - width of smallest wire on CPU chip Clock Speed - Speed at which it can execute instructionsData Width - The amount of data the ALU can accept and processMIPS - millions of instructions per second

mult-programming

More than one process can be loaded into memory at a time

multitasking Cooperative multitasking Preemptive multitasking

Cooperative - required the processes to voluntarily release resources they were using. If the application was the written correctly, the application would not give up resources.Preemptive - Operating system controls how long a procss can use a resource

Process Table

One entry per process. Records process state, stack pointer, memory allocation, program counter and status of open files in use.

Interruptsmaskablenon-maskable

When a device or process needs to communicate with CPU it waits for the interrupt to be called.Maskable - assigned to an interrupt event that is not very important and the program continues to process (ignores interrupt)Non-maskable Interrupts - can never be overridden by an application because the event that has the type of interrupt is critical

Thread

Individual instruction set and the dat that must be worked on by the CPU.

MultiprogrammingMultitaskingMultithreadingMultiprocessing

Multiprogramming - an OS can load more than one program in memory at one timeMultitasking - an OS can handle requests form several different processes and loaded into memory at the same timeMultithreading - An application has the ability to run multiple threads simultaneously.Multiprocessing - a computer has more than one CPU

Time multiplexing

Allows processes to use the same resources

Memory Manager

RelocationProtectionSharingLogical OrganizationPhysical Organization

base registerlimit register

base register - contains the beginning address that was assigned to teh processlimit register - contains the ending address

RAM

Random Access Memory - Temporary data storage facility where data and program instructions can temporarily be held and altered

DRAM

Dynamic RAM - Data being held in RAM memory cells are 'dynamically' being refreshed. (If not the charge w/in the capacitor would go out and you would lose the data).

SRAM

Static RAM - Does not use capacitors, uses transistors which can keep a charge. Because of this it is faster, but takes up more space on the RAMP chip. SRAM is more expensive and is used on the CPU chip. DRAM is cheaper and is used in the RAM chip.

SDRAM

Synchronous DRAM - Synchronizes itself with the system's CPU and RAM input and output - timing of the memory activities are synchronized - increases the sped of transmitting and executing data.

EDO DRAM

Extended Data Out DRAM - Faster than DRAM because DRAM can access only one block of data at a time. EDO DRAM can capture the next block of data while the first block is being processed. (look ahead feature)

BEDO DRAM

Burst EDO DRAM - works like EDO DRAM, but can send more data at one burst. It reads an send up to four memory addresses in a small number of clock cycles.

DDR SDRAM

Instead of carrying out one operation per clock cycle, can carry out two operations per clock cycle. Twice the throughput of SDRAM.

ROM

Read-only memory - nonvolatile memory type - when the power is turned off the data is still held in data chips.

PROM

Programmable Read Only Memory - Form of ROM that can be modified after it has been manufactured. Can only be programmed one time. The instructions are "burned int" PROM using specialized PROM programmer device.

EPROM

Erasable and programmable read-only memory - can be erased, modified, and upgraded.

Flash Memory

Solid-state technology, used more as a hard-drive than as memory

Cache memory

Type of memory that is used for high-speed writing and reading activities.

Memory MappingAbsolute AddressesLogical AddressesRelative Addresses

Absolute addresses - physical memory addresses that the CPU useslogical addresses - Indexed memory addresses that a software usesrelative address - Based on a known address with an offset value applied.

Operating System Protection Rings

Privileged state in the center ring. (Privileged mode). Less access in out rings for other applications (User Mode).

Monolithic Operating System Architecture

Made up of procedures that can be called upon (big mess, MS DOS). All kernal activity performed in privileged mode.

Layered Operating System Architecture

Seperates system functionality into an hierarchy (Layer 0, 1, 2, 3, etc), THE, VAX, VMS, Unix

execution Domain

A process in a privileged domain needs to be able to execute its instructions and process data without being interrupted by other processes

Programmed I/O

CPU send data to an I/O device adn polls the device to see if it is ready to accept more data. This wastes CPU time.

Interrupt-Driven I/O

The CPU sends a character over to the printer and then goes and works on anothe process request. The printer will send a message that it ready for the next character .. and so on .. The CPU is not waiting for each byte to be printed (programmable I/O) - CPU is wasting time with interrupts

I/O Using DMA

A way of transferring data between I/O devices and the system's memory without the using the CPU. The DMA controller feeds the characters to the printer without bothering the CPU (unmapped I/O.)

Premapped I/O

The CPU sends teh physical memory address of the requesting process to the I/O device, and the I/O device is trusted enough to interact with the contents of the meory directly. The CPU does not control the interaction between teh I/O device and memory.

Fully Mapped I/O

The OS does not fully trust the I/O device. The physical address is not given to the device. The device works purely with logical addresses and works under the security context of the requesting process.

TCB

Trusted Computing Base - total combination of protection mechanisms within the computer system. (hardware, software, and firmware) The system is sure these components will enforce the security policy.

Processes within TCB

Process Activation - activating a process - CPU fills registers with data relating to process( program counter, base and limit addresses, user/prvileged mode) Interupts called upon and process interactes with CPUExecution Domain switching - CPU switches from executing in privileged mode to user modememory protectionI/O protection

reference monitor

abstract machine that mediates all access subjects have to objects, subjects have the necessary access rights .. and to protect the objects from unauthorized access and destructive modification.E.g. Laws = reference monitor

The security kernel

The security kernal is the mechanism tha tactually enforcs the rules of the reference monior concept.The secrurity kernel must 1) isolate processes carrying out the reference monitor concept,2) must be teamperproof3) must be invoked for each access attempt4) msut be small enough to be properly tested

security domain

All othe objects available to a subject

Data hiding

Data hiding occurs when processes work at different layers and have layers of access control between them. Processes need to know how to communicate only with each other's interfaces.

state machine model

deals with the different states a system can enter. If a system starts in a secure state, all transacion sna d and shutdown and fails securely

Lattice Model

lattic model provides an upper bound and lower bound of authorized access for subjects

Information Flow security model

Information Flow security model does not permit data to flow to an object in an insecure manner.

Bell-Lapadula Model

Subject to object model - Objects you are able to accessUsed to provide CONFIDENTIALITYUsed primarily in Military systems3 main rules used and enforced:1) Simple security rule (no read up) - Subject cannot read data at a higher level2) The Star-property rule (no write down) - Subject cannot write data to a lower level3) Strong star property rule - Subject with read/write � only at same level

Biba Security Model

Deals Primarily with INTEGRITYTwo main rules used and enforced1) Star-integrity axiom (no write up) - Subject cannot write data to objects at higher level2) Simple integrity axiom (no read down) - Subject cannot read data from lower level Biba and Bell-LaPadula Model are informational flow models - Concerned with data flowing up or down levels

Clark Wilson Model

Addresses all 3 integrity model goals� Prevent unauthorized users from making modifications� Prevent authorized users from making improper modifications (separation of duties)� Maintain internal/external consistency (well-formed transaction)Dictacts that subjects can only access objects through applicationsclark wilson - it uses access triple, whic is subject-program-object

dedicated security mode

a system has only one level of data classification adn all users must have this level of clearance to be able to use the system.

compartmented and multilevel security modes

enable the system to process data classified at different classification levels

TrustAssurance

Trust - The system uses all of its protection mechanisms properly to process sensitive data for may types of users.Assurance - the level of confidence you have in this trust and that the protection mechanisms behave properly in all circumstances predicably.

The Orange Book/ TCSEC

Trusted Computer System Evaluation Criteria (TCSEC)Developed to evaluate systems built to be used mainly by the milatary. It was expanded to evalueate other types of products. deals maily with stand-alone systems, so a range of books were written to cover many other topics in security. These books are called the rainbow series

ITSEC vs. TCSEC

ITSEC vs. TCSECITSEC evaluations the assurancea dn functionality of a system's protection mechanisms seperately. TCSEC combines the two into one rating.

The Orange book, D

The system provides minimal protection and is used for systems that were evaluated but failed to meet the criteria of higher divisions.

The Orange book, C & C2

deals with discretionary protection (no security labels) C2 requires object reuse protection adn auditing

Orange Book B1 & B2

B1 - first rating that requires security lables. B2 - requries security labels for all subjects and devices, the existence of a trusted path, routine covert channel analysis, and the provision of sepearate administrator functionality

The Common Criteria

The Common Criteria was devleoped to provide globally recognized evaluation criteria and is in use today. It combines sections of the TCSEC, ITSEC, CTCPEC, and the Federal Criteria.Uses protection profiles and ratings from EAL1 to EAL7 (EAL7 - modeled assurance can be mathematically prove)

Security Architecture AttacksCovert Channel - Timing and Storage

Covert Channel - unintended communication path that transfers data in a way that violates the security policy. Timing & storageTiming - enables a process to relay information to another process by modulating its use of system resourcesstorage - enables a process to write data to a storage medium so another process can read it

Security Architecture AttacksA maitenance hook

A maitenance hook is developed to let a programmer into the application quicly for maitenance. This should be removed before the appplciation goes into proedction .. security riskCountermeasures - code review and QA and unit testing

TOC/TOU

Time-of-check/time-of-use. This is a class of asynchronous attacks.Countermeasures - Do not seperate tasks that can have their sequence alteredOS can apply software locks to items - check to see if the user is authorized before it opens a file

Buffer Overflow

I think I know this one