As computers and networks have become more complex, so too have approaches evolved for securing them. In this CISSP Essentials Security School lesson, expert Shon Harris investigates the framework and structures that make up typical computer systems. This spotlight article sketches the evolution of security models and evaluation methods as they have struggled to keep pace with changing technology needs.
The key topics in Domain 4, Security Models and Architecture are as follows:
- Computer and security architecture: The framework and structure of a system and how security can be implemented.
- Security models and modes: The symbolic representations of policy that map the objectives of the policy makers to a set of rules which computer systems must follow under various system conditions.
- System evaluation, certification and accreditation: Methods used to examination the security relevant parts of a system (e.g. reference monitor, access control and kernel protection mechanisms, etc.) and how certification and accreditation are confirmed.
- System security threats: Common vulnerabilities specific to system security architecture.
Computer and system architecture
This section explores the components that make up computer systems and how they must be handled to provide optimal security policy enforcement regardless of inputs, system run states or conditions. A detailed discussion of the CPU is provided, including how requests are managed through it and how buffer overflows can take advantage is also presented. Input/output requests, the channels that are used, and how resources are allocated, committed and released, are discussed. Concepts such as protection rings, the difference in memory types (e.g. RAM, ROM and EPROM), cache memory, memory mapping, segmenting memory to isolate concurrent processes and storage types (primary, secondary, real and virtual) are covered. The security challenges posed by different operating states and those posed by the sharing of resources using multi-threading, multi-tasking and multi-processing methods are presented. Other concepts include deadlock state, invoking virtual machines, the execution domain and the difference between a process and a thread are also explored.
Whereas the foregoing focuses on the physical and logical machine, this section explores how confidentiality, integrity and availability controls can be applied to the machine and which components deserve the most attention. The CISSP candidate gains a clear understanding of the tradeoffs between levels of trust, assurance and performance. Security mechanisms placed at the hardware, kernel, operating, services or the program layers are explored, along with the security of open (distributed) and closed (proprietary) systems.
This section also covers the concept of the Trusted Computing Base -- the subset of system components that make up the totality of protective mechanisms. The origins of the TCB are presented as they appear in the Orange Book. Concepts such as the security perimeter, reference monitor and its requirements, the security kernel, object domains (i.e., privileged versus non-privileged), process/resource isolation, trust ratings, security layering and hiding, object and subject classifications, and the concept of least privilege are covered. These concepts are presented as a means by which security structures can be understood, and therefore, responsibly controlled.
Security models and modes
This section explores different types of security models and the attributes and capabilities that distinguish them. The Basic Security Theorem -- if a system initializes in a secure state and all state transitions are secure, then every subsequent state will be secure no matter what inputs occur -- is covered. The Bell-LaPadula model, Biba, the Clark-Wilson Model, the Information Flow Model and the Non-Interference Model -- each of which takes a different approach to managing user privileges with regard to object access are also covered.
Security modes describe the security conditions under which a system functions. Systems can support one or more security modes, thus servicing one or more user security classification groups. This section explores four modes and also introduces the concept of the trust assurance. The level of trust is based on the integrity of the Trusted Computing Base. The concepts of trust and assurance are contrasted, and the detrimental effects of complexity on assurance are also noted.
System evaluation methods
The Common Criteria global evaluation standard has its origins in independent global efforts, one based on U.S. standards and the other representing pan-European standards. The Trusted Computer System Evaluation Criteria (TCSEC), also referred to as the U.S. Orange Book, describes the specific criteria for several evaluation areas (security policy, identification, labels, documentation, accountability, life cycle assurance and continuous protection), and the formal process of evaluation executed by the National Computer Security Center (NCSC), which yield an evaluated product. The European community instead launched what is called the Information Technology Security Evaluation Criteria (ITSEC). ITSEC looks primarily at functionality and assurance as two broad category areas with subheadings. The key difference between the U.S. and European approaches has to do with their rating schema. The European ITSEC applies a separate rating system for security functionality and for assurance, whereas the U.S. TCSEC uses a single-rating system. The confusing relationship between these two rating schema are compared and explored in depth.
As security exceeds the bounds of the computer systems, other books in the U.S. Rainbow series complement the Orange Book. This section covers the Red Book, which addresses security evaluation topics for networks and network components. The Red Book carries its own four level rating system and addresses topics such as communication integrity (i.e., authentication, message integrity and non-repudiation); denial-of-service prevention (i.e., continuity of operations, network management); and compromise protection (i.e., data confidentiality, traffic flow confidentiality and selective routing).
The Common Criteria, established in 1990, was the global compromise standard that superseded both TCSEC and ITSEC. It introduces the concept of protection profiles, which outline specific real-world needs in the industry. Students will need to understand the different components of the Common Criteria and the evaluation process and assurance levels.
Security evaluation yields proof (or lack thereof) of security operational readiness. Confusing terminology, such as the difference between certification (expected versus achieved readiness level) and accreditation (authorization to operate) are contrasted.
Security system threats
This section covers some security threats specific to security models and architecture. Among the threats explored are covert channels, developer backdoors, timing attacks that exploit race conditions at boot time and buffer overflows. Countermeasures are discussed for each.
CISSP® is a registered certification mark of the International Information Systems Security Certification Consortium, Inc., also known as ISC(2).
