1. The CISSP Prep Guide
Chapter 5
Security Architecture
and Models
The CISSP®
Prep Guide: Mastering the Ten Domains of Computer Security
by Ronald L. Krutz, Russell Dean Vines (August 24, 2001),
John Wiley & Sons. ISBN: 0471413569
2. Topics in Chapter 5
• Computer Organization
• Hardware Components
• Software/Firmware Components
• Open Systems
• Distributed Systems
• Protection Mechanism
• Evaluation Criteria
3. Topics in Chapter 5
• Certification and Accreditation
• Formal Security Models
• Confidentiality Models
• Integrity Models
• Information Flow Models
4. Computer Architecture
• CPU – ALU and Control Unit
• Memory
– Cache, RAM, PLD, ROM, Real/Primary and
Secondary memory, Sequential and Random
Access Memory, Virtual Memory
– Addressing: Register, Direct, Absolute,
Implied, Indirect Addressing
– Memory Protection
9. Distributed Architecture
Security Concerns
• Desktop systems may be at risk of being
exposed, and may serve as an entry point to
critical information
• Users may lack security awareness
• Modem and dial-up access to corporate
network
• Download or Upload of critical information
• Lack of proper backup or disaster recovery
10. For Protection Mechanisms
• Email and download/upload policies
• Robust access control and biometrics
• Graphical user interface mechanism
• File encryption
• Separation of privileged process and others
• Protection domain, disks, systems, laptops
• Labeling and classification
11. For Protection Mechanisms
• Centralized backup for desktop systems
• Security awareness and regular training
• Control of software on desktop systems
• Encryption
• Logging of transaction and transmission
• Appropriate access controls
• Protection of applications and database
12. For Protection Mechanisms
• Formal security methods in software
development, change control,
configuration management, and
environmental change
• Disaster Recovery and Business Continuity
Planning, for all systems including desktop,
file system and storages, database and
applications, data and information
13. Protection Mechanisms
• Trusted Computing Base (TCB)
• Security Perimeter
• Trusted Path
• Trusted Computer System
• Abstraction, Encapsulation, and
Information Hiding
16. Additional Considerations
• Covert Channel
• Lack of Parameter Checking
• Maintenance Hook and Trapdoor
• Time of Check to Time of Use (TOC/TOU)
Attack
17. Assurance
• Evaluation Criteria
– TCSEC by NCSC
Trusted Computer System Evaluation Criteria
– Classes of Security
• D – Minimal protection
• C – Discretionary protection (C1 and C2)
• B – Mandatory protection (B1, B2, B3)
• A – Verified protection; formal methods (A1)
– ITSEC
18. Certification and Accreditation
• Certification
– The comprehensive evaluation of the technical
and non-technical security features of an
information system and the other safeguards,
which are created in support of the
accreditation process, to establish the extent to
which a particular design and implementation
meets the set of specified security
19. Certification and Accreditation
• Accreditation
– A formal declaration by a Designated
Approving Authority (DAA) in which an
information system is approved to operate in a
particular security mode using a prescribed set
of safeguards at an acceptable level of risk
20. Certification and Accreditation
• DITSCAP
– Defense Information Technology Security
Certification and Accreditation Process
– Phase 1 Definition
– Phase 2 Verification
– Phase 3 Validation
– Phase 4 Post Accreditation
21. • NIACAP
– National Information Technology Security
Certification and Accreditation Process
– Site Accreditation
– Type Accreditation for Application or System
– System Accreditation for major application or
general support system
22. Information Security Models
• Access Control Models
– The Access Matrix
– Take-Grant Model
– Bell-LaPadula Model
• Integrity Models
– The Biba Integrity Model
– The Clark-Wilson Integrity Model
• Information Flow Models
– Non-interference Model
– Composition Theories
23. Bell-LaPadula Model
• DoD, Multilevel security policy
– Individual’s Need-to-Know Basis
– Security-labeled Materials and
– Clearance of Confidential, Secret, or Top Secret
– Thus dealing only with confidentiality of
classified material, but not with integrity or
availability
– Input, State, Function and State Transition
24. Bell-LaPadula Model
1. The Simple Security Property
(ss Property).
States that reading of information by a
subject at a lower sensitivity level from an
object at a higher level is not permitted
(No Read Up)
25. Bell-LaPadula Model
2. The * (star) Security Property
States that writing of information by a
subject at a higher level of sensitivity to an
object at a lower level of sensitivity is not
permitted.
(No Write Down)
26. Bell-LaPadula Model
3. The Discretionary Security Property
Uses an access matrix to specify
discretionary access control
But Write-Up, Read-Down are OK.
• Authorization
• Control
– Content-Dependent, Context-Dependent
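The three Bell-LaPadula properties above can be enforced by a small reference monitor. The following is an added example and not code from the CISSP Prep Guide: it uses a total order of four levels, constructed subjects, objects and an access matrix, and checks the ss-property (no read up), the *-property (no write down) and the discretionary property (the access matrix must also grant the right). Read-down and write-up pass the mandatory checks, as the slide says, but still need a matrix entry.

```python
# Added example, not from the CISSP Prep Guide: a small Bell-LaPadula
# reference monitor. Subjects, objects, levels and the access matrix below
# are constructed sample data; the function names are our own.
from typing import Dict, Set, Tuple

# Clearance/classification levels in ascending order (constructed).
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Subject clearances and object classifications (constructed sample data).
CLEARANCE = {"alice": "Top Secret", "bob": "Confidential", "carol": "Secret"}
CLASSIFICATION = {"plan.doc": "Secret", "memo.txt": "Unclassified"}

# Access matrix for the ds-property: (subject, object) -> granted rights.
ACCESS_MATRIX: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "plan.doc"): {"read", "write"},
    ("alice", "memo.txt"): {"read", "write"},
    ("bob", "plan.doc"): {"read", "write"},
    ("bob", "memo.txt"): {"read"},
    # carol has no matrix entry: the mandatory rules alone never grant access.
}


def dominates(higher: str, lower: str) -> bool:
    """True when the first level is at least as sensitive as the second."""
    return RANK[higher] >= RANK[lower]


def check_access(subject: str, obj: str, mode: str) -> Tuple[bool, str]:
    """Apply the ss-, *- and ds-properties in turn; return (allowed, reason)."""
    subj_level = CLEARANCE[subject]
    obj_level = CLASSIFICATION[obj]
    if mode == "read":
        # Simple Security Property: no read up.
        if not dominates(subj_level, obj_level):
            return False, "ss-property: no read up"
    elif mode == "write":
        # *-Property: no write down; the object must dominate the subject.
        if not dominates(obj_level, subj_level):
            return False, "*-property: no write down"
    else:
        return False, "unknown access mode"
    # Discretionary Security Property: the matrix must also grant the right.
    if mode not in ACCESS_MATRIX.get((subject, obj), set()):
        return False, "ds-property: right not in access matrix"
    return True, "allowed"


if __name__ == "__main__":
    for subject in CLEARANCE:
        for obj in CLASSIFICATION:
            for mode in ("read", "write"):
                allowed, reason = check_access(subject, obj, mode)
                print(f"{subject:6} {mode:5} {obj:9} -> {reason}")
```

Running the block prints every combination; bob (Confidential) writing to plan.doc (Secret) is allowed because write-up is permitted, while alice (Top Secret) writing to the same object is refused by the *-property.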
27. Integrity Model
• Goals
1. The data is protected from modification by
unauthorized users
2. The data is protected from unauthorized
modification by authorized users
3. The data is internally and externally
consistent – the data held in a database must
balance internally and must correspond to the
external, real-world situation.
28. Biba Integrity Model
• Proposed in 1977; a lattice-based model
• Uses a “less than or equal to” relationship
• Least upper bound (LUB) and greatest lower
bound (GLB)
• The lattice is a set of integrity classes (IC)
and an ordered relationship among the classes
• A lattice is written as (IC, <=, LUB, GLB)
29. Biba Integrity Model
1. The Simple Integrity Axiom
States that a subject at one level of
integrity is not permitted to observe (read)
an object of lower integrity
No Read Down
30. Biba Integrity Model
2. The * (Star) Integrity Axiom
States that a subject at one level of
integrity is not permitted to modify (write
to) an object of a higher level of integrity.
No Write Up
31. Biba Integrity Model
3. A subject at one level of integrity cannot
invoke a subject at a higher level of
integrity
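The lattice (IC, <=, LUB, GLB) from slide 28 and the three Biba rules from slides 29 to 31 can be modelled together. The following is an added example, not code from the CISSP Prep Guide: an integrity class is a constructed pair of a numeric level and a set of integrity categories, ordered componentwise, so LUB and GLB are non-trivial and two classes can be incomparable (in which case both reading and writing are refused). The subjects, objects and function names are our own.

```python
# Added example, not from the CISSP Prep Guide: Biba's rules over an
# integrity lattice (IC, <=, LUB, GLB). An integrity class is a pair
# (level, categories); the class set, subjects and objects are constructed
# sample data, and the function names are our own.
from typing import Dict, FrozenSet, NamedTuple


class IntegrityClass(NamedTuple):
    level: int                  # 0 = least trustworthy
    categories: FrozenSet[str]  # integrity categories carried by the class


def leq(a: IntegrityClass, b: IntegrityClass) -> bool:
    """a <= b: b is at least as trustworthy as a (a partial order)."""
    return a.level <= b.level and a.categories <= b.categories


def lub(a: IntegrityClass, b: IntegrityClass) -> IntegrityClass:
    """Least upper bound: the lowest class that dominates both."""
    return IntegrityClass(max(a.level, b.level), a.categories | b.categories)


def glb(a: IntegrityClass, b: IntegrityClass) -> IntegrityClass:
    """Greatest lower bound: the highest class dominated by both."""
    return IntegrityClass(min(a.level, b.level), a.categories & b.categories)


def ic(level: int, *cats: str) -> IntegrityClass:
    """Convenience constructor for an integrity class."""
    return IntegrityClass(level, frozenset(cats))


# Constructed sample: subjects and objects labelled with integrity classes.
SUBJECTS: Dict[str, IntegrityClass] = {
    "auditor": ic(2, "audit"),
    "clerk": ic(1, "finance"),
    "script": ic(0),
}
OBJECTS: Dict[str, IntegrityClass] = {
    "ledger": ic(2, "audit", "finance"),
    "report": ic(1, "finance"),
    "webform": ic(0),
}


def can_read(subject: str, obj: str) -> bool:
    """Simple Integrity Axiom (no read down): the object must dominate the subject."""
    return leq(SUBJECTS[subject], OBJECTS[obj])


def can_write(subject: str, obj: str) -> bool:
    """*-Integrity Axiom (no write up): the subject must dominate the object."""
    return leq(OBJECTS[obj], SUBJECTS[subject])


def can_invoke(caller: str, callee: str) -> bool:
    """Invocation rule: a subject may not invoke a subject of higher integrity."""
    return leq(SUBJECTS[callee], SUBJECTS[caller])


if __name__ == "__main__":
    for s in SUBJECTS:
        for o in OBJECTS:
            print(f"{s:8} {o:8} read={can_read(s, o)!s:5} write={can_write(s, o)}")
    print("lub(clerk, auditor) =", lub(SUBJECTS["clerk"], SUBJECTS["auditor"]))
    print("glb(clerk, auditor) =", glb(SUBJECTS["clerk"], SUBJECTS["auditor"]))
```

Note the mirror image of Bell-LaPadula: here the clerk may read the higher-integrity ledger but not write to it, and the low-integrity script may not invoke the clerk.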
32. Clark-Wilson Integrity Model
• Clark-Wilson, 1987
• Constrained Data Item (CDI)
– A Data item whose integrity is to be preserved
• Integrity Verification Procedure (IVP)
– Confirms that all CDIs are in a valid integrity state;
CDIs are changed only through a well-formed
transaction, which transforms a CDI from one valid
integrity state to another valid integrity state
• Unconstrained Data Item (UDI)
– Data items outside of the control area of the modeled
environment such as input information
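The Clark-Wilson vocabulary above is easiest to see on a small ledger. The following is an added example, not code from the CISSP Prep Guide: the account balances and recorded total are the CDIs, a raw transfer request string is the UDI, ivp() is the integrity verification procedure (it checks the internal-consistency goal from the integrity model slide), and tp_transfer() is the well-formed transaction that moves the CDIs from one valid state to another or leaves them unchanged. The data and function names are constructed.

```python
# Added example, not from the CISSP Prep Guide: the Clark-Wilson pieces on
# a toy ledger. Balances and the recorded total are the CDIs, a raw transfer
# request string is the UDI, ivp() is the integrity verification procedure
# and tp_transfer() is the well-formed transaction. Data and names are
# constructed.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Ledger:
    """The constrained data items: account balances plus a recorded total."""
    balances: Dict[str, int]
    recorded_total: int


def ivp(ledger: Ledger) -> bool:
    """Integrity verification procedure: internal consistency of all CDIs.

    Valid state: no negative balance, and the balances sum to the
    recorded total (the "must balance internally" integrity goal).
    """
    values = list(ledger.balances.values())
    return all(v >= 0 for v in values) and sum(values) == ledger.recorded_total


def parse_transfer(udi: str) -> Tuple[str, str, int]:
    """Validate a UDI of the form "src,dst,amount" before it may touch a CDI."""
    parts = [p.strip() for p in udi.split(",")]
    if len(parts) != 3:
        raise ValueError("expected src,dst,amount")
    amount = int(parts[2])  # raises ValueError if not an integer
    if amount <= 0:
        raise ValueError("amount must be positive")
    return parts[0], parts[1], amount


def tp_transfer(ledger: Ledger, src: str, dst: str, amount: int) -> str:
    """Well-formed transaction: moves the CDIs from one valid state to
    another, or leaves them untouched. Returns a status string."""
    if not ivp(ledger):
        return "rejected: ledger already inconsistent"
    if src not in ledger.balances or dst not in ledger.balances:
        return "rejected: unknown account"
    if ledger.balances[src] < amount:
        return "rejected: insufficient funds"
    # Both halves are applied together, so the recorded total still balances.
    ledger.balances[src] -= amount
    ledger.balances[dst] += amount
    assert ivp(ledger), "a TP must end in a valid state"
    return "committed"


def process_request(ledger: Ledger, udi: str) -> str:
    """Entry point: a UDI reaches the CDIs only via parse_transfer + tp_transfer."""
    try:
        src, dst, amount = parse_transfer(udi)
    except ValueError:
        return "rejected: malformed UDI"
    return tp_transfer(ledger, src, dst, amount)


if __name__ == "__main__":
    book = Ledger({"A": 100, "B": 50}, recorded_total=150)
    for request in ("A, B, 30", "A, B, 500", "garbage"):
        print(f"{request!r:14} -> {process_request(book, request)}")
    book.balances["A"] += 5  # a write that bypasses the TP breaks consistency
    print("ivp after direct edit:", ivp(book))
```

The last two lines of the main block show why Clark-Wilson insists that CDIs be modified only through TPs: a direct edit leaves the balances no longer summing to the recorded total, which the IVP then detects.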