Ch. 5 Security Architecture

• CPU – Central Processing Unit
• Storage devices – includes both long and short-term storage, such as memory and disk
• Peripherals – includes both input and output devices, such as keyboards and printer

Arithmetic Logic Unit - Performs mathematical and logical operations on the CPU ("brain of the CPU")

• Temporary storage location
• General Registers - Hold variables and temporary results from ALU (scratch pad)
• Special Registers - dedicated registers hold information .. program counter, stack pointer, and program status word (PSW)

manages and synchronizes the system while different applications are running. Overseas instruction sets, fetches the code, interprets the coed (Traffic cop).

Contains the memory address of the next instruction to be fetched (secretary and boss)

Memory segment the process can read from and write to .. cafeteria trays ("last in, first off)

• Program status word - holds condition bits.
• user mode (problem state) - for application instructions
• privileged mod (kernal or supervisor mode) - for operating system instructions

A hardwired connection to the RAM chips in the system and the individual I/O devices (Cd-rom, USB, hard drive)

The circuitry associated with the memory or I/O device recognizes the address the CPU sent down the address bus and instructs the memory or device to read the requested data and put it on the data bus.

The processors are handed work as needed.

Dedicated processor for sensitive application. All other commands (other applications and operating system) are sent to other CPUs.

• Microns - width of smallest wire on CPU chip
• Clock Speed - Speed at which it can execute instructions
• Data Width - The amount of data the ALU can accept and process
• MIPS - millions of instructions per second

More than one process can be loaded into memory at a time

• Cooperative - required the processes to voluntarily release resources they were using. If the application was the written correctly, the application would not give up resources.
• Preemptive - Operating system controls how long a procss can use a resource

One entry per process. Records process state, stack pointer, memory allocation, program counter and status of open files in use.

When a device or process needs to communicate with CPU it waits for the interrupt to be called.

Maskable - assigned to an interrupt event that is not very important and the program continues to process (ignores interrupt)

Non-maskable Interrupts - can never be overridden by an application because the event that has the type of interrupt is critical

Individual instruction set and the dat that must be worked on by the CPU.

Multiprogramming - an OS can load more than one program in memory at one time

Multitasking - an OS can handle requests form several different processes and loaded into memory at the same time

Multithreading - An application has the ability to run multiple threads simultaneously.

Multiprocessing - a computer has more than one CPU

Allows processes to use the same resources

• Relocation
• Protection
• Sharing
• Logical Organization
• Physical Organization

base register - contains the beginning address that was assigned to teh process

limit register - contains the ending address

Random Access Memory - Temporary data storage facility where data and program instructions can temporarily be held and altered

Dynamic RAM - Data being held in RAM memory cells are 'dynamically' being refreshed. (If not the charge w/in the capacitor would go out and you would lose the data).

Static RAM - Does not use capacitors, uses transistors which can keep a charge. Because of this it is faster, but takes up more space on the RAMP chip. SRAM is more expensive and is used on the CPU chip. DRAM is cheaper and is used in the RAM chip.

Synchronous DRAM - Synchronizes itself with the system's CPU and RAM input and output - timing of the memory activities are synchronized - increases the sped of transmitting and executing data.

Extended Data Out DRAM - Faster than DRAM because DRAM can access only one block of data at a time. EDO DRAM can capture the next block of data while the first block is being processed. (look ahead feature)

Burst EDO DRAM - works like EDO DRAM, but can send more data at one burst. It reads an send up to four memory addresses in a small number of clock cycles.

Instead of carrying out one operation per clock cycle, can carry out two operations per clock cycle. Twice the throughput of SDRAM.

Read-only memory - nonvolatile memory type - when the power is turned off the data is still held in data chips.

Programmable Read Only Memory - Form of ROM that can be modified after it has been manufactured. Can only be programmed one time. The instructions are "burned int" PROM using specialized PROM programmer device.

Erasable and programmable read-only memory - can be erased, modified, and upgraded.

Solid-state technology, used more as a hard-drive than as memory

Type of memory that is used for high-speed writing and reading activities.

Absolute addresses - physical memory addresses that the CPU uses

logical addresses - Indexed memory addresses that a software uses

relative address - Based on a known address with an offset value applied.

Privileged state in the center ring. (Privileged mode). Less access in out rings for other applications (User Mode).

Made up of procedures that can be called upon (big mess, MS DOS). All kernal activity performed in privileged mode.

Seperates system functionality into an hierarchy (Layer 0, 1, 2, 3, etc), THE, VAX, VMS, Unix

A process in a privileged domain needs to be able to execute its instructions and process data without being interrupted by other processes

CPU send data to an I/O device adn polls the device to see if it is ready to accept more data. This wastes CPU time.

The CPU sends a character over to the printer and then goes and works on anothe process request. The printer will send a message that it ready for the next character .. and so on .. The CPU is not waiting for each byte to be printed (programmable I/O) - CPU is wasting time with interrupts

A way of transferring data between I/O devices and the system's memory without the using the CPU. The DMA controller feeds the characters to the printer without bothering the CPU (unmapped I/O.)

The CPU sends teh physical memory address of the requesting process to the I/O device, and the I/O device is trusted enough to interact with the contents of the meory directly. The CPU does not control the interaction between teh I/O device and memory.

The OS does not fully trust the I/O device. The physical address is not given to the device. The device works purely with logical addresses and works under the security context of the requesting process.

Trusted Computing Base - total combination of protection mechanisms within the computer system. (hardware, software, and firmware) The system is sure these components will enforce the security policy.

Process Activation - activating a process - CPU fills registers with data relating to process( program counter, base and limit addresses, user/prvileged mode) Interupts called upon and process interactes with CPU

Execution Domain switching - CPU switches from executing in privileged mode to user mode

memory protection

I/O protection

abstract machine that mediates all access subjects have to objects, subjects have the necessary access rights .. and to protect the objects from unauthorized access and destructive modification.

E.g. Laws = reference monitor

The security kernal is the mechanism tha tactually enforcs the rules of the reference monior concept.

• The secrurity kernel must
• 1) isolate processes carrying out the reference monitor concept,
• 2) must be teamperproof
• 3) must be invoked for each access attempt
• 4) msut be small enough to be properly tested

All othe objects available to a subject

Data hiding occurs when processes work at different layers and have layers of access control between them. Processes need to know how to communicate only with each other's interfaces.

deals with the different states a system can enter. If a system starts in a secure state, all transacion sna d and shutdown and fails securely

lattic model provides an upper bound and lower bound of authorized access for subjects

Information Flow security model does not permit data to flow to an object in an insecure manner.

• Subject to object model - Objects you are able to access
• Used to provide CONFIDENTIALITY
• Used primarily in Military systems

3 main rules used and enforced:

• 1) Simple security rule (no read up) - Subject cannot read data at a higher level
• 2) The Star-property rule (no write down) - Subject cannot write data to a lower level
• 3) Strong star property rule - Subject with read/write – only at same level

• Deals Primarily with INTEGRITY
• Two main rules used and enforced
• 1) Star-integrity axiom (no write up) - Subject cannot write data to objects at higher level
• 2) Simple integrity axiom (no read down) - Subject cannot read data from lower level

Biba and Bell-LaPadula Model are informational flow models - Concerned with data flowing up or down levels

• Addresses all 3 integrity model goals
• • Prevent unauthorized users from making modifications
• • Prevent authorized users from making improper modifications (separation of duties)
• • Maintain internal/external consistency (well-formed transaction)

Dictacts that subjects can only access objects through applications

clark wilson - it uses access triple, whic is subject-program-object

a system has only one level of data classification adn all users must have this level of clearance to be able to use the system.

enable the system to process data classified at different classification levels

Trust - The system uses all of its protection mechanisms properly to process sensitive data for may types of users.

Assurance - the level of confidence you have in this trust and that the protection mechanisms behave properly in all circumstances predicably.

Trusted Computer System Evaluation Criteria (TCSEC)

Developed to evaluate systems built to be used mainly by the milatary.

It was expanded to evalueate other types of products. deals maily with stand-alone systems, so a range of books were written to cover many other topics in security. These books are called the rainbow series

• ITSEC vs. TCSEC
• ITSEC evaluations the assurancea dn functionality of a system's protection mechanisms seperately.

TCSEC combines the two into one rating.

The system provides minimal protection and is used for systems that were evaluated but failed to meet the criteria of higher divisions.

deals with discretionary protection (no security labels)

C2 requires object reuse protection adn auditing

B1 - first rating that requires security lables.

B2 - requries security labels for all subjects and devices, the existence of a trusted path, routine covert channel analysis, and the provision of sepearate administrator functionality

The Common Criteria was devleoped to provide globally recognized evaluation criteria and is in use today.

It combines sections of the TCSEC, ITSEC, CTCPEC, and the Federal Criteria.

Uses protection profiles and ratings from EAL1 to EAL7 (EAL7 - modeled assurance can be mathematically prove)

Covert Channel - unintended communication path that transfers data in a way that violates the security policy.

Timing & storage

Timing - enables a process to relay information to another process by modulating its use of system resources

storage - enables a process to write data to a storage medium so another process can read it

A maitenance hook is developed to let a programmer into the application quicly for maitenance. This should be removed before the appplciation goes into proedction .. security risk

Countermeasures - code review and QA and unit testing

Time-of-check/time-of-use. This is a class of asynchronous attacks.

• Countermeasures - Do not seperate tasks that can have their sequence altered
• OS can apply software locks to items - check to see if the user is authorized before it opens a file

I think I know this one