Friday, March 21, 2014

CISSP - Security Architectures and Design

An important domain in one's quest to get CISSP certified is Security Architecture and Design.

This domain may seem irrelevant, unnecessarily detailed and boring to those who come from a network and network security operations background, but I believe everyone will find very important and unnoticed stuff here.

This domain is very strongly related to the Access Control domain, and concepts like DAC, MAC and RBAC must be thoroughly understood before starting.

I would suggest that you pay close attention to subjects such as the Bell-LaPadula, Biba, Clark-Wilson and Chinese Wall models, as well as evaluation criteria such as TCSEC (aka the Orange Book), its European counterpart ITSEC, and the Common Criteria.

I tried to summarize as much as I could so that I could make it readable, but there are really too many small and important points to keep in mind.

Let's start.


Security Architecture and Design is a three-part domain. The first part covers the hardware and software required to have a secure computer system, the second part covers the logical models required to keep the system secure, and the third part covers evaluation models that quantify how secure the system really is.



Layering separates hardware and software functionality into modular tiers. A generic list of security architecture layers is as follows:
  • Hardware
  • Kernel and device drivers
  • Operating system
  • Applications


Abstraction hides unnecessary details from the user. Complexity is the enemy of security—the more complex a process is, the less secure it is.

Security domains

A security domain is the list of objects a subject is allowed to access. More broadly defined, domains are groups of subjects and objects with similar security requirements. “Confidential,” “secret,” and “top secret” are three security domains used by the U.S. DoD, for example. With respect to kernels, two domains are user mode and kernel mode.

The Ring Model

The ring model is a form of CPU hardware layering that separates and protects domains (such as kernel mode and user mode) from each other. Many CPUs, such as the Intel x86 family, have four rings, ranging from ring 0 (kernel) to ring 3 (user). The innermost ring is the most trusted, and each successive outer ring is less trusted.
The rings are (theoretically) used as follows:
  • Ring 0—Kernel
  • Ring 1—Other OS components that do not fit into ring 0
  • Ring 2—Device drivers
  • Ring 3—User applications

Processes communicate between the rings via system calls, which allow processes to communicate with the kernel and provide a window between the rings. A user running a word processor in ring 3 presses “save,” and a system call is made into ring 0, asking the kernel to save the file. The kernel does so and reports that the file is saved. System calls are slow (compared to performing work within one ring) but provide security. The ring model also provides abstraction: The nitty-gritty details of saving the file are hidden from the user, who simply presses the “save file” button.

While x86 CPUs have four rings and can be used as described above, this usage is considered theoretical because most x86 operating systems, including Linux and Windows, use rings 0 and 3 only. Using our “save file” example with four rings, a call would be made from ring 3 to ring 2, then from ring 2 to ring 1, and finally from ring 1 to ring 0. This is secure, but complex and slow, so most modern operating systems opt for simplicity and speed.

A new mode called hypervisor mode (and informally called “ring -1”) allows virtual guests to operate in ring 0, controlled by the hypervisor one ring “below.”

Open and closed systems

An open system uses open hardware and standards, using standard components from a variety of vendors. An IBM-compatible PC is an open system; you may build an IBM-compatible PC by purchasing components from a multitude of vendors.

A closed system uses proprietary hardware or software (such as Apple computers).


The System Unit and Motherboard

The system unit is the computer’s case: It contains all of the internal electronic computer components, including motherboard, internal disk drives, power supply, etc. The motherboard contains hardware, including the CPU, memory slots, firmware, and peripheral slots such as PCI slots.

The computer bus

A computer bus is the primary communication channel on a computer system. Communication between the CPU, memory, and input/output devices such as keyboard, mouse, display, etc., occurs via the bus.

Northbridge and Southbridge

Some computer designs use two buses: a northbridge and southbridge. The names derive from the visual design, usually shown with the northbridge on top and the southbridge on the bottom. The northbridge, also called the Memory Controller Hub (MCH), connects the CPU to RAM and video memory. The southbridge, also called the I/O Controller Hub (ICH), connects input/output (I/O) devices, such as disk, keyboard, mouse, CD drive, USB ports, etc. The northbridge is directly connected to the CPU and is faster than the southbridge.


The arithmetic logic unit (ALU) performs mathematical calculations—it computes. It is fed instructions by the control unit, which acts as a traffic cop, sending instructions to the ALU.

CPUs fetch machine language instructions (such as “add 1 + 1”) and execute them (add the numbers, for an answer of “2”). The fetch and execute (also called fetch–decode–execute, or FDX) process actually takes four steps:
1. Fetch Instruction 1
2. Decode Instruction 1
3. Execute Instruction 1
4. Write (save) result 1
These four steps take one clock cycle to complete.

Pipelining combines multiple steps into one combined process, allowing simultaneous fetch, decode, execute, and write steps for different instructions. Each part is called a pipeline stage; the pipeline depth is the number of simultaneous stages which may be completed at once.

Given our previous fetch and execute example of adding 1 + 1, a CPU without pipelining would have to wait an entire cycle before performing another computation. A four-stage pipeline can combine the stages of four other instructions:
1. Fetch Instruction 1
2. Fetch Instruction 2, Decode Instruction 1
3. Fetch Instruction 3, Decode Instruction 2, Execute Instruction 1
4. Fetch Instruction 4, Decode Instruction 3, Execute Instruction 2, Write (save) result 1
5. Fetch Instruction 5, Decode Instruction 4, Execute Instruction 3, Write (save) result 2

An interrupt indicates that an asynchronous event has occurred. CPU interrupts are a form of hardware interrupt that cause the CPU to stop processing its current task, save the state, and begin processing a new request. When the new task is complete, the CPU will complete the prior task.

A process is an executable program and its associated data loaded and running in memory. A heavy-weight process (HWP) is also called a task. A parent process may spawn additional child processes called threads. A thread is a light-weight process (LWP).

Applications run as processes in memory, comprised of executable code and data. Multitasking allows multiple tasks (heavy weight processes) to run simultaneously on one CPU. Older and simpler operating systems, such as MS-DOS, are non-multitasking; they run one process at a time. Most modern operating systems, such as Linux and Windows XP, support multitasking.

Multiprocessing has a fundamental difference from multitasking in that it runs multiple processes on multiple CPUs.

A watchdog timer is designed to recover a system by rebooting after critical processes hang or crash. The watchdog timer reboots the system when it reaches zero; critical operating system processes continually reset the timer, so it never reaches zero as long as they are running. If a critical process hangs or crashes, they no longer reset the watchdog timer, which reaches zero, and the system reboots.

Complex instruction set computer (CISC) and reduced instruction set computer (RISC) are two forms of CPU design. CISC uses a large set of complex machine language instructions, while RISC uses a reduced set of simpler instructions. x86 CPUs (among many others) are CISC; ARM (used in many cell phones and PDAs), PowerPC, SPARC, and others are RISC.

Cache memory is the fastest memory on the system, required to keep up with the CPU as it fetches and executes instructions. The data most frequently used by the CPU is stored in cache memory. The fastest portion of the CPU cache is the register file, which contains multiple registers. Registers are small storage locations used by the CPU to store instructions and data. The next fastest form of cache memory is Level 1 cache, located on the CPU itself. Finally, Level 2 cache is connected to (but outside) the CPU. Static random access memory (SRAM) is used for cache memory.

As a general rule, the memory closest to the CPU (cache memory) is the fastest and most expensive memory in a computer. As you move away from the CPU, from SRAM, to DRAM, to disk, to tape, etc., the memory becomes slower and less expensive.


RAM is volatile memory used to hold instructions and data of currently running programs. It loses integrity after loss of power. RAM memory modules are installed into slots on the computer motherboard. Read-only memory (ROM) is nonvolatile: Data stored in ROM maintains integrity after loss of power. The basic input/output system (BIOS) firmware is stored in ROM.


Static random access memory (SRAM) is expensive and fast memory that uses small latches called “flip-flops” to store bits. Dynamic random access memory (DRAM) stores bits in small capacitors (like small batteries) and is slower and cheaper.

Values may be stored in multiple locations in memory, including CPU registers and in general RAM. These values may be addressed directly (“add the value stored here”) or indirectly (“add the value stored in memory location referenced here”). Indirect addressing is like a pointer.

Register direct addressing is the same as direct addressing, except it references a CPU cache register, such as Register 1.

Memory protection prevents one process from affecting the confidentiality, integrity, or availability of another. This is a requirement for secure multiuser (more than one user logged in simultaneously) and multitasking (more than one process running simultaneously) systems.

Process isolation is a logical control that attempts to prevent one process from interfering with another. This is a common feature among multiuser operating systems such as Linux, UNIX, or recent Microsoft Windows operating systems. Older operating systems such as MS-DOS provide no process isolation. A lack of process isolation means a crash in any MS-DOS application could crash the entire system.

Hardware segmentation takes process isolation one step further by mapping processes to specific memory locations. This provides more security than (logical) process isolation alone.

Virtual memory provides virtual address mapping between applications and hardware memory. Virtual memory provides many functions, including multitasking (multiple tasks executing at once on one CPU), allowing multiple processes to access the same shared library in memory, swapping, and others.

Swapping uses virtual memory to copy contents in primary memory (RAM) to or from secondary memory (not directly addressable by the CPU, on disk). Swap space is often a dedicated disk partition that is used to extend the amount of available memory. If the kernel attempts to access a page (a fixed-length block of memory) stored in swap space, a page fault occurs (an error that means the page is not located in RAM), and the page is “swapped” from disk to RAM.

Swapping and paging are often used interchangeably, but there is a slight difference. Paging copies a block of memory to or from disk, while swapping copies an entire process to or from disk.

Swap is designed as a protective measure to handle occasional bursts of memory usage. Systems should not routinely use large amounts of swap; in that case, physical memory should be added or processes should be removed, moved to another system, or shortened.


Flash memory is a type of EEPROM; it is faster than regular EEPROM but slower than disks.

WORM storage

Write once, read many (WORM) storage can be written to once and read many times. It is often used to support records retention for legal or regulatory compliance. The most common type of WORM media is Compact Disc–Recordable (CD-R) and Digital Versatile Disk–Recordable (DVD-R). Note that CD-RW and DVD-RW (Read/Write) are not WORM media.


The Kernel

The kernel is the heart of the operating system, and it usually runs in ring 0. Kernels have two basic designs: monolithic and microkernel. A monolithic kernel is not modular and is compiled only once, when the computer is turned on, so it does not detect hardware changes once the computer has already booted. A microkernel is modular and can call drivers on demand.

Reference Monitor

Reference Monitor mediates all access between subjects and objects. It enforces the system’s security policy, such as preventing a normal user from writing to a restricted file, such as the system password file. The reference monitor is always enabled and cannot be bypassed.

Users and file permissions



Privileged Programs

Setuid is a Linux and UNIX file permission that makes an executable run with the permissions of the file’s owner, and not as the running user. Setgid (set group ID) programs run with the permissions of the file’s group.

The passwd program runs as root, allowing users to change their passwords and thus the contents of /etc/passwd and /etc/shadow.

The activities of such privileged programs must be monitored closely.
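One way to keep that close watch is an inventory of set-id executables compared against a stored baseline. This is an added example, not code from the original post; it assumes a POSIX system and builds a constructed sample directory for its self-check rather than touching real system files.

```python
import os
import shutil
import stat
import tempfile


def find_privileged_executables(root):
    """Walk `root` and return (path, kind, uid, gid) for every regular file
    that is executable and carries the setuid and/or setgid bit."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # vanished or unreadable entry
            if not stat.S_ISREG(st.st_mode):
                continue
            kinds = []
            if st.st_mode & stat.S_ISUID:
                kinds.append("setuid")
            if st.st_mode & stat.S_ISGID:
                kinds.append("setgid")
            # A set-id bit on a non-executable file does nothing at exec time,
            # so only executables are reported.
            if kinds and st.st_mode & 0o111:
                found.append((path, "+".join(kinds), st.st_uid, st.st_gid))
    return sorted(found)


def compare_inventories(baseline, current):
    """Return (added, removed) between a stored baseline and a fresh scan.
    Anything in `added` is a new privileged program to investigate."""
    return (sorted(set(current) - set(baseline)),
            sorted(set(baseline) - set(current)))


def self_check():
    """Scan a constructed directory tree (hypothetical files, created here)
    and return {file name: kind} for what the scan reports."""
    root = tempfile.mkdtemp(prefix="setuid_audit_")
    try:
        modes = {
            "plain_exec": 0o755,      # executable, no set-id bits
            "suid_exec": 0o4755,      # setuid + executable
            "suid_noexec": 0o4644,    # setuid bit but not executable
            "both_exec": 0o6755,      # setuid + setgid + executable
        }
        for name, mode in modes.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
            os.chmod(path, mode)
        return {os.path.basename(p): kind
                for p, kind, _uid, _gid in find_privileged_executables(root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, kind, uid, gid in find_privileged_executables("/usr/bin"):
        print(f"{kind:<13} uid={uid:<5} gid={gid:<5} {path}")
```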



The key to virtualization security is the hypervisor, which controls access between virtual guests and host hardware. A Type 1 hypervisor (also called bare metal) is part of an operating system that runs directly on host hardware. A Type 2 hypervisor runs as an application on a normal operating system, such as Windows 7; for example, VMware ESX is a Type 1 hypervisor, and VMware Workstation is Type 2.

Many network-based security tools, such as network intrusion detection systems (NIDS), can be blinded by virtualization. A traditional NIDS connected to a physical SPAN port or tap cannot see traffic passing from one guest to another on the same host. NIDS vendors are beginning to offer virtual IDS products, running in software on the host and capable of inspecting host–guest and guest–guest traffic.

Cloud Computing

A concern about cloud computing is multiple organizations’ guests running on the same host. The compromise of one cloud customer could lead to the compromise of other customers.

Also, many cloud providers offer preconfigured system images, which may introduce risks via insecure configuration.

Finally, do you know where your data is? Public clouds may potentially move data to any country, potentially beyond the jurisdiction of the organization’s home country. Some laws forbid the storage of critical information such as PII abroad.


Emanations are energy that escapes an electronic system, and which may be remotely monitored under certain circumstances.

A covert channel is any communication that violates security policy. The communication channel used by malware installed on a system that locates personally identifiable information (PII) such as credit card information and sends it to a malicious server is an example of a covert channel.

Buffer overflows can occur when a programmer fails to perform bounds checking.

Time of check, time of use (TOCTOU) attacks are also called race conditions. An attacker attempts to alter a condition after it has been checked by the operating system, but before it is used. TOCTOU is an example of a state attack, where the attacker capitalizes on a change in operating system state.

Here is pseudocode for a setuid root program (runs with super user privileges, regardless of the running user) called “open test file” that contains a race condition:
1. If the file “test” is readable by the user
2. Then open the file “test”
3. Else print “Error: cannot open file.”
The race condition occurs between steps 1 and 2. Remember that most modern computers are multitasking; the CPU executes multiple processes at once. Other processes are running while our “open test file” program is running. In other words, the computer may run our program like this:
1. If the file “test” is readable by the user
2. Run another process
3. Run another process
4. Then open the file “test”

A successful attack places its own actions between the first and the fourth step, altering the checked condition before the file is actually used.
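The same "open test file" logic in real code, beside a version that closes the window: this is an added example, not from the original post, and assumes a POSIX system. The "swapped" symlink in the self-check is a constructed stand-in for the name being redirected between check and use.

```python
import os
import shutil
import stat
import tempfile


def open_test_file_racy(path):
    """The pseudocode above as written: step 1 checks, step 2 uses."""
    if os.access(path, os.R_OK):            # step 1: "is 'test' readable?"
        return open(path, "rb")             # step 2: open; the name may have changed
    print("Error: cannot open file.")
    return None


def open_test_file_safe(path, expected_uid=None):
    """No separate check. Open first, then validate what was actually opened.
    O_NOFOLLOW rejects a symlink swapped in under the name; fstat() inspects the
    descriptor, which can no longer be redirected. (A real setuid program should
    also drop to the real uid before opening so the kernel checks as the invoking
    user; that needs root to demonstrate and is omitted here.)"""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError:
        print("Error: cannot open file.")
        return None
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or (
            expected_uid is not None and st.st_uid != expected_uid):
        os.close(fd)
        print("Error: cannot open file.")
        return None
    return os.fdopen(fd, "rb")


def self_check():
    """Constructed scenario: 'test' is a regular file, 'swapped' is a symlink
    to it. Returns what each opener yields for each name (None = refused)."""
    root = tempfile.mkdtemp(prefix="toctou_")
    try:
        real = os.path.join(root, "test")
        link = os.path.join(root, "swapped")
        with open(real, "wb") as fh:
            fh.write(b"secret contents")
        os.symlink(real, link)
        results = {}
        for label, opener in (("racy", open_test_file_racy),
                              ("safe", open_test_file_safe)):
            for name, p in (("test", real), ("swapped", link)):
                fh = opener(p)
                results[(label, name)] = fh.read() if fh else None
                if fh:
                    fh.close()
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in sorted(self_check().items()):
        print(key, value)
```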

A backdoor is a shortcut in a system that allows a user to bypass security checks (such as username/password authentication) to log in.

Malicious code (or malware) is the generic term for any type of software that attacks an application or system.

Zero-day exploits are malicious code (a threat) for which there is no vendor-supplied patch (meaning there is an unpatched vulnerability).

Computer viruses are malware that do not spread automatically; they require a carrier.

Worms are malware that self-propagates (spreads independently).

A trojan (also called a Trojan horse) is malware that performs two functions: one benign (such as a game) and one malicious.

A rootkit is malware which replaces portions of the kernel and/or operating system.

A logic bomb is a malicious program that is triggered when a logical condition is met, such as after a number of transactions have been processed or on a specific date (also called a time bomb).

Packers provide runtime compression of executables. The original exe is compressed, and a small executable decompressor is prepended to the exe. Upon execution, the decompressor unpacks the compressed executable machine code and runs it. Packers are a neutral technology that is used to shrink the size of executables.

Server-side attacks (also called service-side attacks) are launched directly from an attacker (the client) to a listening service.

Client-side attacks occur when a user downloads malicious content.

Applets are small pieces of mobile code that are embedded in other software such as Web browsers.

Java applets run in a sandbox, which segregates the code from the operating system. The sandbox is designed to prevent an attacker who is able to compromise a Java applet from accessing system files, such as the password file. Code that runs in the sandbox must be self-sufficient; it cannot rely on operating system files that exist outside the sandbox.

ActiveX controls are the functional equivalent of Java applets. They use digital certificates instead of a sandbox to provide security. ActiveX controls are tied more closely to the operating system, allowing functionality such as installing patches via Windows Update. Unlike Java, ActiveX is a Microsoft technology that works on Microsoft Windows operating systems only.

The Open Web Application Security Project represents one of the best application security resources. OWASP provides a tremendous number of free resources dedicated to improving organizations’ application security posture. One of their best-known projects is the OWASP Top 10 project, which provides consensus guidance on what are considered to be the ten most significant application security risks.

Service-Oriented Architecture (SOA) attempts to reduce application architecture down to a functional unit of a service. SOA is intended to allow multiple heterogeneous applications to be consumers of services. The service can be used and reused throughout an organization rather than built within each individual application that needs the functionality offered by the service.

Data mining searches large amounts of data to determine patterns that would otherwise get lost in the noise.

The primary countermeasure to mitigate the attacks described in the previous section is defense in depth: multiple overlapping controls spanning across multiple domains, which enhance and support each other. Any one control may fail, but defense in depth (also called layered defense) mitigates this issue.


Read Down, Write Up concepts apply to Mandatory Access Control models.

Bell-LaPadula Model (CONFIDENTIALITY)

  1. Simple Security Property: No Read Up, NRU
  2. * (Star) Security Property: No Write Down, NWD
  3. The Strong Tranquility Property states that security labels will not change while the system is operating. The Weak Tranquility Property states that security labels will not change in a way that conflicts with defined security properties.

Biba Model (INTEGRITY)

  1. Simple Integrity Axiom: No Read Down, NRD
  2. * (Star) Integrity Axiom: No Write Up, NWU
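The four read/write rules of Bell-LaPadula and Biba, plus a strong-tranquility check, as executable functions over a linear lattice of labels. This is an added example, not from the original post; the Level names mirror the DoD labels mentioned earlier and the snapshot-based tranquility check is my own construction.

```python
from enum import IntEnum


class Level(IntEnum):
    """Ordered MAC labels; a higher value is more sensitive (BLP) or more
    trustworthy (Biba)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allowed(subject, obj, op):
    """Bell-LaPadula (confidentiality).
    read : simple security property, no read up    (subject >= object)
    write: * security property,      no write down (subject <= object)"""
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation: {op}")


def biba_allowed(subject, obj, op):
    """Biba (integrity): the mirror image of Bell-LaPadula.
    read : simple integrity axiom, no read down (subject <= object)
    write: * integrity axiom,      no write up  (subject >= object)"""
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation: {op}")


def strong_tranquility_violations(before, after):
    """Strong tranquility: no label changes while the system runs. Given two
    {object: Level} snapshots, return the objects whose label changed."""
    return sorted(name for name, lvl in before.items() if after.get(name) != lvl)


def access_table(model):
    """Every (subject, object, op) decision for a model, so the two models can
    be compared side by side: BLP 'read' and Biba 'write' use the same test."""
    return {(s.name, o.name, op): model(s, o, op)
            for s in Level for o in Level for op in ("read", "write")}


if __name__ == "__main__":
    for name, model in (("BLP", blp_allowed), ("Biba", biba_allowed)):
        print(name)
        for s in Level:
            cells = " ".join(
                f"{o.name[:6]:>6}:{'r' if model(s, o, 'read') else '-'}"
                f"{'w' if model(s, o, 'write') else '-'}" for o in Level)
            print(f"  subject {s.name:<13} {cells}")
```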

Clark-Wilson Model (INTEGRITY)

While the Bell-LaPadula and Biba models apply mostly to governmental bodies, Clark-Wilson applies better to enterprises.
Clark–Wilson effectively limits the capabilities of the subject. Clark–Wilson uses two primary concepts to ensure that security policy is enforced: well-formed transactions and separation of duties.

Subject → Transformation Procedure → Object

A transformation procedure (TP) is a well-formed transaction, and a constrained data item (CDI) is data that requires integrity. Unconstrained data items (UDIs) are data that do not require integrity. For each TP, an audit record is made and entered into the access control system. This provides both detective and recovery controls in case integrity is lost.
Clark–Wilson requires that users are authorized to access and modify data. It also requires that data is modified in only authorized ways.

Chinese Wall Model (Brewer and Nash) (INTEGRITY)

The Chinese Wall model is designed to avoid conflicts of interest by prohibiting one person, such as a consultant, from accessing multiple conflict of interest categories.

Conflict of Interest (CoI) should always remind you of the Chinese Wall model. The Chinese Wall model requires that CoIs be identified so that once a consultant gains access to one CoI, that person cannot read or write to an opposing CoI.
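A small Brewer-Nash monitor that builds the wall from each subject's own read history, as an added example that is not part of the original post. The company and CoI-class names are constructed; sanitized (public) data, which the full model exempts, is left out to keep the rules short.

```python
from collections import defaultdict


class ChineseWall:
    """coi_classes maps a conflict-of-interest class to the companies
    (datasets) inside it, e.g. {"banks": {"BankA", "BankB"}} (constructed)."""

    def __init__(self, coi_classes):
        self.coi_of = {company: coi
                       for coi, companies in coi_classes.items()
                       for company in companies}
        self.history = defaultdict(set)      # subject -> companies read so far

    def can_read(self, subject, company):
        """Simple security rule: reading `company` is allowed unless the subject
        has already read a different company in the same CoI class."""
        coi = self.coi_of[company]
        return not any(seen != company and self.coi_of[seen] == coi
                       for seen in self.history[subject])

    def read(self, subject, company):
        """Mediate a read and, if permitted, record it: the wall grows
        dynamically from what the subject has already seen."""
        if not self.can_read(subject, company):
            return False
        self.history[subject].add(company)
        return True

    def can_write(self, subject, company):
        """*-property: write to `company` only if the subject may read it and has
        read no other company at all; otherwise the written object could carry
        another company's data across the wall."""
        return (self.can_read(subject, company)
                and all(seen == company for seen in self.history[subject]))

    def wall_for(self, subject):
        """Companies currently closed to the subject: handy for explaining a denial."""
        return sorted(c for c in self.coi_of if not self.can_read(subject, c))


if __name__ == "__main__":
    cw = ChineseWall({"banks": {"BankA", "BankB"}, "oil": {"OilX", "OilY"}})
    for company in ("BankA", "BankB", "OilX"):
        print(f"alice reads {company}: {cw.read('alice', company)}"
              f"  wall now: {cw.wall_for('alice')}")
```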


The noninterference model ensures that data at different security domains remain separate from one another. By implementing this model, the organization can be assured that covert channel communication does not occur because the information cannot cross security boundaries.

Access control matrix

An access control matrix is a table defining what access permissions exist between specific subjects and objects.

Zachman Framework for Enterprise Architecture

The Zachman Framework for Enterprise Architecture provides a framework for providing information security, asking what, how, where, who, when, and why, and mapping those questions across roles, including planner, owner, designer, builder, programmer, and user.

Graham-Denning Model

The Graham-Denning Model has three parts: objects, subjects, and rules. It provides a more granular approach for interaction between subjects and objects. There are eight rules:
• R1. Transfer access
• R2. Grant access
• R3. Delete access
• R4. Read object
• R5. Create object
• R6. Destroy object
• R7. Create subject
• R8. Destroy subject

Harrison–Ruzzo–Ullman Model

The HRU model maps subjects, objects, and access rights to an access matrix. It is considered a variation of the Graham–Denning Model. HRU has six basic operations:
1. Create object.
2. Create subject.
3. Destroy subject.
4. Destroy object.
5. Enter right into access matrix.
6. Delete right from access matrix.
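An access matrix exposing exactly the six HRU primitives, with a reference-monitor style check() and one HRU "command" (a guarded sequence of primitives) built on top. This is an added example, not from the original post; the subject, object and right names used in it are constructed.

```python
class AccessMatrix:
    """Access matrix with the six HRU primitive operations. Every subject is
    also an object (a column), so rights over subjects can be recorded too."""

    def __init__(self):
        self.subjects = set()
        self.objects = set()
        self._rights = {}            # (subject, object) -> set of rights

    # --- the six HRU primitives -------------------------------------------
    def create_subject(self, s):
        if s in self.objects:
            raise ValueError(f"{s!r} already exists")
        self.subjects.add(s)
        self.objects.add(s)

    def create_object(self, o):
        if o in self.objects:
            raise ValueError(f"{o!r} already exists")
        self.objects.add(o)

    def destroy_subject(self, s):
        self.subjects.discard(s)
        self.destroy_object(s)       # removes both its row and its column

    def destroy_object(self, o):
        self.objects.discard(o)
        self._rights = {k: v for k, v in self._rights.items() if o not in k}

    def enter_right(self, r, s, o):
        if s not in self.subjects or o not in self.objects:
            raise KeyError("unknown subject or object")
        self._rights.setdefault((s, o), set()).add(r)

    def delete_right(self, r, s, o):
        self._rights.get((s, o), set()).discard(r)

    # --- the reference-monitor query --------------------------------------
    def check(self, s, o, r):
        """Does subject s hold right r on object o? Every access is decided here."""
        return r in self._rights.get((s, o), set())

    def row(self, s):
        """The subject's row of the matrix: {object: sorted rights}."""
        return {o: sorted(v) for (subj, o), v in self._rights.items()
                if subj == s and v}


def grant(matrix, owner, grantee, obj, right):
    """An HRU 'command': a condition on the matrix followed by primitives.
    `owner` may confer `right` on `obj` only while holding 'own' on it."""
    if not matrix.check(owner, obj, "own"):
        return False
    matrix.enter_right(right, grantee, obj)
    return True


if __name__ == "__main__":
    m = AccessMatrix()
    for s in ("alice", "bob"):
        m.create_subject(s)
    m.create_object("payroll.db")
    m.enter_right("own", "alice", "payroll.db")
    print("alice grants bob read:", grant(m, "alice", "bob", "payroll.db", "read"))
    print("bob grants alice write:", grant(m, "bob", "alice", "payroll.db", "write"))
    print("bob's row:", m.row("bob"))
```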


Trusted Computer System Evaluation Criteria (TCSEC, aka the Orange Book)


Additional levels, beyond those shown above, are:
• F-IN: High integrity requirements
• AV: High availability requirements
• DI: High integrity requirements for networks
• DC: High confidentiality requirements for networks
• DX: High integrity and confidentiality requirements for networks

Common Criteria

Target of evaluation (ToE)—the system or product that is being evaluated.
Security target (ST)—the documentation describing the ToE, including the security requirements and operational environment.
Protection profile (PP)—an independent set of security requirements and objectives for a specific category of products or systems, such as firewalls or intrusion detection systems.
Evaluation assurance level (EAL)—the evaluation score of the tested product or system.


The core principles of PCI-DSS are:
• Build and maintain a secure network.
• Protect cardholder data.
• Maintain a vulnerability management program.
• Implement strong access control measures.
• Regularly monitor and test networks.
• Maintain an information security policy.

Certification means a system has been certified to meet the security requirements of the data owner. Certification considers the system, the security measures taken to protect the system, and the residual risk represented by the system.

Accreditation is the data owner’s acceptance of the certification, and of the residual risk, required before the system is put into production.
