An important domain in one's quest to get CISSP certified is Security Architecture and Design.
This domain may seem irrelevant, unnecessarily detailed and boring for those who come from Network and network security operations background but I believe everyone will find very important and unnoticed stuff here.
This domain is very strongly related with Access Control domain and concepts like DAC, MAC, RBAC must be thorougly understood before starting.
I would suggest you to pay close attention to subjects such as Bell-LaPadula, Biba, Clark-Wilson and Chinese Wall models as well as the Evaluation Criteria such as TCSEC (aka The Orange Book) its European version ITSEC and Common Criteria.
I tried to resume as much as I can so do that I can make it readable but there are really too much small and important points to keep in mind.
Let's start.
SECURITY ARCHITECTURE AND
DESIGN
Security
Architecture and Design is a three-part domain. The first part covers the
hardware and software required to have a secure computer system, the second
part covers the logical models required to keep the system secure, and the
third part covers evaluation models that quantify how secure the system really
is.
SECURE SYSTEM DESIGN
CONCEPTS
Layering
Layering
separates hardware and software functionality into modular tiers. A generic
list of security architecture layers is as follows:
- Hardware
- Kernel
and device drivers
- Operating
system
- Applications
Abstraction
Abstraction
hides unnecessary details from the user. Complexity is the enemy of
security—the more complex a process is, the less secure it is.
Security domains
A security
domain is the list of objects a subject is allowed to access. More broadly
defined, domains are groups of subjects and objects with similar security
requirements. “Confidential,” “secret,” and “top secret” are three security
domains used by the U.S. DoD, for example. With respect to kernels, two domains
are user mode and kernel mode.
The Ring Model
The ring
model is a form of CPU hardware layering that separates and protects domains (such
as kernel mode and user mode) from each other. Many CPUs, such as the Intel x86
family, have four rings, ranging from ring 0 (kernel) to ring 3 (user). The
innermost ring is the most trusted, and each successive outer ring is less
trusted.
The rings
are (theoretically) used as follows:
- Ring
0—Kernel
- Ring
1—Other OS components that do not fit into ring 0
- Ring
2—Device drivers
- Ring
3—User applications
Processes
communicate between the rings via system calls, which allow processes to
communicate with the kernel and provide a window between the rings. A user
running a word processor in ring 3 presses “save,” and a system call is made into
ring 0, asking the kernel to save the file. The kernel does so and reports that
the file is saved. System calls are slow (compared to performing work
within one ring) but provide security. The ring model also provides
abstraction: The nitty-gritty details of saving the file are hidden from the
user, who simply presses the “save file” button.
While x86 CPUs have four rings and
can be used as described above, this usage is considered theoretical because
most x86 operating systems, including Linux and Windows, use rings 0 and 3
only. Using our
“save file” example with four rings, a call would be made from ring 3 to ring
2, then from ring 2 to ring 1, and finally from ring 1 to ring 0. This is
secure, but complex and slow, so most modern operating systems opt for
simplicity and speed.
A new mode called hypervisor mode (and informally
called “ring -1”) allows virtual guests to operate in ring 0, controlled by the
hypervisor one ring “below.
Open and closed systems
An open system uses open hardware and standards, using
standard components from a variety of vendors. An IBM-compatible PC is an open
system; you may build an IBM-compatible PC by purchasing components from a
multitude of vendors.
A closed system
uses proprietary hardware or software. (Such as Apple computers)
SECURE HARDWARE
ARCHITECTURE
The System Unit and
Motherboard
The system unit is the computer’s case: It contains
all of the internal electronic computer components, including motherboard,
internal disk drives, power supply, etc. The motherboard contains hardware,
including the CPU, memory slots, firmware, and peripheral slots such as PCI
slots.
The computer bus
A computer bus is the primary communication channel on
a computer system. Communication between the CPU, memory, and input/output
devices such as keyboard, mouse, display, etc., occur via the bus.
Northbridge and Southbridge
Some computer designs use two buses: a northbridge and
southbridge. The names derive from the visual design, usually shown with the
northbridge on top and the southbridge on the bottom. The northbridge, also
called the Memory Controller Hub (MCH), connects the CPU to RAM and video
memory. The southbridge, also called the I/O Controller Hub (ICH), connects
input/output (I/O) devices, such as disk, keyboard, mouse, CD drive, USB ports,
etc. The northbridge is directly connected to the CPU and is faster than the
southbridge.
The CPU
The arithmetic logic unit (ALU) performs mathematical calculations—it
computes. It is fed instructions by the control unit, which acts as a traffic
cop, sending instructions to the ALU.
CPUs fetch machine language instructions (such as “add
1 + 1”) and execute them (add the numbers, for answer of “2”). The fetch and
execute (also called fetch– decode–execute, or FDX) process actually takes four
steps:
1.
Fetch Instruction 1
2.
Decode Instruction 1
3.
Execute Instruction 1
4.
Write (save) result 1
These four steps take one clock cycle to complete.
Pipelining combines multiple steps into one
combined process, allowing simultaneous fetch, decode, execute, and write steps
for different instructions. Each part is called a pipeline stage; the pipeline
depth is the number of simultaneous stages which may be completed at once.
Given our previous fetch and execute example of adding
1ş1, a CPU without pipelining would
have to wait an entire cycle before performing another computation. A
four-stage pipeline can combine the stages of four other instructions:
1.
Fetch Instruction 1
2.
Fetch Instruction 2, Decode Instruction 1
3.
Fetch Instruction 3, Decode Instruction 2, Execute Instruction 1
4.
Fetch Instruction 4, Decode Instruction 3, Execute Instruction 2, Write (save) result
1
5.
Fetch Instruction 5, Decode Instruction 4, Execute Instruction 3, Write (save) result
2,
An interrupt
indicates that an asynchronous event has occurred. CPU interrupts are a form of
hardware interrupt that cause the CPU to stop processing its current task, save
the state, and begin processing a new request. When the new task is complete, the
CPU will complete the prior task.
A process
is an executable program and its associated data loaded and running in memory.
A heavy-weight process (HWP) is also called a task. A parent process may spawn
additional child processes called threads. A thread is a light-weight process (LWP).
Applications run as processes in memory, comprised of
executable code and data. Multitasking
allows multiple tasks (heavy weight processes) to run simultaneously
on one CPU. Older and simpler
operating systems, such as MS-DOS, are non-multitasking; they run one process
at a time. Most modern operating systems, such as Linux and Windows XP, support
multitasking.
Multiprocessing has a fundamental difference from
multitasking in that it runs multiple processes on multiple CPUs.
A watchdog
timer is designed to recover a system by rebooting after critical processes
hang or crash. The watchdog timer reboots the system when it reaches zero; critical
operating system processes continually reset the timer, so it never reaches zero
as long as they are running. If a critical process hangs or crashes, they no
longer reset the watchdog timer, which reaches zero, and the system reboots.
Complex instruction set computer (CISC) and reduced
instruction set computer (RISC) are two forms of CPU design. CISC uses a large
set of complex machine language instructions, while RISC uses a reduced set of
simpler instructions. X86 CPUs (among many others) are CISC; ARM (used in many
cell phones and PDAs), PowerPC, Sparc, and others are RISC.
Cache memory is the fastest memory on the system, required to keep up with the CPU as
it fetches and executes instructions. The data most frequently used by the CPU
is stored in cache memory. The fastest portion of the CPU cache is the register
file, which contains multiple registers. Registers
are small storage locations used by the CPU to store instructions and data. The next fastest form of cache memory is
Level 1 cache, located on the CPU itself. Finally, Level 2 cache is
connected to (but outside) the CPU. Static random access memory (SRAM) is used
for cache memory.
As a general rule, the memory
closest to the CPU (cache memory) is the fastest and most expensive memory in a
computer. As you move away from the CPU, from SRAM, to DRAM, to disk, to tape,
etc., the memory becomes slower and less expensive.
RAM and ROM
RAM is volatile memory used to hold instructions and
data of currently running programs. It loses integrity after loss of power. RAM
memory modules are installed into slots on the computer motherboard. Read-only
memory (ROM) is nonvolatile: Data stored in ROM maintains integrity after loss
of power. The basic input/output system (BIOS) firmware is stored in ROM.
DRAM and SRAM
Static random access memory (SRAM) is expensive and
fast memory that uses small latches called “flip-flops” to store bits. Dynamic
random access memory (DRAM) stores bits in small capacitors (like small
batteries) and is slower and cheaper.
Values
may be stored in multiple locations in memory, including CPU registers and in
general RAM. These values may be addressed directly (“add the value stored here”)
or indirectly (“add the value stored in memory location referenced here”).
Indirect addressing is like a pointer.
Register
direct addressing is the same as direct addressing, except it references a CPU
cache register, such as Register 1.
Memory protection prevents one process from
affecting the confidentiality, integrity, or availability of another. This is a
requirement for secure multiuser (more than one user logged in simultaneously)
and multitasking (more than one process running simultaneously) systems.
Process isolation is a logical control that attempts
to prevent one process from interfering with another. This is a common feature
among multiuser operating systems such as Linux, UNIX, or recent Microsoft
Windows operating systems. Older operating systems such as MS-DOS provide no
process isolation. A lack of process isolation means a crash in any MS-DOS
application could crash the entire system.
Hardware segmentation takes process isolation one step
further by mapping processes to specific memory locations. This provides more
security than (logical) process isolation alone.
Virtual memory provides virtual address mapping
between applications and hardware memory. Virtual memory provides many
functions, including multitasking (multiple tasks executing at once on one
CPU), allowing multiple processes to access the same shared library in memory,
swapping, and others.
Swapping uses virtual memory to copy
contents in primary memory (RAM) to or from secondary memory (not directly
addressable by the CPU, on disk). Swap space is often a dedicated disk
partition that is used to extend the amount of available memory. If the kernel
attempts to access a page (a fixed-length block of memory) stored in swap
space, a page fault occurs (an error that means the page is not located in
RAM), and the page is “swapped” from disk to RAM.
Swapping and paging are often used interchangeably,
but there is a slight difference. Paging
copies a block of memory to or from disk, while swapping copies an entire
process to or from disk.
Swap is designed as a protective measure to handle
occasional bursts of memory usage. Systems should not routinely use large
amounts of swap; in that case, physical memory should be added or processes
should be removed, moved to another system, or shortened.
Firmware
Flash
(EEPROM, faster than regular EEPROM, slower than disks)
BIOS
WORM storage
Write once, read many (WORM) storage can be written to
once and read many times. It is often used to support records retention for
legal or regulatory compliance. The most common type of WORM media is Compact
Disc–Recordable (CD-R) and Digital Versatile Disk–Recordable (DVD-R). Note that
CD-RW and DVD-RW (Read/Write) are not WORM media.
SECURE OPERATING SYSTEM
AND SOFTWARE ARCHITECTURE
The Kernel
The kernel is the heart of the operating system, which
usually runs in ring 0. Kernels have two basic designs: monolithic and
microkernel. Monolithic kernel is not modular and compiled only once when the
computer is turned on thus does not detect hardware changes once computer
already booted. Microkernel is modular and can call drivers on demand.
Reference Monitor
Reference Monitor mediates all access between
subjects and objects. It enforces the system’s security policy, such as
preventing a normal user from writing to a restricted file, such as the system
password file. The reference monitor is always enabled and cannot be bypassed.
Users and file
permissions
Unix/Linux
Windows
Privileged Programs
Setuid is a Linux and UNIX file
permission that makes an executable run with the permissions of the file’s
owner, and not as the running user. Setgid
(set group ID) programs run with the permissions of the file’s group.
The passwd program runs as root, allowing users to
change their passwords and thus the contents of /etc/passwd and /etc/shadow.
The activities of these commands must be controlled
with close attention.
VIRTUALIZATION AND
DISTRIBUTED COMPUTING
Virtualization
The key to virtualization security is the hypervisor,
which controls access between virtual guests and host hardware. A Type 1
hypervisor (also called bare metal) is part of an operating system that runs
directly on host hardware. A Type 2 hypervisor runs as an application on a
normal operating system, such as Windows 7; for example, VMWare ESX is a Type 1
hypervisor, and VMWare Workstation is Type 2.
Many network-based security tools, such as network
intrusion detection systems (NIDS), can be blinded by virtualization. A
traditional NIDS connected to a physical SPAN port or tap cannot see traffic
passing from one guest to another on the same host. NIDS vendors are beginning
to offer virtual IDS products, running in software on the host and capable of
inspecting host–guest and guest–guest traffic.
Cloud Computing
A concern about cloud computing is multiple
organizations’ guests running on the same host. The compromise of one cloud
customer could lead to the compromise of other customers.
Also, many cloud providers offer preconfigured system
images, which may introduce risks via insecure configuration.
Finally, do you know where your data is? Public clouds
may potentially move data to any country, potentially beyond the jurisdiction
of the organization’s home country. Some laws forbid the storage of critical
information such as PII abroad.
SYSTEM VULNERABILITIES,
THREATS, AND COUNTERMEASURES
Emanations are energy that escapes an
electronic system, and which may be remotely monitored under certain
circumstances.
A covert
channel is any communication that violates security policy. The
communication channel used by malware installed on a system that locates
personally identifiable information (PII) such as credit card information and
sends it to a malicious server is an example of a covert channel.
Buffer overflows can occur when a programmer fails
to perform bounds checking.
Time of check, time of use (TOCTOU) attacks are also called race conditions. An
attacker attempts to alter a condition after it has been checked by the
operating system, but before it is used. TOCTOU is an example of a state
attack, where the attacker capitalizes on a change in operating system state.
Here is pseudocode for a
setuid root program (runs with super user privileges, regardless of the running
user) called “open test file” that contains a race condition:
1. If the file “test” is readable by the user
2. Then open the file “test”
3. Else print “Error: cannot open file.”
The race condition
occurs between steps 1 and 2. Remember that most modern computers are
multitasking; the CPU executes multiple processes at once. Other processes are
running while our “open test file” program is running. In other words, the computer
may run our program like this:
1. If
the file “test” is readable by the user
2. Run
another process
3. Run
another process
4. Then
open the file “test”
A successful attack may
place some commands between the first and the fourth steps and execute harmful
commands.
A backdoor is a shortcut in a system that allows a user to bypass
security checks (such as username/password authentication) to log in.
Malicious code (or malware) is the generic term for any type
of software that attacks an application or system.
Zero-day exploits are malicious code (a threat) for which there
is no vendor-supplied patch (meaning there is an unpatched vulnerability).
Computer viruses are malware that does not spread
automatically; they require a carrier.
Worms are
malware that self-propagates (spreads independently).
A trojan (also called a Trojan horse) is
malware that performs two functions: one benign (such as a game) and one
malicious.
A rootkit is malware which replaces
portions of the kernel and/or operating system.
A logic bomb is a malicious program that
is triggered when a logical condition is met, such as after a number of
transactions have been processed or on a specific date (also called a time bomb).
Packers
provide runtime compression of executables. The original exe is compressed, and
a small executable decompresser is prepended to the exe. Upon execution, the
decompresser unpacks the compressed executable machine code and runs it.
Packers are a neutral technology that is used to shrink the size of
executables.
Server-side attacks (also called service-side
attacks) are launched directly from an attacker (the
client) to a listening service.
Client-side attacks occur when a user downloads malicious content.
Applets are
small pieces of mobile code that are embedded in other software such as Web
browsers.
Java applets run
in a sandbox, which segregates the code from the operating system. The sandbox
is designed to prevent an attacker who is able to compromise a Java applet from
accessing system files, such as the password file. Code that runs in the
sandbox must be self-sufficient; it cannot rely on operating system files that
exist outside the sandbox.
ActiveX controls are the functional equivalent of Java applets. They
use digital certificates instead of a sandbox to provide security. ActiveX
controls are tied more closely to the operating system, allowing functionality
such as installing patches via Windows Update. Unlike Java, ActiveX is a
Microsoft technology that works on Microsoft Windows operating systems only.
The Open Web Application
Security Project represents one of the best application security resources.
OWASP provides a tremendous number
of free resources dedicated to improving organizations’ application security
posture. One of their best-known projects is the OWASP Top 10 project, which
provides consensus guidance on what are considered to be the ten most
significant application security risks.
Service-Oriented Architecture (SOA) attempts to reduce application architecture
down to a functional unit of a service. SOA is intended to allow multiple
heterogeneous applications to be consumers of services. The service can be used
and reused throughout an organization rather than built within each individual
application that needs the functionality offered by the service.
Data mining searches large amounts of data to determine
patterns that would otherwise get lost in the noise.
The primary
countermeasure to mitigate the attacks described in the previous section is
defense
in depth: multiple overlapping controls spanning across
multiple domains, which enhance and support each other. Any one control may
fail, but defense in depth (also called layered defense) mitigates this issue.
SECURITY MODELS
Read Down,
Write Up concepts apply to Mandatory Access Control models.
Bell-LaPadula Model
(CONFIDENTIALITY)
- Simple Security Property : No Read
UP, NRU
- Security Property : No
Write Down, NRW
- The
Strong Tranquility Property
states that security labels will not change while the system is operating. The Weak Tranquility Property states
that security labels will not change in a way that conflicts with defined
security properties.
BIBA Model (INTEGRITY)
- Simple Integrity Axiom : No Read
Down, NRD
- * Integrity Axiom : No Write Up, NWU
Clark-Wilson Model
(INTEGRITY)
While
Bell-LaPadula and Biba models apply mostly governmental bodies, Clark-Wilson
better applies to enterprises.
Clark–Wilson
effectively limits the capabilities of the subject. Clark–Wilson uses two
primary concepts to ensure that security policy is enforced; well-formed transactions and separation of duties.
Subject à Transformation Procedure àObject
A
transformation procedure (TP) is a well formed transaction, and a constrained
data item (CDI) is data that requires integrity. Unconstrained data items
(UDIs) are data that do not require integrity. For each TP, an audit record is
made and entered into the access control system. This provides both detective and recovery controls
in case integrity is lost.
Clark–Wilson requires that users are authorized to access and
modify data. It also requires that data is modified in only authorized ways.
Chinese Wall Model (Brewer
and Nash)(INTEGRITY)
The
Chinese Wall model is designed to avoid conflicts of interest by prohibiting
one person, such as a consultant, from accessing multiple conflict of interest
categories.
Conflict of Interest (CoI) should always remind Chinese Wall Model. The
Chinese Wall model requires that CoIs be identified so that once a consultant
gains access to one CoI, that person cannot read or write to an opposing CoI.
Noninterference
The
noninterference model ensures that data at different security domains remain
separate from one another. By implementing this model, the organization can be
assured that covert channel communication does not occur because the
information cannot cross security boundaries.
Access control matrix
An
access control matrix is a table defining what access permissions exist between
specific subjects and objects.
Zachman Framework for
Enterprise Architecture
The
Zachman Framework for Enterprise Architecture provides a framework for
providing information security, asking what, how, where, who, when, and why and
mapping those frameworks across rules, including planner, owner, designer, builder,
programmer, and user.
Graham-Denning Model
The Graham-Denning
Model has three parts: objects, subjects,
and rules. It provides a more granular approach for interaction between
subjects and objects. There are eight rules:
• R1.
Transfer access
• R2. Grant
access
• R3. Delete
access
• R4. Read
object
• R5. Create
object
• R6.
Destroy object
• R7. Create
subject
• R8.
Destroy subject
Harrison–Ruzzo–Ullman
Model
HRU model maps subjects, objects,
and access rights to an access matrix. It is considered a variation to the Graham–Denning Model. HRU has
six basic operations:
1. Create object.
2. Create subject.
3. Destroy subject.
4. Destroy object.
5. Enter right into access matrix.
6. Delete right from access matrix.
EVALUATION METHODS,
CERTIFICATION, AND ACCREDITATION
Trusted Computer System
Evaluation Criteria (TCSEC, aka the Orange Book)
ITSEC
Additional
levels to the above shown levels are:
•
F-IN: High integrity requirements
• AV:
High availability requirements
• DI:
High integrity requirements for networks
• DC:
High confidentiality requirements for networks
• DX:
High integrity and confidentiality requirements for networks
Common Criteria
Target of evaluation (ToE)—the system or product that is being evaluated.
Security target (ST)—the documentation describing the ToE, including
the security requirements and operational environment.
Protection profile (PP)—an independent set of security requirements and
objectives for a specific category of products or systems, such as firewalls or
intrusion detection systems.
Evaluation assurance level (EAL)—the evaluation score of the tested product or
system.
PCI-DSS
The
core principles of PCI-DSS are:
• Build and maintain a
secure network.
• Protect cardholder
data.
• Maintain a
vulnerability management program.
• Implement strong
access control measures.
• Regularly monitor and
test networks.
• Maintain an
information security policy.
Certification means a system has been certified to meet the
security requirements of the data owner. Certification considers the system,
the security measures taken to protect the system, and the residual risk
represented by the system.
Accreditation is the data owner’s acceptance of the certification,
and of the residual risk, required before the system is put into production.
