交大慧谷培训中心 内部资料,仅供参考
信是发生。如,user mode与privileged mode之间。 3) Memory protect:compartmentalizing into discreet units 4) I/O operation
32. Security Perimeter:可信与不可信间的(TCB里外)imaginary boundary,TCB内外
不能直接通讯,需要用interface进行interact。
33. reference monitor引用监视器,ensure subject有足够的权限访问object,防止object
被未授权访问。是一个访问控制的concept,不是物理存在的是,而是一个abstract machine,是靠security kernel来执行的。
34. security kernel安全内核,是所有subject和object之间访问的中介。是TCB的core。
security kernel由这些构成:Software, hardware, and firmware
Reference monitor=law Threat=individual Kernel=society
---引用监视器是主、客体之间的访问中介,安全内核是引用监视器的执行机制
3.4 安全模型
A security policy outlines goals without regard to how they will be accomplished. A model is a framework that gives the policy form and solves security access problems for particular situations.
35. 安全策略是目标,安全模型是具体的步骤step。Formal正式模型:Bell-LaPadula 模
型,增强机密性Confidentiallty。Biba模型,增强完整性Integrity。informal非正式模型,Clar-Wilson
36. formal模型需要更多的时间,更严格一些常适用在spacecraft,railway signaling military
等要求严格的地方。Informal时间短,更快速。 37. 状态机模型(state machine):一个时刻的snapshot,一个状态到另外一个状态的改变
需要OS知道和允许。任何不安全的事件发生,系统都将强制imperative保护自己,Change to a more secure state a) 首先需要定义state variables
b) 然后为每个state variables定义安全的状态 c) 定义允许的allowable状态改变
38. Bell-LaPadula,基于状态机,formal mode,主要目标是保护secret信息不被未授权访
问,提供confidentiality但不提供integrity,第一个multilevel security system多层安全模型(也是一个信息流的安全模型),有访问矩阵operation(read、write and read/write)。MAC是基于Bell_LaPadula,军方使用
a) Simple rules:不能读比自己高的,no read up,可以read down
b) *-property rule:(star property rule),不能写比自己低的,no write down c) Strong star property rule:相同等级才能读写 d) 如果可以读,则自己比目标高或者相等。 39. Biba,在Bell-LaPadula之后,状态机,考虑完整性不关注confidentiality,informational
flow models
a) Simple integrity axiom:no read down。 b) *-integrity axiom:no write up
- 21 -
交大慧谷培训中心 内部资料,仅供参考
――*/star规则是写,simple是读,strong是读写;Bell-LaPadula是simple security rule(no read up);Biba是simple integrate rule(no read down) 40. Clark-Wilson,完整性,CDIs完整性要求更高,用户只能通过TPs对其进行操作;UDIs
要求相对低,可以一般用户read & write。IVP保证maintain完整性,对CDI的改变进行检测。subject (user)- program (TP)-object (CDI). separation of duties and well formed
41. 3个完整性目标:biba只提供第一条,clark满足全部
a) 防止未授权的修改
b) 防止已授权但不适当的修改 c) 保持内外一致(IVP实现)。Consistency d) Clark-wilson提供的功能:
42. Information flow model:Bell-LaPadula基于机密性划分,biba基于完整性划分,Chinese
Wall都是基于信息流 a) covert channel:产品漏洞Oversight;不适合的访问控制策略;共享资源;中Trojan
木马;ICMP中发送data,Loki。unintended communication两种:
- 22 -
交大慧谷培训中心 内部资料,仅供参考
43.
44. 45. 46.
conver timing channel:morse
conver storage channel:a higher-level subject writes data to a storage area and a lower-level subject reads it
b) Countermeasures:In the Orange Book,B2以上才addressed。
noninterfere:非干涉模型,互相不影响,不是基于信息流的,可能存在convert channel,inference attack(Tom编写一个发送给Russia的东西的文件,一小时后想再打开,但安全等级提升了Tom就没有权限了,但他可以推断)
lattice,格子模式,least upper & greatest lower(上、下界)。Read-no write,write-read,access-no access
Brewer and Nash Model:Chinese Wall,基于信息流,动态改变access control Graham-Denning Model:怎么创建和删除subject和object。
i. ii.
3.5 运行的安全模式security modes of operation
47. Dedicated Security Mode专注安全模型:只处理一种安全级别,要有最高的安全等级。
所有用户能访问所有data。The system can handle a single classification level of information. 常用在military。Need to know all
48. System High-Security Mode系统高安全模式:所有用户能访问一些数据,基于他们的
need to know some。类似于专注安全模型,但subject只能访问some object。 49. compartmented security mode间隔安全模式:没有need to know some,能访问some
数据
50. Multilevel Security Mode多层安全模型,能访问一些数据,能同时处理多个等级的访
问。系统可以同时at the same time(simultaneously)处理多个安全等级的不同多种分类信息,Bell-LaPadula就是此种。Need to know some
51. guard:对不同级别之间的通信进行过滤。前面的Layer类似功能
52. Trust and Assurance信任和保险:the orange book=TCSEC(Trusted Computer
Security Evaluation,是橘色)
3.6 Systems Evaluation Methods
TCSEC was introduced in 1985 and retired in December 2000. TCSEC was finally replaced with the Common Criteria.
53. Orange Book, 也称为Trusted Computer System Evaluation Criteria (TCSEC),更好用
于军方和政府。关注OS安全,不考虑网络,数据库等;关注机密性confidentiality,不关注完整性和可用性;对通过授权用户的非法使用不关注。TCB来自于橘皮书the orange book,它并非声明了安全等级,而是可信级别。It was the first evaluation criteria and was used for 20 years.
1) A < B3 < B2 < B1 < C2 < C1 < D 2) A Verified protection效验保护
a) A1,效验verify,保险assurance比B3更高。 3) B Mandatory protection强制保护:
a) label,MAC,bell-Lapadula 模型,引用监视器(访问控制机制) b) B1,标签label(从此开始有label)
- 23 -
交大慧谷培训中心 内部资料,仅供参考
54. 55. 56.
57.
c) B2,结构化structured,不允许有covert channel d) B3,安全域domain,定义security administrator 4) C Discretionary protection任意保护:DAC
a) C1,任意/自主安全保护discretionaryDAC,提出执行域
b) C2,受控访问control, 有auditing functionality(accountability),商业应用 5) D Minimal security最小安全
Rainbow Series:是橘皮书的扩展完善。
Red Book(也称为Trusted Network Interpretation (TNI)):网络和网络组件,机密性confidentiality、完整性integrity,通信完整性、防止Dos、入侵保护。
ITSEC,TCSEC欧洲标准,orange & rainbow book is USA。TCSEC的功能和保险是一个rate,ITSEC是分成两个attribute(functionality and assurance)。ITSEC关注CIA和网络,TCSEC只关注机密性和单系统。评级中的F1-F10是功能性,E0-E6是保险度。 CC,EAL7>...>EAL1,针对产品的,新版本需要重新进行evaluate。CC关键是protection profile,A protection profile contains the following five sections(Descriptive elements, Rationale, Functional requirements, Development assurance requirements, Evaluation assurance requirements)
58. certification & accreditation:有了前面的评估,现在就需要进行认证和认可
accreditation。认证是技术评价,accreditation是管理层。The goal of a certification process is to ensure that a system, product, or network is right for the customer’s purposes. 管理层理解能提供的保护等级和带来的risk。这个工作也需要cycle。 59. closed system more than open system in security.
3.7 A Few Threats to Security Models and
Architectures
60. Maintenance hooks,维护后门。HIDS、审计、加密。厂商patch 61. Asynchronous attack,time-of-check/time-of-use attack(TOC/TOU):race condition
is an attack in which an attacker makes processes execute out of sequence to control the result. A TOC/TOU attack is when an attacker jumps in between two tasks and modifies something to control the result.
a) Race condition:两个process执行,需要同一个资源,改变process的执行顺序 b) TOC/TOU attack:在两个process插入hacker的东西。
- 24 -
交大慧谷培训中心 内部资料,仅供参考
c) Countermeasures:对于race condition,则to not split up critical tasks;对于
TOC/TOU,则将先执行的process lock起来,不让其他人更改。
62. Buffer overflows,厂商patch/hotfix,程序开发时注意,进行bounds checking。
63. Disclosure of residual data:If an operating system allows sequential use of an object
without refreshing it,what security issue can arise?
- 25 -