Tuesday, October 29, 2013

Session Layer

The session layer is right below the presentation layer in the OSI model. The session layer's responsibilities are centered around allowing applications on different systems to communicate with one another. When an application on one system needs to speak to another, a session must be established. Once a session has been established, the applications are able to freely share data. The session layer provides the functionality of establishing, maintaining, and removing the session. Once the conversation is over, the session layer will remove the session and release any resources it was using. A similar analogy is making a phone call. If I want to speak with you I will call your phone to initiate a session. Once you answer the session is active. We can then talk back and forth. At the end of the conversation we hang up and the resources that were committed to our session are now released for others to use. This is known as dialog management.

When the session layer sets up the connection, there are three types of connection it may use. Each affects how data will flow from one machine to the other. These modes are:

  • Simplex - Communication takes place in one direction
  • Half-duplex - Communication takes place in both directions, but only one application can send information at a time
  • Full-duplex - Communication takes place in both directions, and both applications are able to send information simultaneously
It may seem like it would make the most sense to just always have a full-duplex connection because this would allow both applications to easily communicate, but this isn't the case. In computing we always have to be mindful of the resources we are consuming, so if we can manage with less it's best to do so. A simplex connection requires less overhead and is perfect for any operation where only one system needs to be able to send information. Similarly, half-duplex is great for if each system only needs to periodically update one another.

There is often times confusion about how the session layer is different from the transport layer. The transport layer is responsible for establishing and controlling connections between systems. This is very similar, but the difference is the level they work at. The transport layer is concerned with computer to computer communication, while the session layer is concerned with application to application communication.

Some protocols that function at this level include Structured Query Language (SQL), NetBIOS, and remote procedure call (RPC).

Monday, October 28, 2013

Presentation Layer

Layer 6 of the OSI model is the presentation layer. This layer works right below the application layer and is primarily responsible for putting data given to it by the application layer into a format that other computers using the OSI model can understand. It provides a common way for systems to display and use information despite what application the user may be using on their system. For instance, suppose that Jack creates a document on a Windows machine using Microsoft Word. He then wants to send this file to Jane who uses uses Open Office instead of Word. To achieve this, the application layer passes the file on to the presentation layer which decides the proper way to encode it; in this case, it chooses American Standard Code for Information Interchange. The message continues to move down through the other layers, across the wire, and up through the model on the end system. When the presentation layer on Jane's machine receives the message it looks at the headers placed by Jack's system. It sees that the information is in ASCII format and tells the application layer which decides what program is appropriate for opening this type of file.

The presentation layer is focused solely on the syntax and format of the data and pays no attention to the meaning of any of the data. It translates the format that an application uses to a standard format that is used when transferring information over a network. When a program saves a file, such as an image, a format must be specified, such as GIF, or JPEG. The presentation layer adds information to the file that tells the computer how to display the file and process it. This way if the file is later sent, the receiving computer will also have instructions on how to properly display the file.

The presentation layer is also responsible for compression and encryption of files. If a compressed or encrypted file is to be sent over a network, the presentation layer will write information about how it is compressed of encrypted to the header of the packet. Again, this tells the receiving system's presentation layer what process was used to compress or encrypt the file and it can pass that information on to the application layer. In the event that the receiving system doesn't know that compression algorithm or file format, the file will be displayed with an unassociated icon.

Sunday, October 27, 2013

Application Layer

The application layer is not the applications a user runs on their system. Rather, this layer is made up of protocols that support these applications. When a user is performing some action with an application and then wants to send this data as a message, application layer protocols are called on to package the data (using headers and footers) and pass the data on to the next layer (in this case, the presentation layer). The message will continue to move down the OSI model as each layer performs its duties on the message, until it eventually reaches the target system and moves in reverse through the model. When the target system's application layer receives the message, it looks at the headers and footers that were placed there by the user's application layer and processes the data in the correct manner.

As another example, say you want to mail a letter to your friend. You write the letter and hand it to me, the application layer. I take the message and put it in an envelope and pass it on to the other layers which will eventually add the address and name of the recipient. When the recipient receives the letter, she removes the envelope (strips off the headers and footers) and is presented with your message. This is similar to how the application layer functions.

Some protocols that function at this layer include Simple Mail Transfer Protocol (SMTP), Hypertext Transfer Protocol (HTTP), Line Printer Daemon (LPD), File Transfer Protocol (FTP), Telnet, and Trivial File Transfer Protocol (TFTP). Each of these has an application programming interface (API) that defines how they can be called by an application. When an application, such as a mail client, wants to send a message it will call on a protocol; in this case, SMTP. The API of SMTP says how the information must be presented to the protocol for it to do its job. After the mail client makes a call to the SMTP API, SMTP adds its information to the user's message and passes it on to the presentation layer.

OSI Model

The OSI model was developed by the ISO in an attempt to standardize the way in which systems communicate across networks. The hope was to create a standard protocol set which would allow the product of any vendor to be able to network with other vendor's products. While the protocol set did not catch on, the model did. At the time of the OSI model's creation, the TCP/IP protocol suite was already in place as a widely used networking protocol. While TCP/IP has it's own model which is still commonly used today when examining and understanding networking issues, the protocol suite has become an integral part of the OSI model.

The OSI model is made up of seven layers. Each layer represents a different step in communicating over a network. At each layer, there are a set of protocols that operate to achieve that layer's responsibility. The objective of the OSI model is to outline how the protocols at each layer need to function so that they can work with systems that may be developed by other vendors. This concept is known as an open network. An open network architecture is one that no vendor owns, and if implemented, it provides a standard way of operating. It is this open network design that lets a computer that uses an Intel processor communicate with another that uses AMD.

The seven layers of the OSI model, moving from the top to the bottom are: Application, Presentation, Session, Transport, Network, Data link, and Physical. Each layer has a different function when creating a
message to be sent over a network. When a system needs to create a message to send, it begins at the top of the model and works down. Each layer adds information to the message as it travels down the model. At each stop the message grows in size. When the receiving system gets the message, the message moves in reverse up the model. As it moves up the model, each layer removes the information that was added by it's counterpart layer on the other system. Once each layer removes the data that pertains to it, it passes the message on to the next layer. This process where layers and protocols communicate with their counterparts across systems is known as encapsulation. Encapsulation is based on the idea that a layer only needs to know how to do it's job and how to pass the message on to the next layer. The session layer is not concerned with how the physical layer is going to put the electrical signals onto the wire, and vice versa.

Each layer has different responsibilities and functions it performs, as well as a format it expects the message to be in. Each layer also has a connection point, or interface, that allows it to communicate with three other layers: 1) the layer above it, 2) the layer below it, and 3) the same layer on the target machine. A layer provides control functions by adding information to the message in the form of headers and footers on the data packet. This tells the corresponding layer on the target machine how the message is to be handled.

The benefit of encapsulating the responsibilities of these layers is it allows products from different vendors to work together within the single model in a predictable manner. If a vendor designs a protocol for the session layer that is based on the OSI model, other vendors, and consumers, can be certain it will function properly with other open system protocols.

Wednesday, October 23, 2013

Surveillance Devices

Visual recording devices can play an important part in physical security. Their presence can discourage would be attackers, provide the ability for one person or system to monitor multiple areas simultaneously, and provide a log of events for an area. A commonly used system is closed-circuit TV (CCTV).

CCTV systems are made up of cameras, transmitters, receivers, and monitors. The camera captures the data and transmits it to a receiver which then displays the data on a monitor. Today's systems surpass older models that only allowed one feed to be displayed on a monitor at a time. Today, a monitor can show feeds from multiple cameras so that a security guard can see more than one environment simultaneously. Data captured by the camera is also often recorded on a drive for record and later review. Most modern CCTV cameras today also use light-sensitive chips call charged-coupled devices. This chips are what convert the light received into electrical signals. What makes the chips advanced is that they include infrared light which is normally beyond the scope of human eyesight. This allows for more granularity and detail in the resulting image.

An important consideration for CCTV cameras is what type of lens will you need. There are two main types used: fixed focal length and zoom (varifocal). The focal length affects how objects are viewed on a horizontal and vertical basis. Short focal length lenses provide a wider-angle view, while long focal length lenses provide a more narrow view. This angle determines what size the images seen by the camera will be and how much of an area the camera can view. So if you want to be able to monitor a wide area at once, a short focal length lens is most appropriate. If the camera is installed in a smaller area, a long focal length lens is best. A fixed focal length lens comes in a size such as wide or narrow and is stationery. A zoom lens is adjustable, however, and can be used to view something closer and will refocus.

The next characteristic of lenses is depth of field. Depth of field refers to what portion of the image is in focus when shown on the monitor. Depth of field is affected by the size of the lens opening, the distance of the subject, and the focal length of the lens. The depth of field increases as the size of the lens opening increases, the subject distance increases, or the focal length decreases.

Lighting also plays an important role in CCTV. Cameras have an iris lens which controls how much light enters the camera. A manual iris lens has to be adjusted manually and is best suited for an environment with a steady light supply. An auto iris lens has the ability to self adjust as the environment light changes such as outside.

The last consideration is that of mounting. A fixed mounting is stationery and cannot move in response to security personnel commands, whereas a camera with PTZ capabilities provides pan, tilt, and zoom features.

As you can see, there are many considerations for installing a CCTV system. To get the best results, a thorough assessment of the environment and needs of the organization should be done. CCTV systems can become very expensive quickly so it is important to prioritize what features are needed where.

Fire Detection and Suppression

Fire can be one of the most damaging physical events. Damage to systems, buildings, and people can cost a company great deals and be a tragedy. Because of this it's very important that fire safety be taken seriously. It's also why regulations exist that ensure a minimum amount of protection against fire. This post will discuss the different technologies used for fire detection and suppression. Equally important is fire prevention which includes proper training and ensuring the correct supplies are accessible in case of emergency, though this will not be discussed.


Fire detection

Fire detection systems come in two base varieties, manual and automatic. Manual systems are the red pull boxes that many people are familiar with. These systems are activated by a person once a fire is detected. Automatic systems are able to sense heat or smoke in a variety of ways. When a fire is detected the system will sound an alarm before triggering a suppression system.

A common type of smoke detector uses a photoelectric device to test the air for smoke. In one variety, a beam of light originates at an emitter and ends at a receiver. The system monitors the intensity of the light and sounds an alarm if the light becomes obscured. Another variety draws in air surrounding the detector and tests the air quality with a photoelectric device.

Heat activated systems monitor the temperature of the environment and watch for noticeable changes. These systems can be set to sound an alarm if a certain temperature is reached (fixed temperature) or if the rate of change exceeds a predefined limit (rate-of-rise). Rate-of-rise systems can provide an earlier alarm than fixed temperature systems but can also be the source of more false alarms.

It is important that fire detection devices be installed in all the proper areas and not just in obvious places like offices and hallways. Many office buildings have dropped ceilings and raised floors where wiring is ran. There should be detection devices installed in both of these to ensure an early alert in case of an emergency. Additionally, smoke or heat can often gather in ventilation systems before being dispersed to the surrounding areas, so there should be detection devices installed in these areas as well.

Fire suppression

Not all fire is equal. There are four types of fire and each requires a certain type of suppression device. Use the wrong one, and you could end up making the fire bigger/stronger rather than extinguishing it. The table below summarizes the classes of fire and the appropriate suppression method.
Fire Class Type of Fire Elements of Fire Suppression Method
A Common combustible Wood products, paper, and laminates Water, foam
B Liquid Petroleum products and coolants Gas, CO₂, foam, dry powders
C Electrical Electrical equipment and wires Gas, CO₂, dry powders
D Combustible metals Magnesium, sodium, potassium Dry powder
Foams are mainly water-based and are designed to float on top of a fire and prevent any oxygen from flowing to it. Gas, such as halon or FM-200, mixes with the fire to extinguish it and is not harmful to computer equipment. Halon has been found to damage the atmosphere, however, and is no longer produced. CO₂ gas removes the oxygen from the air to suppress the fire. It is important that if CO₂ is used there be an adequate warning time before disbursement. Because it removes the oxygen from the air it could potentially endanger people's lives. CO₂ is often used in unmanned facilities for this reason. Dry powders include sodium or potassium bicarbonate, calcium carbonate, or monoammonium phosphate. The first three interrupt the combustion of a fire, and monoammonium phosphate melts at a low temperature and smothers the fire.

Water sprinkler systems are much simpler to install than any of the above systems but can cause damage to computer and electrical systems. It's important that an organization recognize which areas require which types of suppression systems. If water is to be used in an environment that contains electrical components, it's important that the electricity be shut off first. Systems can be configured to shut off all electrical equipment before water is released. There are four main types of water systems:

  • Wet pipe - Wet pipe systems always contain water within the pipe and are usually controlled by a temperature sensor. Disadvantages of these systems include that the water in the pipe may freeze, and damage to the pipe or nozzle could result in extensive water damage.
  • Dry pipe - Dry pipe systems employ a reservoir to hold the water before deployment, leaving the pipes empty. When a temperature sensor detects a fire, water will be released to fill the pipes. This type of system is best for cold climates where freezing temperatures are an issue.
  • Preaction - Preaction systems operate similarly to dry pipe systems but add an extra step. When empty, the pipes are filled with pressurized air. If pressure is lost, water will fill the pipes, but not be dispersed. There is a thermal-fusible link on the nozzle that must first melt away before the water can be released. The advantage of this system is it gives people more time to react to false alarms and small fires. It is much more effective to put out a small fire with a hand-held extinguisher than a full spray system.
  • Deluge - Deluge systems have their sprinkler heads turned all the way open so that greater amounts of water can be released at once. These types of systems are not usually used in data centers because of this. 

Tuesday, October 22, 2013

Perimeter Security, Part II

Locks

Locks can be used to secure access points throughout the location. Padlocks may used on the outer gate, mechanical locks on the building doors, and keypads on interior doors. These various types of locks provide different levels of security and have different features. It's important to understand that locks aren't truly a deterring factor in security, however. Many attackers see locks as a puzzle and a challenge; not a reason to give up.

Mechanical locks

There are two main types of mechanical locks: warded lock, and tumbler lock. The warded lock is a basic padlock. Inside of a warded lock, there is a spring-loaded bolt with a notch cut into it. The key fits into this notch and slides the bolt from the locked to the unlocked position. Additionally, there are wards, or metal projections, that the key is cut to fit around, as illustrated. Warded locks are the cheapest kind of lock because of their lack of sophistication and are also the easiest to pick.

Tumbler locks have more pieces and parts and can prove a more secure option. Within a tumbler lock, there are multiple metal pieces that have to be raised to a certain height before the bolt can be turned. The key for the lock will have the correct sequence of notches cut into it to allow it to raise each tumbler to the appropriate height. There are two common types of tumbler locks: pin tumbler and wafer tumbler. Pin tumbler locks (pictured left) use spring loaded pins inside of the lock. Pin tumbler locks are the most commonly used tumbler lock. Wafer tumbler locks are the small, round locks you usually find on file cabinets. They use a flat disk instead of a pin and are not as secure.
Combination locks require a combination to be entered which aligns internal wheels before being unlocked. These are the locks that you likely used in high school.

Programmable locks

Programmable locks, or cipher locks, are keyless locks that use a number pad to control access. The lock requires a specific combination to be entered and may incorporate other security devices such as a biometric scan or key card. Programmable locks cost more to install, but give the ability to change the code, lock out certain sequence patterns, and have codes for emergency situations such as if a person were under duress. In this situation, entering the emergency code will open the door while also triggering a remote alarm. Other features of programmable locks are:
  • Door delay - If a door is held open for a given time, an alarm will trigger to alert personnel of suspicious activity
  • Key override - A specific combination can be programmed for use in emergency situations to override normal procedures or for supervisory overrides
  • Master keying - Enables supervisory personnel to change access codes and other features of the cipher lock
  • Hostage alarm - If an individual is under duress and/or held hostage, a combination he enters can communicate this situation to the guard station and/or police station

Perimeter Security, Part I

The first line of defense for any organization is it's perimeter control. As mentioned before, physical security should be applied in a layered approach. If a criminal is able to circumvent outer controls such as fences and locks, there must be more controls inside to delay the attacker until a response can be made.

Fences

Fences can serve as an effective outer physical barrier. They are likely to only delay the most determined attackers, but they give a strong psychological impression that a company is serious about security. When installing fencing, many companies choose to also place shrubs or bushes in front to improve aesthetics. Vegetation can greatly improve the look of the fence, but also may damage the fence over time, so proper maintenance is key.

When choosing a fence there are multiple factors to consider. Height, gauge, and mesh size are very important qualities of fencing. Fences in the three to four foot height range will stop only the most casual attackers as these can be easily jumped. Six to seven foot fences are considered too high to easily climb, and eight foot or higher fences are used when you're really serious about security. Often with these higher fences, barbed or razor wire will be strung along the top to really convince people that trying to climb it would be a bad idea.

The gauge of the fence refers to the thickness of the wire that makes up the body. The higher the gauge number, the thinner the wire. Below is a table summarizing the most common sizes:
  • 11 gauge = 0.0907-inch diameter
  • 9 gauge = 0.1144-inch diameter
  • 6 gauge = 0.162-inch diameter
The mesh size of the fence refers to how much distance is between the wires. A smaller mesh size makes it more difficult to climb or cut. Common mesh sizes are 2 inches, 1 inch, and 3/8 inch.

One last consideration when installing fences is that the posts and wire frame must be installed deep enough into the ground to prevent anyone from trying to dig underneath it.

Saturday, October 19, 2013

Crime Prevention Through Environmental Design

Crime Prevention Through Environmental Design (CPTED) emphasizes the philosophy that crime can be prevented or deterred through strategic design which influences human behavior. The ideas of CPTED were first developed in the 1960's and continue to play an important part in structure design to this day. CPTED is used when developing office buildings, neighborhoods, campuses, towns, and cities. It addresses landscaping, entrances, lighting, paths, and traffic circulation patterns. The core idea of CPTED is that human behavior can be influenced by the design of an environment and used to reduce crime.

Natural Access Control, Surveillance, and Territorial Reinforcement

Natural access control is the guidance of people entering and leaving an area by using elements such as paths, lighting, and even landscaping. For instance, cars can be prevented from encroaching on a pedestrian area through the use of bollards. These bollards can also emit light which illuminate the path for pedestrians and help to usher them to or from an entrance. Additional items like hedges may help to restrict people from leaving the intended path.

Natural access control can also be used to deter the misuse of non-normal entrances. A building may have a side door that is used for special circumstances, such as emergencies. This door could be a prime target for criminals because it may be away from normal traffic flow. To combat this with CPTED, the organization could consider placing a bench within visibility of the door which would encourage people to sit and gather, thus deterring any illegal acts. Clear lines of sight are used frequently in CPTED to dissuade criminal activity and create natural surveillance. Because of an absence of hiding places, criminals are less likely to target the area.

Organizations will also frequently try to create clear areas of ownership. CPTED teaches that if legitimate users have a sense of ownership about their area, they will be more likely to defend it if necessary. Users will also be more aware and skeptical of suspicious activity. The goal is to make any would-be criminals feel uncomfortable and as if they may be monitored at any point. Territorial reinforcement can be achieved through the use of fences, natural boundaries through landscape, paths for walkers, or areas to play. All of these things give a sense of ownership to the space.

Target Hardening

I will mention briefly that CPTED is distinct from target hardening. Target hardening includes activities such as installing locks, security systems, and cameras. These efforts may also deter crime, but do so through different measures. Target hardening often restricts the use of an area through physical and artificial barriers, whereas CPTED emphasizes opening up areas to encourage public use.

Monday, October 14, 2013

Physical security

We're now moving on from security architecture and design and into the next domain - physical security. Physical security is made up of the people, processes, procedures, technology, and equipment used to protect the resources of a company. In a good physical security program, these components are employed through a layered defense model, that is, an attacker must navigate through a series of defenses in order to gain access to an asset. This concept will be discussed in greater detail in future posts.

Physical security deals with a different set of threats than information or computer security. These threats can be grouped into these broad categories:

  • Natural environmental threats: Floods, earthquakes, storms and tornadoes, fires, extreme temperature conditions, etc
  • Supply system threats: Power distribution outages, communications interruptions, and interruption of other resources such as water, gas, air, filtration, and so on
  • Manmade threats: Unauthorized access (both internal and external), explosions, damage by disgruntled employees, employee errors and accidents, vandalism, fraud, theft, and others
  • Politically motivated threats: Strikes, riots, civil disobedience, terrorist attacks, bombings, and so forth
Additionally, another unique aspect of physical security is the concern of life safety. Unlike in information or computer security, threats to physical security can be potentially deadly. Necessarily so, life safety becomes the primary concern whenever developing a physical security program.

Planning a physical security program

Planning a physical security program shares many of the same steps and considerations as planning other security programs. Management must decide what level of risk is acceptable for various assets so that it can determine the appropriate level of security to apply. A grocery store will not require the same level of physical security as a data center. To decide what level of security is appropriate, a risk analysis is performed which identifies threats and measures their potential business impact if exploited. It is important to additionally consider and legal or regulatory obligations that a company must meet in this step.

Once a team has been formed and a risk analysis has been performed, a physical security program can be developed that fits the organization's needs. Specifics as to what technologies, procedures, or equipment can be implemented will be discussed in the future, but the general goals of the security program are as follows:
  • Crime and disruption prevention through deterrence: Fences, security guards, warning signs, and so forth
  • Reduction of damage through the use of delaying mechanisms: Layers of defenses that slow down the adversary, such as locks, security personnel, and barriers
  • Crime or disruption detection: Smoke detectors, motion detectors, CCTV, and so forth
  • Incident assessment: Response of security guards to detected incidents and determination of damage level
  • Response procedures: Fire suppression mechanisms, emergency response processes, law enforcement notification, and consultation with outside security professionals
As you can see, a physical security program must address both preventing and responding to incidents.

Finally, after a physical security program has been developed and implemented, it must be monitored and evaluated. It is possible to measure and determine the effectiveness of the program through a performance based approach. Under this approach, metrics must be developed to measure how well the program is working. The goal is to increase the performance of the program and decrease the risk to the company in a cost-effective manner. Possible metrics include:
  • Number of successful crimes and disruptions
  • Number of unsuccessful crimes and disruptions
  • Time between detection, assessment, and recovery steps
  • Business impact of disruptions
  • Number of false-positive detection alerts
  • Time it took for a criminal to defeat a control
  • Time it took to restore the operational environment
  • Financial loss as a result of a crime or disruption
Tests such as fire drills or penetration tests can help to evaluate weaknesses in the security program and identify areas of improvement.

Saturday, October 12, 2013

Systems evaluation methods

Evaluating a system can be a very lengthy and tedious process. The goal of the evaluation is to determine how effectively a system enforces the security measures that the vendor claims it has. The result is a rating describing the assurance level of the system. This rating describes to what degree the system can be trusted to enforce it's security measures. This is valuable for when someone is looking to purchase a new system and needs to know how reliable the system's security is.

When a system is submitted for evaluation against one of the methods that will be described soon, a lengthy process begins which includes tons of paperwork and a full analysis of the system. The examination includes dissecting, at a very fine level, how various components of the system work independently and together. Areas examined include the trusted computing base, access control mechanisms, kernel, reference monitoring, and protection mechanisms.

There are three evaluation methods that will be discussed. These are The Orange Book, the Information Technology Security Evaluation Criteria (ITSEC), and the Common Criteria methods. Of these three, the Common Criteria is becoming the industry standard, and was, in fact, developed to be so.

The Orange Book

The Orange Book, more formally known as the Trusted Computer System Evaluation Criteria, was developed by the U.S. Department of Defense to evaluate operating systems, applications, and different products. It is known as the Orange Book due to the orange cover that it sported. The Orange book breaks it's assurance rating into four division, A - B - C - D, with some of the divisions having more than one class in it. Classes with a higher number represent a higher assurance rating. So C2 is greater than C1, and B1 is greater than C2. Criteria on which systems are evaluated breaks down into seven areas outlined as follows:
  • Security policy - The policy must be explicit and well defined and enforced by the mechanisms within the system.
  • Identification - Individual subjects must be uniquely identified.
  • Labels - Access control labels must be associated properly with objects.
  • Documentation - Documentation must be provided, including test, design, and specification documents, user guides, and manuals.
  • Accountability - Audit data must be captured and protected to enforce accountability.
  • Life-cycle assurance - Software, hardware, and firmware must be able to be tested individually to ensure that each enforces the security policy in an effective manner throughout their lifetimes.
  • Continuous protection - the security mechanisms and the system as a whole must perform predictably in different situations continuously.
Each division and class is cumulative, meaning to meet a higher rating, a system must also meet all requirements for lower divisions and classes. The criteria remains the same, all that changes is how closely components are examined and how well they are designed and enforced.

TCSEC was first introduced in 1985, and was the first methodical set of standards developed for evaluating computer systems. It was retired in December 2000.

Information Technology Security Evaluation Criteria

The Information Technology Security Evaluation Criteria (ITSEC) was the first attempt my many European countries to develop a standard for evaluating computer systems. With the ITSEC, a different approach was taken to separate the ratings of functionality and assurance. Each is given an individual rating on separate scales.

When functionality is examined, a system is tested to see how well it delivers the promises it's vendors make. If a vendor claims a firewall will effectively manage state, it should be shown that it does in fact do this. The design of functions can vary widely from product to product so while two systems may both provide the same functionality, they may do so in very different manners. This raises the need for the second rating of assurance. Assurance is examined to determine how trustworthy the process is that delivers this functionality. Assurance is a degree of confidence in the system to perform it's function.

When a system is rated it is given a grade that reflects it's functionality and a separate grade for it's assurance. The table below shows a mapping of these ratings to their functional equivalent on the Orange Book scale. As you can see, there is an additional set of ratings in the ITSEC that aims to address consumer needs not addressed by the Orange Book.

ITSEC TCSEC
E0 = D
F1 + E1 = C1
F2 + E2 = C2
F3 + E3 = B1
F4 + E4 = B2
F5 + E5 = B3
F5 + E6 = A1
F6 = Systems that provide high integrity
F7 = Systems that provide high availability
F8 = Systems that provide high data integrity during communication
F9 = Systems that provide high confidentiality (like cryptographic devices)
F10 = Networks with high demands on confidentiality and integrity

Common Criteria

The goal of the Common Criteria was to address the flaws of both the Orange Book, and the ITSEC. The Orange Book's fatal flaw was a narrow scope that concerned itself with only the confidentiality of a system. The ITSEC made progress on this, but used a confusing, complex rating system that allowed vendors to mix and match ratings.

To address this, the Common Criteria developed a straight forward scale that addressed both confidentiality and assurance. Under Common Criteria, products are given an Evaluated Assurance Level (EAL). The lowest EAL rating is EAL1 and the highest is EAL7. The lower levels of the EAL scale examine functionality; does the product deliver on it's promises? The higher levels involve more methodical testing that examines the assurance level of the product's functionality.

Where Common Criteria really sets itself apart though, is in it's protection profiles. These profiles outline the need for a product and the likely threats it will face. It takes into account any assumptions made and what type of environment the product will function in. These profiles allow for more targeted testing, and provides greater feedback to customers who want to know if a product is right for them and their network.

Common Criteria is the current globally recognized standard.

Tuesday, October 8, 2013

State machine models

A computer's state can be described as a snapshot of the system at any point in time. All of the current instances of subjects and objects, and how they are interacting, are a part of the state. When developers are building an operating system they may wish to implement a state machine model. To do this, the developers will examine all of the ways that subjects can interact with objects and how the state of the system may change as inputs are accepted by objects. Every time an object accepts an input, a state transition occurs. If, after examining every possible association and interaction, it is decided that every state transition is concurrent with the security policy of the operating system, then the system is secure and effectively enforces a state machine model. Note that for the purposes of this post, models will be discussed in an abstract manner, while in reality there is a large amount of mathematics involved during development to prove the effectiveness of the model.

A system that successfully implements a state machine model will, by definition, always be in a secure state. The system will boot into a secure state, execute transactions and commands securely, and will even fail in a secure state. It is critical that the system be able to fail in a safe way so that if an error or illegal operation occurs it is able to save itself without leaving itself vulnerable.

Two very well known state machine models are the Bell-LaPadula Model, and the Biba Model.

Bell-LaPadula Model

The Bell-LaPadula model is a state machine model that focuses on maintaining confidentiality. It often serves as the basis for mandatory access control (MAC) operating systems as are used by the government. Because its primary focus is confidentiality, the Bell-LaPadula model uses security labels along with an access matrix to enforce security. It is a multilevel security system because users with different levels of access use the system. There are three rules that are core to the framework of the model:
  1. Simple security rule - A subject cannot read data within an object that resides at a higher security level ( the "no read up" rule).
  2. * - property rule - A subject cannot write to an object at a lower security level (the "no write down" rule).
  3. Strong star property rule - For a subject to be able to read and write to an object, the subject's clearance and the object's classification must be equal.
The first rule is easy enough to understand. If you are give the classification of "secret", and a file is labeled "top secret", you do not have the proper clearance to read it. The purposes of the second rule are to prevent a person from writing highly classified information to a lower level, thus damaging the confidentiality. The final rule ensures that a subject has both the proper clearance and the need to know to access an object. While I may be given "top secret" clearance, I may not have a need to know about a missile program and therefore should not be able to access files associated with it.

Biba Model

The Biba model is similar to the Bell-LaPadula model in that it also has three rules which enforce what states the system may enter. Where the models differ, however, is their focus. While Bell-LaPadula is concerned with maintaining confidentiality, Biba is focused on maintaining integrity. The goal of the Biba model is to ensure that data of high integrity is not corrupted by data of low integrity. This would be useful in systems such that handle financial data, or healthcare information. The three rules for Biba are as follows:
  1. * - integrity axiom - A subject cannot write data to an object at a higher integrity level (referred to as "no write up").
  2. Simple integrity axiom - A subject cannot read data from a lower integrity level (referred to as "no read down").
  3. Invocation property - A subject cannot request service (invoke) of higher integrity.
The first two rules control how data may flow between different integrity levels.  You would not want your high integrity data, or "clean" data, to be mixed with lower integrity "dirty" data. These not only prevent users from traversing integrity boundaries, but processes as well. A process at a lower level should not be able to write data to a higher level. The invocation property also states that a lower level process may not invoke a process higher than it. This means that processes cannot make use of any tools or services that have a higher integrity ranking, they may only use what is below them.

Monday, October 7, 2013

Operating System Architecture

There are three broad designs for operating systems that I'm going to talk about. These are monolithic architecture, microkernel, and hybrid microkernel architecture. The key differences among these is how the operating system handles separating which processes run in user mode and which run in privileged, kernel mode. As will be shown, the decision has a strong impact on security and performance.

Monolithic architecture

In a monolithic architecture, the kernel is made up of all the operating system processes. This means that any service provided by the operating system (file management, interprocess communication, I/O management, etc) is run in a privileged state. Essentially, the operating system behaves as a software layer between the user applications and the hardware. This is efficient for the processor as it requires very few mode transitions to be made. A mode transition must be executed anytime a process with a different PWS (privilege word setting) is executed. It takes time to make this transition, so avoiding them is generally good for performance.

There are, however, several problems with this design as well. Processes within a monolithic architecture often communicate on an ad hoc basis which provides little for access control. It also results in very complex code which can make debugging or updating very difficult. And because the operating system works directly with the hardware, it can be very difficult to port the operating system to other systems.

There is one monolithic architecture model that helps to tackle some of these problems. That is the layered operating system model. In a layered operating system model, all of the operating system's processes are still part of the kernel, but they have been compartmentalized and have structured ways of interacting.

The image to the left shows the general structure of a layered operating model. Each layer has the ability to communicate with the layer directly above and below it. This provides a more structured way of communicating, and provides data hiding which means instructions and data at various levels do not have access to the instructions and data at other levels. And since the code is now more modular, it is much easier to upgrade or perform maintenance. There are still security concerns with this model, however, because so much code is given kernel privileges.

Microkernel and Hybrid Microkernel Architecture

Under the microkernel model, much of the code was stripped from the kernel and placed within the user space. This increased security because it meant that less code would be able to run in privileged mode. All that was left in the kernel space was key operating procedures such as memory management and interprocess communication. The overall goal of the microkernel model was to limit the processes that run in kernel mode to improve security, reduce complexity, and increase portability.

Engineers found that the microkernel suffered a major setback in performance, however. Because so many of the processes were now in user space, the CPU would constantly have to perform mode transitions. In response, the hybrid microkernel architecture was created.

In a hybrid model, the microkernel still exists. And as before, it is responsible for carrying out interprocess communication and memory management. The other operating system processes that had previously been relegated to user space were moved to an area contained within the kernel known as executive services. These services, such as file management, I/O management, power management, and so on, now operate on a client/server model. This means that whenever a user application wants to make use of one of these services, they must request it using the service API. The service will then carry out the request and return the result when finished. A sample hybrid microkernel model is below. This picture illustrates the architecture of the Windows NT operating system.

Virtual machines

For this post I wanted to try something a little different and get away from the purely text / diagram driven content. I decided to make a video using Screenr (www.screenr.com) and show off some virtual machines. If I had more time I could have probably done something more interesting with the machines, but it's still nice to have that visual aspect. Rich data is fun! So here is a link to the video I ended up creating. Below it, I'm going to highlight a couple of key security considerations about virtual machines. Enjoy!



Key takeaways

I briefly touched on some of these in the video, but it's worth writing out as well.
  • Virtual machines can be used to consolidate work from several underutilized machines to one machine.
  • Virtual machines can allow a company to upgrade it's systems, but still run legacy applications.
  • Virtual machines can provide secure, sandbox environments for testing and debugging.
  • Virtual machines can provide the illusion of hardware, or hardware configuration that you do not have.
  • Virtual machines can allow you to run multiple operating systems at once.
  • Virtual machines can isolate what they run, preventing damage to the host system or other environments.

Saturday, October 5, 2013

Buffer overflows

Buffer overflow is one of the more well known attacks, especially among the tech crowd. It is an attack that targets the memory stack of an application with the purpose of either running it's own source code or altering the way a program runs. Because the target of this attack is the memory of a system, I'll begin by giving a brief introduction to memory management.

Memory management

A computer's memory is made up of several different types of memory that are used for various purposes. I won't go into heavy detail here, but these different types include cache, random access memory (RAM), and read only memory (ROM). Cache memory is a high speed read/write memory used to store values for a temporary amount of time, often between operations performed by the processor. Most often, if a value is going to be needed several times during a process it will be stored in cache memory. RAM is another type of memory used for temporary storage. RAM is significantly larger than cache and is used for read/write activities by the operating system and applications. Both RAM and cache are volatile memory, meaning that when they lose their power they lose any data they were storing. ROM is a non-volatile type of memory used for permanent storage of data (until you want to erase or overwrite it) which takes significantly longer to read and write to.

When a program or the operating system wants to access memory, an address has to be loaded into the processor. Memory addresses, as used by the operating system, are completely sequential. This works well for the operating system because it can easily say, "oh, you want to run notepad.exe? That program is stored in memory location 0x84B2." The difficulty arises when applications want to access memory. A developer cannot know where their program will be stored in memory, or what memory addresses will be available. To solve this problem, applications use what's called virtual memory. Virtual memory allows an application to say, "store this value at space 0", which in reality is memory address 0x2A91. A memory management program is employed to map the logical addresses (the address an application uses) to the absolute addresses (the address the operating system uses).

Buffer overflows

A buffer is an allocated segment of memory. When an application is performing a process that accepts user input, it will set up a buffer to store the value of that input. If the application fails to check the input, a value that is too large for the buffer may be passed, causing the application to overwrite memory outside of the buffer which previously held program instructions or data. This may be done for the purpose of causing havoc or attempting to run another program of the attacker's choosing.

So how exactly can overwriting some memory segments lead to an attacker being able to run a program? To understand this, we need to look at how buffers are set up. When an application sets up a buffer, it creates what's called a stack. The first thing the application places on the stack is a pointer to it's address in memory so that when the process is finished it can return control to the application. On top of the stack pointer the application writes the data passed as variables. The process that the stack is passed to then works from the top, taking the data off as it goes, until it reaches the stack pointer at the bottom which tells it where to return control.

The danger comes when values passed as inputs aren't checked to ensure they fit within the buffer. If a value that is too large is passed, it can overwrite the stack pointer. At this point, if the attack has been crafted correctly, a new stack pointer can be placed at the bottom which sends control to the attackers program that is loaded in the stack. To successfully create a buffer overflow, the attacker has to be able to view how big a stack is and where in memory it resides. If an attacker can figure this out, they can write an exploit for the application.

If developers want to prevent buffer overflows, the simplest protection is secure coding practices. Inputs given by users or other applications should always be checked to ensure they fit within the buffer. Additionally, safe versions of functions such as strcpy (which does not validate input) should always be used.