
10 Dec 2013


SENG 5199-3

Data and Network
Security


Lecture 14

System Evaluation and
Assurance


Yongdae Kim

News Today


iPhone location tracking


Self-wiping HDD


Skype+Android



Drive-by-cache attack and Amnesty



Software update system and key
compromise


Web bugs and Tor


Cloud Police!




Assurance and Evaluation


Assurance: Whether the system will work



Evaluation: How do you convince other people
of this?



Assurance


Our estimate of the likelihood that a system will fail
in a particular way



Estimation is based on


System development process


Identity of development team


Particular technical assessment


Formal method, experiment with test cases, experience



Assurance traditionally focused on implementation


Given the agreed functionality and strength of mechanisms,
the product has been implemented correctly.


This is because most of the security failures are
implementation bugs

Project Assurance


White box security testing


Architectural flaw


Implementation flaws


Less common flaws such as crypto, RNG, …



Formal method

Penetration Testing


Evaluating the security of a computer
system or network by simulating an attack
from a malicious source


Black box testing: no prior knowledge of the
infrastructure to be tested


White box testing: complete knowledge of the
infrastructure to be tested, often including
network diagrams, source code, and IP
addressing information.


Grey box testing: something in between

Tools for Penetration Testing


Nmap: http://nmap.org


Used to discover hosts and services on a
computer network


Host Discovery, Port Scanning, Version Detection,
OS Detection, Firewall/IDS evasion, spoofing


Nessus:
http://www.tenable.com/products/nessus


Scanning for exploitable vulnerabilities


Nessus scans are based on an exhaustive list of
vulnerabilities for all computing platforms


Vulnerabilities, misconfiguration (e.g. open mail
relay, missing patches, etc.), weak passwords,
DoS


Tools for Penetration Testing


Metasploit:
http://www.metasploit.com


Configuring an exploit


Checking if the target is susceptible to the chosen exploit


Configuring a payload


Choosing the encoding technique for IPS/IDS evasion


Executing the exploit.


Web application Penetration Testing


Known vulnerabilities in COTS applications


Technical vulnerabilities: URL manipulation, SQL injection,
cross-site scripting, back-end authentication, password in
memory, session hijacking, buffer overflow, web server
configuration, credential management, clickjacking, etc.


Business logic errors: day-to-day threat analysis,
unauthorized logins, personal information modification,
pricelist modification, unauthorized funds transfer


Tools for Penetration Testing


OWASP, the Open Web Application Security
Project, is an open-source web application
security documentation project


OWASP Guide


OWASP Top 10 awareness document.



What are the limitations of security testing?

Evaluation


Process of assembling evidence that a
system meets, or fails to meet, a prescribed
assurance target


Rainbow Series


DoD Trusted Computer System Evaluation Criteria (Orange Book)


Audit in Trusted Systems (Tan Book)


Configuration Management in Trusted Systems (Amber Book)


Trusted Distribution in Trusted Systems (Dark Lavender Book)


Security Modeling in Trusted Systems (Aqua Book)


Formal Verification Systems (Purple Book)


Covert Channel Analysis of Trusted Systems (Light Pink Book)


… many more



http://www.radium.ncsc.mil/tpep/library/rainbow/index.html


Orange Book Criteria (TCSEC)


Level D


No security requirements



Level C: For environments with cooperating users


C1


protected mode OS, authenticated login, DAC, security
testing and documentation



(Unix)


C2


DAC to level of individual user, object initialization,
auditing



(Windows NT 4.0)



Level B, A


All users and objects must be assigned a security label
(classified, unclassified, etc.)


System must enforce Bell-LaPadula model
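The two Bell-LaPadula rules the B-level criteria require (no read up, no write down) as a small reference-monitor check; this is an added example, not code from the lecture, and the classification names, compartment sets and access modes are assumed for illustration.

```python
"""Bell-LaPadula access check over labels of (level, compartments)."""
from dataclasses import dataclass
from typing import FrozenSet

# Assumed total order of classification levels (not from the slides).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a classification level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if self is at least as high as other in the label lattice."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): subject dominates object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): object dominates subject."""
    return obj.dominates(subject)


def check_access(subject: Label, obj: Label, mode: str) -> bool:
    """Mediate one request; every access must pass through this function."""
    if mode == "read":
        return can_read(subject, obj)
    if mode == "write":
        return can_write(subject, obj)
    if mode == "readwrite":
        # Both properties must hold, so the two labels have to be equal.
        return can_read(subject, obj) and can_write(subject, obj)
    raise ValueError(f"unknown access mode: {mode}")


if __name__ == "__main__":
    # Constructed sample labels for a walk-through.
    analyst = Label("secret", frozenset({"crypto"}))
    report = Label("confidential")
    plans = Label("top_secret", frozenset({"crypto"}))
    print(check_access(analyst, report, "read"))   # read down is allowed
    print(check_access(analyst, report, "write"))  # write down is refused
    print(check_access(analyst, plans, "write"))   # write up is allowed
    print(check_access(analyst, plans, "read"))    # read up is refused
```

Compartments are checked as a set containment, so a subject at an equal level still cannot read an object carrying a compartment it does not hold.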

Orange Book Criteria (TCSEC)


Level B


B1


classification and Bell-LaPadula


B2


system designed in a top-down modular way, must be
possible to verify, covert channels must be analyzed


B3


ACLs with users and groups, formal TCB must be
presented, adequate security auditing, secure crash
recovery



Level A1


Formal proof of protection system, formal proof that model
is correct, demonstration that implementation conforms to model,
formal covert channel analysis


Common Criteria


Common Criteria for Information Technology
Security Evaluation


an international standard (ISO/IEC 15408) for
computer security certification


Key Concepts


Target Of Evaluation (TOE) - the product or system


Protection Profile (PP) - a document which identifies security
requirements for a class of security devices


Security Target (ST) - the document that identifies the
security properties of the target of evaluation. It may refer
to one or more PPs.


Security Functional Requirements (SFRs) - specify individual
security functions which may be provided by a product. CC
presents a standard catalogue of such functions.

Common Criteria


Quality Assurance Processes


Security Assurance Requirements (SARs) - descriptions of the
measures taken during development and evaluation of the
product to assure compliance with the claimed security
functionality


Evaluation Assurance Level (EAL) - the numerical
rating describing the depth and rigor of an
evaluation.

Common Criteria


Evaluation Assurance Level


EAL1: Functionally Tested


Review of functional and interface specifications


Some independent testing



EAL2: Structurally Tested


Analysis of security functions, incl. high-level design


Independent testing, review of developer testing



EAL3: Methodically Tested and Checked


Development environment controls; config mgmt



EAL4: Methodically Designed, Tested, Reviewed


Informal spec of security policy, Independent testing


Windows 2000, XP, Solaris, Linux, …




Common Criteria


Evaluation Assurance Level


EAL 5: Semiformally Designed and Tested


Formal model, modular design


Vulnerability search, covert channel analysis


Multi-level security devices


EAL 6: Semiformally Verified Design and Tested


Structured development process


EAL 7: Formally Verified Design and Tested


Formal presentation of functional specification


Product or system design must be simple


Independent confirmation of developer tests


The Tenix Interactive Link Data Diode Device and the
Fox Data Diode