System Evaluation - Introduction to Information Security - Lecture Slides 09


Introduction to Information Security
Prof. Jingsha He, School of Software Engineering, Beijing University of Technology
November 25, 2008
Copyright © 2008 by Jingsha He

System Evaluation

Fact of the Lecture
Most breaches of security in organizations come from within the organizations. Therefore, when looking for the aliens, don't just point your telescope at the skies.

The Necessity
- Perfect security is almost unachievable
  – Complexity of systems
- Assurance: a measure of confidence that the system meets specific security requirements
  – Trust is very meaningful
- Assessment of the security of a system is a systematic, methodological process

System Evaluation
- A process in which the evidence for assuring security is gathered and analyzed against criteria for functionality and assurance
- A methodology to facilitate the development of trusted systems
- An evaluation consists of
  – A set of security functional requirements that define the security functionality for the system under evaluation
  – A set of assurance requirements (or required assurance evidence) that define the steps for establishing that the system under evaluation meets its security functional requirements
  – An evaluation process, a methodology that determines whether the system under evaluation meets the security functional requirements based on analysis of the assurance evidence
  – A set of assurance classes or levels, a measure of the evaluation result that indicates how trustworthy the system under evaluation is with respect to the security functional requirements

Major Methodologies/Standards
- TCSEC (1983-1999)
  – Trusted Computer System Evaluation Criteria
  – The Orange Book
  – A U.S. standard
- ITSEC (1991-2001)
  – Information Technology Security Evaluation Criteria
  – A European standard
- The Common Criteria (CC) (1998-present)
  – The most recent international effort to establish a global standard for the evaluation of security systems
  – A combination of all significant previous efforts, military and commercial

Evaluation Methodology
- A formal evaluation methodology is a technique that provides the measurement of trust based on specific security functional requirements and assurance evidence

TCSEC (1)
- Functional requirements
  – Identification and authentication (I&A)
  – Discretionary access control (DAC)
  – Mandatory access control (MAC)
    – Security label
  – Auditing
  – Other requirements
    – Object reuse
    – Trusted path
- Assurance requirements
  – Configuration management
  – Trusted distribution
  – System architecture
  – Design specification and verification
  – Testing
  – Product documentation

TCSEC (2)
- Evaluation process
  – Evaluation sponsored by the government
  – Phases
    – Application
    – Preliminary technical review (PTR)
    – Evaluation: design analysis, test analysis, final review
- Evaluation classes
  – Class D: failure to be certified at any other evaluation class
  – Class C: DAC
    – C1 – discretionary protection
    – C2 – controlled access protection
  – Class B: MAC
    – B1 – labeled security protection
    – B2 – structured protection
    – B3 – security domain
  – Class A1 – verified protection

TCSEC (3)
- Significance
  – First evaluation methodology
  – Precedent for future methodologies
    – Evaluation classes
    – Assurance requirements
- Limitations
  – Mostly for operating systems
    – Not well-suited for other types of products or systems
  – Developed mainly based on the needs of the U.S. government as well as the military
    – MAC not widely used in commercial systems
  – Only the secrecy requirements
    – No integrity and availability requirements
  – Complex evaluation process
    – Criteria creeping
    – Time-consuming

ITSEC (1)
- Functional requirements
  – Defined by the vendor of a security system or product in the form of a security target
  – Similar to TCSEC
  – Unique requirements
    – Suitability of requirements
    – Binding of requirements
- Assurance requirements
  – Additional requirements
    – Correspondence between successive levels of specification
    – Delivery and generation procedures
    – Secure start and operation including recovery
    – Vulnerability analysis

ITSEC (2)
- Evaluation process
  – Evaluation performed by certified, licensed organizations
  – First approval of the security target, then evaluation of the submitted product or system against the security target
- Evaluation levels
  – E0: failure to be certified at any other evaluation level
  – E1: informal description of the architecture
  – E2: informal description of the detailed design
  – E3: more stringent requirements on the detailed design, and correspondence between source code and security requirements
  – E4: formal model of the security policy, and design-level vulnerability analysis
  – E5: correspondence between detailed design and source code, and source-code-level vulnerability analysis
  – E6: extensive use of formal methods