OSWebSec: Criteria

From Soma-notes
Revision as of 15:54, 25 September 2012 by Afry (talk | contribs) (must be edited later)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Operating System and the web Thursday Sept 20, 2012

What did they want from the orange book?

They wanted:


Documentation for assurance – what are you assured of – what certain functions do – a contract saying what shall happen, and what should not happen. Its' about things falling apart, it's not about things going well. This is how much money you will lose.

For predictability – I want to ensure that I will know exactly what the computer will do, i want it to tell me exactly how it messed up and give me the error message. Where do software flaws fit in this picture?

If you want to assure predictabiltiy it seems software bugs are the first stage of where predictability goes out the window. Ensure predictability of software through testing. As a marketing person, i'm always concerned with over selling things. Predictability and testing. Fool the testers – make them believe that the system is predictable. Is testing ever about ensuring complete predictability. If I test on this specific scenario – I try to get good coverage of possible scenarios. In common scenarios it should be predictable. They are wanting assurance when a foreign government is trying to break into the system – they want to be alerted to the situation. If we sell a product that they will have high assurance, we are telling them – however we are telling them that it's going to behave – that's how it should behave.

They say all of the assurance predictability and they say testing – they lay out the criteria for how they are going to test. If they hold me to that. Stuck some undergrads for a couple of months, banged away and wrote down everything they found. Are we still liable? Even if we follow the process. Make some A1 systems – we couldn't sell them – the psychological acceptability wasn't so high. That was a big waste of money. Rather have that communication channel – we now have to assess risk. IPAD has no wireless capability. Connect it to a dock to pass information to it. President obama has an IPAD with all of the updates. Key lesson to realize customer psychology – just because they say they want something doesn't mean that they will buy it. The only test for what people want is what they buy. How are these systems supposed to be built? Checklist of access control – some parts they were very specific – other parts were more generalized. What did they trust more? Hardware – they want hardware to verify software running on the system.

ACM Turing award Lecture – Ken Thompson – on Trusting Trust. Talks about how- you want to build a backdoor into the system? Put it into the compiler – always inserts the backdoor. How do you find such a backdoor. You can make it such that the compiler inserts the backdoor into the compiler itself. The burden they are talking about, verifying things, can be arbitrarily high. Inserting who knows what into chips. Think about many transistors onto modern microchips. It's a backdoor – waiting for some sort of signal. A wireless circuit. Intel has this things – where they want all their chips wirelessly enabled. How do you know who it talks to? Faraday cage. The issue is not the network. Covert channels – connect to it's own wireless network.

List of mechanisms:

secure printers and secure terminals

windows – ctrl -alt-del – windows 8 gets rid of - *tablet – on traditional pcs – ctrl alt del creates it's own special interrupt – when you hit that the kernel is supposed to get that and is supposed to handle it. You are talking to an authorized part of the system. You are talking to the trusted code base. Which is the kernel – which is a part of the trusted code base.

When you talk about trusted part of the code base – it's the part that can completely screw you over. I'm going to have to trust it – trust it no matter what.

Want to know what they are trying to do, and how well they did it. Any paper should have some sort of evaluation. There might be holes in it – what do they think the research advances? What does this look like, how did they put it together. Perfectly happy to go through the details of how you do these things. Talk about those in detail about how they work. But you should be getting the frame. At least get the context.

Smashing the Stack for Fun and Profit – Aleph One – Phrack.

Proposals – You should be thinking about what kind of things you would like to do. Due October 18.

Areas:

Cloud Android Virtual Machine Security Software Updates

Security policy – access to the correct objects

Reference monitors – you need to have a reference monitor that enforces the security policy – Another name for what we've been talking about – reference monitor – this part of the system that you have trust in that is going to check / enforce particular policies. Make sure the references, are you allowed to follow that link. Is a mechanisms – is the key part of the code base – the part enforcing the policy.

Single vs. Multi level devices – this related to the MLS – military concept – You have different security compartments – where you don't want to just have them mix. You can have certain ways information can flow between compartments. Information within the non-classified area can go to the secret area. That's policy. You have compartments very carefully separated.