top - download
⟦a9a8c4a21⟧ Wang Wps File
Length: 9268 (0x2434)
Types: Wang Wps File
Notes: Security Analysis Outline
Names: »0227A «
Derivation
└─⟦83a4a04d1⟧ Bits:30005815 8" Wang WCS floppy, CR 0002A
└─ ⟦this⟧ »0227A «
WangText
…02…CPS/TCN/014
OKH/801003 #
SECURITY ANALYSIS OUTLINE
CAMPS
T̲A̲B̲L̲E̲ ̲O̲F̲ ̲C̲O̲N̲T̲E̲N̲T̲S̲
1. SCOPE....................................
2. PURPOSE..................................
3. INTRODUCTION.............................
4. CLASSIFICATION OF SECURITY THREATS.......
4.1 NORMAL OPERATION.......................
4.2 RECOVERY...............................
4.3 OFFLINE OPERATION......................
1̲ ̲S̲C̲O̲P̲E̲
The scope of this paper is all security related subsystems
of CAMPS.
2̲ ̲P̲U̲R̲P̲O̲S̲E̲
The purpose is to present an outline for the security
analysis which must be performed on all levels of CAMPS
systems design. It makes an attempt to classify the
various security threats and to indicate for each class
the most characteristic types of safeguards which may
be considered. It is only a first attempt aimed at
directing the attention to the diversity of security
threats.
3̲ ̲I̲N̲T̲R̲O̲D̲U̲C̲T̲I̲O̲N̲
a) The purpose of a security analysis is roughly to
make up a list of identified security threats together
with possible safeguards against them. In short
one wishes to answer the following questions:
1) What might happen to the system?
2) What would be the consequences concerning security?
3) How often will it happen?
4) Which are the possible safeguards, that is,
how can the consequences be prevented.
5) Are the safeguards feasible considering the
frequency of occurrence for the threat in question
and the system resources and manpower required
to implement them.
4̲ ̲C̲L̲A̲S̲S̲I̲F̲I̲C̲A̲T̲I̲O̲N̲ ̲O̲F̲ ̲S̲E̲C̲U̲R̲I̲T̲Y̲ ̲T̲H̲R̲E̲A̲T̲S̲
a) Security threats may be classified according to
a number of different criteria some of which may
be more useful than others.
b) In this paper the first level of classification
is according to operational mode of the system,
as the types of security threat seem to differ
widely between those modes. The second level classifies
roughly into a number of "types within an operational
mode.
FIGURE
c) The rest of this section explains in more detail
the classifications headings of the figure, together
with examples of security threats and possible
safeguards within each category. They are meant
as illustrations and have not been evaluated with
respect to feasibility and appropriateness.
4.1 N̲O̲R̲M̲A̲L̲ ̲O̲P̲E̲R̲A̲T̲I̲O̲N̲
By normal operation is meant the situation where the
on-line PU performs the CAMPS functions and no errors
have been d̲e̲t̲e̲c̲t̲e̲d̲.
4.1.1 D̲e̲s̲i̲g̲n̲ ̲F̲l̲a̲w̲s̲ ̲i̲n̲ ̲S̲e̲c̲u̲r̲i̲t̲y̲ ̲C̲o̲n̲t̲r̲o̲l̲
a) Such flaws may either not have been considered
in the SRS or subsequent design - and development
phases do not adequately implement the requirements
of SRS.
b) Examples:
1) Message Merge is allowed to down classify an
existing message text without notification
to anybody.
2) The current TDX driver accepts absolute device
- and subdevice addresses from user programs.
So an application program may by mistake open
to the wrong printer and print sensitive information
c) Safeguards:
List the flaws
Decide for each item, possibly in cooperation
with the customer, if it is a feature that
is part of the operational specification, or
the system should be enhanced with measures
against this type of violation.
4.1.2 F̲a̲u̲l̲t̲s̲ ̲i̲n̲ ̲C̲o̲n̲t̲r̲o̲l̲l̲i̲n̲g̲ ̲M̲o̲d̲u̲l̲e̲s̲
a) These are the cases where a module, which is directly
participating in the security control functions,
contains a fault
b) Examples:
1) An editing procedure upclassifies a message
but forgets to move the message to a message
file with the new classification.
2) Some module forget under certain circumstances
to delete COSMIC TOP SECRET information from
a buffer.
3) A terminal handling system does not detect
that a terminal goes off-line, and a new user
comes when the terminal has come on-line again.
Without signing-in, he can work with the privileges
of the previous user.
c) Safeguards:
1) Centralize the most important control procedures
and do not intermix their control data structures
with control structures meant for other purposes
2) Structure security control in a way that facilitates
inspection and test of the code.
3) Include redundant controls for the most important
areas. As an example a terminal application
may check the security level of a message to
be printed, even if the file management system
has already performed this check.
4.1.3 F̲a̲u̲l̲t̲s̲ ̲i̲n̲ ̲S̲u̲p̲p̲o̲r̲t̲i̲n̲g̲ ̲M̲o̲d̲u̲l̲e̲s̲
a) These are the cases where a module not directly
involved in security control contains a fault.
The actual failures in this category will normally
violate not only security but system integrity
as well, because they result in corruption of data
in the system. The fault in this category are the
most difficult ones to deal with, as they may go
undetected for long periods, and their consequences
may be difficult to anticipate.
b) Examples:
1) Disk driver or disk hardware addressing error
causes a sector of a high classified message
to overwrite a sector of a lower classified
one.
2) TDX bus addressing error causes part of a message
to appear on the wrong terminal.
3) A page manager failure causes an FMS internal
buffer to be mapped in as a buffer in an user
process
c) Safeguards:
1) Internal integrity checks in supporting modules
or on-line diagnostics programs detect the
error before it has any consequences.
2) Using modules impose integrity checks of their
own in order to detect errors in supporting
modules. FMS may f.ex. incorporate security
classification into each sector in order to
detect sector addressing errors. Application
programs may f.ex. attach checkrun to data
in order to detect corruption of messages by
supporting modules.
4.1.4 O̲n̲-̲L̲i̲n̲e̲ ̲D̲i̲a̲g̲n̲o̲s̲t̲i̲c̲s̲
a) This label addresses the conflicting requirements
for on-line test programs. On one side they should
be able to test the system throughly thus having
access to all system resources. On the other hand
they should not be able to disclose or destroy
information by mistake.
b) Examples:
1) Diagnostics are attempted on an LTU channel
while the other channels of that LTU are in
operation. By mistake, the wrong channel is
activated.
2) A diagnostics program interferes with a device,
say a disc controller, in a way that causes
contents of two buffers to be switched.
c) Safeguards:
1) Diagnostic functions are built into device
drivers and handlers. The functions are activated
by on-line test programs subject to normal
access controls.
4.2 R̲E̲C̲O̲V̲E̲R̲Y̲
Recovery refers to the mode of operation where an error
has been detected and procedures have been initiated
to switch the whole system or parts of it to redundant
hardware or to perform other appropriate recovery actions.
4.2.1 S̲w̲i̲t̲c̲h̲o̲v̲e̲r̲ ̲M̲i̲s̲t̲a̲k̲e̲s̲
a) This type of failure may take place where manual
patch procedures are part of the recovery.
b) Examples:
- A terminal becomes connected to the wrong LTU
channel.
c) Safeguards:
- Answer back mechanism in VDU's and printers
allowing a check of the VDU and printer connections.
Exchange of XID on X.25 channels.
4.2.2 R̲e̲s̲i̲d̲u̲a̲l̲ ̲I̲n̲f̲o̲r̲m̲a̲t̲i̲o̲n̲
After a switch over or invocation of backup module,
information will be left in device buffers. Recovery
modules may attempt to read and save this information
for recovery or diagnostics purposes. This information
may however be highly classified so the saved information
should not be accessible to anybody.
4.3 O̲f̲f̲-̲l̲i̲n̲e̲ ̲O̲p̲e̲r̲a̲t̲i̲o̲n̲
By off-line operation is meant the operation of the
standby PU. It may have the whole CAMPS system loaded
and ready for operation. In addition to that some diagnostics
and repair activities may take place
b) Examples:
1) Memory dump or memory analysis programs may
disclose contents of buffers.
2) Diagnostics programs may read residual information
in LTU buffers, disk controller etc.
3) Diagnostics programs may by mistake issue a
"take over" command to an I/O crate device
which is in on-line operation, thereby disturbing
on-line operation and possibly reading classified
information.
c) Safeguards:
1) Erase memory and buffers by power down before
initiation of off-line diagnostics. This, however,
may make error detection more difficult.
2) The on-line configuration description could
be automatically transmitted to the standby
system and all diagnostics I/O could be checked
against that information.
3) Disconnect I/O bus from standby system, thereby
inhibiting off-line diagnonistics from accessing
I/O crate devices.
