© Crown Copyright (2000) Module 2.6 Vulnerability Analysis.
“You Are Here”
MODULE 2 - ASSURANCE
M2.1 Security Requirements
M2.2 Development Representations
M2.3 Functional Testing
M2.4 Development Environment
M2.5 Operational Environment
M2.6 Vulnerability Analysis
M2.7 Penetration Testing
M2.8 Assurance Maintenance/Composition
What is Vulnerability Analysis?
• A search for vulnerabilities in the TOE or its intended operation
• Analysis of their impact
• Input to penetration testing
• Involves
  – assessment of developer’s analysis
  – evaluator analysis based on previous results
Vulnerabilities - A Few Terms
• potential vulnerability – suspected, not proven
• known vulnerability – demonstrated by developer or evaluator
• exploitable vulnerability – leading to compromise of assets
• non-exploitable vulnerability – assets will not be compromised in practice
Sources of Vulnerability
The security functions could be
• inadequate to counter the threats
• incorrectly implemented
• bypassed
• tampered with
• directly attacked
• misused
Bypassing Attacks
• Avoid monitored interface
• Inherit privilege to bypass
• Access unprotected area
[Diagram: Attacker, Security Function and Asset (bypassing attack)]
Covert Channels
[Diagram: Subject ‘A’ (Secret) modifies a shared Resource that Subject ‘B’ (Unclassified) reads; direct access between the two levels is marked Access Denied]
Tampering Attacks
• Modify/spoof/read critical data
• Undermine assumptions/dependencies
• De-activate, disable or delay enforcement
[Diagram: Attacker, Security Function and Asset (tampering attack)]
Direct Attacks
• Security function behaves as specified
• Attacker manipulates input/outputs
[Diagram: Attacker, Security Function and Asset (direct attack)]
Misuse
• Consider all modes of operation
• Examine potential for insecure states:
  – mis-configuration of security functions
  – insecure use of TOE
• Can insecure states be detected or prevented?
• Repeat/witness TOE installation procedures
Exploitability
• Are known vulnerabilities exploitable?
• Suitable countermeasures
  – procedural
  – technical
• Relevance to Security Target?
• Within attacker capabilities?
Strength Determination - 1
• Confirm minimum strength met
Level    Resistant to
Basic    Casual unsophisticated attacks
Medium   Knowledgeable attackers with limited opportunities or resources
High     Beyond normal practicality to defeat
Strength Determination - 2
[Diagram: STRENGTH RATING, with contributing factors Time, Expertise, Equipment, Collusion, Chance and Detection]
ITSEC Requirements - 1
Effectiveness Analysis
• Developer Analysis
  – Binding
  – Strength of Mechanisms
  – Ease of Use
  – Construction & Operational Vulnerability Assessment
• Independent Vulnerability Analysis
ITSEC Requirements - 2
Binding Analysis
• Analysis of mechanism interactions
  – permissible
  – mandatory
  – forbidden
• Protection against indirect attack
• Absence of conflict
ITSEC Requirements - 3
• ITSEC Figure 4
[Table: aspects analysed against evaluation levels E1 to E6; cell entries not reproduced]
Aspect                     E1 E2 E3 E4 E5 E6
Security Target
Formal SPM
Architectural Design
Detailed Design
Code/hardware drawings
Operational documentation
Common Criteria Requirements
[Table: vulnerability assessment aspects against EAL1 to EAL7; cell entries not reproduced]
Aspect                             EAL1 EAL2 EAL3 EAL4 EAL5 EAL6 EAL7
Misuse - Developer
Misuse - Evaluator
SOF
Covert Channels
Developer Vulnerability Analysis
Independent Vulnerability Analysis
Evaluation Reporting
• Examination of documentation
  – show how & where requirements satisfied
• Analysis
  – demonstrate completeness with respect to vulnerabilities considered
  – justify non-exploitability
Summary
• Methodical search for vulnerabilities
  – checklist approach
• Validation of developer analysis
  – confirm absence of exploitable vulnerabilities
• Independent analysis by evaluators
• Input to penetration testing
Further Reading - 1
ITSEC Evaluation
• UKSP 05 Part III, Chapter 3
• UKSP 05 Part V
• UKSP 04 Part III, Chapter 4
• ITSEM, Annex 6.C
Further Reading - 2
CC Evaluation
• CC Part 3, Sections 2.6.7 and 14
• CEM Part 2, Chapters 6-8 (AVA sections) & Annex B
• UKSP 05 Part V
Exercise 1 - Vulnerabilities
[Diagram: the subject (client) sends an access request; the Mechanism mediates and notifies the Object Server, which holds the object and returns the object details]
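The Exercise 1 scenario (client, mediating mechanism, object server) and the bypass, tampering and misuse cases from the earlier slides, modelled as an added example; this is not part of the original course material, and the class and function names, the one-time grant token, the read-only policy and the sample policy are all assumptions for illustration.

```python
from types import MappingProxyType
import secrets

class Mechanism:
    """Security function: mediates every access request and keeps an audit trail."""
    def __init__(self, policy):
        # read-only view so a client holding a reference cannot tamper with the policy
        self._policy = MappingProxyType({s: frozenset(o) for s, o in policy.items()})
        self._grants = {}   # one-time grant token -> object name
        self.audit = []     # (subject, object, allowed) for every decision
    def request(self, subject, object_name):
        allowed = object_name in self._policy.get(subject, frozenset())  # default deny
        self.audit.append((subject, object_name, allowed))
        if not allowed:
            raise PermissionError(f"{subject} may not access {object_name}")
        grant = secrets.token_hex(16)
        self._grants[grant] = object_name
        return grant
    def redeem(self, grant):
        return self._grants.pop(grant, None)   # each grant is valid exactly once

class ObjectServer:
    """Releases object details only against a grant the mechanism minted,
    so a client that reaches the server directly cannot bypass mediation."""
    def __init__(self, mechanism, objects):
        self._mechanism, self._objects = mechanism, dict(objects)
    def fetch(self, grant):
        object_name = self._mechanism.redeem(grant)
        if object_name is None:
            raise PermissionError("no valid grant: access must be mediated")
        return self._objects[object_name]

def client_access(mechanism, server, subject, object_name):
    """Intended path from the diagram: access request -> mediates -> notify -> details."""
    return server.fetch(mechanism.request(subject, object_name))

def _countered(attempt):
    """True when the security function stops the attempt; False means exploitable."""
    try:
        attempt()
        return False
    except (PermissionError, TypeError):
        return True

def checklist():
    """Constructed scenario: probes the bypass, tamper and misuse cases."""
    mech = Mechanism({"alice": {"report"}})
    server = ObjectServer(mech, {"report": "quarterly figures", "keys": "k"})
    def tamper():                      # attempt to widen the policy at run time
        mech._policy["bob"] = frozenset({"keys"})
    return {"mediated": client_access(mech, server, "alice", "report"),
            "default_deny": _countered(lambda: client_access(mech, server, "bob", "report")),
            "bypass_blocked": _countered(lambda: server.fetch("forged-grant")),
            "tamper_blocked": _countered(tamper)}
```

Each entry of `checklist()` that comes back `False` would be recorded as a known vulnerability for the exploitability step.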
Exercise 2 - Strength
• Password mechanism can be defeated by
  – manual attack, taking 20 days
  – automated attack, taking 5 minutes
• What is the strength of this mechanism?
• How might the strength be improved?
Exercise 3 - Misuse
• Should lamp be lit in
  – CIPHER mode?
  – CLEAR mode?
CRYPTO DEVICE   DATA
CIPHER          Encrypted
CLEAR           Cleartext