Re: Object reuse protection

From: Lohkee (lohkee@worldnet.att.net)
Date: 04/26/02


From: "Lohkee" <lohkee@worldnet.att.net>
Date: Thu, 25 Apr 2002 23:47:17 GMT


"Lohkee" <lohkee@worldnet.att.net> wrote in message
news:SNKx8.44436$Rw2.3463347@bgtnsc05-news.ops.worldnet.att.net...
>
> "Jeff Makey" <jeff@sdsc.edu> wrote in message
> news:aa7jjr$auv$1@news1.ucsd.edu...
> > In article <7ZWv8.34960$Rw2.2624529@bgtnsc05-news.ops.worldnet.att.net>,
> > Lohkee <lohkee@worldnet.att.net> wrote:
> > >*****It is technically impossible to meet any of the other criteria for C2
> > >certification unless you properly implement Object Reuse*****
> >
> > No. All of the C2 criteria that are identical to those of the
> > inferior C1 class (which does not have the Object Reuse requirement)
> > can be satisfied even on a system with gross object reuse problems.
> >
> > :: Jeff Makey
> > jeff@sdsc.edu
> >
> > Department of Tautological Pleonasms and Superfluous Redundancies Department
>
>
> Both of those statements are absolutely false! If you take the time to read
> the technical criteria carefully, you will see that it is technically
> impossible to meet DAC, I&A, or Audit without OR. Trust me on this one, I
> have been formally recognized by the US Govt. as an expert in this
> particular subject.
>
> Lohkee!
>

CONTROLLED ACCESS PROTECTION (C2)

In order to understand why Object Reuse is so important, and why Jeff's
statements are false, we must look at the pertinent criteria for each area
(DAC, I&A, AUDIT).

Audit: The TCB shall be able to create, maintain, and protect from
modification or unauthorized access or destruction an audit trail of
accesses to the objects it protects. The audit data shall be protected by
the TCB so that read access to it is limited to those who are authorized for
audit data. The Discretionary Access Control mechanism is responsible for
enforcing these rules.

Identification and Authentication: The TCB shall protect authentication data
so that it cannot be accessed by any unauthorized user. Again, the
Discretionary Access Control mechanism is responsible for enforcing these
rules, so now we look at DAC.

Discretionary Access Control: The TCB shall define and control access
between named users and named objects (e.g., files and programs) in the ADP
system. The discretionary access control mechanism shall, either by explicit
user action, or by default, provide that objects are protected from
unauthorized access. Object Reuse is, in part, responsible for enforcing
these rules. Actually, Object Reuse is the cornerstone of DAC. If you are
at all familiar with the concept of "unerasing" files, the reasons for this
are rather obvious. In case you're not, let's take a quick look at the
service provided by the Object Reuse mechanism.

Object Reuse: No information, including encrypted representations of
information, produced by a prior subject's actions is to be available to any
subject that obtains access to an object that has been released back to the
system.

Given the criteria mandated for DAC, I&A, and Audit, it becomes obvious that
without a proper implementation of OR, they are impossible to meet (and how
critical this function really is), for example:

Tom has taken great care to implement all of the required control objectives
with the single exception of Object Reuse. Many so-called security
professionals would support Tom's claim of almost complete C2 compliance;
however, a competent analysis of Tom's system would reveal that the system
has, in fact, failed to meet any of the required control objectives and
therefore cannot meet any of the requirements.

Discretionary Access Control - FAILED
Although Tom "properly" implemented the required discretionary access
control mechanism when he designed the system, he has in fact failed to meet
the specified control objective for the following reason: Since Object
Reuse was not implemented, it is possible (and in fact quite probable) that
free disk space will contain residual images of data that are no longer
controlled because they have been released back to the system's pool of
unused resources. These images can legitimately be read by any authorized
user of the system to whom that memory or disk space is subsequently
assigned, a condition that violates the criteria necessary to claim
compliance with the DAC requirement.

Object Reuse - FAILED
Not implemented and so fails by default.

Identification/Authentication - FAILED
Since it is entirely possible that residual information may be I&A data
(particularly on *nix boxes) and that another system user may be able to
view that information, we have a clear violation of the criteria necessary
to claim compliance with the I&A requirement.

Audit - FAILED
The same condition enumerated under I&A is also true here.

Assurance - FAILED
Given that Tom's system has failed to properly implement any of the required
control objectives, it would be completely irrational to claim compliance
with this requirement.

Bottom line: C2 is like an upside-down pyramid. Take out the bottom stone
and the whole damn thing comes tumbling down. Jeff's statement that C1 and
C2 are identical is also false. You can read the Orange Book for yourself
to verify this one, or you can simply ask yourself what would be the point
in having two identical standards with different names (C1 and C2) within
the same document, or you can just look at Jeff's statement "No. All of the
C2 criteria that are identical to those of the inferior C1 class (which does
not have the Object Reuse requirement)" in which he contradicts himself
(DOH!).

The lack of OR is why C1 systems are untrusted. They only meet the surface
requirements, i.e., they might have a DAC requirement, but they cannot
guarantee that it is trustworthy because of the "erased" file issue
addressed by OR in C2.

Lohkee!
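The failure mode described for Tom's system, as an added example that is not part of the original post: a toy fixed-size block pool (subject names, block size and the sample I&A record are all constructed) whose DAC check correctly denies a second subject while a block is owned, but which, unless it scrubs blocks on release, hands the previous subject's contents to whichever authorized user is allocated that block next.

```python
BLOCK_SIZE = 16  # bytes per block (constructed value for the example)


class BlockPool:
    """Fixed-size blocks handed to named subjects; owner[i] is the DAC state of block i."""

    def __init__(self, nblocks, scrub_on_release):
        self.scrub_on_release = scrub_on_release  # True = Object Reuse implemented, False = Tom's system
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(nblocks)]
        self.owner = [None] * nblocks
        self.free = list(range(nblocks))  # used as a stack: last released block is allocated next

    def allocate(self, subject):
        idx = self.free.pop()
        self.owner[idx] = subject
        return idx

    def _check(self, subject, idx):  # the discretionary access control check on a live object
        if self.owner[idx] != subject:
            raise PermissionError(f"{subject} may not access block {idx}")

    def write(self, subject, idx, data):
        self._check(subject, idx)
        self.blocks[idx][:] = data.ljust(BLOCK_SIZE, b"\0")[:BLOCK_SIZE]

    def read(self, subject, idx):
        self._check(subject, idx)
        return bytes(self.blocks[idx])

    def release(self, subject, idx):
        self._check(subject, idx)
        if self.scrub_on_release:  # Object Reuse: no prior subject's data survives the release
            self.blocks[idx][:] = bytes(BLOCK_SIZE)
        self.owner[idx] = None
        self.free.append(idx)


def reuse_scenario(scrub_on_release):
    """Returns (DAC denied ann while tom owned the block, bytes ann reads after tom releases it)."""
    pool = BlockPool(nblocks=2, scrub_on_release=scrub_on_release)
    b = pool.allocate("tom")
    pool.write("tom", b, b"root:hunter2")  # constructed sample of I&A data
    try:
        pool.read("ann", b)  # DAC on the live object: must be denied
        denied = False
    except PermissionError:
        denied = True
    pool.release("tom", b)
    c = pool.allocate("ann")  # the pool hands ann the block tom just released
    return denied, pool.read("ann", c)  # a legitimate read of an object ann now owns
```

With scrub_on_release=False the DAC mechanism never misbehaves, yet ann reads tom's authentication record out of a block she legitimately owns; with it set to True she reads only zeros.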


