DOCSLIB.ORG

Planning for Multilevel Security and the Common Criteria

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Planning for Multilevel Security and the Common Criteria z/OS Version 2 Release 3 Planning for Multilevel Security and the Common Criteria IBM GA32-0891-30 Note Before using this information and the product it supports, read the information in “Notices” on page 163. This edition applies to Version 2 Release 3 of z/OS (5650-ZOS) and to all subsequent releases and modifications until otherwise indicated in new editions. Last updated: 2019-06-25 © Copyright International Business Machines Corporation 1994, 2019. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Figures................................................................................................................ vii Tables.................................................................................................................. ix About this document.............................................................................................xi Who should read this document................................................................................................................. xi How this document is organized.................................................................................................................xi How to use this document..........................................................................................................................xii Prerequisite and related information.........................................................................................................xii How to send your comments to IBM.....................................................................xiii If you have a technical problem................................................................................................................xiii Summary of changes............................................................................................xv Changes made in z/OS Version 2 Release 3.............................................................................................. xv Changes made in z/OS Version 2 Release 2 as updated in March 2016..................................................xvi Changes made in z/OS Version 2 Release 1............................................................................................. xvi Changes made in z/OS Version 1 Release 13.......................................................................................... xvii Chapter 1. What is multilevel security?.................................................................. 1 History.......................................................................................................................................................... 1 Characteristics of a multilevel-secure system............................................................................................ 3 Access controls.......................................................................................................................................3 Object reuse............................................................................................................................................4 Accountability.........................................................................................................................................5 Labeling hardcopy with security information........................................................................................ 5 The name-hiding function...................................................................................................................... 5 Write-down............................................................................................................................................. 6 Performance........................................................................................................................................... 6 The trusted computing base........................................................................................................................6 Hardware................................................................................................................................................ 7 Software..................................................................................................................................................7 Chapter 2. Security labels......................................................................................9 Defining security labels................................................................................................................................9 Security labels that the system creates.................................................................................................... 10 Assigning a security label to a subject or resource...................................................................................11 Using security labels..................................................................................................................................12 Mandatory access control (MAC)......................................................................................................... 12 Discretionary access control (DAC) checking......................................................................................16 Security labels for data transferred to tape or DASD................................................................................16 Security labels and data set allocation..................................................................................................... 16 Printing security information on hardcopy output.................................................................................... 17 Changing a security label...........................................................................................................................17 Using security labels with z/OS UNIX System Services............................................................................18 Associating security labels with remote users....................................................................................18 Assigning a home directory and initial program depending on security label....................................19 Security labels and the su command...................................................................................................20 Security labels for z/OS UNIX files and directories.............................................................................20 iii Security label processing for communications between z/OS UNIX processes................................ 22 Using system-specific security labels in a sysplex................................................................................... 24 Defining and activating system-specific security labels..................................................................... 24 Shared file system environment and system-specific security labels................................................25 SETROPTS options that control the use of security labels....................................................................... 26 The COMPATMODE and NOCOMPATMODE options............................................................................ 27 The MLACTIVE and NOMLACTIVE options.......................................................................................... 27 The MLFSOBJ option............................................................................................................................28 The MLIPCOBJ option.......................................................................................................................... 29 The MLNAMES and NOMLNAMES options...........................................................................................29 The MLQUIET and NOMLQUIET options..............................................................................................30 The MLS and NOMLS options............................................................................................................... 30 The MLSTABLE and NOMLSTABLE options..........................................................................................31 The SECLABELAUDIT and NOSECLABELAUDIT options.....................................................................31 The SECLABELCONTROL and NOSECLABELCONTROL options.......................................................... 32 The SECLBYSYSTEM and NOSECLBYSYSTEM options........................................................................ 32 Chapter 3. Establishing multilevel security...........................................................33 In this topic................................................................................................................................................ 33 The physical environment......................................................................................................................... 33 The hardware configuration.......................................................................................................................33 The software configuration........................................................................................................................34 Required software................................................................................................................................ 34 z/OS elements and features that do not support multilevel security.................................................35 z/OS elements and features that partially support
Load more

Recommended publications
  • Validators Report
    National Information Assurance Partnership ® TM Common Criteria Evaluation and Validation Scheme Validation Report IBM Global Security Kit (GSKit) 8.0.14 Report Number: CCEVS-VR-VID10394-2011 Dated: 2012-03-06 Version: 1.0 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9800 Savage Road STE 6740 Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6740 ACKNOWLEDGEMENTS Validation Team Jim Brosey Orion Security Fort Meade, Maryland Jandria S. Alexander Aerospace Fort Meade, Maryland Vicky Ashby The MITRE Corporation McLean, Virginia Evaluation Team Alejandro Masino, Trang Huynh, Courtney Cavness atsec Information Security Corporation Austin, Texas Table of Contents 1. EXECUTIVE SUMMARY ........................................................................................................................................ 4 2. IDENTIFICATION .................................................................................................................................................... 4 3. CLARIFICATION OF SCOPE ................................................................................................................................. 6 3.1. PHYSICAL SCOPE ................................................................................................................................................... 6 3.2. LOGICAL SCOPE ....................................................................................................................................................
    [Show full text]
  • Cen Workshop Agreement Cwa 14722-3
    CEN CWA 14722-3 WORKSHOP August 2004 AGREEMENT ICS 35.240.15 Supersedes CWA 14722-3:2004 English version Embedded financial transactional IC card reader (embedded FINREAD) - Part 3: Functional and Security Specifications This CEN Workshop Agreement has been drafted and approved by a Workshop of representatives of interested parties, the constitution of which is indicated in the foreword of this Workshop Agreement. The formal process followed by the Workshop in the development of this Workshop Agreement has been endorsed by the National Members of CEN but neither the National Members of CEN nor the CEN Management Centre can be held accountable for the technical content of this CEN Workshop Agreement or possible conflicts with standards or legislation. This CEN Workshop Agreement can in no way be held as being an official standard developed by CEN and its Members. This CEN Workshop Agreement is publicly available as a reference document from the CEN Members National Standard Bodies. CEN members are the national standards bodies of Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, Switzerland and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMITÉ EUROPÉEN DE NORMALISATION EUROPÄISCHES KOMITEE FÜR NORMUNG Management Centre: rue de Stassart, 36 B-1050 Brussels © 2004 CEN All rights of exploitation in any form and by any means reserved worldwide
    [Show full text]
  • Role Based Access Control on MLS Systems Without Kernel Changes
    Role Based Access Control on For example, roles in a bank may include the role of teller or accountant. Each of these roles has a set of MLS Systems without Kernel privileges or transactions that they can p erform, includ- Changes ing some privileges that are available to b oth roles. Roles can b e hierarchical. For example, some roles in a hospital D. Richard Kuhn may b e health care provider, nurse, and do ctor. The do c- National Institute of Standards and Technology tor role may include all privileges available to the nurse Gaithersburg, Maryland 20899 role, which in turn includes all the privileges available to the health care provider role. Roles have b een used in a variety of forms for com- Abstract puter system security for at least 20 years, and several prop osals for incorp orating roles into existing access con- Role based access control (RBAC) is attracting increas- trol mechanisms have b een published [2], [3], [4]. More ing attention as a security mechanism for b oth commer- recently, formal defnitions for general-purp ose RBAC no- cial and many military systems. This pap er shows how tions have b een prop osed [5], [6], [7]. RBAC can b e implemented using the mechanisms avail- This pap er shows how RBAC can b e implemented able on traditional multi-level security systems that im- using the controls available on traditional lattice-based plement information fow p olicies. The construction from multi-level secure systems. This approach presents a MLS to RBAC systems is signifcant b ecause it shows that number of advantages: the enormous investment in MLS systems can b e lever- aged to pro duce RBAC systems.
    [Show full text]
  • Part 3: Security Assurance Components
    Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components September 2012 Version 3.1 Revision 4 CCMB-2012-09-003 Foreword This version of the Common Criteria for Information Technology Security Evaluation (CC v3.1) is the first major revision since being published as CC v2.3 in 2005. CC v3.1 aims to: eliminate redundant evaluation activities; reduce/eliminate activities that contribute little to the final assurance of a product; clarify CC terminology to reduce misunderstanding; restructure and refocus the evaluation activities to those areas where security assurance is gained; and add new CC requirements if needed. CC version 3.1 consists of the following parts: Part 1: Introduction and general model Part 2: Security functional components Part 3: Security assurance components Trademarks: UNIX is a registered trademark of The Open Group in the United States and other countries Windows is a registered trademark of Microsoft Corporation in the United States and other countries Page 2 of 233 Version 3.1 September 2012 Legal Notice: The governmental organisations listed below contributed to the development of this version of the Common Criteria for Information Technology Security Evaluation. As the joint holders of the copyright in the Common Criteria for Information Technology Security Evaluation, version 3.1 Parts 1 through 3 (called “CC 3.1”), they hereby grant non- exclusive license to ISO/IEC to use CC 3.1 in the continued development/maintenance of the ISO/IEC 15408 international standard. However, these governmental organisations retain the right to use, copy, distribute, translate or modify CC 3.1 as they see fit.
    [Show full text]
  • NSA Security-Enhanced Linux (Selinux)
    Integrating Flexible Support for Security Policies into the Linux Operating System http://www.nsa.gov/selinux Stephen D. Smalley [email protected] Information Assurance Research Group National Security Agency ■ Information Assurance Research Group ■ 1 Outline · Motivation and Background · What SELinux Provides · SELinux Status and Adoption · Ongoing and Future Development ■ Information Assurance Research Group ■ 2 Why Secure the Operating System? · Information attacks don't require a corrupt user. · Applications can be circumvented. · Must process in the clear. · Network is too far. · Hardware is too close. · End system security requires a secure OS. · Secure end-to-end transactions requires secure end systems. ■ Information Assurance Research Group ■ 3 Mandatory Access Control · A ªmissing linkº of security in current operating systems. · Defined by three major properties: ± Administratively-defined security policy. ± Control over all subjects (processes) and objects. ± Decisions based on all security-relevant information. ■ Information Assurance Research Group ■ 4 Discretionary Access Control · Existing access control mechanism of current OSes. · Limited to user identity / ownership. · Vulnerable to malicious or flawed software. · Subject to every user©s discretion (or whim). · Only distinguishes admin vs. non-admin for users. · Only supports coarse-grained privileges for programs. · Unbounded privilege escalation. ■ Information Assurance Research Group ■ 5 What can MAC offer? · Strong separation of security domains · System, application, and data integrity · Ability to limit program privileges · Processing pipeline guarantees · Authorization limits for legitimate users ■ Information Assurance Research Group ■ 6 MAC Implementation Issues · Must overcome limitations of traditional MAC ± More than just Multi-Level Security / BLP · Policy flexibility required ± One size does not fit all! · Maximize security transparency ± Compatibility for applications and existing usage.
    [Show full text]
  • An Access Control Model for Preventing Virtual Machine Escape Attack
    future internet Article An Access Control Model for Preventing Virtual Machine Escape Attack Jiang Wu ,*, Zhou Lei, Shengbo Chen and Wenfeng Shen School of Computer Engineering and Science, Shanghai University, Shanghai 200444, China; [email protected] (Z.L.); [email protected] (S.C.); [email protected] (W.S.) * Correspondence: [email protected]; Tel: +86-185-0174-6348 Academic Editor: Luis Javier Garcia Villalba Received: 26 March 2017; Accepted: 23 May 2017; Published: 2 June 2017 Abstract: With the rapid development of Internet, the traditional computing environment is making a big migration to the cloud-computing environment. However, cloud computing introduces a set of new security problems. Aiming at the virtual machine (VM) escape attack, we study the traditional attack model and attack scenarios in the cloud-computing environment. In addition, we propose an access control model that can prevent virtual machine escape (PVME) by adapting the BLP (Bell-La Padula) model (an access control model developed by D. Bell and J. LaPadula). Finally, the PVME model has been implemented on full virtualization architecture. The experimental results show that the PVME module can effectively prevent virtual machine escape while only incurring 4% to 8% time overhead. Keywords: virtual security; virtual machine escape; access control; BLP model; PVME model 1. Introduction Cloud computing treats IT resources, data and applications as a service provided to the user through network, which is a change in the way of how data is modeled. Currently, the world’s leading IT companies have developed and published their own cloud strategies, such as Google, Amazon, and IBM.
    [Show full text]
  • File Permissions Do Not Restrict Root
    Filesystem Security 1 General Principles • Files and folders are managed • A file handle provides an by the operating system opaque identifier for a • Applications, including shells, file/folder access files through an API • File operations • Access control entry (ACE) – Open file: returns file handle – Allow/deny a certain type of – Read/write/execute file access to a file/folder by – Close file: invalidates file user/group handle • Access control list (ACL) • Hierarchical file organization – Collection of ACEs for a – Tree (Windows) file/folder – DAG (Linux) 2 Discretionary Access Control (DAC) • Users can protect what they own – The owner may grant access to others – The owner may define the type of access (read/write/execute) given to others • DAC is the standard model used in operating systems • Mandatory Access Control (MAC) – Alternative model not covered in this lecture – Multiple levels of security for users and documents – Read down and write up principles 3 Closed vs. Open Policy Closed policy Open Policy – Also called “default secure” • Deny Tom read access to “foo” • Give Tom read access to “foo” • Deny Bob r/w access to “bar” • Give Bob r/w access to “bar • Tom: I would like to read “foo” • Tom: I would like to read “foo” – Access denied – Access allowed • Tom: I would like to read “bar” • Tom: I would like to read “bar” – Access allowed – Access denied 4 Closed Policy with Negative Authorizations and Deny Priority • Give Tom r/w access to “bar” • Deny Tom write access to “bar” • Tom: I would like to read “bar” – Access
    [Show full text]
  • Ccdb-2009-03-001
    Supporting Document Mandatory Technical Document Application of Attack Potential to Smartcards March 2009 Version 2.7 Revision 1 CCDB-2009-03-001 Foreword This is a supporting document, intended to complement the Common Criteria version 3 and the associated Common Evaluation Methodology for Information Technology Security Evaluation. Supporting documents may be “Guidance Documents”, that highlight specific approaches and application of the standard to areas where no mutual recognition of its application is required, and as such, are not of normative nature, or “Mandatory Technical Documents”, whose application is mandatory for evaluations whose scope is covered by that of the supporting document. The usage of the latter class is not only mandatory, but certificates issued as a result of their application are recognized under the CCRA. Technical Editor: BSI Document History: V2.7 March 2009 (technical update of rating categories and update on usage of open samples based upon corresponding JIL document version 2.7) V2.5 December 2007 (explicit statements added that the points for identification and exploitation have to be added at the end to achieve the final attack potential value, references updated) V2.3 April 2007 (evaluation time guideline and rules regarding the use of open samples added and updated for use with both CC version 2 and 3) V2.1 April 2006 (classification as mandatory technical document, several updates to the tables) V1.1, July 2002 (draft indicator deleted, references updated, same content as V1.0) General purpose: The security properties of both hardware and software products can be certified in accordance with CC. To have a common understanding and to ensure that CC is used for hardware integrated circuits in a manner consistent with today’s state of the art hardware evaluations, the following chapters provide guidance on the individual aspects of the CC assurance work packages in addition to the Common Evaluation Methodology [CEM].
    [Show full text]
  • Microsoft Windows Common Criteria Evaluation Security Target
    Windows 10, Server 2012 R2 Security Target Microsoft Windows Common Criteria Evaluation Microsoft Windows 10 Microsoft Windows Server 2012 R2 Security Target Document Information Version Number 1 Updated On March 17, 2016 Microsoft © 2016 Page 1 of 97 Windows 10, Server 2012 R2 Security Target This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs- NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd-nc/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The example companies, organizations, products, people and events depicted herein are fictitious.
    [Show full text]
  • Multilevel Security (MLS)
    Multilevel Security (MLS) Database Security and Auditing Multilevel Security (MLS) Definition and need for MLS – Security Classification – Secrecy-Based Mandatory Policies: Bell- LaPadula Model – Integrity-based Mandatory Policies: The Biba Model – Limitation of Mandatory Policies Hybrid Policies – The Chinese Wall Policy Definition and need for MLS Multilevel security involves a database in which the data stored has an associated classification and consequently constraints for their access MLS allows users with different classification levels to get different views from the same data MLS cannot allow downward leaking, meaning that a user with a lower classification views data stored with a higher classification Definition and need for MLS Usually multilevel systems are with the federal government Some private systems also have multilevel security needs MLS relation is split into several single-level relations, A recovery algorithm reconstructs the MLS relation from the decomposed single-level relations At times MLS updates cannot be completed because it would result in leakage or destruction of secret information Definition and need for MLS In relational model, relations are tables and relations consist of tuples (rows) and attributes (columns) Example: Consider the relation SOD(Starship, Objective, Destination) Starship Objective Destination Enterprise Exploration Talos Voyager Spying Mars Definition and need for MLS The relation in the example has no classification associated with it in a relational model The same example in MLS with
    [Show full text]
  • Multilevel Adaptive Security System
    Copyright Warning & Restrictions The copyright law of the United States (Title 17, United States Code) governs the making of photocopies or other reproductions of copyrighted material. Under certain conditions specified in the law, libraries and archives are authorized to furnish a photocopy or other reproduction. One of these specified conditions is that the photocopy or reproduction is not to be “used for any purpose other than private study, scholarship, or research.” If a, user makes a request for, or later uses, a photocopy or reproduction for purposes in excess of “fair use” that user may be liable for copyright infringement, This institution reserves the right to refuse to accept a copying order if, in its judgment, fulfillment of the order would involve violation of copyright law. Please Note: The author retains the copyright while the New Jersey Institute of Technology reserves the right to distribute this thesis or dissertation Printing note: If you do not wish to print this page, then select “Pages from: first page # to: last page #” on the print dialog screen The Van Houten library has removed some of the personal information and all signatures from the approval page and biographical sketches of theses and dissertations in order to protect the identity of NJIT graduates and faculty. ABSTRACT MULTILEVEL ADAPTIVE SECURITY SYSTEM by Hongwei Li Recent trends show increased demand for content-rich media such as images, videos and text in ad-hoc communication. Since such content often tends to be private, sensitive, or paid for, there exists a requirement for securing such information over resource constrained ad hoc networks.
    [Show full text]
  • Looking Back: Addendum
    Looking Back: Addendum David Elliott Bell Abstract business environment produced by Steve Walker’s Com- puter Security Initiative.3 The picture of computer and network security painted in What we needed then and what we need now are “self- my 2005 ACSAC paper was bleak. I learned at the con- less acts of security” that lead to strong, secure commercial ference that the situation is even bleaker than it seemed. products.4 Market-driven self-interest does not result in al- We connect our most sensitive networks to less-secure net- truistic product decisions. Commercial and government ac- works using low-security products, creating high-value tar- quisitions with tight deadlines are the wrong place to ex- gets that are extremely vulnerable to sophisticated attack or pect broad-reaching initiatives for the common good. Gov- subversion. Only systems of the highest security are suffi- ernment must champion selfless acts of security separately cient to thwart such attacks and subversions. The environ- from acquisitions. ment for commercial security products can be made healthy again. 3 NSA Has the Mission In 1981, the Computer Security Evaluation Center was 1 Introduction established at the National Security Agency (NSA). It was charged with publishing technical standards for evaluating In the preparation of a recent ACSAC paper [1], I con- trusted computer systems, with evaluating commercial and firmed my opinion that computer and network security is in GOTS products, and with maintaining an Evaluated Prod- sad shape. I also made the editorial decision to soft-pedal ucts List (EPL) of products successfully evaluated. NSA criticism of my alma mater, the National Security Agency.
    [Show full text]