---

CS 621 - Trusted Systems

Syllabus

©1998 Charles Abzug

---

Summary Course Description:

Definition of a "Trusted System", and considerations pertaining to the design, evaluation, certification and accreditation of trusted systems, including hardware considerations, software considerations such as developmental controls, validation/verification, assured distribution and other assurance issues. Implementation, configuration management, and systems administration of trusted systems. Trusted applications and trusted database issues. Importance of aggressive monitoring and of setting traps for the intruder. Importance of the understanding of both the psychology and the successful modus vivendi of the attacker to generating and maintaining a powerful defense.

Course Prerequisites:

 CS 510, 511, 512, 550, 555, 574, (the Computer Science core curriculum) and CS 623, Introduction to Information Security

Statement of Purpose:

At this point in the curriculum, each student has assimilated the full set of basic Computer Science background skills of computer programming, operating systems, principles of operation of computers, and software engineering. In addition, there has been an exposure to the broad principles of Information Systems Security (INFOSEC), including threats, vulnerabilities, risk management, and the basic concepts of security countermeasures. "Trusted Systems" covers the principles of how computer systems are designed and constructed in a carefully controlled and disciplined manner so as to provide a sound basis for secure operation in accordance with objective standards, as well as practical techniques for operating of existing systems so as to exploit as much as possible of their security capabilities.

Intended Audience:

Like the other courses in JMU's graduate INFOSEC program, this course addresses the needs of two groups of people: 

• those who, either presently do encounter computer systems as part of their personal and organizational lives, or who in the near future will; and
• those who, either presently are directly involved with computers and provide computing tools and systems for others, or who will in the near future.

Course Objectives:

By the end of the course, the student should: 

1. Understand the unique nature of security problems attendant upon the widespread use and reliance upon computer systems for the storage, processing, and retrieval of critical and sensitive data.
2. Understand the principal hardware, software and process issues in the design, construction, testing, and operation of Trusted Systems.
3. Be able to check the configuration of an existing system to determine whether it is operating at or near to the optimum level of attainable security, and if necessary modify the configuration to attain the desired goal.
4. Be able to apply the concepts of various security models to the understanding of how security can be provided in a Trusted System and to the selection of a Trusted System adequate for providing the security needs of a particular environment. 
5. Understand how the application of Trusted Systems issues can be extended to the Database environment.
6. Understand how the Distributed Networking environment introduces additional security challenges in the form of communications protocols with vulnerabilities, and be able to make ongoing adjustments to the configuration of a secure system as more such vulnerabilities become known and as solutions to them are found. 
7. Be able to reconcile the relatively lengthy history of Trusted Systems developments in the U.S. Department of Defense with the more recent developments in the Canadian and European environments.

Textbooks and Other Source Materials:

Pipkin, Donald L. (1997). Halting the Hacker: A Practical Guide to Computer Security. Upper Saddle River, NJ: Prentice-Hall PTR. QA76.9.A35P56 1997; 005.8—dc21; 96-46381; ISBN 0-13-243718-X. [NOTE: This book includes a CD-ROM containing information pertaining to various sources of information pertaining to Information Systems Security (INFOSEC), as well as a variety of documents, including several members of the National Computer Security Center's "Rainbow Series" of publications, and a fairly extensive library of software tools useful for either checking security in a stated environment or for enhancing security.] 

Various members of the National Computer Security Center's "Rainbow Series":

DOD 5200.28-STD. Department of Defense Trusted Computer System Evaluation Criteria (the "Orange Book").

CSC-STD-004-85. Technical Rationale behind CSC-STD-003-85: Computer Security Requirements. Guidance for Applying the Department of Defense Trusted Computer System Evaluation Criteria in Specific Environments.

NCSC-TG-005. Trusted Network Interpretation of the Trusted Computer Evaluation Criteria.

NCSC-TG-011. Trusted Network Interpretation Environments Guideline: Guidance for Applying the Trusted Network Interpretation.

NCSC-TG-028. Assessing Controlled Access Protection.

NCSC-TG-029. Introduction to Certification and Accreditation.

NCSC-TG-001, 003, 008, 010, 017, 018, 022, 023, 025, 027, 030: Various "Guides to Understanding blankety-blank in Trusted Systems."

 

NOTE that 24 members of the Rainbow Series are included in electronic form in the Compact Disk that you got along with the course text (Pipkin, Donald L. (1997). Halting the Hacker: A Practical Guide to Computer Security. Upper Saddle River, NJ: Prentice-Hall PTR), and can be accessed readily from your Internet browser via a User-friendly Table of Contents (D:\RAINBOW\index.htm, if your CD-ROM drive letter is D). These same documents, plus an additional eight, are also available on-line in internet-browsable form from the National Computer Security Center (a division of the National Security Agency). URL: http://www.radium.ncsc.mil/tpep/library/rainbow/. An additional five documents are downloadable to your machine from the same NCSC URL cited above. Other documents listed there are not yet available electronically, neither in browsable nor in downloadable form. A toll-free number is available for ordering all documents of the series that are still in print (a single copy of the entire series is available to anyone free of charge): 800-688-6115, extension 0. Also available is a single copy of the "Information Systems Security Products and Services Catalog". You are encouraged to look at the website and to select any documents that may be of interest to you, and to order those that are neither browsable nor downloadable, as well as the Products and Services Catalog..

Common Criteria for Information Technology Security Evaluation. URL: http://www.cs.jmu.edu/users/AbzugCX/Trusted-Systems/Common-Criteria

Additional World Wide Web sources as may be cited from time to time.

Fites, Philip E.; & Kratz, Martin P.J. (1996). Information Systems Security: A Practitioner's Reference. Boston, MA: International Thomson Computer Press. QA76.9.A25F536 1993; 005.8—dc20; 93-15895; ISBN 1-85032-828-5. [NOTE: This text will be used for auxiliary readings only. It is the same textbook that was used in the previous course, CS 623: Introduction to Information Security.]

Additional (Optional) INFOSEC References: List of INFOSEC and Crypto References.

Presentation Materials for Day One: Module-1, Module-2, Module-3, Module-4, Module-5, Module-6

Detailed Course Content:

Trusted Systems Course Content

Reading Assignments:

NOTE that readings in addition to those enumerated here may also be assigned via the Discussion facility.

 Week 1:

 Principal Reading: the "Orange Book" (DOD 5200.28-STD. Department of Defense Trusted Computer System Evaluation Criteria). After the lecture coverage of the first day's class, you will find that the reading goes easiest in the following order:

1. Introduction (pages 1-5)
2. Appendix D (pages 95-109)
3. Part II: Rationale and Guidelines (pages 57-87)
4. Appendices A & B (pages 89-91)
5. Part I: The Criteria (pages 7-54) [This part makes a lot more sense if left for last.]

Secondary reading (re-read?): Chapter 7 in Fites, entitled "Computer and Systems. Security" (pp. 147-180). [NOTE: It is only necessary to skim this chapter; it can serve as a quick review of some of the concepts discussed in lecture on Class Day 1, and also has a brief coverage of viruses, which were not discussed in lecture.

Week 2:

Read in Pipkin from Sidebar 1 through Chapter 6 (pp. 16-82).

Review and further coverage of database normalization: http://www.ariasoft.com/normalize.html and http://userpages.aug.com/frodo/filenorm.htm

Review of database design: http://userpages.aug.com/frodo/datatwo.htm

Review of both database design and normalization: http://www.borland.com/devsupport/VdBASE/ti_list/TI2563.html

Week 3:

Read in Pipkin from Chapter 7 through Chapter 12 (pp. 83-138).

Week 4:

Principal reading:

1. CSC-STD-004-85. Technical Rationale behind CSC-STD-003-85: Computer Security Requirements. Guidance for Applying the Department of Defense Trusted Computer System Evaluation Criteria in Specific Environments.
2. NCSC-TG-005. Trusted Network Interpretation of the Trusted Computer Evaluation Criteria. Read the Introduction (pages ix-xix), the beginning of Part I (pages 1-57), and Appendix A through section A.2.5.3 (pages 193-200),
3. NCSC-TG-011. Trusted Network Interpretation Environments Guideline: Guidance for Applying the Trusted Network Interpretation. Read Chapters 1, 2, and 3 (pages 1-18) , Chapter 6 (pages 39-52), and Appendix A (pages 53-55).

 Secondary reading:

Chapter 8 in Fites, entitled, "Telecommunications Security" (pp. 181-218). [This chapter, which just needs to be rapidly skimmed, summarizes the field of telecommunications and gives an overview of security issues.

Week 5:

Primary Reading:  

1. Review of the ISO-OSI model of data communications and of its relation to the TCP/IP protocol suite: http://tfbbs.tvinet.com/amitcp/OSI_Reference_Model.html 
2. Summary diagram showing nine different sets of communications protocols in relation to the OSI model: http://www.neteng.com/osimodel.htm  
3. Lovely tutorial on the TCP/IP protocol suite: You can take your choice about how you want to access this one. The identical content is available either in one complete document at: www.inform.umd.edu/CompRes/Netinfo/Internet/TCPIPIntro/complete-doc.txt, or it looks a little prettier if you go first to a contents page and then separately download each chapter: www.inform.umd.edu/CompRes/Netinfo/Internet/TCPIPIntro/

 Secondary Reading: Chapter 12 in Fites, entitled, "Application Program Security" (pp. 311-352).

Week 6:

Perform research as needed for your final group project.

Writing/Programming Assignments (Deliverables):

GENERAL NOTE: The following information pertains to all homework assignments. Be sure to follow all instructions painstakingly. Failure to do so will result in penalties assessed against your grade. 

1. Form of Submission: Written reports (text documents) must be submitted in the form of MicroSoft Office documents (Word or PowerPoint, any version) and sent as attachments to E-mail addressed to your instructor's James Madison University E-mail account. For computer programs, you must submit all of: (i) the source code; (ii) the object code; (iii) all files of input used to test your program; and (iv) ASCII text files of your test output. All of the relevant files must be attached to one E-mail msg. If you forgot to attach all of the files the first time, then send a new message with all of the files attached. Do NOT expect your instructor to glue together the contents of several partial submissions.
2. Target of Submission: You must address the E-mail with your homework to your instructor's JMU E-mail account. If you know of any other E-mail addresses for your instructor, you may not use them for the submission of your homework assignments, or for any other course correspondence, either.
3. Due Date: All assignments are due by 2300 hours (11:00p.m.) Sunday night at the end of the week for which that assignment is scheduled. Receipt time will be stamped automatically on the mail msg by the JMU E-mail server.
4. Identification of Sender: Be sure that your full name is properly spelled out in your mail message. It is best if you could arrange to have your complete name appear in the "From:" box (e.g., <George Washington> washingq@yourE-mailserver.org). If your server does not lend itself to doing that, then put your name prominently in the text of the message, thusly: GEORGE WASHINGTON. Your name also needs to appear prominently near the beginning of each file (except for executable files and test input files).
5. Labeling of Message: The "Subject" field of your E-mail should state, "CS 621 Homework, Week n" You may place in the text field any brief note that you think necessary, but there will normally be no need at all for any mail text.
6. File-Naming Convention: Your attached files should be given names in the form of, "HW-WKn.doc" or "HW-WKn.ppt", or ."HW-WKn.cpp", or whatever file extension is appropriate.
7. Length: Text reports are restricted in length to no more than ten pages single-spaced in 10-pt. type with margins of between 0.5"-1.0" (left, right, top and bottom) for the body of the text, including diagrams but exclusive of title page and appended list of references. Note that this really is a maximum length limit. Do not feel that you need to fill up this much space, unless you have something worthwhile to say.
8. Course Archive: Copies of all your homework submissions will be retained by the Computer Science Department in the form of an historical course archive. We may wish to put some of them on display for prospective students or their employer sponsors or in other circumstances where we want to demonstrate what our students have accomplished. If you don't want any of your homework submissions to be put on public display, please mark prominently on the title page, "DISTRIBUTION RESTRICTED TO JMU COMPUTER SCIENCE DEPARTMENT ONLY".
9. Portfolio Submission(s): Five of the six CS 621 deliverable assignments are marked for inclusion in your portfolio. In accordance with the document regarding your portfolio that was distributed several months ago, the only assignments that are required to be included in your portfolio are those of Weeks 3 and 4. You may also, at your option, include the other assignments as well, for Weeks 1, 2, and 5.

Week 1:

Mandatory Access Control (MAC) Security Policy and its Representation via a Lattice (Paper/Portfolio): For this exercise, assume the existence of categories L, M, N, O, P, Q, R, T, U, V, W, X, Y, and Z. 

Part 1: Determine whether the Subject dominates the Object, whether the Object dominates the Subject, whether read access and whether write would be granted under MAC for each of the following Subject-Object pairs:  

Subject’s Authorization	Object’s Sensitivity	Subject Dominates Object?	Read Access Granted?	Write Access Granted?
<TS,{}>	<S,{}>
<S,{L}>	<S,{M}>
<S,{N,O}>	<S,<N}>
<TS,{P}>	<TS,{P,Q,R}>
<TS,{}>	<TS,{T}
<S,{U}>	<TS,{}>
<TS,{V}>	<TS,{V}>
<N,{W}>	<N,{X}>
<N,{}>	<C,{Y,Z}>

Part 2: Make a diagram of a MAC lattice describing the following scenario: In a computer system operating in Multi-Level Secure Mode, Personnel Data are stored on the system (PERS), which are Nonclassified but Sensitive, which are required by upper management to be protected by MAC (i.e., a MAC category must be used). Security Clearance Data (CLEAR), which are classified Confidential (collateral, no categories/compartments), do not require MAC protection (i.e., DAC is sufficient). Cryptographic Keying Material (KEY), at various classifications from Confidential through Top Secret, require MAC protection. There are three kinds of Special Access Program material, which have been assigned categories X (classified variously Confidential through Top Secret), Y (all classified Top Secret), and Z (classified Secret through Top Secret).

In addition to your lattice diagram, provide brief textual answers to the following questions: (i) From the standpoint of the degree of security provided, what are the advantages of MAC over DAC and of DAC over MAC? (ii) From the standpoint of ease of implementation and management, what are the advantages of MAC over DAC and of DAC over MAC?

Indicate how you would represent the following additional situation: Nonclassified Legal data (LEG) are also present on the system, having three different levels of sensitivity: Low, Medium, and High. Anyone authorized to see Medium level LEG data is also authorized to see Low level data, and anyone authorized to see High level LEG data is also authorized for Medium and Low. Develop three different lattice representations for this situation: (i) Employ three different levels on the MAC backbone (i.e., no categories or compartments), situated appropriately between Unclassified and Confidential, without employing an additional MAC category. (ii) Define three separate and distinct MAC categories, all at the single level of Nonclassfied but sensitive (LEG1, LEG2, and LEG3).

Note that each of the first two approaches has a disadvantage. Describe succinctly what they are, and also (iii) suggest still another way of modeling this requirement in MAC that avoids the deficiencies of both of the previous two alternatives.

A table in MS-Word is available for you to fill in the answer to the first part of this assignment.

Please also refer to a tutorial on constructing a lattice.

Week 2:

Security Models (Paper/Portfolio): Design a small example relational database, and write a paper describing how a security model such as the Bell-LaPadula Model, or other security model(s) of your choice, can be applied to your example database . Be sure to address in your paper the issues of object granularity and polyinstantiation.

Week 3:

Establishment of a Secure System Configuration (Project/Portfolio): Pick a full-service operating system, such as Microsoft's Windows95® or Windows NT®, or IBM's OS/2 Warp®, any single variant of your choice of UNIX,

Replace the previous word, UNIX, with: UNIX (such as LINUX, for example),

or Digital Equipment Corporation's VMS®, or IBM's VM® or MVS®, and indicate what steps you would undertake to check on the security of the present configuration, as well as what you would do to establish a maximally secure configuration. Your report should consist of a well commented shell script or an ordered list of Operating System commands, with extensive in-line documentation explaining the significance of each command, as well as a list of principal response alternatives to each command, together with an explanation of the significance and a recommended course of action for each.

NOTE that topic proposals for the Group Projects for Week 6 are also due at the end of Week 3, so that these can be processed and approved speedily, enabling the groups to march out and start their research. For further information, please see the description of the Week 6 deliverables.

Week 4:

Monitoring of Continued Security of the System Configuration (Project/Portfolio): For the same operating system that you selected for your previous assignment, provide a well-commented shell script or an ordered list of commands indicating how you would check up on the security configuration on a daily/weekly/monthly basis. Again, your shell script or command list should include extensive documentation explaining the significance of each command, as well as a list of principal response alternatives to each command, together with an explanation of the significance and a recommended course of action for each.

Week 5:

Comparison of the "Common Criteria" with the "Trusted Computer Systems Evaluation Criteria (TCSEC)" (Paper/Portfolio): Information pertaining to the "Common Criteria" is available through the web site, http://www.cs.jmu.edu/users/AbzugCX/Trusted-Systems/Common-Criteria, and other web pages referenced therein. Write a paper summarizing the differences between the TCSEC and the Common Criteria with regard to: (i) Security Functionality; (ii) Assurance; (iii) Flexibility of Approach; and (iv) Adaptability to the realities of the commercial marketplace. [NOTE that you should be spending part of this week in collaboration with your partners on your group project, so a brief summary paper of not more than four pages in length (text and figures) will be adequate for this assignment.]

Week 6:

Final Group Project: The course will culminate in a group project, the results of which will be presented on the occasion of the class meeting on the last day of the course. Five four-person groups should be completely formed by the end of Week 3, in order to start organizing their projects and collecting information so that they will be able to finish producing their written report and presentation in time for the last class meeting. Select a topic from the list provided below. Note that five topics are presented, for use by five groups. HOWEVER, some topics can be used by more than one group. Thus, for example, several groups can choose Topic #2, since they will presumably employ different approaches to dealing with this problem. Likewise, Topics #3 and #4 can each be carried out by more than one group, IF the different groups select different operating systems to investigate or different software packages. Thus, it is not necessary for the five groups to play "musical chairs" with the five topics. Each group should select a group leader, who should send an E-mail to the instructor indicating: (i) the names of all members of the group; and (ii) an ordered list of at least three topics. Where appropriate, your description of your topic should indicate WHICH operating systems, or WHICH software packages, you intend to work on for your project. Assuming that their entry is acceptable, the group whose E-mail is received first will be approved for the first topic on their list; succeeding group E-mail msgs will be processed in order of receipt.

1. Multi-Level Secure Databases: comparison of security mechanisms and of security feature implementation in Multi-Level secure commercial database management products that have been evaluated by the National Computer Security Center and that appear on the Evaluated Products List. Currently, such products are: INFORMIX-On-Line/Secure release 5.0, Trusted Oracle7, and Sybase SQL Server. The referenced Evaluated Products List reports can serve as the kickoff points for your information gathering.  
2. Secure File System: Write a program module in which you implement the concept of a Reference Monitor providing both Mandatory and Discretionary Access Control.. Your program should be profusely commented so as to indicate readily to the reader how it carries out its intended function. Be sure to indicate the data structures you use to label the information necessary to enforce MAC, that is, to store the sensitivity level and the categories of each object, as well as to store the allowed sensitivity levels and category access permissions of each subject. You may make the simplifying assumption that all User logins occur at the full level of allowed sensitivity and category accesses. A call to your Reference Monitor can pass the relevant sensitivity levels and applicable categories either by reference or by value (your choice). Include with your program three files, one containing a small number of sample authorized users, another containing a small number of representative objects (labeled pseudo-files), the third containing a series of reference Monitor calls for an appropriate mix of read operations and write operations including attempted read ups and read downs, write ups and write downs, and a fourth file showing the program output for your inputs.  
3. Security Strengths and Weaknesses of Operating Systems: Analyze in depth the security strengths and weakness of two operating systems, and describe the substance of your analysis. One of your operating systems must be either DOS (Microsoft's MS-DOS®, or IBM's PC-DOS®, or Novell's DR-DOS®, but be sure to specify which), or Microsoft's Windows95® or Windows NT®, or IBM's OS/2 Warp®, or anybody's variant of UNIX (you must specify, however, which UNIX you are reviewing).  
4. Software Tools Available both for the System Security Manager and for the Hacker: Familiarize yourselves with the operation of several tools usable either by system security managers or by hackers to probe the security strengths and weakness of a computer system, such as COPS, SATAN, and CRACK, demonstrate their operation, and provide samples of the output produced as well as examples of how the output could be used either to assist in breaking into a system or to provide guidance in plugging the security holes. Be sure, in performing this project, to adhere to the ethical principles of computer use (see Moral and Ethical Issues for Students). Do NOT attack or otherwise investigate anyone's system unless you are authorized to do so by the legitimate owner of the system.  
5. Computer Viruses. Describe the structure and mode of operation of different kinds of computer viruses, as well as in detail how their presence on a system can be detected both by scanning and by Terminate-and-Stay-Resident monitoring software and how a system can be cleaned up after infection by a virus. Good sources of information to begin your search are: Overview of Computer Viruses and Anti-Virus Software by Bob Kanish, which has a very nice overview of the entire virus problem, as well as a profusion of links to other sources, especially Rob Rosenberger’s Computer Virus Myths, and a section entitled, "More Information About Viruses" containing several other useful pointers. A collection of actual, live viruses is available for a fee from www.spectre-press.com/alt6.htm, but be very careful how you handle these if you do get them. Another lucid source is www.drsolomon.com/vircen/vanalyse/va002.html. There are also several good books (and many bad ones) available at good technical libraries dealing with viruses.

Comprehensive Examination (Sample Questions):

Several examples are provided of possible questions from this course that may be included in the Comprehensive Examination to be given at the end of the curriculum, and which you will have to pass in order to receive your degree. These are provided to assist you in your reading and studying during the course, as well as in your review of the material later in preparation for the exam.

1. Principal Issues in Trusted Computer Systems: List and briefly describe the principal issues in trusted systems: security functionality issues and assurance issues that must be satisfied by the vendor of the secure product, as well as other issues which the vendor must address in the system documentation, but which the User is responsible to implement. Compare the approaches to security functionality and to security assurance that are taken in the "Orange Book" with those taken in the Common Criteria.
2. Security Problems in Data Communications Protocols: Select any of the following profiles: TCP/IP; SNMP; IGRP; RIP; and discuss the ramifications of attack profiles on your selection.
3. The Importance of Polyinstantiation for Database Security: Give a detailed example to demonstrate the use of polyinstantiation to provide database security. Your example should make it clear why polyinstantiation makes the database more secure than it would otherwise be.
4. Security Strengths and Weaknesses in COTS Database Products: Discuss the security features present in two or more COTS DBMS products.

Other Issues:

Documentation Guidelines

Moral and Ethical Issues for Students

Grading Policy: 

The overall course grade will be established as follows:

20%: Quality of student class contributions and discussions during the face-to-face classes and distance discussions
50%: Mid-Semester Paper and Project Assignments
30%: Final (Group) Project/Presentations at Conclusion of Course

 




Completed 08 Jan 98 by Charles Abzug. I acknowledge with gratitude the contributions made by Ross Deem to the production of this document.