security evaluation
play

Security Evaluation CSM27 Computer Security Dr Hans Georg Schaathun - PowerPoint PPT Presentation

Aug 12, 2023 •26 likes •436 views

Security Evaluation CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn 2008 Week 8 Dr Hans Georg Schaathun Security Evaluation Autumn 2008 Week 8 1 / 21 Overview Session objectives Discuss advantages and

  1. Security Evaluation CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn 2008 – Week 8 Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 1 / 21

  2. Overview Session objectives Discuss advantages and limitations of security evaluations Clarify fundamental concepts and terminology in security evaluation Give an overview of the Common Criteria, enabling students to find appropriate documentation when needed Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 2 / 21

  3. Overview Can we trust a secure product/system? Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 3 / 21

  4. Overview Can we trust a secure product/system? Do you trust the manufacturer? Can you scrutinise and evaluate the product/system yourself? Is there an indenpendent evaluation or certification? Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 3 / 21

  5. Overview Can we trust a secure product/system? Do you trust the manufacturer? Can you scrutinise and evaluate the product/system yourself? Is there an indenpendent evaluation or certification? What is the difference between product and system ? What practical difference does it make for the evaluator? Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 3 / 21

  6. Overview Evaluation Standards TCSEC ( Orange Book ) – USA 1983–1999 CTCSEC – Canada 1989 ITSEC – Europe 1991–2001 (EU Council 1995) Common Criteria – Canada, France, Germany, the Netherlands, UK, and USA, 1998– International treaty: Common Criteria Recognition Agreement Evaluation Scheme needed to join Replaces TCSEC, ITSEC, ... Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 4 / 21

  7. Fundamental Concepts Target Product generic products generic requirements Security Classes (TCSEC) Protection Profile (Common Criteria) System local and individual requirements dialogue between security expert and non-expert user Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 5 / 21

  8. Fundamental Concepts Target Product generic products generic requirements Security Classes (TCSEC) Protection Profile (Common Criteria) System local and individual requirements dialogue between security expert and non-expert user Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 5 / 21

  9. Fundamental Concepts Target Product generic products generic requirements Security Classes (TCSEC) Protection Profile (Common Criteria) System local and individual requirements dialogue between security expert and non-expert user Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 5 / 21

  10. Fundamental Concepts Target Product generic products generic requirements Security Classes (TCSEC) Protection Profile (Common Criteria) System local and individual requirements dialogue between security expert and non-expert user Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 5 / 21

  11. Fundamental Concepts Target Product generic products generic requirements Security Classes (TCSEC) Protection Profile (Common Criteria) System local and individual requirements dialogue between security expert and non-expert user Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 5 / 21

  12. Fundamental Concepts Target Product generic products generic requirements Security Classes (TCSEC) Protection Profile (Common Criteria) System local and individual requirements dialogue between security expert and non-expert user Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 5 / 21

  13. Fundamental Concepts Target Product generic products generic requirements Security Classes (TCSEC) Protection Profile (Common Criteria) System local and individual requirements dialogue between security expert and non-expert user Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 5 / 21

  14. Fundamental Concepts Purpose Distinctions in the Orange Book Evaluation assess achievement of claimed properties Certification suitability for a given application Accreditation acceptance for a given application Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 6 / 21

  15. Fundamental Concepts Method We have to avoid Different results from different evaluations Security bugs found after a positive evaluation Goals: Reproducability and Repeatability Two methodologies Product-oriented (aka. investigational) considers the final product Establishes trust in a particular product Process-oriented (aka. audit-oriented) considers the development process (Potentionally) Establishes trust in a particular producer Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 7 / 21

  16. Fundamental Concepts Method We have to avoid Different results from different evaluations Security bugs found after a positive evaluation Goals: Reproducability and Repeatability Two methodologies Product-oriented (aka. investigational) considers the final product Establishes trust in a particular product Process-oriented (aka. audit-oriented) considers the development process (Potentionally) Establishes trust in a particular producer Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 7 / 21

  17. Fundamental Concepts Method We have to avoid Different results from different evaluations Security bugs found after a positive evaluation Goals: Reproducability and Repeatability Two methodologies Product-oriented (aka. investigational) considers the final product Establishes trust in a particular product Process-oriented (aka. audit-oriented) considers the development process (Potentionally) Establishes trust in a particular producer Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 7 / 21

  18. Fundamental Concepts Organisational Framework Government Agencies (initial US approach) Private Enterprises with Government Accreditation Government Certificates (UK 1991) Private Certification (Germany) What is the contract between . . . ? Sponsor Evaluator Manufacturer Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 8 / 21

  19. Fundamental Concepts Organisational Framework Government Agencies (initial US approach) Private Enterprises with Government Accreditation Government Certificates (UK 1991) Private Certification (Germany) What is the contract between . . . ? Sponsor Evaluator Manufacturer Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 8 / 21

  20. Fundamental Concepts Organisational Challenges Consistency across independent agencies Different people make different interpretations Interpretation drift Different interpretations at different times Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 9 / 21

  21. Fundamental Concepts Structure Functionality Which features are provided? Effectiveness Are the features appropriate for the requirements? Assurance How thorough/certain is the evaluation? The orange book couples the three considerations into discrete security classes ITSEC makes the three considerations separately Flexible framework; open for new requirements Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 10 / 21

  22. Fundamental Concepts Structure Functionality Which features are provided? Effectiveness Are the features appropriate for the requirements? Assurance How thorough/certain is the evaluation? The orange book couples the three considerations into discrete security classes ITSEC makes the three considerations separately Flexible framework; open for new requirements Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 10 / 21

  23. The Common Criteria The Common Criteria International Treaty Common standards documents CC documents CC Evaluation Methodology (CEM) Member states may have different implementations Evaluation Scheme or National Scheme Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 11 / 21

  24. The Common Criteria Basic Concepts Protection Profile (PP) describes the protection needed in a given application scenario Security Target (ST) describes the protection provided by (classes of) systems/products ST implements a PP Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 12 / 21

  25. The Common Criteria Security Functional Requirements This part of the CC defines the required structure and content of security functional components for the purpose of security evaluation. It includes a catalogue of functional components that will meet the common security functionality requirements of many IT products. Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 13 / 21

  26. The Common Criteria Security Functional Requirements This part of the CC defines the required structure and content of security functional components for the purpose of security evaluation. It includes a catalogue of functional components that will meet the common security functionality requirements of many IT products. Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 13 / 21

  27. The Common Criteria Functional Requirements Classes An example Communications class (two families) Non-repudiation of origin Non-repudiation of receipt Cryptographic support Security Audit User data protection . . . Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 14 / 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying security expectations To verify that a computer product/system fulfills the requirements imposed on it To establish a metric for the degree

535 views • 19 slides
Why do we need security evaluation To provide a basis for specifying security expectations

Why do we need security evaluation To provide a basis for specifying security expectations

Why do we need security evaluation To provide a basis for specifying security expectations IT Security Evaluation To verify that a computer product/system fulfills the requirements imposed on it To establish a metric for the degree

70 views • 4 slides
Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Introduction Security-usability threat model Security and usability evaluation Summary Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe Oxford University Computing Laboratory Availability,

829 views • 23 slides
A Security Evaluation of Industrial Radio Remote Controllers Federico Maggi, Marco Balduzzi

A Security Evaluation of Industrial Radio Remote Controllers Federico Maggi, Marco Balduzzi

A Security Evaluation of Industrial Radio Remote Controllers Federico Maggi, Marco Balduzzi Jonathan Andersson, Philippe Lin, Stephen Hilt, Akira Urano, and Rainer Vosseler TL;DR SECURITY ANALYSIS FINDINGS TL;DR SECURITY ANALYSIS FIN

908 views • 68 slides
Security By Default A Comparative Security Evaluation of Default Configurations Bernardus A.

Security By Default A Comparative Security Evaluation of Default Configurations Bernardus A.

Security By Default A Comparative Security Evaluation of Default Configurations Bernardus A. Jansen, BSc MSc System and Network Engineering Universiteit van Amsterdam July 3, 2018 B.A. Jansen, BSc (UvA) Security By Default July 3, 2018 1 /

286 views • 15 slides
Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

539 views • 38 slides
Evaluating Systems Chapter 22 Computer Security: Art and Science , 2 nd Edition Version 1.0

Evaluating Systems Chapter 22 Computer Security: Art and Science , 2 nd Edition Version 1.0

Evaluating Systems Chapter 22 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 22-1 Outline Goals of formal evaluation Trusted Computer Security Evaluation Criteria (TCSEC), 19831999 International Efforts and

1.32k views • 101 slides
Deep Learning For Embedded Security Evaluation Emmanuel PROUFF Joint work with Ryad Benadjila,

Deep Learning For Embedded Security Evaluation Emmanuel PROUFF Joint work with Ryad Benadjila,

Deep Learning For Embedded Security Evaluation Deep Learning For Embedded Security Evaluation Emmanuel PROUFF Joint work with Ryad Benadjila, Eleonora Cagli (CEA LETI), C ecile Dumas (CEA LETI), Houssem Maghrebi (UL), Loic Masure (CEA LETI),

932 views • 71 slides
Performance Evaluation of Performance Evaluation of Security- -Aware Routing Protocols Aware

Performance Evaluation of Performance Evaluation of Security- -Aware Routing Protocols Aware

Performance Evaluation of Performance Evaluation of Security- -Aware Routing Protocols Aware Routing Protocols Security for Clustered Mobile Ad Hoc for Clustered Mobile Ad Hoc Networks Networks Gregory S. Yovanof - - Kerem Kerem Ericsi

1.16k views • 26 slides
SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian Monrose,

SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian Monrose,

SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian Monrose, Manos Antonakakis 1 2 Alexa, unlock the front door. 3 Internet of Things 4 5 Prior Work Security Analysis of Emerging Smart Home

592 views • 22 slides
Security Evaluation of Home-based IoT Deployments Astrolavos Research Lab at Georgia Tech

Security Evaluation of Home-based IoT Deployments Astrolavos Research Lab at Georgia Tech

Omar Alrawi Security Evaluation of Home-based IoT Deployments Astrolavos Research Lab at Georgia Tech We specialize in Network Security Measurements Work is presented on behalf of my team Omar Alrawi PhD Student (me) About

340 views • 33 slides
User Interface Evaluation Empirical evaluation Heuristic evaluation 1 CS 349 - UI evaluation

User Interface Evaluation Empirical evaluation Heuristic evaluation 1 CS 349 - UI evaluation

User Interface Evaluation Empirical evaluation Heuristic evaluation 1 CS 349 - UI evaluation When does UI evaluation happen? Design Testing and Implementation Development evaluation Testing 2 CS 349 - UI evaluation Types of tests

820 views • 20 slides
Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Outline Introduction Preliminaries Impossible differential Conclusion Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation Linear Cryptanalysis Jian Guo Nanyang Technological University, Singapore

796 views • 51 slides
Evaluation DEMMS: Evaluation of Multimedia What are the Evaluation lectures about: When

Evaluation DEMMS: Evaluation of Multimedia What are the Evaluation lectures about: When

Evaluation DEMMS: Evaluation of Multimedia What are the Evaluation lectures about: When to evaluate Systems What kinds of evaluation are possible Predictive evaluations Robert Villa Traditional user experiments

551 views • 10 slides
A Study on Smart Card Security A Study on Smart Card Security Evaluation Criteria for Evaluation

A Study on Smart Card Security A Study on Smart Card Security Evaluation Criteria for Evaluation

[ICCSA 2004] 2004] [ICCSA A Study on Smart Card Security A Study on Smart Card Security Evaluation Criteria for Evaluation Criteria for Side Channel Attacks Side Channel Attacks Presented at the workshop ICCSA ICCSA 200 2004 4, ,

404 views • 26 slides
Cyber Security Evaluation for Nuclear I&C Systems Corresponding to V-Model Jiye Jeong ,

Cyber Security Evaluation for Nuclear I&C Systems Corresponding to V-Model Jiye Jeong ,

Transactions of the Korean Nuclear Society Virtual Spring Meeting July 9-10, 2020 Cyber Security Evaluation for Nuclear I&C Systems Corresponding to V-Model Jiye Jeong , Gyunyoung Heo Department of Nuclear Engineering, Kyung Hee

399 views • 3 slides
Presentation for Classic Papers track at ACSAC 2007, Miami Beach, December 1114, 2007

Presentation for Classic Papers track at ACSAC 2007, Miami Beach, December 1114, 2007

Presentation for Classic Papers track at ACSAC 2007, Miami Beach, December 1114, 2007 Distributed Secure Systems: Then and Now John Rushby a Brian Randell School of Computing Science Computer Science Laboratory Newcastle University

784 views • 35 slides
Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 15 Page 1 CS 236 Online Evaluating Program Security What if your task isnt writing secure code? Its determining if someone

423 views • 16 slides
Session October 8, 2012 Source: Office of Budget & Resource Planning CSU Budget Cycle

Session October 8, 2012 Source: Office of Budget & Resource Planning CSU Budget Cycle

Budget Information Session October 8, 2012 Source: Office of Budget & Resource Planning CSU Budget Cycle Review Governors Hearings BOT Adopt Legislative Enrollment, Support May Revise Preliminary Analyst Cost Increases,

761 views • 45 slides
Last Class Recursive Descent Parsing and CYK ANLP: Lecture 13 Chomsky normal form grammars

Last Class Recursive Descent Parsing and CYK ANLP: Lecture 13 Chomsky normal form grammars

Last Class Recursive Descent Parsing and CYK ANLP: Lecture 13 Chomsky normal form grammars English syntax Shay Cohen Agreement phenomena and the way to model them with CFGs 14 October 2019 1 / 71 2 / 71 Recap: Syntax Parsing algorithms

407 views • 18 slides
Shader Programming Technical Game Development II Professor Charles Rich Computer Science

Shader Programming Technical Game Development II Professor Charles Rich Computer Science

4/12/17 Shader Programming Technical Game Development II Professor Charles Rich Computer Science Department rich@wpi.edu Reference: Rost, OpenGL Shading Language, 2nd Ed., AW, 2006 The Orange Book Also take CS 4731 Computer Graphics

159 views • 13 slides
VoltDB Things you learn as you massively scale David Rolfe Director of Solution Architecture,

VoltDB Things you learn as you massively scale David Rolfe Director of Solution Architecture,

VoltDB Things you learn as you massively scale David Rolfe Director of Solution Architecture, EMEA Tom Howcroft Director of Sales, EMEA 1 17-Jul-18 Scaling at the Architectural Level 2 How many servers will you need to start? HA

379 views • 21 slides
Internal Roles Internal features: privileged mode, memory protection, file access permissions,

Internal Roles Internal features: privileged mode, memory protection, file access permissions,

Internal Roles Internal features: privileged mode, memory protection, file access permissions, etc. What do they accomplish? What is the real goal? Whom do we protect Internal features protect the operating system against users

536 views • 26 slides
1 7 January 2008 An Introduction to the OpenGL Shading Language 8 January 2008 An

1 7 January 2008 An Introduction to the OpenGL Shading Language 8 January 2008 An

Traditional Graphics Pipeline Traditional Graphics Pipeline Xform Lighting Per Vertex Per Vertex Projection Polynomial Operations & Polynomial Operations & Primitive Primitive Evaluator Evaluator Clipping Assembly Assembly

183 views • 6 slides

More recommend