Fri Apr 8 06:51:40 PDT 2016
Content control: Data in use: How is data in use protected?
Options:
Option 1: Use trusted systems with provable separation mechanisms.
Option 2: Use operating environments with solid process separation.
Option 3: Configure discretionary access controls to protect temporary areas.
Option 4: Use cryptographic transforms to allow confidential computation in the open.
Option 5: Only use sensitive content in well controlled areas of the environment.
Option 6: Use configuration controlled computers for sensitive computation.
Option 7: Use real-time checks on data just prior to use.
Option 8: Use redundant computation to assure proper answers and availability of results.
Option 9: Use sanity checks and other similar validation for important results.
Option A: Use microzones to control and enable access only while in use.
Option B: Use local augmented hardware protection.
Option C: Use published methods.
Option D: Use transaction records.
Option E: Do nothing special.
Decision:
"No" indicates that the approach is too expensive to reasonably
apply. IACUTRS stands for Integrity, Availability, Confidentiality, Use
control, Accountability, Transparency, and Custody respectively. These letters are used to indicate
which protection objectives may reasonably be addressed by these
controls over data in use at these risk levels. For high risk, we
generally advise at least two covers for each of IACUTRS, and for Medium
risk, at least one cover of each. For each standard approach
identified, indicate what controls are in use and the overall coverage
attained.
Approach                           | Low Risk | Medium risk | High risk
-----------------------------------|----------|-------------|----------
Trusted systems                    | No       | IACUTRS     | IACUTRS
Strong separation OSs              | IACUS    | ICUS        | IC
DAC temporary area separation      | No       | IC          | IC
Cryptographic transforms           | CU       | U           | No
Control locations of use           | IACUTS   | IACUTS      | IACUTS
Configuration controlled computers | IACUT    | IACUT       | No
Local augmented hardware protection| ICU      | ICU         | ICU
Real-time pre-use checks           | I        | I           | I
Redundant computations             | No       | A           | IA
Validate outputs                   | No       | I           | IT
Microzones                         | ICUS     | ICUS        | IUS
Published methods                  | IR       | IR          | R
Transaction records                | TR       | TR          | TR
Overall objectives met             | .        | .           | .
Controls over data in use
Basis:
Use trusted systems with provable separation mechanisms.
Trusted systems such as those used to separate classified
information have, in some cases, provably correct process separation
mechanisms. These provide protection against outside influences
including resource consumption, alteration, leakage, breaks in
accountability, and use by unauthorized users. They also provide chain
of custody information through their strong audit mechanisms and
typically use published and reviewed methods, improving integrity
and transparency.
Use operating environments with solid process
separation. Operating systems with solid process separation
include modern versions of Windows, Unix-like operating systems, and
most other widely used general purpose operating systems. Use of these
methods can improve custody, but only to a limited extent.
Configure discretionary access controls to
protect temporary areas. Configuration controls over
temporary areas prevent interference with data values in temporary
areas including file storage areas used by processes. Programs often
fail to provide proper protection for their files and default values
are sometimes overly broad for control over the content in use.
Use cryptographic transforms to allow
confidential computation in the open. These mechanisms use
encrypted forms of content that have particular properties that allow
the encrypted forms to be useful for specific types of
computation. The most common use is for things like password
protection, where plaintext of passwords is never stored and in use,
passwords are checked by passing them through a one-way cryptographic
hash function and comparing results to the stored hash. This is only
workable when the number of values is high enough and the algorithm
complex enough to prevent exhausting the value space. Its use for
things like social security numbers is relatively easy to defeat, and
thus while it affords limited protection, it is not sound for
substantial threats. It also takes a great deal of performance for all
feasible approaches today other than the strict comparison of values,
and even these are significantly slowed.
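As an added illustration of the value-space point above (this is example code, not part of the original page): a salted, iterated one-way hash is sound for passwords because the space cannot be exhausted, while a bare hash of a nine-digit value such as an SSN can be. The value-space size, guess rate and horizon are constructed parameters; the keyed transform (HMAC with a secret key) is a swapped-in alternative that still permits equality comparison in the open.

```python
import hashlib
import hmac
import math
import secrets

# Constructed parameters for the illustration (assumptions, not from the page).
SSN_VALUE_SPACE = 10 ** 9          # nine decimal digits
PBKDF2_ITERATIONS = 200_000
TEN_YEARS_SECONDS = 10 * 365 * 86400


def value_space_bits(n_values: int) -> float:
    """Work needed to exhaust a bare (unkeyed) hash of a value, in bits."""
    return math.log2(n_values)


def hash_only_is_sound(n_values: int, guesses_per_second: float,
                       horizon_seconds: float = TEN_YEARS_SECONDS) -> bool:
    """A bare hash only resists enumeration while the whole value space
    cannot be tried within the defender's horizon at the attacker's rate."""
    return n_values / guesses_per_second > horizon_seconds


def store_password(password: str) -> dict:
    """Password case: plaintext is never stored; only salt and digest are."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def check_password(password: str, record: dict) -> bool:
    """Check in use: hash the candidate and compare to the stored digest."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def keyed_token(value: str, key: bytes) -> str:
    """Low-entropy case (e.g. SSN): a keyed transform keeps equality
    comparison usable in the open, but the token cannot be reversed by
    enumerating the value space without the secret key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
```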
Only use sensitive content in well controlled
areas of the environment and in specific physical locations.
In a zoned and physically secured environment, these controls may be
adequate to reduce threats and available exploitation paths to a
desired level. However, this depends on the properties of many
other controls. This also helps support chain of custody by limiting
locations.
Use local augmented hardware protection.
This includes methods like directional screen covers to limit
angle or readability, physically securing input and output device
ports, hardened enclosures or packaging, local biometrics, and
similar methods.
Use configuration controlled computers for sensitive computation.
This is an effective means for limiting the things that can
happen in the normal environment; however, it is only of limited utility for
higher threat levels.
Use real-time checks on data just prior to use.
These include antivirus checks just prior to execution of
programs, integrity shells, and other similar pre-use checks.
For each program, integrity checks for all incoming data should
be applied, and this also falls under this category.
Use redundant computation to assure proper answers and availability of results.
Redundant computation ranges from having multiple DNS servers for assured
availability to the use of N-modular redundancy for assuring proper results
in computations for life-critical applications and real-time control systems.
Use sanity checks and other similar validation for important results.
Output checks on the results are sensible when the results are
important enough to cause significant harm. Checks of audit records against
executions are also used to assure accountability in some high risk systems.
Use microzones to control and enable access only
while in use. Microzoning and its combination of encryption
and virtual machines (VMs) provide for separation of use in time (the
VM running state and content are only available while in use), in use
by VM (i.e., separate VMs have little or no direct interaction - but
do have covert channels) and decryption of content (VMs may
selectively decrypt content internally for use in a microzoning
approach). At this granularity level, these mechanisms can be
effective, but they are not normally high surety today.
Use published methods. Published
methods are typically better vetted and more widely understood. This
makes actions more transparent and, to a lesser extent, improves
integrity.
Use transaction records. Transaction
records track each use at some level of granularity, typically
identifying inputs, outputs, and actions taken / methods applied. This
supports the ability to review what took place and allow for processes
to be later verified and or redone with the same or other methods.
This makes processes more accountable and transparent.
Do nothing special.
It speaks for itself. In low risk systems, due diligence probably dictates some
controls in some situations, but this remains a feasible option.
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved