JayEvan J' Tevis John A' Hamilton, Jr'

1
A Security-centric Ring-based Software
Architecture

• Jay-Evan J. Tevis John A.
  Hamilton, Jr.
• Western Illinois University
  Auburn University
• Macomb, IL
  Auburn, AL

2
Introduction

• Software systems are vulnerable to many different
  forms of attack
• Protection of such systems can be improved by
  viewing their key components from the perspective
  of an enemy attacker

3
Introduction (continued)

• Colonel John Warden developed a five-ring system
  model for military strategic warfare
• It describes the parts of an enemy system as five
  concentric rings
• It is designed for use in planning and conducting
  strategic targeting against an adversary

4
Introduction (continued)

• We apply this model to software architecture in a
  similar manner to identify
• What system-level components are essential
• How these components can be better protected
  through a security-focused architectural design

5
Overview
Overview
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans

• Security-centric software architectures
• Design of a ring-based software architecture
• A computer security adaptation using Wardens
  concentric rings
• Adapting Wardens model to computer security
• Protecting centers of gravity in a software
  system
• Conclusion and future plans

6
Security-centric Software Architectures
7
Critical Concepts in the Security Domain Neumann
Security-centric Software Architectures
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans

• Multi-level security
• Restrict flow of information from higher-security
  entities to lower-security entities
• Multi-level integrity
• Restrict dependencies between entities of higher
  integrity with entities of lower integrity
• Multi-level availability
• Restrict dependencies between entities of higher
  availability with entities of lower availability

8
Multiple Security Rings Gemini
Security-centric Software Architectures
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans

• High assurance security
• Hardware and kernel-enforced protection
• Multi-level security
• Enforcement of organizational access controls
• Cryptographic communication security
• IPSec-based authentication, confidentiality, and
  integrity
• Integrated information systems security
• Protection at transport and network layers

9
Seven Ring Gemguard Architecture Gemini
Security-centric Software Architectures
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans
10
Properties of Ring-based Software Architectures
Schell
Security-centric Software Architectures
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans

• Memory segmentation
• Three protection rings
• Security kernel
• Located in the most protected ring
• Enforces mandatory access controls
• Operating system
• Applications
• Although applied in research, such ring-based
  architectures are not widely deployed in industry

11
Ring-based Program Execution Policy Nguyen and
Levin
Security-centric Software Architectures
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans

• Mandatory access control (All users including
  root)
• Four ring-based execution domains
• (3) Unprivileged application
• (2) Privileged application
• (1) Administration
• (0) Operating System
• Programs assigned to a less privileged ring are
  unable to execute or access objects allocated in
  a more privileged ring

12
Design of a Ring-based Software Architecture
13
Ring-based Architectural Style
Design of a Ring-based Software Architecture
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans
14
Ring-based Architectural Style
Design of a Ring-based Software Architecture
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans

• A variation of the layered architectural style
• Innermost ring is the lowest layer outermost
  ring is the highest layer
• Geometric adjacency of two rings denotes an
  allowed to use relation
• Each entity in a specific ring can communicate
  with another entity

15
Ring-based Architectural Style (continued)
Design of a Ring-based Software Architecture
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans

• Entities within a ring have no inherent
  adjacency consequently, they are an unordered
  set
• This tends towards more of a distributed
  environment
• Any entity in an inner ring is accessible only by
  an entity in the closest outer ring
• To access an inner ring, an entity in the
  adjacent outer ring must be used as the mediator
  or interface

16
Features of Rings as Interfaces
Design of a Ring-based Software Architecture
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans

• Confidentiality (privacy)
• Authentication (who created or sent the data)
• Integrity (Data has not been altered)
• Non-repudiation (the order is final)
• Access control (prevent misuse of resources)
• Availability (Permanence or non-erasure of data)

17
Features of Rings as Gates Fernandez
Design of a Ring-based Software Architecture
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans

• A set of protection rings correspond to domains
  of execution with hierarchical levels of trust
• Gates serve as protected entry points
• Crossing of a ring is done through gates that
  check the access rights of a process

18
Design Patterns for a Ring-based Software
Architecture Fernandez
Design of a Ring-based Software Architecture
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans

• File authorization
• Access control for virtual address space
• Execution domain
• Reference monitor
• Controlled execution environment

19
A Computer Security Adaptation using Wardens
Concentric Rings
20
Wardens Five-Ring Model Warden
A Computer Security Adaptation using Wardens
Concentric Rings
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans
21
Five-Ring Model Applied to Other Domains Warden
A Computer Security Adaptation using Wardens
Concentric Rings
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans
 
22
Computer Security Adaptation of Wardens Model
A Computer Security Adaptation using Wardens
Concentric Rings
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans
Physical security measures
Packets, bytes
Memory, bus, data cables
Input data, electrical power
Executable code, sensors
23
Computer Security Rings
A Computer Security Adaptation using Wardens
Concentric Rings
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans

• (0) Executable code and I/O sensors
• (1) Input/Output data and electrical power
• (2) Memory, system bus, data cables, converters
• (3) Packets, bytes
• (4) Physical security measures called upon by any
  of the inner rings to deal with an attack or an
  intrusion

Note Each ring is also a system within itself
requiring protection
24
Protecting Centers of Gravity in a Software System
25
Centers of Gravity
Protecting Centers of Gravity in a Software System
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans

• Centers of gravity are the components that are
  instrumental to a systems function and survival
• The five rings in his model constitute five
  centers of gravity
• Each ring is a possible target requiring
  protection
• Without the functioning inner rings, an outer
  ring becomes a useless appendage
• Software engineers should ensure that the
  security protection in each ring cannot be easily
  defeated

26
Leadership Ring
Protecting Centers of Gravity in a Software System
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans

• Failure of any critical components in the
  leadership ring leads to failure of the complete
  system
• Critical components must be identified and given
  the highest level of protection
• No vulnerability should exist that would allow
  changes to the program executable code without
  approval of the leadership ring
• Only the leadership ring should be able to
  disable system sensors
• With the innermost ring protected, each remaining
  ring must also be protected to avoid the threat
  of strategic paralysis

27
Organic Essentials Ring
Protecting Centers of Gravity in a Software System
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans

• The organic essentials ring must be protected
  through redundancy (battery backup, alternate
  communication paths)
• Protection must also occur from excessive battery
  drain or signal jamming
• Reduce battery usage, switch frequencies, shut
  down system

28
Infrastructure Ring
Protecting Centers of Gravity in a Software System
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans

• The infrastructure ring must also be protected
  through redundancy (second system bus, additional
  communication cabling)
• Backup components are needed for each of the
  major production/transformation components of the
  software system
• Shared memory, pipes, system bus
• The protection facilities must detect and
  minimize a denial of service attack and delete
  low priority or data-jamming traffic in order to
  thwart such an attack

29
Population Ring
Protecting Centers of Gravity in a Software System
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans

• The population ring is less vulnerable to attack
  because of the large quantity of data
  containers that a system can produce
• The major threat is exhaustion of memory due to
  dynamic memory allocation
• Another threat is corruption or destruction of
  the contents of the data when in transit
• Protection approaches include error-detection
  mechanisms and sliding window protocols

30
Fighting Mechanism Ring
Protecting Centers of Gravity in a Software System
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans

• The fighting mechanism ring is not as vital if
  each of the inner rings has been equipped with
  security protection mechanisms
• Nevertheless, centralizing the attacking role in
  this ring supports the software engineering
  principle of cohesion
• Protection includes not only attacking via
  counter measures, but also the sending of
  warnings and distress signals
• When designing security measures, the detection
  and handling of threats should always assume a
  parallel attack
• More than one component in the same rings or in
  different rings may be attacked simultaneously
• System security should not be centered on a
  single thread of protection in the outermost ring

31
Conclusion and Future Plans
32
Conclusion
Conclusion and Future Plans
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans

• The importance of computer system security
  demands better security-centric software
  architectures
• Wardens five-ring model provides a way to
  portray a computer system as viewed by an enemy
  attacker
• This modeling technique identifies the components
  of each ring and the centers of gravity needing
  the most protection
• It also points out the need for layered defenses
  against computer security threats

33
Related Work
Conclusion and Future Plans
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans

• Damage to the center ring of a software system
  will result in substantial reduction in the
  computers ability to handle and process
  information Kopp
• The most serious problem in a software system is
  one of mismatch between the security framework of
  the legacy system and the target systems
  standard protocol Devanbu and Stubblebine
• The security architecture can also be viewed as a
  pyramid Schaumont and Verbauwhede
• (From top) Circuit, micro-architecture,
  architecture, algorithm, and protocol
• Fine-grain controls can be used at the level of
  individual data objects Ioannidis, Bellovin,
  Smith
• All data objects are tagged with an identifier
  upon arrival from remote sources
• The object identifier dictates permissions and
  privileges rather than the file owners users ID
  and permissions as in UNIX

34
Future Plans
Conclusion and Future Plans
Security-centric Software Architectures Design of
a Ring-based Software Architecture A Computer
Security Adaptation using Wardens Concentric
Rings Protecting Centers of Gravity in a Software
System Conclusion and Future Plans

• Compare and contrast the ring-based architecture
  to the monolithic architecture used by Linux
• Implement a prototype operating system that
  utilizes the security-centric ring-based approach

35
A Security-centric Ring-based Software
Architecture

• Any Questions?