Page097
Secure System Design Concepts
Secure system design transcends specific hardware and software implementations and represents universal best practices.
Layering
Layering separates hardware and software functionality into modular tiers. The complexity of an issue such as reading a sector from a disk drive is contained within one layer (the hardware layer in this case). One layer (such as the application layer) is not directly affected by a change to another. Changing from an IDE (Integrated Drive Electronics) disk drive to a SCSI (Small Computer System Interface) drive has no effect on an application that saves a file. Those details are contained within one layer and may affect the adjoining layer only.
The OSI model (which we will discuss in Chapter 5, Domain 4: Communication and Network Security) is an example of network layering. Unlike the OSI model, the layers of security architecture do not have standard names that are universal across all architectures. A generic list of security architecture layers is as follows:
- Hardware
- Kernel and device drivers
- Operating System
- Applications
In our previous IDE ➜ SCSI drive example, the disk drive in the hardware layer has changed from IDE to SCSI. The device drivers in the adjacent layer will also change. Other layers, such as the applications layer, remain unchanged.
Abstraction
Abstraction hides unnecessary details from the user. Complexity is the enemy of security: the more complex a process is, the less secure it is. That said: computers are tremendously complex machines. Abstraction provides a way to manage that complexity. A user double-clicks on an MP3 file containing music, and the music plays via the computer speakers. Behind the scenes, tremendously complex actions are taking place: the operating system opens the MP3 file, looks up the application associated with it, and sends the bits to a media player. The bits are decoded by a media player, which converts the information into a digital stream, and sends the stream to the sound card. The sound card converts the stream into sound and sends it to the speaker output device. Finally, the speakers play sound. Millions of calculations are occurring as the sound plays, while low-level devices are accessed. Abstraction means the user simply presses play and hears music.
Security Domains
A security domain is the list of objects a subject is allowed to access. More broadly defined, domains are groups of subjects and objects with similar security requirements. Confidential, Secret, and Top Secret are three security domains used by the US Department of Defense (DoD), for example. With respect to kernels, two domains are user mode and kernel mode.
Kernel mode (also known as supervisor mode) is where the kernel lives, allowing low-level access to memory, CPU, disk, etc. It is the most trusted and powerful part of the system. User mode is where user accounts and their processes live. The two domains are separated: an error or security lapse in user mode should not affect the kernel. Most modern operating systems use both modes; some simpler (such as embedded) and older (such as Microsoft DOS) operating systems run entirely in kernel mode.
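The user mode / kernel mode boundary just described is enforced by the CPU and memory management hardware, not by convention. The following C program is an added example (not from the book): it probes one byte of its own memory and then one byte at an address in the kernel's half of the address space, and reports which access the kernel refused. It assumes a 64-bit Linux or other POSIX system; KERNEL_HALF_ADDRESS is a constructed value, not a real kernel symbol.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed address in the kernel half of a 64-bit Linux address space
 * (not a real kernel symbol); user mode has no valid mapping there. */
#define KERNEL_HALF_ADDRESS ((uintptr_t)0xffffffff80000000ULL)
static sigjmp_buf recover_point;

/* The kernel refused the access and delivered a signal: jump back to the
 * armed probe, carrying the signal number. */
static void on_fault(int signo) { siglongjmp(recover_point, signo); }

/* Attempt a one-byte read at addr from user mode. Returns the signal that
 * stopped the access (SIGSEGV or SIGBUS), or 0 if the read was permitted. */
int probe_address(uintptr_t addr)
{
    struct sigaction sa, old_segv, old_bus;
    volatile uint8_t *p = (volatile uint8_t *)addr;
    int stopped_by;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;    /* permit siglongjmp out of the handler */
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    stopped_by = sigsetjmp(recover_point, 1);
    if (stopped_by == 0)
        (void)*p;                /* the cross-domain read itself */

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return stopped_by;
}

/* Control case: a byte inside this process's own user-mode memory. */
int probe_own_memory(void)
{
    uint8_t own_byte = 0x2a;
    return probe_address((uintptr_t)&own_byte);
}

int main(void)
{
    printf("own memory -> signal %d\n", probe_own_memory());
    printf("kernel half -> signal %d\n", probe_address(KERNEL_HALF_ADDRESS));
    return 0;
}
```

The first probe returns 0 (the read in the user domain is permitted); the second returns a nonzero signal number, because the hardware traps the access and the kernel terminates it rather than letting user mode touch kernel memory.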