
2010 | OriginalPaper | Chapter

2. High Assurance Software Lessons and Techniques

Authors : Dr. Ted Huffmire, Dr. Cynthia Irvine, Thuy D. Nguyen, Timothy Levin, Dr. Ryan Kastner, Dr. Timothy Sherwood

Published in: Handbook of FPGA Design Security

Publisher: Springer Netherlands


Abstract

To understand the principles needed to manage security in FPGA designs, this chapter presents lessons learned from the development of high assurance systems. These principles include risk assessment, threat models, policy enforcement, lifecycle management, assessment criteria, configuration control, and development environments.


Footnotes

1. “Quis custodiet ipsos custodes?” (“Who guards the guardians?”)—Juvenal, Satires VI.347.

2. For the purpose of this discussion, the two terms are considered to be equivalent.

3. The term security functionality is based on the term TOE Security Functionality (TSF), which is defined in the CC as a set consisting of all hardware, software, and firmware of the TOE that must be relied upon for the correct enforcement of the security functional requirements [23].

4. Where program could be a module, component, monolithic system, or distributed system.

Literature

1. S. Adee, The hunt for the kill switch. IEEE Spectrum 45(5), 34–39 (2008)
2. P. Ammann, R.S. Sandhu, The extended schematic protection model. J. Comput. Secur. 1(3, 4), 335–385 (1992)
3. J.P. Anderson, Computer security technology planning study. Tech. Rep. ESD-TR-73-51, Air Force Electronic Systems Division, Hanscom AFB, Bedford, MA, 1972. Also available as vol. I, DITCAD-758206. Vol. II, DITCAD-772806
4. E.A. Anderson, C.E. Irvine, R.R. Schell, Subversion as a threat in information warfare. J. Inf. Warfare 3(2), 52–65 (2004)
5. M.J. Bach, The Design of the UNIX Operating System (Prentice Hall, Inc., Englewood Cliffs, 1986)
6. T. Ball, E. Bounimova, B. Cook, V. Levin, J. Lichtenberg, C. McGarvey, B. Ondrusek, S.K. Rajamani, A. Ustuner, Thorough static analysis of device drivers. SIGOPS Oper. Syst. Rev. 40(4), 73–85 (2006)
7. D.E. Bell, L. LaPadula, Secure computer system: unified exposition and Multics interpretation. Tech. Rep. ESD-TR-75-306, MITRE Corp., Hanscom AFB, MA, 1975
8. D.E. Bell, L. LaPadula, Secure computer systems: mathematical foundations and model. Tech. Rep. M74-244, MITRE Corp., Bedford, MA, 1973
9. K.J. Biba, Integrity considerations for secure computer systems. Tech. Rep. ESD-TR-76-372, MITRE Corp., 1977
10. E.W. Boebert, On the inability of an unmodified capability machine to enforce the *-property, in Proceedings DoD/NBS Computer Security Conference, September 1984, pp. 291–293
11. G. Boolos, R. Jeffrey, Computability and Logic (Cambridge University Press, Cambridge, 1974)
12. CCEVS, Publication #4: guidance to CCEVS approved Common Criteria testing laboratories, version 2.0. National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme, September 2008
13. CCEVS, Publication #1: organization, management and concept of operations, version 2.0. National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme, September 2008
14. CCMB, Common Criteria for information technology security evaluation, version 3.1, revision 1, no. CCMB-2006-09-001. Common Criteria Maintenance Board, September 2006
15. B.E. Chelf, S.A. Hallem, A.C. Chou, Systems and methods for performing static analysis on source code. US Patent 7,340,726, Coverity, Inc., 2008
16. H. Chen, D. Wagner, MOPS: an infrastructure for examining security properties of software, in Proc. 9th ACM Conf. Computer and Communications Security (CCS 02)
17. B. Chess, G. McGraw, Static analysis for security. IEEE Secur. Priv. 2, 76–79 (2004)
19. James P. Anderson Co., Computer security threat monitoring and surveillance. Tech. Rep., James P. Anderson Co., Fort Washington, PA 19034, February 1980
20. Committee on National Security Systems, NSTISSP no. 11, revised fact sheet. National Information Assurance Acquisition Policy, July 2003
21. Common Criteria Maintenance Board, Common Criteria for information technology security evaluation, part 3: security assurance components, version 2.3, CCMB-2005-08-003. Common Criteria Maintenance Board, August 2005
22. Common Criteria Development Board, The application of CC to integrated circuits, version 2.0, revision 1, CCDB-2006-04-003. Supporting document, mandatory technical document. Common Criteria Development Board, April 2006
23. Common Criteria Maintenance Board, Common Criteria for information technology security evaluation, part 1: introduction and general model, version 3.1, revision 1, CCMB-2006-09-001. Common Criteria Maintenance Board, September 2006
24. Common Criteria Maintenance Board, Common Criteria for information technology security evaluation, part 2: security functional components, version 3.1, revision 2, CCMB-2007-09-002. Common Criteria Maintenance Board, September 2007
25. Common Criteria Maintenance Board, Common Criteria for information technology security evaluation, part 3: security assurance components, version 3.1, revision 2, CCMB-2007-09-003. Common Criteria Maintenance Board, September 2007
26. Common Criteria Maintenance Board, Common Criteria for information technology security evaluation, evaluation methodology, version 3.1, revision 2, CCMB-2007-09-004. Common Criteria Maintenance Board, September 2007
27. M.A. Cusumano, Who is liable for bugs and security flaws in software? Commun. ACM 47, 25–27 (2004)
28. M. Das, S. Lerner, M. Seigle, ESP: path-sensitive program verification in polynomial time, in PLDI 02: Programming Language Design and Implementation, June 2002, pp. 57–68
31. D.E. Denning, An intrusion-detection model. IEEE Trans. Softw. Eng. 13, 222–232 (1987)
32. J.B. Dennis, E.C. Van Horn, Programming semantics for multiprogrammed computations. Commun. ACM 9(3), 143–155 (1966)
33. DigitalNet Government Solutions, Security target version 1.7 for XTS-6.0.E, March 2004
34. P. Eggert, D. Cooper, S. Eckmann, J. Gingerich, S. Holtsberg, N. Kelem, R. Martin, FDM user guide. No. TM-8486/000/04, Reston, VA: Unisys Corporation, June 1992
35. European Commission, Biometrics at the frontiers: assessing the impact on society. Tech. Rep., European Commission Joint Research Center (DG JRC), Institute for Prospective Technological Studies, 2005
36.
37. R. Fitzgerald, trans. Homer: The Odyssey (Vintage, New York, 1961)
38. L.J. Fraim, Scomp: a solution to the multilevel security problem. Computer 16, 26–34 (1983)
39. J. Goguen, J. Meseguer, Security policies and security models, in Proc. of 1982 IEEE Symposium on Security and Privacy, Oakland, CA (IEEE Comput. Soc., Los Alamitos, 1982), pp. 11–20
40. G.S. Graham, P.J. Denning, Protection—principles and practice, in Proceedings of the Spring Joint Computer Conference, May 1972, pp. 417–429
41. I. Hadzic, S. Udani, J. Smith, FPGA viruses, in Proceedings of the Ninth International Workshop on Field-Programmable Logic and Applications (FPL’99), Glasgow, UK, August 1999
43. J.L. Hennessy, D.A. Patterson, Computer Architecture: A Quantitative Approach, 4th edn. (Morgan Kaufmann, San Mateo, 2006)
45. J. Horton, R. Harland, E. Ashby, R.H. Cooper, W.F. Hyslop, B. Nickerson, W.M. Stewart, O. Ward, The cascade vulnerability problem, in Proceedings IEEE Symposium on Research in Security and Privacy, Oakland, CA, May 1993, pp. 110–116
46. IAD (Information Assurance Directorate), US Government protection profile for separation kernels in environments requiring high robustness. National Information Assurance Partnership, version 1.03 edn., 29 June 2007
47. Intel, Intel 64 and IA32 architectures software developer’s manual, vol. 3A: system programming guide, part 1. Intel Corporation, Denver, CO, 253668-022us edn., November 2006
48. D. Jackson, Software Abstractions: Logic, Language, and Analysis (MIT Press, Cambridge, 2006)
49. A.K. Jain, S. Pankanti, S. Prabhakar, L. Hong, A. Ross, J.L. Wayman, Biometrics: a grand challenge, in Proceedings of the 17th International Conference on Pattern Recognition, August 2004, pp. 935–942
51. P.A. Karger, Improving security performance for capability systems. Ph.D. thesis, University of Cambridge, Cambridge, England, 1988
52. P. Karger, A.J. Herbert, An augmented capability architecture to support lattice security and traceability of access, in Proceedings 1984 IEEE Symposium on Security and Privacy, Oakland, CA (IEEE Comput. Soc., Los Alamitos, 1984), pp. 2–12
53. P.A. Karger, R.R. Schell, Multics security evaluation: vulnerability analysis. Tech. Rep. ESD-TR-74-193, vol. II, HQ Electronic Systems Division, Air Force Systems Command, Hanscom Field, Bedford, MA 01731, June 1974
54. M. Kaufmann, J. Moore, An industrial strength theorem prover for a logic based on Common Lisp. IEEE Trans. Softw. Eng. 23(4), 203–213 (1997)
55. G.H. Kim, E.H. Spafford, The design and implementation of Tripwire: a file system integrity checker, in Proceedings of the 2nd ACM Conference on Computing and Communications Security (CCS), Fairfax, VA, November 1994
56. P. Kocher, Timing attacks on implementations of Diffie-Hellman, RSA, DSS and other systems, in Proceedings of the 16th Annual International Cryptology Conference (CRYPTO), Santa Barbara, CA, August 1996
57. M. Kurdziel, J. Fitton, Baseline requirements for government and military encryption algorithms, in MILCOM, vol. 2, Oct. 2002, pp. 1491–1497
58. L. Lack, Using the bootstrap concept to build an adaptable and compact subversion artifice. Master’s thesis, Naval Postgraduate School, Monterey, CA, June 2003
59. B.W. Lampson, Protection, in Proc. 5th Princeton Conf. on Information Sciences and Systems, Princeton, NJ, 1971
60. B.W. Lampson, A note on the confinement problem. Commun. ACM 16(10), 613–615 (1973)
61. C.E. Landwehr, Formal models for computer security. ACM Comput. Surv. 13(3), 247–278 (1981)
62. K. Lee, L. Sha, Process resurrection: a fast recovery mechanism for real-time embedded systems, in Proceedings of 11th IEEE Real Time and Embedded Technology and Applications Symposium 2005 (RTAS 2005), March 2005, pp. 292–301
63. T.E. Levin, C.E. Irvine, T.D. Nguyen, Least privilege in separation kernels, in E-business and Telecommunication Networks; Third International Conference, ed. by J. Filipe, M.S. Obaidat. ICETE 2006, Setúbal, Portugal, 7–10 August 2006. Communications in Computer and Information Science, vol. 9 (Springer, Berlin, 2008)
64. T.E. Levin, C.E. Irvine, C. Weissman, T.D. Nguyen, Analysis of three multilevel security architectures, in Proceedings 1st Computer Security Architecture Workshop, Fairfax, VA, November 2007, pp. 37–46
65. H.M. Levy, Capability-based Computer Systems (Digital Press, Bedford, 1984)
66. S. Lipner, The trustworthy computing security development lifecycle, in Proceedings 20th Annual Computer Security Applications Conference (IEEE Comput. Soc., Los Alamitos, 2004), pp. 2–13
68. T.F. Lunt, Access control policies: some unanswered questions. Comput. Secur. 8, 43–54 (1989)
69. T.F. Lunt, P.G. Neumann, D.E. Denning, R.R. Schell, M. Heckman, W.R. Shockley, Secure distributed data views: security policy and interpretation for DBMS for a Class A1 DBMS. Tech. Rep. RADC-TR-89-313, vol. I, Rome Air Development Center, Griffiss Air Force Base, NY, December 1989
70. J. McLean, Security models and information flow, in Proceedings of the IEEE Symposium on Security and Privacy (IEEE Comput. Soc., Los Alamitos, 1990), pp. 180–189
71. J. Millen, The cascading problem for interconnected networks, in Fourth Aerospace Computer Security Applications Conference, 1988, pp. 269–273
72. J. Murray, An exfiltration subversion demonstration. Master’s thesis, Naval Postgraduate School, Monterey, CA, June 2003
73. S. Myagmar, A. Lee, W. Yurcik, Threat modeling as a basis for security requirements, in Proc. Symp. Requirements Engineering for Information Security (SREIS 05), 2005
74. P. Myers, Subversion: the neglected aspect of computer security. M.S. thesis, Naval Postgraduate School, Monterey, CA, 1980
75. National Computer Security Center, Trusted network interpretation of the trusted computer system evaluation criteria, NCSC-TG-005, July 1987
76. National Computer Security Center, A guide to understanding object reuse in trusted systems. Tech. Rep. NCSC TG-018, National Computer Security Center, Fort George G. Meade, MD, 1991
77. E.I. Organick, The Multics System: An Examination of Its Structure (MIT Press, Cambridge, 1972)
78. L.C. Paulson, Isabelle: A Generic Theorem Prover. LNCS, vol. 828 (Springer, Berlin, 1994)
79. V. Paxson, Bro: a system for detecting network intruders in real-time. Comput. Netw. 31(23–24), 2435–2463 (1999)
80. D. Redell, R. Fabry, Selective revocation of capabilities, in International Workshop on Protection in Operating Systems, IRIA, 1974
81. D. Rogers, A framework for dynamic subversion. Master’s thesis, Naval Postgraduate School, Monterey, CA, June 2003
82. A. Roscoe, CSP and determinism in security modelling, in Proceedings of the IEEE Symposium on Security and Privacy (IEEE Comput. Soc., Los Alamitos, 1995), pp. 114–127
83. J. Rushby, Design and verification of secure systems. ACM SIGOPS Operating Systems Review, vol. 15, December 1981, p. 12
84. J. Rushby, S. Owre, N. Shankar, Subtypes for specifications: predicate subtyping in PVS. IEEE Trans. Softw. Eng. 24(9), 709–720 (1998)
85. J.H. Saltzer, M.D. Schroeder, The protection of information in computer systems. Proc. IEEE 63(9), 1278–1308 (1975)
86. R. Sandhu, Analysis of acyclic attenuating systems for the SSR protection model, in Proceedings of the 1985 IEEE Symposium on Security and Privacy, April 1985, pp. 197–206
87. R.S. Sandhu, The schematic protection model: its definition and analysis for acyclic attenuating schemes. J. ACM 35, 404–432 (1988)
88. R.R. Schell, P.J. Downey, G.J. Popek, Preliminary notes on the design of secure military computer systems. Tech. Rep. MCI-73-1, Electronic Systems Division, Air Force Systems Command, Hanscom AFB, Bedford, MA, 73
89. R. Schell, T.F. Tao, M. Heckman, Designing the GEMSOS security kernel for security and performance, in Proceedings 8th DoD/NBS Computer Security Conference, 1985, pp. 108–119
90. D.D. Schnackenberg, Development of a multilevel secure local area network, in Proceedings of the 8th National Computer Security Conference, October 1985, pp. 97–101
91. M.D. Schroeder, J.H. Saltzer, A hardware architecture for implementing protection rings. Commun. ACM 15(3), 157–170 (1972)
92. J.S. Shapiro, J.M. Smith, D.J. Farber, EROS: a fast capability system, in SOSP’99: Proceedings of the Seventeenth ACM Symposium on Operating Systems Principles (ACM, New York, 1999), pp. 170–185
93. L.J. Shirley, R.R. Schell, Mechanism sufficiency validation by assignment, in Proceedings 1981 IEEE Symposium on Security and Privacy, Oakland (IEEE Comput. Soc., Los Alamitos, 1981), pp. 26–32
94. W.R. Shockley, R.R. Schell, TCB subsets for incremental evaluation, in Proceedings Third AIAA Conference on Computer Security, December 1987, pp. 131–139
95. A. Silberschatz, P.B. Galvin, G. Gagne, Operating System Concepts, 7th edn. (Wiley, New York, 2005)
98. J.M. Spivey, Understanding Z: A Specification Language and Its Formal Semantics (Cambridge University Press, Cambridge, 1988)
99. D.F. Sterne, On the buzzword “security policy”, in Proceedings of the IEEE Symposium on Research on Security and Privacy, Oakland, CA (IEEE Comput. Soc., Los Alamitos, 1991), pp. 219–230
101. K. Thompson, Reflections on trusting trust. Commun. ACM 27(8), 761–763 (1984)
102. S. Trimberger, Trusted design in FPGAs, in Proceedings of the 44th Design Automation Conference, San Diego, CA, June 2007
103. US Department of Commerce and Communications Security Establishment of the Government of Canada, Implementation guidance for FIPS PUB 140-2 and the cryptographic module validation program, initial release: 28 March 2003, last update: 10 March 2009. National Institute of Standards and Technology, Gaithersburg, MD, March 2009
104. US Department of Commerce, Security requirements for cryptographic modules, Federal Information Processing Standards Publication 140-2. National Institute of Standards and Technology, Gaithersburg, MD, May 2001
105.
go back to reference US Department of Commerce, Standards for security categorization of federal information and information systems, Federal Information Processing Standards Publication 199. National Institute of Standards and Technology, Gaithersburg, MD, February 2004 US Department of Commerce, Standards for security categorization of federal information and information systems, Federal Information Processing Standards Publication 199. National Institute of Standards and Technology, Gaithersburg, MD, February 2004
106.
go back to reference US Department of Commerce, Recommended security controls for federal information systems, NIST Special Publication 800-53 Revision 2. National Institute of Standards and Technology, Gaithersburg, MD, December 2007 US Department of Commerce, Recommended security controls for federal information systems, NIST Special Publication 800-53 Revision 2. National Institute of Standards and Technology, Gaithersburg, MD, December 2007
107.
go back to reference US Department of Commerce, Security requirements for cryptographic modules, Federal Information Processing Standards Publication 140-3 (Draft: 07-13-2007). National Institute of Standards and Technology, Gaithersburg, MD, July 2007 US Department of Commerce, Security requirements for cryptographic modules, Federal Information Processing Standards Publication 140-3 (Draft: 07-13-2007). National Institute of Standards and Technology, Gaithersburg, MD, July 2007
108.
go back to reference US Department of Commerce, Security considerations in the system development life cycle, NIST Special Publication 800-64 Revision 2. National Institute of Standards and Technology, Gaithersburg, MD, October 2008 US Department of Commerce, Security considerations in the system development life cycle, NIST Special Publication 800-64 Revision 2. National Institute of Standards and Technology, Gaithersburg, MD, October 2008
110.
go back to reference US Department of Defense, Trusted computer systems evaluation criteria (Orange Book) 5200.28-STD. National Computer Security Center, Fort Meade, MD, Dec. 1985 US Department of Defense, Trusted computer systems evaluation criteria (Orange Book) 5200.28-STD. National Computer Security Center, Fort Meade, MD, Dec. 1985
111.
go back to reference US Department of Defense, A guide to understanding trusted distribution in trusted systems, version 2, NCSC-TG-008. National Computer Security Center, Fort Meade, MD, December 1988 US Department of Defense, A guide to understanding trusted distribution in trusted systems, version 2, NCSC-TG-008. National Computer Security Center, Fort Meade, MD, December 1988
112.
go back to reference US Department of Defense, A guide to understanding trusted recovery in trusted systems, version 1, NCSC-TG-022. National Computer Security Center, Fort Meade, MD, December 1991 US Department of Defense, A guide to understanding trusted recovery in trusted systems, version 1, NCSC-TG-022. National Computer Security Center, Fort Meade, MD, December 1991
113.
go back to reference US Department of Defense, Defense Science Board task force on high performance microchip supply. Office of the Under Secretary of Defense For Acquisition, Technology, and Logistics, Washington, DC, February 2005 US Department of Defense, Defense Science Board task force on high performance microchip supply. Office of the Under Secretary of Defense For Acquisition, Technology, and Logistics, Washington, DC, February 2005
115.
go back to reference D. Volpano, C. Irvine, Secure flow typing. Comput. Secur. 16(2), 137–144 (1997) CrossRef D. Volpano, C. Irvine, Secure flow typing. Comput. Secur. 16(2), 137–144 (1997) CrossRef
116.
go back to reference D.R. Wichers, Conducting an object reuse study, in Proceedings of the 13th National Computer Security Conference, October 1990, pp. 738–747 D.R. Wichers, Conducting an object reuse study, in Proceedings of the 13th National Computer Security Conference, October 1990, pp. 738–747
117.
go back to reference M.V. Wilkes, R.M. Needham, The Cambridge model distributed system. ACM SIGOPS Oper. Syst. Rev. 14(1), 21–29 (1980) CrossRef M.V. Wilkes, R.M. Needham, The Cambridge model distributed system. ACM SIGOPS Oper. Syst. Rev. 14(1), 21–29 (1980) CrossRef
118.
go back to reference E. Witchel, J. Cates, K. Asanovic, Mondrian memory protection, in Tenth International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS-X), San Jose, CA, October 2002 E. Witchel, J. Cates, K. Asanovic, Mondrian memory protection, in Tenth International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS-X), San Jose, CA, October 2002
Metadata
Title: High Assurance Software Lessons and Techniques
Authors: Dr. Ted Huffmire, Dr. Cynthia Irvine, Thuy D. Nguyen, Timothy Levin, Dr. Ryan Kastner, Dr. Timothy Sherwood
Copyright Year: 2010
Publisher: Springer Netherlands
DOI: https://doi.org/10.1007/978-90-481-9157-4_2