CISSP - Certified Information Systems Security Professional Study Guide, 2nd Edition (2004)
.pdf
|
Computer Architecture |
331 |
|
|
|
|
|
|
Dynamic vs. Static RAM
There are two main types of RAM: dynamic RAM and static RAM. Most computers contain a combination of both types and use them for different purposes.
To store data, dynamic RAM uses a series of capacitors, tiny electrical devices that hold a charge. These capacitors either hold a charge (representing a 1 bit in memory) or do not hold a charge (representing a 0 bit). However, because capacitors naturally lose their charges over time, the CPU must spend time refreshing the contents of dynamic RAM to ensure that 1 bits don’t unintentionally change to 0 bits, thereby altering memory contents.
Static RAM uses more sophisticated technology—a logical device known as a flip-flop, which to all intents and purposes is simply an on/off switch that must be moved from one position to another to change a 0 to 1 or vice versa. More important, static memory maintains its contents unaltered so long as power is supplied and imposes no CPU overhead for periodic refresh operations.
That said, dynamic RAM is cheaper than static RAM because capacitors are cheaper than flipflops. However, static RAM runs much faster than dynamic RAM. This creates a trade-off for system designers, who combine static and dynamic RAM modules to strike the right balance of cost versus performance.
CACHE RAM
Computer systems contain a number of caches that improve performance by taking data from slower devices and temporarily storing it in faster devices when repeated use is likely; this is called cache RAM. The processor normally contains an onboard cache of extremely fast memory used to hold data on which it will operate. This on-chip, or Level 1 cache, is often backed up by a static RAM cache on a separate chip, called a Level 2 cache, that holds data from the computer’s main bank of real memory. Likewise, real memory often contains a cache of information stored on magnetic media. This chain continues down through the memory/storage hierarchy to enable computers to improve performance by keeping data that’s likely to be used next closer at hand (be it for CPU instructions, data fetches, file access, or what have you).
Many peripherals also include onboard caches to reduce the storage burden they place on the CPU and operating system. For example, many higher-end printers include large RAM caches so that the operating system can quickly spool an entire job to the printer. After that, the processor can forget about the print job; it won’t be forced to wait for the printer to actually produce the requested output, spoon-feeding it chunks of data one at a time. The printer can preprocess information from its onboard cache, thereby freeing the CPU and operating system to work on other tasks.
332 Chapter 11 Principles of Computer Design
Registers
The CPU also includes a limited amount of onboard memory, known as registers, that provide it with directly accessible memory locations that the brain of the CPU, the arithmetic-logical unit (or ALU), uses when performing calculations or processing instructions. In fact, any data that the ALU is to manipulate must be loaded into a register unless it is directly supplied as part of the instruction. The main advantage of this type of memory is that it is part of the ALU itself and, therefore, operates in lockstep with the CPU at typical CPU speeds.
Memory Addressing
When utilizing memory resources, the processor must have some means of referring to various locations in memory. The solution to this problem is known as addressing, and there are several different addressing schemes used in various circumstances. We’ll look at five of the more common addressing schemes.
REGISTER ADDRESSING
As you learned in the previous section, registers are small memory locations directly in the CPU. When the CPU needs information from one of its registers to complete an operation, it uses a register address (e.g., “register one”) to access its contents.
IMMEDIATE ADDRESSING
Immediate addressing is not technically a memory addressing scheme per se, but rather a way of referring to data that is supplied to the CPU as part of an instruction. For example, the CPU might process the command “Add 2 to the value in register one.” This command uses two addressing schemes. The first is immediate addressing—the CPU is being told to add the value 2 and does not need to retrieve that value from a memory location—it’s supplied as part of the command. The second is register addressing—it’s instructed to retrieve the value from register one.
DIRECT ADDRESSING
In direct addressing, the CPU is provided with an actual address of the memory location to access. The address must be located on the same memory page as the instruction being executed.
INDIRECT ADDRESSING
Indirect addressing uses a scheme similar to direct addressing. However, the memory address supplied to the CPU as part of the instruction doesn’t contain the actual value that the CPU is to use as an operand. Instead, the memory address contains another memory address (perhaps located on a different page). The CPU reads the indirect address to learn the address where the desired data resides and then retrieves the actual operand from that address.
BASE+OFFSET ADDRESSING
Base+Offset addressing uses a value stored in one of the CPU’s registers as the base location from which to begin counting. The CPU then adds the offset supplied with the instruction to that base address and retrieves the operand from that computed memory location.
Secondary Memory
Secondary memory is a term commonly used to refer to magnetic/optical media or other storage devices that contain data not immediately available to the CPU. For the CPU to access data in
Computer Architecture |
333 |
secondary memory, the data must first be read by the operating system and stored in real memory. However, secondary memory is much more inexpensive than primary memory and can be used to store massive amounts of information. In this context, hard disks, floppy drives, and optical media like CD-ROMs or DVDs can all function as secondary memory.
VIRTUAL MEMORY
Virtual memory is a special type of secondary memory that the operating system manages to make look and act just like real memory. The most common type of virtual memory is the pagefile that most operating systems manage as part of their memory management functions. This specially formatted file contains data previously stored in memory but not recently used. When the operating system needs to access addresses stored in the pagefile, it checks to see if the page is memory-resident (in which case it can access it immediately) or if it’s been swapped to disk, in which case it reads the data from disk back into real memory. Using virtual memory is an inexpensive way to make a computer operate as if it had more real memory than is physically installed. Its major drawback is that the swapping operations that occur when data is exchanged between primary and secondary memory are relatively slow (memory functions in microseconds, disk systems in milliseconds; usually, this means four orders of magnitude difference!) and consume significant computer overhead, slowing down the entire system.
Memory Security Issues
Memory stores and processes your data—some of which may be extremely sensitive. It’s essential that you understand the various types of memory and know how they store and retain data. Any memory devices that may retain data should be purged before they are allowed to leave your organization for any reason. This is especially true for secondary memory and ROM/ PROM/EPROM/EEPROM devices designed to retain data even after the power is turned off.
However, memory data retention issues are not limited to those types of memory designed to retain data. Remember that static and dynamic RAM chips store data through the use of capacitors and flip-flops (see the sidebar “Dynamic vs. Static RAM”). It is technically possible that those electrical components could retain some of their charge for a limited period of time after power is turned off. A technically sophisticated individual could theoretically take electrical measurements of those components and retrieve small portions of the data stored on such devices. However, this requires a good deal of technical expertise and is not a likely threat unless you have entire governments as your adversary.
The greatest security threat posed by RAM chips is a simple one. They are highly pilferable and are quite often stolen. After all, who checks to see how much memory is in their computer at the start of each day? Someone could easily remove a single memory module from each of a large number of systems and walk out the door with a small bag containing valuable chips. Today, this threat is diminishing as the price of memory chips continues to fall ($70 for 512MB DDR400 static RAM as we write this note).
One of the most important security issues surrounding memory is controlling who may access data stored in memory while a computer is in use. This is primarily the responsibility of
334 Chapter 11 Principles of Computer Design
the operating system and is the main memory security issue underlying the various processing modes described in previous sections in this chapter. In the section “Security Protection Mechanisms” later in this chapter, you’ll learn how the principle of process isolation can be used to ensure that processes don’t have access to read or write to memory spaces not allocated to them. If you’re operating in a multilevel security environment, it’s especially important to ensure that adequate protections are in place to prevent the unwanted leakage of memory contents between security levels, through either direct memory access or covert channels (a full discussion of covert channels appears in Chapter 12).
Storage
Data storage devices make up the third class of computer system components we’ll discuss. These devices are used to store information that may be used by a computer any time after it’s written. We’ll first examine a few common terms that relate to storage devices and then look at some of the security issues related to data storage.
Primary vs. Secondary
The concepts of primary and secondary storage can be somewhat confusing, especially when compared to primary and secondary memory. There’s an easy way to keep it straight—they’re the same thing! Primary memory, also known as primary storage, is the RAM that a computer uses to keep necessary information readily available to the CPU while the computer is running. Secondary memory (or secondary storage) includes all the familiar long-term storage devices that you use every day. Secondary storage consists of magnetic and optical media such as hard drives, floppy disks, magnetic tapes, compact discs (CDs), digital video disks (DVDs), flash memory cards, and the like.
Volatile vs. Nonvolatile
You’re already familiar with the concept of volatility from our discussion of memory, although you may not have heard it described using that term before. The volatility of a storage device is simply a measure of how likely it is to lose its data when power is turned off. Devices designed to retain their data (such as magnetic media) are classified as nonvolatile, whereas devices such as static or dynamic RAM modules, which are designed to lose their data, are classified as volatile. Recall from the discussion in the previous section that sophisticated technology may sometimes be able to extract data from volatile memory after power is removed, so the lines between the two may sometimes be blurry.
Random vs. Sequential
Storage devices may be accessed in one of two fashions. Random access storage devices allow an operating system to read (and sometimes write) immediately from any point within the device by using some type of addressing system. Almost all primary storage devices are random access devices. You can use a memory address to access information stored at any point within a RAM chip without reading the data that is physically stored before it. Most secondary storage devices are also random access. For example, hard drives use a movable head system that allows you to move directly to any point on the disk without spinning past all of the data stored on previous tracks; likewise CD-ROM and DVD devices use an optical scanner that can position itself anywhere on the platter surface as well.
Computer Architecture |
335 |
Sequential storage devices, on the other hand, do not provide this flexibility. They require that you read (or speed past) all of the data physically stored prior to the desired location. A common example of a sequential storage device is a magnetic tape drive. To provide access to data stored in the middle of a tape, the tape drive must physically scan through the entire tape (even if it’s not necessarily processing the data that it passes in fast forward mode) until it reaches the desired point.
Obviously, sequential storage devices operate much slower than random access storage devices. However, here again you’re faced with a cost/benefit decision. Many sequential storage devices can hold massive amounts of data on relatively inexpensive media. This property makes tape drives uniquely suited for backup tasks associated with a disaster recovery/ business continuity plan (see Chapters 15 and 16 for more on Business Continuity Planning and Disaster Recovery Planning). In a backup situation, you often have extremely large amounts of data that need to be stored and you infrequently need to access that stored information. The situation just begs for a sequential storage device!
Storage Media Security
We discussed the security problems that surround primary storage devices in the previous section. There are three main concerns when it comes to the security of secondary storage devices; all of them mirror concerns raised for primary storage devices:
Data may remain on secondary storage devices even after it has been erased. This condition is known as data remanence. Most technically savvy computer users know that utilities are available that can retrieve files from a disk even after they have been deleted. It’s also technically possible to retrieve data from a disk that has been reformatted. If you truly want to remove data from a secondary storage device, you must use a specialized utility designed to destroy all traces of data on the device or damage or destroy it beyond possible repair.
Secondary storage devices are also prone to theft. Economic loss is not the major factor (after all, how much does a floppy disk cost?), but the loss of confidential information poses great risks. If someone copies your trade secrets onto a floppy disk and walks out the door with it, it’s worth a lot more than the cost of the disk itself.
Access to data stored on secondary storage devices is one of the most critical issues facing computer security professionals. For hard disks, data can often be protected through a combination of operating system access controls. Floppy disks and other removable media pose a greater challenge, so securing them often requires encryption technologies.
Input and Output Devices
Input and output devices are often seen as basic, primitive peripherals and usually don’t receive much attention until they stop working properly. However, even these basic devices can present security risks to a system. Security professionals should be aware of these risks and ensure that appropriate controls are in place to mitigate them. The next four sections examine some of the risks posed by specific input and output devices.
Monitors
Monitors seem fairly innocuous. After all, they simply display the data presented by the operating system. When you turn them off, the data disappears from the screen and can’t be recovered. However, a technology known as TEMPEST can compromise the security of data displayed on a monitor.
336 Chapter 11 Principles of Computer Design
TEMPEST truly is an extremely interesting technology. If you’d like to learn more, there are a number of very good Web resources on TEMPEST protection and exploitation. A good starting point is the article “The Computer Spyware Uncle Sam Won’t Let You Buy” posted on InfoWar.com at http:// www.hackemate.com.ar/ezines/swat/swat26/Swt26-00.txt.
TEMPEST is a technology that allows the electronic emanations that every monitor produces (known as Van Eck radiation) to be read from a distance and even from another location. The technology is also used to protect against such activity. Various demonstrations have shown that you can easily read the screens of monitors inside an office building using gear housed in a van parked outside on the street. Unfortunately, the protective controls required to prevent Van Eck radiation (lots and lots of copper!) are expensive to implement and cumbersome to use.
Printers
Printers also may represent a security risk, albeit a simpler one. Depending upon the physical security controls used at your organization, it may be much easier to walk out with sensitive information in printed form than to walk out with a floppy disk or other magnetic media. Also, if printers are shared, users may forget to retrieve their sensitive printouts, leaving them vulnerable to prying eyes. These are all issues that are best addressed by an organization’s security policy.
Keyboards/Mice
Keyboards, mice, and similar input devices are not immune from security vulnerabilities either. All of these devices are vulnerable to TEMPEST monitoring. Also, keyboards are vulnerable to less-sophisticated bugging. A simple device can be placed inside a keyboard to intercept all of the keystrokes that take place and transmit them to a remote receiver using a radio signal. This has the same effect as TEMPEST monitoring but can be done with much less-expensive gear.
Modems
Nowadays, modems are extremely cheap and most computer systems ship from manufacturers with a high-speed modem installed as part of the basic configuration. This is one of the greatest woes of a security administrator. Modems allow users to create uncontrolled access points into your network. In the worst case, if improperly configured, they can create extremely serious security vulnerabilities that allow an outsider to bypass all of your perimeter protection mechanisms and directly access your network resources. At best, they create an alternate egress channel that insiders can use to funnel data outside of your organization.
You should seriously consider an outright ban on modems in your organization’s security policy unless they are truly needed for business reasons. In those cases, security officials should know the physical and logical locations of all modems on the network, ensure that they are correctly configured, and make certain that appropriate protective measures are in place to prevent their illegitimate use.
Computer Architecture |
337 |
Input/Output Structures
Certain computer activities related to general input/output (I/O) operations, rather than individual devices, also have security implications. Some familiarity with manual input/output device configuration is required to integrate legacy peripheral devices (those that do not autoconfigure or support Plug and Play, or PnP, setup) in modern PCs as well. Three types of operations that require manual configuration on legacy devices are involved here:
Memory-mapped I/O For many kinds of devices, memory-mapped I/O is a technique used to manage input/output. That is, a part of the address space that the CPU manages functions to provide access to some kind of device through a series of mapped memory addresses or locations.
Thus, by reading mapped memory locations, you’re actually reading the input from the corresponding device (which is automatically copied to those memory locations at the system level when the device signals that input is available). Likewise, by writing to those mapped memory locations, you’re actually sending output to that device (automatically handled by copying from those memory locations to the device at the system level when the CPU signals that the output is available). From a configuration standpoint, it’s important to make sure that only one device maps into a specific memory address range and that the address range is used for no other purpose than to handle device I/O. From a security standpoint, access to mapped memory locations should be mediated by the operating system and subject to proper authorization and access controls.
Interrupt (IRQ) Interrupt (IRQ) is an abbreviation for Interrupt ReQuest line, a technique for assigning specific signal lines to specific devices through a special interrupt controller. When a device wishes to supply input to the CPU, it sends a signal on its assigned IRQ (which usually falls in a range of 0–16 on older PCs for two cascaded eight-line interrupt controllers and 0–23 on newer ones with three cascaded eight-line interrupt controllers). Where newer PnP-compatible devices may actually share a single interrupt (IRQ number), older legacy devices must generally have exclusive use of a unique IRQ number (a well-known pathology called interrupt conflict occurs when two or more devices are assigned the same IRQ number and is best recognized by an inability to access all affected devices). From a configuration standpoint, finding unused IRQ numbers that will work with legacy devices can be a sometimes trying exercise. From a security standpoint, only the operating system should be able to mediate access to IRQs at a sufficiently high level of privilege to prevent tampering or accidental misconfiguration.
Direct Memory Access (DMA) Direct Memory Access (DMA) works as a channel with two signal lines, where one line is a DMA request (DMQ) line, the other a DMA acknowledgment (DACK) line. Devices that can exchange data directly with real memory (RAM) without requiring assistance from the CPU use DMA to manage such access. Using its DRQ line, a device signals the CPU that it wants to make direct access (which may be read or write, or some combination of the two) to another device, usually real memory. The CPU authorizes access and then allows the access to proceed independently while blocking other access to the memory locations involved. When the access is complete, the device uses the DACK line to signal that the CPU may once again permit access to previously blocked memory locations. This is faster than requiring the CPU to mediate such access and permits the CPU to move on to other tasks while the memory access is underway. DMA is used most commonly to permit disk drives, optical drives, display cards, and multimedia cards to manage large-scale data transfers to and from
338 Chapter 11 Principles of Computer Design
real memory. From a configuration standpoint, it’s important to manage DMA addresses to keep device addresses unique and to make sure such addresses are used only for DMA signaling. From a security standpoint, only the operating system should be able to mediate DMA assignment and use of DMA to access I/O devices.
If you understand common IRQ assignments, how memory-mapped I/O and DMA work, and related security concerns, you know enough to tackle the CISSP exam. If not, some additional reading may be warranted. In that case, PC Guide’s excellent overview of system memory (www.pcguide.com/ref/ram/) should tell you everything you need to know.
Firmware
Firmware (also known as microcode in some circles) is a term used to describe software that is stored in a ROM chip. This type of software is changed infrequently (actually, never, if it’s stored on a true ROM chip as opposed to an EPROM/EEPROM) and often drives the basic operation of a computing device.
BIOS
The Basic Input/Output System (BIOS) contains the operating-system independent primitive instructions that a computer needs to start up and load the operating system from disk. The BIOS is contained in a firmware device that is accessed immediately by the computer at boot time. In most computers, the BIOS is stored on an EEPROM chip to facilitate version updates. The process of updating the BIOS is known as “flashing the BIOS.”
Device Firmware
Many hardware devices, such as printers and modems, also need some limited processing power to complete their tasks while minimizing the burden placed on the operating system itself. In many cases, these “mini” operating systems are entirely contained in firmware chips onboard the devices they serve. As with a computer’s BIOS, device firmware is frequently stored on an EEPROM device so it can be updated as necessary.
Security Protection Mechanisms
There are a number of common protection mechanisms that computer system designers should adhere to when designing secure systems. These principles are specific instances of more general security rules that govern safe computing practices. We’ll divide our discussion into two areas: technical mechanisms and policy mechanisms.
Technical Mechanisms
Technical mechanisms are the controls that system designers can build right into their systems. We’ll look at five: layering, abstraction, data hiding, process isolation, and hardware segmentation.
Security Protection Mechanisms |
339 |
Layering
By layering processes, you implement a structure similar to the ring model used for operating modes (and discussed earlier in this chapter) and apply it to each operating system process. It puts the most-sensitive functions of a process at the core, surrounded by a series of increasingly larger concentric circles with correspondingly lower sensitivity levels (using a slightly different approach, this is also sometimes explained in terms of upper and lower layers, where security and privilege decrease when climbing up from lower to upper layers).
Communication between layers takes place only through the use of well-defined, specific interfaces to provide necessary security. All inbound requests from outer (less-sensitive) layers are subject to stringent authentication and authorization checks before they’re allowed to proceed (or denied, if they fail such checks). As you’ll understand more completely later in this chapter, using layering for security is similar to using security domains and lattice-based security models in that security and access controls over certain subjects and objects are associated with specific layers and privileges and access increase as one moves from outer to inner layers.
In fact, separate layers can only communicate with one another through specific interfaces designed to maintain a system’s security and integrity. Even though less-secure outer layers depend on services and data from more-secure inner layers, they only know how to interface with those layers and are not privy to those inner layers’ internal structure, characteristics, or other details. To maintain layer integrity, inner layers neither know about nor depend on outer layers. No matter what kind of security relationship may exist between any pair of layers, neither can tamper with the other (so that each layer is protected from tampering by any other layer). Finally, outer layers cannot violate or override any security policy enforced by an inner layer.
Abstraction
Abstraction is one of the fundamental principles behind the field known as object-oriented programming. It is the “black box” doctrine that says that users of an object (or operating system component) don’t necessarily need to know the details of how the object works; they just need to know the proper syntax for using the object and the type of data that will be returned as a result. This is very much what’s involved in mediated access to data or services, as when user mode applications use system calls to request administrator mode service or data (and where such requests may be granted or denied depending on the requester’s credentials and permissions) rather than obtaining direct, unmediated access.
Another way in which abstraction applies to security is in the introduction of object groups, sometimes called classes, where access controls and operation rights are assigned to groups of objects rather than on a per-object basis. This approach allows security administrators to define and name groups easily (often related to job roles or responsibilities) and helps make administration of rights and privileges easier (adding an object to a class confers rights and privileges rather than having to manage rights and privileges for each individual object separately).
Data Hiding
Data hiding is an important characteristic in multilevel secure systems. It ensures that data existing at one level of security is not visible to processes running at different security levels. Chapter 7, “Data and Application Security Issues,” covers a number of data hiding techniques
340 Chapter 11 Principles of Computer Design
used to prevent users from deducing even the very existence of a piece of information. The key concept behind data hiding is a desire to make sure those who have no need to know the details involved in accessing and processing data at one level have no way to learn or observe those details covertly or illicitly. From a security perspective, data hiding relies on placing objects in different security containers from those that subjects occupy so as to hide object details from those with no need to know about them.
Process Isolation
Process isolation requires that the operating system provide separate memory spaces for each process’s instructions and data. It also requires that the operating system enforce those boundaries, preventing one process from reading or writing data that belongs to another process.
There are two major advantages to using this technique:
It prevents unauthorized data access. Process isolation is one of the fundamental requirements in a multilevel security mode system.
It protects the integrity of processes. Without such controls, a poorly designed process could go haywire and write data to memory spaces allocated to other processes, causing the entire system to become unstable rather than only affecting execution of the errant process. In a more malicious vein, processes could attempt (and perhaps even succeed) at reading or writing to memory spaces outside their scopes, intruding upon or attacking other processes.
Many modern operating systems address the need for process isolation by implementing socalled virtual machines on a per-user or per-process basis. A virtual machine presents a user or process with a processing environment—including memory, address space, and other key system resources and services—that allows that user or process to behave as though they have sole, exclusive access to the entire computer. This allows each user or process to operate independently without requiring it to take cognizance of other users or processes that might actually be active simultaneously on the same machine. As part of the mediated access to the system that the operating system provides, it maps virtual resources and access in user mode so that they use supervisory mode calls to access corresponding real resources. This not only makes things easier for programmers, it also protects individual users and processes from one another.
Hardware Segmentation
Hardware segmentation is similar to process isolation in purpose—it prevents the access of information that belongs to a different process/security level. The main difference is that hardware segmentation enforces these requirements through the use of physical hardware controls rather than the logical process isolation controls imposed by an operating system. Such implementations are rare, and they are generally restricted to national security implementations where the extra cost and complexity is offset by the sensitivity of the information involved and the risks inherent in unauthorized access or disclosure.
Security Policy and Computer Architecture
Just as security policy guides the day-to-day security operations, processes, and procedures in organizations, it has an important role to play when designing and implementing systems. This