
in this respect) requires 37K of memory per connection, which may be a potential problem with large networks;

∙ any change to the business logic leads to the necessity of changing software for all workstations.

Being simple, this model is highly convenient in environments with a limited number of workstations. An optimum exists beyond which problems start to arise as described above.

An alternative dual-linked (two-tier) scheme is a model with a “thin” client and a “thick” server. Unlike the previous model, this one has the business logic moved to the server. The model can be realized in many ways using different software. In particular, MS SQL Server enables so-called stored procedures to be written in a query language; these procedures implement the business logic. Some DBMSs have auxiliary capabilities, including change handling, rule incorporation and data value admissibility checks, so that no excessive data is communicated over the network. Such systems, however, require server RAM for each connection, so new constraints emerge. First, this requires a rather high-powered DBMS: for example, unlike the first model, which can be realized in MS Access, the second model requires MS SQL Server. Furthermore, different vendors’ DBMSs have somewhat different query language syntax. This makes the approach in question somewhat limiting to the system’s evolution capabilities and requires use of a more powerful DBMS, e.g. Oracle.

The client/server model is evolving further towards a decentralized computation process, and this is how multilink client/server systems come about. Fig. 7.2 shows a schematic of a triple-linked client/server model.

Such an architecture introduces an extra link between the “thin” client and the “thin” server, with the components linked via standard network protocols, say, TCP/IP. This extra link contains the core business logic. The distinction of these systems is that they do not need RAM on the database server to support each client connection.

Where triple-linked systems are set up, all three application levels (presentation logic, business logic and data access logic) are fully partitioned. This gives the system more flexibility and makes it easier to upgrade any level. Extra services, e.g. Internet, e-mail and phone or fax communications, are easily connected to such a system.

For small networks and lightly loaded applications, the database and application servers can be physically combined in one computer. This, however, still makes a triple-linked system, because the logic remains functionally separated.

[Figure 7.2 (not reproduced): Workstations with presentation logic (interface); Application server with business logic (accountancy rules); Database server with data access logic]

Fig. 7.2. A triple-linked client/server model

The multilink model tends to evolve towards so-called n-linked client/server systems. These systems retain all the benefits offered by the triple-linked model and have business logic distributed among a number of servers, making it possible for the client to choose the one it needs at the time. Connections to different database servers are also in place. Such a system displays excellent flexibility, ease of modification and a capability for new applications to be inserted. The system components can be spatially separated. The global Internet is an example on the largest scale: any user can exploit the business logic of many search servers and select data from the source required.

The most recent technology for realizing the multilink model is the Web service. This technology makes it possible to get the required data in standard formats without dedicated software or hardware.

Microsoft experts give the following definition of a Web service: a Web service based on XML is used for the exchange of data between applications and enables other applications to be called irrespective of how they are organized, what platform they run on and what tools are employed to make them accessible.

Requests come to Web services via various standard network protocols from applications realized on different software and hardware platforms, with the result going back in standard XML coding. Large applications are broken down into independent parts which exist on the application servers as Web services.

7.3. Base software

The industry standard [1] identifies the following three types of base software:

∙ operating systems;
∙ database management systems;
∙ development tools.

Base software used in computerized NM A&C systems must be certified to the respective information access security class. The information security requirements are set forth in the Guidelines of the Russian Federation’s Gostekhkomissiya (State Technical Commission), which govern the classification of NM A&C systems [4]. Details of the base software classification and of the information security requirements, depending on the specified class, will be discussed in Chapter 8. There are no special requirements for development tools.

Hereinafter, we shall consider each base software type in more detail. The requirements imposed on them by the industry standard will be discussed, modern software will be reviewed in brief and advanced software considered.

7.3.1. Operating systems

The operating system (OS) is the essential software that forms the working environment of the NM A&C system. It is the OS that primarily secures the information system against unauthorized access and defines its reliability.

The requirements to operating systems are set forth in the industry standard and in the data access security requirements of Gostekhkomissiya. The industry standard requires that an operating system should contain and ensure:

∙ networking features;
∙ data access security features;
∙ log-in access control;
∙ memory protection;
∙ discrete and accounted-for access to resources;
∙ error handling facilities;
∙ operability support facilities;
∙ advanced database access providers;
∙ support of distributed network protocols;
∙ hardware fault tolerance;
∙ system operation statistics.

An OS may support:

∙ client/server technology;
∙ multitasking with a prioritization system;
∙ workstation networking capabilities;
∙ uninterruptible power supply.

The standard’s requirements are rather general and do not establish particular criteria. More specific requirements on operating systems, following from the NM A&C system classification that has been introduced, are set forth in Gostekhkomissiya’s Guidelines [4]. That document specifies requirements for the various data security subsystems, as well as certification and qualification requirements, depending on the class of the system.

A major technical problem faced by developers of computerized NM A&C systems is the lack of operating systems certified to classes higher than 3. A number of Microsoft Windows NT 4.0 modifications have so far been certified by Gostekhkomissiya for use in computerized NM A&C systems. The system itself is certified to data access security class 3, and its certificate has been renewed more than once.

An OS certified to access security class 3 does not permit handling data of different sensitivity levels, which makes it unusable at most nuclear material handling sites. Moreover, Windows NT 4.0 is a legacy system: Microsoft announced that it would stop supporting this OS in 2004. So a top-priority task the Federal Information System now faces is to certify a new OS for use in class 3 systems and to choose a system on which to build class 2 NM A&C systems.

There are two ways to address the problem. The first is to use Microsoft software. Prerequisites exist for Windows 2000 to be accepted as an advanced operating system. This operating system has been internationally certified to class 4 [5–7], so certifying it to class 3 under Gostekhkomissiya’s requirements for NM A&C systems is not expected to be technically complicated. The system is an evolution of the NT-based operating systems, so adapting existing application software to the new system will not be a problem. Responding to criticism of its software openness policies, Microsoft eventually announced its GSP (Government Security Program). The GSP is Microsoft’s answer to states’ demand for secure information systems. Partnership in the GSP has entitled Russian organizations to access to the Windows source code. The GSP will also connect developers in Russia to joint work with Microsoft on verifying security functions and to other research activities planned as part of the program. Apart from source code access, GSP members will be provided with technical details of the Windows platform to enable the design and creation of still more secure computation systems. Industry experts believe the GSP may help bring Microsoft products, Windows 2000 in particular, to the level of security class 2 [8]. The other approach relies on open-code (open-source) base software, meaning use of a Linux-based operating system. This approach rests on a license agreement that allows the system to be freely modified, so that a Linux distribution can be built and certified to security class 2. The reasoning behind the latter approach is that open-code software is relatively cheap.

As of the time this handbook was being edited, the situation with operating system certification was as follows. Because of organizational problems, partly due to the restructuring of the industry’s executive bodies, the Windows 2000 source code was made available only in late 2006, by which time this operating system had become obsolete. So the requirement now is to have Windows XP and Windows 2003 Server, Microsoft’s next-generation operating systems, certified. Accordingly, no work is under way to bring the Windows NT family of operating systems to the level of the access security class 2 requirements for NM A&C systems.

In parallel, Yanux 2.0 [9], a secure Linux-based operating system, was built by NPO “Luch” in Podolsk. According to [10], this system was certified in 2005 to access security class 2 under the requirements for NM A&C systems [4].

Listed below are the major features a secure operating system is expected to possess; their implementation will then be examined using the Windows NT operating systems as an example.

A secure OS is expected to feature [11]:

∙ identification and authentication capabilities;
∙ management and control of access to all system resources;
∙ auditing of events;
∙ fault tolerance and resilience tools;
∙ control of covert data leakage channels.

Most secure operating systems operate on a microkernel basis. The microkernel resides in memory and controls data flows among the components of the system. Any application requests permission from the microkernel to execute commands. Using special server processes, the microkernel checks whether execution of the command has been authorized and either permits or prohibits execution. This approach realizes a client/server architecture: if the request has been authorized, the microkernel calls the respective server process to carry it out.

The security system of Windows NT is based on an object-based protection model. An object is understood as any OS resource (a file, a device, a program, a memory area).

Each Windows NT user must log in to the system; his/her login and password are stored in the account database.

When logging in, the user undergoes identification and authentication procedures (Fig. 7.3). Identification confirms that the user who is logging in has an account in the database of registered users; this procedure checks the user name (login). Authentication confirms the identity of the user logging in; this procedure checks whether the password entered is valid. The user enters his/her login and password, and the security account manager checks whether a user with such credentials exists and permits or denies access to the system. A so-called access token is then generated that contains the user data needed to access resources (objects); every process subsequently started by the user receives a copy of this token. Such a process is called the user account’s subject and has the same rights of access to objects as the user himself/herself.

Identification and authentication are rather formal in many current operating systems, so it is quite easy for one subject to pass itself off as another and use that subject’s rights of access to data. No authentication at all is required for network interaction on the Internet, where global compatibility requirements are binding.

[Figure 7.3 (not reproduced): login → security subsystem / account manager → access token → Win32 subsystem → new process (copy of the access token)]

Fig. 7.3. Login access token creation procedure
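The login sequence of Fig. 7.3, as an added example that is not part of the handbook: the security account manager is modelled by a small in-memory account database, identification and authentication are separate steps, and the resulting token is copied to a new process. All identifiers, salts and passwords are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Identifiers, salts and passwords below are constructed for this example.

@dataclass(frozen=True)
class AccessToken:
    sid: str                   # security identifier of the user
    groups: FrozenSet[str]     # SIDs of the user's groups
    # frozen: a process holds a copy and cannot edit its own rights

def _derive(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash; the account database stores no passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed account database of the security account manager: login -> record
_SALT = os.urandom(16)
ACCOUNTS = {
    "ivanov": {"salt": _SALT, "hash": _derive("Correct-Horse-7", _SALT),
               "sid": "S-1-5-21-1001", "groups": frozenset({"S-1-5-32-545"})},
}

def logon(login: str, password: str) -> Optional[AccessToken]:
    """Identification, then authentication; returns a token or None."""
    rec = ACCOUNTS.get(login)          # identification: is the login registered?
    if rec is None:
        # Spend the same time as a real check so that response timing does not
        # reveal whether the login exists
        _derive(password, b"placeholder-salt")
        return None
    # authentication: is the password valid? (constant-time comparison)
    if not hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"]):
        return None
    return AccessToken(sid=rec["sid"], groups=rec["groups"])

def spawn_process(parent: AccessToken) -> AccessToken:
    """A process started by the user (the 'user account subject') receives a
    copy of the token and therefore exactly the same rights of access."""
    return AccessToken(parent.sid, parent.groups)
```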


Control of access to resources means checking the user’s rights to use the given object whenever an OS resource is requested. There are a number of models realizing this function. We shall look into how two of them, the discretionary model and the mandatory model, are organized [11]. The discretionary access control model is realized in Windows NT [12], while realization of mandatory access control is a necessary condition for an OS to be certified to access security class 2.

The discretionary model requires that each OS object possess a so-called security descriptor, which contains the object owner data and the access control list (ACL) used to check rights of access to the object. By default, the creator of the object becomes its owner, and ownership is transferable. The owner has the right to create and change the rights of access to the object. The access control list consists of access control records (entries) that specify the permits for a user to address the object. Each access control record contains an access mask that defines what can be done with the object. For example, the access mask for a file contains the “no access”, “full access”, “read”, “write”, “change” and “execute” operations. When an object is accessed, the security monitor checks the object’s access control list and, as the access mask defines, grants, limits or denies access (Fig. 7.4).

[Figure 7.4 (not reproduced): Access token (SID, group, etc.) → Security monitor → Access definition, checked against the object ACL of a file: User=Read, Group1=Full, Group2=No access]

Fig. 7.4. User’s resource access procedure

The mandatory access control model is based on classified document management rules. All objects and users are given a special label called the security level, with dominance relations established among levels, e.g. the Top Secret level is superior to the Secret level. Control of access to data is established based on two simple rules:

1. A user is entitled to get only data of a security level not higher than his/her own.

2. A user has the right to enter data only into objects of a security level not lower than his/her own.

The first rule protects data from being accessible to lower-level users. The second (and more important) rule prevents data leakage by high-level users.

Mandatory access control does not differentiate between individual entities, so it is normally used together with a discretionary model for better flexibility.
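An added example (not code from the handbook) covering both the discretionary check of Fig. 7.4 and the two mandatory rules above, applied together as the text says is usual practice. Access-mask bits, security levels and SIDs are constructed, not the real Windows values.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

# Access-mask bits and SIDs below are constructed for this example,
# not the real Windows values.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
FULL = READ | WRITE | EXECUTE

@dataclass(frozen=True)
class AccessToken:
    sid: str                   # user SID
    groups: FrozenSet[str]     # SIDs of the groups the user belongs to
    level: int                 # mandatory security level of the subject

@dataclass(frozen=True)
class ACE:
    trustee: str               # user or group SID the entry applies to
    mask: int                  # operations the entry covers
    allow: bool = True         # False: explicit "no access" entry

@dataclass(frozen=True)
class SecurityDescriptor:
    owner: str                 # creator by default; ownership transferable
    acl: List[ACE]             # ordered; deny entries are placed first
    level: int                 # mandatory security level of the object

def discretionary_check(token: AccessToken, sd: SecurityDescriptor, wanted: int) -> bool:
    """Security-monitor walk over the ACL of Fig. 7.4: an entry naming the
    user or one of the user's groups contributes its mask; an explicit
    deny that touches a requested bit ends the check with a refusal."""
    principals = {token.sid} | token.groups
    granted = 0
    for ace in sd.acl:
        if ace.trustee not in principals:
            continue
        if not ace.allow:
            if ace.mask & wanted:
                return False
            continue
        granted |= ace.mask
        if granted & wanted == wanted:
            return True
    return False                # no entry granted every requested bit

def mandatory_check(token: AccessToken, sd: SecurityDescriptor, wanted: int) -> bool:
    """Rule 1: read (execute counts as a read) only objects whose level does
    not exceed the subject's. Rule 2: write only objects not below it."""
    if wanted & (READ | EXECUTE) and sd.level > token.level:
        return False
    if wanted & WRITE and sd.level < token.level:
        return False
    return True

def access_check(token: AccessToken, sd: SecurityDescriptor, wanted: int) -> bool:
    """Both models applied together, as the text says is usual practice."""
    return mandatory_check(token, sd, wanted) and discretionary_check(token, sd, wanted)

# Constructed sample: levels 0 = Unclassified, 1 = Secret, 2 = Top Secret.
# Object ACL of Fig. 7.4: User=Read, Group1=Full, Group2=No access.
USER, GROUP1, GROUP2 = "S-1-5-21-1001", "S-1-5-21-2001", "S-1-5-21-2002"
SECRET_FILE = SecurityDescriptor(
    owner=USER,
    acl=[ACE(GROUP2, FULL, allow=False), ACE(USER, READ), ACE(GROUP1, FULL)],
    level=1,
)
```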

Apart from access control, secure operating systems are expected to allow event auditing. This is normally realized in the form of security event logs, by reviewing which the administrator traces user actions relevant to information security.

As computerized NM A&C systems are basically systems designed to operate in corporate local area networks, the operating systems supporting them need built-in tools to support computer network operations. Thus, the Windows NT operating systems support distributed network protocols and allow PCs to be organized into logical groups, or domains. Inside a domain, users log in through the primary domain controller only. Whatever workstation is used for logging in, access rights are checked centrally. This makes it easy to organize and enforce the same security policy on all computers within the domain.

NT-based operating systems include a component termed Internet Information Services. When installed, it allows a Web server to be created on the computer, thus enabling global Internet technologies to be used in local corporate NM A&C system networks.

7.3.2. Database management systems

A database forms the core of any computerized accounting and control system. A computer database is an array of specifically arranged information. Database management systems (DBMS) are employed to operate databases and provide computerized support for storing and handling data. To a great extent, the choice of DBMS defines the future operational characteristics of the NM A&C system under construction, including speed of response, the amount of information to be stored and the security attributes that protect information against both unauthorized access and objective factors.

The industry standard imposes the following requirements on DBMSs. A DBMS should offer convenient backup creation and data recovery. Where required, a DBMS may include a convenient user interface and automatic DB replication features.

A DBMS shall support:

∙ networking operations;
∙ high speed of response and capacity.

Where required, it also supports:

∙ an ODBC driver;
∙ security of data and data access control;
∙ an SQL query language.

Two of these requirements are clearly defined: a DBMS should support data backup and networking capabilities. The rest are either general (high capacity) or not binding (“as required”). DBMSs are also subject to data access security certification. As of the time this chapter was being written, three DBMSs, including Microsoft SQL Server 6.5 and two Oracle versions, had been certified to access security class 3. These are systems that support client/server architectures and operate relational databases. In fact, these two requirements are presently the accepted industry standards. The client/server architecture was discussed above. In general, the situation with certifying modern DBMSs is the same as with operating systems.

As to open-code base software, the PostgreSQL 7.4.6 DBMS was certified by NPO “Luch” in parallel with their Yanux 2.0 operating system. Therefore, in the context of open-code software applications, there is now a complete set of certified software required to develop and operate computerized NM A&C systems.

Relational databases

A relational DB is expected to satisfy a number of requirements; it should:

∙ present information as tables;
∙ support the logical data structure irrespective of the physical presentation form;
∙ use a high-level language to execute requests and change data in databases;
∙ support basic relational and set operations;
∙ support virtual tables for alternative data viewing;
∙ distinguish between unknown values, zero values and gaps in data;
∙ support data integrity, authorization, transaction and recovery mechanisms.

Tables consist of columns (fields) and rows (entries), each entry describing one instance of the entity whose data the table holds. The entry fields contain properties (attributes) of this entity. For unambiguous identification of an entity (an entry), the table contains a special field called the primary key. The value of this key must be unique within the given table. More than one field (a composite key) may be used as the primary key. In NM A&C system practice, a special ID field is introduced to serve as the primary key. For relationships with other tables, the table also has fields called foreign keys. A foreign key is the primary key of another table. Foreign keys relate a table entry to a particular object (entry) of another table (Fig. 7.5).

[Figure 7.5 (not reproduced): Personnel table with an ID position field (foreign key): Ivanov – 7, Petrov – 3; Table of offices with ID position (primary key) and Office fields: 7 – engineer, 14 – assistant, professor]

Fig. 7.5. Relationship between tables via key fields
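An added example, not from the handbook, that builds the two tables of Fig. 7.5 in SQLite with the position ID as primary key of the offices table and foreign key of the personnel table, and shows what referential integrity enforcement rejects. Row values are constructed.

```python
import sqlite3
from typing import List, Tuple

# The two tables of Fig. 7.5; row values are constructed for this example.
SCHEMA = """
CREATE TABLE offices (
    id_position INTEGER PRIMARY KEY,          -- primary key: unique per row
    office      TEXT    NOT NULL
);
CREATE TABLE personnel (
    id          INTEGER PRIMARY KEY,          -- the special ID field of the text
    name        TEXT    NOT NULL,
    id_position INTEGER NOT NULL
                REFERENCES offices(id_position)   -- foreign key to offices
);
"""

def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")   # SQLite ignores foreign keys unless enabled
    con.executescript(SCHEMA)
    with con:
        con.executemany("INSERT INTO offices VALUES (?, ?)",
                        [(7, "engineer"), (14, "assistant"), (21, "professor")])
        con.executemany("INSERT INTO personnel (name, id_position) VALUES (?, ?)",
                        [("Ivanov", 7), ("Petrov", 14)])
    return con

def add_person(con: sqlite3.Connection, name: str, id_position: int) -> bool:
    """False when the foreign key rejects a position with no primary-key row."""
    try:
        with con:
            con.execute("INSERT INTO personnel (name, id_position) VALUES (?, ?)",
                        (name, id_position))
        return True
    except sqlite3.IntegrityError:
        return False

def remove_office(con: sqlite3.Connection, id_position: int) -> bool:
    """False when the row is still referenced by a foreign key in personnel."""
    try:
        with con:
            con.execute("DELETE FROM offices WHERE id_position = ?", (id_position,))
        return True
    except sqlite3.IntegrityError:
        return False

def staff_with_office(con: sqlite3.Connection) -> List[Tuple[str, str]]:
    """Join the tables through the key fields, as the arrows in Fig. 7.5 do."""
    return con.execute(
        "SELECT p.name, o.office FROM personnel p "
        "JOIN offices o ON o.id_position = p.id_position ORDER BY p.id"
    ).fetchall()
```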

A key aspect in a database design is identification of entities and organization of relationships among them. This should be done keeping in mind how stored data will be further handled.

The selection of entities should be followed by normalization of the data to give the database a state that prevents corruption of data and facilitates data manipulation. There is a set of rules which, if adhered to, help achieve different levels of data “normality” (normal forms). A database is considered operational if the third normal form is achieved. Each subsequent normal form includes the requirements of the
