Countermeasure Characterizations: building blocks for designing secure information systems

by H O Lubbes
Proceedings DARPA Information Survivability Conference and Exposition II DISCEX01 (2001)

Available from ieeexplore.ieee.org
Countermeasure Characterizations
Building Blocks for
Designing Secure Information Systems
Herman O. Lubbes
Network Associates, Inc.
Lubbes@tislabs.com
Abstract
The Assurance Working Group (AWG) within the IA
Program studied a number of issues relating to the
design and analysis of secure systems. A principal
element of this work was to understand how to select
and integrate countermeasures to form secure systems.
It was found that one of the biggest failures of the
existing design process was that there was a lack of
information about what countermeasures did, how they
did it, and how they depended on their operational
environment. The Common Criteria documentation
provided this information, but the documentation was
formal and voluminous. A number of factors led the
AWG to adapt an abbreviated format and data
description referred to as the Countermeasure
Characterization (CMC) containing much of the same
information required by the Common Criteria. The
countermeasure documentation resulting from the
application of CMC data description and format not
only supports the system designer, but the thought
process necessary to produce it gives the
countermeasure developer a better understanding of the
environment in which the product must operate.
1. Introduction
Information technologies and their associated
computing systems and networks have become a
worldwide phenomenon. As these systems have
proliferated we have seen increasing instances of hostile
attacks resulting in loss of data, services, time, money
and confidence in these vital systems. This paper
addresses ways to design systems that increase our
confidence that they are resilient to hostile attacks and
contain minimal vulnerabilities due to flaws in their
design.
The DARPA Information Assurance Program (IA)
sought to develop countermeasures against hostile
attacks. Under several contracts, individual Principal
Investigators (PIs) attempted to develop
countermeasures against a variety of threats. The
Assurance Working Group (AWG), an informal
working group composed of personnel from NSA,
Mitre, NRL and NAI¹, was tasked to: 1) provide a way
to quickly communicate the objectives and
accomplishments of each PI to the other PIs; and 2) to
provide assistance to the PIs in their efforts to integrate
their individual technologies into complete secure
information systems. This paper discusses some of the
significant observations and findings arising during the
task period (September, 99 to September, 00).
First, we look at prior and current methodologies for
designing systems with known assurance levels. Next,
we discuss the current state of practice as reflected by
Common Criteria (CC) [1] evaluation methodologies,
and a prospective improvement we call Countermeasure
Characterization (CMC). Finally, we postulate a
number of benefits that could accrue from further
development of the CMC.
2. Background
In 1984, Carl Landwehr, Connie Heitmeyer, and
John McLean published “A Security Model for Military
Message Systems” [2]. This formal model consisted of
three parts:
Definitions
Assertions
Assumptions
Assertions are predicates to be proven or demonstrated
to be correct for a component of a system, given a set of
assumptions about other components or security
disciplines that establish the environment of the
component making the assertions. The component
developer making the assertions to be proven has no
control over the correctness of the assumptions made
about the other elements or disciplines. The other
disciplines include physical security, operational
¹ DARPA Prime Contract #F30602-98-C-0012,
Purchase Order #501298
0-7695-1212-7/01 $10.00 © 2001 IEEE