The Official Unofficial Zorp project

    4. Security Objectives

    This section explains the security objectives of the TOE, of the IT environment and of the NON-IT environment, and provides the rationale for them.

    4.1 Security objectives

    The security objectives of the TOE

    • TOE.STRICT_INPUT_CHECK The TOE checks its input carefully and, if the input fails to adhere to the expected input syntax, refuses to give any output. The input syntax is strict enough to ensure that input adhering to it is converted into syntactically and semantically correct output. The conversion rules are simple enough that the above can easily be proven in an informal style.
    • TOE.AUDIT_EXCEPTIONS All activities and errors detected by the underlying python libraries or runtime environment are handled and audited by the TOE.
    • TOE.CAREFUL_AUDIT The audit trails are carefully crafted not to trigger possible implementation problems of the audit subsystem of the underlying operating system.
    • TOE.FUNCTION The TOE outputs rules to be inserted into the packet filter configuration iff they are in the chain given by the invocation parameters and correspond to the input data.
    • TOE.RE The functions of the re module receive user input only as input strings, with lengths less than or equal to 1024 bytes.
    • TOE.MINIMAL The TOE shall be as simple as possible.
    • TOE.LSPP The TOE shall provide security services which enable an underlying LSPP-conformant Operating system to remain LSPP-conformant. The TOE extends the information flow control policy, and the security management functions of the underlying operating system.
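    The TOE objectives above, modelled in added Python that is not the filltable utility's own code: the input line syntax, the field names and the shape of the emitted packet filter rule are assumptions, since this section does not define them. The model enforces the 1024-byte bound before the re module sees any input (TOE.RE), refuses all output on the first rejected line (TOE.STRICT_INPUT_CHECK), emits rules only for the chain given at invocation (TOE.FUNCTION), and audits failures by line number and reason code rather than by content (TOE.AUDIT_EXCEPTIONS, TOE.CAREFUL_AUDIT).

```python
import re

# Assumed line format (not the project's syntax):
#   "<chain> <src-ip>/<prefix> <dst-ip>/<prefix> <tcp|udp> <port>"
MAX_INPUT_BYTES = 1024  # TOE.RE: the re module never sees a longer string
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_CIDR = rf"{_OCTET}(?:\.{_OCTET}){{3}}/(?:3[0-2]|[12]?\d)"
_LINE = re.compile(
    rf"^(?P<chain>[A-Za-z0-9_]{{1,28}}) (?P<src>{_CIDR}) (?P<dst>{_CIDR}) "
    rf"(?P<proto>tcp|udp) (?P<port>[1-9]\d{{0,4}})$"
)


def check_line(line: bytes):
    """Strict syntax and semantics check (TOE.STRICT_INPUT_CHECK).
    Returns (fields, None) on success or (None, reason_code) on rejection."""
    if len(line) > MAX_INPUT_BYTES:
        return None, "too_long"  # rejected before any regex runs (TOE.RE)
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        return None, "not_ascii"
    m = _LINE.fullmatch(text)  # anchored: no partial or prefix matches
    if m is None:
        return None, "syntax"
    if int(m.group("port")) > 65535:
        return None, "port_range"  # semantic check the regex alone cannot express
    return m.groupdict(), None


def fill_table(chain, lines):
    """Return (rules, audit). Rules are emitted only for the invoked chain
    (TOE.FUNCTION); any rejected line aborts output entirely. The audit trail
    carries only the line number and a fixed reason code, never the input
    bytes themselves (TOE.CAREFUL_AUDIT)."""
    rules, audit = [], []
    for n, raw in enumerate(lines, 1):
        try:
            fields, reason = check_line(raw.rstrip(b"\r\n"))
        except Exception as exc:  # TOE.AUDIT_EXCEPTIONS: unforeseen errors are audited, not propagated
            audit.append(f"line {n}: internal error {type(exc).__name__}")
            return [], audit
        if reason is not None:
            audit.append(f"line {n}: rejected ({reason})")
            return [], audit
        if fields["chain"] != chain:
            continue  # belongs to another chain: not ours to emit
        rules.append(f"-A {chain} -s {fields['src']} -d {fields['dst']} "
                     f"-p {fields['proto']} --dport {fields['port']} -j ACCEPT")
    return rules, audit
```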

    Objectives for the IT environment

    • IT.OS_HARDENED The underlying operating system is LSPP conformant and works as expected; the TOE can read its configuration file and write to its standard output. The underlying operating system is able to provide the needed level of separation of domains, and to protect the integrity of the TOE itself and of the mechanisms it depends on. The underlying operating system provides the ability to create, within its security framework, the security management roles and security labels needed by the TOE.
    • IT.PYTHON The python interpreter works as documented.
    • IT.RE The re module of the python interpreter is able to handle any input string with a length of less than 1024 characters.
    • IT.CHAIN_DESIGN The chains modified by using the output of the TOE get only packets designated to be controlled by the junior system administrator.

    Objectives for the NON-IT environment

    • NONIT.OS_ADMIN The management practices of the underlying operating system provide the necessary restrictions on the access of the junior system administrator.
    • NONIT.CALLING_DOCUMENTED The parameters of the TOE and their safe values are documented in the administrative documentation.
    • NONIT.VERSIONS_AND_PATCHING The lack of known security issues of the underlying operating system and python implementation is enforced with correct upgrade and patching procedures, which are adhered to by the senior system administrator.
    • NONIT.SENIOR The senior system administrator is not careless, wilfully negligent or hostile, and will follow and abide by the instructions provided by the administrator documentation.

    4.2 Rationale for the security objectives

    All objectives are necessary

    Rationale for the TOE objectives

    • TOE.STRICT_INPUT_CHECK This objective contributes to counter the threats T.EVIL_JUNIOR, T.UNDERLYING_COMPROMISE, T.BAD_RULE_INSERTED by restricting its input domain to safe values.
    • TOE.AUDIT_EXCEPTIONS This objective contributes to counter the threats T.UNDERLYING_COMPROMISE, T.BAD_RULE_INSERTED and T.AUDIT_FAIL by taking care of error conditions not explicitly foreseen at development time.
    • TOE.CAREFUL_AUDIT This objective contributes to counter the threats T.AUDIT_FAIL and T.UNDERLYING_COMPROMISE by restricting the contents of the audit trail to known safe values.
    • TOE.FUNCTION This objective contributes to counter the threats T.BAD_RULE_INSERTED and T.UNDERLYING_COMPROMISE by restricting the modification of packet filter configuration to known safe values.
    • TOE.RE This objective contributes to counter the threats T.UNDERLYING_COMPROMISE, T.BAD_RULE_INSERTED and T.AUDIT_FAIL by restricting the input of the underlying re module to known safe values.
    • TOE.MINIMAL This objective contributes to counter the threat T.BAD_RULE_INSERTED and T.UNDERLYING_COMPROMISE by minimizing the chance of malfunction of the TOE.
    • TOE.LSPP This objective counters the threat T.NO_LSPP.

    Rationale for objectives for the IT environment

    • IT.OS_HARDENED This objective counters the threat T.OS_COMPROMISE and cares for the assumption A.OS.
    • IT.PYTHON This objective counters the threat T.PYTHON_PROBLEM and cares for the assumption A.PYTHON.
    • IT.RE This objective, together with TOE.RE, counters the threat T.UNDERLYING_COMPROMISE by ensuring that the underlying re module is able to handle the data given to it.
    • IT.CHAIN_DESIGN This objective together with TOE.FUNCTION counters the threat T.EVIL_JUNIOR by giving only the designated rights to the junior system administrator.

    Rationale for objectives for the NON-IT environment

    • NONIT.OS_ADMIN This objective together with NONIT.SENIOR contributes to counter the threat T.EVIL_JUNIOR and cares for the assumption A.JUNIOR by ensuring that the junior system administrator cannot gain unauthorized access in ways not covered by the scope of control of the TOE.
    • NONIT.CALLING_DOCUMENTED This objective, together with TOE.FUNCTION, IT.CHAIN_DESIGN and NONIT.SENIOR, counters the threat T.BAD_CALLING by giving the senior system administrator documented rules to adhere to.
    • NONIT.VERSIONS_AND_PATCHING This objective contributes to counter the threats T.OS_COMPROMISE and T.PYTHON_PROBLEM, and cares for the assumptions A.OS and A.PYTHON by ensuring that those assumptions hold.
    • NONIT.SENIOR This objective together with other objectives contributes to counter the threats T.BAD_CALLING, T.EVIL_JUNIOR, T.OS_COMPROMISE, T.PYTHON_PROBLEM, and cares for the assumptions A.SENIOR, A.PYTHON, A.OS.

    The security environment is fully covered.

    Assumptions

    • A.SENIOR Cared for by NONIT.SENIOR
    • A.JUNIOR Cared for by NONIT.OS_ADMIN
    • A.OS Cared for by IT.OS_HARDENED, NONIT.VERSIONS_AND_PATCHING and NONIT.SENIOR
    • A.PYTHON Cared for by IT.PYTHON, NONIT.VERSIONS_AND_PATCHING and NONIT.SENIOR

    Policies

    There are no policies defined; the security environment is expressed in terms of assumptions and threats.

    Threats

    • T.EVIL_JUNIOR Cared for by TOE.STRICT_INPUT_CHECK, IT.CHAIN_DESIGN, NONIT.OS_ADMIN, and NONIT.SENIOR objectives.
    • T.BAD_CALLING Cared for by NONIT.CALLING_DOCUMENTED and NONIT.SENIOR objectives.
    • T.OS_COMPROMISE Cared for by IT.OS_HARDENED, NONIT.VERSIONS_AND_PATCHING and NONIT.SENIOR objectives.
    • T.PYTHON_PROBLEM Cared for by IT.PYTHON, NONIT.VERSIONS_AND_PATCHING and NONIT.SENIOR objectives.
    • T.UNDERLYING_COMPROMISE Cared for by TOE.STRICT_INPUT_CHECK, TOE.AUDIT_EXCEPTIONS, TOE.CAREFUL_AUDIT, TOE.FUNCTION, TOE.RE, TOE.MINIMAL and IT.RE objectives.
    • T.AUDIT_FAIL Cared for by TOE.AUDIT_EXCEPTIONS and TOE.CAREFUL_AUDIT objectives.
    • T.BAD_RULE_INSERTED Cared for by TOE.STRICT_INPUT_CHECK, TOE.AUDIT_EXCEPTIONS, TOE.MINIMAL and TOE.FUNCTION objectives.
    • T.NO_LSPP Cared for by TOE.LSPP.
