The big Red Button

DOM Sicherheitstechnik has been around since 1936, that is to say they existed before WWII, one may even argue that the choice to use a “Dual Key” authentication mechanism was a result of their design; since they were the first Lock company to design a key that had two half and was increasingly difficult if not impossible to pick. [DOM]ⁱ In any military action where dual controls were needed, DOM keys were probably used up until a better option became available. In addition to the dual controls all encrypted messages would have been executed according to a protocol in a per-established manner.

A PAL is a complicated firring mechanism usually for a nuclear weapon; Weapons control is the core business of any military; as once stated all wars are 99% logistics and 1% destruction. Therefore a PAL's main goal is authentication, and enforcement of the chain of command in a given military to control a sensitive munition during it's logistical operations and execution in theater, including it's psychical characteristics and environmental awareness.[BSM]ⁱⁱ

This is really to ensure that should the big red button ever get pushed, the bomb knows who pushed it where and when and that is is to go off over what target. And this control must exist for all weapons, be they in an ICBM, on a submarine, on an Aircraft be it a bomber or multi-role fighter equipped with a nuclear weapon.

Recently 50 ICBM's at the 90^th missile wing at the F.E. Warren Air Force base in Wyoming went off line, that is to say due to a network communications issue the PAL's went into a locked down mode titled LF-Down assuming that the base itself may have been vaporized. Realistically they simply lost communications with their command and control computers however simply losing this control is seen as an incident of note as it has never happened in known history to more than a few devices at once.[AM]ⁱⁱⁱ The root cause was suspected communications cable issues; seeing as they are buried underground, ground water can casue corrosion; corrosion wreaks havok on the RFI and reflective RF properties of signals on a line.

This really underlies the importance of security control systems in general, PAL's are an electro mechanical control that may or may not include software. These would be refereed to within the realm of the (ISC)2 as a “Technical Control”they also have “Procedural Controls” and “Physical controls” to further secure their environment eixisting within the PAL or the procedure used to Arm it. [THF]^iv

The Hanan incident in which a U.S. Signals intelligence plane was detained by Chinese authorities after an emergency landing has demonstrated that failure to physically destroy equipment will ensure that any capable opponent will reverse engineer every aspect of it. The NSA believed that their proprietary Operating System was secure in it's methods; surely if the NSA could have their greatest asset compromised by a team of Chinese engineers in less than 7 years; a nuclear weapon may only take 10 years.[HMS]^v Although the advent of inexpensive solid state based storage will ensure that this never happens again as once chips are burnt, they are not forensically recoverable.

Just like any mechanism or device the PAL is most likely designed by a consortium of companies within the united states, we may assume that Lockheed Martin, Grumman, Bae Systems, Hughes and RSA have been involved since most of their primary business is military and federal consulting in aerospace. The greatest threat to any business involved in this area is espionage or the “Advanced Persistent Threat”; Agents may manipulate those in the employ of such companies like Gregg Bergersen to disclose the secrets any PAL they may have worked on for bribes^vi.

In fact with the American economy in it's current state the threat of espionage is far greater then the very difficult threat of an enemy agent obtaining a weapon and reverse engineering it's PAL.

Tamper proof systems are subject to the same scrutiny as cryptographic methods. That is to say that a “Tamper proof box” may be designed to fail in a specific manner including a small explosion if exposed to light, heat or various forms of ionizing radiation including but not limited to PET or X-ray's. These systems are quite costly since the additional engineering also lends it self to reducing the overall reliability of said system by intentionally increasing it's complexity. Tamper proffing any complex system is costly and increases the testing and development costs of said system exponentialy, in the commercial communcations sector power supplies, signals boards and even chips are tamper proofed by encasing them in lead paint, removing markings and placing expoxy over any critical components of a given circuit. If the cirucut utilizes an RF housing this may be achieved by simply putting globs of epoxy over the desired components to prevent manipulation and visibility of said components.

There's even a large industry within the united stated devoted to the reverse engineering of said tamper proof systems. It's a matter of Competitive intelligence.

NTI states that the overall cost of the American nuclear program from 1940 to 1996 is around 5.8 trillion dollars. We may assume a good portion of that was in the development of PAL systems for warheads, as we can see they are neither cheap nor elegant but they must be a necessity to ensure the safety and operation of the current arsenal.a

iN.A. (Dom Security, 2011) About DOM [Online] World Wide Web, Available from: http://www.dom-sicherheitstechnik.com/Company.736.0.html (accessed on May 26^th 2011)

iiBellovin, Steven M. (Coloumbia Unviersity, 02 September 2009) Permsissive Action Links [Online] World Wide Web, Available from: https://www.cs.columbia.edu/~smb/nsam-160/pal.html (Accessed on May 26^th 2011)

iiiAmbinder, Marc (The Atlantic, October 26 2010) Failure Shuts down Squadron of Nuclear Missle [Online] World Wide Web, Available from: http://www.theatlantic.com/politics/archive/10/10/power-failure-shuts-down-sqaudron-of-icbms/65207 (Accessed on May 26^th 2011)

ivTipton, Harold F. (Taylor and Francis, 2010) Offical (ISC)2 Guide to the CISSP CBK 2^nd ed P. 47 ISBN: 978-1-4398-0959-4

vHersch, Seymor M (The New Yorker, November 1^st 2010) The online Threat [Online] World Wide Web, Available from: http://www.newyorker.com/reporting/2010/11/01/101101fa_fact_hersh (Accessed on May 26^th 2011)

viShuster (60 Minutes, February 28^th 2010) Caught on Tape; Selling Americas secrets [Online] World Wide Web, Available From: http://www.cbsnews.com/stories/2010/02/25/60minutes/main6242498.shtml (Accessed on May 26^th 2011)

Security Models and Mechanisams

The nature of all computer systems security relies upon systems
access and how privileges are granted to a given user object or
application program to system subject. Most security models are
designed around the Subject, Object and User permission. Regardless
of weather or not we are considering local Operating System or Client
and Server interactions, these models are usually only concerned with
Subjects (files and folders), Objects (Applications and programs) and
Users. Some incorporate procedures as well (transactions).

Every computer regardless of operating system maintains a set of “Rings”
with respect to system and application access and program execution.
Windows 7, Linux and Unix clones all utilize these divisions with
respect to applications running on x86 based hardware. These modes
allow the system to differentiate between a program and a device
driver and the kernel at the hardware layer. Thus if a device driver
fails it would not take the kernel with it and if a program fails it
would not corrupt drivers or the kernel; in theory this is an
excellent model; in practice programs often take the kernel when they
fail due to improper programming techniques.

Illustration 1i

Discretionary access control (DAC) is defined by the TCSEC as the “Absence of MAC”. Where every object has an owner and that object may also be read by the system or other users.ⁱⁱ

All Unix implementations and Linux distributions utilize DAC as the
standard permissions mechanism within the file system; where each
directory may only be readable or writable depending upon the parent
directory and it's applied or inherited permissions. The superuser or
administrator may modify group memberships and object ownerships.
Users are limited by group memberships on the system to which objects
they may manipulate or where they may create or destroy objects by
their assigned permissions. Examples of this are how a user must be a
member of the “Wheel” group if they wish to use the command “su -” to become root. 

The root user would usually assign that membership to other users that may also be admins from time to time. Most access-matrix and AAA models are based upon the DAC standard with some minor modifications involving the use of
Access control lists which reside on an object or AAA standards
include Radius and TACACS and TACACS+ models. 

The level of systems access at the OS level is usually determined by the security model implemented by the operating system in question.

Mandatory Access Control is the result of the adoption and Implementation of the “Bell-La-Paullda” confidentiality modelⁱⁱⁱ and BIBA integrity model^iv and can be considered a derivative work of the Lipner^v security model usually implemented on a system in addition to DAC^vi.

The modern definition of MAC also includes considerations for
integrity in addition to security where the Subject, Object and
access matrix is primarily determined by a policy applied to the
system in question; where read and write object rights are inherent
in the subject label; Again this was originally defined in the TCSEC
standard as “Multi-Level Security” designed to address sensitive data classifications and their manipulat within classified systems; however it's most prolific modern implementations are SELinux and AppArmor. The primacy of purpose for MAC is to ensure that a given subject cannot write to an object of a
higher classification or that a given object may not be read by a
given subject of a lesser classification. Again the administrator may
only change an object security label or a subjects clearance, they do
not have object access; administration and operations of MAC on-top
of DAC increase the operational and maintenance complexity of any
system that uses either of these options. Essentially employing MAC
ensures that data on the system will maintain it's integrity and
security according to the security policy. Pre-configured polices
often exist for standard server configurations including Oracle
database services, Apache – tomcat web services and other
standard server configurations. MAC is very complex in nature and
increases troubleshooting overhead for applications by a great deal;
it's notorious for breaking oracle installations or preventing apache
from serving web pages correctly; however these common errors are
usually the result of a lack of planning on the administration's
part.

Illustration 2^vi

Role Based Access Control is yet another security model; it has been
formalized as a standard by the NIST.^viii  RBAC is a newer standard than MAC or DAC and is implemented by using  a centralized directory service such as Active Directory, or Novell eDirectory or specialized permissions and roles stored within a database or directory service. RBAC relies on user objects being assigned roles that may have associated transaction or session
permissions which are queried when subject access requests occur.
Thus a user is limited in what they may accomplish within a given
environment by their assigned roles and the authorizations that those
roles have and the subjects they are attempting to work with
including which transactions they may be attempting as well as the
subjects and the transaction based assigned permissions. Again an
administrator must assign roles to user objects (subjects);
permissions to resources, including transaction permissions as well
as session permissions they may even have to assign role activation
constraints. Active Roles is a product that assigns roles based
administration and offers a predefined transaction permission
framework for active directory. Generally speaking RBAC is the most
complex of the three security models and requires the greatest amount
of effort for both the implementation in an organization and the
maintenance required. The complexity of RBAC is offset by it's
granularity, you may specify at a very granular level what a given
user may accomplish with a given object, subject and transaction;
it's employed primarily by the Military and Banking sectors.

Illustration 3ix

Web Services Security is the extension f Integrity and confidentiality to the world of Web 2.0 standards including XML and SOAP transactions by utilizing signatures, encryption and tokens of XML and related services including the creation and use of the WS-Security lawyer on top of the standard certification layer of trust currently used to deliver SSL based HTTP transactions using SOAP and XML.^x

Level	Security Model as applied
OS	DAC
Local Users and Applications	MAC
CLIENT / Server	MAC/AAA
Web Services	WS-Security

Generally security models are layered upon one another, this layering process is refereed to as “Hardening” and a system may be hardened depending upon it's sensitivity and classification. The greater the risk within the system the more hardening and “due care” are required.

The following Tables will compare and contrast the limitations at given
levels of each of these models:

OS Level	Complexity	Goal	Limitations	Benefits
DAC	Low	Limit acces to system files	Administrator has access to everything	Standard file permissions on Windows and UNIX
AAA	Medium	Authorize an individual using a trusted third party server	Requires a dedicated directory server	Group permissions on shared drives facilitate simple file management.
Access-matrix	High	Authorize a user or group to a specific object	Requires planning on the administrators part. Can limit object from administrator access Time intensive Complicates troubleshooting	Can limit object from administrator access

Client Server	Complexity	Goal	Limitations	Benefits
DAC	Low	Limit acces to system files	Administrator has access to everything	Standard file permissions on Windows and UNIX
MAC	High	Limit access to objects by security clearence labels (Integrity and Authenticity)	Requires a lot of planning	No one user of a lesser clearance may read an object of a greater clearance No one subject of a greater clearance may write to an object of a lesser clearance
RBAC	High	Limit systems use and transacations by pre-defined job roles	Great administrative Overhead Requries dedicated expertise on site Time intensive Complicates troubleshooting	Can prevent fraud in Banks. Limits the “Area of potential destruction” that an unwitting subject may engage in.

OS Level	Complexity	Goal	Limitations	Benefits
DAC	Low	Limit acces to system files	Administrator has access to everything	Standard file permissions on Windows and UNIX
AAA	Medium	Authorize an individual using a trusted third party server	Requires a dedicated directory server	Group permissions on shared drives facilitate simple file management.
Access-matrix	High	Authorize a user or group to a specific object	Requires planning on the administrators part. Can limit object from administrator access Time intensive Complicates troubleshooting	Can limit object from administrator access

Client Server	Complexity	Goal	Limitations	Benefits
DAC	Low	Limit acces to system files	Administrator has access to everything	Standard file permissions on Windows and UNIX
MAC	High	Limit access to objects by security clearence labels (Integrity and Authenticity)	Requires a lot of planning	No one user of a lesser clearance may read an object of a greater clearance No one subject of a greater clearance may write to an object of a lesser clearance
RBAC	High	Limit systems use and transacations by pre-defined job roles	Great administrative Overhead Requries dedicated expertise on site Time intensive Complicates troubleshooting	Can prevent fraud in Banks. Limits the “Area of potential destruction” that an unwitting subject may engage in.

iN.A. (Wikimedia, n.d.) Ring (Computer Security) [Online]
World Wide Web, Avaialble from: http://en.wikipedia.org/wiki/Ring_%28computer_security%29 (Accessed on May 12^th 2011)

iiN.A. (DoD, December 26 1985) DEPARTMENT OF DEFENSE STANDARD TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA [Online]
World Wide Web, Available From: http://www.iwar.org.uk/comsec/resources/standards/rainbow/5200.28-STD.html (Accessed on May 12^th 2011)

iiiTipton, F. Harold; (Taylor and Francis, 2009) Official (ISC)2 Guide to
the CISSP ISBN: 978-1-4398-0959-4 P685

ivTipton, F. Harold; (Taylor and Francis, 2009) Official (ISC)2 Guide to
the CISSP ISBN: 978-1-4398-0959-4 P691

vTipton,  F. Harold; (Taylor and Francis, 2009) Official (ISC)2 Guide to
the CISSP ISBN: 978-1-4398-0959-4 P691

viN.A. (DoD, December 26 1985) DEPARTMENT OF DEFENSE STANDARD TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA [Online]
World Wide Web, Available From: http://www.iwar.org.uk/comsec/resources/standards/rainbow/5200.28-STD.html (Accessed on May 12^th 2011)

viiWalsh,
Dan (RedHat Magazine, 2007) Whats new in Selinux for Red Hat
Enterprise 5 [Online] World
Wide Web, Available from: http://magazine.redhat.com/2007/05/04/whats-new-in-selinux-for-red-hat-enterprise-linux-5/
(Accessed on May 13^th 2011)

viiiN.A.  (NIST, October 10^th 2007) RBAC standards page [Online]
World Wide Web, Available from: http://csrc.nist.gov/groups/SNS/rbac/standards.html
(Accessed on May 12^th 2011)

ixN.A. (Microsoft Inc, December 2009) Understanding Management Role
Groups [Online] World Wide Web,
Available from:http://technet.microsoft.com/en-us/library/dd638105%28EXCHG.140%29.aspx
(Accessed on May 12^th 2011)

xAlonso, Gustavo (Swiss Federal Institute of Technology, ETHZ, 2009) Security Web Services [Online] PDF Document, Available from: www.systems.ethz.ch/education/past-courses/fs09/web-services-and-service-oriented-architectures/slides/8-WS-SOA-Security.pdf (Accessed on May 12^th 2011)