chapter 7
DESCRIPTION
Securing Commercial Operating Systems. Chapter 7. Chapter Overview. Retrofitting Security into a Commercial OS History of Retrofitting Commercial OS's Commercial Era Microkernel Era UNIX Era IX Domain and Type Enforcement Recent Unix Systems Summary. - PowerPoint PPT PresentationTRANSCRIPT
Chapter 7
Securing Commercial Operating Systems
Chapter Overview
• Retrofitting Security into a Commercial OS
• History of Retrofitting Commercial OS's
• Commercial Era
• Microkernel Era
• UNIX Era
– IX
– Domain and Type Enforcement
– Recent Unix Systems
• Summary
Retrofitting Security into a Commercial OS
• Requires reference Monitor Concept
– Complete Mediation
– Tamperproofing
– Verifiability
Complete Mediation Challenges
• Identify all security-sensitive operations
– Some embedded deep inside the kernel code.
– Examples:
• Open
• Sockets
• Shared memory, etc.
– Covert channel identification is usually not even attempted
Tamperproofing Challenges
• Obvious: place in ring 0, but
• Kernel is often updated.
• /dev/kmem, /proc, Sysfs, netlink sockets
• → Every root process must STILL be part of the UNIX TCB
Verification Challenges
• Musts:
– Mediation is implemented correctly, but
• Mediation interface designed manually
• Implemented in unsafe languages
– Policy enforces required security goals
• Large number of queries and processes.
• Complicate policies.
– Reference monitor implementation is correct
• Rest of TCB is huge.
– Rest of the TCB behaves correctly.
History of Retrofitting Commercial OS's
• Commercial Era
– Emulate system on security kernel
– Retrofit security into OS
– → UNIX MLS
• Microkernel Era
– Independent Server Processes → went to kernel
– New security models addressing both confidentiality and integrity
• Unix Era
– Composed solutions from the two eras with focus on system integrity.
Commercial Era
• Emulated Systems
– Data Secure UNIX
– KSOS
• KVM/370 – 25% Performance overhead
• VAX/VMS DEC/Sandia Labs: MLS
• Secure Xenix (IBM) Access control and auditing
– Added Compatibility
• Retrofitted Unix services
• Hidden subdirectories – Polyinstantiated file systems
– Trusted Path (Secure attention sequence)
• 1990 saw many secure Unix variants
Microkernel Era
• Goal: minimal size kernel emphasizing system abstractions; no emphasis on security per se.
• Source: Mach (1980's)
– Trusted Mach (Tmach)
– Distributed Trusted Mach (DTMach)
– Distributed Trusted OS (DTOS)
– Flask
Trusted Mach
• Built by Trusted Information Systems (TIS)
• Added MLS for files, memory.
• Aim was to provide function for other systems like Unix and Windows. (Single level)
Distributed Trusted Mach
• Secure Computing Corporation and NSA
• Hybrid access control model:
– MLS labels for confidentiality
– Type Enforcement labels for integrity (TE)
• Similar architecture to Tmach + servers for networking and general security policy server.
DTMach II
• DTMach = Mach + security server
– Security server = reference monitor outside the kernel
• Each port access implies an authorization query
• For example, opening a file opens a port to the file server, etc.
– Security server used both MLS and TE rules.
• TE rules:
– code could only be modified by administrators– Limited code that could be executed
• There were limitations:
– For example, there was an arbitrary send right...
Distributed Trusted OS (DTOS)
• AIM: True reference monitor in the Mach microkernel.
• Richer set of operations for ports than just send.
• Microkernel:
– Managed labeling of subjects and kernel objects.
– Mediated each kernel operation by querying security server.
• Focus on verifiability of microkernel and TCB.
Flask
• Fluke was a second generation microkernel developed at University of Utah, better than Mach.
• Flask = DTOS – Mach / Fluke
• More emphasis on TE.
UNIX Era
• By early 1990's, many Unices had MLS support.
• Search for adding integrity (very ad-hoc at this point).
• Cover two systems:
– IX
– DTE
IX
• AT&T prototype, enforces MLS and integrity.
• Includes a reference monitor over file access
• Mandatory access control policy providing both confidentiality and integrity protections.
• Care has been taken to prevent tampering in the TCB.
• Verification not a goal.
• MLS was high water mark, for files and processes. However processes could not go beyond a certain ceiling.
IX (2)
• Integrity was LoMac, with floors.
• Since levels are dynamic, each data transfer must be checked/mediated.
• No memory-mapped files.
• Trusted paths/pipes between processes (pex); a pex includes a label for the process at each end so that only that process may work with it.
An assured pipeline in IX
Domain and Type Enforcement
• Trusted Information Systems:
• Problem: protecting TCB from vulnerable root processes
• Runs on Tmach system, but reference monitor added to OSF/1.
DTE Policy Model
• Subject types are now called Domains, object types are still types.
• Each domain is a triple (access rights to objects, access rights to subjects in other domains (signals), entry point program)
• A domain describes how a process accesses files, signals other processes and creates processes.
• DTE Unix defines limited protection domains for root processes. Key point is “least privilege”.
• Domain transitions are limited and their execution is limited also.
• Labeled Networking.
Recent Unix Systems
• BSD variants
– Trusted BSD
• MAC, auditing, authentication
• Reference monitor interface similar to LSM
• SEBSD is a version of SELinux for BSD
– FreeBsd Jail
– OpenBSD emphasizes correct coding and configuration
• Code separation
• Buffer overflow protection
• Least privilege configurations
– NetBSD
• In-kernel authentication and verification of file execution
• Veriexec
Summary
Retrofitting Security into a Commercial OS
- Requirements and Challenges
- History
• Commercial Era• Microkernel Era• Unix Era – recent Unix variants