![Page 1: Lecture 20 Overview. Trusted OS Design OS is a complex system – difficult to design – Adding the responsibility of security enforcement makes it even](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649e2b5503460f94b1a037/html5/thumbnails/1.jpg)
Lecture 20 Overview
Trusted OS Design
• OS is a complex system
– difficult to design
– Adding the responsibility of security enforcement makes it even more difficult
• Clear mapping from security requirements to the design
• Design must be checked using formal reviews or simulation
• Requirements → design → testing
Security Design Principles
• Least privilege – users and programs get the fewest privileges possible
• Economy of mechanism – small, simple, straightforward
• Open design – extensive public scrutiny
• Complete mediation – every access attempt must be checked
Security Design Principles
• Permission based– denial of access is the default
• Separation of privilege– more than one condition
• Least common mechanism– the risk of sharing
• Ease of use– unlikely to be avoided
OS Functions
Security features in ordinary OS
• Authentication of users– password comparison
• Protection of memory– user space, paging, segmentation
• File and I/O device access control– access control matrix
• Allocation & access control to general objects– table lookup
Security features in ordinary OS
• Enforcement of sharing– integrity, consistency
• Fair service– no starvation
• Interprocess communication & synchronization– table lookup
• Protection of OS protection data– encryption, hardware control, isolation
Trusted OS Functions
Security features of Trusted OS
• Identification and Authentication
• Mandatory and Discretionary Access Control
• Object reuse protection
• Complete mediation (all accesses are checked)
• Trusted path
• Accountability and Audit (security log)
• Audit log reduction
• Intrusion detection (patterns of normal system usage, anomalies)
Kernel
• OS part that performs lowest level functions
[Diagram: layers from top to bottom: User tasks, OS, OS Kernel, Hardware]
Security Kernel
• responsible for enforcing security mechanisms of the entire OS
• Coverage – ensure that every access is checked
• Separation – security mechanisms are isolated from the rest of OS and from user space → easier to protect
• Unity – all security mechanisms are performed by a single set of code → easier to trace problems
Security Kernel
• Modifiability – security mechanism changes are easier to make and test
• Compactness – relatively small
• Verifiability – formal methods, all situations are covered
Lecture 21
Trusted Operating System
CS 450/650
Fundamentals of Integrated Computer Security
Slides are modified from Hesham El-Rewini
Reference Monitor
• portion of a security kernel that controls accesses to objects
• Collection of access controls for
– Devices, Files, Memory, Interprocess communication, Other objects
• It must be
– Always invoked when any object is accessed
– Small enough for analysis, testing
– Tamperproof
[Diagram: subjects (S) reach objects (O) only through a gate, the reference monitor]
Trusted Computing Base (TCB)
• Everything in the trusted OS necessary to enforce security policy
• System element on which security enforcement depends:
– Hardware: processors, memory, registers, and I/O devices
– Processes: separate and protect security-critical processes
Trusted Computing Base (TCB)
• System element on which security enforcement depends (cont):
– Primitive files: security access control database, identification/authentication data
– Protected memory: reference monitor can be protected against tampering
– Interprocess communication: e.g., reference monitor can invoke and pass data securely to audit routine
TCB and Non-TCB Code
[Diagram partitioning system code into TCB and Non-TCB. TCB side: Primitive I/O; Basic Operations; Clocks, timing; Interrupt handling; Hardware: registers, memory; Capabilities. Non-TCB side: Applications; Utilities; User request interpreter; … The figure also shows Segmentation, paging, memory management.]
TCB monitors basic interactions
• Process activation
• Execution domain switching
• Memory Protection
• I/O operation
Combined Security Kernel / OS System
[Diagram: layers from top to bottom: User tasks, OS, OS Kernel, Hardware; security activity takes place in both the OS Kernel and the OS layers]
• OS Kernel: HW interactions, Access control
• OS: Resource allocation, Sharing, Access control, Authentication functions
Separate Security Kernel
[Diagram: layers from top to bottom: User tasks, OS, Security Kernel, Hardware]
• Security Kernel: Access control, Authentication functions
• OS: Resource allocation, Sharing, Hardware interactions
Separation
• Physical Separation
• Temporal Separation
• Cryptographic Separation
• Logical separation (isolation)
Virtualization
• OS emulates or simulates a collection of a computer system’s resources
• Virtual Machine: Collection of real or simulated hardware facilities– processor, memory, I/O devices
Virtual machine
[Diagram: Real System Resources → Real OS → three Virtual Machines, one each for User 1, User 2 and User 3]
Layered OS
[Diagram: layers from the hardware outward: Hardware; Security functions; Synchronization, allocation; Scheduling, sharing, MM; File system, device allocation; Utility functions; Compilers, database; User processes. The security functions form the security kernel, the surrounding kernel layers form the OS kernel, and the remaining system layers form the OS.]
Modules operating in Different Layers
[Diagram: a User Authentication module split across layers, from least trusted code to most trusted code: User interface; User ID lookup; Data comparison; Data update]
Assurance
• Testing – based on the actual product being evaluated, not on abstraction
• Verification – each of the system's functions works correctly
• Validation – developer is building the right product, according to the specification
Testing
• Observable effects versus internal structure
• Can demonstrate existence of a problem, but passing tests does not imply absence of any
• Hard to achieve adequate test coverage within reasonable time
– inputs & internal states: hard to keep track of all states
• Penetration Testing – tiger team analysis, ethical hacking
– Team of experts in design of OS tries to crack the system
Formal verification
• The most rigorous method
• Rules of mathematical logic to demonstrate that a system has a certain security property
• Proving a Theorem
– Time consuming
– Complex process
Example: find minimum
[Flowchart: Entry → min ← A[1] → i ← 1 → loop: i ← i + 1; is i > n? yes → Exit; no → is min < A[i]? yes → back to i ← i + 1; no → min ← A[i], then back to i ← i + 1]
Finding the minimum value
Assertions
P: n > 0
Q: n > 0 and 1 ≤ i ≤ n and min = A[1]
R: n > 0 and 1 ≤ i ≤ n and for all j, 1 ≤ j ≤ i - 1: min ≤ A[j]
S: n > 0 and i = n + 1 and for all j, 1 ≤ j ≤ i - 1: min ≤ A[j]
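The flowchart and its four assertions, executed as code. This is an added example, not part of the lecture slides: the function follows the flowchart step by step and checks P, Q, R and S at the points where the slides claim they hold (the slide's 1-based A[k] is Python's A[k-1]).

```python
# Added example (not from the lecture slides): the find-minimum flowchart
# with the slide's assertions P, Q, R and S checked where they are claimed to hold.
# Indices follow the slide (A[1]..A[n]); Python's A[k-1] is the slide's A[k].

def find_min(A):
    """Return the minimum of A, executing the flowchart step by step."""
    n = len(A)
    assert n > 0                                          # P: precondition at Entry
    minimum = A[1 - 1]                                    # min <- A[1]
    i = 1                                                 # i <- 1
    assert n > 0 and 1 <= i <= n and minimum == A[1 - 1]  # Q
    while True:
        i = i + 1                                         # i <- i + 1
        if i > n:                                         # i > n ? yes -> Exit
            break
        # R: loop invariant on the "no" branch: min is <= every element of A[1..i-1]
        assert n > 0 and 1 <= i <= n and all(minimum <= A[j - 1] for j in range(1, i))
        if not (minimum < A[i - 1]):                      # min < A[i] ? no -> update
            minimum = A[i - 1]                            # min <- A[i]
    # S: postcondition at Exit: i = n + 1 and min is <= every element of A[1..n]
    assert n > 0 and i == n + 1 and all(minimum <= A[j - 1] for j in range(1, i))
    return minimum


def precondition_violated(A):
    """True when find_min(A) stops at assertion P (the n > 0 precondition fails)."""
    try:
        find_min(A)
    except AssertionError:
        return True
    return False
```

Running with an empty list stops at P, which is what the precondition n > 0 is there to catch; every other input passes Q, R and S and returns the minimum.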
Validation
• Requirements checking – system does things it should do
– also, system does not do things it is not supposed to do
• Design and code reviews – traceability from each requirement to design and code components
• System testing – data expected from reading the requirement document can be confirmed in the actual running of the system
Security Policies
Security Policy
• A security policy is a statement of the security we expect the system to enforce
• A system can be trusted only in relation to its security policy – that is, to the security needs the system is expected to satisfy
Military Security policy
[Diagram: sensitivity levels from lowest to highest: Unclassified, Restricted, Confidential, Secret, Top Secret]
Access to Information
• Information access is limited by the need-to-know rule
• Compartment: Each piece of classified information may be associated with one or more projects called compartments
Compartments and Sensitivity Levels
[Diagram: the sensitivity levels Unclassified, Restricted, Confidential, Secret, Top Secret crossed with Compartment 1, Compartment 2, Compartment 3]
Classification & Clearance
• <rank; compartments> – class of a piece of information
• Clearance: an indication that a person is trusted to access information up to a certain level of sensitivity
• <rank; compartments> – clearance of a subject
Dominance Relation
• For a subject s and an object o, o <= s if and only if
– rank(o) <= rank(s) and
– compartments(o) is a subset of compartments(s)
• We say that s dominates o (or o is dominated by s) if o <= s
• A subject can read an object if the subject dominates the object.
Example
• Information classified as <secret; {Sweden}>
• Which of the following subject clearances can read the above information?
– <top secret; {Sweden}>
– <secret; {Sweden, crypto}>
– <top secret; {crypto}>
– <confidential; {Sweden}>
– <secret; {France}>
Models of Security
• Security models are used to
– Test a particular policy for completeness and consistency
– Document a policy
– Help conceptualize and design an implementation
– Check whether an implementation meets the requirements
Lattice
[Diagram: a lattice of security classes with an upper bound and a lower bound]
Bell-La Padula Model
• Formal description of the allowable paths of information flow in a secure system
• Set of subjects and another set of objects
• Each subject s has a fixed security clearance C(s)
• Each object o has a fixed security class C(o)
Bell-La Padula Model
• Two properties characterize the secure flow of information:
– A subject s may have read access to an object o only if C(o) <= C(s)
– A subject s who has read access to an object o may have write access to an object p only if C(o) <= C(p).
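The dominance relation, the <secret; {Sweden}> clearance example and the two Bell-La Padula properties above, as an added example that is not part of the lecture. Labels are (rank, compartments) pairs standing for <rank; compartments>; the rank order is the one from the military security policy slide, and the clearance list is the one from the example slide.

```python
# Added example (not from the lecture): dominance relation and Bell-La Padula
# properties over <rank; compartments> labels, run on the slides' example.

RANKS = ["unclassified", "restricted", "confidential", "secret", "top secret"]


def rank(level):
    """Position of a sensitivity level in the ordering (higher index = more sensitive)."""
    return RANKS.index(level)


def dominates(s, o):
    """o <= s: rank(o) <= rank(s) and compartments(o) is a subset of compartments(s)."""
    s_rank, s_comp = s
    o_rank, o_comp = o
    return rank(o_rank) <= rank(s_rank) and set(o_comp) <= set(s_comp)


def may_read(subject_clearance, object_class):
    """Simple security property: s may read o only if C(o) <= C(s)."""
    return dominates(subject_clearance, object_class)


def may_write(read_object_class, target_object_class):
    """Second property as stated on the slide: a subject that has read o
    may write p only if C(o) <= C(p), i.e. p must dominate o."""
    return dominates(target_object_class, read_object_class)


# The example slide: information classified <secret; {Sweden}> and five clearances.
INFO = ("secret", {"Sweden"})
CANDIDATES = [
    ("top secret", {"Sweden"}),
    ("secret", {"Sweden", "crypto"}),
    ("top secret", {"crypto"}),
    ("confidential", {"Sweden"}),
    ("secret", {"France"}),
]


def readers_of(object_class, clearances):
    """The clearances in `clearances` that dominate `object_class`."""
    return [c for c in clearances if may_read(c, object_class)]
```

A clearance that is higher in rank but lacks the compartment, such as <top secret; {crypto}>, does not dominate the information; both conditions of the relation must hold.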
Illustration
[Diagram: subjects s1, s2 and objects o1, o2, o3, o4, o5 arranged between Low and High security classes, showing the permitted read and write flows]
Harrison, Ruzzo, and Ullman Model
[Access matrix M: rows are the subjects S1, S2, S3; columns are S1, S2, S3, O1, O2, O3. Each subject holds the control right in its own column; the object entries are combinations of Owner, read, write and execute. The exact placement of the object entries is not recoverable from the extracted layout.]
HRU Model (cont.)
• HRU allows the state of the protection system to be changed by a well defined set of commands:
– Add subject s to M
– Add object o to M
– Delete subject s from M
– Delete object o from M
– Add right r to M[s,o]
– Delete right r from M[s,o]
– Owner can change rights of an object
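The HRU protection matrix and its primitive commands as runnable code, added here as an example and not taken from the lecture: the six primitive operations act on M, and two further commands (owner_grants, owner_revokes; names are assumed) show how "Owner can change rights of an object" becomes a command whose condition is checked against M before any primitive runs.

```python
# Added example (not part of the lecture): a protection matrix M with the HRU
# primitive operations from the slide, plus two owner-conditioned commands that
# implement "Owner can change rights of an object". The scenario is constructed.

class ProtectionMatrix:
    def __init__(self):
        self.subjects = set()
        self.objects = set()            # every subject is also an object (a column)
        self.M = {}                     # (s, o) -> set of rights

    def add_subject(self, s):
        self.subjects.add(s)
        self.objects.add(s)
        self.M[(s, s)] = {"control"}    # a subject controls itself, as in the matrix

    def add_object(self, o):
        self.objects.add(o)

    def delete_subject(self, s):       # drops both the row and the column of s
        self.subjects.discard(s)
        self.objects.discard(s)
        self.M = {k: v for k, v in self.M.items() if s not in k}

    def delete_object(self, o):
        self.objects.discard(o)
        self.M = {k: v for k, v in self.M.items() if k[1] != o}

    def add_right(self, r, s, o):
        if s not in self.subjects or o not in self.objects:
            raise KeyError(f"unknown subject/object in M[{s},{o}]")
        self.M.setdefault((s, o), set()).add(r)

    def delete_right(self, r, s, o):
        self.M.get((s, o), set()).discard(r)

    def rights(self, s, o):
        return frozenset(self.M.get((s, o), set()))

    # An HRU command = a condition on M followed by primitive operations.
    def owner_grants(self, owner, r, s, o):
        """owner adds right r to M[s,o]; allowed only if owner holds Owner on o."""
        if "Owner" not in self.rights(owner, o):
            return False
        self.add_right(r, s, o)
        return True

    def owner_revokes(self, owner, r, s, o):
        """owner removes right r from M[s,o]; same Owner condition."""
        if "Owner" not in self.rights(owner, o):
            return False
        self.delete_right(r, s, o)
        return True


def build_example():
    """Constructed scenario: S2 owns O1 and hands out read; S1 (not an owner) may not."""
    m = ProtectionMatrix()
    for s in ("S1", "S2", "S3"):
        m.add_subject(s)
    for o in ("O1", "O2", "O3"):
        m.add_object(o)
    m.add_right("Owner", "S2", "O1")
    ok_owner = m.owner_grants("S2", "read", "S3", "O1")        # True
    ok_not_owner = m.owner_grants("S1", "write", "S3", "O1")   # False
    return m, ok_owner, ok_not_owner
```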
Take Grant Model
• Unlimited number of subjects and objects
• States and state transitions
• Directed graph
• Four primitive operations:
– take
– create
– grant
– revoke
Take Grant Model (Cont.)
[Diagram: a protection graph with subjects S1, S2, S3 and objects O1, O2, O3; its edges are labelled read, execute and read, write]
Create
• S creates a new object O and receives rights to it: S becomes S –rights→ O
Revoke
• S gives up some of its rights on O: S –r1, r2, r3→ O becomes S –r1, r2→ O
Take
• S1 –take→ S2 and S2 –read→ O becomes S1 –take→ S2, S2 –read→ O and S1 –read→ O (S1 takes the read right on O from S2)
Grant
• S1 –grant→ S2 and S1 –read→ O becomes S1 –grant→ S2, S1 –read→ O and S2 –read→ O (S1 grants its read right on O to S2)
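The four take-grant operations as state transitions on a directed graph, added here as an example (not code from the lecture). The take and grant rules check the precondition shown in the corresponding diagram before adding the new edge; take_scenario and grant_scenario (assumed names) rebuild the two diagrams' starting states.

```python
# Added example (not from the slides): a take-grant protection graph where each
# primitive operation is a state transition that only fires when the diagram's
# precondition holds. Vertex names are constructed.

class TakeGrantGraph:
    def __init__(self):
        self.edges = {}              # (src, dst) -> set of rights on the edge

    def rights(self, a, b):
        return frozenset(self.edges.get((a, b), set()))

    def edge(self, a, b, rights):
        """Set up an edge of the initial state (not one of the four operations)."""
        self.edges.setdefault((a, b), set()).update(rights)

    def create(self, s, new, rights):
        """s creates vertex `new` and obtains `rights` on it."""
        self.edge(s, new, rights)

    def revoke(self, s, o, rights):
        """s removes some of its own rights on o."""
        self.edges.get((s, o), set()).difference_update(rights)

    def take(self, s1, s2, o, right):
        """s1 -take-> s2 and s2 -right-> o  =>  s1 -right-> o."""
        if "take" in self.rights(s1, s2) and right in self.rights(s2, o):
            self.edge(s1, o, {right})
            return True
        return False

    def grant(self, s1, s2, o, right):
        """s1 -grant-> s2 and s1 -right-> o  =>  s2 -right-> o."""
        if "grant" in self.rights(s1, s2) and right in self.rights(s1, o):
            self.edge(s2, o, {right})
            return True
        return False


def take_scenario():
    """The Take diagram: S1 -take-> S2, S2 -read-> O; S1 takes read on O."""
    g = TakeGrantGraph()
    g.edge("S1", "S2", {"take"})
    g.edge("S2", "O", {"read"})
    return g, g.take("S1", "S2", "O", "read")


def grant_scenario():
    """The Grant diagram: S1 -grant-> S2, S1 -read-> O; S1 grants read on O to S2."""
    g = TakeGrantGraph()
    g.edge("S1", "S2", {"grant"})
    g.edge("S1", "O", {"read"})
    return g, g.grant("S1", "S2", "O", "read")
```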