
Upload: sid-chaudhary

Post on 25-May-2015


Page 1: Unit 2 nms

UNIT-2 PART-1:- OPERATING SYSTEM SECURITY

Introduction to OS SECURITY:- An operating system is a fundamental component of most modern computer systems. The operating system sits close to the hardware: it masks the details of the underlying hardware from the programmer and provides the lowest layer of software visible to users. It can be viewed as a resource manager, responsible for fair resource sharing between the different processes in the system. The operating system also controls access to application memory and the scheduling of the processors. Applications must rely on OS-level services, and application developers generally do not know the level of detail needed to build secure applications on their own. If the OS does not perform these functions securely, it generally compromises all security at higher levels, so the OS is a very logical place to enforce and support security.

OS security revolves around the protection of four elements:-

1. Confidentiality:- the protection of data from unauthorized disclosure, for example the protection of transmitted data from passive attacks such as eavesdropping.

2. Authentication:- the mechanism that helps establish proof of identity. The authentication process ensures that the origin of an electronic message or document is correctly identified.

3. Integrity:- when the contents of a message are changed after the sender sends it but before it reaches the intended recipient, we say that the integrity of the message is lost.

4. Availability:- resources should be available to authorized parties at all times.

Protection Mechanisms:- The concept of multiprogramming introduces the sharing of resources among users. This sharing involves memory, I/O devices, programs and data. The ability to share these resources introduces the need for protection. An OS may offer protection along the following spectrum:-

No protection:- appropriate when sensitive procedures are run at separate times.

Isolation:- each process operates separately from other processes, with no sharing. Each process has its own address space, files and other objects.

Share all or share nothing:- the owner of an object declares it to be either public or private; in the latter case only the owner's process may access the object.

Share via access limitation:- the OS checks the permissibility of each access by a specific user to a specific object. The OS therefore acts as a guard between users and objects, ensuring that only authorized accesses occur.

Share via dynamic capabilities:- extends the concept of access control to allow the dynamic creation of sharing rights for objects.

Limit use of an object:- limits not just access to an object but the use to which that object may be put (for example, a user may be allowed to view a document but not to print it).


A given OS may provide different degrees of protection for different objects, users and applications. The OS needs to balance the need to allow sharing with the need to protect the resources of individual users.

PROTECTION OF MEMORY:- In a multiprogramming environment, protection of main memory is essential. The concern here is not just security but the correct functioning of the various active processes. The separation of the memory spaces of the various processes is easily accomplished with a virtual memory scheme: segmentation or paging, or the two in combination, provides an effective tool for managing main memory. The measures taken to control access in data processing systems fall into two categories:-

User-oriented access control (for example, log-on authentication)
Data-oriented access control, which takes the form of MAC (Mandatory Access Control) or DAC (Discretionary Access Control)

TOPIC -1:- LOW LEVEL PROTECTION MECHANISM LOMAC:-

LOMAC is a dynamically loadable security module for free UNIX kernels that uses Low Water-Mark Mandatory Access Control to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users and compromised network server daemons. LOMAC is designed for compatibility and ease of use, to be a form of MAC that typical users can live with. LOMAC implements a simple form of integrity protection based on Biba's low water-mark model in a Loadable Kernel Module (LKM). It provides useful integrity protection without modifications to the kernel, applications or their existing configuration. Its default configuration is intended to provide useful protection without being adjusted for the specific users, servers or other software present on the system, so LOMAC may be used to harden currently deployed systems simply by loading the LKM into the kernel shortly after boot time.

Protection:- LOMAC provides its protection by dividing a system into two integrity levels:-

High level
Low level


LOMAC's two-level partitioning of a system:

High level:- contains the critical system components that must be protected, such as the init process, kernel daemons, system binaries, libraries and configuration files.

Low level:- contains the remaining components, such as client and server processes that read from the network, local user processes and their files.

Once LOMAC assigns a file to one level or the other, its level never changes. This is not so for processes: LOMAC can "demote" high-level processes by reducing their level to low during run time. LOMAC never increases the level of a process.

When LOMAC is running, a process's level determines how much power it has to modify other parts of the system. Given the above division of the system into levels, LOMAC provides integrity protection with two main mechanisms:-

A. First, LOMAC prevents low-level processes from modifying high-level files or signalling high-level processes. Since non-administrative users, their network clients and all network servers run at the low level, these restrictions protect the high-level part of the system from direct attacks by malicious remote users and compromised servers.

B. Second, LOMAC ensures that data does not flow from low-level files to high-level files. A process might attempt to cause such a flow by reading from a low-level file and subsequently writing to a high-level file. LOMAC prevents such flows through demotion: whenever a high-level process reads from a low-level file, LOMAC reduces the process's level to low. Once at the low integrity level, LOMAC's first mechanism prevents the process from modifying high-level files or processes, as described above. This combination of mechanisms prevents indirect attacks by viruses, worms and Trojan horses.

(Figure: the two integrity levels)
High level: init, kernel daemons, system binaries, libraries, etc.
Low level: network servers, clients, user files, downloads


LOMAC cannot distinguish between a program that has read low-integrity data and is still running properly and one that has read low-integrity data and has been compromised. What LOMAC can do is ensure that processes which read potentially dangerous low-level data during run time are demoted to the low integrity level. Once at that level, LOMAC's other mechanism prevents them from harming high-integrity processes or files.

IMPLEMENTATION:- There are two main problems in implementing kernel-resident MAC:-
Gaining supervisory control over kernel operations
Mapping security attributes to files
For both problems LOMAC provides low-cost solutions. The figure (LOMAC loadable kernel module architecture) shows the architecture of the LOMAC LKM; it is split horizontally into an upper and a lower half. The upper half implements the high-level LOMAC functionality in a kernel-independent manner and consists of approximately 1000 lines of C code. The lower half implements a kernel-specific interface to the Linux 2.2 series of kernels and consists of approximately 1500 lines of C code.

More on gaining control:- At initialization time, LOMAC traverses the array of function pointers through which the kernel provides services to user processes (the system call vector) and replaces the addresses of the security-relevant system calls with the addresses of the corresponding wrappers. Once this is done, calls made through the system call vector reach the wrappers rather than the kernel's original system call functions.

More on attribute mapping:- The basic algorithm: given a target path, its level is found by searching linearly through the list of records until a record is found whose path is a prefix of the target path. For example, the level of "/home/httpd/html" is high because it matches the record for the prefix "/home/httpd". If during the search the target path matches a record's path exactly, the flag field is checked: if the CHILD-OF flag is set, the match is ignored and the search continues. Consequently the level of "/home/httpd" is high because it exactly matches the record for the prefix "/home/httpd", which has no CHILD-OF flag. The level of "/home/tfraser" is low because it matches the record for the prefix "/home", which carries the CHILD-OF flag, and the level of "/home" itself is high because the search skips the CHILD-OF "/home" record and matches the record for the prefix "/".

(Figure: LOMAC loadable kernel module architecture. Upper half: Monitor, PLM (path level map), Mediate. Lower half: wrappers and utility functions.)


Gaining Control:- LOMAC achieves control by interposing itself between processes and the kernel's system call interface. LOMAC's kernel interface contains a series of functions called "wrappers". Each wrapper takes the same parameters as its corresponding system call. Wrapper algorithm:-

    wrapper(arguments)
    {
        /* Mediate: decide to allow or deny the operation */
        /* Call the kernel's original system call function */
        /* Monitor: update LOMAC's state on successful completion */
    }

Attribute Mapping:- In addition to gaining supervisory control, LOMAC must also assign integrity levels to files in a manner that persists across reboots. LOMAC maintains a persistent mapping between levels and absolute canonical path names in its Path Level Map (PLM) module:

    Level   Flags      Path
    High    -          "/home/httpd"
    Low     CHILD-OF   "/home"
    High    -          "/"

Whenever the kernel opens a file, LOMAC labels its in-memory data structure with the integrity level indicated by the PLM. Records are matched longest path first. CHILD-OF is an extra flag indicating that the record applies to the children of "/home" but not to "/home" itself.

Application of LOMAC:- In order to apply this protection scheme, LOMAC must be able to determine the appropriate level for every process and file in the system.

1) Dividing the file system:- The rules explained under attribute mapping determine which parts of the file system are at the high integrity level and which are at the low level. These rules are presently set at compile time. Although future versions of LOMAC may provide a more configurable rule set, the goal of the present implementation is to deliver a single generic configuration that provides at least some protection on a wide variety of systems. The division described by the current rule set reflects the tension between two competing goals: providing the maximum amount of protection and maintaining the maximum amount of application compatibility.

2) Monitoring processes:- While file levels are static, process levels can decrease during run time. In general, LOMAC assigns a new process the same level as the process that created it. At initialization time, LOMAC assigns the high integrity level to the first process, which initializes the system by creating new high-level processes to handle various system tasks. These processes continue by creating more high-level children. As individual processes read from low-level files, LOMAC demotes them to the low integrity level. From that point, all their children begin life at the low level.


3) Exceptions for compatibility:- LOMAC must make an exception to allow some critical programs, such as the client-side DHCP agent pump and the system log daemon, to transfer data from the low level to the high level. For this it maintains a list of trusted programs. If a high-level process running a trusted program were compromised, LOMAC would not prevent it from harming the high-integrity part of the system. The presence of trusted programs therefore represents some risk, and each trusted program must be relied upon to operate properly.
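The following user-space simulation is an added example and is not code from the LOMAC project. It puts the three pieces described above into one small monitor: the PLM lookup with the CHILD-OF flag (using the three records from the notes), demotion of a high-level process when it reads a low-level file, and the resulting denial of writes and signals towards the high level, plus the trusted-program exception. The paths under "/home/tfraser", "/etc/passwd" and "/var/log/messages", the PIDs, and the trusted-program names "pump" and "syslogd" are constructed for the example.

```python
"""User-space simulation of LOMAC's two mechanisms (added example, not LOMAC code)."""
from dataclasses import dataclass

HIGH, LOW = 1, 0


@dataclass(frozen=True)
class PlmRecord:
    level: int
    child_of: bool  # record applies to children of path, not to path itself
    path: str


# PLM from the worked example in the notes; searched longest path first.
PLM = sorted(
    [PlmRecord(HIGH, False, "/home/httpd"), PlmRecord(LOW, True, "/home"), PlmRecord(HIGH, False, "/")],
    key=lambda r: len(r.path),
    reverse=True,
)


def _covers(prefix, target):
    """Component-wise prefix test: '/home' covers '/home/x' but not '/homer'."""
    if prefix == "/":
        return target.startswith("/")
    return target == prefix or target.startswith(prefix + "/")


def file_level(path, plm=PLM):
    """Integrity level of an absolute canonical path according to the PLM."""
    for rec in plm:
        if not _covers(rec.path, path):
            continue
        if rec.child_of and path == rec.path:
            continue  # exact match on a CHILD-OF record is ignored
        return rec.level
    raise ValueError("no PLM record covers " + path)


@dataclass
class Process:
    pid: int
    level: int
    program: str


# Hypothetical names for the compatibility exceptions the notes mention.
TRUSTED_PROGRAMS = {"pump", "syslogd"}


class Lomac:
    """Mediates the operations LOMAC cares about and records its decisions."""

    def __init__(self):
        self.log = []

    def fork(self, parent, pid, program=None):
        # A child starts at its parent's current level.
        return Process(pid, parent.level, program or parent.program)

    def open_read(self, proc, path):
        # Reading is always allowed, but reading low data demotes a high
        # process unless it runs a trusted program; a level is never raised.
        if file_level(path) < proc.level and proc.program not in TRUSTED_PROGRAMS:
            proc.level = LOW
            self.log.append(f"demote pid {proc.pid} after reading {path}")
        return True

    def open_write(self, proc, path):
        # A low process may not modify a high-level file.
        if file_level(path) > proc.level:
            self.log.append(f"deny pid {proc.pid} write to {path}")
            return False
        return True

    def signal(self, src, dst):
        # A low process may not signal a high-level process.
        return src.level >= dst.level


def scenario():
    """Walk through the demotion story from the notes and return the outcomes."""
    mon = Lomac()
    init = Process(1, HIGH, "init")
    httpd = mon.fork(init, 2, "httpd")
    mon.open_read(httpd, "/home/tfraser/upload.bin")  # low-level user file
    out = {
        "httpd_level": httpd.level,
        "httpd_writes_passwd": mon.open_write(httpd, "/etc/passwd"),
        "httpd_signals_init": mon.signal(httpd, init),
        "httpd_child_level": mon.fork(httpd, 3).level,
    }
    syslogd = mon.fork(init, 4, "syslogd")
    mon.open_read(syslogd, "/home/tfraser/app.log")  # trusted: not demoted
    out["syslogd_level"] = syslogd.level
    out["syslogd_writes_log"] = mon.open_write(syslogd, "/var/log/messages")
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print(name, value)
```

The demoted httpd process keeps running, which is the compatibility property the notes stress; only its ability to touch the high level is gone, and its children inherit the low level. The syslogd case shows the risk of the trusted list: the same read leaves it high, so the list must stay short.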

TOPIC-2 ACCESS CONTROL MODELS

Introduction to access control:- Information security rests on three foundations:-

Authentication, Access control, Audit

Authentication:- establishes the identity of one party to another. Most commonly, authentication establishes the identity of a user to some part of the system, typically by means of a password. More generally, authentication can be computer-to-computer or process-to-process, and mutual in both directions.

Access Control:- determines what one party will allow another to do with respect to resources and objects mediated by the former. Access control usually requires authentication as a prerequisite.

Audit:- the audit process gathers data about activity in the system and analyzes it to discover security violations or diagnose their cause. Analysis can occur offline after the fact or online in real time; in the latter case the process is usually called intrusion detection.

Access control is applied after authentication has been established. Access control can take several forms:-

Discretionary Access Control (DAC) is based on the idea that the owner of data should determine who has access to it. DAC allows data to be freely copied from object to object, so even if access to the original data is denied, access to a copy can be obtained.

Lattice-based access control, also known as Mandatory Access Control (MAC), confines the transfer of information to one direction in a lattice of security labels. MAC emerged from the confidentiality requirements of the military but has broad application to integrity and separation objectives as well.

Role-Based Access Control (RBAC) requires that access rights be assigned to roles rather than to individual users. Users obtain these rights by virtue of being assigned membership in appropriate roles. This simple idea greatly eases the administration of authorization.

Access control:- Access control refers to controlling access to resources on a computer or network system. Without it, everyone would be able to access everything: employees would be able to view their manager's salary information and read each other's email, and malicious individuals such as competitors would be able to dial into your remote access server and read your company's strategy plans for the next five years. With access control in place, users are identified, authenticated and authorized before they can actually access anything.


Access controls control which objects a subject can access; these are the two key terms used in access control models. A subject is someone or something (for example a user, an application or a system program) to which access to an object is granted or denied; examples of objects are files, printers, applications and system processes. Access control models provide a model for developers who need to implement access control functionality in their software and devices. An access control model defines a computer or network system's rules for user access to information resources. Access control models provide confidentiality and integrity, and also provide accountability through audit trails.

(Figure: taxonomy of access control models)
Access Control Models
  User-oriented access control: authentication
  Data-oriented access control: MAC (Bell-LaPadula, Biba, Chinese Wall), DAC, HAC
  Hybrid models: originator-controlled access control, role-based access control, Clark-Wilson model

Data-Oriented Access Control:- Following successful log-on, the user has been granted access to one host or a set of hosts and applications. At this point data access control is needed. In the legend above, real-world OS protection models fall basically into one of two types: MAC and DAC.


In computer security, passive resources are called objects and active entities that use the resources are called subjects. Typical objects include files, directories, memory and printers; typical subjects include users and processes. The roles depend upon the situation: for example, a process can request access to some resource (acting as a subject) and later be the target of a request (acting as an object).

MAC:- In mandatory access control, also called multilevel access control, objects (information) are classified on hierarchical levels of security sensitivity (typically top secret, secret, confidential, unclassified) and subjects (users) are assigned security clearances. Access of a subject to an object is granted or denied depending on the relation between the clearance of the subject and the security classification of the object. The lattice model and the Bell-LaPadula model are based on MAC.

DAC:- In the discretionary access model each object has a unique owner, and the owner exercises its discretion over the assignment of access permissions. Lampson introduced the access matrix model for DAC. The core of this model is a matrix whose rows are indexed by subjects and whose columns are indexed by objects:

              Doc-1    passwd    Progr_1
    Alice     rw       r         x
    Bob       r        r         -
    Ronald    rw       rw        rwx

Fig 1: Access Matrix

In real systems, however, access control matrices are not very practical: the matrix is usually sparse and there is a lot of redundancy, and although subjects and objects can be added or removed easily, a centralized matrix could become a bottleneck. The matrix may be decomposed by columns, yielding access control lists (Fig 2). Thus for each object, an ACL details the users and their permitted access rights; an ACL may contain a default or public entry. Decomposition by rows yields capability tickets (Fig 3). A capability ticket specifies the authorized objects and operations for a user; each user has a number of tickets and may be authorized to lend or give them to others. Because tickets may be dispersed around the system, they present a greater security problem than ACLs: a ticket must be unforgeable. One way to accomplish this is to have the OS hold all tickets on behalf of the users, in a region of memory inaccessible to them.


Fig (2): Access control lists (one list per object, obtained from the matrix by columns)

    File 1:  A (OWN, R, W) -> C (R, W) -> B (R)
    File 2:  B (OWN, R, W) -> C (R)
    File 3:  A (OWN, R, W) -> B (W)
    File 4:  B (R) -> C (OWN, R, W)


Fig (3): Capability lists (one list per user, obtained from the matrix by rows; the lists for users A, B and C are tabulated below)

So in the DAC model:-
Individual users determine the access controls; e.g. the Unix file system implements DAC.
This model works well in commercial and academic environments, not so well in the military, hospitals, private web sites, etc.

In the MAC model:-
A site-wide security policy is enforced by the system in addition to DAC.

Fig (3), continued: capability lists for users A, B and C

    User 'A':  File 1 (OWN, R, W) -> File 3 (OWN, R, W)
    User 'B':  File 1 (R) -> File 2 (OWN, R, W) -> File 3 (W) -> File 4 (R)
    User 'C':  File 1 (R, W) -> File 2 (R) -> File 4 (OWN, R, W)


MAC is better suited to environments with rigid information access restrictions.

Example of DAC:- User A owns the file Mydoc.doc and decides which other users are given access to it; access is granted on a "need to know" basis.

Example of MAC:- Access rights are granted according to a numeric access level. The access level of a user has to be equal to or higher than that of the object they want to access.

    Subject          Level      Object       Level
    Administrator    65360      file1.doc    2
    A                100        file2.doc    200
    B                1

A can access file1.doc but not file2.doc; B cannot access either file; the Administrator can access both.

MAC v/s DAC:-

1) MAC is best for military and highly sensitive information systems.

2) Models such as Bell-LaPadula, Chinese Wall and LOMAC are based on MAC rather than DAC.

3) MAC provides multilevel security capability.
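As an added example (not code from the notes or from any of the texts they draw on), the following builds the access matrix of Fig (1)-(3) (users A, B, C and File 1..4 are the constructed values of those figures), derives the ACLs and capability lists from it, enforces the owner-only rule for granting rights, and then shows the DAC copy problem mentioned above: a user with read access to an object can copy it into an object they own and grant a third party access to the copy.

```python
"""Access matrix, its ACL and capability decompositions, and the DAC copy
problem. Added example using the constructed matrix of Fig (1)-(3)."""
from collections import defaultdict

OWN, R, W = "own", "r", "w"

# Access matrix MATRIX[subject][object] = set of rights (Fig 2/3 data).
MATRIX = {
    "A": {"File 1": {OWN, R, W}, "File 3": {OWN, R, W}},
    "B": {"File 1": {R}, "File 2": {OWN, R, W}, "File 3": {W}, "File 4": {R}},
    "C": {"File 1": {R, W}, "File 2": {R}, "File 4": {OWN, R, W}},
}


def access_control_lists(matrix):
    """Decompose by columns: object -> {subject: rights} (Fig 2)."""
    acl = defaultdict(dict)
    for subj, row in matrix.items():
        for obj, rights in row.items():
            acl[obj][subj] = set(rights)
    return dict(acl)


def capability_lists(matrix):
    """Decompose by rows: subject -> {object: rights}, the subject's tickets (Fig 3)."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in matrix.items()}


def acl_allows(acl, subj, obj, right):
    return right in acl.get(obj, {}).get(subj, set())


def capability_allows(caps, subj, obj, right):
    return right in caps.get(subj, {}).get(obj, set())


def grant(acl, granter, obj, subj, right):
    """DAC rule: only the owner of an object may extend its ACL."""
    if OWN not in acl.get(obj, {}).get(granter, set()):
        raise PermissionError(f"{granter} does not own {obj}")
    acl[obj].setdefault(subj, set()).add(right)


def copy_leak(acl):
    """C may read File 2; A may not. C copies File 2 into File 4, which C
    owns and can write, and grants A read on the copy. Returns the pair
    (A reads File 2, A reads File 4): the original stays protected on
    paper while its contents are now readable by A."""
    if not acl_allows(acl, "C", "File 2", R):
        raise AssertionError("premise: C can read File 2")
    if not acl_allows(acl, "C", "File 4", W):
        raise AssertionError("premise: C can write File 4")
    grant(acl, "C", "File 4", "A", R)
    return acl_allows(acl, "A", "File 2", R), acl_allows(acl, "A", "File 4", R)


if __name__ == "__main__":
    acl = access_control_lists(MATRIX)
    print(acl["File 1"])
    print(capability_lists(MATRIX)["B"])
    print(copy_leak(acl))
```

Both decompositions answer the same question, but the ACL form is queried per object and the capability form per subject; the copy leak is not a bug in either structure, it is inherent to DAC because the owner of the copy, not of the original, decides who reads it.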

BELL-LAPADULA MODEL (BLP):-

BLP is a formal (mathematical) description of MAC. It has three properties:-

1) DS property (Discretionary Security)

2) SS property (Simple Security: no "read up")

3) * property (Star property: no "write down")

A secure system satisfies all of these properties. BLP includes a mathematical proof that if a system starts in a secure state and every transition satisfies all of the properties, then the system will remain secure. Some further description of BLP:-

BLP is a state machine model capturing the confidentiality aspects of access control.

Access permissions are defined through an access control matrix and through a partial ordering of security levels.

The security policy prevents information flowing downwards from a high security level to a low security level.

BLP only considers the information flow that occurs when a subject observes or alters an object.

What we have to model:-

1) All current access operations. An access operation is described by a tuple (s, o, a) with s ∈ S (subjects), o ∈ O (objects) and a ∈ A (access operations). The set of all current access operations is an element of P(S × O × A). We use B as shorthand for P(S × O × A) and b to denote a particular set of current accesses.

2) The current permissions, as defined by an access control matrix M. M also denotes the set of access control matrices.

3) The current assignment of security levels:-
   1. Maximal security level: fs : S → L (L is the set of labels). Current security level: fc : S → L. Classification: fo : O → L.
   2. The maximal security level of a user is the user's clearance.
   3. The current security level allows subjects to be downgraded temporarily.
   4. F ⊆ L^S × L^S × L^O is the set of security level assignments.
   5. f = (fs, fc, fo) denotes an element of F.
   6. The state set of BLP is V = B × M × F.
   7. A state is denoted by (b, M, f).

POLICIES OF BLP:-

1. Prevent information flow from high security levels to low security levels.

2. In BLP, information flow can only occur directly through access operations.

3. Simple Security Property (ss-property), no read-up: fs(s) ≥ fo(o) if access is in observe mode.

4. With the ss-property alone, information flow is still possible: a low subject could create a high-level "Trojan horse" program that reads a high-level document and copies its contents to a low-level file. This would constitute an improper declassification.

(Figure: the low subject creates the Trojan horse, which reads the high-level document and copies it to the low-level file.)

5. * property (star property), no write-down: fc(s) ≤ fo(o) if access is in alter mode; also, if subject s has access to an object o in alter mode, then fo(o') ≤ fo(o) for all objects o' accessed by s in observe mode.

6. The very first version of BLP did not consider the * property.

7. The ss and * properties are the mandatory BLP policies.

8. Discretionary Security property (ds-property): access must be permitted by the access control matrix, i.e. the operation a must be among the rights recorded in the entry of M for (s, o).

WRITE DOWN:-

1) The * property implies that a high-level subject is not able to send messages to a low-level subject.

2) There are two ways to escape from this restriction:-
a) Temporarily downgrade a high-level subject. This is the reason for the current security level fc. BLP assumes that subjects have no memory of their own.
b) Identify a set of trusted subjects which are permitted to violate the * property.

3) We redefine the * property and demand it only for subjects which are not trusted. Trusted subjects may violate the security policy.

BASIC SECURITY THEOREM OF BLP:-

1. A state is secure if all current access tuples (s, o, a) are permitted by the ss, * and ds properties.

2. A state transition is secure if it goes from a secure state to a secure state.

Theorem:- "If the initial state of the system is secure and all state transitions are secure, then the system will always be secure."

LIMITATIONS OF BLP:-

1) Restricted to confidentiality.

2) No policies for changing access rights; a general and complete downgrade is secure. BLP is intended for systems with static security levels.

3) BLP contains covert channels (a covert channel is a communication channel that allows the transfer of information in a manner that violates the system security policy): a low subject can detect the existence of high objects when it is denied access.
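The state machine above, written out as an added example (not code from the notes or their sources): labels carry a level and a set of categories ordered as a lattice, a state is (b, M, f) with f = (fs, fc, fo), and each access request becomes a transition that is granted only if the successor state still satisfies the ss-, *- and ds-properties, which is exactly the condition of the basic security theorem. The scenario replays the Trojan horse story: it reads a secret document, is stopped from writing a low file, and the temporary downgrade of fc only helps it once it has given up its observe access. The labels, subject "trojan" and objects "doc" and "out" are constructed.

```python
"""BLP as a state machine with the ss-, *- and ds-properties (added example)."""
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
OBSERVE, ALTER = "observe", "alter"


@dataclass(frozen=True)
class Label:
    level: str
    cats: frozenset = frozenset()  # need-to-know categories

    def dominates(self, other):
        """Partial order on labels: at least the level and a superset of categories."""
        return LEVELS[self.level] >= LEVELS[other.level] and self.cats >= other.cats


@dataclass
class State:
    b: set    # current accesses {(s, o, a)}
    M: dict   # access control matrix: (s, o) -> set of permitted modes
    fs: dict  # subject -> maximal level (clearance)
    fc: dict  # subject -> current level
    fo: dict  # object -> classification


def ss_property(st):
    """No read-up: fs(s) dominates fo(o) for every observe access."""
    return all(st.fs[s].dominates(st.fo[o]) for s, o, a in st.b if a == OBSERVE)


def star_property(st):
    """No write-down: fo(o) dominates fc(s) for every alter access, and every
    object s observes is dominated by every object s alters."""
    for s, o, a in st.b:
        if a != ALTER:
            continue
        if not st.fo[o].dominates(st.fc[s]):
            return False
        observed = [o2 for s2, o2, a2 in st.b if s2 == s and a2 == OBSERVE]
        if any(not st.fo[o].dominates(st.fo[o2]) for o2 in observed):
            return False
    return True


def ds_property(st):
    """Every current access is permitted by the access control matrix."""
    return all(a in st.M.get((s, o), set()) for s, o, a in st.b)


def secure(st):
    return ss_property(st) and star_property(st) and ds_property(st)


def request(st, s, o, a):
    """Transition: grant the access only if the successor state is secure."""
    trial = State(st.b | {(s, o, a)}, st.M, st.fs, st.fc, st.fo)
    if not secure(trial):
        return False
    st.b = trial.b
    return True


def release(st, s, o, a):
    st.b = st.b - {(s, o, a)}


def downgrade(st, s, new_fc):
    """Temporarily lower fc(s); the new level may not exceed the clearance fs(s)."""
    if not st.fs[s].dominates(new_fc):
        return False
    st.fc = dict(st.fc)
    st.fc[s] = new_fc
    return True


def scenario():
    """The Trojan horse from the notes, step by step; returns each decision."""
    secret, low = Label("secret"), Label("unclassified")
    st = State(
        b=set(),
        M={("trojan", "doc"): {OBSERVE}, ("trojan", "out"): {OBSERVE, ALTER}},
        fs={"trojan": secret}, fc={"trojan": secret},
        fo={"doc": secret, "out": low},
    )
    out = {}
    out["read_doc"] = request(st, "trojan", "doc", OBSERVE)
    out["write_low_while_high"] = request(st, "trojan", "out", ALTER)     # fc too high
    out["downgrade"] = downgrade(st, "trojan", low)
    out["write_low_still_reading"] = request(st, "trojan", "out", ALTER)  # still observes doc
    release(st, "trojan", "doc", OBSERVE)
    out["write_low_after_release"] = request(st, "trojan", "out", ALTER)
    out["reread_doc_while_writing"] = request(st, "trojan", "doc", OBSERVE)
    out["alter_doc_not_in_matrix"] = request(st, "trojan", "doc", ALTER)  # ds-property
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print(name, value)
```

The second clause of the *-property is what makes the downgrade safe in the model: lowering fc does not by itself let the subject write down while it still holds an observe access on the secret object, and once it releases that access the model assumes, as the notes say, that the subject has no memory of what it read. A real process does remember, which is why trusted subjects are a risk rather than a free escape.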

Topic 4:- BIBA MODEL:-

Introduction:- The Biba model is similar to BLP but its focus is on integrity rather than confidentiality. The main idea is to turn the BLP model upside down:

A high-integrity subject cannot read lower-integrity objects (no "read down").
A subject cannot move low-integrity data into a high-integrity environment (no "write up").

The Biba model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure that data are not contaminated. The following points should be noted carefully:-

Biba is a state machine model similar to BLP, capturing the integrity aspects of access control.
Integrity here means "prevention of unauthorized modification of information".
Integrity levels are assigned to subjects and objects.

Properties of the Biba model:

1) Simple Integrity property (no write-up):- if subject s can modify (alter) object o, then fs(s) ≥ fo(o).

2) Integrity * property:- if subject s can read (observe) object o, then s can have write access to some other object o' only if fo(o) ≥ fo(o').

Some other policies of Biba:-

1) Low water-mark policies (the basis of LOMAC) automatically adjust integrity levels. There are two variants:

A) Subject low water-mark policy:- subject s can read an object o at any integrity level. The new integrity level of s is glb(fs(s), fo(o)), the greatest lower bound of the two levels.

B) Object low water-mark policy:- subject s can modify an object o at any integrity level. The new integrity level of o is glb(fs(s), fo(o)).

Policies for invoke:- invoke is an access operation between subjects.


Invoke property:- subject s1 can invoke subject s2 only if fs(s1) ≥ fs(s2). According to this MAC integrity policy, a "dirty" subject s1 cannot touch a "clean" object indirectly by invoking a cleaner subject s2.

Ring property:- subject s1 can read objects at all integrity levels, modify objects o with fs(s1) ≥ fo(o), and invoke a subject s2 only if fs(s1) ≤ fs(s2). A "dirty" subject s1 can invoke a "clean" tool s2 to touch a "clean" object. The ring property is the opposite of the invoke property.

Features of BIBA:-

1) This security model is directed toward data integrity (rather than confidentiality) and is characterized by the phrase "no write up, no read down".

2) With Biba, users can only create content at or below their own integrity level (a monk may write a prayer book that can be read by commoners, but a high priest would not be allowed to view the work of the less pious monk). Conversely, users can only view content at or above their own integrity level (a monk may read a book written by the high priest but may not read a pamphlet written by a lowly commoner).

Comparison of BIBA with BLP:- As with BLP, the Biba model defines a simple security (ss) property and a * property. In this case they are reversed with respect to BLP:-

1) The ss property states that a subject at a given level of integrity may not read an object at a lower integrity level (no read down).

2) The * property states that a subject at a given level of integrity must not write to any object at a higher level of integrity (no write up).

Topic 5: CHINESE WALL MODEL:-

Introduction:- The Chinese Wall policy combines commercial discretion with legally enforceable mandatory controls. It is required in the operation of many financial services organizations and is therefore perhaps as significant to the financial world as the Bell-LaPadula policy is to the military.

What is in this model? The focus is on conflicts of interest. Principle: a user should not access the confidential information of both a client organization and one or more of its competitors.

How it works:- Users have no "wall" initially. Once any given file is accessed, files with competitor information become inaccessible.

The following points should be noted carefully:-


1) In a financial institution an analyst deals with a number of clients and has to avoid conflicts of interest.

2) The model has the following components:-
Subjects: analysts.
Objects: data items for a single client.
Company data set: y : O → C gives, for each object, its company data set.
Conflict of interest classes: companies that are competitors. x : O → P(C) gives, for each object o, the companies with a conflict of interest with y(o).
Labels: (company data set, conflict of interest class).
Sanitized information: no access restrictions (x(o) = {}).

Policies of the CHINESE WALL model:

1) Simple security property (ss):- access is only granted if the object requested is in the same company data set as an object already accessed by that subject, or belongs to none of the conflict of interest classes of objects already accessed by that subject. Formally:-

N = (N_so), s ∈ S, o ∈ O, is a Boolean matrix with N_so = true if s has accessed o.

ss-property:- subject s gets access to object o only if, for all objects o' with N_so' = true, y(o) ∉ x(o') or y(o) = y(o').

Indirect information flow:- Two competitors A and B have their accounts with the same bank. Analyst-A, dealing with A and the bank, updates the bank portfolio with sensitive information about A. Analyst-B, dealing with B and the bank, now has access to information about the competitor.

2) * property:- a subject s will be permitted write access to an object only if s has no read access to any object o' which is in a different company data set and is unsanitized. Formally:- subject s gets write access to object o only if s has no read access to an object o' with y(o) ≠ y(o') and x(o') ≠ {}.

Access rights of subjects change dynamically with every
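The two properties as a small reference monitor, added here as an example (it is not code from the notes, from Brewer and Nash, or from ConSA). It keeps the access history N per subject, applies the ss-property to every read and both properties to every write, and replays the indirect-flow story above: Analyst-A can read the bank portfolio but, having read unsanitized data of OilA, is refused write access to it, so Analyst-B cannot learn anything about OilA through the bank. The company data sets OilA, OilB, Bank and Public, the conflict classes and the analyst names are constructed.

```python
"""Chinese Wall (Brewer-Nash) reference monitor (added example).

y(o) is the company data set of object o and x(o) the set of companies in
conflict with it; x(o) == set() marks sanitized information."""
from collections import defaultdict

# Constructed objects: OilA and OilB compete; Bank competes with Bank2;
# the market report is sanitized (public) information.
OBJECTS = {
    "oilA_accounts": ("OilA", {"OilB"}),
    "oilB_accounts": ("OilB", {"OilA"}),
    "bank_portfolio": ("Bank", {"Bank2"}),
    "market_report": ("Public", set()),
}


def y(o):
    return OBJECTS[o][0]


def x(o):
    return OBJECTS[o][1]


class ChineseWall:
    def __init__(self):
        self.N = defaultdict(set)  # N[s]: objects s has accessed so far

    def may_read(self, s, o):
        # ss-property: same company data set as something already seen,
        # or in conflict with nothing already seen.
        return all(y(o) == y(o2) or y(o) not in x(o2) for o2 in self.N[s])

    def may_write(self, s, o):
        # *-property: no read access to unsanitized data of another company.
        clean = not any(y(o2) != y(o) and x(o2) for o2 in self.N[s])
        return self.may_read(s, o) and clean

    def read(self, s, o):
        ok = self.may_read(s, o)
        if ok:
            self.N[s].add(o)
        return ok

    def write(self, s, o):
        ok = self.may_write(s, o)
        if ok:
            self.N[s].add(o)
        return ok


def scenario():
    """The indirect-flow example from the notes, with the *-property closing it."""
    wall = ChineseWall()
    out = {}
    out["a_reads_oilA"] = wall.read("analyst_a", "oilA_accounts")
    out["a_reads_oilB"] = wall.read("analyst_a", "oilB_accounts")      # wall is up
    out["a_reads_bank"] = wall.read("analyst_a", "bank_portfolio")
    out["a_reads_report"] = wall.read("analyst_a", "market_report")
    out["a_writes_bank"] = wall.write("analyst_a", "bank_portfolio")   # would leak OilA
    out["b_reads_oilB"] = wall.read("analyst_b", "oilB_accounts")
    out["b_reads_bank"] = wall.read("analyst_b", "bank_portfolio")
    out["b_reads_oilA"] = wall.read("analyst_b", "oilA_accounts")
    out["c_writes_report"] = wall.write("analyst_c", "market_report")  # nothing read yet
    out["c_reads_bank_then_writes_report"] = (
        wall.read("analyst_c", "bank_portfolio") and wall.write("analyst_c", "market_report")
    )
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print(name, value)
```

Note how strict the *-property is: once an analyst has read unsanitized data of any company, they can write only into that company's own data set, even to a sanitized public report. That is the price of closing the indirect channel through shared objects such as the bank portfolio.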

An implementation of the CHINESE WALL security model using ConSA:- ConSA is a new architecture that allows security models to be developed separately from the system they will protect and still be integrated seamlessly into that system. Any system using ConSA could then also replace the security model at any time, while retaining the same operating system and applications.

Advantages of ConSA:

1) It is flexible enough that even a non-conventional security model such as the Chinese Wall model, where access control is based on previously accessed entities, can be implemented using ConSA with ease.

2) In order to present a new security model without needless clutter, the final details of its implementation on a system can be replaced by simply implementing it using ConSA.

The figure below shows the outline of ConSA as it will typically be used in an object-oriented OS. The label modules define the label classes. The information flow module handles the flow control, and the authorization control module (ACM) controls subject access to entities. The subject management module, used by the security manager, is not really required for the Chinese Wall model used here, since the primary subject access restrictions and modifications are automatically handled by the ACM module.

ConSA consists of a number of methods which have to be defined for a particular security model, with certain conditions which must hold after their execution to preserve a consistent security state.