Presentation transcript: "Operating System Security"
1 Operating System Security
Trent Jaeger, The Pennsylvania State University
Synthesis Lectures on Information Security, Privacy and Trust #1
Morgan & Claypool Publishers
2 Introduction
Operating systems provide the fundamental mechanisms for securing computer processing. Since the 1960s, operating systems designers have explored how to build "secure" operating systems: operating systems whose mechanisms protect the system against a motivated adversary. Recently, the importance of ensuring such security has become a mainstream issue for all operating systems.
4 Three major tasks
First, operating systems must provide efficient resource mechanisms.
Second, it is the operating system's responsibility to switch among the processes fairly.
Third, access to resources should be controlled, such that one process cannot inadvertently or maliciously impact the execution of another.
5
This third task is the problem of ensuring the security of all processes run on the system. Ensuring the secure execution of all processes depends on the correct implementation of resource and scheduling mechanisms.
Security becomes an issue because processes in modern computer systems interact in a variety of ways, and the sharing of data among users is a fundamental use of computer systems.
First, the output of one process may be used by other processes.
Second, with the ubiquity of Internet-scale sharing mechanisms, such as the web and instant messaging, users may share anything with anyone in the world.
6
The challenge in developing operating systems security is to design security mechanisms that protect process execution and their generated data in an environment with such complex interactions.
The current state of operating systems security takes two forms:
(1) constrained systems that can enforce security goals with a high degree of assurance, and
(2) general-purpose systems that can enforce limited security goals with a low to medium degree of assurance.
7 Security Goal
A secure operating system provides security mechanisms that ensure that the system's security goals are enforced despite the threats faced by the system.
Systems that provide a high degree of assurance in enforcement have been called secure systems, or even more frequently "trusted" systems. However, it is also true that no system of modern complexity is completely secure.
A security goal defines the operations that can be executed by a system while still preventing unauthorized access.
Security goals describe how the system implements accesses to system resources that satisfy the following:
1. secrecy,
2. integrity,
3. and availability.
8
An example of a functional security goal is the principle of least privilege, which limits a process to only the set of operations necessary for its execution.
To build any secure system requires that we consider how the system achieves its security goals under a set of threats (i.e., a threat model) and given a set of software, including the security mechanisms, that must be trusted (i.e., a trust model).
Trust Model
A system's trust model defines the set of software and data upon which the system depends for correct enforcement of system security goals. For example, the operating system depends on a variety of programs to authenticate the identity of users (e.g., login and SSH).
9 Threat Model
A threat model defines a set of operations that an attacker may use to compromise a system. If an attacker is able to find a vulnerability in the system that provides access to secret information (i.e., violates secrecy goals) or permits the modification of information that subjects depend on (i.e., violates integrity goals), then the attacker is said to have compromised the system.
This threat model exposes a fundamental weakness in commercial operating systems: they assume that all software running on behalf of a subject is trusted by that subject. This can result in the leakage of that user's secrets and the modification of data that the user depends on.
10 Access Control
An access enforcement mechanism authorizes requests from multiple subjects (e.g., users, processes, etc.) to perform operations (e.g., read, write, etc.) on objects (e.g., files, sockets, etc.). An operating system provides an access enforcement mechanism.
Two fundamental concepts of access control:
a protection system that defines the access control specification, and
a reference monitor that is the system's access enforcement mechanism that enforces this specification.
11 Protection system
A protection system consists of a protection state, which describes the operations that system subjects can perform on system objects, and a set of protection state operations, which enable modification of that state.
A protection system enables the definition and management of a protection state. A protection state consists of the specific system subjects, the specific system objects, and the operations that those subjects can perform on those objects.
The access matrix is used to define the protection domain of a process.
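To make the protection state and its operations concrete, here is an added example (written for this transcript, not code from the lecture or its author): an access matrix whose cells hold the operations a subject may perform on an object, together with the protection state operations (create, grant, revoke) that modify it. It models the discretionary case, where whoever holds a "grant" right on an object may change that object's column, and shows why that is dangerous: a program run with a user's identity issues protection state operations with that user's rights. The subjects, object names and the "grant" right are hypothetical and constructed for the illustration.

```python
# Added example: an access matrix as a protection state with protection-state
# operations, in the discretionary (DAC) style. All names are hypothetical.
from collections import defaultdict


class AccessMatrix:
    """Protection state: (subject, object) -> set of operations the subject may perform."""

    def __init__(self):
        self._cells = defaultdict(set)

    # Protection state query: the question a reference monitor would ask.
    def allowed(self, subject, obj, op):
        return op in self._cells[(subject, obj)]

    def row(self, subject):
        """The protection domain of a subject: every (object, operation) it holds."""
        return {(o, op) for (s, o), ops in self._cells.items()
                if s == subject for op in ops}

    # Protection state operations: these change the matrix itself.
    def create(self, creator, obj):
        """Creating an object gives the creator full rights, including 'grant'."""
        self._cells[(creator, obj)] = {"read", "write", "grant"}

    def grant(self, granter, subject, obj, op):
        """Discretionary rule: a subject holding 'grant' on obj may extend any row."""
        if not self.allowed(granter, obj, "grant"):
            raise PermissionError(f"{granter} holds no grant right on {obj}")
        self._cells[(subject, obj)].add(op)

    def revoke(self, revoker, subject, obj, op):
        if not self.allowed(revoker, obj, "grant"):
            raise PermissionError(f"{revoker} holds no grant right on {obj}")
        self._cells[(subject, obj)].discard(op)


def run_as(matrix, user, program):
    """Constructed model of process execution: a program runs with the rights of
    the user who invoked it, so its protection-state operations are the user's."""
    program(matrix, user)


def untrusted_program(matrix, user):
    """A program the user runs which, unknown to the user, shares a secret file."""
    matrix.grant(user, "bob", "/home/alice/secret", "read")


def dac_demo():
    """Returns what the matrix says before and after the untrusted program ran."""
    m = AccessMatrix()
    m.create("alice", "/home/alice/secret")
    results = {"bob_reads_before": m.allowed("bob", "/home/alice/secret", "read")}

    # bob cannot change alice's object directly: he holds no 'grant' right.
    try:
        m.grant("bob", "bob", "/home/alice/secret", "write")
        results["bob_grants_himself"] = True
    except PermissionError:
        results["bob_grants_himself"] = False

    # But a program alice runs carries alice's rights and can modify the state.
    run_as(m, "alice", untrusted_program)
    results["bob_reads_after"] = m.allowed("bob", "/home/alice/secret", "read")
    results["alice_domain"] = m.row("alice")
    return results


if __name__ == "__main__":
    for key, value in dac_demo().items():
        print(f"{key}: {value}")
```

The matrix itself is not the problem; the problem is that the state-modifying operations are available to any process running as the object's owner, which is exactly the assumption that all software running on a user's behalf is trusted by that user.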
12 Mandatory protection system
Problems with access matrix: untrusted processes can tamper with the protection system. A protection system that permits untrusted processes to modify the protection state is called a discretionary access control (DAC) system.
Mandatory protection system: a mandatory protection system is a protection system that can only be modified by trusted administrators via trusted software, consisting of the following state representations:
1. A mandatory protection state is a protection state where subjects and objects are represented by labels, where the state describes the operations that subject labels may take upon object labels;
2. A labeling state for mapping processes and system resource objects to labels;
3. A transition state that describes the legal ways that processes and system resource objects may be relabeled.
13 Mandatory access control
A label is simply an abstract identifier: the assignment of permissions to a label defines its security semantics. Labels are tamperproof. Trusted administrators define the access matrix's labels and set the operations that subjects of particular labels can perform on objects of particular labels. Such protection systems are mandatory access control (MAC) systems because the protection system is immutable to untrusted processes.
15 A reference monitor is the classical access enforcement mechanism
A reference monitor is the classical access enforcement mechanism. It takes a request as input, and returns a binary response indicating whether the request is authorized by the reference monitor's access control policy. We identify three distinct components of a reference monitor:
(1) its interface: the interface defines where the authorization module needs to be invoked to perform an authorization query to the protection state, a labeling query to the labeling state, or a transition query to the transition state;
(2) its authorization module: determines the exact queries that are to be made to the policy store;
(3) its policy store: the policy store responds to authorization, labeling, and transition queries based on the protection system that it maintains.
17 Concluding Remarks
A secure operating system is an operating system where its access enforcement satisfies the reference monitor concept.
The reference monitor concept defines the necessary and sufficient properties of any system that securely enforces a mandatory protection system, consisting of three guarantees:
1. Complete Mediation: The system ensures that its access enforcement mechanism mediates all security-sensitive operations.
2. Tamperproof: The system ensures that its access enforcement mechanism, including its protection system, cannot be modified by untrusted processes.
3. Verifiable: The access enforcement mechanism, including its protection system, "must be small enough to be subject to analysis and tests, the completeness of which can be assured". That is, we must be able to prove that the system enforces its security goal correctly.
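The following is an added example (written for this transcript, not code from the lecture or its author) that ties slides 12 through 17 together: a mandatory protection system made of a label-based protection state, a labeling state and a transition state, enforced by a reference monitor with the three components named above. The kernel wrapper is the interface (every read, write and execute is mediated), the monitor's methods are the authorization module (a labeling query, then an authorization or transition query), and the policy object is the policy store, which only a subject labeled as a trusted administrator may replace. A final function shows the "verifiable" guarantee on a policy this small: the security goal is checked by exhaustively inspecting the policy. The labels, subjects, object paths and the login transition are hypothetical values constructed for the illustration.

```python
# Added example: a mandatory protection system enforced by a reference monitor.
# Labels, subjects, paths and the transition rule are hypothetical.
from dataclasses import dataclass

TRUSTED_ADMIN = "admin"          # the subject label allowed to modify the policy store


@dataclass
class MandatoryProtectionSystem:
    """Contents of the policy store (slide 12's three state representations)."""
    protection_state: dict       # (subject label, object label) -> set of operations
    subject_labels: dict         # labeling state for subjects: subject -> label
    object_labels: dict          # labeling state for objects: object -> label
    transition_state: dict       # (subject label, executed object label) -> new label


class ReferenceMonitor:
    """Authorization module plus policy store."""

    def __init__(self, policy):
        self.policy = policy

    def load_policy(self, caller, policy):
        """Tamperproof: only a trusted administrator may replace the policy store."""
        if self.policy.subject_labels.get(caller) != TRUSTED_ADMIN:
            raise PermissionError(f"{caller} is not a trusted administrator")
        self.policy = policy

    def authorize(self, subject, obj, op):
        """Labeling queries for both ends, then one authorization query."""
        p = self.policy
        s_label = p.subject_labels.get(subject)
        o_label = p.object_labels.get(obj)
        if s_label is None or o_label is None:
            return False                           # unlabeled entities are denied
        return op in p.protection_state.get((s_label, o_label), set())

    def transition(self, subject, exec_obj):
        """Transition query: relabel the subject if the transition state allows it."""
        p = self.policy
        key = (p.subject_labels.get(subject), p.object_labels.get(exec_obj))
        new_label = p.transition_state.get(key)
        if new_label is not None:
            p.subject_labels[subject] = new_label
        return p.subject_labels.get(subject)


class Kernel:
    """Reference monitor interface: every security-sensitive call is mediated."""

    def __init__(self, monitor):
        self.rm = monitor
        self.files = {}

    def read(self, subject, obj):
        if not self.rm.authorize(subject, obj, "read"):
            raise PermissionError(f"{subject}: read {obj} denied")
        return self.files.get(obj, "")

    def write(self, subject, obj, data):
        if not self.rm.authorize(subject, obj, "write"):
            raise PermissionError(f"{subject}: write {obj} denied")
        self.files[obj] = data

    def execute(self, subject, obj):
        if not self.rm.authorize(subject, obj, "execute"):
            raise PermissionError(f"{subject}: execute {obj} denied")
        return self.rm.transition(subject, obj)


def sample_policy():
    """Constructed policy: users read public data and own their files; only the
    admin label touches 'secret' objects; executing a login binary promotes a user."""
    return MandatoryProtectionSystem(
        protection_state={
            ("user", "user_data"): {"read", "write"},
            ("user", "public"): {"read"},
            ("user", "login_bin"): {"read", "execute"},
            ("admin", "secret"): {"read", "write"},
            ("admin", "user_data"): {"read", "write"},
            ("admin", "public"): {"read", "write"},
        },
        subject_labels={"alice": "user", "root": "admin"},
        object_labels={"/home/alice/notes": "user_data", "/etc/motd": "public",
                       "/bin/login": "login_bin", "/etc/shadow": "secret"},
        transition_state={("user", "login_bin"): "admin"},
    )


def verify_secret_goal(policy):
    """Verifiable: the policy is small enough to check exhaustively. The goal is
    that only the admin label writes 'secret' objects and that the admin label
    is reachable only by executing a 'login_bin' object."""
    writers = {s for (s, o), ops in policy.protection_state.items()
               if o == "secret" and "write" in ops}
    entry_points = {via for (_, via), dst in policy.transition_state.items()
                    if dst == TRUSTED_ADMIN}
    return writers <= {TRUSTED_ADMIN} and entry_points <= {"login_bin"}


def demo():
    rm = ReferenceMonitor(sample_policy())
    k = Kernel(rm)
    results = {}
    k.write("root", "/etc/shadow", "password hashes")
    try:
        k.read("alice", "/etc/shadow")
        results["alice_reads_secret"] = True
    except PermissionError:
        results["alice_reads_secret"] = False
    try:                                           # untrusted subject vs. policy store
        rm.load_policy("alice", sample_policy())
        results["alice_replaces_policy"] = True
    except PermissionError:
        results["alice_replaces_policy"] = False
    results["label_after_login"] = k.execute("alice", "/bin/login")
    results["policy_meets_goal"] = verify_secret_goal(rm.policy)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Compared with the discretionary access matrix, nothing alice runs can change which labels may write "/etc/shadow": the only state that changes during execution is her own label, and only along a transition the administrator wrote into the transition state.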