Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 9 Page 1 CS 236 Online Assurance of Trusted Operating Systems How do I know that I should trust someone’s operating system? What methods can I.

Published byElmer Freeman Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 9 Page 1 CS 236 Online Assurance of Trusted Operating Systems How do I know that I should trust someone’s operating system? What methods can I."— Presentation transcript:

1 Lecture 9 Page 1 CS 236 Online Assurance of Trusted Operating Systems How do I know that I should trust someone’s operating system? What methods can I use to achieve the level of trust I require?

2 Lecture 9 Page 2 CS 236 Online Assurance Methods Testing Formal verification Validation

3 Lecture 9 Page 3 CS 236 Online Testing Run a bunch of tests against the OS to demonstrate that it’s secure But what tests? What is a sufficient set of tests to be quite sure it works? Not a strong proof of system security But what is used most often

4 Lecture 9 Page 4 CS 236 Online Formal Verification Define security goals in formal terms Map either OS design or implementation to those terms Use formal methods to “prove” that the system meets security goals

5 Lecture 9 Page 5 CS 236 Online Challenges in Formal Verification Defining security goals properly Accurate mapping of real system to formal statements –This one is a real killer High overhead of running verification methods for realistic systems

6 Lecture 9 Page 6 CS 236 Online Validation Define desired system security In terms of: –Features provided –Architectural design –Processes used in creating the system –Evaluation methodology –Possibly other dimensions Use standardized procedure to demonstrate your system fits this profile

7 Lecture 9 Page 7 CS 236 Online Validation and Standards Validation is usually done against a pre-defined standard Wide agreement that standard specifies a good system So you just have to demonstrate you fit the standard

8 Lecture 9 Page 8 CS 236 Online Benefits of Validation Allows head-to-head comparisons of systems Allows varying degrees of effort to determine system security Allows reasonably open and fair process to determine system security

9 Lecture 9 Page 9 CS 236 Online Disadvantages of Validation Only as good as its standards Doesn’t actually prove anything Can be very expensive

10 Lecture 9 Page 10 CS 236 Online Secure Operating System Standards If I want to buy a secure operating system, how do I compare options? Use established standards for OS security Several standards exist

11 Lecture 9 Page 11 CS 236 Online Some Security Standards U.S. Orange Book European ITSEC U.S. Combined Federal Criteria Common Criteria for Information Technology Security Evaluation

12 Lecture 9 Page 12 CS 236 Online The U.S. Orange Book The earliest evaluation standard for trusted operating systems Defined by the Department of Defense in the late 1970s Now largely a historical artifact

13 Lecture 9 Page 13 CS 236 Online Purpose of the Orange Book To set standards by which OS security could be evaluated Fairly strong definitions of what features and capabilities an OS had to have to achieve certain levels Allowing “head-to-head” evaluation of security of systems –And specification of requirements

14 Lecture 9 Page 14 CS 236 Online Orange Book Security Divisions A, B, C, and D –In decreasing order of degree of security Important subdivisions within some of the divisions Requires formal certification from the government (NCSC) –Except for the D level

15 Lecture 9 Page 15 CS 236 Online Some Important Orange Book Divisions and Subdivisions C2 - Controlled Access Protection B1 - Labeled Security Protection B2 - Structured Protection

16 Lecture 9 Page 16 CS 236 Online The C2 Security Class Discretionary access control –At fairly low granularity Requires auditing of accesses And password authentication and protection of reused objects Windows NT was certified to this class

17 Lecture 9 Page 17 CS 236 Online The B1 Security Class Includes mandatory access control –Using Bell-La Padula model –Each subject and object is assigned a security level Requires both hierarchical and non- hierarchical access controls

18 Lecture 9 Page 18 CS 236 Online The B3 Security Class Requires careful security design –With some level of verification And extensive testing Doesn’t require formal verification –But does require “a convincing argument” Trusted Mach was in this class

19 Lecture 9 Page 19 CS 236 Online Why Did the Orange Book Fail? Expensive to use Didn’t meet all parties’ needs –Really meant for US military –Inflexible Certified products were slow to get to market Not clear certification meant much –Windows NT was C2, but didn’t mean NT was secure in usable conditions Review procedures tied to US government

20 Lecture 9 Page 20 CS 236 Online The Common Criteria Modern international standards for computer systems security Covers more than just operating systems Design based on lessons learned from earlier security standards Lengthy documents describe the Common Criteria

21 Lecture 9 Page 21 CS 236 Online Basics of Common Criteria Approach Something of an alphabet soup – The CC documents describe –The Evaluation Assurance Levels (EAL) The Common Evaluation Methodology (CEM) details guidelines for evaluating systems

22 Lecture 9 Page 22 CS 236 Online Another Bowl of Common Criteria Alphabet Soup TOE – Target of Evaluation TSP – TOE Security Policy –Security policy of system being evaluated TSF – TOE Security Functions –HW, SW used to enforce TSP PP – Protection Profile –Implementation-dependent set of security requirements ST – Security Target –Predefined sets of security requirements

23 Lecture 9 Page 23 CS 236 Online What’s This All Mean? Highly detailed methodology for specifying : 1.What security goals a system has 2.What environment it operates in 3.What mechanisms it uses to achieve its security goals 4.Why anyone should believe it does so

24 Lecture 9 Page 24 CS 236 Online How Does It Work? Someone who needs a secure system specifies what security he needs –Using CC methodology –Either some already defined PPs –Or he develops his own He then looks for products that meet that PP –Or asks developers to produce something that does

25 Lecture 9 Page 25 CS 236 Online How Do You Know a Product Meets a PP? Dependent on individual countries Generally, independent labs verify that product meets a protection profile In practice, a few protection profiles are commonly used Allowing those whose needs match them to choose from existing products

26 Lecture 9 Page 26 CS 236 Online Status of the Common Criteria In wide use Several countries have specified procedures for getting certifications –And there are agreements for honoring other countries’ certifications Many products have received various certifications

27 Lecture 9 Page 27 CS 236 Online Problems With Common Criteria Expensive to use Slow to get certification –Ensuring certified products are behind the market Practical certification levels might not mean that much –Windows 2000 was certified EAL4+ –But kept requiring security patches... Perhaps more attention to paperwork than actual software security

28 Lecture 9 Page 28 CS 236 Online TPM and Trusted Computing Can special hardware help improve OS security? Perhaps TPM is an approach to building such hardware The approach is commonly called “trusted computing”

29 Lecture 9 Page 29 CS 236 Online What Is TPM? Special hardware built into personal computers –And other types of machines Tamperproof, special purpose Effective use requires interaction with software –Especially OS software Defined as a set of open standards

30 Lecture 9 Page 30 CS 236 Online What Does TPM Hardware Do? Three basic core functionalities: –Secure storage and use of keys –Secure software attestations –Sealing data These functions can be used to build several useful security features

31 Lecture 9 Page 31 CS 236 Online TPM Key Storage Keys are stored in a tamperproof area TPM hardware can generate RSA key pairs –Using true random number generator Each TPM chip has one permanent endorsement key Other keys generated as needed

32 Lecture 9 Page 32 CS 236 Online The Endorsement Key Created when the chip was fabricated Used to sign attestations –To prove that this particular machine made the attestation A public/private key pair –Private part never leaves the trusted hardware

33 Lecture 9 Page 33 CS 236 Online TPM Cryptography TPM hardware includes encryption and decryption functions To ensure keys are never outside a tamperproof perimeter Data comes in Encryption/decryption is performed Data goes out Users otherwise can’t affect crypto

34 Lecture 9 Page 34 CS 236 Online TPM Attestations Allows TPM to provide proof that a particular piece of software is running on the machine –An OS, a web browser, whatever Essentially, a signature on a hash of the software

35 Lecture 9 Page 35 CS 236 Online An Example of an Attestation What version of Linux is running on this machine? TPM (with appropriate SW support) hashes the OS itself Signs the hash with its attestation key Sends the signature to whoever needs to know

36 Lecture 9 Page 36 CS 236 Online Secure TPM Boot Facilities Use attestations to ensure that the boot loader is trusted code The trusted boot loader then checks the OS it intends to load –Trusted attestations can tell the boot loader if it’s the right one –Bail out if it’s not the right one Can prevent an attacker from getting you to boot a corrupted kernel

37 Lecture 9 Page 37 CS 236 Online Sealing Data With TPM Encrypt the data with keys particular to one machine –Keys stored by TPM Data can only be decrypted successfully on that machine Can also seal storage such that only a particular application can access it

38 Lecture 9 Page 38 CS 236 Online The TPM Controversy TPM can be used for many good security purposes But some believe it takes too much power from the user –E.g., can require user to prove he’s running a particular browser before you give him a file –Or seal a file so only the owner’s application can read it –Who’s in charge of my machine, anyway?

39 Lecture 9 Page 39 CS 236 Online More TPM Controversy Many (but not all) critics worry especially about DRM uses Serious issues about companies using it to achieve anti-competitive effects Serious questions about practicality based on patching, various releases, etc. –Will you have to accept attestations for all of them? Does it actually improve security or not?

40 Lecture 9 Page 40 CS 236 Online Other Secure Hardware TPM isn’t the only new HW that could help OS security Other proposals include: –Memory tagging –Tamperproof biometrics readers –HW for cleaning memory

41 Lecture 9 Page 41 CS 236 Online Memory Tagging Proper application of mandatory access control requires tracking data When sensitive data is read, will it be written? –If so, new version is also sensitive How to do that? –Conservatively, mark everything

42 Lecture 9 Page 42 CS 236 Online Problem With Marking Everything Everything gets marked –Sometimes literally All information in system tends to migrate towards “system high” But in many cases, no sensitive data actually present in the files

43 Lecture 9 Page 43 CS 236 Online For Example, The entire process is tainted So everything it writes is also tainted

44 Lecture 9 Page 44 CS 236 Online What’s Really Going On Only important to track where the tainted data goes Not where untainted data goes

45 Lecture 9 Page 45 CS 236 Online How To Do This? Track the data at a finer granularity than the process Keep track of sensitivity label of data in every memory location –Using special hardware tags Augment processor instructions to propagate/combine tags

46 Lecture 9 Page 46 CS 236 Online How Does This Help? When data is written to file, check its label Label the file as the data was labeled Writes of insensitive data by process with sensitive access don’t become sensitive

47 Lecture 9 Page 47 CS 236 Online Conceptually, If process writes, use only necessary labels If no labels, don’t label file

Download ppt "Lecture 9 Page 1 CS 236 Online Assurance of Trusted Operating Systems How do I know that I should trust someone’s operating system? What methods can I."

Similar presentations

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab
Vpn-info.com.

Vpn-info.com.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
More on OS Security.

More on OS Security.
Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
Computer Security: Principles and Practice Chapter 10 – Trusted Computing and Multilevel Security.

Computer Security: Principles and Practice Chapter 10 – Trusted Computing and Multilevel Security.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 10 – Trusted Computing.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 10 – Trusted Computing.
Secure Operating Systems Lesson 0x11h: Systems Assurance.

Secure Operating Systems Lesson 0x11h: Systems Assurance.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.

1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Trusted Computing Initiative Beyond trustworthy. Trusted Computing  Five Key Concepts >Endorsement Key >Secure Input and Output >Memory Curtain / Protected.

Trusted Computing Initiative Beyond trustworthy. Trusted Computing  Five Key Concepts >Endorsement Key >Secure Input and Output >Memory Curtain / Protected.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
Effective Methods for Software and Systems Integration

Effective Methods for Software and Systems Integration
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Similar presentations

Ads by Google