

Presentation on theme: "Chapter 7 Securing Commercial Operating Systems. Chapter Overview Retrofitting Security into a Commercial OS History of Retrofitting Commercial OS's Commercial."— Presentation transcript:

1 Chapter 7 Securing Commercial Operating Systems

2 Chapter Overview
Retrofitting Security into a Commercial OS
History of Retrofitting Commercial OS's
– Commercial Era
– Microkernel Era
– UNIX Era
  – IX
  – Domain and Type Enforcement
  – Recent Unix Systems
Summary

3 Retrofitting Security into a Commercial OS
Requires the reference monitor concept:
– Complete mediation
– Tamperproofing
– Verifiability

4 Complete Mediation Challenges
Identify all security-sensitive operations
– Some are embedded deep inside the kernel code.
– Examples: open sockets, shared memory, etc.
– Covert channel identification is usually not even attempted.

5 Tamperproofing Challenges
Obvious: place the reference monitor in ring 0, but the kernel is often updated.
/dev/kmem, /proc, sysfs, netlink sockets → every root process must STILL be part of the UNIX TCB.

6 Verification Challenges
Musts:
– Mediation is implemented correctly, but
  – the mediation interface is designed manually
  – and implemented in unsafe languages.
– Policy enforces the required security goals, but
  – there is a large number of queries and processes
  – and policies are complicated.
– Reference monitor implementation is correct, but the rest of the TCB is huge.
– Rest of the TCB behaves correctly.

7 History of Retrofitting Commercial OS's
Commercial Era
– Emulate system on a security kernel
– Retrofit security into the OS
– → UNIX MLS
Microkernel Era
– Independent server processes → went into the kernel
– New security models addressing both confidentiality and integrity
Unix Era
– Composed solutions from the two eras with a focus on system integrity.

8 Commercial Era
Emulated systems
– Data Secure UNIX
– KSOS
KVM/370
– 25% performance overhead
VAX/VMS
DEC/Sandia Labs: MLS
Secure Xenix (IBM)
– Access control and auditing
– Added compatibility
– Retrofitted Unix services
– Hidden subdirectories
– Polyinstantiated file systems
– Trusted path (secure attention sequence)
1990 saw many secure Unix variants

9 Microkernel Era
Goal: minimal-size kernel emphasizing system abstractions; no emphasis on security per se.
Source: Mach (1980's)
– Trusted Mach (Tmach)
– Distributed Trusted Mach (DTMach)
– Distributed Trusted OS (DTOS)
– Flask

10 Trusted Mach
Built by Trusted Information Systems (TIS).
Added MLS for files and memory.
Aim was to provide function for other (single-level) systems like Unix and Windows.

11 Distributed Trusted Mach
Secure Computing Corporation and NSA.
Hybrid access control model:
– MLS labels for confidentiality
– Type Enforcement (TE) labels for integrity
Similar architecture to Tmach, plus servers for networking and a general security policy server.

12 DTMach II
DTMach = Mach + security server
– Security server = reference monitor outside the kernel
  – Each port access implies an authorization query
  – For example, opening a file opens a port to the file server, etc.
– Security server used both MLS and TE rules.
TE rules:
– Code could only be modified by administrators
– Limited the code that could be executed
There were limitations:
– For example, there was an arbitrary send right...

13 Distributed Trusted OS (DTOS)
Aim: a true reference monitor in the Mach microkernel.
Richer set of operations for ports than just send.
Microkernel:
– Managed labeling of subjects and kernel objects.
– Mediated each kernel operation by querying the security server.
Focus on verifiability of the microkernel and TCB.

14 Flask
Fluke was a second-generation microkernel developed at the University of Utah, better than Mach.
Flask = DTOS – Mach / Fluke
More emphasis on TE.

15 UNIX Era
By the early 1990's, many Unices had MLS support.
Search for adding integrity (very ad hoc at this point).
Cover two systems:
– IX
– DTE

16 IX
AT&T prototype; enforces MLS and integrity.
Includes a reference monitor over file access.
Mandatory access control policy providing both confidentiality and integrity protections.
Care has been taken to prevent tampering with the TCB.
Verification was not a goal.
MLS was high-water mark for files and processes; however, processes could not go beyond a certain ceiling.

17 IX (2)
Integrity was LoMac, with floors.
Since levels are dynamic, each data transfer must be checked/mediated.
No memory-mapped files.
Trusted paths/pipes between processes (pex); a pex includes a label for the process at each end so that only that process may work with it.
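The label dynamics of this slide and the previous one (confidentiality as a high-water mark bounded by a per-process ceiling, integrity as LoMac bounded by floors, every transfer mediated) as an added Python model. This is not IX code and not from the slides; the two lattices, the file and process names, and the choice to give both processes and files an integrity floor are assumptions made for the example.

```python
"""Toy model of IX-style dynamic labels (added example, not IX's own code).

Confidentiality: a process label floats UP to the highest label it reads
(high-water mark) but may never exceed the process's ceiling.
Integrity: a label floats DOWN to the lowest label it reads (LoMac) but may
never sink below a floor. Every read and write passes through a check, and
a refused transfer leaves all labels untouched.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed lattices (assumed): higher index = more sensitive / more trusted.
CONF = ["unclassified", "confidential", "secret", "top_secret"]
INTEG = ["untrusted", "user", "system"]


@dataclass
class Label:
    conf: int   # index into CONF
    integ: int  # index into INTEG


@dataclass
class Process:
    name: str
    label: Label
    ceiling: int  # highest confidentiality level this process may float up to
    floor: int    # lowest integrity level this process may sink to


@dataclass
class File:
    name: str
    label: Label
    floor: int    # assumption: files carry an integrity floor too


def mediate_read(proc: Process, f: File) -> tuple[bool, str]:
    """Check one read of f by proc; on success float proc's labels."""
    new_conf = max(proc.label.conf, f.label.conf)
    if new_conf > proc.ceiling:
        return False, f"{proc.name}: reading {f.name} would exceed ceiling {CONF[proc.ceiling]}"
    new_integ = min(proc.label.integ, f.label.integ)
    if new_integ < proc.floor:
        return False, f"{proc.name}: reading {f.name} would sink below floor {INTEG[proc.floor]}"
    proc.label.conf, proc.label.integ = new_conf, new_integ
    return True, "ok"


def mediate_write(proc: Process, f: File) -> tuple[bool, str]:
    """Check one write by proc into f; on success float f's labels.

    The file's confidentiality rises to the writer's level (high-water mark
    for files) and its integrity drops to the writer's level, unless that
    would put the file below its floor, in which case the write is refused.
    """
    new_integ = min(f.label.integ, proc.label.integ)
    if new_integ < f.floor:
        return False, f"{proc.name}: writing {f.name} would sink it below floor {INTEG[f.floor]}"
    f.label.conf = max(f.label.conf, proc.label.conf)
    f.label.integ = new_integ
    return True, "ok"


def walkthrough() -> list[tuple[str, bool]]:
    """Constructed trace: the same write is allowed before, and refused after,
    the process reads untrusted data, which is why each transfer is checked."""
    editor = Process("editor", Label(conf=0, integ=2), ceiling=2, floor=0)
    secret = File("plans.txt", Label(conf=2, integ=2), floor=0)
    keys = File("keys.txt", Label(conf=3, integ=2), floor=0)
    download = File("download.bin", Label(conf=0, integ=0), floor=0)
    config = File("system.conf", Label(conf=0, integ=2), floor=2)
    return [
        ("write config while clean", mediate_write(editor, config)[0]),    # True
        ("read secret", mediate_read(editor, secret)[0]),                   # True, conf floats to secret
        ("read top_secret", mediate_read(editor, keys)[0]),                 # False, ceiling is secret
        ("read download", mediate_read(editor, download)[0]),               # True, integ sinks to untrusted
        ("write config while tainted", mediate_write(editor, config)[0]),  # False, config floor is system
        ("write download", mediate_write(editor, download)[0]),            # True, download floats to secret
    ]


if __name__ == "__main__":
    for step, allowed in walkthrough():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {step}")
```

The trace also shows why the slide excludes memory-mapped files: a mapped page moves data without ever calling `mediate_read` or `mediate_write`, so neither label would float and the floor check on the later write would never run.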

18 An assured pipeline in IX

19 Domain and Type Enforcement
Trusted Information Systems.
Problem: protecting the TCB from vulnerable root processes.
Runs on the Tmach system, but the reference monitor was added to OSF/1.

20 DTE Policy Model
Subject types are now called domains; object types are still types.
Each domain is a triple: (access rights to objects, access rights to subjects in other domains (signals), entry-point program).
A domain describes how a process accesses files, signals other processes and creates processes.
DTE Unix defines limited protection domains for root processes. Key point is "least privilege".
Domain transitions are limited, and their execution is limited also.
Labeled networking.
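The domain triple and the three kinds of mediation this slide names (file access by object type, signals between domains, domain transition on exec through an entry point) as an added Python reference-monitor model. It is not code from TIS's DTE Unix or from the slides; the domain and type names, the file-to-type mapping, and the transition table are a constructed policy, and the root process that cannot touch `shadow_t` illustrates the slide's least-privilege point for root daemons.

```python
"""Toy DTE policy model (added example, not TIS's DTE implementation).

A domain is the triple the slide describes: rights on object types, rights
to signal other domains, and the entry-point program through which the
domain is entered. The uid is deliberately ignored by every check.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Domain:
    name: str
    type_access: dict       # object type -> set of modes among "r", "w", "x"
    signal_to: frozenset    # domains this domain may send signals to
    entry_point: str        # program that must be exec'd to enter the domain


@dataclass
class Process:
    pid: int
    uid: int        # 0 = root; conveys nothing below, which is the point
    domain: str


# Constructed policy (assumed names, not from any real DTE configuration).
POLICY = {
    "init_d": Domain(
        "init_d",
        {"bin_t": {"r", "x"}, "httpd_exec_t": {"r", "x"}, "etc_t": {"r", "w"},
         "log_t": {"r", "w"}, "shadow_t": {"r", "w"}},
        frozenset({"init_d", "httpd_d"}), "/sbin/init"),
    "httpd_d": Domain(
        "httpd_d",
        {"httpd_exec_t": {"r", "x"}, "etc_t": {"r"}, "www_t": {"r"}, "log_t": {"w"}},
        frozenset({"httpd_d"}), "/usr/sbin/httpd"),
}

# Allowed (source domain, program) pairs and the domain they lead to. The
# second entry is deliberately inconsistent with httpd_d's entry point to
# show that such a transition is refused.
TRANSITIONS = {
    ("init_d", "/usr/sbin/httpd"): "httpd_d",
    ("init_d", "/bin/sh"): "httpd_d",
}

# Constructed object labels for a handful of paths.
FILE_TYPES = {
    "/etc/shadow": "shadow_t", "/etc/httpd.conf": "etc_t",
    "/var/www/index.html": "www_t", "/var/log/httpd.log": "log_t",
    "/usr/sbin/httpd": "httpd_exec_t", "/bin/sh": "bin_t",
}


def check_file(proc: Process, path: str, mode: str) -> bool:
    """Mediate a file access: the domain's triple must grant `mode` on the
    file's type; unlabeled paths are denied."""
    obj_type = FILE_TYPES.get(path, "unlabeled_t")
    return mode in POLICY[proc.domain].type_access.get(obj_type, set())


def check_signal(src: Process, dst: Process) -> bool:
    """Mediate a signal: only domains listed in the sender's triple."""
    return dst.domain in POLICY[src.domain].signal_to


def exec_program(proc: Process, path: str) -> bool:
    """Mediate exec: needs 'x' on the program's type. A domain transition
    happens only for a configured (domain, program) pair, and only if the
    target domain names that program as its entry point."""
    if not check_file(proc, path, "x"):
        return False
    target = TRANSITIONS.get((proc.domain, path))
    if target is None:
        return True                     # plain exec, stays in current domain
    if POLICY[target].entry_point != path:
        return False                    # no way into a domain except its entry point
    proc.domain = target
    return True


def walkthrough() -> dict[str, bool]:
    """Constructed trace of a root web server confined to httpd_d."""
    init = Process(1, 0, "init_d")
    httpd = Process(2, 0, "init_d")    # forked from init, still in init_d
    stray = Process(3, 0, "init_d")
    return {
        "httpd enters httpd_d via entry point": exec_program(httpd, "/usr/sbin/httpd"),
        "httpd reads its config": check_file(httpd, "/etc/httpd.conf", "r"),
        "httpd appends to its log": check_file(httpd, "/var/log/httpd.log", "w"),
        "httpd (uid 0) reads /etc/shadow": check_file(httpd, "/etc/shadow", "r"),
        "httpd rewrites web content": check_file(httpd, "/var/www/index.html", "w"),
        "httpd execs a shell": exec_program(httpd, "/bin/sh"),
        "httpd signals init": check_signal(httpd, init),
        "init signals httpd": check_signal(init, httpd),
        "transition not via entry point": exec_program(stray, "/bin/sh"),
    }


if __name__ == "__main__":
    for step, ok in walkthrough().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {step}")
```

Running it prints one line per check; the interesting rows are the denials for a uid-0 process, which the domain's triple, not the uid, decides.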

21 Recent Unix Systems
BSD variants
– TrustedBSD
  – MAC, auditing, authentication
  – Reference monitor interface similar to LSM
  – SEBSD is a version of SELinux for BSD
– FreeBSD Jail
– OpenBSD emphasizes correct coding and configuration
  – Code separation
  – Buffer overflow protection
  – Least privilege configurations
– NetBSD
  – In-kernel authentication and verification of file execution (Veriexec)

22 Summary
Retrofitting Security into a Commercial OS
– Requirements and challenges
– History
  – Commercial Era
  – Microkernel Era
  – Unix Era – recent Unix variants

