Trusted Operating Systems

What is a trusted operating system?

Four aspects of a trusted OS:
- Information compartmentalization
- Role compartmentalization
- Least privilege
- Kernel-level enforcement

"If it's easy to administer, it's probably easy to break into."

Pros and cons

Pros:
- Difficult to compromise
- One compromise does not lead to another: a breached component is contained
- Useful for mission-critical applications
- Protects against insider attacks

Cons:
- Software compatibility
- Difficulty of administration
- Performance overhead
- More cumbersome for users

Information Compartmentalization
- Information is restricted without regard to user ID or "owner"
- No user, not even an administrator, can see or modify information they are not cleared for
- A compromised application cannot be used for further access, since it cannot see information unrelated to its task
- Example: the web server cannot write to the HTML files, because it has only been cleared to read them

Mandatory Access Control
- In DAC (Discretionary Access Control), users own files: the owner decides whether a file is readable, writable, executable, etc., and by whom
- In MAC, restrictions are based on the sensitivity of the information
- All objects carry Sensitivity Labels (SLs) that define a level, or a range of levels, encompassing the information
- SLs cannot be overruled by the owner of a file, or even by a system administrator

Sensitivity Labels
- Two components: a Classification (e.g. Top Secret, Secret, Confidential) and a set of Compartments (e.g. A, B)
- Comparing two labels gives one of three relations: Dominant, Equal, or Disjoint
- Dominant: a Top Secret SL can read, but not write, a Confidential SL (read down, no write down)
- Equal: the only case in which modification is permitted
- Disjoint: prevents equal classifications from accessing other compartments. Top Secret A cannot read Secret A B, since Top Secret A does not have access to the B compartment, so neither label dominates the other
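The three label relations above, worked through in code. This is an added example modelling the rules as the slide states them; it is not code from any of the trusted operating systems the deck lists. The classification names, the compartment letters and the helper names (Label, dominates, relation, can_read, can_write, decide) are assumptions made for this illustration.

```python
"""Sensitivity-label comparison: dominant / equal / disjoint.

Added example modelling the rules on the slide; not code from any real
trusted OS. The classification names, the compartment letters and the
helper names below are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Classification levels in increasing sensitivity; the index is the rank.
LEVELS = ("Unclassified", "Confidential", "Secret", "Top Secret")


@dataclass(frozen=True)
class Label:
    """A sensitivity label: one classification plus a set of compartments."""
    classification: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.classification not in LEVELS:
            raise ValueError(f"unknown classification {self.classification!r}")

    @property
    def rank(self) -> int:
        return LEVELS.index(self.classification)


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when a's classification is at least b's AND a holds
    every compartment b holds. Equal labels dominate each other."""
    return a.rank >= b.rank and a.compartments >= b.compartments


def relation(a: Label, b: Label) -> str:
    """Name the relation between two labels the way the slide does."""
    if a == b:
        return "equal"
    if dominates(a, b):
        return "dominant"       # a may read b
    if dominates(b, a):
        return "dominated"      # b may read a
    return "disjoint"           # neither dominates: incomparable compartments


def can_read(subject: Label, obj: Label) -> bool:
    """Read down: allowed when the subject's label dominates the object's."""
    return dominates(subject, obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Per the slide, modification is permitted only at an equal label.
    (Bell-LaPadula would also permit write-up; the stricter rule here avoids
    a subject blindly modifying data it is not allowed to read back.)"""
    return subject == obj


def decide(subject: Label, obj: Label) -> dict:
    """Bundle the relation and the read/write verdict for one subject/object pair."""
    return {"relation": relation(subject, obj),
            "read": can_read(subject, obj),
            "write": can_write(subject, obj)}


if __name__ == "__main__":
    ts_a = Label("Top Secret", frozenset({"A"}))
    conf = Label("Confidential")
    sec_ab = Label("Secret", frozenset({"A", "B"}))
    # Top Secret A dominates Confidential: read yes, write no.
    print("TS{A} vs Confidential:", decide(ts_a, conf))
    # Top Secret A vs Secret AB: disjoint, so TS{A} may not read Secret{A,B}.
    print("TS{A} vs Secret{A,B}:", decide(ts_a, sec_ab))
    # Equal labels: the only case where writing is allowed.
    print("TS{A} vs TS{A}:", decide(ts_a, Label("Top Secret", frozenset({"A"}))))
```

The compartment check is a set-superset test, which is what makes Top Secret A and Secret A B incomparable even though Top Secret outranks Secret: a higher classification never buys access to a compartment the subject was not cleared into.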

Role Compartmentalization
- No single user can perform all system tasks
- There is no "root"; administrators are limited in their privileges
- Important system actions must be confirmed by multiple administrators
- Execution of a privileged program is still limited by the privilege of the invoking user

Least Privilege
- Processes have access only to the minimum information and privilege required to perform their task
- The mail server cannot modify web pages; the web server cannot send email
- This holds even when the process is running as an administrator
- Permissions are strictly limited in scope and type
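The web-server / mail-server separation on this slide and on the Information Compartmentalization slide, modelled as per-domain allow rules layered on top of ordinary DAC. This is an added example and not code from SELinux, Pitbull or any other product the deck names; the domains (httpd_d, mail_d, admin_d), the object types (web_content_t, mail_spool_t, ...), the POLICY table and the process/object records are all invented for this illustration, in the spirit of the domain-based controls the implementation slides mention.

```python
"""Least privilege per process, enforced by domain rules that ignore uid.

Added example, not code from SELinux, Pitbull or any product on the slides.
The domains, object types and POLICY table are invented for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Allow rules: domain -> {(object type, operation)}. Anything absent is denied.
POLICY: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "httpd_d": frozenset({("web_content_t", "read"),
                          ("httpd_log_t", "write"),
                          ("http_port_t", "bind")}),
    "mail_d":  frozenset({("mail_spool_t", "read"),
                          ("mail_spool_t", "write"),
                          ("smtp_port_t", "connect")}),
    # "Has root, but restricted": an admin domain that may manage web content
    # but still cannot read mail or talk SMTP.
    "admin_d": frozenset({("web_content_t", "read"),
                          ("web_content_t", "write")}),
}


@dataclass(frozen=True)
class Process:
    pid: int
    uid: int      # DAC identity; 0 is "administrator"
    domain: str   # MAC domain the process runs in


@dataclass(frozen=True)
class Obj:
    name: str
    otype: str
    owner_uid: int = 0
    mode: int = 0o644
    is_file: bool = True   # ports/sockets carry no mode bits


AUDIT: List[str] = []   # denial records, as a trusted OS would write to its audit trail


def dac_allowed(proc: Process, obj: Obj, op: str) -> bool:
    """Classic discretionary check on owner/other mode bits. uid 0 bypasses
    it entirely, which is exactly why DAC alone is not enough."""
    if not obj.is_file:
        return True          # no DAC on network objects in this model
    if proc.uid == 0:
        return True
    bit = {"read": 4, "write": 2, "execute": 1}.get(op, 0)
    shift = 6 if proc.uid == obj.owner_uid else 0
    return bool((obj.mode >> shift) & bit)


def mac_allowed(proc: Process, obj: Obj, op: str) -> bool:
    """Mandatory check: only the domain's allow rules matter, never the uid."""
    return (obj.otype, op) in POLICY.get(proc.domain, frozenset())


def check(proc: Process, obj: Obj, op: str) -> bool:
    """An access must pass DAC and then MAC; either denial is audited."""
    if not dac_allowed(proc, obj, op):
        AUDIT.append(f"DAC deny pid={proc.pid} uid={proc.uid} {op} {obj.name}")
        return False
    if not mac_allowed(proc, obj, op):
        AUDIT.append(f"MAC deny pid={proc.pid} domain={proc.domain} "
                     f"{op} {obj.name} type={obj.otype}")
        return False
    return True


if __name__ == "__main__":
    index = Obj("/var/www/index.html", "web_content_t", owner_uid=48)
    smtp = Obj("tcp/25", "smtp_port_t", is_file=False)
    httpd = Process(101, 0, "httpd_d")    # web server running as uid 0
    mailer = Process(202, 8, "mail_d")
    print("httpd read index:    ", check(httpd, index, "read"))     # True
    print("httpd write index:   ", check(httpd, index, "write"))    # False despite uid 0
    print("httpd connect smtp:  ", check(httpd, smtp, "connect"))   # False: web server cannot send mail
    print("mailer read index:   ", check(mailer, index, "read"))    # False: DAC would allow, MAC denies
    print("mailer connect smtp: ", check(mailer, smtp, "connect"))  # True
    for line in AUDIT:
        print("audit:", line)
```

The point to take from the run is the second and fourth results: the web server is uid 0 and passes the discretionary check, yet cannot write its own content because its domain was only ever allowed to read it, and the mail server is denied a read that the 0644 mode bits would have permitted. The denials land in the audit list, which is where an operator would look for a compromised daemon probing outside its task.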

Kernel-Level Enforcement
- Security-related operations happen in kernel mode, where they cannot be circumvented by any amount of user-level action
- Conversely, everything that does not need kernel privilege runs at the least privileged level possible (user mode), so a compromised application can do as little damage as possible
- An application cannot override the kernel's decisions

Trusted OS Implementations

Trusted Solaris:
- Password generator enforces strong passwords
- MAC
- Trusted symbol (a trusted-path indicator) prevents spoofing of system dialogs
- Full system auditing

Trusted IRIX:
- Mandatory Integrity (integrity labels alongside sensitivity labels)
- Trusted Networking: MAC labeling of input and output

Trusted OS Implementations (continued)

Trusted BSD:
- Based on FreeBSD
- Fine-grained auditing
- Fine-grained policy

SELinux:
- Patches to Linux published by the NSA

Argus Pitbull LX:
- Trusted environment that runs on top of Linux, Solaris, or AIX
- Domain-Based Access Control
- Has root, but root is restricted
- Allows trusted applications to run alongside non-trusted applications, providing flexibility

"Orange Book" standards (TCSEC)
- Defines levels of security policy and accountability mechanisms
- Certification for use in given situations
- C2: Controlled Access Protection (5)
- B1: Labeled Security Protection (7)
- B2: Structured Protection (1)
- B3: Security Domains (1)
- A1: Verified Design (0)

Common Criteria
- Supersedes the "Orange Book"
- Worldwide effort that combines the earlier national and international criteria
- Security functional requirements are broken into classes:
  - Audit (FAU)
  - Cryptographic support (FCS)
  - Communications (FCO)
  - User Data Protection (FDP)
  - Identification and Authentication (FIA)
  - Security Management (FMT)
  - Privacy (FPR)
  - Protection of the TOE Security Functions (FPT)
  - Resource Utilization (FRU)
  - TOE Access (FTA)
  - Trusted Path/Channels (FTP)

Common Criteria Assurance Levels
- EAL1: Functionally tested
- EAL2: Structurally tested
- EAL3: Methodically tested and checked
- EAL4: Methodically designed, tested, and reviewed
- EAL5: Semiformally designed and tested
- EAL6: Semiformally verified design and tested
- EAL7: Formally verified design and tested