Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Operating System

Published byBrooke Ray Modified over 6 years ago

Similar presentations

Presentation on theme: "Secure Operating System"— Presentation transcript:

1 Secure Operating System

2 Mandatory Protection Systems
Problem of discretionary access control: untrusted processes can modify protection states Mandatory protection system: Subjects and objects represented by labels Protection state: the operations that subject labels may perform on object labels Labeling state: mapping objects to labels Transition state: defines what relabeling is allowed

3 Example Transition State Labeling State file1 file2 … secret
unclassified trusted untrusted R,W R R Process 1 R,W R R,W W R,W W Process 2 R,W R R,W R,W Protection State

4 Mandatory Access Control
In a mandatory protection system The set of labels are defined by trusted administrators The set of labels are immutable Protection state, labeling state, and transition state can only be modified by trusted administrators through trusted programs This is called Mandatory Access Control (MAC)

5 Reference Monitor An authorization system that determines whether a subject is allowed to perform an operation on an object Takes as input a request Returns a binary response indicating whether the request is authorized or not

6 Source: Operating system security, Jaeger’08, Morgan & Claypool

7 Secure Operating System
A system with a reference monitor access enforcement mechanism that satisfies the requirements below when it enforces a mandatory protection system. Complete Mediation: all security-sensitive ops Tamperproof: untrusted processes cannot modify access enforcement system Verifiable: small TCB

8 Examining Unix Complete mediation
Problem1: not all file access is mediated by RM, e.g., if a process possesses a file descriptor, it can perform any ad hoc command on the file using system calls ioctl or fcntl, as well as read and modify file metadata. Problem 2: not all system resources are mediated

9 Examining Unix Tamperproof
Any user process can modify the protection state at its discretion. User processes can access and modify kernels through special file systems (e.g., /proc, /kmem.) Any root user process can modify any aspect of the protection system

10 Examining Unix Verifiable Effectively unbounded TCB
Impossible to prove that security goals are met as long as TCB is OK

11 Secure Operating System Example: SELinux

12 Securing Linux Linux Security Module (LSM) introduced in early 2000’s
Provides a generic reference monitor interface Allows for different security models to be used Supports POSIX.1e capability system as an optional security model Two popular LSMs: AppArmor and SELinux

13 How does LSM work? Predefined LSM hooks were placed in Linux kernels
The hooks are interfaces to the reference monitor Hook placement is non-trivial Over 150 hooks A security model just needs to implement the hooks

14

15 Security-Enhanced Linux (SELinux)
A MAC security model using LSM Provides fine-grained access control policy Policy writers define the policy – a non-trivial job Quality of protection depends largely on the policy specification

16

17 Step 1: Convert call to LSM hooks to authorization queries
Parameters to an LSM call Subject: the current process that is making the call Object: inode Operations requested Convert subject and object to labels Called “context” in SELinux Stored in kernel Each object also has a “data type”

18

19 Step2: Retrieve SELinux Policy Entry for the access request
Example policy statement: allow <subject_type> <object_type>:<object_class> <operation_set> allow user_t passwd_exec_t:file execute allow passwd_t shadow_t:file {read write}

20 SELinux Protection State
All the policy statements constitute the protection state of SELinux Can be large and complicated More than 1000 labels defined in the reference policy Tens of thousands of allow statements More flexible than standard Unix access control Allows restriction of access not possible or cumbersome under Unix

21 SELinux Labeling State
Map users/systems resources to labels Labeling state defines how newly created processes and resources are labeled File context specification: define mapping from file paths to object context e.g., <file path expr> <context> /etc/shadow.* system_u:object_r:shadow_t:s0 /etc/*.* system_u:object_r:etc_t:s0

22 SELinux Transition State
Defines under what conditions labels of subjects/objects may change e.g., file label transition type_transition <creator_type> <default_type>:<class> <resultant_type> type_transition passwd_t etc_t:file shadow_t A process with passwd_t label creates a file that would have etc_t, but with this policy the file will have the shadow_t label

23 SELinux Transition State
Defines under what conditions labels of subjects/objects may change e.g., user label transition type_transition <current_type> <executable_file_type>:process <resultant_type> type_transition user_t passwd_exec_t:process passwd_t A process with user_t label will change to passwd_t when executing a file with passwd_exec_t label

24 SELinux Transition State
All the transition must be authorized i.e., there must be corresponding “allow” statements for the transition

25 SELinux Security Complete Mediation Tamperproof Verifiable
All accesses to all objects have to go through the reference monitor Depends on LSM hook placement No errors have been found since Linux 2.6 Tamperproof Policy protects kernel from “weak accesses” Verifiable

Download ppt "Secure Operating System"

Similar presentations

Operating System Security

Operating System Security
1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
JENNIS SHRESTHA CSC 345 April 22, 2014. Contents Introduction History Flux Advanced Security Kernel Mandatory Access Control Policies MAC Vs DAC Features.

JENNIS SHRESTHA CSC 345 April 22, Contents Introduction History Flux Advanced Security Kernel Mandatory Access Control Policies MAC Vs DAC Features.
Chapter 3 Multics. Chapter Overview Multics contribution to technology Multics History Multics System – Fundamentals – Security Fundamentals – Protection.

Chapter 3 Multics. Chapter Overview Multics contribution to technology Multics History Multics System – Fundamentals – Security Fundamentals – Protection.
Chapter 4 Security in Ordinary Operating Systems

Chapter 4 Security in Ordinary Operating Systems
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Access Control Patterns Fatemeh Imani Mehr Amirkabir university of technology, Department of Computer Engineering & Information Technology.

Access Control Patterns Fatemeh Imani Mehr Amirkabir university of technology, Department of Computer Engineering & Information Technology.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
By: Arpit Pandey SELINUX (SECURITY-ENHANCED LINUX)

By: Arpit Pandey SELINUX (SECURITY-ENHANCED LINUX)
Chapter 9 Building a Secure Operating System for Linux.

Chapter 9 Building a Secure Operating System for Linux.
SELinux (Security Enhanced Linux) By: Corey McClurg.

SELinux (Security Enhanced Linux) By: Corey McClurg.
Chapter 1 Introduction. Chapter Overview Overview of Operating Systems Secure Operating Systems Basic Concepts in Information Security Design of a Secure.

Chapter 1 Introduction. Chapter Overview Overview of Operating Systems Secure Operating Systems Basic Concepts in Information Security Design of a Secure.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.

Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.
Lecture 7 Access Control

Lecture 7 Access Control
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
Linux Security.

Linux Security.
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU.

Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU.

Similar presentations

Ads by Google