CS 665: Computer System Security. Designing Trusted Operating Systems. Trusted? What Makes System Trusted. Information Assurance Module



Similar documents
Information Security Information & Network Security Lecture 2

Reference Guide for Security in Networks

Mandatory Access Control

CSE543 - Introduction to Computer and Network Security. Module: Access Control

Part III. Access Control Fundamentals

Introduction to Computer Security

CS52600: Information Security

Chapter 2: OS Overview

Access Control Models Part I. Murat Kantarcioglu UT Dallas

Role Based Access Control: Adoption and Implementation in the Developing World

Computer Security. Evaluation Methodology CIS Value of Independent Analysis. Evaluating Systems Chapter 21

How To Model Access Control Models In Cse543

Meeting Cyber Security Challenges

Security Architecture and Design

Domain 9 Security Architecture and Design

HANDBOOK 8 NETWORK SECURITY Version 1.0

DEPARTMENT OF DEFENSE STANDARD DEPARTMENT OF DEFENSE TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA

System Assurance C H A P T E R 12

Constructing Trusted Code Base XIV

Access Control Intro, DAC and MAC. System Security

Session objectives. Access control. Subjects and objects. The request. Information Security

Access Control. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Access Control.

SECURITY ARCHITECTURE

Computer security Lecture 3. Access control

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

Access Control Basics. Murat Kantarcioglu

Information Security Policy

Keyfort Cloud Services (KCS)

Security Model and Enforcement for Data-Centric Pub/Sub with High Information Assurance Requirements

Trusted RUBIX TM. Version 6. Multilevel Security in Trusted RUBIX White Paper. Revision 2 RELATIONAL DATABASE MANAGEMENT SYSTEM TEL

Chapter 23. Database Security. Security Issues. Database Security

Application Intrusion Detection

Access Control Matrix

Chapter 6, The Operating System Machine Level

Virtual Machine Security

Security White Paper The Goverlan Solution

White Paper Levels of Linux Operating System Security

INTRUSION DETECTION SYSTEMS and Network Security

Review from last time. CS 537 Lecture 3 OS Structure. OS structure. What you should learn from this lecture

ISACA PROFESSIONAL RESOURCES

SELinux Policy Management Framework for HIS

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

Common Criteria Evaluation Challenges for SELinux. Doc Shankar IBM Linux Technology Center

? Resource. Access Control and Operating System Security. Access control matrix. Access control. Capabilities. Two implementation concepts.

Database Security Part 7

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Access Control Fundamentals

The Network and The Cloud: Addressing Security And Performance. How Your Enterprise is Impacted Today and Tomorrow

CS377: Database Systems Data Security and Privacy. Li Xiong Department of Mathematics and Computer Science Emory University


Role Based Access Control (RBAC) Nicola Zannone

CAPP-Compliant Security Event Audit System for Mac OS X and FreeBSD

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

What is a secret? Ruth Nelson

Secure cloud access system using JAR ABSTRACT:

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

Today. Important From Last Time. Old Joke. Computer Security. Embedded Security. Trusted Computing Base

Best Practices, Procedures and Methods for Access Control Management. Michael Haythorn

PCI Express IO Virtualization Overview

Secure Containers. Jan Imagination Technologies HGI Dec, 2014 p1

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

BM482E Introduction to Computer Security

Certification Report

GETTING STARTED WITH ANDROID DEVELOPMENT FOR EMBEDDED SYSTEMS

Introduction to Embedded Systems. Software Update Problem

? Resource. Outline. Access Control and Operating System Security. Access control. Access control matrix. Capabilities. Two implementation concepts

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

GE Measurement & Control. Cyber Security for NEI 08-09

Identity Management and Access Control

Developing the Corporate Security Architecture. Alex Woda July 22, 2009

How To Secure An Rsa Authentication Agent

Protocols and Architecture. Protocol Architecture.

Trustworthy Computing

IBX Business Network Platform Information Security Controls Document Classification [Public]

MONITORING PERFORMANCE IN WINDOWS 7

Audit Trail Administration

Document Management System Security

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Advanced Systems Security: Retrofitting Commercial Systems

CPS221 Lecture: Operating System Structure; Virtual Machines

Parallel Scalable Algorithms- Performance Parameters

1.1.1 Introduction to Cloud Computing

Security Overview of the Integrity Virtual Machines Architecture

Information Technology Security Guideline. Network Security Zoning

05.0 Application Development

ISO 27002:2013 Version Change Summary

Information Technology Branch Access Control Technical Standard

Transcription:

CS 665: Computer System Security Designing Trusted Operating Systems Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Trusted? An operating system is trusted if we have confidence it provides Memory protection, File protection. General object access control, User authentication in a consistent and effective way. How to design such an OS? 1-2 What Makes System Trusted Policy Security requirements, well defined, consistent, unambiguous, implementable. Model Representation of the policy, formal. Should not degrade functionality. Design Includes functionality, implementation options. Trust Review of features, assurance makes an OS worthy of trust. 1-3 Rev 1.1 1-1

Terminology Secure: Either-or Property of presenter Asserted based on product characteristics Absolute: not qualified by usage A goal Secure Trusted Graded: degrees of trustworthiness Property of receiver Judged based on evidence and analysis Relative: viewed in the context of use A characteristic 1-4 Trust in What? Process Absent of security flaws and malicious segments Product Evaluated, approved product. Software Part trusted to enforce security policy Computing base Hw/SW/firmware enforcing unified policy. System Trusted to process sensitive information 1-5 Security Policy The statement we expect the system to enforce. Military security policy: Need-to-know. Object: O Sensitivity level: Rank(O) Top Secret Secret Confidential Restricted Unclassified Compartment: Information subject matter 1-6 Rev 1.1 1-2

Military Security Policy Each object has its classification. <rank; compartment>. Clearance: Trust to access information up to a certain level of sensitivity. For subject s and object o: s o iff ranks ranko compartments and compartmen s ts o O dominates S, S is dominated by O 1-7 Military Security Policy (2) S can access O (S dominates O) only if: Clearance of S at least as high as O (hierarchy). S needs to know about ALL compartments where O is classified (nonhierarchical). S:<top_secret, Sweden>, O: <secret, Sweden> S dominates O S:<top_secret, Sweden>, O:<secret,{Sweden, crypto}> S does not dominate O. S:<top_secret,,{Sweden, crypto}>, O:<secret, Sweden> S dominates O 1-8 Commercial Security Policies Data sensitivity: public, proprietary, internal Names vary, but not the meaning. Projects similar to compartments. Corporate lever responsibilities range over project/department boundaries. But, outside the government, no notion of clearance! Rules regulating access are not formalized. Integrity and availability as important as confidentiality, but not as well formulated. 1-9 Rev 1.1 1-3

Clark-Wilson Security Policy Defines well-formed transactions. Do not sign a receipt unless the appropriate goods received. Do not pay without having a signed receipt. Such constrained data items processed by transformation procedures. The only way to access these items, validates the order. Transaction: <userid, TP i, {CDI j,cdi k, }>. Separation of duties. Different person orders, receives, pays. Introduce state information into the triplet notation. 1-10 Chinese Wall Security Policy Information access protection. Objects divided in conflict classes. Access possible to only one object in each class. O1 O2 O3 Conflict Class 1 O4 O5 Conflict Class 2 O6 Conflict Class 3 1-11 Security Models Models formalize policies. Useful for: Conceptualization and design. Completeness and consistency checking. Documentation of policy. Verification and validation. 1-12 Rev 1.1 1-4

Multilevel Security Need for multiple layers of sensitivity. Mathematical formalizations of militarytype security policies Lattice model. Relation forms partial ordering if Transitive: If a b and b c then a c Antisymmetric: If a b and b a then a=b Lattice elements may not be comparable, but they have an upper bound and a lower bound. 1-13 Lattice Model of Access Security Example: Factor of lattice. 4 12 2 6 60 20 10 3 1 5 30 15 Helpful in modeling hierarchical relationships. Dominance relation in the military security is a lattice. Upper bound:<top_secret, all_compartments> Lower: <unclassified, no_compartments> Commercial security may for a lattice public, proprietary, internal 1-14 Bell-LaPadua Confidentiality Model Describes allowable access paths. Central to US DoD evaluation criteria. Goal: concurrent computations at different sensitivity levels. No information leaks allowed. C(s) and C(o): sensitivity levels. Simple Security Property: S may have a read access to O iff C( o) C( s) 1-15 Rev 1.1 1-5

Bell-LaPadua (2) * - property S that has a read access to O, may have write access to P iff C( o) C( p) Contents of sensitive documents cannot be written below their level of sensitivity. Prevent write-down. How stringent is this? Should a classified husband talk with his wife? Consideration of noninterference needed. 1-16 Biba Integrity Model Counterpart of Bell-LaPadua Subject S can modify (write) object o only if I(s) >= I(o) If subject s has read access to object o with integrity level I(o), s can have write access to object p only if I(o) >= I(p). 1-17 Trusted OS Design Security cannot be added successfully. It needs to be designed into an OS. Modularity, information hiding principles. Software engineering principles essential: Requirements, design and test traceability, formal and informal reviews. Integrated and centralized design treatment of security featurees. 1-18 Rev 1.1 1-6

Good design principles Least privilege. Economy of mechanisms Small, simple. Open design. Complete mediation Check every access attempt. Permission based Denial of access is the default. Separation of privilege. Multiple barriers (authentication & encryption). Least common mechanism (share less). Ease of use. 1-19 Features of Trusted OS User identification and authentication Mandatory access controls Discretionary access controls Object reuse protection. Complete mediation. Trusted paths. Audits. Audit log reduction. Intrusion detection. 1-20 Identification and authentication Key to computer security Two steps Who is the service requester. Verify the claimed identity. I&A in trusted systems goes beyond that of traditional OS. 1-21 Rev 1.1 1-7

Access Control (AC) Mandatory AC implies that a central authority makes access decisions. Owner not involved. Military policy. Discretionary AC makes owner or someone else in charge of the decision. Typical for commercial environments. Access rights may change dynamically. If applied simultaneously, MAC has a precedence over DAC. 1-22 Object reuse policy If an object is freed by the user, its allocated space remains dirty. Previous user s data may become available to someone. New user may scavenge for sensitive data. This approach is called object reuse. OS needs to prevent leakage, by overwriting all reassigned space. 1-23 Complete mediation & Trusted paths All accesses to all resources need control. But, modern OS have numerous paths towards an object. Network ports, processes, DMA, etc. Trusted paths needed to establish unmistakable communication trust. Unique keys (CTRL-ALT-DEL), for example. Cannot be intercepted by software. 1-24 Rev 1.1 1-8

Audits Security information relevant log files are necessary. These should accommodate audit requests. How to avoid enormously large files? Limit to open/close object actions. Even these can become too large over time. Audit: Find a needle in a haystack! Continuous audits performed in the background. 1-25 Intrusion detection ID software establishes patterns of normal usage. Consequently, it can sound alarm if these patterns change. Detailed study later. 1-26 Kernelized design principles Kernel: part of OS that performs lowest level functions. Synchronization, interprocess communication, message passing, interrupt handling. Security kernel responsible for enforcing security mechanisms. Security kernel contained within OS kernel. 1-27 Rev 1.1 1-9

Why security kernel? Coverage Every access MUST pass through. Separation From the rest of OS and from the users. Unity Concentration of security relevant code. Modifiability Compactness Likely to be relatively small Verifiability 1-28 Reference Monitors Control access to all objects. Collection of access control code for devices, files, memory, communication RM must be Tamperproof Invoked by any access request Small enough to be verifiable Part of a wider suite of tools and techniques 1-29 Trusted Computing Base (TCB) Code responsible for implementing security policy Trust in an OS depends on trust in TCB! Security enforcement depends on: Hardware (processors, memory, registers, I/O) Processes (protect security critical ones) Files (special files as I&A data, access control DB) Protected memory (protects reference monitor against tampering) Interprocess communication (so parts of TCP can pass data and activate other parts) 1-30 Rev 1.1 1-10

TCB (2) TCB monitors four basic interactions: Process activation Includes memory allocation, context switching, file access lists, status information Execution domain switching Request for sensitive data may cause a process to switch execution domains. Memory protection Monitor all memory accesses, maintain confidentiality, integrity. I/O operation 1-31 Virtualization Virtual machine is a collection of resources (HW, SW), real or simulated. Each user given the perception of unique ownership. Multiple virtual memory spaces, divided by users or user groups or types. 1-32 Rev 1.1 1-11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information