Chapter 13 Processing Controls



Operating System Integrity

• Operating system -- the set of programs implemented in software/hardware that permits sharing and use of resources within a computer system

• There are many cases in which serious losses have occurred through breaches of operating system controls


Some Features of OP Systems

• Capable of managing resources
• Good managers vs. bad managers
• There is a cost associated with mismanagement of op systems
– Exposure to risks
– Loss of integrity

• What is an interrupt in op systems? Op systems demand respect by using interrupts.


Nature of a Reliable Operating System

1. Must be protected from user processes
2. Must prevent one user corrupting another user's processes
3. Must protect users from themselves
4. Must protect itself from corruption of another module or sub-process
5. Must be robust when environmental failures occur


Operating System Integrity Threats

• Accidental
– hardware, software, and environmental failures that cause the operating system to crash or to process erroneously

• Deliberate
– usually aim at unauthorized removal of assets, breaches of data integrity, or disruption of operations


Penetration Techniques

• Browsing (checking residue)
• Masquerading
• Piggybacking (tapping messages)
• Between-lines entry (inactive users)
• Spoofing (fooling the user as if the op system is interacting)
• Backdoors/Trapdoors (use it as if you are already in the system)
• Trojan horse (unknown to the user, the user runs the penetrator's program)


Other Penetration Techniques

• Covert Storage Channels
– one process communicates confidential information to another process by changing the values of system state variables

• Covert Timing Channels
– one process communicates confidential information to another process by changing the time period that a system takes to perform some function


Operating System Integrity Flaws

• Penetrations result when integrity flaws exist in operating systems. These flaws arise for two reasons:
1. The access control policy designed for the operating system is defective
2. Even if a secure access control policy is designed for the operating system, it might be implemented incorrectly in the operating system


Integrity Flaws (no details)

• Incomplete parameter validation

• Inconsistent parameter validation

• Implicit sharing of data

• Asynchronous validation

• Inadequate access control

• Violable limits


Reference Monitors and Kernels

• A reference monitor is an abstract mechanism that checks each request by a subject to access and use an object to ensure that the request complies with a security policy.

• A reference monitor is implemented via a security kernel, which is a hardware, software, firmware mechanism
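The slides define a reference monitor abstractly. The following Python is an added example (not from the deck or any named product) of what such a monitor does in practice: every request by a subject to perform an operation on an object goes through one `check` call, parameters are validated once and consistently before the policy lookup (addressing the "incomplete/inconsistent parameter validation" flaws listed in the deck), the default is deny, and every decision is recorded. The policy table, identifier format and object store are constructed for the demo.

```python
import re
from dataclasses import dataclass, field

# Operations the policy can grant; anything else is rejected before lookup.
OPERATIONS = {"read", "write", "execute"}
# Constructed naming rule for subject and object identifiers (assumption).
_IDENT = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


@dataclass
class ReferenceMonitor:
    # policy[subject][object] -> set of permitted operations; no entry means deny
    policy: dict
    audit: list = field(default_factory=list)

    def _validate(self, subject, obj, op):
        # Parameter validation happens once, here, on every request (complete and
        # consistent), so no caller reaches the policy lookup with unchecked input.
        if not isinstance(subject, str) or not _IDENT.match(subject):
            return "malformed subject"
        if not isinstance(obj, str) or not _IDENT.match(obj):
            return "malformed object"
        if op not in OPERATIONS:
            return "unknown operation"
        return None

    def check(self, subject, obj, op):
        """Decide one access request and record the decision; the default is deny."""
        reason = self._validate(subject, obj, op)
        if reason is None:
            allowed = op in self.policy.get(subject, {}).get(obj, set())
            reason = "permitted by policy" if allowed else "no matching rule"
        else:
            allowed = False
        self.audit.append({"subject": subject, "object": obj, "op": op,
                           "allowed": allowed, "reason": reason})
        return allowed


def mediated_read(monitor, store, subject, obj):
    """The only path to the object store: every read is mediated by the monitor."""
    if not monitor.check(subject, obj, "read"):
        raise PermissionError(f"{subject} may not read {obj}")
    return store[obj]


def demo():
    # Constructed policy and object store.
    policy = {"alice": {"ledger": {"read", "write"}},
              "bob": {"ledger": {"read"}}}
    store = {"ledger": "balance=100"}
    m = ReferenceMonitor(policy)
    results = {
        "alice_read": m.check("alice", "ledger", "read"),
        "bob_write": m.check("bob", "ledger", "write"),
        "mallory_read": m.check("mallory", "ledger", "read"),   # no rule at all
        "bad_op": m.check("alice", "ledger", "delete"),          # not a known operation
        "bad_id": m.check("../etc", "ledger", "read"),           # fails parameter validation
    }
    results["bob_value"] = mediated_read(m, store, "bob", "ledger")
    results["denied"] = sum(1 for e in m.audit if not e["allowed"])
    return results
```

The audit list is the security kernel's own record of decisions; in a real system it would be written to the operations audit trail described later in the deck rather than kept in memory.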


Reference Monitor Abstraction


Validation Checks

• Primarily ensure that computations performed on numeric fields are authorized, accurate, and complete

• Processing associated with alphabetic or alphanumeric fields typically is minimal


Rounding Validation Check Process


Other Software Controls

• Print Run-to-Run Control Totals
– provide evidence that all input data has been processed accurately

• Minimize Human Intervention
– because human intervention is error-prone, minimizing it will reduce incorrect processing

• Use Redundant Calculations
– additional calculations can be used as "checks"
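The following Python is an added example, not taken from the deck, of two of these controls working together on a constructed interest-posting batch: run-to-run control totals (record count, hash total over a non-financial field, and financial total) are taken before and after the run, and a redundant calculation of the total interest, done independently of the production path, is compared with the change in the financial total. The batch, rate and the `fault` hook used to simulate bad runs are all constructed for the demo.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed input batch: (account number, balance). Account numbers are a
# non-financial field, so their sum serves only as a hash total.
INPUT_BATCH = [
    ("1001", Decimal("250.00")),
    ("1002", Decimal("-75.25")),
    ("1003", Decimal("1200.10")),
    ("1004", Decimal("0.15")),
]


def control_totals(records):
    """Run-to-run control totals printed at the end of each processing step."""
    return {
        "count": len(records),
        "hash": sum(int(acct) for acct, _ in records),
        "financial": sum((amt for _, amt in records), Decimal("0")),
    }


def interest_on(amount, rate):
    return (amount * rate).quantize(CENT, rounding=ROUND_HALF_UP)


def apply_interest(records, rate):
    """The production calculation: post rounded interest to every balance."""
    return [(acct, amt + interest_on(amt, rate)) for acct, amt in records]


def run_batch(records, rate, fault=None):
    """Process one batch and reconcile the control totals across the run.
    `fault` is a demo-only hook that corrupts the output to simulate a bad run."""
    before = control_totals(records)
    processed = apply_interest(records, rate)
    if fault is not None:
        processed = fault(processed)
    after = control_totals(processed)

    # Redundant calculation: total interest recomputed independently of the
    # production path, then compared with the change in the financial total.
    expected_change = sum((interest_on(amt, rate) for _, amt in records), Decimal("0"))

    problems = []
    if after["count"] != before["count"]:
        problems.append("record count changed between runs")
    if after["hash"] != before["hash"]:
        problems.append("hash total changed: records added, dropped or re-keyed")
    if after["financial"] - before["financial"] != expected_change:
        problems.append("financial total disagrees with redundant interest calculation")
    return problems


def demo():
    rate = Decimal("0.05")

    def drop_last(recs):          # simulates a record lost during processing
        return recs[:-1]

    def nudge_first(recs):        # simulates a one-cent alteration of one balance
        acct, amt = recs[0]
        return [(acct, amt + CENT)] + recs[1:]

    return {
        "clean": run_batch(INPUT_BATCH, rate),
        "dropped": run_batch(INPUT_BATCH, rate, fault=drop_last),
        "altered": run_batch(INPUT_BATCH, rate, fault=nudge_first),
    }
```

The hash total catches a dropped or re-keyed record even when the count happens to match; the redundant calculation is what catches a silent one-cent change, which neither the count nor the hash total would see.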


Audit Trail Controls

• Accounting Audit Trail
– allows auditors to trace and to replicate the processing performed on a data item

• Operations Audit Trail
– data is often critical to effective management of shared system resources


Operations Audit Trail


Content of the Operations Audit Trail

• Resource Consumption Data
– identifies which user consumed a resource

• Security-Sensitive Events
– creates audit trail entries for all changes to password or access privileges files or failed access attempts

• Hardware Malfunctions
– records processor or memory parity errors

• User-Specified Events
– allows users to write their own programs to collect operations data


Interrogating the Operations Audit Trail

1. Specifying audit objectives

2. Extracting data from the operations audit trail that will allow auditors to meet these objectives

3. Sorting the data extracted into the required order

4. Formatting and presenting the results
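The four interrogation steps above, applied to the kinds of entries the previous slide lists, as an added Python example that is not part of the deck. The audit trail lines, their pipe-separated layout and the event names are constructed for the demo; each objective function names its objective (step 1), `interrogate` extracts and sorts (steps 2 and 3), and `present` formats the result (step 4).

```python
from collections import Counter

# Constructed operations audit trail (not from the original deck). Fields:
# timestamp|category|user|event, with "-" as the user for system events.
AUDIT_TRAIL = """\
2024-03-01T08:00:01|RESOURCE|alice|cpu_seconds=12
2024-03-01T08:00:05|SECURITY|bob|failed_access
2024-03-01T08:00:09|SECURITY|bob|failed_access
2024-03-01T08:01:00|HARDWARE|-|memory_parity_error
2024-03-01T08:01:30|SECURITY|alice|password_file_changed
2024-03-01T08:02:00|RESOURCE|bob|cpu_seconds=3
2024-03-01T08:02:15|SECURITY|bob|failed_access
2024-03-01T08:03:00|SECURITY|carol|failed_access
2024-03-01T08:03:02|SECURITY|alice|access_privileges_changed
2024-03-01T08:04:00|RESOURCE|alice|cpu_seconds=7
"""


def parse(trail):
    entries = []
    for line in trail.splitlines():
        if not line.strip():
            continue
        ts, category, user, event = line.split("|", 3)
        entries.append({"ts": ts, "category": category, "user": user, "event": event})
    return entries


def interrogate(entries, objective, key, reverse=False):
    """Steps 2 and 3: extract the entries that serve the objective, then sort them."""
    selected = [e for e in entries if objective(e)]
    return sorted(selected, key=key, reverse=reverse)


def present(rows, columns):
    """Step 4: a fixed-width text report with a header line."""
    lines = [" ".join(f"{c:<24}" for c in columns)]
    for r in rows:
        lines.append(" ".join(f"{str(r[c]):<24}" for c in columns))
    return "\n".join(lines)


def failed_access_by_user(entries):
    """Objective: who generated failed access attempts, most frequent first."""
    rows = interrogate(entries, lambda e: e["event"] == "failed_access", key=lambda e: e["ts"])
    counts = Counter(r["user"] for r in rows)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def privilege_changes(entries):
    """Objective: every change to the password or access-privilege files, in time order."""
    wanted = {"password_file_changed", "access_privileges_changed"}
    rows = interrogate(entries, lambda e: e["event"] in wanted, key=lambda e: e["ts"])
    return [(r["ts"], r["user"], r["event"]) for r in rows]


def cpu_seconds_by_user(entries):
    """Objective: resource consumption charged to each user."""
    rows = interrogate(entries, lambda e: e["category"] == "RESOURCE", key=lambda e: e["user"])
    usage = Counter()
    for r in rows:
        usage[r["user"]] += int(r["event"].split("=", 1)[1])
    return dict(usage)


def demo():
    entries = parse(AUDIT_TRAIL)
    hardware = interrogate(entries, lambda e: e["category"] == "HARDWARE", key=lambda e: e["ts"])
    report = present(hardware, ["ts", "user", "event"])
    return {
        "failed": failed_access_by_user(entries),
        "privilege": privilege_changes(entries),
        "cpu": cpu_seconds_by_user(entries),
        "hardware_report_lines": len(report.splitlines()),
    }
```

Keeping the objective as a predicate passed to one extraction routine means each new audit question is a few lines, and the sort order is chosen per objective (by time for a change history, by frequency for a failed-access review).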


Existence Controls

• Nature of Checkpoint/Restart Controls
– allow programs to be reestablished at some prior, valid intermediate point in their processing and restarted from that point
– cannot guard against long-term or global failures


Functions of Checkpoint Facilities

• Processor-based Scheme
– when a transient fault occurs, this scheme rolls the processor back a small number of instructions and then restarts the processor

• Memory-based Scheme
– relies on having two memory banks for each address. Successful operations are copied from the first memory bank to the second


Processor-based Checkpoint/Restart facility


Memory-based Checkpoint/Restart facility


Auditors' Concerns with Checkpoint/Restart Facilities

• Information written to a log must be secure

• Facilities must be effective and efficient

• Facilities should be well documented

• Facilities should work reliably
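An added Python example, not from the deck, tying the Existence Controls slide (restart from a prior, valid intermediate point) to the first auditor concern above (information written to the log must be secure). Each checkpoint record carries an HMAC tag; on restart the facility resumes from the newest record whose tag verifies, so a corrupted or altered record is skipped rather than trusted. The workload, the key, the checkpoint interval and the `fail_at` hook that simulates a transient failure are all constructed for the demo.

```python
import hashlib
import hmac
import json

# Demo-only key (assumption). A real facility keeps the key away from any
# process that can write the checkpoint log, so an altered record cannot
# simply be re-tagged by whoever altered it.
LOG_KEY = b"constructed-demo-key"


def write_checkpoint(log, position, state):
    """Append a checkpoint record with an authentication tag over its content."""
    record = json.dumps({"pos": position, "state": state}, sort_keys=True)
    tag = hmac.new(LOG_KEY, record.encode(), hashlib.sha256).hexdigest()
    log.append(f"{record}|{tag}")


def last_valid_checkpoint(log):
    """Newest checkpoint whose tag verifies; corrupt or altered records are skipped."""
    for line in reversed(log):
        record, _, tag = line.rpartition("|")
        expected = hmac.new(LOG_KEY, record.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(tag, expected):
            data = json.loads(record)
            return data["pos"], data["state"]
    return 0, {"total": 0}          # nothing trustworthy: restart from the beginning


def process(items, log, every=3, fail_at=None):
    """Sum `items`, checkpointing every `every` records. `fail_at` is a demo-only
    hook that raises mid-run to simulate a transient failure."""
    pos, state = last_valid_checkpoint(log)
    for i in range(pos, len(items)):
        if i == fail_at:
            raise RuntimeError("transient failure")
        state["total"] += items[i]
        if (i + 1) % every == 0:
            write_checkpoint(log, i + 1, state)
    if len(items) % every != 0:
        write_checkpoint(log, len(items), state)
    return state


def demo():
    items = list(range(1, 11))      # constructed workload: 1..10, total 55
    log = []
    try:
        process(items, log, fail_at=7)
    except RuntimeError:
        pass
    restart_pos = last_valid_checkpoint(log)[0]                # checkpoint at 6 survived
    # Simulate corruption of the newest record after the crash.
    log[-1] = log[-1].replace('"total": 21', '"total": 99')
    restart_pos_after_tamper = last_valid_checkpoint(log)[0]   # falls back to 3
    final = process(items, log)
    return {"restart_pos": restart_pos,
            "restart_pos_after_tamper": restart_pos_after_tamper,
            "total": final["total"],
            "records": len(log)}
```

Falling back to an older valid checkpoint costs some reprocessing but never resumes from a state the facility cannot vouch for; as the slide notes, this still does nothing for a long-term or global failure that takes the log itself away.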