Chapter 5 – Designing Trusted Operating Systems

What makes an operating system “secure”? Or “trustworthy”?
How are trusted systems designed, and which of those design principles carry over naturally to other program development tasks?
How do we develop “assurance” of the correctness of a trusted operating system?
Designing Trusted Operating Systems

Primitive security services
• Memory protection
• File protection
• General object access control
• User authentication

An OS is trusted if we have confidence that it provides these four services in a consistent and effective way.
What is a trusted system?

Secure                                                          | Trusted
Either-or: something either is or is not secure                 | Graded: there are degrees of “trustworthiness”
Property of presenter                                           | Property of receiver
Asserted based on product characteristics                       | Judged based on evidence and analysis
Absolute: not qualified as to how, where, when, or by whom used | Relative: viewed in context of use
A goal                                                          | A characteristic
What is a trusted system?
• Trusted process – process that can affect system security
• Trusted product – evaluated and approved product
• Trusted software – software portion of a system that can be relied upon to enforce the security policy
• Trusted computing base – set of all protection mechanisms within a computing system that enforce a unified security policy
• Trusted system – system that employs sufficient hardware and software integrity measures to allow its use for processing sensitive information
Security Policies

Security policy – statement of the security we expect the system to enforce
Military Security Policy
• Based on protecting classified information
• Information access is limited by the need-to-know rule
• Each piece of classified information is associated with one or more compartments

Military Security Policy
• Class (classification) – <rank; compartments>
• Clearance – indication that a person is trusted to access information up to a certain level of sensitivity
• Dominance – subject s may access object O only if s dominates O, written O ≤ s:
    O ≤ s  iff  rank_O <= rank_s  and  compartments_O ⊆ compartments_s
  That is:
  • the clearance level of the subject is at least as high as that of the information, and
  • the subject has a need to know about all compartments for which the information is classified.
Commercial Security Policies
• Data items at any level may have different degrees of sensitivity (public, proprietary, internal)
• No formalized notion of clearances
• No dominance function for most commercial information access
Clark-Wilson Commercial Security Policy
• Well-formed transactions – perform steps in order, exactly as listed, authenticating the individuals who perform the steps
• Goal – maintain consistency between internal data and external expectations of the data
• Constrained data items (CDIs) may be changed only by transformation procedures (TPs); who may run which TP on which CDIs is given by access triples
    <userID, TP_i, {CDI_j, CDI_k, …}>
Commercial Security Policy
• Separation of duty – division of responsibilities among different people, as in a manual system, so that no single person can complete a sensitive transaction alone
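The two Clark-Wilson slides above (access triples and well-formed transactions, then separation of duty) can be put together in one small reference monitor. The code below is an added example, not code from the slides or the textbook: the ledger, the users, the transformation procedures and the pair of duties that must be separated are all constructed for illustration. The monitor only lets a user run a TP when a matching triple exists, runs the TP on a copy of the CDIs, and commits only if the integrity verification procedure (IVP) still holds afterwards; certification refuses to give one user both halves of a separated duty.

```python
"""Clark-Wilson enforcement in miniature: access triples <userID, TP, {CDIs}>,
well-formed transactions checked by an integrity verification procedure (IVP),
and a separation-of-duty rule applied at certification time.
Added example, not code from the slides or the textbook; the ledger, users,
TPs and the separated-duty pair are constructed for illustration."""
from copy import deepcopy


def ivp(data):
    """IVP: internal data must agree with the external expectation (the
    recorded total) and no account may be overdrawn."""
    accounts = [v for k, v in data.items() if k.startswith("acct:")]
    return all(v >= 0 for v in accounts) and sum(accounts) == data["ledger:total"]


# Transformation procedures (TPs): the only code permitted to change CDIs.
def tp_transfer(data, src, dst, amount):
    data[src] -= amount
    data[dst] += amount                     # total unchanged, so the IVP still holds


def tp_deposit_broken(data, dst, amount):
    data[dst] += amount                     # never updates ledger:total -> not well-formed


def tp_reconcile(data):
    data["ledger:total"] = sum(v for k, v in data.items() if k.startswith("acct:"))


TPS = {"transfer": tp_transfer, "deposit": tp_deposit_broken, "reconcile": tp_reconcile}

# Separation of duty: whoever moves money must not also be able to rewrite
# the total that the IVP checks the accounts against.
SEPARATED_DUTIES = {frozenset({"transfer", "reconcile"})}


class ClarkWilsonMonitor:
    def __init__(self, cdis):
        if not ivp(cdis):
            raise ValueError("initial CDI state fails the IVP")
        self.cdis = dict(cdis)
        self.triples = set()                # (userID, TP, frozenset of CDI names)
        self.audit = []                     # who ran which TP on which CDIs

    def can_certify(self, user, tp):
        """False if certifying `user` for `tp` would violate separation of duty."""
        return not any(u == user and frozenset({t, tp}) in SEPARATED_DUTIES
                       for (u, t, _) in self.triples)

    def certify(self, user, tp, cdi_names):
        if tp not in TPS:
            raise KeyError(f"unknown TP {tp}")
        if not self.can_certify(user, tp):
            raise PermissionError(f"{user} cannot hold {tp}: separation of duty")
        self.triples.add((user, tp, frozenset(cdi_names)))

    def run(self, user, tp, cdi_names, **args):
        """Run `tp` for `user` as a well-formed transaction; returns (committed, reason).
        `user` is assumed to have been authenticated by the OS already."""
        targets = frozenset(cdi_names)
        if not any(u == user and t == tp and targets <= c for (u, t, c) in self.triples):
            return False, "no access triple"
        # A TP argument must not smuggle in a CDI the triple does not cover.
        if any(v in self.cdis and v not in targets for v in args.values()):
            return False, "TP argument names a CDI outside the triple"
        working = deepcopy(self.cdis)       # the TP works on a copy ...
        TPS[tp](working, **args)
        if not ivp(working):
            return False, "IVP failed after TP; rolled back"
        self.cdis = working                 # ... committed only if the IVP still holds
        self.audit.append((user, tp, tuple(sorted(targets))))
        return True, "committed"


if __name__ == "__main__":
    m = ClarkWilsonMonitor({"acct:alice": 100, "acct:bob": 50, "ledger:total": 150})
    m.certify("clerk", "transfer", ["acct:alice", "acct:bob"])
    print(m.run("clerk", "transfer", ["acct:alice", "acct:bob"],
                src="acct:alice", dst="acct:bob", amount=30))
    print(m.can_certify("clerk", "reconcile"))      # False: separation of duty
```

The broken deposit TP shows why the post-check matters: a TP that forgets to keep the recorded total in step is caught by the IVP and rolled back, whatever triple authorised it.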
Chinese Wall Security Policy
• Confidentiality policy
• Objects (e.g., files)
• Company groups (all objects concerning a particular company)
• Conflict classes (cluster competing companies)
• Once a subject has read an object from one company group, it may not read objects from any other company group in the same conflict class; the wall is placed by the subject's own access history
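The following is an added example of the Chinese Wall rule in code; it is not from the slides, and the companies, conflict classes and file names are constructed. The decision is stateful: a read that is allowed today changes what the same subject may read tomorrow, and the write rule stops a subject that has read one company's data from writing into another company's files.

```python
"""Chinese Wall (Brewer-Nash) policy: whether a subject may touch an object
depends on which company datasets it has already read.
Added example, not from the slides; companies, conflict classes and file
names are constructed for illustration."""

# Each object belongs to one company dataset; competing companies share a
# conflict-of-interest class.  Sanitized objects belong to no conflict class.
COMPANY_OF = {
    "bank-a/q3-forecast.xlsx": "BankA",
    "bank-b/loan-book.csv":    "BankB",
    "oil-x/well-logs.pdf":     "OilX",
    "oil-y/rig-costs.pdf":     "OilY",
    "public/market-rates.txt": "SANITIZED",
}
CONFLICT_CLASS_OF = {"BankA": "banks", "BankB": "banks", "OilX": "oil", "OilY": "oil"}


class ChineseWall:
    def __init__(self):
        self.history = {}        # subject -> set of company datasets already read

    def _seen(self, subject):
        return self.history.setdefault(subject, set())

    def can_read(self, subject, obj):
        """Simple rule: allowed if obj is sanitized, is in a dataset the subject has
        already read, or is in a conflict class the subject has not yet entered."""
        company = COMPANY_OF[obj]
        if company == "SANITIZED" or company in self._seen(subject):
            return True
        entered = {CONFLICT_CLASS_OF[c] for c in self._seen(subject) if c in CONFLICT_CLASS_OF}
        return CONFLICT_CLASS_OF[company] not in entered

    def read(self, subject, obj):
        """Grant or deny the read; a granted read moves the wall for this subject."""
        if not self.can_read(subject, obj):
            return False
        self._seen(subject).add(COMPANY_OF[obj])
        return True

    def can_write(self, subject, obj):
        """*-rule: write only if the subject may read obj and everything it has read
        is sanitized or belongs to obj's own company, so it cannot carry one
        company's data into another company's files."""
        if not self.can_read(subject, obj):
            return False
        company = COMPANY_OF[obj]
        return all(c in (company, "SANITIZED") for c in self._seen(subject))


if __name__ == "__main__":
    w = ChineseWall()
    print(w.read("ann", "bank-a/q3-forecast.xlsx"))   # True
    print(w.read("ann", "bank-b/loan-book.csv"))      # False: same conflict class
    print(w.read("ann", "oil-x/well-logs.pdf"))       # True: different class
    print(w.can_write("ann", "bank-a/q3-forecast.xlsx"))  # False: has read OilX
```

Note that history is per subject, so two analysts who have each read one bank's data are both fine; the policy is violated only when one person straddles the wall.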
Models of Security

Security models are used to
• Test a particular policy for completeness and consistency
• Document a policy
• Help conceptualize and design an implementation
• Check whether an implementation meets its requirements
Multilevel Security
• Want to build a model to represent a range of sensitivities and to reflect the need to separate subjects from objects to which they should not have access.
• Use the lattice model of security
  • Military security model, where ≤ (dominance) is the ordering relation of the lattice: reflexive, transitive and antisymmetric, and every pair of labels has a least upper bound and a greatest lower bound
  • Commercial security model (public, proprietary, internal)
Bell-La Padula Confidentiality Model
Formal description of allowable paths of information flow in a secure system
• Simple Security Property. A subject s may have read access to an object o only if C(o) <= C(s)
• *-Property. A subject s who has read access to an object o may have write access to an object p only if C(o) <= C(p)
The *-property is used to prevent write-down (a subject with access to high-level data transfers that data by writing it to a low-level object).
Biba Integrity Model
• Simple Integrity Property. Subject s can modify (have write access to) object o only if I(s) >= I(o)
• Integrity *-Property. If subject s has read access to object o with integrity level I(o), s can have write access to object p only if I(o) >= I(p)
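The military dominance relation, the lattice model and the Bell-La Padula and Biba properties above all rest on one comparison of <rank; compartments> labels, so they are shown together here in one added example (not from the slides or the textbook). The level names, compartments and subjects are constructed; the rank is stored as an integer so the same Label class serves both the secrecy lattice C and the integrity lattice I.

```python
"""Lattice labels with dominance, join and meet, plus the Bell-La Padula and
Biba rules exactly as the slides state them.
Added example, not from the slides or the textbook; level names, compartments
and subjects are constructed for illustration."""
from dataclasses import dataclass

SECRECY = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
INTEGRITY = {"untrusted": 0, "user": 1, "system": 2}


@dataclass(frozen=True)
class Label:
    """<rank; compartments>.  rank is an integer so one class serves both C and I."""
    rank: int
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """self >= other: rank at least as high and a superset of compartments."""
        return self.rank >= other.rank and other.compartments <= self.compartments

    def join(self, other):
        """Least upper bound: the lowest label dominating both."""
        return Label(max(self.rank, other.rank), self.compartments | other.compartments)

    def meet(self, other):
        """Greatest lower bound: the highest label both dominate."""
        return Label(min(self.rank, other.rank), self.compartments & other.compartments)


def label(level, *comps, order=SECRECY):
    return Label(order[level], frozenset(comps))


# Bell-La Padula (confidentiality)
def blp_can_read(subject, obj):
    """Simple security property: read o only if C(o) <= C(s)."""
    return subject.dominates(obj)


def blp_can_write(objects_read, target):
    """*-property: having read objects o, write p only if C(o) <= C(p) for every
    such o (no write-down)."""
    return all(target.dominates(o) for o in objects_read)


# Biba (integrity)
def biba_can_write(subject, obj):
    """Simple integrity property: write o only if I(s) >= I(o)."""
    return subject.dominates(obj)


def biba_can_write_after_read(objects_read, target):
    """Integrity *-property: having read o, write p only if I(o) >= I(p), so
    low-integrity input cannot contaminate high-integrity data."""
    return all(o.dominates(target) for o in objects_read)


if __name__ == "__main__":
    s = label("secret", "crypto")
    print(blp_can_read(s, label("confidential")),            # True
          blp_can_read(s, label("secret", "nuclear")),       # False: incomparable labels
          blp_can_write([s], label("unclassified")))        # False: write-down
```

Two labels with the same rank but different compartments are incomparable: neither dominates the other, which is why the model is a lattice rather than a simple ordering of ranks.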
Models Proving Theoretical Limitations of Security Systems
• Graham-Denning Model – introduced the concept of a formal system of protection rules; constructs a model having generic protection properties
• Harrison-Ruzzo-Ullman Model – uses commands involving conditions and primitive operations, where a protection system is a set of subjects, objects, rights, and commands
Take-Grant Systems

Four operations performed by subjects on objects with rights (s is the subject performing the operation):
• Create(o, r) – s creates a new object o and holds rights r on it
• Revoke(o, r) – s gives up rights r that it holds on o
• Grant(o, p, r) – s grants to o access rights r on p; allowed only if s holds the grant right on o and s itself holds r on p
• Take(o, p, r) – s takes (copies to itself) from o access rights r on p; allowed only if s holds the take right on o and o holds r on p
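As an added example of the four operations (not from the slides; subjects, objects and right names are constructed), the protection graph below stores the rights each node holds on each other node as labelled edges. take and grant are themselves rights carried on edges, and each operation refuses to run unless its precondition holds, which is what makes the safety question for this model tractable.

```python
"""Take-Grant protection graph: the four operations and the preconditions
each one requires.  Added example, not from the slides; the subjects,
objects and rights are constructed for illustration."""


class ProtectionGraph:
    """Directed graph: edge x -> y carries the set of rights x holds on y.
    "take" and "grant" are ordinary rights that live on edges."""

    def __init__(self, edges=None):
        self.rights = {}
        for (x, y), rs in (edges or {}).items():
            self.rights[(x, y)] = set(rs)
        self.nodes = {n for e in self.rights for n in e}

    def rights_on(self, x, y):
        return frozenset(self.rights.get((x, y), set()))

    def create(self, s, o, rs):
        """Create(o, r): s creates a new node o and holds rights r on it."""
        if o in self.nodes:
            return False                                   # o already exists
        self.nodes.update({s, o})
        self.rights[(s, o)] = set(rs)
        return True

    def revoke(self, s, o, rs):
        """Revoke(o, r): s gives up rights r it currently holds on o."""
        if not set(rs) <= self.rights.get((s, o), set()):
            return False
        self.rights[(s, o)] -= set(rs)
        return True

    def grant(self, s, o, p, rs):
        """Grant(o, p, r): s gives o rights r on p.  Requires s to hold "grant"
        on o and s itself to hold every right in r on p."""
        if "grant" not in self.rights_on(s, o) or not set(rs) <= self.rights_on(s, p):
            return False
        self.rights.setdefault((o, p), set()).update(rs)
        return True

    def take(self, s, o, p, rs):
        """Take(o, p, r): s copies rights r on p from o.  Requires s to hold "take"
        on o and o to hold every right in r on p; o keeps its own rights."""
        if "take" not in self.rights_on(s, o) or not set(rs) <= self.rights_on(o, p):
            return False
        self.rights.setdefault((s, p), set()).update(rs)
        return True


if __name__ == "__main__":
    g = ProtectionGraph({("carol", "alice"): {"take"}, ("alice", "bob"): {"grant"}})
    g.create("alice", "file", {"read", "write"})
    print(g.grant("alice", "bob", "file", {"read"}))          # True
    print(g.take("carol", "alice", "file", {"read", "write"}))  # True
    print(g.take("bob", "alice", "file", {"read"}))           # False: bob lacks take on alice
```

A failed operation leaves the graph untouched, so the return value can be used directly as the access decision.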
Trusted System Design Elements
• Least privilege – each subject runs with the fewest rights its task needs
• Economy of mechanism – keep the protection mechanism small and simple enough to verify
• Open design – the mechanism must not depend on secrecy of its design
• Complete mediation – every access to every object is checked
• Permission based – the default is denial; access is granted only by explicit permission
• Separation of privilege – sensitive actions require more than one condition or key
• Least common mechanism – minimize mechanisms shared among users
• Ease of use – a mechanism that is hard to use is worked around
Security Features of Ordinary Operating Systems
• Authentication of users
• Protection of memory
• File and I/O device access control
• Allocation and access control to general objects
• Enforcement of sharing
• Guarantee of fair service
• Interprocess communication and synchronization
• Protection of operating system protection data
Security Features of Trusted Operating Systems
• Trusted systems incorporate technology to address both features and assurance
• Objects are accompanied (surrounded) by an access control mechanism
• Memory is separated by user, and data and program libraries have controlled sharing and separation
Security Features of Trusted Operating Systems
• Identification and authentication
  • Require secure identification of individuals; each individual must be uniquely identified
• Mandatory and discretionary access control
  • MAC – access control policy decisions are made beyond the control of the individual owner of the object
  • DAC – leaves access control to the discretion of the object’s owner
  • MAC has precedence over DAC: an access must satisfy both, so an owner’s DAC grant can never override a MAC denial
Security Features of Trusted Operating Systems
• Object reuse protection
  • Prevent leakage through object reuse (a new owner reading what a previous owner left in memory, disk blocks or other storage)
  • OS clears (overwrites) all space before it is reassigned
  • Problem of magnetic remanence: overwritten data may still be recoverable from the medium
• Complete mediation
  • All accesses must be controlled
• Trusted path
  • For critical operations (setting a password, etc.), users want unmistakable communication with the trusted system that no untrusted program can intercept or imitate
Security Features of Trusted Operating Systems
• Accountability and audit
  • Maintain a log of security-relevant events
  • Audit log must be protected from outsiders and from tampering by the users whose actions it records
• Audit log reduction
  • Audit only open and close of files/objects rather than every individual access
• Intrusion detection
  • Build patterns of normal system usage, triggering an alarm any time usage seems abnormal
  • Intrusion prevention
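The last slide describes two things an audit subsystem does: reduce the log to open/close events, and compare current usage against a learned pattern of normal usage. The code below is an added example of both, not from the slides; the record format (timestamp, user, event, object) and the sample events are constructed. The detector learns, per user and event type, the largest count seen in any one-hour window during training, then raises an alert for an event type never seen from that user or for a rate well above its baseline.

```python
"""Audit log reduction plus a baseline-and-deviation intrusion detector over
audit records.  Added example, not from the slides; the record format and
the sample events are constructed for illustration."""
from collections import Counter

# Constructed records: (epoch seconds, user, event, object)
NORMAL_RECORDS = [
    (0,    "alice",  "open",  "/home/alice/report.txt"),
    (5,    "alice",  "write", "/home/alice/report.txt"),
    (9,    "alice",  "close", "/home/alice/report.txt"),
    (3600, "alice",  "open",  "/home/alice/notes.txt"),
    (3610, "alice",  "close", "/home/alice/notes.txt"),
    (100,  "backup", "open",  "/etc/passwd"),
    (101,  "backup", "close", "/etc/passwd"),
]
# Constructed suspect activity: a burst of opens plus an event never seen before.
SUSPECT_RECORDS = [(7200 + i, "alice", "open", f"/etc/secret{i}") for i in range(40)]
SUSPECT_RECORDS.append((7300, "alice", "setuid", "/bin/sh"))


def reduce_log(records, keep=("open", "close")):
    """Audit log reduction: keep only open and close of objects."""
    return [r for r in records if r[2] in keep]


class AnomalyDetector:
    def __init__(self, window=3600, slack=2.0):
        self.window = window          # seconds per counting window
        self.slack = slack            # how far above baseline counts as abnormal
        self.baseline = {}            # (user, event) -> max count per window in training

    def _counts(self, records):
        return Counter((r[1], r[2], r[0] // self.window) for r in records)

    def train(self, records):
        """Learn the pattern of normal usage from records assumed to be benign."""
        for (user, event, _), n in self._counts(records).items():
            key = (user, event)
            self.baseline[key] = max(self.baseline.get(key, 0), n)

    def alerts(self, records):
        """Return (user, event, reason) for every window that departs from baseline."""
        out = []
        for (user, event, w), n in sorted(self._counts(records).items()):
            limit = self.baseline.get((user, event))
            if limit is None:
                out.append((user, event, f"never seen in baseline ({n} in window {w})"))
            elif n > self.slack * limit:
                out.append((user, event, f"{n} per window, baseline max {limit}"))
        return out


if __name__ == "__main__":
    det = AnomalyDetector()
    det.train(NORMAL_RECORDS)
    for alert in det.alerts(SUSPECT_RECORDS):
        print(alert)
```

The reduced log is what would normally be kept long-term; the detector still needs the unreduced stream, since an event like setuid is exactly the kind that reduction to open/close would discard.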
Kernelized Design
• Kernel – part of the OS that performs the lowest-level functions
  • Synchronization, interprocess communication, message passing, interrupt handling
• Security kernel – responsible for enforcing the security mechanism for the entire OS; provides the interface among the hardware, OS, and other parts of the computer system