Operating Systems Security - PowerPoint PPT Presentation

1 / 41
About This Presentation
Title:

Operating Systems Security

Description:

... the design and construction of tightly-coupled multiprocessor hardware with ... How will new hardware designs affect them? ... – PowerPoint PPT presentation

Number of Views:327
Avg rating:3.0/5.0
Slides: 42
Provided by: ronal50
Category:

less

Transcript and Presenter's Notes

Title: Operating Systems Security


1
Operating Systems Security
  • Dr. Ronald Pose
  • Faculty of Information Technology
  • Monash University
  • Melbourne, Australia
  • rdp_at_cs.monash.edu.au
  • http//www.csse.monash.edu.au/rdp

2
Abstract
  • Security is of increasing concern in the modern
    world. Not only is our physical security
    becoming more difficult to maintain, even in the
    developed world, but with the advent of the
    information age, our information and the
    infrastructure via which it is stored, processed
    and communicated, is increasingly important to
    control. The security of our information and its
    supporting infrastructure is the focus of this
    conference. One of the key aspects of keeping
    computerized information secure is keeping the
    computer system secure and vital to that is the
    operating system.

3
Abstract - 2
  • Operating system security is itself paramount if
    we are to secure the information it controls. In
    order to have a secure operating system it must
    be supported by a suitable computer architecture,
    and the implementation of the computer
    architecture must of course itself be
    appropriately engineered. If the underlying
    technology from which the operating system is
    built and on which it is supported is not secure,
    then one can have no confidence in the security
    of the operating system and of the information it
    maintains for the users.

4
Abstract - 3
  • Even should the operating system and its
    supporting infrastructure potentially be secure,
    it is essential to follow appropriate rules so as
    not to allow the users to compromise their own
    security.

5
Abstract - 4
  • Thus, in this short overview of operating systems
    security we will delve into the requirements for
    the supporting computer and communication system,
    look at the design, operation and function of the
    operating system, investigate the implementation
    of a secure operating system, discuss security
    policies that can be supported by the system, and
    attempt to bring this complex structure together
    in a way that provides some insight into the
    design, construction and operation of a secure
    operating system.

6
Acknowledgements
This is primarily a personal view of the current
state of operating systems security. At the end
I include some references but this is not a
complete survey. This presentation also contains
material taken from the background chapters of
Dan Mossops PhD thesis.
7
Biographical Sketch
Ronald Pose completed his B.Sc.(Hons) degree and
his Ph.D. at Monash University, Melbourne,
Australia. He majored in both Chemistry and in
Computer Science, with a minor in Mathematical
Statistics. His Ph.D. involved the design and
implementation of a novel capability-based
operating system kernel, the Password-Capability
System, and the design and construction of
tightly-coupled multiprocessor hardware with
novel addressing mechanisms to support it. In
1987 Ronald Pose was employed as a Research
Scientist at Telecom Australia Research
Laboratories where he worked on the application
of public key cryptography and authentication and
certification techniques. He joined the faculty
of Monash University in 1988. There he has
supervised a number of research students with
whom he has worked on a wide variety of research
projects including neural networks, genetic
algorithm function optimization, network routing,
low latency virtual reality address recalculation
pipeline display system, and self-reconfigurable
computer systems. Dr. Pose's current research
interests include virtual reality and
telerobotics technology, computer architecture,
parallel and distributed computer systems
architecture, secure operating systems,
reconfigurable computer systems architecture,
multiprocessor interconnection networks, wireless
ad hoc networks and spread-spectrum microwave
communication technology, computer system
security. He currently has Ph.D. students
working on computer security analysis, multi-user
virtual reality, and wireless ad-hoc networking.
8
Presentation Overview
  • Security
  • General Definitions
  • Role of the Operating System
  • Security Policies
  • Access Matrix Style
  • Role Based
  • Confinement of Information
  • Principle of Least Authority
  • Operating System Security
  • Requirements for Implementing a Secure Operating
    System
  • Supporting Hardware
  • Computer System Environment
  • What Security Services are Provided by the
    Operating System
  • Resource Security
  • Service Security
  • Communication Security
  • Other Security
  • Operating System Design Options
  • Access Control Lists

9
Background
  • I will assume that the audience has used a
    computer and has some familiarity with a popular
    operating system such as Microsoft Windows XP,
    Unix, or MacOS. While each of these has the
    characteristics of an operating system, none of
    them could be considered very secure. That is
    not to say that the world is necessarily at great
    peril in terms of its information systems given
    that the vast majority of computer systems use
    such operating systems, however computer systems
    security can never be extremely strong while we
    continue with current systems and practices.

10
Setting the scene
  • An important issue is how important is security,
    and how much are we willing to pay for it, in
    financial, convenience, performance and other
    terms. A perfectly secure system is unlikely to
    be popular since it will by necessity, omit many
    of the popular but highly insecure features to
    which people have become accustomed.
    Interestingly many of the emerging problems that
    are now plaguing us as computer users, like junk
    e-mail, computer viruses and worms, and loss of
    privacy, are largely self-inflicted, through use
    of insecure technologies. E-mail was safe
    before the advent of attachments, especially
    executable attachments. Web surfing was safe
    before executable applets and other active sites
    became possible and popular. However operating
    systems have never really been secure in
    themselves. They have tended to rely on skilled
    users and administrators to cooperate in
    maintaining security. Now that the end user and
    administrator is likely to be technically naïve,
    it is more important to design and produce
    systems that give the lay users some hope of
    maintaining their information security. This
    requires good operating systems security
    infrastructure provided in a form that is easy to
    use and understand.

11
Setting the scene - 2
  • In this talk I can only outline the basic
    principles and give pointers to appropriate
    technologies that can assist us in our search for
    information security. This is an open field
    where there is a real need for new ideas, and an
    even bigger need to question the current
    practices. We have sold the public a way of
    dealing with information that is inherently
    insecure, and have made these unsafe practices
    and technology ubiquitous. Huge industries have
    developed based on insecurity of information and
    in trading information. These could be
    threatened by widespread use of secure systems.
    Similarly there are many governments around the
    world that have vested interests in ensuring that
    peoples information systems are insecure, so as
    to allow monitoring of the population are their
    activities. There are enormous legal questions
    regarding the safeguarding of information,
    information privacy, international law,
    intellectual property etc. Interestingly these
    issues can all impact on the design,
    implementation, deployment and use of secure
    operating systems.

12
Security - definitions
  • a computer is secure if you can depend on it and
    its software to behave as you expect
  • Garfinkel et al. (2003)
  • the ability of a system to protect information
    and system resources with respect to
    confidentiality and integrity
  • Ross (1999)
  • deals with the prevention and detection of
    unauthorized actions by users of a computer
    system
  • Gollman (1999)

13
Security - definitions 2
  • a secure system is a system on which enough
    trust can be put to use it together with
    sensitive information
  • Olovsson (1992)
  • concerned with the protection of valuable assets
    from harm, which is a significant negative
    consequence to the asset security deals with
    malicious harm, which is harm resulting from
    attacks or probes by someone or something playing
    the role of attacker
  • Firesmith (2004)

14
Role of the Operating System
  • The operating system can be considered in various
    ways
  • an intermediary between the user software and the
    hardware
  • an abstraction layer providing an idealized view
    of the computer hardware
  • a virtual machine
  • a set of services

15
Security Policies
  • Mandatory
  • applied on a system-wide basis
  • A means of restricting access to objects based
    on the sensitivity of the information contained
    in the objects and the formal authorization of
    subjects to access information of such
    sensitivity - US DoD
  • Discretionary
  • it is the users rather than the system
    restricting access
  • A means of restricting access to objects based
    on the identity of subjects and/or groups to
    which they belong. The controls are
    discretionary in the sense that a subject with a
    certain access permission is capable of passing
    that permission on to any other subject (unless
    restrained by mandatory access control) - US DoD

16
Security Policies - 2
  • Access matrix style (Lampson 1974)
  • Mapping of access of subjects to objects
  • Role based
  • Developed to address the needs of civilian rather
    than military needs
  • Access is restricted based on the role the
    individual has in the organization
  • An individual may have multiple roles
  • Roles may change over time

17
Properties of Security Policies
  • Confidentiality
  • Integrity
  • Availability
  • Confinement
  • Identity
  • Anonymity
  • Non-repudiation

18
Confinement of Information
  • Lampson (1973) defined confinement as preventing
    an executing program from transmitting
    information to any other program except its
    caller
  • A related confinement problem is that of ensuring
    a program can only receive information from its
    caller
  • It may be possible for the caller to authorize
    some communication of information

19
Security Policy Examples
  • Bell-LaPadula (1973)
  • mandatory policy
  • designed to preserve confidentiality
  • each subject and object is assigned a
    classification - public, confidential, secret,
    top secret.
  • subjects can only read information at their
    classification or lower
  • Subjects can only write information to objects of
    equal or higher classification

20
Security Policy Examples - 2
  • Biba (1977)
  • mandatory
  • aims to ensure integrity of information
  • each subject and object is assigned an integrity
    classification - lowest, low, high, highest
  • subjects can only read information at their
    integrity classification or higher
  • subjects can only write information to objects of
    equal or lower integrity classification

21
Security Policy Examples - 3
  • Clark-Wilson (1987)
  • mandatory
  • designed to ensure integrity of information
  • data items in the model are either constrained or
    unconstrained
  • Integrity verification procedures determine
    whether a given data item satisfied integrity
    constraints
  • Transformation procedures move data items from
    one valid state to another
  • constrained data items may have restrictions
    specified on allowable transformation procedures
  • enforces separation of duty - different users
    must certify integrity and transformation
    procedures

22
Security Policy Examples - 4
  • Chinese Wall (Brewer Nash 1989)
  • mandatory
  • role based security policy
  • corporate information is organized in 3 levels
  • Lowest level - individual items about a single
    corporation
  • Middle level - information grouped by corporation
  • Highest level - corporations in competition
    grouped together
  • highest level groupings form conflict of interest
    classes
  • Information may be accessed by a user only if it
    does bot conflict with any other information he
    holds

23
Principle of Least Authority
  • It is considered good security practice to allow
    a subject access to information or authority to
    do anything, only when it is necessary for his
    doing the job in question
  • Ideally this would be enforced by a security
    policy and by the operating system supporting it

24
Operating System Security
  • What kinds of security policies should be
    supported?
  • What security services are required?
  • Where are the boundaries of the system?
  • Is it a distributed system?
  • Are users distributed across time and space?
  • Is there any concurrency involved?

25
Requirements for Implementation of Secure
Operating Systems
  • Supporting hardware
  • Is virtualization needed?
  • Is there fine enough access control in H/W?
  • Is there adequate control at H/W level?
  • Can H/W ensure O/S cannot be bypassed?
  • Can the H/W support the required resources?
  • Is the H/W scalable adequately?
  • Is there support for multiple levels of privilege?

26
Requirements for Implementation of Secure
Operating Systems - 2
  • Computer System Environment
  • Is the computer system in a secure environment?
  • Are there adequate power, cooling, etc.?
  • Is it networked?
  • If so, is the networking environment secure?
  • Are there backup or redundant H/W resources?

27
What Security Services are Provided by the
Operating System?
  • Resource security
  • Service security
  • Communication security
  • Authentication of users
  • Authentication of resources
  • Privacy
  • Anonymity
  • Other security services

28
Operating System Design Options
  • Access Control Lists (ACL)
  • Common method of implementing access matrices
  • Each object (resource) has a list of authorized
    subjects (users) who may obtain specified access
    rights to that object
  • Subjects must be authenticated
  • Unix, Windows XP, and many others

29
Operating System Design Options - 2
  • Capabilities
  • Dennis and Van Horn (1966)
  • An alternative method of implementing access
    matrices
  • Each subject (user) has possession of a set of
    tokens, each granting authorization to gain
    access to an object
  • Subjects may be anonymous
  • Capabilities must be protected from forgery or
    modifcation to increase access rights

30
Capabilities versus ACLs
  • ACL may be likened to a guard at the door to an
    object/resource
  • He checks whether the subject/user is on the
    authorized list, and only then lets them in
  • Capabilities may be likened to door keys
  • Objects/resources are protected by locks, and
    only those with keys can get in
  • Possession of a key that works is all that is
    required

31
Capabilities versus ACLs - 2
  • ACLs and Capabilities appear to be equivalent
    ways of expressing the permissions described by
    the access matrix
  • There are dynamic and operational differences
    especially when considering role-based security
    policies or when there are dynamic changes in
    authorizations
  • Capabilities have extra flexibility
  • Hybrid schemes are possible

32
Capability Implementations
  • Tagged
  • Each word of memory is tagged by the hardware to
    indicate whether it is a capability or not
  • Segregated
  • Capabilities are stored in separate memory
    segments or capability-lists protected by the
    operating system
  • Encrypted
  • Capabilities are encrypted to protect them
  • Password-Capabilities
  • Capabilities are protected with a random password

33
Support for Object-Orientation
  • Operating system support for object-oriented
    systems is essential to ensure security of such
    systems in terms of enforcing the
    object-orientation methodology
  • Otherwise the object-orientation is simply a
    convention

34
Analysis of operating system security
  • A formal requirements analysis
  • A formal risk analysis
  • A formal operating system security analysis
  • All are required to have certifiable confidence
    in operating systems security

35
Requirements for Operating System Security
Analysis
  • Simple conceptual model
  • Small implementation
  • Well defined specifications and implementation
  • Well defined communication paths

36
Impact of Operating Systems Design on Users
  • ACL and Capability paradigms appear quite
    differently to users
  • ACLs are more familiar in terms of computing
  • There is a simple login (authentication) process
    and then all resources are available
  • Owners may add others to ACLs as appropriate
  • Capability systems appear differently
  • Capabilities must be distributed to the required
    users
  • Capabilities may be passed on to third parties
    depending on security policy
  • Potentially no login process, but must present a
    capability for every resource to be accessed

37
Future of Operating Systems
  • Are they a bonus or a liability?
  • Should we have them?
  • We require new paradigms for O/S security
  • How will new hardware designs affect them?
  • Good topic for a conference session since it
    affects security, usability, and many other
    issues.

38
References
  • Anderson, M.S., Pose, R.D. and Wallace,C.S.
    (1986)
  • The Password-Capability System, The Computer
    Journal, 29(1) 1-8
  • Wallace, C.S. and Pose, R.D. (1990)
  • Charging in a Secure Environment, in J. Rosenberg
    and J. Keedy (eds), Security and Persistence,
    Bremen, Springer-Verlag, pp.85-97

39
References - 2
  • Bell, D.E. and LaPadula, L.J. (1973)
  • Secure computer systems mathematical
    foundations. Tech. Rep. 2547 (Volume 1), Mitre
    Corp, Massachusetts, USA
  • Biba, K.J. (1977)
  • Integrity considerations for secure computer
    systems. Tech. Rep. ESD-TR-76-372, USAF
    Electronic Systems Division, Hanscon Airforce
    Base, Massachusetts, USA
  • Clark, D.D. and Wilson, D.R. (1987)
  • A comparison of commercial and military computer
    security policies, Proc. IEEE Symp. On Security
    and Privacy, pp.184-194.
  • Dennis, J.B. and Van Horn, E.C. (1966)
  • Programming semantics for multiprogrammed
    computations, CACM 9(3) 143-155.

40
References - 3
  • Firesmith, D.G. (2004)
  • A taxonomy of safety-related requirements.
    Requirements Engineering 2004 (RE04),
    Requirements for High Assurance Systems (RHAS),
    Kyoto, Japan, IEEE CS.
  • Garfinkel, S., Spafford, G. and Schwarz, A.
    (2003)
  • Practical Unix and Internet Security, 3rd ed.,
    OReilly, California, USA. ISBN 0-596-00323-4
  • Gollman, D. (1999)
  • Computer Security, John Wiley Sons Ltd.,
    ISBN 0-471-38922-6
  • Lampson, B.W. (1973)
  • A note on the confinement problem, CACM 16(10)
    613-615
  • Lampson, B.W. (1974)
  • Protection, ACM Operating Systems Review
    8(1)18-24
  • Olovsson, T. (1992)
  • A structured approach to computer security, Tech.
    Rep. 122, Chalmers University of Technology,
    Sweden

41
References - 4
  • Ross, S.T. (1999)
  • UNIX System Security Tools, McGraw-Hill, ISBN
    0-079-13788-1
Write a Comment
User Comments (0)
About PowerShow.com