Title: Operating Systems Security
1Operating Systems Security
- Dr. Ronald Pose
- Faculty of Information Technology
- Monash University
- Melbourne, Australia
- rdp_at_cs.monash.edu.au
- http//www.csse.monash.edu.au/rdp
2Abstract
- Security is of increasing concern in the modern
world. Not only is our physical security
becoming more difficult to maintain, even in the
developed world, but with the advent of the
information age, our information and the
infrastructure via which it is stored, processed
and communicated, is increasingly important to
control. The security of our information and its
supporting infrastructure is the focus of this
conference. One of the key aspects of keeping
computerized information secure is keeping the
computer system secure and vital to that is the
operating system.
3Abstract - 2
- Operating system security is itself paramount if
we are to secure the information it controls. In
order to have a secure operating system it must
be supported by a suitable computer architecture,
and the implementation of the computer
architecture must of course itself be
appropriately engineered. If the underlying
technology from which the operating system is
built and on which it is supported is not secure,
then one can have no confidence in the security
of the operating system and of the information it
maintains for the users.
4Abstract - 3
- Even should the operating system and its
supporting infrastructure potentially be secure,
it is essential to follow appropriate rules so as
not to allow the users to compromise their own
security.
5Abstract - 4
- Thus, in this short overview of operating systems
security we will delve into the requirements for
the supporting computer and communication system,
look at the design, operation and function of the
operating system, investigate the implementation
of a secure operating system, discuss security
policies that can be supported by the system, and
attempt to bring this complex structure together
in a way that provides some insight into the
design, construction and operation of a secure
operating system.
6Acknowledgements
This is primarily a personal view of the current
state of operating systems security. At the end
I include some references but this is not a
complete survey. This presentation also contains
material taken from the background chapters of
Dan Mossops PhD thesis.
7Biographical Sketch
Ronald Pose completed his B.Sc.(Hons) degree and
his Ph.D. at Monash University, Melbourne,
Australia. He majored in both Chemistry and in
Computer Science, with a minor in Mathematical
Statistics. His Ph.D. involved the design and
implementation of a novel capability-based
operating system kernel, the Password-Capability
System, and the design and construction of
tightly-coupled multiprocessor hardware with
novel addressing mechanisms to support it. In
1987 Ronald Pose was employed as a Research
Scientist at Telecom Australia Research
Laboratories where he worked on the application
of public key cryptography and authentication and
certification techniques. He joined the faculty
of Monash University in 1988. There he has
supervised a number of research students with
whom he has worked on a wide variety of research
projects including neural networks, genetic
algorithm function optimization, network routing,
low latency virtual reality address recalculation
pipeline display system, and self-reconfigurable
computer systems. Dr. Pose's current research
interests include virtual reality and
telerobotics technology, computer architecture,
parallel and distributed computer systems
architecture, secure operating systems,
reconfigurable computer systems architecture,
multiprocessor interconnection networks, wireless
ad hoc networks and spread-spectrum microwave
communication technology, computer system
security. He currently has Ph.D. students
working on computer security analysis, multi-user
virtual reality, and wireless ad-hoc networking.
8Presentation Overview
- Security
- General Definitions
- Role of the Operating System
- Security Policies
- Access Matrix Style
- Role Based
- Confinement of Information
- Principle of Least Authority
- Operating System Security
- Requirements for Implementing a Secure Operating
System - Supporting Hardware
- Computer System Environment
- What Security Services are Provided by the
Operating System - Resource Security
- Service Security
- Communication Security
- Other Security
- Operating System Design Options
- Access Control Lists
9Background
- I will assume that the audience has used a
computer and has some familiarity with a popular
operating system such as Microsoft Windows XP,
Unix, or MacOS. While each of these has the
characteristics of an operating system, none of
them could be considered very secure. That is
not to say that the world is necessarily at great
peril in terms of its information systems given
that the vast majority of computer systems use
such operating systems, however computer systems
security can never be extremely strong while we
continue with current systems and practices.
10Setting the scene
- An important issue is how important is security,
and how much are we willing to pay for it, in
financial, convenience, performance and other
terms. A perfectly secure system is unlikely to
be popular since it will by necessity, omit many
of the popular but highly insecure features to
which people have become accustomed.
Interestingly many of the emerging problems that
are now plaguing us as computer users, like junk
e-mail, computer viruses and worms, and loss of
privacy, are largely self-inflicted, through use
of insecure technologies. E-mail was safe
before the advent of attachments, especially
executable attachments. Web surfing was safe
before executable applets and other active sites
became possible and popular. However operating
systems have never really been secure in
themselves. They have tended to rely on skilled
users and administrators to cooperate in
maintaining security. Now that the end user and
administrator is likely to be technically naïve,
it is more important to design and produce
systems that give the lay users some hope of
maintaining their information security. This
requires good operating systems security
infrastructure provided in a form that is easy to
use and understand.
11Setting the scene - 2
- In this talk I can only outline the basic
principles and give pointers to appropriate
technologies that can assist us in our search for
information security. This is an open field
where there is a real need for new ideas, and an
even bigger need to question the current
practices. We have sold the public a way of
dealing with information that is inherently
insecure, and have made these unsafe practices
and technology ubiquitous. Huge industries have
developed based on insecurity of information and
in trading information. These could be
threatened by widespread use of secure systems.
Similarly there are many governments around the
world that have vested interests in ensuring that
peoples information systems are insecure, so as
to allow monitoring of the population are their
activities. There are enormous legal questions
regarding the safeguarding of information,
information privacy, international law,
intellectual property etc. Interestingly these
issues can all impact on the design,
implementation, deployment and use of secure
operating systems.
12Security - definitions
- a computer is secure if you can depend on it and
its software to behave as you expect - Garfinkel et al. (2003)
- the ability of a system to protect information
and system resources with respect to
confidentiality and integrity - Ross (1999)
- deals with the prevention and detection of
unauthorized actions by users of a computer
system - Gollman (1999)
13Security - definitions 2
- a secure system is a system on which enough
trust can be put to use it together with
sensitive information - Olovsson (1992)
- concerned with the protection of valuable assets
from harm, which is a significant negative
consequence to the asset security deals with
malicious harm, which is harm resulting from
attacks or probes by someone or something playing
the role of attacker - Firesmith (2004)
14Role of the Operating System
- The operating system can be considered in various
ways - an intermediary between the user software and the
hardware - an abstraction layer providing an idealized view
of the computer hardware - a virtual machine
- a set of services
15Security Policies
- Mandatory
- applied on a system-wide basis
- A means of restricting access to objects based
on the sensitivity of the information contained
in the objects and the formal authorization of
subjects to access information of such
sensitivity - US DoD - Discretionary
- it is the users rather than the system
restricting access - A means of restricting access to objects based
on the identity of subjects and/or groups to
which they belong. The controls are
discretionary in the sense that a subject with a
certain access permission is capable of passing
that permission on to any other subject (unless
restrained by mandatory access control) - US DoD
16Security Policies - 2
- Access matrix style (Lampson 1974)
- Mapping of access of subjects to objects
- Role based
- Developed to address the needs of civilian rather
than military needs - Access is restricted based on the role the
individual has in the organization - An individual may have multiple roles
- Roles may change over time
17Properties of Security Policies
- Confidentiality
- Integrity
- Availability
- Confinement
- Identity
- Anonymity
- Non-repudiation
18Confinement of Information
- Lampson (1973) defined confinement as preventing
an executing program from transmitting
information to any other program except its
caller - A related confinement problem is that of ensuring
a program can only receive information from its
caller - It may be possible for the caller to authorize
some communication of information
19Security Policy Examples
- Bell-LaPadula (1973)
- mandatory policy
- designed to preserve confidentiality
- each subject and object is assigned a
classification - public, confidential, secret,
top secret. - subjects can only read information at their
classification or lower - Subjects can only write information to objects of
equal or higher classification
20Security Policy Examples - 2
- Biba (1977)
- mandatory
- aims to ensure integrity of information
- each subject and object is assigned an integrity
classification - lowest, low, high, highest - subjects can only read information at their
integrity classification or higher - subjects can only write information to objects of
equal or lower integrity classification
21Security Policy Examples - 3
- Clark-Wilson (1987)
- mandatory
- designed to ensure integrity of information
- data items in the model are either constrained or
unconstrained - Integrity verification procedures determine
whether a given data item satisfied integrity
constraints - Transformation procedures move data items from
one valid state to another - constrained data items may have restrictions
specified on allowable transformation procedures - enforces separation of duty - different users
must certify integrity and transformation
procedures
22Security Policy Examples - 4
- Chinese Wall (Brewer Nash 1989)
- mandatory
- role based security policy
- corporate information is organized in 3 levels
- Lowest level - individual items about a single
corporation - Middle level - information grouped by corporation
- Highest level - corporations in competition
grouped together - highest level groupings form conflict of interest
classes - Information may be accessed by a user only if it
does bot conflict with any other information he
holds
23Principle of Least Authority
- It is considered good security practice to allow
a subject access to information or authority to
do anything, only when it is necessary for his
doing the job in question - Ideally this would be enforced by a security
policy and by the operating system supporting it
24Operating System Security
- What kinds of security policies should be
supported? - What security services are required?
- Where are the boundaries of the system?
- Is it a distributed system?
- Are users distributed across time and space?
- Is there any concurrency involved?
25Requirements for Implementation of Secure
Operating Systems
- Supporting hardware
- Is virtualization needed?
- Is there fine enough access control in H/W?
- Is there adequate control at H/W level?
- Can H/W ensure O/S cannot be bypassed?
- Can the H/W support the required resources?
- Is the H/W scalable adequately?
- Is there support for multiple levels of privilege?
26Requirements for Implementation of Secure
Operating Systems - 2
- Computer System Environment
- Is the computer system in a secure environment?
- Are there adequate power, cooling, etc.?
- Is it networked?
- If so, is the networking environment secure?
- Are there backup or redundant H/W resources?
27What Security Services are Provided by the
Operating System?
- Resource security
- Service security
- Communication security
- Authentication of users
- Authentication of resources
- Privacy
- Anonymity
- Other security services
28Operating System Design Options
- Access Control Lists (ACL)
- Common method of implementing access matrices
- Each object (resource) has a list of authorized
subjects (users) who may obtain specified access
rights to that object - Subjects must be authenticated
- Unix, Windows XP, and many others
29Operating System Design Options - 2
- Capabilities
- Dennis and Van Horn (1966)
- An alternative method of implementing access
matrices - Each subject (user) has possession of a set of
tokens, each granting authorization to gain
access to an object - Subjects may be anonymous
- Capabilities must be protected from forgery or
modifcation to increase access rights
30Capabilities versus ACLs
- ACL may be likened to a guard at the door to an
object/resource - He checks whether the subject/user is on the
authorized list, and only then lets them in - Capabilities may be likened to door keys
- Objects/resources are protected by locks, and
only those with keys can get in - Possession of a key that works is all that is
required
31Capabilities versus ACLs - 2
- ACLs and Capabilities appear to be equivalent
ways of expressing the permissions described by
the access matrix - There are dynamic and operational differences
especially when considering role-based security
policies or when there are dynamic changes in
authorizations - Capabilities have extra flexibility
- Hybrid schemes are possible
32Capability Implementations
- Tagged
- Each word of memory is tagged by the hardware to
indicate whether it is a capability or not - Segregated
- Capabilities are stored in separate memory
segments or capability-lists protected by the
operating system - Encrypted
- Capabilities are encrypted to protect them
- Password-Capabilities
- Capabilities are protected with a random password
33Support for Object-Orientation
- Operating system support for object-oriented
systems is essential to ensure security of such
systems in terms of enforcing the
object-orientation methodology - Otherwise the object-orientation is simply a
convention
34Analysis of operating system security
- A formal requirements analysis
- A formal risk analysis
- A formal operating system security analysis
- All are required to have certifiable confidence
in operating systems security
35Requirements for Operating System Security
Analysis
- Simple conceptual model
- Small implementation
- Well defined specifications and implementation
- Well defined communication paths
36Impact of Operating Systems Design on Users
- ACL and Capability paradigms appear quite
differently to users - ACLs are more familiar in terms of computing
- There is a simple login (authentication) process
and then all resources are available - Owners may add others to ACLs as appropriate
- Capability systems appear differently
- Capabilities must be distributed to the required
users - Capabilities may be passed on to third parties
depending on security policy - Potentially no login process, but must present a
capability for every resource to be accessed
37Future of Operating Systems
- Are they a bonus or a liability?
- Should we have them?
- We require new paradigms for O/S security
- How will new hardware designs affect them?
- Good topic for a conference session since it
affects security, usability, and many other
issues.
38References
- Anderson, M.S., Pose, R.D. and Wallace,C.S.
(1986) - The Password-Capability System, The Computer
Journal, 29(1) 1-8 - Wallace, C.S. and Pose, R.D. (1990)
- Charging in a Secure Environment, in J. Rosenberg
and J. Keedy (eds), Security and Persistence,
Bremen, Springer-Verlag, pp.85-97
39References - 2
- Bell, D.E. and LaPadula, L.J. (1973)
- Secure computer systems mathematical
foundations. Tech. Rep. 2547 (Volume 1), Mitre
Corp, Massachusetts, USA - Biba, K.J. (1977)
- Integrity considerations for secure computer
systems. Tech. Rep. ESD-TR-76-372, USAF
Electronic Systems Division, Hanscon Airforce
Base, Massachusetts, USA - Clark, D.D. and Wilson, D.R. (1987)
- A comparison of commercial and military computer
security policies, Proc. IEEE Symp. On Security
and Privacy, pp.184-194. - Dennis, J.B. and Van Horn, E.C. (1966)
- Programming semantics for multiprogrammed
computations, CACM 9(3) 143-155.
40References - 3
- Firesmith, D.G. (2004)
- A taxonomy of safety-related requirements.
Requirements Engineering 2004 (RE04),
Requirements for High Assurance Systems (RHAS),
Kyoto, Japan, IEEE CS. - Garfinkel, S., Spafford, G. and Schwarz, A.
(2003) - Practical Unix and Internet Security, 3rd ed.,
OReilly, California, USA. ISBN 0-596-00323-4 - Gollman, D. (1999)
- Computer Security, John Wiley Sons Ltd.,
ISBN 0-471-38922-6 - Lampson, B.W. (1973)
- A note on the confinement problem, CACM 16(10)
613-615 - Lampson, B.W. (1974)
- Protection, ACM Operating Systems Review
8(1)18-24 - Olovsson, T. (1992)
- A structured approach to computer security, Tech.
Rep. 122, Chalmers University of Technology,
Sweden
41References - 4
- Ross, S.T. (1999)
- UNIX System Security Tools, McGraw-Hill, ISBN
0-079-13788-1