
Secure Operating Systems Lesson 9: Multics

Where are we?
- We now know all the background… so it's time to figure out why Dr. Ford likes Multics so very much
- Multics is pretty much the poster child for "proper" system design
- And we did it years ago

A Little History: 1963
- Cuba transactions made illegal
- Debut of Iron Man!!!
- Beatles release their first album…
- First James Bond movie
- UCF founded
- ZIP codes introduced
- IEEE founded, ASCII introduced
- Kevin Mitnick born ;)

In the Midst…
- The Multics project begins
- The move from batch systems to timesharing
- Released as a commercial product in 1973… that's a 10 year development cycle

Processes
- We're very comfortable with this idea, but it was newer then
- Processes are the things that execute stuff in Multics
- All the things the process accesses are stored as "segments"
- The "protection domain" determines the segments a process can access

Segments
- These are created hierarchically
- This became the roadmap to things like the Unix file system
- The process has a descriptor segment which contains a set of segment descriptor words (SDWs) that refer to all the segments the process can access directly

Security
- Three primary parts: the supervisor, protection rings, and SDWs
- The supervisor is the ultimate arbiter – it decides if a process can have an SDW
  - It is isolated from other processes by protection rings (64 possible)
  - The basic idea was to protect the supervisor from unauthorized changes

Segment Access Control
- Simple ACL
  - Segments: read, write, execute
  - Directories: status, modify, append
- However, the SDW also includes rings and brackets – this can be a little tricky
- To grant access, the ACL and the access brackets must both allow…

Rings/Brackets
- Imagine we have code running in ring r
- Access brackets define access – the range of rings is (r1, r2) where r1 < r2
- If r < r1, the process has full access (r/w)
- If r1 ≤ r ≤ r2, the process can read the segment only
- If r2 < r, the process has no access

Call Brackets
- Imagine we have code running in ring r, trying to invoke a code segment
- Call brackets define access – the range of rings is (r2, r3) where r2 ≤ r3
- If r < r1, the process can execute, but there is a loss of privilege: r changes to r'
- If r1 ≤ r ≤ r2, the process executes with its current privilege
- If r2 ≤ r ≤ r3, the process executes with higher privilege IF the entry location is authorized by the gates
- If r3 < r, the process has no access

MLS
- Multilevel Security was pioneered by Multics – the policy prevents a subject from reading data that is "more secret" than itself, or writing to objects that are "less secret"
- This is part and parcel of the way the Multics protection system worked
  - MLS is MAC; ACLs and ring brackets are DAC
- Think about performance for a minute…
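As an added worked example (not part of the slides), the decision rules from the Segment Access Control, Rings/Brackets, Call Brackets and MLS slides coded together: a request passes only if the MLS check and the discretionary check (ACL and access bracket) both allow it, and a call into a code segment resolves to the ring the callee will run in. The segment values, the integer sensitivity scale, and the two rings the slides leave open (the r' of a downward call is taken as r1, a gated call runs in r2) are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Segment:
    """A segment as the slides describe it: an ACL plus ring brackets (constructed values)."""
    acl: set                                # ACL grants to the requesting principal: "r", "w", "e"
    r1: int                                 # access bracket is (r1, r2), call bracket is (r2, r3)
    r2: int
    r3: int
    gates: set = field(default_factory=set) # entry offsets a caller in the call bracket may target
    level: int = 0                          # MLS sensitivity (higher = more secret); assumed scale

def bracket_access(r, seg):
    """Access-bracket rule: rings below r1 get read/write, rings inside the bracket read only."""
    if r < seg.r1:
        return {"r", "w"}
    if r <= seg.r2:
        return {"r"}
    return set()

def dac_allows(r, seg, op):
    """Discretionary check: the ACL and the access bracket must both allow the operation."""
    return op in seg.acl and op in bracket_access(r, seg)

def mls_allows(subject_level, seg, op):
    """Mandatory check: no reading 'more secret' data, no writing to 'less secret' objects."""
    if op == "r":
        return subject_level >= seg.level
    if op == "w":
        return subject_level <= seg.level
    return True

def segment_access(r, subject_level, seg, op):
    """MAC (MLS) and DAC (ACL plus brackets) must both pass."""
    return mls_allows(subject_level, seg, op) and dac_allows(r, seg, op)

def call_segment(r, seg, entry):
    """Call-bracket rule: the ring the callee runs in, or None when the call is denied.
    Assumption (the slides leave it open): a downward call lands in r1, a gated call runs in r2."""
    if "e" not in seg.acl:
        return None
    if r < seg.r1:
        return seg.r1                       # executes, but privilege is lost (the slide's r')
    if r <= seg.r2:
        return r                            # executes with the caller's current privilege
    if r <= seg.r3:
        return seg.r2 if entry in seg.gates else None   # more privilege only through a gate
    return None                             # r3 < r: no access at all
```

Checking the order of the ring tests shows why the gate matters: a ring-4 caller reaches a ring-1/2 supervisor segment only at a listed gate entry, while the same caller reading a data segment still needs both an ACL grant and an access bracket that includes ring 4.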

The Gatekeeper
- Multics tries hard to prevent the confused deputy problem…
- The gatekeeper carefully (!) checks the parameters passed when privilege increases
- The gatekeeper sometimes copies code to avoid giving a whole segment of the caller to the callee
- The kernel is split between rings 0 and 1 – the gatekeeper is in ring 0

Security Eval
- Need: complete mediation, tamper proofing, and verifiability
- How does Multics do?

Discussion
- How does the reference monitor interface ensure that all security-sensitive operations are mediated correctly?
- Does the reference monitor interface mediate security-sensitive operations on all system resources?
- How do we verify that the reference monitor interface provides complete mediation?

Discussion
- How does the system protect the reference monitor from modification?
- Does the protection system protect all of the TCB?
- What is the basis for the correctness of the system's TCB?
- Does the protection system enforce the system's goals?

Multics Vulnerabilities
- Karger and Schell's analysis is very interesting
- It primarily looks at implementation errors in the system
- It actually included a hardware error that allowed instructions to bypass the SDW

Master Mode
- To me, this is a classic
- For performance, it's ugly to have all traps dealt with by ring 0
- However, to handle that, we need a user-level trap handler… which requires access to some privileged instructions
- And the trap handler used a register to determine where to go… and thus, disaster

Lots to do!
- 2 weeks, large project
- Write an essay that compares Multics with the modern OS of your choice: Linux, Windows or iOS. Look at the trajectory of your chosen OS, not just how it is today, but how it was
- How does the modern OS handle the things that Multics already had?
- You're aiming at pages

Resources
- You should read "Protection and the Control of Information Sharing in Multics" and "Thirty Years Later: Lessons from the Multics Security Evaluation"
- Resource (long): Final Report of the Multics Kernel Design Project
- We will discuss these papers a week Thursday, be ready to share your ideas

Questions & Comments
- What do you want to know?