Chapter 6 Security Kernels.

Chapter Overview
Description
Secure Communications Processor (Scomp)
  Architecture
  Hardware
  Trusted Operating Program
  Kernel Interface Package
  Applications
  Evaluation
Gemini Secure Operating System
Summary

Security Kernels
Efforts from the 1970s and early 1980s:
  Scomp (Honeywell)
  Gemini Secure Operating System (GEMSOS)
  Based on the Provably Secure Operating System (PSOS) design: Secure Ada Target (SAT) (Honeywell) and LOCK (Secure Computing)
  Kernelized Secure Operating System (KSOS) (Ford Aerospace and Communications)
  Secure LAN (Boeing)
  and others

The Security Kernel
MITRE, 1974: 20 subroutines, about 1000 SLOC.
It showed what a security kernel is and how to build one; after that, the focus of the field became verification.
Three core principles:
  The kernel implements a specific security policy.
  The kernel defines a verifiable protection behavior for the system as a whole.
  The implementation must be shown to be faithful to the security model's design.

Secure Communications Processor (Scomp)
A kernel-based system designed to implement Multics' multilevel security (MLS) requirements.
The original idea was to run an emulator of an ordinary OS (UNIX) on the kernel, so that existing applications could run unchanged.
The emulation could not provide the necessary security, so Scomp ended up with a new API instead.

Problems with the emulation
Incompatible representations between the two systems: UNIX I/O copies data directly into the application's address space, while Scomp keeps data in individually managed segments, each of which must be explicitly authorized before it can be accessed.
Some UNIX mechanisms are inherently insecure under this model: for example, fork and exec pass open file descriptors on to the new process, so data, and the authority to access it, flow from one program to the next without the kernel mediating the transfer.
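The descriptor-inheritance problem above is easy to reproduce on any UNIX. The following is an added example (plain POSIX C, not Scomp code and not from the book): it opens a pipe, parks its write end at an arbitrary descriptor number (7 is an assumption, any free number works), forks, and execs /bin/sh. If the descriptor was inherited across exec, the shell can write into it and the parent receives the bytes; setting FD_CLOEXEC is the UNIX-side fix that makes the authority stop at the exec boundary.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if a child that exec()s /bin/sh could still write through an
 * inherited descriptor, 0 if the descriptor was closed at exec time, and
 * -1 if the setup itself failed. set_cloexec chooses the mitigation.     */
int leaks_across_exec(int set_cloexec)
{
    int p[2];
    if (pipe(p) < 0) return -1;
    /* Park the pipe's write end at a number the child program will name. */
    if (dup2(p[1], 7) < 0) return -1;
    if (set_cloexec) {
        int flags = fcntl(7, F_GETFD);
        if (flags < 0 || fcntl(7, F_SETFD, flags | FD_CLOEXEC) < 0) return -1;
    }
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(p[0]);
        close(p[1]);                  /* only fd 7 survives into the new program */
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0) dup2(devnull, 2);   /* hide sh's "Bad file descriptor" */
        /* An unrelated program, exec'd by the child, tries to use fd 7. */
        execl("/bin/sh", "sh", "-c", "echo LEAKED >&7", (char *)0);
        _exit(127);
    }
    close(p[1]);
    close(7);                         /* parent drops its write ends so read() sees EOF */
    char buf[32];
    ssize_t n = read(p[0], buf, sizeof buf - 1);
    close(p[0]);
    int status;
    waitpid(pid, &status, 0);
    return n > 0 ? 1 : 0;
}

int main(void)
{
    printf("inherited descriptor, no FD_CLOEXEC: leaks=%d\n", leaks_across_exec(0));
    printf("inherited descriptor, FD_CLOEXEC set: leaks=%d\n", leaks_across_exec(1));
    return 0;
}
```

The point for the Scomp design is that in UNIX the transfer of the descriptor is a side effect of exec that the kernel never authorizes as such; in Scomp every segment reference the new process holds must have been built by the kernel after a policy check, which is exactly what an emulator of fork/exec could not reproduce.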

Scomp Architecture

Scomp Architecture notes
Accesses to protected resources are mediated under an MLS policy:
  The application requests a hardware descriptor sufficient to access the resource.
  If the policy allows the access, the security kernel builds the descriptor (object plus permissions) and returns a reference to it.
  From then on the hardware checks every reference made through that descriptor, so no access path bypasses the kernel's decision.
Isolation and tamperproofing are provided by the ring mechanism; rings and ring transitions are implemented in hardware.
Verification was part of the development process.

Scomp Hardware 1
Based on the Multics design with two key changes:
  Only four rings, all implemented in hardware.
  An argument addressing mode: a pointer passed through a gate into an inner ring is dereferenced with the caller's ring privileges, so a privileged callee cannot be tricked into reading or writing memory the caller could not access itself (the confused deputy problem).
The hardware includes a security protection module (SPM) that mediates the main system bus, i.e. all accesses to memory and peripherals.
The virtual memory interface unit uses the SPM to translate virtual addresses to physical addresses, so address translation and authorization happen together.
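The confused deputy that argument addressing mode prevents is easiest to see in a small model. This is an added example written for these notes, not Scomp's hardware or the book's code: segments carry a read bracket (the outermost ring allowed to read them), a ring-0 service behind a gate copies whatever buffer the caller points at, and a flag switches between conventional addressing (callee's ring) and argument addressing (caller's ring). The segment layout, the log service and the ring numbers are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Four hardware rings as in Scomp; ring 0 is the most privileged. */
#define NRINGS 4

/* A segment with a read bracket: the numerically largest ring that may
 * read it. Constructed model, not Scomp's real descriptor layout.      */
struct segment {
    const char *name;
    int read_ring;
    char data[32];
};

/* The check the hardware applies to every load through a segment:
 * the accessing ring must lie inside the bracket.                 */
static bool seg_read(const struct segment *s, int ring, char *out, size_t n)
{
    if (ring < 0 || ring >= NRINGS || ring > s->read_ring)
        return false;
    strncpy(out, s->data, n - 1);
    out[n - 1] = '\0';
    return true;
}

/* A ring-0 service reached through a gate: it copies the caller's buffer
 * into a kernel-held log. The caller supplies the buffer (here a segment)
 * and the service dereferences it. arg_mode chooses how:
 *   false: conventional addressing, using the callee's own ring (0);
 *   true : argument addressing mode, touching the argument as the caller
 *          would, i.e. with ring max(callee_ring, caller_ring).          */
static char kernel_log[32];

bool gate_copy_to_log(int caller_ring, const struct segment *arg, bool arg_mode)
{
    const int callee_ring = 0;
    int access_ring = callee_ring;
    if (arg_mode && caller_ring > callee_ring)
        access_ring = caller_ring;
    return seg_read(arg, access_ring, kernel_log, sizeof kernel_log);
}

/* Attack: a ring-3 process hands the gate a pointer to a ring-0-only
 * segment. Returns true if the service copied the secret on its behalf. */
bool confused_deputy_leaks(bool arg_mode)
{
    struct segment secret = { "kernel-secret", 0, "password-hash-table" };
    memset(kernel_log, 0, sizeof kernel_log);
    bool ok = gate_copy_to_log(3, &secret, arg_mode);
    return ok && strcmp(kernel_log, secret.data) == 0;
}

/* Legitimate use: the ring-3 caller passes its own ring-3 buffer, which
 * must keep working in both addressing modes.                          */
bool legitimate_call_works(bool arg_mode)
{
    struct segment user_buf = { "user-buffer", 3, "hello from ring 3" };
    memset(kernel_log, 0, sizeof kernel_log);
    bool ok = gate_copy_to_log(3, &user_buf, arg_mode);
    return ok && strcmp(kernel_log, user_buf.data) == 0;
}
```

With conventional addressing the ring-0 callee reads the ring-0 segment because it may, and the caller gets the contents through the log; with argument addressing the same load is checked at ring 3 and fails, while the legitimate call is unaffected. A real gate also validates the entry point and the callee's own state, which this model leaves out.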

Scomp Hardware 2
Each process has a descriptor base root that references its memory and I/O descriptors; the hardware uses them to mediate every memory and I/O reference.
DMA is authorized on a per-transaction basis.
I/O descriptors are built by the kernel, but the hardware performs all the authorization checks.
Consequently, device drivers are not part of the kernel. This is both more efficient (the kernel is not involved in each transfer) and more secure (a driver runs outside ring 0, cannot tamper with the kernel, and cannot exceed the descriptors it was given).
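The split between the kernel (which applies the policy and builds descriptors) and the hardware (which checks every reference, including DMA, against the descriptor bits with no knowledge of labels) is the core of the design on the last two slides. The following is an added example, a constructed C model and not Scomp's descriptor format or the book's code: labels are a level plus a compartment set, the kernel applies the Bell-LaPadula no-read-up and no-write-down rules when a process asks for a descriptor, and the hardware check is purely bounds and permission bits. The object names, sizes and slot table are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Sensitivity label: a level plus a set of compartments (bit set).
 * a dominates b when a's level is at least b's and a's compartments
 * include all of b's. Constructed lattice for the example.            */
struct label { int level; unsigned cats; };

static bool dominates(struct label a, struct label b)
{
    return a.level >= b.level && (a.cats & b.cats) == b.cats;
}

enum { PERM_READ = 1, PERM_WRITE = 2 };

/* A protected object: a memory segment or a device buffer. */
struct object { const char *name; struct label lbl; size_t size; };

/* A hardware descriptor: object reference plus the permission bits the
 * kernel granted. Only the kernel writes these; the hardware reads them. */
struct descriptor { const struct object *obj; unsigned perms; bool valid; };

/* A process's descriptor base root: its table of descriptors. */
#define NDESC 4
struct process { const char *name; struct label lbl; struct descriptor desc[NDESC]; };

/* Kernel side: apply the MLS policy (simple security and *-property) to
 * the request and, only if every requested right is allowed, build a
 * descriptor and return its slot. -1 means denied or table full.        */
int kernel_request_descriptor(struct process *p, const struct object *o, unsigned want)
{
    unsigned granted = 0;
    if ((want & PERM_READ) && dominates(p->lbl, o->lbl))   /* no read up    */
        granted |= PERM_READ;
    if ((want & PERM_WRITE) && dominates(o->lbl, p->lbl))  /* no write down */
        granted |= PERM_WRITE;
    if (want == 0 || granted != want)
        return -1;
    for (int i = 0; i < NDESC; i++) {
        if (!p->desc[i].valid) {
            p->desc[i] = (struct descriptor){ o, granted, true };
            return i;
        }
    }
    return -1;
}

/* Hardware side (the SPM's job): every memory or I/O reference names a
 * descriptor slot, an offset, a length and a mode. The check is bounds
 * plus permission bits; the hardware knows nothing about labels.        */
bool hw_check_access(const struct process *p, int slot, size_t off, size_t len, unsigned perm)
{
    if (slot < 0 || slot >= NDESC || !p->desc[slot].valid)
        return false;
    const struct descriptor *d = &p->desc[slot];
    if ((d->perms & perm) != perm)
        return false;
    if (off > d->obj->size || len > d->obj->size - off)
        return false;
    return true;
}

/* A DMA transfer is just two references authorized per transaction: a
 * driver outside the kernel asks the hardware to move len bytes from a
 * device descriptor into a memory descriptor and cannot exceed either.  */
bool hw_dma(const struct process *p, int src_slot, int dst_slot, size_t len)
{
    return hw_check_access(p, src_slot, 0, len, PERM_READ)
        && hw_check_access(p, dst_slot, 0, len, PERM_WRITE);
}

int main(void)
{
    struct object netbuf = { "network-device-buffer", { 1, 0x1 }, 4096 }; /* Confidential, compartment A */
    struct object secret = { "secret-segment", { 2, 0x1 }, 4096 };        /* Secret, compartment A       */
    struct process driver = { "net-driver", { 1, 0x1 }, {{0}} };          /* runs at Confidential/A      */
    struct process analyst = { "analyst", { 2, 0x1 }, {{0}} };            /* runs at Secret/A            */

    int src = kernel_request_descriptor(&driver, &netbuf, PERM_READ);
    int dst = kernel_request_descriptor(&driver, &secret, PERM_WRITE);    /* write up: allowed */
    int bad = kernel_request_descriptor(&driver, &secret, PERM_READ);     /* read up: denied   */
    printf("driver slots: src=%d dst=%d read-secret=%d\n", src, dst, bad);
    printf("DMA 1000 bytes into secret segment: %s\n", hw_dma(&driver, src, dst, 1000) ? "ok" : "denied");
    printf("DMA 8000 bytes (past the end):      %s\n", hw_dma(&driver, src, dst, 8000) ? "ok" : "denied");
    printf("analyst read descriptor for secret: slot %d\n",
           kernel_request_descriptor(&analyst, &secret, PERM_READ));
    return 0;
}
```

Two things worth noticing: the driver never sees the labels, only slot numbers, so a compromised driver can attempt any transfer but cannot widen a descriptor; and the over-length DMA is refused by the same bounds check as an ordinary load, which is why per-transaction authorization lets drivers live outside the kernel.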

SCOMP Security Protection Module

Scomp Trusted Operating Program (STOP)
Three components:
  A security kernel (ring 0).
  A set of trusted software.
  A kernel interface package for user applications.

STOP Security Kernel
Memory management, process scheduling, interrupt management, audit, and the reference monitor.
About 10K SLOC, mostly in Pascal.
Objects are processes, segments and devices, each identified by a unique 64-bit id.
Access control is similar to Multics, with ring brackets plus discretionary permissions for owner, group and others.
38 gates provide entry into ring 0.

Scomp Trusted Software 1
Two types:
  Software trusted not to violate the system's secrecy or integrity goals: e.g. the secure loader, which loads processes for any subject and is trusted to set them up so that information flows are enforced correctly.
  Software trusted to maintain the security policy correctly: e.g. user authentication, which determines which subject a process runs as.
23 processes implement trusted functions, about 11K SLOC in C.

Scomp Trusted Software 2
Three kinds of trusted user processes:
  Trusted user services: login, DAC management, mandatory level selection, process management.
  Trusted operation services: system management, logging, startup, shutdown, setting the time, etc.
  Trusted maintenance services: modifying system data, installing new program versions, etc.
They are invoked by the user directly through a secure communications path, so an untrusted application cannot insert itself between the user and the trusted function.

Scomp Kernel Interface Package (SKIP) 1
A uniform interface through which user applications access trusted functions.
Two parts:
  SKIP functions
  SKIP libraries

Scomp Kernel Interface Package (SKIP) 2
SKIP functions perform trusted operations on user-level objects:
  Files, via a hierarchical file system.
  Process management.
  Concurrent I/O through an event mechanism.
Because they manipulate system state, SKIP functions are trusted not to violate the MLS requirements, like the trusted software.
They run in ring 2 and are invoked via gates.

Scomp Kernel Interface Package (SKIP) 3
The SKIP library runs in ring 3 and provides the application interface to the SKIP functions.
Applications use it to access files, modify file contents and manage the file hierarchy.
File operations are authorized on the requester's sensitivity level and ring number. Sensitivity levels are nondecreasing along any path from the root: an entry's level dominates its parent directory's, so a process that may read a file may also read every directory on the path to it.
The library also provides I/O; the device drivers and the I/O event handlers run in the library rather than in the kernel.
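The nondecreasing-label rule is a creation-time invariant, and its payoff is that name resolution never needs to read a directory the requester could not read anyway. The following is an added example, a constructed model and not Scomp's file system code or the book's: fs_create enforces the invariant, the single-entry checks use the requester's label and ring number as the slide describes, and fs_path_readable walks the path to show that, given the invariant, it agrees with the check on the file alone. The ring brackets are applied to the target entry only; names, labels and ring numbers in the scenario are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Sensitivity label (level plus compartment bit set) and dominance. */
struct label { int level; unsigned cats; };

static bool dominates(struct label a, struct label b)
{
    return a.level >= b.level && (a.cats & b.cats) == b.cats;
}

/* A file-system entry: its label, the outermost ring allowed to operate
 * on it, and its parent directory (NULL for the root).                 */
struct entry {
    const char *name;
    struct label lbl;
    int ring_bracket;
    const struct entry *parent;
};

/* Create an entry under parent. The invariant enforced here is the one the
 * slide states: labels are nondecreasing from the root, so the new entry's
 * label must dominate its parent directory's label.                      */
bool fs_create(struct entry *e, const char *name, struct label lbl,
               int ring_bracket, const struct entry *parent)
{
    if (parent && !dominates(lbl, parent->lbl))
        return false;       /* a lower-labelled entry under a higher directory */
    e->name = name; e->lbl = lbl; e->ring_bracket = ring_bracket; e->parent = parent;
    return true;
}

/* Read: the requester's label must dominate the entry's (no read up) and
 * the requester's ring must lie inside the entry's bracket.              */
bool fs_can_read(struct label subj, int ring, const struct entry *e)
{
    return dominates(subj, e->lbl) && ring <= e->ring_bracket;
}

/* Write: the entry's label must dominate the requester's (no write down)
 * and the ring must lie inside the bracket.                              */
bool fs_can_write(struct label subj, int ring, const struct entry *e)
{
    return dominates(e->lbl, subj) && ring <= e->ring_bracket;
}

/* Resolving a name reads every directory from the root down. With the
 * invariant, each ancestor's label is dominated by the file's and hence
 * by any subject allowed to read the file, so this never fails when the
 * check on the file itself succeeds.                                     */
bool fs_path_readable(struct label subj, const struct entry *e)
{
    for (const struct entry *p = e->parent; p; p = p->parent)
        if (!dominates(subj, p->lbl))
            return false;
    return dominates(subj, e->lbl);
}

/* Worked scenario. Levels: 0 = Unclassified, 1 = Secret; one compartment. */
bool demo_hierarchy(void)
{
    struct label U = { 0, 0 }, S = { 1, 0x1 };
    struct entry root, docs, plan, ops, stray, sysdb;

    if (!fs_create(&root, "/", U, 3, NULL))              return false;
    if (!fs_create(&docs, "docs", U, 3, &root))          return false;
    if (!fs_create(&plan, "plan.txt", S, 3, &docs))      return false; /* Secret under Unclassified: ok */
    if (!fs_create(&ops, "ops", S, 3, &root))            return false;
    if (fs_create(&stray, "notes.txt", U, 3, &ops))      return false; /* Unclassified under Secret: rejected */

    /* A Secret subject can read plan.txt and, by the invariant, its whole path. */
    if (!fs_can_read(S, 3, &plan) || !fs_path_readable(S, &plan)) return false;
    /* An Unclassified subject cannot read plan.txt but can still read docs/. */
    if (fs_can_read(U, 3, &plan) || !fs_can_read(U, 3, &docs))    return false;
    /* An entry whose bracket stops at ring 2 is writable by SKIP functions
     * (ring 2) but not by ring-3 application code at the same level.      */
    if (!fs_create(&sysdb, "sys.db", S, 2, &ops))        return false;
    if (fs_can_write(S, 3, &sysdb) || !fs_can_write(S, 2, &sysdb)) return false;
    return true;
}
```

The rejected create is the interesting case: had an Unclassified file been allowed under the Secret directory, an Unclassified subject entitled to the file could only reach it by reading a Secret directory, which the simple security property forbids, so the file would be unreachable and the directory listing would become the only channel to it.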

Scomp Applications
UNIX compatibility? (the original goal; the emulation approach was abandoned, see the problems above)
Mail guard
Secure Office Management System

Scomp Evaluation 1: Complete Mediation
How does the reference monitor interface ensure that all security-sensitive operations are mediated correctly? All mediation is done in hardware: every memory and I/O reference is checked against a descriptor the kernel built.
Does the reference monitor interface mediate security-sensitive operations on all system resources? Initial access to file data depends on access to I/O, so file operations are mediated through the same descriptor checks rather than by a separate path.
How do we verify that the reference monitor provides complete mediation? Through the hardware: since every access goes through it, the question reduces to the correctness of the hardware checks and of the kernel that builds the descriptors.

Scomp Evaluation 2: Tamperproof
How does the system protect the reference monitor, including its protection system, from modification? Protection rings, although the protection is not complete: out of necessity, some trusted software runs outside ring 0 and is trusted rather than isolated.
Does the protection system protect the trusted computing base programs? Also by protection rings.

Scomp Evaluation 3: Verifiable
What is the basis for the correctness of the system's TCB? The kernel was verified with formal analysis tools.
Does the protection system enforce the system's security goals? Enforcement of the security goals was also verified for correctness.

Gemini Secure Operating System

GEMSOS Security Kernel Layers

Summary