
Secure Operating Systems Lesson 10: SCOMP

Where are we?
 Multics is busy being explored, which is kind of cool…
 But Multics wasn’t the end of custom-built operating systems designed with security in mind: its natural successor was SCOMP

SCOMP: Verification
 Unlike Multics, the designers of SCOMP wanted verifiable security, and so the goal was to chase the fledgling TCSEC A1 evaluation
 We don’t see formal methods a lot day to day, but the value is that we (theoretically) know the product conforms to its specifications
However, we do NOT know if the specifications are good…

A Quick Aside: TCSEC
 Trusted Computer System Evaluation Criteria
 AKA the “Orange Book” from the “Rainbow Series”
 TCSEC still matters, though it was replaced by what is known as the Common Criteria in 2005
 Defined multiple levels of security for a system (note that word)

Orange Book A-D
 D: Minimal Protection
 C: Discretionary Protection
C1 – Discretionary security protection
C2 – Controlled access protection
 B: Mandatory Protection
B1 – Labeled Security Protection
B2 – Structured Protection
B3 – Security Domains
 A: Verified Protection
A1 – Verified design
Beyond A1 – speaks to physical root of trust etc.

Design Choices
 Some of the design choices in SCOMP were, I think, interesting
 The designers threw some compatibility away in the name of security, which I think was clever – as such, SCOMP was not Unix
 One particular problem they tried to address was interfacing groups with different security levels – a tough problem

Reference Monitor
 Remember, the requirements for a reference monitor:
Complete mediation
Isolation
Verification
 The “Security kernel” concept

Segment Access Control
 Simple ACL
Segments: read, write, execute
Directories: status, modify, append
 However, the SDW (segment descriptor word) also includes rings and brackets – this can be a little tricky
 To grant access, the ACL and the access brackets must both allow…

Mediation  Memory protection looked like this in SCOMP (source: “SCOMP: A Solution to the Multilevel Security Problem”):

Isolation
 Just like Multics, though there were 4 rings (sound familiar?)
 Ring brackets were used (just like Multics) to provide control over operations

SCOMP Hardware Implementation
 SCOMP used a security protection module (SPM) which interfaced with the Virtual Memory Interface Unit
 The mechanism of the SPM is critical to SCOMP
 Mediation is trap based

Clever: IO
 SCOMP used descriptors for IO, similar to memory descriptors
 Because mediation happens in hardware, the drivers themselves do not need to be in Ring 0, decreasing the size (attack surface) of the security kernel
Remember, this is all A1 stuff… what happens when we change it?

DMA
 SCOMP did allow DMA for speed
 The initial transfer is mediated by the SPM
 There is a similar approach taken to virtual addresses, which is a little safer (why?)

Argument Addressing Mode
 Remember that whole confused deputy thing?
 SCOMP had an “argument addressing mode” which allowed the system to attempt to access parameters with the level of protection of the caller, in hardware (avoiding software checks – clever stuff)
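An added worked model of the mediation rule from the Segment Access Control slide together with argument addressing mode (this is constructed illustration, not code from the lecture or from SCOMP itself): a segment descriptor word carrying ACL bits and ring brackets, a reference-monitor check that requires both to allow, and a service call showing why evaluating a caller-supplied parameter at the caller's ring defeats the confused deputy. Bracket semantics are assumed to follow the Multics convention, and the segment values are constructed samples.

```python
# Constructed model of SCOMP/Multics-style segment mediation; not SCOMP's own code.
# Bracket semantics assumed to follow the Multics convention (r1 <= r2 <= r3):
#   write bracket [0, r1], read bracket [0, r2], execute bracket [r1, r2].
from dataclasses import dataclass

RINGS = 4  # SCOMP had four rings (0 = most privileged)


@dataclass(frozen=True)
class SDW:
    """Segment descriptor word: ACL bits plus ring brackets."""
    name: str
    read: bool
    write: bool
    execute: bool
    r1: int
    r2: int
    r3: int


def mediate(sdw: SDW, ring: int, op: str) -> bool:
    """Reference-monitor decision: the ACL AND the ring bracket must both allow."""
    if not 0 <= ring < RINGS:
        raise ValueError(f"ring {ring} out of range")
    if op == "read":
        return sdw.read and ring <= sdw.r2
    if op == "write":
        return sdw.write and ring <= sdw.r1
    if op == "execute":
        return sdw.execute and sdw.r1 <= ring <= sdw.r2
    raise ValueError(f"unknown operation {op!r}")


def service_reads_arg(sdw: SDW, caller_ring: int, callee_ring: int,
                      argument_addressing: bool) -> bool:
    """An inner-ring service reading a segment the caller passed as a parameter.

    Without argument addressing mode the check runs at the callee's own (more
    privileged) ring, so a caller can launder access through the service: the
    confused deputy.  With it, the hardware evaluates the parameter at the
    caller's ring, so the caller gains nothing by routing the access via a call.
    """
    effective_ring = caller_ring if argument_addressing else callee_ring
    return mediate(sdw, effective_ring, "read")


# Constructed sample: a kernel-private segment readable only from ring 0.
KERNEL_SECRET = SDW("kernel_table", read=True, write=True, execute=False,
                    r1=0, r2=0, r3=0)
# Constructed sample: a shared library readable and executable out to ring 3.
SHARED_LIB = SDW("libmath", read=True, write=False, execute=True,
                 r1=1, r2=3, r3=3)
```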

SCOMP was small
 Security kernel: about 10k lines
 Trusted software: about 11k lines
 SCOMP also has a “secure attention” key, which allowed a user to be sure that they were accessing the OS, not something “in the middle”

SCOMP Kernel Interface Package
 SKIP:
Provide a hierarchical multilevel file system
Provide the ability to create child processes
Allow for process synchronization
Provide an efficient interface
Provide a low-level general purpose interface
 Not an OS, but an interface to a secure environment

Things to Do  Read: “SCOMP: A Solution to the Multilevel Security Problem”

Questions & Comments
 What do you want to know?