5/17/2015 9:36 AM Confinement James Hook CS 591: Introduction to Computer Security.

Slides:



Advertisements
Similar presentations
System Integration and Performance
Advertisements

Hardware-assisted Virtualization
More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.
Input and Output CS 215 Lecture #20.
Chap 2 System Structures.
 2004 Deitel & Associates, Inc. All rights reserved. 1 Chapter 3 – Process Concepts Outline 3.1 Introduction 3.1.1Definition of Process 3.2Process States:
A NOTE ON THE CONFINEMENT PROBLEM Butler Lampson Xerox PARC.
Process Description and Control
DIRECT MEMORY ACCESS CS 147 Thursday July 5,2001 SEEMA RAI.
CS-3013 & CS-502, Summer 2006 Virtual Machine Systems1 CS-502 Operating Systems Slides excerpted from Silbershatz, Ch. 2.
Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.
Figure 2.8 Compiler phases Compiling. Figure 2.9 Object module Linking.
OS Fall ’ 02 Introduction Operating Systems Fall 2002.
Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 2: Computer-System Structures Computer System Operation I/O Structure Storage.
Operating System Structure. Announcements Make sure you are registered for CS 415 First CS 415 project is up –Initial design documents due next Friday,
OS Spring’03 Introduction Operating Systems Spring 2003.
Figure 1.1 Interaction between applications and the operating system.
1 Process Description and Control Chapter 3 = Why process? = What is a process? = How to represent processes? = How to control processes?
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #29-1 Chapter 33: Virtual Machines Virtual Machine Structure Virtual Machine.
LINUX Virtualization Running other code under LINUX.
Chapter 1. Introduction What is an Operating System? Mainframe Systems
Operating System Review September 10, 2012Introduction to Computer Security ©2004 Matt Bishop Slide #1-1.
Input and Output Computer Organization and Assembly Language: Module 9.
Secure Operating Stuff Lesson “like” 7 (a): Virtualization.
CS533 Concepts of Operating Systems Jonathan Walpole.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 2: Operating-System Structures.
 Virtual machine systems: simulators for multiple copies of a machine on itself.  Virtual machine (VM): the simulated machine.  Virtual machine monitor.
2 Systems Architecture, Fifth Edition Chapter Goals Describe the system bus and bus protocol Describe how the CPU and bus interact with peripheral devices.
Midterm Meeting Pete Bohman, Adam Kunk, Erik Shaw.
1 CSE451 Architectural Supports for Operating Systems Autumn 2002 Gary Kimura Lecture #2 October 2, 2002.
Lecture Topics: 10/29 Architectural support for operating systems –timers –kernel mode –system calls –protected instructions.
CE Operating Systems Lecture 2 Low level hardware support for operating systems.
1 CS.217 Operating System By Ajarn..Sutapart Sappajak,METC,MSIT Chapter 2 Computer-System Structures Slide 1 Chapter 2 Computer-System Structures.
1 Computer Systems II Introduction to Processes. 2 First Two Major Computer System Evolution Steps Led to the idea of multiprogramming (multiple concurrent.
Full and Para Virtualization
CE Operating Systems Lecture 2 Low level hardware support for operating systems.
Lecture 12 Virtualization Overview 1 Dec. 1, 2015 Prof. Kyu Ho Park “Understanding Full Virtualization, Paravirtualization, and Hardware Assist”, White.
Chapter 2 Process Management. 2 Objectives After finish this chapter, you will understand: the concept of a process. the process life cycle. process states.
Protection of Processes Security and privacy of data is challenging currently. Protecting information – Not limited to hardware. – Depends on innovation.
CS426Fall 2010/Lecture 211 Computer Security CS 426 Lecture 21 The Bell LaPadula Model.
CSE 451: Operating Systems Winter 2015 Module 25 Virtual Machine Monitors Mark Zbikowski Allen Center 476 © 2013 Gribble, Lazowska,
1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.
1.1 Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 1: Introduction What Operating Systems Do √ Computer-System Organization.
Virtualization D. J. Foreman 2009.
Modularity Most useful abstractions an OS wants to offer can’t be directly realized by hardware Modularity is one technique the OS uses to provide better.
CS352H: Computer Systems Architecture
Chapter 3 – Process Concepts
OS Virtualization.
Chapter 3: Windows7 Part 2.
Chapter 15, Exploring the Digital Domain
Chapter 17: Confinement Problem
Chapter 3: Windows7 Part 2.
A Survey on Virtualization Technologies
Chapter 33: Virtual Machines
Architectural Support for OS
Computer Security: Art and Science, 2nd Edition
CSE 451: Operating Systems Autumn 2003 Lecture 2 Architectural Support for Operating Systems Hank Levy 596 Allen Center 1.
CSE 451: Operating Systems Autumn 2001 Lecture 2 Architectural Support for Operating Systems Brian Bershad 310 Sieg Hall 1.
CSE 451: Operating Systems Winter 2007 Module 2 Architectural Support for Operating Systems Brian Bershad 562 Allen Center 1.
Shielding applications from an untrusted cloud with Haven
CSE 451: Operating Systems Winter 2003 Lecture 2 Architectural Support for Operating Systems Hank Levy 412 Sieg Hall 1.
Architectural Support for OS
Xen and the Art of Virtualization
CSE 451: Operating Systems Autumn Module 24 Virtual Machine Monitors
Chapter 13: I/O Systems.
Chapter 33: Virtual Machines
Chapter 13: I/O Systems “The two main jobs of a computer are I/O and [CPU] processing. In many cases, the main job is I/O, and the [CPU] processing is.
Presentation transcript:

5/17/2015 9:36 AM Confinement James Hook CS 591: Introduction to Computer Security

5/17/2015 9:36 AM The Confinement Problem Lampson, “A Note on the Confinement Problem”, CACM, This note explores the problem of confining a program during its execution so that it canot transmit information to any other program except its caller. A set of examples attempts to stake out the boundaries of the problem. Necessary conditions for a solution are stated and informally justified.

5/17/2015 9:36 AM Possible Leaks 0. If a service has memory, it can collect data, wait for its owner to call it, then return the data 1.The service may write into a permanent file 2.The service may create a temporary file 3.The service may send a message to a process controlled by its owner [via ipc] 4.More subtly, the information may be encoded in the bill rendered for the service…

5/17/2015 9:36 AM Possible Leaks (cont) 5. If the system has interlocks which prevent files from being open for writing and reading at the same time, the service can leak data if it is merely allowed to read files which can be written by the owner.

5/17/2015 9:36 AM Leak 5 (cont) The interlocks allow a file to simulate a shared Boolean variable which one program can set and the other can’t Given a procedure open (file, error) which does goto error if the file is already open, the following procedures will perform this simulation: procedure settrue (file); begin loop1: open (file, loop1) end; procedure setfalse (file); begin close (file) end; Boolean procedure value (file); begin value : = true; open (file, loop2); value := false; close (file); loop2: end;

5/17/2015 9:36 AM Leak 5 (cont) Using these procedures and three files called data, sendclock, and receiveclock, a service can send a stream of bits to another concurrently running program. Referencing the files as though they were variables of this rather odd kind, then, we can describe the sequence of events for transmitting a single bit: sender: data : = bit being sent; sendclock : = true receiver:wait for sendclock = true; received bit : = data; receive clock : = true; sender:wait for receive clock = true; sendclock : = false; receiver:wait for sendclock = false; receiveclock : = false; sender:wait for receiveclock = false;

5/17/2015 9:36 AM Leak 6 6.By varying its ratio of computing to input/output or its paging rate, the service can transmit information which a concurrently running process can receive by observing the performance of the system. …

5/17/2015 9:36 AM One solution Just say no! Total isolation: A confined program shall make no calls on any other program Impractical

5/17/2015 9:36 AM Confinement rule Transitivity: If a confined program calls another program which is not trusted, the called program must also be confined.

5/17/2015 9:36 AM Classification of Channels: Storage Legitimate (such as the bill) Covert –I.e. those not intended for information transfer at all, such as the service program’s effect on the system load In which category does Lampson place 5?

5/17/2015 9:36 AM Root Problem: Resource sharing enables covert channels The more our operating systems and hardware enable efficient resource sharing the greater the risk of covert channels

5/17/2015 9:36 AM Resources Lampson, A note on the Confinement Problem, CACM Vol 16, no. 10, October 1973.Lampson, A note on the Confinement Problem, CACM Vol 16, no. 10, October –

5/17/2015 9:36 AM Discussion Bishop’s slides for Chapter 16 (with some minor modifications to one example)Chapter 16

5/17/2015 9:36 AM Virtualization Virtualization is returning to the mainstream with Intel’s Virtualization Technology (aka Vanderpool) Discussion following Bishop’s slides for Chapter 29 Chapter 29 –Secret decoder ring: PSL = Processor Status Longword (a vax status register)

5/17/2015 9:36 AM Applications of Virtualization Workload isolation Workload consolidation Workload migration (See Uhlig, et al, Fig 1)

5/17/2015 9:36 AM Virtualizing Intel architectures As is, Intel architectures do not meet the two requirements: –Nonfaulting access to privileged state IA-32 has registers that describe and manipulate the “global descriptor table” These registers can only be set in ring 0 They can be queried in any ring without generating a fault –This violates rule 2 (all references to sensitive data traps) Software products to virtualize Intel hardware had to get around this. –Vmware dynamically rewrote code!

5/17/2015 9:36 AM Intel solutions VT-x, virtualization for IA-32 VT-i, virtualization for Itanium Changed architecture to meet the criteria

5/17/2015 9:36 AM Ring aliasing and ring compression Solution is to allow guest to run at intended privilege level by augmenting privilege levels. See Figure 2(d).

5/17/2015 9:36 AM Nonfaulting access to privileged state Two kinds of changes –Make access fault to the VM –Allow nonfaulting access, but to state under the control of the VMM

5/17/2015 9:36 AM Intel Virtualization Paper –ftp://download.intel.com/technology/comp uting/vptech/vt-ieee-computer-final.pdfftp://download.intel.com/technology/comp uting/vptech/vt-ieee-computer-final.pdf

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.