Chapter 7 Securing Commercial Operating Systems. Chapter Overview Retrofitting Security into a Commercial OS History of Retrofitting Commercial OS's Commercial.

Presentation transcript:

Chapter 7 Securing Commercial Operating Systems

Chapter Overview
Retrofitting Security into a Commercial OS
History of Retrofitting Commercial OS's
Commercial Era
Microkernel Era
UNIX Era
– IX
– Domain and Type Enforcement
– Recent Unix Systems
Summary

Retrofitting Security into a Commercial OS
Requires the reference monitor concept:
– Complete Mediation
– Tamperproofing
– Verifiability

Complete Mediation Challenges
Identify all security-sensitive operations
– Some are embedded deep inside the kernel code.
– Examples: open sockets, shared memory, etc.
– Covert channel identification is usually not even attempted.

Tamperproofing Challenges
Obvious approach: place the reference monitor in ring 0, but the kernel is often updated.
/dev/kmem, /proc, sysfs, netlink sockets → every root process must STILL be part of the UNIX TCB.

Verification Challenges
Musts:
– Mediation is implemented correctly, but the mediation interface is designed manually and implemented in unsafe languages.
– Policy enforces the required security goals, but there are a large number of queries and processes, and complicated policies.
– Reference monitor implementation is correct, but the rest of the TCB is huge.
– Rest of the TCB behaves correctly.

History of Retrofitting Commercial OS's
Commercial Era
– Emulate system on security kernel
– Retrofit security into OS
– → UNIX MLS
Microkernel Era
– Independent server processes → went to kernel
– New security models addressing both confidentiality and integrity
Unix Era
– Composed solutions from the two eras with focus on system integrity.

Commercial Era
Emulated Systems
– Data Secure UNIX
– KSOS
KVM/370
– 25% performance overhead
VAX/VMS
– DEC/Sandia Labs: MLS
Secure Xenix (IBM)
– Access control and auditing
– Added compatibility: retrofitted Unix services
– Hidden subdirectories (polyinstantiated file systems)
– Trusted path (secure attention sequence)
1990 saw many secure Unix variants.

Microkernel Era
Goal: minimal-size kernel emphasizing system abstractions; no emphasis on security per se.
Source: Mach (1980's)
– Trusted Mach (TMach)
– Distributed Trusted Mach (DTMach)
– Distributed Trusted OS (DTOS)
– Flask

Trusted Mach
Built by Trusted Information Systems (TIS).
Added MLS for files and memory.
Aim was to provide function for other systems like Unix and Windows (single level).

Distributed Trusted Mach
Secure Computing Corporation and NSA.
Hybrid access control model:
– MLS labels for confidentiality
– Type Enforcement (TE) labels for integrity
Similar architecture to TMach, plus servers for networking and a general security policy server.

DTMach II
DTMach = Mach + security server
– Security server = reference monitor outside the kernel
– Each port access implies an authorization query; for example, opening a file opens a port to the file server, etc.
– Security server used both MLS and TE rules.
TE rules:
– Code could only be modified by administrators
– Limited code that could be executed
There were limitations:
– For example, there was an arbitrary send right...

Distributed Trusted OS (DTOS)
Aim: true reference monitor in the Mach microkernel.
Richer set of operations for ports than just send.
Microkernel:
– Managed labeling of subjects and kernel objects.
– Mediated each kernel operation by querying the security server.
Focus on verifiability of microkernel and TCB.

Flask
Fluke was a second-generation microkernel developed at the University of Utah, better than Mach.
Flask = DTOS – Mach + Fluke (the DTOS design ported from Mach to Fluke).
More emphasis on TE.

UNIX Era
By the early 1990's, many Unices had MLS support.
Search for adding integrity (very ad hoc at this point).
Cover two systems:
– IX
– DTE

IX
AT&T prototype; enforces MLS and integrity.
Includes a reference monitor over file access.
Mandatory access control policy providing both confidentiality and integrity protections.
Care has been taken to prevent tampering in the TCB.
Verification not a goal.
MLS was high-water mark, for files and processes; however, processes could not go beyond a certain ceiling.

IX (2)
Integrity was LoMac, with floors.
Since levels are dynamic, each data transfer must be checked/mediated.
No memory-mapped files.
Trusted paths/pipes between processes (pex); a pex includes a label for the process at each end so that only that process may work with it.
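As an added illustration (not code from the slides or from IX) of how the dynamic labels on the two IX slides behave, the toy below floats a process's label on every read, refusing a transfer that would cross the secrecy ceiling or the integrity floor, and floats a file's label on every write; level names, ceilings and floors are constructed for the example.

```python
# Added toy model of IX-style dynamic labels (illustration only; not IX code).
# Secrecy is a high-water mark: a label floats UP to the highest level it
# touches, but a process may never rise above its ceiling.
# Integrity is LoMac: a label floats DOWN to the lowest level it touches,
# but a process may never sink below its floor.
from dataclasses import dataclass
from typing import Optional

SECRECY = ["unclassified", "confidential", "secret", "top_secret"]  # rank = index
INTEGRITY = ["untrusted", "user", "system"]                          # rank = index

@dataclass
class Label:
    secrecy: int    # index into SECRECY
    integrity: int  # index into INTEGRITY

@dataclass
class Process:
    label: Label
    ceiling: int  # highest secrecy this process may ever reach
    floor: int    # lowest integrity this process may ever sink to

def mediate_read(proc: Process, obj: Label) -> Optional[Label]:
    """Process reads obj. Returns the process's new label, or None if denied.

    Because labels move on every transfer, the read itself is the check:
    it is refused, and the label left untouched, if floating up would
    cross the ceiling or floating down would cross the floor.
    """
    new_sec = max(proc.label.secrecy, obj.secrecy)
    new_int = min(proc.label.integrity, obj.integrity)
    if new_sec > proc.ceiling or new_int < proc.floor:
        return None
    proc.label = Label(new_sec, new_int)
    return proc.label

def mediate_write(proc: Process, obj: Label) -> Label:
    """Process writes obj: the object's label floats the same way.

    Data flows into the object, so its secrecy rises to the writer's level
    and its integrity falls to the writer's level (high-water mark and LoMac
    applied to files). Files get no ceiling or floor of their own in this toy.
    """
    obj.secrecy = max(obj.secrecy, proc.label.secrecy)
    obj.integrity = min(obj.integrity, proc.label.integrity)
    return obj
```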

An assured pipeline in IX

Domain and Type Enforcement
Trusted Information Systems.
Problem: protecting the TCB from vulnerable root processes.
Runs on the TMach system, but the reference monitor was added to OSF/1.

DTE Policy Model
Subject types are now called domains; object types are still types.
Each domain is a triple: (access rights to objects, access rights to subjects in other domains (signals), entry point program).
A domain describes how a process accesses files, signals other processes and creates processes.
DTE Unix defines limited protection domains for root processes.
Key point is "least privilege".
Domain transitions are limited, and their execution is limited also.
Labeled networking.
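Added toy evaluator for the domain triple described above (not the TIS DTE implementation): the domain and type names are constructed, and the rule that exec'ing a program moves the process into whichever domain names that program's type as its entry point is a simplifying assumption.

```python
# Added toy DTE policy evaluator; not TIS code. Domain/type names are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class Domain:
    # The triple from the slide: object rights, subject (signal) rights, entry point.
    object_rights: Dict[str, Set[str]] = field(default_factory=dict)  # type -> perms
    signal_rights: Dict[str, Set[str]] = field(default_factory=dict)  # domain -> signals
    entry_point: Optional[str] = None  # program type that enters this domain

# Constructed policy: a confined root daemon may read its config and write its
# log but cannot touch system binaries; only login_d may signal it or enter it.
POLICY = {
    "login_d": Domain(
        object_rights={"bin_t": {"read", "exec"}, "daemon_bin_t": {"read", "exec"}},
        signal_rights={"daemon_d": {"SIGTERM", "SIGHUP"}},
        entry_point="login_t",
    ),
    "daemon_d": Domain(
        object_rights={"daemon_cfg_t": {"read"}, "log_t": {"write"}},
        signal_rights={},
        entry_point="daemon_bin_t",
    ),
}

def can_access(domain: str, obj_type: str, perm: str) -> bool:
    """Object access: is perm on obj_type granted by the domain's object rights?"""
    return perm in POLICY[domain].object_rights.get(obj_type, set())

def can_signal(src: str, dst: str, sig: str) -> bool:
    """Subject access: may a process in src send sig to a process in dst?"""
    return sig in POLICY[src].signal_rights.get(dst, set())

def exec_transition(domain: str, prog_type: str) -> Optional[str]:
    """Exec mediation: returns the domain the new image runs in, or None if denied.

    The caller must hold exec on the program's type. If that type is some
    domain's entry point the process transitions into it (assumption: entry
    is only possible through the entry-point program); otherwise it stays put.
    """
    if not can_access(domain, prog_type, "exec"):
        return None
    for name, d in POLICY.items():
        if d.entry_point == prog_type:
            return name
    return domain
```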

Recent Unix Systems
BSD variants
– TrustedBSD: MAC, auditing, authentication; reference monitor interface similar to LSM; SEBSD is a version of SELinux for BSD
– FreeBSD Jail
– OpenBSD emphasizes correct coding and configuration: code separation, buffer overflow protection, least privilege configurations
– NetBSD: in-kernel authentication and verification of file execution (Veriexec)

Summary
Retrofitting Security into a Commercial OS
– Requirements and Challenges
– History: Commercial Era, Microkernel Era, Unix Era (recent Unix variants)