Presentation is loading. Please wait.

Presentation is loading. Please wait.

G53SEC 1 Reference Monitors Enforcement of Access Control.

Published byBernice Murphy Modified over 9 years ago

Similar presentations

Presentation on theme: "G53SEC 1 Reference Monitors Enforcement of Access Control."— Presentation transcript:

1 G53SEC 1 Reference Monitors Enforcement of Access Control

2 G53SEC Overview of Today’s Lecture: Introduction Operating System Integrity Hardware Security Features Protecting Memory 2

3 G53SEC Introduction: Fundamental Concepts: Reference Monitor – an abstract concept Security Kernel – its implementation Trusted Computing Base (TCB) – kernel + other protection mechanisms 3

4 G53SEC Reference Monitor (RM): “An access control concept that refers to an abstract machine that mediates all access to objects by subjects.” Must be tamper proof/resistant Must always be invoked when access to object required Must be small enough to be verifiable / subject to analysis to ensure its correctness 4

5 G53SEC Security Kernel: “The hardware, firmware, and software elements of a TCB that implement the reference monitor.” Must mediate all access Must be protected from modification Must be verifiable for correctness Ideally in the bottom layers of a system 5

6 G53SEC Trusted Computing Base (TCB): “The totality of protection mechanisms within a computer system responsible for enforcing a security policy” One or more components Enforce a unified security policy over a product or system Correct enforcement depends on components within and input by system administrators 6

7 G53SEC Reference Monitor Placement: Can be placed anywhere  Hardware  Operating System Kernel  Operating System  Services Layer  Application 7

8 G53SEC Reference Monitor Placement: In relation to application it should control: 8 program RM programRM program application kernel RM in kernelInterpreter In-line RM

9 G53SEC Execution Monitors: Decision of a RM depends on: Information about a request Information about the target RMs differentiated based on the above: History of execution - Execution monitor Future of execution - Static type checking Rewriting 9

10 G53SEC Operating System Integrity: OS is not only the arbitrator of access requests OS is itself an object of access control “Users must not be able to modify the operating system” Users should be able to use the OS Users should not be able to misuse the OS 10

11 G53SEC Modes of Operation: Distinguish computations done “on behalf of”: the OS the user A Status flag allows the OS to operate in different modes. e.g. In Unix – supervisor (root) and user modes 11

12 G53SEC Controlled Invocation: User requiring supervisor mode for an operation Processor switches between modes Only predefined set of operations performed in supervisor mode System returns to user mode 12

13 G53SEC Hardware Security Features: Reasons for placing security in lower system levels: Possibility to evaluate security to a higher degree  reasonably simple structures  security mechanism compromised if layer below attacked Performance overheads reduced Access control decisions far removed from decisions made by applications 13

14 G53SEC Input/Output: How to ensure secure I/O operations? e.g. user inputs username and password (input) e.g. user signs documents (output) A trusted path between I/O device and the TCB required example – secure attention sequence (Windows) 14

15 G53SEC Memory Structures: Security characteristics of memory structures: 1.RAM – (R/W) - Cannot guarantee integrity or confidentiality 2.ROM – built-in integrity guarantee, good for storing parts of an OS 3.EPROM – useful for storing parts of OS or crypto keys, advanced attacks may pose a threat 4.WROM – good for storing crypto keys, disks used for audit trail logs 15

16 G53SEC continued… Volatile memory loses its contents on power off neither instantaneous nor complete reconstructable using special electronics defence – repeated overwrites Non-volatile (permanent) memory if attacker has access by bypassing CPU further measures required (e.g. cryptography) 16

17 G53SEC continued… Memory main memory cache buffers etc.. Data object may exist simultaneously in more than one location! Copy held in an unprotected memory = risk 17

18 G53SEC Processes and Threads: Process – program in execution, important unit of control in an OS and for security Works in its own address space Communicates with other processes with help of OS Separation useful for security Thread – a strand of execution within a process 18

19 G53SEC Controlled Invocation - Interrupts: Exceptions/Interrupts/Traps Interruptions of executions due to errors, user request, hardware failure, etc… Handled by CPU Improper handling leads to security flaws  CTRL-C during supervisor mode operations  Interrupt table entry change 19

20 G53SEC Processing Interrupt: 20 TRAP #n interrupt vector interrupt handler InterruptInterrupt vector table Memory n 1010

21 G53SEC Processing Interrupt: 21 TRAP #n interrupt vector interrupt handler InterruptInterrupt vector table Memory n 1010 viral code

22 G53SEC Intel 80x86: 2-bit field in status register Defines four privilege levels (protection rings) Only one instruction can change this (POPF) Instruction can only be executed at level 0 Procedure -> object – in own or outer rings Procedure -> subroutine - only within own ring 22

23 G53SEC Intel 80x86: How to manage access to operations requiring higher privileges? Gates System object pointing to a procedure In the same ring as the calling procedure Has different privilege level than code it points to Allow execute-only access to procedure in inner ring 23

24 G53SEC Intel 80x86: Confused Deputy Problem: Outer ring -> Gate to copy an object from inner ring to outer ring This will not be prevented Doesn’t violate security policy Security policy needs to be extended – caller privilege 80x86 contains prevention mechanism 24

25 G53SEC Protecting Memory: OS integrity – preserved by separation of user & kernel space Separation of users: File management – logical memory object Memory management – physical memory objects 25

26 G53SEC continued… Segmentation – divides data into logical units Good basis for enforcing security policy Variable length – difficult memory management Paging – divides memory into pages of equal size Popular – efficient memory management Not good for access control A page might contain objects requiring different protection 26

27 G53SEC continued… Possibility of a covert channel Logical objects stored across boundaries 27 P a$$w0RD Pa $$w0RD Pa$ $w0RD page boundary step 1step 2step 3

28 G53SEC Secure Addressing: Confinement of processes to separate address spaces Control access to data objects in memory 1.OS modifies addresses received from user (address sandboxing) 2.OS constructs effective addresses from relative ones (relative addressing) 3.OS checks whether address within given bounds (base register addressing) 28

29 G53SEC 29 Summary: How Access Control is enforced Why OS integrity is important Security features of existing hardware How to control access to memory Next Lecture Hands-on Unix Security

30 G53SEC End 30 07/02/08

Download ppt "G53SEC 1 Reference Monitors Enforcement of Access Control."

Similar presentations

Computer-System Structures Er.Harsimran Singh www.ProgrammingPlaza.com.

Computer-System Structures Er.Harsimran Singh
CS426Fall 2010/Lecture 71 Computer Security CS 426 Lecture 7 Operating System Security Basics.

CS426Fall 2010/Lecture 71 Computer Security CS 426 Lecture 7 Operating System Security Basics.
Secure Operating Systems Lesson 9: Multics. Where are we?  We now know all the background… so it’s time to figure out why Dr. Ford likes Multics so very.

Secure Operating Systems Lesson 9: Multics. Where are we?  We now know all the background… so it’s time to figure out why Dr. Ford likes Multics so very.
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Silberschatz, Galvin and Gagne  2002 2.1 Operating System Concepts Chapter 2: Computer-System Structures Computer System Operation I/O Structure Storage.

Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 2: Computer-System Structures Computer System Operation I/O Structure Storage.
CMPT 300: Operating Systems I Dr. Mohamed Hefeeda

CMPT 300: Operating Systems I Dr. Mohamed Hefeeda
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
OS2-1 Chapter 2 Computer System Structures. OS2-2 Outlines Computer System Operation I/O Structure Storage Structure Storage Hierarchy Hardware Protection.

OS2-1 Chapter 2 Computer System Structures. OS2-2 Outlines Computer System Operation I/O Structure Storage Structure Storage Hierarchy Hardware Protection.
1 School of Computing Science Simon Fraser University CMPT 300: Operating Systems I Dr. Mohamed Hefeeda.

1 School of Computing Science Simon Fraser University CMPT 300: Operating Systems I Dr. Mohamed Hefeeda.
OS Fall ’ 02 Introduction Operating Systems Fall 2002.

OS Fall ’ 02 Introduction Operating Systems Fall 2002.
Silberschatz, Galvin and Gagne  2002 2.1 Operating System Concepts Chapter 2: Computer-System Structures Computer System Operation I/O Structure Storage.

Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 2: Computer-System Structures Computer System Operation I/O Structure Storage.
Silberschatz, Galvin and Gagne  2002 2.1 Operating System Concepts Chapter 2: Computer-System Structures Computer System Operation I/O Structure Storage.

Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 2: Computer-System Structures Computer System Operation I/O Structure Storage.
OS Spring’03 Introduction Operating Systems Spring 2003.

OS Spring’03 Introduction Operating Systems Spring 2003.
Abhinav Kamra Computer Science, Columbia University 2.1 Operating System Concepts Silberschatz, Galvin and Gagne  2002 Chapter 2: Computer-System Structures.

Abhinav Kamra Computer Science, Columbia University 2.1 Operating System Concepts Silberschatz, Galvin and Gagne  2002 Chapter 2: Computer-System Structures.
General System Architecture and I/O.  I/O devices and the CPU can execute concurrently.  Each device controller is in charge of a particular device.

General System Architecture and I/O.  I/O devices and the CPU can execute concurrently.  Each device controller is in charge of a particular device.
ISA 562 Internet Security Theory & Practice

ISA 562 Internet Security Theory & Practice
Operating System Review September 10, 2012Introduction to Computer Security ©2004 Matt Bishop Slide #1-1.

Operating System Review September 10, 2012Introduction to Computer Security ©2004 Matt Bishop Slide #1-1.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.

Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
2.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 2: Computer-System Structures Computer System Operation I/O Structure.

2.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 2: Computer-System Structures Computer System Operation I/O Structure.

Similar presentations

Ads by Google