The Evolution of Secure Operating Systems

Similar documents
The Evolution of Secure Operating Systems

Advanced Systems Security: Multics

Topics in Systems and Program Security

Advanced Systems Security: Principles

Topics in Systems and Program Security

Virtual Machine Security

CSE543 - Computer and Network Security Module: Virtualization

Advanced Systems Security: Ordinary Operating Systems

Practical Verification of System Integrity in Cloud Computing Environments

Multics C H A P T E R MULTICS HISTORY

Advanced Systems Security: Principles

Advanced Systems Security: Virtual Machine Systems

Advanced Systems Security: Securing Commercial Systems

CSE543 - Computer and Network Security Module: Virtualization

CSE Computer Security

Advanced Systems Security: Virtual Machine Systems

CSE543 - Computer and Network Security Module: Virtualization

Advanced Systems Security: Security-Enhanced Linux

CSE 544 Advanced Systems Security

Advanced Systems Security: Integrity

Advanced Systems Security: Integrity

Advanced Systems Security: Integrity

Advanced Systems Security: Principles

Operating System Security: Building Secure Distributed Systems

Module: Operating System Security. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Advanced Systems Security: Security Goals

Security Kernels C H A P T E R 6

Systems Security Research in SIIS Lab

T to determine what is required to build a productionquality

Operating System Security

Transforming Commodity Security Policies to Enforce Clark-Wilson Integrity

CIS 5373 Systems Security

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

CSCI 420: Mobile Application Security. Lecture 7. Prof. Adwait Nadkarni. Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger

Advanced Systems Security: Cloud Computing Security

Wrapup. CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger.

L17: Assurance. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

About Me. Office Hours: Tu 4-5, W 1-2, or by appointment Office: 346A IST Bldg

Operating Systems CMPSC 473. Introduction January 15, Lecture 1 Instructor: Trent Jaeger

CMPSC 497 Attack Surface

Justifying Integrity Using a Virtual Machine Verifier

Toward Automated Information-Flow Integrity Verification for Security-Critical Applications

Operating System Security, Continued CS 136 Computer Security Peter Reiher January 29, 2008

Advanced Systems Security: Putting It Together Systems

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

Advanced Systems Security: Ordinary Operating Systems

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

CIS433/533 - Introduction to Computer and Network Security. Access Control

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

Module: Cloud Computing Security

Architectural Support for A More Secure Operating System

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

Discretionary Vs. Mandatory

CSE 544 Advanced Systems Security

Inevitable Failure: The Flawed Trust Assumption in the Cloud

Introduction to Security and User Authentication

Access control models and policies. Tuomas Aura T Information security technology

Practical DIFC Enforcement on Android

Lecture Embedded System Security Introduction to Trusted Computing

Lecture 4: Bell LaPadula

Introduction to Computer Security

Laying a Secure Foundation for Mobile Devices. Stephen Smalley Trusted Systems Research National Security Agency

Access control models and policies

Lecture Embedded System Security Introduction to Trusted Computing

8.3 Mandatory Flow Control Models

CSE 565 Computer Security Fall 2018

Lecture Embedded System Security Introduction to Trusted Computing

Module: Future of Secure Programming

Access Control. Discretionary Access Control

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

Creating a Practical Security Architecture Based on sel4

Amplifying. Only stack module can alter, read x So process doesn t get capability, but needs it when x is referenced a problem!

ACCESSPROV: Tracking the Provenance of Access Control Decisions

Komodo: Using Verification to Disentangle Secure-Enclave Hardware from Software

Assurance for Defense in Depth via Retrofitting

Advanced Systems Security: Future

SELinux Protected Paths Revisited

Influential OS Research Security. Michael Raitza

Access Control (slides based Ch. 4 Gollmann)

Supply Chain Integrity and Security Assurance for ICT. Mats Nilsson

Visualizing Access Control Policies in Databases. Jared Chandler. Comp 116 Fall 2015

Operating System Security. Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own)

System design issues

Asbestos Operating System

Amplifying. Examples

CSE 120 Principles of Operating Systems

Advanced Systems Security: New Threats

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

Lecture 4 - Authorization

Effective Threat Modeling using TAM

OS Structure. Hardware protection & privilege levels Control transfer to and from the operating system

Information Flow Control For Standard OS Abstractions

Module: Future of Secure Programming

Access Control. Steven M. Bellovin September 13,

Operating systems and security - Overview

Operating systems and security - Overview

Integrating SELinux with Security-typed Languages

CCM Lecture 14. Security Models 2: Biba, Chinese Wall, Clark Wilson

Unofficial Part 4 of the Common Criteria. mandag 31. august 2009

C1: Define Security Requirements

Transcription:

The Evolution of Secure Operating Systems Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University 1

Operating Systems Make computer systems easier to use Improve productivity and collaboration

Operating Systems Users make mistakes that may affect others Users may have malicious intentions

Need for Security The need for operating systems to enforce security requirements was recognized from the advent of multi-user operating systems

Need for Security The need for operating systems to enforce security requirements was recognized from the advent of multi-user operating systems F. J. Corbato and V. A. Vyssotsky. Introduction and overview of the Multics System. In Proceedings of the 1965 AFIPS Fall Joint Computer Conference, 1965. Of considerable concern is the issue of privacy. Experience has shown that privacy and security are sensitive issues in a multiuser system where terminals are anonymously remote.

Questions So, were we done? No, still several difficult questions to address, including (1) What does security mean? Policy: What access can be allowed to sensitive data while still protecting its secrecy and integrity? (2) How do we enforce security effectively? Mechanism: What should be the requirements of a security mechanism to enforce security policies correctly? (3) How do we validate correctness in enforcement? Validation: What methods are necessary to validate the correctness requirements for enforcing a security policy?

Evolution of Secure OS In this talk, I will review the evolution of the design of secure operating systems with respect to these questions Phase 1: The (Early) Multics Experience (to 1977) Phase 2: The Security Kernel Experience (to early 90s) Phase 3: Recent and Future Directions (from 90s)

Evolution of Secure OS In this talk, I will review the evolution of the design of secure operating systems with respect to these questions Phase 1: The (Early) Multics Experience Archaen the formation of continents and life started to form Phase 2: The Security Kernel Experience Proterozoic from the appearance of oxygen in Earth's atmosphere to just before the proliferation of complex life Phase 3: Recent and Future Directions Phanerozoic starts with the rapid emergence of a number of life forms

Multics Project (to 1977) Importantly, the Multics project explored all three big questions And made important contributions to each

Multics Project (to 1977) Importantly, the Multics project explored all three big questions And made important contributions to each What does security (policy) mean? Security has to protect secrecy and integrity even when adversaries control processes à mandatory access control

Multics Project (to 1977) Importantly, the Multics project explored all three big questions And made important contributions to each What does security (policy) mean? Security has to protect secrecy and integrity even when adversaries control processes à mandatory access control What does enforcement mean? Enforcement mechanisms must satisfy the reference monitor concept

Multics Project (to 1977) Importantly, the Multics project explored all three big questions And made important contributions to each What does security (policy) mean? Security has to protect secrecy and integrity even when adversaries control processes à mandatory access control What does enforcement mean? Enforcement mechanisms must satisfy the reference monitor concept What does validation require? Small code base; design for security; formal verification

Security Policy in Multics Found that security is more than protection (Lampson) Protection makes trust assumptions about a user s processes Your processes are not out to get you Your processes can resist determined attacks

Security Policy in Multics Found that security is more than protection (Lampson) Protection makes trust assumptions about a user s processes Your processes are not out to get you Your processes can resist determined attacks

Mandatory Access Control Multics introduced mandatory access control (MAC) to prevent such attacks Mandatory System-defined administration of policies Access control Information flow or MLS (e.g., Bell-La Padula, Biba) User programs are not authorized to Read/Write to data to unauthorized files or processes Or change the access control policy Prevents Trojan horses (malware) and compromised programs from violating expected data security No permissions that leak data or depend on less trusted data

MAC Challenges Information flow is an ideal Real systems often require operations that violate information flow E.g., services that manage secrets must still be able to reply to client requests Resulting in implementation artifacts outside model Trusted readers/writers or guards that can violate information flow Ad hoc declassifers (secrecy) and endorsers (integrity) to change information flow policies Trust in these artifacts requires validation Need (mostly) automated support to fill these gaps

Enforcement in Multics Found that enforcement itself must be systematic and secured Which OS operations should be protected by authorization checks? How do we know that authorization checks are performed correctly? How do we know that authorization checks and the policy enforced cannot be modified? Clearly, an informal approach to the enforcement of policies is insufficient

Reference Monitor The Anderson report (USAF 1972) proposed the reference monitor concept to provide Explicit control must be established over each user s (programs) access to any system resource which is shared with any other user or system program. Reference Monitor Concept requirements: The reference validation mechanism must be tamperproof The reference validation mechanism must always be invoked (complete mediation over security-sensitive operations) The reference validation mechanism must be small enough to be subject to analysis and tests, the completeness of which can be assured (validation)

Enforcement in Multics Found that enforcement itself must be systematic and secured Which OS operations should be protected by authorization checks? Complete mediation over security-sensitive operations How do we know that authorization checks are performed correctly? Validation How do we know that authorization checks and the policy enforced cannot be modified? Tamperproof Provides guidance over how to build correct enforcement mechanisms But, some further work is necessary to make these ideas precise

Enforcement in Multics Tamperproofing Protection rings Kernel in ring 0 Gates protecting kernel entry and exit Complete mediation Resources modeled as segments Control all segment operations (ACLs, MLS, ring brackets) Validation Come back to this

Karger-Schell Analysis Demonstrated the importance of following the reference monitor concept Flaws in Tamperproofing Untrusted master mode code run outside Ring 0 for performance Flaws in Complete Mediation Failure to mediate some indirect memory accesses However, these were both flaws in implementation, not design, that would have been alleviated by following the reference monitor concept correctly

Validation in Multics Challenges were seen for validating Multics (circa 1977) Size of the code base 54 SLOC Although the Multics Final Report suggests that the kernel size can be reduced by approximately half How to do formal validation on a kernel? To this point techniques had not been developed Ultimately, the Multics design formed the basis for the B2 assurance level of the Orange Book + Security policy model clearly defined and formally documented (B2) - Satisfies reference monitor requirements (B3)

Security Kernel Experience A number of projects emerged to address the challenge of validating secure operating systems Which came to be called security kernels To address three main challenges Reduce size and complexity of operating systems and utility software Define security enforced by the OS internal controls Validate the correctness of the implemented security controls From Ames and Gasser, IEEE Computer, July 1983

July 1983, IEEE Computer

Security Kernel Approach Security Kernel Design: Ames, Gasser, and Schell Basic Principles A formally defined security model Complete, mandatory, and validated for security requirements Faithful implementation Transfer model to design incrementally and formally While addressing practical considerations Extracting security relevant functionality from OS at large Formal specification and validation methods

the policy model. One common technique, securityjflow analysis, is a relatively simple way to identify and analyze information flows in a specification.7 Note that only the security of the interface specification must be demonstrated, not the more difficult problem of its functional "correctness," since functional properties, most of which are not security related, are not addressed by the model. In the second class of formal verification techniques, we verify the correspondence or correctness of mappings between any intermediate specifications in the hierarchy and the interface specifications. Finally, a third class of verification techniques, the most traditional way to prove correctness, shows that the kernel implementation corresponds to its specification. Cheheyl et al. have documented a survey of current verification systems covering most of these techniques, best illustrated in the context of a general-purpose operating system with online, interactive users (Figure 3). The kernel, as already noted, provides a relatively small and simple subset of the operating system functions. The kernel primitives are the interface of this subset to the rest of the operating system (generally referred to as the supervisor). In turn, the supervisor primitives provide the general-purpose operating system functions used by the applications. Figure 2. Development and verification hierarchy. Figure 3. Structure of a kernel-based operation system. Security Kernel Approach From model to implementation Kernel/supervisor trade-offs. An operating system is usually broken down into functional areas, such as process management, file system management for segments, and I/O control. Within each area, some functions are clearly security relevant and must be in the kernel, while some are not. The rules of the policy model help to clearly identify which functions are security relevant. 17 July 1983

Formal Verification What techniques are necessary to formally assure a kernel implementation satisfies a security model? verification has turned out to be more difficult than we expected Goal: correctness Techniques not ready to prove correctness Approaches (at this time) Compare kernel security to information flows allowed Specification and implementation correspondence

VMM Security Kernel Choices in bringing security kernel OS to market High-assurance version of existing OS But, would trail the standard product development lifecycle Custom, high-assurance OS Lack application and ecosystem support Alternative: high-assurance virtual machine monitor (VMM) Motivation for the VMM Security Kernel for VAX in 1990 IEEE Symposium on Security and Privacy VMM security kernel layers under commercial OSes To support multiple OSes and versions

VAX/SVS Project Project Successes System was piloted in 1989 reasonably successful A VMM Security Kernel for the VAX Architecture was lead paper and Best Paper Award winner at the 1990 IEEE Symposium on Security and Privacy Comprehensive effort for A1 assurance applying formal methods for system design, test, maintenance, and cover channels Nonetheless, the project was cancelled in 1990 Lack of customers export controls did not help Lack of features e.g., no Ethernet support Secure server SSVR KI VPrint VTerm VOL F11F AUD HLS VMV VMP IOS LLS HIH Users Security perimeter Kernel interface Visual printers Virtual terminals Volumes Files-11 files Audit trail Higher-level scheduler VM-virtual space manager VM-physical space manager I/O services Virtual machine operating system Virtual VAX Lower-level scheduler Hardware interrupt handlers Modified microcode for virtualization VVAX VAX hardware

VAX/SVS Project Other issues that may have had an impact Drivers are in the VMM security kernel Direct Memory Access was not controlled All new device drivers must be fully assured Multi-user and privileged VMs Achieving A1 assurance in practice requires tracking individual users, but no visibility into VMs Assembly code About 11K SLOC of the VMM security kernel was implemented in assembly

Recent and Future Work Significant advances since then Hardware support for security E.g., IOMMU Software architectures for security E.g., Decentralized information flow control Program analysis for security E.g., Validation and retrofitting of security in programs Formal methods for security E.g., sel4 These advances address several prior limitations

Hardware Support A variety of hardware features have been explored and even introduced in production hardware IOMMU Control direct memory access for devices Critical for drivers in security kernels Native virtualization For VMM security kernels Features for specific security requirements ARM TrustZone, Intel SGX, Intel MPX, Intel PT, etc. Research systems: CHERI

Software Architectures Information flow control in systems and software has been explored broadly - Decentralized information flow control Systems that enforce information flow comprehensively and flexibly All processes are controlled or within the model Compiler-based methods for validating information flow control enforcement in programs Declassification/endorsement as first-order principles in languages Applications of such methods to real systems (in research) Android-Weir (USENIX 2016), OpenStack-Pileus (ACSAC 2016), Web Applications-DATS (ASPLOS 2018), Fabric/Mobile Fabric (Oakland 2012)

Program Analysis In addition to information flow, program analysis methods for security examine a number of other challenges Automated Privilege Separation Enable programmers to decompose their monolithic programs into components to satisfy information flow Program Specialization Remove code unnecessary for particular deployment Automated Hook Placement Identify where to place security checks into existing programs How to utilize such techniques in concert to design for security?

Take Away The importance of enforcing security in operating systems has been long recognized Multics examined the dimensions of what to enforce (policy) how to enforce (mechanism), and need for validation Security kernel projects explore how to validate real systems based on security designs converted to implementations Recent and future work shows promise of overcoming some of the major challenges that have held back prior work With the availability of a formally verified core kernel, there is an opportunity to develop secure operating environment

Thank You! Questions? E-mail : tjaeger@cse.psu.edu 36

Thank You! Questions? E-mail : tjaeger@cse.psu.edu Series Editor: Ravi Sandhu, University of Texas at San Antonio Series ISSN: XXXX-XXXX SYNTHESIS LECTURES ON INFORMATION SECURITY, PRIVACY, AND TRUST Operating System Security Trent Jaeger, The Pennsylvania State University Operating systems provide the fundamental mechanisms for securing computer processing. Since the 1960s, operating systems designers have explored how to build secure operating systems operating systems whose mechanisms protect the system against a motivated adversary. Recently, the importance of ensuring such security has become a mainstream issue for all operating systems. In this book, we examine past research that outlines the requirements for a secure operating system and research that implements example systems that aim for such requirements. For system designs that aimed to satisfy these requirements, we see that the complexity of software systems often results in implementation challenges that we are still exploring to this day. However, if a system design does not aim for achieving the secure operating system requirements, then its security features fail to protect the system in a myriad of ways. We also study systems that have been retrofit with secure operating system features after an initial deployment. In all cases, the conflict between function on one hand and security on the other leads to difficult choices and the potential for unwise compromises. From this book, we hope that systems designers and implementers will learn the requirements for operating systems that effectively enforce security and will better understand how to manage the balance between function and security. JAEGER OPERATING SYSTEM SECURITY & M C Morgan & Claypool Publishers Operating System Security Trent Jaeger About SYNTHESIs This volume is a printed version of a work that appears in the Synthesis Digital Library of Engineering and Computer Science. Synthesis Lectures provide concise, original presentations of important research and development topics, published quickly, in digital and print formats. For more information visit www.morganclaypool.com Morgan & Claypool Publishers ISBN: 978-1-59829-212-1 90000 www.morganclaypool.com 9 781598 292121 Morgan & Claypool SYNTHESIS LECTURES ON INFORMATION SECURITY, PRIVACY, AND TRUST Ravi Sandhu, Series Editor 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback