System design issues

Similar documents
DAC vs. MAC. Most people familiar with discretionary access control (DAC)

1 HiStar OS. 2 Closing remarks. 3 Deian Stefan the industry perspective. - Software deployed on 200,000,000 systems

DAC vs. MAC. Bell-Lapadula model. Security levels. Security properties. The lattice model top-secret, {Nuclear, Crypto} Straw man MAC implementation

Discretionary Vs. Mandatory

CCM Lecture 12. Security Model 1: Bell-LaPadula Model

Access Control. Discretionary Access Control

DAC vs. MAC. Bell-Lapadula model. Security properties. Security levels. Straw man MAC implementation. The lattice model top-secret, {Nuclear, Crypto}

Labels and Information Flow

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

DAC vs. MAC. Most people familiar with discretionary access control (DAC) Discretionary means anyone with access can propagate information:

Complex Access Control. Steven M. Bellovin September 10,

Security Models Trusted Zones SPRING 2018: GANG WANG

Advanced Systems Security: Multics

Access control models and policies. Tuomas Aura T Information security technology

Access control models and policies

CSE Computer Security

Access control models and policies

Introduction to Computer Security

Operating Systems Design Exam 3 Review: Spring 2011

Advanced Systems Security: Integrity

Operating System Security. Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own)

1 / Must not leak contents of your files to network - Must not tamper with contents of your files 3 / 42

CS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES

Asbestos Operating System

Exercises with solutions, Set 3

File. File System Implementation. File Metadata. File System Implementation. Direct Memory Access Cont. Hardware background: Direct Memory Access

Computer Security. Access control. 5 October 2017

CSL373: Lecture 5 Deadlocks (no process runnable) + Scheduling (> 1 process runnable)

Operating Systems. Week 13 Recitation: Exam 3 Preview Review of Exam 3, Spring Paul Krzyzanowski. Rutgers University.

CS 416: Operating Systems Design April 22, 2015

CSCI 420: Mobile Application Security. Lecture 7. Prof. Adwait Nadkarni. Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger

Process Time. Steven M. Bellovin January 25,

Notes based on prof. Morris's lecture on scheduling (6.824, fall'02).

Access Control Mechanisms

Design Overview of the FreeBSD Kernel CIS 657

Design Overview of the FreeBSD Kernel. Organization of the Kernel. What Code is Machine Independent?

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Towards Formal Evaluation of a High-Assurance Guard

Security Architecture

Operating systems and security - Overview

Operating systems and security - Overview

Internet Design Principles and Architecture

- Unix permission bits are an example - E.g., might set file private so that only group friends can read it:

Outline. 1 Mandatory access control. 2 Labels and lattices 3 LOMAC. 4 SELinux 1 / 43

Mandatory access control (MAC) can restrict propagation

G Robert Grimm New York University

Scheduling Mar. 19, 2018

Lecture 15 Designing Trusted Operating Systems

File. File System Implementation. Operations. Permissions and Data Layout. Storing and Accessing File Data. Opening a File

Stanford University Computer Science Department CS 240 Sample Quiz 2 Questions Winter February 25, 2005

CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:

Flash: an efficient and portable web server

CIS433/533 - Introduction to Computer and Network Security. Access Control

Operating Systems Design Exam 3 Review: Spring Paul Krzyzanowski

CSE543 - Computer and Network Security Module: Virtualization

Chapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao

What is an Operating System? A Whirlwind Tour of Operating Systems. How did OS evolve? How did OS evolve?

Memory management. Last modified: Adaptation of Silberschatz, Galvin, Gagne slides for the textbook Applied Operating Systems Concepts

COMP 3361: Operating Systems 1 Final Exam Winter 2009

Computer Systems Assignment 4: Scheduling and I/O

Advanced Systems Security: Integrity

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

CS2506 Quick Revision

Administrative Details. CS 140 Final Review Session. Pre-Midterm. Plan For Today. Disks + I/O. Pre-Midterm, cont.

Review: Hardware user/kernel boundary

Architectural Support for A More Secure Operating System

CS140 Operating Systems Final Review. Mar. 13 th, 2009 Derrick Isaacson

-Device. -Physical or virtual thing that does something -Software + hardware to operate a device (Controller runs port, Bus, device)

Operating System. Operating System Overview. Structure of a Computer System. Structure of a Computer System. Structure of a Computer System

Processes and Threads

Lecture 21. Isolation: virtual machines, sandboxes Covert channels. The pump Why assurance? Trust and assurance Life cycle and assurance

Threads Chapter 5 1 Chapter 5

CS 856 Latency in Communication Systems

Receive Livelock. Robert Grimm New York University

Windows 7 Overview. Windows 7. Objectives. The History of Windows. CS140M Fall Lake 1

Access Control (slides based Ch. 4 Gollmann)

Introduction to Operating. Chapter Chapter

Chapter 8: Main Memory

ELEC 377 Operating Systems. Week 1 Class 2

Advanced Systems Security: Ordinary Operating Systems

Chapter 8: Memory-Management Strategies

Mandatory access control and information flow control

Introduction to Operating Systems. Chapter Chapter

Operating Systems Overview. Chapter 2

Introduction to Operating Systems. Chapter Chapter

Operating Systems. Memory Management. Lecture 9 Michael O Boyle

Access Control Part 3 CCM 4350

16 Sharing Main Memory Segmentation and Paging

CHAPTER 8 - MEMORY MANAGEMENT STRATEGIES

Operating System. Operating System Overview. Layers of Computer System. Operating System Objectives. Services Provided by the Operating System

Operating System Overview. Operating System

Advanced Systems Security: Integrity

Lecture 4: Memory Management & The Programming Interface

Chapter 8: Main Memory. Operating System Concepts 9 th Edition

Processes and Non-Preemptive Scheduling. Otto J. Anshus

CS 5523 Operating Systems: Midterm II - reivew Instructor: Dr. Tongping Liu Department Computer Science The University of Texas at San Antonio

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

Native POSIX Thread Library (NPTL) CSE 506 Don Porter

Lecture 4: Bell LaPadula

CSE506: Operating Systems CSE 506: Operating Systems

Transcription:

System design issues Systems often have many goals: - Performance, reliability, availability, consistency, scalability, security, versatility, modularity/simplicity Designers face trade-offs: - Availability vs. consistency - Scalability vs. reliability - Reliability vs. performance - Performance vs. modularity - Modularity vs. versatility - Latency vs. throughput p.1/26

Engineering vs. research Engineering: - Find the right design point in the trade-off - Minimize cost/benefit, etc. Research: - Fundamentally alter the trade-offs - Ideally get best of both worlds p.2/26

Example: Scheduler activations Problem: Kernel-level threads suck - Many expensive context switches - Kernel doesn t know about application-specific priorities Problem: User-level threads suck - Scheduler doesn t know which system calls block Solution: New kernel interface - Expose information needed by user-level scheduler: preemption, blocking system calls, I/O completion,... - Provides the best of both worlds - Facilitates other abastractions, too! (async I/O) p.3/26

Example: Receive livelock Problem: Interrupt-driven network stack bad - Causes livelock under heavy load Problem: Polling adds too much latency Solution: Re-architect kernel for best of both worlds - Mogul and Ramakrishnan show several techniques - Hybrid interrupt/polling, queue-length feedback, CPU quotas - Could maybe unify some with BVT to reduce need for tuning p.4/26

The end-to-end principle Seminal paper by Saltzer, Reed, and Clark Articulated principle for where to place functionality Profoundly influenced the design of TCP/IP - Allowed Internet to evolve so much faster than phone network The function in question can completely and correctly be implemented only with the knowledge and help of the application standing at the end points of the communication system. Therefore, providing that questioned function as a feature of the communication system itself is not possible. (Somtimes an incomplete version of the function provided by the communication system may be useful as a performance enhancement.) p.5/26

Example applications of principle Link-by-link reliable message delivery - Often ensured by application (higher-level reply) - Can t trust every component of network - Inappropriate for many applications (e.g., voice over IP) FIFO message delivery, duplicate suppression - Redundant, just slows down two-phase commit, etc. Security and data integrity checks - Only make sense end-to-end p.6/26

End-to-end principle generalized Application user kernel Library kernel hardware Application user kernel Library kernel hardware router Place functionality closer to the endpoints Often leads to insight that yields best of both worlds! p.7/26

Applying the end-to-end argument Keep lower-level functionality only for performance - E.g., Ethernet tries several times after a collision - Avoids unnecessarily triggering TCP retransmits Provide least common denominator abstractions - Can implement threads on events, but not vice versa - Can implement threads or events on sched. activations - Can implement many tricks on top of good VM primitives p.8/26

Hints for low-level abstraction design Expose information - Lets applications/libraries make intelligent decisions (Is thread runnable? How much memory is available?) Expose hardware and other low-level functionality - Appel & Li: Exposing VM helps applications - Frangipani: Exploits low-level block protocol, locks Avoid outsmarting higher-level software - We still sometimes see papers on buffer cache management - Databases routinely bypass the buffer cache - Maybe OS shouldn t dictate the policy p.9/26

Things to think about System designers face many trade-offs When possible, gain the best of both choices - Rethink layer interfaces and abstractions - Push functionality upwards (end-to-end priciple) High-performance servers particularly demanding - Often uncomfortable fit on traditional OS abstractions Use OS techniques at application level p.10/26

[OS Security] p.11/26

DAC vs. MAC Most people familiar with discretionary access control (DAC) - Example: Unix user-group-other permission bits - Might set a file ÔÖ Ú Ø so only group Ö Ò can read it Discretionary means anyone with access can propagate information: - Å Ð ÒØ Ò Ñݺ ÓÚ ÔÖ Ú Ø Mandatory access control - Security administrator can restrict propagation - Abbreviated MAC (NOT a message authentication code) p.12/26

Bell-Lapadula model View the system as subjects accessing objects - The system input is requests, the output is decisions - Objects can be organized in one or more hierarchies, H (a tree enforcing the type of decendents) Four modes of access are possible: - execute no observation or alteration - read observation - append alteration - write both observation and modification The current access set, b, is (subj, obj, attr) tripples An access matrix M encodes permissible access types (subjects are rows, objects columns) p.13/26

Security levels A security level is a (c, s) pair: - c = classification E.g., unclassified, secret, top secret - s = category-set E.g., Nuclear, Crypto (c 1, s 1 ) dominates (c 2, s 2 ) iff c 1 c 2 and s 2 s 1 - L 1 dominates L 2 sometimes written L 1 L 2 or L 2 L 1 - levels then form a lattice Subjects and objects are assigned security levels - level(s), level(o) security level of subject/object - current-level(s) subject may operate at lower level - level(s) bounds current-level(s) (current-level(s) level(s)) - Since level(s) is max, sometimes called S s clearance p.14/26

Security properties The simple security or ss-property: - For any (S, O, A) b, if A includes observation, then level(s) must dominate level(o) - E.g., an unclassified user cannot read a top-secret document The star security or *-property: - If a subject can observe O 1 and modify O 2, then level(o 2 ) dominates level(o 1 ) - E.g., cannot copy top secret file into secret file - More precisely, given (S, O, A) b: if A = r then current-level(s) level(o) ( no read up ) if A = a then current-level(s) level(o) ( no write down ) if A = w then current-level(s) = level (O) p.15/26

Straw man MAC implementation Take an ordinary Unix system Put labels on all files and directories to track levels Each user U has a security clearance (level(u)) Determine current security level dynamically - When U logs in, start with lowest curent-level - Increase current-level as higher-level files are observed (sometimes called a floating label system) - If U s level does not dominate current, kill program - If program writes to file it doesn t dominate, kill it Is this secure? p.16/26

No: Covert channels System rife with storage channels - Low current-level process executes another program - New program reads sensitive file, gets high current-level - High program exploits covert channels to pass data to low E.g., High program inherits file descriptor - Can pass 4-bytes of information to low prog. in file offset Labels themselves can be a storage channel - Arrange to raise process p i s label to communicate i Other storage channels: - Exit value, signals, terminal escape codes,... If we eliminate storage channels, is system secure? p.17/26

No: Timing channels Example: CPU utilization - To send a 0 bit, use 100% of CPU is busy-loop - To send a 1 bit, sleep and relinquish CPU - Repeat to transfer more bits Example: Resource exhaustion - High prog. allocate all physical memory if bit is 1 - If low prog. slow from paging, knows less memory available More examples: Disk head position, processor cache/tlb polution,... p.18/26

Reducing covert channels Observation: Covert channels come from sharing - If you have no shared resources, no covert channels - Extreme example: Just use two computers Problem: Sharing needed - E.g., read unclassified data when preparing classified Approach: Strict partitioning of resources - Strictly partition and schedule resources between levels - Occasionally reapportion resources based on usage - Do so infrequently to bound leaked information - In general, only hope to bound bandwidth of covert channels - Approach still not so good if many security levels possible p.19/26

Declassification Sometimes need to prepare unclassified report from classified data Declassification happens outside of system - Present file to security officer for downgrade Job of declassification often not trivial - E.g., Microsoft word saves a lot of undo information - This might be all the secret stuff you cut from document p.20/26

Biba integrity model Problem: How to protect integrity - Suppose text editor gets trojaned, subtly modifies files, might mess up attack plans Observation: Integrity is the converse of secrecy - In secrecy, want to avoid writing less secret files - In integrity, want to avoid writing higher-integrity files Use integrity hierarchy parallel to secrecy one - Now security level is a (c, s, i) triple, i =integrity - Only trusted users can operate at low integrity levels - If you read less authentic data, your current integrity level gets raised, and you can no longer write low files p.21/26

DoD Orange book DoD requirements for certification of secure systems 4 Divisions: - D been through certification and not secure - C discretionary access control - B mandatory access control - A like B, but better verified design - Classes within divisions increasing level of security p.22/26

Divisions C and D Level D: Certifiably insecure Level C1: Discretionary security protection - Need some DAC mechanism (user/group/other, ACLs, etc.) - TCB needs protection (e.g., virtual memory protection) Level C2: Controlled access protection - Finer-graunlarity access control - Need to clear memory/storage before reuse - Need audit facilities Many OSes have C2-security packages - Is, e.g., C2 Solaris more secure than normal Solaris? p.23/26

Division B B1 - Labeled Security Protection - Every object and subject has a label - Some form of reference monitor - Use Bell-LaPadula model and some form of DAC B2 - Structured Protection - More testing, review, and validation - OS not just one big program (least priv. within OS) - Requires covert channel analysis B3 - Security Domains - More stringent design, w. small ref monitor - Audit required to detect imminent violations - requires security kernel + 1 or more levels *within* the OS p.24/26

Division A A1 Verified Design - Design must be formally verified - Formal model of protection system - Proof of its consistency - Formal top-level specification - Demonstration that the specification matches the model - Implementation shown informally to match specification p.25/26

Limitations of Orange book How to deal with floppy disks? How to deal with networking? Takes too long to certify a system - People don t want to run n-year-old software Doesn t fit non-military models very well What if you want high assurance & DAC? p.26/26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback