Topics in Systems and Program Security

Similar documents
Advanced Systems Security: Virtual Machine Systems

Advanced Systems Security: Virtual Machine Systems

Topics in Systems and Program Security

Virtual Machine Security

Advanced Systems Security: Principles

Advanced Systems Security: Principles

Advanced Systems Security: Principles

Advanced Systems Security: Multics

Advanced Systems Security: Securing Commercial Systems

Advanced Systems Security: Security-Enhanced Linux

Advanced Systems Security: Ordinary Operating Systems

CSE543 - Computer and Network Security Module: Virtualization

CSE543 - Computer and Network Security Module: Virtualization

Operating System Security: Building Secure Distributed Systems

CSE543 - Computer and Network Security Module: Virtualization

CSE Computer Security

Advanced Systems Security: Integrity

The Evolution of Secure Operating Systems

The Evolution of Secure Operating Systems

Advanced Systems Security: Integrity

Advanced Systems Security: Security Goals

Advanced Systems Security: Integrity

Advanced Systems Security: Putting It Together Systems

Module: Operating System Security. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CSE 544 Advanced Systems Security

Toward Automated Information-Flow Integrity Verification for Security-Critical Applications

Systems Security Research in SIIS Lab

Advanced Systems Security: Ordinary Operating Systems

Operating System Security

Towards Application Security on Untrusted Operating Systems

Justifying Integrity Using a Virtual Machine Verifier

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Advanced Systems Security: Future

Wrapup. CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger.

Advanced Systems Security: Security-Enhanced Linux

Introduction to Computer Security

Justifying Integrity Using a Virtual Machine Verifier

BUILDING A FRAMEWORK FOR INFORMATION FLOW AWARE WEB APPLICATIONS

Transforming Commodity Security Policies to Enforce Clark-Wilson Integrity

Virtualization. Pradipta De

Multics C H A P T E R MULTICS HISTORY

CIS433/533 - Introduction to Computer and Network Security. Access Control

Advanced Systems Security: Security-Enhanced Linux

Operating System Security, Continued CS 136 Computer Security Peter Reiher January 29, 2008

SELinux Protected Paths Revisited

Architectural Support for A More Secure Operating System

Lecture 15 Designing Trusted Operating Systems

Security Kernels C H A P T E R 6

COS 318: Operating Systems. Virtual Machine Monitors

IBM Research Report. Bridging Mandatory Access Control Across Machines

Retrofitting Legacy Code for Authorization Policy Enforcement

CSCI 420: Mobile Application Security. Lecture 7. Prof. Adwait Nadkarni. Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger

The Future of Virtualization

Chapter 33: Virtual Machines

About Me. Office Hours: Tu 4-5, W 1-2, or by appointment Office: 346A IST Bldg

Secure Sharing of an ICT Infrastructure Through Vinci

IBM Research Report. Building a MAC-based Security Architecture for the Xen Opensource Hypervisor

CMPSC 497 Attack Surface

The Challenges of X86 Hardware Virtualization. GCC- Virtualization: Rajeev Wankar 36

Operating Systems, Spring 2015 Course Syllabus

Virtual Machines. Part 2: starting 19 years ago. Operating Systems In Depth IX 1 Copyright 2018 Thomas W. Doeppner. All rights reserved.

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

Inevitable Failure: The Flawed Trust Assumption in the Cloud

Operating Systems CMPSC 473. Introduction January 15, Lecture 1 Instructor: Trent Jaeger

W11 Hyper-V security. Jesper Krogh.

CSE Computer Security

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

Lecture 4 - Authorization

OS Security IV: Virtualization and Trusted Computing

CIS 5373 Systems Security

Operating systems and security - Overview

Operating systems and security - Overview

Lecture 3: O/S Organization. plan: O/S organization processes isolation

Xen Security Modules (XSM)

Systems View -- Current. Trustworthy Computing. TC Advantages. Systems View -- Target. Bootstrapping a typical PC. Boot Guarantees

Virtualization. ...or how adding another layer of abstraction is changing the world. CIS 399: Unix Skills University of Pennsylvania.

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

Module: Cloud Computing Security

Issues of Operating Systems Security

State of the Port to x86_64 April 2017

Integrity Policies. CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger.

System design issues

, Inc

Verifiable Security Goals

Multilevel relations: Schema and multiple instances based on each access class. A multilevel relation consists of two parts:

Virtual Machines. Part 1: 54 years ago. Operating Systems In Depth VIII 1 Copyright 2018 Thomas W. Doeppner. All rights reserved.

Access control models and policies

DAC vs. MAC. Most people familiar with discretionary access control (DAC)

Leveraging IPsec for Mandatory Access Control of Linux Network Communications

Verifying System Integrity by Proxy

Lecture 21. Isolation: virtual machines, sandboxes Covert channels. The pump Why assurance? Trust and assurance Life cycle and assurance

IBM Research Report. shype: Secure Hypervisor Approach to Trusted Virtualized Systems

Attack Graphs. Systems and Internet Infrastructure Security

? Resource. Outline. Lecture 9: Access Control and Operating System Security. Access control. Access control matrix. Two implementation concepts

Access control models and policies. Tuomas Aura T Information security technology

Helgi Sigurbjarnarson

Practical Verification of System Integrity in Cloud Computing Environments

Virtualization. Darren Alton

INF3510 Information Security. Lecture 6: Computer Security. Universitetet i Oslo Audun Jøsang

Influential OS Research Security. Michael Raitza

Transcription:

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Topics in Systems and Program Security Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University November 7, 2008 Page 1

Project Analysis Due 10/24 Evaluate the security of your research project (as it is currently) against reference monitor guarantees Identify your project s reference monitor (2 pages max) Components that make up the reference monitor and its trusted computing base Evaluate your reference monitor s satisfaction of the reference monitor guarantees (4 pages max) Answer the questions in Section 2.4 Identify tasks to enable approximation of reference monitor guarantees (2 pages max) Page 2

Project Analysis Grading Plan was: 25 (reference monitor) 50 (evaluation) 25 (tasks) Problem: quite a few are missing one section or another Especially Tasks Page 3

Project Analysis Grading Is: 35 (reference monitor) 50 (evaluation) 10 (tasks) 5 (other insights) Page 4

Reference Monitor What s your reference monitor? Not clear that it is a reference monitor What do you depend on for your security enforcement? Could be multiple things That is OK include them all For some people, this means a lot of stuff Important to be comprehensive For end of semester, pick one component Page 5

Reference Monitor A few questions What is scope of reference monitor assessment? All the components that the system depends upon to make correct security decisions What do reference monitor guarantees show? What is a protection system? What makes a protection system mandatory? What are the components of a mandatory protection system? Page 6

Evaluation This must be against the questions in Section 2.4 Discussing all issues in an ad hoc way Not a clear proof (even informal) This must speak in concrete terms (or why it is not possible to be concrete that is a failure to meet guarantees) Challenge: Lots of layers For end of semester: For one layer/component, address one question as concretely as possible Page 7

Evaluation Criteria Time to assess Do they make sense? Need more tools/guidance to make them concrete? Are they exhaustive? Do they motivate concrete assessment? Page 8

Tasks How do you address the shortcomings in the evaluation? Specific tasks Relate to reference monitor criteria If we do this, then it will have X impact on criteria Y Choose a task, show conceptually how it will help, show concretely what needs to be done, choose an approach, implement approach, reflect on effectiveness of approach Some of you will need to revisit tasks Page 9

End of Semester Project For end of semester, pick one component/layer Show why it is a key component of your reference monitor As concretely as possible, evaluate against one reference monitor criteria (questions in 2.4) Show why this criterion is important/non-trivial Choose a task, show conceptually how it will help, show concretely what needs to be done, choose an approach, implement approach, reflect on effectiveness of approach Using tasks selected in midterm report (or others), affect improvements in this criteria (in some concrete manner not just paper) 11/17 specify component, criterion, task (1/2 page) Page 10

Two Directions OS Security from Reference Monitor perspective Mediation LSM Tamperproof Linux and TCB Simple enough to verify Correct code Correct policy Page 11

Basis for OS Security Isolation A protection domain defines a boundary of isolation Based on Rings Address spaces Access control policy Do these work in modern OSes? Page 12

Virtual Machine Systems Protection domain is extended to operating systems on one physical platform Invented for resource utilization But, also provide a potential security benefit due to default ISOLATION How does VM isolation differ from OS isolation? Page 13

Page 14

Page 15

Page 16

VM Systems and Ref Monitor How does a VM System improve ability to achieve reference monitor guarantees? Mediation Mediation between VM interactions Tamperproof Protection boundaries between OS Simple Enough to Verify Code that needs to be correct? Policy Page 17

VAX VMM A1-assured VMM system Carefully crafted VMM Mediation VM interaction Tamperproof Minimal TCB Simple enough to verify Code assurance Policy assurance: MLS policy, Biba policy, privileges Page 18

VAX VMM Design Applications (Top Secret) Applications (Secret) Applications (Unclassified) Ultrix OS VMS OS VMS OS VMM Security Kernel Memory Device Disk Device Print Device Display Device... Page 19

VAX VMM Reference Monitor Key design tasks Virtualize processor Make all sensitive instructions privileged More rings Need a new ring for the VMM I/O emulation Self-virtualizable What components constitute the VAX VMM reference monitor? Page 20

VAX VMM Policy MLS Control secrecy Biba Control integrity Privileges Exceptional accesses Audited There are more of these than meets the eye! How is the protection state modified? Page 21

VAX VMM Evaluation Mediation: ensure all security-sensitive operations are mediated? Virtualizing instructions, I/O emulation VM-level operations? Privileges Mediation: mediate all resources? VMM level Mediation: verify complete mediation? A1-assured at VMM level Page 22

VAX VMM Evaluation Tamperproof: protect VMM? Similar to Multics (no gatekeepers, but some kind of filters); authentication in VMM; protection system ops in VMM; fixed system? Tamperproof: protect TCB? All trusted code at ring 0; trusted path from VMs for admin; Verification: verify code? A1-assured at VMM level Verification: verify policy? MLS and Biba express goals and policy; Privileges are ad hoc Page 23

VAX VMM Tasks Despite A1 assurance still several challenges in VAX VMM system Device driver management; no network Amount of assembler code Covert channel countermeasures Implications of privileges Nonetheless, interesting mechanisms Trusted path administration Architecture of VMM Virtualization for security Page 24

Compare to Xen Reference Monitor XSM in Xen Scope includes dom0 Linux and user-level Mediation XSM to control VMM operations SELinux in dom0; use network to communicate Tamperproof Xen has a much larger TCB, and more flexible Verification Code lots Policy SELinux style Page 25

Take Away VM Systems provide isolation Process isolation on conventional OS is untrusted Proxos, Overshadow VM Systems enable a small TCB Type 1 VMMs A1-Assured, like VAX VMM VM Systems can mediate inter-vm actions Virtualized operations Inter-VM operations Page 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback