Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Topics in Systems and Program Security Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University November 7, 2008 Page 1
Project Analysis Due 10/24 Evaluate the security of your research project (as it is currently) against reference monitor guarantees Identify your project s reference monitor (2 pages max) Components that make up the reference monitor and its trusted computing base Evaluate your reference monitor s satisfaction of the reference monitor guarantees (4 pages max) Answer the questions in Section 2.4 Identify tasks to enable approximation of reference monitor guarantees (2 pages max) Page 2
Project Analysis Grading Plan was: 25 (reference monitor) 50 (evaluation) 25 (tasks) Problem: quite a few are missing one section or another Especially Tasks Page 3
Project Analysis Grading Is: 35 (reference monitor) 50 (evaluation) 10 (tasks) 5 (other insights) Page 4
Reference Monitor What s your reference monitor? Not clear that it is a reference monitor What do you depend on for your security enforcement? Could be multiple things That is OK include them all For some people, this means a lot of stuff Important to be comprehensive For end of semester, pick one component Page 5
Reference Monitor A few questions What is scope of reference monitor assessment? All the components that the system depends upon to make correct security decisions What do reference monitor guarantees show? What is a protection system? What makes a protection system mandatory? What are the components of a mandatory protection system? Page 6
Evaluation This must be against the questions in Section 2.4 Discussing all issues in an ad hoc way Not a clear proof (even informal) This must speak in concrete terms (or why it is not possible to be concrete that is a failure to meet guarantees) Challenge: Lots of layers For end of semester: For one layer/component, address one question as concretely as possible Page 7
Evaluation Criteria Time to assess Do they make sense? Need more tools/guidance to make them concrete? Are they exhaustive? Do they motivate concrete assessment? Page 8
Tasks How do you address the shortcomings in the evaluation? Specific tasks Relate to reference monitor criteria If we do this, then it will have X impact on criteria Y Choose a task, show conceptually how it will help, show concretely what needs to be done, choose an approach, implement approach, reflect on effectiveness of approach Some of you will need to revisit tasks Page 9
End of Semester Project For end of semester, pick one component/layer Show why it is a key component of your reference monitor As concretely as possible, evaluate against one reference monitor criteria (questions in 2.4) Show why this criterion is important/non-trivial Choose a task, show conceptually how it will help, show concretely what needs to be done, choose an approach, implement approach, reflect on effectiveness of approach Using tasks selected in midterm report (or others), affect improvements in this criteria (in some concrete manner not just paper) 11/17 specify component, criterion, task (1/2 page) Page 10
Two Directions OS Security from Reference Monitor perspective Mediation LSM Tamperproof Linux and TCB Simple enough to verify Correct code Correct policy Page 11
Basis for OS Security Isolation A protection domain defines a boundary of isolation Based on Rings Address spaces Access control policy Do these work in modern OSes? Page 12
Virtual Machine Systems Protection domain is extended to operating systems on one physical platform Invented for resource utilization But, also provide a potential security benefit due to default ISOLATION How does VM isolation differ from OS isolation? Page 13
Page 14
Page 15
Page 16
VM Systems and Ref Monitor How does a VM System improve ability to achieve reference monitor guarantees? Mediation Mediation between VM interactions Tamperproof Protection boundaries between OS Simple Enough to Verify Code that needs to be correct? Policy Page 17
VAX VMM A1-assured VMM system Carefully crafted VMM Mediation VM interaction Tamperproof Minimal TCB Simple enough to verify Code assurance Policy assurance: MLS policy, Biba policy, privileges Page 18
VAX VMM Design Applications (Top Secret) Applications (Secret) Applications (Unclassified) Ultrix OS VMS OS VMS OS VMM Security Kernel Memory Device Disk Device Print Device Display Device... Page 19
VAX VMM Reference Monitor Key design tasks Virtualize processor Make all sensitive instructions privileged More rings Need a new ring for the VMM I/O emulation Self-virtualizable What components constitute the VAX VMM reference monitor? Page 20
VAX VMM Policy MLS Control secrecy Biba Control integrity Privileges Exceptional accesses Audited There are more of these than meets the eye! How is the protection state modified? Page 21
VAX VMM Evaluation Mediation: ensure all security-sensitive operations are mediated? Virtualizing instructions, I/O emulation VM-level operations? Privileges Mediation: mediate all resources? VMM level Mediation: verify complete mediation? A1-assured at VMM level Page 22
VAX VMM Evaluation Tamperproof: protect VMM? Similar to Multics (no gatekeepers, but some kind of filters); authentication in VMM; protection system ops in VMM; fixed system? Tamperproof: protect TCB? All trusted code at ring 0; trusted path from VMs for admin; Verification: verify code? A1-assured at VMM level Verification: verify policy? MLS and Biba express goals and policy; Privileges are ad hoc Page 23
VAX VMM Tasks Despite A1 assurance still several challenges in VAX VMM system Device driver management; no network Amount of assembler code Covert channel countermeasures Implications of privileges Nonetheless, interesting mechanisms Trusted path administration Architecture of VMM Virtualization for security Page 24
Compare to Xen Reference Monitor XSM in Xen Scope includes dom0 Linux and user-level Mediation XSM to control VMM operations SELinux in dom0; use network to communicate Tamperproof Xen has a much larger TCB, and more flexible Verification Code lots Policy SELinux style Page 25
Take Away VM Systems provide isolation Process isolation on conventional OS is untrusted Proxos, Overshadow VM Systems enable a small TCB Type 1 VMMs A1-Assured, like VAX VMM VM Systems can mediate inter-vm actions Virtualized operations Inter-VM operations Page 26