Lecture 15 Designing Trusted Operating Systems


Lecture 15: Designing Trusted Operating Systems
Thierry Sans
15-349: Introduction to Computer and Network Security

Anatomy of an operating system

Concept of kernel
Definition: the component that provides a communication layer between the hardware and the software.
The kernel is in charge of:
- managing the memory
- managing processes (allocation and synchronization)
- managing data resources (filesystem, I/O devices)
- managing communication
... and so it is also in charge of enforcing the security mechanisms.

Two design philosophies
- Monolithic kernels, like the Linux kernel
- Microkernels, like the Windows NT or BSD kernels (even though these are considered hybrid kernels)
See the discussion between L. Torvalds and A. Tanenbaum.

Monolithic kernels
Philosophy: all OS services run along with the main kernel thread in the same memory area.
Pros and cons:
- easier to design
- dependencies between components

Microkernels
Philosophy:
- implement minimal OS services for memory and process management
- other services (I/O, networking...) are implemented as servers in user-space memory
The first general-purpose microkernel was Mach (Carnegie Mellon University).
Pros and cons:
- easy to maintain
- many system calls, which can slow down the system

Where the security should be...

Open Design principle
Open design: a protection mechanism must not depend on its design being kept secret (Kerckhoffs' principle).
Unfortunately, wrong designs that violate this principle exist in practice. See lecture 17 on Digital Rights Management (DRM).

Design principles to restrict privileges
- Least privilege: each user (read: each program) must have the smallest privilege set needed to operate.
- Separation of privileges: a business process must be split into different elementary tasks, each with minimum privileges.
- Least common mechanism: reduce and control the exchange of information between shared objects and resources (potential channels for information leakage).

Access control design principles
- Permission based: identify what is permitted; any access that is not explicitly identified is denied (closed-world hypothesis).
- Complete mediation: every access attempt must be checked and cannot be circumvented.
- Trusted path: access control mechanisms cannot be spoofed or intercepted by a malicious user program.

The "keep it simple and usable" principles
- Economy of mechanism: the design of a security mechanism must be small and easy to analyze, which increases the reliability of the security mechanism.
- Ease of use: a security mechanism must be easy to use, so that users and/or administrators are not driven to disable it.

Security features for operating systems
- Identification and authentication of users
- Protection of the execution context (focus: protecting the processes)
- Protection of general objects (access control) (focus: the reference monitor; focus: the object reuse attack)
- Protection of administrative data and processes (focus: managing the logs)

Protection of the execution context
Protection of the memory: already seen in lecture 12.
In a concurrent context, a process needs to:
- access some resources
- synchronize with other processes
- be executed
All of these must be controlled by the operating system.

Focus: protecting processes
- Enforced sharing: a process must have access to resources as appropriate
- Interprocess communication and synchronization: a process must have access to synchronization mechanisms
- Guaranteed fair service: a process must get a fair CPU allocation time to run (preventing starvation)

Protection of general objects
Two kinds of objects to consider:
- Static objects: files and I/O devices
- Dynamic objects: mainly used for synchronization and sharing between concurrent programs
The reference monitor is in charge of enforcing the access control policy (DAC and/or MAC).

Focus: the concept of reference monitor
Objective: controlling access to objects. Not necessarily a single piece of code, but rather a collection of protection mechanisms.
The reference monitor must be:
- Tamperproof: impossible to weaken or disable
- Unbypassable: always invoked on every access
- Analyzable: small enough to be easily validated
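The following C program is an added example, not code from the lecture: a toy reference monitor that puts the access control principles above (permission based with a closed-world default, complete mediation through one choke point, DAC combined with MAC) into working form. The subject and object names, the sensitivity levels, the permission table and the Bell-LaPadula style MAC rule (no read up, no write down) are all assumptions chosen for the illustration.

```c
/* Added example (not from the lecture): a toy reference monitor. Subjects,
 * objects, levels and the grant table are constructed for illustration. */
#include <stdio.h>
#include <string.h>

enum right { R_READ = 1, R_WRITE = 2, R_EXEC = 4 };

/* MAC labels (assumed scale: 0 = public ... 3 = top secret). */
struct subject { const char *name; int level; };
struct object  { const char *name; int level; };

/* DAC: explicit grants. Anything absent from this table is denied
 * (permission based, closed-world hypothesis). */
struct grant { const char *subject; const char *object; int rights; };

static const struct subject subjects[] = {
    { "alice", 2 }, { "bob", 1 }, { "auditor", 3 },
};
static const struct object objects[] = {
    { "/etc/motd", 0 }, { "/home/alice/notes", 2 }, { "/var/log/audit", 3 },
};
static const struct grant grants[] = {
    { "alice",   "/etc/motd",         R_READ },
    { "alice",   "/home/alice/notes", R_READ | R_WRITE },
    { "bob",     "/etc/motd",         R_READ },
    { "bob",     "/var/log/audit",    R_WRITE },  /* may append, never read */
    { "auditor", "/var/log/audit",    R_READ },
    { "auditor", "/etc/motd",         R_WRITE },  /* DAC allows, MAC will refuse */
};

#define COUNT(a) (sizeof (a) / sizeof (a)[0])

static const struct subject *find_subject(const char *name)
{
    for (size_t i = 0; i < COUNT(subjects); i++)
        if (strcmp(subjects[i].name, name) == 0) return &subjects[i];
    return NULL;
}

static const struct object *find_object(const char *name)
{
    for (size_t i = 0; i < COUNT(objects); i++)
        if (strcmp(objects[i].name, name) == 0) return &objects[i];
    return NULL;
}

/* The single choke point that every access request goes through
 * (complete mediation). Returns 1 to allow, 0 to deny. */
int check_access(const char *subj, const char *obj, int want)
{
    const struct subject *s = find_subject(subj);
    const struct object  *o = find_object(obj);
    if (s == NULL || o == NULL || want == 0)
        return 0;                     /* unknown principal or object: deny */

    /* DAC: collect the explicit grants for this (subject, object) pair. */
    int granted = 0;
    for (size_t i = 0; i < COUNT(grants); i++)
        if (strcmp(grants[i].subject, subj) == 0 && strcmp(grants[i].object, obj) == 0)
            granted |= grants[i].rights;
    if ((granted & want) != want)
        return 0;                     /* a requested right was never granted */

    /* MAC (assumed Bell-LaPadula rules): no read up, no write down. */
    if ((want & R_READ)  && o->level > s->level) return 0;
    if ((want & R_WRITE) && o->level < s->level) return 0;
    return 1;
}

int main(void)
{
    struct { const char *s, *o; int r; } req[] = {
        { "alice",   "/home/alice/notes", R_READ | R_WRITE },
        { "bob",     "/home/alice/notes", R_READ },   /* no grant: denied */
        { "bob",     "/var/log/audit",    R_WRITE },  /* write up: allowed */
        { "auditor", "/etc/motd",         R_WRITE },  /* write down: denied */
        { "mallory", "/etc/motd",         R_READ },   /* unknown subject: denied */
    };
    for (size_t i = 0; i < COUNT(req); i++)
        printf("%-8s %-18s rights=%d -> %s\n", req[i].s, req[i].o, req[i].r,
               check_access(req[i].s, req[i].o, req[i].r) ? "ALLOW" : "DENY");
    return 0;
}
```

Two design choices mirror the slide: every decision path ends in an explicit deny unless both the DAC table and the MAC rule say yes, and the whole policy decision lives in one short function, which is what makes it analyzable; the "unbypassable" and "tamperproof" properties are what the kernel must add around such a function, which a user-space toy cannot show.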

Focus: the object reuse attack
Reusable objects: free disk or memory space can contain old (and sensitive) data that has been previously deallocated.
Possible countermeasure: clear the portion of memory by overwriting it with garbage before it is reused.
A more general problem: magnetic remanence. How do you discard old magnetic devices?
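As an added example (not from the lecture), the C program below models the object reuse problem with a small fixed pool of memory slots standing in for the pages or disk blocks an OS hands from one process to the next. The pool, the "secret" value and the two release routines are constructed for this illustration; the point is the comparison between a release that only updates bookkeeping and one that wipes the slot first.

```c
/* Added example (not from the lecture): object reuse in a toy slot pool.
 * The pool and the sample secret are constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SLOT_SIZE 64
#define SLOTS 4

/* A fixed pool of memory slots, standing in for the free pages or disk
 * blocks that the OS reassigns between processes. */
static unsigned char pool[SLOTS][SLOT_SIZE];
static int in_use[SLOTS];

/* Hand out the first free slot. Like a naive allocator it does NOT clear
 * the slot: whatever the previous owner left there is still present. */
unsigned char *pool_alloc(void)
{
    for (int i = 0; i < SLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    return NULL;
}

/* Naive release: only flips the bookkeeping bit. */
void pool_free_naive(unsigned char *p)
{
    for (int i = 0; i < SLOTS; i++)
        if (p == pool[i]) in_use[i] = 0;
}

/* Overwrite through a volatile pointer so the compiler cannot drop the
 * stores as "dead" (a plain memset on a buffer about to be freed may be). */
static void secure_wipe(unsigned char *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--) *vp++ = 0;
}

/* Countermeasure from the slide: clear the object before it can be reused. */
void pool_free_sanitised(unsigned char *p)
{
    secure_wipe(p, SLOT_SIZE);
    pool_free_naive(p);
}

/* Simulate one owner storing a secret, releasing the slot with the given
 * routine, and the next owner receiving the same slot. Returns 1 if the
 * next owner can still read the secret, 0 if it was wiped. */
int leaks_after_reuse(void (*release)(unsigned char *))
{
    const char secret[] = "db-password=example-only";   /* constructed sample */
    unsigned char *first_owner = pool_alloc();
    if (first_owner == NULL) return -1;
    memcpy(first_owner, secret, sizeof secret);
    release(first_owner);                              /* first owner "exits" */

    unsigned char *next_owner = pool_alloc();          /* gets the same slot back */
    int leaked = memcmp(next_owner, secret, sizeof secret) == 0;

    secure_wipe(next_owner, SLOT_SIZE);                /* leave the pool clean */
    pool_free_naive(next_owner);
    return leaked;
}

int main(void)
{
    printf("naive free      -> %s\n", leaks_after_reuse(pool_free_naive) ? "old data visible" : "clean");
    printf("sanitised free  -> %s\n", leaks_after_reuse(pool_free_sanitised) ? "old data visible" : "clean");
    return 0;
}
```

The same pattern applies one level down: a kernel that zeroes a page before mapping it into another process, or a filesystem that does not expose unwritten block contents, is enforcing exactly this clear-before-reuse rule.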

Security features for administration
- Protect security configuration data and processes:
  - definition of system (and/or security) administrators
  - configuring (even implementing) an administration model for access control
- Set up and protect accountability mechanisms:
  - useful to detect a misconfiguration or an attack (remember, an attack is not necessarily disruptive)
  - useful to recover from an attack and take countermeasures

Focus: managing and analyzing logs
Problem: logs are difficult to manage and analyze in practice. For instance, a single program can cause hundreds of accesses, creating a huge volume of data that is hard to analyze.
Solution:
- classify the logs according to their sensitivity level
- analyze the logs using specialized audit programs (or intrusion detection programs):
  - passive (off-line or on-line): raise an alert
  - pro-active (on-line): block the access (IPS)
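The C program below is an added example, not part of the lecture: a small passive audit program that applies the two steps above to a handful of constructed access records. It classifies each record by the sensitivity of the object touched, tallies denied accesses to sensitive objects per subject, and raises an alert once a subject crosses a threshold. The record format (`ts=... subj=... obj=... op=... result=...`), the rule that decides which paths are sensitive, the sample lines and the threshold are all assumptions made for the illustration.

```c
/* Added example (not from the lecture): a passive audit program run over
 * constructed sample records. Record format, sensitivity rule and the
 * alert threshold are assumptions for this illustration. */
#include <stdio.h>
#include <string.h>

static const char *sample_log[] = {   /* constructed, not real audit data */
    "ts=1001 subj=bob obj=/etc/motd op=read result=ALLOW",
    "ts=1002 subj=bob obj=/etc/shadow op=read result=DENY",
    "ts=1003 subj=bob obj=/etc/sudoers op=write result=DENY",
    "ts=1004 subj=alice obj=/home/alice/notes op=write result=ALLOW",
    "ts=1005 subj=bob obj=/var/log/audit op=read result=DENY",
    "ts=1006 subj=alice obj=/etc/shadow op=read result=DENY",
    "ts=1007 subj=bob obj=/etc/passwd op=read result=ALLOW",
    "this line is malformed and must be skipped rather than crash the parser",
};
#define SAMPLE_LOG_LEN (sizeof sample_log / sizeof sample_log[0])

enum sensitivity { PUBLIC = 0, SENSITIVE = 1 };

/* Classification step: security configuration and audit data count as
 * sensitive (assumed rule), everything else as public. */
enum sensitivity classify(const char *obj)
{
    static const char *sensitive[] = { "/etc/shadow", "/etc/sudoers", "/var/log/audit" };
    for (size_t i = 0; i < sizeof sensitive / sizeof sensitive[0]; i++)
        if (strncmp(obj, sensitive[i], strlen(sensitive[i])) == 0)
            return SENSITIVE;
    return PUBLIC;
}

struct record { long ts; char subj[32]; char obj[128]; char op[16]; char result[8]; };

/* Parse one record; returns 1 on success, 0 for a malformed line. Field
 * widths in the format string keep sscanf from overrunning the buffers. */
int parse_record(const char *line, struct record *r)
{
    return sscanf(line, "ts=%ld subj=%31s obj=%127s op=%15s result=%7s",
                  &r->ts, r->subj, r->obj, r->op, r->result) == 5;
}

#define MAX_SUBJECTS 16
struct tally { char subj[32]; int denied_sensitive; };

/* Count, per subject, the denied accesses to sensitive objects. Returns the
 * number of distinct subjects seen (capped at MAX_SUBJECTS). */
size_t tally_denials(const char **lines, size_t n, struct tally *out)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        struct record r;
        if (!parse_record(lines[i], &r)) continue;   /* skip malformed input */
        size_t k;
        for (k = 0; k < used; k++)
            if (strcmp(out[k].subj, r.subj) == 0) break;
        if (k == used) {
            if (used == MAX_SUBJECTS) continue;       /* table full: drop, never overflow */
            strcpy(out[used].subj, r.subj);
            out[used].denied_sensitive = 0;
            used++;
        }
        if (strcmp(r.result, "DENY") == 0 && classify(r.obj) == SENSITIVE)
            out[k].denied_sensitive++;
    }
    return used;
}

/* Denied-sensitive count for one subject (0 if never seen). */
int denied_sensitive_for(const char **lines, size_t n, const char *subj)
{
    struct tally t[MAX_SUBJECTS];
    size_t used = tally_denials(lines, n, t);
    for (size_t k = 0; k < used; k++)
        if (strcmp(t[k].subj, subj) == 0) return t[k].denied_sensitive;
    return 0;
}

/* Passive audit: one alert per subject at or above the threshold.
 * Returns the number of alerts raised. */
int count_alerts(const char **lines, size_t n, int threshold)
{
    struct tally t[MAX_SUBJECTS];
    size_t used = tally_denials(lines, n, t);
    int alerts = 0;
    for (size_t k = 0; k < used; k++)
        if (t[k].denied_sensitive >= threshold) {
            printf("ALERT: %s was denied %d times on sensitive objects\n",
                   t[k].subj, t[k].denied_sensitive);
            alerts++;
        }
    return alerts;
}

int main(void)
{
    return count_alerts(sample_log, SAMPLE_LOG_LEN, 2) > 0 ? 0 : 1;
}
```

Classifying first is what keeps the volume manageable: the allowed reads of public files never enter the tally, so the audit program only has to reason about the small fraction of records that matter. A pro-active variant would run the same tally on-line and feed the decision back into the reference monitor instead of only printing an alert.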

Strengthening the security of an OS
Trusted Computing Base (TCB): operating systems make a distinction between TCB and non-TCB components of the kernel.
- TCB: components that handle the security of the system and that must not be tampered with by users (nor even by administrators)
- Non-TCB: components that will not jeopardize the security of the system if tampered with by users (or administrators)

Example of a trusted OS: SELinux
Security-Enhanced Linux (SELinux) was developed by the NSA to implement the multilevel military security policy proposed by the US DoD. First released as a Linux patch, SELinux is now fully integrated into the Linux kernel (version 2.6).

Virtualization
Objective: provide a constrained execution environment by simulating a collection of resources.
Examples:
- the Java virtual machine
- virtual memory space
- virtual machines

Virtual Machines

Conclusion
The best way to learn more... is to take a closer look at your OS:
- play with your OS and learn how it has been built
- identify the security mechanisms and understand how they contribute to securing the system
- play with other OSes and compare them
- learn about the details and find the breach
- create a proof-of-concept attack (exploit) and become an ethical hacker

Open question...
(Diagram: a policy, and who administrates it)
How can I be sure that Bob will not tamper with his system to bypass the access control mechanisms and gain full access to my data?