G53SEC
This presentation is the property of its rightful owner.
Sponsored Links
1 / 30

G53SEC PowerPoint PPT Presentation


  • 87 Views
  • Uploaded on
  • Presentation posted in: General

G53SEC. Reference Monitors Enforcement of Access Control. 1. G53SEC. Overview of Today’s Lecture: Introduction Operating System Integrity Hardware Security Features Protecting Memory. 2. G53SEC. Introduction: Fundamental Concepts: Reference Monitor – an abstract concept

Download Presentation

G53SEC

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


G53sec

G53SEC

Reference Monitors

Enforcement of Access Control

1


G53sec

G53SEC

  • Overview of Today’s Lecture:

    • Introduction

    • Operating System Integrity

    • Hardware Security Features

    • Protecting Memory

2


G53sec

G53SEC

  • Introduction:

  • Fundamental Concepts:

    • Reference Monitor – an abstract concept

    • Security Kernel – its implementation

    • Trusted Computing Base (TCB) – kernel + other protection mechanisms

3


G53sec

G53SEC

  • Reference Monitor (RM):

    • “An access control concept that refers to an abstract machine that mediates all access to objects by subjects.”

    • Must be tamper proof/resistant

    • Must always be invoked when access to object required

    • Must be small enough to be verifiable / subject to analysis to ensure its correctness

4


G53sec

G53SEC

  • Security Kernel:

    • “The hardware, firmware, and software elements of a TCB that implement the reference monitor.”

    • Must mediate all access

    • Must be protected from modification

    • Must be verifiable for correctness

    • Ideally in the bottom layers of a system

5


G53sec

G53SEC

  • Trusted Computing Base (TCB):

    • “The totality of protection mechanisms within a computer system responsible for enforcing a security policy”

    • One or more components

    • Enforce a unified security policy over a product or system

    • Correct enforcement depends on components within

    • and input by system administrators

6


G53sec

G53SEC

  • Reference Monitor Placement:

    • Can be placed anywhere

      • Hardware

      • Operating System Kernel

      • Operating System

      • Services Layer

      • Application

7


G53sec

G53SEC

  • Reference Monitor Placement:

    • In relation to application it should control:

In-line RM

RM in kernel

Interpreter

program

RM

program

application

program

RM

RM

kernel

8


G53sec

G53SEC

  • Execution Monitors:

    • Decision of a RM depends on:

      • Information about a request

      • Information about the target

    • RMs differentiated based on the above:

      • History of execution - Execution monitor

      • Future of execution - Static type checking

      • Rewriting

9


G53sec

G53SEC

  • Operating System Integrity:

    • OS is not only the arbitrator of access requests

    • OS is itself an object of access control

    • “Users must not be able to modify the operating system”

    • Users should be able to use the OS

    • Users should not be able to misuse the OS

10


G53sec

G53SEC

  • Modes of Operation:

    • Distinguish computations done “on behalf of”:

      • the OS

      • the user

    • A Status flag allows the OS to operate in different modes.

    • e.g. In Unix – supervisor (root) and user modes

11


G53sec

G53SEC

  • Controlled Invocation:

    • User requiring supervisor mode for an operation

    • Processor switches between modes

    • Only predefined set of operations performed in supervisor mode

    • System returns to user mode

12


G53sec

G53SEC

  • Hardware Security Features:

    • Reasons for placing security in lower system levels:

    • Possibility to evaluate security to a higher degree

      • reasonably simple structures

      • security mechanism compromised if layer below attacked

    • Performance overheads reduced

    • Access control decisions far removed from decisions made by applications

13


G53sec

G53SEC

  • Input/Output:

    • How to ensure secure I/O operations?

      • e.g. user inputs username and password (input)

      • e.g. user signs documents (output)

    • A trusted path between I/O device and the TCB required

    • example – secure attention sequence (Windows)

14


G53sec

G53SEC

  • Memory Structures:

  • Security characteristics of memory structures:

    • RAM – (R/W) - Cannot guarantee integrity or confidentiality

    • ROM – built-in integrity guarantee, good for storing parts of an OS

    • EPROM – useful for storing parts of OS or crypto keys, advanced attacks may pose a threat

    • WROM – good for storing crypto keys, disks used for audit trail logs

15


G53sec

G53SEC

  • continued…

    • Volatile memory

      • loses its contents on power off

      • neither instantaneous nor complete

      • reconstructable using special electronics

      • defence – repeated overwrites

    • Non-volatile (permanent) memory

      • if attacker has access by bypassing CPU

      • further measures required (e.g. cryptography)

16


G53sec

G53SEC

  • continued…

    • Memory

      • main memory

      • cache

      • buffers

      • etc..

    • Data object may exist simultaneously in more than one location!

    • Copy held in an unprotected memory = risk

17


G53sec

G53SEC

  • Processes and Threads:

    • Process – program in execution, important unit of control in an OS and for security

    • Works in its own address space

    • Communicates with other processes with help of OS

    • Separation useful for security

    • Thread – a strand of execution within a process

18


G53sec

G53SEC

  • Controlled Invocation - Interrupts:

    • Exceptions/Interrupts/Traps

      • Interruptions of executions due to errors, user request, hardware failure, etc…

      • Handled by CPU

      • Improper handling leads to security flaws

        • CTRL-C during supervisor mode operations

        • Interrupt table entry change

19


G53sec

interrupt vector

interrupt handler

G53SEC

Processing Interrupt:

Memory

Interrupt

Interrupt vector table

TRAP #n

n

1

0

20


G53sec

interrupt vector

G53SEC

Processing Interrupt:

Memory

Interrupt

Interrupt vector table

TRAP #n

viral code

n

1

0

interrupt handler

21


G53sec

G53SEC

  • Intel 80x86:

    • 2-bit field in status register

    • Defines four privilege levels (protection rings)

    • Only one instruction can change this (POPF)

    • Instruction can only be executed at level 0

    • Procedure -> object – in own or outer rings

    • Procedure -> subroutine - only within own ring

22


G53sec

G53SEC

  • Intel 80x86:

    • How to manage access to operations requiring higher privileges?

    • Gates

      • System object pointing to a procedure

      • In the same ring as the calling procedure

      • Has different privilege level than code it points to

      • Allow execute-only access to procedure in inner ring

23


G53sec

G53SEC

  • Intel 80x86:

    • Confused Deputy Problem:

      • Outer ring -> Gate to copy an object from inner ring to outer ring

      • This will not be prevented

      • Doesn’t violate security policy

      • Security policy needs to be extended – caller privilege

      • 80x86 contains prevention mechanism

24


G53sec

G53SEC

  • Protecting Memory:

    • OS integrity – preserved by separation of user & kernel space

    • Separation of users:

      • File management – logical memory object

      • Memory management – physical memory objects

25


G53sec

G53SEC

  • continued…

    • Segmentation – divides data into logical units

      • Good basis for enforcing security policy

      • Variable length – difficult memory management

    • Paging – divides memory into pages of equal size

      • Popular – efficient memory management

      • Not good for access control

      • A page might contain objects requiring different protection

26


G53sec

G53SEC

  • continued…

    • Possibility of a covert channel

    • Logical objects stored across boundaries

page

boundary

P

Pa

Pa$

a$$w0RD

$$w0RD

$w0RD

step 1

step 2

step 3

27


G53sec

G53SEC

  • Secure Addressing:

    • Confinement of processes to separate address spaces

    • Control access to data objects in memory

      • OS modifies addresses received from user

      • (address sandboxing)

      • OS constructs effective addresses from relative ones

      • (relative addressing)

      • OS checks whether address within given bounds

      • (base register addressing)

28


G53sec

G53SEC

  • Summary:

    • How Access Control is enforced

    • Why OS integrity is important

    • Security features of existing hardware

    • How to control access to memory

  • Next Lecture

  • Hands-on Unix Security

29


G53sec

G53SEC

End

07/02/08

30


  • Login