slide1
Download
Skip this Video
Download Presentation
G53SEC

Loading in 2 Seconds...

play fullscreen
1 / 30

G53SEC - PowerPoint PPT Presentation


  • 106 Views
  • Uploaded on

G53SEC. Reference Monitors Enforcement of Access Control. 1. G53SEC. Overview of Today’s Lecture: Introduction Operating System Integrity Hardware Security Features Protecting Memory. 2. G53SEC. Introduction: Fundamental Concepts: Reference Monitor – an abstract concept

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' G53SEC' - monte


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1

G53SEC

Reference Monitors

Enforcement of Access Control

1

slide2

G53SEC

  • Overview of Today’s Lecture:
    • Introduction
    • Operating System Integrity
    • Hardware Security Features
    • Protecting Memory

2

slide3

G53SEC

  • Introduction:
  • Fundamental Concepts:
    • Reference Monitor – an abstract concept
    • Security Kernel – its implementation
    • Trusted Computing Base (TCB) – kernel + other protection mechanisms

3

slide4

G53SEC

  • Reference Monitor (RM):
    • “An access control concept that refers to an abstract machine that mediates all access to objects by subjects.”
    • Must be tamper proof/resistant
    • Must always be invoked when access to object required
    • Must be small enough to be verifiable / subject to analysis to ensure its correctness

4

slide5

G53SEC

  • Security Kernel:
    • “The hardware, firmware, and software elements of a TCB that implement the reference monitor.”
    • Must mediate all access
    • Must be protected from modification
    • Must be verifiable for correctness
    • Ideally in the bottom layers of a system

5

slide6

G53SEC

  • Trusted Computing Base (TCB):
    • “The totality of protection mechanisms within a computer system responsible for enforcing a security policy”
    • One or more components
    • Enforce a unified security policy over a product or system
    • Correct enforcement depends on components within
    • and input by system administrators

6

slide7

G53SEC

  • Reference Monitor Placement:
    • Can be placed anywhere
      • Hardware
      • Operating System Kernel
      • Operating System
      • Services Layer
      • Application

7

slide8

G53SEC

  • Reference Monitor Placement:
    • In relation to application it should control:

In-line RM

RM in kernel

Interpreter

program

RM

program

application

program

RM

RM

kernel

8

slide9

G53SEC

  • Execution Monitors:
    • Decision of a RM depends on:
      • Information about a request
      • Information about the target
    • RMs differentiated based on the above:
      • History of execution - Execution monitor
      • Future of execution - Static type checking
      • Rewriting

9

slide10

G53SEC

  • Operating System Integrity:
    • OS is not only the arbitrator of access requests
    • OS is itself an object of access control
    • “Users must not be able to modify the operating system”
    • Users should be able to use the OS
    • Users should not be able to misuse the OS

10

slide11

G53SEC

  • Modes of Operation:
    • Distinguish computations done “on behalf of”:
      • the OS
      • the user
    • A Status flag allows the OS to operate in different modes.
    • e.g. In Unix – supervisor (root) and user modes

11

slide12

G53SEC

  • Controlled Invocation:
    • User requiring supervisor mode for an operation
    • Processor switches between modes
    • Only predefined set of operations performed in supervisor mode
    • System returns to user mode

12

slide13

G53SEC

  • Hardware Security Features:
    • Reasons for placing security in lower system levels:
    • Possibility to evaluate security to a higher degree
      • reasonably simple structures
      • security mechanism compromised if layer below attacked
    • Performance overheads reduced
    • Access control decisions far removed from decisions made by applications

13

slide14

G53SEC

  • Input/Output:
    • How to ensure secure I/O operations?
      • e.g. user inputs username and password (input)
      • e.g. user signs documents (output)
    • A trusted path between I/O device and the TCB required
    • example – secure attention sequence (Windows)

14

slide15

G53SEC

  • Memory Structures:
  • Security characteristics of memory structures:
    • RAM – (R/W) - Cannot guarantee integrity or confidentiality
    • ROM – built-in integrity guarantee, good for storing parts of an OS
    • EPROM – useful for storing parts of OS or crypto keys, advanced attacks may pose a threat
    • WROM – good for storing crypto keys, disks used for audit trail logs

15

slide16

G53SEC

  • continued…
    • Volatile memory
      • loses its contents on power off
      • neither instantaneous nor complete
      • reconstructable using special electronics
      • defence – repeated overwrites
    • Non-volatile (permanent) memory
      • if attacker has access by bypassing CPU
      • further measures required (e.g. cryptography)

16

slide17

G53SEC

  • continued…
    • Memory
      • main memory
      • cache
      • buffers
      • etc..
    • Data object may exist simultaneously in more than one location!
    • Copy held in an unprotected memory = risk

17

slide18

G53SEC

  • Processes and Threads:
    • Process – program in execution, important unit of control in an OS and for security
    • Works in its own address space
    • Communicates with other processes with help of OS
    • Separation useful for security
    • Thread – a strand of execution within a process

18

slide19

G53SEC

  • Controlled Invocation - Interrupts:
    • Exceptions/Interrupts/Traps
      • Interruptions of executions due to errors, user request, hardware failure, etc…
      • Handled by CPU
      • Improper handling leads to security flaws
        • CTRL-C during supervisor mode operations
        • Interrupt table entry change

19

slide20

interrupt vector

interrupt handler

G53SEC

Processing Interrupt:

Memory

Interrupt

Interrupt vector table

TRAP #n

n

1

0

20

slide21

interrupt vector

G53SEC

Processing Interrupt:

Memory

Interrupt

Interrupt vector table

TRAP #n

viral code

n

1

0

interrupt handler

21

slide22

G53SEC

  • Intel 80x86:
    • 2-bit field in status register
    • Defines four privilege levels (protection rings)
    • Only one instruction can change this (POPF)
    • Instruction can only be executed at level 0
    • Procedure -> object – in own or outer rings
    • Procedure -> subroutine - only within own ring

22

slide23

G53SEC

  • Intel 80x86:
    • How to manage access to operations requiring higher privileges?
    • Gates
      • System object pointing to a procedure
      • In the same ring as the calling procedure
      • Has different privilege level than code it points to
      • Allow execute-only access to procedure in inner ring

23

slide24

G53SEC

  • Intel 80x86:
    • Confused Deputy Problem:
      • Outer ring -> Gate to copy an object from inner ring to outer ring
      • This will not be prevented
      • Doesn’t violate security policy
      • Security policy needs to be extended – caller privilege
      • 80x86 contains prevention mechanism

24

slide25

G53SEC

  • Protecting Memory:
    • OS integrity – preserved by separation of user & kernel space
    • Separation of users:
      • File management – logical memory object
      • Memory management – physical memory objects

25

slide26

G53SEC

  • continued…
    • Segmentation – divides data into logical units
      • Good basis for enforcing security policy
      • Variable length – difficult memory management
    • Paging – divides memory into pages of equal size
      • Popular – efficient memory management
      • Not good for access control
      • A page might contain objects requiring different protection

26

slide27

G53SEC

  • continued…
    • Possibility of a covert channel
    • Logical objects stored across boundaries

page

boundary

P

Pa

Pa$

a$$w0RD

$$w0RD

$w0RD

step 1

step 2

step 3

27

slide28

G53SEC

  • Secure Addressing:
    • Confinement of processes to separate address spaces
    • Control access to data objects in memory
      • OS modifies addresses received from user
      • (address sandboxing)
      • OS constructs effective addresses from relative ones
      • (relative addressing)
      • OS checks whether address within given bounds
      • (base register addressing)

28

slide29

G53SEC

  • Summary:
    • How Access Control is enforced
    • Why OS integrity is important
    • Security features of existing hardware
    • How to control access to memory
  • Next Lecture
  • Hands-on Unix Security

29

slide30

G53SEC

End

07/02/08

30

ad