Computer Security: The Security Kernel
Computer Security: The Security Kernel – PowerPoint PPT Presentation

Presentation Transcript


Computer Security: The Security Kernel


The Security Kernel

Layers of an IT system

Applications

Services

Operating System

OS kernel

Hardware


OS integrity

Orange Book Glossary – DoD Trusted Computing Evaluation Criteria TCSEC

  • Reference monitor

    • An abstract machine that mediates all accesses to objects by subjects.

  • Security Kernel

    • Hardware, firmware & software that implement the reference monitor


OS integrity

Orange Book Glossary – DoD Trusted Computing Evaluation Criteria TCSEC

  • Trusted computing base (TCB)

    • The protecting mechanisms within a computer system (hardware, firmware & software) that enforce the security policy.


OS integrity

Generic security policies

  • Users must not be able to modify the operating system.

  • Users must not be able to

    • use (invoke)

    • misuse

    the operating system.

To achieve these goals two mechanisms are used: status information and controlled invocation.


OS integrity

Modes of operation

The OS should be able to distinguish computations on behalf of the OS (supervisor or system mode) from computations on behalf of the users (user mode).

This prevents users from writing directly to memory and corrupting the logical file structure.

If a user wants to execute an operation requiring supervisor mode, then the processor has to switch modes; this process is called controlled invocation.


OS integrity

Controlled invocation

Example

A user wants to execute an operation requiring supervisory mode, e.g., write to a memory location.

To deal with this the processor has to switch between modes, but this is a problem.

Simply changing the status bit to supervisor mode would give the user all privileges associated with this mode, without any control of what the user actually does.


OS integrity

Controlled invocation

Example –continued

Therefore it is desirable that the system only performs a certain predefined set of operations in supervisory mode and then returns to user mode before handing back control to the user.

We refer to this as controlled invocation.


OS integrity

Hardware security features

Figure: a schematic description of a computer (CPU, Bus, Memory).


Computer architecture

  • The Central Processing Unit

    • The Arithmetic Logic Unit

    • Registers

      • General purpose

      • Dedicated

        • Program counter

        • Stack pointer

        • Status register


Computer architecture

  • Memory structure

    • Random Access Memory

      • Security: integrity, confidentiality

    • Read-Only Memory

      • Security: confidentiality

    • Erasable & Programmable ROM

      • Security: more sophisticated attacks

    • Write-once ROM

      • Security: good for recording audit trails, storing crypto keys, etc.


Computer architecture

Processes and Threads

A process is a program in execution. It consists of:

  • executable code

  • data

  • the execution context.

A process works in its own address space and can communicate with other processes only through the primitives provided by the OS.

The logical separation between processes is a useful basis for security.

On the other hand, a context switch between processes is an expensive operation as the OS has to save the whole execution context on the stack.


Computer architecture

Processes and Threads

Threads are strands of execution within a process.

As threads share an address space they avoid the overhead of a full context switch, but they also avoid control by a potential security mechanism.


Computer architecture

Controlled Invocation – interrupts

Processes are equipped to deal with interruptions of execution, created by errors in the program, user requests, hardware failure etc.

The mechanisms to do this are variously called exceptions, interrupts and traps. We shall use the term trap.

When a trap occurs the system saves its current state on the stack and then executes the interrupt handler.


Computer architecture

Controlled Invocation – interrupts

Figure: a TRAP #n instruction selects an entry (the interrupt vector) in the interrupt vector table; the vector points to the interrupt handler in memory.


Computer architecture

Controlled Invocation – interrupts

The interrupt handler has to make sure that the system is restored to a proper state, e.g., by clearing the supervisor status bit before returning control to the user program.

It is possible for a further interrupt to arrive while the processor deals with a current interrupt.


Computer architecture

Controlled Invocation – interrupts

The processor may then have to interrupt the current handler. This may allow a user to enter supervisory mode by interrupting the execution of an OS call.
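The controlled invocation and trap mechanism described on the preceding slides, as an added example that is not part of the original presentation: a toy C machine in which TRAP #n is the only entry into supervisor mode, the trap number indexes a fixed interrupt vector table, and the dispatcher restores the saved user-mode status register before returning. All names (status_reg, do_trap, vector_table, kernel_write, kernel_read, in_supervisor_mode) are invented.

```c
/* Added example, not from the slides: a toy CPU whose only way from user
 * mode into supervisor mode is a TRAP #n instruction.  The trap number
 * indexes a fixed interrupt vector table, so the kernel performs only the
 * predefined operation for that number and restores the saved (user-mode)
 * status register before handing control back.  All names are invented. */
#include <stdio.h>
#define SUPERVISOR 0x1u          /* supervisor bit of the status register */
#define MEM_WORDS  16
#define NUM_TRAPS  2
static unsigned status_reg = 0;  /* boot in user mode */
static int memory[MEM_WORDS];    /* only the kernel may touch this */

/* Predefined operation 0: write a word on the user's behalf, after the
 * kernel has validated the request.  Values are non-negative in this toy. */
static int kernel_write(int addr, int value) {
    if (addr < 0 || addr >= MEM_WORDS || value < 0) return -1;
    memory[addr] = value;
    return 0;
}

/* Predefined operation 1: read a word, -1 on a bad address. */
static int kernel_read(int addr, int unused) {
    (void)unused;
    return (addr < 0 || addr >= MEM_WORDS) ? -1 : memory[addr];
}

/* Interrupt vector table: TRAP #n can reach handler n and nothing else. */
typedef int (*handler_t)(int, int);
static const handler_t vector_table[NUM_TRAPS] = { kernel_write, kernel_read };

/* TRAP #n, the controlled entry point: save state, set the supervisor bit,
 * run exactly one predefined handler, restore state.  An unknown trap
 * number is refused before the mode switch ever happens. */
int do_trap(int n, int a0, int a1) {
    if (n < 0 || n >= NUM_TRAPS) return -2;
    unsigned saved = status_reg;             /* "push" the caller's state */
    status_reg |= SUPERVISOR;
    int result = vector_table[n](a0, a1);
    status_reg = saved;                      /* clear the bit before return */
    return result;
}

int in_supervisor_mode(void) { return (status_reg & SUPERVISOR) != 0; }

int main(void) {
    do_trap(0, 3, 42);                       /* user asks the kernel to write */
    printf("read=%d bad=%d sup=%d\n", do_trap(1, 3, 0), do_trap(7, 0, 0), in_supervisor_mode());
    return 0;                                /* prints read=42 bad=-2 sup=0 */
}
```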


Computer architecture

Reference Monitor

Operating systems manage access to data, and usually are not involved with the interpretation of data.

They must protect their own integrity and prevent users from accidentally/intentionally accessing other users' data.


Computer architecture

Reference Monitor – integrity of OS

This is achieved by separating user space from OS space.

Logical separation of users protects against accidental/intentional interference by users.

Separation can take place at two levels:

  • file management – logical memory objects

  • memory management – physical memory objects


Reference Monitor

Memory structure

  • segmentation

  • paging

The first divides data into segments, i.e. logical units. Each segment has a name and items have an offset. The OS maintains a table of segment names with their true addresses.

Segmentation is used for logical access control. This is a good basis for enforcing security policies; however, segments have variable length, so memory management is harder.


Reference Monitor

Memory structure - paging

This divides memory into pages of equal size. Addresses consist of two parts, the page number and an offset (within a page).

Paging allows for more efficient memory management, but is not a good basis for access control:

  • a page may contain objects which require different protection,

  • logical objects can be stored across the boundary of a page – this allows for a covert channel.


Reference Monitor

Memory protection

The OS must protect its own integrity and confine each process to a separate address space. This means that the OS must control data objects in memory.

This can be achieved:

  • by modifying addresses it receives

    • Address sandboxing: the address has an identifier and an offset. The OS sets the correct segment identifier.

  • by constructing effective addresses from relative addresses it receives

    • Relative addressing: the address is specified by an offset relative to a given base address.

  • by checking that the addresses it receives are within given bounds.
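The three address-control techniques listed above, as an added example (not from the slides): a toy segment table in C where the OS sandboxes the segment identifier to one the process owns, forms the effective address from the segment base, and rejects offsets past the segment limit. The segment table, owners and names (sandbox_segment, translate) are constructed for this example.

```c
/* Added example, not from the slides: a toy memory manager applying the
 * three techniques above to every address a process hands in.  The process
 * supplies (segment id, offset); the OS (1) sandboxes the segment id to one
 * the process owns, (2) forms the effective address from the segment base,
 * and (3) refuses offsets outside the segment limit.  The table, owners and
 * names are constructed for this example. */
#include <stdio.h>

#define NUM_SEGS 4

typedef struct { unsigned base, limit; int owner; } segment_t;

/* Constructed segment table: segment 0 belongs to the OS (owner -1),
 * segments 1 and 2 to process 7, segment 3 to process 9. */
static const segment_t seg_table[NUM_SEGS] = {
    { 0, 16, -1 }, { 16, 8, 7 }, { 24, 8, 7 }, { 32, 16, 9 },
};

/* Address sandboxing: whatever segment id the process supplied, the OS
 * replaces it with a segment the process owns (here: the first one it
 * owns), so a forged id can never select the OS's or another process's
 * segment.  Returns NUM_SEGS if the process owns nothing. */
unsigned sandbox_segment(int pid, unsigned requested) {
    if (requested < NUM_SEGS && seg_table[requested].owner == pid) return requested;
    for (unsigned s = 0; s < NUM_SEGS; s++)
        if (seg_table[s].owner == pid) return s;
    return NUM_SEGS;
}

/* Relative addressing plus bounds check: (segment, offset) -> physical word.
 * Returns -1 when the offset leaves the segment, so an out-of-range offset
 * cannot reach into a neighbouring segment. */
long translate(int pid, unsigned seg, unsigned offset) {
    seg = sandbox_segment(pid, seg);
    if (seg >= NUM_SEGS) return -1;
    if (offset >= seg_table[seg].limit) return -1;     /* bounds check */
    return (long)seg_table[seg].base + offset;          /* effective address */
}

int main(void) {
    printf("%ld\n", translate(7, 1, 3));   /* 19: base 16 + offset 3 */
    printf("%ld\n", translate(7, 0, 3));   /* 19: OS segment 0 sandboxed to segment 1 */
    printf("%ld\n", translate(7, 1, 8));   /* -1: offset 8 is outside limit 8 */
    printf("%ld\n", translate(5, 1, 0));   /* -1: process 5 owns no segment */
    return 0;
}
```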


Kernel Primitives

These are based on the Multics operating system, which is similar to BLP.

  • subjects = processes

    • Each process has a descriptor segment that contains information about the process, including the objects the process has access to. Each object is described by a segment descriptor word.

Figure: a Multics segment descriptor word, consisting of a segment id, a pointer and access bits, here read: on, execute: off, write: on.


Kernel Primitives

  • objects

    • These are memory segments, I/O devices etc.

    • They are organized hierarchically in a directory tree.

    • To access an object, a process has to traverse the tree from root to the target object.

    • If any node of the path is not accessible then the target object is not accessible; we require that the security level of an object dominates that of its directory.
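The Multics-style kernel primitives on these slides, as an added example that is neither the course's nor Multics's own code: a toy directory tree with security levels, a per-process descriptor segment of segment descriptor words, a root-to-target access check, and a check of the invariant that an object's level dominates its directory's. The tree, levels, SDW contents and all identifiers (read_allowed, tree_well_formed, demo_proc) are constructed.

```c
/* Added example, not from the slides: a toy of the Multics-style primitives
 * above.  Objects form a directory tree, each with a security level; each
 * process's descriptor segment holds segment descriptor words (SDWs) with its
 * read/execute/write bits per object.  Tree, levels, SDWs and names are made up. */
#include <stdio.h>
enum { NUM_OBJECTS = 5, NO_PARENT = -1 };

typedef struct { int parent, level; } object_t;
typedef struct { int segment_id, read, execute, write; } sdw_t;    /* one SDW */
typedef struct { int level, nsdw; const sdw_t *sdw; } process_t;   /* descriptor segment */

/* Constructed tree: 0 root dir (level 0); 1 dir (level 1) holding file 2
 * (level 2); 3 dir (level 1) holding file 4, mislabelled at level 0. */
static const object_t tree[NUM_OBJECTS] = { {NO_PARENT,0}, {0,1}, {1,2}, {0,1}, {3,0} };

/* Constructed process at level 2: may read 0, 1, 2 and 4, has no SDW for dir 3. */
static const sdw_t demo_sdws[] = { {0,1,0,0}, {1,1,0,0}, {2,1,0,1}, {4,1,0,0} };
static const process_t demo_proc = { 2, 4, demo_sdws };

static int can_read(const process_t *p, int obj) {
    for (int i = 0; i < p->nsdw; i++)
        if (p->sdw[i].segment_id == obj) return p->sdw[i].read;
    return 0;                                 /* no SDW: no access at all */
}

/* Root-to-target rule: the target is readable only if the process's level
 * dominates it (BLP simple security) and every node on the path from the
 * root is readable too.  Walking up from the target visits the same nodes. */
int read_allowed(const process_t *p, int target) {
    if (target < 0 || target >= NUM_OBJECTS) return 0;
    if (p->level < tree[target].level) return 0;
    for (int n = target; n != NO_PARENT; n = tree[n].parent)
        if (!can_read(p, n)) return 0;
    return 1;
}

/* Invariant from the slides: each object's level dominates its directory's. */
int tree_well_formed(void) {
    for (int n = 0; n < NUM_OBJECTS; n++)
        if (tree[n].parent != NO_PARENT && tree[n].level < tree[tree[n].parent].level)
            return 0;                         /* here: object 4 (0) below dir 3 (1) */
    return 1;
}

int main(void) {
    printf("%d %d %d\n", read_allowed(&demo_proc, 2), read_allowed(&demo_proc, 4),
           tree_well_formed());               /* 1 0 0 */
    return 0;
}
```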


Kernel Primitives

Finally a set of primitives has to be specified. These are the state transitions in an abstract BLP-type model.

We then must show that these preserve the BLP security policies.

