Computer Security: The Security Kernel

The Security Kernel

Layers of an IT system

  • Applications
  • Services
  • Operating System
  • OS kernel
  • Hardware

OS integrity

Orange Book Glossary – DoD Trusted Computer System Evaluation Criteria (TCSEC)

  • Reference monitor
    • An abstract machine that mediates all accesses to objects by subjects.
  • Security kernel
    • The hardware, firmware and software that implement the reference monitor.
OS integrity

Orange Book Glossary – DoD Trusted Computer System Evaluation Criteria (TCSEC)

  • Trusted computing base (TCB)
    • The totality of protection mechanisms within a computer system (hardware, firmware and software) that together enforce the security policy.
OS integrity

Generic security policies

  • Users must not be able to modify the operating system.
  • Users must be able to use (invoke) the operating system.
  • Users must not be able to misuse the operating system.

To achieve these goals two mechanisms are used: status information and controlled invocation.
OS integrity

Modes of operation

The OS should be able to distinguish computations made on behalf of the OS (supervisor or system mode) from computations made on behalf of users (user mode). This status information is what prevents users from writing directly to memory and corrupting the logical file structure.

If a user wants to execute an operation requiring supervisor mode, the processor has to switch modes; this process is called controlled invocation.

OS integrity

Controlled invocation

A user wants to execute an operation requiring supervisor mode, e.g. write to a memory location. To deal with this the processor has to switch between modes, but this is a problem: simply changing the status bit to supervisor mode would give the user all privileges associated with this mode, without any control over what the user actually does.

Therefore it is desirable that the system only performs a certain predefined set of operations in supervisor mode and then returns to user mode before handing back control to the user. We refer to this as controlled invocation.

OS integrity

Hardware security features

Figure: a schematic description of a computer (its components are listed on the following slides).

Computer architecture
  • The Central Processing Unit
    • The Arithmetic Logic Unit
    • Registers
      • General purpose
      • Dedicated
        • Program counter
        • Stack pointer
        • Status register
Computer architecture
  • Memory structure
    • Random Access Memory (read/write)
      • Security: both integrity and confidentiality are at stake
    • Read-Only Memory
      • Security: contents cannot be altered, so confidentiality is the remaining concern
    • Erasable & Programmable ROM
      • Security: contents can be changed again, but only by more sophisticated attacks
    • Write-once ROM
      • Security: good for recording audit trails, storing crypto keys, etc.
Computer architecture

Processes and Threads

A process is a program in execution. It consists of:

  • executable code
  • data
  • the execution context.

A process works in its own address space and can communicate with other processes only through the primitives provided by the OS. The logical separation between processes is a useful basis for security.

On the other hand, a context switch between processes is an expensive operation, as the OS has to save the whole execution context of one process and restore that of the next.

Threads are strands of execution within a process. As threads share an address space they avoid the overhead of a full context switch, but for the same reason they also escape control by a security mechanism that relies on address-space separation.

Computer architecture

Controlled Invocation – interrupts

The processor is equipped to deal with interruptions of execution caused by errors in the program, user requests, hardware failures etc. The mechanisms for this are variously called exceptions, interrupts and traps. We shall use the term trap.

When a trap occurs the system saves its current state on the stack and then executes the interrupt handler.

Figure: the interrupt selects an entry (the interrupt vector) in the interrupt vector table, which points to the interrupt handler in memory.

The interrupt handler has to make sure that the system is restored to a proper state, e.g. by clearing the supervisor status bit, before returning control to the user.

It is possible for a further interrupt to arrive while the processor deals with the current interrupt. The processor may then have to interrupt the current handler. If the saved state is not handled correctly, this may allow a user to enter supervisor mode by interrupting the execution of an OS call.
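
The following C program is an added example and is not part of the original slides; it models the two mechanisms of the "Controlled invocation" and "Controlled Invocation – interrupts" slides above: status information (a supervisor bit that user code cannot set) and controlled invocation (a trap dispatcher that enters supervisor mode only through a fixed vector table, runs one predefined handler, and restores the saved state before returning). The machine, its memory layout, the two trap vectors, the error codes and the policy "users must not modify the OS region" are all constructed for the example and correspond to no real instruction set.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy machine (constructed for the example): a status register with a supervisor
 * bit, a small memory and a fixed interrupt vector table. Memory [0, OS_LIMIT)
 * belongs to the OS, the rest to the user. */
enum { MEM_SIZE = 64, OS_LIMIT = 32 };
enum { STATUS_SUPERVISOR = 0x1 };

typedef struct {
    uint32_t status;         /* status information: only trap() ever sets STATUS_SUPERVISOR */
    uint8_t  mem[MEM_SIZE];
    int      depth;          /* current handler nesting depth */
    int      max_depth;      /* deepest nesting seen, to observe the nested-trap case */
} machine_t;

/* Return codes. */
enum { OK = 0, E_PRIV = -1, E_ADDR = -2, E_POLICY = -3, E_VECTOR = -4 };

/* The hardware check: memory is only written or read directly in supervisor mode. */
static int store_byte(machine_t *m, uint32_t addr, uint8_t val) {
    if (!(m->status & STATUS_SUPERVISOR)) return E_PRIV;
    if (addr >= MEM_SIZE) return E_ADDR;
    m->mem[addr] = val;
    return OK;
}

static int load_byte(machine_t *m, uint32_t addr, uint8_t *out) {
    if (!(m->status & STATUS_SUPERVISOR)) return E_PRIV;
    if (addr >= MEM_SIZE) return E_ADDR;
    *out = m->mem[addr];
    return OK;
}

typedef int (*handler_fn)(machine_t *, uint32_t, uint32_t);
int trap(machine_t *m, uint32_t vector, uint32_t a0, uint32_t a1);

/* Vector 0: write a byte on the user's behalf. The handler is where the policy
 * "users must not modify the operating system" is enforced. */
static int handle_user_write(machine_t *m, uint32_t addr, uint32_t val) {
    if (addr < OS_LIMIT) return E_POLICY;
    return store_byte(m, addr, (uint8_t)val);
}

/* Vector 1: copy a byte from src to dst. It re-enters trap() for the write, so a
 * second trap arrives while the first handler is still running. */
static int handle_user_copy(machine_t *m, uint32_t src, uint32_t dst) {
    uint8_t v;
    int rc = load_byte(m, src, &v);
    if (rc != OK) return rc;
    return trap(m, 0, dst, v);
}

/* The interrupt vector table: the only entry points into supervisor mode. */
static const handler_fn vector_table[] = { handle_user_write, handle_user_copy };
enum { NUM_VECTORS = sizeof vector_table / sizeof vector_table[0] };

/* Controlled invocation: save the caller's state, raise the supervisor bit, run
 * exactly the predefined handler for this vector, then restore the saved state
 * (which clears the supervisor bit again) before control returns to the caller.
 * The saved state lives on the C stack, so nested traps unwind correctly. */
int trap(machine_t *m, uint32_t vector, uint32_t a0, uint32_t a1) {
    if (vector >= (uint32_t)NUM_VECTORS) return E_VECTOR;   /* no handler, no mode switch */
    uint32_t saved_status = m->status;
    m->status |= STATUS_SUPERVISOR;
    if (++m->depth > m->max_depth) m->max_depth = m->depth;
    int rc = vector_table[vector](m, a0, a1);
    m->depth--;
    m->status = saved_status;
    return rc;
}

int in_user_mode(const machine_t *m) { return !(m->status & STATUS_SUPERVISOR); }

/* A user program exercising every path; returns 1 if all outcomes match the model. */
int demo(void) {
    static machine_t m;
    m = (machine_t){0};
    m.mem[3] = 0xAB;                                   /* a byte the OS keeps in its own region */
    int ok = 1;
    ok &= store_byte(&m, 40, 1) == E_PRIV;             /* direct write from user mode is refused */
    ok &= trap(&m, 0, 3, 0x11) == E_POLICY;            /* OS region stays intact */
    ok &= trap(&m, 0, 40, 0x22) == OK;                 /* user region may be written */
    ok &= trap(&m, 1, 3, 41) == OK;                    /* nested trap: mem[41] becomes 0xAB */
    ok &= trap(&m, 2, 0, 0) == E_VECTOR;               /* unknown vector: no privilege gained */
    ok &= in_user_mode(&m);                            /* supervisor bit cleared after every trap */
    ok &= m.mem[3] == 0xAB && m.mem[40] == 0x22 && m.mem[41] == 0xAB && m.max_depth == 2;
    return ok;
}

int main(void) {
    printf("controlled invocation: %s\n", demo() ? "all checks passed" : "FAILED");
    return 0;
}
```

The point to take from the model is that `trap()` is the only code path that changes the status bit, and it restores the caller's status from a saved copy rather than simply clearing the bit: the nested trap inside `handle_user_copy` returns to supervisor mode (its caller's mode) while the outer trap returns to user mode, which is exactly the bookkeeping the slide says the handler must get right.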

Computer architecture

Reference Monitor

Operating systems manage access to data, and usually are not involved with the interpretation of data. They must protect their own integrity and prevent users from accidentally or intentionally accessing other users' data.

Computer architecture

Reference Monitor – integrity of OS

This is achieved by separating user space from OS space.

Logical separation of users protects against accidental or intentional interference by users.

Separation can take place at two levels:

  • file management – logical memory objects
  • memory management – physical memory objects
Reference Monitor

Memory structure

  • segmentation
  • paging

The first divides data into segments, i.e. logical units. Each segment has a name and items within it have an offset. The OS maintains a table of segment names with their true addresses.

Segmentation is used for logical access control. This is a good basis for enforcing security policies; however, segments have variable length, so memory management is harder.

Reference Monitor

Memory structure – paging

This divides memory into pages of equal size. Addresses consist of two parts, the page number and an offset (within a page).

Paging allows for more efficient memory management, but is not a good basis for access control:

  • a page may contain objects which require different protection,
  • logical objects can be stored across the boundary of a page – this allows for a covert channel.
Reference Monitor

Memory protection

The OS must protect its own integrity and confine each process to a separate address space. This means that the OS must control data objects in memory. This can be achieved:

  • by modifying addresses it receives
    • Address sandboxing: the address has a segment identifier and an offset. The OS sets the correct segment identifier.
  • by constructing effective addresses from relative addresses it receives
    • Relative addressing: the address is specified by an offset relative to a given base address.
  • by checking that the addresses it receives are within given bounds.
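
The following C program is an added example, not code from the slides, tying the segmentation slide above to the three memory-protection techniques listed here. It keeps a per-process segment table (name replaced by a numeric id, plus base, limit and rights), builds effective addresses as base + offset (relative addressing), refuses offsets at or beyond the segment limit (bounds checking), and lets the OS overwrite the segment id a process supplies (address sandboxing). The physical memory size, the rights bits and the two sample processes are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of segment-based memory protection; not a real MMU.
 * Each process has a table of segments, each with a base, a limit (length) and
 * access rights. Logical addresses are (segment id, offset). */
enum { PHYS_SIZE = 256 };
enum { R = 1, W = 2, X = 4 };
enum { MAX_SEGS = 4 };

typedef struct { uint32_t base, limit; unsigned rights; } segment_t;
typedef struct { segment_t seg[MAX_SEGS]; unsigned nseg; } proc_t;
typedef struct { uint32_t segid, offset; } logical_addr_t;

static uint8_t phys[PHYS_SIZE];    /* physical memory shared by all processes */

enum { OK = 0, E_SEG = -1, E_RIGHTS = -2, E_BOUNDS = -3 };

/* Relative addressing plus bounds check: the effective address is base + offset,
 * produced only when the segment exists, grants the wanted rights, and the offset
 * lies inside the segment. The base itself is never visible to the process. */
int translate(const proc_t *p, logical_addr_t la, unsigned want, uint32_t *pa) {
    if (la.segid >= p->nseg) return E_SEG;
    const segment_t *s = &p->seg[la.segid];
    if ((s->rights & want) != want) return E_RIGHTS;
    if (la.offset >= s->limit) return E_BOUNDS;      /* would reach past the segment */
    *pa = s->base + la.offset;
    return OK;
}

/* Address sandboxing: whatever segment id the process supplied, the OS replaces
 * it with the id it has assigned, so the process cannot name another segment. */
logical_addr_t sandbox(logical_addr_t la, uint32_t forced_segid) {
    la.segid = forced_segid;
    return la;
}

int write_byte(const proc_t *p, logical_addr_t la, uint8_t v) {
    uint32_t pa;
    int rc = translate(p, la, W, &pa);
    if (rc != OK) return rc;
    phys[pa] = v;
    return OK;
}

int read_byte(const proc_t *p, logical_addr_t la, uint8_t *v) {
    uint32_t pa;
    int rc = translate(p, la, R, &pa);
    if (rc != OK) return rc;
    *v = phys[pa];
    return OK;
}

/* Two sample processes (constructed): A owns a code segment at [0,64) and a
 * data segment at [64,128); B owns one data segment at [128,192). */
int demo(void) {
    proc_t a = { { {0, 64, R | X}, {64, 64, R | W} }, 2 };
    proc_t b = { { {128, 64, R | W} }, 1 };
    uint8_t v = 0;
    int ok = 1;
    ok &= write_byte(&a, (logical_addr_t){1, 10}, 0x42) == OK;       /* lands at phys[74] */
    ok &= read_byte(&a, (logical_addr_t){1, 10}, &v) == OK && v == 0x42;
    ok &= write_byte(&a, (logical_addr_t){0, 5}, 0) == E_RIGHTS;     /* code is not writable */
    ok &= write_byte(&a, (logical_addr_t){1, 64}, 0) == E_BOUNDS;    /* would hit phys[128], B's memory */
    ok &= write_byte(&a, (logical_addr_t){3, 0}, 0) == E_SEG;        /* no such segment */
    /* B asks for segment 1, which it does not have; sandboxing forces segment 0. */
    ok &= write_byte(&b, sandbox((logical_addr_t){1, 0}, 0), 0x99) == OK;   /* phys[128] */
    ok &= phys[74] == 0x42 && phys[128] == 0x99 && phys[0] == 0;
    return ok;
}

int main(void) {
    printf("memory protection: %s\n", demo() ? "all checks passed" : "FAILED");
    return 0;
}
```

The bounds case is the one worth noticing: process A's data segment ends exactly where B's begins, so the off-by-one at offset 64 is the difference between confinement and one process writing into another's address space.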
Kernel Primitives

These are based on the Multics operating system; the model is similar to BLP.

  • subjects = processes
    • Each process has a descriptor segment that contains information about the process, including the objects the process has access to. Each such object is described by a segment descriptor word.

Multics segment descriptor word:

  segment id | pointer | read: on | execute: off | write: on

Kernel Primitives

  • objects
    • These are memory segments, I/O devices etc.
    • They are organized hierarchically in a directory tree.
    • To access an object, a process has to traverse the tree from the root to the target object.
    • If any node of the path is not accessible then the target object is not accessible; we require that the security level of an object dominates that of its directory.
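
The following C program is an added example, not Multics code and not from the slides; it models the directory-tree access rule above. Labels are assumed to form a simple BLP lattice (a hierarchical level plus a set of compartments held as a bit set), access is checked with the read rule "subject dominates object" at every node from the root to the target, and the slide's invariant (an object's label dominates its directory's label) is checked separately. The tree, its names and labels are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Labels for a simple BLP lattice, assumed for the example: a hierarchical
 * level plus a set of compartments held as a bit set. */
typedef struct { int level; uint32_t cats; } label_t;
enum { UNCLASS = 0, CONF = 1, SECRET = 2 };
enum { CAT_NUC = 1u << 0, CAT_CRYPTO = 1u << 1 };

/* a dominates b iff a's level is at least b's and b's compartments are a subset of a's. */
bool dominates(label_t a, label_t b) {
    return a.level >= b.level && (b.cats & ~a.cats) == 0;
}

/* One node of the object tree: a directory or a leaf object, with its label and parent. */
typedef struct node { const char *name; label_t label; const struct node *parent; } node_t;

/* The invariant from the slide: every object's label dominates its directory's
 * label, checked along the whole path from the node up to the root. */
bool path_well_formed(const node_t *n) {
    for (; n->parent != NULL; n = n->parent)
        if (!dominates(n->label, n->parent->label)) return false;
    return true;
}

enum { ACCESS_OK = 0, DENIED_OBJECT = 1, DENIED_PATH = 2 };

/* Read access under the simple security rule, applied to every node on the path
 * root..target: if any directory on the way is not readable, the target is not. */
int can_read(label_t subject, const node_t *target) {
    if (!dominates(subject, target->label)) return DENIED_OBJECT;
    for (const node_t *n = target->parent; n != NULL; n = n->parent)
        if (!dominates(subject, n->label)) return DENIED_PATH;
    return ACCESS_OK;
}

/* Constructed sample tree. "leak" deliberately breaks the invariant: an
 * unclassified object filed under a SECRET/NUC directory. */
static const node_t root  = { "/",     {UNCLASS, 0},      NULL };
static const node_t pub   = { "pub",   {UNCLASS, 0},      &root };
static const node_t proj  = { "proj",  {CONF, 0},         &root };
static const node_t nuc   = { "nuc",   {SECRET, CAT_NUC}, &proj };
static const node_t plans = { "plans", {SECRET, CAT_NUC}, &nuc };
static const node_t leak  = { "leak",  {UNCLASS, 0},      &nuc };

int demo(void) {
    label_t secret_nuc    = {SECRET, CAT_NUC};
    label_t secret_crypto = {SECRET, CAT_CRYPTO};
    label_t conf          = {CONF, 0};
    label_t unclass       = {UNCLASS, 0};
    int ok = 1;
    ok &= path_well_formed(&plans) && !path_well_formed(&leak);
    ok &= can_read(secret_nuc, &plans) == ACCESS_OK;
    ok &= can_read(secret_crypto, &plans) == DENIED_OBJECT;   /* right level, wrong compartment */
    ok &= can_read(conf, &plans) == DENIED_OBJECT;
    ok &= can_read(unclass, &pub) == ACCESS_OK;
    /* The object itself is readable by an unclassified subject, but the SECRET
     * directory on the path is not, so the path check denies it. */
    ok &= can_read(unclass, &leak) == DENIED_PATH;
    return ok;
}

int main(void) {
    printf("directory tree access: %s\n", demo() ? "all checks passed" : "FAILED");
    return 0;
}
```

Because dominance is transitive, a subject that dominates the target also dominates every ancestor whenever the invariant holds, so the path walk can only refuse something on a malformed tree such as `leak`; that is why the slide pairs the traversal rule with the requirement that an object's level dominate its directory's.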
Kernel Primitives

Finally a set of primitives has to be specified. These are the state transitions, in an abstract BLP type

We then must show these preserve the BLP security