The Security Kernel

Layers of an IT system:
• Applications
• Services
• Operating System
• OS kernel
• Hardware
OS integrity – Orange Book Glossary (DoD Trusted Computer System Evaluation Criteria, TCSEC)
• Reference monitor: an abstract machine that mediates all accesses to objects by subjects.
• Security kernel: the hardware, firmware and software that implement the reference monitor.

OS integrity – Orange Book Glossary (TCSEC)
• Trusted computing base (TCB): the protection mechanisms within a computer system (hardware, firmware and software) that enforce the security policy.
OS integrity – Generic security policies
• Users must not be able to modify the operating system.
• Users must be able to use (invoke) the operating system.
• Users must not be able to misuse the operating system.
To achieve these goals two mechanisms are used: status information and controlled invocation.

OS integrity – Modes of operation
The OS should be able to distinguish computations on behalf of the OS (supervisor or system mode) from computations on behalf of the users (user mode). This prevents users from writing directly to memory and corrupting the logical file structure. If a user wants to execute an operation requiring supervisor mode, the processor has to switch modes; this process is called controlled invocation.
OS integrity – Controlled invocation: example
A user wants to execute an operation requiring supervisor mode, e.g. writing to a memory location. To deal with this the processor has to switch between modes, but this is a problem: simply changing the status bit to supervisor mode would give the user all privileges associated with this mode, without any control over what the user actually does.

OS integrity – Controlled invocation: example (continued)
Therefore it is desirable that the system only performs a certain predefined set of operations in supervisor mode and then returns to user mode before handing control back to the user. We refer to this as controlled invocation.
OS integrity – Hardware security features
Figure: schematic description of a computer (CPU, bus, memory).
Computer architecture
• The Central Processing Unit
  • The Arithmetic Logic Unit
  • Registers
    • General purpose
    • Dedicated: program counter, stack pointer, status register

Computer architecture – Memory structure
• Random Access Memory – security: integrity, confidentiality
• Read-Only Memory – security: confidentiality
• Erasable & Programmable ROM – security: more sophisticated attacks
• Write-once ROM – security: good for recording audit trails, storing crypto keys, etc.
Computer architecture – Processes and threads
A process is a program in execution. It consists of:
• executable code
• data
• the execution context.
A process works in its own address space and can communicate with other processes only through the primitives provided by the OS. The logical separation between processes is a useful basis for security. On the other hand, a context switch between processes is an expensive operation, as the OS has to save the whole execution context on the stack.

Computer architecture – Processes and threads
Threads are strands of execution within a process. As threads share an address space they avoid the overhead of a full context switch, but they also escape control by a potential security mechanism.

Computer architecture – Controlled invocation: interrupts
Processes are equipped to deal with interruptions of execution, created by errors in the program, user requests, hardware failure etc. The mechanisms to do this are variously called exceptions, interrupts and traps. We shall use the term trap. When a trap occurs the system saves its current state on the stack and then executes the interrupt handler.
Computer architecture – Controlled invocation: interrupts
Figure: an interrupt raises TRAP #n; the interrupt vector table maps n to an interrupt vector, which points to the interrupt handler in memory.
Computer architecture – Controlled invocation: interrupts
The interrupt handler has to make sure that the system is restored to a proper state, e.g. by clearing the supervisor status bit before returning control to the user program. It is possible for a further interrupt to arrive while the processor is dealing with the current one.

Computer architecture – Controlled invocation: interrupts
The processor may then have to interrupt the current handler. This may allow a user to enter supervisor mode by interrupting the execution of an OS call.
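The following is an added example, not code from the slides: a constructed C model of controlled invocation covering both the mode switch (status bit, predefined set of supervisor-mode operations reached through an interrupt vector table) and the nested-interrupt case just described. All names (cpu_t, trap, sys_write_log, sys_get_mode, sys_nested, naive_mode_switch, user_program) are assumptions made for this example, not a real hardware or kernel interface. The handler saves the mode it was entered from and restores that saved mode on return, rather than unconditionally clearing the bit, so a nested trap returning into an outer handler leaves the outer handler in supervisor mode while a trap returning to a user program leaves it in user mode.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a processor with a status bit, a small stack of saved
 * modes and a piece of protected memory. Names (cpu_t, trap, sys_*) are
 * assumptions made for this example, not a real hardware or kernel interface. */

#define KSTACK_DEPTH 8
#define LOG_SIZE     64

typedef struct {
    int  supervisor;                /* status bit: 1 = supervisor mode, 0 = user mode */
    int  saved_mode[KSTACK_DEPTH];  /* modes saved on the stack by nested traps */
    int  depth;                     /* number of traps currently being handled */
    char log[LOG_SIZE];             /* protected memory, e.g. an audit record */
} cpu_t;

static cpu_t cpu;                   /* the single (constructed) processor */

typedef int (*handler_t)(cpu_t *c, const char *arg);
int trap(cpu_t *c, int n, const char *arg);

/* TRAP #0: the privileged operation a user program needs (write protected memory). */
static int sys_write_log(cpu_t *c, const char *arg) {
    if (!c->supervisor) return -3;          /* refused unless entered through a trap */
    strncpy(c->log, arg ? arg : "", LOG_SIZE - 1);
    c->log[LOG_SIZE - 1] = '\0';
    return 0;
}

/* TRAP #1: report the mode a handler observes (always supervisor). */
static int sys_get_mode(cpu_t *c, const char *arg) {
    (void)arg;
    return c->supervisor;
}

/* TRAP #2: a handler that is itself interrupted by a further trap. After the
 * nested trap returns the mode must still be supervisor, because the nested
 * handler restores the saved mode instead of blindly clearing the bit. */
static int sys_nested(cpu_t *c, const char *arg) {
    (void)arg;
    trap(c, 1, NULL);
    return c->supervisor;
}

/* Interrupt vector table: the predefined set of operations that may run in
 * supervisor mode. The trap number is an index into it; nothing else is callable. */
static const handler_t interrupt_vector[] = { sys_write_log, sys_get_mode, sys_nested };
#define N_TRAPS ((int)(sizeof interrupt_vector / sizeof interrupt_vector[0]))

/* Controlled invocation: save the current state, set the supervisor bit, run
 * only the handler selected by n, then restore the saved mode before handing
 * control back. The caller never holds the supervisor bit outside a handler. */
int trap(cpu_t *c, int n, const char *arg) {
    if (n < 0 || n >= N_TRAPS) return -1;            /* unknown trap: refused */
    if (c->depth >= KSTACK_DEPTH) return -2;         /* nesting too deep: refused */
    c->saved_mode[c->depth++] = c->supervisor;
    c->supervisor = 1;
    int result = interrupt_vector[n](c, arg);
    c->supervisor = c->saved_mode[--c->depth];       /* restore, not just clear */
    return result;
}

/* The problem the slide describes: flipping the status bit and returning gives
 * the caller every supervisor privilege with no control over what it does next.
 * Kept only as the contrast to trap(). */
int naive_mode_switch(cpu_t *c) {
    c->supervisor = 1;
    return c->supervisor;
}

/* A user program: it may request the privileged write, but only through
 * trap(), and it is back in user mode when control returns to it. */
int user_program(cpu_t *c) {
    c->supervisor = 0;
    c->depth = 0;
    c->log[0] = '\0';
    if (trap(c, 0, "audit: user requested write") != 0) return -1;
    if (sys_write_log(c, "direct call") == 0) return -2;  /* must be refused in user mode */
    return c->supervisor;                                 /* 0: back in user mode */
}

int main(void) {
    int mode_after = user_program(&cpu);
    printf("user_program -> mode %d, log \"%s\"\n", mode_after, cpu.log);
    int inner = trap(&cpu, 2, NULL);
    printf("nested trap -> inner mode %d, mode after return %d\n", inner, cpu.supervisor);
    printf("unknown trap -> %d\n", trap(&cpu, 99, NULL));
    return 0;
}
```

The point to take from the model is the shape of trap(): the only way into supervisor mode is through a table of fixed handlers, and the mode that was in force before the trap is restored on the way out, whether that was user mode or an outer handler's supervisor mode.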
Computer architecture – Reference monitor
Operating systems manage access to data and are usually not involved in the interpretation of data. They must protect their own integrity and prevent users from accidentally or intentionally accessing other users' data.

Computer architecture – Reference monitor: integrity of the OS
This is achieved by separating user space from OS space. Logical separation of users protects against accidental or intentional interference by users. Separation can take place at two levels:
• file management – logical memory objects
• memory management – physical memory objects
Reference monitor – Memory structure
Memory can be structured by
• segmentation
• paging
Segmentation divides data into segments, i.e. logical units. Each segment has a name and items within it have an offset. The OS maintains a table of segment names with their true addresses. Segmentation is used for logical access control. This is a good basis for enforcing security policies; however, segments have variable length, so memory management is harder.

Reference monitor – Memory structure: paging
Paging divides memory into pages of equal size. Addresses consist of two parts, the page number and an offset (within a page). Paging allows for more efficient memory management, but is not a good basis for access control:
• a page may contain objects which require different protection,
• logical objects can be stored across the boundary of a page – this allows for a covert channel.
Reference monitor – Memory protection
The OS must protect its own integrity and confine each process to a separate address space. This means that the OS must control data objects in memory. This can be achieved:
• by modifying the addresses it receives – address sandboxing: the address has a segment identifier and an offset, and the OS sets the correct segment identifier;
• by constructing effective addresses from the relative addresses it receives – relative addressing: the address is specified by an offset relative to a given base address;
• by checking that the addresses it receives are within given bounds.
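The three techniques on this slide, as an added C example (constructed for this page, not from the slides): a segment table mapping segment identifiers to true base addresses and lengths, a sandbox() step that overwrites the segment identifier a process supplies with that of its own segment, and effective_address(), which forms base + offset and refuses any offset outside the segment's bounds. Names (segment_t, process_t, logical_addr_t, la, sandbox, effective_address, store_byte, load_byte, setup_segments) and the memory layout are assumptions for the example.

```c
#include <stdio.h>
#include <stdint.h>

/* Constructed model of a segmented address space mediated by the OS. Names
 * (segment_t, process_t, sandbox, effective_address, ...) are assumptions for
 * this example, not a real kernel interface. */

#define MEM_SIZE     1024
#define MAX_SEGMENTS 4
#define ADDR_FAULT   UINT32_MAX   /* returned for any address the OS rejects */

typedef struct {
    uint32_t base;   /* true (physical) address where the segment starts */
    uint32_t limit;  /* segment length in bytes */
    int valid;
} segment_t;

typedef struct {
    int pid;
    int own_segment; /* the only segment this process may address */
} process_t;

/* A logical address as a process presents it: (segment identifier, offset). */
typedef struct { int segment; uint32_t offset; } logical_addr_t;

static segment_t segment_table[MAX_SEGMENTS];   /* segment names -> true addresses */
static uint8_t memory[MEM_SIZE];                /* physical memory (constructed) */
static const process_t proc1 = {1, 1}, proc2 = {2, 2};

logical_addr_t la(int segment, uint32_t offset) {
    logical_addr_t a = {segment, offset};
    return a;
}

/* Address sandboxing: the OS ignores whatever segment identifier the process
 * supplied and inserts the identifier of the process's own segment. */
logical_addr_t sandbox(const process_t *p, logical_addr_t a) {
    a.segment = p->own_segment;
    return a;
}

/* Relative addressing with bounds checking: the effective address is
 * base + offset, accepted only if the offset lies inside the segment. */
uint32_t effective_address(logical_addr_t a) {
    if (a.segment < 0 || a.segment >= MAX_SEGMENTS) return ADDR_FAULT;
    const segment_t *s = &segment_table[a.segment];
    if (!s->valid) return ADDR_FAULT;
    if (a.offset >= s->limit) return ADDR_FAULT;      /* bounds check */
    return s->base + a.offset;
}

/* Every memory access goes through the OS: sandbox, then translate and check. */
int store_byte(const process_t *p, logical_addr_t a, uint8_t value) {
    uint32_t ea = effective_address(sandbox(p, a));
    if (ea == ADDR_FAULT) return -1;
    memory[ea] = value;
    return 0;
}

int load_byte(const process_t *p, logical_addr_t a) {
    uint32_t ea = effective_address(sandbox(p, a));
    if (ea == ADDR_FAULT) return -1;
    return memory[ea];
}

/* Constructed layout: OS segment at 0, one 256-byte segment per process. */
void setup_segments(void) {
    segment_table[0] = (segment_t){0, 256, 1};     /* OS */
    segment_table[1] = (segment_t){256, 256, 1};   /* process 1 */
    segment_table[2] = (segment_t){512, 256, 1};   /* process 2 */
    segment_table[3] = (segment_t){0, 0, 0};       /* unused */
}

int main(void) {
    setup_segments();
    /* Process 1 names segment 0 (the OS segment); sandboxing redirects it. */
    printf("unsandboxed (0,5) -> %u, sandboxed for proc1 -> %u\n",
           (unsigned)effective_address(la(0, 5)),
           (unsigned)effective_address(sandbox(&proc1, la(0, 5))));
    int stored = store_byte(&proc1, la(0, 5), 0x41);
    printf("store by proc1 -> %d, load by proc2 at same logical offset -> %d\n",
           stored, load_byte(&proc2, la(0, 5)));
    printf("offset 300 in a 256-byte segment -> %s\n",
           effective_address(la(1, 300)) == ADDR_FAULT ? "fault" : "accepted");
    return 0;
}
```

Because the sandbox step runs before translation, a process that names the OS segment still ends up inside its own segment, and two processes presenting the same logical address reach different physical bytes; the bounds check then catches offsets that would run past the end of a segment into a neighbour's.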
Kernel primitives
These are based on the Multics operating system, which the BLP model closely follows.
• Subjects = processes. Each process has a descriptor segment that contains information about the process, including the objects the process has access to. Each such object is described by a segment descriptor word.
Figure: Multics segment descriptor word – segment id, pointer, read: on, execute: off, write: on.

Kernel primitives
• Objects are memory segments, I/O devices, etc.
• They are organised hierarchically in a directory tree.
• To access an object, a process has to traverse the tree from the root to the target object.
• If any node on the path is not accessible then the target object is not accessible; we therefore require that the security level of an object dominates that of its directory.

Kernel primitives
Finally a set of primitives has to be specified. These are the state transitions of an abstract BLP-type model. We then must show that these primitives preserve the BLP security properties.
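An added C example (constructed for this page, not from the slides or from Multics) tying the last three slides together: objects live in a directory tree with a security level and a segment descriptor word carrying read/execute/write bits, an object may only be created where its level dominates its directory's, and a kernel primitive get_access() is a state transition that adds (subject, object, mode) to the current-access set only after traversing the path from the root, checking the descriptor word, and checking the BLP simple security and *-properties. A separate state_is_secure() checks the invariant the primitive is meant to preserve. Assumptions: levels form a simple total order so "dominates" is >=, a subject's current level equals its clearance, and all names (object_t, subject_t, access_t, add_object, get_access, state_is_secure, setup) and the sample tree are invented for the example.

```c
#include <stdio.h>

/* Constructed model of Multics-style kernel objects under a BLP policy.
 * Security levels are a total order (0..3), so "dominates" is simply >=; a
 * real lattice would also compare compartments. A subject's current level is
 * taken to be its clearance. All names here are assumptions for the example. */

enum { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };
enum { MODE_READ = 1, MODE_EXECUTE = 2, MODE_WRITE = 4 };  /* descriptor word bits */
enum { OK = 0, E_NO_OBJECT = -1, E_PATH = -2, E_SDW = -3,
       E_SS = -4, E_STAR = -5, E_TREE = -6, E_FULL = -7 };

#define MAX_OBJECTS  16
#define MAX_ACCESSES 32

typedef struct {
    const char *name;
    int parent;      /* index of the containing directory, -1 for the root */
    int level;       /* classification */
    int sdw_flags;   /* segment descriptor word: read / execute / write bits */
} object_t;

typedef struct { const char *name; int clearance; } subject_t;
typedef struct { int subject, object, mode; } access_t; /* element of the access set b */

static object_t  objects[MAX_OBJECTS];
static int       n_objects;
static subject_t subjects[2];
static access_t  accesses[MAX_ACCESSES];                /* BLP state: current accesses */
static int       n_accesses;

static int dominates(int a, int b) { return a >= b; }

/* Create an object in the tree, enforcing the slide's requirement that an
 * object's security level dominates that of its directory. */
int add_object(const char *name, int parent, int level, int sdw_flags) {
    if (n_objects >= MAX_OBJECTS) return E_FULL;
    if (parent >= 0 && !dominates(level, objects[parent].level)) return E_TREE;
    objects[n_objects] = (object_t){name, parent, level, sdw_flags};
    return n_objects++;
}

/* Traverse from the root to the target: every directory on the path must be
 * readable by the subject, otherwise the target is not accessible at all. */
static int path_accessible(int s, int o) {
    for (int node = objects[o].parent; node >= 0; node = objects[node].parent)
        if (!(objects[node].sdw_flags & MODE_READ) ||
            !dominates(subjects[s].clearance, objects[node].level))
            return 0;
    return 1;
}

/* Kernel primitive get_access(s, o, mode): a state transition that adds
 * (s, o, mode) to the access set only when the new state still satisfies
 * the BLP properties; otherwise the state is left unchanged. */
int get_access(int s, int o, int mode) {
    if (o < 0 || o >= n_objects) return E_NO_OBJECT;
    if (!path_accessible(s, o)) return E_PATH;
    if ((objects[o].sdw_flags & mode) != mode) return E_SDW;    /* descriptor word denies */
    if ((mode & (MODE_READ | MODE_EXECUTE)) &&
        !dominates(subjects[s].clearance, objects[o].level)) return E_SS;    /* no read up */
    if ((mode & MODE_WRITE) &&
        !dominates(objects[o].level, subjects[s].clearance)) return E_STAR;  /* no write down */
    if (n_accesses >= MAX_ACCESSES) return E_FULL;
    accesses[n_accesses++] = (access_t){s, o, mode};
    return OK;
}

/* The invariant the primitives must preserve: the ss-property and the
 * *-property hold for every current access. Check it after each transition. */
int state_is_secure(void) {
    for (int i = 0; i < n_accesses; i++) {
        int ls = subjects[accesses[i].subject].clearance;
        int lo = objects[accesses[i].object].level;
        if ((accesses[i].mode & (MODE_READ | MODE_EXECUTE)) && !dominates(ls, lo)) return 0;
        if ((accesses[i].mode & MODE_WRITE) && !dominates(lo, ls)) return 0;
    }
    return 1;
}

/* Constructed sample: / (U) contains secret/ (S) holding plan (S), and notes (U). */
void setup(void) {
    n_objects = 0; n_accesses = 0;
    subjects[0] = (subject_t){"alice", SECRET};
    subjects[1] = (subject_t){"bob", UNCLASSIFIED};
    int root = add_object("/", -1, UNCLASSIFIED, MODE_READ);           /* index 0 */
    int dir  = add_object("secret", root, SECRET, MODE_READ);           /* index 1 */
    add_object("plan", dir, SECRET, MODE_READ | MODE_WRITE);            /* index 2 */
    add_object("notes", root, UNCLASSIFIED, MODE_READ | MODE_WRITE);    /* index 3 */
}

int main(void) {
    setup();
    int r1 = get_access(0, 2, MODE_READ);    /* alice (S) reads /secret/plan (S) */
    int r2 = get_access(1, 2, MODE_READ);    /* bob (U) cannot traverse /secret */
    int r3 = get_access(0, 3, MODE_WRITE);   /* alice (S) writing notes (U): write down */
    printf("alice reads plan: %d, bob reads plan: %d, alice writes notes: %d\n", r1, r2, r3);
    printf("state secure after transitions: %d\n", state_is_secure());
    return 0;
}
```

The order of the checks in get_access() mirrors the slides: the path is traversed first (a subject that cannot read an intermediate directory never learns whether the target exists), then the descriptor word bits, then the two BLP properties; a rejected request leaves the access set, and hence the state, unchanged, which is what "the primitives preserve the security properties" amounts to in this model.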