1 / 30

Enforcement of Access Control: Reference Monitors and OS Integrity

This lecture provides an overview of reference monitors, security kernels, and their placement in computer systems. It also discusses the importance of operating system integrity and hardware security features in enforcing access control. Topics covered include trusted computing base, execution monitors, modes of operation, controlled invocation, hardware security, and memory structures.

tgrenier
Download Presentation

Enforcement of Access Control: Reference Monitors and OS Integrity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. G53SEC Reference Monitors Enforcement of Access Control 1

  2. G53SEC • Overview of Today’s Lecture: • Introduction • Operating System Integrity • Hardware Security Features • Protecting Memory 2

  3. G53SEC • Introduction: • Fundamental Concepts: • Reference Monitor – an abstract concept • Security Kernel – its implementation • Trusted Computing Base (TCB) – kernel + other protection mechanisms 3

  4. G53SEC • Reference Monitor (RM): • “An access control concept that refers to an abstract machine that mediates all access to objects by subjects.” • Must be tamper proof/resistant • Must always be invoked when access to object required • Must be small enough to be verifiable / subject to analysis to ensure its correctness 4

  5. G53SEC • Security Kernel: • “The hardware, firmware, and software elements of a TCB that implement the reference monitor.” • Must mediate all access • Must be protected from modification • Must be verifiable for correctness • Ideally in the bottom layers of a system 5

  6. G53SEC • Trusted Computing Base (TCB): • “The totality of protection mechanisms within a computer system responsible for enforcing a security policy” • One or more components • Enforce a unified security policy over a product or system • Correct enforcement depends on components within • and input by system administrators 6

  7. G53SEC • Reference Monitor Placement: • Can be placed anywhere • Hardware • Operating System Kernel • Operating System • Services Layer • Application 7

  8. G53SEC • Reference Monitor Placement: • In relation to application it should control: In-line RM RM in kernel Interpreter program RM program application program RM RM kernel 8

  9. G53SEC • Execution Monitors: • Decision of a RM depends on: • Information about a request • Information about the target • RMs differentiated based on the above: • History of execution - Execution monitor • Future of execution - Static type checking • Rewriting 9

  10. G53SEC • Operating System Integrity: • OS is not only the arbitrator of access requests • OS is itself an object of access control • “Users must not be able to modify the operating system” • Users should be able to use the OS • Users should not be able to misuse the OS 10

  11. G53SEC • Modes of Operation: • Distinguish computations done “on behalf of”: • the OS • the user • A Status flag allows the OS to operate in different modes. • e.g. In Unix – supervisor (root) and user modes 11

  12. G53SEC • Controlled Invocation: • User requiring supervisor mode for an operation • Processor switches between modes • Only predefined set of operations performed in supervisor mode • System returns to user mode 12

  13. G53SEC • Hardware Security Features: • Reasons for placing security in lower system levels: • Possibility to evaluate security to a higher degree • reasonably simple structures • security mechanism compromised if layer below attacked • Performance overheads reduced • Access control decisions far removed from decisions made by applications 13

  14. G53SEC • Input/Output: • How to ensure secure I/O operations? • e.g. user inputs username and password (input) • e.g. user signs documents (output) • A trusted path between I/O device and the TCB required • example – secure attention sequence (Windows) 14

  15. G53SEC • Memory Structures: • Security characteristics of memory structures: • RAM – (R/W) - Cannot guarantee integrity or confidentiality • ROM – built-in integrity guarantee, good for storing parts of an OS • EPROM – useful for storing parts of OS or crypto keys, advanced attacks may pose a threat • WROM – good for storing crypto keys, disks used for audit trail logs 15

  16. G53SEC • continued… • Volatile memory • loses its contents on power off • neither instantaneous nor complete • reconstructable using special electronics • defence – repeated overwrites • Non-volatile (permanent) memory • if attacker has access by bypassing CPU • further measures required (e.g. cryptography) 16

  17. G53SEC • continued… • Memory • main memory • cache • buffers • etc.. • Data object may exist simultaneously in more than one location! • Copy held in an unprotected memory = risk 17

  18. G53SEC • Processes and Threads: • Process – program in execution, important unit of control in an OS and for security • Works in its own address space • Communicates with other processes with help of OS • Separation useful for security • Thread – a strand of execution within a process 18

  19. G53SEC • Controlled Invocation - Interrupts: • Exceptions/Interrupts/Traps • Interruptions of executions due to errors, user request, hardware failure, etc… • Handled by CPU • Improper handling leads to security flaws • CTRL-C during supervisor mode operations • Interrupt table entry change 19

  20. interrupt vector interrupt handler G53SEC Processing Interrupt: Memory Interrupt Interrupt vector table TRAP #n n 1 0 20

  21. interrupt vector G53SEC Processing Interrupt: Memory Interrupt Interrupt vector table TRAP #n viral code n 1 0 interrupt handler 21

  22. G53SEC • Intel 80x86: • 2-bit field in status register • Defines four privilege levels (protection rings) • Only one instruction can change this (POPF) • Instruction can only be executed at level 0 • Procedure -> object – in own or outer rings • Procedure -> subroutine - only within own ring 22

  23. G53SEC • Intel 80x86: • How to manage access to operations requiring higher privileges? • Gates • System object pointing to a procedure • In the same ring as the calling procedure • Has different privilege level than code it points to • Allow execute-only access to procedure in inner ring 23

  24. G53SEC • Intel 80x86: • Confused Deputy Problem: • Outer ring -> Gate to copy an object from inner ring to outer ring • This will not be prevented • Doesn’t violate security policy • Security policy needs to be extended – caller privilege • 80x86 contains prevention mechanism 24

  25. G53SEC • Protecting Memory: • OS integrity – preserved by separation of user & kernel space • Separation of users: • File management – logical memory object • Memory management – physical memory objects 25

  26. G53SEC • continued… • Segmentation – divides data into logical units • Good basis for enforcing security policy • Variable length – difficult memory management • Paging – divides memory into pages of equal size • Popular – efficient memory management • Not good for access control • A page might contain objects requiring different protection 26

  27. G53SEC • continued… • Possibility of a covert channel • Logical objects stored across boundaries page boundary P Pa Pa$ a$$w0RD $$w0RD $w0RD step 1 step 2 step 3 27

  28. G53SEC • Secure Addressing: • Confinement of processes to separate address spaces • Control access to data objects in memory • OS modifies addresses received from user • (address sandboxing) • OS constructs effective addresses from relative ones • (relative addressing) • OS checks whether address within given bounds • (base register addressing) 28

  29. G53SEC • Summary: • How Access Control is enforced • Why OS integrity is important • Security features of existing hardware • How to control access to memory • Next Lecture • Hands-on Unix Security 29

  30. G53SEC End 07/02/08 30

More Related