1 / 15

Trusted Operating Systems

Trusted Operating Systems. What is a trusted operating system. Four aspects of a trusted OS Information compartmentalization Role compartmentalization Least privilege Kernel level enforcement “if it’s easy to administer, it’s probably easy to break into”. Pros Difficult to compromise

walterijackson
Download Presentation

Trusted Operating Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Trusted Operating Systems

  2. What is a trusted operating system • Four aspects of a trusted OS • Information compartmentalization • Role compartmentalization • Least privilege • Kernel level enforcement • “if it’s easy to administer, it’s probably easy to break into”

  3. Pros Difficult to compromise One compromise will not lead to another Useful for mission critical applications Protects against inside attacks Cons Software compatibility Difficulty in administration Performance overhead More cumbersome for users Pros and cons

  4. Information Compartmentalization • Information restricted without regard to user ID or “owner” • No user, even administrators, can see or modify information they are not cleared to see • Compromised applications cannot be used for further access, since they cannot see information unrelated to their task

  5. Mandatory Access Control • In DAC (Discretionary Access Control), users own files • User can determine if a file is readable, writable, executable, etc, and by whom • In MAC, restrictions are based on the sensitivity of information • All objects have Sensitivity Labels which define a level or range of levels encompassing the information • SLs cannot be overruled by the owner of a file or even a system administrator

  6. Sensitivity Labels • Two components • Classification • Compartment • Dominant • Top Secret SL can read but not write Confidential SL • Equal • Only time modification is permitted • Disjoint • Prevents equal classifications from accessing other compartments • Top Secret A cannot read Secret A B, since Top Secret A does not have access to the B compartment

  7. Role Compartmentalization • No user can perform all system tasks • There is no “root”, administrators are limited in their privileges • Important system actions must be confirmed by multiple administrators • Execution of a privileged program is still limited by privilege of user

  8. Least Privilege • Processes only have access to the minimum amount of information and privilege required to perform their task • Mail server cannot modify web pages • Web server cannot send email • Even if running as an administrator • Permissions are strictly limited in scope and type

  9. Kernel Level Enforcement • Security related operations happen in kernel mode, where they cannot be circumvented by any amount of user level action • However, operations happen at the highest level possible, limiting potential damage as much as possible • Application cannot override kernel decisions

  10. Trusted OS Implementations • Trusted Solaris • Password generator enforces strong passwords • MAC • Trusted symbol prevents spoofing • Full system auditing • Trusted IRIX • MAC • Mandatory Integrity • Trusted Networking • MAC labeling of input and output

  11. Trusted OS Implementations • Trusted BSD • Based on FreeBSD • Fine grained auditing • Fine grained policy • SELinux • Patches to Linux published by the NSA • Argus Pitbull LX • Trusted environment that runs on top of Linux, Solaris, or AIX • Domain Based Access Control • Has root, but restricted • Allows trusted applications to be run in alongside non-trusted applications, providing flexibility

  12. “Orange Book” standards • Levels of security policies and accountability mechanisms • Certification to use in given situations • C2: Controlled Access Protection (5) • B1: Labeled Security Protection (7) • B2: Structured Protection (1) • B3: Security Domains (1) • A1: Verified Design (0)

  13. Audit Cryptographic support Communications User Data Protection Identification and Authentication Security Management Privacy Protection of the TOE Security Functions Resource Utilization TOE Access Trusted Path/Channels Common Criteria • Supercedes “Orange Book” • Worldwide effort, combines international criteria • Broken into functional requirements:

  14. Common Criteria Assurance Levels • EAL1: Functionally tested • EAL2: Structurally tested • EAL3: Methodically tested and checked • EAL4: Methodically designed, tested, and reviewed • EAL5: Semiformally designed and tested • EAL6: Semiformally verified design and tested • EAL7: Formally verified design and tested

  15. References • http://www.argus-systems.com/product/white_paper/pitbull/oss/2.shtml • http://rr.sans.org/securitybasics/trusted_OS.php • http://www.sei.cmu.edu/str/descriptions/trusted_body.html • http://www.computerworld.com/cwi/story/0,1199,NAV47_STO53293,00.html • http://www.commoncriteria.org • http://www.securityhorizon.com/whitepapers/archives/tos.html • http://rr.sans.org/securitybasics/trusted_OS.php • http://www.nsa.gov/selinux/index.html • http://wwws.sun.com/software/solaris/trustedsolaris/ts_tech_faq/

More Related