Chapter 5 – Designing Trusted Operating Systems

Upload: mark-terry

Post on 29-Dec-2015


TRANSCRIPT

Chapter 5 – Designing Trusted Operating Systems

What makes an operating system “secure”? Or “trustworthy”?

How are trusted systems designed, and which of those design principles carry over naturally to other program development tasks?

How do we develop “assurance” of the correctness of a trusted operating system?

Designing Trusted Operating Systems

Primitive security services
• Memory protection
• File protection
• General object access control
• User authentication

An OS is trusted if we have confidence that it provides these four services in a consistent and effective way.

What is a trusted system?

Secure                                                   Trusted
Either-or: something either is or is not secure          Graded: there are degrees of “trustworthiness”
Property of the presenter                                Property of the receiver
Asserted, based on product characteristics               Judged, based on evidence and analysis
Absolute: not qualified as to how, where, when, or       Relative: viewed in the context of use
  by whom it is used
A goal                                                   A characteristic

What is a trusted system?

Trusted process – process that can affect system security
Trusted product – evaluated and approved product
Trusted software – software portion of a system that can be relied upon to enforce the security policy
Trusted computing base – set of all protection mechanisms within a computing system that enforce a unified security policy
Trusted system – system that employs sufficient hardware and software integrity measures to allow its use for processing sensitive information

Security Policies

Security policy – statement of the security we expect the system to enforce

Military Security Policy
• Based on protecting classified information
• Information access is limited by the need-to-know rule
• Each piece of classified information is associated with a compartment

Military Security Policy

Class (classification) – <rank; compartments>
Clearance – indication that a person is trusted to access information up to a certain level of sensitivity
Dominance – a subject s dominates an object o (written o <= s) iff rank_o <= rank_s and compartments_o ⊆ compartments_s, that is:
• the clearance level of the subject is at least as high as that of the information, and
• the subject has a need to know about all compartments for which the information is classified.
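The dominance relation above, and the lattice it induces (the same structure the later slide on multilevel security refers to), as an added Python example that is not part of the original slides. The rank names, compartment names and the analyst's clearance are constructed for the example; the access rule is the one stated above: a subject may read an object only if its clearance dominates the object's class.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Ranks in increasing order of sensitivity (constructed for this example).
RANKS = ("unclassified", "confidential", "secret", "top secret")


@dataclass(frozen=True)
class Level:
    """A class <rank; compartments>, used both as an object's classification
    and as a subject's clearance."""
    rank: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.rank not in RANKS:
            raise ValueError(f"unknown rank {self.rank!r}")


def dominates(s: Level, o: Level) -> bool:
    """o <= s: rank_o <= rank_s and compartments_o is a subset of compartments_s."""
    return (RANKS.index(o.rank) <= RANKS.index(s.rank)
            and o.compartments <= s.compartments)


def may_read(clearance: Level, classification: Level) -> bool:
    """A subject may read an object only if its clearance dominates the object's
    class: rank at least as high, and need-to-know for every compartment."""
    return dominates(clearance, classification)


def comparable(a: Level, b: Level) -> bool:
    """Levels with unrelated compartment sets are incomparable: neither dominates."""
    return dominates(a, b) or dominates(b, a)


def join(a: Level, b: Level) -> Level:
    """Least upper bound in the lattice: the lowest level that dominates both.
    A subject needs at least this clearance to read objects at both a and b."""
    return Level(max(a.rank, b.rank, key=RANKS.index), a.compartments | b.compartments)


def meet(a: Level, b: Level) -> Level:
    """Greatest lower bound: the highest level dominated by both."""
    return Level(min(a.rank, b.rank, key=RANKS.index), a.compartments & b.compartments)


def demo() -> Dict[str, object]:
    """Constructed scenario: an analyst cleared <secret; {crypto, nuclear}>."""
    analyst = Level("secret", frozenset({"crypto", "nuclear"}))
    results: Dict[str, object] = {
        # rank ok, compartment ok -> allowed
        "crypto_memo": may_read(analyst, Level("confidential", frozenset({"crypto"}))),
        # rank ok, but 'spies' is outside the analyst's need-to-know -> denied
        "spy_report": may_read(analyst, Level("secret", frozenset({"nuclear", "spies"}))),
        # compartments ok (empty set), but rank too high -> denied
        "ts_brief": may_read(analyst, Level("top secret")),
        # same rank, no compartments -> allowed
        "plain_secret": may_read(analyst, Level("secret")),
    }
    crypto = Level("secret", frozenset({"crypto"}))
    nuclear = Level("confidential", frozenset({"nuclear"}))
    results["incomparable"] = not comparable(crypto, nuclear)
    results["join"] = join(crypto, nuclear)    # <secret; {crypto, nuclear}>
    results["meet"] = meet(crypto, nuclear)    # <confidential; {}>
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two incomparable levels are the point of the lattice model: a single ordered list of ranks cannot express "secret/crypto" versus "confidential/nuclear", but the join gives the minimum clearance that covers both.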

Commercial Security Policies

Data items at any level may have different degrees of sensitivity (public, proprietary, internal)
No formalized notion of clearances
No dominance function for most commercial information access

Clark-Wilson Commercial Security Policy

Well-formed transactions – perform steps in order, exactly as listed, and authenticate the individuals who perform the steps
Goal – maintain consistency between internal data and external expectations of the data
Process constrained data items (CDIs) only by transformation procedures (TPs); who may run which TP on which CDIs is given by access triples
• <userID, TP_i, {CDI_j, CDI_k, …}>

Commercial Security Policy

Separation of duty – division of responsibilities (as in a manual system)
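The Clark-Wilson elements from the previous two slides (CDIs, certified TPs, access triples, an integrity verification procedure, and separation of duty), as an added Python example that is not part of the original slides. The ledger, the two TPs and the rule that nobody may both prepare and approve a payment are constructed for the example.

```python
import copy
from typing import Any, Callable, Dict, FrozenSet, List, Set, Tuple


class Violation(Exception):
    """Raised when an action would break a Clark-Wilson rule."""


class ClarkWilsonMonitor:
    """Mediates every change to the constrained data items (CDIs).

    Constructed data: the CDIs are a ledger of account balances and a queue of
    pending payments. Transformation procedures (TPs) are the only code allowed
    to touch them, and only through an access triple <userID, TP_i, {CDI_j, ...}>.
    """

    # TP pairs that no single user may hold: separation of duty.
    CONFLICTING_TPS = [frozenset({"prepare_payment", "approve_payment"})]

    def __init__(self, cdis: Dict[str, Any]) -> None:
        self.cdis = cdis
        self.expected_total = sum(cdis["ledger"].values())  # external expectation
        self.tps: Dict[str, Callable[..., None]] = {}
        self.triples: Set[Tuple[str, str, FrozenSet[str]]] = set()
        self.audit: List[str] = []

    def ivp(self) -> bool:
        """Integrity verification procedure: internal data must still match
        the external expectation (no overdrafts, money is conserved)."""
        ledger = self.cdis["ledger"]
        return all(v >= 0 for v in ledger.values()) and sum(ledger.values()) == self.expected_total

    def certify(self, name: str, tp: Callable[..., None]) -> None:
        """Only certified TPs may be run against CDIs."""
        self.tps[name] = tp

    def authorize(self, user: str, tp: str, cdis: FrozenSet[str]) -> None:
        """Add an access triple, refusing combinations that violate separation of duty."""
        held = {t for (u, t, _) in self.triples if u == user}
        for pair in self.CONFLICTING_TPS:
            if tp in pair and (held & pair) - {tp}:
                raise Violation(f"separation of duty: {user} already holds {sorted(held & pair)}")
        self.triples.add((user, tp, cdis))

    def run(self, user: str, tp: str, cdis: FrozenSet[str], *args: Any) -> None:
        """Execute a well-formed transaction: authenticated user, listed TP,
        listed CDIs, and the IVP must hold afterwards or the change is undone."""
        if tp not in self.tps:
            raise Violation(f"{tp} is not a certified TP")
        if (user, tp, cdis) not in self.triples:
            raise Violation(f"no access triple <{user}, {tp}, {sorted(cdis)}>")
        snapshot = copy.deepcopy(self.cdis)
        self.tps[tp]({name: self.cdis[name] for name in cdis}, *args)  # TP sees only its CDIs
        if not self.ivp():
            self.cdis = snapshot
            raise Violation(f"{tp} left the CDIs inconsistent; change rolled back")
        self.audit.append(f"{user} ran {tp} on {sorted(cdis)} with {args}")


# Certified TPs (constructed). Each performs exactly its listed steps.
def prepare_payment(view: Dict[str, Any], src: str, dst: str, amount: int) -> None:
    view["queue"].append((src, dst, amount))


def approve_payment(view: Dict[str, Any]) -> None:
    src, dst, amount = view["queue"].pop(0)
    view["ledger"][src] -= amount
    view["ledger"][dst] += amount


def demo() -> Dict[str, Any]:
    m = ClarkWilsonMonitor({"ledger": {"A": 100, "B": 50}, "queue": []})
    m.certify("prepare_payment", prepare_payment)
    m.certify("approve_payment", approve_payment)
    m.authorize("clerk", "prepare_payment", frozenset({"queue"}))
    m.authorize("manager", "approve_payment", frozenset({"ledger", "queue"}))
    out: Dict[str, Any] = {}
    try:  # the clerk may not also approve: separation of duty
        m.authorize("clerk", "approve_payment", frozenset({"ledger", "queue"}))
        out["sod"] = "granted"
    except Violation:
        out["sod"] = "refused"
    m.run("clerk", "prepare_payment", frozenset({"queue"}), "A", "B", 30)
    m.run("manager", "approve_payment", frozenset({"ledger", "queue"}))
    out["after_good"] = dict(m.cdis["ledger"])  # {'A': 70, 'B': 80}
    m.run("clerk", "prepare_payment", frozenset({"queue"}), "A", "B", 500)
    try:  # overdraft: the IVP fails, so the transaction is rolled back
        m.run("manager", "approve_payment", frozenset({"ledger", "queue"}))
        out["overdraft"] = "applied"
    except Violation:
        out["overdraft"] = "rolled back"
    out["after_bad"] = dict(m.cdis["ledger"])  # unchanged: {'A': 70, 'B': 80}
    try:  # no triple for this user/TP/CDI combination
        m.run("clerk", "approve_payment", frozenset({"ledger", "queue"}))
        out["no_triple"] = "ran"
    except Violation:
        out["no_triple"] = "refused"
    out["audit_entries"] = len(m.audit)  # three successful transactions logged
    return out
```

Note that the monitor never lets a user write the ledger directly; the only way to change a CDI is a certified TP named in a triple, and the IVP check after each run is what ties internal state back to the external expectation.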

Chinese Wall Security Policy
• Confidentiality policy
• Objects (e.g. files)
• Company groups (all objects concerning a particular company)
• Conflict classes (cluster competing companies)
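The Chinese Wall policy with its objects, company groups and conflict classes, as an added Python example that is not part of the original slides. The companies, files and analysts are constructed; the read rule (no access to two competitors in one conflict class) and the write rule (no writing while holding another company's unsanitized data) follow Brewer and Nash, whose model the slide summarizes.

```python
from dataclasses import dataclass
from typing import Dict, Set


@dataclass(frozen=True)
class Obj:
    """An object (e.g. a file) tagged with its company group and conflict class (constructed)."""
    name: str
    company: str             # company group the object belongs to
    conflict_class: str      # cluster of competing companies
    sanitized: bool = False  # public data that carries no company secrets


class ChineseWall:
    """A subject's past reads decide what it may touch next."""

    def __init__(self) -> None:
        self.history: Dict[str, Set[Obj]] = {}  # subject -> objects already read

    def can_read(self, subject: str, o: Obj) -> bool:
        """Read allowed unless the subject already holds data of a competitor
        (same conflict class, different company)."""
        for prior in self.history.get(subject, set()):
            if prior.conflict_class == o.conflict_class and prior.company != o.company:
                return False
        return True

    def read(self, subject: str, o: Obj) -> bool:
        if not self.can_read(subject, o):
            return False
        self.history.setdefault(subject, set()).add(o)
        return True

    def can_write(self, subject: str, o: Obj) -> bool:
        """Write allowed only if the subject can read o and everything it has
        read belongs to o's company group or is sanitized; otherwise the write
        could carry one company's data into another company's files."""
        if not self.can_read(subject, o):
            return False
        return all(p.company == o.company or p.sanitized
                   for p in self.history.get(subject, set()))


def demo() -> Dict[str, bool]:
    bank_a = Obj("bankA_q3_results", "BankA", "banks")
    bank_b = Obj("bankB_q3_results", "BankB", "banks")
    oil_x = Obj("oilX_drilling_plan", "OilX", "oil")
    fx_rates = Obj("fx_rates", "public", "none", sanitized=True)
    wall = ChineseWall()
    out: Dict[str, bool] = {}
    out["alice_reads_bank_a"] = wall.read("alice", bank_a)            # True: no history yet
    out["alice_reads_fx"] = wall.read("alice", fx_rates)              # True: sanitized data
    out["alice_writes_bank_a"] = wall.can_write("alice", bank_a)      # True: only BankA + public data read
    out["alice_reads_bank_b"] = wall.read("alice", bank_b)            # False: competitor of BankA
    out["alice_reads_oil_x"] = wall.read("alice", oil_x)              # True: different conflict class
    out["alice_writes_oil_x"] = wall.can_write("alice", oil_x)        # False: alice holds BankA data
    out["alice_writes_bank_a_now"] = wall.can_write("alice", bank_a)  # False: alice now holds OilX data
    out["bob_reads_bank_b"] = wall.read("bob", bank_b)                # True: separate history
    return out
```

The history is what distinguishes this from a static lattice: the same object is readable by Alice before she touches a competitor and unreadable afterwards.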

Models of Security

Security models are used to
• Test a particular policy for completeness and consistency
• Document a policy
• Help conceptualize and design an implementation
• Check whether an implementation meets its requirements

Multilevel Security

Want to build a model to represent a range of sensitivities and to reflect the need to separate subjects from objects to which they should not have access.

Use the lattice model of security
• Military security model, where <= in the model is the partial-order relation of the lattice (reflexive, transitive, antisymmetric)
• Commercial security model (public, proprietary, internal)

Bell-La Padula Confidentiality Model

Formal description of allowable paths of information flow in a secure system
• Simple Security Property. A subject s may have read access to an object o only if C(o) <= C(s)
• *-Property. A subject s who has read access to an object o may have write access to an object p only if C(o) <= C(p)

The *-property is used to prevent write-down (a subject with access to high-level data transfers that data by writing it to a low-level object).

Biba Integrity Model

Simple Integrity Property. Subject s can modify (have write access to) object o only if I(s) >= I(o)
Integrity *-Property. If subject s has read access to object o with integrity level I(o), s can have write access to object p only if I(o) >= I(p)
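A reference monitor that enforces the Bell-La Padula properties and the Biba properties exactly as the two slides state them, as an added Python example that is not part of the original slides. The subjects, objects and their C() and I() levels are constructed; the monitor remembers which objects each subject holds open for reading so that the two *-properties can be checked on every write.

```python
from collections import defaultdict
from typing import Dict, Set


class ReferenceMonitor:
    """Mediates reads and writes against both models. C() is the confidentiality
    level, I() the integrity level; higher numbers are more sensitive / more trustworthy."""

    def __init__(self, C: Dict[str, int], I: Dict[str, int]) -> None:
        self.C, self.I = C, I
        self.reads: Dict[str, Set[str]] = defaultdict(set)  # objects each subject holds for read

    def read(self, s: str, o: str) -> bool:
        # BLP simple security property: C(o) <= C(s) (no read up).
        # Biba, as stated on the slide, places no condition on reads.
        if not self.C[o] <= self.C[s]:
            return False
        self.reads[s].add(o)
        return True

    def write(self, s: str, p: str) -> bool:
        # Biba simple integrity property: I(s) >= I(p) (no write up).
        if not self.I[s] >= self.I[p]:
            return False
        for o in self.reads[s]:
            # BLP *-property: C(o) <= C(p) for every o held for read (no write-down).
            if not self.C[o] <= self.C[p]:
                return False
            # Biba integrity *-property: I(o) >= I(p); low-integrity input must
            # not flow into a higher-integrity object.
            if not self.I[o] >= self.I[p]:
                return False
        return True


def demo() -> Dict[str, bool]:
    # Constructed levels: 2 = secret / system, 1 = internal / user, 0 = public / untrusted.
    C = {"alice": 2, "bob": 1, "carol": 0,
         "secret_plan": 2, "memo": 1, "public_board": 0, "system_config": 0}
    I = {"alice": 1, "bob": 2, "carol": 2,
         "secret_plan": 1, "memo": 1, "public_board": 0, "system_config": 2}
    rm = ReferenceMonitor(C, I)
    out: Dict[str, bool] = {}
    out["alice_reads_plan"] = rm.read("alice", "secret_plan")        # True: C 2 <= 2
    out["alice_writes_board"] = rm.write("alice", "public_board")    # False: would write secret_plan down
    out["alice_writes_plan"] = rm.write("alice", "secret_plan")      # True: same levels
    out["bob_reads_plan"] = rm.read("bob", "secret_plan")            # False: read up (C 2 > 1)
    out["bob_reads_board"] = rm.read("bob", "public_board")          # True
    out["bob_writes_config"] = rm.write("bob", "system_config")      # False: tainted by I=0 input
    out["carol_writes_config"] = rm.write("carol", "system_config")  # True: nothing read, I 2 >= 2
    out["carol_writes_plan"] = rm.write("carol", "secret_plan")      # True: BLP permits a blind write up
    return out
```

Two things the table of properties alone does not make obvious: BLP as stated allows a low subject to write into a high object it cannot read (Carol's last write), and under Biba a single read of low-integrity data blocks the subject from every higher-integrity object until that read is released.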

Models Proving Theoretical Limitations of Security Systems

Graham-Denning Model – introduced the concept of a formal system of protection rules; constructs a model having generic protection properties
Harrison-Ruzzo-Ullman Model – uses commands involving conditions and primitive operations, where a protection system is a set of subjects, objects, rights, and commands
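An HRU protection system in the form the slide describes (an access matrix, the primitive operations, and commands that run their primitives only if their conditions hold), as an added Python example that is not part of the original slides. The three commands and the subjects are constructed. This is the object of HRU's safety question (can a given right ever leak to a given subject?), which they showed to be undecidable for protection systems in general.

```python
from typing import Any, Dict, Set, Tuple


class ProtectionSystem:
    """Subjects, objects, rights in an access matrix A[s, o], and commands
    built from conditions plus primitive operations."""

    def __init__(self) -> None:
        self.subjects: Set[str] = set()
        self.objects: Set[str] = set()
        self.matrix: Dict[Tuple[str, str], Set[str]] = {}
        self.commands: Dict[str, Tuple[list, list]] = {}

    # --- the six primitive operations --------------------------------------
    def enter(self, r: str, s: str, o: str) -> None:
        self.matrix.setdefault((s, o), set()).add(r)

    def delete(self, r: str, s: str, o: str) -> None:
        self.matrix.get((s, o), set()).discard(r)

    def create_subject(self, s: str) -> None:
        self.subjects.add(s)
        self.objects.add(s)  # every subject is also an object

    def create_object(self, o: str) -> None:
        self.objects.add(o)

    def destroy_subject(self, s: str) -> None:
        self.subjects.discard(s)
        self.destroy_object(s)

    def destroy_object(self, o: str) -> None:
        self.objects.discard(o)
        for key in [k for k in self.matrix if o in k]:
            del self.matrix[key]

    # --- commands ------------------------------------------------------------
    def define(self, name: str, conditions: list, body: list) -> None:
        """conditions: (right, subject_param, object_param) triples that must all
        hold in the matrix; body: (primitive, args...) where each arg is a
        parameter name or a literal right."""
        self.commands[name] = (conditions, body)

    def invoke(self, name: str, **params: str) -> bool:
        conditions, body = self.commands[name]
        for right, s, o in conditions:
            if right not in self.rights(params[s], params[o]):
                return False  # a condition failed: no primitive executes
        for op, *args in body:
            getattr(self, op)(*[params.get(a, a) for a in args])
        return True

    def rights(self, s: str, o: str) -> Set[str]:
        return set(self.matrix.get((s, o), set()))


def demo() -> Dict[str, Any]:
    ps = ProtectionSystem()
    for s in ("alice", "bob", "mallory"):
        ps.create_subject(s)
    # create_file(p, f): create object f; enter own into A[p, f]
    ps.define("create_file", [], [("create_object", "f"), ("enter", "own", "p", "f")])
    # confer_read(owner, friend, file): if own in A[owner, file] then enter read into A[friend, file]
    ps.define("confer_read", [("own", "owner", "file")], [("enter", "read", "friend", "file")])
    ps.define("revoke_read", [("own", "owner", "file")], [("delete", "read", "friend", "file")])
    out: Dict[str, Any] = {}
    out["create"] = ps.invoke("create_file", p="alice", f="plan.txt")
    out["alice_confers"] = ps.invoke("confer_read", owner="alice", friend="bob", file="plan.txt")
    out["bob_confers"] = ps.invoke("confer_read", owner="bob", friend="mallory", file="plan.txt")
    out["bob_rights"] = ps.rights("bob", "plan.txt")          # {'read'}
    out["mallory_rights"] = ps.rights("mallory", "plan.txt")  # set(): bob does not own the file
    out["revoke"] = ps.invoke("revoke_read", owner="alice", friend="bob", file="plan.txt")
    out["bob_rights_after"] = ps.rights("bob", "plan.txt")    # set()
    return out
```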

Take-Grant Systems

Four operations performed by subjects on objects with rights
• Create(o, r) – subject creates an object o and holds rights r on it
• Revoke(o, r) – subject removes rights r it holds on object o
• Grant(o, p, r) – subject grants to o access rights r on p (allowed only if the subject holds the grant right on o and itself holds r on p)
• Take(o, p, r) – subject takes from o access rights r on p, i.e. copies them to itself (allowed only if the subject holds the take right on o and o holds r on p)
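The four take-grant operations over a protection graph, as an added Python example that is not part of the original slides. The initial graph (who holds take and grant rights on whom) is constructed; the preconditions on grant and take are the standard take-grant rules.

```python
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple


class TakeGrant:
    """Protection graph: edges[(x, y)] is the set of rights x holds on y.
    't' and 'g' are the take and grant rights; 'r' and 'w' are ordinary rights."""

    def __init__(self) -> None:
        self.edges: Dict[Tuple[str, str], Set[str]] = defaultdict(set)

    def rights(self, x: str, y: str) -> Set[str]:
        return set(self.edges[(x, y)])

    def create(self, x: str, o: str, r: Iterable[str]) -> None:
        """x creates node o and holds rights r on it."""
        self.edges[(x, o)] |= set(r)

    def revoke(self, x: str, o: str, r: Iterable[str]) -> None:
        """x gives up rights r it holds on o (only x's own edge is affected)."""
        self.edges[(x, o)] -= set(r)

    def grant(self, x: str, o: str, p: str, r: Iterable[str]) -> bool:
        """x grants o the rights r on p: x needs 'g' on o and must itself hold r on p."""
        r = set(r)
        if "g" not in self.edges[(x, o)] or not r <= self.edges[(x, p)]:
            return False
        self.edges[(o, p)] |= r
        return True

    def take(self, x: str, o: str, p: str, r: Iterable[str]) -> bool:
        """x takes from o the rights r on p: x needs 't' on o and o must hold r on p.
        The rights are copied to x, not removed from o."""
        r = set(r)
        if "t" not in self.edges[(x, o)] or not r <= self.edges[(o, p)]:
            return False
        self.edges[(x, p)] |= r
        return True


def demo() -> Dict[str, object]:
    g = TakeGrant()
    # Constructed initial graph.
    g.create("alice", "file", {"r", "w"})
    g.create("alice", "bob", {"g"})     # alice may grant rights to bob
    g.create("bob", "alice", {"t"})     # bob may take rights from alice
    g.create("mallory", "bob", {"t"})   # mallory may take rights from bob
    out: Dict[str, object] = {}
    out["alice_grants_r"] = g.grant("alice", "bob", "file", {"r"})          # True
    out["carol_grants"] = g.grant("carol", "bob", "file", {"r"})            # False: carol has no 'g' on bob
    out["bob_takes_w"] = g.take("bob", "alice", "file", {"w"})              # True: bob has 't' on alice
    out["mallory_takes_rw"] = g.take("mallory", "bob", "file", {"r", "w"})  # True: rights flow along the take chain
    g.revoke("alice", "file", {"w"})
    out["alice_file"] = g.rights("alice", "file")      # {'r'}
    out["bob_file"] = g.rights("bob", "file")          # {'r', 'w'}: revocation does not propagate
    out["mallory_file"] = g.rights("mallory", "file")  # {'r', 'w'}
    return out
```

The last three results are the practical lesson: a chain of take edges lets rights reach a node the owner never dealt with, and revoking the owner's own right afterwards leaves every copy in place.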

Trusted System Design Elements
• Least privilege
• Economy of mechanism
• Open design
• Complete mediation
• Permission based
• Separation of privilege
• Least common mechanism
• Ease of use

Security Features of Ordinary Operating Systems
• Authentication of users
• Protection of memory
• File and I/O device access control
• Allocation and access control to general objects
• Enforcement of sharing
• Guarantee of fair service
• Interprocess communication and synchronization
• Protection of operating system protection data

Security Features of Trusted Operating Systems

Trusted systems incorporate technology to address both features and assurance
Objects are accompanied (surrounded) by an access control mechanism
Memory is separated by user, and data and program libraries have controlled sharing and separation

Security Features of Trusted Operating Systems

Identification and Authentication
• Require secure identification of individuals; each individual must be uniquely identified
Mandatory and Discretionary Access Control
• MAC – access control policy decisions are made beyond the control of the individual owner of the object
• DAC – leaves access control to the discretion of the object’s owner
• MAC has precedence over DAC
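MAC taking precedence over DAC, as an added Python example that is not part of the original slides. The clearances, object labels and ACLs are constructed; MAC is modelled as simplified Bell-La Padula labels (no read up, no write down, without tracking open reads), and DAC as an owner-managed ACL. The owner may change the ACL at will but can never make the MAC check pass.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class ObjectMeta:
    """Per-object security attributes (constructed)."""
    level: int                                              # MAC label, set by the administrator
    owner: str                                              # DAC owner
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # DAC: user -> {"read", "write"}


class Authorizer:
    def __init__(self, clearances: Dict[str, int], objects: Dict[str, ObjectMeta]) -> None:
        self.clearances = clearances
        self.objects = objects

    def set_acl(self, requester: str, obj: str, user: str, ops: Set[str]) -> bool:
        """DAC: only the owner edits the ACL."""
        meta = self.objects[obj]
        if requester != meta.owner:
            return False
        meta.acl[user] = set(ops)
        return True

    def mac_permits(self, subject: str, obj: str, op: str) -> bool:
        """Simplified BLP labels: no read up, no write down. Nothing the owner
        does can change this outcome."""
        cs, co = self.clearances[subject], self.objects[obj].level
        return co <= cs if op == "read" else cs <= co

    def authorize(self, subject: str, obj: str, op: str) -> str:
        # MAC is checked first; DAC is consulted only if MAC already permits.
        if not self.mac_permits(subject, obj, op):
            return "denied by MAC"
        meta = self.objects[obj]
        if subject == meta.owner or op in meta.acl.get(subject, set()):
            return "allowed"
        return "denied by DAC"


def demo() -> Dict[str, object]:
    a = Authorizer(
        clearances={"alice": 2, "bob": 1},
        objects={"secret_report": ObjectMeta(level=2, owner="alice"),
                 "team_memo": ObjectMeta(level=1, owner="bob")},
    )
    out: Dict[str, object] = {}
    out["alice_grants_bob"] = a.set_acl("alice", "secret_report", "bob", {"read"})   # True: owner's discretion
    out["bob_reads_report"] = a.authorize("bob", "secret_report", "read")            # denied by MAC despite the ACL
    out["alice_reads_memo"] = a.authorize("alice", "team_memo", "read")              # denied by DAC: MAC ok, not on ACL
    out["bob_grants_alice"] = a.set_acl("bob", "team_memo", "alice", {"read"})       # True
    out["alice_reads_memo_now"] = a.authorize("alice", "team_memo", "read")          # allowed: both checks pass
    out["alice_writes_memo"] = a.authorize("alice", "team_memo", "write")            # denied by MAC: write-down
    out["bob_edits_report_acl"] = a.set_acl("bob", "secret_report", "bob", {"read", "write"})  # False: not owner
    return out
```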

Security Features of Trusted Operating Systems

Object Reuse Protection
• Prevent object reuse leakage
• OS clears (overwrites) all space to be reassigned
• Problem of magnetic remanence
Complete Mediation
• All accesses must be controlled
Trusted Path
• For critical operations (setting a password, etc.), users want unmistakable communication with the trusted system

Security Features of Trusted Operating Systems

Accountability and Audit
• Maintain a log of security-relevant events
• Audit log must be protected from outsiders
Audit Log Reduction
• Audit only open and close of files/objects
Intrusion detection
• Build patterns of normal system usage, triggering an alarm any time usage seems abnormal
• Intrusion prevention

Kernelized Design

Kernel – part of the OS that performs the lowest-level functions
• Synchronization, interprocess communication, message passing, interrupt handling
• Security kernel – responsible for enforcing the security mechanism for the entire OS; provides the interface among the hardware, OS, and other parts of the computer system