Chapter 6 Security Kernels

Upload: heriberto-blackford

Post on 15-Dec-2015


Page 1: Chapter 6 Security Kernels. Chapter Overview Description Secure Communications Processor (Scomp) – Architecture – Hardware – Trusted Operating Program

Chapter 6

Security Kernels


Chapter Overview

• Description

• Secure Communications Processor (Scomp)

– Architecture

– Hardware

– Trusted Operating Program

– Kernel Interface Package

– Applications

– Evaluation

• Gemini Secure Operating System

• Summary


Security Kernels

• Efforts from the 70s and early 80s

– SCOMP (Honeywell)

– Gemini Secure OS (GEMSOS)

– Based on the Provably Secure OS (PSOS) design:

• Secure Ada Target (SAT) (Honeywell)

• LOCK (Secure Computing)

– Kernelized Secure OS (KSOS) (Ford Aerospace and Communications)

– Secure LAN (Boeing)

– etc.


The Security Kernel

• MITRE, 1974, 20 subroutines, 1000 SLOC

– Showed the what and the how.

– Focus became verification

– Three core principles:

• Implement a specific security policy

• Define a verifiable protection behavior of the system as a whole

• The implementation must be shown to be faithful to the security model's design


Secure Communications Processor (Scomp)

• Kernel-based system

• Designed to implement Multics' MLS requirements.

• The original idea was to build an emulator to allow execution of an ordinary OS (UNIX) on top of the kernel.

• Ended up with a new API that provided the necessary security.


Problems with the emulation

• Incompatible representations between the two systems:

– UNIX I/O copies data directly to application's address space,

– SCOMP maintains data in individually managed segments to which access must be authorized.

• Some Unix mechanisms are inherently insecure: for example, fork and exec share file descriptors across the new process, which leaks data and creates authorization problems.
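The descriptor-sharing problem named on this slide, as an added example that is not part of the original deck: a Python program opens a descriptor, then execs a fresh interpreter and checks whether the descriptor is still usable there. With classic exec semantics (modelled with `close_fds=False`) everything not marked close-on-exec is carried across; the defensive fix is the standard FD_CLOEXEC flag, which Python exposes as `os.set_inheritable()`. The pipe, the `PROBE` child program and the function names are constructed for this illustration.

```python
"""Constructed demonstration of descriptor leakage across exec and the
close-on-exec mitigation. Not code from the slides or from SCOMP."""
import os
import subprocess
import sys

# Program run in the child: exit 0 if the inherited fd is usable, 1 if not.
PROBE = (
    "import os, sys\n"
    "try:\n"
    "    os.fstat(int(sys.argv[1]))\n"
    "except OSError:\n"
    "    sys.exit(1)\n"
    "sys.exit(0)\n"
)


def fd_survives_exec(fd: int, close_on_exec: bool) -> bool:
    """Exec a fresh interpreter and report whether `fd` is still open in it.

    close_fds=False reproduces classic exec semantics: every descriptor that
    lacks FD_CLOEXEC is passed along, whether or not the child should have it.
    """
    os.set_inheritable(fd, not close_on_exec)   # toggles FD_CLOEXEC on POSIX
    proc = subprocess.run(
        [sys.executable, "-c", PROBE, str(fd)],
        close_fds=False,            # do not let subprocess scrub the fd table
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    return proc.returncode == 0


def demo() -> dict:
    """Open a descriptor the parent never meant to share and probe both ways."""
    r, w = os.pipe()                # constructed: any open descriptor would do
    try:
        return {
            "leaked_by_default_exec": fd_survives_exec(r, close_on_exec=False),
            "closed_with_cloexec": fd_survives_exec(r, close_on_exec=True),
        }
    finally:
        os.close(r)
        os.close(w)


if __name__ == "__main__":
    print(demo())
```

The point for a kernel designer is the one the slide makes: in Unix the authorization decision (who may hold this descriptor) is made implicitly by whatever the parent happened to leave open, whereas SCOMP has the kernel build each descriptor explicitly for an authorized subject.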


Scomp Architecture


SCOMP Architecture notes

• Accesses to protected resources are mediated using an MLS policy:

– The application requests a hardware descriptor sufficient to access the resource.

– If the request is granted, the security kernel builds the descriptor (object + permissions) and returns a reference to it.

• Isolation/tamperproofing provided by ring mechanism. Rings and transitions are implemented in hardware.

• Verification was part of the process.


SCOMP Hardware 1

• Based on Multics design with two key changes:

– Only four rings, all in hardware.

• Argument addressing mode prevents the confused deputy problem.

– Hardware includes a security protection module (SPM).

• It mediates the main system bus (peripherals and memory).

• Virtual memory interface unit uses SPM to convert between virtual and physical addresses


SCOMP Hardware 2

• Each process includes a descriptor base root:

– References memory and I/O descriptors

– Used for mediating memory and I/O references.

– DMA is authorized on a per-transaction basis.

• I/O descriptors are built by the kernel.

• Hardware does all authorizations.

• Drivers are not part of the kernel! (more efficient and secure)


SCOMP Security Protection Module


Scomp Trusted Operating Program (STOP)

Three components:

– A security kernel. (ring 0)

– A set of trusted software

– A kernel interface package for user applications.


SCOMP Trusted Operating Program Security Kernel

• Memory management, process scheduling, interrupt management, audit and the reference monitor. 10K SLOC, mostly in Pascal.

• Objects consist of processes, segments and devices, each identified by a unique 64-bit id.

• Access control similar to Multics, but ring brackets allow for owner/group/others

• 38 gates to enter ring 0


SCOMP Trusted Software 1

• Two types:

– Trusted not to violate system security or integrity goals: e.g. the secure loader is trusted to load a process for any subject in a way that ensures correct enforcement of information flows.

– Trusted to maintain security policy correctly: e.g. user authentication.

– 23 processes implement trusted functions: 11K SLOC in C


SCOMP Trusted Software 2

• Three kinds of user processes:

– Trusted user processes: login, DAC management, mandatory level selection, process management.

– Trusted operation services: system management, logging, startup, shutdown, set time, etc.

– Trusted maintenance services: modify system data, install new program versions, etc.

• Invoked through a secure communications path directly by the user.


Scomp Kernel Interface Package (SKIP) 1

• Uniform interface for user applications to access trusted functions.

• Two parts

– SKIP functions

– SKIP libraries


Scomp Kernel Interface Package (SKIP) 2

– SKIP functions do trusted operations on user level objects

• Files via a hierarchical file system

• Process management

• Concurrent I/O through an event mechanism

– Allowed to manipulate system state, so trusted not to violate MLS requirements, like trusted software.

– In ring 2, invoked via gates


SCOMP Kernel Interface Package (SKIP) 3

• The SKIP library runs in ring 3 and provides the interface to the SKIP functions.

• There are operations to access files, modify file contents and manage the file hierarchy. File operations are authorized based on the requester's sensitivity level and ring number; sensitivity levels are nondecreasing from the root of the hierarchy downward.

• The library also provides I/O: the device drivers are part of the library, and the handlers also run in the library.
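A toy model of the two mediation rules described on the architecture slide (the kernel builds a descriptor of object plus permissions only for an authorized request) and on this slide (file labels nondecreasing from the root), as an added example that is not SCOMP code or code from the deck. Everything here is an assumption for the illustration: labels are (level, categories) ordered as a lattice, the policy is Bell-LaPadula (no read up, no write down), and each object carries a single `ring_ceiling` standing in for a Multics-style ring bracket. The names `Label`, `Kernel`, `Descriptor`, `FileTree` and `hardware_access` are invented.

```python
"""Toy model of SCOMP-style mediation (constructed illustration, not SCOMP
code). Assumed: labels are (level, categories) ordered as a lattice, the
policy is Bell-LaPadula (no read up, no write down), and each object has a
single 'ring ceiling' standing in for a Multics-style ring bracket."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high and a superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class Obj:
    oid: int            # unique object id (64-bit in SCOMP; a small int here)
    label: Label
    ring_ceiling: int   # highest ring allowed to reference the object (assumed)


@dataclass(frozen=True)
class Descriptor:
    """What the kernel returns on success: the object plus granted permissions."""
    oid: int
    perms: FrozenSet[str]


class Kernel:
    def __init__(self) -> None:
        self.objects: Dict[int, Obj] = {}
        self._next = 1

    def create(self, label: Label, ring_ceiling: int = 3) -> int:
        oid, self._next = self._next, self._next + 1
        self.objects[oid] = Obj(oid, label, ring_ceiling)
        return oid

    def request_descriptor(self, subject: Label, ring: int, oid: int,
                           mode: str) -> Optional[Descriptor]:
        """Mediate one request; None means denied, so no descriptor exists."""
        obj = self.objects[oid]
        if ring > obj.ring_ceiling:
            return None                          # outside the ring bracket
        if mode == "read" and not subject.dominates(obj.label):
            return None                          # simple security: no read up
        if mode == "write" and not obj.label.dominates(subject):
            return None                          # *-property: no write down
        return Descriptor(oid, frozenset({mode}))


def hardware_access(desc: Optional[Descriptor], mode: str) -> bool:
    """Models the SPM check: access succeeds only via a descriptor carrying it."""
    return desc is not None and mode in desc.perms


class FileTree:
    """SKIP-style hierarchy: a child's label must dominate its parent's, so
    sensitivity never decreases on the way down from the root."""

    def __init__(self, kernel: Kernel, root_label: Label) -> None:
        self.kernel = kernel
        self.nodes: Dict[str, int] = {"/": kernel.create(root_label)}

    @staticmethod
    def prefixes(path: str) -> List[str]:
        """'/a/b' -> ['/', '/a', '/a/b']"""
        parts = [p for p in path.split("/") if p]
        return ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]

    def label_of(self, path: str) -> Label:
        return self.kernel.objects[self.nodes[path]].label

    def create(self, path: str, label: Label) -> int:
        parent = self.prefixes(path)[-2]
        if not label.dominates(self.label_of(parent)):
            raise PermissionError(f"{path}: label may not decrease from {parent}")
        self.nodes[path] = self.kernel.create(label)
        return self.nodes[path]

    def open(self, subject: Label, ring: int, path: str,
             mode: str) -> Optional[Descriptor]:
        """Lookup needs a read descriptor on every directory above the leaf;
        with nondecreasing labels a subject cleared for the leaf is cleared
        for the whole path, so lookup never fails part-way."""
        for d in self.prefixes(path)[:-1]:
            if self.kernel.request_descriptor(subject, ring, self.nodes[d],
                                              "read") is None:
                return None
        return self.kernel.request_descriptor(subject, ring, self.nodes[path], mode)
```

Two properties worth noticing when running it: a descriptor granted for reading carries no write permission, so `hardware_access` denies a write through it even though the kernel was consulted; and an attempt to create a child whose label is lower than its parent's is refused at creation time, which is what keeps the "nondecreasing from the root" invariant true for every later lookup.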


Scomp Applications

• Unix??

• Mail guard

• Secure Office Management System


Scomp Evaluation 1: Complete Mediation

• How does the reference monitor interface ensure that all security operations are mediated correctly?

– All mediation done in hardware

• Does the reference monitor interface mediate security-sensitive operations on all system resources?

– Initial access to file data depends on access to I/O

• How do we verify that the reference monitor provides complete mediation?

– Hardware.


Scomp Evaluation 2: Tamperproof

• How does the system protect the reference monitor, including its protection system, from modification?

– Protection rings, but the protection is not complete, due to practical necessity.

• Does the protection system protect the trusted computing base programs?

– Also protection rings


Scomp Verification: Verifiable

• What is the basis for the correctness of the system's TCB?

– Verified with formal analysis tools

• Does the protection system enforce the system's security goals?

– Also verified for correctness.


Gemini Secure Operating System


GEMSOS Security Kernel Layers


Summary