Operating System Security

Three major tasks

Operating systems must provide efficient
resource mechanisms
It is the operating systems responsibility to
switch among the processes fairlyScheduling
Access to resources should be controlled,
such that one process cannot inadvertently
or maliciously impact the execution of
another.

 Ensuring the secure execution of all processes depends

on the correct implementation of resource and scheduling
mechanisms.
scheduling mechanisms must ensure availability of
resources to processes
Security becomes an issue because processes in
modern computer systems interact in a variety of ways,
and the sharing of data among users is a fundamental
use of computer systems.
First, the output of one process may be used by other
processes.
Second With the ubiquity of Internet-scale sharing
mechanisms, such as e-mail, the web, and instant
messaging, users may share anything with anyone in
the world

The current state of operating systems security takes two

forms:
(1) constrained systems that can enforce security goals
with a high degree of assurance and
(2) general-purpose systems that can enforce limited
security goals with a low to medium degree of assurance.

Security Goal
A secure operating system provides security mechanisms that
ensure that the system's security goals are enforced
despite the threats(threat model) faced by the system and
given a set of software, including the security mechanisms,
that must be trusted(i.e., a trust model).
A high degree of assurance in enforcement have been
called secure systems, or even more frequently trusted
Systems
A security goal defines the operations that can be executed
by a system while still preventing unauthorized access.
Security goals describe how the system implements
accesses to system resources that satisfy the following:
1. Secrecy,
2. Integrity,
3. Availability.

A security goal
-defines a requirement that the systems design can
satisfy and that a correct implementation must
A system access is traditionally stated in terms of which
subjects (e.g., processes and users) can perform which
operations (e.g., read and write) on Objects
objects may contain secrets that not all subjects are
permitted to know secrecy.
limit the objects that subjects can write because objects
may contain information that other subjects depend on
for their correct operation Integrity
limit the system resources (e.g., storage and CPU) that
subjects may consume Availability

Examples
Bell-LaPadula model
This goal states that a process cannot read an object
whose secrecy classification is higher than the processs.
This goal limits operations based on a security
requirement, secrecy
The principle of least privilege which limits a process to
only the set of operations necessary for its execution.
This goal is functional because encourages functional
restrictions that may prevent some attacks

TRUST MODEL
Trusted computing base (TCB)--the set of software and
data upon which the system depends for correct
enforcement of system security goals.
Minimal amount of software necessary to enforce the
security goals correctly
- the software that defines the security goals
- the software that enforces the security goals (i.e.,
the operating systems security mechanism).
- the software that bootstraps this software must also
be trusted.

 The enforcement mechanism is run within the operating

system the operating system depends on a variety of
programs to authenticate the identity of users
Trust model requires that:
(1) the system TCB must mediate all security-sensitive
operations;
(2)verification of the correctness of the TCB software
and its data;
The level of trust in TCB software can vary from software
that is
formally-verified (partially), fully-tested, and
reviewed to that which the user community trusts to
perform its appointed tasks.
(3) verification that the softwares execution cannot be
tampered by processes outside the TCB

THREAT MODEL
A set of operations that an attacker may use to compromise
a system
Attacker - who is capable of injecting operations from the
network and may be in control of some of the running
software on the system
- work to violate the system security goals
- provides access to secret information(i.e., violate secrecy
goals)
- permits the modification of information that subjects depend
on (i.e.,violate integrity goals)
The attacker may try any and all operations that are
permitted to the attacker
- If it can only access the system via the network, then the attacker may
try to send any operation to any processes that provide network access

This threat model exposes a fundamental weakness in

commercial operating systems (e.g.,UNIX and windows);
- they assume that all software running on behalf of a
subject is trusted by that subject
- commercial systems trust any user process to manage the
access of that users data (e.g., to change access rights to a
users files via chmod in a UNIX system)
Task of secure OS developer
To protect the TCB from the types of threats
Ensures that the system security goals will always be enforced
regardless of the behaviour of user processes
Identify threats, assess their impact on system security, and
provide effective countermeasures for such threats
must ensure that all the components of the trusted computing
base prevent such threats correctly

Access Control
An access enforcement mechanism authorizes requests
from multiple subjects (e.g. users, processes, etc.) to
perform operations (e.g., read, write, etc.) on objects
(e.g., files, sockets, etc.).
Two fundamental concepts of access control:
1. A protection system that defines the access control
specification
2. A reference monitor that is the systems access
enforcement mechanism that enforces this specification.

Protection system
A protection system consists of a protection state, which describes the
operations that system subjects can perform on system objects, and a
set of protection state operations, which enable modification of that
state.
A protection state consists of the specific system subjects, the specific
system objects, and the operations that those subjects can perform on those
objects.

LAMPSONS ACCESSMATRIX
a protection state is represented by an access matrix
An access matrix consists of a set of subjects s S, a
set of objects o O, a set of operations op OP, and a
function ops(s, o) OP, which determines the
operations that subjects can perform on object o. The
function ops(s, o) is said to return a set of operations
corresponding to cell (s, o).

 update the protection state as new files and processes

are created
defines operations that determine which subjects can
modify cells
- When a subject is permitted for the own operation
for an object o, that subject can modify the other cells
associated with that object o
used to define the protection domain of a process
- A protection domain specifies the set of resources
(objects) that a process can access and the operations
that the process may use to access such resources

Other representations of protection states

Because the access matrix would be a sparse data
structure
Access control list or ACL
- stores the protection state using individual object
columns, describing which subjects have access to a
particular object
- easy to tell which subjects can access an object at any
time
Capability list or C-List
- the objects that a particular subject can access are
stored
- easy to identify a processs protection domain

Problems with access matrix

Untrusted processes can tamper with the protection system.
A protection system that permits untrusted processes to modify the
protection state is called a discretionary access control (DAC)
system.

Mandatory protection system

A mandatory protection system is a protection system that can only be
modified by trusted administrators via trusted software, consisting of
the following state representations:
A mandatory protection state is a protection state where subjects and
objects are represented by labels where the state describes the
operations that subject labels may take upon object labels;
A labeling state for mapping processes and system resource objects to
labels;
A transition state that describes the legal ways that processes and
system resource objects may be relabeled.
- Labels are tamperproof because:
(1) the set of labels is defined by trusted administrators using trusted
software
(2) the set of labels is immutable

Mandatory access control

A labeling state assigns labels to new subjects and objects.

A transition state enables a secure operating system to change

the label of a process or a system resource.

Reference Monitor
Takes a request as input, and returns a binary response
indicating whether the request is authorized by the
reference monitors access control policy
Three distinct components of a reference monitor:

(1) its interface;

(2) its authorization module; and (3) its policy store
Reference Monitor Interface

- defines where the authorization module needs to be

invoked to perform an authorization query to the protection
state, a labeling query to the labeling state, or a transition
query to the transition state

 determine
- what to authorize (e.g., directory searches, link traversals, and
finally the operations for the target files inode),
- where to perform such authorizations (e.g., authorize
a directory search for each directory inode in the file path)
- what information to pass to the reference monitor to authorize
the open (e.g., an inode reference)
Authorization Module
- takes interfaces inputs (e.g., process identity, object
references, and system call name), and converts these to a
query for the reference monitors policy store.
1. map the process identity to a subject label
2. the object references to an object label,
3. determine the actual operations to authorize (e.g., there may
be multiple operations per interface)

Policy Store
The policy store is a database for the protection state,
labeling state, and transition state.
An authorization query
- These queries are of the form {subject_label,
object_label, operation_set} and return a binary
authorization reply.

Labeling queries are of the form {subject_label, resource}

Transition query - {subject_label, object_label, operation,

resource}

SECUREOPERATING SYSTEMDEFINITION
Asecure operating system is an operating system where
its access enforcement satisfies the reference monitor
concept
The reference monitor concept defines the necessary and
sufficient properties of any system that securely enforces a
mandatory protection system, consisting of three
guarantees:
1. Complete Mediation: The system ensures that its
access enforcement mechanism mediates all securitysensitive operations.
2. Tamperproof: The system ensures that its access
enforcement mechanism, including its protection system,
cannot be modified by untrusted processes.

3. Verifiable:The access enforcement mechanism, including

its protection system,must be small enough to be
subject to analysis and tests, the completeness of which
can be assured

Assessment criteria
1. Complete Mediation: How does the reference monitor interface
ensure that all securitysensitive operations are mediated
correctly?
2. Complete Mediation: Does the reference monitor interface
mediate security-sensitive operations on all system resources?
3. Complete Mediation: How do we verify that the reference
monitor interface provides complete mediation?
4. Tamperproof: How does the system protect the reference
monitor, including its protection system, from modification?
6. Verifiable:What is basis for the correctness of the systems
trusted computing base?
7. Verifiable: Does the protection system enforce the systems
security goals?

MULTICS
First modern operating system
Large, long-term operating system project where many of our
fundamental operating systems concepts, including those for
secure operating systems, were invented
-segmented and virtual memory,
- shared memory multiprocessors,
- hierarchical file systems,
- online reconfiguration among others.

For secure operating systems

- the ideas of the reference monitor, protection systems, protection domain
transitions, and multilevel security policies

MULTICS FUNDAMENTALS
A layered architecture - access named system resources
that are organized hierarchically
processes- the executable contexts in Multicsprogram
code
segments- All code, data, I/O devices, etc. accessed by a
process
- organized into a hierarchy of directories
A processs protection domain defines the segments that
it can access
- consists of the segments that could be loaded into its
descriptor segment and the operations that the process
could then perform on those segments

Each process is associated with its own descriptor segment that

contains a set of segment descriptor words (SDWs) that refer to all
the segments that the process can directly access.

When Multics process requests a segment that is not already in its

descriptor segment - using what is analogous to a file path

MULTICS SECURITY FUNDAMENTALS

User log in to a Multics system
user login requires that a component of the trusted
computing base (TCB) verify the users password
User logins are implemented by a process called the
answering service.
To authenticate the user, the answering service retrieve the
password segment from the file system by loading the
password SDW into its descriptor segment.
If authorized, a SDW for the password segment is loaded
into the answering services descriptor segment.
If the user and password match, then the answering service
creates a user process with the appropriate code and data
segments for running on behalf of that user.

Supervisor The loading and subsequent use of the password

segment authorized
Implements the most trusted functionality
Isolated from other processes by protection rings- a
hierarchical layering from the most privileged ring, ring 0
where the most-privilege code
- No process running in a higher ring can modify lower
ring segments
- protect the supervisor from malicious input in these
calls

Segment Descriptor Word

The SDW contains the address of the segment in memory,
length,
ring brackets,
processs permissions (rwe) for this segment, and,
for code segments, the number of gates defined
When the process references an SDW, its ring bracket
limits access based on the current ring in which the
process is running.
The process permissions (rwe) limit the operations that
the process can ever perform on this segment

MULTICS PROTECTION SYSTEM MODELS

three different, interacting models
1. Access Control List each object (i.e., segment or directory) is associated with its
own access control list (ACL).
- entry specifies a user identity of processes and the
operations that processes with that identity can perform on
this object
Segments and directories have different operation sets.
For Segments: read (r), written (w), or executed (e),
For directories: obtain the status of the entry (s), modify an
entry(m), or append an entry to the directory(a)
The ACLs for a segment are stored in its parent directory, so
access is checked at the parent determine

 If the user associated with the process has an entry in the

ACL that permits the requested operations.
If so, the reference monitor authorizes the construction of
an SDW with those operations

Example
Segment
rew Jaeger.SysAdmin.*
rBackup.SysDaemon.*
rw *.SysAdmin.*

Directory
Sma Jaeger.SysAdmin.*
S Backup.SysDaemon.*
Sm *.SysAdmin.*

2. Rings and Brackets

limits access based on the protection ring of the process
a segments access bracket defines the ranges of rings that
can read and write to a segment.
- access bracket - specified by a range of rings (r1, r2)
where r1 r2 (i.e., r1 is more privileged than r2).

Suppose a process is running in ring r, then the access

rights of that process to a segment with an access bracket
of (r1, r2) are determined by:

If r < r1, then the process can read and write to the segment.
If r1 r r2, then the process can read the segment only.
If r2 < r, then the process has no access to the segment.
ensures that lower rings (i.e., more privileged) have strictly
greater access to segments than the higher rings.

 uses rings to control the invocation of code segments.

call bracket
- determine how a process in ring r invokes a code
segment.
The call bracket is (r2, r3), where r2 is same r2 as in the
access bracket and r2 r3.
If a process at ring r tries to invoke a code segment with
an access bracket of (r1, r2) and a call bracket of (r2, r3),
the following cases are possible:
If r < r1, then the process can execute the code segment,
but there is a ring transition from r to a lower privileged
ring r1 r r2 specified by the segment
If r1 r r2, then the process invokes the code segment
in its current ring r (i.e., no ring transition).

 If r2 r r3, then the process can execute the code

segment, there is a ring transition from r to the higher
privileged ring r if authorized by the gates in the code
segments SDW.
If r3 < r, then the process cannot invoke the code
segment.

3. Multilevel Security(MLS)
prevents a subject from reading data that is more secret than
the subject or writing data to less secret objects
each directory stores a mapping from each segment to a
secrecy level and between each process and its secrecy level
A request is authorized if one of three conditions met:
1. Write: The process requests write access only and the level of the
segment/directory is greater than (i.e., dominates) or equal to the
level of the process.
2. Read: The process requests read access only and the level of the
segment/directory is less than (i.e., dominated by) or equal to the
level of the process.
3. Read/Write: The process requests read and write access and the
level of the segment/directory is the same as the process or the
process is designated as trusted.

Multics Protection System

Read and write request
An execute request
- the call bracket is used instead of the access bracket,
transition from the processs current ring r
when this process invokes a code segment with a call
bracket where r < r1, then the process must transition to r
(i.e., a lower-privileged ring).
when this process invokes a code segment with a call
bracket where r2 r r3, then the process must use one of
the valid segment gates as an entry point and transition to r
Both the ACL and ring bracket policies --discretionary access
control policies.
MLS policy is nondiscretionary or mandatory.

MULTICS REFERENCE MONITOR

implemented by the supervisor.
In addition to protection state queries, the supervisor
also performs protection domain transitions by changing
the processs ring
transitions require entry through a special gate segment
that verifies: (1) the number of arguments expected; (2)
the data typeon each argument; and (3) access
requirements for each argument (e.g., read only or readwrite).
The gate segment, also called a gatekeeper, aims to
protect the invoked code from potentially malicious input
from lower-privileged code.

 The transition to a lower-privileged ring also generates some

security issues. In this case, we
leak information as a result of the call to a lower-privileged
ring and that the higher privileged code must protect itself on
a return.
each segment in which an argument is contained must be
accessible to the called procedure.
The caller must be careful not to copy unauthorized
information, such as private keys, that the less-privileged
code may be able to use to impersonate the higherprivileged code.
Multics enables the caller to provide a gate for the return,
called a return gate.
While supervisor functions are implemented in rings 0 and 1,
the fundamental reference monitor services are all in ring 0