Computer Security PRESENTATION CHAPTER 5

The document summarizes key aspects of designing trusted operating systems from a security perspective. It discusses four main requirements: security policies, models, design, and trust. It also outlines several security features important for trusted operating systems, including mandatory access control, discretionary access control, object reuse protection, and complete mediation. Finally, it discusses the importance of assurance methods like testing, penetration testing, and formal verification to evaluate the trustworthiness of an operating system.

Uploaded by

awankilat

TEAM R H osmah idup

Computer Security: Chapter 5 (Designing Trusted Operating Systems)
Presented by: Harikeesh A/L Mohanan, Mohan A/L Selvaraj, Ong Zheng Young, Sahfrie Yue Chai
Trusted Operating Systems
Four Requirements from the Designer's Perspective
• Security Policy
– A set of rules that lays out what is to be secured and why.
– A statement of the security we expect the system to enforce.
• Model
– Construct a model of the environment to be secured.
– The model represents the policy to be enforced.
• Design
– How do you implement the security policy?
– There are several choices to choose from.
• Trust
– Users' assurance that the OS meets their security expectations.
– The OS will enforce security correctly.
Security Policies
Military Security Policy
• Based on protecting classified information
• Information is ranked at different sensitivity levels, e.g.
– Unclassified
– Restricted
– Confidential
– Secret
– Top Secret
Figure 5-1  Hierarchy of Sensitivities.
• Each piece of classified information may be associated with one or more projects, called compartments.
• A compartment may include information at only one or at several sensitivity levels
Figure 5-2  Compartments and Sensitivity Levels.
Models Of Security
• Why study models of computer security?
– To determine the policies a secure system should enforce
– To understand the properties of protection systems
• Models are essential in the design of security policies
• Multilevel Security
– Lattice Model of Access Security
– Bell–La Padula Confidentiality Model
– Biba Integrity Model
• Models Proving Theoretical Limitations of Security Systems
– Graham–Denning Model
– Harrison–Ruzzo–Ullman Results
– Take–Grant Systems
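The sensitivity levels and compartments of the military security policy form the lattice that the Bell–La Padula and Biba models are checked against. The following is an added example (not part of the slides or the textbook's code) that implements the dominance relation over (level, compartment set) labels and the four "no read up / no write down" and "no read down / no write up" checks; the class and function names are this example's own.

```python
# Added example: the military security lattice and the Bell-La Padula
# (confidentiality) and Biba (integrity) access checks built on it.
from dataclasses import dataclass, field

# Sensitivity levels from lowest to highest, in the order of Figure 5-1.
LEVELS = ["Unclassified", "Restricted", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A (sensitivity level, set of compartments) pair attached to a subject or object."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: level is higher or equal AND
        self's compartments are a superset of other's.  Two labels can be
        incomparable (neither dominates), e.g. Secret/{a} vs Confidential/{b}."""
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)


def blp_can_read(subject: Label, obj: Label) -> bool:
    """Bell-La Padula simple security property ("no read up")."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """Bell-La Padula *-property ("no write down"): object must dominate subject."""
    return obj.dominates(subject)


def biba_can_read(subject: Label, obj: Label) -> bool:
    """Biba integrity ("no read down"): object's integrity must dominate subject's."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """Biba integrity ("no write up"): subject's integrity must dominate object's."""
    return subject.dominates(obj)


if __name__ == "__main__":
    # Constructed sample labels.
    analyst = Label("Secret", frozenset({"crypto"}))
    memo = Label("Confidential", frozenset({"crypto"}))
    plan = Label("Secret", frozenset({"crypto", "nuclear"}))
    print(blp_can_read(analyst, memo))   # True: Secret/{crypto} dominates Confidential/{crypto}
    print(blp_can_read(analyst, plan))   # False: analyst lacks the "nuclear" compartment
    print(blp_can_write(analyst, memo))  # False: writing down would leak Secret data
```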
Trusted System Design Elements
• Design Principles for Good Security
– Least privilege. Users and programs should use the fewest privileges possible to minimize malicious attack
– Economy of mechanism. The protection system should be small, simple, and straightforward
– Open design. The protection mechanism should be public, depending on secrecy of relatively few key items, such as a password table
– Complete mediation. Every access attempt must be checked
– Permission-based. The default condition should be denial of access
– Separation of privilege. Access to objects should depend on more than one condition, e.g. authentication plus a cryptographic key
– Least common mechanism. Shared objects provide potential channels for information flow. Systems employing physical or logical separation reduce the risk from sharing
– Ease of use. If a protection mechanism is easy to use, it is unlikely to be avoided
Security Features of Trusted Operating Systems
• Regular OS – addresses features only
• Trusted OS – addresses features and assurance (Figure 5-11)
Figure 5-11  Security Functions of a Trusted Operating System.
Key Features of Trusted Operating Systems
• User Identification and Authentication
– Know who is requesting access and verify their identity
• Mandatory Access Control
– Access control policy decisions are beyond the control of the individual user
• Discretionary Access Control
– The owner determines who should have access rights to an object and what those rights should be
• Object Reuse Protection
– Control over reusable resources so that their reuse does not become a serious vulnerability
• Complete Mediation
– All accesses are controlled
Key Features of Trusted Operating Systems
• Trusted Path
– Allows users to supply protected information only to legitimate receivers
• Accountability and Audit
– Create an audit log – list events and the people responsible for additions, deletions and changes
• Audit Log Reduction
– The audit log may be too difficult to handle, owing to its volume and the analysis required
– The problem is simplified by auditing only the opening (first access to) and closing (last access to) of files or similar objects
– Objects such as individual memory locations, hardware registers, and instructions are not audited
• Intrusion Detection Software
– Builds patterns of normal system usage and triggers an alarm when usage seems abnormal
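The audit log reduction described above, as an added example that is not from the slides: a verbose per-access log is collapsed to one "open" (first access) and one "close" (last access) event per subject/object pair, and non-file objects such as registers are not audited at all. The log format, sample lines and function names are constructed for this example.

```python
# Added example: audit log reduction to open/close events per (subject, object).
from collections import OrderedDict

# Constructed sample log, one access per line: "<seq> <subject> <object> <action>".
# Objects whose names start with "/" are files; "reg:..." is a hardware register.
SAMPLE_LOG = """\
1 alice /etc/passwd read
2 alice /etc/passwd read
3 bob /var/log/auth.log read
4 alice /etc/passwd write
5 alice reg:r0 read
6 bob /var/log/auth.log read
7 alice /etc/passwd read
8 carol /home/carol/notes read
this line is malformed and is skipped
"""


def parse_log(text):
    """Yield (seq, subject, object, action) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2], parts[3]


def is_audited_object(obj):
    """Only files or similar objects are audited; registers, memory locations
    and instructions (anything not under "/") are dropped before reduction."""
    return obj.startswith("/")


def reduce_audit_log(text):
    """Return [(seq, subject, object, "open"|"close")] sorted by sequence number.

    Each (subject, object) pair keeps only its first access ("open") and its
    last access ("close"); a single access yields both with the same seq.
    """
    first, last = OrderedDict(), {}
    for seq, subj, obj, _action in parse_log(text):
        if not is_audited_object(obj):
            continue
        first.setdefault((subj, obj), seq)
        last[(subj, obj)] = seq
    events = []
    for (subj, obj), seq in first.items():
        events.append((seq, subj, obj, "open"))
        events.append((last[(subj, obj)], subj, obj, "close"))
    # Order by sequence number; an "open" precedes a "close" with the same seq.
    events.sort(key=lambda e: (e[0], e[3] != "open"))
    return events
```

Running `reduce_audit_log(SAMPLE_LOG)` turns eight raw accesses into six open/close events, with the register access and the malformed line discarded.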
Virtualization
• Virtualization
– The operating system emulates or simulates a collection of a computer system's resources (processor, storage, and some I/O devices)
– Allows users to access complex objects in a carefully controlled manner
Figure 5-18  Conventional Operating System.
• Virtual Machine
– A collection of real or simulated hardware facilities
– A virtual machine gives the user a full set of hardware features (a complete machine) that may be substantially different from the real machine
– Virtual memory gives the user a memory space that is logically separated from real memory and may be larger than real memory
Figure 5-19  Virtual Machine.
Assurance in Trusted Operating Systems
• Assurance methods – ways of convincing others that a model, design, and implementation are correct
– Testing
• A widely accepted assurance technique
• Conclusions are based on the actual product tested
– Penetration testing
• Also called tiger team analysis or ethical hacking
• Experts attempt to crack the system being tested
– Formal verification
• The most rigorous method of analyzing security
• Confirms whether the operating system provides the security features it should and nothing else.
Evaluating Trustworthiness of an Operating System
• Desirable Qualities
– Extensibility – Can the evaluation be extended as the product is enhanced?
– Granularity – Does the evaluation look at the product at the right level of detail?
– Speed – Can the evaluation be done quickly enough to allow the product to compete in the marketplace?
– Thoroughness – Does the evaluation look at all relevant aspects of the product?
– Objectivity – Is the evaluation independent of the reviewer's opinions?
– Portability – Does the evaluation apply to the product no matter what platform the product runs on?
– Consistency – Do similar products receive similar ratings?
– Compatibility – Could a product be evaluated similarly under different criteria?
– Exportability – Could an evaluation under one scheme be accepted as meeting all or certain requirements of another scheme?
So that's all for Chapter 5,
THANKS FOR WATCHING