Unit-4 OS

The document provides an overview of operating system security, emphasizing the importance of resource mechanisms, scheduling, and security in ensuring safe execution of processes. It outlines security goals such as secrecy, integrity, and availability, and discusses the trust model and access control fundamentals necessary for maintaining system security. Additionally, it introduces various security models, including the Bell-LaPadula and Biba models, which define rules for confidentiality and integrity in data access.

UNIT-4

INTRODUCTION TO OS SECURITY
Introduction to security
 Any program that is run on a computer system has instructions executed by that computer’s CPU, but these programs may also require the use of other peripheral resources of these complex systems.
 To build any successful operating system, we identify three major tasks. First, the operating system must provide various mechanisms that enable high-performance use of computer resources.
 Resource mechanisms
 Scheduling
 Security

 Operating systems must provide efficient resource mechanisms, such as file systems, memory management systems, network protocol stacks, etc., that define how processes use the hardware resources.
 Second, it is the operating system’s responsibility to switch among the processes fairly, such that the user experiences good performance from each process in concert with access to the computer’s devices. This second problem is one of scheduling access to computer resources.
Introduction to OS security
 Third, access to resources should be controlled, such that one process cannot inadvertently or maliciously impact the execution of another. This third problem is the problem of ensuring the security of all processes run on the system.
 Ensuring the secure execution of all processes depends on the correct implementation of resource and scheduling mechanisms.
SECURE OPERATING SYSTEMS

 The ideal goal of operating system security is the development of a secure operating system.
 A secure operating system provides security mechanisms that ensure that the system’s security goals are
enforced despite the threats faced by the system.
 The security mechanisms must ensure these goals regardless of the possible ways that the system may
be misused (i.e., is threatened) by attackers.
SECURITY GOALS
 A security goal defines the operations that can be executed by a system while still preventing unauthorized access.
 Security goals describe how the system implements accesses to system resources that satisfy the following:
 Secrecy
 Integrity
 Availability
 A system access is traditionally stated in terms of which subjects (e.g., processes and users) can perform
which operations (e.g., read and write) on which objects (e.g., files and sockets).
 Secrecy requirements limit the objects that individual subjects can read because objects may contain
secrets that not all subjects are permitted to know.
 Integrity requirements limit the objects that subjects can write because objects may contain
information that other subjects depend on for their correct operation.
SECURITY GOALS
An example of a goal defined in terms of security requirements is the simple security property of the Bell-LaPadula model.
The task of the secure operating system developer is to define security goals for which the security of the system can be verified, so functional goals are insufficient.
 Emerging technology, such as virtual machine technology, enables multiple commercial software systems to be run in an isolated manner on the same hardware.
Thus, software that used to be run on the same system can be run in separate, isolated virtual systems.
Security policy
What is security policy?
 Security policies in a computer system refer to a set of rules, guidelines, and permissions that govern access to system resources.
 These policies define how users, processes, or entities interact with the system and its components.
• Access Control
• Authentication and Authorization
• Confidentiality, Integrity, and Availability
 Confidentiality: Protect sensitive information from unauthorized access.
 Integrity: Ensure data remains accurate and unaltered.
 Availability: Ensure resources are accessible when needed.
TRUST MODEL
 A system’s trust model defines the set of software and data upon which the system depends for correct enforcement of system
security goals.
 For an operating system, its trust model is synonymous with the system’s trusted computing base (TCB).
• A system TCB should consist of the minimal amount of software necessary to enforce the security goals correctly.
• The Trusted Computing Base (TCB) plays a critical role in ensuring the security of a computer system.
• What is the Trusted Computing Base (TCB)?
• The TCB refers to the set of components within a computer system that are essential for establishing and maintaining system-wide information security policies. These components include hardware, firmware, and software. Here are the key points about the TCB:
1. Foundation for Security:
   1. The TCB serves as the foundation for a system’s security.
   2. It enforces security policies, ensuring that critical security mechanisms are in place.
2. Components Included:
   1. Hardware components (such as processors, memory, and storage devices).
   2. Firmware (e.g., BIOS, firmware controlling peripheral devices).
   3. Software (including the operating system kernel and security-critical processes).
Trust model
3. Not Necessarily Secure:
   1. Contrary to the usual connotations of the word “trust,” a “trusted” component within the TCB is not necessarily secure or trustworthy.
   2. In this context, “trusted” simply means critical to security within the system.
4. Extra Scrutiny:
   1. Any component within the TCB should undergo extra scrutiny.
   2. We must ensure that each trusted component merits the trust placed in it.
Access Control Fundamentals

 An access enforcement mechanism authorizes requests (e.g., system calls) from multiple subjects (e.g.,
users, processes, etc.) to perform operations (e.g., read, write, etc.) on objects (e.g., files, sockets, etc.).

PROTECTION SYSTEM:
 The security requirements of an operating system are defined in its protection system.
 A protection system consists of a protection state, which describes the operations that system subjects can
perform on system objects, and a set of protection state operations, which enable modification of that
state.
LAMPSON’S ACCESS MATRIX

 Lampson defined the idea that a protection state is represented by an access matrix, in general.
 An access matrix consists of a set of subjects s ∈ S, a set of objects o ∈ O, a set of operations op ∈ OP, and a function ops(s, o) ⊆ OP, which determines the operations that subject s can perform on object o. The function ops(s, o) is said to return a set of operations corresponding to cell (s, o).

            File 1   File 2       File 3       Process 1   Process 2
Process 1   Read     Read, Write  Read, Write  Read        -
Process 2   -        Read         Read, Write  -           Read


LAMPSON’S ACCESS MATRIX
 If the subjects correspond to processes and the objects correspond to files, then we need protection
state operations to update the protection state as new files and processes are created.
 For example, when a new file is created, at least the creating process should gain access to the file.
 In this case, a protection state operation create_file(process, file) would add a new column for the new
file and add read and write operations to the cell (process, file).
 A protection domain specifies the set of resources (objects) that a process can access and the operations
that the process may use to access such resources.
 By examining the rows in the access matrix, one can see all the operations that a subject is authorized to perform on system resources. This determines what information could be read and modified by processes running on behalf of that subject.
 For a secure operating system, we will want to ensure that the protection domain of each process
satisfies system security goals (e.g., secrecy and integrity).
 One representation stores the protection state using individual object columns, describing which
subjects have access to a particular object. This representation is called an access control list or ACL.
 The other representation stores the other dimension of the access matrix, the subject rows: for each subject, the objects that the subject can access are stored. This representation is called a capability list or C-List.
 There are advantages and disadvantages to both the C-List and ACL representations of protection
states.
 For the ACL approach, the set of subjects and the operations that they can perform are stored with the
objects, making it easy to tell which subjects can access an object at any time.
MANDATORY PROTECTION SYSTEMS
 This access matrix model presents a problem for secure systems: untrusted processes can tamper
with the protection system.
 Using protection state operations, untrusted user processes can modify the access matrix by adding
new subjects, objects, or operations assigned to cells.
 A protection system that permits untrusted processes to modify the protection state is called a
discretionary access control (DAC) system.
 The problem of ensuring that a particular protection state, and all possible future protection states derivable from this state, will not provide an unauthorized access is called the safety problem.
 A mandatory protection system is a protection system that can only be modified by trusted
administrators via trusted software, consisting of the following state representations:
 A mandatory protection state is a protection state where subjects and objects are represented by
labels where the state describes the operations that subject labels may take upon object labels;
 A labeling state for mapping processes and system resource objects to labels;
 A transition state that describes the legal ways that processes and system resource objects
may be relabeled.
Information flow
• An information flow occurs between a subject s ∈ S and an object o ∈ O if the subject performs a read or
write operation on the object.
• The information flow s → o is from the subject to the object if the subject writes to the object.
• The information flow s ← o is from the object to the subject if the subject reads from the object.
• Information flow represents how data moves among subjects and objects in a system. When a subject (e.g., process) reads from an object (e.g., a file), the data from the object flows into the subject’s memory.
• If there are secrets in the object, then information flow shows that these secrets may flow to
the subject when the subject reads the object.
• However, if the subject holds the secrets, then information flow also can show that the subject
may leak these secrets if the subject writes to the object.
• Note that every operation on an object is either an information flow read (i.e., extracts data from the
object), an information flow write (i.e., updates the object with new data), or a combination of both.
Information flow
• An information flow graph for a protection state is a directed graph G = (V, E) where: (1) the set of
vertices V consists of the union of the set of subjects and set of objects in the protection state and (2)
the set of directed edges E consists of each read and write information flow in the protection state.
• An information flow graph for a protection state can be constructed as follows. First, we create a vertex
for each subject and object in the protection state.
• Then, we add the information flow edges. To do this, we determine whether each operation in the
protection state results in a read, write, or combination information flow.
• Then, we add an information flow edge from a subject vertex to an object vertex when the subject has
permission to a write information flow operation for the object in the protection state.
• Likewise, we add an information flow edge from an object vertex to a subject vertex when the subject
has permission to a read information flow operation in the protection state.
Information flow graph
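The construction just described, as an added example that is not part of the original slides: a protection state is turned into its information flow graph G = (V, E) and then searched for a path, so the kind of Trojan horse leak the slides discuss (a process allowed to read a secret file and write a public one that another process reads) appears as reachability from the secret object to the other subject. The operations other than read and write in FLOW_OF, and the sample protection state, are constructed for this illustration.

```python
# Added example, not from the slides: build the information flow graph
# G = (V, E) of a protection state and ask whether data can flow from one
# vertex to another along read/write edges.
from collections import deque

# Classification of operations into information flow direction. "append",
# "execute" and "update" are assumed here for illustration; the slides name
# only read and write.
FLOW_OF = {
    "read":    {"read"},
    "write":   {"write"},
    "append":  {"write"},
    "execute": {"read"},           # running a program extracts its contents
    "update":  {"read", "write"},  # read-modify-write: a flow in both directions
}


def information_flow_graph(protection_state):
    """protection_state: {(subject, object): set_of_operations}.
    Returns (vertices, edges); an edge is (from, to):
    subject -> object for a write flow, object -> subject for a read flow."""
    vertices, edges = set(), set()
    for (s, o), ops in protection_state.items():
        vertices.update((s, o))
        for op in ops:
            for flow in FLOW_OF.get(op, set()):
                edges.add((s, o) if flow == "write" else (o, s))
    return vertices, edges


def can_flow(edges, source, sink):
    """Breadth-first search: is there a directed path source -> ... -> sink?"""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, set()).add(b)
    seen, queue = {source}, deque([source])
    while queue:
        v = queue.popleft()
        if v == sink:
            return True
        for w in succ.get(v, ()):
            if w not in seen:
                seen.add(w)
                queue.append(w)
    return False


def trojan_horse_state():
    """Constructed DAC-style state: alice's process may read her secret file and
    write a public file; mallory's process may only read the public file."""
    return {
        ("alice_proc",   "secret.txt"): {"read"},
        ("alice_proc",   "public.txt"): {"write"},
        ("mallory_proc", "public.txt"): {"read"},
    }
```

can_flow() over this state finds the path secret.txt -> alice_proc -> public.txt -> mallory_proc even though no single cell grants mallory_proc any access to secret.txt; that is what the per-object view of UNIX-style permissions misses.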
INFORMATION FLOW SECRECY MODELS
• For information flow secrecy, we want to ensure that no matter which programs a user runs, she cannot
leak information to an unauthorized subject.
• The classical problem is that the user may be coerced into running a program that contains malware
that actively wants to leak her information.
• For example, a Trojan horse is a type of malware that masquerades as a legitimate program, but
contains a malicious component that tries to leak data to the attacker.
• The access control models of UNIX and Windows cannot prevent such an attack: (1) they do not account for all the information flows that may be used to leak information, and (2) the policies are discretionary, so the malware can modify the policy to introduce illegal information flows.
DENNING’S LATTICE MODEL
• Two information flow model policies: (a) consists of isolated security classes where no information flows among them, and (b) is a totally-ordered sequence of security classes where information flows upwards only.
(Figure: (a) isolated classes u1, u2, u3, ..., ui; (b) totally ordered classes Unclassified, Confidential, Secret, Top-secret, with flow permitted upwards only.)
BELL-LAPADULA MODEL
• Bell-LaPadula
• This model was invented by scientists David Elliot Bell and Leonard J. LaPadula. Thus this model is called the Bell-LaPadula Model. It is used to maintain confidentiality.
• Here, the classification of Subjects (Users) and Objects (Files) is organized in a non-discretionary fashion, with respect to different layers of secrecy.

It has mainly 3 rules:
• SIMPLE CONFIDENTIALITY RULE
• STAR CONFIDENTIALITY RULE
• STRONG STAR CONFIDENTIALITY RULE
3 RULES
• SIMPLE CONFIDENTIALITY RULE: The Simple Confidentiality Rule states that the Subject can only Read the files on the Same Layer of Secrecy and the Lower Layer of Secrecy but not the Upper Layer of Secrecy, which is why this rule is called NO READ-UP.

• STAR CONFIDENTIALITY RULE: The Star Confidentiality Rule states that the Subject can only Write the files on the Same Layer of Secrecy and the Upper Layer of Secrecy but not the Lower Layer of Secrecy, which is why this rule is called NO WRITE-DOWN.

• STRONG STAR CONFIDENTIALITY RULE: The Strong Star Confidentiality Rule is the most restrictive and strongest of the three; it states that the Subject can Read and Write the files on the Same Layer of Secrecy only, and not the Upper Layer of Secrecy or the Lower Layer of Secrecy, which is why this rule is called NO READ WRITE UP DOWN.
INTEGRITY MODEL -BIBA

• This model was invented by scientist Kenneth J. Biba. Thus this model is called the Biba Model. It is used to maintain integrity.
• Here, the classification of Subjects (Users) and Objects (Files) is organized in a non-discretionary fashion, with respect to different layers of secrecy.
• This works as the exact reverse of the Bell-LaPadula Model.
3 RULES
It has mainly 3 rules:
• SIMPLE INTEGRITY RULE: The Simple Integrity Rule states that the Subject can only Read the files on the Same Layer of Secrecy and the Upper Layer of Secrecy but not the Lower Layer of Secrecy, which is why this rule is called NO READ-DOWN.

• STAR INTEGRITY RULE: The Star Integrity Rule states that the Subject can only Write the files on the Same Layer of Secrecy and the Lower Layer of Secrecy but not the Upper Layer of Secrecy, which is why this rule is called NO WRITE-UP.

• STRONG STAR INTEGRITY RULE
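The Bell-LaPadula rules above and the Biba rules just listed, as an added example that is not part of the original slides: each rule becomes a comparison of two labels in a totally ordered set of levels, and a small reference-monitor function looks the labels up in a labeling state before deciding. The level names follow the Denning lattice figure earlier in the unit; the processes, files and their labels are constructed for this illustration, and the strong star check is given only for Bell-LaPadula, which the slides describe.

```python
# Added example, not from the slides: the Bell-LaPadula and Biba rules as
# reference-monitor checks over a totally ordered set of levels. Level names
# follow the Denning lattice figure; the processes and files are constructed.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top-secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def blp_permits(subject_level, object_level, op, strong_star=False):
    """Bell-LaPadula (confidentiality): NO READ-UP (simple rule) and
    NO WRITE-DOWN (star rule). With strong_star=True both operations are
    confined to the subject's own level."""
    s, o = RANK[subject_level], RANK[object_level]
    if strong_star:
        return s == o
    if op == "read":
        return o <= s      # may read the same or a lower layer only
    if op == "write":
        return o >= s      # may write the same or an upper layer only
    raise ValueError(f"unknown operation {op!r}")


def biba_permits(subject_level, object_level, op):
    """Biba (integrity): NO READ-DOWN (simple integrity) and NO WRITE-UP
    (star integrity), the exact reverse of Bell-LaPadula."""
    s, o = RANK[subject_level], RANK[object_level]
    if op == "read":
        return o >= s      # may read the same or an upper layer only
    if op == "write":
        return o <= s      # may write the same or a lower layer only
    raise ValueError(f"unknown operation {op!r}")


MODELS = {
    "blp": blp_permits,
    "blp-strong": lambda s, o, op: blp_permits(s, o, op, strong_star=True),
    "biba": biba_permits,
}

# Constructed labeling state: processes (subjects) and files (objects) -> level.
LABELS = {
    "analyst_proc": "Secret",
    "clerk_proc": "Confidential",
    "plans.doc": "Top-secret",
    "report.doc": "Secret",
    "memo.txt": "Confidential",
    "bulletin.txt": "Unclassified",
}


def mediate(model, labels, subject, obj, op):
    """Reference-monitor decision: look up both labels and apply the model.
    Anything missing from the labeling state is denied (fail closed)."""
    if subject not in labels or obj not in labels:
        return False
    return MODELS[model](labels[subject], labels[obj], op)
```

Under "blp" the Secret-level analyst_proc is refused a write to bulletin.txt, which is exactly the write-down step the information flow Trojan horse needs; under "biba" the same write is allowed but a read of memo.txt is refused instead.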


Clark-Wilson Security Model
• SUBJECT: It is any user who is requesting Data Items.
• CONSTRAINED DATA ITEMS: These cannot be accessed directly by the Subject. They need to be accessed via the Clark-Wilson Security Model.
• UNCONSTRAINED DATA ITEMS: These can be accessed directly by the Subject.
Clark-Wilson Security Model
The Components of the Clark-Wilson Security Model

• TRANSFORMATION PROCESS: Here, the Subject’s request to access the Constrained Data Items is handled by the Transformation Process, which then converts it into permissions and forwards it to the Integration Verification Process.

• INTEGRATION VERIFICATION PROCESS: The Integration Verification Process performs Authentication and Authorization. If that is successful, then the Subject is given access to the Constrained Data Items.
