Chapter 5 Designing Trusted Operating Systems u u

Chapter 5 – Designing Trusted Operating Systems u u u What makes an operating system “secure”? Or “trustworthy? How are trusted systems designed, and which of those design principles carry over naturally to other program development tasks? How do we develop “assurance” of the correctness of a trusted operating systems?

Designing Trusted Operating Systems u Primitive security services • Memory protection • File protection • General object access control • User authentication u OS is trusted if we have confidence that it provides these four services in a consistent and effective way.

What is a trusted system? Secure Either-or: something either is or is not secure Property of presenter Asserted based on product characteristics Absolute: not qualified as to how, where, when, or by whom used A goal Trusted Graded: There are degrees of “trustworthiness Property of receiver Judged based on evidence and analysis Relative: viewed in context of use A characteristic

What is a trusted system? u u u Trusted process – process that can affect system security Trusted product – evaluated and approved product Trusted software- software portion of system that can be relied upon to enforce security policy Trusted computing base – set of all protection mechanisms within a computing system that enforce a nified security policy Trusted system – system that employs sufficient hardware and software integrity measures to allow its use for processing sensitive information

Security Policies security policy – statement of security we expect the system to enforce u Military Security Policy u • based on protecting classified information • Information access is limited by needto-know rule • Each piece of classified info is associated with a compartment

Military Security Policy u u u Class (classification) - <rank; compartment> Clearance - indication that person is trusted to access info up to a certain level of sensitivity Dominance – u u s <= O iff ranks <= ranko and compartmentss <= compartmentso Clearance level of subject is at least as high as that of the information Subject has a need to know about all compartments for which the information is classified.

Commercial Security Policies Data items at any level may have different degrees of sensitivity (public, proprietary, internal) u No formalized notion of clearances u No dominance function for most commercial information access u

Clark-Wilson Commercial Security Policy u Well-formed transactions – perform steps in order, exactly as listed & authenticating the individuals who perform the steps Goal – maintain consistency between internal data and external expectations of the data u Process constrained data items by transformation procedures u • <user. ID, TPi, {CDIj, CDIk, …}>

Commercial Security Policy Separation of duty – division of responsibilities (manual system) u Chinese Wall Security Policy – u • Confidentiality Policy • Objects (e. g. files) • Company Groups (all objects concerning a particular company) • Conflict classes (cluster competing companies)

Models of Security u Security models are used to • Test a particular policy for completeness and consistency • Document a policy • Help conceptualize and design an implementation • Check whether an implementation meets its requirements

Multilevel Security u u Want to build a model to represent a range of sensitivities and to reflect need to separate subjects from objects to which they should not have access. Use the lattice model of security • military security model where <= in the model is the relation operator in the lattice (transitive, antisymmetric) • Commercial security model (public, proprietary, internal)

Bell-La Padula Confidentiality Model u Formal description of allowable paths of information flow in a secure system • Simple Security Property. A subject s may have read access to an object o only if C(o) <= C(s) • *-Property – A subject s who has read access to an object o may have write access to an object p only if C(o) <= C(p) u The *-property is used to prevent write-down (subject with access to high-level data transfers that data by writing it to a low-level object.

Bibb Integrity Model Simple Integrity Property. Subject s can modify (have write access to) object o only if I(s) >= I(o) u Integrity *-Property. If subject s has read access to object o with integrity level I(o), s can have write access to object p only if I(o) >= I(p) u

Models Proving Theoretical Limitations of Security Systems u u Graham-Denning Model – introduced concept of a formal system of protection rules; constructs a model having generic protection properties Harrison-Ruzzo-Ullman Model – uses commands involving conditions and primitive operations where a protection system is a set of subjects, objects, rights, and commands

Take-Grant Systems u Four operations performed by subjects on objects with rights • Create(o, r) subject creates an object with certain rights • Revoke(o, r) subject removes rights from object • Grant(o, p, r) subject grants to o access rights on p • Take (o, p, r) subject removes from o access rights on p

Trusted System Design Elements Least privilege u Economy of mechanism u Open design u Complete mediation u Permission based u Separation of privilege u Least common mechanism u Ease of use u

Security Features of Ordinary Operating Systems u u u u Authentication of users Protection of memory File and I/O device access control Allocation and access control to general objects Enforcement of sharing Guarantee of fair service Interprocess communications and synchronization Protection of operating system protection data

Security Features of Trusted Operating Systems u u u Trusted systems incorporate technology to address both features and assurance Objects are accompanied (surrounded) by an access control mechanism Memory is separated by user, and data and program libraries have controlled sharing and separation

Security Features of Trusted Operating Systems u Identification and Authentication • Require secure id of individuals, each individual must be uniquely identified u Mandatory and Discretionary Access Control • MAC – access control policy decisions are made beyond the control of the individual owner of the object • DAC – leaves access control to the discretion of the object’s owner • MAC has precedence over DAC

Security Features of Trusted Operating Systems u Object Reuse Protection • Prevent object reuse leakage • OS clears (overwrites) all space to be reassigned • Problem of magnetic remanence u Complete Mediation • All accesses must be controled u Trusted Path • For critical operations (setting password, etc. ), users want unmistakable communications

Security Features of Trusted Operating Systems u Accountability and Audit • Maintain a log of security relevant events • Audit log must be protected from outsiders u Audit Log Reduction • Audit only open and close of files/objects u Intrusion detection • Build patterns of normal system usage, triggering an alarm any time usage seems abnormal • Intrusion prevention

Kernelized Design u Kernel – part of OS that performs lowest-level functions • Synchronization, interprocess communications, message passing, interrupt handling • Security kernel – responsible for enforcing security mechanism for entire OS; provides interface among the hardware, OS, and other parts of computer system