Secure Operating System Architectures Patterns
Secure Systems Research Group - FAU

Security and operating systems (OS)
• The OS acts as an intermediary between the user of a computer and its hardware
• The OS supports the execution of all the applications
• The OS architecture is fundamental to how its components are organized and to how their services are used by a given application
• It is the most critical of the software layers because a compromise of the OS can affect all applications and all persistent data
• Most reported attacks occur through the OS

OS architectures
• Patterns representing an abstract view of the four basic architectures of operating systems:
1) Modular Operating System Architecture
2) Layered Operating System Architecture
3) Microkernel Operating System Architecture
4) Virtual Machine (VM) Operating System Architecture

Operating System Architectures

OS functional components
• Process Management
• Memory Management
• File Management
• I/O Management
• Networking
• Protection System
• User Interface

Object-oriented model of OS Components

Modular Operating System Architecture
• Example – Our group is building a new OS that should support various types of devices requiring dynamic services with a large variety of security requirements. We want to dynamically add OS components, functions, and services, as well as tailor their security aspects according to the type of application. For example, a media player may require support to prevent copying of the contents. Or we may need to remove a module for which a vulnerability alert has been issued.
• Context – Operating systems are large systems that must accommodate a variety of diverse applications.
• Problem – We need to be able to add and remove functions in the easiest way. How do we structure the functions for this purpose?

Modular Operating System Architecture
• The possible solution is constrained by the following forces:
– OSs for PCs and other types of uses require a large variety of plug-ins. New plug-ins appear frequently and we need the ability to add and remove them without disrupting normal operation.
– Some of the plug-ins may contain malware, so we need to isolate their execution so that they do not affect other processes.
– We would like to hide security-critical modules from other modules to avoid possible attacks.
– Modules can call each other, which is a possible source of attacks.

The Modular Operating System Architecture pattern
• An object-oriented approach is used to dynamically load and link loadable modules to the core component of the OS

Solaris 10 Operating System

Modular Operating System Architecture
• Advantages:
– Flexibility to add and remove functions contributes to security in that we can install new versions of modules with better security.
– Each module is separate and communicates with other modules over known interfaces. We can introduce controls in these interfaces.
– It is possible to partially hide critical modules by loading them only when needed and removing them after use.
– By giving each executing module its own address space we can isolate the effects of a rogue module.
• Liabilities:
– Any module can see all the others and potentially interfere with their execution.
– Uniformity of call interfaces between modules makes it difficult to apply stronger security restrictions to critical modules.
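The following is an added example, not code from the slides or from any of the operating systems they cite. It shows the core of a modular OS keeping a module table, loading and unloading modules at run time, and mediating every inter-module call through one interface where a control (here a per-module call mask) is enforced. The module ids, names, return codes and module bodies are assumptions made for the example.

```c
#include <stdio.h>

#define MAX_MODULES 8
enum { MOD_DISK = 0, MOD_FILE = 1, MOD_MEDIA = 2, MOD_KEYS = 3 };   /* hypothetical module ids */

typedef int (*svc_fn)(int arg);

struct module {
    const char *name;
    svc_fn      entry;      /* the module's single exported interface */
    unsigned    may_call;   /* bitmask of module ids this module is allowed to call */
    int         loaded;
};

static struct module modtab[MAX_MODULES];   /* the core's module table */

/* Dynamically load a module and record its call permissions. */
int mod_load(int id, const char *name, svc_fn entry, unsigned may_call)
{
    if (id < 0 || id >= MAX_MODULES || modtab[id].loaded || entry == NULL)
        return -1;
    modtab[id].name = name;
    modtab[id].entry = entry;
    modtab[id].may_call = may_call;
    modtab[id].loaded = 1;
    return 0;
}

/* Remove a module, e.g. after a vulnerability alert, or to hide a critical module after use. */
int mod_unload(int id)
{
    if (id < 0 || id >= MAX_MODULES || !modtab[id].loaded)
        return -1;
    modtab[id].loaded = 0;
    modtab[id].entry = NULL;
    return 0;
}

/* Every inter-module call passes through the core, which enforces the caller's permissions.
 * Return codes (chosen for this example): -2 unknown/unloaded module, -3 call not permitted. */
int mod_call(int caller, int callee, int arg)
{
    if (caller < 0 || caller >= MAX_MODULES || callee < 0 || callee >= MAX_MODULES)
        return -2;
    if (!modtab[caller].loaded || !modtab[callee].loaded)
        return -2;
    if (!(modtab[caller].may_call & (1u << callee)))
        return -3;
    return modtab[callee].entry(arg);
}

/* Module bodies, constructed for the example. */
static int disk_read(int block)  { return 1000 + block; }                        /* fake sector contents */
static int fm_open(int name)     { return mod_call(MOD_FILE, MOD_DISK, name); }  /* file manager -> disk */
static int media_play(int name)  { return mod_call(MOD_MEDIA, MOD_FILE, name); } /* plug-in -> file manager */
static int keys_get(int key_id)  { return 0x5EC0 + key_id; }                     /* fake key material */

/* Boot-time configuration: returns how many modules were loaded. */
int modules_init(void)
{
    int n = 0;
    n += mod_load(MOD_DISK,  "disk_driver",  disk_read,  0) == 0;
    n += mod_load(MOD_FILE,  "file_manager", fm_open,    1u << MOD_DISK) == 0;
    n += mod_load(MOD_MEDIA, "media_player", media_play, 1u << MOD_FILE) == 0;
    return n;
}

int main(void)
{
    printf("loaded %d modules\n", modules_init());
    printf("media -> file -> disk: %d\n", mod_call(MOD_MEDIA, MOD_FILE, 7));   /* 1007 */
    printf("media -> disk directly: %d\n", mod_call(MOD_MEDIA, MOD_DISK, 7));  /* -3: denied */
    mod_load(MOD_KEYS, "keystore", keys_get, 0);                               /* loaded only when needed */
    printf("media -> keystore: %d\n", mod_call(MOD_MEDIA, MOD_KEYS, 1));       /* -3: hidden from plug-ins */
    mod_unload(MOD_KEYS);
    mod_unload(MOD_MEDIA);                                                     /* vulnerability alert */
    printf("media after unload: %d\n", mod_call(MOD_MEDIA, MOD_FILE, 7));      /* -2: no longer loaded */
    return 0;
}
```

The call mask is policy, not isolation: it only holds for calls that go through mod_call. A module that obtains a direct pointer to another module's code or data in the same address space bypasses it, which is exactly the liability listed above; the remedy the pattern suggests is a separate address space per module.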

Modular Operating System Architecture
• Known uses
– Solaris version 10
– ExtremeWare from Extreme Networks [Ext]
• Related patterns
– The Controlled Execution Environment pattern [Fer 0] can be used to isolate executing modules.

Layered Operating System Architecture
• Separate the OS into layers
• The OS has more control over separation of concerns
• Overall features and functionality are separated into layers
• Clearly defined interfaces between each kernel section of the OS and between user applications and the OS functions

Layered Operating System Architecture
• Example – Our system is very complex and we would like to separate its different aspects in order to handle them in a more systematic way. We want to control the use of OS components and services.
• Context – Operating systems are large systems that must accommodate a variety of applications.
• Problem – How do we structure the components into hierarchical layers?

Layered Operating System Architecture
• The possible solution is constrained by the following forces:
– Interfaces should be stable and well defined. Going through any interface could imply authorization checks.
– Parts of the system should be exchangeable or removable without affecting the rest of the system. For example, we could have modules that perform more security checks than others.
– Similar responsibilities should be grouped to help understandability and maintainability. This contributes indirectly to improved security.
– We should control module visibility to avoid possible attacks from other modules.
– Complex components need further decomposition. This makes the design simpler and clearer and also improves security.

Layered Operating System Architecture Pattern
• Define a hierarchical set of layers and assign components to each layer. Each layer presents an abstract machine to the layer above it.

Layered Operating System Architecture Pattern

Layered Operating System Architecture Pattern Dynamics
• Sequence diagram for opening and reading a disk file
• A user sends an openFile() request to the OSInterface
• The OSInterface interprets the openFile() request
• The openFile() request is sent from the OSInterface to the FileManager
• The FileManager sends a readDisk() request to the DiskDriver

Layered Operating System Architecture
• Implementation
– List all units in the system and define their dependencies.
– Assign units to levels such that units in higher levels depend only on units of lower levels.
– Once the modules in a given level are assigned, define a language for this level. This language includes the operations that we want to make visible to the next level above. Add well-defined operation signatures and security checks to these operations to ensure the proper use of the level.
– Hide in lower levels those modules that control critical security functions.
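As an added example (not code from the slides or from any of the systems they cite), the following C program carries the implementation steps above and the openFile() dynamics through in code: a static check that every dependency points to a strictly lower level, and a run-time guard under which a call may only step down to the immediately lower layer, with the authorization check placed in the "language" the OSInterface layer exports to user programs. The layer numbers, unit names, file-owner table and error codes are assumptions made for the example.

```c
#include <stdio.h>

/* Layer numbering used in this example (lower = closer to the hardware). */
enum { L_HARDWARE = 0, L_DISK_DRIVER = 1, L_FILE_MANAGER = 2, L_OS_INTERFACE = 3, L_USER = 4 };

struct unit { const char *name; int level; };
struct dep  { int from, to; };   /* indices into a unit table: `from` depends on `to` */

static const struct unit units[] = {
    { "DiskDriver",  L_DISK_DRIVER  },   /* index 0 */
    { "FileManager", L_FILE_MANAGER },   /* index 1 */
    { "OSInterface", L_OS_INTERFACE },   /* index 2 */
};
static const struct dep deps_ok[]  = { {2, 1}, {1, 0} };
static const struct dep deps_bad[] = { {2, 1}, {1, 0}, {0, 2} };   /* DiskDriver calling up into OSInterface */

/* Implementation step: units may depend only on units of strictly lower levels.
 * Returns the index of the first offending dependency, or -1 if the layering is sound. */
int check_layering(const struct unit *u, const struct dep *d, int ndeps)
{
    for (int i = 0; i < ndeps; i++)
        if (u[d[i].from].level <= u[d[i].to].level)
            return i;
    return -1;
}

/* Run-time guard for the dynamics: a call may only step down to the immediately lower layer. */
static int current_level = L_USER;
static int enter_layer(int to)
{
    if (to != current_level - 1)
        return -1;                  /* skipping or climbing a layer is refused */
    current_level = to;
    return 0;
}
static void leave_layer(void) { current_level++; }

/* Error codes chosen for this example: -1 layering violation, -2 permission denied. */
#define NFILES 4
static const int file_owner[NFILES] = { 0, 0, 1, 1 };   /* constructed: which uid owns each file */

static int disk_read(int block)                /* layer 1 */
{
    if (enter_layer(L_DISK_DRIVER) < 0) return -1;
    int data = 1000 + block;                   /* fake sector contents */
    leave_layer();
    return data;
}

static int fm_open(int file)                   /* layer 2: file manager maps a file to a block */
{
    if (enter_layer(L_FILE_MANAGER) < 0) return -1;
    int r = disk_read(file);
    leave_layer();
    return r;
}

/* Layer 3: the "language" offered to user programs; the authorization check lives at this boundary. */
int os_open_file(int uid, int file)
{
    if (enter_layer(L_OS_INTERFACE) < 0) return -1;
    int r;
    if (file < 0 || file >= NFILES || file_owner[file] != uid)
        r = -2;
    else
        r = fm_open(file);
    leave_layer();
    return r;
}

/* A user program that tries to bypass the OS interface and talk to the driver directly. */
int user_calls_driver_directly(int block) { return disk_read(block); }

int main(void)
{
    printf("layering ok: %d\n", check_layering(units, deps_ok, 2));              /* -1 */
    printf("layering bad at dep %d\n", check_layering(units, deps_bad, 3));      /* 2 */
    printf("uid 0 opens file 1: %d\n", os_open_file(0, 1));                      /* 1001 */
    printf("uid 1 opens file 0: %d\n", os_open_file(1, 0));                      /* -2 */
    printf("user -> driver directly: %d\n", user_calls_driver_directly(5));      /* -1 */
    return 0;
}
```

The guard is what makes "hide critical modules in lower levels" enforceable: the driver is only reachable through the file manager, which is only reachable through the OSInterface, so the single authorization check in os_open_file covers every path to the disk. In a real kernel the same property comes from privilege modes and the system-call boundary rather than a level counter.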

OS Layered Architecture

Layered Operating System Architecture
• Advantages:
– Clearly defined interfaces between each OS layer and the user applications
– Control of information flow using the layer hierarchy, enforcing security policies at each layer boundary
– Each core component is separate
– Each layer hides the existence of certain data structures, operations and hardware from higher levels
– Lower levels can be changed without affecting higher layers

Layered Operating System Architecture
• Liabilities:
– It is not clear what to put in each layer
– There may be less efficiency, as information needs to go through each layer
– The layers are restricted to interfacing only with their immediately neighboring layers. This restriction reduces flexibility and adds overhead, since a request must pass through the adjacent layers to use the services of layer i+2 or higher, or of layer i-2 or lower.

Symbian layered OS architecture

Unix layered OS architecture

Layered Operating System Architecture
• Known uses
– OS/2 of IBM, Symbian OS [Sym 01]
• Related patterns
– A specialization of the Layers architectural pattern [Bus 96].
– A security version of the Layers pattern is presented in [Fer 02] and in [Som 05].

Microkernel Operating System Architecture
• Move as much OS functionality as possible out of kernel space
• Only a very basic set of functions remains in the microkernel
• Use external and internal servers for the rest

Microkernel Operating System Architecture
• Example – We are building an OS for a range of applications with different reliability and security requirements and a variety of plug-ins. We would like to provide OS versions with different types of modules, some more secure, some less so.
• Context – Operating systems are large systems that require decomposition for control of system functions.
• Problem – In general-purpose environments we need to be able to add new functionality and new security measures.

Microkernel Operating System Architecture
• The possible solution is constrained by the following forces:
– The application platform must cope with continuous hardware and software evolution; these additions may have very different security or reliability requirements.
– Strong security or reliability requirements indicate the need for modules with well-defined interfaces.
– We may want to perform different types of security checks in different modules, depending on their security criticality.
– We would like a minimum of functionality in the kernel so that a minimum of code runs in supervisor mode. A small kernel can be checked thoroughly, which is good for security.

Microkernel Operating System Architecture pattern
• Separate all functionality into specialized services and provide an efficient way to route requests to the appropriate servers
• The microkernel is the central communication hub of the OS
• There is one microkernel and several internal and external servers
• An adapter is used between the client and the microkernel or an external server
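The following is an added example, not code from the slides or from QNX or PalmOS. It models the pattern as a toy microkernel whose only job is to route messages: external servers (file system, network) are addressable by clients, an internal server (disk) is reachable only from other servers, and a client-side adapter turns an ordinary function call into a message. A hop counter makes the message-passing overhead named under Liabilities visible. The service ids, operation codes, message layout and return codes are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical service ids: FS and NET are external (client-addressable) servers,
 * DISK is an internal server reachable only from other servers. */
enum { SVC_FS = 0, SVC_NET = 1, SVC_DISK = 2, NSVC = 3 };
enum { OP_OPEN = 1, OP_READ_BLOCK = 2 };

struct msg { int from_svc; int to_svc; int op; int arg; int reply; };   /* from_svc = -1 for clients */
typedef int (*server_fn)(struct msg *m);

struct server { server_fn handler; int internal; };
static struct server servers[NSVC];
static unsigned long ipc_hops;   /* every message through the kernel costs one hop */

int mk_register(int svc, server_fn h, int internal)
{
    if (svc < 0 || svc >= NSVC || h == NULL) return -1;
    servers[svc].handler = h;
    servers[svc].internal = internal;
    return 0;
}

/* The microkernel's routing function: validate the message, enforce the internal/external
 * distinction, deliver to the server, and return its reply. Codes: -2 no such server, -3 refused. */
int mk_route(struct msg *m)
{
    ipc_hops++;
    if (m->to_svc < 0 || m->to_svc >= NSVC || servers[m->to_svc].handler == NULL)
        return -2;
    if (servers[m->to_svc].internal && m->from_svc < 0)
        return -3;                      /* clients may not address internal servers */
    m->reply = servers[m->to_svc].handler(m);
    return m->reply;
}

unsigned long mk_hops(void) { return ipc_hops; }

/* Servers (constructed). The FS server itself uses message passing to reach the disk server. */
static int disk_server(struct msg *m)
{
    return m->op == OP_READ_BLOCK ? 1000 + m->arg : -4;   /* fake block contents */
}
static int fs_server(struct msg *m)
{
    if (m->op != OP_OPEN) return -4;
    struct msg d = { SVC_FS, SVC_DISK, OP_READ_BLOCK, m->arg, 0 };
    return mk_route(&d);
}
static int net_server(struct msg *m) { return m->op == OP_OPEN ? 5000 + m->arg : -4; }

/* Adapter: gives clients an ordinary call interface and hides the message format. */
int client_open(int svc, int name)
{
    struct msg m = { -1, svc, OP_OPEN, name, 0 };
    return mk_route(&m);
}

int microkernel_boot(void)
{
    ipc_hops = 0;
    memset(servers, 0, sizeof servers);
    return mk_register(SVC_FS, fs_server, 0) + mk_register(SVC_NET, net_server, 0)
         + mk_register(SVC_DISK, disk_server, 1);
}

int main(void)
{
    microkernel_boot();
    printf("open via FS: %d\n", client_open(SVC_FS, 7));      /* 1007, costs 2 hops (client->FS, FS->DISK) */
    printf("open via NET: %d\n", client_open(SVC_NET, 1));    /* 5001, 1 hop */
    printf("client -> DISK: %d\n", client_open(SVC_DISK, 7)); /* -3: internal server */
    printf("hops so far: %lu\n", mk_hops());                  /* 4 */
    return 0;
}
```

Compare with the modular case: a file open that is one direct call in a monolithic kernel costs two kernel-mediated messages here, which is the overhead the pattern trades for keeping the disk server out of the kernel and out of the clients' reach.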

Microkernel Operating System Architecture pattern

Microkernel Operating System Architecture pattern dynamics

QNX Microkernel Architecture
• The QNX Microkernel responsibilities include the following [QNX]:
– IPC (interprocess communication)
– low-level network communication
– process scheduling
– first-level interrupt handling

QNX Microkernel Architecture source: [QNX]

Microkernel Operating System Architecture
• Advantages:
– Provides a good degree of security because of the well-defined interfaces between servers.
– Even more security can be added by putting fundamental functions in internal servers.
• Liabilities:
– Communication overhead due to message passing

Microkernel Operating System Architecture Variants
• The Microkernel OS Architecture pattern can be combined with the Layered OS Architecture pattern
– Many applications in PalmOS do not use the microkernel services directly; they are handled automatically by the system
– Microkernel functionality is provided for internal use by system software or for certain special-purpose applications

Microkernel Operating System Architecture Variants source: [PalmOS]

Microkernel Operating System Architecture
• Known uses
– PalmOS [PalmOS], QNX [QNX]
• Related patterns
– A specialization of the Microkernel pattern [Bus 96].

Virtual Machine Operating System Architecture
• Provides a set of replicas of the hardware architecture to separate operating systems
• Strong isolation between each OS

Virtual Machine Operating System Architecture
• Example – A web server is hosting applications for two competing companies. These companies use different operating systems. We want to ensure that neither company can access the other's files.
• Context – Mutually suspicious sets of applications that need to execute on the same hardware. Each set requires isolation from the other sets.
• Problem – Sometimes we need to execute different operating systems on the same hardware. How do we keep those OSs isolated from each other?

Virtual Machine Operating System Architecture
• The possible solution is constrained by the following forces:
– Each OS has its own set of machine-dependent features
– When an OS crashes or is penetrated by an attacker, the effects should not propagate to other OSs on the same hardware

Virtual Machine Operating System Architecture pattern
• Define an architectural layer that is in control of the hardware and supervises and coordinates the execution of each OS environment.
• This extra layer, usually called a Virtual Machine Monitor (VMM) or hypervisor, presents to each operating system a replica of the hardware.
• The VMM intercepts the privileged operations (sensitive instructions, traps and interrupts) coming from each virtual machine and interprets them according to the OS from which they came; ordinary instructions run directly on the hardware.
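As an added example (not code from the slides or from any real VMM), the following C program is a toy trap-and-emulate monitor: each guest gets its own slice of host memory as its "replica" of the hardware, a privileged output instruction traps to the VMM and is emulated, and a guest whose memory access leaves its slice is faulted without affecting the other guest. The instruction set, memory layout and guest programs are assumptions made for the example; the one practitioner detail it is built to show is that the bounds check is done on the guest address before translation, so that an unsigned wraparound cannot land in another VM's memory.

```c
#include <stdio.h>
#include <string.h>

#define HOST_MEM 64          /* words of physical memory in this toy host */
#define MAX_OUT  8

enum op { OP_LOAD, OP_STORE, OP_OUT, OP_HALT };
struct insn { enum op op; unsigned addr; int val; };   /* guest instruction */

struct vm {
    unsigned base, size;     /* this guest's slice of host memory (its "replica" of the hardware) */
    int acc;                 /* guest accumulator register */
    int faulted, halted;
    int out_log[MAX_OUT];    /* emulated output device */
    int nout;
    unsigned traps;          /* privileged instructions and faults handled by the VMM */
};

static int host_mem[HOST_MEM];
static struct vm guest[2];

int vm_init(struct vm *vm, unsigned base, unsigned size)
{
    if (base > HOST_MEM || size > HOST_MEM - base) return -1;  /* slice must fit in host memory */
    memset(vm, 0, sizeof *vm);
    vm->base = base;
    vm->size = size;
    return 0;
}

/* The VMM executes a guest's instruction stream. Memory is bounds-checked on the GUEST address,
 * before translation, so an unsigned wraparound cannot reach another VM's slice. Privileged
 * instructions (OP_OUT) trap to the VMM and are emulated. Returns instructions run, or -1 on a fault. */
int vmm_run(struct vm *vm, const struct insn *prog, int n)
{
    int executed = 0;
    for (int pc = 0; pc < n && !vm->halted && !vm->faulted; pc++) {
        const struct insn *i = &prog[pc];
        executed++;
        switch (i->op) {
        case OP_LOAD:
        case OP_STORE:
            if (i->addr >= vm->size) {      /* outside this VM's replica: fault, only this VM stops */
                vm->faulted = 1;
                vm->traps++;
                break;
            }
            if (i->op == OP_LOAD) vm->acc = host_mem[vm->base + i->addr];
            else                  host_mem[vm->base + i->addr] = i->val;
            break;
        case OP_OUT:                        /* privileged: trap and emulate the device */
            vm->traps++;
            if (vm->nout < MAX_OUT) vm->out_log[vm->nout++] = vm->acc;
            break;
        case OP_HALT:
            vm->halted = 1;
            break;
        }
    }
    return vm->faulted ? -1 : executed;
}

/* Constructed guest programs. Guest 1 tries guest address 0xFFFFFFE3, which would wrap to host
 * word 3 (inside guest 0's slice) if the VMM checked the translated address instead of the guest one. */
static const struct insn prog0[] = {
    { OP_STORE, 3, 42 }, { OP_LOAD, 3, 0 }, { OP_OUT, 1, 0 }, { OP_HALT, 0, 0 } };
static const struct insn prog1[] = {
    { OP_LOAD, 0xFFFFFFE3u, 0 }, { OP_OUT, 1, 0 }, { OP_HALT, 0, 0 } };

/* Runs both guests; returns how many finished without faulting. */
int run_two_guests(void)
{
    memset(host_mem, 0, sizeof host_mem);
    vm_init(&guest[0], 0, 32);
    vm_init(&guest[1], 32, 32);
    int ok = 0;
    ok += vmm_run(&guest[0], prog0, 4) >= 0;
    ok += vmm_run(&guest[1], prog1, 3) >= 0;
    return ok;
}

int main(void)
{
    printf("guests completed: %d\n", run_two_guests());                                /* 1 */
    printf("guest 0 output: %d, traps: %u\n", guest[0].out_log[0], guest[0].traps);    /* 42, 1 */
    printf("guest 1 faulted: %d, outputs: %d\n", guest[1].faulted, guest[1].nout);     /* 1, 0 */
    return 0;
}
```

Everything a guest can observe or change passes through vmm_run, so the isolation property is exactly as strong as the checks in that function; a bug there (such as checking base + addr rather than addr) is the toy equivalent of a VM escape.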

Virtual Machine Operating System Architecture pattern

Virtual Machine Operating System Architecture pattern dynamics

Virtual Machine Operating System Architecture example resolved
• Two companies using Unix and Linux in different virtual machines

Virtual Machine Operating System Architecture
• Advantages
– Each environment (VM) does not know about the other VM(s).
– Errors or attacks within a given VM have no way to propagate to other VMs, provided the VMM itself is not compromised; the VMM is the trusted computing base for all of the VMs.
• Liabilities
– Extra overhead in the use of privileged instructions
– It is rather complex to let VMs communicate with each other (if this is needed).

Virtual Machine Operating System Architecture
• Known uses
– IBM VM/SP, VMware
• Related patterns