Secure Operating Systems Lesson 10: SCOMP

Where are we?
• Multics is busy being explored, which is kind of cool…
• But Multics wasn’t the end of custom-built operating systems designed with security in mind: its natural successor was SCOMP (Honeywell’s Secure Communications Processor)

SCOMP: Verification
• Unlike Multics, the designers of SCOMP wanted verifiable security, so the goal was to chase the fledgling TCSEC A1 evaluation
• We don’t see formal methods a lot day to day, but the value is that we (theoretically) know the product conforms to its specification
  ◦ Caveat: at A1 the formal proof relates the security-policy model to the formal top-level specification; the correspondence between that specification and the actual code was shown informally, not proved
  ◦ However, we do NOT know if the specification is good: a proof says nothing about a policy that permits the wrong thing

A Quick Aside: TCSEC
• Trusted Computer System Evaluation Criteria, AKA the “Orange Book” from the “Rainbow Series”
• TCSEC still matters, though it was replaced by what is known as the Common Criteria in 2005
• Defined multiple levels of security for a system (note that word: it evaluated whole systems, hardware included, rather than products in isolation)

Orange Book A-D
• D: Minimal Protection
• C: Discretionary Protection
  ◦ C1 – Discretionary Security Protection
  ◦ C2 – Controlled Access Protection
• B: Mandatory Protection
  ◦ B1 – Labeled Security Protection
  ◦ B2 – Structured Protection
  ◦ B3 – Security Domains
• A: Verified Protection
  ◦ A1 – Verified Design
  ◦ Beyond A1 – not a defined class; the Orange Book only sketches directions such as verification carried down to the implementation and a trusted design environment

Design Choices
• Some of the design choices in SCOMP were, I think, interesting
• The designers threw some compatibility away in the name of security, which I think was clever: as such, SCOMP was not Unix
• One particular problem they tried to address was interfacing groups working at different security levels: a tough problem (the “multilevel security problem” of the paper’s title)

Reference Monitor
• Remember, the requirements for a reference monitor:
  ◦ Complete mediation: every access to every object goes through it
  ◦ Isolation: it is tamper-proof
  ◦ Verification: it is small enough to be analysed and tested
• The “security kernel” concept: the reference monitor realised as the small, verified core of the operating system

Segment Access Control
• Simple ACL
  ◦ Segments: read, write, execute
  ◦ Directories: status, modify, append
• However: the segment descriptor word (SDW) also carries rings and brackets, and this can be a little tricky
• To grant an access, the ACL and the access brackets must both allow it; either one denying is enough to refuse

Mediation
• Memory protection looked like this in SCOMP (source: Fraim, “SCOMP: A Solution to the Multilevel Security Problem”, IEEE Computer, 1983)
  ◦ [Figure from the paper, not reproduced here]

Isolation
• Just like Multics, though there were four rings (sound familiar? x86 also has four)
• Ring brackets were used (just like Multics) to control which rings may read, write and call a segment

SCOMP Hardware Implementation
• SCOMP used a Security Protection Module (SPM) which interfaced with the Virtual Memory Interface Unit (VMIU)
• The mechanism of the SPM is critical to SCOMP: it is the hardware half of the reference monitor
• Mediation is trap based: an access the descriptors do not permit traps to the security kernel instead of completing

Clever: IO
• SCOMP used descriptors for IO, similar to memory descriptors
• Because mediation happens in hardware, the drivers themselves do not need to be in ring 0, decreasing the size (attack surface) of the security kernel
  ◦ Remember, this is all A1 stuff… what happens when we change it? The evaluation covers one specific hardware and software configuration; change either and you are running something that was never evaluated

DMA
• SCOMP did allow DMA for speed
• The initial transfer is mediated by the SPM
• A similar approach is taken to virtual addresses for devices, which is a little safer (why? a device that reaches memory through checked descriptors can only touch the segments it was granted, not arbitrary physical memory)

Argument Addressing Mode
• Remember that whole confused deputy thing?
• SCOMP had an “argument addressing mode” which let the hardware access a call’s parameters with the protection level of the caller rather than that of the (more privileged) callee, avoiding software checks: clever stuff
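The “ACL and brackets must both allow” rule from the Segment Access Control slide and the argument-addressing idea above, modelled together as an added example; this is not code from the lecture or from the SCOMP paper. Assumptions: bracket semantics follow the Multics convention (write from rings 0..r1, read from 0..r2, execute from r1..r3, with (r2, r3] only via a gate, which is not modelled); the segment names, principals and ACLs are constructed for the demo; and the check that SCOMP’s hardware performed on argument dereferences is done here in software.

```c
/* Added example, not from the lecture or the SCOMP paper: a model of
 * SCOMP/Multics-style segment mediation (ACL AND ring bracket must both
 * allow) and of the argument-addressing-mode fix for the confused deputy.
 * Assumptions: bracket semantics follow the Multics convention; the
 * segments, principals and ACLs below are constructed for the demo. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NRINGS 4              /* SCOMP had four rings; ring 0 is most privileged */
enum { OP_READ = 1, OP_WRITE = 2, OP_EXEC = 4 };

typedef struct {
    const char *principal;    /* who the entry is for */
    unsigned    modes;        /* bitmask of OP_* */
} acl_entry_t;

typedef struct {
    const char *name;
    /* Ring brackets (Multics convention, assumed): write from rings [0,r1],
     * read from [0,r2], execute from [r1,r3] ((r2,r3] only via a gate). */
    int r1, r2, r3;
    acl_entry_t acl[4];
    int nacl;
} segment_t;

/* Discretionary part: the modes the ACL grants this principal (none if absent). */
static unsigned acl_modes(const segment_t *s, const char *principal)
{
    for (int i = 0; i < s->nacl; i++)
        if (strcmp(s->acl[i].principal, principal) == 0)
            return s->acl[i].modes;
    return 0;
}

/* Ring part: does the bracket permit this operation from this ring? */
static bool bracket_allows(const segment_t *s, int ring, unsigned op)
{
    switch (op) {
    case OP_READ:  return ring <= s->r2;
    case OP_WRITE: return ring <= s->r1;
    case OP_EXEC:  return ring >= s->r1 && ring <= s->r3;
    default:       return false;
    }
}

/* Complete mediation: one access is granted only if BOTH the ACL and the
 * ring bracket allow it; anything else (including a bad ring) is denied. */
bool mediate(const segment_t *s, const char *principal, int ring, unsigned op)
{
    if (ring < 0 || ring >= NRINGS)
        return false;
    if ((acl_modes(s, principal) & op) != op)
        return false;
    return bracket_allows(s, ring, op);
}

/* Constructed segments. The mailbox may be read by its owner from any ring,
 * but written only from ring <= 1 (think: a trusted mail service), even
 * though the owner's ACL entry nominally carries write. */
const segment_t mailbox = { "alice_mailbox", 1, 3, 3, {{"alice", OP_READ | OP_WRITE}}, 1 };
const segment_t scratch = { "alice_scratch", 3, 3, 3, {{"alice", OP_READ | OP_WRITE}}, 1 };
const segment_t junk    = { "alice_junk",    3, 3, 3, {{"alice", OP_READ}}, 1 };

/* A ring-0 copy service invoked from a less privileged ring.
 * Naive version: it checks the caller-supplied segments with its OWN ring
 * (0), so the caller borrows the service's privilege: a confused deputy. */
bool copy_service_naive(const segment_t *src, const segment_t *dst,
                        const char *caller, int caller_ring)
{
    (void)caller_ring;        /* ignored: this is the bug */
    return mediate(src, caller, 0, OP_READ) && mediate(dst, caller, 0, OP_WRITE);
}

/* Argument addressing mode: every dereference of a caller-supplied argument
 * is checked as if it were performed in the caller's ring. */
bool copy_service_argmode(const segment_t *src, const segment_t *dst,
                          const char *caller, int caller_ring)
{
    return mediate(src, caller, caller_ring, OP_READ) &&
           mediate(dst, caller, caller_ring, OP_WRITE);
}

int main(void)
{
    printf("alice, ring 3, read  mailbox: %d\n", mediate(&mailbox, "alice", 3, OP_READ));
    printf("alice, ring 3, write mailbox: %d\n", mediate(&mailbox, "alice", 3, OP_WRITE));
    printf("naive   copy junk->mailbox from ring 3: %d (deputy confused)\n",
           copy_service_naive(&junk, &mailbox, "alice", 3));
    printf("argmode copy junk->mailbox from ring 3: %d\n",
           copy_service_argmode(&junk, &mailbox, "alice", 3));
    printf("argmode copy junk->scratch from ring 3: %d\n",
           copy_service_argmode(&junk, &scratch, "alice", 3));
    return 0;
}
```

The naive service passes the write to the mailbox because it evaluates the bracket in its own ring; the argument-addressing version evaluates the same write in ring 3, where the bracket (r1 = 1) refuses it, while an ordinary copy into the ring-3 scratch segment still succeeds. Doing this check in hardware, per dereference, is what let SCOMP avoid a software validation pass over every pointer argument.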

SCOMP was small
• Security kernel: about 10k lines
• Trusted software: about 11k lines
• SCOMP also had a “secure attention” key, which allowed a user to be sure that they were talking to the OS and not to something “in the middle” (a trusted path)

SCOMP Kernel Interface Package
• SKIP:
  ◦ Provides a hierarchical multilevel file system
  ◦ Provides the ability to create child processes
  ◦ Allows for process synchronization
  ◦ Provides an efficient interface
  ◦ Provides a low-level, general-purpose interface
• Not an OS, but an interface to a secure environment

Things to Do
• Read: Fraim, “SCOMP: A Solution to the Multilevel Security Problem”

Questions & Comments
• What do you want to know?