Transcript of "Operating System security deals with four important …"

Operating System security deals with four important functions.


Physical separation provides perhaps the most security, but it is not practical for modern applications. Temporal separation uses the same hardware to execute the tasks, but they are executed one after the other rather than at the same time.

Sandboxing prevents executing code from doing something harmful: access to resources outside the sandbox is strictly limited.

Cryptographic separation keeps pages in memory encrypted under cryptographic keys. Although other processes may be able to read the encrypted pages, they may not be able to decrypt the information without the key.


User processes can be limited to one side of the fence and system processes to the other side of the fence.

Sections of memory can be tagged, and each access can then be checked against the tag for the correct type of access.


For military systems and other systems that need a higher level of security, Mandatory Access Control (MAC) is employed: the system itself enforces the access control policy.

Most practical applications, however, need only a lesser degree of security. In Discretionary Access Control (DAC), users control the security of their own objects (e.g. files). This can cause security problems: novice or careless users may not set the correct permissions. Thus DAC is unacceptable for the highest levels of security.


Too little logging makes it difficult to find out what happened, because not all security-related events are recorded. On the other hand, too much logging produces large log files that are difficult to search and store.


If information is compromised as it flows through the trusted path, that creates security problems. A program can do little if a secret typed at the keyboard was compromised before it reached the program.


Since larger, more complex software tends to be less secure, a small core can be identified to perform the security-related functions. This core can then be verified and checked for security vulnerabilities.

A reference monitor keeps track of all accesses to resources by users (or processes) and ensures that every access is authorized.


The picture shows a typical design of a secure operating system. A security kernel immediately above the hardware makes sure that all operations are secure. The rest of the operating system (OS) interacts with the security kernel and provides services. User programs run in user space, interacting with the OS.


A quick solution for protecting sensitive information would be to design partitioned systems with no communication allowed between the two systems. From the users' point of view, however, no communication is then possible between Alice and Bob, yet it is important for Bob to report intelligence in a timely manner to higher levels even though he is not cleared for Secret.


The Bell-LaPadula model prevents information leaks by allowing information to flow from U to S and prohibiting information flow from S to U.
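The following reference monitor, added here as an illustration rather than taken from the slides, enforces the Bell-LaPadula rules over the two levels U and S and audits every decision; the Alice/Bob scenario, the object names and the level lattice are constructed for the example.

```python
# Added illustration (not from the slides): a tiny reference monitor enforcing
# the Bell-LaPadula rules over the two levels named on the slides, U below S.
# Names (Alice, Bob, "report", "bulletin") are constructed for the scenario.
from dataclasses import dataclass, field

LEVELS = {"U": 0, "S": 1}  # constructed lattice: U is dominated by S


@dataclass
class Obj:
    name: str
    level: str
    data: list = field(default_factory=list)


class ReferenceMonitor:
    """Mediates every access and records an audit entry for each decision.

    simple security (no read up):  allowed iff level(subject) >= level(object)
    *-property (no write down):    allowed iff level(subject) <= level(object)
    """

    def __init__(self):
        self.audit = []  # (subject, op, object, decision)

    def read(self, subject, clearance, obj):
        ok = LEVELS[clearance] >= LEVELS[obj.level]
        self.audit.append((subject, "read", obj.name, "ALLOW" if ok else "DENY"))
        return list(obj.data) if ok else None

    def write(self, subject, clearance, obj, value):
        ok = LEVELS[clearance] <= LEVELS[obj.level]
        self.audit.append((subject, "write", obj.name, "ALLOW" if ok else "DENY"))
        if ok:
            obj.data.append(value)
        return ok


def alice_bob_scenario():
    """Bob (cleared U) reports upward, Alice (cleared S) reads it; leaks downward are refused."""
    rm = ReferenceMonitor()
    report = Obj("report", "S")      # Secret-level object
    bulletin = Obj("bulletin", "U")  # object readable by everyone
    bob_write = rm.write("bob", "U", report, "field intel")  # write up: allowed
    alice_read = rm.read("alice", "S", report)               # read at own level: allowed
    alice_leak = rm.write("alice", "S", bulletin, "secret")  # write down: denied
    bob_peek = rm.read("bob", "U", report)                   # read up: denied
    return bob_write, alice_read, alice_leak, bob_peek, rm.audit
```

The audit list doubles as the kind of security log the logging slide discusses: every mediated access, allowed or denied, leaves one record.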


From an attacker's point of view, a clever scheme may be devised to leak information even when the Bell-LaPadula model is used.

By controlling delays, a process can covertly signal 1s and 0s: for example, a delay means 1 and no delay means 0.

So the sending process encodes information in delays.

The receiving process senses the delay and infers what was sent.

No direct information transfer takes place in this scheme; the information is sent through a covert channel.


Task 2 requests the lock and, since no one is holding it, gets the lock immediately: there is no delay.


In this case, when Task 2 requests an exclusive lock it is already held by Task 1, so Task 2 has to wait until Task 1 releases the lock.

Thus processes can use shared devices or files to covertly signal information, although there is no direct transfer of information.

While the presence of other tasks can introduce noise into the channel, it is possible to find a resource that is of little interest to others (for example, a process can create a file with a random name that nobody else needs).
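A discrete-time model of this lock channel, added here as an illustration rather than taken from the slides, estimates how reliably bits survive contention from other tasks and how an OS-injected delay (jitter) on every lock request masks the timing difference; the message and the noise and jitter patterns are constructed.

```python
# Added illustration (not from the slides): a discrete-time model of the lock
# timing channel described above. Per time slot, the sender holds the shared
# lock when its bit is 1; the receiver requests the lock and records whether it
# had to wait. Noise (other tasks) and jitter (an OS countermeasure) are given
# as constructed per-slot patterns so the outcome is reproducible.

def transmit(bits, noise=None, jitter=None):
    """Return the bit sequence the receiver infers.

    bits   -- 0/1 values the sender signals
    noise  -- per-slot bools, True if an unrelated task holds the lock that slot
    jitter -- per-slot bools, True if the OS delays the receiver's request anyway
    """
    noise = noise or [False] * len(bits)
    jitter = jitter or [False] * len(bits)
    received = []
    for bit, busy, delayed in zip(bits, noise, jitter):
        lock_unavailable = bit == 1 or busy   # sender hold or contention
        waited = lock_unavailable or delayed  # all the receiver can observe
        received.append(1 if waited else 0)
    return received


def bit_error_rate(sent, received):
    errors = sum(1 for s, r in zip(sent, received) if s != r)
    return errors / len(sent)


def channel_analysis():
    """Error rate on a quiet resource, a contended one, and one with jitter."""
    msg = [1, 0, 1, 1, 0, 0, 1, 0]                      # constructed message
    quiet = bit_error_rate(msg, transmit(msg))
    contended = bit_error_rate(                         # another task busy on odd slots
        msg, transmit(msg, noise=[i % 2 == 1 for i in range(len(msg))]))
    jittered = bit_error_rate(                          # OS always adds a delay
        msg, transmit(msg, jitter=[True] * len(msg)))
    return quiet, contended, jittered
```

On the quiet resource every bit arrives intact, contention only corrupts 0-bits (a wait is indistinguishable from a deliberate delay), and constant jitter makes every slot look like a 1, which is why covert-channel analysis looks at both how busy a shared resource is and whether its timing can be made uniform.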


Active learning task: explore how you can harden operating systems, thinking from three perspectives:

Offense -> Rename Administrator Account

Use -> push patches (users may cancel applying patches)

Defense -> apply security templates


Task: research the usable security of SELinux.

A hands-on lab may be developed using BackTrack Linux (although not related to this course, the School of Computer Sciences and University Technology conduct a Hacker Challenge several times a year).


Use -> many users may not turn on drive encryption, thinking that they may lose their data.

Users may not remember the admin password, and if installation of updates requires the admin password, updates may not be applied on time!
