Systems Security & Audit Operating Systems security.


Page 1: Systems Security & Audit Operating Systems security.

Systems Security & Audit

Operating Systems security

Page 2: Systems Security & Audit Operating Systems security.

Contents

Review of the objectives of an operating system

Things to protect and protection methods

Trusted Operating System

Protection of memory

Protection of other objects

Page 3: Systems Security & Audit Operating Systems security.

Function of the Operating System

Control the use of the resources of the computer:

CPU time

Memory

I/O

File storage

Page 4: Systems Security & Audit Operating Systems security.

CPU time

Fair use

No hogging by a single process (multiprocessing)

Managed by a scheduler

Page 5: Systems Security & Audit Operating Systems security.

Memory

Assign sufficient memory to run the program

Return memory to the OS after use

Managed by the programmer and later by the memory manager (part of the OS)

Page 6: Systems Security & Audit Operating Systems security.

Objects that are protected

Memory

Sharable I/O devices, e.g. disks

Serially reusable I/O devices, e.g. printers

Sharable programs and procedures

Sharable data

Page 7: Systems Security & Audit Operating Systems security.

Process

A program in execution

Requires CPU time and memory (address space) to run

Address space contains the program code, the program's data, and the stack

System calls are required to run the program

Page 8: Systems Security & Audit Operating Systems security.

Memory protection

Fence

Relocation

Base/Bounds Register

Tagged architecture

Segmentation

Paging

Page 9: Systems Security & Audit Operating Systems security.

Segregation of memory: Fence

Figure: memory divided by a fence into system memory and user memory.

Page 10: Systems Security & Audit Operating Systems security.

Example: DOS

Figure: DOS memory map showing system memory and user memory, with the interrupt vectors at addresses 00000 to 00010 and further address labels AFFFF and FFFFF.

Page 11: Systems Security & Audit Operating Systems security.

COM files have a fixed starting address

Figure: two COM files loaded into memory (address labels 00000 and 00010). COM file 1: "I normally start here." COM file 2: "I am OK. This is my starting point."

Page 12: Systems Security & Audit Operating Systems security.

COM files have a fixed starting address

Figure: COM file 3 and COM file 2 both require the same fixed starting address (address labels 00000 and 00010). One of them: "Oops! I cannot run."

Page 13: Systems Security & Audit Operating Systems security.

EXE files are RELOCATABLE

Figure: COM file 3 and EXE file 1 loaded into memory (address labels 00000 and 00010). EXE file 1: "I can start anywhere."

Page 14: Systems Security & Audit Operating Systems security.

Base and Bound Register

Figure: user memory holding Application 1 and Application 2. Application 1 lies between its Base Address and its Bound Address: "I cannot go over this address." Application 2: "I am safe here."

Page 15: Systems Security & Audit Operating Systems security.

Tagged architecture

Figure: each machine word carries a tag alongside its data. Data: "I have the data address." Tag: "I know who can access this address."

Page 16: Systems Security & Audit Operating Systems security.

Segmentation

Figure: memory divided into Segment 1, Segment 2 and Segment 3. The segments: "We have different segment numbers." "Our addresses start from zero." The CPU has a number of segment registers.

Page 17: Systems Security & Audit Operating Systems security.

Segments of a process

Figure: the segments of a process, Text (code), Stack and Data, each with memory assigned and room for growth.

Page 18: Systems Security & Audit Operating Systems security.

Paging

Figure: pages. "We are fixed size." "We are virtual memory."

Page 19: Systems Security & Audit Operating Systems security.

Paging

Technique used in virtual memory systems to give a linear addressing space

Pages are of fixed size

The actual storage location may be in physical memory or on the hard disk

The MMU maps virtual memory to physical memory using page tables

Page 20: Systems Security & Audit Operating Systems security.

Paging

Can run a program that is too big to fit into physical memory

Makes programming easier, as memory is assigned by the MMU

The programmer (the instructions he wrote) cannot access physical memory directly

So it is MORE SAFE
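As an added illustration of the paging slides (example code, not from the lecture), the following C model of an MMU page table translates a virtual address through a constructed 16-entry table with present and r/w/x bits and returns a fault instead of a physical address when the page is swapped out or the access kind is not permitted. The 4 KiB page size, the table contents and the frame numbers are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed MMU model (added example, not from the lecture): 4 KiB pages and
 * a 16-entry page table.  A program only ever presents a virtual address; the
 * MMU consults the table and yields a physical address or raises a fault. */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NPAGES     16

enum { PTE_PRESENT = 1, PTE_R = 2, PTE_W = 4, PTE_X = 8 };  /* page table entry flags */
enum fault { OK = 0, FAULT_RANGE, FAULT_NOT_PRESENT, FAULT_PROTECTION };

typedef struct {
    uint32_t frame;  /* physical frame number (ignored when not present) */
    uint8_t  flags;  /* PTE_* bits */
} pte_t;

/* Translate vaddr for an access of kind want (PTE_R, PTE_W or PTE_X);
 * on OK, *paddr receives the physical address. */
enum fault translate(const pte_t *pt, uint32_t vaddr, uint8_t want, uint32_t *paddr)
{
    uint32_t vpn = vaddr >> PAGE_SHIFT;       /* virtual page number */
    uint32_t off = vaddr & (PAGE_SIZE - 1);   /* offset inside the page */
    if (vpn >= NPAGES)                  return FAULT_RANGE;        /* outside the address space */
    if (!(pt[vpn].flags & PTE_PRESENT)) return FAULT_NOT_PRESENT;  /* on disk: OS must page it in */
    if ((pt[vpn].flags & want) != want) return FAULT_PROTECTION;   /* e.g. write to a code page */
    *paddr = (pt[vpn].frame << PAGE_SHIFT) | off;
    return OK;
}

/* Constructed page table: code r-x, data rw- (one data page swapped out),
 * stack rw- in the top page; unlisted entries are not present. */
static const pte_t demo_pt[NPAGES] = {
    [0]  = { 7,  PTE_PRESENT | PTE_R | PTE_X },  /* text  at 0x0000 */
    [1]  = { 3,  PTE_PRESENT | PTE_R | PTE_W },  /* data  at 0x1000 */
    [2]  = { 9,  PTE_R | PTE_W },                /* data  at 0x2000, currently on disk */
    [15] = { 12, PTE_PRESENT | PTE_R | PTE_W },  /* stack at 0xF000 */
};

int main(void)
{
    uint32_t pa = 0;
    enum fault f = translate(demo_pt, 0x0010, PTE_R, &pa);
    printf("read 0x0010 -> fault %d, physical 0x%x\n", f, pa);
    printf("write 0x0010 -> fault %d; read 0x2000 -> fault %d; exec 0xF100 -> fault %d\n",
           translate(demo_pt, 0x0010, PTE_W, &pa), translate(demo_pt, 0x2000, PTE_R, &pa),
           translate(demo_pt, 0xF100, PTE_X, &pa));
    return 0;
}
```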

Page 21: Systems Security & Audit Operating Systems security.

Operating System: Layered system

Instructions have different privileges

The operating system is structured in layers

More structure means better management and better protection, but less efficiency

Page 22: Systems Security & Audit Operating Systems security.

Layer system

Layer 0: Processor allocation

Layer 1: Memory management

Layer 2: Process communication

Layer 3: Input/output management

Layer 4: User programs

Page 23: Systems Security & Audit Operating Systems security.

Ring system: Pentium

Ring 0: Kernel

Ring 1: System calls

Ring 2: Shared library

Ring 3: User program

Page 24: Systems Security & Audit Operating Systems security.

Kernel

The core of the OS that manages the CPU, memory and I/O services

Page 25: Systems Security & Audit Operating Systems security.

Security kernel

The place where the security mechanism and policies are applied

It prevents unauthorized access to system resources

It implements the Reference Monitor concept

Page 26: Systems Security & Audit Operating Systems security.

Kernel

Part of the OS that performs the lowest-level functions, such as:

Synchronization

Interprocess communication

Message passing

Interrupt handling

Page 27: Systems Security & Audit Operating Systems security.

Separate Security Kernel Level

1. Hardware

2. Security Kernel: access control, authentication

3. Operating System: resource allocation, sharing, hardware interactions

4. User tasks

Page 28: Systems Security & Audit Operating Systems security.

Intel Pentium Chip Ring Structure (figure)

Page 29: Systems Security & Audit Operating Systems security.

Protection of shared objects

No protection

Isolation

Share via access limitation (ACL); refer to the Bell-LaPadula model

Share by capabilities

Limited use of an object (permissions)

Process execution domain

Namespace

Share all or share nothing (declared public or private)

Page 30: Systems Security & Audit Operating Systems security.

File protection

Each file has a name, its data, and attributes. An attribute can be a protection field or a password.

File systems such as NTFS can attach a DACL to each individual file.

Encryption can also be applied to files.

Page 31: Systems Security & Audit Operating Systems security.

Access Control Matrix

                Operating System   Accounts Program   Accounting Data   Audit Trail
Sam (Sysop)     rwx                rwx                rw                r
Alice (Mgr)     rx                 x                  rx                -
Bob (Auditor)   rx                 r                  r                 r

Page 32: Systems Security & Audit Operating Systems security.

Access Control List

                Operating System   Accounts Program   Accounting Data   Audit Trail
Sam (Sysop)     rwx                rwx                rw                r
Alice (Mgr)     rx                 x                  rx                -
Bob (Auditor)   rx                 r                  r                 r

Each column of the matrix, the rights every subject holds on one object, is that object's access control list.

Page 33: Systems Security & Audit Operating Systems security.

Capability

                Operating System   Accounts Program   Accounting Data   Audit Trail
Sam (Sysop)     rwx                rwx                rw                r
Alice (Mgr)     rx                 x                  rx                -
Bob (Auditor)   rx                 r                  r                 r

Each row of the matrix, the rights one subject holds on every object, is that subject's capability list.

Page 34: Systems Security & Audit Operating Systems security.

ACL of Unix

Owner, Group, World

Read, Write, Execute

Example:

drwxrwxrwx Alice Accounts
-rw-r----- Alice Accounts
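As an added example (not code from the lecture), the C function below evaluates the two mode strings from the slide the way the classic Unix owner/group/world check does, including the owner-first rule that surprises many people: if the requester is the owner, only the owner bits count, even when the group bits would grant more. The names Alice, Bob and Carol and the group names are assumptions, and a user is modelled as belonging to a single group.

```c
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Added example (not from the lecture): evaluate a Unix mode string such as
 * "-rw-r-----" as the classic owner/group/world check does.  The requester
 * falls into exactly one class, owner first, then group, then world, and only
 * that class's three bits are consulted.  Assumes one group per user. */
typedef struct {
    const char *mode;   /* 10-character ls -l mode string, e.g. "-rw-r-----" */
    const char *owner;
    const char *group;
} file_t;

/* op is 'r', 'w' or 'x'; user_group is the requesting user's group. */
bool unix_allowed(const file_t *f, const char *user, const char *user_group, char op)
{
    if (strlen(f->mode) != 10) return false;              /* malformed entry: deny */
    int cls;
    if (strcmp(user, f->owner) == 0)            cls = 0;  /* owner triple: mode[1..3] */
    else if (strcmp(user_group, f->group) == 0) cls = 1;  /* group triple: mode[4..6] */
    else                                        cls = 2;  /* world triple: mode[7..9] */
    int bit = (op == 'r') ? 0 : (op == 'w') ? 1 : 2;
    char c = f->mode[1 + cls * 3 + bit];
    /* 's' or 't' in the x slot means setuid/setgid/sticky plus execute; the
     * capital forms mean the special bit is set without execute. */
    return c != '-' && c != 'S' && c != 'T';
}

/* The two entries from the slide: owner Alice, group Accounts. */
static const file_t dir_entry  = { "drwxrwxrwx", "Alice", "Accounts" };
static const file_t file_entry = { "-rw-r-----", "Alice", "Accounts" };

/* Constructed entry showing the owner-first rule: Alice owns the file and is
 * in its group, but only the owner bits apply to her, so she cannot read it. */
static const file_t owner_quirk = { "----rw----", "Alice", "Accounts" };

int main(void)
{
    printf("Bob (Accounts) reads file_entry:  %d\n", unix_allowed(&file_entry, "Bob", "Accounts", 'r'));
    printf("Bob (Accounts) writes file_entry: %d\n", unix_allowed(&file_entry, "Bob", "Accounts", 'w'));
    printf("Carol (Audit) reads file_entry:   %d\n", unix_allowed(&file_entry, "Carol", "Audit", 'r'));
    printf("Alice reads owner_quirk:          %d\n", unix_allowed(&owner_quirk, "Alice", "Accounts", 'r'));
    return 0;
}
```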

Page 35: Systems Security & Audit Operating Systems security.

ACL of Windows

Many defined groups, including Everyone

Finer division of privilege: Take ownership, List folder contents, Delete, etc.

Use of domains and trust

Group Policy to associate with sites, domains, and organizational units in Active Directory

Page 36: Systems Security & Audit Operating Systems security.

Well-formed Transaction

                   Operating System   Accounts Program   Accounting Data   Audit Trail
Sam (Sysop)        rwx                rwx                r                 r
Alice (Mgr)        rx                 x                  -                 -
Accounts Program   rx                 r                  rw                w
Bob (Auditor)      rx                 r                  r                 r

Page 37: Systems Security & Audit Operating Systems security.

Well-formed Transaction

Access triple of (User, Program, File)

Refer to the Clark-Wilson model
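The following C program is an added example (not code from the lecture) that types in the matrix from the Well-formed Transaction slide and serves the Access Control Matrix, ACL and Capability slides as well: a row is a subject's capability list, a column is an object's ACL, and the well_formed check enforces the (User, Program, File) access triple, so Alice can write Accounting Data only through the Accounts Program, never directly. The enum names and the string form of the rights are assumptions.

```c
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* The matrix from the "Well-formed Transaction" slide typed in as data
 * (example code added here, not from the lecture).  Rows are subjects,
 * columns objects, each cell the rights string shown on the slide. */
enum { OS, ACCOUNTS_PROG, ACCOUNTING_DATA, AUDIT_TRAIL, NOBJ };   /* objects  */
enum { SAM, ALICE, PROGRAM, BOB, NSUBJ };                          /* subjects */

static const char *objects[NOBJ]   = { "Operating System", "Accounts Program",
                                       "Accounting Data", "Audit Trail" };
static const char *subjects[NSUBJ] = { "Sam (Sysop)", "Alice (Mgr)",
                                       "Accounts Program", "Bob (Auditor)" };
static const char *matrix[NSUBJ][NOBJ] = {
    [SAM]     = { "rwx", "rwx", "r",  "r" },
    [ALICE]   = { "rx",  "x",   "-",  "-" },
    [PROGRAM] = { "rx",  "r",   "rw", "w" },   /* the program acting as a subject */
    [BOB]     = { "rx",  "r",   "r",  "r" },
};

/* Direct check: does subject s hold right c ('r', 'w' or 'x') on object o?
 * A row is the subject's capability list, a column the object's ACL. */
bool allowed(int s, int o, char c)
{
    return strchr(matrix[s][o], c) != NULL;
}

/* Clark-Wilson style access triple (user, Accounts Program, file): the user
 * reaches the file only by executing the program, with the program's rights. */
bool well_formed(int user, int file, char c)
{
    return allowed(user, ACCOUNTS_PROG, 'x') && allowed(PROGRAM, file, c);
}

/* Print one object's ACL, i.e. the column view of the matrix. */
void print_acl(int o)
{
    printf("ACL of %s:\n", objects[o]);
    for (int s = 0; s < NSUBJ; s++)
        printf("  %-17s %s\n", subjects[s], matrix[s][o]);
}

int main(void)
{
    print_acl(ACCOUNTING_DATA);
    printf("Alice writes Accounting Data directly: %s\n", allowed(ALICE, ACCOUNTING_DATA, 'w') ? "allowed" : "denied");
    printf("Alice writes it via Accounts Program:  %s\n", well_formed(ALICE, ACCOUNTING_DATA, 'w') ? "allowed" : "denied");
    return 0;
}
```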

Page 38: Systems Security & Audit Operating Systems security.

Access Control Model

Figure: access control model. A Principal acts through a Subject, whose Request is checked by the Reference Monitor before it reaches the Object.

Page 39: Systems Security & Audit Operating Systems security.

Access Control Model

Principals: the user or machine that has a name and a SID. A local user is Machine\principal; a domain user is Domain\Principal

Subject: a program with a user identity

Request: a set of operations: read/write/execute/append/erase

Object: resources, memory, files, registry, printer

Page 40: Systems Security & Audit Operating Systems security.

Windows authorization model

Page 41: Systems Security & Audit Operating Systems security.

Access Token

Security credentials of subjects

Page 42: Systems Security & Audit Operating Systems security.

Virtualization

A virtual machine is a collection of real or simulated hardware facilities: a CPU that runs an instruction set, an amount of addressable memory space, and some I/O devices. This enables programs designed for that CPU to be executed on the host computer.

Page 43: Systems Security & Audit Operating Systems security.

Virtualization

It provides another layer of control between the OS and the application programs in the computer system. Thus a fault in one virtual machine does not affect the operation of another virtual machine, or of the whole system.

It is a sandbox for insecure operations

Page 44: Systems Security & Audit Operating Systems security.

Reading

Security in Computing Chapter 6