Computer Security

Updated 2007-02-02 01:52

Protection in General-Purpose Operating Systems

Multiprogrammingan OS supports multiprogramming; that is, the concurrent use of a system by more than one user.
Executivesthe first OS where simple utilities called executives, designed to assist individual programmers and to smooth the transition form one user to another.
Multi-programmed operating systems (monitors)Oversaw each program’s execution; Monitors took an active role, whereas executives were passive; Multiple users introduced more complexity and risk; Protecting one user’s programs and data from other users’ programs became an important issue in multi-programmed OS
What aspects of a computing system require protection?Memory; Sharable I/O devices, such as disks; Serially reusable I/O devices, such as printers and tape drives; Sharable programs and sub-procedures; Networks; Sharable data
Separation in an OS can occur in several ways (Mention 4)Physical separation; Temporal separation; Logical separation; Cryptographic separation
An OS can support separation on sharing in several ways, offering protection at any of several levels: (mention 6)Do not protect; Isolate; Share all or share nothing; Share via access limitation; Share by capabilities; Limit use of an object
Define Granularitythe size of something you are dealing with. The larger the level of object controlled, the easier it is to implement access control.
Fenceto prevent a faulty user program from destroying part of the resident portion of the OS. It is a method to confine users to one side of a boundary
Fence registeranother implementation which used a hardware register. Containing the address of the end of the OS. In contrast to a fixed fence, in this scheme the location of the fence could be changed. A fence register protects only in one direction.
Relocationis the process of taking a program written as if it began at address 0 and changing all addresses to reflect the actual address at which the program is located in memory.
Relocation Factoris the starting address of the memory assigned for the program
Base registera variable fence register is generally know as a base register.
Bounds registeris an upper address limit, in the same way that a base or fence register is a lower address limit
Context switchpreparation that the OS must perform when transferring control form one user to another
Tagged Architecturein which every word of machine memory has one or more extra bits to identify the access rights to that word.
Segmentationinvolves the simple notion of dividing a program into separate pieces. Each piece has a logical unity, exhibiting a relationship among all of its code or data values. Segmentation allows a program to be divided into many pieces having different access rights.
Segment Address TableThe operating system must maintain a table of segment names and their true addresses in memory
PagingOne alternative to segmentation is paging. The program is divided into equal-sized pieces called pages, and memory is divided into equal-sized units called page frames
objects for which protection is desirableMemory; A file or data set on an auxiliary storage device; An executing program in memory; A directory of files; A hardware device; A data structure, such as a stack; A table of the operating system; Instruction, especially privileged instructions; Passwords and the user authentication mechanism; The protection mechanism itself
Access control listThere is one such list for each object, and the list shows all subjects who should have access to the object and what their access is.
Wild cardsmeaning placeholders that designate "any user" (or "any group" or "any compartment").
Access control matrixa table in which each row represents a subject, each column represents an object, and each entry is the set of access rights for that subject to that object
Capabilityis an unforgeable token that gives the possessor certain rights to an object.
Domain or local name spaceThe domain is the collection of objects to which the process has access. A domain for a user at a given time might include some programs, files, data segments, and I/O devices such as a printer and a terminal.
KerberosKerberos implements both authentication and access authorization by means of capabilities, called tickets, secured with symmetric cryptography. Microsoft has based much of its access control in NT+ on Kerberos. Kerberos requires two systems, called the authentication server (AS) and the ticket-granting server (TGS), which are both part of the key distribution center (KDC). A user presents an authenticating credential (such as a password) to the authentication server and receives a ticket showing that the user has passed authentication. Obviously, the ticket must be encrypted to prevent the user from modifying or forging one claiming to be a different user, and the ticket must contain some provision to prevent one user from acquiring another user's ticket to impersonate that user. Kerberos implements single sign-on; that is, a user signs on once and from that point on all the user's (allowable) actions are authorized without the user needing to sign on again.
procedure-orientedprotection, we imply the existence of a procedure that controls access to objects (for example, by performing its own user authentication to strengthen the basic protection provided by the basic operating system). In essence, the procedure forms a capsule around the object, permitting only certain specified accesses.
Role-based access controllets us associate privileges with groups, such as all administrators can do this or candlestick makers are forbidden to do this. Administering security is easier if we can control access by job demands, not by person. Access control keeps up with a person who changes responsibilities, and the system administrator does not have to choose the appropriate access control settings for someone.
all-or-none protection is unacceptable for several reasonsLack of trust; Too coarse; Rise of sharing; Complexity; File listings
Authentication mechanisms use any of three qualities to confirm a user’s identity1) Something the user knows: Password, PIN numbers, mother ‘s maiden name. etc. 2) Something the user has: Identity badges, physical keys, driver license, etc. 3)Something the user is: (biometrics) fingerprint, person’s voice, face (picture), etc.
Biometricsare based on a physical characteristic of the user, such as a fingerprint, the pattern of a person's voice, or a face (picture). These authentication methods are old (we recognize friends in person by their faces or on a telephone by their voices) but are just starting to be used in computer authentications.
Multifactor AuthenticationUsing additional authentication information is called multifactor authentication
two-factor authenticationtwo forms of authentication
Attacks on Passwords, (in decreasing order of difficulty)• Try all possible passwords. •Try frequently used passwords. •Try passwords likely for the user. •Search for the system list of passwords. •Ask the user.
exhaustive or brute force attackthe attacker tries all possible passwords, usually in some automated fashion.
Saltis a 12-bit number formed from the system time and the process identifier. Thus, the salt is likely to be unique for each user, and it can be stored in plaintext in the password file.
Password Selection Criteria•Use characters other than just AZ •Choose long passwords. •Avoid actual names or words •Choose an unlikely password •Change the password regularly •Don't write it down •Don't tell anyone else (social engineering)
One-time passwordis one that changes every time it is used. Instead of assigning a static phrase to a user, the system assigns a static mathematical function. The system provides an argument to the function, and the user computes and returns the function value. Such systems are also called challenge-response systems because the system presents a challenge to the user and judges the authenticity of the user by the user's response.
Identification versus AuthenticationTwo concepts are easily confused: identification and authentication. Biometrics are very reliable for authentication but much less reliable for authentication. The reason is mathematical. All biometric readers operate in two phases: First, a user registers with the reader, during which time a characteristic of the user (for example, the geometry of the hand) is captured and reduced to a template or pattern. During registration, the user may be asked to present the hand several times so that the registration software can adjust for variations, such as how the hand is positioned. Second, the user later seeks authentication from the system, during which time the system remeasures the hand and compares the new measurements with the stored template. If the new measurement is close enough to the template, the system accepts the authentication; otherwise, the system rejects it. Every template is thus a pattern of some number of measurements.
Problems with Biometrics•Biometrics are relatively new, and some people find their use intrusive. •Biometric recognition devices are costly •All biometric readers use sampling and establish a threshold for when a match is close enough to accept. •Biometrics can become a single point of failure. Consider a retail application in which a biometric recognition is linked to a payment scheme: As one user puts it, "If my credit card fails to register, I can always pull out a second card, but if my fingerprint is not recognized, I have only that one finger." Forgetting a password is a user's fault; failing biometric authentication is not. • Although equipment is improving, there are still false readings. •The speed at which a recognition must be done limits accuracy •Although we like to think of biometrics as unique parts of an individual, forgeries are possible. The most famous example was an artificial fingerprint produced by researchers in Japan
Phishingin which an unsuspecting user submits sensitive information to a malicious system impersonating a trustworthy one. Common targets of phishing attacks are banks and other financial institutions because fraudsters use the sensitive data they obtain from customers to take customers' money from the real institutions.

Designing Trusted Operating Systems

Security services general operating systems provide1.memory protection 2.file protection 3.general object access control 4.user authentication
Four major underpinnings of a trusted operating system1.Policy 2.Model 3.Design 4.Trust
Our trust in the system is rooted in two aspects1.Features: the operation system has all the necessary functionality needed to enforce the expected security policy. 2.Assurance: the operation system has been implemented in such a way that we have confidence it will enforce the security policy correctly and effectively.
We say that software is trusted software if we know that the code has been rigorously developed and analyzed, giving us reason to trust that the code does what it is expected to do and nothing more.
Trusted Processa process that can affect system security, or a process whose incorrect or malicious execution is capable of violating system security policy.
Trusted Productan evaluated and approved product.
Trusted Softwarethe software portion of a system that can be relied upon to enforce security policy.
Trusted computing basethe set of all protection mechanisms within a computing system, including hardware, firmware, and software, that together enforce a unified security policy over a product or system.
Trusted Systema system that employs sufficient hardware and software integrity measures to allow its use for processing sensitive information.
Security Policyis a statement of the security we expect the system to enforce.
Military Security Policyis based on protecting classified information. Each piece of information is ranked at a particular sensitivity level, such as: •Unclassified •Restricted •Confidential •Secret •Top secret
Need-to-know ruleaccess to sensitive data is allowed only to subjects who need to know those data to perform their jobs.
CompartmentsEach piece of classified information may be associated with one or more projects, called compartments.
Class or Classificationis the combination <rank; compartments> of a piece of information.
Clearanceis an indication that a person is trusted to access information up to a certain level of sensitivity and that the person needs to know certain categories of sensitive information.
Two significant differences between commercial & military information securityo Out of the military there is usually no formalized notion of clearances o The rules for allowing access are less regularized out of the military
Clark-Wilson Commercial Security Policy• Well-formed transaction: Performing the steps in order, performing exactly the steps listed, and authenticating the individuals who perform the steps • The goal of the Clark-Wilson policy is to maintain consistency between the internal data and the external (users) expectations of those data. • Clark and Wilson present their policy in terms of constrained data items, which are processed by transformation procedures. • Transformation procedures: is like a monitor in that it performs only particular operations on specific kinds of data items. The transformation procedures maintain the integrity of the data items by validating the processing to be performed. • Clark and Wilson propose defining the policy in terms of access triples: <userID, TPi, {CDIj, CDIk, …}> o Combining a transformation procedure, one or more constrained data items, and the identification of a user who is authorized to operate on those data items by means of the transaction procedure.
Separation of Duty • Clark and Wilson raised this issue in their analysis of commercial security requirements, and Lee and Nah and Poland added to the concept. • The required division of responsibilities is called separation of duty.
Chinese Wall Security Policy • Brewer and Nash defined a security policy called the Chinese Wall that reflects certain commercial needs for information access protection. • The security requirements reflect issues relevant to those people in legal, medical, investment, or accounting firms who might be subject to conflict of interest. • Conflict of Interest: exists when a person in one company can obtain sensitive information about people, products, or services in competing companies. • The security policy builds on three levels of abstraction: o Objects o Company groups o Conflict classes • Each object belongs to a unique company group, and each company group is contained in a unique conflict class. A conflict class may contain one or more company groups. • The Chinese Wall is a commercially inspired confidentiality policy. • Most other commercial policies focus on integrity. • It is also interesting because access permission change dynamically as a subject accesses some objects, other objects that would previously have been accessible are subsequently denied.
Lattice Model2005, Bell. Is called like this, because its elements form a mathematical structure called lattice. • The largest element of the lattice is the classification <top secret; all compartments> and the smallest element is <unclassified; no compartments> • The military model is a lattice
Bell-La Padula Confidentiality Model• Is a formal description of the allowable paths of information flow in a secure system. • The model’s goal is to identify allowable communication when maintaining secrecy is important. • This model is a formalization of the military security policy and was central to the US Department of Defence’s evaluation criteria. • Bell-La Padula model is useful as the basis for the design of systems that handle data of multiple sensitivities. • Two properties characterize the secure flow of information: 1. Simple Security Property: a subject s may have read access to an object o only if C(o) ≤ C(s) 2. *-Property (called the “star property”): a subject s who has read access to an object o may have write access to an object p only if C(o) ≤ C(p)
Biba Integrity ModelBiba constructed a model for preventing inappropriate modification of data. • Biba defines integrity levels which are analogous to the sensitivity levels of the Bell La Padula model • The properties are: 1. Simple Integrity Property: Subject s can modify object o only if I(s) ≥ I(o) 2. Integrity *-Property
Graham-Denning Model• A formal system of protection rules • This model forms the basis for two later models of security systems • The Graham-Dennimg model operates on a set of subjects S, a set of objects O, a set of rights R, and an access control matrix A. • For each object, one subject designated the “owner” has special rights • Another subject designated the “controller” has special rights • The Graham-Denning model has eight primitive protection rights: ( 1. Create object 2. Create subject 3. Delete object 4. Delete subject 5. Read access right of s on o 6. Delete access right r of s on o 7. Grant access right r to s on o 8. Transfer access right r or r* to s on o)
Harrison-Ruzzo-Ullman Results (HRU)• Proposed a variation on the Graham-Denning model. • This revised model answered several questions concerning the kinds of protection a system • This model is also called HRU model. • This model is based on commands, where each command involves conditions and primitive operations. • This command is structured like a procedure, with parameters o1 through ok. • In HRU every subject is an object, too. • Each r is a generic right, and each op is a primitive operation
Take-Grant Systems• This model has only four primitive operations: o Create, revoke, take, and grant • This operations are presented most naturally through the use of graphs
Trusted Operating SystemsAdding the responsibility for security enforcement to the operating system substantially increases the difficulty of designing an operating system.
Security Features of Ordinary Operating Systems• User Authentication • Memory protection • File and I/O device access control • Allocation and access control to general objects • Enforced sharing • Guaranteed fair service • Interprocess communication and synchronization • Protected operation system protection data
Magnetic remanencevery precise and expensive equipment can sometimes separate the most recent data from the data previously recorded, form that data before that, and so forth.
Complete Mediationmeans that all access are checked.
Trusted Pathan unmistakable communication, to ensure that they are supplying protected information only to a legitimate receiver.
Accountability and AuditAccountability usually entails maintaining a log of security-relevant events that have occurred, listing each event and the person responsible for the addition, deletion, or change.
Audit Log ReductionAudit reduction, using separate tools to reduce the volume of the audit data. In this way, if an event occurs, all the data have been recorded and can be consulted directly. However, for most analysis, the reduced audit log is enough to review.
Intrusion DetectionIntrusion detection software builds patterns of normal system usage, triggering an alarm any time the usage seems abnormal. After a decade of promising research results in intrusion detection, products are now commercially available. Some trusted operating systems include a primitive degree of intrusion detection software.
3 Trusted operating systems properties1) Kernelized design (a result of least privilege and economy of mechanism) 2) Isolation (the logical extension of least common mechanism) 3) Ring-structuring (an example of open design and complete mediation).
Kernelized DesignA kernel is the part of an operating system that performs the lowest-level functions. In standard operating system design, the kernel implements operations such as synchronization, interprocess communication, message passing, and interrupt handling. The kernel is also called a nucleus or core.
Reference monitorThe portion that controls accesses to objects. A reference monitor is not necessarily a single piece of code; rather, it is the collection of access controls for devices, files, memory, interprocess communication, and other kinds of objects. A reference monitor acts like a brick wall around the operating system or trusted software.
Trusted computing base, or TCBIs the name we give to everything in the trusted operating system necessary to enforce the security policy. Alternatively, we say that the TCB consists of the parts of the trusted operating system on which we depend for correct enforcement of policy. The TCB, which must maintain the secrecy and integrity of each domain, monitors four basic interactions: Process activation. -Execution domain switching. - Memory protection. -I/O operation.
Four ways to separate one process from othersPhysical-temporal - cryptographic - Logical separation.
Hierarchical structuring• Permits identification of the most critical parts, which can then be analyzed intensely for correctness, so the number of problems should be smaller. • Isolation limits effects of problems to the hierarchical levels at and above the point of the problem, so the effects of many problems should be confined.
Assuranceways of convincing others that a model, design, and implementation are correct