Operating system
fundamental controllers of all system resources
Operating System features
Enforce sharing
Synchronization
Protect Critical data
Guarantee Service
Interface to Hardware
User Authentication
Memory Protection
Access Control
The first operating systems were simple utilities
executives
T/F The transition of the operating system from executive to monitor was also a shift from supporting to controlling the user.
True
Process
assigned system resources
domain
resources of a process
A process has one or more
threads
tasks
smallest executable unit of code.
Protect objects
Memory
Shareable I/O devices, disks
serially reusable I/O devices, printers and tape drives
Shareable programs and sub procedures
Networks
Shareable data
audit logs
show what happened in an incident
Virtualization
providing the appearance of one set of resources by using different resources
Hypervisor or Virtual Machine Monitor (VMM)
software that implements a virtual machine
sandbox
an environment from which a process can have only limited, controlled impact on outside resources
honeypot
system to lure an attacker into an environment that can be both controlled and monitored
Separation in an OS
Physical separation - different processes use different physical objects
Temporal separation - processes having different security requirements are executed at different times
Logical separation - users operate under the illusion that no other processes exist
Cryptographic separation - processes conceal their data and computations
Methods of supporting separating/sharing
Do not protect
Isolate
Share all or share nothing
Share but limit access
Limit use of an object
Fence
Memory protection to prevent a faulty user program from destroying part of the resident portion of the OS.
fence register
location of the fence could be changed.
T/F A fence register protects in only one direction
True
base register
Variable fence register supporting the OS's ability to dynamically load processes (lower memory location)
bounds register
upper address limit that allows the operating system to bound the user's program space.
T/F Each program address is forced to be above the base address and below the bounds address.
True
tagged architecture
every word of machine memory has one or more extra bits to identify access rights to that word
(2 bytes, old and uncommon, better than a ton of fences)
segmentation
notion of dividing a program into separate pieces. loading programs eagerly into memory, separating them into segments where necessary
Segmentation security benefits
-Each address reference is checked
-Many different classes of data items can be assigned different levels of protection
-Two or more users can share access to segment
-A user cannot generate an address or access to an unpermitted segment
paging
The program is divided into equal-sized pieces called pages and memory is divided into equal-sized units called page frames.
Allows the security advantages of segmentation with more efficient memory management
Difference between segmentation and paging
The basic difference between paging and segmentation is that a page is always of fixed block size whereas, a segment is of variable size.
Paging may lead to internal fragmentation as the page is of fixed block size, but it may happen that the process does not acquire the entire block size which will generate the internal fragment in memory. The segmentation may lead to external fragmentation as the memory is filled with the variable sized blocks.
In paging the user only provides a single integer as the address, which is divided by the hardware into a page number and offset. On the other hand, in segmentation the user specifies the address in two quantities, i.e. segment number and offset.
Page out
blocks that are not likely to be used soon
Page in
blocks that are needed now
thrashing
paging in/out repeatedly to the point of significantly degraded performance
Pinned Pages
Pages that are never swapped once loaded
Combined paging with segmentation
programmer could divide a program into logical segments. Each segment was then broken into fixed-size pages
Simplicity design of OS
designing to avoid complications
Layered Design
Layers enable trust and limit risk
kernel
part of the OS that performs the lowest-level functions (synchronization, interprocess communication, message passing, interrupt handling)
security kernel
responsible for enforcing the security mechanisms
Design reasons why security functions may be isolated in a security kernel
Coverage - every access to a protected object must pass through the security kernel
Separation - isolation makes it easier to protect those mechanisms from penetration by the OS or the users.
Unity - security functions performed by single set of code, it is easier to trace the cause of any problems
Modifiability- changes easier to make and test
Compactness - performs only security functions
Verifiability - security kernel can be analyzed rigorously
Disadvantage of security kernel
May degrade system performance because the kernel adds another layer of interface between users' programs and operating system resources.
The most important part of a security kernel is the
reference monitor (controls accesses to objects)
Reference monitor
separates subjects and objects, enforcing that a subject can access only those objects allowed by security policy
Correctness
Implies that because an operating system controls the interaction between subjects and objects, security must be considered in every aspect of its design
Completeness
requires that security functionality be included in all places necessary
Secure Design Principles
least privilege
economy of mechanism
open design
complete mediation
Permission based
separation of privilege
least common mechanism
ease of use
Trusted system
is one that has been shown to warrant some degree of trust that it will perform certain activities faithfully
To trust any program, these certain key characteristics are important
Functional correctness - does what it is supposed to do
Enforcement of integrity - maintains correctness of data
Limited privilege - accesses secure data with minimized access
Appropriate confidence level - degree of trust appropriate for kind of data
Trusted systems have three characteristics
a defined policy
appropriate measures and mechanism
independent scrutiny or evaluation to ensure that mechanisms have been selected and implemented
Other trusted system characteristics
secure startup
trusted path
object reuse control
Audit
Trusted Computing Base (TCB)
name we give to everything in the trusted operating system that is necessary to enforce the security policy.
elements on which security enforcement could depend
Hardware
processes
primitive files
protected memory
some interprocess communication
TCB monitors four basic interactions
Process activation
Execution domain switching
Memory Protection
I/O operation
TCB Design
TCB code must run in some protected state that distinguishes it and protects it from interference or compromise by any code outside the TCB.
Security Kernel
1. Hardware
2. Operating System Kernel: Hardware interactions and access control
3. Operating System Kernel: resource allocation, sharing, access control and authentication
4. User Tasks
Secure startup
ensures no malicious code can block or interfere with security
Trusted path
unforgeable connection by which the user can be confident of communicating directly with the OS
Object reuse control
OS clears memory before reassigning it to ensure that leftover data doesn't become compromised
Audit
Trusted systems track security-relevant changes, such as installation of new programs or OS modification
Root
most privileged subject
(in Unix systems)
rootkit
An attack package that attains root status
splicing
technique allowing third-party code to be invoked to service interrupts and device driver calls
hooked
driver infected by splicing
Kernel-mode Rootkits
Traditional rootkit
Drawback: may make system less stable and be easier to detect
User-mode Rootkits:
remain installed by copying required files to the computer's hard drive
Firmware Rootkits - reinstalls from non-disk, firmware every reboot
Virtual Rootkits - system now boots into a custom VM that is pre-rooted