IS Module 4, Chapter 1

Operating System Security Models

Overview of Security Models

  • Operating System Security Model (Trusted Computing Base, TCB)

    • The TCB is the set of hardware, firmware and software components, and the rules they enforce, on which the security of the whole system depends.

    • Host security rests on the network protocols the OS runs: weaknesses at the protocol level undermine the OS operations built on top of them.

    • Effective security protects the entire host, including all software and hardware.

    • Modern OSes use a compartmentalized approach: components are isolated so that a fault or compromise in one does not bring down the rest.

Microkernel Approach

  • Definition: a small kernel provides only the core services (address spaces, scheduling, inter-process communication) over the hardware; drivers, file systems and other services run as separate, less privileged processes.

  • Key Advantages:

    • Smaller kernel: less code in the TCB, and easier to port across systems.

    • Supports a compartmentalized security strategy: a bug or compromise in one service is confined to that service instead of the whole kernel.

Security Risks of Underlying Protocols

TCP/IP Vulnerabilities

  • If the underlying protocols are insecure, the entire OS is at risk.

  • Main TCP/IP issues include:

    • Source addresses are not verified, so packets can be spoofed.

    • Established sessions can be hijacked by an attacker who can inject correctly numbered segments.

    • Predictable initial sequence numbers (ISNs) let an attacker guess the numbers a spoofed or injected segment needs.

    • The base protocols have no authentication or encryption: traffic can be forged and read in transit.

    • Susceptible to SYN flooding: half-open connections exhaust the listener's resources.
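The "predictable sequence guessing" point above, as an added example that is not part of the original notes. It is a pure simulation in Python: the two ISN generators are toy models (a fixed-increment ISN in the style of early BSD stacks, and a random 32-bit ISN), the attacker is a guessing loop, and nothing touches a real network or socket.

```python
# Added example (not from the notes): a simulation of why predictable TCP
# initial sequence numbers (ISNs) matter. Nothing here touches a network;
# both generators are toy models (a fixed-increment ISN in the style of
# early BSD stacks, and a random 32-bit ISN) and the "attacker" just guesses.
import os

MASK32 = 0xFFFFFFFF


class IncrementISN:
    """Toy model: the ISN advances by a fixed step for every new connection."""

    def __init__(self, step: int = 64_000):
        self.cur = 0
        self.step = step

    def next(self) -> int:
        self.cur = (self.cur + self.step) & MASK32
        return self.cur


class RandomISN:
    """Toy model: each ISN is drawn from the OS CSPRNG."""

    def next(self) -> int:
        return int.from_bytes(os.urandom(4), "big")


def attacker_success_rate(gen, trials: int = 200, window: int = 0) -> float:
    """Blind-spoofing model. The attacker opens two legitimate connections,
    learns two ISNs, extrapolates the pattern, and predicts the ISN that the
    next (spoofed) connection will be assigned. A guess counts as a hit if it
    lands within `window` of the real value: window=0 models the exact ACK
    number needed to complete a spoofed handshake; a larger window models
    injecting into an established session, where any in-window sequence
    number is accepted. Returns the fraction of trials that hit."""
    hits = 0
    for _ in range(trials):
        a, b = gen.next(), gen.next()          # attacker's own connections
        guess = (b + (b - a)) & MASK32         # extrapolate the observed step
        actual = gen.next()                    # ISN given to the spoofed connection
        if abs(actual - guess) <= window:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("fixed increment, exact guess :", attacker_success_rate(IncrementISN()))
    print("random ISN, exact guess      :", attacker_success_rate(RandomISN()))
    print("random ISN, 64 KiB window    :", attacker_success_rate(RandomISN(), window=65535))
```

With the fixed-increment generator the attacker predicts every ISN exactly; with the random generator the hit rate stays at zero even when a whole 64 KiB receive window counts as a hit, which is why modern stacks randomize ISNs (RFC 6528 style) rather than incrementing them.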

Benefits of TCP/IP Version 6

  • Security Improvements with IPv6:

    • IPsec (the AH and ESP extension headers) is part of the IPv6 specification rather than an add-on.

    • Provides authentication of packet origin and encryption of payloads.

    • Resists spoofing and protects data integrity when AH or ESP is in use.

    • Ensures confidentiality and privacy for data exchanges.

    • Caveat: IPv6 does not switch IPsec on by default; an IPv6 connection without AH or ESP configured is no more authenticated than an IPv4 one.

Access Control Lists (ACLs)

Purpose of ACLs

  • An ACL defines, for an object such as a file or directory, which subjects (users or groups) hold which access rights to it.

  • The OS evaluates the ACL against the requester's identity when a request for the object arrives.

Structure of ACLs

  • Entries: Each object has a security attribute identifying its ACL, with entries for each user’s access privileges.

  • Common Privileges:

    • Read access to files or directories.

    • Write access to files.

    • Execute permission for executable files.

Implementation in Windows

  • Each object is associated with an ACL made up of access control entries (ACEs); each ACE names a user or group (by SID) and an access mask stating which rights it allows or denies. ACEs are evaluated in order, with deny entries conventionally placed before allow entries.

Security Descriptors

  • An object's security descriptor can contain two ACLs:

    • Discretionary Access Control List (DACL): identifies the users/groups allowed or denied access. A missing (NULL) DACL grants everyone full access, while an empty DACL grants no access at all.

    • System Access Control List (SACL): specifies which access attempts are audited.

  • Unix Systems: use owner/group/other permission bits, optionally extended with POSIX ACLs (getfacl/setfacl) that add per-user and per-group entries.
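The Windows DACL/ACE evaluation described above, as an added example in Python that is not part of the original notes and calls no real Windows API. The mask bits, the trustee strings standing in for SIDs, and the sample file and tokens are all made up for the illustration; the evaluation order (NULL vs. empty DACL, deny before allow, stop once every requested bit is granted) is the behaviour the notes describe for the security reference monitor.

```python
# Added example (not from the notes): a Python model of how a Windows-style
# DACL is evaluated for an access request. Mask bits, names and the
# SID-like strings are illustrative; no real Windows API is called.
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Illustrative access-mask bits (the real Windows mask layout differs).
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
ALL = READ | WRITE | EXECUTE | DELETE


@dataclass
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group identifier (stands in for a SID)
    mask: int      # rights this entry allows or denies


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]]   # None models a NULL DACL (no protection)


@dataclass
class Token:
    user: str
    groups: Set[str] = field(default_factory=set)

    def sids(self) -> Set[str]:
        return {self.user} | self.groups


def access_check(token: Token, sd: SecurityDescriptor, requested: int) -> bool:
    """Return True only if every bit in `requested` is granted.

    Follows the order-sensitive rules of Windows AccessCheck:
    - a NULL DACL grants everything (a classic misconfiguration);
    - an empty DACL grants nothing;
    - ACEs are walked in order; a matching deny ACE that overlaps any
      still-needed bit fails the request at once, a matching allow ACE
      removes its bits from the needed set, and the walk stops as soon as
      nothing is left to grant.
    """
    if sd.dacl is None:
        return True
    remaining = requested
    for ace in sd.dacl:
        if remaining == 0:
            break
        if ace.trustee not in token.sids():
            continue
        if ace.kind == "deny" and (ace.mask & remaining):
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
    return remaining == 0


def is_canonical(dacl: Optional[List[Ace]]) -> bool:
    """Windows expects explicit deny ACEs ahead of explicit allow ACEs.
    An allow ACE placed before a deny ACE for an overlapping trustee
    quietly wins, because the walk stops once the rights are granted."""
    seen_allow = False
    for ace in dacl or []:
        if ace.kind == "allow":
            seen_allow = True
        elif seen_allow:
            return False
    return True


# Constructed sample: a file whose DACL denies Guests write access, lets
# Users read and write, and gives Admins everything.
PAYROLL = SecurityDescriptor(
    owner="alice",
    dacl=[
        Ace("deny", "Guests", WRITE),
        Ace("allow", "Users", READ | WRITE),
        Ace("allow", "Admins", ALL),
    ],
)
ALICE = Token("alice", {"Users", "Admins"})
BOB = Token("bob", {"Users", "Guests"})

if __name__ == "__main__":
    print("alice write:", access_check(ALICE, PAYROLL, WRITE))   # True
    print("bob read:   ", access_check(BOB, PAYROLL, READ))      # True
    print("bob write:  ", access_check(BOB, PAYROLL, WRITE))     # False
```

Two points worth checking in practice follow directly from the model: a security descriptor with a NULL DACL is world-writable even though nothing in it says so, and a DACL whose allow ACEs precede its deny ACEs lets the deny be skipped for anyone already granted the right, which is why Windows tools warn about non-canonical ACLs.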

Mandatory vs. Discretionary Access Control (MAC vs. DAC)

Key Differences

  • Discretionary Access Control (DAC):

    • The owner of an object decides who may access it and can grant or revoke privileges.

    • Common in commercial and academic sectors; not sufficient on its own for military use, since an owner (or malware running as the owner) can pass data on.

    • Flexible, and suited to individual users managing their own files.

  • Mandatory Access Control (MAC):

    • Access decisions are made by the system from labels on subjects and objects according to a fixed policy; individual owners cannot override them.

    • Provides the stringent control needed where sensitive information must not leak, for example across classification levels.

Security Models Summary

Primary Security Models

  • Bell-LaPadula:

    • Confidentiality model based on data classification. Simple security property: a subject may not read data above its security level ("no read up").

    • *-property: a subject may not write to data below its security level ("no write down"), so a high-level process cannot leak what it has read.

  • Biba:

    • Focus on integrity rather than confidentiality; prevents unauthorized modification of trusted data.

    • Strict integrity policy: a subject may not write to objects of higher integrity ("no write up") and may not read objects of lower integrity ("no read down"), the mirror image of Bell-LaPadula.

  • Clark-Wilson:

    • Integrity model built on well-formed transactions: constrained data items may be changed only through certified transformation procedures, steps are performed in a specified order by authenticated users, and separation of duty keeps the person who certifies a procedure distinct from the one who runs it.

Trusted Computer System Evaluation Criteria (TCSEC)

Overview of TCSEC

  • Heavily influenced by the Bell-LaPadula model; classifies systems into divisions D (lowest) through A (highest), each with numbered classes.

  • Three objectives in TCSEC development:

    1. Give users a yardstick for assessing how much trust to place in a computer system.

    2. Guide manufacturers on building secure products.

    3. Set a basis for specifying security requirements in software/hardware acquisitions.

TCSEC Ratings and Classifications

  • D - Minimal Protection:

    • Systems evaluated but failing to meet the requirements of any higher class; single-user systems such as MS-DOS fall here.

  • C1 - Discretionary Protection:

    • Discretionary access control and user identification/authentication, intended for cooperating users working at the same sensitivity level.

  • C2 - Controlled Access Protection:

    • Adds per-user access control, auditing of security-relevant events, and object reuse protection (storage is cleared before being reassigned).

  • B1 - Labeled Security Protection:

    • Sensitivity labels on subjects and objects, mandatory access control over labeled data, and label integrity (labels survive export), with an informal security policy model.

  • B2 - Structured Protection:

    • Formal security policy model, a structured TCB with a trusted path for login, and analysis of covert storage channels.

  • B3 - Security Domains:

    • TCB meets the reference monitor requirements (mediates all access, tamperproof, small enough to analyze), with a security administrator role, audit alerting and trusted recovery.

  • A1 - Verified Design:

    • Functionally the same as B3, but the highest class demands a formal design specification and formal verification of the design.

Labels in TCSEC

Role of Labels

  • Security labels carry the classification information attached to files, processes and devices.

  • Sensitivity labels combine a classification level with an optional set of categories (compartments); a subject may access an object only when its label dominates the object's label.

  • Integrity labels record how trustworthy data or a process is, for Biba-style integrity decisions.
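A worked, added example that is not part of the original notes, serving the MAC vs. DAC and Security Models Summary passages above as well as the labels here: a Python decision function that enforces Bell-LaPadula over sensitivity labels (level plus categories) and strict Biba over integrity labels. The level names, category names and the sample subject and objects are invented for the illustration; the dominance rule and the four read/write rules are the ones the notes state.

```python
# Added example (not from the notes): a reference-monitor style decision
# function that enforces Bell-LaPadula over sensitivity labels and strict
# Biba over integrity labels. Level names and categories are made up.
from dataclasses import dataclass
from typing import FrozenSet

# Totally ordered sensitivity levels (higher index = more sensitive).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
# Totally ordered integrity levels (higher index = more trustworthy).
INTEGRITY = {"untrusted": 0, "user": 1, "system": 2}


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a level plus a set of categories (compartments)."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: at least as high a level AND a superset of categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula: no read up (simple security), no write down (*-property)."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject_int: str, obj_int: str, op: str) -> bool:
    """Strict Biba: no read down, no write up."""
    s, o = INTEGRITY[subject_int], INTEGRITY[obj_int]
    if op == "read":
        return o >= s
    if op == "write":
        return s >= o
    raise ValueError(f"unknown operation {op!r}")


@dataclass(frozen=True)
class Subject:
    sens: Label
    integ: str


@dataclass(frozen=True)
class Obj:
    sens: Label
    integ: str


def mac_check(subject: Subject, obj: Obj, op: str) -> bool:
    """Mandatory decision: both policies must allow the access. The object's
    owner has no say, which is what distinguishes MAC from DAC."""
    return (blp_allows(subject.sens, obj.sens, op)
            and biba_allows(subject.integ, obj.integ, op))


# Constructed sample subject and objects.
ANALYST = Subject(Label("secret", frozenset({"crypto"})), "user")
REPORT = Obj(Label("confidential"), "user")                       # lower sensitivity
NATO_FILE = Obj(Label("secret", frozenset({"nato"})), "user")     # same level, other compartment
AUDIT_LOG = Obj(Label("secret", frozenset({"crypto"})), "system") # same label, higher integrity
UPLOAD = Obj(Label("top_secret", frozenset({"crypto"})), "untrusted")  # higher sensitivity, low integrity

if __name__ == "__main__":
    print("read report:    ", mac_check(ANALYST, REPORT, "read"))      # True
    print("read nato file: ", mac_check(ANALYST, NATO_FILE, "read"))   # False: missing category
    print("write audit log:", mac_check(ANALYST, AUDIT_LOG, "write"))  # False: Biba no write up
    print("write upload:   ", mac_check(ANALYST, UPLOAD, "write"))     # True: write up is fine under BLP
```

The NATO_FILE case shows that categories matter even at equal levels, and the AUDIT_LOG case shows the two models disagreeing: Bell-LaPadula permits the write because the labels are equal, but Biba refuses it because a user-integrity subject may not modify system-integrity data.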

Reference Monitor Concept

Overview

  • Proposed in 1972 by a U.S. Air Force panel (the Anderson report) to address security in shared computing environments.

  • An abstract machine that mediates every access by a subject to an object and enforces the security policy.

Key Features of Reference Monitor

  • Always invoked: every access passes through it, so it cannot be bypassed.

  • Tamperproof (isolated from the subjects it controls) and small enough to be analyzed and verified.

Windows Security Reference Monitor

  • Validates access permissions for processes against security descriptors for objects, ensuring compliance of access requests.

Trustworthy Computing Initiative

Goals

  • Focused on four pillars: security, privacy, reliability and business integrity.

  • Framework developed to ensure products are secure by design, secure by default and secure in deployment.

Secure by Design Requirements

  1. Build a secure architecture with security features.

  2. Reduce vulnerabilities in code.

  3. Ongoing protection post-deployment.

International Standards for Operating System Security

Common Criteria

  • Established to standardize information security evaluation.

  • Provides objective measures for assessing the security of IT products and systems.

Structure of Common Criteria

  1. Part 1: Introduction and general model.

  2. Part 2: Security functional requirements.

  3. Part 3: Security assurance requirements.

Protection Profiles and Security Targets

  • A Protection Profile (PP) states implementation-independent security requirements for a class of products (for example, operating systems).

  • A Security Target (ST) documents a specific product (the Target of Evaluation), the threats it addresses, and how its implementation meets the chosen requirements.

Challenges of Common Criteria

  • Administrative overhead and expense make certification labor-intensive.

  • Requires knowledgeable analysts, and accredited testing laboratories are few.

  • Long timelines to set up evaluation labs and complete evaluations.
