IS_Module4_Chap1_Operating_System_Security_Models_ksz1yXNKXz

Operating System Security Models

Overview of Security Models

  • Operating System Security Model (Trusted Computing Base, TCB)

    • Set of rules or protocols governing security functionality.

    • Security begins at the network protocol level, extending up to OS operations.

    • Effective security protects the entire host, including all software and hardware.

    • Modern OS use a compartmentalized approach to enhance security.

Microkernel Approach

  • Definition: Built around a compact kernel managing a common hardware level.

  • Key Advantages:

    • Smaller and easier to port across systems.

    • Supports a compartmentalized security strategy, which isolates damage potential.

Security Risks of Underlying Protocols

TCP/IP Vulnerabilities

  • If underlying protocols are insecure, the entire OS is at risk.

  • Main TCP/IP issues include:

    • Vulnerable to spoofing.

    • Vulnerable to session hijacking.

    • Predictable sequence guessing.

    • Lack of authentication and encryption.

    • Susceptible to SYN flooding.

Benefits of TCP/IP Version 6

  • Security Improvements with IPv6:

    • Incorporates IPSEC for enhanced security.

    • Includes authentication and encryption features.

    • Provides resilience against spoofing and safeguards for data integrity.

    • Ensures confidentiality and privacy for data exchanges.

Access Control Lists (ACLs)

Purpose of ACLs

  • An ACL defines the access rights each user possesses for objects like files or file directories.

  • Access is determined when the server receives a request based on predefined rules.

Structure of ACLs

  • Entries: Each object has a security attribute identifying its ACL, with entries for each user’s access privileges.

  • Common Privileges:

    • Read access to files or directories.

    • Write access to files.

    • Execute permission for executable files.

Implementation in Windows

  • Each object associates with an ACL containing access control entries (ACEs), listing user or group names and their access rights defined by an access mask.

Security Descriptors

  • An object's security descriptor can contain two ACLs:

    • Discretionary Access Control List (DACL): Identifies users/groups allowed or denied access.

    • System Access Control List (SACL): Controls access auditing.

  • Unix Systems: Also utilize access control based on user permissions and defined group roles.

Mandatory vs. Discretionary Access Control (MAC vs. DAC)

Key Differences

  • Discretionary Access Control (DAC):

    • Users can assign access privileges.

    • Common in commercial and academic sectors; not suited for military.

    • Allows flexible access controls, suitable for individual users.

  • Mandatory Access Control (MAC):

    • Access control cannot be influenced by individual object owners and is strictly governed.

    • Provides stringent security suitable for secure environments where sensitive information management is critical.

Security Models Summary

Primary Security Models

  • Bell-LaPadula:

    • Prevents users from reading data above their security level; focuses on data classification.

    • Prevents writing to lower classification data.

  • Biba:

    • Focus on integrity rather than confidentiality; prevents unauthorized modifications.

    • Ensures that no lower integrity data can be modified by higher integrity users.

  • Clark-Wilson:

    • Defined to support well-formed transactions, ensuring steps are performed in specified order and authenticated.

Trusted Computer System Evaluation Criteria (TCSEC)

Overview of TCSEC

  • Heavily influenced by the Bell-LaPadula model; aimed at classifying systems (levels A through D).

  • Three objectives in TCSEC development:

    1. Provide assessment yardstick for users on trusted computer systems.

    2. Guide manufacturers on building secure products.

    3. Set a basis for specifying security requirements for software/hardware acquisitions.

TCSEC Ratings and Classifications

  • D - Minimal Protection:

    • No security requirements; basic systems such as MS-DOS fall here.

  • C1 - Discretionary Protection:

    • Limited user access control; familiar user groups.

  • C2 - Controlled Access Protection:

    • Enhanced with auditing and more formal user roles and security.

  • B1 - Labeled Security Protection:

    • Mandatory security labeling and integrity checks on objects.

  • B2 - Structured Protection:

    • Advanced security model, tighter operational control.

  • B3 - Security Domains:

    • Comprehensive controls with mandated access and covert channel analysis.

  • A1 - Verified Design:

    • Highest certification demanding formal verification methods.

Labels in TCSEC

Role of Labels

  • Security labels contain critical classification information related to files, processes, and devices.

  • Sensitivity labels establish classification levels with potential categories.

  • Integrity labels determine the reliability of data for users.

Reference Monitor Concept

Overview

  • Developed in 1972 by a U.S. Air Force panel to address security issues in shared environments.

  • Acts as an access control point enforcing security policies.

Key Features of Reference Monitor

  • Always active; immune to preemption.

  • Designed to be tamper-proof and lightweight.

Windows Security Reference Monitor

  • Validates access permissions for processes against security descriptors for objects, ensuring compliance of access requests.

Trustworthy Computing Initiative

Goals

  • Focused on security, privacy, reliability, and business integrity.

  • Framework developed to ensure products are secure by design, default, and deployment.

Secure by Design Requirements

  1. Build a secure architecture with security features.

  2. Reduce vulnerabilities in code.

  3. Ongoing protection post-deployment.

International Standards for Operating System Security

Common Criteria

  • Established to standardize information security evaluation.

  • Provides objective measures for assessing the security of IT products and systems.

Structure of Common Criteria

  1. Part 1: Introduction.

  2. Part 2: Security functional requirements.

  3. Part 3: Security assurance requirements.

Protection Profiles and Security Targets

  • Defines standard security requirements for product types.

  • Ensures thorough documentation of product implementation and security threats.

Challenges of Common Criteria

  • Administrative overhead and expense leading to labor-intensive certification.

  • Required knowledgeable analysts and limited testing laboratories.

  • Extended timelines to establish evaluation labs.