14-Operating systems Security

The document outlines the security goals of operating systems, focusing on confidentiality, integrity, and availability. It discusses the components of access control systems, including security policies, models, and mechanisms, as well as various access control techniques such as Discretionary Access Control (DAC) and Mandatory Access Control (MAC). Additionally, it covers the Bell-LaPadula and Biba models for access control, emphasizing the importance of secure operating systems that ensure complete mediation, tamperproof mechanisms, and verifiability.


Operating systems security

Dr. M. Brindha
Associate Professor
Department of CSE
NIT, Trichy-15
Security Goals
Protecting data and resources has three requirements
• Secrecy (confidentiality)
– Unauthorized disclosure
– Limits the objects (files/sockets) that a process can read
• Integrity
– Unauthorized modification
– Limits the objects that a process can write (objects may contain information that other processes depend on)
• Availability
– Limits the system resources that processes (or users) may consume
– Therefore preventing denial of service attacks
– Achieved by OS resource management techniques like fair scheduling
Confidentiality & Integrity
Achieved by Access Control
• Every access to an object in the system should be controlled
• All and only authorized accesses can take place
• Access: specifying an operation on the object, like read, write, execute, create, delete
Access Control Systems
• Development of an access control system has three components
– Security Policy: high level rules that define access control
– Security Model: a formal representation of the access control security policy and its working (this allows a mathematical representation of a policy, thereby aiding in proving that the model is secure)
– Security Mechanism: low level (sw/hw) functional implementations of policy and model
(Figure: Security Policy → Security Model → Security Mechanisms)
Security Policy
• A scheme for specifying and enforcing security policies in a system
• Driven by
– Understanding of threat and system design
• Often takes the form of a set of statements
– Succinct statements
– Goals are agreed upon either by
• The entire community
• Top management
• Or is the basis of a formal mathematical analysis
(Figure: Security Policy → Security Model → Security Mechanisms, with Security Policy highlighted)
A bad security policy model of a company
(Figure: an example policy document with the following annotations)
– Approval of policy should not be part of the policy document itself.
– Who enforces this?
– Who determines need to know?
– How are breaches detected?
– Whose duty is it to report them?
Security Model
• Why have it at all?
– It is a mathematical representation of the policy.
– By proving the model is secure and that the mechanism correctly implements the model, we can argue that the system is indeed secure (w.r.t. the security policy)
(Figure: Security Policy → Security Model → Security Mechanisms, with Security Model highlighted)
Security Mechanism
• Implementing a correct mechanism is non-trivial
• Could contain bugs in implementation which would break the security
• The implementation of the security policy must work as a 'trusted base' (reference monitor)
• Properties of the implementation
o Tamper proof
o Non-bypassable (all accesses should be evaluated by the mechanism)
o Security kernel: must be confined to a limited part of the system (scattering security functions all over the system implies that all code must be verified)
o Small, so as to achieve rigorous verification
(Figure: Security Policy → Security Model → Security Mechanisms, with Security Mechanisms highlighted)
Access Control Techniques
• DAC – Discretionary
• MAC – Mandatory
• RBAC – Role-based
Discretionary Access Control
• Discretionary (DAC)
– Access based on
• Identity of requestor
• Access rules state what requestors are (or are not) allowed to do
– Privileges granted or revoked by an administrator
– Users can pass on their privileges to other users
– Example: Access Matrix Model
Access Matrix Model
• By Butler Lampson, 1971
• Subjects: active elements requesting information
• Objects: passive elements storing information
– Subjects can also be objects
(Figure: access matrix with subjects as rows, objects as columns and rights in the cells)
• Other actions: ownership (property of objects by a subject), control (father-children relationships between processes)
Butler Lampson, "Protection", 1971
A formal representation of Access Matrix Model
Define an access matrix:
• Protection System consists of
– Generic rights
– Primitive operations
(Figure: access matrix with subjects, objects and generic rights)
Michael A. Harrison, Walter L. Ruzzo, Jeffrey D. Ullman, Protection in Operating Systems, 1974
A formal representation of Access Matrix Model
• Commands
(Figure: a command is built from generic rights and primitive operations on the access matrix)
Example Commands
• Create an object
• Confer 'r' right to a friend for the object
• Owner can revoke right from an 'ex' friend
(Figure: the three commands written out in the formal notation)
States of Access Matrix
• A protection system is a state transition system
(Figure: states linked by command 1, command 2)
• Leaky State:
– A state (access matrix) is said to leak a right 'r' if there exists a command that adds right 'r' into an entry in the access matrix that did not previously contain 'r'
(Figure: a command entering r into a previously empty cell)
– Leaks may not be always bad.
Is my system safe?
• Safety
– Definition 1: System is safe if access to an object without owner's concurrence is impossible
– Definition 2: A user should be able to tell if giving away a right would lead to further leakage of that right.
Safety in the formal model
• Suppose a subject s plans to give subject s' right r to object o.
– The question is whether the resulting state, with r entered into A[s',o], is such that r could subsequently be entered somewhere new.
– If this is possible, then the system is unsafe
Unsafe State (Example)
• Consider a protection system with two commands
(Figure: the two commands, one of them MODIFY_RIGHT)
• Scenario: Bob creates an application (object). He wants it to be executed by all others but not modified by them
• The system is unsafe due to the presence of MODIFY_RIGHT in the protection system.
– Alice could invoke MODIFY_RIGHT to get modification rights for the application
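The example commands, the leak test and Bob's unsafe scenario from the preceding slides, as an added illustration that is not from the slides themselves. The exact conditions of each command (in particular that MODIFY_RIGHT lets any subject holding 'x' enter 'w' for itself) are assumptions, since the deck only names the commands.

```python
from copy import deepcopy

class AccessMatrix:
    """HRU-style protection state: rights[s][o] is the set of generic rights
    subject s holds on object o. Subjects are also objects (each gets a column)."""
    def __init__(self):
        self.rights = {}                        # subject -> {object -> set(rights)}
    # primitive operations
    def create_subject(self, s):
        self.rights[s] = {o: set() for row in self.rights.values() for o in row}
        for row in self.rights.values():
            row.setdefault(s, set())
    def create_object(self, o):
        for row in self.rights.values():
            row.setdefault(o, set())
    def enter(self, r, s, o):  self.rights[s][o].add(r)
    def delete(self, r, s, o): self.rights[s][o].discard(r)
    def has(self, r, s, o):    return r in self.rights.get(s, {}).get(o, set())

# Commands = a condition on existing rights + primitive operations (conditions assumed).
def create_app(m, owner, o):                    # create an object; creator gets 'own'
    m.create_object(o); m.enter("own", owner, o)
def confer_read(m, owner, friend, o):           # confer 'r' to a friend
    if m.has("own", owner, o): m.enter("r", friend, o)
def revoke_read(m, owner, ex_friend, o):        # owner revokes 'r' from an ex-friend
    if m.has("own", owner, o): m.delete("r", ex_friend, o)
def confer_exec(m, owner, s, o):                # owner lets s execute o
    if m.has("own", owner, o): m.enter("x", s, o)
def modify_right(m, s, o):                      # MODIFY_RIGHT (assumed): any executor
    if m.has("x", s, o): m.enter("w", s, o)     # can grant itself 'w'

def leaks(m, right, command, *args):
    """A state leaks `right` if `command` enters it into a cell that did not
    already contain it. Runs on a copy, so the real matrix m is unchanged."""
    trial = AccessMatrix(); trial.rights = deepcopy(m.rights)
    command(trial, *args)
    return any(right in rs and not m.has(right, s, o)
               for s, row in trial.rights.items() for o, rs in row.items())

def bob_scenario():
    """Bob wants everyone to execute 'app' but nobody else to modify it.
    Returns (does conferring 'x' leak it, can 'w' then be entered somewhere new)."""
    m = AccessMatrix()
    for s in ("bob", "alice"): m.create_subject(s)
    create_app(m, "bob", "app")
    x_leak = leaks(m, "x", confer_exec, "bob", "alice", "app")   # a leak, but intended
    confer_exec(m, "bob", "alice", "app")
    w_leak = leaks(m, "w", modify_right, "alice", "app")         # unsafe: 'w' reachable
    return x_leak, w_leak
```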
Access Matrix Model Implementation (Authorization Table)
• Matrix not efficient
– Too large and too sparse
• Authorization Table
– Used in databases
– Needs to search entire table in order to identify access permission
Access Matrix Model Implementation (Capabilities)
• Capabilities
– Each user associated with a capability list, indicating, for each object, the permitted operations
– Advantage in distributed systems, since it prevents repeated authentication of a subject.
– Vulnerable to forgery: can be copied and misused by an attacker.
Access Matrix Model Implementation (ACL)
• Access Control Lists
– Each object is associated with a list indicating the operations that each subject can perform on it
– Easy to represent by small bit-vectors
ACL Implementation in Unix
• Users belong to exactly one group
• Each file has an owner
• Authorization for each file can be specified
– For file's owner (r, w, x: 3 bits)
– For the group (r, w, x: 3 bits)
– For the rest of the world (r, w, x: 3 bits)
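The 9-bit Unix ACL check described above, as an added example (not from the slides). It follows the slide's one-group model (a single gid per user) and shows the point a practitioner most often trips over: exactly one class, owner, group or other, is selected and only that class's bits count.

```python
import stat

def unix_permits(mode, file_uid, file_gid, uid, gid, op):
    """Classic Unix permission check on the 9 mode bits.
    Pick exactly one class for the requester (owner, else group, else other)
    and test that class's r/w/x bit. Because the class is exclusive, an owner
    with mode 0o077 is denied even though 'other' would be allowed.
    One gid per user, as on the slide (real systems also check supplementary groups)."""
    assert op in ("r", "w", "x")
    if uid == file_uid:
        bits = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR)
    elif gid == file_gid:
        bits = (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP)
    else:
        bits = (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
    return bool(mode & bits["rwx".index(op)])

def describe(mode):
    """Render the 9 bits the way ls does, e.g. 0o640 -> 'rw-r-----'."""
    return "".join(c if mode & (1 << (8 - i)) else "-"
                   for i, c in enumerate("rwxrwxrwx"))
```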
Vulnerabilities in Discretionary Policies
• Subjected to Trojan Horse attacks
– A Trojan horse can inherit all the user's privileges
– Why?
• A trojan horse process started by a user sends requests to OS on the user's behalf
Drawback of Discretionary Policies
• It is not concerned with information flow
– Anyone with access can propagate information
(Figure: a subject reads an object, copies it and passes it on)
• Information flow policies
– Restrict how information flows between subjects and objects
Mandatory Access Control
• Access based on regulations set by a central authority
• Most common form is multilevel security (MLS) policy
– Access Class
• Objects need a classification level
• Subjects need a clearance level
– A subject with X clearance can access all objects in X and below X, but not vice-versa
– Information only flows upwards and cannot flow downwards
Bell-LaPadula Model
• Developed in 1974
• Formal model for access control
• Four access modes:
– read, write, append, execute
• Two properties (MAC rules)
– No read up (simple security property (ss-property))
– No write down (*-property)

D. E. Bell and L. J. LaPadula, Secure Computer System: Unified


No read up
(Figure: a subject with clearance Confidential)
• Can only read confidential and unclassified files
No Write Down
(Figure: a subject with clearance Confidential)
• Cannot write into an unclassified object
Why No Write Down?
(Figure: a process with confidential clearance, infected with a trojan, reads a higher-classified object and writes to a lower level)
• A process infected with a trojan could read confidential data and write it down to unclassified
• We trust users but not subjects (like programs and processes)
Limitations of BLP
• Write up is possible with BLP
• Does not address Integrity Issues
(Figure: a user with clearance Confidential writing to a file with classification Secret)
User with clearance can modify a secret document
BLP only deals with confidentiality. Does not take care of integrity.
Biba Model
• Bell-LaPadula upside down
• Ignores confidentiality and only deals with integrity
• Goals of integrity
– Prevent unauthorized users from making modifications in a document
– Prevent authorized users from making improper modifications in a document
• Incorporated in Microsoft Windows Vista
Biba Properties
(Figure: High integrity above Low integrity)
Properties
No read down: Simple Integrity Theorem
No write up: * Integrity Theorem
Why no Read Down?
(Figure: High integrity above Low integrity)
• A higher integrity object may be modified based on a lower integrity document
Example
(Figure: General above Captains above Privates)
• Read Up: a document from the General should be read by all
• No Read Down: a private's document should not affect the General's decisions
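The BLP and Biba rules of the preceding slides, enforced by a small reference monitor that mediates every read and write, as an added example (not from the slides). Level names, object labels and the trojan trace are constructed; the monitor applies both policies so that the BLP write-up limitation and the Biba read-down rule can be seen on the same objects.

```python
# Confidentiality levels (BLP) and integrity levels (Biba), each a total order.
CONF = {"unclassified": 0, "confidential": 1, "secret": 2}
INTEG = {"low": 0, "high": 1}          # constructed: two levels suffice here

def blp_allows(op, clearance, classification):
    """Bell-LaPadula: ss-property forbids read up, *-property forbids write down.
    Write *up* remains allowed, which is the integrity gap noted for BLP."""
    s, o = CONF[clearance], CONF[classification]
    return s >= o if op == "read" else s <= o

def biba_allows(op, subject_level, object_level):
    """Biba (BLP upside down): simple integrity forbids read down,
    * integrity forbids write up."""
    s, o = INTEG[subject_level], INTEG[object_level]
    return s <= o if op == "read" else s >= o

class ReferenceMonitor:
    """Complete mediation: every read/write is decided by check() and audited.
    Each object carries (classification, integrity); both policies must agree."""
    def __init__(self, objects):
        self.objects = objects          # name -> (classification, integrity)
        self.audit = []                 # every decision is recorded
    def check(self, subject, op, obj):
        clearance, s_integ = subject
        classification, o_integ = self.objects[obj]
        ok = (blp_allows(op, clearance, classification)
              and biba_allows(op, s_integ, o_integ))
        self.audit.append((op, obj, "allow" if ok else "deny"))
        return ok

def trojan_trace():
    """A trojan in a confidential process reads confidential data and tries
    to write it to an unclassified object (labels constructed for the example)."""
    rm = ReferenceMonitor({"plans.doc": ("confidential", "high"),
                           "public.txt": ("unclassified", "high"),
                           "budget.xls": ("secret", "high")})
    process = ("confidential", "high")
    rm.check(process, "read", "plans.doc")     # allowed: read at own level
    rm.check(process, "write", "public.txt")   # denied by *-property: no write down
    rm.check(process, "write", "budget.xls")   # allowed by BLP: write up
    return rm.audit
```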
Secure Operating Systems
• A secure OS has 3 requirements
– Complete mediation
• Access enforcement mechanisms of OS should mediate all security-sensitive operations.
– Tamperproof
• Access enforcement mechanisms of OS should not be modifiable by an untrusted process
– Verifiable
• The access enforcement mechanisms of OS must be small enough to be completely and thoroughly tested.
THANK YOU