Operating System Security
20 Questions

Questions and Answers

Which of the following is the MOST critical responsibility of an operating system regarding resource management?

  • Focusing solely on speed and resource efficiency, disregarding process independence.
  • Prioritizing resource allocation based on the user who initiated the process.
  • Enabling high-performance use of computer resources while ensuring processes operate independently and fairly share those resources. (correct)
  • Allowing any process unrestricted access to all system resources for maximum performance.

An operating system is tasked with managing multiple processes. What is the primary challenge in this scenario?

  • Ensuring that all processes run sequentially to avoid conflicts.
  • Allowing concurrent processes to use computer resources while preserving their independence and ensuring fair sharing. (correct)
  • Guaranteeing that each process has exclusive access to all hardware resources at all times.
  • Minimizing the number of processes running simultaneously to simplify resource allocation.

Why is controlling access to resources a crucial aspect of a secure operating system?

  • To ensure that resources are used inefficiently, creating a challenge for developers.
  • To guarantee that all processes have equal priority, regardless of their security needs.
  • To allow processes to inadvertently impact each other's executions, fostering collaboration.
  • To prevent one process from maliciously or inadvertently affecting the execution of another process. (correct)

What are the TWO critical components for ensuring secure execution of processes within an operating system?

  • Correct implementation of resource mechanisms and scheduling mechanisms. (A)

Which of the following is a KEY characteristic of a secure operating system?

  • It enforces security goals despite facing various threats. (A)

Which software component is MOST critical to include within the Trusted Computing Base (TCB)?

  • The software that defines security goals and enforces those security goals. (D)

Why is it important to trust the software responsible for authenticating users (e.g., login, SSH) when constructing a TCB?

  • Because correct identification of users is crucial for enforcing security goals. (C)

Why is verifying the correctness of TCB software a complex task for operating system developers?

  • Because the amount of TCB software outside the operating system can be substantial and impractical to verify formally. (D)

What is the MOST important reason for an operating system developer to prove that their system has a viable trust model?

  • To ensure the system TCB mediates all security-sensitive operations, can be verified, and cannot be tampered with. (C)

Which of the following BEST describes a key challenge in establishing a Trusted Computing Base (TCB)?

  • Identifying all the software components that must be included in the TCB. (B)

Why is the integrity of the TCB a critical concern for system security?

  • A compromised TCB can undermine all security mechanisms and allow attackers to bypass security policies. (B)

What is the primary security risk associated with windowing systems like the X Window System in the context of a TCB?

  • Windowing systems provide mechanisms for sharing data between applications that may violate system security goals. (B)

Which of the following best describes the role of security mechanisms in a secure operating system?

  • To enforce security goals within the resource and scheduling mechanisms. (C)

What is the primary characteristic of a 'trusted' system, as the term is used in the context of operating system security?

  • It provides a high degree of assurance in the enforcement of its security policies. (C)

Which statement best describes the purpose of security goals in the context of operating systems?

  • They define the operations a system can execute while preventing unauthorized access. (B)

In the context of security goals related to system resource access, what does the principle of 'secrecy' primarily address?

  • Restricting which subjects can read specific objects to protect sensitive information. (B)

Which aspect of system security does the principle of 'integrity' primarily safeguard?

  • Preventing unauthorized modification of data. (C)

What is the main objective of 'availability' as a security goal?

  • To ensure resources are not exhausted by any single subject. (A)

Which of the following describes the trust model's function in a secure operating system?

  • It defines the set of software and data critical for enforcing security goals. (B)

What is the significance of minimizing the size of the Trusted Computing Base (TCB) in a secure operating system?

  • It minimizes the amount of code that needs to be trusted for security. (C)

Flashcards

Operating System

Software that manages hardware resources (CPU, memory, devices) for a computer system.

Processes

Operating systems run programs within these isolated execution environments.

Resource Mechanisms

Mechanisms that enable efficient usage of computer resources like file systems and memory management.

Scheduling

The act of managing and prioritizing processes' access to computer resources.

Secure Operating System

An OS that incorporates security mechanisms to enforce security goals against potential threats.

Security Mechanisms

Mechanisms ensuring secure operation by addressing resource and scheduling aspects.

Security Goals

Requirements for a system to operate securely, covering all processes it executes.

Security Goal (Definition)

Operations the system can perform while preventing unauthorized access.

Secrecy Requirements

Restricting what subjects can read to protect sensitive information.

Integrity Requirements

Restricting write access to protect information integrity.

Trusted Computing Base (TCB)

Software that defines and enforces security goals. Includes bootstrapping software.

Trusted Authentication Programs

Programs outside the OS (login, SSH) that the OS relies on for correct user identification.

Availability Requirements

Limiting resource consumption to prevent exhaustion of crucial resources like CPU.

Trust Model (TCB)

Software and data critical for enforcing system security goals.

Trusted System Services

Services like windowing systems that operate on behalf of all processes and could introduce security vulnerabilities.

Viable Trust Model

Ensuring that the OS has a working trust model.

TCB Mediation

The TCB must control all operations that involve security.

TCB Correctness Verification

Verifying that the TCB software, including its data, works as expected.

TCB Integrity Protection

Protecting the TCB software from modification by processes outside its boundaries.

Study Notes

  • Operating systems are software that grants access to hardware resources such as the CPU, memory, and devices.
  • Programs on a computer system need to execute CPU instructions and use peripheral resources.
  • Operating systems run programs as processes.
  • Developers must allow concurrently executing processes to use resources while preserving their independence and ensuring fair sharing of resources.

Building a Successful Operating System

  • The operating system must provide mechanisms enabling high-performance use of a computer's resources.
  • Operating systems should offer efficient resource management via file systems, memory management, and network protocol stacks so processes can use hardware.
  • The operating system should switch among processes fairly for good performance and access to the computer's devices.
  • Scheduling access to computer resources is essential.
  • Resource access should be controlled to prevent one process from negatively impacting another, either inadvertently or maliciously.
  • Ensuring the secure execution of processes is the concern of system security.
  • Correct resource and scheduling mechanism implementation is critical for secure execution.
  • Resource mechanisms must provide boundaries to prevent interference.
  • Scheduling mechanisms should make sure resources are available to prevent denial of service (DoS) attacks.

Secure Operating Systems

  • Security mechanisms within a secure operating system ensure security goals are enforced despite potential threats.
  • These mechanisms operate within the context of resource and scheduling mechanisms.
  • Security goals define secure operation requirements for any processes the system may execute.
  • Security mechanisms have to uphold these goals and prevent system misuse by attackers.
  • The idea of a "secure operating system" is considered an ideal concept.
  • Systems with a high degree of enforcement assurance are called secure or "trusted," but completely secure systems are rare given modern systems' complexity.
  • Studying how to build an ideal secure operating system is important when assessing OS security.

Security Goals

  • Security goals define how a system can execute operations while preventing unauthorized access.
  • Security goals describe system access to the resources the system implements, satisfying secrecy, integrity, and availability.
  • System access is modeled as subjects (processes/users) performing operations (read/write) on objects (files/sockets).
  • Secrecy limits the objects that subjects can read, so that secrets stay contained.
  • Integrity limits the objects that subjects can write, especially where others rely on the contained information for correct functioning.
  • Some subjects cannot be trusted to modify objects.
  • Availability limits the system resources that subjects may consume, to avoid exhaustion.
  • Security goals need to be clearly defined, practical, and allow popular software to run effectively.

Trust Model

  • A system's trust model defines the software and data crucial for enforcing system security goals.
  • The trust model for operating systems is termed the Trusted Computing Base (TCB).
  • A system TCB should have the minimum amount of software needed to enforce security goals correctly.
  • The software that must be trusted includes the software that defines and enforces the security goals, which includes the OS security mechanisms.
  • Software that bootstraps the TCB must be trusted.
  • Ideally, a TCB includes an element that enables security goals to be loaded and enforced throughout the system's lifespan, beginning from the software bootstrapping mechanism.
  • In practice, a system TCB contains wide-ranging software, and the enforcement mechanism operates within the OS.
  • Software running outside the OS has to be trusted as well.
  • For example, the OS relies on programs like login and SSH to authenticate users, which requires trusting them for correct identification.
  • Certain services are trusted to ensure a secure computing environment, such as windowing systems like X Window, which perform actions on behalf of running OS processes and have mechanisms that can violate security goals.
  • X Window and other such software must be added to a system's TCB.

Operating System Developer (Trust Model)

  • Developers must prove that their systems have viable trust models.
  • This involves the TCB mediating security-sensitive operations, verifying the correctness of the software, and preventing external tampering.
  • Identifying the TCB software is itself a complex process.
  • Verifying the correctness of TCB software can be a complex task.
  • In general-purpose systems, the amount of software that is not part of the core OS but is still part of the TCB often exceeds the core itself, so it is impossible to verify formally.
  • The system needs to protect the TCB and its data from unauthorized modification.
  • Maintaining TCB integrity to resist system threats is essential, because compromised software is not trustworthy.

Threat Model

  • A threat model defines how attackers can compromise system security.
  • Attackers are able to inject network operations and control software outside the TCB.
  • Attackers may actively try to violate the security goals of the system.
  • If a vulnerability allows an attacker to access secret information, or to modify information that other subjects depend on, the system is compromised.

Task of a Secure Operating System Developer

  • This involves protecting the TCB from different threats.
  • Protecting the TCB ensures that the security goals are enforced on user processes.
  • User processes are untrusted but are protected from threats.
  • A secure OS prevents user processes that have access to secret data from exfiltrating it, by limiting process interactions.
  • Protecting the TCB proves difficult because interactions with untrusted processes are inevitable.
  • The developer has to identify and assess threats and their impact on the system's security, and implement effective mitigation strategies so threats can be countered.
  • Each trusted computing base component must identify where untrusted network requests have come from, determine how system threats can impact the component's functions, and limit the commands and inputs it accepts as countermeasures.
  • The developer also needs to ensure that the components that have roles in the trusted computing base effectively prevent system threats.

Description

These questions cover the core security responsibilities of operating systems, including resource management, process isolation, and access control. They also cover the Trusted Computing Base (TCB) and trust models.