Operating System Security: Chapter 8


Questions and Answers

The guiding principle of protection states that a subject should be given just enough ______ to perform their task, limiting potential damage.

privilege

A ______ attack involves a malicious program inheriting user privileges to perform unauthorized actions on behalf of the user.

trojan horse

______ access control is a protection system that can only be modified by trusted administrators, providing a higher level of security than discretionary controls.

Mandatory

In mandatory protection, subjects and objects are represented by ______, influencing the operations a subject can perform on an object.

labels

The goal of ______ limits which objects a process can read, thereby protecting sensitive information from unauthorized disclosure.

secrecy

Achieving both secrecy and integrity in access control requires defining what rights an entity has for a set of objects, which is the purpose of an ______ system.

access control

A ______ from one access matrix state to another involves adding or deleting subject, object, and operation assignments, modifying access permissions.

transition

The principle that rights cannot be granted if the grantor does not possess them is known as the ______ of Rights Principle.

Attenuation

The combination of hardware, software, and procedural components that enforce system security policy is known as the ______.

Trusted Computing Base

Isolating security-critical components from non-trusted ones is the key characteristic of TCB, known as ______.

isolation

Ensuring users can only access authorized resources aligns with the ______ characteristic of TCB, safeguarding system integrity.

access control

The ______ Module within the Reference Monitor maps process identity to a subject level and object reference to an object level for authorization.

Authorization

To ensure security, the access enforcement mechanism and protection system must be small enough for analysis and tests, showing it is ______.

verifiable

One of the key components of a Trust Model is a ______, which serves as the basis for enforcing security goals.

Reference monitor

An ______ can actively work on violating system security goals by injecting operations from the network to compromise the system.

attacker

In the context of system security, the term ______ refers to active entities, such as processes, that can request access to system resources.

subjects

The ______ ensures access enforcement by authorizing security-sensitive operations, protecting against those that may violate system security.

Reference Monitor

The three requirements of the Reference Monitor are complete mediation, being tamper-proof, and being ______.

verifiable

An ______ is a matrix that specifies what type of access each subject has to each object, defining permissions within the system.

access matrix

Revoking access rights can be immediate versus delayed, partial versus total, selective versus general, or temporary versus ______.

permanent

Flashcards

OS Security Responsibilities

OS manages resources and enforces security policies to prevent data theft and system crashes.

Principle of Least Privilege

A guiding principle where subjects are given only enough privilege to perform their tasks, limiting potential damage from bugs or abuse.

Protection

Ensures objects are accessed correctly and only by processes allowed to do so, using unique names and defined operations.

Discretionary Access Control (DAC)

DAC allows users to control access to their resources, but is vulnerable to Trojan horse attacks and unrestricted information flow.


Mandatory Access Control (MAC)

MAC is a protection system modified only by trusted administrators, using labels to define subject/object access rights.


Secrecy (Confidentiality)

Limits unauthorized disclosure by controlling which processes can read certain objects.


Integrity

Limits unauthorized modification by controlling which processes can write to certain objects.


Access Control System

Determines what rights an entity has for a set of objects, controlling access to ensure security.


Protection System Transition

Transition from one access matrix state to another, involving adding or deleting subject, object, or operation assignments.


Attenuation of Rights Principle

Subjects cannot grant rights they do not possess; they cannot give rights they don't have themselves.


Trusted Computing Base (TCB)

Combination of hardware, software, and procedural components enforcing the system's security policy.


Key Characteristics of TCB

Isolation, Minimality, Verification, and Access Control; access control ensures that user processes can only access authorized resources.


Access Matrix

Determines who can access an object, what objects can be accessed by a subject, and what operations a subject can perform on an object.


Mechanism vs. Policy in Access Matrix

The mechanism provides the access matrix and its rules, which are strictly enforced, while users dictate the policy: who can access which object and in what mode.


How Access Rights Can Be Revoked

Deletion of access rights from the access list; revocation can be immediate or delayed, partial or total, selective or general, temporary or permanent.


Reference Monitor

Takes requests and returns a binary response, indicating if the request is authorized by the reference monitor control policy.


Reference Monitor Components

Reference Monitor Interface, Authorization Module, and Policy Store


Requirements of Reference Monitor

Complete Mediation, Tamper-proof, and Verifiable, which requires simplicity for analysis and testing.


Trust Model

Consists of MAC, Reference Monitor, and TCB, providing the basis for enforcing security goals.


Threat Model

Set of operations an attacker uses to compromise a system by injecting operations and violating security goals.


Study Notes

  • Chapter 8 covers OS security, which is vital to prevent data theft.
  • The OS responsibilities include managing resources and enforcing security policies.

OS Responsibilities

  • OS performs various functions, including preventing system crashes and financial losses.
  • Mechanisms should ensure high performance and maximum CPU utilization.
  • Fair process switching (scheduling) and controlled access to resources are necessary.

Principle of Protection

  • The guiding principle is "least privilege", where a subject is given just enough privilege to perform tasks, limiting potential damage.
  • Privilege can be static or dynamic, changing as needed during a process or system's life.
  • Domain switching and privilege escalation are important concepts.

Types of Protection Systems

  • Protection systems have defined security requirements.
  • Protection aims at meeting security goals against errors from non-malicious entities, assuming trusted processes.
  • Security deals with achieving goals under potentially malicious processes.

Goals of Protection

  • Protection ensures objects are accessed correctly by authorized processes.
  • Protection includes a collection of objects (hardware or software) with unique names.

DAC (Discretionary Access Control)

  • DAC leaves access decisions to the discretion of users, who control access to their own resources.
  • Users can pass their privileges to other users/processes.

DAC Vulnerabilities

  • DAC is vulnerable to Trojan horse attacks, where malware can inherit user privileges.
  • Unrestricted information flow can occur without proper information flow policies restricting flow between subjects and objects.

MAC (Mandatory Access Control)

  • MAC is a protection system modifiable only by trusted administrators via trusted software.
  • Subjects and objects are represented as labels, with the protection state defining allowable operations.
  • Labeling state maps processes and system resources to labels.
  • Transitioning state defines legal ways to relabel processes and system resources.
  • Example labels: secret, unclassified, trusted, untrusted.
  • Secrecy/confidentiality limits disclosure of objects (which processes can read them); integrity limits modification (which processes can write to them).

Achieving Secrecy and Integrity

  • Achieved through Access Control Mechanisms.

Access Control Fundamentals

  • Access control rules dictate that only authorized accesses can take place.
  • The access control system determines what rights an entity has for a set of objects.

Protection System Transition

  • It involves transitioning from one access matrix state to another and includes operations to add or delete subject, object, or permission assignments.

Transition Semantics

  • Transition Semantics are owner-driven, delegated, or administrator-driven.

Attenuation of Rights Principle

  • Entities cannot grant rights they do not possess.

Trusted Computing Base (TCB)

  • TCB is the combination of hardware, software, and procedural components enforcing the system security policy.
  • A smaller, verifiable TCB leads to a more secure system.

Basic Access Control

  • Subject (active) and Object (passive)

Protection System

  • It has security requirements defined within it.
  • Consists of a protection state (links subjects to objects) and protection state operations.
  • The protection domain of a process must satisfy system security goals for a secure OS.

Key Characteristics of TCB

  • Isolation isolates security-critical components from non-trusted ones.
  • Minimality reduces the attack surface.
  • Verification ensures components are correct.
  • Access control allows access only to authorized resources.

TCSEC Orange Book

  • TCSEC (Trusted Computer System Evaluation Criteria), known as the Orange Book, defines criteria for evaluating trusted computer systems.
  • TCB-based security is used in modern OS.

Windows Security

  • Windows Secure Kernel isolates security-critical functions in Virtual Secure Mode.
  • TPM (Trusted Platform Module) ensures secure boot and execution.

Linux Security

  • SELinux and AppArmor implement Mandatory Access Control (MAC).
  • KVM and Docker allow for container-based isolation.

Access Matrix

  • It consists of subjects, objects, and operations, defining who can access what.
  • Operations add or delete access rights; special access rights include own, copy, control, and transfer.
  • The mechanism provides the access matrix and its rules; the matrix can be manipulated only by authorized agents, and the rules are strictly enforced.

Separating Mechanism from Policy

  • The access matrix can be expanded to dynamic protection.
  • The user dictates policy: who can access which object and in what mode.

Revoking Access Rights

  • This may be done immediately or delayed, partially or totally, selectively or generally, temporarily or permanently.
  • With an access list, revocation is done by deleting access rights from the list; this supports immediate, partial/total, selective/general, and temporary/permanent revocation.

Reference Monitor

  • System calls undergo security checks in the reference monitor.
  • Reference monitor takes requests as input and returns a binary response indicating authorization.

Components of a Reference Monitor

  • Reference Monitor Interface interacts with the RM
  • Authorization Module converts RM interface input into queries.
  • Enforcement mechanism authorizes security-sensitive operations.
  • Policy Store is a database housing protection, labeling, and transition states.

Requirements of Reference Monitor

  • Complete Mediation ensures all security-sensitive operations are mediated.
  • Tamper-proof: Access enforcement cannot be modified by untrusted processes.
  • Verifiable: the access enforcement mechanism and protection system must be small and simple enough for analysis and testing.
  • System calls are subjected to security checks in the reference monitor.

Trust Model

  • It consists of MAC, the reference monitor, and the TCB, and provides the basis for enforcing security goals.

Threat Model

  • It involves operations an attacker uses to compromise the system.
  • The attacker injects operations from the network; the job of OS developers is to protect the TCB.
  • The attacker is in control of running software and uses it to violate system security goals.
