2-Intro (OperatingSysSec).pdf

Imam Abdulrahman Bin Faisal University


CYS 408: Architecture of Secure Operating System
Topic: Operating System Security
Nazar Abbas Saqib, PhD ([email protected])

Outline
❑ What is an operating system?
❑ What is a secure operating system?
❑ Security goals
❑ Threat model
❑ Trust model

What is an Operating System?
▪ An Operating System (OS) is an interface between a computer user and the computer hardware.
▪ Computer users interact with the computer hardware through application software.
▪ Some popular operating systems include Linux, Windows, VMS, OS/400, AIX, z/OS, etc.

What is an Operating System? (continued)
▪ Some of the important functions of an operating system:
  • Processor management (scheduling): how to switch between processes?
  • Resource management: how to make use of the hardware resources?
  • Security: how to ensure OS security?

Operating System Kernel
▪ The operating system kernel is the core of the operating system; it coordinates operating system functions such as control of memory, CPU access, and storage.
  - The kernel communicates with the BIOS, the device drivers, and the API to perform these functions.
  - The kernel interfaces with the resource managers.

What is the difference between the OS and the OS kernel?
▪ OS: an interface between users and hardware resources. Kernel: an interface between software and the hardware of the computer.
▪ OS: a system program. Kernel: also a system program, and the heart of the OS.
▪ Kernel: responsible for process management, task management, memory management, and disk management. OS: in addition to the responsibilities of the kernel, responsible for the protection and security of the computer.

Application Software
▪ Application software, such as a spreadsheet or a word processor:
  • the Microsoft suite of products (Office, Excel, Word, PowerPoint, Outlook, etc.)
  • Internet browsers like Firefox, Safari, and Chrome
  • mobile software such as Pandora (for music), Skype (for real-time online communication), and Slack (for team collaboration)

Application Programming Interface (API)
▪ An application programming interface (API) is the software through which application software (and, through it, the user) requests services from the system.
  - Each time you use an app like Facebook, send an instant message, or check the weather on your phone, you are using an API.
  - A word-processing application may request to print some text; the API translates the request from the application into a request to the kernel.
▪ A system call provides the services of the operating system to user programs; user programs reach it through the API.

General operating system design
▪ Device drivers: programs that take requests from the API via the kernel and translate them into commands that manipulate specific hardware devices, such as disks, keyboards, monitors, and printers.
▪ Optional drivers: for other functions and devices, such as sound.
▪ Computer hardware: storage devices, CPU, mouse, keyboard, monitor, and printer.
▪ Resource managers: programs that manage computer memory and central processor use.

Basic Input/Output System (BIOS)
▪ The BIOS provides the basic I/O functions used to communicate with system devices such as the monitor, the keyboard, and disks.
▪ When the BIOS boots up (starts) the computer, it first determines whether all of the attachments are in place and operational, and then loads the operating system (or key parts of it) into the computer's random access memory (RAM) from the hard disk or diskette drive.

Subjects, Objects and Operations
▪ Objects: anything that holds data may be an object, including files, memory, directories, queues, inter-process messages, network packets, input/output (I/O) devices, and physical media.
▪ Subjects: active entities that can access or manipulate objects.
  • Users are subjects.
  • Within a system, a process, job, or task operating on behalf of a user is a subject.
  • I/O devices can act as either subjects or objects.
▪ Operations: what subjects can do to objects (e.g. read, write, append, update, execute, etc.).

How to build any successful operating system?
To build any successful operating system, three major functions must be implemented efficiently:
1. Resource mechanisms
2. Scheduling (process management)
3. Security

1st: Resource Mechanisms
▪ Operating systems must provide efficient resource mechanisms, such as file systems, memory management systems, network protocol stacks, etc., that define how processes use the hardware resources.
[Figure: resource mechanisms; memory (usually RAM) and disk (hard disk, for storage)]

2nd: Scheduling
▪ Switching between processes must be fair, such that the user experiences good performance from each process.
▪ The second problem is scheduling access to computer resources.

3rd: Security
▪ Access to resources should be controlled, such that one process cannot accidentally or maliciously impact the execution of another.
▪ This third problem is the problem of ensuring the security of all processes running on the system.
▪ How do we ensure the secure execution of processes?

Secure Execution of Processes
▪ Ensuring the secure execution of all processes depends on the correct implementation of the resource and scheduling mechanisms.

Correct implementation of resource mechanisms?
▪ Any correct resource mechanism must provide boundaries between its objects and ensure that its operations do not interfere with one another.
▪ Example: a file system must not allow a request to access one file to overwrite the disk space allocated to another file.
▪ Also, file systems must ensure that one write operation is not impacted by the data being read or written in another operation.

Correct implementation of scheduling mechanisms?
▪ Scheduling mechanisms must ensure the availability of resources to processes, to prevent denial-of-service attacks.
▪ Example: the algorithms applied by scheduling mechanisms must ensure that all processes are eventually scheduled for execution.
▪ These requirements are fundamental to operating system mechanisms.

Secure Operating Systems?
▪ A secure operating system provides security mechanisms that ensure that the system's security goals are enforced despite the threats faced by the system.
▪ These security mechanisms are designed to provide such a guarantee in the context of the resource and scheduling mechanisms.

Why does an operating system need security?
Security is an issue for two main reasons:
▪ 1st: processes in a modern computer system interact in a variety of ways.
  • Processes interact frequently: the output of one process may be used by other processes.
  • For example, a programmer uses an editor program to write a program's source code, and then compilers and linkers to transform the program.
  • The two processes may be running on different machines.
  • The OS may differ from one process to the other, so mediators (protocols) are needed.
[Figure: Process 1 and Process 2 on machines M1 and M2; first both Windows, then Windows and Linux]

Why does an operating system need security? (continued)
▪ 2nd: sharing of data among users, which is the fundamental use of computer systems.
  • Sharing data through e-mail, the web and instant messaging causes your computer to share additional, unexpected resources.
  • There are a number of ways to convey malware onto the system.
  • There are a variety of ways that users and processes can be tricked into running malware.
[Figure: a chat app on two Windows systems, System 1 and System 2]

Designing a Secure Operating System
▪ Building any secure system requires that we consider how the system achieves its security goals under a set of threats (i.e., a threat model) and given a set of software, including the security mechanisms, that must be trusted (i.e., a trust model).
▪ Designing a secure system therefore means answering the following:
  • What are the security goals?
  • What is the threat model?
  • What is the trust model?
[Figure: a secure system is defined by its security goals, threat model and trust model]

Threat Model
▪ A threat model defines the set of operations that an attacker may use to compromise a system.
▪ If the attacker is able to find a vulnerability that those operations can exploit, the attacker is said to have compromised the system.
▪ A secure operating system cannot trust processes outside of the TCB; they are part of the threat.
[Figure: main threats to an OS]

Security Goals
❑ Security goals describe which accesses to system resources the system must permit or prevent, stated in terms of secrecy, integrity, and availability (CIA).
❑ A system access is traditionally stated in terms of which subjects (e.g., processes and users) can perform which operations (e.g., read and write) on which objects (e.g., files and sockets).
▪ Secrecy (confidentiality) requirements limit the objects that individual subjects can read, because objects may contain secrets that not all subjects are permitted to know.
▪ Integrity requirements limit the objects that subjects can write, because objects may contain information that other subjects depend on for their correct operation; some subjects may not be trusted to modify those objects.
▪ Availability requirements limit the system resources (e.g., storage and CPU) that subjects may consume, because they may exhaust these resources.

Trust Model
▪ A system's trust model consists of the software and data upon which the system depends for its security.
▪ For an OS, this is called its Trusted Computing Base (TCB).
▪ Ideally, the TCB should be minimal.

Requirements of the Trust Model
The secure operating system developer must prove that the system has a viable trust model. This requires that:
(1) the system TCB mediates all security-sensitive operations;
(2) the correctness of the TCB software and its data is verified; and
(3) it is verified that the TCB software's execution cannot be tampered with by processes outside the TCB.

Requirements of the Trust Model: Problems
▪ Identifying the TCB software itself is not a trivial task.
▪ Verifying the correctness of the TCB software is a very complex task.
▪ The system must protect the TCB software and its data.

Summary
Building a truly secure operating system requires that it:
▪ enforce security goals;
▪ provide a clearly identified trusted computing base that defines a trust model;
▪ define a threat model for the trusted computing base, and ensure protection of the trusted computing base under that model.
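Worked example for the "Correct implementation of resource mechanisms?" slide. This is an added illustration, not code from the lecture: a toy block-based file system in which each file owns a disjoint set of disk blocks. The bounded write() refuses any byte that would land outside the file's own allocation, while write_unchecked() is the kind of defect the slide warns about: it trusts the caller's length and spills into the neighbouring file's blocks. Block size, disk size, file names and the "KEY!" content are constructed for the demo.

```python
# Added example (not from the lecture): a toy block-based file system showing
# why a resource mechanism must enforce boundaries between its own objects.
# Block size, disk size and file names are constructed for illustration.

BLOCK_SIZE = 4   # bytes per block, deliberately tiny so the demo is readable
DISK_BLOCKS = 8  # total blocks on the simulated disk


class FileSystemError(Exception):
    pass


class ToyFileSystem:
    """Each file owns a disjoint list of disk blocks. The bounded write()
    checks that every byte it touches lands in a block owned by the file."""

    def __init__(self):
        self.disk = bytearray(BLOCK_SIZE * DISK_BLOCKS)
        self.free = list(range(DISK_BLOCKS))  # free block list, lowest first
        self.files = {}                       # name -> list of block numbers

    def create(self, name, nblocks):
        if name in self.files:
            raise FileSystemError(f"{name}: already exists")
        if nblocks > len(self.free):
            raise FileSystemError("disk full")
        self.files[name] = [self.free.pop(0) for _ in range(nblocks)]

    def _locate(self, name, offset):
        """Map a byte offset inside `name` to (disk block, offset within block),
        refusing offsets outside the file's own allocation."""
        blocks = self.files[name]
        index, within = divmod(offset, BLOCK_SIZE)
        if offset < 0 or index >= len(blocks):
            raise FileSystemError(f"{name}: offset {offset} is outside its allocation")
        return blocks[index], within

    def write(self, name, offset, data):
        """Bounded write: validate the whole range first so a rejected write
        leaves the disk untouched, then copy byte by byte into owned blocks."""
        targets = [self._locate(name, offset + i) for i in range(len(data))]
        for (block, within), byte in zip(targets, data):
            self.disk[block * BLOCK_SIZE + within] = byte

    def write_unchecked(self, name, offset, data):
        """Deliberately broken write: computes a raw disk address from the file's
        first block and trusts the caller's length, so a long write spills into
        whatever blocks follow on disk, whoever owns them."""
        base = self.files[name][0] * BLOCK_SIZE
        self.disk[base + offset:base + offset + len(data)] = data

    def read(self, name):
        return b"".join(bytes(self.disk[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])
                        for b in self.files[name])


def demo(bounded):
    """Create attacker and victim files as neighbours on disk, store a secret,
    then let the attacker write 8 bytes into its own 4-byte file.
    Returns (victim contents afterwards, outcome of the attacker's write)."""
    fs = ToyFileSystem()
    fs.create("attacker.bin", 1)   # gets block 0
    fs.create("secret.txt", 1)     # gets block 1, physically adjacent
    fs.write("secret.txt", 0, b"KEY!")
    try:
        if bounded:
            fs.write("attacker.bin", 0, b"X" * 8)
        else:
            fs.write_unchecked("attacker.bin", 0, b"X" * 8)
        outcome = "allowed"
    except FileSystemError:
        outcome = "rejected"
    return fs.read("secret.txt"), outcome


if __name__ == "__main__":
    print("unchecked:", demo(bounded=False))   # (b'XXXX', 'allowed'): secret clobbered
    print("bounded:  ", demo(bounded=True))    # (b'KEY!', 'rejected'): secret intact
```

Note that no access-control policy is involved: the attacker only ever names its own file. The boundary has to be enforced by the resource mechanism itself, which is the slide's point that security depends on the correctness of the mechanisms underneath the policy.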
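Worked example for the "Correct implementation of scheduling mechanisms?" slide and the availability goal. This is an added illustration, not code from the lecture: three tick-based schedulers run over the same constructed workload (a CPU-bound "cpu_hog" at high priority, plus "backup" and "shell" at lower priorities; the names, priorities and 30-tick horizon are assumptions). Strict priority starves the lower-priority processes indefinitely, a denial of service by the scheduler itself; round robin and priority-with-aging both guarantee that every process is eventually scheduled, and longest_wait() measures the bound.

```python
# Added example (not from the lecture): starvation under strict priority
# versus schedulers that guarantee every runnable process eventually runs.
from collections import deque

# Constructed workload for the demo: every process is always runnable
# (CPU-bound) and has a static priority; a higher number is more important.
PROCS = {"cpu_hog": 10, "backup": 5, "shell": 1}


def strict_priority(procs, ticks):
    """Run the highest-priority runnable process on every tick.
    Returns the list of process names that ran, one entry per tick."""
    return [max(procs, key=procs.get) for _ in range(ticks)]


def round_robin(procs, ticks):
    """Rotate through the ready queue; each process gets one tick per round."""
    ready, schedule = deque(procs), []
    for _ in range(ticks):
        current = ready.popleft()
        schedule.append(current)
        ready.append(current)
    return schedule


def priority_with_aging(procs, ticks):
    """Priority scheduling with aging: a process's effective priority grows by
    one for every tick it is passed over and resets when it runs, so even the
    lowest-priority process is eventually chosen (bounded waiting)."""
    effective, schedule = dict(procs), []
    for _ in range(ticks):
        winner = max(effective, key=effective.get)   # ties go to the earlier entry
        schedule.append(winner)
        for name in effective:
            effective[name] = procs[name] if name == winner else effective[name] + 1
    return schedule


def run_counts(schedule, procs):
    """Ticks received by each process."""
    return {name: schedule.count(name) for name in procs}


def longest_wait(schedule, procs):
    """Longest stretch of consecutive ticks each process spent not running.
    A value equal to len(schedule) means the process never ran (starvation)."""
    waits = {}
    for name in procs:
        longest = current = 0
        for running in schedule:
            current = 0 if running == name else current + 1
            longest = max(longest, current)
        waits[name] = longest
    return waits


def starved(schedule, procs):
    """Sorted names of processes that never got the CPU."""
    return sorted(name for name, n in run_counts(schedule, procs).items() if n == 0)


if __name__ == "__main__":
    for scheduler in (strict_priority, round_robin, priority_with_aging):
        schedule = scheduler(PROCS, 30)
        print(f"{scheduler.__name__:22s} runs={run_counts(schedule, PROCS)} "
              f"longest_wait={longest_wait(schedule, PROCS)} "
              f"starved={starved(schedule, PROCS)}")
```

Under strict priority the "shell" process waits all 30 ticks, so any longer horizon would only make the starvation worse; under aging the wait is bounded and grows with the priority gap rather than with the run length. Real schedulers add many refinements, but the availability requirement on the slide is exactly this: no runnable process may be postponed forever.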
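Worked example tying together the "Subjects, Objects and Operations" slide, the three security goals, and requirement (1) of the trust model (the TCB mediates all security-sensitive operations). This is an added illustration, not code from the lecture: a small reference monitor holding an access matrix of (subject, object) to permitted operations. Read permissions express secrecy, write permissions express integrity, a per-subject storage quota expresses availability, and the policy itself is an object that only the TCB subject ("kernel") may write, so an untrusted process cannot grant itself access. The subjects, object names, matrix entries and quota sizes are all constructed for the demo.

```python
# Added example (not from the lecture): a reference monitor that mediates every
# operation a subject performs on an object and enforces secrecy, integrity and
# availability goals. Subjects, objects, policy entries and quotas are constructed.
from collections import defaultdict

READ, WRITE, EXECUTE = "read", "write", "execute"


class Denied(Exception):
    pass


class ReferenceMonitor:
    """All accesses to objects go through access(); the object store has no
    other entry point (complete mediation). The access matrix is itself an
    object named 'policy', so changing it is a mediated write (tamper-proofing)."""

    def __init__(self, matrix, quotas):
        self.matrix = {key: set(ops) for key, ops in matrix.items()}  # (subject, object) -> ops
        self.quotas = dict(quotas)           # subject -> bytes it may write in total
        self.used = defaultdict(int)         # subject -> bytes written so far
        self.store = defaultdict(bytes)      # object -> contents
        self.audit = []                      # (subject, op, object, decision)

    def _decide(self, subject, op, obj):
        allowed = op in self.matrix.get((subject, obj), set())
        self.audit.append((subject, op, obj, "allow" if allowed else "deny"))
        if not allowed:
            raise Denied(f"{subject} may not {op} {obj}")

    def access(self, subject, op, obj, data=b""):
        self._decide(subject, op, obj)                     # secrecy (read) / integrity (write)
        if op == WRITE:
            if self.used[subject] + len(data) > self.quotas.get(subject, 0):
                self.audit.append((subject, "quota", obj, "deny"))   # availability
                raise Denied(f"{subject} exceeded its storage quota")
            self.used[subject] += len(data)
            self.store[obj] += data
        return self.store[obj] if op == READ else None

    def grant(self, subject, target_subject, obj, op):
        """Policy change: only a subject allowed to write 'policy' may do this."""
        self._decide(subject, WRITE, "policy")
        self.matrix.setdefault((target_subject, obj), set()).add(op)


def build_monitor():
    """Constructed policy: alice owns her notes, bob may only read them, the
    password file is writable by the kernel alone, and only the kernel (the TCB)
    may modify the policy object."""
    matrix = {
        ("alice", "/home/alice/notes"): {READ, WRITE},
        ("bob", "/home/alice/notes"): {READ},
        ("alice", "/etc/passwd"): {READ},
        ("bob", "/etc/passwd"): {READ},
        ("kernel", "/etc/passwd"): {READ, WRITE},
        ("kernel", "policy"): {READ, WRITE},
    }
    quotas = {"alice": 16, "bob": 16, "kernel": 1 << 20}
    return ReferenceMonitor(matrix, quotas)


def _outcome(action):
    try:
        action()
        return "allowed"
    except Denied:
        return "denied"


def demo():
    """Exercise each goal once and return a dict of outcomes."""
    rm = build_monitor()
    results = {}
    rm.access("alice", WRITE, "/home/alice/notes", b"hello")
    results["bob_reads"] = rm.access("bob", READ, "/home/alice/notes")              # secrecy: permitted
    results["bob_writes"] = _outcome(lambda: rm.access("bob", WRITE, "/home/alice/notes", b"x"))       # integrity
    results["alice_integrity"] = _outcome(lambda: rm.access("alice", WRITE, "/etc/passwd", b"root::0:0"))
    results["alice_quota"] = _outcome(lambda: rm.access("alice", WRITE, "/home/alice/notes", b"A" * 20))  # availability
    results["bob_grants_self"] = _outcome(lambda: rm.grant("bob", "bob", "/home/alice/notes", WRITE))  # tamper attempt
    rm.grant("kernel", "bob", "/home/alice/notes", WRITE)                           # TCB changes policy
    results["bob_writes_after_grant"] = _outcome(lambda: rm.access("bob", WRITE, "/home/alice/notes", b"!"))
    results["denials"] = sum(1 for *_, decision in rm.audit if decision == "deny")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24s} {value!r}")
```

The audit list is what a real monitor would emit as security log events; every decision, allow or deny, passes through _decide(), which is the property requirement (1) asks for. Requirements (2) and (3) are what make this worth anything: the monitor is only as good as its own correctness and its protection from the processes it mediates, which is why the slides insist the TCB be small and verifiable.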
