Chapter 1 Introduction

Posted on 20-Dec-2015

Page 1: Chapter 1 Introduction. Chapter Overview Overview of Operating Systems Secure Operating Systems Basic Concepts in Information Security Design of a Secure

Chapter 1

Introduction

Page 2

Chapter Overview

• Overview of Operating Systems

• Secure Operating Systems

• Basic Concepts in Information Security

• Design of a Secure Operating System

• Threats to a Secure Operating System

• Define the problem (roughly)

Page 3

What is an Operating System?

• Provides/controls access to the various hardware resources in the system.

• Runs and administers processes.

Tasks:

• Mechanisms that enable high performance (efficient use) of computer systems.

• Fair process administration.

• Control access to resources to provide security.

Page 4

Figure of an Operating System

Page 5

Why is security an issue?

• Processes share data and interact in other ways:

– The output of one process is often used by other processes.

– Processes can share information, often across computers or networks.

– Sometimes the shared information is malicious: it is designed to leak other information that should not be shared.

• The challenge is to develop operating systems that allow information to be shared without permitting this behavior.

Page 6

The state of Security in Operating Systems

• Formal security models and mechanisms have been defined, but they do not completely apply to practical systems.

• Two kinds of operating systems:

– Constrained, very secure systems

– General purpose systems with a low level of security assurance.

• Recent advances are improving both kinds of operating systems.

Page 7

What is a Secure Operating System?

• A Secure Operating System provides security mechanisms that ensure that the system's security goals are enforced despite the threats faced by the system.

• It is an ideal, because it is impossible to write a bug-free program.

• It is an oxymoron in the sense that an OS is too complicated to be secure.

Page 8

Security Goals

• Define the operations that can be executed by a system while still preventing unauthorized operations.

• Should be defined at a high abstraction level.

• Should be implementable and demonstrable.

Page 9

Basic Concepts in Information Security

• Confidentiality: Keeping data from being disclosed to unauthorized parties.

• Integrity: Keeping data from being modified except by authorized parties.

• Availability: Making it possible for data to be accessed by those who are supposed to access it.

Page 10

Basic Parties and Concepts in Operating System Security

• Subjects: Programs/processes (acting on a user's behalf)

• Objects: files, sockets and other system resources.

• Operations: What the subjects can do on the objects (e.g. read, write, append, update, execute, etc.)

Page 11

The Security Quandary

• Security goals should be defined so they can be verified: functional goals are insufficient.

• Confidentiality and integrity goals are so restrictive that they sacrifice functionality for security.

• New technology, for example virtual machine technology, may bridge the gap.

• Also, general purpose OSs may now be capable of expressing and enforcing security goals.

Page 12

The Trust Model

• A system's Trust Model consists of the software and data upon which the system depends for system security.

• For an OS, it is called its “Trusted Computing Base” (TCB)

• Ideally, the TCB should be minimal.

• In a monolithic OS there are no boundaries, so the TCB is the whole OS!

• Some programs outside the OS may have to be in the TCB also.

Page 13

Requirements of the TCB

• The TCB must mediate all security-sensitive operations.

• The TCB and its data must be verifiably correct.

• It must be possible to verify that the TCB cannot be altered by processes outside it.
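The subject/object/operation model of Page 10 and the three TCB requirements above (complete mediation, verifiable correctness, protection from outside alteration) can be illustrated with a small reference monitor. The following is an added example, not code from the slides: the user names, file and socket names, and policy entries are constructed for illustration. Every access request is routed through one `decide` method (complete mediation), the policy is small and explicit enough to inspect by hand (verifiability), and it is exposed only through a read-only view so code outside the monitor cannot alter it in place (a model of the tamper-protection requirement, not a guarantee Python can give). Denied requests are kept in an audit list, which is what a detection pipeline would consume.

```python
"""Toy reference monitor for the subject/object/operation model.

Constructed example: the users, objects, policy and request sequence
below are invented for illustration and are not taken from the slides.
"""
from dataclasses import dataclass, field
from types import MappingProxyType
from typing import List, Tuple

# Operations a subject may request on an object (slide: read, write,
# append, update, execute).
OPERATIONS = frozenset({"read", "write", "append", "update", "execute"})


@dataclass(frozen=True)
class Subject:
    """A process acting on a user's behalf (hypothetical pid/user)."""
    pid: int
    user: str


@dataclass(frozen=True)
class Obj:
    """A protected resource: a file or a socket (hypothetical names)."""
    kind: str   # "file" or "socket"
    name: str


# Access-control matrix, written as {(user, object name): allowed ops}.
# MappingProxyType gives everything outside this module a read-only view,
# which models the requirement that processes outside the TCB cannot
# alter its data (a model only; Python does not enforce isolation).
_POLICY = MappingProxyType({
    ("alice", "/home/alice/notes.txt"): frozenset({"read", "write", "append"}),
    ("alice", "/bin/ls"):                frozenset({"read", "execute"}),
    ("bob",   "/bin/ls"):                frozenset({"read", "execute"}),
    ("bob",   "tcp:0.0.0.0:8080"):       frozenset({"read", "write"}),
})

AuditEntry = Tuple[str, int, str, str, str]   # verdict, pid, user, object, op


@dataclass
class ReferenceMonitor:
    """The part of the TCB that mediates every security-sensitive operation."""
    audit: List[AuditEntry] = field(default_factory=list)

    def decide(self, subj: Subject, obj: Obj, op: str) -> bool:
        """Default-deny decision: only an explicit matrix entry grants access."""
        if op not in OPERATIONS:
            raise ValueError(f"unknown operation {op!r}")
        allowed = _POLICY.get((subj.user, obj.name), frozenset())
        verdict = op in allowed
        self.audit.append(("ALLOW" if verdict else "DENY",
                           subj.pid, subj.user, obj.name, op))
        return verdict

    def denied_attempts(self) -> List[AuditEntry]:
        """Denied requests: the events a detection pipeline would alert on."""
        return [e for e in self.audit if e[0] == "DENY"]


def run_scenario() -> ReferenceMonitor:
    """Replay a constructed sequence of requests through the monitor."""
    rm = ReferenceMonitor()
    alice = Subject(pid=101, user="alice")
    bob = Subject(pid=202, user="bob")     # assumed partly attacker-controlled
    notes = Obj("file", "/home/alice/notes.txt")
    ls = Obj("file", "/bin/ls")
    sock = Obj("socket", "tcp:0.0.0.0:8080")

    rm.decide(alice, notes, "read")      # ALLOW
    rm.decide(alice, ls, "execute")      # ALLOW
    rm.decide(bob, notes, "read")        # DENY: confidentiality of alice's file
    rm.decide(bob, notes, "write")       # DENY: integrity of alice's file
    rm.decide(bob, sock, "write")        # ALLOW
    rm.decide(bob, ls, "write")          # DENY: integrity of a shared binary
    return rm


def policy_is_immutable() -> bool:
    """Show that code outside the monitor cannot change the matrix in place."""
    try:
        _POLICY[("bob", "/home/alice/notes.txt")] = frozenset({"read"})  # type: ignore[index]
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    for entry in run_scenario().audit:
        print(*entry)
    print("policy immutable:", policy_is_immutable())
```

The point of the shape, rather than the specific entries, is that no code path touches a file or socket without first asking `decide`; the moment a second, unmediated path exists, the monitor no longer satisfies the first requirement no matter how correct its policy is.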

Page 14

Assumed Threats

• Powerful attacker.

• Can inject operations from the network and may be in control of some of the software in the system.

• Attacker is actively trying to violate security.

Page 15

The Task of the Secure OS Developer

• Protect the TCB from the threats mentioned in the previous slide.

• That way, security can be maintained by limiting the interactions of processes with data in the system.

• Protecting the TCB is more difficult because it interacts with many untrusted processes.

• Countermeasures for each threat are needed.