Post on 20-Dec-2015
Chapter 1
Introduction
Chapter Overview
• Overview of Operating Systems
• Secure Operating Systems
• Basic Concepts in Information Security
• Design of a Secure Operating System
• Threats to a Secure Operating System
• Define the problem (roughly)
What is an Operating System?
• Provides and controls access to the various hardware resources in the system.
• Runs and administers processes.
• Tasks:
– Mechanisms that enable high performance (efficient use) of computer systems.
– Fair process administration.
– Control of access to resources to provide security.
Figure of an Operating System
Why is security an issue?
• Processes share data and interact in other ways:
– The output of one process is often used as input by other processes.
– Processes can share information, often across computers or networks.
– Sometimes the shared information is malicious: crafted input or code that, once processed by the receiving process, causes other information to be shared that should not be.
• The challenge is to develop operating systems that let processes share information without allowing this behavior.
The state of Security in Operating Systems
• Formal security models and mechanisms have been defined, but they do not fully apply to practical systems.
• Two kinds of operating systems exist today:
– Constrained, very secure systems (limited functionality, high assurance)
– General-purpose systems with a low level of security assurance.
• Recent advances are improving both kinds of operating systems.
What is a Secure Operating System?
• A Secure Operating System provides security mechanisms that ensure the system's security goals are enforced despite the threats the system faces.
• It is an ideal: in practice it is not possible to write a large, bug-free program, so every real OS falls short of it.
• It is an oxymoron in the sense that a general-purpose OS is too large and complicated to be shown secure.
Security Goals
• Define which operations the system permits while preventing unauthorized operations.
• Should be defined at a high level of abstraction, independent of any particular mechanism.
• Should be implementable and demonstrable (it must be possible to show that the system actually enforces them).
Basic Concepts in Information Security
• Confidentiality: preventing data from being disclosed to unauthorized parties.
• Integrity: preventing data from being modified except by authorized parties.
• Availability: ensuring data and services remain accessible to authorized parties when they need them.
Basic Parties and concepts in Operating Systems Security
• Subjects: programs/processes (acting on a user's behalf); the active entities that make requests.
• Objects: files, sockets and other system resources; the passive entities that requests act upon.
• Operations: what the subjects may do to the objects (e.g. read, write, append, update, execute, etc.).
The Security Quandary
• Security goals should be defined so they can be verified: functional goals (the system "works") are insufficient.
• Strict confidentiality and integrity goals are often so restrictive that they block needed functionality, sacrificing function for security.
• New technology, for example virtual machine technology, may bridge the gap.
• Also, general-purpose OSes may now be capable of expressing and enforcing security goals.
The Trust Model
• A system's Trust Model consists of the software and data upon which the system depends for its security.
• For an OS, this is called its "Trusted Computing Base" (TCB).
• Ideally, the TCB should be minimal: every line of code in it is code whose failure breaks security.
• In a monolithic OS there are no isolation boundaries inside the kernel, so the TCB is the whole OS!
• Some programs outside the OS kernel (e.g. privileged system services) may have to be in the TCB also.
Requirements of the TCB
• The TCB must mediate every security-sensitive operation; there must be no path to an object around it.
• The TCB and its data must be small and simple enough to be verified correct.
• It must be possible to verify that processes outside the TCB cannot tamper with the TCB or its data.
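The three parties above (subjects, objects, operations) and the three TCB requirements (complete mediation, verifiability, tamperproofness) can be seen together in a small mediation layer. The following is an added illustration, not code from the original slides: the access matrix, the subject and object names, and the rule that the policy itself is an object only the `tcb` subject may update are all constructed for this example.

```python
"""Added example: a minimal mediation layer for subject/object/operation requests.

All names below are constructed for illustration. The policy (an access
matrix) is TCB data; the only way to reach an object or to change the policy
is through mediate(), and anything not explicitly granted is denied.
"""
from dataclasses import dataclass

# The operations the OS knows about (from the slide's list).
ALLOWED_OPS = {"read", "write", "append", "update", "execute"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class ReferenceMonitor:
    """Holds the access matrix; this object is part of the TCB."""

    TCB_SUBJECT = "tcb"          # assumed name for the TCB acting as a subject
    POLICY_OBJECT = "policy"     # the policy is itself an object

    def __init__(self, policy):
        # policy: {(subject, object): {operations}}  (the access matrix)
        self._policy = {k: set(v) for k, v in policy.items()}
        self._audit = []

    def mediate(self, subject, obj, op):
        """Complete mediation: every request passes through here and is logged."""
        if op not in ALLOWED_OPS:
            d = Decision(False, f"unknown operation {op!r}")
        elif obj == self.POLICY_OBJECT:
            # Tamperproofness: only the TCB may read or update its own policy.
            ok = subject == self.TCB_SUBJECT and op in ("read", "update")
            d = Decision(ok, "policy is TCB data; only the TCB may touch it")
        else:
            ops = self._policy.get((subject, obj), set())
            d = Decision(op in ops, "explicit grant" if op in ops
                         else "no grant (deny by default)")
        self._audit.append((subject, obj, op, d.allowed))
        return d

    def grant(self, requester, subject, obj, op):
        """Changing the policy is itself a mediated 'update' on the policy object."""
        if not self.mediate(requester, self.POLICY_OBJECT, "update").allowed:
            return False
        self._policy.setdefault((subject, obj), set()).add(op)
        return True

    def audit_log(self):
        return list(self._audit)


def demo():
    """Constructed scenario: a user shell and a web server as subjects."""
    policy = {
        ("alice:shell", "/home/alice/notes"): {"read", "write"},
        ("www:httpd", "/var/www/index.html"): {"read"},
        ("www:httpd", "socket:80"): {"read", "write"},
    }
    rm = ReferenceMonitor(policy)
    results = {
        # explicit grant
        "alice_reads_notes": rm.mediate("alice:shell", "/home/alice/notes", "read").allowed,
        # no grant: denied even though the object exists
        "httpd_reads_shadow": rm.mediate("www:httpd", "/etc/shadow", "read").allowed,
        # unknown operation: denied without consulting the matrix
        "httpd_bad_op": rm.mediate("www:httpd", "socket:80", "bind").allowed,
        # an untrusted subject cannot grant itself access (tamperproof policy)
        "httpd_self_grant": rm.grant("www:httpd", "www:httpd", "/etc/shadow", "read"),
        # the TCB can extend the policy
        "tcb_grant": rm.grant("tcb", "www:httpd", "/var/www/app.log", "append"),
    }
    results["httpd_appends_log"] = rm.mediate("www:httpd", "/var/www/app.log", "append").allowed
    results["audit_entries"] = len(rm.audit_log())  # every request, including policy updates
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to take from the example is structural rather than the matrix itself: an object reachable by a path that does not call `mediate()` would violate complete mediation, and a policy writable by an ordinary subject would violate tamperproofness, regardless of what the matrix says.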
Assumed Threats
• A powerful attacker is assumed.
• The attacker can inject operations from the network and may already control some of the software in the system.
• The attacker is actively trying to violate the system's security goals, not just triggering accidental failures.
The Task of The Secure OS developer
• Protect the TCB from the threats listed on the previous slide.
• Then security can be maintained by limiting how processes may interact with data in the system.
• Protecting the TCB is harder than it sounds because the TCB must interact with many untrusted processes: every request it receives is input from a possibly hostile subject.
• A countermeasure is needed for each threat.