G53SEC

1
G53SEC
Reference Monitors Enforcement of Access Control
1
2
G53SEC

• Overview of Todays Lecture
• Introduction
• Operating System Integrity
• Hardware Security Features
• Protecting Memory

2
3
G53SEC

• Introduction
• Fundamental Concepts
• Reference Monitor an abstract concept
• Security Kernel its implementation
• Trusted Computing Base (TCB) kernel other
  protection mechanisms

3
4
G53SEC

• Reference Monitor (RM)
• An access control concept that refers to an
  abstract machine that mediates all access to
  objects by subjects.
• Must be tamper proof/resistant
• Must always be invoked when access to object
  required
• Must be small enough to be verifiable / subject
  to analysis to ensure its correctness

4
5
G53SEC

• Security Kernel
• The hardware, firmware, and software elements of
  a TCB that implement the reference monitor.
• Must mediate all access
• Must be protected from modification
• Must be verifiable for correctness
• Ideally in the bottom layers of a system

5
6
G53SEC

• Trusted Computing Base (TCB)
• The totality of protection mechanisms within a
  computer system responsible for enforcing a
  security policy
• One or more components
• Enforce a unified security policy over a
  product or system
• Correct enforcement depends on components
  within
• and input by system administrators

6
7
G53SEC

• Reference Monitor Placement
• Can be placed anywhere
• Hardware
• Operating System Kernel
• Operating System
• Services Layer
• Application

7
8
G53SEC
Reference Monitor Placement In relation to
application it should control
In-line RM
RM in kernel
Interpreter
program
RM
program
application
program
RM
RM
kernel
8
9
G53SEC

• Execution Monitors
• Decision of a RM depends on
• Information about a request
• Information about the target
• RMs differentiated based on the above
• History of execution - Execution monitor
• Future of execution - Static type checking
• Rewriting

9
10
G53SEC

• Operating System Integrity
• OS is not only the arbitrator of access
  requests
• OS is itself an object of access control
• Users must not be able to modify the operating
  system
• Users should be able to use the OS
• Users should not be able to misuse the OS

10
11
G53SEC

• Modes of Operation
• Distinguish computations done on behalf of
• the OS
• the user
• A Status flag allows the OS to operate in
  different modes.
• e.g. In Unix supervisor (root) and user modes

11
12
G53SEC

• Controlled Invocation
• User requiring supervisor mode for an operation
• Processor switches between modes
• Only predefined set of operations performed in
  supervisor mode
• System returns to user mode

12
13
G53SEC

• Hardware Security Features
• Reasons for placing security in lower system
  levels
• Possibility to evaluate security to a higher
  degree
• reasonably simple structures
• security mechanism compromised if layer below
  attacked
• Performance overheads reduced
• Access control decisions far removed from
  decisions made by applications

13
14
G53SEC

• Input/Output
• How to ensure secure I/O operations?
• e.g. user inputs username and password (input)
• e.g. user signs documents (output)
• A trusted path between I/O device and the TCB
  required
• example secure attention sequence (Windows)

14
15
G53SEC

• Memory Structures
• Security characteristics of memory structures
• RAM (R/W) - Cannot guarantee integrity or
  confidentiality
• ROM built-in integrity guarantee, good for
  storing parts of an OS
• EPROM useful for storing parts of OS or crypto
  keys, advanced attacks may pose a threat
• WROM good for storing crypto keys, disks used
  for audit trail logs

15
16
G53SEC

• continued
• Volatile memory
• loses its contents on power off
• neither instantaneous nor complete
• reconstructable using special electronics
• defence repeated overwrites
• Non-volatile (permanent) memory
• if attacker has access by bypassing CPU
• further measures required (e.g. cryptography)

16
17
G53SEC

• continued
• Memory
• main memory
• cache
• buffers
• etc..
• Data object may exist simultaneously in more than
  one location!
• Copy held in an unprotected memory risk

17
18
G53SEC

• Processes and Threads
• Process program in execution, important unit of
  control in an OS and for security
• Works in its own address space
• Communicates with other processes with help of
  OS
• Separation useful for security
• Thread a strand of execution within a process

18
19
G53SEC

• Controlled Invocation - Interrupts
• Exceptions/Interrupts/Traps
• Interruptions of executions due to errors, user
  request, hardware failure, etc
• Handled by CPU
• Improper handling leads to security flaws
• CTRL-C during supervisor mode operations
• Interrupt table entry change

19
20
G53SEC
Processing Interrupt
Interrupt
Interrupt vector table
Memory
TRAP n
n
1 0
20
21
G53SEC
Processing Interrupt
Interrupt
Interrupt vector table
Memory
TRAP n
viral code
n
1 0
interrupt handler
21
22
G53SEC

• Intel 80x86
• 2-bit field in status register
• Defines four privilege levels (protection
  rings)
• Only one instruction can change this (POPF)
• Instruction can only be executed at level 0
• Procedure -gt object in own or outer rings
• Procedure -gt subroutine - only within own ring

22
23
G53SEC

• Intel 80x86
• How to manage access to operations requiring
  higher privileges?
• Gates
• System object pointing to a procedure
• In the same ring as the calling procedure
• Has different privilege level than code it points
  to
• Allow execute-only access to procedure in inner
  ring

23
24
G53SEC

• Intel 80x86
• Confused Deputy Problem
• Outer ring -gt Gate to copy an object from inner
  ring to outer ring
• This will not be prevented
• Doesnt violate security policy
• Security policy needs to be extended caller
  privilege
• 80x86 contains prevention mechanism

24
25
G53SEC

• Protecting Memory
• OS integrity preserved by separation of user
  kernel space
• Separation of users
• File management logical memory object
• Memory management physical memory objects

25
26
G53SEC

• continued
• Segmentation divides data into logical units
• Good basis for enforcing security policy
• Variable length difficult memory management
• Paging divides memory into pages of equal size
• Popular efficient memory management
• Not good for access control
• A page might contain objects requiring different
  protection

26
27
G53SEC

• continued
• Possibility of a covert channel
• Logical objects stored across boundaries

P
Pa
Pa
page boundary
aw0RD
w0RD
w0RD
step 1
step 2
step 3
27
28
G53SEC

• Secure Addressing
• Confinement of processes to separate address
  spaces
• Control access to data objects in memory
• OS modifies addresses received from user
• (address sandboxing)
• OS constructs effective addresses from relative
  ones
• (relative addressing)
• OS checks whether address within given bounds
• (base register addressing)

28
29
G53SEC

• Summary
• How Access Control is enforced
• Why OS integrity is important
• Security features of existing hardware
• How to control access to memory
• Next Lecture
• Hands-on Unix Security

29
30
G53SEC
End
07/02/08
30