G53SEC - PowerPoint PPT Presentation

1
G53SEC
Reference Monitors: Enforcement of Access Control
2
Overview of Today's Lecture
  • Introduction
  • Operating System Integrity
  • Hardware Security Features
  • Protecting Memory

3
Introduction
  • Fundamental Concepts
  • Reference Monitor: an abstract concept
  • Security Kernel: its implementation
  • Trusted Computing Base (TCB): the kernel and other
    protection mechanisms

4
Reference Monitor (RM)
  • An access control concept that refers to an
    abstract machine that mediates all access to
    objects by subjects.
  • Must be tamper proof/resistant
  • Must always be invoked when access to an object
    is required
  • Must be small enough to be verifiable / subject
    to analysis to ensure its correctness

5
Security Kernel
  • The hardware, firmware, and software elements of
    a TCB that implement the reference monitor.
  • Must mediate all access
  • Must be protected from modification
  • Must be verifiable for correctness
  • Ideally in the bottom layers of a system

6
Trusted Computing Base (TCB)
  • The totality of protection mechanisms within a
    computer system responsible for enforcing a
    security policy
  • One or more components
  • Enforce a unified security policy over a
    product or system
  • Correct enforcement depends on the components
    within it and on input by system administrators

7
Reference Monitor Placement
  • Can be placed anywhere:
  • Hardware
  • Operating System Kernel
  • Operating System
  • Services Layer
  • Application

8
Reference Monitor Placement: in relation to the
application it should control
[Figure: three placements. In-line RM: the RM is
part of the application program itself. RM in
kernel: the application program runs above the
kernel and the RM sits inside the kernel.
Interpreter: the program runs under an interpreter
that contains the RM.]

9
Execution Monitors
  • Decision of a RM depends on:
  • Information about a request
  • Information about the target
  • RMs are differentiated based on the above:
  • History of execution - Execution monitor
  • Future of execution - Static type checking
  • Rewriting

10
Operating System Integrity
  • OS is not only the arbitrator of access
    requests
  • OS is itself an object of access control
  • Users must not be able to modify the operating
    system
  • Users should be able to use the OS
  • Users should not be able to misuse the OS

11
Modes of Operation
  • Distinguish computations done on behalf of the
    OS from those done on behalf of the user
  • A status flag allows the OS to operate in
    different modes.
  • e.g. in Unix: supervisor (root) and user modes

12
Controlled Invocation
  • User requires supervisor mode for an operation
  • Processor switches between modes
  • Only a predefined set of operations is performed
    in supervisor mode
  • System returns to user mode

13
Hardware Security Features
  • Reasons for placing security in lower system
    levels:
  • Possibility to evaluate security to a higher
    degree (reasonably simple structures)
  • A security mechanism is compromised if the layer
    below it is attacked
  • Performance overheads reduced
  • Access control decisions far removed from
    decisions made by applications

14
Input/Output
  • How to ensure secure I/O operations?
  • e.g. user inputs username and password (input)
  • e.g. user signs documents (output)
  • A trusted path between the I/O device and the TCB
    is required
  • Example: secure attention sequence (Windows)

15
Memory Structures
  • Security characteristics of memory structures:
  • RAM (R/W): cannot guarantee integrity or
    confidentiality
  • ROM: built-in integrity guarantee, good for
    storing parts of an OS
  • EPROM: useful for storing parts of an OS or crypto
    keys; advanced attacks may pose a threat
  • WROM: good for storing crypto keys; disks used
    for audit trail logs

16
Memory Structures (continued)
  • Volatile memory
  • loses its contents on power off
  • but neither instantaneously nor completely
  • contents reconstructable using special electronics
  • defence: repeated overwrites
  • Non-volatile (permanent) memory
  • if an attacker has access by bypassing the CPU,
    further measures are required (e.g. cryptography)

17
Memory Structures (continued)
  • Memory:
  • main memory
  • cache
  • buffers
  • etc.
  • A data object may exist simultaneously in more
    than one location!
  • A copy held in unprotected memory is a risk

18
Processes and Threads
  • Process: a program in execution; an important
    unit of control in an OS and for security
  • Works in its own address space
  • Communicates with other processes with the help
    of the OS
  • Separation useful for security
  • Thread: a strand of execution within a process

19
Controlled Invocation - Interrupts
  • Exceptions/Interrupts/Traps
  • Interruptions of execution due to errors, user
    requests, hardware failure, etc.
  • Handled by the CPU
  • Improper handling leads to security flaws, e.g.:
  • CTRL-C during supervisor mode operations
  • Interrupt table entry change

20
Processing Interrupt
[Figure: a TRAP n instruction is dispatched through
entry n of the interrupt vector table, which points
to the handler for that interrupt in memory.]

21
Processing Interrupt
[Figure: as on slide 20, but entry n of the
interrupt vector table has been changed to point at
viral code in memory instead of the interrupt
handler.]

22
Intel 80x86
  • 2-bit field in the status register
  • Defines four privilege levels (protection
    rings)
  • Only one instruction can change this (POPF)
  • Instruction can only be executed at level 0
  • Procedure -> object: in own or outer rings
  • Procedure -> subroutine: only within own ring

23
Intel 80x86
  • How to manage access to operations requiring
    higher privileges?
  • Gates
  • System object pointing to a procedure
  • In the same ring as the calling procedure
  • Has a different privilege level than the code it
    points to
  • Allow execute-only access to a procedure in an
    inner ring

24
Intel 80x86
  • Confused Deputy Problem
  • Outer ring -> gate to copy an object from an inner
    ring to an outer ring
  • This will not be prevented
  • Doesn't violate the security policy
  • Security policy needs to be extended to take the
    caller's privilege into account
  • 80x86 contains a prevention mechanism

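The rings, gates and confused deputy of slides 22 to 24, and the controlled invocation of slide 12, as an added Python model (example code, not from the lecture): a deputy in ring 0 is reachable through a gate in ring 3, and the same copy request is resolved once under the naive policy and once with the caller's privilege taken into account. The RingSystem class, the `honour_caller` switch and the object names are assumptions of this toy model, not the actual 80x86 mechanism.

```python
# Added example (not from the lecture): toy 80x86-style protection rings and
# call gates. Ring 0 is most privileged, ring 3 least; all objects, data and
# the gate layout are constructed for the demo.
class AccessDenied(Exception):
    pass

class RingSystem:
    def __init__(self, objects, gates):
        self.objects = objects  # name -> [ring, data]
        self.gates = gates      # name -> (gate_ring, target_ring, procedure)

    def access(self, ring, name, data=None):
        # Slide 22: a procedure may only touch objects in its own or outer
        # rings. data=None reads the object, otherwise it is overwritten.
        obj_ring = self.objects[name][0]
        if obj_ring < ring:
            raise AccessDenied(f"ring {ring} may not touch ring {obj_ring} object {name}")
        if data is not None:
            self.objects[name][1] = data
        return self.objects[name][1]

    def call_gate(self, caller_ring, gate, *args, honour_caller=False):
        # Controlled invocation (slide 12): the caller enters the inner ring
        # only through the gate, runs one predefined procedure, then returns.
        gate_ring, target_ring, proc = self.gates[gate]
        if gate_ring < caller_ring:
            raise AccessDenied("gate lies in an inner ring")
        # Naive policy: the callee runs with the target ring's privilege.
        # Extended policy (slide 24): it acts with the lesser privilege of
        # itself and its caller, i.e. the larger ring number.
        ring = max(caller_ring, target_ring) if honour_caller else target_ring
        return proc(self, ring, *args)

def copy_object(rs, ring, src, dst):
    # The deputy: a ring-0 service that copies one object onto another.
    return rs.access(ring, dst, rs.access(ring, src))

def demo(honour_caller):
    rs = RingSystem(
        objects={"kernel_key": [0, "k3y"],  # inner-ring secret (constructed)
                 "user_buf": [3, ""]},      # outer-ring buffer of the caller
        # Slide 23: the gate lives in ring 3 but points at ring-0 code
        gates={"copy": (3, 0, copy_object)})
    try:  # a ring-3 caller asks the deputy to copy the secret into its buffer
        return rs.call_gate(3, "copy", "kernel_key", "user_buf",
                            honour_caller=honour_caller)
    except AccessDenied as exc:
        return f"denied: {exc}"
```

Under the naive policy the deputy copies the ring-0 secret into the ring-3 buffer without any rule being broken; with the caller's ring folded into the effective privilege the same request is refused.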
25
Protecting Memory
  • OS integrity preserved by separation of user and
    kernel space
  • Separation of users
  • File management: logical memory objects
  • Memory management: physical memory objects

26
Protecting Memory (continued)
  • Segmentation: divides data into logical units
  • Good basis for enforcing a security policy
  • Variable length: difficult memory management
  • Paging: divides memory into pages of equal size
  • Popular, efficient memory management
  • Not good for access control
  • A page might contain objects requiring different
    protection

27
Protecting Memory (continued)
  • Possibility of a covert channel
  • Logical objects stored across boundaries

[Figure: a word stored across a page boundary, shown
in three steps (step 1, step 2, step 3); the part
before the boundary is labelled P, Pa, Pa and the
part after it aw0RD, w0RD, w0RD.]

28
Secure Addressing
  • Confinement of processes to separate address
    spaces
  • Control access to data objects in memory:
  • OS modifies addresses received from the user
    (address sandboxing)
  • OS constructs effective addresses from relative
    ones (relative addressing)
  • OS checks whether an address is within given
    bounds (base register addressing)

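The three secure addressing schemes of slide 28 as an added Python model (example code, not from the lecture): the same out-of-range address is resolved by sandboxing, by relative addressing and by base register addressing with a bounds check, and a write under plain relative addressing is shown landing in another process's region. The memory size, the Process class and the base/limit values are constructed assumptions.

```python
# Added example (not from the lecture): the three address schemes of slide 28
# applied by a toy OS to addresses a user process supplies. Memory size and
# each process's base/limit are constructed values.
MEM_SIZE = 4096
memory = bytearray(MEM_SIZE)  # toy physical memory shared by all processes

class MemoryViolation(Exception):
    pass

class Process:
    def __init__(self, base, limit):
        self.base = base    # first physical address of this process
        self.limit = limit  # size of its address space in bytes

def sandboxed(proc, addr):
    # Address sandboxing: the OS *modifies* the address so it cannot leave the
    # process's region. Masking needs a power-of-two limit and an aligned base.
    assert proc.limit & (proc.limit - 1) == 0 and proc.base % proc.limit == 0
    return proc.base + (addr & (proc.limit - 1))

def relative(proc, offset):
    # Relative addressing: the user supplies an offset and the OS adds the base
    # register. This relocates the process but does not confine it: an offset
    # beyond the limit silently reaches another process's memory.
    return proc.base + offset

def base_bounds(proc, offset):
    # Base register addressing with a bounds check: any effective address
    # outside [base, base + limit) is refused rather than resolved.
    if not 0 <= offset < proc.limit:
        raise MemoryViolation(f"offset {offset} outside 0..{proc.limit - 1}")
    return proc.base + offset

def read_byte(proc, offset, scheme):
    return memory[scheme(proc, offset)]

def write_byte(proc, offset, value, scheme):
    memory[scheme(proc, offset)] = value

def resolve(proc, addr):
    # How one user-supplied address fares under each scheme.
    out = {"sandbox": sandboxed(proc, addr), "relative": relative(proc, addr)}
    try:
        out["bounds"] = base_bounds(proc, addr)
    except MemoryViolation:
        out["bounds"] = "fault"
    return out
```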
29
Summary
  • How Access Control is enforced
  • Why OS integrity is important
  • Security features of existing hardware
  • How to control access to memory
  • Next Lecture:
  • Hands-on Unix Security

30
End
07/02/08