Trusted OS Technology In Web-based Computing - PowerPoint PPT Presentation (transcript)
1
Trusted OS Technology In Web-based Computing
  • An Argus Overview

Paul A. McNabb, VP & CTO
2
Agenda
  • Explain the history and the development of
    trusted operating systems
  • Describe the features of a trusted operating
    system
  • Show where, how, and why trusted operating
    systems are used

3
Trusted OS History
4
Unix Transformation
  • Unix use expanded rapidly between the 1970s and
    the 1990s
  • Unix changed from a research/educational
    environment to a commercial environment
  • Unix became the foundation of mission critical
    systems
  • Massive interconnectivity increased quantity and
    quality of threats

5
Advances in Security
  • New encryption algorithms and products
  • Government evaluation criteria and procedures
    (TCSEC, ITSEC, etc.)
  • Firewall and router security
  • Auditing and intrusion detection tools
  • Security clearing houses and tiger teams (CERT,
    CIAC, COAST, etc.)

6
Unix Security Enhancements
  • Better auditing and logging
  • Fewer superuser and setuid holes
  • Better tools for checking system configuration

However... the basic UNIX security paradigm is the
same as it was in 1975!
7
Very Brief History
  • 1985 Trusted Computer Security Evaluation
    Criteria (TCSEC or Orange Book)
  • 1987 Compartmented Mode Workstation Requirements
    (CMWREQ) (1991 CMWEC)
  • 1991 Information Technology Security Evaluation
    Criteria (ITSEC)
  • 1992 Federal Criteria for Information Technology
    Security (Federal Criteria)
  • 1996 Common Information Technology Security
    Criteria (Common Criteria)

8
Common Opinions about Trusted OS
Everyone who has heard of trusted systems has an
opinion
  • They are dinosaurs that are extinct through the
    process of natural selection.
  • They're the answer to our prayers!
  • They might be useful in a military environment,
    but are otherwise irrelevant.
  • They help with host security but aren't much use
    in a network environment.

9
Basic Trusted OS Characteristics
  • Security Features (e.g., login, permission bits,
    audit)
  • Security Assurances (e.g., testing, design
    documentation, administration manuals)
  • Security Evaluation (e.g., documentation review,
    penetration testing, analyses)

10
Assurances
  • functionality/security testing
  • penetration testing
  • design documentation
  • formal/informal specifications
  • code design/architecture (modularity)
  • covert channel analyses (storage, timing)
  • configuration management
  • development site controls
  • engineering environment
  • formal verification

11
Orange Book Security Levels
  • To provide criteria for building and evaluating
    secure computer systems, in 1985 the U.S.
    Department of Defense issued the rainbow series
    of documents.
  • The criteria include both security features and
    security assurances.

12
C2 vs. B1 vs. B2
  • C2 Security
    • IA, DAC, audit, object reuse
    • for secured sites with strong personnel controls
  • B1 Security
    • C2 plus labels and Mandatory Access Controls
    • major changes required for commercial OSes
  • B2 Security
    • B1 plus login TP, roles, covert channel analysis,
      formal SPM, CM, reference monitor, least
      privilege
    • strong emphasis on assurance

13
CMW Definition
A Compartmented Mode Workstation is a trusted,
window-based system that meets
  • all functional and security requirements for a B1
    system, as defined in the U.S. DoD Orange
    Book
  • all additional requirements specified by the U.S.
    MITRE/DIA Compartmented Mode Workstation
    Evaluation Criteria

14
CMW vs. Orange Book Levels
15
Trusted OS Generations
16
Beyond the Orange Book
  • The Orange Book has been superseded by other
    security criteria (ITSEC, Common Criteria)
  • The old C2/B1 terms are still used by many to
    describe classes of trusted operating systems
  • The term Trusted OS better describes these
    systems since the newer specifications don't list
    required security functions

17
Who has Trusted Operating Systems?
  • Argus Systems
  • Bull
  • Data General
  • DEC
  • HP
  • SCO
  • Secure Computing
  • Sequent
  • Silicon Graphics
  • Sun Federal
  • TIS
  • Unisys
  • Wang

(Apple, AT&T, Gould, Harris, IBM, Pyramid)
18
Trusted OS Features
19
What is a Trusted Operating System?
  • An OS that grants fine-grained controls over all
    privileged operations
    • A user (or process) can be given small subsets of
      the total security override capabilities
  • An OS that implements a mandatory policy
    • A user (or process) can't give away information
      under his (its) control
  • An OS where these mechanisms are imposed on all
    system resources
    • processes, file systems, networking, IPC

20
Least Privilege
  • The kernel does not recognize UID 0 as a special
    user ID
  • Processes have a privilege set that indicates
    what special override abilities the process has
    (read bit override, uadmin, mount)
  • Within a partition, normal root operation (with
    UID 0) can be granted to a process

21
Least Privilege
  • Processes have new privilege attributes
  • Kernel uses privileges instead of UID
  • Privileges are single purpose
    • override read bit
    • allow use of mount() system call
    • open privileged port
  • Privileges can be permanently restricted.

22
System Administration
  • Programs have privileges that may be given to a
    process on exec()
  • Programs and users have limited power
  • Access to programs can be restricted by a
    database or new file attributes
  • A user can only run a program if it is accessible
    under all security policies (discretionary and
    mandatory)

23
Privilege Inheritance
  • Privileges copied on a fork()
  • Privileges replaced on an exec()
  • Privileges can be acquired from an executable
    (subject to limitations)
  • Privileges can be removed from a running process
    (e.g., child process)
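
As an added illustration (not code from the slides or from Argus), a C model of the fork()/exec() privilege rules on the last four slides; the privilege names, the bit layout and the per-process "limit" ceiling are assumptions of the model:

```c
/* Added example (not Argus code): a simplified model of per-process
 * privilege sets with the fork()/exec() rules from the slides. Privilege
 * names, the bit layout and the "limit" ceiling are assumptions. */
#include <stdbool.h>
enum priv {                       /* single-purpose privileges (constructed) */
    PRIV_READ_OVERRIDE = 1u << 0, /* override the read permission bit       */
    PRIV_MOUNT         = 1u << 1, /* allow use of the mount() system call   */
    PRIV_NET_PRIVPORT  = 1u << 2, /* open a privileged network port         */
    PRIV_UADMIN        = 1u << 3  /* uadmin(): shut down or reboot          */
};
struct process {
    unsigned effective; /* privileges the kernel honours right now       */
    unsigned limit;     /* ceiling no exec() may exceed; it only shrinks */
};
struct program { unsigned grants; }; /* privileges attached to an executable */

/* fork(): the child starts as a copy of the parent, privileges included. */
struct process priv_fork(const struct process *parent) { return *parent; }

/* exec(): the old effective set is discarded and replaced by what the new
 * executable grants, clipped to the process limit (the "limitations"). */
void priv_exec(struct process *p, const struct program *prog) {
    p->effective = prog->grants & p->limit;
}

/* Permanent restriction: removed from the limit too, so no later exec()
 * can bring it back. Works on a running child as well as on self. */
void priv_drop(struct process *p, unsigned privs) {
    p->effective &= ~privs;
    p->limit     &= ~privs;
}
bool priv_has(const struct process *p, unsigned priv) {
    return (p->effective & priv) == priv;
}
/* Scenario: a launcher limited to {port, read override} execs a web server
 * marked {port, uadmin}, drops read override, then its child execs a helper
 * marked {mount, read override}. Returns (server << 8) | child effective. */
unsigned run_scenario(void) {
    struct process launcher = { 0, PRIV_NET_PRIVPORT | PRIV_READ_OVERRIDE };
    struct program httpd  = { PRIV_NET_PRIVPORT | PRIV_UADMIN };
    struct program helper = { PRIV_MOUNT | PRIV_READ_OVERRIDE };
    struct process srv = priv_fork(&launcher);
    priv_exec(&srv, &httpd);             /* uadmin is outside the limit   */
    priv_drop(&srv, PRIV_READ_OVERRIDE); /* gone for srv and its children */
    struct process child = priv_fork(&srv);
    priv_exec(&child, &helper);          /* mount never in limit, read dropped */
    return (srv.effective << 8) | child.effective;  /* 0x0400 */
}
```

The helper ends up with no privileges at all: mount was never inside the launcher's limit, and read override was dropped permanently before the child was forked.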

24
Partitioning the System
  • All processes, file system objects, and packets
    are given an unchangeable label
  • Anything created is created with the process's
    label (within the same partition)
  • Within a partition, only standard Unix access
    controls are used
  • Partitions can be completely segregated or one
    can have read/execute access to another

25
Partitioned Directories
  • Isolated applications need to share directories.
  • Isolated applications need to share file names
    (even if the file doesn't need to be shared).
  • Need to provide virtual file system view.

26
Partitioned Directories
[Diagram: DirectoryA (SL range U to S) containing a
hidden psdir at SL S and a hidden psdir at SL U; the
entries shown are FileA (SL U), FileB (SL U), FileA
(SL U) and FileB (SL S), with one FileA entry marked
as a hard link.]
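
Added example, not from the slides or from Argus: a C model of the partitioned directory above. It assumes two labels with U dominated by S, that the S partition has been granted read access to U (the read/execute case from the earlier slide), and a hard link that places the SL U FileA in the S view; label and function names are constructed.

```c
/* Added example (not Argus code): toy model of the slide's partitioned
 * directory. Each sensitivity label (SL) owns a hidden "psdir" under
 * DirectoryA, so partitions can reuse a file name, and a hard link can
 * expose one file in both views. Labels and names are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

enum label { SL_U = 0, SL_S = 1 };  /* Unclassified is dominated by Secret */
/* Mandatory policy: a partition may read a lower one (read-down) but may
 * only write objects carrying its own label. */
bool mac_can_read(enum label subject, enum label object)  { return subject >= object; }
bool mac_can_write(enum label subject, enum label object) { return subject == object; }

struct file   { enum label sl; const char *data; };                  /* inode */
struct dirent { enum label psdir; const char *name; const struct file *f; };

/* Constructed contents of DirectoryA (SL range U..S). The S psdir's FileA
 * is a hard link to the U inode, so it keeps SL U. */
static const struct file file_a_u = { SL_U, "public notice" };
static const struct file file_b_u = { SL_U, "public form"   };
static const struct file file_b_s = { SL_S, "secret form"   };
static const struct dirent directory_a[] = {
    { SL_U, "FileA", &file_a_u },
    { SL_U, "FileB", &file_b_u },
    { SL_S, "FileA", &file_a_u },   /* hard link */
    { SL_S, "FileB", &file_b_s },
};

/* A process only ever sees the psdir matching its own label. */
static const struct file *pdir_lookup(const char *name, enum label subj) {
    size_t n = sizeof directory_a / sizeof directory_a[0];
    for (size_t i = 0; i < n; i++)
        if (directory_a[i].psdir == subj && strcmp(directory_a[i].name, name) == 0)
            return directory_a[i].f;
    return NULL;
}

/* NULL when the name is absent from this view or MAC denies the read. */
const char *pdir_read(const char *name, enum label subj) {
    const struct file *f = pdir_lookup(name, subj);
    return (f && mac_can_read(subj, f->sl)) ? f->data : NULL;
}

/* Writes: the hard-linked U file stays read-only from the S partition. */
bool pdir_can_write(const char *name, enum label subj) {
    const struct file *f = pdir_lookup(name, subj);
    return f != NULL && mac_can_write(subj, f->sl);
}
```

Both partitions open "DirectoryA/FileB" by the same name and get different files, while FileA is the one shared object, readable from S but writable only from U.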
27
Trusted Network Extensions
  • Modern trusted systems extend all security over
    the network
  • All security attributes (UID, GID, MAC label,
    process privileges, etc.) are included in the
    network packet
  • Incoming packets from non-trusted hosts can be
    assigned default security attributes
  • Filtering and routing can be based on security
    attributes

28
Web-Based Computing
29
Accelerating Internet Trends
  • Massive shift from providing information to
    transaction processing
  • Huge increase in value of transactions
    (200M-500M by 2002)
  • Transition from indirect transactions (changing
    copies of data) to direct transactions (changing
    corporate databases)

30
What is Web-based Computing
  • Real-time connection between the outside
    (Internet) and the inside (back-end network)
  • Real-time dataflow between the outside and the
    inside
  • Interactive interface to the outside
  • Commercial applications servicing requests from
    the outside

31
Traditional Web Server
Users interact with web server and copy of data
Information transferred to back end separately
32
Direct Transaction Server
Users interact directly with back end system
[Diagram: Internet, Web Server, Mainframe]
33
Architectural Requirements
  • Must be simultaneously connected to the Internet
    and to a backend network
  • Requires multiple applications, at least one
    connected to the Internet (e.g., webserver) and
    at least one to the backend
  • Requires the front-end app to accept user
    requests and to send requests to the back end in
    real time

34
What are the threats?
  • An unauthorized person might gain access
  • A customer's session might be compromised
  • An authorized customer might gain administrator
    ability
  • An application bug might be exploitable
  • The server might be used to launch an attack on
    the internal corporate network.

35
Absolute Security Requirements
There are three security components that every
direct transaction server MUST have
  • Network encryption
  • User authentication
  • Trusted operating system

36
Why Trusted Operating System?
  • The system must be protected from flaws in
    commercial software
  • Applications must be protected from other
    (potentially flawed) applications
  • Applications (even those running with
    administrative capabilities) must be limited to
    authorized functions
  • The system must be protected against insider
    attack and attacks against administrator accounts

37
Capabilities Unique to the OS
There are certain threats and risks that can only
be controlled via the operating system
  • Stack overwrite bugs
  • Administrator hijacking
  • Multi-network communication
  • Improper application interaction
  • Other COTS/middleware software bugs

The OS can impose controls on all software.
38
Where does a Trusted OS fit?
  • A TOS doesn't take the place of encryption,
    firewalls, intrusion detection, or authentication
    mechanisms
  • It adds an extra layer of security that can
    strengthen other security mechanisms
  • It provides strong platform security for
    Internet-based commercial applications
  • It prevents damage outside of a MAC partition and
    limits damage from buffer overflows.

39
Isolated System Compartments
Shared System Files (Read Only)
40
Multiple Compartment Isolation
[Diagram labels: Outside Compartment; Application 1,
2 and 3 Compartments; Security Gateway; LAN (several);
Internet.]
41
TOS-based Webserver Architecture
[Diagram: UDE]
42
Limited Privilege in Virtual Systems
[Diagram: a LAN interface feeding two virtual
interfaces, one for partition A and one for partition
B, each partition with its own root process.]
43
Unassailable Security Fact
"The threats posed by the modern computing
environment cannot be addressed without secure
operating systems. Any security effort which
ignores this fact can only result in a fortress
built upon sand."
-- The Inevitability of Failure: The Flawed
Assumption of Security in Modern Computing
Environments, 1998. Loscocco, Smalley, Muckelbauer,
Taylor, Turner, and Farrell, National Security Agency
44
Summary of Web-based Computing
  • A direct transaction server can provide enormous
    benefits to an organization
  • Direct transaction servers involve new and
    serious risks
  • Direct transaction servers require encryption,
    authentication, and a trusted operating system
  • Failure to provide sufficient security may be
    improper exercise of fiduciary responsibility and
    may involve liability

45
Commercial TOS Uses
  • Integrated Web Platform Products
    • Argus Systems Group - Gibraltar
    • Hewlett-Packard - Virtual Vault
    • Trusted Computer Solutions - SecureGate
  • TOS-based Firewalls
    • BDM/TRW - Cybershield (DG)
    • Bull - SecurWare Netwall (AIX)
    • Checkpoint - Firewall-1 (Argus)
    • Compaq - Digital Firewall (Digital)
    • Cyberguard - Cyberguard Firewall (Unixware)
    • Norman - Norman Firewall (HP)
    • Secure Computing - Sidewinder (BSD)

46
Trusted OS Environments
  • Electronic Commerce
  • Internet Banking
  • Financial Services
  • Application Service Providers
  • Medical/Health Services
  • Insurance
  • Secure Web Servers
  • Certificate Authorities
  • Trusted Firewalls

47
Trusted OS Trend
  • Losing the image of old DoD systems
  • Being designed to meet commercial stability and
    functionality requirements
  • Becoming a requirement for direct transaction
    servers
  • Becoming part of the standard toolkit for
    security professionals securing high risk
    environments.

48
Argus Systems
  • Securing the Future

49
For More Information