Operating Systems Security

Download Report

Transcript Operating Systems Security

Operating Systems Security
1
Abstract
• Security is of increasing concern in the modern
world. Not only is our physical security becoming
more difficult to maintain, even in the developed
world, but with the advent of the information age,
our information and the infrastructure via which it
is stored, processed and communicated, is
increasingly important to control. The security of
our information and its supporting infrastructure is
the focus of this conference. One of the key
aspects of keeping computerized information
secure is keeping the computer system secure and
vital to that is the operating system.
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
2
Abstract - 2
• Operating system security is itself paramount if
we are to secure the information it controls. In
order to have a secure operating system it must be
supported by a suitable computer architecture, and
the implementation of the computer architecture
must of course itself be appropriately engineered.
If the underlying technology from which the
operating system is built and on which it is
supported is not secure, then one can have no
confidence in the security of the operating system
and of the information it maintains for the users.
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
3
Abstract - 3
• Even should the operating system and its
supporting infrastructure potentially be
secure, it is essential to follow appropriate
rules so as not to allow the users to
compromise their own security.
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
4
Abstract - 4
• Thus, in this short overview of operating systems
security we will delve into the requirements for
the supporting computer and communication
system, look at the design, operation and function
of the operating system, investigate the
implementation of a secure operating system,
discuss security policies that can be supported by
the system, and attempt to bring this complex
structure together in a way that provides some
insight into the design, construction and operation
of a secure operating system.
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
5
Acknowledgements
This is primarily a personal view of the current state of
operating systems security. At the end I include some
references but this is not a complete survey.
This presentation also contains material taken from the
background chapters of Dan Mossop’s PhD thesis.
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
6
Biographical Sketch
Ronald Pose completed his B.Sc.(Hons) degree and his Ph.D. at Monash University,
Melbourne, Australia. He majored in both Chemistry and in Computer Science, with a
minor in Mathematical Statistics. His Ph.D. involved the design and implementation of
a novel capability-based operating system kernel, the Password-Capability System, and
the design and construction of tightly-coupled multiprocessor hardware with novel
addressing mechanisms to support it.
In 1987 Ronald Pose was employed as a Research Scientist at Telecom Australia
Research Laboratories where he worked on the application of public key cryptography
and authentication and certification techniques.
He joined the faculty of Monash University in 1988. There he has supervised a number
of research students with whom he has worked on a wide variety of research projects
including neural networks, genetic algorithm function optimization, network routing,
low latency virtual reality address recalculation pipeline display system, and selfreconfigurable computer systems.
Dr. Pose's current research interests include virtual reality and telerobotics technology,
computer architecture, parallel and distributed computer systems architecture, secure
operating systems, reconfigurable computer systems architecture, multiprocessor
interconnection networks, wireless ad hoc networks and spread-spectrum microwave
communication technology, computer system security. He currently has Ph.D. students
working on computer security analysis, multi-user virtual reality, and wireless ad-hoc
networking.
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
7
Presentation Overview
•
•
•
•
•
•
Security
– General Definitions
– Role of the Operating System
– Security Policies
• Access Matrix Style
• Role Based
– Confinement of Information
– Principle of Least Authority
Operating System Security
– Requirements for Implementing a Secure Operating System
• Supporting Hardware
• Computer System Environment
– What Security Services are Provided by the Operating System
• Resource Security
• Service Security
• Communication Security
• Other Security
Operating System Design Options
– Access Control Lists
– Capabilities
• Capability Implementations
– Tagged, Segregated, Encrypted, Password
– Support for Object-Orientation
Analysis of Operating System Security
Impact of Operating Systems Design on Users
The Future of Operating Systems
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
8
Background
• I will assume that the audience has used a
computer and has some familiarity with a popular
operating system such as Microsoft Windows XP,
Unix, or MacOS. While each of these has the
characteristics of an operating system, none of
them could be considered very secure. That is not
to say that the world is necessarily at great peril in
terms of its information systems given that the
vast majority of computer systems use such
operating systems, however computer systems
security can never be extremely strong while we
continue with current systems and practices.
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
9
Setting the scene
• An important issue is how important is security, and how much are we willing
to pay for it, in financial, convenience, performance and other terms. A
perfectly secure system is unlikely to be popular since it will by necessity, omit
many of the popular but highly insecure features to which people have become
accustomed. Interestingly many of the emerging problems that are now
plaguing us as computer users, like junk e-mail, computer viruses and worms,
and loss of privacy, are largely self-inflicted, through use of insecure
technologies. E-mail was ‘safe’ before the advent of attachments, especially
executable attachments. Web surfing was ‘safe’ before executable applets and
other active sites became possible and popular. However operating systems
have never really been secure in themselves. They have tended to rely on
skilled users and administrators to cooperate in maintaining security. Now that
the end user and administrator is likely to be technically naïve, it is more
important to design and produce systems that give the lay users some hope of
maintaining their information security. This requires good operating systems
security infrastructure provided in a form that is easy to use and understand.
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
10
Setting the scene - 2
• In this talk I can only outline the basic principles and give pointers to
appropriate technologies that can assist us in our search for information
security. This is an open field where there is a real need for new ideas, and an
even bigger need to question the current practices. We have sold the public a
way of dealing with information that is inherently insecure, and have made
these unsafe practices and technology ubiquitous. Huge industries have
developed based on insecurity of information and in trading information. These
could be threatened by widespread use of secure systems. Similarly there are
many governments around the world that have vested interests in ensuring that
people’s information systems are insecure, so as to allow monitoring of the
population are their activities. There are enormous legal questions regarding
the safeguarding of information, information privacy, international law,
intellectual property etc. Interestingly these issues can all impact on the design,
implementation, deployment and use of secure operating systems.
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
11
Security - definitions
“a computer is secure if you can depend on it and its software
to behave as you expect”
Garfinkel et al. (2003)
“the ability of a system to protect information and system
resources with respect to confidentiality and integrity”
Ross (1999)
“deals with the prevention and detection of unauthorized
actions by users of a computer system”
Gollman (1999)
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
12
Security - definitions 2
“a secure system is a system on which enough trust can be put
to use it together with sensitive information”
Olovsson (1992)
“concerned with the protection of valuable assets from harm,
which is a significant negative consequence to the asset …
security deals with malicious harm, which is harm
resulting from attacks or probes by someone or something
playing the role of attacker”
Firesmith (2004)
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
13
Role of the Operating System
• The operating system can be considered in
various ways:
– an intermediary between the user software and
the hardware
– an abstraction layer providing an idealized view
of the computer hardware
– a virtual machine
– a set of services
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
14
Security Policies
• Mandatory
– applied on a system-wide basis
– “A means of restricting access to objects based on the
sensitivity of the information contained in the objects
and the formal authorization of subjects to access
information of such sensitivity” - US DoD
• Discretionary
– it is the users rather than the system restricting access
– “A means of restricting access to objects based on the
identity of subjects and/or groups to which they belong.
The controls are discretionary in the sense that a subject
with a certain access permission is capable of passing
that permission on to any other subject (unless
restrained by mandatory access control)” - US DoD
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
15
Security Policies - 2
• Access matrix style (Lampson 1974)
– Mapping of access of subjects to objects
• Role based
– Developed to address the needs of civilian rather than
military needs
– Access is restricted based on the role the individual has
in the organization
– An individual may have multiple roles
– Roles may change over time
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
16
Properties of Security Policies
•
•
•
•
•
•
•
Confidentiality
Integrity
Availability
Confinement
Identity
Anonymity
Non-repudiation
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
17
Confinement of Information
• Lampson (1973) defined confinement as
preventing an executing program from
transmitting information to any other program
except its caller
• A related confinement problem is that of ensuring
a program can only receive information from its
caller
• It may be possible for the caller to authorize some
communication of information
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
18
Security Policy Examples
• Bell-LaPadula (1973)
– mandatory policy
– designed to preserve confidentiality
– each subject and object is assigned a classification public, confidential, secret, top secret.
– subjects can only read information at their classification
or lower
– Subjects can only write information to objects of equal
or higher classification
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
19
Security Policy Examples - 2
• Biba (1977)
– mandatory
– aims to ensure integrity of information
– each subject and object is assigned an integrity
classification - lowest, low, high, highest
– subjects can only read information at their integrity
classification or higher
– subjects can only write information to objects of equal
or lower integrity classification
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
20
Security Policy Examples - 3
• Clark-Wilson (1987)
– mandatory
– designed to ensure integrity of information
– data items in the model are either constrained or
unconstrained
– Integrity verification procedures determine whether a
given data item satisfied integrity constraints
– Transformation procedures move data items from
one valid state to another
– constrained data items may have restrictions specified
on allowable transformation procedures
– enforces separation of duty - different users must
certify integrity and transformation procedures
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
21
Security Policy Examples - 4
• Chinese Wall (Brewer & Nash 1989)
– mandatory
– role based security policy
– corporate information is organized in 3 levels
• Lowest level - individual items about a single corporation
• Middle level - information grouped by corporation
• Highest level - corporations in competition grouped together
– highest level groupings form conflict of interest classes
– Information may be accessed by a user only if it does
bot conflict with any other information he holds
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
22
Principle of Least Authority
• It is considered good security practice to
allow a subject access to information or
authority to do anything, only when it is
necessary for his doing the job in question
• Ideally this would be enforced by a security
policy and by the operating system
supporting it
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
23
Operating System Security
• What kinds of security policies should be
supported?
• What security services are required?
• Where are the boundaries of the system?
• Is it a distributed system?
• Are users distributed across time and space?
• Is there any concurrency involved?
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
24
Requirements for Implementation
of Secure Operating Systems
• Supporting hardware
–
–
–
–
–
–
–
Is virtualization needed?
Is there fine enough access control in H/W?
Is there adequate control at H/W level?
Can H/W ensure O/S cannot be bypassed?
Can the H/W support the required resources?
Is the H/W scalable adequately?
Is there support for multiple levels of privilege?
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
25
Requirements for Implementation
of Secure Operating Systems - 2
• Computer System Environment
– Is the computer system in a secure environment?
– Are there adequate power, cooling, etc.?
– Is it networked?
• If so, is the networking environment secure?
– Are there backup or redundant H/W resources?
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
26
What Security Services are Provided
by the Operating System?
•
•
•
•
•
•
•
•
Resource security
Service security
Communication security
Authentication of users
Authentication of resources
Privacy
Anonymity
Other security services
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
27
Operating System Design Options
• Access Control Lists (ACL)
– Common method of implementing access
matrices
– Each object (resource) has a list of authorized
subjects (users) who may obtain specified
access rights to that object
– Subjects must be authenticated
– Unix, Windows XP, and many others
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
28
Operating System Design Options - 2
• Capabilities
– Dennis and Van Horn (1966)
– An alternative method of implementing access matrices
– Each subject (user) has possession of a set of tokens,
each granting authorization to gain access to an object
– Subjects may be anonymous
– Capabilities must be protected from forgery or
modifcation to increase access rights
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
29
Capabilities versus ACLs
• ACL may be likened to a guard at the door to an
object/resource
• He checks whether the subject/user is on the
authorized list, and only then lets them in
• Capabilities may be likened to door keys
• Objects/resources are protected by locks, and only
those with keys can get in
• Possession of a key that works is all that is
required
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
30
Capabilities versus ACLs - 2
• ACLs and Capabilities appear to be equivalent
ways of expressing the permissions described by
the access matrix
• There are dynamic and operational differences
especially when considering role-based security
policies or when there are dynamic changes in
authorizations
• Capabilities have extra flexibility
• Hybrid schemes are possible
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
31
Capability Implementations
• Tagged
– Each word of memory is tagged by the hardware to indicate
whether it is a capability or not
• Segregated
– Capabilities are stored in separate memory segments or
capability-lists protected by the operating system
• Encrypted
– Capabilities are encrypted to protect them
• Password-Capabilities
– Capabilities are protected with a random password
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
32
Support for Object-Orientation
• Operating system support for objectoriented systems is essential to ensure
security of such systems in terms of
enforcing the object-orientation
methodology
• Otherwise the object-orientation is simply a
convention
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
33
Analysis of operating system security
• A formal requirements analysis
• A formal risk analysis
• A formal operating system security analysis
• All are required to have certifiable
confidence in operating systems security
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
34
Requirements for Operating
System Security Analysis
• Simple conceptual model
• Small implementation
• Well defined specifications and
implementation
• Well defined communication paths
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
35
Impact of Operating Systems
Design on Users
• ACL and Capability paradigms appear quite differently
to users
– ACLs are more familiar in terms of computing
– There is a simple login (authentication) process and then all
resources are available
– Owners may add others to ACLs as appropriate
• Capability systems appear differently
– Capabilities must be distributed to the required users
– Capabilities may be passed on to third parties depending on
security policy
– Potentially no login process, but must present a capability for
every resource to be accessed
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
36
Future of Operating Systems
•
•
•
•
Are they a bonus or a liability?
Should we have them?
We require new paradigms for O/S security
How will new hardware designs affect
them?
• Good topic for a conference session since it
affects security, usability, and many other
issues.
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
37
References
• Anderson, M.S., Pose, R.D. and
Wallace,C.S. (1986)
– The Password-Capability System, The
Computer Journal, 29(1): 1-8
• Wallace, C.S. and Pose, R.D. (1990)
– Charging in a Secure Environment, in J.
Rosenberg and J. Keedy (eds), Security and
Persistence, Bremen, Springer-Verlag, pp.85-97
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
38
References - 2
• Bell, D.E. and LaPadula, L.J. (1973)
– Secure computer systems: mathematical foundations. Tech. Rep. 2547
(Volume 1), Mitre Corp, Massachusetts, USA
• Biba, K.J. (1977)
– Integrity considerations for secure computer systems. Tech. Rep. ESD-TR76-372, USAF Electronic Systems Division, Hanscon Airforce Base,
Massachusetts, USA
• Clark, D.D. and Wilson, D.R. (1987)
– A comparison of commercial and military computer security policies, Proc.
IEEE Symp. On Security and Privacy, pp.184-194.
• Dennis, J.B. and Van Horn, E.C. (1966)
– Programming semantics for multiprogrammed computations, CACM 9(3):
143-155.
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
39
References - 3
• Firesmith, D.G. (2004)
– A taxonomy of safety-related requirements. Requirements Engineering 2004
(RE’04), Requirements for High Assurance Systems (RHAS), Kyoto, Japan,
IEEE CS.
• Garfinkel, S., Spafford, G. and Schwarz, A. (2003)
– Practical Unix and Internet Security, 3rd ed., O’Reilly, California, USA.
ISBN: 0-596-00323-4
• Gollman, D. (1999)
– Computer Security, John Wiley & Sons Ltd., ISBN: 0-471-38922-6
• Lampson, B.W. (1973)
– A note on the confinement problem, CACM 16(10): 613-615
• Lampson, B.W. (1974)
– Protection, ACM Operating Systems Review 8(1):18-24
• Olovsson, T. (1992)
– A structured approach to computer security, Tech. Rep. 122, Chalmers
University of Technology, Sweden
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
40
References - 4
• Ross, S.T. (1999)
– UNIX System Security Tools, McGraw-Hill,
ISBN: 0-079-13788-1
15 Nov 2006
MCIS-2006 OS Security - Dr. Ronald Pose
41