Transcript Chapter 1
Chapter 1 Introduction Chapter Overview • Overview of Operating Systems • Secure Operating Systems • Basic Concepts in Information Security • Design of a Secure Operating System • Threats to a Secure Operating System • Define the problem (roughly) What is an Operating System? Provides/controls access to the various hardware resources in the system. Runs and administers processes. Tasks: Mechanisms that enable high performance (efficient use) of computer systems. Fair process administration. Control access to resources to provide security. Figure of an Operating System Why is security an issue? • • Processes share data and interact in other ways: – The output of one process is often used by other processes. – Processes can share information, often across computers or networks. – Sometimes the shared information is badintentioned and wants to share other information which should not be shared. The challenge is to develop operating systems which can share information without allowing this behavior. The state of Security in Operating Systems • Formal security models and mechanisms have been defined, but they do not completely apply to practical systems. • Two kinds of operating systems: • – Constrained, very secure systems – General purpose systems with a low level of security assurance. Recent advances are improving both kinds of operating systems. What is a Secure Operating System? • A Secure Operating System provides security mechanisms that ensure that the system's security goals are enforced despite the threats faced by the system. • It is an ideal, because it is impossible to write a bug-free program. • It is an oxymoron in the sense that an OS is too complicated to be secure. Security Goals • Define the operations that can be executed by a system while still preventing unauthorized operations. • Should be defined at a high abstraction level. • Should be implementable and demonstrable. Basic Concepts in Information Security • Confidentiality: Keeping data from being given to forbidden parties. • Integrity: Keeping data from being modified except by authorized parties • Availability: Making it possible for data to be accessed by those who are supposed to access it. Basic Parties and concepts in Operating Systems Security • Subjects: Programs/processes (acting on a user's behalf) • Objects: files, sockets and other system resources. • Operations: What the subjects can do on the objects (e.g. read, write, append, update, execute, etc.) The Security Quandary • Security goals should be defined so they can be verified: functional goals are insufficient. • Confidentiality and integrity goals are so restrictive that they prevent function in favor of security. • New technology, for example virtual machine technology, may bridge the gap. • Also, general purpose OS's may now be capable of expressing and enforcing security goals. The Trust Model • A system's Trust Model consists of the software and data upon which the system depends for system security. • For an OS, it is called its “Trusted Computing Base” (TCB) • Ideally, the TCB should be minimal. • In a monolithic OS there are no boundaries, so the TCB is the whole OS! • Some programs outside the OS may have to be in the TCB also. Requirements of the TCB • The TCB must mediate all security-sensitive operations • The TCB and its data must be verifiably correct. • It must be possible to verify that the TCB cannot be altered by processes outside it. Assumed Threats • Powerful attacker. • Can inject operations from the network and may be in control of some of the software in the system. • Attacker is actively trying to violate security. The Task of The Secure OS developer • Protect the TCB from the threats mentioned in the previous slide. • That way, can maintain security by limiting interactions of processes with data in the system. • Protecting the TCB is more difficult because it interacts with many untrusted processes. • Countermeasures for each threat are needed.