Transcript Chapter 1

Chapter 1: Introduction

Chapter Overview
• Overview of Operating Systems
• Secure Operating Systems
• Basic Concepts in Information Security
• Design of a Secure Operating System
• Threats to a Secure Operating System
• Define the problem (roughly)

What is an Operating System?
• Provides and controls access to the various hardware resources in the system.
• Runs and administers processes.
• Tasks:
– Mechanisms that enable high performance (efficient use) of computer systems.
– Fair process administration.
– Control of access to resources, to provide security.
[Figure: an operating system]
Why is security an issue?
• Processes share data and interact in other ways:
– The output of one process is often used by other processes.
– Processes can share information, often across computers or networks.
– Sometimes the shared information is ill-intentioned (malicious) and tries to share other information which should not be shared.
• The challenge is to develop operating systems which can share information without allowing this behavior.
The State of Security in Operating Systems
• Formal security models and mechanisms have been defined, but they do not completely apply to practical systems.
• Two kinds of operating systems:
– Constrained, very secure systems.
– General purpose systems with a low level of security assurance.
• Recent advances are improving both kinds of operating systems.

What is a Secure Operating System?
• A Secure Operating System provides security mechanisms that ensure that the system's security goals are enforced despite the threats faced by the system.
• It is an ideal, because it is impossible to write a bug-free program.
• It is an oxymoron in the sense that an OS is too complicated to be secure.
Security Goals
• Define the operations that can be executed by a system while still preventing unauthorized operations.
• Should be defined at a high abstraction level.
• Should be implementable and demonstrable.

Basic Concepts in Information Security
• Confidentiality: keeping data from being given to forbidden parties.
• Integrity: keeping data from being modified except by authorized parties.
• Availability: making it possible for data to be accessed by those who are supposed to access it.

Basic Parties and Concepts in Operating Systems Security
• Subjects: programs/processes (acting on a user's behalf).
• Objects: files, sockets and other system resources.
• Operations: what the subjects can do on the objects (e.g. read, write, append, update, execute, etc.).
The Security Quandary
• Security goals should be defined so they can be verified: functional goals are insufficient.
• Confidentiality and integrity goals are so restrictive that they sacrifice function in favor of security.
• New technology, for example virtual machine technology, may bridge the gap.
• Also, general purpose OSes may now be capable of expressing and enforcing security goals.

The Trust Model
• A system's Trust Model consists of the software and data upon which the system depends for system security.
• For an OS, it is called its "Trusted Computing Base" (TCB).
• Ideally, the TCB should be minimal.
• In a monolithic OS there are no boundaries, so the TCB is the whole OS!
• Some programs outside the OS may have to be in the TCB also.

Requirements of the TCB
• The TCB must mediate all security-sensitive operations (complete mediation).
• The TCB and its data must be verifiably correct.
• It must be possible to verify that the TCB cannot be altered by processes outside it (tamper-proofness).
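To make the subjects/objects/operations model and the TCB requirements above concrete, here is an added Python sketch that is not part of the chapter: a reference monitor that mediates every read or append on a small object store, refuses policy changes from processes outside the TCB, and records each decision for later verification. The subjects, object paths and policy are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Op(Enum):
    READ = "read"
    WRITE = "write"
    APPEND = "append"
    EXECUTE = "execute"

@dataclass(frozen=True)
class Subject:
    """A process acting on a user's behalf; trusted=True marks a TCB process."""
    pid: int
    user: str
    trusted: bool = False

class ReferenceMonitor:
    """TCB component: decides every request and protects its own policy."""
    def __init__(self, policy):
        # policy maps (user, object path) -> operations permitted to that user
        self._policy = {k: frozenset(v) for k, v in policy.items()}
        self.audit = []  # one (pid, object, op, decision) entry per mediated request

    def check(self, subject, obj, op):
        allowed = op in self._policy.get((subject.user, obj), frozenset())
        self.audit.append((subject.pid, obj, op.value, allowed))
        return allowed

    def grant(self, caller, user, obj, ops):
        # Tamper-proofness: a process outside the TCB cannot alter the policy.
        if not caller.trusted:
            raise PermissionError("policy change from outside the TCB refused")
        self._policy[(user, obj)] = frozenset(ops)

class MediatedStore:
    """Objects (files, named by path) reachable only through the monitor."""
    def __init__(self, monitor):
        self.monitor = monitor
        self._data = {}

    def read(self, subject, obj):
        if not self.monitor.check(subject, obj, Op.READ):
            raise PermissionError(f"{subject.user} may not read {obj}")
        return self._data.get(obj, b"")

    def append(self, subject, obj, chunk):
        if not self.monitor.check(subject, obj, Op.APPEND):
            raise PermissionError(f"{subject.user} may not append to {obj}")
        self._data[obj] = self._data.get(obj, b"") + chunk
```

Every accessor of MediatedStore calls check() before touching data, which is what complete mediation means in this model; the audit list is what a verifier would inspect to confirm that no access went unmediated.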
Assumed Threats
• A powerful attacker.
• The attacker can inject operations from the network and may be in control of some of the software in the system.
• The attacker is actively trying to violate security.

The Task of the Secure OS Developer
• Protect the TCB from the threats mentioned in the previous slide.
• That way, the system can maintain security by limiting the interactions of processes with data in the system.
• Protecting the TCB is more difficult because it interacts with many untrusted processes.
• Countermeasures for each threat are needed.