The Future of Computing: Challenges and Opportunities


Computer System Security
CSE 5339/7339
Session 20
October 28, 2004
Computer Science and Engineering
Contents
- Separation
- Assurance
- Group work
- Evaluation
- Examples
- Sandeep's presentation
Separation:
- Physical separation: different processes use different physical objects (for example, separate machines, disks or printers for different security classes).
- Temporal separation: processes with different security requirements are executed at different times.
- Cryptographic separation: processes conceal their data and computations so that they are unintelligible to other processes.
- Logical separation (isolation): the OS constrains each process so that it runs as if no other process existed and cannot reach objects outside its permitted domain.
Virtualization:
- Illusion
- The OS emulates or simulates a collection of a computer system's resources.
- Virtual machine: a collection of real or simulated hardware facilities (processor, memory, I/O devices).
IBM MVS/ESA
- Paging system
- Virtualization is used to provide logical separation that gives the user the impression of physical separation.
- Each user feels that he/she has a separate machine.
- Each user's virtual memory space can be as large as the total addressable space.
Virtual machine (figure)

    User 1            User 2            User 3
      |                 |                 |
    Virtual           Virtual           Virtual
    Machine           Machine           Machine
      |                 |                 |
    ----------------- Real OS -----------------
                        |
              Real System Resources

Each user runs on its own virtual machine; the real OS multiplexes the real system resources among them.
Layered OS (figure), from the outermost (least trusted) layer to the innermost (most trusted):
- User processes: compilers, database
- OS utility functions: file system, device allocation
- OS kernel: scheduling, sharing, memory management (MM), synchronization, allocation
- Security kernel: security functions
- Hardware
Modules operating in different layers (figure): a single user authentication module is split across layers, each part placed in the layer matching the trust it needs. From least trusted code to most trusted code:
- User interface
- User ID lookup
- Data comparison
- Data update
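To make the figure concrete, here is an added example (written for this transcript, not code from the lecture or from any real operating system) of a login function decomposed into the four parts of the figure. The credential store, the PBKDF2 key derivation, the failure counter and the name build_auth_module are assumptions chosen for the illustration. What it shows is the placement: only the innermost part writes the store, the comparison part only reads it, and the user interface never touches the store directly.

```python
import hashlib
import hmac
import os
from types import MappingProxyType


def build_auth_module():
    """Build the authentication module and return its outer entry points.

    Added example; the four inner functions mirror the figure's layers.
    The store layout, key derivation and failure counter are hypothetical.
    """
    # Constructed credential store: username -> {salt, digest, failures}.
    # It lives only inside this closure, so outer layers cannot reach it.
    store = {}

    def derive(password: str, salt: bytes) -> bytes:
        # Key derivation used by both the update and comparison layers.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    # Layer: data update (most trusted). The only code that writes the store.
    def data_update_register(username: str, password: str) -> None:
        salt = os.urandom(16)
        store[username] = {"salt": salt, "digest": derive(password, salt), "failures": 0}

    def data_update_record(username: str, success: bool) -> int:
        rec = store[username]
        rec["failures"] = 0 if success else rec["failures"] + 1
        return rec["failures"]

    # Layer: data comparison. Reads a record, never writes one; the digest
    # comparison is constant-time so it leaks nothing about the stored value.
    def data_comparison(record, password: str) -> bool:
        return hmac.compare_digest(derive(password, record["salt"]), record["digest"])

    # Layer: user ID lookup. Hands back a read-only view of the record.
    def user_id_lookup(username: str):
        rec = store.get(username)
        return None if rec is None else MappingProxyType(rec)

    # Layer: user interface (least trusted). Drives the layers below through
    # their narrow interfaces and holds no reference to the store itself.
    def user_interface_login(username: str, password: str) -> bool:
        record = user_id_lookup(username)
        if record is None:
            # Unknown user: still pay for a key derivation (dummy salt) so
            # response time does not reveal which usernames exist.
            derive(password, b"\x00" * 16)
            return False
        ok = data_comparison(record, password)
        data_update_record(username, ok)
        return ok

    def failure_count(username: str) -> int:
        return store[username]["failures"]

    return {"register": data_update_register, "login": user_interface_login,
            "failures": failure_count}


if __name__ == "__main__":
    module = build_auth_module()
    module["register"]("alice", "correct horse")
    print(module["login"]("alice", "correct horse"))   # True
    print(module["login"]("alice", "wrong"))           # False
    print(module["failures"]("alice"))                 # 1
```

In Python the layer boundaries are only structural; in a layered OS the security kernel enforces them, which is why the figure puts the data update code in the most trusted layer and the user interface in the least trusted one.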
Provably Secure Operating System (PSOS)
- 16-level layered structure (see table, page 272)
- Each layer uses the services of the layers below it and provides a certain level of functionality to the layers above it.
- Peel off each layer and you still have a logically complete system with less functionality.
Conventionally vs. hierarchically designed systems

Conventional design (every function at the same level):

    Level   Functions        Risk
    All     Non-critical     Disaster possible
    All     Less critical    Disaster possible
    All     Most critical    Disaster possible

Hierarchical design (functions placed by criticality):

    Level   Functions        Risk
    2       Non-critical
    1       Less critical
    0       Most critical

In the conventional design a flaw in any function, critical or not, can cause a disaster, because nothing separates the non-critical code from the most critical code. In the hierarchical design the most critical functions are confined to level 0, so a flaw in the non-critical code of level 2 has less to reach.
Assurance
- Testing: based on the actual product being evaluated, not on an abstraction.
- Verification: each of the system's functions works correctly.
- Validation: the developer is building the right product (according to the specification).
Testing
- Can demonstrate the existence of a problem, but passing tests does not imply the absence of problems.
- Hard to achieve adequate test coverage within reasonable time: inputs and internal states.
- Observable effects versus internal structure.
- Real-time systems: hard to keep track of all states.
- Penetration testing (tiger team analysis, ethical hacking): a team of experts in OS design tries to crack the system.
Formal verification
- The most rigorous method.
- Uses the rules of mathematical logic to demonstrate that a system has a certain security property.
- Proving a theorem.
- Time consuming, complex process.
- Simple example follows.
Example: find minimum (flowchart)

    Entry
    min ← A[1]
    i ← 1
    test: i > n ?
        yes → Exit
        no  → is min < A[i] ?
                  yes → (keep min)
                  no  → min ← A[i]
              i ← i + 1
              back to test
Example: finding the minimum value, assertions

    P (at Entry):                n > 0
    Q (after initialization):    n > 0 and 1 ≤ i ≤ n and min ≤ A[1]
    R (loop invariant, each time the body is entered):
                                 n > 0 and 1 ≤ i ≤ n and for all j, 1 ≤ j ≤ i-1: min ≤ A[j]
    S (at Exit):                 n > 0 and i = n+1 and for all j, 1 ≤ j ≤ i-1: min ≤ A[j]

Note what S does and does not say: it states that min is a lower bound of A[1..n], not that min is one of the elements. A proof of S alone would also accept a program that always returned a value smaller than every element.
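The flowchart with its four assertions, as an added example written for this transcript (not code from the lecture). The assertions P, Q, R and S are the slide's; here they are checked at run time on constructed inputs, which confirms them only for those executions, not for all inputs as a proof would (the point of the earlier testing slide). The bad_init switch is a hypothetical knob for the illustration: it replaces min ← A[1] with min ← 0, and shows that every one of the slide's assertions still passes on all-positive input even though the answer is wrong, because S only asks for a lower bound. The helper meets_stronger_postcondition adds the missing conjunct.

```python
def find_min(A, bad_init=False):
    """Return the minimum of the non-empty list A, following the flowchart.

    Added example. Indices follow the slide (1-based), so the slide's A[i]
    is A[i - 1] here. bad_init is a hypothetical bug switch for the
    illustration: it starts min at 0 instead of A[1].
    """
    n = len(A)
    assert n > 0                                         # P: at Entry
    min_ = 0 if bad_init else A[0]                       # min <- A[1]
    i = 1                                                # i <- 1
    assert n > 0 and 1 <= i <= n and min_ <= A[0]        # Q: after initialization
    while not i > n:                                     # test i > n ? (yes -> Exit)
        # R: invariant on the 'no' branch, before the body runs
        assert n > 0 and 1 <= i <= n and all(min_ <= A[j - 1] for j in range(1, i))
        if not min_ < A[i - 1]:                          # 'no' branch of min < A[i] ?
            min_ = A[i - 1]                              # min <- A[i]
        i = i + 1                                        # i <- i + 1
    # S: at Exit
    assert n > 0 and i == n + 1 and all(min_ <= A[j - 1] for j in range(1, i))
    return min_


def meets_stronger_postcondition(A, m):
    """S only says m is a lower bound of A[1..n]. The result people actually
    want also requires m to be one of the elements; this is that conjunct."""
    return all(m <= x for x in A) and m in A


if __name__ == "__main__":
    sample = [5, 3, 8, 3]                                # constructed input
    print(find_min(sample))                              # 3
    wrong = find_min(sample, bad_init=True)              # no assertion fires
    print(wrong)                                         # 0
    print(meets_stronger_postcondition(sample, wrong))   # False
```

The lesson carries over to any verified system: the proof establishes exactly the stated property, so the specification must say everything the property is meant to guarantee.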
Exercise 1 (group work)
Four sources of weaknesses in OS security:
- I/O
- Ambiguity in access policy
- Incomplete mediation
- Generality
Validation
- Requirements checking: the system does the things it should do (in security, also that the system does not do things it is not supposed to do).
- Design and code reviews: traceability from each requirement to design and code components.
- System testing: data expected from reading the requirements document can be confirmed in the actual running of the system.
Evaluation
- Review: requirements, design, implementation, assurance.
- US "Orange Book" evaluation: Trusted Computer System Evaluation Criteria (TCSEC).
- European ITSEC evaluation: Information Technology Security Evaluation Criteria.
- US Combined Federal Criteria: 1992, jointly by NIST and NSA.
TCSEC (examine the table on page 284)
- The levels of trust are described as four divisions, A, B, C and D, where A has the most comprehensive degree of security.
- Within a division, classes are numbered; higher numbers indicate tighter security requirements.
- Four clusters of ratings:
  - D: no requirements
  - C1/C2/B1: commercial OS
  - B2: proof of security of the underlying model
  - B3/A1: proven descriptive and formal design of the trusted OS
Implementation examples
- UNIX: environment of trustworthy collaborators.
- PR/SM: protection against inadvertent or malicious attempts by a process in one domain to interfere with one in a different domain.
- VAX Security Kernel: by DEC, targeted the A1 level of the TCSEC.
Exercise 2
Group work