300 likes | 435 Vues
G53SEC. Reference Monitors Enforcement of Access Control. 1. G53SEC. Overview of Today’s Lecture: Introduction Operating System Integrity Hardware Security Features Protecting Memory. 2. G53SEC. Introduction: Fundamental Concepts: Reference Monitor – an abstract concept
E N D
G53SEC Reference Monitors Enforcement of Access Control 1
G53SEC • Overview of Today’s Lecture: • Introduction • Operating System Integrity • Hardware Security Features • Protecting Memory 2
G53SEC • Introduction: • Fundamental Concepts: • Reference Monitor – an abstract concept • Security Kernel – its implementation • Trusted Computing Base (TCB) – kernel + other protection mechanisms 3
G53SEC • Reference Monitor (RM): • “An access control concept that refers to an abstract machine that mediates all access to objects by subjects.” • Must be tamper proof/resistant • Must always be invoked when access to object required • Must be small enough to be verifiable / subject to analysis to ensure its correctness 4
G53SEC • Security Kernel: • “The hardware, firmware, and software elements of a TCB that implement the reference monitor.” • Must mediate all access • Must be protected from modification • Must be verifiable for correctness • Ideally in the bottom layers of a system 5
G53SEC • Trusted Computing Base (TCB): • “The totality of protection mechanisms within a computer system responsible for enforcing a security policy” • One or more components • Enforce a unified security policy over a product or system • Correct enforcement depends on components within • and input by system administrators 6
G53SEC • Reference Monitor Placement: • Can be placed anywhere • Hardware • Operating System Kernel • Operating System • Services Layer • Application 7
G53SEC • Reference Monitor Placement: • In relation to application it should control: In-line RM RM in kernel Interpreter program RM program application program RM RM kernel 8
G53SEC • Execution Monitors: • Decision of a RM depends on: • Information about a request • Information about the target • RMs differentiated based on the above: • History of execution - Execution monitor • Future of execution - Static type checking • Rewriting 9
G53SEC • Operating System Integrity: • OS is not only the arbitrator of access requests • OS is itself an object of access control • “Users must not be able to modify the operating system” • Users should be able to use the OS • Users should not be able to misuse the OS 10
G53SEC • Modes of Operation: • Distinguish computations done “on behalf of”: • the OS • the user • A Status flag allows the OS to operate in different modes. • e.g. In Unix – supervisor (root) and user modes 11
G53SEC • Controlled Invocation: • User requiring supervisor mode for an operation • Processor switches between modes • Only predefined set of operations performed in supervisor mode • System returns to user mode 12
G53SEC • Hardware Security Features: • Reasons for placing security in lower system levels: • Possibility to evaluate security to a higher degree • reasonably simple structures • security mechanism compromised if layer below attacked • Performance overheads reduced • Access control decisions far removed from decisions made by applications 13
G53SEC • Input/Output: • How to ensure secure I/O operations? • e.g. user inputs username and password (input) • e.g. user signs documents (output) • A trusted path between I/O device and the TCB required • example – secure attention sequence (Windows) 14
G53SEC • Memory Structures: • Security characteristics of memory structures: • RAM – (R/W) - Cannot guarantee integrity or confidentiality • ROM – built-in integrity guarantee, good for storing parts of an OS • EPROM – useful for storing parts of OS or crypto keys, advanced attacks may pose a threat • WROM – good for storing crypto keys, disks used for audit trail logs 15
G53SEC • continued… • Volatile memory • loses its contents on power off • neither instantaneous nor complete • reconstructable using special electronics • defence – repeated overwrites • Non-volatile (permanent) memory • if attacker has access by bypassing CPU • further measures required (e.g. cryptography) 16
G53SEC • continued… • Memory • main memory • cache • buffers • etc.. • Data object may exist simultaneously in more than one location! • Copy held in an unprotected memory = risk 17
G53SEC • Processes and Threads: • Process – program in execution, important unit of control in an OS and for security • Works in its own address space • Communicates with other processes with help of OS • Separation useful for security • Thread – a strand of execution within a process 18
G53SEC • Controlled Invocation - Interrupts: • Exceptions/Interrupts/Traps • Interruptions of executions due to errors, user request, hardware failure, etc… • Handled by CPU • Improper handling leads to security flaws • CTRL-C during supervisor mode operations • Interrupt table entry change 19
interrupt vector interrupt handler G53SEC Processing Interrupt: Memory Interrupt Interrupt vector table TRAP #n n 1 0 20
interrupt vector G53SEC Processing Interrupt: Memory Interrupt Interrupt vector table TRAP #n viral code n 1 0 interrupt handler 21
G53SEC • Intel 80x86: • 2-bit field in status register • Defines four privilege levels (protection rings) • Only one instruction can change this (POPF) • Instruction can only be executed at level 0 • Procedure -> object – in own or outer rings • Procedure -> subroutine - only within own ring 22
G53SEC • Intel 80x86: • How to manage access to operations requiring higher privileges? • Gates • System object pointing to a procedure • In the same ring as the calling procedure • Has different privilege level than code it points to • Allow execute-only access to procedure in inner ring 23
G53SEC • Intel 80x86: • Confused Deputy Problem: • Outer ring -> Gate to copy an object from inner ring to outer ring • This will not be prevented • Doesn’t violate security policy • Security policy needs to be extended – caller privilege • 80x86 contains prevention mechanism 24
G53SEC • Protecting Memory: • OS integrity – preserved by separation of user & kernel space • Separation of users: • File management – logical memory object • Memory management – physical memory objects 25
G53SEC • continued… • Segmentation – divides data into logical units • Good basis for enforcing security policy • Variable length – difficult memory management • Paging – divides memory into pages of equal size • Popular – efficient memory management • Not good for access control • A page might contain objects requiring different protection 26
G53SEC • continued… • Possibility of a covert channel • Logical objects stored across boundaries page boundary P Pa Pa$ a$$w0RD $$w0RD $w0RD step 1 step 2 step 3 27
G53SEC • Secure Addressing: • Confinement of processes to separate address spaces • Control access to data objects in memory • OS modifies addresses received from user • (address sandboxing) • OS constructs effective addresses from relative ones • (relative addressing) • OS checks whether address within given bounds • (base register addressing) 28
G53SEC • Summary: • How Access Control is enforced • Why OS integrity is important • Security features of existing hardware • How to control access to memory • Next Lecture • Hands-on Unix Security 29
G53SEC End 07/02/08 30