1 / 48

Security Mechanisms

Security Mechanisms. Last week’s lecture dealt with access control policies at an abstract level. How can computer systems enforce such policies in practice? You have to answer the following questions: Where should access control be located? (Second Fundamental Design Decision)

tamira
Télécharger la présentation

Security Mechanisms

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Security Mechanisms • Last week’s lecture dealt with access control policies at an abstract level. • How can computer systems enforce such policies in practice? • You have to answer the following questions: • Where should access control be located? (Second Fundamental Design Decision) • Are there any additional security requirements your solution forces you to consider? MT5104 - Computer Security - Security Mechanisms

  2. Agenda • Historic examples, to keep matters simple • Reference monitor, security kernel, and TCB • Status information & controlled invocation • Security features in microprocessors • Memory management and access control • The Multics interpretation of Bell-LaPadula • Wrappers, reflection, and in-line reference monitors MT5104 - Computer Security - Security Mechanisms

  3. Important Concepts (TCSEC) • Reference monitor: access control concept that refers to an abstract machine that mediates all accesses to objects by subjects. • Security Kernel: The hardware firmware, and software elements of a TCB that implement the reference monitor concept. It must mediate all accesses, be protected from modification, and be verifiable as correct. MT5104 - Computer Security - Security Mechanisms

  4. Important Concepts (TCSEC) • Trusted Computing Base (TCB): The totality of protection mechanisms within a computer system - including hardware, firmware, and software - the combination of which is responsible for enforcing a security policy. A TCB consists of one or more components that together enforce a unified security policy over a product or system. The ability of the TCB to correctly enforce a security policy depends solely on the mechanisms within the TCB and on the correct input by system administrative personnel of parameters (e.g., a user’s clearance) related to the security policy. MT5104 - Computer Security - Security Mechanisms

  5. Operating System (O/S) Integrity • Assume that your O/S prevents unauthorized access to resources (as long as it works as intended). • To bypass the protection mechanisms, an attacker may try to disable the security controls by modifying the O/S. You now face an integrity problem, even if your original concern was confidentiality. The O/S is not only the arbitrator of access requests, it is itself an object of access control. • New security policy: Users must not be able to modify the operating system. • This is a generic security policy, needing strong and efficient support. MT5104 - Computer Security - Security Mechanisms

  6. Operating System Integrity • To make life more complicated, you have to address two competing requirements. • Users should be able to use (invoke) the O/S. • Users should not be able to misuse the O/S. • Two important concepts commonly used to achieve these goals are: • status information • controlled invocation, also called restricted privilege • These concepts can be used in any layer of a computing system, be it application software, operating system, or hardware. MT5104 - Computer Security - Security Mechanisms

  7. Modes of Operation • To protect itself, an O/S must be able to distinguish computations ‘on behalf’ of the O/S from computations ‘on behalf’ of a user. • A status flag allows the system to work in different modes. • Motorola 68000: one status bit to distinguish between user mode and supervisor (system) mode • Intel 80x86: two status bits and four modes • Unix distinguishes between user and superuser (root) • Why are such modes useful? For example, to stop users from writing directly to memory and corrupting the logical file structure, the O/S could grant write access to memory locations only if the processor is in supervisor mode. MT5104 - Computer Security - Security Mechanisms

  8. Controlled Invocation • We continue our example. A user wants to execute an operation requiring supervisor mode, e.g. write to memory. • To deal with this request, the processor has to switch between modes, but how should this switch be performed? • Simply changing the status bit to supervisor mode would give all privileges associated with this mode to the user without any control on what the user actually does. • Therefore, it is desirable that the system only performs a predefined set of operations in supervisor mode and then returns to user mode before handing control back to the user. We refer to this process as controlled invocation. MT5104 - Computer Security - Security Mechanisms

  9. Core Security Mechanisms applications services operating system OS kernel hardware MT5104 - Computer Security - Security Mechanisms

  10. Why Put Mechanisms at the Core? • To facilitate security evaluation at a higher level of assurance. A security mechanism in a given layer can be compromised from a layer below. To evaluate security, you have to check that security mechanisms cannot be bypassed. The more complex a system is, the more difficult this check becomes. At the core of a system you may find simple structures which are amenable to thorough analysis. • Putting security mechanisms into the core of the system can reduce performance overheads caused by security. Processor performance depends on the right choice and efficient implementation of a generic set of operations that is most useful to the majority of users. The same holds for security mechanisms. • Note: Some sources assume that TCBs and security kernels must enforce BLP-like policies. MT5104 - Computer Security - Security Mechanisms

  11. Computer Architecture • For our purpose, a simple schematic description of a computer will do. We have • a central processing unit (CPU) • memory • a bus connecting CPU and memory CPU Memory Bus MT5104 - Computer Security - Security Mechanisms

  12. CPU • The core CPU components are: • Registers: general purpose registers and dedicated registers like • program counter: points to the memory location containing the next instruction to be executed • stack pointer: points to the top of the system stack • status register: allows the CPU to keep essential state information • Arithmetic Logic Unit (ALU): executes instructions given in a machine language; executing an instruction may also set bits in the status register. MT5104 - Computer Security - Security Mechanisms

  13. Processes and Threads • A processis a program in execution, consisting of • executable code, data, and the execution context, e.g. the contents of certain CPU registers. • A process works in its own address space and communicates with other processes only through O/S primitives. This logical separation between processes is a useful basis for security. However, a context switch between processes is expensive as the O/S has to save the entire execution context on the stack. • Threads are strands of execution within a process. Threads share an address space to avoid the overheads of a full context switch, but they also avoid potential security controls. • Processes (and threads) are important units of control for the O/S, and for security. They are the ‘subjects’ of access control. MT5104 - Computer Security - Security Mechanisms

  14. System Stack • The system stack is a specially designated part of memory. The stack can be accessed by pushing data on its top or by popping data from its top. • To switch between different processes, the CPU performs a context switch saving the state of the current process, e.g. program counter, status register, etc., on the stack before giving control to the new process. • Beware of the dangers of abstraction. In an abstract discussion it is reasonable to pretend that the size of the stack is unlimited. An actual implementation, however, could well allocate a fixed memory section for the stack. If the stack is allowed to grow beyond its maximal size, security problems can occur, have occurred, and will occur. MT5104 - Computer Security - Security Mechanisms

  15. Memory Structures The security characteristics of different types of memory: • RAM (random access memory): read/write memory; no guarantees for integrity and confidentiality • ROM (read-only memory): provides integrity, does not guarantee confidentiality; ROM could store (part of) the O/S. • EPROM (erasable and programmable read-only memory): could store parts of the O/S or cryptographic keys; techno-logically more sophisticated attacks threaten security. • WROM (write-once memory): memory contents are frozen once and for all, e.g. by blowing a fuse placed on the write line; WROM could hold cryptographic keys or audit logs. MT5104 - Computer Security - Security Mechanisms

  16. Memory Structures • Volatile memory loses its contents when power is switched off. To be precise, memory contents degrade and may still be present after a short power loss and can be constructed by special electronic techniques if power has been switched off for some time. To counter such attacks, memory has to be overwritten repeatedly with suitable bit patterns. • Non-volatile (permanent) memory keeps its content when power is switched off. If attackers have direct access to memory bypassing the CPU, cryptographic or physical measures are needed to protect sensitive data. • For example, a light sensor in a tamper resistant module may detect an attempted manipulation and trigger the deletion of the data kept in the module. MT5104 - Computer Security - Security Mechanisms

  17. Traps - Interrupts • The CPU deals with interruptions of executions, created by errors in the program, user requests, hardware failure, etc., through mechanisms called exceptions, interrupts, and traps. These terms may refer to different types of events, but as ever there are competing classifications. We use trap as the generic term. • A trap is a special input to the CPU, which includes an address (interrupt vector) in an interrupt vector table giving the location of the program (interrupt handler) which deals with the condition specified in the trap. • When a trap occurs, the CPU saves its current state on the stack and then executes the interrupt handler. In this way, control is taken away from the user. The interrupt handler has to restore the CPU to a proper state, e.g. by clearing the supervisor status bit, before returning control to the user. MT5104 - Computer Security - Security Mechanisms

  18. Interrupt Vectors Interrupt vector table Memory Interrupt TRAP #n Interrupt vector Interrupt handler MT5104 - Computer Security - Security Mechanisms

  19. Interrupting Interrupts • A further interrupt may arrive while the CPU deals with a current interrupt. The CPU may then have to interrupt the current interrupt handler. • Improper handling of such a situation can lead to security flaws. Consider a system where a user can interrupt the execution of a program by typing CTRL-C so that the CPU returns to the O/S prompt with the status bit of the current process. A user could then enter supervisor mode by interrupting the execution of an O/S call. • The interrupt table is a particularly interesting point of attack and has to be protected adequately. Redirecting pointers is a very efficient way of compromising the integrity of the O/S. MT5104 - Computer Security - Security Mechanisms

  20. Example 1: Motorola 68000 • The Motorola 68000 has a 16-bit status register. The top section of the status register, the system byte, contains bits relevant for security controls. • S: supervisor bit, two modes • T: trace bit, exception raised after each instruction • I2I1I0: interrupt level number • After a reset, the 68000 always boots in supervisor mode. Once the S bit has been set to 0, it can only be set to 1 by a TRAP #n instruction. The operand #n gives the exception (interrupt) vector. The S bit is reset by the RTE instruction. • There are seven levels of interrupt priorities. Interrupts can be masked: interrupts with a higher priority will not be interrupted by a low priority interrupt. MT5104 - Computer Security - Security Mechanisms

  21. Memory Management • Memory mapped I/O treats memory and input/output devices in a unified manner. • The function codes FC2, FC1, FC0 indicate the processor status so that the address decoder may select between user and supervisor memory or between data and programs. FC2 FC1 FC0 0 0 0 (undefined,reserved) 0 0 1 user data 0 1 0 user program 0 1 1 (undefined,reserved) (undefined,reserved) 1 0 0 1 0 1 supervisor data 1 1 0 supervisor program 1 1 1 interrupt acknowledge MT5104 - Computer Security - Security Mechanisms

  22. General Lessons • The ability to distinguish between data and programs is a useful security feature, providing a basis for protecting programs from modification. • From a more abstract point of view, memory has been divided into different regions. Access control can then refer to the location a data object or program comes from. • This can serve as a first example for location based access control. Distributed systems or computer networks may use location based access control at the level of network nodes. MT5104 - Computer Security - Security Mechanisms

  23. Example 2: Intel 80x86 • The Intel 80386/80486 is a 32-bit processor. Support for access control at machine language level is based on protection rings. • A two-bit field in the status register defines four privilege levels. Unix and Windows NT use levels 0 (O/S) and 3 (user). • Privilege levels can only be changed through the POPF command. • Processes can only access objects in their ring or in outer rings. • Processes can invoke subroutines only within their ring. • Processes need gates to execute procedures in an inner ring. • Information about system objects like memory segments, access control tables, or gates is stored in descriptors. The privilege level of an object is stored in the DPL field of its descriptor. MT5104 - Computer Security - Security Mechanisms

  24. Intel 80x86 - Access Control • Descriptors are held in the descriptor table and are accessed via selectors. A selector is a 16-bit field containing an index for the object’s entry in the descriptor table and a requested privilege level (RPL) field. Only the O/S has access to selectors. • Current privilege level (CPL): the code segment register stores the selector of the current process. Access control decisions can be made by comparing CPL (subject) and DPL (object). INDEX RPL Descriptor selector DPL Descriptor table MT5104 - Computer Security - Security Mechanisms

  25. Intel 80x86 - Controlled Invocation • A gate is a system object that points to a procedure, where the gate has a privilege level different from that of the procedure it points to. A process can only use gates has in its own ring. • Gates allow execute-only access to procedures in an inner ring. • A subroutine call saves state information about the calling process and the return address on the stack. • Should this stack be in the inner ring? Violates the security policy forbidding write to an inner ring. • Should this stack be in the outer ring? The return address could be manipulated from the outer ring. • Therefore, part of the stack (how much is described in the gate’s descriptor) is copied to a more privileged stack segment. MT5104 - Computer Security - Security Mechanisms

  26. A Loophole? • When invoking a subroutine through a gate, the CPL changes to the level of the code the gate is pointing to. On returning from the subroutine, the CPL is restored to that of the calling process. • The outer-ring process may now ask the inner-ring procedure to copy an object residing in the inner ring to the outer ring. This will not be prevented by any of the mechanisms presented so far, nor does it actually violate the stated security policy. • To take into account the level of the calling process, use the adjust privilege level (ARPL) instruction. This instruction changes the RPL fields of all selectors to the CPL of the calling process. The system then compares the RPL (in the selector) and the DPL (in the descriptor) of an object when making access control decisions. MT5104 - Computer Security - Security Mechanisms

  27. Comparing RPL and DPL Descriptor table selector INDEX RPL Descriptor DPL ? = MT5104 - Computer Security - Security Mechanisms

  28. Security Mechanisms in O/S • O/S manage access to data and resources. Multitasking O/S interleave the execution of processes belonging to different users. They have to • separate user space from O/S space • logically separate users • restrict the memory objects a process can access • Logical separation of users can take place at two levels: • file management, deals with logical memory objects • memory management, deals with physical memory objects • As far as security is concerned, this distinction is important. MT5104 - Computer Security - Security Mechanisms

  29. Segments and Pages • Segmentation divides memory into logical units of variable lengths. • A division into logical units is a good basis for enforcing a security policy. • Units of variable length make memory management more difficult. • Paging divides memory into pages of equal length. • Fixed length units allow efficient memory management. • Paging is not a good basis for access control as pages are not logical units. One page may contain objects requiring different protection. Page faults can create a covert channel. MT5104 - Computer Security - Security Mechanisms

  30. A Covert Channel • When a process makes access to a logical object stored on more than one page, a page fault occurs whenever a new page is requested. • A covert channel exists if page faults can be observed. • Consider a password scheme where the password entered is compared character by character with the reference password stored in memory. Access is denied the moment an incorrect match is found. • If a password is stored across a page boundary, then ob-serving a page fault indicates that the piece of the password on the first page has been guessed correctly. If the attacker can control where the password is stored on the page, password guessing becomes rather easy. MT5104 - Computer Security - Security Mechanisms

  31. Memory Protection • The O/S has to control access to data objects in memory. A data object is physically represented as a collection of bits stored in certain memory locations. Access to a logical object is ultimately translated into access operations at machine language level. At this level, you can pursue three options for controlling access to memory locations, • the operating system modifies the addresses it receives from user processes, • the operating system constructs the effective addresses from relative addresses it receives from user processes, • the operating system checks whether the addresses it receives from user processes are within given bounds. MT5104 - Computer Security - Security Mechanisms

  32. Address Sandboxing (Modification) • An address consists of a segment identifier and an offset. When the operating system receives an address, it sets the correct segment identifier as follows: First, a bitwise AND of the address with mask_1 clears the segment identifier. Then a bitwise OR with mask_2 sets the segment identifier to the intended value SEG_ID. address seg_id offset } bitwise AND mask_1 0....0 1….1 0….0 offset } bitwise OR mask_2 SEG_ID 0….0 effective address SEG_ID offset MT5104 - Computer Security - Security Mechanisms

  33. Relative Addressing • Clever use of addressing modes can keep processes out of forbidden memory areas. • Fence registers: base register addressing keeps users out of O/S space. • Bounds register define the bottom of the user space. Base and bounds registers allow to separate program from data space. • Tagged architectures indicate the type of each memory object. memory fence register O/S space base top of user space + offset MT5104 - Computer Security - Security Mechanisms

  34. Logical Protection in Multics • We will examine logical protection in the historic example of the Multics operating system and demonstrate how Bell-LaPadula is used in the design of a secure O/S. • Multics was designed to be a secure, reliable, etc multi-user O/S. Multics became too cumbersome for some project members, who then created something much simpler, viz Unix. • The history of the two systems is ample evidence for the relation between commercial success and the balance between usability and security. • The inductive definition of security in BLP makes it relatively easy to build a secure system. To show that Multics is secure, one has to find a description of the O/S, which is consistent with BLP and verify that all state transitions are secure. MT5104 - Computer Security - Security Mechanisms

  35. The Multics Interpretation of BLP • The subjects in Multics are processes. Each subject has a descriptor segment that contains information about the process. • For each object the process currently has access to, there is a segment descriptor word (SDW) in the subject’s descriptor segment. The SDW contains the name of the object, a pointer to the object, and flags for read, execute, and write access. • The security level of subjects are kept in a process level table and a current-level table. The active segment table records all active processes. Only active processes have access to an object. segment descriptor word Segment_id pointer r: on e: off w: on MT5104 - Computer Security - Security Mechanisms

  36. Compatibility • Objects are memory segments, I/O devices, ... • Objects are organised hierarchically in a directory tree. Directories are again segments. Information about an object, like its security level or its access control list (ACL), are kept in the object’s parent directory. To change an object’s access control parameters and to create or delete an object requires write or append access rights to the parent directory. • To access an object, a process has to traverse the directory tree from the root directory to the target object. If any directory in this path is not accessible to the process, the target object is not accessible either. • Compatibility: The security level of an object must always dominate the security level of its parent directory. MT5104 - Computer Security - Security Mechanisms

  37. BLP State in Multics Components of the BLP state in Multics: • Current access b: stored in the SDWs in the descriptor segments of the active processes; the active processes are found in the active segment table. The descriptor segment base register (DSBR) points to the descriptor segment of the current process. • Access control matrix M: represented by the ACLs; for each object, the ACL is stored in its parent directory; each ACL entry specifies a process and the access rights the process has on that object. • Level function f: the security levels of the subjects are stored in the process level table and the current-level table; the security level of an object is stored in its parent directory. MT5104 - Computer Security - Security Mechanisms

  38. current proc. Lc segment-id LO descriptor segment of current process segment-id DSBR segment-id ptr current process r:off e:off w:on subject object LC LO? current-level table parent directory MT5104 - Computer Security - Security Mechanisms

  39. MAC in Multics • Multics access attributes for data segments: • read r • execute e,r • read and write w • write a • The -property for Multics: for any SDW in the descriptor segment of an active process, the current level of the process • dominates the level of the segment if the read or execute flags are on and the write flag is off, • Is dominated by the level of the segment if the read flag is off and the write flag is on, • is equal to the level of the segment if the read flag is on and the write flag is on. MT5104 - Computer Security - Security Mechanisms

  40. Kernel Primitives • If the state transitions in an abstract model of the Multics kernel preserve the BLP security policies, then the BLP Basic Security Theorem proves the ‘security’ of Multics. • Example: the get-read primitive takes as its parameters a process-id and a segment-id. The O/S has to check whether • the ACL of segment-id, stored in the segment's parent directory, lists process-id with read permission, • the security level of process-id dominates the security level of segment-id, • process-id is a trusted subject, or the current security level of process-id dominates the security level of segment-id. • If all three conditions are met, access is permitted and a SDW in the descriptor segment of process-id is added/updated. MT5104 - Computer Security - Security Mechanisms

  41. More Kernel Primitives • release-read: release an object; the read flag in the corresponding SDW is turned off; if thereafter no flag is on, the SDW is removed from the descriptor segment. • give-read: grant read access to another process (DAC). • rescind-read: withdraw a read permission given to another process. • create-object: create an object; the O/S has to check that write access on the object's directory segment is permitted and that the security level of the segment dominates the security level of the process. • change-subject-current-security-level: the O/S has to check that no security violations are created by the change; this kernel primitive, as well as the primitive change-object-security-level were not intended for implementation (tranquility). MT5104 - Computer Security - Security Mechanisms

  42. Logical Protection in a ‘Real’ O/S Covered by guest speakers. For each O/S, find out: • What are the principals? • What are the subjects? • What are the objects? • Which access control structures are used? • What are the rules for evaluating the access control structures? • What are the main issues when mapping an organisational security policy into an automated security policy? MT5104 - Computer Security - Security Mechanisms

  43. Logical Protection at the Application Level • Protection at the application level can be implemented by placing a reference monitor ‘in front of’ the component to be protected. Instead of calling the component directly, other components have to call the reference monitor (wrapper) first. • Wrappers in Unix (more in a moment) • Reflection in object-oriented systems: I.Welch, R.J.Stroud: Using Reflection as a Mechanism for Enforcing Security Policies in Mobile Code, ESORICS 2000, pages 309-322 • In-line Reference Monitors (IRMs): U.Erlingsson, F.Schneider: IRM Enforcement of Java Stack Inspection, 2000 IEEE Symposium on Security and Privacy, pages 246-255 MT5104 - Computer Security - Security Mechanisms

  44. Example: Unix Telnet Wrapper • A Unix networkservice like telnet work as follows.The inetd daemon listens to incoming network connections. When aconnection is made, inetd starts the appropriate server program and thenreturns to listening for further connections. • The inetddaemon has a configuration file that maps services (port numbers) to programs. Entries in this file have the format service type protocol waitflag userid executable command-line • The entry for telnet could be telnet stream tcp nowait root /usr/bin/in.telnetd in.telnet • When inetd receives a request for a service,it consults the configuration file and creates a new process that runs the program (executable)specified. The name of this new process is thename given in the command-line field. MT5104 - Computer Security - Security Mechanisms

  45. Usually, the name of the executable and the command-line entry are the same. In this case,point the inetd daemon to a wrapper program instead of the original executable; use the name of the process to remember the name of the original executable, which iscalled after the wrapper has performedits security controls. • In our example, change the configuration file entry for telnet to telnet stream tcp nowait root /usr/bin/tcpd in.telnet • The program executed is now /usr/bin/tcpd, the TCPwrapper executable. The process executing the wrapper will still be calledin.telnet. Within this wrapper, you can perform all the access control or logging you want to do. • The wrapper knows the directoryit is in, i.e. /usr/bin, and its own name, in.telnet, so it can call the original server program /usr/bin/in.telnet. • Users see no difference and receive the same service asbefore. • There is a nice trick and a fundamental design principle. MT5104 - Computer Security - Security Mechanisms

  46. Exercises - 1 • If the trace bit in the Motorola 68000 is set, an exception is created after each instruction that has been executed, allowing the programmer to run an interrupt handler, e.g. to debug programs. What are the security implications of setting the trace bit? Why has the trace bit to be cleared when processing an exception? • Smart card processors used to have their entire card O/S in ROM. Today, there are moves towards processors where part of the O/S can be loaded into E2PROM. What are the advantages and disadvantages of keeping the O/S in ROM? What are the security implications of moving parts of the O/S into E2PROM? • Justify the rephrasing of the - property for Multics. Why do we have to consider just the three cases mentioned? MT5104 - Computer Security - Security Mechanisms

  47. Exercises - 2 • Which level should be assigned to the root directory of a multi-level secure O/S? • Analyse the security and usability implications of the following options for storing the security level of a file in a multi-level secure O/S: • Store the security level of the file with the file name in the directory. • Store the security level of the file with the file itself, the directory has only the file name. • Divide the directory into partitions for each security level. File names are put into the division corresponding to their security level. • For each of the talks on IBM products, Unix, and Windows, write an essay answering the questions from slide 42. MT5104 - Computer Security - Security Mechanisms

  48. Further reading • Gasser, M.: Building a Secure Computer System, Van Nostrand Reinhold, New York, 1988 (many useful pointers to technical reports on O/S security) • Sibert, O., Porras, P.A. and Lindell, R.: An Analysis of the Intel 80x86 Processor Architecture and Implementation, IEEE Transaction on Software Engineering, March 1995, pp.181-199 (building security kernels with Intel 80x86 processors) • Wahbe, R., Lucco, S., Anderson, T.E. and Graham, S.L.: Efficient Software-Based Fault Isolation, Proceedings of the Symposium on Operating System Principles, 1993 (address sandboxing and related techniques) • http://www.qnx.com/literature/nto_sysarch/nto_sysarch.html (QNX web page with practical material on memory management) • Saltzer, J.H.: Protection and the Control of Information Sharing in Multics, Communications of the ACM, 17, pp. 388-402, 1974 • Comments on Multics security also at http://www.lilli.com/multics.html MT5104 - Computer Security - Security Mechanisms

More Related