Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Operating Systems Security Dr. Ronald Pose Faculty of Information Technology Monash University Melbourne, Australia [email protected] http://www.csse.monash.edu.au/~rdp 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 1 Abstract • Security is of increasing concern in the modern world. Not only is our physical security becoming more difficult to maintain, even in the developed world, but with the advent of the information age, our information and the infrastructure via which it is stored, processed and communicated, is increasingly important to control. The security of our information and its supporting infrastructure is the focus of this conference. One of the key aspects of keeping computerized information secure is keeping the computer system secure and vital to that is the operating system. 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 2 Abstract - 2 • Operating system security is itself paramount if we are to secure the information it controls. In order to have a secure operating system it must be supported by a suitable computer architecture, and the implementation of the computer architecture must of course itself be appropriately engineered. If the underlying technology from which the operating system is built and on which it is supported is not secure, then one can have no confidence in the security of the operating system and of the information it maintains for the users. 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 3 Abstract - 3 • Even should the operating system and its supporting infrastructure potentially be secure, it is essential to follow appropriate rules so as not to allow the users to compromise their own security. 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 4 Abstract - 4 • Thus, in this short overview of operating systems security we will delve into the requirements for the supporting computer and communication system, look at the design, operation and function of the operating system, investigate the implementation of a secure operating system, discuss security policies that can be supported by the system, and attempt to bring this complex structure together in a way that provides some insight into the design, construction and operation of a secure operating system. 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 5 Acknowledgements This is primarily a personal view of the current state of operating systems security. At the end I include some references but this is not a complete survey. This presentation also contains material taken from the background chapters of Dan Mossop’s PhD thesis. 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 6 Biographical Sketch Ronald Pose completed his B.Sc.(Hons) degree and his Ph.D. at Monash University, Melbourne, Australia. He majored in both Chemistry and in Computer Science, with a minor in Mathematical Statistics. His Ph.D. involved the design and implementation of a novel capability-based operating system kernel, the Password-Capability System, and the design and construction of tightly-coupled multiprocessor hardware with novel addressing mechanisms to support it. In 1987 Ronald Pose was employed as a Research Scientist at Telecom Australia Research Laboratories where he worked on the application of public key cryptography and authentication and certification techniques. He joined the faculty of Monash University in 1988. There he has supervised a number of research students with whom he has worked on a wide variety of research projects including neural networks, genetic algorithm function optimization, network routing, low latency virtual reality address recalculation pipeline display system, and selfreconfigurable computer systems. Dr. Pose's current research interests include virtual reality and telerobotics technology, computer architecture, parallel and distributed computer systems architecture, secure operating systems, reconfigurable computer systems architecture, multiprocessor interconnection networks, wireless ad hoc networks and spread-spectrum microwave communication technology, computer system security. He currently has Ph.D. students working on computer security analysis, multi-user virtual reality, and wireless ad-hoc networking. 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 7 Presentation Overview • • • • • • Security – General Definitions – Role of the Operating System – Security Policies • Access Matrix Style • Role Based – Confinement of Information – Principle of Least Authority Operating System Security – Requirements for Implementing a Secure Operating System • Supporting Hardware • Computer System Environment – What Security Services are Provided by the Operating System • Resource Security • Service Security • Communication Security • Other Security Operating System Design Options – Access Control Lists – Capabilities • Capability Implementations – Tagged, Segregated, Encrypted, Password – Support for Object-Orientation Analysis of Operating System Security Impact of Operating Systems Design on Users The Future of Operating Systems 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 8 Background • I will assume that the audience has used a computer and has some familiarity with a popular operating system such as Microsoft Windows XP, Unix, or MacOS. While each of these has the characteristics of an operating system, none of them could be considered very secure. That is not to say that the world is necessarily at great peril in terms of its information systems given that the vast majority of computer systems use such operating systems, however computer systems security can never be extremely strong while we continue with current systems and practices. 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 9 Setting the scene • An important issue is how important is security, and how much are we willing to pay for it, in financial, convenience, performance and other terms. A perfectly secure system is unlikely to be popular since it will by necessity, omit many of the popular but highly insecure features to which people have become accustomed. Interestingly many of the emerging problems that are now plaguing us as computer users, like junk e-mail, computer viruses and worms, and loss of privacy, are largely self-inflicted, through use of insecure technologies. E-mail was ‘safe’ before the advent of attachments, especially executable attachments. Web surfing was ‘safe’ before executable applets and other active sites became possible and popular. However operating systems have never really been secure in themselves. They have tended to rely on skilled users and administrators to cooperate in maintaining security. Now that the end user and administrator is likely to be technically naïve, it is more important to design and produce systems that give the lay users some hope of maintaining their information security. This requires good operating systems security infrastructure provided in a form that is easy to use and understand. 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 10 Setting the scene - 2 • In this talk I can only outline the basic principles and give pointers to appropriate technologies that can assist us in our search for information security. This is an open field where there is a real need for new ideas, and an even bigger need to question the current practices. We have sold the public a way of dealing with information that is inherently insecure, and have made these unsafe practices and technology ubiquitous. Huge industries have developed based on insecurity of information and in trading information. These could be threatened by widespread use of secure systems. Similarly there are many governments around the world that have vested interests in ensuring that people’s information systems are insecure, so as to allow monitoring of the population are their activities. There are enormous legal questions regarding the safeguarding of information, information privacy, international law, intellectual property etc. Interestingly these issues can all impact on the design, implementation, deployment and use of secure operating systems. 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 11 Security - definitions “a computer is secure if you can depend on it and its software to behave as you expect” Garfinkel et al. (2003) “the ability of a system to protect information and system resources with respect to confidentiality and integrity” Ross (1999) “deals with the prevention and detection of unauthorized actions by users of a computer system” Gollman (1999) 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 12 Security - definitions 2 “a secure system is a system on which enough trust can be put to use it together with sensitive information” Olovsson (1992) “concerned with the protection of valuable assets from harm, which is a significant negative consequence to the asset … security deals with malicious harm, which is harm resulting from attacks or probes by someone or something playing the role of attacker” Firesmith (2004) 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 13 Role of the Operating System • The operating system can be considered in various ways: – an intermediary between the user software and the hardware – an abstraction layer providing an idealized view of the computer hardware – a virtual machine – a set of services 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 14 Security Policies • Mandatory – applied on a system-wide basis – “A means of restricting access to objects based on the sensitivity of the information contained in the objects and the formal authorization of subjects to access information of such sensitivity” - US DoD • Discretionary – it is the users rather than the system restricting access – “A means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission on to any other subject (unless restrained by mandatory access control)” - US DoD 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 15 Security Policies - 2 • Access matrix style (Lampson 1974) – Mapping of access of subjects to objects • Role based – Developed to address the needs of civilian rather than military needs – Access is restricted based on the role the individual has in the organization – An individual may have multiple roles – Roles may change over time 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 16 Properties of Security Policies • • • • • • • Confidentiality Integrity Availability Confinement Identity Anonymity Non-repudiation 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 17 Confinement of Information • Lampson (1973) defined confinement as preventing an executing program from transmitting information to any other program except its caller • A related confinement problem is that of ensuring a program can only receive information from its caller • It may be possible for the caller to authorize some communication of information 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 18 Security Policy Examples • Bell-LaPadula (1973) – mandatory policy – designed to preserve confidentiality – each subject and object is assigned a classification public, confidential, secret, top secret. – subjects can only read information at their classification or lower – Subjects can only write information to objects of equal or higher classification 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 19 Security Policy Examples - 2 • Biba (1977) – mandatory – aims to ensure integrity of information – each subject and object is assigned an integrity classification - lowest, low, high, highest – subjects can only read information at their integrity classification or higher – subjects can only write information to objects of equal or lower integrity classification 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 20 Security Policy Examples - 3 • Clark-Wilson (1987) – mandatory – designed to ensure integrity of information – data items in the model are either constrained or unconstrained – Integrity verification procedures determine whether a given data item satisfied integrity constraints – Transformation procedures move data items from one valid state to another – constrained data items may have restrictions specified on allowable transformation procedures – enforces separation of duty - different users must certify integrity and transformation procedures 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 21 Security Policy Examples - 4 • Chinese Wall (Brewer & Nash 1989) – mandatory – role based security policy – corporate information is organized in 3 levels • Lowest level - individual items about a single corporation • Middle level - information grouped by corporation • Highest level - corporations in competition grouped together – highest level groupings form conflict of interest classes – Information may be accessed by a user only if it does bot conflict with any other information he holds 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 22 Principle of Least Authority • It is considered good security practice to allow a subject access to information or authority to do anything, only when it is necessary for his doing the job in question • Ideally this would be enforced by a security policy and by the operating system supporting it 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 23 Operating System Security • What kinds of security policies should be supported? • What security services are required? • Where are the boundaries of the system? • Is it a distributed system? • Are users distributed across time and space? • Is there any concurrency involved? 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 24 Requirements for Implementation of Secure Operating Systems • Supporting hardware – – – – – – – Is virtualization needed? Is there fine enough access control in H/W? Is there adequate control at H/W level? Can H/W ensure O/S cannot be bypassed? Can the H/W support the required resources? Is the H/W scalable adequately? Is there support for multiple levels of privilege? 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 25 Requirements for Implementation of Secure Operating Systems - 2 • Computer System Environment – Is the computer system in a secure environment? – Are there adequate power, cooling, etc.? – Is it networked? • If so, is the networking environment secure? – Are there backup or redundant H/W resources? 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 26 What Security Services are Provided by the Operating System? • • • • • • • • Resource security Service security Communication security Authentication of users Authentication of resources Privacy Anonymity Other security services 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 27 Operating System Design Options • Access Control Lists (ACL) – Common method of implementing access matrices – Each object (resource) has a list of authorized subjects (users) who may obtain specified access rights to that object – Subjects must be authenticated – Unix, Windows XP, and many others 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 28 Operating System Design Options - 2 • Capabilities – Dennis and Van Horn (1966) – An alternative method of implementing access matrices – Each subject (user) has possession of a set of tokens, each granting authorization to gain access to an object – Subjects may be anonymous – Capabilities must be protected from forgery or modifcation to increase access rights 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 29 Capabilities versus ACLs • ACL may be likened to a guard at the door to an object/resource • He checks whether the subject/user is on the authorized list, and only then lets them in • Capabilities may be likened to door keys • Objects/resources are protected by locks, and only those with keys can get in • Possession of a key that works is all that is required 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 30 Capabilities versus ACLs - 2 • ACLs and Capabilities appear to be equivalent ways of expressing the permissions described by the access matrix • There are dynamic and operational differences especially when considering role-based security policies or when there are dynamic changes in authorizations • Capabilities have extra flexibility • Hybrid schemes are possible 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 31 Capability Implementations • Tagged – Each word of memory is tagged by the hardware to indicate whether it is a capability or not • Segregated – Capabilities are stored in separate memory segments or capability-lists protected by the operating system • Encrypted – Capabilities are encrypted to protect them • Password-Capabilities – Capabilities are protected with a random password 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 32 Support for Object-Orientation • Operating system support for objectoriented systems is essential to ensure security of such systems in terms of enforcing the object-orientation methodology • Otherwise the object-orientation is simply a convention 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 33 Analysis of operating system security • A formal requirements analysis • A formal risk analysis • A formal operating system security analysis • All are required to have certifiable confidence in operating systems security 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 34 Requirements for Operating System Security Analysis • Simple conceptual model • Small implementation • Well defined specifications and implementation • Well defined communication paths 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 35 Impact of Operating Systems Design on Users • ACL and Capability paradigms appear quite differently to users – ACLs are more familiar in terms of computing – There is a simple login (authentication) process and then all resources are available – Owners may add others to ACLs as appropriate • Capability systems appear differently – Capabilities must be distributed to the required users – Capabilities may be passed on to third parties depending on security policy – Potentially no login process, but must present a capability for every resource to be accessed 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 36 Future of Operating Systems • • • • Are they a bonus or a liability? Should we have them? We require new paradigms for O/S security How will new hardware designs affect them? • Good topic for a conference session since it affects security, usability, and many other issues. 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 37 References • Anderson, M.S., Pose, R.D. and Wallace,C.S. (1986) – The Password-Capability System, The Computer Journal, 29(1): 1-8 • Wallace, C.S. and Pose, R.D. (1990) – Charging in a Secure Environment, in J. Rosenberg and J. Keedy (eds), Security and Persistence, Bremen, Springer-Verlag, pp.85-97 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 38 References - 2 • Bell, D.E. and LaPadula, L.J. (1973) – Secure computer systems: mathematical foundations. Tech. Rep. 2547 (Volume 1), Mitre Corp, Massachusetts, USA • Biba, K.J. (1977) – Integrity considerations for secure computer systems. Tech. Rep. ESD-TR76-372, USAF Electronic Systems Division, Hanscon Airforce Base, Massachusetts, USA • Clark, D.D. and Wilson, D.R. (1987) – A comparison of commercial and military computer security policies, Proc. IEEE Symp. On Security and Privacy, pp.184-194. • Dennis, J.B. and Van Horn, E.C. (1966) – Programming semantics for multiprogrammed computations, CACM 9(3): 143-155. 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 39 References - 3 • Firesmith, D.G. (2004) – A taxonomy of safety-related requirements. Requirements Engineering 2004 (RE’04), Requirements for High Assurance Systems (RHAS), Kyoto, Japan, IEEE CS. • Garfinkel, S., Spafford, G. and Schwarz, A. (2003) – Practical Unix and Internet Security, 3rd ed., O’Reilly, California, USA. ISBN: 0-596-00323-4 • Gollman, D. (1999) – Computer Security, John Wiley & Sons Ltd., ISBN: 0-471-38922-6 • Lampson, B.W. (1973) – A note on the confinement problem, CACM 16(10): 613-615 • Lampson, B.W. (1974) – Protection, ACM Operating Systems Review 8(1):18-24 • Olovsson, T. (1992) – A structured approach to computer security, Tech. Rep. 122, Chalmers University of Technology, Sweden 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 40 References - 4 • Ross, S.T. (1999) – UNIX System Security Tools, McGraw-Hill, ISBN: 0-079-13788-1 15 Nov 2006 MCIS-2006 OS Security - Dr. Ronald Pose 41