UNIT-2
PART-1:- OPERATING SYSTEM SECURITY
Introduction to OS SECURITY
An operating system is a fundamental component of most modern computer systems. The operating system is close to the hardware: it masks the details of the underlying hardware from the programmer and provides the lowest layer of software visible to users. It can be viewed as a Resource Manager, responsible for fair resource sharing between the different processes in the system. At the same time, the operating system controls access to application memory and the scheduling of the processors. Applications must rely on OS-level services, and the developers of these applications do not know the level of detail needed to develop secure applications on their own. If the OS does not do these things securely, it generally compromises all security at higher levels, so the OS is a very logical place to enforce and support security.
OS security revolves around the protection of four elements:-
1. Confidentiality:- the protection of transmitted data from passive attacks, i.e. protection of data from unauthorized disclosure.
2. Authentication:- this mechanism helps establish proof of identities. The authentication process ensures that the origin of an electronic message or document is correctly identified.
3. Integrity:- when the contents of a message are changed after the sender sends it but before it reaches the intended recipients, we say that the integrity of the message is lost.
4. Availability:- it states that resources should be available to authorized parties at all times.
Protection Mechanisms:-
The concept of multiprogramming introduces the sharing of resources among users. This sharing involves memory, I/O devices, programs and data. The ability to share these resources introduces the need for protection. An OS may offer protection along the following spectrum:-
No Protection:- This is appropriate when sensitive procedures are being run at separate times.
Isolation:- This approach implies that each process operates separately from other processes, with no sharing. Each process has its own address space, files and other objects.
Share ALL or share NOTHING:- In this method, the owner of an object declares it to be public or private; in the latter case, only the owner's process may access the object.
Share via access limitation:- The OS checks the permissibility of each access by a specific user to a specific object. The OS therefore acts as a guard between users and objects, ensuring that only authorized accesses occur.
Share via dynamic capabilities:- This extends the concept of access control to allow the dynamic creation of sharing rights for objects.
Limit use of an object:- This form of protection limits not just access to an object but the use to which that object may be put.
A given OS may provide different degrees of protection for different objects, users and applications. The OS needs to balance the need to allow sharing with the need to protect the resources of individual users.
PROTECTION OF MEMORY:-
In a multiprogramming environment, protection of main memory is essential. The concern here is not just security but the correct functioning of the various processes that are active. The separation of the memory spaces of the various processes is easily accomplished with a virtual memory scheme. Segmentation or paging, or the two in combination, provides an effective tool for managing main memory. The measures taken to control access in data processing systems fall into two categories:-
[Figure: access control is divided into user-oriented and data-oriented access control. Data-oriented access control comprises MAC (Mandatory Access Control) and DAC (Discretionary Access Control).]
TOPIC -1:- LOW LEVEL PROTECTION MECHANISM
LOMAC:-
LOMAC is a dynamically loadable security module for free UNIX kernels that uses low-watermark mandatory access control to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users and compromised network server daemons. LOMAC is designed for compatibility and ease of use, to be a form of MAC that typical users can live with.
LOMAC implements a simple form of integrity protection based on Biba's low-watermark model in a Loadable Kernel Module (LKM). LOMAC provides useful integrity protection against viruses, Trojan horses, malicious remote users and compromised network servers without modifications to the kernel, applications or their existing configuration. LOMAC is designed to be easy to use. Its default configuration is intended to provide useful protection without being adjusted for the specific users, servers or other software present on the system. LOMAC may be used to harden currently deployed systems simply by loading the LKM into the kernel shortly after boot time.
Protection:-
LOMAC provides protection by dividing a system into two integrity levels:-
High level
Low level
[Figure: LOMAC 2-level partitioning of a system. High level: init, kernel daemons, etc. Low level: network servers, clients, downloads.]
High level:- Contains critical system components that must be protected, such as the init process, kernel daemons, system binaries, libraries and configuration files.
Low level:- Contains the remaining components, such as client and server processes that read from the network, local user processes and their files.
Once LOMAC assigns a file to one level or the other, its level never changes. This is not so for processes: LOMAC can "demote" high-level processes by reducing their levels to low during run time. LOMAC never increases the level of a process.
1. When LOMAC is running, a process's level determines how much power it has to modify other parts of the system. Given the above division of the system into levels, LOMAC provides integrity protection with two main mechanisms:-
A. First, LOMAC prevents low-level processes from modifying high-level files or signalling high-level processes. Since non-administrative users, their network clients and all network servers run at the low level, these restrictions protect the high-level part of the system from direct attacks by malicious remote users and compromised servers.
B. Second, LOMAC ensures that data does not flow from low-level files to high-level files.
2. A process might attempt to cause such a flow by reading from a low-level file and subsequently writing to a high-level file. LOMAC prevents such flows through demotion: whenever a high-level process reads from a low-level file, LOMAC reduces the process's level to low. Once at the low integrity level, LOMAC's first mechanism prevents the process from modifying the high level, as described above. This combination of mechanisms prevents indirect attacks by viruses, worms and Trojan horses.
LOMAC cannot distinguish between a program that has read low-integrity data but is still running properly and one that has read low-integrity data and has been compromised. LOMAC can only ensure that processes which read potentially dangerous low-level data during run time are demoted to the low integrity level. Once at that low level, LOMAC's other mechanism prevents them from harming high-integrity processes or files.
IMPLEMENTATION:-
There are two main problems in implementing kernel-resident MAC:-
Gaining supervisory control over kernel operations
Mapping security attributes to files
For these problems LOMAC provides low-cost solutions. The figure shows the architecture of the LOMAC LKM. The diagram shows a horizontal split between the upper and lower halves. The upper half implements high-level LOMAC functionality in a kernel-independent manner and consists of approximately 1000 lines of C code. The lower half implements a kernel-specific interface to the Linux 2.2 series of kernels and consists of approximately 1500 lines of C code.
[Figure: LOMAC loadable kernel module architecture. Upper half: Monitor, PLM (path level map), Mediate. Lower half: wrappers and utility functions.]
More on gaining control:-
At initialization time, LOMAC traverses the array of function pointers (the system call vector) through which the kernel provides services to user processes. LOMAC replaces the addresses of security-relevant system calls with the addresses of the corresponding wrappers. Once this is done, calls made through the system call vector will call the wrappers rather than the kernel's corresponding system call functions.
More on attribute mapping:-
The basic algorithm: given a target path, its level can be found by searching linearly through the list of records until a record is found whose path is a prefix of the target path. For example, the level of "/home/httpd/html" is high, because it matches the record for prefix "/home/httpd". If, during a search through the record list, the target path matches a record's path exactly, the flag field is checked. If the CHILD-OF flag is set, the match is ignored and the search continues. Consequently the level of "/home/httpd" is high because it exactly matches the record for prefix "/home/httpd", which has no CHILD-OF flag. The level of "/home/tfraser" is low because it matches the record for prefix "/home" with the CHILD-OF flag, and the level of "/home" is high because the search skips the CHILD-OF "/home" record and matches the record for prefix "/".
Gaining Control:-
LOMAC achieves control by interposing itself between processes and the kernel system call interface. LOMAC's kernel interface contains a series of functions called "wrappers". Each wrapper takes the same parameters as its corresponding system call.
Wrapper algorithm:-
wrapper(arguments)
{
    mediate: decide whether to allow or deny the operation;
    call the kernel's original system call function;
    monitor: update LOMAC's state on successful completion;
}
Attribute Mapping:-
In addition to gaining supervisory control, LOMAC must also assign integrity levels to files in a manner that is persistent across reboots. LOMAC maintains a persistent mapping between levels and absolute canonical path names in its path level map (PLM) module.
Level   Flags      Path
High               "/home/httpd"
Low     CHILD-OF   "/home"
High               "/"
Whenever the kernel opens a file, LOMAC labels its in-memory data structure with the integrity level indicated by the PLM. Records are searched longest path first. CHILD-OF is an extra flag indicating that the low level applies to the children of "/home" but not to "/home" itself.
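The following Python model ties together the three LOMAC mechanisms described above: the PLM lookup with the CHILD-OF flag (using exactly the three records in the table), the mediate/monitor wrapper pattern, and demotion of a high-level process that reads low-level data, including the trusted-program exception. It is an added example, not LOMAC's own code (which is a C kernel module); the process names, the file paths not taken from the notes and the trusted flag are constructed for illustration.

```python
"""Toy model of LOMAC's two-level low-watermark integrity protection.

Added example (not LOMAC's own code).  PLM records are the three from the
notes; process names, other file paths and the trusted flag are constructed.
"""

HIGH, LOW = "high", "low"

# Path level map: searched in order, longest path first, as in the notes.
PLM = [
    (HIGH, set(),        "/home/httpd"),
    (LOW,  {"CHILD_OF"}, "/home"),
    (HIGH, set(),        "/"),
]


def plm_level(target):
    """Integrity level of an absolute canonical path (first matching record)."""
    for level, flags, path in PLM:
        exact = target == path
        # CHILD_OF: the record covers children of the path, not the path
        # itself, so an exact match is ignored and the search continues.
        if exact and "CHILD_OF" in flags:
            continue
        prefix = path if path.endswith("/") else path + "/"
        if exact or target.startswith(prefix):
            return level
    raise ValueError("no PLM record covers " + target)


class Denied(Exception):
    """Raised by a wrapper's mediate step when the operation is refused."""


class Process:
    """A subject.  Its level starts as its creator's level and can only drop."""

    def __init__(self, name, level, trusted=False):
        self.name, self.level, self.trusted = name, level, trusted

    def fork(self, name):
        return Process(name, self.level)   # children inherit the parent's level


# Each wrapper follows the notes' pattern: mediate, do the call, monitor.

def sys_write(proc, path):
    """Modifying call: mediate only (nothing to monitor afterwards)."""
    if proc.level == LOW and plm_level(path) == HIGH:
        raise Denied(f"{proc.name} (low) may not modify {path} (high)")
    return "written"


def sys_read(proc, path):
    """Observing call: always allowed, but monitored for demotion."""
    # Monitor: a high process that reads low data is demoted to low, unless
    # it runs a trusted program (the compatibility exception in the notes).
    if proc.level == HIGH and plm_level(path) == LOW and not proc.trusted:
        proc.level = LOW
    return "read"


def sys_kill(proc, target):
    """Signalling call: a low process may not signal a high process."""
    if proc.level == LOW and target.level == HIGH:
        raise Denied(f"{proc.name} (low) may not signal {target.name} (high)")
    return "signalled"


def indirect_attack_blocked():
    """A high process reads a low (user) file, then tries to write a high
    file.  Demotion after the read makes the write fail, and the process's
    later children are born low."""
    init = Process("init", HIGH)
    worker = init.fork("worker")
    sys_read(worker, "/home/tfraser/notes.txt")       # demoted here
    try:
        sys_write(worker, "/etc/ld.so.conf")
        return False
    except Denied:
        return worker.level == LOW and worker.fork("child").level == LOW
```

Note that `sys_read` never denies: LOMAC lets any process read anything and relies on demotion plus the write/signal checks to contain the consequences, which is why a trusted program that is exempt from demotion carries the risk described under "Exceptions for compatibility".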
Application of LOMAC:-
In order to apply this protection scheme, LOMAC must be able to determine the appropriate level for every process and file in the system.
1) Dividing the file system:- The rules explained under attribute mapping determine which parts of the file system are at the high integrity level and which are at the low level. These rules are presently set at compile time. Although future versions of LOMAC may provide a more configurable rule set, the goal of the present implementation is to deliver a single generic configuration that provides at least some protection on a wide variety of systems. The division described by the current rule set reflects the tension between two competing goals:- providing the maximum amount of protection and maintaining the maximum amount of application compatibility.
2) Monitoring processes:- While file levels are static, process levels can decrease during run time. In general, LOMAC assigns a new process the same level as the process that created it. At initialization time, LOMAC assigns the high integrity level to the first process, which initializes the system by creating new high-level processes to handle various system tasks. These processes continue by creating more high-level children. As individual processes read from low-level files, LOMAC demotes them to the low integrity level. From that point, all their children begin life at the low level.
3) Exceptions for compatibility:- LOMAC must make an exception to allow some critical programs, such as the client-side DHCP agent pump and the system log daemon, to transfer data from the low level to the high level. For this it maintains a list of trusted programs. But if a high-level process running a trusted program were compromised, LOMAC would not prevent it from harming the high-integrity part of the system. Hence the presence of trusted programs represents some risk, so they must operate properly.
TOPIC-2 ACCESS CONTROL MODELS
Introduction to access control:- The foundation of information security rests on three things:-
Authentication
Access control
Audit
Authentication:- Establishes the identity of one party to another. Most commonly, authentication establishes the identity of a user to some part of the system, typically by means of a password. More generally, authentication can be computer-to-computer or process-to-process, and mutual in both directions.
Access Control:- Determines what one party will allow another to do with respect to resources and objects mediated by the former. Access control usually requires authentication as a prerequisite.
Audit:- The audit process gathers data about activity in the system and analyzes it to discover security violations or diagnose their cause. Analysis can occur offline, after the fact, or online in real time. In the latter case, the process is usually called Intrusion Detection.
Access control is usually applied after authentication has been established. Access control can take several forms:-
Discretionary Access Control (DAC) is based on the idea that the owner of data should determine who has access to it. DAC allows data to be freely copied from object to object, so even if access to the original data is denied, access to a copy can be obtained.
Lattice-based access control, also known as mandatory access control (MAC), confines the transfer of information to one direction in a lattice of security labels. MAC emerged from the confidentiality requirements of the military but has broad applications for integrity and separation of objects.
Role-based access control (RBAC) requires that access rights be assigned to roles rather than to individual users. Users obtain these rights by virtue of being assigned membership in appropriate roles. This simple idea greatly eases the administration of authorization.
Access control:-
Access control refers to controlling access to resources on a computer or network system. Without it, everyone would be able to access everything. Employees would be able to view their manager's salary information and read each other's email, and malicious individuals such as competitors would be able to dial into your remote access server and read your company's strategy plans for the next five years. With access control in place, users are identified, authenticated and authorized before they can actually access anything.
Access controls control which objects a subject can access. These are the two key terms used in access control models. A subject is someone or something, e.g. a user, application or system program, to which access to an object is granted or denied; examples of objects are files, printers, applications and system processes. Access control models provide a model for developers who need to implement access control functionality in their software and devices. An access control model defines a computer or network system's rules for user access to information resources. Access control models provide confidentiality and integrity and also provide accountability through audit trails.
[Figure: Access Control Models, grouped into user-oriented access control (authentication), data-oriented access control (DAC, MAC) and hybrid models. Models listed: Bell-LaPadula, Biba, Chinese Wall, Originator Controlled Access Control, Role Based Access Control, Clark-Wilson model.]
Data-Oriented Access Control:- Following successful log-on, the user has been granted access to one host or a set of hosts and applications. At this point we need data access control. In this regard, real-world OS protection models fall basically into one of two types:-
MAC
DAC
In computer security, passive resources are called objects and active entities that utilize the resources are called subjects. Typical objects include files, directories, memory and printers; typical subjects include users and processes. The roles depend upon the situation: for example, a process can request access to some resource (act as a subject) and later be the target of a request (act as an object).
MAC:- In mandatory access control, also called multilevel access control, objects (information) are classified on hierarchical levels of security sensitivity (typically top secret, confidential). Subjects (users) are assigned their security clearance. Access of a subject to an object is granted or denied depending on the relation between the clearance of the subject and the security classification of the object. The lattice model and the Bell-LaPadula model are based on MAC.
DAC:- In the discretionary access model each object has its unique owner. The owner exercises its discretion over the assignment of access permissions. Lampson introduced the access matrix model for DAC. The core of this model is a matrix whose rows are indexed by subjects and columns by objects.
            Doc-1   passwd   Progr_1
Alice       rw      r        x
Bob         r       r        -
Ronald      rw      rw       rwx
Fig 1: Access Matrix
In real systems, however, access control matrices are not very practical: the matrix is usually sparse, there is a lot of redundancy, and although subjects and objects can be added or removed easily, the centralized matrix could become a bottleneck. The matrix may be decomposed by columns, yielding access control lists (ACLs), Fig. 2. Thus for each object, an ACL details users and their permitted access rights. An ACL may contain a default or public entry. Decomposition by rows yields capability tickets, Fig. 3. A capability ticket specifies authorized objects and operations for a user. Each user has a number of tickets and may be authorized to lend or give them to others. Because tickets may be dispersed around the system, they present a greater security problem than ACLs. To avoid such problems, the OS holds all tickets on behalf of the users. These tickets would have to be held in a region of memory inaccessible to users.
File 1: A (OWN, R, W); B (R); C (R, W)
File 2: B (OWN, R, W); C (R)
File 3: A (OWN, R, W); B (W)
File 4: B (R); C (OWN, R, W)
Fig (2): Access Control Lists (one list per object)
User A: File 1 (OWN, R, W); File 3 (OWN, R, W)
User B: File 1 (R); File 2 (OWN, R, W); File 3 (W); File 4 (R)
User C: File 1 (R, W); File 2 (R); File 4 (OWN, R, W)
Fig (3):- Capability Lists (one list per user)
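To make the two decompositions concrete, here is an added Python example (not from the notes) that starts from the access matrix of Fig. 1 (Alice, Bob and Ronald versus Doc-1, passwd and Progr_1), derives ACLs by column and capability lists by row, answers access queries through either structure, and shows why tickets that can be lent are harder to control than ACLs. The helper names are constructed.

```python
"""Access matrix (Fig. 1) and its ACL / capability decompositions.

Added example, not from the notes.  Matrix entries are the ones in Fig. 1;
the function names are constructed.
"""

# Rows are subjects, columns are objects, entries are sets of rights.
ACCESS_MATRIX = {
    "Alice":  {"Doc-1": {"r", "w"}, "passwd": {"r"},      "Progr_1": {"x"}},
    "Bob":    {"Doc-1": {"r"},      "passwd": {"r"},      "Progr_1": set()},
    "Ronald": {"Doc-1": {"r", "w"}, "passwd": {"r", "w"}, "Progr_1": {"r", "w", "x"}},
}


def to_acls(matrix):
    """Decompose by column: one ACL per object listing subjects with rights."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:   # empty cells simply do not appear in the ACL
                acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def to_capabilities(matrix):
    """Decompose by row: one capability list (set of tickets) per subject."""
    return {s: {o: set(r) for o, r in row.items() if r} for s, row in matrix.items()}


def acl_allows(acls, subject, obj, right, default=None):
    """Check via the object's ACL; 'default' plays the role of a public entry."""
    entry = acls.get(obj, {})
    rights = entry.get(subject, default if default is not None else set())
    return right in rights


def capability_allows(caps, subject, obj, right):
    """Check via the subject's own tickets."""
    return right in caps.get(subject, {}).get(obj, set())


def lend_ticket(caps, giver, receiver, obj):
    """Hand a ticket to another subject: the receiver now holds a copy.
    Nothing in the ticket itself stops this, which is why the notes say the
    OS must keep tickets in memory that users cannot reach."""
    ticket = caps[giver][obj]
    caps.setdefault(receiver, {}).setdefault(obj, set()).update(ticket)
    return caps[receiver][obj]


def decompositions_agree(matrix):
    """Both decompositions must answer every (subject, object, right) query
    exactly as the matrix does."""
    acls, caps = to_acls(matrix), to_capabilities(matrix)
    for s, row in matrix.items():
        for o, rights in row.items():
            for right in "rwx":
                expected = right in rights
                if acl_allows(acls, s, o, right) != expected:
                    return False
                if capability_allows(caps, s, o, right) != expected:
                    return False
    return True


def sparsity(matrix):
    """Fraction of empty cells, the reason a full matrix is wasteful."""
    cells = [r for row in matrix.values() for r in row.values()]
    return sum(1 for r in cells if not r) / len(cells)
```

With an ACL, revoking Bob's read on Doc-1 means editing one list attached to the object; with capabilities, every copy of the ticket Bob may have lent out must be found, which is the practical difference the notes point at.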
So in the DAC model we have:-
Individual users may determine the access controls
E.g. the Unix file system implements DAC
This model works well in commercial and academic environments, not so well in the military, hospitals, private web sites etc.
In the MAC model we have:-
A site-wide security policy is enforced by the system in addition to the DAC
Better suited to environments with rigid information access restrictions
Example of DAC:-
[Figure: user A, the owner of the file Mydoc.doc, grants user B access to it.]
A decides to whom access is given.
It is based on a "need to know" basis.
Example of MAC:-
Administrator: level 65360
A: level 100
B: level 1
Two files: file1.doc, level 2; file2.doc, level 200
Access rights are granted according to a numeric access level. The access level of the user has to be equal to or higher than that of the object which they want to access.
A can access file 1
B can't access either file
The Administrator can access both
MAC v/s DAC:-
1) MAC is best for military and highly sensitive information systems.
2) Models such as Bell-LaPadula, Chinese Wall and LOMAC are based on MAC rather than DAC.
3) MAC provides multilevel security capability.
BELL-LA-PADULA MODEL (BLP):-
BLP is a formal (mathematical) description of MAC. There are three properties:-
1) DS property (Discretionary Security)
2) SS property (Simple Security: no "read up")
3) * property (Star property: no "write down")
A secure system satisfies all of these properties. BLP includes a mathematical proof that if a system is secure and a transaction satisfies all of the properties, then the system will remain secure.
Now I give some description of BLP:-
BLP is a state machine model capturing the confidentiality aspects of access control.
Access permissions are defined through an "access control matrix" and through a partial ordering of "security levels".
The security policy prevents information flowing downwards from a high security level to a low security level.
BLP only considers the information flow that occurs when a subject observes or alters an object.
What is in the model, or what we have to model:-
1) All "current access operations":-
An access operation is described by a tuple (s, o, a), with s ∈ S (subjects), o ∈ O (objects) and a ∈ A (access operations).
The set of all current access operations is an element of P(S × O × A).
We use B as shorthand for P(S × O × A).
We use b to denote a particular set of current accesses.
2) The current permissions, as defined by the access control matrix M:-
• M is the set of access control matrices.
3) The "current assignment of security levels":-
1. The level functions:-
• Maximal security level:- fs: S → L (L = labels)
• Current security level:- fc: S → L
• Classification:- fo: O → L
2. The security level of a user is the user's "clearance".
3. The current security level allows subjects to be downgraded temporarily.
4. F ⊆ L^S × L^S × L^O is the set of security level assignments.
5. f = (fs, fc, fo) denotes an element of F.
6. The "state set" of BLP:- V = B × M × F
7. A "state" is denoted by (b, M, f).
POLICIES OF BLP:-
1. Prevent information flow from high security levels to low security levels.
2. In BLP, information flow can only occur directly through access operations.
3. Simple Security Property (SS):-
No read-up: fs(s) ≥ fo(o) if access is in observe mode.
4. Information flow is still possible:-
• A low subject could create a high-level "Trojan horse program" that reads a high-level document and copies its contents to the low subject's low-level file.
• This would constitute an improper declassification of the document by the Trojan horse copy.
[Figure: the low subject creates the Trojan horse, which reads the high-level document and copies it to the low-level file.]
5. * property (Star property):-
No write-down: fc(s) ≤ fo(o) if access is in alter mode; also, if subject s has access to an object o in alter mode, then fo(o') ≤ fo(o) for all objects o' accessed by s in observe mode.
6. The very first version of BLP did not consider the * property.
7. The SS and * properties are the mandatory BLP policies.
8. Discretionary Security property (DS property):-
Access must be permitted by the access control matrix.
WRITE DOWN:-
1) The * property implies that a high-level subject is not able to send messages to a low-level subject.
2) There are two ways to escape from this restriction:-
a) Temporarily downgrade a high-level subject. This is the reason for the current security level fc. BLP assumes that subjects have no memory of their own.
b) Identify a set of trusted subjects which are permitted to violate the * property.
3) We redefine the * property and demand it only for subjects which are not trusted. Trusted subjects may violate the security policies.
BASIC SECURITY THEOREM OF BLP:-
1. A "state is secure" if all current access tuples (s, o, a) are permitted by the SS, * and DS properties.
2. A "state transition is secure" if it goes from a secure state to a secure state.
Theorem:-
"If the initial state of the system is secure and if all state transitions are secure, then the system will always be secure."
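The state machine just described can be written down directly: a state (b, M, f), a "state is secure" predicate made of the SS, * and DS properties, and a transition that only keeps a new access tuple if the resulting state is still secure, which is exactly the shape of the basic security theorem. The Python below is an added example, not from the notes. Labels are (rank, categories) pairs so that the ordering is a genuine partial order; it replays the Trojan horse scenario from the policies section, the trusted-subject escape from the write-down section, the temporary downgrade via fc, and the numeric MAC example from earlier (Administrator 65360, A 100, B 1, files at levels 2 and 200). Subject and object names and the access matrices are constructed.

```python
"""Bell-LaPadula as a small state machine: state (b, M, f), the ss-, *- and
ds-properties as a 'state is secure' predicate, and secure transitions.

Added example, not from the notes.  Label ranks in numeric_mac_example()
come from the notes' MAC example; names and matrices are constructed.
"""

OBSERVE, ALTER = "observe", "alter"


def label(rank, *cats):
    """A security label: (rank, set of categories)."""
    return (rank, frozenset(cats))


def dominates(l1, l2):
    """l1 >= l2 in the lattice: higher-or-equal rank and superset of categories."""
    return l1[0] >= l2[0] and l1[1] >= l2[1]


class BLPState:
    def __init__(self, fs, fc, fo, M, trusted=()):
        self.b = set()                 # current accesses (s, o, a)
        self.M = M                     # M[s][o] = set of permitted operations
        self.fs, self.fc, self.fo = dict(fs), dict(fc), dict(fo)
        self.trusted = set(trusted)    # subjects exempt from the *-property

    def is_secure(self):
        for s, o, a in self.b:
            if a not in self.M.get(s, {}).get(o, set()):
                return False                                # ds-property
            if a == OBSERVE and not dominates(self.fs[s], self.fo[o]):
                return False                                # ss: no read up
            if a == ALTER and s not in self.trusted:
                if not dominates(self.fo[o], self.fc[s]):
                    return False                            # *: no write down
                for s2, o2, a2 in self.b:                   # * second clause
                    if s2 == s and a2 == OBSERVE and not dominates(self.fo[o], self.fo[o2]):
                        return False
        return True

    def request(self, s, o, a):
        """Transition: add the access and keep it only if the state stays secure."""
        self.b.add((s, o, a))
        if self.is_secure():
            return True
        self.b.discard((s, o, a))
        return False

    def release(self, s, o, a):
        self.b.discard((s, o, a))

    def downgrade(self, s, new_level):
        """Temporarily lower fc(s): only below fs(s) and while s holds no
        access, since BLP assumes subjects keep no memory of their own."""
        if not dominates(self.fs[s], new_level) or any(t[0] == s for t in self.b):
            return False
        self.fc[s] = new_level
        return True


def trojan_horse_scenario(trusted=()):
    """A low user's Trojan horse runs high, reads a high document and tries
    to copy it into the user's low file.  Returns (read allowed, copy allowed)."""
    low, high = label(0), label(1)
    fs = {"user": low, "trojan": high}
    fo = {"secret.doc": high, "dump.txt": low}
    M = {"trojan": {"secret.doc": {OBSERVE}, "dump.txt": {ALTER}},
         "user": {"dump.txt": {OBSERVE, ALTER}}}
    st = BLPState(fs, dict(fs), fo, M, trusted)
    read_ok = st.request("trojan", "secret.doc", OBSERVE)   # ss holds
    copy_ok = st.request("trojan", "dump.txt", ALTER)       # * blocks it
    return read_ok, copy_ok


def numeric_mac_example():
    """Observe access for Administrator (65360), A (100), B (1) to file1.doc
    (level 2) and file2.doc (level 200): granted iff fs(user) >= fo(file)."""
    fs = {"Administrator": label(65360), "A": label(100), "B": label(1)}
    fo = {"file1.doc": label(2), "file2.doc": label(200)}
    M = {u: {f: {OBSERVE} for f in fo} for u in fs}
    st = BLPState(fs, dict(fs), fo, M)
    return {(u, f): st.request(u, f, OBSERVE) for u in fs for f in fo}
```

Because `request` checks the whole of b rather than only the new tuple, the second clause of the * property is enforced in both orders: a subject that already alters a low object is refused observe access to a high one, and vice versa.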
LIMITATIONS OF BLP:-
1) Restricted to confidentiality.
2) No policies for changing access rights; a general and complete downgrade is secure. BLP is intended for systems with static security levels.
3) BLP contains covert channels (a covert channel is a communication channel that allows transfer of information in a manner that violates the system security policy):- a low subject can detect the existence of high objects when it is denied access.
Topic 4:-
BIBA MODEL:-
Introduction:- The Biba model is similar to BLP but the focus is on integrity, not on confidentiality. The main aim was to turn the BLP model upside down. It follows the following model:
A high-integrity subject can't read lower-integrity objects (no "read down")
A subject can't move low-integrity data to a high-integrity environment (no "write up")
The Biba model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure that data are not contaminated. The following points should be noted carefully:-
Biba is a state machine model similar to BLP, capturing the integrity aspects of access control
Integrity means here "prevention of unauthorized modification of information"
Integrity levels are assigned to subjects and objects
Properties of the Biba model:
1) Simple Integrity property (no write up):- If subject s can modify (alter) object o, then fs(s) ≥ fo(o)
2) Integrity * property:- If subject s can read (observe) object o, then s can have write access to some other object o' only if fo(o) ≥ fo(o')
Some other policies of Biba:-
1) Low-watermark policy (LOMAC):- automatically adjusts integrity levels. It is of two types:
A) Subject Low-Watermark policy:- Subject s can read an object at any integrity level. The new integrity level of s is g.l.b.(fs(s), fo(o))
B) Object Low-Watermark policy:- Subject s can modify an object o at any integrity level. The new integrity level of o is g.l.b.(fs(s), fo(o)).
* Policy for invoke:- Invoke is an access operation between subjects.
Invoke Property:- Subject s1 can invoke s2 only if fs(s1) ≥ fs(s2)
According to this MAC policy of integrity, a "dirty" subject s1 cannot touch a "clean" object indirectly by invoking s2.
Ring Property:- Subject s1 can read objects at all integrity levels, modify objects o with fs(s1) ≥ fo(o), and invoke a subject s2 only if fs(s1) ≤ fs(s2)
A "dirty" subject s1 can invoke a "clean" tool s2 to touch a "clean" object. The Ring property is the opposite of the invoke property.
Features of BIBA:-
1) This security model is directed toward data integrity (rather than confidentiality) and is characterized by the phrase:-
"No write up, no read down"
2) With Biba, users can only create content at or below their own integrity level (a monk may write a prayer book that can be read by commoners, but a high priest would not be allowed to view the work of the less pious monk). Conversely, users can only view content at or above their own integrity level (a monk may read a book written by the high priest but may not read a pamphlet written by a lowly commoner).
* Comparison of Biba with BLP:-
As with BLP, the Biba model defines a simple security (SS) property and a * property. In this case they are, in a sense, the reverse of BLP's:-
1) The SS property states that a subject at a given level of integrity may not read an object at a lower integrity level (no read down)
2) The * property states that a subject at a given level of integrity must not write to any object at a higher level of integrity (no write up)
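The Biba properties above (simple integrity, integrity *, no read down, the two low-watermark policies, and the invoke and ring properties) are each a one-line comparison of integrity levels, and the interesting behaviour comes from combining them at run time. The Python below is an added example, not from the notes: integrity levels are integers (higher means more trustworthy, so g.l.b. is min), and the subject/object names and levels are constructed. It shows a high-integrity daemon being pulled down by the subject low-watermark rule after reading untrusted input, after which the simple integrity property refuses its write to a high-integrity file, and it contrasts the invoke and ring properties for a "dirty" subject calling a "clean" one.

```python
"""Biba integrity policies over totally ordered integrity levels.

Added example, not from the notes.  Levels: higher number = more
trustworthy, so g.l.b. is min().  Names and levels are constructed.
"""


class BibaState:
    def __init__(self, fs, fo):
        self.fs, self.fo = dict(fs), dict(fo)   # subject / object integrity levels
        self.observed = {}                       # s -> objects s has read

    # --- static-level policies ---------------------------------------------
    def simple_integrity(self, s, o):
        """No write up: s may modify o only if fs(s) >= fo(o)."""
        return self.fs[s] >= self.fo[o]

    def integrity_star(self, s, o_prime):
        """s may write o' only if fo(o) >= fo(o') for every object o it has read."""
        return all(self.fo[o] >= self.fo[o_prime] for o in self.observed.get(s, ()))

    def no_read_down(self, s, o):
        """Strict Biba dual of BLP's ss-property: read only if fs(s) <= fo(o)."""
        return self.fs[s] <= self.fo[o]

    def invoke(self, s1, s2):
        """Invoke property: s1 may invoke s2 only if fs(s1) >= fs(s2)."""
        return self.fs[s1] >= self.fs[s2]

    def ring_invoke(self, s1, s2):
        """Ring property: s1 may invoke s2 only if fs(s1) <= fs(s2)."""
        return self.fs[s1] <= self.fs[s2]

    # --- low-watermark policies (levels change at run time) ----------------
    def subject_lwm_read(self, s, o):
        """s may read anything; afterwards fs(s) = g.l.b.(fs(s), fo(o))."""
        self.observed.setdefault(s, set()).add(o)
        self.fs[s] = min(self.fs[s], self.fo[o])
        return self.fs[s]

    def object_lwm_write(self, s, o):
        """s may modify anything; afterwards fo(o) = g.l.b.(fs(s), fo(o))."""
        self.fo[o] = min(self.fs[s], self.fo[o])
        return self.fo[o]


def tainted_daemon_scenario():
    """A high-integrity daemon reads network input (low) under the subject
    low-watermark policy, then asks to modify a high-integrity config file:
    the write is refused by the simple integrity property.  Returns
    (allowed before, allowed after, daemon level after)."""
    st = BibaState(fs={"daemon": 2, "shell": 1}, fo={"net_input": 0, "config": 2})
    before = st.simple_integrity("daemon", "config")
    st.subject_lwm_read("daemon", "net_input")       # fs(daemon) drops to 0
    after = st.simple_integrity("daemon", "config")
    return before, after, st.fs["daemon"]


def star_property_scenario():
    """Static levels: a subject that has read a low object may still write an
    object at or below that level, but not a higher one (integrity *)."""
    st = BibaState(fs={"s": 2}, fo={"low": 0, "mid": 1, "high": 2})
    st.observed["s"] = {"low"}
    return st.integrity_star("s", "low"), st.integrity_star("s", "mid")
```

The subject low-watermark rule is what LOMAC implements in the kernel (there with only two levels); the object low-watermark rule instead lets the write happen and marks the written object as untrustworthy, which is the other way of stopping contaminated data from being mistaken for clean data.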
Topic 5: CHINESE WALL MODEL:
* Introduction:- The Chinese Wall policy combines commercial discretion with legally enforceable mandatory controls. It is required in the operation of many financial services organizations and is therefore perhaps as significant to the financial world as the Bell-LaPadula policy is to the military.
* What is in this model? In this model the focus is on the Conflict of Interest principle: a user should not access the confidential information of both a client organization and one or more of its competitors.
How it works:-
• Users have no "wall" initially.
• Once any given file is accessed, files with competitor information become inaccessible.
The following points should be noted carefully:-
1) In a financial institution an analyst deals with a number of clients and has to avoid conflicts of interest.
2) The model has the following components:-
Subject: analyst
Object: data item for a single client
Company data set: y: O → C gives for each object its company data set.
Conflict of interest classes: companies that are competitors. x: O → P(C) gives for each object o the companies with a conflict of interest on o.
Labels: (company data set, conflict of interest class)
Sanitized information: no access restrictions
Policies of the CHINESE WALL model:
1) Simple security property (SS):- Access is only granted if the object requested:-
is in the same company data set as an object already accessed by that subject, or
belongs to none of the conflict of interest classes of objects already accessed by that subject.
Formally:-
N = (N_so), s ∈ S, o ∈ O, is a Boolean matrix with N_so = true if s has accessed o.
SS-property:- Subject s gets access to object o only if for all objects o' with N_so' = true, y(o) ∉ x(o') or y(o) = y(o').
Indirect information flow:- Two competitors A and B have their accounts with the same bank. Analyst-A, dealing with A and the bank, updates the bank portfolio with sensitive information about A. Analyst-B, dealing with B and the bank, now has access to information about the competitor.
2) * property:- A subject s will be permitted write access to an object only if s has no read access to any object o' which is in a different company data set and is unsanitized.
Formally:- Subject s gets write access to object o only if s has no read access to an object o' with y(o) ≠ y(o') and x(o') ≠ {}.
Access rights of subjects change dynamically with every
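The two properties, together with the access history N, are enough to run the bank example above as code. The Python below is an added example, not from the notes: it keeps y(o), x(o) and N, implements the SS-property as the "wall" that grows with each access and the *-property as the write check, and replays Analyst-A's steps, showing that the indirect flow into the bank portfolio is refused by the *-property while the read of competitor B is refused by the SS-property. The object names, the analyst name and the extra "OtherBank" conflict (which keeps the portfolio unsanitized without making it a competitor of A) are constructed.

```python
"""Chinese Wall model: history N, company data set y(o), conflict class x(o).

Added example, not from the notes.  Object and subject names and the
'OtherBank' conflict entry are constructed.
"""


class ChineseWall:
    def __init__(self, y, x):
        self.y = y        # y[o]: company data set of o
        self.x = x        # x[o]: companies in conflict with y[o]; empty = sanitized
        self.N = {}       # N[s]: objects s has accessed (the Boolean matrix N_so)
        self.reads = {}   # objects s holds read access to (for the *-property)

    def ss_ok(self, s, o):
        """For every o' already accessed: y(o) not in x(o') or y(o) == y(o')."""
        return all(self.y[o] not in self.x[o2] or self.y[o] == self.y[o2]
                   for o2 in self.N.get(s, ()))

    def star_ok(self, s, o):
        """No read access to an o' in another data set that is unsanitized."""
        return not any(self.y[o] != self.y[o2] and self.x[o2]
                       for o2 in self.reads.get(s, ()))

    def read(self, s, o):
        if not self.ss_ok(s, o):
            return False
        self.N.setdefault(s, set()).add(o)
        self.reads.setdefault(s, set()).add(o)
        return True

    def write(self, s, o):
        # Any access needs the SS-property; writes additionally need the *-property.
        if not (self.ss_ok(s, o) and self.star_ok(s, o)):
            return False
        self.N.setdefault(s, set()).add(o)
        return True


def bank_scenario():
    """Analyst-A reads A's data and the bank portfolio, then tries to update
    the portfolio (the indirect flow in the notes) and to read competitor B."""
    y = {"A-accounts": "A", "B-accounts": "B", "bank-portfolio": "Bank"}
    x = {"A-accounts": {"B"}, "B-accounts": {"A"}, "bank-portfolio": {"OtherBank"}}
    cw = ChineseWall(y, x)
    steps = [
        ("read A", cw.read("Analyst-A", "A-accounts")),           # no wall yet
        ("write A", cw.write("Analyst-A", "A-accounts")),         # same data set
        ("read bank", cw.read("Analyst-A", "bank-portfolio")),    # Bank is not in x(A-accounts)
        ("write bank", cw.write("Analyst-A", "bank-portfolio")),  # *: has read unsanitized A
        ("read B", cw.read("Analyst-A", "B-accounts")),           # SS: B is in x(A-accounts)
    ]
    return dict(steps)
```

Sanitized objects have x(o) = {} and therefore never raise a wall and never block a later write; that is the only way an analyst who has read unsanitized data from one data set can still contribute to another.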
An Implementation of the CHINESE WALL security model using ConSA:
A new architecture, ConSA, allows security models to be developed separately from the system they will protect and still be integrated seamlessly into the system. Any system using ConSA could then also replace the security model at any time, while retaining the same operating system and applications.
Advantages of ConSA:
1) It is flexible enough that even a non-conventional security model such as the Chinese Wall security model, where access control is based on previously accessed entities, can be implemented using ConSA with ease.
2) In order to present a new security model without needless clutter, the final details of implementation on a system can be replaced by simply implementing it using ConSA.
The figure below shows the outline of ConSA, as it will typically be used in an object-oriented OS. The label modules define the label classes. The information flow module handles the flow control, and the authorization control module (ACM) controls subject access to entities. The subject management module, used by the security manager, is not really required for the Chinese Wall model used here, since the primary subject access restrictions and modifications are automatically handled by the ACM module.
ConSA consists of a number of methods which have to be defined for a particular security model, with certain conditions which must apply after their execution to preserve consistent security.