UNIT-2
PART-1:- OPERATING SYSTEM SECURITY

Introduction to OS SECURITY
An operating system is a fundamental component of most modern computer systems.
Operating systems are close to the hardware: the OS masks the details of the underlying
hardware from the programmer and provides the lowest layer of software visible to users. It
can be viewed as a resource manager, responsible for fair resource sharing between the
different processes in the system. At the same time, the operating system controls access to
application memory and the scheduling of the processors. Applications must rely on OS-
level services, and the developers of these applications do not know the level of detail
needed to develop secure applications on their own; if the OS does not do these things
securely, it generally compromises all security at higher levels, so the OS is a very logical
place to enforce and support security.
        OS security revolves around the protection of four elements:-
    1. Confidentiality: the protection of transmitted data from passive attacks, i.e.
        protection of data from unauthorized disclosure.
    2. Authentication: this mechanism helps establish proof of identities. The
        authentication process ensures that the origin of an electronic message or
        document is correctly identified.
    3. Integrity: when the contents of a message are changed after the sender sends it, but
        before it reaches the intended recipients, we say that the integrity of the message is
        lost.
    4. Availability: resources should be available to authorized parties at all times.

Protection Mechanisms:-
The concept of multiprogramming introduces the sharing of resources among users. This
sharing involves memory, I/O devices, programs and data. The ability to share these
resources introduces the need for protection. An OS may offer protection along the
following spectrum:-
     • No protection:- This is appropriate when sensitive procedures are being run at
       separate times.
     • Isolation:- This approach implies that each process operates separately from other
       processes, with no sharing. Each process has its own address space, files and other
       objects.
     • Share all or share nothing:- In this method, the owner of an object declares
       it to be public or private; in the latter case, only the owner's process may access the
       object.
     • Share via access limitation:- The OS checks the permissibility of each access by a
       specific user to a specific object; the OS therefore acts as a guard between users and
       objects, ensuring that only authorized accesses occur.
     • Share via dynamic capabilities:- This extends the concept of access control to
       allow dynamic creation of sharing rights for objects.
     • Limit use of an object:- This form of protection limits not just access to an object
       but the use to which that object may be put.
A given OS may provide different degrees of protection for different objects, users and
applications. The OS needs to balance the need to allow sharing with the need to protect
the resources of individual users.

PROTECTION OF MEMORY:-
In a multiprogramming environment, protection of main memory is essential. The
concern here is not just security but the correct functioning of the various processes that
are active. The separation of the memory spaces of the various processes is easily
accomplished with a virtual memory scheme. Segmentation, paging, or the two in
combination, provide effective tools for managing main memory. The measures taken
to control access in data processing systems fall into two categories:-

                     Access control
                    /              \
         User oriented            Data oriented
                                     - MAC (Mandatory access control)
                                     - DAC (Discretionary access control)

TOPIC-1:-    LOW LEVEL PROTECTION MECHANISM
 LOMAC:-
  LOMAC is a dynamically loadable security module for free UNIX kernels that uses low
  water-mark mandatory access control to protect the integrity of processes and data
  from viruses, Trojan horses, malicious remote users and compromised network server
  daemons. LOMAC is designed for compatibility and ease of use, to be a form of MAC
  that typical users can live with.
  LOMAC implements a simple form of integrity protection based on Biba's low water-
  mark model in a Loadable Kernel Module (LKM). LOMAC provides useful integrity
  protection against viruses, Trojan horses, malicious remote users and compromised
  network servers without modifications to the kernel, applications or their existing
  configuration. LOMAC is designed to be easy to use. Its default configuration is
  intended to provide useful protection without being adjusted for the specific users,
  servers or other software present on the system. LOMAC may be used to harden
  currently deployed systems simply by loading the LKM into the kernel shortly after
  boot time.
  Protection:-
  LOMAC provides protection by dividing a system into two integrity levels:-
                           High level:  init, kernel daemons, etc.
                           Low level:   network servers, clients, downloads

            (Figure: LOMAC 2-level partitioning of a system.)
 • High level:- Contains critical system components that must be protected, such as
   the init process, kernel daemons, system binaries, libraries and configuration
   files.
 • Low level:- Contains the remaining components, such as client and server
   processes that read from the network, local user processes and their files.
       Once LOMAC assigns a file to one level or the other, its level never changes. This is
       not so for processes: LOMAC can "demote" high-level processes by reducing their
       level to low during runtime. LOMAC never increases the level of a process.
           1. When LOMAC is running, a process's level determines how much power it
               has to modify other parts of the system. Given the above division of the
               system into levels, LOMAC provides integrity protection with two main
               mechanisms:-
               A. First, LOMAC prevents low-level processes from modifying high-level
                   files or signaling high-level processes. Since non-administrative users,
                   their network clients and all network servers run at the low level, these
                   restrictions protect the high-level part of the system from direct attacks
                   by malicious remote users and compromised servers.
               B. Second, LOMAC ensures that data does not flow from low-level files to
                   high-level files.
           2. A process may attempt to cause such a flow by reading from a low-level file and
               subsequently writing to a high-level file. LOMAC prevents such flows
               through demotion: whenever a high-level process reads from a low-level file,
               LOMAC reduces the process's level to low. Once at the low integrity
               level, LOMAC's first mechanism prevents the process from modifying high-
               level files and processes, as described above. This combination of mechanisms
               prevents indirect attacks by viruses, worms and Trojan horses.
LOMAC cannot distinguish between a program that has read low-integrity data but is still
running properly and one that has read low-integrity data and has been compromised.
LOMAC can only ensure that processes which read potentially dangerous low-level data
during runtime are demoted to the low integrity level. Once at that low level, LOMAC's
other mechanism prevents them from harming high-integrity processes or files.
     IMPLEMENTATION:-
    There are two main problems in implementing kernel-resident MAC:-
     • Gaining supervisory control over kernel operations
     • Mapping security attributes to files
    For these problems LOMAC provides low-cost solutions. The figure shows the
    architecture of the LOMAC LKM. The diagram shows a horizontal split between the upper and
    lower halves. The upper half implements the high-level LOMAC functionality in a kernel-
    independent manner and consists of approximately 1000 lines of C code. The lower
    half implements a kernel-specific interface to the Linux 2.2 series of kernels and
    consists of approximately 1500 lines of C code.

       Upper half:   Monitor    |    PLM (path level map)    |    Mediate
       ----------------------------------------------------------------
       Lower half:            Wrappers and utility functions

                      (LOMAC loadable kernel module architecture)
     More on gaining control:-
     At initialization time, LOMAC traverses the system call vector, an array of function
     pointers through which the kernel provides services to user processes. LOMAC replaces
     the addresses of the security-relevant system calls with the addresses of the
     corresponding wrappers. Once this is done, calls made through the system call vector
     invoke the wrappers rather than the kernel's original system call functions.
     More on attribute mapping:-
     The basic algorithm: given a target path, its level is found by searching linearly
     through the list of records until a record is found whose path is a prefix of the target
     path. For example, the level of "/home/httpd/html" is high, because it matches the record
     for prefix "/home/httpd". If during a search through the record list the target path
     matches a record's path exactly, the flag field is checked. If the CHILD-OF flag is set, the
     match is ignored and the search continues. Consequently the level of "/home/httpd" is high
     because it exactly matches the record for prefix "/home/httpd", which has no CHILD-OF
     flag. The level of "/home/tfraser" is low because it matches the record for prefix "/home",
     which has the CHILD-OF flag; and the level of "/home" itself is high because the search
     skips the CHILD-OF record for "/home" and matches the record for prefix "/".
Gaining Control:-
LOMAC achieves control by interposing itself between processes and the kernel system
call interface. LOMAC's kernel interface contains a series of functions called
"wrappers". Each wrapper takes the same parameters as its corresponding system call.
  Wrapper algorithm:-
   wrapper(arguments)
   {
         Mediate: decide to allow or deny the operation;
         Call the kernel's original system call function;
         Monitor: update LOMAC's state on successful completion;
   }
Attribute Mapping:-
In addition to gaining supervisory control, LOMAC must also assign integrity levels to
files in a manner that is persistent across reboots. LOMAC maintains a persistent
mapping between levels and absolute canonical path names in its Path Level Map (PLM)
module.

            Level    Flags             PATH
            High                       "/home/httpd"
            Low      CHILD-OF          "/home"
            High                       "/"

Whenever the kernel opens a file, LOMAC labels its in-memory data structure with the
integrity level indicated by the PLM. Records are matched longest path first. CHILD-OF is an
extra flag indicating that only the children of "/home" are low, not "/home" itself.

Application of LOMAC:-
In order to apply this protection scheme, LOMAC must be able to determine the appropriate
level for every process and file in the system.
      1) Dividing the file system:- The rules explained under attribute mapping
          determine which parts of the file system are at the high integrity level and
          which are at the low level. These rules are presently set at compile time. Although
          future versions of LOMAC may provide a more configurable rule set, the goal
          of the present implementation is to deliver a single generic configuration that
          provides at least some protection on a wide variety of systems. The division
          described by the current rule set reflects the tension between two competing
          goals:- providing the maximum amount of protection and maintaining the maximum
          amount of application compatibility.
      2) Monitoring processes:- While file levels are static, process levels can decrease
          during runtime. In general, LOMAC assigns a new process the same level as
          the process that created it. At initialization time, LOMAC assigns the high
          integrity level to the first process, which initializes the system by creating new
          high-level processes to handle various system tasks. These processes continue by
          creating more high-level children. As individual processes read from low-level files,
          LOMAC demotes them to the low integrity level. From that point on, all their
          children begin life at the low level.
      3) Exceptions for compatibility:- LOMAC must make an exception to allow some
          critical programs, such as the client-side DHCP agent pump and the system log
          daemon, to transfer data from the low level to the high level. For this it maintains a
          list of trusted programs. But if a high-level process running a trusted program were
          compromised, LOMAC would not prevent it from harming the high-integrity
          part of the system. Hence the presence of trusted programs represents
          some risk, so they should operate properly.
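The path-level map lookup and the demotion mechanism described above, as an added Python example (not LOMAC's own code, which is a C kernel module). The PLM records and the example paths are those given in the text; the process model, the trusted flag and the file names used in the demo are assumptions of the example.

```python
"""LOMAC-style path-level map (PLM) lookup and low-water-mark demotion.

Added worked example, not LOMAC's own code. It models the two mechanisms
described in the notes: (1) a PLM that assigns an integrity level to a path
via prefix records with an optional CHILD-OF flag, and (2) demotion of a
high-level process when it reads a low-level file, after which it may no
longer modify high-level files or signal high-level processes.
"""
from dataclasses import dataclass, field

HIGH, LOW = 1, 0
LEVEL_NAME = {HIGH: "high", LOW: "low"}


@dataclass(frozen=True)
class PLMRecord:
    level: int
    path: str
    child_of: bool = False   # record applies to children of path, not the path itself


# Record table from the text, ordered longest path first.
PLM = [
    PLMRecord(HIGH, "/home/httpd"),
    PLMRecord(LOW, "/home", child_of=True),
    PLMRecord(HIGH, "/"),
]


def _is_prefix(prefix: str, target: str) -> bool:
    """True if `prefix` names `target` itself or an ancestor directory of it."""
    if prefix == "/":
        return target.startswith("/")
    return target == prefix or target.startswith(prefix + "/")


def plm_level(target: str, records=PLM) -> int:
    """Linear search: the first record whose path is a prefix of target wins,
    except that an exact match on a CHILD-OF record is skipped."""
    for rec in records:
        if not _is_prefix(rec.path, target):
            continue
        if rec.child_of and rec.path == target:
            continue          # CHILD-OF: the directory itself keeps the parent's level
        return rec.level
    raise ValueError(f"no PLM record covers {target!r}")


@dataclass
class Process:
    name: str
    level: int
    trusted: bool = False     # trusted programs (compatibility exception) are not demoted
    log: list = field(default_factory=list)


def lomac_read(proc: Process, path: str) -> None:
    """Monitor step: reading a low-level file demotes a high-level process."""
    if plm_level(path) == LOW and proc.level == HIGH and not proc.trusted:
        proc.level = LOW
        proc.log.append(f"demoted after reading {path}")


def lomac_write(proc: Process, path: str) -> bool:
    """Mediate step: a low-level process may not modify a high-level file."""
    if proc.level == LOW and plm_level(path) == HIGH:
        proc.log.append(f"denied write to {path}")
        return False
    proc.log.append(f"wrote {path}")
    return True


def lomac_signal(sender: Process, target: Process) -> bool:
    """Mediate step: a low-level process may not signal a high-level one."""
    return not (sender.level == LOW and target.level == HIGH)


def lomac_fork(parent: Process, name: str) -> Process:
    """A child starts life at its parent's current level."""
    return Process(name, parent.level)


def indirect_flow_demo() -> dict:
    """A high-level process reads a user's (low-level) file, then tries to
    modify a high-level system file; constructed file names."""
    editor = Process("editor", HIGH)
    lomac_read(editor, "/home/tfraser/macro.txt")   # low-level data: demotion
    ok = lomac_write(editor, "/etc/passwd")          # high-level target: denied
    child = lomac_fork(editor, "child")              # children inherit the low level
    return {"level": editor.level, "write_allowed": ok, "child_level": child.level}


if __name__ == "__main__":
    for p in ("/home/httpd/html", "/home/httpd", "/home/tfraser", "/home", "/etc"):
        print(f"{p:20} -> {LEVEL_NAME[plm_level(p)]}")
    print(indirect_flow_demo())
```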

TOPIC-2        ACCESS CONTROL MODELS
Introduction to access control:- The foundation of information security rests on
three mechanisms:-
     • Authentication
     • Access control
     • Audit
Authentication:- Establishes the identity of one party to another. Most commonly,
authentication establishes the identity of a user to some part of the system, typically by
means of a password. More generally, authentication can be computer-to-
computer or process-to-process, and mutual in both directions.
Access Control:- Determines what one party will allow another to do with respect to
resources and objects mediated by the former. Access control usually requires
authentication as a prerequisite.
Audit:- The audit process gathers data about activity in the system and analyzes it to
discover security violations or diagnose their cause. Analysis can occur offline after the
fact or online in real time. In the latter case, the process is usually called Intrusion
Detection.
        Access control usually applies after authentication has been established. Access control
can take several forms:-
• Discretionary Access Control (DAC) is based on the idea that the owner of data should
  determine who has access to it. DAC allows data to be freely copied from object to object,
  so even if access to the original data is denied, access to a copy can be obtained.
• Lattice-based access control, also known as mandatory access control (MAC), confines
  the transfer of information to one direction in a lattice of security labels. MAC emerged
  from the confidentiality requirements of the military but has broad applications for integrity
  and separation of objects.
• Role-based access control (RBAC) requires that access rights be assigned to roles
  rather than to individual users. Users obtain these rights by virtue of being assigned
  membership in appropriate roles. This simple idea greatly eases the administration of
  authorization.

Access control:-
Access control refers to controlling access to resources on a computer or
network system. Without it, everyone would be able to access everything.
Employees would be able to view their manager's salary information and read
each other's email, and malicious individuals such as competitors would be
able to dial into your remote access server and read your company's strategy
plans for the next five years. With access control in place, users are
identified, authenticated and authorized before they can actually access anything.
       Access controls control which objects a subject can access. These are
the two key terms used in access control models. A subject is someone or
something, e.g. users, applications or system programs, to which access to an
object is granted or denied; examples of objects are files, printers, applications and
system processes. Access control models provide a model for developers who
need to implement access control functionality in their software and
devices. An access control model defines a computer or network
system's rules for user access to information resources. Access control
models provide confidentiality and integrity, and also provide accountability
through audit trails.
Access Control Models (figure: classification)

   User-oriented access control:  Authentication
   Data-oriented access control:  DAC, MAC
   Hybrid models:                 Bell-La Padula, Biba, Chinese Wall,
                                  Originator Controlled Access Control,
                                  Role Based Access Control, Clark-Wilson

Data Oriented Access Control:- Following successful log on, the user has
been granted access to one or a set of hosts and applications. At this point we
need data access control. In this regard, real-world OS protection models fall
basically into one of two types:-
    • MAC
    • DAC

         In computer security, passive resources are called objects and the active
entities that utilize the resources are called subjects. Typical objects
include files, directories, memory and printers; typical subjects include
users and processes. The roles depend upon the situation: for example, a process can
request access to some resource (acting as a subject) and later be the target of a
request (acting as an object).


MAC:- In mandatory access control, also called multilevel access control,
objects (information) are classified on hierarchical levels of security
sensitivity (typically top secret, confidential). Subjects (users) are assigned
their security clearance. Access of a subject to an object is granted or denied
depending on the relation between the clearance of the subject and the
security classification of the object. The Lattice model and the Bell-La Padula model
are based on MAC.
DAC:- In the Discretionary Access Control model each object has a unique owner.
The owner exercises their discretion over the assignment of access
permissions. Lampson introduced the access matrix model for DAC. The
core of this model is a matrix whose rows are indexed by subjects and
columns by objects.
                     Doc-1               passwd              Progr_1
Alice                rw                  r                   x
Bob                  r                   r                   -
Ronald               rw                  rw                  rwx

                            Fig1: Access Matrix
           In real systems, however, access control matrices are not very
practical, because the matrix is usually sparse and contains a lot of redundancy;
subjects and objects may be added or removed easily, but the centralized
matrix could become a bottleneck. The matrix may be decomposed by
columns, yielding access control lists, Fig (2). Thus for each object, an ACL
details users and their permitted access rights. An ACL may contain a default or
public entry. Decomposition by rows yields capability tickets, Fig (3). A
capability ticket specifies authorized objects and operations for a user. Each
user has a number of tickets and may be authorized to lend or give them to others.
Because tickets may be dispersed around the system, they present a
greater security problem than ACLs. To address this problem, the OS may hold all
tickets on behalf of the users. These tickets would then have to be held in a region
of memory inaccessible to users.


            ACL for File 1:  A (OWN, R, W) -> B (R) -> C (R, W)
            ACL for File 2:  B (OWN, R, W) -> C (R)
            ACL for File 3:  A (OWN, R, W) -> B (W)
            ACL for File 4:  B (R) -> C (OWN, R, W)

                          Fig (2): ACL
            User 'A':  File 1 (OWN, R, W) -> File 3 (OWN, R, W)
            User 'B':  File 1 (R) -> File 2 (OWN, R, W) -> File 3 (W) -> File 4 (R)
            User 'C':  File 1 (R, W) -> File 2 (R) -> File 4 (OWN, R, W)

                         Fig (3):- Capability Lists
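Decomposing an access matrix into ACLs (by column) and capability lists (by row), as an added Python example that is not part of the original notes. The matrix is the one in Fig 1; the `default` parameter of the ACL check and the `lend_capability` helper are the example's way of modelling the public entry and ticket lending mentioned in the text.

```python
"""Access matrix -> ACLs (column decomposition) and capability lists (row
decomposition), with a reference-monitor decision function for each.

Added worked example; the matrix is Fig 1 from the notes. Rights are sets of
single-letter operations; the '-' cell in the figure means no rights.
"""

# Fig 1 access matrix: rows = subjects, columns = objects.
ACCESS_MATRIX = {
    "Alice":  {"Doc-1": "rw", "passwd": "r",  "Progr_1": "x"},
    "Bob":    {"Doc-1": "r",  "passwd": "r",  "Progr_1": ""},
    "Ronald": {"Doc-1": "rw", "passwd": "rw", "Progr_1": "rwx"},
}


def to_acls(matrix: dict) -> dict:
    """Column decomposition: for every object, the subjects and their rights on it.
    Empty cells are dropped, which is what makes ACLs compact for sparse matrices."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def to_capabilities(matrix: dict) -> dict:
    """Row decomposition: for every subject, the objects it may reach and how."""
    return {s: {o: set(r) for o, r in row.items() if r} for s, row in matrix.items()}


def acl_check(acls: dict, subject: str, obj: str, op: str, default: str = "") -> bool:
    """Decision from an ACL; the optional default/public entry applies to
    subjects not named on the list (no public entry unless given)."""
    entry = acls.get(obj, {})
    rights = entry.get(subject, set(default))
    return op in rights


def cap_check(caps: dict, subject: str, obj: str, op: str) -> bool:
    """Decision from a capability list held by the system on the subject's behalf."""
    return op in caps.get(subject, {}).get(obj, set())


def lend_capability(caps: dict, giver: str, receiver: str, obj: str) -> None:
    """Tickets can be passed on; afterwards the capability view no longer matches
    the matrix, which is why dispersed tickets are harder to control than ACLs."""
    rights = caps[giver].get(obj)
    if rights is None:
        raise PermissionError(f"{giver} holds no ticket for {obj}")
    caps.setdefault(receiver, {}).setdefault(obj, set()).update(rights)


def decisions_agree(matrix: dict) -> bool:
    """Both decompositions of the same matrix must decide every (s, o, op) alike."""
    acls, caps = to_acls(matrix), to_capabilities(matrix)
    objects = {o for row in matrix.values() for o in row}
    return all(acl_check(acls, s, o, op) == cap_check(caps, s, o, op)
               for s in matrix for o in objects for op in "rwx")


if __name__ == "__main__":
    from pprint import pprint
    pprint(to_acls(ACCESS_MATRIX))
    pprint(to_capabilities(ACCESS_MATRIX))
    print("ACL and capability decisions agree:", decisions_agree(ACCESS_MATRIX))
```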

So in the DAC model we have:-
    • Individual users may determine the access controls
    • E.g. the Unix file system implements DAC
    • This model works well in commercial and academic environments, but not
      so well in the military, hospitals, private web sites etc.

   In the MAC model we have:-
       • A site-wide security policy is enforced by the system in addition to
         DAC
       • Better suited to environments with rigid information access
         restrictions

      Example of DAC:-
           User A owns the file "My doc.doc" and user B wants to access it.
             A decides to whom access is given.
             Access is granted on a "need to know" basis.
Example of MAC:-
           Subject          Level        Object         Level
           Administrator    65360        file1.doc      2
           A                100          file2.doc      200
           B                1
Access rights are granted according to a numeric access level. The access level of a
user has to be equal to or higher than that of the object they want to access.
                 A can access file1.doc (100 >= 2)
                 B can't access either file
                 Administrator can access both

MAC v/s DAC:-

1) MAC is best for military and highly sensitive information systems.

2) Models such as Bell-La Padula, Chinese Wall and LOMAC are based
   on MAC rather than DAC.

3) MAC provides multi-targeting capability.



BELL-LA PADULA MODEL (BLP):-

             BLP is a formal (mathematical) description of MAC. There are
three properties:-
   1) DS property (Discretionary Security)

   2) SS property (Simple Security: no "read up")

   3) * property (Star property: no "write down")

      A secure system satisfies all of these properties. BLP includes a
      mathematical proof that if a system is secure and a transition
      satisfies all of the properties, then the system will remain secure.
      Now I give some description of BLP:-

          • BLP is a state machine model capturing confidentiality aspects
            of access control.
          • Access permissions are defined through an "access control
            matrix" and through a partial ordering of "security levels".
          • The security policy prevents information flowing downwards from a
            high security level to a low security level.
          • BLP only considers the information flow that occurs when a
            subject observes or alters an object.

What is in the model, or what we have to model:-

   1) All "current access operations":-
        An access operation is described by a tuple (s, o, a),
            s ∈ S (subjects), o ∈ O (objects), a ∈ A (access operations).

        The set of all current access operations is an element of P(S × O × A).
        We use B as shorthand for P(S × O × A).
        We use b to denote a particular set of current accesses.

   2) The current permissions as defined by the access control matrix M:-
        • M is the set of access control matrices.

   3) The "current assignment of security levels":-
             1. Three functions assign levels from the set L of labels:
                    • Maximal security level:  fs : S → L
                    • Current security level:  fc : S → L
                    • Classification:          fo : O → L
             2. The security level of a user is the user's "clearance".
             3. The current security level allows subjects to be downgraded
                 temporarily.
             4. F ⊆ L^S × L^S × L^O is the set of security level
                 assignments.
             5. f = (fs, fc, fo) denotes an element of F.
             6. The "state set" of BLP:- V = B × M × F
             7. A "state" is denoted by (b, M, f).

      POLICIES OF BLP :-

         1. Prevent information flow from high security levels to low
            security levels.
         2. In BLP, information flow can only occur directly through
            access operations.
         3. Simple Security Property (SS):-
            No read up: fs(s) ≥ fo(o) if access is in observe mode.

         4. Information flow is still possible:
            • A low subject could create a high-level "Trojan horse
              program" that reads a high-level document and copies its
              contents to its low-level file.
            • This would constitute an improper declassification of the

              (Figure: the low subject creates the Trojan horse, which reads the
              high-level document and copies it to the low-level file.)

         5. * property (Star property):-
            No write down: fc(s) ≤ fo(o) if access is in alter mode. Also, if
            subject s has access to an object o in alter mode, then fo(o') ≤
            fo(o) for all objects o' accessed by s in observe mode.

         6. The very first version of BLP did not consider the * property.
         7. The SS and * properties are the mandatory BLP policies.
         8. Discretionary Security property (DS property):-
            Access must be permitted by the access control matrix.
WRITE DOWN :-

1) The * property implies that a high-level subject is not able to send
   messages to a low-level subject.
2) There are two ways to escape from this restriction:-
     a) Temporarily downgrade a high-level subject. This is the reason
         for the current security level fc. BLP assumes that subjects have
         no memory of their own.
     b) Identify a set of trusted subjects which are permitted to violate
         the * property.

3) We redefine the * property and demand it only for subjects which are
   not trusted. Trusted subjects may violate the security policy.

   BASIC SECURITY THEOREM OF BLP :-

      1. A "state is secure" if all current access tuples (s, o, a) are
         permitted by the SS, * and DS properties.
      2. A "state transition is secure" if it goes from a secure state to a
         secure state.

         Theorem:-

                        "If the initial state of the system is secure and if all
         state transitions are secure, then the system will always be
         secure."
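The secure-state definition and a state transition that refuses requests which would make the state insecure, as an added Python example (not from the notes). It uses the document's symbols b, M and f = (fs, fc, fo); the integer levels, the subject and object names, and the exemption of trusted subjects from the *-property (the escape route described under "write down") are assumptions of the example.

```python
"""BLP secure-state check for a state (b, M, f) and a guarded state transition.

Added worked example, not from the original notes. Levels are integers with
the usual ordering (higher = more sensitive); b is the set of current
(s, o, a) tuples, M the access control matrix, f = (fs, fc, fo).
"""
from dataclasses import dataclass, field

OBSERVE_OPS = {"read", "execute"}   # observe mode
ALTER_OPS = {"write", "append"}     # alter mode


@dataclass
class BLPState:
    b: set                  # current accesses: {(s, o, a)}
    M: dict                 # M[(s, o)] = set of permitted operations
    fs: dict                # maximal level (clearance) of each subject
    fc: dict                # current level of each subject, fc[s] <= fs[s]
    fo: dict                # classification of each object
    trusted: set = field(default_factory=set)   # assumption: exempt from * only


def ss_ok(st: BLPState, s, o, a) -> bool:
    """Simple security, no read up: fs(s) >= fo(o) for observe accesses."""
    return a not in OBSERVE_OPS or st.fs[s] >= st.fo[o]


def star_ok(st: BLPState, s, o, a) -> bool:
    """*-property, no write down: fc(s) <= fo(o) for alter accesses, and every
    object s currently observes must be classified no higher than o."""
    if a not in ALTER_OPS or s in st.trusted:
        return True
    if st.fc[s] > st.fo[o]:
        return False
    observed = [o2 for (s2, o2, a2) in st.b if s2 == s and a2 in OBSERVE_OPS]
    return all(st.fo[o2] <= st.fo[o] for o2 in observed)


def ds_ok(st: BLPState, s, o, a) -> bool:
    """Discretionary security: the access matrix M must permit the access."""
    return a in st.M.get((s, o), set())


def state_secure(st: BLPState) -> bool:
    """A state is secure iff every tuple in b satisfies SS, * and DS."""
    return all(ss_ok(st, s, o, a) and star_ok(st, s, o, a) and ds_ok(st, s, o, a)
               for (s, o, a) in st.b)


def request(st: BLPState, s, o, a) -> bool:
    """State transition: add (s, o, a) to b only if all three properties hold;
    otherwise refuse and leave the state unchanged (secure -> secure)."""
    if ss_ok(st, s, o, a) and star_ok(st, s, o, a) and ds_ok(st, s, o, a):
        st.b.add((s, o, a))
        return True
    return False


def trojan_horse_scenario() -> dict:
    """The scenario from the notes: a program running at the high level reads a
    high document and then tries to copy it into a low-level file that a low
    subject can read. M permits everything, so only the mandatory rules apply."""
    LOW, HIGH = 1, 3
    st = BLPState(
        b=set(),
        M={("trojan", "hi_doc"): {"read"}, ("trojan", "lo_file"): {"write"},
           ("mallory", "lo_file"): {"read", "write"}},
        fs={"trojan": HIGH, "mallory": LOW}, fc={"trojan": HIGH, "mallory": LOW},
        fo={"hi_doc": HIGH, "lo_file": LOW},
    )
    read_ok = request(st, "trojan", "hi_doc", "read")     # allowed: no read up
    copy_ok = request(st, "trojan", "lo_file", "write")   # refused: write down
    read_up = request(st, "mallory", "hi_doc", "read")    # refused: SS (and DS)
    return {"read": read_ok, "copy": copy_ok, "read_up": read_up,
            "secure": state_secure(st)}


if __name__ == "__main__":
    print(trojan_horse_scenario())
```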


   LIMITATIONS OF BLP:-

   1) Restricted to confidentiality.
   2) No policies for changing access rights; a general and complete
      downgrade is secure. BLP is intended for systems with static
      security levels.
   3) BLP contains covert channels (communication channels that allow
      transfer of information in a manner that violates the system
      security policy):- a low subject can detect the existence of high
      objects when it is denied access.
Topic 4:-
BIBA MODEL:-
Introduction:- The Biba model is similar to BLP but its focus is on integrity, not on
confidentiality. The main aim was to turn the BLP model upside down. It follows these
rules:
     • A high-integrity subject can't read lower-integrity objects (no "read down")
     • A subject can't move low-integrity data into a high-integrity environment (no "write
        up")
                       The Biba model is a formal state transition system of computer
security policy that describes a set of access control rules designed to ensure that data
are not contaminated. The following points should be noted carefully:-
     • Biba is a state machine model similar to BLP, capturing integrity aspects of access
        control
     • Integrity here means "prevention of unauthorized modification of information"
     • Integrity levels are assigned to subjects and objects

Properties of the Biba model:

1) Simple Integrity property (no write up):- If subject 's' can modify (alter) object 'o',
then      fs(s) ≥ fo(o)

2) Integrity '*' property:- If subject 's' can read (observe) object 'o', then 's' can have
write access to some other object 'o'' only if fo(o) ≥ fo(o')

Some other policies of Biba:-
1) Low water-mark policies (LOMAC): automatically adjust integrity levels. They are of two
types:
        A) Subject low water-mark policy:- Subject 's' can read an object 'o' at any
integrity level. The new integrity level of 's' is g.l.b.(fs(s), fo(o)), the greatest lower bound.
        B) Object low water-mark policy:- Subject 's' can modify an object 'o' at any
integrity level. The new integrity level of 'o' is g.l.b.(fs(s), fo(o)).

* Policies for invoke:- Invoke is an access operation between subjects.

 Invoke property:- Subject s1 can invoke s2 only if fs(s1) ≥ fs(s2).
According to this MAC policy for integrity, a "dirty" subject s1 cannot touch a "clean" object
indirectly by invoking s2.

 Ring property:- Subject s1 can read objects at all integrity levels, modify an object 'o'
with fs(s1) ≥ fo(o), and invoke a subject s2 only if fs(s1) ≤ fs(s2).
        A "dirty" subject s1 can invoke a "clean" tool s2 to touch a "clean" object. The
Ring property is the opposite of the Invoke property.

Features of BIBA:-
1) This security model is directed toward data integrity (rather than confidentiality) and is
characterized by the phrase:-
            "No write up, no read down"
2) With Biba, users can only create content at or below their own integrity level (a monk
may write a prayer book that can be read by commoners, but a high priest would not be
allowed to view the work of the less pious monk).
             Conversely, users can only view content at or above their own integrity level
(a monk may read a book written by the high priest but may not read a pamphlet written
by a lowly commoner).

* Comparison of Biba with BLP:-
                     As with BLP, the Biba model defines a simple security (SS) property and a
* property. In this case they are, so to speak, the reverse of BLP:-

1) The SS property states that a subject at a given level of integrity may not read an object
at a lower integrity level (no read down).
2) The * property states that a subject at a given level of integrity must not write to any
object at a higher level of integrity (no write up).
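The Biba rules above, including the low water-mark, Invoke and Ring properties, as an added Python example rather than code from the notes. The monk, high priest and commoner levels and the object names are constructed from the example in the text; levels are totally ordered integers, so g.l.b. is simply min().

```python
"""Biba integrity checks: strict integrity, low water-mark, Invoke and Ring.

Added worked example, not from the notes. fs maps subjects to integrity
levels and fo maps objects; the levels are totally ordered integers, so the
greatest lower bound g.l.b. used by the low water-mark policies is min().
"""

COMMONER, MONK, HIGH_PRIEST = 1, 2, 3          # constructed integrity levels
fs = {"monk": MONK, "priest": HIGH_PRIEST, "peasant": COMMONER}
fo = {"prayer_book": MONK, "scripture": HIGH_PRIEST, "pamphlet": COMMONER}


def simple_integrity(s, o) -> bool:
    """No write up: s may modify (alter) o only if fs(s) >= fo(o)."""
    return fs[s] >= fo[o]


def no_read_down(s, o) -> bool:
    """Strict integrity SS: s may observe o only if fs(s) <= fo(o)."""
    return fs[s] <= fo[o]


def integrity_star(s, o, o2) -> bool:
    """Integrity *: having observed o, s may write o2 only if fo(o) >= fo(o2),
    so low-integrity data cannot be copied upwards through the subject."""
    return fo[o] >= fo[o2]


def subject_low_water_mark(s, o) -> int:
    """Subject LWM policy: s may read any o, but its level drops to
    g.l.b.(fs(s), fo(o)); the caller records the new level for s."""
    return min(fs[s], fo[o])


def object_low_water_mark(s, o) -> int:
    """Object LWM policy: s may modify any o, whose level becomes
    g.l.b.(fs(s), fo(o)); the caller records the new level for o."""
    return min(fs[s], fo[o])


def invoke_property(s1, s2) -> bool:
    """Invoke: s1 may invoke s2 only if fs(s1) >= fs(s2), so a dirty subject
    cannot reach a clean object indirectly through a cleaner subject."""
    return fs[s1] >= fs[s2]


def ring_property(s1, s2) -> bool:
    """Ring: the opposite of Invoke; s1 may invoke s2 only if fs(s1) <= fs(s2),
    letting a dirty subject use a clean tool that applies its own checks."""
    return fs[s1] <= fs[s2]


def monk_scenario() -> dict:
    """The monk example: a monk may write a prayer book readable by commoners
    but may neither alter scripture (write up) nor read a pamphlet (read down),
    and the high priest may not view the monk's work."""
    return {
        "monk_writes_prayer_book": simple_integrity("monk", "prayer_book"),
        "monk_writes_scripture": simple_integrity("monk", "scripture"),
        "monk_reads_scripture": no_read_down("monk", "scripture"),
        "monk_reads_pamphlet": no_read_down("monk", "pamphlet"),
        "priest_reads_prayer_book": no_read_down("priest", "prayer_book"),
        # read the pamphlet, then write the prayer book: integrity * blocks the copy
        "pamphlet_into_prayer_book": integrity_star("monk", "pamphlet", "prayer_book"),
    }


if __name__ == "__main__":
    for rule, allowed in monk_scenario().items():
        print(f"{rule:28} {'allowed' if allowed else 'denied'}")
```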


Topic 5: CHINESE WALL MODEL:
* Introduction:- The Chinese Wall policy combines commercial discretion with
legally enforceable mandatory controls. It is required in the operation of many financial
services organizations and is therefore perhaps as significant to the financial world as the Bell-
La Padula policy is to the military.

* What is in this model? The focus of this model is the conflict of interest
principle: a user should not access the confidential information of both a client
organization and one or more of its competitors.
How it works:-
                           •   Users have no "wall" initially.
                           •   Once any given file is accessed, files with competitor
                               information become inaccessible.
The following points should be noted carefully:-

   1) In a financial institution an analyst deals with a number of clients and has to avoid
      conflicts of interest.
   2) The model has the following components:-
          • Subjects: analysts
          • Objects: data items for a single client
          • Company data sets: y : O → C gives for each object its company data set.
          • Conflict of interest classes: companies that are competitors. x : O → P(C) gives
              for each object 'o' the companies with a conflict of interest on 'o'.
          • Labels: company data set + conflict of interest class
          • Sanitized information: no access restrictions


Policies of CHINESE WALL model:
1) Simple security property (SS) :- Access is only granted if the object requested:-
           is in the same company data set as an object already accessed by that subject, or
           belongs to none of the conflict of interest classes of objects already accessed by
            that subject.
Formally:-
           N = (N_so), s belongs to S, o belongs to O, is a Boolean matrix with N_so = true if s has
            accessed o.
           SS-property:- Subject 's' gets access to object 'o' only if for all objects 'o''
            with N_so' = true, y(o) does not belong to x(o') or y(o) = y(o').

Indirect information flow:- Two competitors A and B have their accounts with the
same bank. Analyst-A, dealing with A and the bank, updates the bank portfolio with
sensitive information about A. Analyst-B, dealing with B and the bank, now has access to
information about the competitor.

   2) * Property:- A subject 's' will be permitted write access to an object only if 's' has
      no read access to any object 'o'' which is in a different company data set and is
      unsanitized.

            Formally:- Subject 's' gets write access to object 'o' only if 's' has no
             read access to an object 'o'' with y(o) != y(o') and x(o') != {}.
            Access Rights of subjects change dynamically with every
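Because the wall is built from each subject's own access history, the policy is most easily understood as a small reference monitor that records N_so and evaluates the two properties on every request. The following is an added example, not code from the lecture notes or from any ConSA implementation: the companies, object names and analyst access sequences are constructed, and sanitized information is modelled as a separate "Public" data set with x(o) = {}, which is one way (an assumption here) of giving it no access restrictions. The second scenario is the bank-portfolio leak described above and shows the * property closing it.

```python
"""Chinese Wall (Brewer-Nash) policy as a history-based reference monitor.

Added example; not code from the lecture notes. Objects, companies and the
access sequences are constructed. y(o) is the object's company data set and
x(o) the set of companies in conflict with it; sanitized objects are modelled
as a 'Public' data set with x(o) empty (an assumption of this example).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Obj:
    name: str
    company: str               # y(o): company data set the object belongs to
    conflicts: frozenset[str]  # x(o): companies in conflict of interest with y(o)
                               # (empty set = sanitized information)


class ChineseWall:
    def __init__(self) -> None:
        # N_so: for each subject s, the objects o it has read so far (N_so = true)
        self._reads: dict[str, set[Obj]] = {}

    def _history(self, s: str) -> set[Obj]:
        return self._reads.setdefault(s, set())

    def ss_property(self, s: str, o: Obj) -> bool:
        """For every o' already read: y(o) not in x(o') or y(o) == y(o')."""
        return all(o.company not in p.conflicts or o.company == p.company
                   for p in self._history(s))

    def star_property(self, s: str, o: Obj) -> bool:
        """s has read no o' with y(o') != y(o) and x(o') != {} (unsanitized, other data set)."""
        return all(p.company == o.company or not p.conflicts
                   for p in self._history(s))

    def read(self, s: str, o: Obj) -> bool:
        if not self.ss_property(s, o):
            return False
        self._history(s).add(o)  # the wall moves: this read constrains future access
        return True

    def write(self, s: str, o: Obj) -> bool:
        # a write is also an access, so the ss-property applies as well as the * property
        return self.ss_property(s, o) and self.star_property(s, o)


# Constructed sample: two competing oil companies, a bank in its own conflict
# class, and a sanitized annual report.
OIL_A = Obj("oil_a/accounts", "OilA", frozenset({"OilB"}))
OIL_B = Obj("oil_b/accounts", "OilB", frozenset({"OilA"}))
BANK = Obj("bank/portfolio", "Bank", frozenset({"OtherBank"}))
PUBLIC = Obj("oil_b/annual_report", "Public", frozenset())  # sanitized: x(o) = {}


def ss_scenario() -> list[tuple[str, bool]]:
    """One analyst reads OilA; the competitor OilB then becomes inaccessible,
    while the bank (different conflict class) and sanitized data stay open."""
    cw = ChineseWall()
    return [
        ("read OilA", cw.read("analyst", OIL_A)),     # True: no wall yet
        ("read OilB", cw.read("analyst", OIL_B)),     # False: OilB in x(OilA)
        ("read Bank", cw.read("analyst", BANK)),      # True: not in conflict with OilA
        ("read Public", cw.read("analyst", PUBLIC)),  # True: sanitized
    ]


def indirect_flow_scenario() -> dict[str, bool]:
    """The bank-portfolio leak from the notes. Analyst-A handles OilA and the bank,
    Analyst-B handles OilB and the bank; the * property stops A from carrying
    OilA information into the portfolio that B can read."""
    cw = ChineseWall()
    cw.read("analyst_a", OIL_A)
    cw.read("analyst_a", PUBLIC)
    cw.read("analyst_b", OIL_B)
    cw.read("analyst_b", BANK)
    return {
        # A has read unsanitized OilA data, so may not write into the bank portfolio
        "a writes Bank": cw.write("analyst_a", BANK),
        # sanitized reads do not block writes within the data set A already works on
        "a writes OilA": cw.write("analyst_a", OIL_A),
        # B has read two unsanitized data sets and therefore cannot write anywhere
        "b writes Bank": cw.write("analyst_b", BANK),
    }


if __name__ == "__main__":
    print(ss_scenario())
    print(indirect_flow_scenario())
```

Two things worth noticing when running it. First, the check is per subject and depends only on that subject's history, so it is cheap to evaluate but the history must be persistent and tamper-proof; a subject who can forget a read can step over the wall. Second, the * property is deliberately severe: an analyst who has read unsanitized data from two different company data sets can no longer write anything, which is why real deployments lean on sanitized (x(o) = {}) objects for anything that must be shared.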

An Implementation of the CHINESE WALL security Model using ConSA:
                A new architecture, ConSA, allows security models to be developed
separately from the system they will protect and still be integrated seamlessly into the
system. Any system using ConSA could then also replace the security model at any time,
while retaining the same operating system and applications.
Advantages of ConSA:
    1) It is flexible enough that even a non-conventional security model such as the
       Chinese Wall security model, where access control is based on previously accessed
       entities, can be implemented using ConSA with ease.
    2) In order to present a new security model without needless clutter, the final details of
       its implementation on a system can be replaced by simply implementing it using
       ConSA.

                  The figure below shows the outline of ConSA, as it will typically be used in an
object oriented OS. The label modules define the label classes. The information flow
module handles the flow control, and the authorization control module (ACM) controls
subject access to entities. The subject management module, used by the security manager, is not
really required for the Chinese Wall model used here, since the primary subject access
restrictions and modifications are automatically handled by the ACM module.
ConSA consists of a number of methods which have to be
defined for a particular security model, with certain conditions which must hold after
their execution so that the security state remains consistent.

Mais conteúdo relacionado

Mais procurados (20)

App A
App AApp A
App A
 
OSCh19
OSCh19OSCh19
OSCh19
 
OS_Ch3
OS_Ch3OS_Ch3
OS_Ch3
 
Advanced Operating System- Introduction
Advanced Operating System- IntroductionAdvanced Operating System- Introduction
Advanced Operating System- Introduction
 
Kernel (OS)
Kernel (OS)Kernel (OS)
Kernel (OS)
 
Distributed computing
Distributed computingDistributed computing
Distributed computing
 
lecture 1 (Part 2) kernal and its categories
lecture 1 (Part 2) kernal and its categorieslecture 1 (Part 2) kernal and its categories
lecture 1 (Part 2) kernal and its categories
 
Network operating systems
Network operating systemsNetwork operating systems
Network operating systems
 
Ch2 operating-system structures
Ch2   operating-system structuresCh2   operating-system structures
Ch2 operating-system structures
 
1 introduction
1 introduction1 introduction
1 introduction
 
System programs in o.s. for bca and bscit students by hardik nathani
System programs in o.s. for bca and bscit students by hardik nathaniSystem programs in o.s. for bca and bscit students by hardik nathani
System programs in o.s. for bca and bscit students by hardik nathani
 
OSCh21
OSCh21OSCh21
OSCh21
 
Different types of kernels
Different types of kernelsDifferent types of kernels
Different types of kernels
 
Operating Systems A-Z
Operating Systems A-ZOperating Systems A-Z
Operating Systems A-Z
 
Distributed os
Distributed osDistributed os
Distributed os
 
Ch3
Ch3Ch3
Ch3
 
Ch2
Ch2Ch2
Ch2
 
Windows 7 Architecture
Windows 7 ArchitectureWindows 7 Architecture
Windows 7 Architecture
 
Distributed operating system
Distributed operating systemDistributed operating system
Distributed operating system
 
Distributed Operating System_4
Distributed Operating System_4Distributed Operating System_4
Distributed Operating System_4
 

Semelhante a Unit 2 nms

2600 v03 n02 (february 1986)
2600 v03 n02 (february 1986)2600 v03 n02 (february 1986)
2600 v03 n02 (february 1986)Felipe Prado
 
Kernel security of Systems
Kernel security of SystemsKernel security of Systems
Kernel security of SystemsJamal Jamali
 
ITT Project Information Technology Basic
ITT Project Information Technology BasicITT Project Information Technology Basic
ITT Project Information Technology BasicMayank Garg
 
Operating System Introduction
Operating System IntroductionOperating System Introduction
Operating System Introductiondipaknandankar
 
Factors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxFactors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxZain Abid
 
Driver Programming Report
Driver Programming ReportDriver Programming Report
Driver Programming ReportShivek Khurana
 
Inter-Process-Communication (or IPC for short) are mechanisms provid.pdf
Inter-Process-Communication (or IPC for short) are mechanisms provid.pdfInter-Process-Communication (or IPC for short) are mechanisms provid.pdf
Inter-Process-Communication (or IPC for short) are mechanisms provid.pdfaesalem06
 
Linux Device Driver,LDD,
Linux Device Driver,LDD,Linux Device Driver,LDD,
Linux Device Driver,LDD,Rahul Batra
 
linux device driver
linux device driverlinux device driver
linux device driverRahul Batra
 
Linux Operating System
Linux Operating SystemLinux Operating System
Linux Operating SystemKunalKewat1
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
 
Data Sharing: Ensure Accountability Distribution in the Cloud
Data Sharing: Ensure Accountability Distribution in the CloudData Sharing: Ensure Accountability Distribution in the Cloud
Data Sharing: Ensure Accountability Distribution in the CloudSuraj Mehta
 
CN. Presentation for submitting project term pptx
CN. Presentation for submitting project term pptxCN. Presentation for submitting project term pptx
CN. Presentation for submitting project term pptxsaad504633
 
chapter 1 introduction to operating system
chapter 1 introduction to operating systemchapter 1 introduction to operating system
chapter 1 introduction to operating systemAisyah Rafiuddin
 

Semelhante a Unit 2 nms (20)

Operating system
Operating systemOperating system
Operating system
 
OSCh3
OSCh3OSCh3
OSCh3
 
2600 v03 n02 (february 1986)
2600 v03 n02 (february 1986)2600 v03 n02 (february 1986)
2600 v03 n02 (february 1986)
 
Kernel security of Systems
Kernel security of SystemsKernel security of Systems
Kernel security of Systems
 
Window architecture
Window architecture Window architecture
Window architecture
 
ITT Project Information Technology Basic
ITT Project Information Technology BasicITT Project Information Technology Basic
ITT Project Information Technology Basic
 
Microkernel
MicrokernelMicrokernel
Microkernel
 
Operating System Introduction
Operating System IntroductionOperating System Introduction
Operating System Introduction
 
Factors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxFactors Affecting the System Safety || Linux
Factors Affecting the System Safety || Linux
 
Driver Programming Report
Driver Programming ReportDriver Programming Report
Driver Programming Report
 
Inter-Process-Communication (or IPC for short) are mechanisms provid.pdf
Inter-Process-Communication (or IPC for short) are mechanisms provid.pdfInter-Process-Communication (or IPC for short) are mechanisms provid.pdf
Inter-Process-Communication (or IPC for short) are mechanisms provid.pdf
 
Ppt linux
Ppt linuxPpt linux
Ppt linux
 
Linux Device Driver,LDD,
Linux Device Driver,LDD,Linux Device Driver,LDD,
Linux Device Driver,LDD,
 
linux device driver
linux device driverlinux device driver
linux device driver
 
Linux Operating System
Linux Operating SystemLinux Operating System
Linux Operating System
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
 
System structure
System structureSystem structure
System structure
 
Data Sharing: Ensure Accountability Distribution in the Cloud
Data Sharing: Ensure Accountability Distribution in the CloudData Sharing: Ensure Accountability Distribution in the Cloud
Data Sharing: Ensure Accountability Distribution in the Cloud
 
CN. Presentation for submitting project term pptx
CN. Presentation for submitting project term pptxCN. Presentation for submitting project term pptx
CN. Presentation for submitting project term pptx
 
chapter 1 introduction to operating system
chapter 1 introduction to operating systemchapter 1 introduction to operating system
chapter 1 introduction to operating system
 

Unit 2 nms

  • 1. UNIT-2 PART-1:- OPERATING SYSTEM SECURITY Introduction to OS SECURITY An operating system is a fundamental component of most modern computer systems, operating system are close to the hardware; it masks the details of the underlying hardware from the programmer and provides lower layer of software visible to users. It can be viewed as a Resource Manager, responsible for fair Resource Sharing between different processes in the system. On the other hand, operating system control access to application memory and scheduling of the processors. Application must be run like OS- level services and the developer of these applications does not know the level of details needed to develop secure applications on their win, if OS is not doing these things securely, it generally comprise all security at higher levels ,so the OS is a very logical place to enforce and support security. OS resolves around the application protection of four elements:- 1. Confidentiality- is the protection of transmitted data from passive attacks i.e. protection of data from unauthorized disclosure. 2. Authentication- This mechanism help establish proof of identities. The authentication process ensures that the origin of an electronic message or document is correctly identified. 3. Integrity: when the contents of message are changed after the sender sends it, but before it reaches the intended recipients, we say that integrity of the message is lost. 4. Availability: It states that resources should be available to authorized parties at all times. Protection Mechanisms:- The concept of multiprogramming introduces the sharing resources among users. This sharing involves memory, I/O devices programs and data. The ability to share their resources introduces the need for protection .An OS may affect protection along the following spectrum:-  No Protection:- This is appropriate when sensitive procedures are being run at separate times. 
 Isolation: -This approach implies that each process operates separately from other processes, with no sharing. Each process has its awn address space, files and other objects.  Share ALL or share NOTHING:- In this method, the owner of an object declares it to be public or private , in other hand, only the owner’s process may access the object.  Share via access limitation:- The OS checks the permissibility of each access by a specific user to specific object, the OS therefore act as a guard between users and objects, ensuring that only authorized accesses occur.  Share via dynamic capabilities:- This extends the concept of access control to allow dynamic creation of sharing rights of objects.  Limit use of an object:- This form of protection limits not just access to an object but use to which that object may be put.
  • 2. A given OS may provide different degree of protection for different objects, users and applications. The OS needs to balance the need to allow sharing, with the need to protect the resources of individual users. PROTECTION OF MEMORY:- In a multiprogramming environment, protection of main memory is essential. The concern here is not just security but the correct functioning of the various processes that are active. The separation of the memory space of various processes is easily accomplished with a virtual memory scheme. Segmentation or paging or two in combination, provides an effective tools of managing main memory. The measures taken to control access in data processing systems fall into two categories:- Access control User oriented Data oriented MAC-Mandatory access control DAC-Discretionary Access control TOPIC -1:- LOW LEVEL PROTECTION MECHANISM  LOMAC:- LOMAC is dynamically loadable security module for free UNIX kernels that use low watermark mandatory access control to protect the integrity of processes and data from viruses, Trojan hoarse, malicious remote virus and compromised network server daemons. LOMAC is designed for compatibility and ease of use to be a form of Mac typically users can live with. LOMAC implements a simple form of integrity protection based on Biba’s low water mark model in Loadable kernel Module (LKM). LOMAC provides useful integrity protection against viruses, Trojan hoarse, malicious remote virus and compromised network servers without modifications to the kernel, applications or their existing configuration. LOMAC is designed to be easy to use. Its default configuration is intended to provide useful protection without being adjusted for the specific users, servers or other software present on the system. LOMAC may be used to harden currently deployed systems simply by loading the LKM into the kernel shortly after boot time. 
Protection:- LOMAC provides the protection by dividing a system into two integrity levels:-  High level  Low level
  • 3. High Init, kernel daemons etc. Network servers, clie downloads Low l LOMAC 2-level partitioning of a system.  High levels:-Contains critical system components that must be protected such as the init process, kernel daemons, system binaries, libraries and configuration files.
  • 4.  Low levels:- Contains the remaining components such as client and server processes that read from the network, local user processes and their files. One LOMAC assigns a file to one level or the other, its level never changes. This is not so for processes LOMAC can “Demote” high level processing by reducing their levels to low during runtime. LOMAC never increases the level of a process. 1. When LOMAC is running a process’s level determines how much power has to modify other parts o the system. Given the above division of the system into the levels, LOMAC provides integrity protection with two main mechanisms:- A. First LOMAC prevents low level processes from modifying high level files or signaling high level processes. Since no administrative users, their n/w clients and all n/w servers run at the low level, these restrictions protect the high level part of the system from direct attacks by malicious remote users and compromised servers. B. Second LOMAC ensures that data does not flow from low level files to high level files. 2. A process attempt to cause suite a flow by reading from a low level file and subsequently writing to a high level file. LOMAC prevents such flows through demotion: whenever a high process reads from a low level file, LOMAC reduces the processes level to low. ONE at the low in integrity level, LOMAC’s first mechanism prevents the process from modifying high level as described above. This combination of mechanisms prevents indirect attacks by viruses, worms and Trojan hoarses. LOMAC cannot distinguish when a program that has read low integrity data but is still sunning properly and one that has read-low integrity data and has been compromised. LOMAC can ensure that processes which read potentially. Dangerous low-level data during run time are demoted to the low integrity level. Once at that low level, LOMAC’s other mechanism prevent there from Harming high integrity processes or files. 
 IMPLEMENTATION:- There are two main problems in implementing kernel resident MAC:- Gaining supervisory control over kernel operations  Mapping security attributes to files For these problems LOMAC provides low cost capabilities. Fig. shows the architecture of the LOMC LKM. The diagram shows horizontal split b/w upper and lower halves. The upper half implements high level LOMAC functionality in kernel independent manner and consist of approximately 1000 times of C code. The lower half implements a kernel specific interface to the Linux 2.2 series of kernels and consists of approximately 1500 lines of C code.
  • 5. Monitor PLM(path level map) Mediate Wrappers and utility functions (LOMAC loadable kernel module architecture) More on gaining control:- At initialization time, LOMAC traverses an array of function pointers through which the kernel provides services to user process. LOMAC with the address of security relevant system calls with the addresses of the corresponding wrappers. Once done, calls made through the system call vector will call the wrappers, rather than the kernel’s corresponding call functions. More on attribute mapping:- The basic algorithm is given a target path. Its level can be found by searching linearly through the list of records until a record is found whose path is a prefix of the target path. For example, the level of “/home/httpd/html” is high, because it maps the record for prefix “/home/httpd”. If during a search through the record list, the target path matches a record’s path exactly; the flag field is checked. If the child of flag is set, the match ignored and search continues. Consequents the level “/home/httpd” is high because it exactly matches the record for prefix “/home/httpd” which has no child of flag. The level of “/home/tfraser” is low because it matches record for prefix”/home” with the child of flag and the level of “/home” is high because of skips the child of “/home” records and matches the record for prefix. Gaining Control:- LOMAC achieve the control by interposing itself b/w processes and the kernel system call interface. LOMAC’s kernel interface contains a series of functions called “wrappers”. Each wrapper takes the same parameter as its corresponding system cart. Wrapper algo:- Wrapper (arguments) { Mediate: decide to allow or deny the operation; Call kernel’s original system all function; Monitor: update LOMAC’s shape on successful completion; } Attribute Mapping:- In addition to gaining supervisory control, LOMAC must also assign integrity levels to files in a manner that is persistent access reboots. 
LOMAC maintains a persistent
  • 6. mapping b/w levels and absolute canonical path names in its path level map (PLM) module. Level Flags PATH High “/home/httpd” Low CHILD-OF “home” High “/” Whenever the kernel opens a file, LOMAC labels it’s in memory Data structure with the integrity level indicated by PLM. These are based on the longest path first .Child-of is a extra flag indicating low positioning of “/home”. Application of LOMAC:- In order to apply this protection scheme, it must be able to determine the appropriate level for every process file in the system. 1) Dividing the file system: - Rules are explained in attribute mapping to determine which parts of the file system are at the higher integrity level and which are at low level. These rules are presently set at compile time. Although future versions of LOMAC may provide a more configurable rule set, the goal of the present implementation is to deliver a single generic configuration that provides at least some protection on a wide variety of system. The division described by the current rule set reflects the tension b/w two compensating goals:-the maximum amount of protection and maintaining the max. Amount of app. Compatibility. 2) Monitoring process: - While file levels are static, process level can decrease during run time. In general, LOMAC assigns a new process the same level as the process that created it. At initialization time, LOMAC assigns the high integrity level to the fir t process, which initializes the system by creating a new high level process to handle various system tasks. These processes continue by creating ore high level children. As individual process read from low level files, LOMAC demotes then to the low integrity level. From that point, all their children begin life at low level. 3) Exceptions for compatibility:- LOMAC must make an exception to allow some critical program such as client side DHCP agent pump and system log daemon for transfer data from low level to high level. 
For this it maintains a list of trusted program. But if a high level process running a trusted program were compromised LOMAC would not prevent it from harming the high integrity levels or part of the system. Hence presence of trusted programs represents some risk so it should operate properly. TOPIC-2 ACCESS CONTROL MODELS Introduction to access control: - Foundation of information and security can be done n three ways:-  Authentication  Access control  Audit
  • 7. Authentication:-Establishes the identity of one party to another. Most commonly authentication establishes the identity of a user to some part of the system, typically by mean of a password. More generally authentication establishes can be computer-to- computer or process-to-process and mutual in both directions. Access Control:- Determine what one party will allow another to do with respect to resources and objects mediated by the former. Access Control usually requires authentication as a prerequisite. Audit:- The audit process gathers data about activity in the system and analyzes it to discover security violations or diagnose their cause. Analysts can occur offline after the fact or online in real time. In the latter case, the process is usually called Intrusion Detection. Access control usually apply authentication has been established. Access control can take several forms:- Discretionary Access Control (DAC) is based on the idea that the owner of data should determine who has access it. DAC allows data to be freely copied from object to object, so even if access to original data is denied, access to a copy can be obtained. Lattice based access control also known as mandatory access control (MAC), confine the transfer of information to one direction in a lattice of security labels. MAC emerged from confidentiality requirements of the military but has broad applications for integrity and separation objects. Role based access control (RBAC) requires that access rights be assigned to roles rather than to individual users. Users obtain these rights by virtue of being assigned membership in appropriate roles. This simple idea greatly eases the administration of authorization. Access control:- Access control refers to controlling access to resources on a computer or network system. Without it, everyone would be able to access everything. 
Employees would be able to view their manager’s salary information, read each other’s email and malicious individual such as competitors would be able to dial into your remote access server and read your company’s strategy plans for the next five years. With access controlling place, users are identified, authenticated and authorized before they can actually access. Access controls control which objects a subject can access. These are the two key terms used in access control models. A subject someone or something for eg,users applications or system program to which access to an object is granted or denied eg of objects are files,printers,application and system process. Access control model provide a model for developers who need to implement access control functionality in these software and devices. An access control model defines a computer and for network system’s role for user access to information resources. Access control models provide confidentially, integrity and also provide accountability through audit trails.
  • 8. Access Control Models User Oriented Data Oriented Hybrid Models Access control Access control Bell La Padula BIBA Authentication DAC CHINESE WALL HAC ORIGINATED CONTROLLED ACCESS CONTROL MODEL ROLE BASED ACCESS CONTROL CLARK WILSON MODEL Data Oriented Access Control:- Following successful log on, the user has been granted access to one or set of hosts and applications. At this time we need data access control. In this legand real world OS protection models fall basically into one of the two types:-  MAC  DAC In computer security passive resources are called objects and active entities that utilize the resources are called subjects. Typical objects include:-files, directories, memory, printers and typical subjects includes:- user, processes. The roles depend upon situation: for ex, a process can request access to some resource (act as subject) and later be a target if request (act as an abject). MAC:- In mandatory access controls, also called multilevel access control, objects(information) are classified on hierarchical levels of security sensitivity(typically top secret, confidential). Subjects (users) are assigned their security cleanence. Access of a subject to an object is granted or denied
  • 9. depending on the relation between the cleanance on the subject and the security classification of the object. Lattice model and Bell-La Padula model are based on MAC. DAC:- In Discretionary Access model each object has its unique owner. The owner exercises it Discretion even the assignment of access permissions. Lampeon introduces the access matrix model for DAC. The core of this model is a matrix whose rows are indexed by subjects and columns by objects. Doc-1 passwd Progr_1 Alice Rw R X Bob R R _ Ronald Rw Rw rwx Fig1: Access Matrix In Real systems, however access control matrices are not very practical, because the matrix usually sparse and there is a lot of redundancy and subjects and objects can be added or removed easily but the centralized matrix could become a bottleneck. The matrix may be decomposed by columns, yielding access control list in fig (2). Thus for each object, an ACL details users and their permitted access rights. ACL may contain a default or public entry. Decomposition by row yield capability tickets fig(3). A capability ticket specifies authorized objects and operations for a user. Each user has a no of tickets and may be authorized to lend or give them to others. Because tickets may be dispensed accessed the system, they present a greater security problem than act. To accomplish such problems or hold all. Ticket on behalf of the users. These tickets would have to be held in a region of memory inaccessible to users. File 1 A B C OWN R R R W W BA B C OWN FILE 2 R W R W
  • 10. FILE 3 B C FILE 4 OWN R R W Fig (2): ACL User ‘A’ File 1 File3 OWN OWN R R W User ‘B’ File 1 File2 File 3 File4 OWN R R W R W
  • 11. User ‘C’ File 1 File2 File 4 OWN R R R W W Fig (3):- Capability Lists So in DAC model we have:-  Individual user may determine the access controls  Eg Unix file system implement DAC  This model works well in commercial and academic environments not so well in the military, hospitals, private web sites etc. In MAC model we have:-  Site wide security policy is enforced by the system in addition to the DAC  Better suited to environment with rigid information access restrictions Example of DAC:- USER A Accessing A’s file B My doc.doc A decided to which control is given. It is based on “need to know” basis.
  • 12. Example of MAC:- Administrator  Level 65360 A Level  100 B  1 Two files  file1.doc2 File2.doc200 Access rights are granted access to numeric access level. Access level of user has to be equal or higher then object which they want to access. A can access file 1 B cant access both files. Administrator can access both MAC v/s DAC:- 1) MAC is best for military and highly sensitive information systems. 2) All models such as Bell La Padula, chines wall, And LOMAC are based on MAC rather than DAC. 3) Provide multi targeting capability BELL-LA-PADULA MODEL(BLP):- BLP is formal(mathematical)description of MAC.These are three properties:- 1) DS property(Discretionary Security) 2) SS property(Simple security- no “Read Up”) 3) * property(Stac property-no”write down”) A secure system satisfies all of thse properties. BLP includes mathematical proof that if a system is secure and a transaction satisfies all of the properties,then the system will remain secure. Now I give some description about BLP:-  BLP is a state machine model capturing confidientiality aspects of acces control.  Access permissions are defined through an “Access control Matrix” and through a partial ordering of “security levels”.
  • 13.  Security policy prevent information flowing downwards from a high security level to a low security level.  BLP only considers the information flow that occurs when a subject observes or attends an object. What is in the model or What we have to model:- 1) All “current access operations”:-  An access operation is described by a tuple(s,o,a), S belongs to S(ubjects),o belongs to O(bjects), a belongs to A(ccess_operations)  The set of all current access operation is an element of p(SXOXA)  We use B has shorthand for P(SXOXA)  We use b to denote a particular set of access 2) The current permissions as defined by the Access control Matrices M:- • ‘M’ is the set of access control metrices. 3) The “current Assignment of security levels” :- 1. • Maximal security level :- fs SL(L..Labels) • Current security level :- fc SL • Classification : fo OL 2. The security level of a user is the user’s “clearance”. 3. The current security level allow subjects to be downgraded temporairily. 4. F is a subset of Ls  Ls L o is the set of security level assignments 5. f = (fs,fc,fo) denotes an element of F. 6. The ‘state set’ of BLP :- V = BMF 7. A “state” is denoted by (b,M,f) POLICIES OF BLP :- 1. Prevent information flow from high security levels to low security levels. 2. In BLP, information flow can only occur directly through access operations.
  • 14. 3. Simple Security Property(SS):- No Red-up : fs(s) ≥ fo(o) if access is in observe mode 4. Information flow is still possible • A Low subject could create a high level “ Trojan Horse program” that reads a high level document and copies its contents to its low level file. • This would constitute an improper declassification of the Trojan horse Copy Create Read 5. * property (Stac property) :- No write down:- fc(s) ≤ fo(o) if access is in alter mode, also, if subject s has access to an object o in alter mode, then fo(o’) ≤ fo(o) for all objects o’ accessed by s in observe mode. 6. The very first version of BLP did not consider the * property 7. The ss and * are the Mandatory BLP policies. 8. Discretionary Security property(DS property):- Access must be permitted by the access control matrix:-
  • 15. WO – WRITE DOWN :- 1) The * property implies that a high level subject is not able to sent messages to a low level subject 2) There are two ways to escape from this restriction:- a) Temporary Downgrade a High level subject. This is the reason for the current security level fc. BLP assures that subjects have no memory of their own. b) Identify a set of trusted subjects which are permitted to violate the * property. 3) We redefine the * property and demand it only for subjects, which are not trusted. Trusted subjects may violate security policies. BASIC SECURITY THEOREM OF BLP :- 1. A “state is secure “if all current access tuples (s,o,a) are permitted by the ss,*, Ds property. 2. A “State transition is secure” if it goes from a secure state to a secure state. Theorem:- “if the initial state of the system is secure and if all state transitions are secure then the system will always be secure.” LIMITATIONS OF BLP:- 1) Restricted to confidentiality. 2) No policies for changing access rights; a general and complete downgrade is secure, BLP is intended for systems with static security levels. 3) BLP contains convert channel (communication channel that allow transfer of information in a manner that violates the system security policy):- A low subject can detect the existence of high objects when it is denied access.
Topic 4: BIBA MODEL
Introduction: The Biba model is similar to BLP, but its focus is on integrity, not on confidentiality. The main aim was to turn the BLP model upside down. It follows this model:
   • A high-integrity subject can't read lower-integrity objects (no "read down").
   • A subject can't move low-integrity data into a high-integrity environment (no "write up").
The Biba model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure that data are not contaminated. The following points should be noted carefully:
   • Biba is a state machine model similar to BLP, capturing integrity aspects of access control.
   • Integrity here means "prevention of unauthorized modification of information".
   • Integrity levels are assigned to subjects and objects.

Properties of the Biba model:
1) Simple Integrity property (no write up): if subject s can modify (alter) object o, then fs(s) ≥ fo(o).
2) Integrity *-property: if subject s can read (observe) object o, then s can have write access to some other object o' only if fo(o) ≥ fo(o').

Some other policies of Biba:
1) Low water mark policy (LOMAC): automatically adjusts integrity levels. It is of two types:
   A) Subject low water mark policy: subject s can read an object at any integrity level. The new integrity level of s is g.l.b.(fs(s), fo(o)) (the greatest lower bound).
   B) Object low water mark policy: subject s can modify an object o at any integrity level. The new integrity level of o is g.l.b.(fs(s), fo(o)).
2) Policies for invoke: invoke is an access operation between subjects.
   • Invoke property: subject s1 can invoke s2 only if fs(s1) ≥ fs(s2). According to the MAC policy of integrity, a "dirty" subject s1 cannot touch a "clean" object indirectly by invoking s2.
   • Ring property: subject s1 can read objects at all integrity levels, modify object o with fs(s1) ≥ fo(o), and invoke a subject s2 only if fs(s1) ≤ fs(s2). A "dirty" subject s1 can invoke a "clean" tool s2 to touch a "clean" object.
The ring property is the opposite of the invoke property.

Features of BIBA:
1) This security model is directed toward data integrity (rather than confidentiality) and is characterized by the phrase "no write up, no read down".
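The difference between the static Biba properties, the subject low water mark variant, and the two invoke policies is easiest to see side by side. Below is an added example written for these notes (not code from the original slides); the three integrity levels, the service svc, the objects config and download, and the subjects installer and browser are constructed for illustration. Strict Biba records what a subject has read so the integrity *-property can refuse a later write into a higher-integrity object; the LOMAC variant instead sinks fs(s) to g.l.b.(fs(s), fo(o)) on every read, so the same refusal comes out of the simple integrity property at the new level.

```python
# Added example (not from the original notes): the Biba policies as checks over
# constructed integrity levels, subjects and objects.

INTEGRITY = {"low": 0, "medium": 1, "high": 2}


def at_least(a, b):
    """True if integrity level a >= integrity level b."""
    return INTEGRITY[a] >= INTEGRITY[b]


def glb(a, b):
    """Greatest lower bound of two levels; in a total order that is the minimum."""
    return a if INTEGRITY[a] <= INTEGRITY[b] else b


class StrictBiba:
    """Static levels: simple integrity property plus the integrity *-property."""

    def __init__(self, fs, fo):
        self.fs, self.fo = dict(fs), dict(fo)
        self.read_by = {}  # subject -> objects it has observed

    def observe(self, s, o):
        # Reads are recorded because the integrity *-property constrains later writes.
        self.read_by.setdefault(s, set()).add(o)
        return True

    def modify(self, s, o):
        # Simple integrity (no write-up): fs(s) >= fo(o).
        if not at_least(self.fs[s], self.fo[o]):
            return False
        # Integrity *: for every o' read by s, fo(o') >= fo(o), so low-integrity
        # input can never be written into a higher-integrity object.
        return all(at_least(self.fo[r], self.fo[o]) for r in self.read_by.get(s, ()))


class SubjectLowWaterMark:
    """LOMAC variant: reads are always allowed but drag fs(s) down to glb(fs(s), fo(o))."""

    def __init__(self, fs, fo):
        self.fs, self.fo = dict(fs), dict(fo)

    def observe(self, s, o):
        self.fs[s] = glb(self.fs[s], self.fo[o])
        return True

    def modify(self, s, o):
        return at_least(self.fs[s], self.fo[o])   # simple integrity at the new level


def invoke_property(fs, s1, s2):
    """s1 may invoke s2 only if fs(s1) >= fs(s2): a dirty subject cannot reach a
    clean object through a cleaner helper."""
    return at_least(fs[s1], fs[s2])


def ring_property(fs, s1, s2):
    """Ring property is the reverse: s1 may invoke s2 only if fs(s1) <= fs(s2),
    so a dirty subject may call a clean tool that does the touching."""
    return at_least(fs[s2], fs[s1])


def demo():
    """Exercise each policy on constructed data and return the decisions."""
    fo = {"config": "high", "download": "low"}   # constructed objects
    r = {}
    strict = StrictBiba(fs={"svc": "high"}, fo=fo)
    r["strict_write_high_clean"] = strict.modify("svc", "config")
    strict.observe("svc", "download")             # read of low-integrity input
    r["strict_write_high_after_read_low"] = strict.modify("svc", "config")
    r["strict_write_low_after_read_low"] = strict.modify("svc", "download")
    lomac = SubjectLowWaterMark(fs={"svc": "high"}, fo=fo)
    lomac.observe("svc", "download")              # fs(svc) sinks to "low"
    r["lomac_level_after_read"] = lomac.fs["svc"]
    r["lomac_write_high_after_read"] = lomac.modify("svc", "config")
    fs = {"installer": "high", "browser": "low"}  # constructed subjects
    r["invoke_high_calls_low"] = invoke_property(fs, "installer", "browser")
    r["invoke_low_calls_high"] = invoke_property(fs, "browser", "installer")
    r["ring_low_calls_high"] = ring_property(fs, "browser", "installer")
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:35s} {value}")
```

Both variants stop the service from writing the high-integrity config once it has consumed the low-integrity download; they differ in whether the service keeps its level (strict Biba, the write is refused by the *-property) or is itself marked down (LOMAC).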
2) With Biba, users can only create content at or below their own security level (a monk may write a prayer book that can be read by commoners, but a high priest would not be allowed to view the work of the less pious monk). Conversely, users can only view content at or above their own security level (a monk may read a book written by the high priest but may not read a pamphlet written by a lowly commoner).

Comparison of Biba with BLP: As with BLP, the Biba model defines a simple security (ss) property and a *-property. In this case they are reversed with respect to BLP:
1) The ss-property states that a subject at a given level of integrity may not read an object at a lower integrity level (no read down).
2) The *-property states that a subject at a given level of integrity must not write to any object at a higher level of integrity (no write up).

Topic 5: CHINESE WALL MODEL
Introduction: The Chinese Wall policy combines commercial discretion with legally enforceable mandatory controls. It is required in the operation of many financial services organizations and is therefore perhaps as significant to the financial world as the Bell-LaPadula policy is to the military.
What is in this model? The focus is on the conflict of interest principle: a user should not access the confidential information of both a client organization and one or more of its competitors.
How it works:
   • Users have no "wall" initially.
   • Once any given file is accessed, files with competitor information become inaccessible.
The following points should be noted carefully:
1) In a financial institution an analyst deals with a number of clients and has to avoid conflicts of interest.
2) The model has the following components:
   • Subjects: analysts.
   • Objects: data items for a single client.
   • Company data sets: y: O → C gives for each object its company data set.
   • Conflict of interest classes (companies that are competitors): x(o) gives for each object o the set of companies with a conflict of interest on o.
   • Labels: (company data set, conflict of interest class).
   • Sanitized information: no access restrictions.

Policies of the CHINESE WALL model:
1) Simple security property (ss): access is only granted if the requested object
   • is in the same company data set as an object already accessed by that subject, or
   • does not belong to any of the conflict of interest classes of objects already accessed by that subject.
   Formally:
   • N = (N_so), s ∈ S, o ∈ O, is a Boolean matrix with N_so = true if s has accessed o.
   • ss-property: subject s gets access to object o only if, for all objects o' with N_so' = true, y(o) ∉ x(o') or y(o) = y(o').
   Indirect information flow: two competitors A and B have their accounts with the same bank. Analyst-A, dealing with A and the bank, updates the bank portfolio with sensitive information about A. Analyst-B, dealing with B and the bank, now has access to information about the competitor.
2) *-property: a subject s will be permitted write access to an object only if s has no read access to any object o' which is in a different company data set and is unsanitized.
   • Formally: subject s gets write access to object o only if s has no read access to an object o' with y(o) ≠ y(o') or x(o') ≠ {}.
   • Access rights of subjects change dynamically with every

An implementation of the CHINESE WALL security model using ConSA: ConSA is a new architecture that allows security models to be developed separately from the system they will protect and still be integrated seamlessly into the system. Any system using ConSA could then also replace the security model at any time, while retaining the same operating system and applications.
Advantages of ConSA:
1) It is flexible enough that even a non-conventional security model, such as the Chinese Wall security model where access control is based on previously accessed entities, can be implemented using ConSA with ease.
2) In order to present a new security model without needless clutter, the final details of implementation on a system can be replaced by simply implementing it using ConSA.
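The two Chinese Wall policies and the indirect information flow between Analyst-A and Analyst-B through the shared bank portfolio can be replayed with the matrix N, the map y and the map x described above. This is an added example written for these notes, not code from the original slides or from ConSA; the companies OilA, OilB and Bank, the analysts, and the object names are constructed. The *-property is implemented in its prose form (no read access to an object in a different company data set that is unsanitized, i.e. x(o') non-empty), and the write check takes a flag so the flow can be shown both with the ss-property alone and with the *-property enforced.

```python
# Added example (not from the original notes): a Chinese Wall reference monitor
# built on the Boolean access matrix N, the company data set map y and the
# conflict of interest map x. Companies, analysts and objects are constructed.


class ChineseWall:
    def __init__(self, company_of, conflicts):
        self.y = dict(company_of)      # y: O -> company data set of the object
        self.conflicts = conflicts     # company -> set of competitor companies
        self.N = set()                 # (s, o) with N_so = true: s has accessed o

    def x(self, o):
        """x(o): companies with a conflict of interest on o; {} means sanitized."""
        return self.conflicts.get(self.y[o], set())

    def accessed(self, s):
        return [o for (s2, o) in self.N if s2 == s]

    def ss_allows(self, s, o):
        # ss-property: for every o' already accessed, y(o) not in x(o') or y(o) == y(o').
        return all(self.y[o] not in self.x(o2) or self.y[o] == self.y[o2]
                   for o2 in self.accessed(s))

    def star_allows(self, s, o):
        # *-property (prose form): s has read no o' in a different company data set
        # that is unsanitized, i.e. no o' with y(o') != y(o) and x(o') != {}.
        return not any(self.y[o2] != self.y[o] and self.x(o2)
                       for o2 in self.accessed(s))

    def read(self, s, o):
        ok = self.ss_allows(s, o)
        if ok:
            self.N.add((s, o))         # the wall around s grows with every access
        return ok

    def write(self, s, o, enforce_star=True):
        ok = self.ss_allows(s, o) and (not enforce_star or self.star_allows(s, o))
        if ok:
            self.N.add((s, o))
        return ok


# Constructed data: two competing oil companies and a bank that competes with nobody.
COMPANY_OF = {"a_report": "OilA", "b_report": "OilB", "bank_portfolio": "Bank"}
CONFLICTS = {"OilA": {"OilB"}, "OilB": {"OilA"}}


def indirect_flow(enforce_star):
    """Replay the Analyst-A / Analyst-B scenario; returns whether A may write the
    shared bank portfolio after having read A's unsanitized report."""
    cw = ChineseWall(COMPANY_OF, CONFLICTS)
    cw.read("analyst_a", "a_report")
    cw.read("analyst_a", "bank_portfolio")
    cw.read("analyst_b", "b_report")
    cw.read("analyst_b", "bank_portfolio")
    # Analyst-B can read the portfolio, so this write is the indirect channel.
    return cw.write("analyst_a", "bank_portfolio", enforce_star)


def demo():
    """Return the ss decisions for one analyst and the flow with and without *."""
    cw = ChineseWall(COMPANY_OF, CONFLICTS)
    r = {}
    r["a_reads_a"] = cw.read("analyst_a", "a_report")           # no wall yet
    r["a_reads_b"] = cw.read("analyst_a", "b_report")           # ss: OilB is in x(a_report)
    r["a_reads_bank"] = cw.read("analyst_a", "bank_portfolio")  # Bank conflicts with nobody
    r["a_writes_own_report"] = cw.write("analyst_a", "a_report")  # bank read is sanitized
    r["flow_with_ss_only"] = indirect_flow(enforce_star=False)  # leak is possible
    r["flow_with_star"] = indirect_flow(enforce_star=True)      # leak is blocked
    return r


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} {'granted' if decision else 'denied'}")
```

With the ss-property alone the write into the bank portfolio is granted and Analyst-B can read the competitor's data through it; enforcing the *-property denies the write because Analyst-A holds read access to an unsanitized object in another company data set, while writes back into A's own data set remain allowed.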
The figure below shows the outline of ConSA as it will typically be used in an object-oriented OS. The label modules define the label classes. The information flow module handles flow control, and the authorization control module (ACM) controls subject access to entities. The subject management module, used by the security manager, is not really required for the Chinese Wall model used here, since the primary subject access restrictions and modifications are automatically handled by the ACM module.
ConSA consists of a number of methods which have to be defined for a particular security model, with certain conditions which must hold after their execution to preserve a consistent security state.