CSE 543 - Computer Security, Lecture 12 - MAC Security (October 4, 2007) - PowerPoint PPT Presentation



SLIDE 1

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger

CSE 543 - Computer Security

Lecture 12 - MAC Security, October 4, 2007

URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/

SLIDE 2

Mandatory Access Control

  • Is about administration
    – Policy is defined and fixed for the system
    – Users cannot modify policy
    – More importantly, users’ processes cannot modify policy
  • So, what should the policy be?

SLIDE 3

Security Goals

  • Secrecy
    – Do not leak data to unauthorized subjects
  • Integrity
    – Do not depend on input from lower integrity subjects
    – Invocation, inputs, files, etc.

SLIDE 4

MAC Systems

  • Major Effort: Multics
    – Multiprocessing system -- developed many OS concepts, including security
    – Begun in 1965
    – Development continued into the mid-70s
    – Used until 2000
    – Initial partners: MIT, Bell Labs, GE/Honeywell
    – Subsequent proprietary system, SCOMP, became the basis for secure operating systems design

SLIDE 5

Multics Goals

  • Secrecy
    – Multilevel security
  • Integrity
    – Rings of protection
  • Reference Monitoring
    – Mediate segment access, ring crossing
  • Resulting system is considered a high point in secure system design

SLIDE 6

Multilevel Security

  • A multi-level security system tags all objects and subjects with security tags classifying them in terms of sensitivity/access level.
    – We formulate an access control policy based on these levels
    – We can also add other dimensions, called categories, which horizontally partition the rights space (in a way similar to what was done by roles)

(Figure: security levels versus categories)

SLIDE 7

Evaluating Policy

  • Access is allowed if
    – subject clearance level >= object sensitivity level, and
    – object categories ⊇ subject categories (read down)
  • Q: What would write-up be?
  • Hence,
    – Bob: (CONF., {INTEL})
    – Charlie: (TS, {CRYPTO, NUC, INTEL})
    – Alice: (SEC., {CRYPTO, NUC})
    – DocA: (CONFIDENTIAL, {INTEL})
    – DocB: (SECRET, {CRYPTO})
    – DocC: (UNCLASSIFIED, {NUC})
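The read-down check above and the write-up rule the slide asks about, worked over the slide's subjects and documents as an added example (not part of the lecture). Levels are ordered UNCLASSIFIED < CONFIDENTIAL < SECRET < TOP SECRET, and the category test is implemented in the Bell-LaPadula direction: for a read, the reader's category set must contain the document's; for a write, the document's must contain the writer's.

```python
# Added example (not from the lecture): Bell-LaPadula label checks over the
# subjects and documents on the slide. Levels are ordered by list index.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]

SUBJECTS = {
    "Bob":     ("CONFIDENTIAL", {"INTEL"}),
    "Charlie": ("TOP SECRET",   {"CRYPTO", "NUC", "INTEL"}),
    "Alice":   ("SECRET",       {"CRYPTO", "NUC"}),
}
OBJECTS = {
    "DocA": ("CONFIDENTIAL", {"INTEL"}),
    "DocB": ("SECRET",       {"CRYPTO"}),
    "DocC": ("UNCLASSIFIED", {"NUC"}),
}

def dominates(label_a, label_b):
    """True if label_a dominates label_b: higher-or-equal level and a
    category set that contains every category of label_b."""
    level_a, cats_a = label_a
    level_b, cats_b = label_b
    return LEVELS.index(level_a) >= LEVELS.index(level_b) and cats_a >= cats_b

def can_read(subject, obj):
    """Simple security property (read down): subject dominates object."""
    return dominates(SUBJECTS[subject], OBJECTS[obj])

def can_write(subject, obj):
    """*-property (write up): object dominates subject, so nothing the
    subject may have read can flow into a less sensitive document."""
    return dominates(OBJECTS[obj], SUBJECTS[subject])

def access_matrix():
    """Map each subject to the documents it may read and may write."""
    return {
        s: {"read":  sorted(o for o in OBJECTS if can_read(s, o)),
            "write": sorted(o for o in OBJECTS if can_write(s, o))}
        for s in SUBJECTS
    }

if __name__ == "__main__":
    for subject, rights in access_matrix().items():
        print(subject, rights)
```

Charlie, cleared for everything, can read all three documents but write none of them: write-up forbids copying Top Secret knowledge into a lower document.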

SLIDE 8

Protection Rings

  • Successively less-privileged “domains”
  • Example: Multics (64 rings in theory, 8 in practice)
  • Modern CPUs support 4 rings
    – Use 2 mainly: Kernel and user
  • Intel x86 rings
    – Ring 0 has kernel
    – Ring 3 has application code

(Figure: concentric rings with the kernel at the center)

SLIDE 9

What Are Protection Rings?

  • Coarse-grained, Hardware Protection Mechanism
    – Boundary between Levels of Authority
    – Most privileged -- ring 0
    – Monotonically less privileged above
  • Fundamental Purpose
    – Protect system integrity
    – Protect kernel from services
    – Protect services from applications
    – So on...

SLIDE 10

Intel Protection Ring Rules

  • Each Memory Segment has a privilege level (ring number)
  • The CPU has a Current Protection Level (CPL)
    – Level of the segment where instructions are being read
  • Program can read/write in segments of lower privilege than the CPL
    – kernel can read/write user space
    – user cannot read/write kernel
      • why not?

SLIDE 11

Protection Ring Rules

  • Program cannot call code of higher privilege directly
    – Gate is a special memory address where lower-privilege code can call higher
  • Enables OS to control where applications call it (system calls)

(Figure: Ring 0 and Ring 3, one transfer through a gate and one with no gate)

SLIDE 12

Multics Interpretation

  • Kernel resides in ring 0
  • Process runs in a ring r
    – Access based on current ring
  • Process accesses data (segment)
    – Each data segment has an access bracket: (a1, a2)
      • a1 <= a2
    – Describes read and write access to segment
      • r is the current ring
      • r <= a1: access permitted
      • a1 < r <= a2: r and x permitted; w denied
      • a2 < r: all access denied

SLIDE 13

Multics Interpretation (con’t)

  • Also different procedure segments
    – with call brackets: (c1, c2)
      • c1 <= c2
    – and access brackets (a1, a2)
    – Rights to execute code in a new procedure segment
      • r < a1: access permitted with ring-crossing fault
      • a1 <= r <= a2 = c1: access permitted and no fault
      • a2 < r <= c2: access permitted through a valid gate
      • c2 < r: access denied
  • What’s it mean?
    – case 1: ring-crossing fault changes procedure’s ring
      • increases from r to a1
    – case 2: keep same ring number
    – case 3: gate checks args, decreases ring number
      • Target code segment defines the new ring

SLIDE 14

Examples

  • Process in ring 3 accesses data segment
    – access bracket: (2, 4)
    – What operations can be performed?
  • Process in ring 5 accesses same data segment
    – What operations can be performed?
  • Process in ring 5 accesses procedure segment
    – access bracket (2, 4)
    – call bracket (4, 6)
    – Can call be made?
    – How do we determine the new ring?
    – Can new procedure segment access the data segment above?
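The bracket rules of slides 12 and 13 as code, applied to the three questions on this slide; this is an added example, not part of the lecture. For a gated call the callee's new ring is taken as a2, the top of the target segment's access bracket, as Multics defines it.

```python
# Added example (not from the lecture): Multics-style ring bracket checks.
# Rings are numbered 0 (most privileged) upward; brackets are (low, high).

def data_access(r, bracket):
    """Rights of a process in ring r on a data segment with access
    bracket (a1, a2): returns the permitted subset of {'r', 'w', 'x'}."""
    a1, a2 = bracket
    if r <= a1:
        return {"r", "w", "x"}   # r <= a1: full access
    if r <= a2:
        return {"r", "x"}        # a1 < r <= a2: read/execute, no write
    return set()                 # a2 < r: all access denied

def procedure_call(r, access_bracket, call_bracket, through_gate=False):
    """Decide whether a process in ring r may transfer to a procedure
    segment and which ring the callee runs in.
    Returns (allowed, new_ring, how)."""
    a1, a2 = access_bracket
    c1, c2 = call_bracket
    assert a1 <= a2 == c1 <= c2, "brackets must nest: a1 <= a2 = c1 <= c2"
    if r < a1:
        # case 1: ring-crossing fault raises the ring number to a1
        return True, a1, "ring-crossing fault"
    if r <= a2:
        # case 2: caller already inside the access bracket; ring unchanged
        return True, r, "no fault"
    if r <= c2:
        # case 3: allowed only through a gate; the callee runs at the top of
        # its access bracket, so the ring number decreases from r to a2
        if through_gate:
            return True, a2, "gate"
        return False, r, "gate required"
    return False, r, "denied"   # c2 < r: access denied

def slide_examples():
    """Walk through the three questions on the Examples slide."""
    data = (2, 4)
    ring3 = data_access(3, data)
    ring5 = data_access(5, data)
    call = procedure_call(5, (2, 4), (4, 6), through_gate=True)
    after_call = data_access(call[1], data)   # callee's ring on the data segment
    return ring3, ring5, call, after_call

if __name__ == "__main__":
    print(slide_examples())
```

Ring 3 gets read and execute on the (2, 4) segment, ring 5 gets nothing, and the gated call from ring 5 lands the callee in ring 4, from which the same data segment is again readable but not writable.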

SLIDE 15

Multics Segments

  • Named segments are protected by access control lists and MLS protections
    – Hierarchically arranged
    – Precursor to hierarchical file systems
  • Memory segment access is controlled by hardware monitor
    – Multics hardware retrieves segment descriptor word
      • Like a file descriptor
    – Based on rights in the SDW, determines whether the process can access the segment
  • Master mode (like root) can override protections
  • Access a directory or SDW on each instruction!

SLIDE 16

Multics Vulnerability Analysis

  • Detailed security analysis covering
    – Hardware
    – Software
    – Procedural features (administration)
  • Good news
    – Design for security
    – System language prevents buffer overflows
      • Defined buffer sizes
    – Hardware features prevent buffer overflows
      • Addressing off segment is an error
      • Stack grows up
    – System is much smaller than current UNIX systems
  • Vulnerability analysis found flaws that were fixed
    – Multics attained a B2 evaluation (MAC system)

SLIDE 17

Vulnerabilities Found

  • Not mentioned in this paper
  • Hardware
    – Indirect addressing -- incomplete mediation
      • Check direct, but not indirect address
    – Mistaken modification introduced the error
  • Software
    – Ring protection (done in software)
      • Argument validation was flawed
      • Certain type of pointer was handled incorrectly
    – Master mode transfer
      • For performance, run master mode program (signaler) in user ring
      • Development assumed trusted input to signaler -- bad combo
  • Procedural
    – Trap door insertion goes undetected

SLIDE 18

Scomp

  • Proprietary product from Honeywell (owners of Multics)
  • Security kernel: minimize TCB
    – Custom Hardware
      • Scomp, 4 rings
      • Complete mediation of memory access by bus mediation
      • Even by devices -- consider DMA
    – Operating System
      • Scomp Trusted Operating Program (STOP)
      • Essential services only: build memory descriptors, schedule, ...
    – Application Programming Interface
      • Scomp Kernel Interface Package (SKIP)
      • Minimal, basic kernel utilities (filesystem, processes, concurrency)
      • Designed to be general purpose
    – But used for very limited operations
    – Guards: Ensure communication contains no secrets

SLIDE 19

Dime-a-Dozen

  • Everyone started building secure operating environments
  • Some from scratch
    – GEMSOS (security kernel)
    – PSOS (design only)
    – Adept-50 (High water mark)
    – KSOS (emulate UNIX interface)
  • Many based on the OS’s of the day
    – KVM/370 (VM/370)
    – UCLA Secure UNIX (UNIX)
    – DEC OS (VAX/VMS)
  • None particularly took hold
    – GEMSOS is still in business (Aesec)