ecs 289m lecture 20
play

ECS 289M Lecture 20 May 17, 2006 Multiple Levels of Privilege - PDF document

Aug 29, 2022 •108 likes •233 views

ECS 289M Lecture 20 May 17, 2006 Multiple Levels of Privilege Hardware supports n levels of privilege So each VM must appear to do this also But only VMM can run at highest level So n 1 levels available to each VM VMs

  1. ECS 289M Lecture 20 May 17, 2006 Multiple Levels of Privilege • Hardware supports n levels of privilege – So each VM must appear to do this also • But only VMM can run at highest level – So n –1 levels available to each VM • VMs must virtualize levels of privilege – Technique called ring compression May 17, 2006 ECS 289M, Foundations of Computer Slide 2 and Information Security

  2. Example: VAX/VMM • VMM must emulate 4 levels of privilege – Cannot allow any VM to enter kernel mode, and thereby bypass VMM – But VAX/VMS requires all four levels! • Virtualize executive, kernel privilege levels – Conceptually, map both to physical executive level – Add VM bit to PSL; if set, current process is on VM – VMPSL register records PSL of running VM – All sensitive instructions obtain info from VMPSL or trap to VMM, which emulates instruction May 17, 2006 ECS 289M, Foundations of Computer Slide 3 and Information Security Another Approach • Divide users into different classes – Control access to system by limiting access of each class • Example: IBM VM/370 associates various commands with users – Each command associated with user privilege classes • Class G (“general user”) can start VM • Class A (“primary system operator”) can control system accounting, availability of VMs, etc. • Class “Any” can access, relinquish access, to VM May 17, 2006 ECS 289M, Foundations of Computer Slide 4 and Information Security

  3. Physical Resources and VMs • VMM distributes these among VMs as appropriate • Example: minidisks – System to run 10 VMs using one disk – Split disk into 10 minidisks – VMM handles mapping from (virtual) minidisk address to physical disk address May 17, 2006 ECS 289M, Foundations of Computer Slide 5 and Information Security Example • VM’s OS tries to write to a disk – Privileged I/O instruction causes trap to VMM – VMM translates address in I/O instruction to address in physical disk – VMM checks that physical address in area of disk allocated to the VM making request • If not, request fails; error returned to VM – VMM services request, returns control to VM May 17, 2006 ECS 289M, Foundations of Computer Slide 6 and Information Security

  4. Paging and VM • Paging on ordinary machines is at highest privilege level • Paging on VM is at highest virtual level – Handled like any other disk I/O • Two problems: – On some machines, some pages available only from highest privilege level, but VM runs at next-to-highest level – Performance May 17, 2006 ECS 289M, Foundations of Computer Slide 7 and Information Security First Problem • VM must change protection level of pages available only from highest privilege level to appropriate level • Example: – On VAX/VMS, kernel mode needed for some pages – But VM runs at executive mode, so must ensure only virtual kernel level processes can read those pages – In practice, VMS system allows executive mode processes to elevate to kernel mode; no security issue – But … executive mode processes on non-VM system cannot read pages, so loss of reliability May 17, 2006 ECS 289M, Foundations of Computer Slide 8 and Information Security

  5. Second Problem • VMM pages: transparent to VMs • VMs page: VMM handles it as above – If lots of VM paging, this may cause significant delay • Example: IBM VM/370 – OS/MFT, OS/MVT access disk storage • If jobs depend on timings, delays caused by VMM may affect results – MVS does that and pages, too • Jobs depending on timings could fail under VM/370 that would succeed if run under MVS directly May 17, 2006 ECS 289M, Foundations of Computer Slide 9 and Information Security VMM as Security Kernel • VMM deals with subjects (the VMs) – Knows nothing about the processes within the VM • VMM applies security checks to subjects – By transitivity, these controls apply to processes on VMs • Thus, satisfies rule of transitive confinement May 17, 2006 ECS 289M, Foundations of Computer Slide 10 and Information Security

  6. Example 1: KVM/370 • KVM/370 is security-enhanced version of VM/370 VMM – Goal: prevent communications between VMs of different security classes – Like VM/370, provides VMs with minidisks, sharing some portions of those disks – Unlike VM/370, mediates access to shared areas to limit communication in accordance with security policy May 17, 2006 ECS 289M, Foundations of Computer Slide 11 and Information Security Example 2: VAX/VMM • Can run either VMS or Ultrix • 4 privilege levels for VM system – VM user, VM supervisor, VM executive, VM kernel (both physical executive) • VMM runs in physical kernel mode – Only it can access certain resources • VMM subjects: users and VMs May 17, 2006 ECS 289M, Foundations of Computer Slide 12 and Information Security

  7. Example 2 • VMM has flat file system for itself – Rest of disk partitioned among VMs – VMs can use any file system structure • Each VM has its own set of file systems – Subjects, objects have security, integrity classes • Called access classes – VMM has sophisticated auditing mechanism May 17, 2006 ECS 289M, Foundations of Computer Slide 13 and Information Security Problem • Physical resources shared – System CPU, disks, etc. • May share logical resources – Depends on how system is implemented • Allows covert channels May 17, 2006 ECS 289M, Foundations of Computer Slide 14 and Information Security

  8. Sandboxes • An environment in which actions are restricted in accordance with security policy – Limit execution environment as needed • Program not modified • Libraries, kernel modified to restrict actions – Modify program to check, restrict actions • Like dynamic debuggers, profilers May 17, 2006 ECS 289M, Foundations of Computer Slide 15 and Information Security Examples Limiting Environment • Java virtual machine – Security manager limits access of downloaded programs as policy dictates • Sidewinder firewall – Type enforcement limits access – Policy fixed in kernel by vendor • Domain Type Enforcement – Enforcement mechanism for DTEL – Kernel enforces sandbox defined by system administrator May 17, 2006 ECS 289M, Foundations of Computer Slide 16 and Information Security

  9. Modifying Programs • Add breakpoints or special instructions to source, binary code – On trap or execution of special instructions, analyze state of process • Variant: software fault isolation – Add instructions checking memory accesses, other security issues – Any attempt to violate policy causes trap May 17, 2006 ECS 289M, Foundations of Computer Slide 17 and Information Security Example: Janus • Implements sandbox in which system calls checked – Framework does runtime checking – Modules determine which accesses allowed • Configuration file – Instructs loading of modules – Also lists constraints May 17, 2006 ECS 289M, Foundations of Computer Slide 18 and Information Security

  10. Configuration File # basic module basic # define subprocess environment variables putenv IFS=”\t\n “ PATH=/sbin:/bin:/usr/bin TZ=PST8PDT # deny access to everything except files under /usr path deny read,write * path allow read,write /usr/* # allow subprocess to read files in library directories # needed for dynamic loading path allow read /lib/* /usr/lib/* /usr/local/lib/* # needed so child can execute programs path allow read,exec /sbin/* /bin/* /usr/bin/* May 17, 2006 ECS 289M, Foundations of Computer Slide 19 and Information Security How It Works • Framework builds list of relevant system calls – Then marks each with allowed, disallowed actions • When monitored system call executed – Framework checks arguments, validates that call is allowed for those arguments • If not, returns failure • Otherwise, give control back to child, so normal system call proceeds May 17, 2006 ECS 289M, Foundations of Computer Slide 20 and Information Security

  11. Use • Reading MIME Mail: fear is user sets mail reader to display attachment using Postscript engine – Has mechanism to execute system-level commands – Embed a file deletion command in attachment … • Janus configured to disallow execution of any subcommands by Postscript engine – Above attempt fails May 17, 2006 ECS 289M, Foundations of Computer Slide 21 and Information Security Sandboxes, VMs, and TCB • Sandboxes, VMs part of trusted computing bases – Failure: less protection than security officers, users believe – “False sense of security” • Must ensure confinement mechanism correctly implements desired security policy May 17, 2006 ECS 289M, Foundations of Computer Slide 22 and Information Security

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ECS 289M Lecture 3 April 5, 2006 Overview Safety Question HRU Model Take-Grant

ECS 289M Lecture 3 April 5, 2006 Overview Safety Question HRU Model Take-Grant

ECS 289M Lecture 3 April 5, 2006 Overview Safety Question HRU Model Take-Grant Protection Model April 5, 2006 ECS 289M, Foundations of Computer Slide 2 and Information Security What Is Secure? Adding a generic right r

447 views • 15 slides
ECS 289M Lecture 6 April 12, 2006 Safety Result If the scheme is acyclic and attenuating,

ECS 289M Lecture 6 April 12, 2006 Safety Result If the scheme is acyclic and attenuating,

ECS 289M Lecture 6 April 12, 2006 Safety Result If the scheme is acyclic and attenuating, the safety question is decidable April 12, 2006 ECS 289M, Foundations of Computer Slide 2 and Information Security Expressive Power How do

278 views • 24 slides
ECS 289M Lecture 24 May 26, 2006 Computer Virus Program that inserts itself into one or more

ECS 289M Lecture 24 May 26, 2006 Computer Virus Program that inserts itself into one or more

ECS 289M Lecture 24 May 26, 2006 Computer Virus Program that inserts itself into one or more files and performs some action Insertion phase is inserting itself into file Execution phase is performing some (possibly null) action

586 views • 22 slides
ECS 289M Lecture 23 May 24, 2006 Measuring Capacity Intuitively, difference between

ECS 289M Lecture 23 May 24, 2006 Measuring Capacity Intuitively, difference between

ECS 289M Lecture 23 May 24, 2006 Measuring Capacity Intuitively, difference between unmodulated, modulated channel Normal uncertainty in channel is 8 bits Attacker modulates channel to send information, reducing uncertainty to 5

611 views • 20 slides
ECS 289M Lecture 5 April 10, 2006 Safety Analysis Goal: identify types of policies with

ECS 289M Lecture 5 April 10, 2006 Safety Analysis Goal: identify types of policies with

ECS 289M Lecture 5 April 10, 2006 Safety Analysis Goal: identify types of policies with tractable safety analyses Approach: derive a state in which additional entries, rights do not affect the analysis; then analyze this state

642 views • 16 slides
ECS 289M Lecture 4 April 7, 2006 can steal Predicate Definition: can steal ( r , x ,

ECS 289M Lecture 4 April 7, 2006 can steal Predicate Definition: can steal ( r , x ,

ECS 289M Lecture 4 April 7, 2006 can steal Predicate Definition: can steal ( r , x , y , G 0 ) if, and only if, there is no edge from x to y labeled r in G 0 , and the following hold simultaneously: There is edge from x to y

397 views • 16 slides
ECS 289M Lecture 8 April 17, 2006 Bell-LaPadula Model, Step 2 Expand notion of security

ECS 289M Lecture 8 April 17, 2006 Bell-LaPadula Model, Step 2 Expand notion of security

ECS 289M Lecture 8 April 17, 2006 Bell-LaPadula Model, Step 2 Expand notion of security level to include categories Security level is ( clearance , category set ) Examples ( Top Secret, { NUC, EUR, ASI } ) ( Confidential,

304 views • 18 slides
Lecture # 5 - Monday, Aug 30th In this lecture I reviewed the previous lecture 4, and then

Lecture # 5 - Monday, Aug 30th In this lecture I reviewed the previous lecture 4, and then

Lecture # 5 - Monday, Aug 30th In this lecture I reviewed the previous lecture 4, and then reviewed the final point of lecture #3: Hennigs logical approach to tree inference is valid as logic, but we have a hard time using it because our data

660 views • 7 slides
Full Year 2017 Results Presentation 8 March 2018 ] 2 2 Olivier Brousse Chief Executive

Full Year 2017 Results Presentation 8 March 2018 ] 2 2 Olivier Brousse Chief Executive

1 Full Year 2017 Results Presentation 8 March 2018 ] 2 2 Olivier Brousse Chief Executive Officer www.laing.com 3 2017 results highlights strong growth 10.5% increase in NAV to Realisations of 289m 1,123.9m (13.5% including

484 views • 29 slides
Algorithms (2IL15) Lecture 13 Wrap-up lecture 1 TU/e Algorithms (2IL15) Lecture 13

Algorithms (2IL15) Lecture 13 Wrap-up lecture 1 TU/e Algorithms (2IL15) Lecture 13

TU/e Algorithms (2IL15) Lecture 13 Algorithms (2IL15) Lecture 13 Wrap-up lecture 1 TU/e Algorithms (2IL15) Lecture 13 Part I of the course: Optimization Problems we want to find valid solution minimizing cost (or maximizing

904 views • 20 slides
In 2020SP, this lecture and lecture 20 are both optional extra material CS 5412/LECTURE 17 Ken

In 2020SP, this lecture and lecture 20 are both optional extra material CS 5412/LECTURE 17 Ken

In 2020SP, this lecture and lecture 20 are both optional extra material CS 5412/LECTURE 17 Ken Birman LEAVE NO TRACE BEHIND Spring, 2020 HTTP://WWW.CS.CORNELL.EDU/COURSES/CS5412/2020SP 1 THE PRIVACY PUZZLE FOR I O T We have sensors

1.04k views • 65 slides
Recall last lecture ... Lecture 8 Also last lecture: Painter's Algorithm More Hidden Surface

Recall last lecture ... Lecture 8 Also last lecture: Painter's Algorithm More Hidden Surface

Recall last lecture ... Lecture 8 Also last lecture: Painter's Algorithm More Hidden Surface Removal Sort polygons in depth. Use the farthest vertex in each polygon as the sorting key. Efficient Painter - binary space partition (BSP)

563 views • 6 slides
Plan Lecture 1 - String diagrams and symmetric monoidal categories Lecture 2 -

Plan Lecture 1 - String diagrams and symmetric monoidal categories Lecture 2 -

Plan Lecture 1 - String diagrams and symmetric monoidal categories Lecture 2 - Resource-sensitive algebraic theories Lecture 3 - Interacting Hopf monoids and graphical linear algebra Lecture 4 - Signal Flow Graphs and recurrence

1.2k views • 61 slides
Where are we at - Topic overview Lecture 1A: Security requirements/features Lecture 7A

Where are we at - Topic overview Lecture 1A: Security requirements/features Lecture 7A

Where are we at - Topic overview Lecture 1A: Security requirements/features Lecture 7A Threatens Privacy Threatens Try to achieve Lecture 2B: Network threats Lecture 3A: Attacks on Lecture 6A: Security Protocols Web servers, malware

381 views • 25 slides
Lecture Capture Introduction to Lecture Capture Learning Outcomes What will lecture capture

Lecture Capture Introduction to Lecture Capture Learning Outcomes What will lecture capture

ISDS & Digital Business Skills Lecture Capture Introduction to Lecture Capture Learning Outcomes What will lecture capture actually do? What happens before a lecture? What happens during a lecture? What does the button do?

527 views • 18 slides
CSE 158 Lecture 4 Web Mining and Recommender Systems More Classifiers Last lecture How

CSE 158 Lecture 4 Web Mining and Recommender Systems More Classifiers Last lecture How

CSE 158 Lecture 4 Web Mining and Recommender Systems More Classifiers Last lecture How can we predict binary or categorical variables? {0,1}, {True, False} {1, , N} Last lecture Will I purchase this product? (yes) Will I click

850 views • 46 slides
Boolean Abstraction for Temporal Logic Satisfiability A. Cimatti 1 , M. Roveri 1 , V. Schuppan 1 ,

Boolean Abstraction for Temporal Logic Satisfiability A. Cimatti 1 , M. Roveri 1 , V. Schuppan 1 ,

Boolean Abstraction for Temporal Logic Satisfiability A. Cimatti 1 , M. Roveri 1 , V. Schuppan 1 , S. Tonetta 2 1 FBK-irst, Trento, Italy 2 University of Lugano, Faculty of Informatics, Lugano, Switzerland CAV07, July 37, 2007, Berlin,

375 views • 36 slides
RANDOM GENERATION IN FINITE GROUPS Mariapia Moscatiello University of Padova Young Researchers

RANDOM GENERATION IN FINITE GROUPS Mariapia Moscatiello University of Padova Young Researchers

RANDOM GENERATION IN FINITE GROUPS Mariapia Moscatiello University of Padova Young Researchers Algebra Conference 2019 Napoli 16th-18th September 2019 M ARIAPIA M OSCATIELLO RANDOM GENERATION IN FINITE GROUPS INTRODUCTION finite group

819 views • 65 slides
Regular maps with a given automorphism group, and on a given surface Jozef Sir a n

Regular maps with a given automorphism group, and on a given surface Jozef Sir a n

Regular maps with a given automorphism group, and on a given surface Jozef Sir a n Open University and Slovak University of Technology AGT 2016 Pilsen Jozef Sir a n Open University and Slovak University of Technology

1.29k views • 118 slides
IterefinE: Iterative KG Refinement Embeddings using Symbolic Knowledge Motivation KGs are

IterefinE: Iterative KG Refinement Embeddings using Symbolic Knowledge Motivation KGs are

IterefinE: Iterative KG Refinement Embeddings using Symbolic Knowledge Motivation KGs are often noisy and incomplete which decreases performance in downstream task Noise refers to various kind of errors in KG like different names for

378 views • 12 slides
EXAMINATIONS AT ATRIUM STUDIO SCHOOL Miss S Harris Examinations Officer Please email

EXAMINATIONS AT ATRIUM STUDIO SCHOOL Miss S Harris Examinations Officer Please email

EXAMINATIONS AT ATRIUM STUDIO SCHOOL Miss S Harris Examinations Officer Please email sharris@southdartmoor.devon.sch.uk if you would like a copy of these slides EXAMINATIONS THROUGH YEAR 11 Formal Mock Examinations Autumn Start Monday

309 views • 12 slides
Applying Framing Theory to Examination of State/Local Government Pension Issues in Public

Applying Framing Theory to Examination of State/Local Government Pension Issues in Public

Applying Framing Theory to Examination of State/Local Government Pension Issues in Public Administration (34 th Annual Teaching Public Administration Conference, Williamsburg, VA, May 17-19, 2011) Richard A. Wandling Political Science Department

270 views • 23 slides
Witness Examination Competition 2020 INFORMATION SESSION OTHER COMPS ON OFFER

Witness Examination Competition 2020 INFORMATION SESSION OTHER COMPS ON OFFER

Witness Examination Competition 2020 INFORMATION SESSION OTHER COMPS ON OFFER Semester 1 Semester 2 - Allens Womens Moot - Herbert Smith Freehills First-Year Moot - International Humanitarian Law Moot - King & Wood

335 views • 15 slides
Test Score Disclosure and Student Performance Braz Camargo 1 Rafael Camelo 1 Sergio Firpo 1

Test Score Disclosure and Student Performance Braz Camargo 1 Rafael Camelo 1 Sergio Firpo 1

Test Score Disclosure and Student Performance Braz Camargo 1 Rafael Camelo 1 Sergio Firpo 1 Vladimir Ponczek 1 1 S ao Paulo School of EconomicsFGV 9th Ita u International Seminar of Economic Evaluation of Social Projects October, 22nd

639 views • 28 slides

More recommend