Secure Systems Research Group - FAU Security Patterns for Operating Systems by Ed Fernandez and Tami Sorgente

Date posted: 26-Dec-2015
Uploaded by: jason-carpenter
Page 1: Secure Systems Research Group - FAU Security Patterns for Operating Systems by Ed Fernandez and Tami Sorgente.

Secure Systems Research Group - FAU

Security Patterns for Operating Systems

by Ed Fernandez and Tami Sorgente

Page 2: Security and operating systems (OS)

• The OS acts as an intermediary between the user of a computer and its hardware
• The OS supports the execution of all the applications
• The OS architecture is fundamental to the organization of its components and to the use of these component services by a given application
• It is the most critical of the software layers, because a compromise can affect all applications and all persistent data
• Most reported attacks occur through the OS
• Security Patterns for Operating Systems

Page 3: Security Patterns for Operating Systems

• Published Patterns:
– File access control
– Controlled Virtual Address Space
– Reference Monitor
– Controlled Execution Environment
– Authenticator
– Controlled-Process Creator
– Controlled-Object Factory
– Controlled-Object Monitor
– OS Architecture Patterns

• Future Pattern Ideas:
– Process structure
– Thread structure
– Administration roles
– Execution Rings
– Secure process communication
– Protected entry points
– Distributed directory
– Isolated execution environments
– Virtual Address Space Structure

Page 4: O.S. Access Control Pattern Language

Page 5: Patterns for Operating Systems Access Control

• File access control. How do you control access to files in an operating system? Apply the Authorization pattern to describe access to files by subjects. The protection object is now a file component that may be a directory or a file.

• Controlled Virtual Address Space. How to control access by processes to specific areas of their virtual address space (VAS) according to a set of predefined access types? Divide the VAS into segments that correspond to logical units in the programs. Use special words (descriptors) to represent access rights for these segments.

• Reference Monitor. How to enforce authorizations when a process requests access to an object? Define an abstract process that intercepts all requests for resources and checks them for compliance with authorizations.

• Controlled Execution Environment. How to define an execution environment for processes? Attach to each process a set of descriptors that represent the rights of the process. Use the Reference Monitor to enforce access.

[Fer02] E. B. Fernandez, "Patterns for operating systems access control", Procs. of PLoP 2002, http://jerry.cs.uiuc.edu/~plop/plop2002/proceedings.html

Page 6: The Authorization pattern

[Class diagram] Subject (ID) and ProtectionObject (ID) are linked by a many-to-many AuthorizationRule association. The association class Right carries the attributes accessType, predicate and copyFlag and the operation checkRights( ).
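The class diagram above as running code. This is an added example written for this transcript, not code from the slides or from the Secure Systems Research Group. The class names Subject, ProtectionObject and Right with accessType, predicate, copyFlag and checkRights( ) follow the diagram; the AuthorizationRules container, the delegate( ) operation (a right can be copied to another subject only while its copyFlag is set, and the copy is issued without the flag), the demo( ) scenario and the object name "/data/payroll" are assumptions of the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

# Added example of the Authorization pattern: Subject -- AuthorizationRule --
# ProtectionObject, with Right (accessType, predicate, copyFlag, checkRights)
# as the association class. Delegation semantics of copyFlag are an
# assumption of this example, not a statement of the paper.


@dataclass(frozen=True)
class Subject:
    id: str


@dataclass(frozen=True)
class ProtectionObject:
    id: str


@dataclass(frozen=True)
class Right:
    access_type: str
    # Optional condition on the request context, e.g. the hour of the day.
    predicate: Optional[Callable[[dict], bool]] = None
    # When set, the holder may pass a copy of this right to another subject.
    copy_flag: bool = False

    def check_rights(self, access_type: str, context: dict) -> bool:
        """True if this right grants access_type under the given context."""
        if access_type != self.access_type:
            return False
        if self.predicate is not None and not self.predicate(context):
            return False
        return True


class AuthorizationRules:
    """Access matrix: (subject id, object id) -> rights granted."""

    def __init__(self) -> None:
        self._rules: dict[tuple[str, str], list[Right]] = {}

    def grant(self, subject: Subject, obj: ProtectionObject, right: Right) -> None:
        self._rules.setdefault((subject.id, obj.id), []).append(right)

    def is_authorized(self, subject: Subject, obj: ProtectionObject,
                      access_type: str, context: Optional[dict] = None) -> bool:
        rights = self._rules.get((subject.id, obj.id), [])
        return any(r.check_rights(access_type, context or {}) for r in rights)

    def delegate(self, grantor: Subject, grantee: Subject,
                 obj: ProtectionObject, access_type: str) -> bool:
        """Copy a right to grantee. Only rights with copy_flag can be copied,
        and the copy is issued without copy_flag so it cannot spread further."""
        for r in self._rules.get((grantor.id, obj.id), []):
            if r.access_type == access_type and r.copy_flag:
                self.grant(grantee, obj, Right(access_type, r.predicate, copy_flag=False))
                return True
        return False


def demo() -> dict:
    """Constructed scenario; returns each decision so it can be inspected."""
    rules = AuthorizationRules()
    alice, bob, carol = Subject("alice"), Subject("bob"), Subject("carol")
    payroll = ProtectionObject("/data/payroll")  # constructed object name
    rules.grant(alice, payroll, Right("read", copy_flag=True))
    rules.grant(alice, payroll,
                Right("write", predicate=lambda ctx: 9 <= ctx.get("hour", -1) < 17))
    return {
        "alice_read": rules.is_authorized(alice, payroll, "read"),
        "alice_write_day": rules.is_authorized(alice, payroll, "write", {"hour": 10}),
        "alice_write_night": rules.is_authorized(alice, payroll, "write", {"hour": 23}),
        "bob_read_before": rules.is_authorized(bob, payroll, "read"),
        "alice_delegates_read": rules.delegate(alice, bob, payroll, "read"),
        "bob_read_after": rules.is_authorized(bob, payroll, "read"),
        "alice_delegates_write": rules.delegate(alice, bob, payroll, "write"),
        "bob_redelegates_read": rules.delegate(bob, carol, payroll, "read"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The predicate makes the write right conditional, so the same rule row yields different decisions for different request contexts; the copy flag is what separates a right that may be shared from one that may not.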

Page 7: The File Authorization pattern

[Class diagram] Subject (ID) is AuthorizedOn Workstation (ID) (many-to-many), is AuthorizedFor FileComponent through the association class ACLE (accessMode), and HasHomeDirectory to a Directory. FileComponent is specialized into Directory (name) and File (name, size, createFile( ), save( )). An Authorization class with attributes priority and privileges and operation startSession( ) is also shown.

Page 8: Virtual Address Space Access Control pattern

[Class diagram] A Process holds many Descriptors (base, limit, access_type); each Descriptor Accesses one Segment (address, size); a VAS is composed of many Segments.

Page 9: The Execution Domain pattern

[Class diagram] A Process (ID) Executes In a Domain (ID, create( ), enter( ), delete( )). Domain is specialized into CompositeDomain and SimpleDomain (a Composite structure), and a Domain holds many Descriptors (base, limit, access_type).

Page 10: Reference Monitor pattern

[Class diagram] A Process MakesRequestTo the Reference Monitor; each Request carries a resource and an access_type. The Reference Monitor checks requests against the Authorization Rules, a set of Authorization objects. ConcreteReferenceMonitor is an implementation of the abstract Reference Monitor.

Page 11: Controlled Execution Environment pattern

[Class diagram] A User (ID) Activates a Process (ID); the Process Executes In a Domain (ID, create( ), enter( ), delete( )), specialized into CompositeDomain and SimpleDomain; a Domain Uses a Descriptor (1 to 0..1). Resource {A} (name, address, amount) is abstract, with ConcreteResource as its subclass; ProtectionObject (ID, create( ), close( ), delete( )) and Authorization (right) complete the model. The Reference Monitor receives the Requests made by processes.
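The four diagrams above (Virtual Address Space Access Control, Execution Domain, Reference Monitor and Controlled Execution Environment) fit together as one mechanism: a process runs in a domain, the domain is a set of descriptors over the VAS, and every request is decided by the reference monitor from those descriptors alone. The following is an added example written for this transcript, not the authors' code. Class names follow the diagrams; modelling access_type as a set of access types per descriptor, the covers( ) bounds check, the audit log in the monitor and the constructed memory layout in demo( ) are assumptions of the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator

# Added example: Process -> Domain (Simple or Composite) -> Descriptors over
# the VAS, with a Reference Monitor intercepting Request(address, amount,
# access_type). Per-descriptor access_type as a set is this example's choice.


@dataclass(frozen=True)
class Descriptor:
    base: int                    # first address of the segment
    limit: int                   # size in addressable units
    access_type: frozenset[str]  # e.g. {"read", "execute"}

    def covers(self, address: int, amount: int) -> bool:
        """Whole range [address, address+amount) lies inside [base, base+limit).
        Python ints do not wrap; a C implementation must also guard the sums
        against integer wraparound before comparing them."""
        if amount <= 0 or address < 0:
            return False
        return self.base <= address and address + amount <= self.base + self.limit


class Domain:
    def __init__(self, id: str) -> None:
        self.id = id

    def descriptors(self) -> Iterator[Descriptor]:
        raise NotImplementedError


class SimpleDomain(Domain):
    def __init__(self, id: str, descriptors: list[Descriptor]) -> None:
        super().__init__(id)
        self._descriptors = list(descriptors)

    def descriptors(self) -> Iterator[Descriptor]:
        yield from self._descriptors


class CompositeDomain(Domain):
    """A domain assembled from other domains (the Composite structure)."""

    def __init__(self, id: str, parts: list[Domain]) -> None:
        super().__init__(id)
        self._parts = list(parts)

    def descriptors(self) -> Iterator[Descriptor]:
        for part in self._parts:
            yield from part.descriptors()


@dataclass
class Process:
    id: str
    domain: Domain


@dataclass(frozen=True)
class Request:
    address: int
    amount: int
    access_type: str


class ReferenceMonitor:
    """Intercepts every request; the decision uses only the process's descriptors."""

    def __init__(self) -> None:
        self.log: list[tuple[str, Request, bool]] = []

    def check(self, process: Process, req: Request) -> bool:
        # One descriptor must cover the whole range with the requested type;
        # a range straddling two segments is refused.
        allowed = any(
            d.covers(req.address, req.amount) and req.access_type in d.access_type
            for d in process.domain.descriptors()
        )
        self.log.append((process.id, req, allowed))  # audit trail of decisions
        return allowed


def demo() -> dict:
    """Constructed layout: code at 0x1000 (4 KiB, r-x), data at 0x4000 (2 KiB, rw-),
    and a shared read-only segment reachable only through a composite domain."""
    code = Descriptor(0x1000, 0x1000, frozenset({"read", "execute"}))
    data = Descriptor(0x4000, 0x800, frozenset({"read", "write"}))
    shared = Descriptor(0x8000, 0x100, frozenset({"read"}))
    private = SimpleDomain("private", [code, data])
    library = SimpleDomain("library", [shared])
    p1 = Process("p1", private)
    p2 = Process("p2", CompositeDomain("private+library", [private, library]))
    rm = ReferenceMonitor()
    return {
        "exec_code": rm.check(p1, Request(0x1000, 16, "execute")),
        "write_code": rm.check(p1, Request(0x1000, 16, "write")),
        "read_whole_data": rm.check(p1, Request(0x4000, 0x800, "read")),
        "write_past_end": rm.check(p1, Request(0x47FF, 2, "write")),
        "zero_length": rm.check(p1, Request(0x4000, 0, "read")),
        "span_two_segments": rm.check(p1, Request(0x1FF0, 0x20, "read")),
        "p1_reads_shared": rm.check(p1, Request(0x8000, 8, "read")),
        "p2_reads_shared": rm.check(p2, Request(0x8000, 8, "read")),
        "p2_writes_shared": rm.check(p2, Request(0x8000, 8, "write")),
    }
```

The off-by-one case (a two-byte write starting at the last byte of the data segment) and the zero-length request are the ones worth keeping in a regression test: both are accepted by a check written as `address < base + limit` alone.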

Page 12: More patterns for operating systems access control

• Authenticator. How to verify that a subject is who it says it is? Use a single point of access to receive the interactions of a subject with the system and apply a protocol to verify the identity of the subject.

• Controlled-Process Creator. How to define the rights to be given to a new process? Define their rights as part of their creation.

• Controlled-Object Factory. How to specify the rights of processes with respect to a new object? When a process creates a new object through a Factory, the request includes the features of the new object. These features include a list of rights to access the object.

• Controlled-Object Monitor. How to control access by a subject to an object? Use a reference monitor to intercept access requests from processes. The reference monitor checks if the process has the requested type of access to the object.

[Fer03] E. B. Fernandez and J. C. Sinibaldi, "More patterns for operating system access control", Proc. of the 8th European Conference on Pattern Languages of Programs, EuroPLoP 2003, http://hillside.net/europlop, 381-398.
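The Controlled-Process Creator, Controlled-Object Factory and Controlled-Object Monitor of this slide share one idea: rights are fixed when a process or object is created, and a monitor enforces them afterwards. The following is an added example written for this transcript, not code from [Fer03] or the research group. The rule that a child process cannot receive rights its parent lacks comes from the Controlled-Process Creator text; the rule that an object creator can only hand out access types it holds itself, the string-valued rights, the "create_object" right and the constructed scenario are assumptions of the example. The Authenticator is not covered here.

```python
from __future__ import annotations

from dataclasses import dataclass
from itertools import count

# Added example of Controlled-Process Creator, Controlled-Object Factory and
# Controlled-Object Monitor. Rights are plain strings; the Process.rights set,
# the "create_object" right and the registry classes are assumptions here.

_pid = count(1)  # process id generator for the constructed scenario


@dataclass(frozen=True)
class ProtectionObject:
    id: str


@dataclass
class Process:
    id: int
    rights: frozenset[str]  # what this process may ask for, fixed at creation


class ControlledProcessCreator:
    """A new process gets its rights at creation and never exceeds its parent's."""

    def create(self, parent: Process, requested: set[str]) -> Process:
        excess = frozenset(requested) - parent.rights
        if excess:
            raise PermissionError(f"parent {parent.id} cannot grant {sorted(excess)}")
        return Process(next(_pid), frozenset(requested))


class ControlledObjectMonitor:
    """Reference monitor for objects: decides (process, object, access type)."""

    def __init__(self) -> None:
        self._acl: dict[str, dict[int, frozenset[str]]] = {}

    def register(self, obj: ProtectionObject, rights: dict[int, set[str]]) -> None:
        self._acl[obj.id] = {pid: frozenset(types) for pid, types in rights.items()}

    def access(self, process: Process, obj: ProtectionObject, access_type: str) -> bool:
        granted = self._acl.get(obj.id, {}).get(process.id, frozenset())
        return access_type in granted


class ControlledObjectFactory:
    """Creates objects; the creation request carries the object's rights list."""

    def __init__(self, monitor: ControlledObjectMonitor) -> None:
        self._monitor = monitor

    def create(self, creator: Process, name: str,
               rights: dict[int, set[str]]) -> ProtectionObject:
        if "create_object" not in creator.rights:
            raise PermissionError(f"process {creator.id} may not create objects")
        # Assumption of this example: a creator may only hand out access
        # types it holds itself, mirroring the process-creation rule above.
        for pid, types in rights.items():
            excess = frozenset(types) - creator.rights
            if excess:
                raise PermissionError(f"cannot grant {sorted(excess)} to process {pid}")
        obj = ProtectionObject(name)
        self._monitor.register(obj, rights)
        return obj


def demo() -> dict:
    """Constructed scenario: an init process spawns a worker with fewer rights."""
    monitor = ControlledObjectMonitor()
    creator = ControlledProcessCreator()
    factory = ControlledObjectFactory(monitor)
    init = Process(0, frozenset({"create_object", "read", "write", "admin"}))
    worker = creator.create(init, {"read", "write", "create_object"})
    out: dict = {}
    try:
        creator.create(worker, {"read", "admin"})  # worker does not hold "admin"
        out["child_escalation"] = "allowed"
    except PermissionError:
        out["child_escalation"] = "denied"
    log = factory.create(worker, "/tmp/worker.log",
                         {worker.id: {"read", "write"}, init.id: {"read"}})
    out["worker_writes_own_log"] = monitor.access(worker, log, "write")
    out["init_reads_log"] = monitor.access(init, log, "read")
    out["init_writes_log"] = monitor.access(init, log, "write")
    try:
        factory.create(worker, "/etc/policy", {worker.id: {"admin"}})
        out["factory_escalation"] = "allowed"
    except PermissionError:
        out["factory_escalation"] = "denied"
    return out
```

Both escalation attempts fail at creation time rather than at access time, which is the point of deciding rights in the creator and factory: the monitor never has to reason about how a right came to exist.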

Page 13: Authentication Pattern

Page 14: Class model for PKI authentication

Page 15: Controlled-Process Creator

Page 16: Controlled Object Creator

Page 17: Controlled Object Monitor

Page 18: OS architectures

• Patterns representing an abstract view of the four basic architectures of operating systems:
1) Modular Operating System Architecture
2) Layered Operating System Architecture
3) Microkernel Operating System Architecture
4) Virtual Machine (VM) Operating System Architecture

Page 19: Operating System Architectures

Page 20: The Modular Operating System Architecture pattern

• An object-oriented approach is used to dynamically load and link loadable modules to the core component of the OS

Page 21: Modular Operating System Architecture

• Known uses
– Solaris version 10
– ExtremeWare from Extreme Networks [Ext].
• Related patterns
– The Controlled Execution Environment pattern [Fer0] can be used to isolate executing modules.

Page 22: Layered Operating System Architecture

• Separate the OS into layers
• The OS has more control over separation of concerns
• Overall features and functionality are separated into layers
• Clearly defined interfaces between each kernel section of the OS and between user applications and the OS functions

Page 23: Layered Operating System Architecture Pattern

• Define a hierarchical set of layers and assign components to each layer. Each layer presents an abstract machine to the layer above it.

Page 24: Layered Operating System Architecture Pattern

[Class diagram] A Client uses Layer N, which uses Layer N-1, and so on down to Layer 2 and Layer 1; each <<uses>> link is one-to-one between adjacent layers.

Page 25: Layered Operating System Architecture Pattern Dynamics

• Sequence diagram for opening and reading a disk file

• A user sends an openFile( ) request to the OSInterface
• The OSInterface interprets the openFile( ) request
• The openFile( ) request is sent from the OSInterface to the FileManager
• The FileManager sends a readDisk( ) request to the DiskDriver

Page 26: OS Layered Architecture

Page 27: Layered Operating System Architecture

• Known uses
– OS/2 of IBM, Symbian OS [Sym01]
• Related patterns
– Specialization of the Layers architectural pattern [Bus96].
– A security version of the Layers pattern is presented in [Fer02] and in [Som05].

Page 28: Microkernel Operating System Architecture

• Move as much of the OS functionality as possible out of the kernel space
• Keep only a very basic set of functions in the microkernel
• Use external and internal servers

Page 29: Microkernel Operating System Architecture pattern

[Class diagram] Microkernel (execute mechanism, init communication, find receiver, call internal server, send message, create handle (unique ID)); ExternalServer and InternalServer (each: receive request, dispatch request, execute service); Adapter (calls service, creates request); Client (do task). A Client sends requests to one Adapter, the Adapter calls services of the Microkernel, the Microkernel activates ExternalServers and calls InternalServers (one to many), and initializes communication between them.

Page 30: Microkernel Operating System Architecture

• Known uses
– PalmOS [PalmOS], QNX [QNX]
• Related patterns
– Specialization of the Microkernel pattern [Bus96].

Page 31: Virtual Machine Operating System Architecture

• Provides a set of replicas of the hardware architecture to separate operating systems

• Strong isolation between each OS

Page 32: Virtual Machine Operating System Architecture pattern

• Define an architectural layer that is in control of the hardware and supervises and coordinates the execution of each OS environment.

• This extra layer, usually called a Virtual Machine Monitor (VMM) or Hypervisor, presents to each operating system a replica of the hardware.

• The VMM intercepts all system calls and interprets them according to the OS from where they came.

Page 33: Virtual Machine Operating System Architecture pattern

Page 34: Virtual Machine Operating System Architecture example resolved

• Two companies using Unix and Linux in different virtual machines

Page 35: OS Pattern Ideas/ Future Work

• Process structure
• Thread structure
• Administration roles
• Execution Rings
• Secure process communication
• Protected entry points
• Distributed directory
• Isolated execution environments
• Virtual Address Space Structure

Page 36: Process structure

• Process Control Block (PCB)
– A data structure containing the process's id, a reference to its code, program counter, stack, registers, status, and references to its resources (domain).
• A process receives a separate address space for its execution.
– Some architectures, e.g., the Intel x86 series, have hardware support for the type of PCB used by common operating systems (this accelerates context switching, i.e., changing execution from one process to another).

Page 37: Thread structure

• Lightweight process
• Faster context switching than a process
• Shares its address space with other threads
• Typically, a thread includes a program counter, a register set, and a stack.
• Because of its shared address space, an error or attack from another thread can corrupt its memory.
• Thread stacks can be protected if they are kept in the system address space using separated segments or pages.

Page 38: Thread structure

• Most modern operating systems, e.g., Solaris, allow several threads to be bundled in one process; this protects the thread group as a whole from other processes.

• User processes and threads can be created with special packages, e.g., POSIX threads in Unix, or through the language, as in Java or Ada.

• The operating system defines kernel threads as units of concurrent execution.

• Kernel threads usually don’t have any protection against each other.

Page 39: Administration roles

• AIX reduces the privileges of the system administrator by defining five partially-ordered roles: Superuser, Security Administrator, Auditor, Resource Administrator, and Operator.
• Windows NT uses four roles for administrative privileges: standard, administrator, guest, and operator. A User Manager has procedures for managing user accounts, groups, and authorization rules.
• Trusted Solaris. This is an extension of Solaris 8. RBAC is used to restrict the rights of administrators; there is no superuser with all power.
• Argus Pitbull [Arg]. Least privilege applied to all processes, including the superuser. The superuser is implemented using three roles: Systems Security Officer, System Administrator, and System Operator.

[Arg] Argus Systems Group, "Trusted OS security: Principles and practice", http://www.argus-systems.com/products/white_paper/pitbull

[Cam90] N. A. Camillone, D. H. Steves, and K. C. Witte, "AIX operating system: A trustworthy computing system", in IBM RISC System/6000 Technology, SA23-2619, IBM Corp., 1990, 168-172.

Page 40: Execution Rings

• Some hardware architectures define a set of protection rings (typically 4 to 32) with hierarchical levels of trust.
• Rings are a generalization of the concept of mode of operation and define finer domains of execution.
• They have been used in Multics and the Intel processors, among others.
• A combination (process, domain) corresponds to a row of the access matrix.
• Crossing of rings is done through gates that check the rights of the crossing process. A process calling a segment in a higher ring must go through a gate.

Page 41: Execution Rings

[Diagram] Concentric rings 0, 1, 2, 3 with the legend: 0 = kernel, 1 = OS functions, 2 = safe applications, 3 = untrusted applications. Arrows show calls upward (toward higher privilege), data access toward less privilege, gate crossings, and protected entry points.

Page 42: Execution Rings

• In this case, processes are assigned to rings based on their level of trust; for example, if we had four rings we could assign them in decreasing order of privilege to: supervisor, utilities, trusted user programs, untrusted user programs. The Intel x86 architecture applies two rules:
– Calls are allowed only in a more privileged direction, with possible restriction of a minimum calling level.
– Data in a segment at level p can be accessed only by a program executing at a more privileged level (<= p).

Page 43: Execution Rings

• The Program Status Word of the process indicates its current ring, and data descriptors also indicate their assigned rings. These values are compared to apply the transfer rules.
• Ring crossing applies protected entry points. A process calling a higher-privilege process can only enter this process at pre-designed entry points with controlled parameters.
• Jumping many rings is suspicious. Multics defined a call bracket, where calls are allowed only within rings in the bracket. More precisely, for a call from procedure i to a procedure with bracket (n1, n2, n3) the following rules apply: if n2 < i <= n3 the call is allowed to specific entry points; if i > n3 the call is not allowed; if i < n1 any entry point is valid. This extension only makes sense for systems that have many rings.
• Rings don't need to be strictly hierarchic; partial orders are possible and convenient for some applications. For example, a system including a secure database system could assign a level to this database equal to but separated from system utilities; the highest level is for the kernel and the lowest level is for user programs. This was done in a design involving an IBM 370 [Fer78].

Page 44: Secure process communication

• Process communication also has an effect on security.

• Systems that use explicit message passing have the possibility of checking each message to see if it complies with system policies.

Page 45: Protected entry points

• Process communication also has an effect on security.
• Systems that use explicit message passing have the possibility of checking each message to see if it complies with system policies.
• For example, a security feature that can be applied when calling another process is protected entry points.
• A process calling another process can only enter this process at pre-designed entry points. This prevents bypassing entry checks.
• The number and size of arguments in a gate crossing can also be controlled (this may protect against some types of buffer overflow attacks).
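The ring rules of Pages 40 to 43 and the protected entry points of this page, carried through as one checker. This is an added example written for this transcript, not code from the slides. The x86 data-access rule (caller ring <= segment ring), the call direction rule, the minimum calling level, the Multics call bracket cases and the controlled number and size of gate arguments come from the slides; the Gate and EntryPoint classes, the interpretation of "minimum calling level" as the least privileged ring still admitted, the treatment of a caller inside the access bracket (n1 <= i <= n2) like a caller below n1, and the constructed open_file gate are assumptions of the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Mapping

# Added example of execution rings, gate crossings and protected entry points.
# Ring numbers follow the slide legend (0 = kernel ... 3 = untrusted); a lower
# number means more privilege. Gate/EntryPoint and the argument limits are
# this example's assumptions.

RING_NAMES = {0: "kernel", 1: "OS functions", 2: "safe applications", 3: "untrusted applications"}


def data_access_allowed(caller_ring: int, segment_ring: int) -> bool:
    """x86-style rule from the slide: data in a segment at level p may be
    accessed only by a program executing at a more privileged level (<= p)."""
    return caller_ring <= segment_ring


@dataclass(frozen=True)
class EntryPoint:
    name: str
    max_args: int       # controlled number of arguments
    max_arg_bytes: int  # controlled total size of argument data


@dataclass(frozen=True)
class Gate:
    target_ring: int                   # ring the callee executes in
    min_calling_level: int             # least privileged ring still allowed to call (assumption)
    entries: Mapping[str, EntryPoint]  # the only places a caller may enter


def call_through_gate(caller_ring: int, gate: Gate, entry: str,
                      args: list[bytes]) -> tuple[bool, str]:
    """Apply the transfer rules in order; the reason string is for the audit log."""
    if gate.target_ring > caller_ring:
        return False, "calls are allowed only toward more privilege"
    if caller_ring > gate.min_calling_level:
        return False, "caller is below the minimum calling level"
    ep = gate.entries.get(entry)
    if ep is None:
        return False, "not a protected entry point"
    if len(args) > ep.max_args:
        return False, "too many arguments"
    if sum(len(a) for a in args) > ep.max_arg_bytes:
        return False, "argument data exceeds the gate's limit"
    return True, "ok"


def bracket_call(i: int, bracket: tuple[int, int, int]) -> str:
    """Multics call bracket (n1, n2, n3) for a caller in ring i, per the slide:
    i > n3 denied; n2 < i <= n3 gate entry points only; i < n1 any entry point.
    The slide does not state the n1 <= i <= n2 case; treating it like i < n1
    is an assumption of this example."""
    n1, n2, n3 = bracket
    if i > n3:
        return "denied"
    if i > n2:
        return "gate entry points only"
    return "any entry point"


def demo() -> dict:
    """Constructed gate from untrusted ring 3 into OS functions in ring 1."""
    entries = {"open_file": EntryPoint("open_file", max_args=2, max_arg_bytes=256)}
    gate = Gate(target_ring=1, min_calling_level=3, entries=entries)
    strict_gate = Gate(target_ring=1, min_calling_level=2, entries=entries)
    path = b"/home/user/report.txt"  # constructed argument
    return {
        "ring3_open_file": call_through_gate(3, gate, "open_file", [path, b"r"])[0],
        "ring3_unknown_entry": call_through_gate(3, gate, "raw_disk_write", [path])[1],
        "ring3_too_many_args": call_through_gate(3, gate, "open_file", [path, b"r", b"x"])[1],
        "ring3_oversized_arg": call_through_gate(3, gate, "open_file", [b"A" * 300, b"r"])[1],
        "ring3_below_min_level": call_through_gate(3, strict_gate, "open_file", [path])[1],
        "ring0_calls_downward": call_through_gate(0, gate, "open_file", [path])[1],
        "ring1_reads_ring3_data": data_access_allowed(1, 3),
        "ring3_reads_ring1_data": data_access_allowed(3, 1),
        "bracket_ring2_into_(0,1,2)": bracket_call(2, (0, 1, 2)),
        "bracket_ring3_into_(0,1,2)": bracket_call(3, (0, 1, 2)),
        "bracket_ring0_into_(1,2,3)": bracket_call(0, (1, 2, 3)),
    }
```

The argument-size limit is enforced in the gate, before any callee code runs, which is what lets the slide claim protection against some buffer-overflow attacks: the callee's entry point only ever sees argument data that fits the contract the gate advertises.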

Page 46: Distributed directory

• Windows 2000 introduced the concept of Active Directory (AD) that provides an administrative structure for distributed domains.

• The AD is a tree that acts as a repository or registry for all resource information. A domain is a group of systems that share the same directory; in this sense the AD is a directory of directories (the Composite pattern again!).

• Each domain has a unique name and provides centralized administration for user and group accounts. Users can cross domains after being properly authenticated.

Page 47: Distributed directory

• The AD introduces the concept of dynamic inheritance of rights along the tree. This is a direct application of the concept of implied authorization that we proposed in 1975 [Fer75].

• Implied access rights are very convenient for system administration because the administrator can understand better the structure of rights in the system.

• Windows 2000 also improved and expanded the use of groups for security and introduced the use of Kerberos for distributed authentication.
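Implied authorization along a tree, as the slide describes it, can be checked by walking from the object up to the root and stopping at the first grant that covers the subject and access type. The following is an added example written for this transcript, not code from [Fer75] and not a description of the Active Directory implementation. The node and grant classes, the "inheritable" flag that lets an administrator stop implication at a node, and the constructed corp/sales/emea/paris tree are assumptions of the example; authorizing_node( ) returns the node whose grant applied, which is the "understand the structure of rights" benefit the slide mentions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Added example of implied authorization along a directory tree. Node and
# Grant classes and the inheritable flag are modelling choices of this
# example, not a specification of Active Directory.


@dataclass
class DirectoryNode:
    name: str
    parent: Optional["DirectoryNode"] = None
    children: dict = field(default_factory=dict)

    def child(self, name: str) -> "DirectoryNode":
        node = DirectoryNode(name, self)
        self.children[name] = node
        return node

    def path(self) -> str:
        return self.name if self.parent is None else f"{self.parent.path()}/{self.name}"


@dataclass(frozen=True)
class Grant:
    subject: str
    access_type: str
    inheritable: bool = True  # does this right flow down to descendants?


class DirectoryAuthorization:
    """Explicit grants live on nodes; a right on an ancestor implies it below."""

    def __init__(self) -> None:
        self._grants: dict[str, list[Grant]] = {}  # node path -> grants

    def grant(self, node: DirectoryNode, subject: str, access_type: str,
              inheritable: bool = True) -> None:
        self._grants.setdefault(node.path(), []).append(Grant(subject, access_type, inheritable))

    def authorizing_node(self, subject: str, node: DirectoryNode,
                         access_type: str) -> Optional[str]:
        """Path of the node whose grant authorizes the access, or None.
        Walk from the target up to the root: a grant on the target itself
        always applies, a grant on an ancestor applies only if inheritable."""
        current: Optional[DirectoryNode] = node
        while current is not None:
            for g in self._grants.get(current.path(), []):
                if g.subject == subject and g.access_type == access_type:
                    if current is node or g.inheritable:
                        return current.path()
            current = current.parent
        return None

    def is_authorized(self, subject: str, node: DirectoryNode, access_type: str) -> bool:
        return self.authorizing_node(subject, node, access_type) is not None


def demo() -> dict:
    """Constructed tree: corp/sales/emea/paris and corp/finance/ledgers."""
    root = DirectoryNode("corp")
    sales = root.child("sales")
    emea = sales.child("emea")
    paris = emea.child("paris")
    finance = root.child("finance")
    ledgers = finance.child("ledgers")
    auth = DirectoryAuthorization()
    auth.grant(root, "admin", "manage")                        # implied everywhere
    auth.grant(sales, "sales_ops", "read")                     # implied in the sales subtree
    auth.grant(finance, "auditor", "read", inheritable=False)  # this node only
    return {
        "admin_paris": auth.authorizing_node("admin", paris, "manage"),
        "sales_ops_paris": auth.authorizing_node("sales_ops", paris, "read"),
        "sales_ops_finance": auth.is_authorized("sales_ops", finance, "read"),
        "auditor_finance": auth.is_authorized("auditor", finance, "read"),
        "auditor_ledgers": auth.is_authorized("auditor", ledgers, "read"),
        "admin_write_paris": auth.is_authorized("admin", paris, "write"),
    }
```

Returning the authorizing node rather than a bare boolean is the administrative payoff: when a subject unexpectedly has access deep in the tree, the answer names the ancestor grant responsible, so the structure of rights can be reviewed where it was defined.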

Page 48: Isolated execution environments

• Virtual machines
• Tagged storage
• Capabilities
• Separation by encryption

[Dal01] C. Dalton and T.H. Choo, “An operating system approach to securing services”, Comm. of the ACM, vol. 44, No. 2, February 2001, 58-64.

