210 likes | 361 Views
Secure Operating Systems. Lesson 9: Multics. Where are we?. We now know all the background… so it’s time to figure out why Dr. Ford likes Multics so very much Multics is pretty much the poster child for “proper” system design And we did it years ago. A Little History: 1963.
E N D
Secure Operating Systems Lesson 9: Multics
Where are we? • We now know all the background… so it’s time to figure out why Dr. Ford likes Multics so very much • Multics is pretty much the poster child for “proper” system design • And we did it years ago
A Little History: 1963 • Cuba transactions made illegal • Debut of Iron Man!!! • Beatles release their first album… • First James Bond movie • UCF founded • ZIP codes introduced • IEEE founded, ASCII introduced • Kevin Mitnick born ;)
In the Midst… • The Multics project begins • The move from batch systems to timesharing • Released as a commercial project in 1973… that’s a 10 year development cycle
Processes • We’re very comfortable with this idea, but it was newer then • Processes are the things that execute stuff in Multics • All the things the process accesses are stored as “segments” • The “protection domain” determines the segments a process can access
Segments • These are created hierarchically • This became the roadmap to things like the Unix file system • The process has a descriptor segment which contains a set of segment descriptor words (SDWs) that refer to all the segments the process can access directly
Security • Three primary parts: the supervisor, protection rings, and SDWs • The supervisor is the ultimate arbiter – it decides if a process can have a SDW • This is isolated from other processes by protection rings (64 possible) • The basic idea was to protect the supervisor from unauthorized changes
Segment Access Control • Simple ACL • Segments: read, write, execute • Directories: status, modify, append • However. The SDW also includes rings and brackets – this can be a little tricky • To grant access, the ACL and Access brackets must both allow…
Rings/Brackets • Imagine we have code running in Ring r. • Access brackets define access – range of rings is r1, r2 where r1 < r2 • If r < r1, the process has full access (r/w) • If r1 ≤ r ≤ r2, the process can read the segment only • If r2 < r, then the process has no access
Call Brackets • Imagine we have code running in Ring r, trying to invoke a code segment • Call brackets define access – range of rings is(r2,r3)where r2 ≤ r3 • If r < r1, the process can execute, but there is a loss of privilege, where r changes to r_prime • If r1 ≤ r ≤ r2, the process executes with its current privilege • If r2 ≤ r ≤ r3, the process executes with higher privilege IF the location is authorized by the gates • If r3 < r, then the process has no access
MLS • Multilevel Security was pioneered by Multics – the policy prevents a subject from reading data that is “more secret” than itself, or writing to objects that are “less secret” • This is part and parcel of the way the Multics protection system worked • MLS is MAC, ACL and Ring Brackets are DAC • Think about performance for a minute…
The Gatekeeper • Multics tries hard to prevent the confused deputy problem… • The gatekeeper carefully (!) checks the parameters passed when privilege increases • The gatekeeper sometimes copies code to avoid giving a whole segment of the caller to the callee • The kernel is split between Ring 0 and 1 – the gatekeeper is Ring 0
Security Eval • Need: complete mediation, tamper proofing, and verifiability • How does Multics do?
Discussion • How does the reference monitor interface ensure that all security-sensitive operations are mediated correctly? • Does the reference monitor interface mediate security-sensitive operations on all system resources? • How do we verify that the reference monitor interface provides complete mediation?
Discussion • How does the system protect the reference monitor from modification? • Does the protection system protect all of the TCB? • What is the basis for the correctness of the system’s TCB? • Does the protection system enforce the system’s goals?
Multics Vulnerabilities • Karger and Schell’s analysis is very interesting • Primarily looks at implementation errors in the system • Actually included a hardware error that allowed instructions to bypass the SDW
Master Mode • To me, this is a classic • For performance, it’s ugly to have all traps dealt with by Ring 0 • However, to handle that, we need a user level trap handler… which requires access to some privileged instructions • And the trap handler used a register to determine where to go… and thus, disaster
Lots to do! • 2 weeks, large project • Write an essay that compares Multics with the modern OS of your choice: Linux, Windows or iOS. Look at the trajectory of your chosen OS, not just how it is today, but how it was • How does the modern OS handle the things that Multics already had? • You’re aiming at 10-20 pages
Resources • You should read “Protection and the Control of Information Sharing in Multics” and “Thirty Years Later: Lessons from the Multics Security Evaluation” • Resource (long): Final Report of the Multics Kernel Design Project • We will discuss these papers a week Thursday, be ready to share your ideas
Questions & Comments • What do you want to know?