160 likes | 204 Views
Trusted Operating Systems. What is a trusted operating system. Four aspects of a trusted OS Information compartmentalization Role compartmentalization Least privilege Kernel level enforcement “if it’s easy to administer, it’s probably easy to break into”. Pros Difficult to compromise
E N D
What is a trusted operating system • Four aspects of a trusted OS • Information compartmentalization • Role compartmentalization • Least privilege • Kernel level enforcement • “if it’s easy to administer, it’s probably easy to break into”
Pros Difficult to compromise One compromise will not lead to another Useful for mission critical applications Protects against inside attacks Cons Software compatibility Difficulty in administration Performance overhead More cumbersome for users Pros and cons
Information Compartmentalization • Information restricted without regard to user ID or “owner” • No user, even administrators, can see or modify information they are not cleared to see • Compromised applications cannot be used for further access, since they cannot see information unrelated to their task
Mandatory Access Control • In DAC (Discretionary Access Control), users own files • User can determine if a file is readable, writable, executable, etc, and by whom • In MAC, restrictions are based on the sensitivity of information • All objects have Sensitivity Labels which define a level or range of levels encompassing the information • SLs cannot be overruled by the owner of a file or even a system administrator
Sensitivity Labels • Two components • Classification • Compartment • Dominant • Top Secret SL can read but not write Confidential SL • Equal • Only time modification is permitted • Disjoint • Prevents equal classifications from accessing other compartments • Top Secret A cannot read Secret A B, since Top Secret A does not have access to the B compartment
Role Compartmentalization • No user can perform all system tasks • There is no “root”, administrators are limited in their privileges • Important system actions must be confirmed by multiple administrators • Execution of a privileged program is still limited by privilege of user
Least Privilege • Processes only have access to the minimum amount of information and privilege required to perform their task • Mail server cannot modify web pages • Web server cannot send email • Even if running as an administrator • Permissions are strictly limited in scope and type
Kernel Level Enforcement • Security related operations happen in kernel mode, where they cannot be circumvented by any amount of user level action • However, operations happen at the highest level possible, limiting potential damage as much as possible • Application cannot override kernel decisions
Trusted OS Implementations • Trusted Solaris • Password generator enforces strong passwords • MAC • Trusted symbol prevents spoofing • Full system auditing • Trusted IRIX • MAC • Mandatory Integrity • Trusted Networking • MAC labeling of input and output
Trusted OS Implementations • Trusted BSD • Based on FreeBSD • Fine grained auditing • Fine grained policy • SELinux • Patches to Linux published by the NSA • Argus Pitbull LX • Trusted environment that runs on top of Linux, Solaris, or AIX • Domain Based Access Control • Has root, but restricted • Allows trusted applications to be run in alongside non-trusted applications, providing flexibility
“Orange Book” standards • Levels of security policies and accountability mechanisms • Certification to use in given situations • C2: Controlled Access Protection (5) • B1: Labeled Security Protection (7) • B2: Structured Protection (1) • B3: Security Domains (1) • A1: Verified Design (0)
Audit Cryptographic support Communications User Data Protection Identification and Authentication Security Management Privacy Protection of the TOE Security Functions Resource Utilization TOE Access Trusted Path/Channels Common Criteria • Supercedes “Orange Book” • Worldwide effort, combines international criteria • Broken into functional requirements:
Common Criteria Assurance Levels • EAL1: Functionally tested • EAL2: Structurally tested • EAL3: Methodically tested and checked • EAL4: Methodically designed, tested, and reviewed • EAL5: Semiformally designed and tested • EAL6: Semiformally verified design and tested • EAL7: Formally verified design and tested
References • http://www.argus-systems.com/product/white_paper/pitbull/oss/2.shtml • http://rr.sans.org/securitybasics/trusted_OS.php • http://www.sei.cmu.edu/str/descriptions/trusted_body.html • http://www.computerworld.com/cwi/story/0,1199,NAV47_STO53293,00.html • http://www.commoncriteria.org • http://www.securityhorizon.com/whitepapers/archives/tos.html • http://rr.sans.org/securitybasics/trusted_OS.php • http://www.nsa.gov/selinux/index.html • http://wwws.sun.com/software/solaris/trustedsolaris/ts_tech_faq/