Design and Analysis of Computer Algorithm, Lecture notes of Computer Science

Typology: Lecture notes

2018/2019

Uploaded on 11/26/2019

amjad22

Chapter 6

Security Kernels

Chapter Overview

  • Description
  • Secure Communications Processor (Scomp)
    • Architecture
    • Hardware
    • Trusted Operating Program
    • Kernel Interface Package
    • Applications
    • Evaluation
  • Gemini Secure Operating System
  • Summary

The Security Kernel

  • MITRE, 1974, 20 subroutines, 1000 SLOC
    • Showed the what and the how.
    • Focus became verification
    • Three core principles:
      • Implement a specific security policy
      • Define a verifiable protection behavior of the system as a whole
      • The implementation must be shown to be faithful to the security model's design

Secure Communications Processor (Scomp)

  • Kernel-based system
  • Designed to implement Multics' MLS requirements.
  • Original idea was to build an emulator to allow execution on an ordinary OS (UNIX).
  • Ended up with a new API that provided the necessary security.

Scomp Architecture

SCOMP Architecture notes

  • Accesses to protected resources are mediated using an MLS policy:
    • App requests a hardware descriptor sufficient to access the resource.
    • If granted, the security kernel builds the descriptor (object + permissions) and returns a reference.
  • Isolation/tamperproofing provided by the ring mechanism. Rings and transitions are implemented in hardware.
  • Verification was part of the process.

SCOMP Hardware 2

  • Each process includes a descriptor base root:
    • References memory and I/O descriptors
    • Used for mediating memory and I/O references.
    • DMA is authorized on a per-transaction basis.
      • I/O descriptors are built by the kernel.
      • Hardware does all authorizations.
      • Drivers are not part of the kernel! (more efficient and secure)
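The mediation path described on the Architecture and Hardware slides (a process asks for a descriptor, the kernel evaluates the MLS policy once and builds object + permissions, and the hardware then checks every later access, including each DMA transfer, against that descriptor alone) as an added Python model. This is not Scomp code and not from the lecture: the labels, object and process names, sizes, and the Bell-LaPadula-style "no read up / no write down" rules used for the MLS check are constructed assumptions for illustration.

```python
"""Added toy model of Scomp-style descriptor mediation under an MLS policy.
Hypothetical: labels, objects, processes and sizes are constructed here."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Label:
    """MLS label: a sensitivity level plus a set of categories."""
    level: int
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and other.categories <= self.categories


@dataclass(frozen=True)
class Descriptor:
    """What the kernel builds and hands back: object, granted permissions, bounds."""
    object_id: str
    permissions: FrozenSet[str]
    size: int


class AccessDenied(Exception):
    pass


class SecurityKernel:
    """Reference monitor: decides once, records the decision as a descriptor."""

    def __init__(self) -> None:
        self._objects: Dict[str, Tuple[Label, int]] = {}
        self._subjects: Dict[str, Label] = {}
        self._tables: Dict[str, List[Descriptor]] = {}  # per-process descriptor table

    def add_object(self, object_id: str, label: Label, size: int) -> None:
        self._objects[object_id] = (label, size)

    def add_process(self, pid: str, label: Label) -> None:
        self._subjects[pid] = label
        self._tables[pid] = []

    def request_descriptor(self, pid: str, object_id: str, wanted: Set[str]) -> int:
        """Policy check (assumed BLP rules): read needs subject >= object,
        write needs object >= subject. Returns the descriptor's index, which is
        the reference the process uses for all later accesses."""
        subject = self._subjects[pid]
        obj_label, size = self._objects[object_id]
        granted: Set[str] = set()
        if "read" in wanted and subject.dominates(obj_label):
            granted.add("read")           # no read up
        if "write" in wanted and obj_label.dominates(subject):
            granted.add("write")          # no write down
        if granted != set(wanted):
            raise AccessDenied(f"{pid} may not {sorted(set(wanted) - granted)} {object_id}")
        table = self._tables[pid]
        table.append(Descriptor(object_id, frozenset(granted), size))
        return len(table) - 1

    def descriptor(self, pid: str, ref: int) -> Descriptor:
        return self._tables[pid][ref]


def hardware_access(kernel: SecurityKernel, pid: str, ref: int,
                    op: str, offset: int, length: int = 1) -> bool:
    """Per-access check as the hardware would do it: only the descriptor's
    permission bits and bounds are consulted; the policy is never re-evaluated.
    A DMA transaction is just an access with a length."""
    d = kernel.descriptor(pid, ref)
    if op not in d.permissions:
        raise AccessDenied(f"descriptor {ref} of {pid} lacks {op} on {d.object_id}")
    if offset < 0 or length <= 0 or offset + length > d.size:
        raise AccessDenied(f"transfer [{offset}, {offset + length}) exceeds {d.object_id}")
    return True


def _attempt(fn, *args) -> bool:
    """True if the operation was allowed, False if the monitor denied it."""
    try:
        fn(*args)
        return True
    except AccessDenied:
        return False


def demo() -> Dict[str, bool]:
    """Constructed scenario; returns which operations were allowed."""
    k = SecurityKernel()
    k.add_object("secret-file", Label(2, frozenset({"crypto"})), size=4096)
    k.add_object("public-log", Label(0), size=512)
    k.add_process("analyst", Label(2, frozenset({"crypto"})))
    k.add_process("clerk", Label(0))
    out: Dict[str, bool] = {}
    ref = k.request_descriptor("analyst", "secret-file", {"read"})   # analyst dominates the file
    out["analyst_read_secret"] = _attempt(hardware_access, k, "analyst", ref, "read", 0, 16)
    # the read descriptor carries no write bit, so the hardware refuses a write through it
    out["analyst_write_via_read_desc"] = _attempt(hardware_access, k, "analyst", ref, "write", 0, 16)
    # write down to the public log is refused when the descriptor is requested
    out["analyst_write_public"] = _attempt(k.request_descriptor, "analyst", "public-log", {"write"})
    # the clerk may write up into the secret file but may not read it
    out["clerk_write_secret"] = _attempt(k.request_descriptor, "clerk", "secret-file", {"write"})
    out["clerk_read_secret"] = _attempt(k.request_descriptor, "clerk", "secret-file", {"read"})
    # per-transaction DMA: a transfer that overruns the descriptor's bounds is refused
    dma = k.request_descriptor("clerk", "public-log", {"read", "write"})
    out["clerk_dma_in_bounds"] = _attempt(hardware_access, k, "clerk", dma, "write", 0, 512)
    out["clerk_dma_overrun"] = _attempt(hardware_access, k, "clerk", dma, "write", 500, 64)
    return out


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:32s} {'allowed' if allowed else 'denied'}")
```

The point the model makes: the policy decision lives in the kernel, but the decision is materialised as a descriptor with fixed permissions and bounds, so the per-access check that the hardware repeats millions of times never has to understand the MLS lattice, and a driver outside the kernel cannot widen what a transaction may touch.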

SCOMP Security Protection Module

SCOMP Trusted Operating Program Security Kernel

  • Memory management, process scheduling, interrupt management, audit and reference monitor. 10K SLOC, mostly in Pascal.
  • Objects consist of processes, segments and devices, each identified by a unique 64-bit id.
  • Access control similar to Multics, but ring brackets allow for owner/group/others
  • 38 gates to enter ring 0

SCOMP Trusted Software 1

  • Two types:
    • Trusted not to violate system or integrity goals: e.g. the secure loader is trusted to load a process for any subject in a way that ensures correct enforcement of information flows.
    • Trusted to maintain the security policy correctly: e.g. user authentication.
  • 23 processes implement trusted functions: 11K SLOC in C

Scomp Kernel Interface Package (SKIP) 1

  • Uniform interface for user applications to access trusted functions.
  • Two parts
    • SKIP functions
    • SKIP libraries

Scomp Kernel Interface Package (SKIP) 2

  • SKIP functions do trusted operations on user-level objects
    • Files via a hierarchical file system
    • Process management
    • Concurrent I/O through an event mechanism
  • Allowed to manipulate system state, so trusted not to violate MLS requirements, like trusted software.
  • In ring 2, invoked via gates
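The ring mechanism referred to on the Architecture, Trusted Operating Program and SKIP slides (transitions enforced in hardware, ring 0 reachable only through a fixed set of gates, SKIP functions sitting in ring 2 and themselves entered via gates) as an added Python model. It is not from the lecture or from Scomp: the ring numbering, the segment names and the functions behind them are constructed assumptions, and Scomp's real gate set is not reproduced.

```python
"""Added toy model of hardware-enforced ring transitions through gates.
Hypothetical: ring numbers, segment names and functions are constructed here."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

RING_KERNEL, RING_SKIP, RING_USER = 0, 2, 3   # assumed numbering


class ProtectionFault(Exception):
    pass


@dataclass(frozen=True)
class CodeSegment:
    ring: int                   # ring the code executes in
    entry: Callable[..., Any]   # the code itself
    is_gate: bool = False       # may be entered from a less privileged ring


class RingMachine:
    """Hardware rule modelled: control may move to a more privileged ring
    only by calling a segment that was registered as a gate."""

    def __init__(self) -> None:
        self._segments: Dict[str, CodeSegment] = {}
        self.current_ring = RING_USER

    def load(self, name: str, ring: int, fn: Callable[..., Any], gate: bool = False) -> None:
        self._segments[name] = CodeSegment(ring, fn, gate)

    def gates_into(self, ring: int) -> List[str]:
        """The enumerable entry points into a ring (the slide's '38 gates')."""
        return sorted(n for n, s in self._segments.items() if s.ring == ring and s.is_gate)

    def call(self, name: str, *args: Any) -> Any:
        seg = self._segments[name]
        if seg.ring < self.current_ring and not seg.is_gate:
            raise ProtectionFault(
                f"ring {self.current_ring} tried to enter ring {seg.ring} at '{name}', not a gate")
        caller_ring = self.current_ring
        self.current_ring = seg.ring           # transition happens at the entry point
        try:
            return seg.entry(self, *args)
        finally:
            self.current_ring = caller_ring    # returning drops privilege again


# --- constructed segments --------------------------------------------------
def kernel_alloc_segment(m: RingMachine, size: int) -> dict:
    """Kernel-internal routine: reachable only by code already in ring 0."""
    return {"segment": "new", "size": size, "ring_at_alloc": m.current_ring}


def k_create_segment_gate(m: RingMachine, size: int) -> dict:
    """Ring 0 gate: validates its argument before using kernel internals."""
    if size <= 0 or size > 1 << 20:
        raise ValueError("bad size")
    return m.call("kernel_alloc", size)


def skip_create_file(m: RingMachine, name: str, size: int) -> dict:
    """SKIP function in ring 2, entered via a gate; uses the kernel gate."""
    seg = m.call("k_create_segment", size)
    return {"file": name, "ring_of_skip": m.current_ring, **seg}


def build_machine() -> RingMachine:
    m = RingMachine()
    m.load("kernel_alloc", RING_KERNEL, kernel_alloc_segment)                  # not a gate
    m.load("k_create_segment", RING_KERNEL, k_create_segment_gate, gate=True)
    m.load("skip_create_file", RING_SKIP, skip_create_file, gate=True)
    return m


def demo() -> Dict[str, Any]:
    """Constructed scenario run from the user ring."""
    m = build_machine()
    out: Dict[str, Any] = {"gates_into_ring0": m.gates_into(RING_KERNEL)}
    # user code reaches kernel internals only via the SKIP gate, then the kernel gate
    out["via_skip"] = m.call("skip_create_file", "notes.txt", 4096)
    # calling a ring 0 gate directly from the user ring is permitted too
    out["via_kernel_gate"] = m.call("k_create_segment", 128)
    # jumping straight into a kernel-internal segment is faulted by the hardware
    try:
        m.call("kernel_alloc", 128)
        out["direct_internal"] = "entered"
    except ProtectionFault:
        out["direct_internal"] = "fault"
    out["ring_after"] = m.current_ring     # privilege is back at user level
    return out


if __name__ == "__main__":
    print(demo())
```

Because every entry into ring 0 is one of the registered gates, the set of kernel entry points is small and enumerable, which is what makes the interface a tractable thing to verify; the gate itself is where argument validation has to happen, since nothing before it ran with the caller's limited privilege.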

Scomp Applications

  • Unix??
  • Mail guard
  • Secure Office Management System

Scomp Evaluation 1: Complete Mediation

  • How does the reference monitor interface ensure that all security operations are mediated correctly?
    • All mediation done in hardware
  • Does the reference monitor interface mediate security-sensitive operations on all system resources?
    • Initial access to file data depends on access to I/O
  • How do we verify that the reference monitor provides complete mediation?
    • Hardware.