Mandatory Access Control - Computer Security | CSE 543, Study notes of Computer Science

Material Type: Notes; Class: Computer Security; Subject: Computer Science and Engineering; University: Penn State - Main Campus; Term: Fall 2007;

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger
CSE 543 - Computer Security
Lecture 12 - MAC Security
October 4, 2007
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/

Mandatory Access Control

  • Is about administration
  • Policy is defined and fixed for the system
    • Users cannot modify policy
    • More importantly, users' processes cannot modify policy
  • So, what should the policy be?

MAC Systems

  • Major effort: Multics
    • Multiprocessing system -- developed many OS concepts, including security
    • Begun in 1965; development continued into the mid-70s
    • Used until 2000
    • Initial partners: MIT, Bell Labs, GE/Honeywell
  • Subsequent proprietary system, SCOMP, became the basis for secure operating systems design

Multics Goals

  • Secrecy: multilevel security
  • Integrity: rings of protection
  • Reference monitoring: mediate segment access and ring crossing
  • Resulting system is considered a high point in secure system design

Evaluating Policy

  • Access is allowed if
    • subject clearance level >= object sensitivity level, and
    • subject categories ⊇ object categories (read down: the subject's label dominates the object's)
  • Q: What would write-up be?
  • Hence, for example, with
    • Bob: (CONFIDENTIAL, {INTEL})
    • Charlie: (TOP SECRET, {CRYPTO, NUC, INTEL})
    • Alice: (SECRET, {CRYPTO, NUC})
    • DocA: (CONFIDENTIAL, {INTEL})
    • DocB: (SECRET, {CRYPTO})
    • DocC: (UNCLASSIFIED, {NUC})
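The dominance check above, run over the slide's subjects and documents, as an added example (this code is not from the lecture notes). It implements the read-down rule as stated and answers the slide's write-up question with the dual rule: a subject may write an object only if the object's label dominates the subject's, so information never flows to a less restrictive label. The numeric ordering of the four level names is an assumption of the example, as is the `Label` type.

```python
"""Bell-LaPadula style read-down / write-up checks over a security lattice.

Added example, not part of the CSE 543 slides. Labels are (level, categories);
the level ordering below is the usual one and is assumed for the example.
"""
from dataclasses import dataclass

# Assumed total order on sensitivity levels (smaller = less sensitive).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset

    def dominates(self, other):
        """self >= other in the lattice: level at least as high AND a superset
        of categories. This is only a partial order: (SECRET, {CRYPTO}) and
        (CONFIDENTIAL, {INTEL}) are incomparable, so neither can access the other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(subject, obj):
    # Simple security property ("no read up"): subject must dominate object.
    return subject.dominates(obj)


def can_write(subject, obj):
    # *-property ("no write down"): object must dominate subject, so a process
    # cleared for secrets cannot copy them into a less restrictive object.
    return obj.dominates(subject)


def label(level, *cats):
    return Label(level, frozenset(cats))


# The subjects and objects from the slide.
SUBJECTS = {
    "Bob": label("CONFIDENTIAL", "INTEL"),
    "Charlie": label("TOP SECRET", "CRYPTO", "NUC", "INTEL"),
    "Alice": label("SECRET", "CRYPTO", "NUC"),
}
OBJECTS = {
    "DocA": label("CONFIDENTIAL", "INTEL"),
    "DocB": label("SECRET", "CRYPTO"),
    "DocC": label("UNCLASSIFIED", "NUC"),
}


def access_matrix():
    """Return {(subject, object): set of permitted operations}."""
    matrix = {}
    for s_name, s_label in SUBJECTS.items():
        for o_name, o_label in OBJECTS.items():
            ops = set()
            if can_read(s_label, o_label):
                ops.add("read")
            if can_write(s_label, o_label):
                ops.add("write")
            matrix[(s_name, o_name)] = ops
    return matrix


if __name__ == "__main__":
    for (s, o), ops in sorted(access_matrix().items()):
        print(f"{s:8} {o}: {sorted(ops) or 'no access'}")
```

Note what the category sets do: Bob is cleared higher than DocC but cannot read it, because he lacks the NUC category, and Charlie, who dominates every document, can write none of them, since a write would carry TOP SECRET information down to a lower label.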

Protection Rings

  • Successively less-privileged "domains"
  • Example: Multics (64 rings in theory, 8 in practice)
  • Modern CPUs support 4 rings
    • Use 2 mainly: kernel and user
  • Intel x86 rings
    • Ring 0 has the kernel
    • Ring 3 has application code

Intel Protection Ring Rules

  • Each memory segment has a privilege level (ring number)
  • The CPU has a Current Privilege Level (CPL): the level of the segment from which instructions are being read
  • A program can read/write segments that are at its own level or less privileged (ring number >= CPL)
    • kernel can read/write user space
    • user cannot read/write kernel -- why not?

Protection Ring Rules (con't)

  • A program cannot call code of higher privilege directly
    • A gate is a special memory address through which lower-privilege code can call higher-privilege code
    • Enables the OS to control where applications call it (system calls)
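A simulation of the two rules above, added here as an example (not code from the lecture notes). It follows the checks the x86 architecture applies: a data segment may be accessed only if max(CPL, RPL) <= DPL, a direct far call into a non-conforming code segment must stay in the same ring, and the only way into a more privileged ring is a call gate whose DPL admits the caller. The descriptor "table", segment names and the `PrivilegeFault` type are constructed for the example.

```python
"""x86-style segment privilege checks: rings, CPL/DPL/RPL and call gates.

Added example, not from the CSE 543 slides. The tiny descriptor table is
constructed; the checks follow the architecture's rules for data-segment
access and far calls.
"""
from dataclasses import dataclass

RING_KERNEL, RING_USER = 0, 3


@dataclass(frozen=True)
class Segment:
    name: str
    dpl: int          # descriptor privilege level: the segment's ring number
    kind: str         # "data", "code" (non-conforming) or "gate"
    target: str = ""  # for a gate: the code segment it enters


class PrivilegeFault(Exception):
    """Stands in for the #GP the CPU raises on a failed privilege check."""


# Constructed descriptor table: kernel/user data and code, plus one call gate
# (the "system call" entry) that ring-3 code is allowed to use.
DESCRIPTORS = {
    "kernel_data": Segment("kernel_data", RING_KERNEL, "data"),
    "user_data": Segment("user_data", RING_USER, "data"),
    "kernel_code": Segment("kernel_code", RING_KERNEL, "code"),
    "user_code": Segment("user_code", RING_USER, "code"),
    "syscall_gate": Segment("syscall_gate", RING_USER, "gate", target="kernel_code"),
}


def check_data_access(cpl, selector, rpl=None):
    """True if code running at CPL may read/write the data segment `selector`.

    RPL is the requested privilege level carried in the selector and defaults
    to CPL. A kernel that dereferences a selector handed to it by user code
    should force rpl=3 (that is what the ARPL instruction is for), so the
    check is made with the *user's* privilege and the kernel cannot be used
    as a confused deputy to touch its own segments on the user's behalf."""
    seg = DESCRIPTORS[selector]
    if seg.kind != "data":
        raise PrivilegeFault(f"{selector} is not a data segment")
    rpl = cpl if rpl is None else rpl
    # Less privileged code (bigger ring number) may only reach segments whose
    # DPL is at least as big: ring 0 reaches ring-3 data, not the reverse.
    return max(cpl, rpl) <= seg.dpl


def far_call(cpl, selector):
    """Return the CPL after a far call through `selector`, or raise.

    A direct call may only land in a non-conforming code segment of the same
    ring. Entering a more privileged ring requires a call gate: the gate's
    own DPL says who may use it, and the target's DPL is the ring the CPU
    switches to, which is how the OS fixes the system call entry points."""
    seg = DESCRIPTORS[selector]
    if seg.kind == "code":
        if seg.dpl != cpl:
            raise PrivilegeFault(f"direct call from ring {cpl} into ring {seg.dpl} code")
        return cpl
    if seg.kind == "gate":
        if cpl > seg.dpl:
            raise PrivilegeFault(f"ring {cpl} may not use gate {selector} (DPL {seg.dpl})")
        target = DESCRIPTORS[seg.target]
        if target.dpl > cpl:
            raise PrivilegeFault("a gate never transfers to a less privileged ring")
        return target.dpl
    raise PrivilegeFault(f"{selector} is not callable")


def try_call(cpl, selector):
    """far_call without the exception: new CPL, or None if the call faults."""
    try:
        return far_call(cpl, selector)
    except PrivilegeFault:
        return None


if __name__ == "__main__":
    print("user -> kernel_data:", check_data_access(RING_USER, "kernel_data"))
    print("kernel -> user_data:", check_data_access(RING_KERNEL, "user_data"))
    print("user direct call kernel_code:", try_call(RING_USER, "kernel_code"))
    print("user via syscall_gate:", try_call(RING_USER, "syscall_gate"))
```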

Multics Interpretation (con't)

  • Procedure segments are treated differently too
    • with call brackets (c1, c2), c1 <= c2
    • and access brackets (a1, a2)
  • Rights of a process in ring r to execute code in a new procedure segment
    • r < a1: access permitted, with a ring-crossing fault
    • a1 <= r <= a2 = c1: access permitted, no fault
    • a2 < r <= c2: access permitted only through a valid gate
    • c2 < r: access denied
  • What's it mean?
    • case 1: the ring-crossing fault changes the procedure's ring: it increases from r to a1
    • case 2: keep the same ring number
    • case 3: the gate checks its arguments and decreases the ring number (to a2)
  • The target code segment defines the new ring

Examples

  • Process in ring 3 accesses data segment
    • access bracket: (2, 4)
    • What operations can be performed?
  • Process in ring 5 accesses same data segment
    • What operations can be performed?
  • Process in ring 5 accesses procedure segment
    • access bracket (2, 4)
    • call bracket (4, 6)
    • Can call be made?
    • How do we determine the new ring?
    • Can new procedure segment access the data segment above?
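The bracket rules, coded up and applied to the three questions on the Examples slide, as an added example (not code from the lecture notes). The procedure-segment cases are the four listed on the previous slide. The data-segment rule is not spelled out on the page; the code uses the standard Multics ring-bracket rule that the examples assume: a ring at or below a1 may read and write, a ring inside (a1, a2] may only read, and a ring above a2 gets nothing. Function names and the `via_gate` flag are this example's own.

```python
"""Multics ring-bracket evaluation for data and procedure segments.

Added example, not from the CSE 543 slides. Smaller ring numbers are more
privileged. Data-segment rule: read/write for r <= a1, read-only for
a1 < r <= a2, no access above a2 (standard Multics rule, assumed here).
"""


def data_access(r, a1, a2):
    """Operations a process in ring r may perform on a data segment with
    access bracket (a1, a2)."""
    if r <= a1:
        return {"read", "write"}
    if r <= a2:
        return {"read"}
    return set()


def procedure_call(r, a1, a2, c1, c2, via_gate=False):
    """Outcome of a process in ring r calling a procedure segment with access
    bracket (a1, a2) and call bracket (c1, c2). Returns (outcome, new_ring);
    the callee then runs in new_ring, so the target segment decides the ring."""
    assert a2 == c1 and c1 <= c2, "brackets must be contiguous: a1 <= a2 = c1 <= c2"
    if r < a1:
        # case 1: outward call. The ring-crossing fault moves the process out
        # to a1 before the less privileged code runs, so it cannot inherit
        # the caller's privilege.
        return ("ring-crossing fault", a1)
    if r <= a2:
        # case 2: caller already inside the access bracket; no ring change.
        return ("ok", r)
    if r <= c2:
        # case 3: inward call. Only a gate entry point is acceptable; it
        # validates the arguments and drops the ring to a2 on entry.
        if not via_gate:
            return ("denied: gate required", r)
        return ("ok via gate", a2)
    # Beyond the call bracket: no entry at all, gate or not.
    return ("denied", r)


def slide_examples():
    """Answers to the Examples slide, in order: ring-3 and ring-5 access to a
    data segment with bracket (2, 4); a ring-5 call into a procedure with
    access bracket (2, 4) and call bracket (4, 6), without and with a gate;
    and what that procedure may then do to the same data segment."""
    data = (2, 4)
    q1 = data_access(3, *data)
    q2 = data_access(5, *data)
    no_gate = procedure_call(5, 2, 4, 4, 6)
    gated = procedure_call(5, 2, 4, 4, 6, via_gate=True)
    new_ring = gated[1]
    q3_data = data_access(new_ring, *data)
    return q1, q2, no_gate, gated, q3_data


if __name__ == "__main__":
    for name, answer in zip(("ring 3 on data", "ring 5 on data",
                             "ring 5 call, no gate", "ring 5 call via gate",
                             "callee on data"), slide_examples()):
        print(f"{name}: {answer}")
```

The last answer is the interesting one: the gate lowers the caller from ring 5 to ring 4, and ring 4 sits inside the data segment's access bracket, so the callee can read the data the ring-5 caller could not touch at all. That is the whole point of a gate: it is the only place the kernel has to validate what it was handed before acting with more privilege.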

Multics Vulnerability Analysis

  • Detailed security analysis covering
    • Hardware
    • Software
    • Procedural features (administration)
  • Good news
    • Designed for security
    • System language prevents buffer overflows
      • Defined buffer sizes
    • Hardware features prevent buffer overflows
      • Addressing off the end of a segment is an error
      • Stack grows up (toward higher addresses), so overrunning a stack buffer does not reach the return address
    • System is much smaller than current UNIX systems
  • Vulnerability analysis found flaws that were fixed
    • Multics attained a B2 evaluation (MAC system)

Vulnerabilities Found

  • Not mentioned in this paper
  • Hardware
    • Indirect addressing -- incomplete mediation
      • Check direct, but not indirect address
    • Mistaken modification introduced the error
  • Software
    • Ring protection (done in software)
      • Argument validation was flawed
      • Certain type of pointer was handled incorrectly
    • Master mode transfer
      • For performance, run master mode program (signaler) in user ring
      • Development assumed trusted input to signaler -- bad combo
  • Procedural
    • Trap door insertion goes undetected

Dime-a-Dozen

  • Everyone started building secure operating environments
  • Some from scratch
    • GEMSOS (security kernel)
    • PSOS (design only)
    • Adept-50 (High water mark)
    • KSOS (emulate UNIX interface)
  • Many based on the OS’s of the day
    • KVM/370 (VM/370)
    • UCLA Secure UNIX (UNIX)
    • DEC OS (VAX/VMS)
  • None particularly took hold
    • GEMSOS is still in business (Aesec)