CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger
CSE 543 - Computer Security
Lecture 12 - MAC Security
October 4, 2007
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/
Mandatory Access Control
Is about administration
Policy is defined and fixed for the system
• Users cannot modify policy
• More importantly, users’ processes cannot modify policy
So, what should the policy be?
MAC Systems
Major effort: Multics
Multiprocessing system -- developed many OS concepts
• Including security
Begun in 1965
• Development continued into the mid-70s
Used until 2000
Initial partners: MIT, Bell Labs, GE/Honeywell
A subsequent proprietary system, SCOMP, became the basis for secure operating system design
Multics Goals
Secrecy
• Multilevel security
Integrity
• Rings of protection
Reference monitoring
• Mediate segment access, ring crossing
Resulting system is considered a high point in secure system design
Evaluating Policy
Access is allowed if
subject clearance level >= object sensitivity level and
subject categories ⊇ object categories (read down)
Q: What would write-up be?
Hence, with the following labels:
• Bob: (CONF., {INTEL})
• Charlie: (TS, {CRYPTO, NUC, INTEL})
• Alice: (SEC., {CRYPTO, NUC})
• DocA: (CONFIDENTIAL, {INTEL})
• DocB: (SECRET, {CRYPTO})
• DocC: (UNCLASSIFIED, {NUC})
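The read-down and write-up rules applied to the labels on the slide, as an added example that is not part of the lecture material. It assumes the slide's abbreviations expand to CONF. = CONFIDENTIAL, SEC. = SECRET and TS = TOP SECRET, and that the levels are totally ordered UNCLASSIFIED < CONFIDENTIAL < SECRET < TOP SECRET. Reading requires the subject's label to dominate the object's; writing (the answer to the write-up question) requires the reverse, so a subject can never copy data into a less sensitive object.

```python
# Added example (not from the lecture slides): evaluating the multilevel
# secrecy rule on the slide's labels. The slide's abbreviations are read as
# CONF. = CONFIDENTIAL, SEC. = SECRET, TS = TOP SECRET (an assumption).
from typing import Dict, FrozenSet, NamedTuple, Set, Tuple

# Total order on sensitivity/clearance levels, lowest first.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


class Label(NamedTuple):
    level: str
    categories: FrozenSet[str]


def dominates(a: Label, b: Label) -> bool:
    """a dominates b: a's level is at least b's and a's categories contain b's."""
    return RANK[a.level] >= RANK[b.level] and a.categories >= b.categories


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (read down): the subject must dominate the object."""
    return dominates(subject, obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (write up, never down): the object must dominate the subject,
    so a process can only move data to equally or more sensitive objects."""
    return dominates(obj, subject)


def label(level: str, *cats: str) -> Label:
    return Label(level, frozenset(cats))


# Labels transcribed from the slide.
SUBJECTS: Dict[str, Label] = {
    "Bob": label("CONFIDENTIAL", "INTEL"),
    "Charlie": label("TOP SECRET", "CRYPTO", "NUC", "INTEL"),
    "Alice": label("SECRET", "CRYPTO", "NUC"),
}
OBJECTS: Dict[str, Label] = {
    "DocA": label("CONFIDENTIAL", "INTEL"),
    "DocB": label("SECRET", "CRYPTO"),
    "DocC": label("UNCLASSIFIED", "NUC"),
}


def access_matrix() -> Dict[Tuple[str, str], Set[str]]:
    """Map (subject, object) to the set of permitted operations."""
    result: Dict[Tuple[str, str], Set[str]] = {}
    for s_name, s in SUBJECTS.items():
        for o_name, o in OBJECTS.items():
            ops: Set[str] = set()
            if can_read(s, o):
                ops.add("read")
            if can_write(s, o):
                ops.add("write")
            result[(s_name, o_name)] = ops
    return result


if __name__ == "__main__":
    for (s, o), ops in sorted(access_matrix().items()):
        print(f"{s:8} {o}: {sorted(ops) or 'no access'}")
```

Charlie dominates every document and so can read all three but write none; Bob and DocA carry identical labels, so that is the only pair where both read and write are allowed.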
Protection Rings
- Successively less-privileged “domains”
- Example: Multics (64 rings in theory, 8 in practice)
- Modern CPUs support 4 rings
- Use 2 mainly: Kernel and user
- Intel x86 rings
- Ring 0 has kernel
- Ring 3 has application code
Intel Protection Ring Rules
- Each memory segment has a privilege level (ring number)
- The CPU has a Current Protection Level (CPL)
  - Level of the segment where instructions are being read
- Program can read/write in segments of lower privilege (higher ring number) than CPL
  - kernel can read/write user space
  - user cannot read/write kernel - why not?
Protection Ring Rules
- Program cannot call code of higher privilege directly
  - Gate is a special memory address where lower-privilege code can call higher
  - Enables OS to control where applications call it (system calls)
Multics Interpretation (cont.)
- Also different procedure segments
  - with call brackets: (c1, c2)
  - and access brackets: (a1, a2)
- Rights to execute code in a new procedure segment
  - r < a1: access permitted with ring-crossing fault
  - a1 <= r <= a2 = c1: access permitted and no fault
  - a2 < r <= c2: access permitted through a valid gate
  - c2 < r: access denied
- What does it mean?
  - case 1: ring-crossing fault changes procedure's ring
  - case 2: keep same ring number
  - case 3: gate checks args, decreases ring number
  - Target code segment defines the new ring
Examples
- Process in ring 3 accesses data segment
  - access bracket: (2, 4)
  - What operations can be performed?
- Process in ring 5 accesses same data segment
  - What operations can be performed?
- Process in ring 5 accesses procedure segment
  - access bracket (2, 4)
  - call bracket (4, 6)
  - Can call be made?
  - How do we determine the new ring?
  - Can new procedure segment access the data segment above?
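The bracket rules worked through on the slide's examples, as an added example rather than code from the lecture. The procedure-segment cases are the four on the slide, with the interpretation that an outward call (r < a1) continues in ring a1 and a gate call continues in ring a2, since the target segment defines the new ring. The data-segment rule (read and write below the access bracket, read only inside it, no access above it) comes from the Multics ring design and is not stated on the slide; it also assumes the segment's ACL grants the process both r and w.

```python
# Added example (not from the lecture slides): evaluating Multics ring brackets
# for the slide's examples. Procedure-segment cases follow the slide; the
# data-segment rule is taken from the Multics ring design (assumption: the
# segment's ACL already grants r and w to the process).
from typing import Dict, Optional, Set, Tuple

Bracket = Tuple[int, int]   # (low ring, high ring), both inclusive


def data_segment_ops(r: int, access: Bracket) -> Set[str]:
    """Operations a process in ring r may perform on a data segment
    with access bracket (a1, a2)."""
    a1, a2 = access
    if r < a1:
        return {"read", "write"}    # more privileged than the bracket
    if r <= a2:
        return {"read"}             # inside the bracket: read only
    return set()                    # less privileged than the bracket


def procedure_call(r: int, access: Bracket, call: Bracket) -> Tuple[str, Optional[int]]:
    """Outcome of a process in ring r transferring to a procedure segment with
    access bracket (a1, a2) and call bracket (c1, c2), where c1 == a2.
    Returns (case, ring the callee runs in); the ring is None when denied."""
    a1, a2 = access
    c1, c2 = call
    if c1 != a2:
        raise ValueError("call bracket must begin where the access bracket ends")
    if r < a1:
        return ("ring-crossing fault", a1)   # case 1: outward call, ring becomes a1
    if r <= a2:
        return ("no fault", r)               # case 2: keep the caller's ring
    if r <= c2:
        return ("gate", a2)                  # case 3: inward call via gate, ring becomes a2
    return ("denied", None)                  # case 4: outside the call bracket


def slide_examples() -> Dict[str, object]:
    """Answers for the three scenarios on the slide."""
    data_bracket = (2, 4)
    proc_access, proc_call = (2, 4), (4, 6)
    case, new_ring = procedure_call(5, proc_access, proc_call)
    callee_ops = data_segment_ops(new_ring, data_bracket) if new_ring is not None else set()
    return {
        "ring 3 on data (2,4)": data_segment_ops(3, data_bracket),
        "ring 5 on data (2,4)": data_segment_ops(5, data_bracket),
        "ring 5 calls proc (2,4)/(4,6)": (case, new_ring),
        "callee on data (2,4)": callee_ops,
    }


if __name__ == "__main__":
    for question, answer in slide_examples().items():
        print(f"{question}: {answer}")
```

The ring-5 process cannot touch the data segment directly, but it can enter the procedure through a gate, after which the callee runs in ring 4 and gets read-only access to that same segment; this is exactly why the gate must validate its arguments before acting on the caller's behalf.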
Multics Vulnerability Analysis
- Detailed security analysis covering
  - Hardware
  - Software
  - Procedural features (administration)
- Good news
  - Design for security
  - System language prevents buffer overflows
  - Hardware features prevent buffer overflows
    - Addressing off segment is an error
    - Stack grows up
  - System is much smaller than current UNIX systems
  - Vulnerability analysis found flaws that were fixed
  - Multics attained a B2 evaluation (MAC system)
Vulnerabilities Found
- Not mentioned in this paper
- Hardware
  - Indirect addressing -- incomplete mediation
    - Check direct, but not indirect address
    - Mistaken modification introduced the error
- Software
  - Ring protection (done in software)
    - Argument validation was flawed
    - Certain type of pointer was handled incorrectly
  - Master mode transfer
    - For performance, run master mode program (signaler) in user ring
    - Development assumed trusted input to signaler -- bad combo
- Procedural
  - Trap door insertion goes undetected
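A schematic of the indirect-addressing flaw ("check direct, but not indirect address"), added here as an illustration of incomplete mediation; it is not Multics code and does not reproduce the actual hardware. The memory image, the indirect-word encoding and the per-segment ring limits are all constructed for the example. The flawed monitor checks only the address named by the instruction and then follows indirect words unchecked; the mediated version re-checks every address reached while resolving the operand, which is the reference-monitor property the slide contrasts it with.

```python
# Added example (not from the lecture slides): a schematic reference monitor
# illustrating the "check direct, but not indirect address" flaw. The segment
# layout, indirect-word encoding, ring limits and both monitor variants are
# constructed for this illustration; none of it is Multics code.
from typing import Dict, Tuple, Union

Address = Tuple[str, int]                       # (segment name, word offset)
Word = Union[str, Tuple[str, str, int]]          # data, or ("ind", segment, offset)

# Constructed memory image: the user segment holds one data word and one
# indirect word that points into the kernel segment.
MEMORY: Dict[Address, Word] = {
    ("user", 0): "user data",
    ("user", 1): ("ind", "kernel", 0),
    ("kernel", 0): "kernel-private data",
}

# Constructed policy: a process in ring r may read a segment iff r <= its limit.
SEGMENT_RING_LIMIT: Dict[str, int] = {"user": 3, "kernel": 0}


def permitted(ring: int, segment: str) -> bool:
    return ring <= SEGMENT_RING_LIMIT[segment]


def is_indirect(word: Word) -> bool:
    return isinstance(word, tuple) and word[0] == "ind"


def load_flawed(ring: int, segment: str, offset: int) -> Word:
    """Incomplete mediation: only the address named in the instruction is
    checked; indirect words are then followed with no further check."""
    if not permitted(ring, segment):
        raise PermissionError(f"ring {ring} may not read segment {segment}")
    word = MEMORY[(segment, offset)]
    while is_indirect(word):
        _, segment, offset = word
        word = MEMORY[(segment, offset)]        # unchecked dereference
    return word


def load_mediated(ring: int, segment: str, offset: int) -> Word:
    """Complete mediation: every address touched while resolving the operand,
    including each indirect target, is checked before it is read."""
    while True:
        if not permitted(ring, segment):
            raise PermissionError(f"ring {ring} may not read segment {segment}")
        word = MEMORY[(segment, offset)]
        if not is_indirect(word):
            return word
        _, segment, offset = word               # re-checked on the next iteration


def compare(ring: int, segment: str, offset: int) -> Dict[str, str]:
    """Run both monitors on the same access and report what each allowed."""
    results: Dict[str, str] = {}
    for name, loader in (("flawed", load_flawed), ("mediated", load_mediated)):
        try:
            results[name] = str(loader(ring, segment, offset))
        except PermissionError:
            results[name] = "denied"
    return results


if __name__ == "__main__":
    # A ring-3 (user) process reads user word 1, which indirects into the kernel.
    print(compare(3, "user", 1))
```

The point of the comparison is the placement of the check: a monitor that validates the instruction's operand once, before address resolution, mediates only the first hop, so any later hop the hardware (or software) takes on the program's behalf must be validated too.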
Dime-a-Dozen
- Everyone started building secure operating environments
- Some from scratch
  - GEMSOS (security kernel)
  - PSOS (design only)
  - Adept-50 (high water mark)
  - KSOS (emulate UNIX interface)
- Many based on the OSes of the day
  - KVM/370 (VM/370)
  - UCLA Secure UNIX (UNIX)
  - DEC OS (VAX/VMS)
- None particularly took hold
  - GEMSOS is still in business (Aesec)