Scribe Notes on ECS 235A: Confinement and Reference Monitors with Focus on Janus - Prof. H, Study notes of Computer Science

These scribe notes from ECS 235A, dated October 19, 2007, by Paul Congdon, discuss confinement, a security approach to prevent programs from violating system security properties. The notes cover the Janus paper, early multi-tasking OSes, and the properties of reference monitors as mechanisms for confinement. The document also includes a discussion of Janus' threat model, strengths, and weaknesses, as well as a comparison between Janus and firewalls.


Uploaded on 07/30/2009

ECS 235A – Scribe Notes – 10/19/2007
Paul Congdon
Confinement:
1. How to confine a program so it will not violate security properties of the system
or other programs?
2. The Janus paper addresses the confinement problem.
3. Early Multi-tasking OSes had a similar problem.
4. The goal of confinement is to uphold
a. Confidentiality
b. Integrity
c. (and to a lesser degree) Availability
5. Confidentiality – prevent the leak of confidential information
6. Integrity – prevent an untrusted program from harming the system
7. Availability – assure an untrusted program doesn't use too many resources
Reference Monitors
1. An abstract mechanism for confinement approaches
2. Mediates access to objects and resources
3. Must possess the following properties:
a. Always invoked
b. Easily verifiable
Mechanisms for Confinement
1. OS Sandbox
a. Always invoked – yes; Janus can be invoked on every system call the confined
process makes
b. Easily verifiable – yes, if the implementation is simple and small, as in
Janus
2. Virtual Machines
a. Always invoked – yes
b. Easily verifiable – more complex than sandboxes, but less complex than
the OS itself
3. Inline Reference Monitors – can be applied selectively
a. Always invoked – yes, but only on those applications or resources being
monitored
b. Easily verifiable – the inlined checks themselves are small, but they may be
circumvented if the executing program is not type safe, since unsafe code can
jump around or overwrite the checks inserted into it
Janus Paper Discussion
1. What is the threat model of Janus? What is trusted and untrusted?
a. Trusted elements
i. OS
ii. System call tracing facility
b. Untrusted elements
i. Helper applications
ii. Input data to helper applications
2. System call interposition approach
a. The assumption is that an application can't do harm without making system
calls.
b. This assertion, of course, depends upon the definition of 'harm'.
c. If 'harm' means threats to confidentiality, integrity and availability, then
yes, Janus provides protection (with the caveat that a CPU-bound loop needs no
system call, which is one reason availability is covered only to a lesser degree).
3. Janus in action
a. Reads the configuration file
b. Loads the appropriate monitoring modules
c. Sets up the monitoring mechanism / system call trace utility
d. Starts the application to be monitored
4. Strengths of the approach
a. Very simple
5. Weaknesses of the approach
a. Cannot easily support applications that require privileges
b. Does not consider the relationship among system calls; each call is checked
on its own
c. Does not do a taint flow analysis on the data; it cannot track data flow
d. Has portability issues in the implementation, since it depends on the host
OS's system call tracing facility
e. Configurations for Janus are difficult to write
Comparing Janus and Firewalls
1. A firewall is a kind of reference monitor.
2. It should be easier to write rules for a firewall than for Janus, because a
firewall looks at a more constrained environment (packet header fields rather
than arbitrary system call arguments).
3. Janus deals with application semantics better than firewalls.
4. There are more advanced firewalls, application proxies/gateways, that are
more aware of application semantics.
5. A firewall reference monitor has the advantage of being separate from the OS
and is therefore easier to deploy.
6. Application gateways can recognize more complex payloads, but have trouble
operating in the presence of end-to-end encryption such as SSL, because they
cannot inspect a payload they cannot decrypt.
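The per-call policy evaluation described under "Janus in action" and the comparison with firewalls, as an added example that is not code from the scribe notes or from the Janus project. It assumes a Janus-like policy syntax with "basic", "path" and "net" modules, first-match semantics, a constructed system call trace and constructed packets; the real Janus configuration language and module set are not reproduced here. One mediation loop serves both policies, which is the sense in which a firewall is a kind of reference monitor.

```python
"""Janus-style reference monitor replayed over constructed traces.
Added example, not code from the scribe notes or the Janus project; rule
syntax, module names, event format and first-match order are assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Syscall:
    name: str
    args: dict   # e.g. {"path": "/tmp/x", "flags": "O_RDONLY"}

@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: int

class ReferenceMonitor:
    """Ordered (predicate, verdict) rules, default deny, and stateless on
    purpose: each event is judged alone, like Janus's per-call checks."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, event):
        for match, verdict in self.rules:
            if match(event):
                return verdict
        return "deny"

# Calls the 'basic' module treats as harmless (assumed list); open(2) flags
# mapped to the access modes the call needs (O_RDWR needs both).
BASIC_ALLOW = {"read", "write", "close", "brk", "exit", "getpid"}
OPEN_MODES = {"O_RDONLY": {"read"}, "O_WRONLY": {"write"}, "O_RDWR": {"read", "write"}}

def path_rule(mode, pattern):
    """'path <verdict> <mode> <glob>': open() calls that need <mode> on a
    matching path.  fnmatch's '*' crosses '/', so '/tmp/*' covers '/tmp/a/b'."""
    def match(e):
        if e.name != "open":
            return False
        needed = OPEN_MODES.get(e.args.get("flags"), {"read", "write"})
        return mode in needed and fnmatchcase(e.args.get("path", ""), pattern)
    return match

def net_rule(call, pattern):
    """'net <verdict> <call> <host-glob>': network calls matched by host."""
    return lambda e: e.name == call and fnmatchcase(e.args.get("host", ""), pattern)

def parse_syscall_policy(text):
    """Turn a Janus-like policy file (assumed syntax) into rules."""
    rules = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words == ["basic"]:
            rules.append((lambda e: e.name in BASIC_ALLOW, "allow"))
        elif words[0] in ("path", "net") and len(words) == 4:
            factory = path_rule if words[0] == "path" else net_rule
            rules.append((factory(words[2], words[3]), words[1]))
        else:
            raise ValueError(f"bad policy line: {raw!r}")
    return rules

# Constructed policy for an untrusted helper application; first match wins.
SYSCALL_POLICY = """
basic
path deny  read  /tmp/out/private*
path allow read  /tmp/*
path allow write /tmp/out/*
net  allow connect localhost
"""

# Constructed firewall rules over a few header fields: a much smaller
# vocabulary than system call arguments, hence easier to write.
FIREWALL_RULES = [
    (lambda p: p.proto == "tcp" and p.dst == "10.0.0.5" and p.dport == 443, "allow"),
    (lambda p: p.proto == "tcp" and p.dport == 22, "deny"),
    (lambda p: p.proto == "udp" and p.dport == 53, "allow"),
]

def run_helper_trace():
    """Verdicts for a constructed system call trace of a helper application."""
    monitor = ReferenceMonitor(parse_syscall_policy(SYSCALL_POLICY))
    trace = [
        Syscall("open", {"path": "/tmp/in.dat", "flags": "O_RDONLY"}),
        Syscall("read", {"fd": 3}),
        Syscall("open", {"path": "/tmp/out/private.key", "flags": "O_RDONLY"}),
        Syscall("open", {"path": "/etc/passwd", "flags": "O_RDONLY"}),
        Syscall("connect", {"host": "localhost"}),
        Syscall("connect", {"host": "evil.example"}),
        # Allowed on its own even if the bytes written came from /tmp/in.dat:
        # the monitor sees single calls, never the data flow between them.
        Syscall("open", {"path": "/tmp/out/result", "flags": "O_WRONLY"}),
    ]
    return [monitor.decide(call) for call in trace]

def run_packet_trace():
    """Verdicts for constructed packets through the firewall-style monitor."""
    monitor = ReferenceMonitor(FIREWALL_RULES)
    packets = [Packet("tcp", "10.0.0.5", 443), Packet("tcp", "10.0.0.5", 22),
               Packet("udp", "10.0.0.1", 53), Packet("tcp", "10.0.0.7", 80)]
    return [monitor.decide(p) for p in packets]   # last one: no rule, default deny
```

Every event is decided on its own, which is both the strength (the decision loop is a handful of lines and easy to verify) and the weakness the notes record: the final open of /tmp/out/result is allowed even though the bytes written may have come from a file the policy let the helper read, and no rule relates one call to the next. The firewall rules need only three header fields, which is why they are easier to write than a Janus configuration, and why they know nothing of what the application is doing.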