Unit 2 nms
UNIT-2 PART-1: OPERATING SYSTEM SECURITY

Introduction to OS security:

An operating system is a fundamental component of most modern computer systems. The operating system is close to the hardware: it masks the details of the underlying hardware from the programmer and provides the lowest layer of software visible to users. It can be viewed as a resource manager, responsible for fair resource sharing between the different processes in the system. The operating system also controls access to application memory and the scheduling of the processors. Applications rely on OS-level services, and the developers of these applications do not know the level of detail needed to develop secure applications on their own. If the OS does not do these things securely, all security at higher levels is generally compromised, so the OS is a very logical place to enforce and support security.

OS security revolves around the protection of four elements:

1. Confidentiality: the protection of transmitted data from passive attacks, i.e. protection of data from unauthorized disclosure.
2. Authentication: this mechanism helps establish proof of identities. The authentication process ensures that the origin of an electronic message or document is correctly identified.
3. Integrity: when the contents of a message are changed after the sender sends it but before it reaches the intended recipient, we say that the integrity of the message is lost.
4. Availability: resources should be available to authorized parties at all times.

Protection Mechanisms:

The concept of multiprogramming introduces the sharing of resources among users. This sharing involves memory, I/O devices, programs and data. The ability to share these resources introduces the need for protection. An OS may offer protection along the following spectrum:

- No protection: appropriate when sensitive procedures are being run at separate times.
- Isolation: each process operates separately from other processes, with no sharing. Each process has its own address space, files and other objects.
- Share all or share nothing: the owner of an object declares it to be public or private; in the latter case only the owner's process may access the object.
- Share via access limitation: the OS checks the permissibility of each access by a specific user to a specific object. The OS therefore acts as a guard between users and objects, ensuring that only authorized accesses occur.
- Share via dynamic capabilities: this extends the concept of access control to allow dynamic creation of sharing rights for objects.
- Limit use of an object: this form of protection limits not just access to an object but the use to which that object may be put.
A given OS may provide different degrees of protection for different objects, users and applications. The OS needs to balance the need to allow sharing with the need to protect the resources of individual users.

PROTECTION OF MEMORY:

In a multiprogramming environment, protection of main memory is essential. The concern here is not just security but the correct functioning of the various processes that are active. The separation of the memory spaces of the various processes is easily accomplished with a virtual memory scheme. Segmentation or paging, or the two in combination, provides an effective tool for managing main memory.

The measures taken to control access in data processing systems fall into two categories:

- User-oriented access control
- Data-oriented access control: MAC (Mandatory Access Control) and DAC (Discretionary Access Control)

TOPIC-1: LOW LEVEL PROTECTION MECHANISM

LOMAC:

LOMAC is a dynamically loadable security module for free UNIX kernels that uses low water-mark mandatory access control to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users and compromised network server daemons. LOMAC is designed for compatibility and ease of use, to be a form of MAC that typical users can live with. LOMAC implements a simple form of integrity protection based on Biba's low water-mark model in a loadable kernel module (LKM). It provides useful integrity protection against viruses, Trojan horses, malicious remote users and compromised network servers without modifications to the kernel, applications or their existing configuration. LOMAC is designed to be easy to use: its default configuration is intended to provide useful protection without being adjusted for the specific users, servers or other software present on the system. LOMAC may be used to harden currently deployed systems simply by loading the LKM into the kernel shortly after boot time.

Protection:

LOMAC provides protection by dividing a system into two integrity levels:

- High level
- Low level

[Figure: LOMAC 2-level partitioning of a system. High: init, kernel daemons, etc. Low: network servers, client downloads.]

- High level: contains the critical system components that must be protected, such as the init process, kernel daemons, system binaries, libraries and configuration files.
- Low level: contains the remaining components, such as client and server processes that read from the network, local user processes and their files.

Once LOMAC assigns a file to one level or the other, its level never changes. This is not so for processes: LOMAC can "demote" high-level processes by reducing their level to low during run time. LOMAC never increases the level of a process. When LOMAC is running, a process's level determines how much power it has to modify other parts of the system.

Given the above division of the system into levels, LOMAC provides integrity protection with two main mechanisms:

A. First, LOMAC prevents low-level processes from modifying high-level files or signalling high-level processes. Since non-administrative users, their network clients and all network servers run at the low level, these restrictions protect the high-level part of the system from direct attacks by malicious remote users and compromised servers.
B. Second, LOMAC ensures that data does not flow from low-level files to high-level files. A process might attempt to cause such a flow by reading from a low-level file and subsequently writing to a high-level file. LOMAC prevents such flows through demotion: whenever a high-level process reads from a low-level file, LOMAC reduces the process's level to low. Once at the low integrity level, LOMAC's first mechanism prevents the process from modifying high-level files, as described above. This combination of mechanisms prevents indirect attacks by viruses, worms and Trojan horses.

LOMAC cannot distinguish between a program that has read low-integrity data but is still running properly and one that has read low-integrity data and has been compromised. LOMAC can only ensure that processes which read potentially dangerous low-level data during run time are demoted to the low integrity level. Once at that low level, LOMAC's other mechanism prevents them from harming high-integrity processes or files.
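As an added illustration (not LOMAC's own code), the following Python model implements the two mechanisms just described, with file levels looked up in a path level map (PLM) using the CHILD-OF flag that the Implementation section below explains. The PLM records, paths, process names and the component-wise prefix rule are assumptions constructed for the example.

```python
# Added example, not LOMAC's own code: a model of LOMAC's two mechanisms
# (low may not modify/signal high; high is demoted on reading low), with file
# levels taken from a constructed path level map (PLM).
from dataclasses import dataclass

HIGH, LOW = 2, 1


@dataclass(frozen=True)
class PlmRecord:
    level: int
    path: str
    child_of: bool = False  # applies to children of path, not to path itself


# Constructed PLM, ordered longest path first, as in the notes' PLM table.
PLM = (
    PlmRecord(HIGH, "/home/httpd"),
    PlmRecord(LOW, "/home", child_of=True),
    PlmRecord(HIGH, "/"),
)


def _is_prefix(prefix, target):
    # Component-wise prefix (assumption): "/home" covers "/home/x", not "/homer".
    return prefix == "/" or target == prefix or target.startswith(prefix + "/")


def plm_level(target, plm=PLM):
    """Linear search; an exact match on a CHILD-OF record is skipped."""
    for rec in plm:
        if _is_prefix(rec.path, target) and not (rec.child_of and target == rec.path):
            return rec.level
    raise KeyError(target)


@dataclass
class Process:
    name: str
    level: int


class Lomac:
    """Each wrapper = mediate, then the real operation, then monitor."""

    def __init__(self, plm=PLM):
        self.plm = plm
        self.log = []

    def mediate(self, op, proc, target_level):
        # Mechanism A: a low process may not modify high files or signal high processes.
        return not (op in ("write", "signal") and proc.level < target_level)

    def monitor(self, op, proc, target_level):
        # Mechanism B: reading a lower-level file demotes the process; never promotes.
        if op == "read" and target_level < proc.level:
            proc.level = target_level

    def file_op(self, op, proc, path):
        level = plm_level(path, self.plm)
        allowed = self.mediate(op, proc, level)
        if allowed:
            self.monitor(op, proc, level)
        self.log.append((proc.name, op, path, "allow" if allowed else "deny"))
        return allowed

    def signal(self, proc, target):
        return self.mediate("signal", proc, target.level)

    def fork(self, proc, child_name):
        # A new process starts at the level of the process that created it.
        return Process(child_name, proc.level)


def demo():
    """Scenario: init forks httpd; httpd reads a user's upload and is demoted."""
    lomac = Lomac()
    init = Process("init", HIGH)
    httpd = lomac.fork(init, "httpd")
    lomac.file_op("read", httpd, "/home/httpd/html/index.html")  # high: no demotion
    lomac.file_op("read", httpd, "/home/tfraser/upload")          # low: demoted
    can_write_passwd = lomac.file_op("write", httpd, "/etc/passwd")  # denied
    can_signal_init = lomac.signal(httpd, init)                      # denied
    child = lomac.fork(httpd, "cgi")                                 # born low
    return httpd.level, can_write_passwd, can_signal_init, child.level
```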
IMPLEMENTATION:

There are two main problems in implementing a kernel-resident MAC:

- Gaining supervisory control over kernel operations
- Mapping security attributes to files

For these problems LOMAC provides low-cost solutions. The figure shows the architecture of the LOMAC LKM. The diagram shows a horizontal split between the upper and lower halves. The upper half implements the high-level LOMAC functionality in a kernel-independent manner and consists of approximately 1000 lines of C code. The lower half implements a kernel-specific interface to the Linux 2.2 series of kernels and consists of approximately 1500 lines of C code.

[Figure: LOMAC loadable kernel module architecture. Upper half: Monitor, Mediate, PLM (path level map). Lower half: wrappers and utility functions.]

Gaining Control:

LOMAC achieves control by interposing itself between processes and the kernel system call interface. LOMAC's kernel interface contains a series of functions called "wrappers". Each wrapper takes the same parameters as its corresponding system call.

Wrapper algorithm:

    wrapper(arguments) {
        Mediate: decide to allow or deny the operation;
        call the kernel's original system call function;
        Monitor: update LOMAC's state on successful completion;
    }

More on gaining control: at initialization time, LOMAC traverses the array of function pointers through which the kernel provides services to user processes (the system call vector) and replaces the addresses of the security-relevant system calls with the addresses of the corresponding wrappers. Once this is done, calls made through the system call vector reach the wrappers rather than the kernel's original system call functions.

Attribute Mapping:

In addition to gaining supervisory control, LOMAC must also assign integrity levels to files in a manner that persists across reboots. LOMAC maintains a persistent mapping between levels and absolute canonical path names in its path level map (PLM) module.

    Level   Flags      Path
    High               "/home/httpd"
    Low     CHILD-OF   "/home"
    High               "/"

Whenever the kernel opens a file, LOMAC labels the file's in-memory data structure with the integrity level indicated by the PLM. The records are ordered longest path first. CHILD-OF is an extra flag indicating that the low level applies to the children of "/home" rather than to "/home" itself.

More on attribute mapping: the basic algorithm is as follows. Given a target path, its level can be found by searching linearly through the list of records until a record is found whose path is a prefix of the target path. For example, the level of "/home/httpd/html" is high, because it matches the record for prefix "/home/httpd". If during a search through the record list the target path matches a record's path exactly, the flag field is checked: if the CHILD-OF flag is set, the match is ignored and the search continues. Consequently the level of "/home/httpd" is high, because it exactly matches the record for prefix "/home/httpd", which has no CHILD-OF flag. The level of "/home/tfraser" is low, because it matches the record for prefix "/home" with the CHILD-OF flag, and the level of "/home" is high, because the search skips the CHILD-OF "/home" record and matches the record for prefix "/".

Application of LOMAC:

In order to apply this protection scheme, LOMAC must be able to determine the appropriate level for every process and file in the system.

1) Dividing the file system: the rules explained under attribute mapping determine which parts of the file system are at the high integrity level and which are at the low level. These rules are presently set at compile time. Although future versions of LOMAC may provide a more configurable rule set, the goal of the present implementation is to deliver a single generic configuration that provides at least some protection on a wide variety of systems. The division described by the current rule set reflects the tension between two competing goals: providing the maximum amount of protection and maintaining the maximum amount of application compatibility.

2) Monitoring processes: while file levels are static, process levels can decrease during run time. In general, LOMAC assigns a new process the same level as the process that created it. At initialization time, LOMAC assigns the high integrity level to the first process, which initializes the system by creating new high-level processes to handle various system tasks. These processes continue by creating more high-level children. As individual processes read from low-level files, LOMAC demotes them to the low integrity level. From that point on, all their children begin life at the low level.

3) Exceptions for compatibility: LOMAC must make an exception to allow some critical programs, such as the client-side DHCP agent pump and the system log daemon, to transfer data from the low level to the high level. For this it maintains a list of trusted programs. But if a high-level process running a trusted program were compromised, LOMAC would not prevent it from harming the high-integrity part of the system. Hence the presence of trusted programs represents some risk, so they must operate properly.

TOPIC-2: ACCESS CONTROL MODELS

Introduction to access control: the foundation of information security rests on three things:

- Authentication
- Access control
- Audit
Authentication: establishes the identity of one party to another. Most commonly, authentication establishes the identity of a user to some part of the system, typically by means of a password. More generally, authentication can be computer-to-computer or process-to-process, and mutual in both directions.

Access Control: determines what one party will allow another to do with respect to resources and objects mediated by the former. Access control usually requires authentication as a prerequisite.

Audit: the audit process gathers data about activity in the system and analyzes it to discover security violations or diagnose their cause. Analysis can occur offline after the fact or online in real time. In the latter case the process is usually called intrusion detection.

Access control applies after authentication has been established. Access control can take several forms:

- Discretionary Access Control (DAC) is based on the idea that the owner of data should determine who has access to it. DAC allows data to be freely copied from object to object, so even if access to the original data is denied, access to a copy can be obtained.
- Lattice-based access control, also known as Mandatory Access Control (MAC), confines the transfer of information to one direction in a lattice of security labels. MAC emerged from the confidentiality requirements of the military but has broad applications for integrity and separation of objects.
- Role-Based Access Control (RBAC) requires that access rights be assigned to roles rather than to individual users. Users obtain these rights by virtue of being assigned membership in appropriate roles. This simple idea greatly eases the administration of authorization.

Access control:

Access control refers to controlling access to resources on a computer or network system. Without it, everyone would be able to access everything. Employees would be able to view their manager's salary information and read each other's email, and malicious individuals such as competitors would be able to dial into your remote access server and read your company's strategy plans for the next five years. With access control in place, users are identified, authenticated and authorized before they can actually access anything.

Access controls control which objects a subject can access. Subject and object are the two key terms used in access control models. A subject is someone or something (for example a user, an application or a system program) to which access to an object is granted or denied; examples of objects are files, printers, applications and system processes. Access control models provide a model for developers who need to implement access control functionality in their software and devices. An access control model defines a computer or network system's rules for user access to information resources. Access control models provide confidentiality and integrity, and also provide accountability through audit trails.
[Figure: Access control models, grouped into user-oriented access control (authentication), data-oriented access control and hybrid models. Models shown: Bell-La Padula, Biba, DAC, Chinese Wall, HAC, Originator Controlled Access Control, Role Based Access Control, Clark-Wilson.]

Data-Oriented Access Control:

Following successful log-on, the user has been granted access to one or a set of hosts and applications. At this point we need data access control. In this regard, real-world OS protection models fall basically into one of two types:

- MAC
- DAC

In computer security, passive resources are called objects and the active entities that utilize the resources are called subjects. Typical objects include files, directories, memory and printers; typical subjects include users and processes. The roles depend on the situation: for example, a process can request access to some resource (acting as a subject) and later be the target of a request (acting as an object).

MAC: In mandatory access control, also called multilevel access control, objects (information) are classified on hierarchical levels of security sensitivity (typically top secret, confidential). Subjects (users) are assigned their security clearance. Access of a subject to an object is granted or denied depending on the relation between the clearance of the subject and the security classification of the object. The lattice model and the Bell-La Padula model are based on MAC.

DAC: In the discretionary access model, each object has a unique owner. The owner exercises its discretion over the assignment of access permissions. Lampson introduced the access matrix model for DAC. The core of this model is a matrix whose rows are indexed by subjects and whose columns are indexed by objects.

Fig 1: Access Matrix

              Doc-1    passwd    Progr_1
    Alice     RW       R         X
    Bob       R        R         -
    Ronald    RW       RW        RWX

In real systems, however, access control matrices are not very practical: the matrix is usually sparse, there is a lot of redundancy, and although subjects and objects can be added or removed easily, the centralized matrix could become a bottleneck. The matrix may be decomposed by columns, yielding access control lists (Fig. 2). Thus for each object, an ACL details the users and their permitted access rights. An ACL may contain a default or public entry. Decomposition by rows yields capability tickets (Fig. 3). A capability ticket specifies the authorized objects and operations for a user. Each user has a number of tickets and may be authorized to lend or give them to others. Because tickets may be dispersed around the system, they present a greater security problem than ACLs. To avoid such problems, the OS holds all tickets on behalf of the users; these tickets are held in a region of memory inaccessible to users.

[Fig. 2: ACLs for File 1 to File 4; for each file, the users A, B and C with their rights (OWN, R, W).]

[Fig. 3: Capability lists for users A, B and C; for each user, the files they may access with their rights (OWN, R, W).]

So in the DAC model we have:

- Individual users may determine the access controls.
- E.g. the Unix file system implements DAC.
- This model works well in commercial and academic environments, not so well in the military, hospitals, private web sites etc.

In the MAC model we have:

- A site-wide security policy is enforced by the system in addition to the DAC.
- Better suited to environments with rigid information access restrictions.

Example of DAC: user A owns the file "My doc.doc" and decides to whom access is given (e.g. to user B). Access is given on a "need to know" basis.
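As an added example (not from the notes), the following Python code takes the access matrix of Fig. 1 and decomposes it by columns into ACLs and by rows into capability lists, checks that both views give the same decisions as the matrix, and shows why a lent ticket is harder to keep consistent than an ACL. The matrix contents are the figure's; the lending function is an assumption constructed for the example.

```python
# Added example, not from the original notes: Lampson's access matrix (Fig. 1)
# decomposed into ACLs (by column) and capability lists (by row).
from collections import defaultdict

# Constructed from Fig. 1; "-" in the figure means no rights at all.
ACCESS_MATRIX = {
    "Alice":  {"Doc-1": {"R", "W"}, "passwd": {"R"},      "Progr_1": {"X"}},
    "Bob":    {"Doc-1": {"R"},      "passwd": {"R"},      "Progr_1": set()},
    "Ronald": {"Doc-1": {"R", "W"}, "passwd": {"R", "W"}, "Progr_1": {"R", "W", "X"}},
}


def to_acls(matrix):
    """Decompose by column: for each object, which subjects hold which rights."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:                      # the matrix is sparse: skip empty cells
                acls[obj][subject] = set(rights)
    return dict(acls)


def to_capabilities(matrix):
    """Decompose by row: for each subject, its tickets (object -> rights)."""
    return {s: {o: set(r) for o, r in row.items() if r} for s, row in matrix.items()}


def acl_allows(acls, subject, obj, right, default=frozenset()):
    """ACL check; `default` plays the role of the ACL's default/public entry."""
    return right in acls.get(obj, {}).get(subject, default)


def cap_allows(caps, subject, obj, right):
    """Capability check: does the subject hold a ticket carrying this right?"""
    return right in caps.get(subject, {}).get(obj, set())


def views_agree(matrix):
    """Both decompositions must reproduce exactly the matrix's decisions."""
    acls, caps = to_acls(matrix), to_capabilities(matrix)
    objects = {o for row in matrix.values() for o in row}
    for s in matrix:
        for o in objects:
            for right in ("R", "W", "X"):
                expected = right in matrix[s].get(o, set())
                if acl_allows(acls, s, o, right) != expected:
                    return False
                if cap_allows(caps, s, o, right) != expected:
                    return False
    return True


def lend_ticket(caps, giver, receiver, obj):
    """Assumed delegation: the giver hands the receiver a copy of a ticket.
    Nothing in the copied ticket ties it to the giver, which is why the notes
    have the OS hold all tickets in memory the users cannot reach."""
    ticket = caps[giver].get(obj)
    if ticket is None:
        raise PermissionError(f"{giver} holds no ticket for {obj}")
    caps.setdefault(receiver, {}).setdefault(obj, set()).update(ticket)
    return caps[receiver][obj]
```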
Example of MAC: the administrator has level 65360, user A has level 100 and user B has level 1. There are two files: file1.doc at level 2 and file2.doc at level 200. Access rights are granted according to numeric access level: the access level of a user has to be equal to or higher than that of the object they want to access. So A can access file1.doc but not file2.doc, B cannot access either file, and the administrator can access both.

MAC vs DAC:

1) MAC is best for military and highly sensitive information systems.
2) Models such as Bell-La Padula, Chinese Wall and LOMAC are based on MAC rather than DAC.
3) MAC provides multi-targeting capability.

BELL-LA PADULA MODEL (BLP):

BLP is a formal (mathematical) description of MAC. There are three properties:

1) DS property (Discretionary Security)
2) SS property (Simple Security: no "read up")
3) * property (Star property: no "write down")

A secure system satisfies all of these properties. BLP includes a mathematical proof that if a system is secure and a transition satisfies all of the properties, then the system will remain secure.

Some description of BLP:

- BLP is a state machine model capturing the confidentiality aspects of access control.
- Access permissions are defined through an access control matrix and through a partial ordering of security levels.
- The security policy prevents information flowing downwards from a high security level to a low security level.
- BLP only considers the information flow that occurs when a subject observes or alters an object.

What is in the model (what we have to model):

1) All current access operations:
   - An access operation is described by a tuple (s, o, a), with s in S (subjects), o in O (objects) and a in A (access operations).
   - The set of all current access operations is an element of P(S × O × A).
   - We use B as shorthand for P(S × O × A).
   - We use b to denote a particular set of current accesses.
2) The current permissions, as defined by the access control matrix M:
   - M is the set of access control matrices.
3) The current assignment of security levels:
   - Maximal security level: fs : S → L (L is the set of labels)
   - Current security level: fc : S → L
   - Classification: fo : O → L
   - The security level of a user is the user's "clearance".
   - The current security level allows subjects to be downgraded temporarily.
   - F is a subset of L^S × L^S × L^O, the set of security level assignments.
   - f = (fs, fc, fo) denotes an element of F.
   - The state set of BLP: V = B × M × F.
   - A state is denoted by (b, M, f).

POLICIES OF BLP:

1. Prevent information flow from high security levels to low security levels.
2. In BLP, information flow can only occur directly through access operations.
3. Simple Security Property (ss): no read up: fs(s) ≥ fo(o) if access is in observe mode.
4. Information flow is still possible:
   - A low subject could create a high-level "Trojan horse" program that reads a high-level document and copies its contents to the subject's low-level file.
   - This would constitute an improper declassification by the Trojan horse.
   [Figure: the low subject creates the Trojan horse, which reads the high document and copies it to the low file.]
5. * property (star property): no write down: fc(s) ≤ fo(o) if access is in alter mode. Also, if subject s has access to an object o in alter mode, then fo(o') ≤ fo(o) for all objects o' accessed by s in observe mode.
6. The very first version of BLP did not consider the * property.
7. The ss and * properties are the mandatory BLP policies.
8. Discretionary Security property (ds property): access must be permitted by the access control matrix.

WRITE DOWN:

1) The * property implies that a high-level subject is not able to send messages to a low-level subject.
2) There are two ways to escape from this restriction:
   a) Temporarily downgrade a high-level subject. This is the reason for the current security level fc. BLP assumes that subjects have no memory of their own.
   b) Identify a set of trusted subjects which are permitted to violate the * property.
3) We redefine the * property and demand it only for subjects which are not trusted. Trusted subjects may violate security policies.

BASIC SECURITY THEOREM OF BLP:

1. A state is secure if all current access tuples (s, o, a) are permitted by the ss, * and ds properties.
2. A state transition is secure if it goes from a secure state to a secure state.

Theorem: if the initial state of the system is secure and all state transitions are secure, then the system will always be secure.

LIMITATIONS OF BLP:

1) Restricted to confidentiality.
2) No policies for changing access rights; a general and complete downgrade is secure. BLP is intended for systems with static security levels.
3) BLP contains covert channels (communication channels that allow transfer of information in a manner that violates the system security policy): a low subject can detect the existence of high objects when it is denied access.
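As an added example (not from the notes), the following Python code models a BLP state (b, M, f) over a small lattice of labels, checks the ss, * and ds properties, admits a transition only if the resulting state is secure, and replays the Trojan horse scenario above, including the temporary downgrade via fc. The label scale, subject and object names and operation sets are assumptions constructed for the example.

```python
# Added example, not from the original notes: BLP state (b, M, f) with the
# ss-, *- and ds-properties checked over a partially ordered set of labels.
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    level: int                      # hierarchical part, e.g. 0 = low, 2 = high
    cats: frozenset = frozenset()   # compartments: labels are only partially ordered

    def dominates(self, other):
        return self.level >= other.level and self.cats >= other.cats


OBSERVE = {"read", "execute"}   # assumed observe-mode operations
ALTER = {"write", "append"}     # assumed alter-mode operations


@dataclass
class State:
    b: set     # current accesses: set of (s, o, a)
    M: dict    # access matrix: M[(s, o)] = set of permitted operations
    fs: dict   # maximal security level (clearance) of each subject
    fc: dict   # current security level of each subject
    fo: dict   # classification of each object


def ss_ok(st, s, o, a):
    # no read up: fs(s) >= fo(o) when the access is in observe mode
    return a not in OBSERVE or st.fs[s].dominates(st.fo[o])


def star_ok(st, s, o, a):
    # no write down: fc(s) <= fo(o) in alter mode, and every object s observes
    # must be dominated by every object s alters
    if a not in ALTER:
        return True
    if not st.fo[o].dominates(st.fc[s]):
        return False
    observed = [o2 for (s2, o2, a2) in st.b if s2 == s and a2 in OBSERVE]
    return all(st.fo[o].dominates(st.fo[o2]) for o2 in observed)


def ds_ok(st, s, o, a):
    # access must be permitted by the access control matrix
    return a in st.M.get((s, o), set())


def is_secure(st):
    return all(ss_ok(st, s, o, a) and star_ok(st, s, o, a) and ds_ok(st, s, o, a)
               for (s, o, a) in st.b)


def request(st, s, o, a):
    """Secure transition: admit the access only if the new state is secure."""
    st.b.add((s, o, a))
    if is_secure(st):
        return True
    st.b.discard((s, o, a))
    return False


def trojan_horse_scenario():
    """The Trojan horse of the notes: a high-cleared program created by a low
    subject reads a high document and tries to copy it to a low file."""
    LOW, HIGH = Label(0), Label(2)
    st = State(b=set(),
               M={("trojan", "high_doc"): {"read"}, ("trojan", "low_file"): {"write"}},
               fs={"trojan": HIGH}, fc={"trojan": HIGH},
               fo={"high_doc": HIGH, "low_file": LOW})
    r1 = request(st, "trojan", "high_doc", "read")    # ss: allowed
    r2 = request(st, "trojan", "low_file", "write")   # * (no write down): denied
    st.fc["trojan"] = LOW                             # temporary downgrade via fc
    r3 = request(st, "trojan", "low_file", "write")   # still denied: it observes high_doc
    st.b.discard(("trojan", "high_doc", "read"))      # BLP assumes subjects have no memory
    r4 = request(st, "trojan", "low_file", "write")   # now allowed
    return (r1, r2, r3, r4)
```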
Topic 4: BIBA MODEL

Introduction: The Biba model is similar to BLP, but the focus is on integrity, not on confidentiality. The main aim was to turn the BLP model upside down. It follows these rules:

- A high-integrity subject can't read lower-integrity objects (no "read down").
- A subject can't move low-integrity data into a high-integrity environment (no "write up").

The Biba model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure that data are not contaminated. The following points should be noted carefully:

- Biba is a state machine model similar to BLP, capturing the integrity aspects of access control.
- Integrity here means "prevention of unauthorized modification of information".
- Integrity levels are assigned to subjects and objects.

Properties of the Biba model:

1) Simple Integrity property (no write up): if subject s can modify (alter) object o, then fs(s) ≥ fo(o).
2) Integrity * property: if subject s can read (observe) object o, then s can have write access to some other object o' only if fo(o) ≥ fo(o').

Other policies of Biba:

1) Low water-mark policy (LOMAC): automatically adjusts integrity levels. It is of two types:
   A) Subject low water-mark policy: subject s can read an object o at any integrity level. The new integrity level of s is glb(fs(s), fo(o)).
   B) Object low water-mark policy: subject s can modify an object o at any integrity level. The new integrity level of o is glb(fs(s), fo(o)).
2) Policy for invoke: invoke is an access operation between subjects.
   - Invoke property: subject s1 can invoke s2 only if fs(s1) ≥ fs(s2). According to the MAC policy of integrity, a "dirty" subject s1 cannot touch a "clean" object indirectly by invoking s2.
   - Ring property: subject s1 can read objects at all integrity levels, modify an object o with fs(s1) ≥ fo(o), and invoke a subject s2 only if fs(s1) ≤ fs(s2). A "dirty" subject s1 can invoke a "clean" tool s2 to touch a "clean" object.
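As an added example (not from the notes), the following Python code implements the Biba properties listed above with the notes' functions fs and fo: the simple integrity and integrity * properties, the invoke and ring properties, and both low water-mark variants. The integer integrity scale, the use of min as the greatest lower bound, and the subject and object names are assumptions constructed for the example.

```python
# Added example, not from the original notes: Biba's strict properties, the
# invoke and ring properties, and the subject/object low water-mark policies.


def glb(a, b):
    """Greatest lower bound; integers form a total order here (assumption)."""
    return min(a, b)


class Biba:
    def __init__(self, fs, fo):
        self.fs = dict(fs)      # fs(s): integrity level of each subject
        self.fo = dict(fo)      # fo(o): integrity level of each object
        self.observed = {}      # s -> set of objects s has read

    # Strict integrity policy
    def simple_integrity_ok(self, s, o):
        """No write up: s may modify o only if fs(s) >= fo(o)."""
        return self.fs[s] >= self.fo[o]

    def read_ok(self, s, o):
        """No read down: s may observe o only if fs(s) <= fo(o)."""
        return self.fs[s] <= self.fo[o]

    def read(self, s, o):
        if not self.read_ok(s, o):
            return False
        self.observed.setdefault(s, set()).add(o)
        return True

    def integrity_star_ok(self, s, o_prime):
        """Integrity *: s may write o' only if fo(o) >= fo(o') for every o it read."""
        return all(self.fo[o] >= self.fo[o_prime] for o in self.observed.get(s, ()))

    def invoke_ok(self, s1, s2):
        """Invoke property: s1 can invoke s2 only if fs(s1) >= fs(s2)."""
        return self.fs[s1] >= self.fs[s2]

    def ring_invoke_ok(self, s1, s2):
        """Ring property: the opposite direction, fs(s1) <= fs(s2)."""
        return self.fs[s1] <= self.fs[s2]

    # Low water-mark variants: the access is always allowed, a level drops.
    def subject_lwm_read(self, s, o):
        """Subject LWM: fs(s) becomes glb(fs(s), fo(o)); returns the new fs(s)."""
        self.observed.setdefault(s, set()).add(o)
        self.fs[s] = glb(self.fs[s], self.fo[o])
        return self.fs[s]

    def object_lwm_write(self, s, o):
        """Object LWM: fo(o) becomes glb(fs(s), fo(o)); returns the new fo(o)."""
        self.fo[o] = glb(self.fs[s], self.fo[o])
        return self.fo[o]
```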
The ring property is the opposite of the invoke property.

Features of BIBA:

1) This security model is directed toward data integrity (rather than confidentiality) and is characterized by the phrase "no write up, no read down".
2) With Biba, users can only create content at or below their own integrity level (a monk may write a prayer book that can be read by commoners, but a high priest would not be allowed to view the work of the less pious monk). Conversely, users can only view content at or above their own integrity level (a monk may read a book written by the high priest but may not read a pamphlet written by a lowly commoner).

Comparison of Biba with BLP: as with BLP, the Biba model defines a simple security (ss) property and a * property. In this case they are the reverse of BLP's:

1) The ss property states that a subject at a given level of integrity may not read an object at a lower integrity level (no read down).
2) The * property states that a subject at a given level of integrity must not write to any object at a higher level of integrity (no write up).

Topic 5: CHINESE WALL MODEL

Introduction: The Chinese Wall policy combines commercial discretion with legally enforceable mandatory controls. It is required in the operation of many financial services organizations and is therefore perhaps as significant to the financial world as the Bell-La Padula policy is to the military.

What is in this model? The focus of this model is on the conflict-of-interest principle: a user should not access the confidential information of both a client organization and one or more of its competitors.

How it works:

- Users have no "wall" initially.
- Once any given file is accessed, files with competitor information become inaccessible.

The following points should be noted carefully:

1) In a financial institution, an analyst deals with a number of clients and has to avoid conflicts of interest.
2) The model has the following components:
   - Subjects: analysts
   - Objects: data items for a single client
   - Company data sets: y : O → C gives for each object its company data set.
   - Conflict of interest classes: companies that are competitors. x : O → P(C) gives for each object o the companies with a conflict of interest on o.
   - Labels: company data set and conflict of interest class
   - Sanitized information: no access restrictions

Policies of the CHINESE WALL model:
1) Simple security property (ss): access is only granted if the requested object:
   - is in the same company data set as an object already accessed by that subject, or
   - does not belong to any of the conflict of interest classes of objects already accessed by that subject.

Formally:

- N = (N_so), s ∈ S, o ∈ O, is a Boolean matrix with N_so = true if s has accessed o.
- ss-property: subject s gets access to object o only if for all objects o' with N_so' = true, y(o) ∉ x(o') or y(o) = y(o').

Indirect information flow: two competitors A and B have their accounts with the same bank. Analyst-A, dealing with A and the bank, updates the bank portfolio with sensitive information about A. Analyst-B, dealing with B and the bank, now has access to information about the competitor.

2) * property: a subject s will be permitted write access to an object only if s has no read access to any object o' which is in a different company data set and is unsanitized.
   - Formally: subject s gets write access to object o only if s has no read access to an object o' with y(o) ≠ y(o') and x(o') ≠ {}.
   - Access rights of subjects change dynamically with every

An implementation of the CHINESE WALL security model using ConSA:

ConSA is a new architecture that allows security models to be developed separately from the system they will protect and still be integrated seamlessly into the system. Any system using ConSA could then also replace the security model at any time, while retaining the same operating system and applications.

Advantages of ConSA:

1) It is flexible enough that even a non-conventional security model such as the Chinese Wall security model, where access control is based on previously accessed entities, can be implemented using ConSA with ease.
2) In order to present a new security model without needless clutter, the final details of implementation on a system can be replaced by simply implementing it using ConSA.

The figure below shows the outline of ConSA as it will typically be used in an object-oriented OS. The label modules define the label classes. The information flow module handles the flow control, and the authorization control module (ACM) controls subject access to entities. The subject management module, used by the security manager, is not really required for the Chinese Wall model used here, since the primary subject access restriction and modification are automatically handled by the ACM module.

ConSA consists of a number of methods which have to be defined for a particular security model, with certain conditions which must apply after their execution to preserve a consistent security state.
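As an added example (not from the notes and not ConSA code), the following Python code implements the Chinese Wall ss- and *-properties over the Boolean matrix N with the functions y(o) and x(o) defined above, and replays the indirect information flow scenario of Analyst-A, Analyst-B and the bank. The company names, the bank's conflict class and the object names are assumptions constructed for the example.

```python
# Added example, not from the original notes: Chinese Wall ss- and *-properties
# over N, with the wall built up dynamically by every access.
from dataclasses import dataclass


@dataclass(frozen=True)
class Obj:
    name: str
    y: str                       # company data set y(o)
    x: frozenset = frozenset()   # conflict of interest class x(o); empty = sanitized


class ChineseWall:
    def __init__(self):
        self.N = set()           # N_so = true  <=>  (s, o) in this set

    def accessed(self, s):
        return [o for (s2, o) in self.N if s2 == s]

    def ss_allows(self, s, o):
        # for all o' already accessed by s: y(o) not in x(o') or y(o) == y(o')
        return all(o.y not in o2.x or o.y == o2.y for o2 in self.accessed(s))

    def star_allows(self, s, o):
        # no read access to any o' with y(o') != y(o) and x(o') != {} (unsanitized)
        return all(not (o2.y != o.y and o2.x) for o2 in self.accessed(s))

    def read(self, s, o):
        if not self.ss_allows(s, o):
            return False
        self.N.add((s, o))       # the wall moves with this access
        return True

    def write(self, s, o):
        if not (self.ss_allows(s, o) and self.star_allows(s, o)):
            return False
        self.N.add((s, o))
        return True


def indirect_flow_scenario():
    """Competitors A and B bank with the same bank (scenario from the notes)."""
    conflict = frozenset({"A", "B"})         # A and B are competitors
    a_info = Obj("a_info", "A", conflict)
    b_info = Obj("b_info", "B", conflict)
    bank = Obj("bank_portfolio", "Bank", frozenset({"Bank"}))   # unsanitized
    cw = ChineseWall()
    r = {}
    r["A reads A"] = cw.read("Analyst-A", a_info)
    r["A reads bank"] = cw.read("Analyst-A", bank)
    r["ss alone would let A write bank"] = cw.ss_allows("Analyst-A", bank)
    r["A writes bank"] = cw.write("Analyst-A", bank)   # *-property blocks the flow
    r["B reads B"] = cw.read("Analyst-B", b_info)
    r["B reads bank"] = cw.read("Analyst-B", bank)
    r["B reads A"] = cw.read("Analyst-B", a_info)      # wall: competitor data
    return r
```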