2. Chapter Overview
• Protection Systems
• Mandatory Protection Systems
• Reference Monitors
• Definition of a Secure Operating System
• Assessment criteria to be used against each operating system.
3. Protection Systems
• Recall the concepts of subjects, objects and permissions from the previous chapter.
• The most complete description, at a given point in time, of what is allowed within a given computer system is given by a function which tells us, for a given subject and object, what the subject may do with the object.
• The best way to represent this function is by means of a matrix called an access matrix.
5. So, what is a protection system?
• Informally, a protection system is a description of what is allowed in a computer system, together with a set of rules that allow us to modify that description.
• Formally:
– A protection system consists of a protection state, and a set of protection state operations which enable modifications to that state.
6. More Formal Definitions:
• An access matrix consists of a set of subjects S, a set of objects O, a set of operations OP, and a function ops(s,o) ⊂ OP which determines the operations that subject s can perform on object o.
• A protection domain specifies the set of resources (objects) that a process can access and the operations that a process may use to access such resources.
7. Alternate representations for the access matrix
• Instead of storing the whole matrix, which is usually occupied mostly by empty permissions, other representations are often used:
– By columns, each object with its associated column: called its access control list or ACL.
– By rows, each subject with its associated row: called its capability list or C-List.
9. Mandatory Protection Systems
• A mandatory protection system is a protection system that can only be modified by trusted administrators via trusted software, consisting of the following state representations:
– A mandatory protection state is a state where subjects and objects are represented by labels, where the state describes the operations that subject labels may take upon object labels.
– A labeling state for mapping processes and system resource objects to labels.
– A transition state that describes the legal ways that processes and system resource objects may be relabeled.
10. How it works
• The labels are fixed and define the access relations.
• Subjects and objects are assigned different labels according to need.
• When circumstances change, labels may change also.
• However, permissions are constrained to those defined by the labels.
• In addition, label assignment/reassignment is a “privileged operation”.
12. Reference Monitors
• A reference monitor is the classical access enforcement mechanism. It takes a request as input and returns a positive or negative response (authorization).
• Three components:
– Interface
– Authorization module
– Policy store
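An added example (not from the slides) tying the access matrix of slides 6 and 7 to the reference monitor of slide 12: a sparse access matrix with ops(s,o), its ACL (column) and C-List (row) views, and a monitor whose policy store can only be changed by a trusted administrator. The subjects, objects and permissions are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed protection state: the set OP and the non-empty cells of the
# access matrix, keyed by (subject, object). Empty cells are simply absent.
OP = {"read", "write", "exec"}
MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("bob", "payroll.db"): {"read"},
    ("bob", "backup.sh"): {"read", "exec"},
}

def ops(s, o):
    """ops(s,o) ⊂ OP: the operations subject s may perform on object o."""
    return MATRIX.get((s, o), set())

def acl(o):
    """Column view of the matrix: the access control list of object o."""
    return {s: perms for (s, obj), perms in MATRIX.items() if obj == o}

def clist(s):
    """Row view of the matrix: the capability list of subject s."""
    return {o: perms for (subj, o), perms in MATRIX.items() if subj == s}

@dataclass
class ReferenceMonitor:
    """Interface (authorize/grant), authorization module (the checks) and
    policy store (a private copy of the matrix). Only `trusted_admins` may
    run protection state operations, mirroring the mandatory-system rule."""
    policy: dict = field(default_factory=lambda: {k: set(v) for k, v in MATRIX.items()})
    trusted_admins: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def authorize(self, s, o, op):
        # Complete mediation: every request is decided here and recorded.
        allowed = op in OP and op in self.policy.get((s, o), set())
        self.log.append((s, o, op, allowed))
        return allowed

    def grant(self, admin, s, o, op):
        # Protection state operation. Tamper-proofing: an untrusted subject
        # cannot modify the policy store, and the refusal is recorded.
        if admin not in self.trusted_admins or op not in OP:
            self.log.append((admin, "policy", "grant", False))
            return False
        self.policy.setdefault((s, o), set()).add(op)
        return True
```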
14. What is a Secure Operating System?
• A secure operating system is an operating system whose access enforcement mechanism satisfies the reference monitor concept:
– Complete mediation: all security-sensitive operations are checked.
– Tamper-proof: cannot be modified by untrusted processes.
– Verifiable.
15. Assessment Criteria
• Complete Mediation
– Correctness of subjects/objects
– Completeness
– Formal verification
• Tamperproof
– Protection of reference monitor.
– Protection of the Trusted Computing Base
• Verifiable
– Basis for the correctness of the TCB.
– Enforcement of the system's security goals?