Computer Security CSE 543
This Class Notes was uploaded by Libby Kuhlman on Sunday November 1, 2015. The Class Notes belongs to CSE 543 at Pennsylvania State University taught by Staff in Fall.
CSE 543 Computer Security
Lecture 12: MAC Security
October 4, 2007
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/
CSE543 Computer and Network Security, Fall 2007, Professor Jaeger, Penn State

Mandatory Access Control
- Is about administration
- Policy is defined and fixed for the system
- Users cannot modify policy
- More importantly, users' processes cannot modify policy
- So what should the policy be?

Security Goals
- Secrecy: do not leak data to unauthorized subjects
- Integrity: do not depend on input from lower-integrity subjects (invocation, inputs, files, etc.)

MAC Systems
- Major effort: Multics
  - Multiprocessing system that developed many OS concepts, including security
  - Begun in 1965; development continued into the mid-70s; used until 2000
  - Initial partners: MIT, Bell Labs, GE/Honeywell
  - A subsequent proprietary system, SCOMP, became the basis for secure operating system design

Multics Security
- Secrecy: multilevel security
- Integrity: rings of protection
- Reference monitoring: mediate segment access and ring crossing
- The resulting system is considered a high point in secure system design

Multilevel Security
A multilevel security system tags every object and subject with a security label classifying it in terms of sensitivity/access level. We formulate an access control policy based on these levels. We can also add another dimension, called categories, which horizontally partitions the rights space in a way similar to what roles do.

Evaluating Policy
- Read access is allowed ("read down") if subject clearance level >= object sensitivity level and object categories are a subset of subject categories.
- Q: What would "write up" be? (By symmetry: subject level <= object level and subject categories are a subset of object categories.)
- Example labels:
  - Subjects: Charlie: TS {CRYPTO, NUC, INTEL}; Bob: CONF {INTEL}; Alice: SEC {CRYPTO, NUC}
  - Objects: DocB: SECRET {CRYPTO}; DocA: CONFIDENTIAL {INTEL}; DocC: UNCLASSIFIED {NUC}

Protection Rings
- Example: Multics, 64 rings in theory, 8 in practice
- Modern CPUs support 4 rings, but mainly use 2: kernel and user
- Intel x86 rings: ring 0 has the kernel, ring 3 has application code
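The "Evaluating Policy" slide above states the read-down rule and asks what write-up would be. The following is an added worked example (not part of the lecture slides) that encodes both rules as a lattice dominance check and runs them over the six labels on that slide; the level names are the slide's abbreviations expanded, and the `downgrade_paths` check is added here to show why the two rules together prevent a read-then-write leak.

```python
"""Added example: lattice read-down / write-up checks from the "Evaluating Policy"
slide, run over the Charlie/Bob/Alice and DocA/DocB/DocC labels on that slide."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Linear sensitivity levels (the slide's TS/SEC/CONF abbreviations expanded).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level AND superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


def label(level: str, *cats: str) -> Label:
    return Label(level, frozenset(cats))


# Labels from the slide: subjects carry clearances, objects carry sensitivities.
SUBJECTS: Dict[str, Label] = {
    "Charlie": label("TOP SECRET", "CRYPTO", "NUC", "INTEL"),
    "Bob": label("CONFIDENTIAL", "INTEL"),
    "Alice": label("SECRET", "CRYPTO", "NUC"),
}
OBJECTS: Dict[str, Label] = {
    "DocB": label("SECRET", "CRYPTO"),
    "DocA": label("CONFIDENTIAL", "INTEL"),
    "DocC": label("UNCLASSIFIED", "NUC"),
}


def can_read(subject: Label, obj: Label) -> bool:
    """Read down: the subject's clearance must dominate the object's label."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Write up: the object's label must dominate the subject's clearance, so data
    the subject may have read cannot flow to a lower or incomparable label."""
    return obj.dominates(subject)


def access_matrix() -> Dict[Tuple[str, str], str]:
    """'r', 'w', 'rw' or '-' for every (subject, object) pair on the slide."""
    out: Dict[Tuple[str, str], str] = {}
    for s, sl in SUBJECTS.items():
        for o, ol in OBJECTS.items():
            rights = ("r" if can_read(sl, ol) else "") + ("w" if can_write(sl, ol) else "")
            out[(s, o)] = rights or "-"
    return out


def downgrade_paths() -> List[Tuple[str, str, str]]:
    """(subject, src, dst) triples where the subject may read src and write dst but
    dst does not dominate src: a one-hop leak. Because dominance is transitive
    (dst >= subject >= src), the two rules make this list empty by construction."""
    leaks = []
    for s, sl in SUBJECTS.items():
        for src, srcl in OBJECTS.items():
            for dst, dstl in OBJECTS.items():
                if can_read(sl, srcl) and can_write(sl, dstl) and not dstl.dominates(srcl):
                    leaks.append((s, src, dst))
    return leaks


if __name__ == "__main__":
    for (s, o), rights in sorted(access_matrix().items()):
        print(f"{s:8} {o}: {rights}")
    print("downgrade paths:", downgrade_paths())
```

Running it shows the point the slide's table is making: Bob's CONF {INTEL} clearance matches DocA exactly, so he gets both read and write there and nothing anywhere else; Alice can read DocB and DocC but cannot write either, because her category set is not a subset of theirs; Charlie, at the top of the lattice, can read everything and write nothing.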
What Are Protection Rings?
- Coarse-grained hardware protection mechanism
- Boundary between levels of authority
  - Most privileged: ring 0
  - Monotonically less privileged above
- Fundamental purpose
  - Protect system integrity
  - Protect kernel from services
  - Protect services from applications
  - Soon ...

Intel Protection Ring Rules
- Each memory segment has a privilege level (ring number)
- The CPU has a Current Privilege Level (CPL): the level of the segment from which instructions are being read
- A program can read/write segments of lower privilege (numerically higher ring) than its CPL
  - Kernel can read/write user space
  - User cannot read/write the kernel (why not?)

Protection Ring Rules
- A program cannot call code of higher privilege directly
- Gate: a special memory address where lower-privilege code may call higher-privilege code
- Enables the OS to control where applications call into it (system calls)

Multics Interpretation
- Kernel resides in ring 0
- A process runs in a ring r; access is based on the current ring
- Process accesses a data segment: each data segment has an access bracket (a1, a2), a1 <= a2, describing read and write access to the segment (r is the current ring)
  - r < a1: access permitted
  - a1 <= r <= a2: read and execute permitted, write denied
  - a2 < r: all access denied

Multics Interpretation (cont'd)
- Procedure segments also have call brackets (c1, c2), c1 <= c2, in addition to access brackets (a1, a2)
- Rights to execute code in a new procedure segment:
  - r < a1: access permitted, with a ring-crossing fault
  - a1 <= r <= a2 (= c1): access permitted, no fault
  - a2 < r <= c2: access permitted through a valid gate
  - c2 < r: access denied
- What does it mean?
  - Case 1: the ring-crossing fault changes the procedure's ring; it increases from r to a1
  - Case 2: keep the same ring number
  - Case 3: the gate checks its arguments; the ring number decreases
  - The target code segment defines the new ring

Examples
- A process in ring 3 accesses a data segment with access bracket (2, 4). What operations can be performed?
- A process in ring 5 accesses the same data segment. What operations can be performed?
- A process in ring 5
  accesses a procedure segment with access bracket (2, 4) and call bracket (4, 6). Can the call be made? How do we determine the new ring? Can the new procedure segment access the data segment above?

Multics Segments
- Named segments are protected by access control lists and MLS protections
- Hierarchically arranged: the precursor to hierarchical file systems
- Memory segment access is controlled by a hardware monitor
  - Multics hardware retrieves a segment descriptor word (SDW), like a file descriptor
  - Based on the rights in the SDW, determines whether the segment can be accessed
  - Master mode (like root) can override protections
  - A directory or SDW is accessed on each instruction

Multics Vulnerability Analysis
- Detailed security analysis covering hardware, software, and procedural features (administration)
- Good news: designed for security
  - The system language prevents buffer overflows: defined buffer sizes
  - Hardware features prevent buffer overflows: addressing off the end of a segment is an error; the stack grows up
  - The system is much smaller than current UNIX systems
- The vulnerability analysis found flaws, which were fixed
- Multics attained a B2 evaluation (MAC system)

Vulnerabilities Found (not mentioned in this paper)
- Hardware: indirect addressing, incomplete mediation
  - The direct address was checked but not the indirect address
  - A mistaken modification introduced the error
- Software: ring protection done in software
  - Argument validation was flawed: a certain type of pointer was handled incorrectly
  - Master mode transfer: for performance, a master-mode program (the signaler) ran in the user ring; development assumed trusted input to the signaler, a bad combination
- Procedural: trap-door insertion goes undetected

SCOMP
- Proprietary product from Honeywell (owners of Multics)
- Security kernel: minimize the TCB
- Custom hardware: SCOMP, 4 rings
  - Complete mediation of memory access by bus mediation, even by devices (consider DMA)
- Operating system: SCOMP Trusted Operating Program (STOP)
  - Essential services only: build memory descriptors, schedule
- Application programming interface: SCOMP Kernel Interface Package (SKIP)
  - Minimal basic kernel utilities: file system, processes, concurrency
- Designed to be general purpose, but used for very limited operations
  - Guards: ensure communication contains no secrets

Secure Operating Systems: A Dime a Dozen
- Everyone started building secure operating environments
- Some from scratch
  - GEMSOS: security kernel
  - PSOS: design only
  - Adept-50: high water mark
  - KSOS: emulate the UNIX interface
- Many based on the OSes of the day
  - KVM/370: VM/370
  - UCLA Secure UNIX: UNIX
  - DEC OS: VAX/VMS
- None particularly took hold; GEMSOS is still in business (Aesec)
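The "Examples" slide earlier in the lecture leaves its three ring-bracket questions open. The following is an added example (not from the lecture slides) that encodes the access-bracket and call-bracket rules from the "Multics Interpretation" slides and evaluates those questions. The slides only say that the target segment defines the new ring; the concrete values used here (fault raises the ring to a1, in-bracket call keeps r, gate call lowers the ring to a2) are the Multics rules and are assumptions relative to the slides, as is the `through_gate` flag modelling that only a listed gate entry point is a valid target in case 3.

```python
"""Added example: Multics access-bracket / call-bracket rules applied to the
questions on the lecture's "Examples" slide."""
from typing import Dict, FrozenSet, Optional, Tuple

Bracket = Tuple[int, int]   # (lower, upper) ring numbers, lower <= upper


def data_access(r: int, access: Bracket) -> FrozenSet[str]:
    """Rights of a process in ring r on a data segment with access bracket (a1, a2)."""
    a1, a2 = access
    assert a1 <= a2
    if r < a1:                  # more privileged than the bracket: full access
        return frozenset({"read", "write", "execute"})
    if a1 <= r <= a2:           # inside the bracket: read and execute, no write
        return frozenset({"read", "execute"})
    return frozenset()          # less privileged than the bracket: nothing


def procedure_call(r: int, access: Bracket, call: Bracket,
                   through_gate: bool = True) -> Tuple[str, Optional[int]]:
    """Outcome of a process in ring r transferring into a procedure segment with
    access bracket (a1, a2) and call bracket (c1, c2). Returns (outcome, new ring).

    Assumption (Multics rule, not stated numerically on the slides): case 1 raises
    the ring to a1, case 2 keeps r, case 3 lowers the ring to a2.
    """
    a1, a2 = access
    c1, c2 = call
    assert a1 <= a2 == c1 <= c2, "the call bracket starts where the access bracket ends"
    if r < a1:
        return ("ring-crossing fault", a1)       # case 1: ring number increases to a1
    if a1 <= r <= a2:
        return ("call, no fault", r)             # case 2: same ring
    if a2 < r <= c2:
        if not through_gate:                     # assumption: non-gate entry points are rejected
            return ("denied: not a gate", None)
        return ("gate call", a2)                 # case 3: gate checks args, ring drops to a2
    return ("denied", None)                      # beyond c2: no access at all


def worked_examples() -> Dict[str, object]:
    """The three questions from the Examples slide, answered by the rules above."""
    data = (2, 4)                                # data segment, access bracket (2, 4)
    proc_access, proc_call = (2, 4), (4, 6)      # procedure segment brackets
    outcome, new_ring = procedure_call(5, proc_access, proc_call)
    return {
        "ring3_on_data": sorted(data_access(3, data)),
        "ring5_on_data": sorted(data_access(5, data)),
        "ring5_calls_proc": (outcome, new_ring),
        # the callee now runs in new_ring; what can it do to the data segment?
        "callee_on_data": sorted(data_access(new_ring, data)) if new_ring is not None else [],
    }


if __name__ == "__main__":
    for question, answer in worked_examples().items():
        print(f"{question}: {answer}")
```

Read as answers to the slide: ring 3 is inside the data segment's bracket (2, 4), so it may read and execute but not write; ring 5 is above the bracket and gets nothing; ring 5 is inside the procedure segment's call bracket (4, 6), so the call succeeds only through a gate and the callee runs in ring 4 (the top of the access bracket), from which the data segment is again readable and executable but not writable. Lowering the ring on a gate call is what makes the callee's argument checking matter: it runs with more privilege than its caller.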