Trusted Operating Systems

solidseniorServers, Dec 9, 2013

What is a trusted operating system

Four aspects of a trusted OS:
  Information compartmentalization
  Role compartmentalization
  Least privilege
  Kernel level enforcement

“if it’s easy to administer, it’s probably easy to break into”

Pros and cons

Pros
  Difficult to compromise
  One compromise will not lead to another
  Useful for mission critical applications
  Protects against inside attacks

Cons
  Software compatibility
  Difficulty in administration
  Performance overhead
  More cumbersome for users

Information Compartmentalization

Information restricted without regard to user ID or “owner”
No user, even administrators, can see or modify information they are not cleared to see
Compromised applications cannot be used for further access, since they cannot see information unrelated to their task

Mandatory Access Control

In DAC (Discretionary Access Control), users own files
  User can determine if a file is readable, writable, executable, etc., and by whom
In MAC, restrictions are based on the sensitivity of information
  All objects have Sensitivity Labels (SLs) which define a level or range of levels encompassing the information
  SLs cannot be overruled by the owner of a file or even a system administrator

Sensitivity Labels

Two components
  Classification
  Compartment
Dominant
  Top Secret SL can read but not write Confidential SL
Equal
  The only case in which modification is permitted
Disjoint
  Prevents equal classifications from accessing other compartments
  Top Secret A cannot read Secret A B, since Top Secret A does not have access to the B compartment
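A worked model of the dominant, equal and disjoint relations described on this slide, as an added example that is not part of the original deck. The classification ordering is a constructed example, and the class and function names (SensitivityLabel, can_read, can_write, relation) are assumptions; the rules follow the slides: reading requires dominance, modification requires equal labels, and a missing compartment makes two labels disjoint.

```python
from dataclasses import dataclass

# Classification ordering for this constructed example (higher = more sensitive).
CLASSIFICATION_RANK = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class SensitivityLabel:
    """A sensitivity label: a classification plus a set of compartments."""
    classification: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # Dominant: classification at least as high AND every compartment of
        # the other label is also held by this label.
        return (CLASSIFICATION_RANK[self.classification] >= CLASSIFICATION_RANK[other.classification]
                and self.compartments >= other.compartments)

    def is_equal(self, other):
        # Equal: same classification and exactly the same compartments.
        return self.dominates(other) and other.dominates(self)

    def is_disjoint(self, other):
        # Disjoint: neither label dominates the other, e.g. equal classifications
        # with different compartments, or Top Secret A versus Secret A B.
        return not self.dominates(other) and not other.dominates(self)


def relation(subject, obj):
    """Name the relation of the subject's label to the object's label."""
    if subject.is_equal(obj):
        return "equal"
    if subject.dominates(obj):
        return "dominant"
    if obj.dominates(subject):
        return "dominated"
    return "disjoint"


def can_read(subject, obj):
    # Reading requires the subject's label to dominate (or equal) the object's label.
    return subject.dominates(obj)


def can_write(subject, obj):
    # Modification is permitted only when the labels are equal, so a Top Secret
    # subject can read a Confidential object but not write it.
    return subject.is_equal(obj)


def label(classification, *compartments):
    """Convenience constructor, e.g. label("Secret", "A", "B")."""
    return SensitivityLabel(classification, frozenset(compartments))
```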

Role Compartmentalization

No user can perform all system tasks
There is no “root”; administrators are limited in their privileges
Important system actions must be confirmed by multiple administrators
Execution of a privileged program is still limited by the privilege of the user

Least Privilege

Processes only have access to the minimum amount of information and privilege required to perform their task
  Mail server cannot modify web pages
  Web server cannot send email
  Even if running as an administrator
Permissions are strictly limited in scope and type


Kernel Level Enforcement

Security related operations happen in kernel mode, where they cannot be circumvented by any amount of user level action
However, operations happen at the highest (least privileged) level possible, so that potential damage is limited as much as possible
Applications cannot override kernel decisions

Trusted OS Implementations

Trusted Solaris
  Password generator enforces strong passwords
  MAC
  Trusted symbol prevents spoofing
  Full system auditing
Trusted IRIX
  MAC
  Mandatory Integrity
  Trusted Networking
    MAC labeling of input and output

Trusted OS Implementations (continued)

Trusted BSD
  Based on FreeBSD
  Fine grained auditing
  Fine grained policy
SELinux
  Patches to Linux published by the NSA
Argus Pitbull LX
  Trusted environment that runs on top of Linux, Solaris, or AIX
  Domain Based Access Control
  Has root, but restricted
  Allows trusted applications to run alongside non-trusted applications, providing flexibility

“Orange Book” standards

Levels of security policies and accountability mechanisms
Certification to use in given situations
  C2: Controlled Access Protection (5)
  B1: Labeled Security Protection (7)
  B2: Structured Protection (1)
  B3: Security Domains (1)
  A1: Verified Design (0)

Common Criteria

Supersedes the “Orange Book”
Worldwide effort, combines international criteria
Broken into functional requirements:
  Audit
  Cryptographic support
  Communications
  User Data Protection
  Identification and Authentication
  Security Management
  Privacy
  Protection of the TOE Security Functions
  Resource Utilization
  TOE Access
  Trusted Path/Channels

Common Criteria Assurance Levels

EAL1: Functionally tested
EAL2: Structurally tested
EAL3: Methodically tested and checked
EAL4: Methodically designed, tested, and reviewed
EAL5: Semiformally designed and tested
EAL6: Semiformally verified design and tested
EAL7: Formally verified design and tested
