
UNIT-2
PART-1: OPERATING SYSTEM SECURITY

Introduction to OS SECURITY
An operating system is a fundamental component of most modern computer systems. Operating
systems are close to the hardware: the OS masks the details of the underlying hardware from the
programmer and provides the lowest layer of software visible to users. It can be viewed as a Resource
Manager, responsible for fair resource sharing between the different processes in the system. At the
same time, the operating system controls access to application memory and the scheduling of the processors.
Applications must rely on OS-level services, and the developers of these applications do not
know the level of detail needed to develop secure applications on their own. If the OS does not do these
things securely, it generally compromises all security at higher levels, so the OS is a very logical place to
enforce and support security.
OS security revolves around the protection of four elements:
1. Confidentiality: the protection of transmitted data from passive attacks, i.e. protection of
data from unauthorized disclosure.
2. Authentication: this mechanism helps establish proof of identities. The authentication
process ensures that the origin of an electronic message or document is correctly identified.
3. Integrity: when the contents of a message are changed after the sender sends it, but before it
reaches the intended recipients, we say that the integrity of the message is lost.
4. Availability: resources should be available to authorized parties at all times.
Protection Mechanisms:
The concept of multiprogramming introduces the sharing of resources among users. This sharing
involves memory, I/O devices, programs and data. The ability to share these resources introduces the
need for protection. An OS may offer protection along the following spectrum:
No Protection: this is appropriate when sensitive procedures are being run at separate
times.
Isolation: this approach implies that each process operates separately from other processes,
with no sharing. Each process has its own address space, files and other objects.
Share ALL or share NOTHING: in this method, the owner of an object declares it to be
public or private; in the latter case only the owner's process may access the object.
Share via access limitation: the OS checks the permissibility of each access by a specific
user to a specific object. The OS therefore acts as a guard between users and objects, ensuring
that only authorized accesses occur.
Share via dynamic capabilities: this extends the concept of access control to allow dynamic
creation of sharing rights for objects.
Limit use of an object: this form of protection limits not just access to an object but the use to
which that object may be put.
A given OS may provide different degrees of protection for different objects, users and applications.
The OS needs to balance the need to allow sharing with the need to protect the resources of
individual users.
PROTECTION OF MEMORY:
In a multiprogramming environment, protection of main memory is essential. The concern here is
not just security but the correct functioning of the various processes that are active. The separation of
the memory space of the various processes is easily accomplished with a virtual memory scheme.
Segmentation or paging, or the two in combination, provides an effective tool for managing main
memory. The measures taken to control access in data processing systems fall into two categories:
Access control
  - User oriented
  - Data oriented
      MAC - Mandatory access control
      DAC - Discretionary access control

TOPIC-1: LOW LEVEL PROTECTION MECHANISM

LOMAC:
LOMAC is a dynamically loadable security module for free UNIX kernels that uses low water mark
mandatory access control to protect the integrity of processes and data from viruses, Trojan
horses, malicious remote users and compromised network server daemons. LOMAC is designed
for compatibility and ease of use, to be a form of MAC that typical users can live with.
LOMAC implements a simple form of integrity protection based on Biba's low water mark
model in a Loadable Kernel Module (LKM). LOMAC provides useful integrity protection against
viruses, Trojan horses, malicious remote users and compromised network servers without
modifications to the kernel, applications or their existing configuration. LOMAC is designed to
be easy to use. Its default configuration is intended to provide useful protection without being
adjusted for the specific users, servers or other software present on the system. LOMAC may be
used to harden currently deployed systems simply by loading the LKM into the kernel shortly
after boot time.
Protection:
LOMAC provides the protection by dividing a system into two integrity levels:
  High level: init, kernel daemons, system binaries, etc.
  Low level: network servers, network clients, user downloads
(Figure: LOMAC 2-level partitioning of a system.)

High level: contains critical system components that must be protected, such as the init
process, kernel daemons, system binaries, libraries and configuration files.
Low level: contains the remaining components, such as client and server processes that
read from the network, local user processes and their files.
Once LOMAC assigns a file to one level or the other, its level never changes. This is not so for
processes: LOMAC can demote high level processes by reducing their level to low during
runtime. LOMAC never increases the level of a process.
1. When LOMAC is running, a process's level determines how much power it has to modify
other parts of the system. Given the above division of the system into levels,
LOMAC provides integrity protection with two main mechanisms:
A. First, LOMAC prevents low level processes from modifying high level files or
signaling high level processes. Since non-administrative users, their network clients and
all network servers run at the low level, these restrictions protect the high level part of
the system from direct attacks by malicious remote users and compromised servers.
B. Second, LOMAC ensures that data does not flow from low level files to high level
files.
2. A process attempts to cause such a flow by reading from a low level file and
subsequently writing to a high level file. LOMAC prevents such flows through
demotion: whenever a high level process reads from a low level file, LOMAC reduces the
process's level to low. Once at the low integrity level, LOMAC's first mechanism
prevents the process from modifying high level files, as described above. This combination
of mechanisms prevents indirect attacks by viruses, worms and Trojan horses.

LOMAC cannot distinguish between a program that has read low integrity data but is still running
properly and one that has read low integrity data and has been compromised. LOMAC can ensure
that processes which read potentially dangerous low level data during run time are demoted to the
low integrity level. Once at that low level, LOMAC's other mechanism prevents them from harming
high integrity processes or files.

IMPLEMENTATION:
There are two main problems in implementing kernel resident MAC:
  - Gaining supervisory control over kernel operations
  - Mapping security attributes to files
For these problems LOMAC provides low cost capabilities. The figure shows the architecture of the
LOMAC LKM. The diagram shows a horizontal split between upper and lower halves. The upper half
implements high level LOMAC functionality in a kernel independent manner and consists of
approximately 1000 lines of C code. The lower half implements a kernel specific interface to the
Linux 2.2 series of kernels and consists of approximately 1500 lines of C code.

(Figure: LOMAC loadable kernel module architecture. Upper half: Monitor, PLM (path level map),
Mediate. Lower half: wrappers and utility functions.)


More on gaining control:
At initialization time, LOMAC traverses the array of function pointers through which the kernel
provides services to user processes (the system call vector). LOMAC replaces the addresses of
security relevant system calls with the addresses of the corresponding wrappers. Once this is done,
calls made through the system call vector will invoke the wrappers rather than the kernel's
corresponding system call functions.
More on attribute mapping:
The basic algorithm: given a target path, its level can be found by searching linearly through
the list of records until a record is found whose path is a prefix of the target path. For example,
the level of /home/httpd/html is high, because it matches the record for prefix /home/httpd. If,
during a search through the record list, the target path matches a record's path exactly, the flag
field is checked. If the child-of flag is set, the match is ignored and the search continues. Consequently,
the level of /home/httpd is high because it exactly matches the record for prefix /home/httpd,
which has no child-of flag. The level of /home/tfraser is low because it matches the record for
prefix /home with the child-of flag, and the level of /home is high because the search skips the child-of
/home record and matches the record for prefix /.
Gaining Control:
LOMAC achieves control by interposing itself between processes and the kernel's
system call interface. LOMAC's kernel interface contains a series of functions called wrappers.
Each wrapper takes the same parameters as its corresponding system call.
Wrapper algorithm:
  Wrapper (arguments)
  {
    Mediate: decide to allow or deny the operation;
    Call the kernel's original system call function;
    Monitor: update LOMAC's state on successful completion;
  }
Attribute Mapping:
In addition to gaining supervisory control, LOMAC must also assign integrity levels to files in a
manner that is persistent across reboots. LOMAC maintains a persistent mapping between levels and
absolute canonical path names in its path level map (PLM) module.
  Level   Flags      PATH
  High               /home/httpd
  Low     CHILD-OF   /home
  High               /
Whenever the kernel opens a file, LOMAC labels its in-memory data structure with the integrity
level indicated by the PLM. The records are searched longest path first. Child-of is an extra flag indicating
that only the children of /home, not /home itself, are at the low level.
Application of LOMAC:
In order to apply this protection scheme, LOMAC must be able to determine the appropriate level for every
process and file in the system.
1) Dividing the file system: the rules explained in attribute mapping determine which
parts of the file system are at the high integrity level and which are at the low level. These
rules are presently set at compile time. Although future versions of LOMAC may provide a
more configurable rule set, the goal of the present implementation is to deliver a single
generic configuration that provides at least some protection on a wide variety of systems.
The division described by the current rule set reflects the tension between two competing
goals: providing the maximum amount of protection and maintaining the maximum amount of application
compatibility.

2) Monitoring processes: while file levels are static, process levels can decrease during run
time. In general, LOMAC assigns a new process the same level as the process that created
it. At initialization time, LOMAC assigns the high integrity level to the first process, which
initializes the system by creating new high level processes to handle various system tasks.
These processes continue by creating more high level children. As individual processes read
from low level files, LOMAC demotes them to the low integrity level. From that point, all
their children begin life at the low level.

3) Exceptions for compatibility: LOMAC must make an exception to allow some critical
programs, such as the client side DHCP agent pump and the system log daemon, to transfer data
from the low level to the high level. For this it maintains a list of trusted programs. But if a high
level process running a trusted program were compromised, LOMAC would not prevent it
from harming the high integrity part of the system. Hence the presence of trusted
programs represents some risk, so they must operate properly.
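The attribute mapping rules, the wrapper's mediate/monitor steps and the process demotion described above, as an added user-space model (this is not LOMAC's own kernel code; the PLM records, paths, process names and the trusted program "pump" are constructed for illustration):

```python
# Added example (not LOMAC's own code): a user-space model of the PLM lookup,
# the wrapper's mediate/monitor steps and process demotion described above.
# The PLM records, paths, process names and the trusted program "pump" are
# constructed for illustration; Linux 2.2 kernel details are not modelled.

HIGH, LOW = 1, 0
CHILD_OF = "child-of"

# Records are searched linearly, longest prefix first. A record carrying the
# child-of flag is skipped when the target path matches it exactly, so that
# /home itself stays high while /home/<user> is low.
PLM = [
    ("/home/httpd", HIGH, None),
    ("/home",       LOW,  CHILD_OF),
    ("/",           HIGH, None),
]

def plm_level(path):
    """Integrity level of an absolute canonical path, per the PLM rules."""
    for prefix, level, flag in PLM:
        if path == prefix:
            if flag == CHILD_OF:
                continue                       # exact match ignored, keep searching
            return level
        if prefix == "/" or path.startswith(prefix + "/"):
            return level                       # record path is a prefix of the target
    raise ValueError("no PLM record covers %s" % path)

class Process:
    def __init__(self, name, level, trusted=False):
        self.name = name
        self.level = level                     # only ever decreases: LOMAC never raises it
        self.trusted = trusted                 # trusted programs are exempt from demotion

def fork(parent, name, trusted=False):
    """A new process starts at the level of the process that created it."""
    return Process(name, parent.level, trusted)

def wrapper(proc, syscall, path):
    """Stand-in for a LOMAC system call wrapper: mediate, then monitor."""
    file_level = plm_level(path)
    # Mediate: a low-level process may not modify a high-level file.
    if syscall == "write" and proc.level < file_level:
        return False
    # ... the kernel's original system call would run here ...
    # Monitor: reading a low-level file demotes a high-level (untrusted) process.
    if syscall == "read" and file_level < proc.level and not proc.trusted:
        proc.level = file_level
    return True

def signal_allowed(sender, target):
    """Mediate kill(): low-level processes may not signal high-level ones."""
    return sender.level >= target.level

def demo():
    """Replay the indirect-attack scenario; returns the decisions in order."""
    init = Process("init", HIGH)
    httpd = fork(init, "httpd")                 # network server, starts high
    pump = fork(init, "pump", trusted=True)     # trusted DHCP client
    out = []
    out.append(wrapper(httpd, "read", "/home/httpd/html/index.html"))   # True, stays high
    out.append(httpd.level == HIGH)                                     # True
    out.append(wrapper(httpd, "read", "/home/tfraser/upload.bin"))      # True, but demoted
    out.append(httpd.level == LOW)                                      # True
    out.append(wrapper(httpd, "write", "/etc/resolv.conf"))             # False: low -> high blocked
    out.append(signal_allowed(httpd, init))                             # False
    out.append(fork(httpd, "cgi").level == LOW)                         # True: children inherit low
    out.append(wrapper(pump, "read", "/home/tfraser/lease"))            # True, no demotion
    out.append(wrapper(pump, "write", "/etc/resolv.conf"))              # True: trusted stays high
    return out
```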
TOPIC-2: ACCESS CONTROL MODELS

Introduction to access control: the foundations of information security rest on three mechanisms:
  - Authentication
  - Access control
  - Audit
Authentication: establishes the identity of one party to another. Most commonly, authentication
establishes the identity of a user to some part of the system, typically by means of a password. More
generally, authentication can be computer-to-computer or process-to-process, and mutual
in both directions.
Access Control: determines what one party will allow another to do with respect to resources and
objects mediated by the former. Access control usually requires authentication as a prerequisite.
Audit: the audit process gathers data about activity in the system and analyzes it to discover
security violations or diagnose their cause. Analysis can occur offline after the fact or online in real
time. In the latter case, the process is usually called Intrusion Detection.
Access control usually applies after authentication has been established. Access control can take
several forms:

Discretionary Access Control (DAC) is based on the idea that the owner of data should determine
who has access to it. DAC allows data to be freely copied from object to object, so even if access to
the original data is denied, access to a copy can be obtained.
Lattice based access control, also known as mandatory access control (MAC), confines the transfer
of information to one direction in a lattice of security labels. MAC emerged from the confidentiality
requirements of the military but has broad applications for integrity and separation of objects.
Role based access control (RBAC) requires that access rights be assigned to roles rather than to
individual users. Users obtain these rights by virtue of being assigned membership in appropriate
roles. This simple idea greatly eases the administration of authorization.

Access control:
Access control refers to controlling access to resources on a computer or network system. Without it,
everyone would be able to access everything. Employees would be able to view their managers'
salary information and read each other's email, and malicious individuals such as competitors would be
able to dial into your remote access server and read your company's strategy plans for the next five
years. With access control in place, users are identified, authenticated and authorized before they
can actually access anything.
Access controls control which objects a subject can access. These are the two key terms used
in access control models. A subject is someone or something (e.g. users, applications or system
programs) to which access to an object is granted or denied; examples of objects are files, printers,
applications and system processes. Access control models provide a model for developers who need to
implement access control functionality in their software and devices. An access control model
defines the rules for user access to information resources in a computer or network system. Access
control models provide confidentiality and integrity, and also provide accountability through audit trails.

(Figure: Access Control Models.
  Hybrid models: Chinese Wall, Originator Controlled Access Control model, Role Based Access Control,
  Clark Wilson model.
  User oriented access control: authentication.
  Data oriented access control: DAC, MAC (Bell-La Padula, Biba).)

Data Oriented Access Control: following successful log on, the user has been granted
access to one or a set of hosts and applications. At this time we need data access control. In this regard,
real world OS protection models fall basically into one of two types:
  - MAC
  - DAC
In computer security, passive resources are called objects and the active entities that utilize the
resources are called subjects. Typical objects include files, directories, memory and printers; typical
subjects include users and processes. The roles depend upon the situation: for example, a process can request
access to some resource (act as a subject) and later be the target of a request (act as an object).

MAC: in mandatory access control, also called multilevel access control, objects (information)
are classified on hierarchical levels of security sensitivity (typically top secret, confidential). Subjects
(users) are assigned their security clearance. Access of a subject to an object is granted or denied
depending on the relation between the clearance of the subject and the security classification of the
object. The Lattice model and the Bell-La Padula model are based on MAC.
DAC: in the discretionary access model each object has its unique owner. The owner exercises its
discretion over the assignment of access permissions. Lampson introduced the access matrix model
for DAC. The core of this model is a matrix whose rows are indexed by subjects and columns by
objects.

            Doc-1    Passwd    Progr_1
  Alice     rw       r         x
  Bob       r        r         -
  Ronald    rw       rw        rwx

Fig 1: Access Matrix


In real systems, however, access control matrices are not very practical, because the
matrix is usually sparse with a lot of redundancy; subjects and objects can be added or
removed easily, but the centralized matrix could become a bottleneck. The matrix may be
decomposed by columns, yielding access control lists, Fig (2). Thus for each object, an ACL details
users and their permitted access rights. An ACL may contain a default or public entry. Decomposition by
rows yields capability tickets, Fig (3). A capability ticket specifies authorized objects and operations for
a user. Each user has a number of tickets and may be authorized to lend or give them to others. Because
tickets may be dispersed around the system, they present a greater security problem than ACLs. To
accommodate such problems, the OS must hold all tickets on behalf of the users. These tickets would have to be
held in a region of memory inaccessible to users.

(Fig (2): ACL. One list per object, File 1 to File 4, giving the users A, B, C that may access it
and their rights: OWN, R, W.)

(Fig (3): Capability Lists. One list per subject, User A, B, C, giving the files each may access
and the rights: OWN, R, W.)


So in the DAC model we have:
  - Individual users may determine the access controls.
  - E.g. the Unix file system implements DAC.
  - This model works well in commercial and academic environments, not so well in the military,
    hospitals, private web sites etc.
In the MAC model we have:
  - A site wide security policy is enforced by the system in addition to DAC.
  - Better suited to environments with rigid information access restrictions.
Example of DAC:
  User A accesses A's file My doc.doc. A decides to whom access is given.
  It is based on a need to know basis.

Example of MAC:
  Subjects and their levels: Administrator 65360, A 100, B 1.
  Two files and their levels: file1.doc 2, File2.doc 200.
Access rights are granted according to a numeric access level. The access level of the user has to be equal to or
higher than that of the object they want to access.
  A can access file 1.
  B can't access either file.
  Administrator can access both.
MAC v/s DAC:
1) MAC is best for military and highly sensitive information systems.
2) All models such as Bell-La Padula, Chinese Wall and LOMAC are based on MAC rather than
DAC.
3) Provides multi-targeting capability.
BELL-LA PADULA MODEL (BLP):
BLP is a formal (mathematical) description of MAC. There are three properties:
1) DS property (Discretionary Security)
2) SS property (Simple Security: no read up)
3) * property (Star property: no write down)
A secure system satisfies all of these properties. BLP includes a mathematical proof that if a
system is secure and a transaction satisfies all of the properties, then the system will remain
secure. Now I give some description of BLP:
  - BLP is a state machine model capturing confidentiality aspects of access control.
  - Access permissions are defined through an access control matrix and through a
    partial ordering of security levels.
  - The security policy prevents information flowing downwards from a high security level to
    a low security level.
  - BLP only considers the information flow that occurs when a subject observes or
    alters an object.
What is in the model, or what we have to model:
1) All current access operations:
   An access operation is described by a tuple (s, o, a),
   s in S (subjects), o in O (objects), a in A (access operations).
   The set of all current access operations is an element of P(S x O x A).
   We use B as shorthand for P(S x O x A).
   We use b to denote a particular set of accesses.
2) The current permissions, as defined by the access control matrix M: M is the set of access control matrices.
3) The current assignment of security levels:
   Maximal security level: fs: S -> L (L = labels)
   Current security level: fc: S -> L
   Classification: fo: O -> L
   The security level of a user is the user's clearance.
   The current security level allows subjects to be downgraded temporarily.
   F, a subset of L^S x L^S x L^O, is the set of security level assignments;
   f = (fs, fc, fo) denotes an element of F.
   The state set of BLP: V = B x M x F.
   A state is denoted by (b, M, f).

POLICIES OF BLP:
1. Prevent information flow from high security levels to low security levels.
2. In BLP, information flow can only occur directly through access operations.
3. Simple Security Property (SS):
   No read up: fs(s) >= fo(o) if access is in observe mode.
4. Information flow is still possible:
   A low subject could create a high level Trojan horse program that reads a high
   level document and copies its contents to its low level file.
   This would constitute an improper declassification of the
   (Figure: the low subject creates the Trojan horse, which reads the high level document
   and copies it to the low level file.)
5. * property (Star property):
   No write down: fc(s) <= fo(o) if access is in alter mode; also, if
   subject s has access to an object o in alter mode, then fo(o') <= fo(o)
   for all objects o' accessed by s in observe mode.
6. The very first version of BLP did not consider the * property.
7. The ss and * properties are the mandatory BLP policies.
8. Discretionary Security property (DS property): access must be permitted by the access control matrix.
NO WRITE DOWN:
1) The * property implies that a high level subject is not able to send messages to a low level
subject.
2) There are two ways to escape from this restriction:
a) Temporarily downgrade a high level subject. This is the reason for the current security
level fc. BLP assumes that subjects have no memory of their own.
b) Identify a set of trusted subjects which are permitted to violate the * property.
3) We redefine the * property and demand it only for subjects which are not trusted. Trusted
subjects may violate security policies.

BASIC SECURITY THEOREM OF BLP:
1. A state is secure if all current access tuples (s, o, a) are permitted by the ss, * and DS
properties.
2. A state transition is secure if it goes from a secure state to a secure state.
Theorem: if the initial state of the system is secure and if all state transitions are secure,
then the system will always be secure.
LIMITATIONS OF BLP:
1) Restricted to confidentiality.
2) No policies for changing access rights; a general and complete downgrade is secure. BLP
is intended for systems with static security levels.
3) BLP contains covert channels (communication channels that allow transfer of information
in a manner that violates the system security policy): a low subject can detect the
existence of high objects when it is denied access.
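The BLP state (b, M, f), its three properties and the notion of a secure transition, as an added example that is not part of the notes; it replays the Trojan horse scenario from the policies section, and the subjects, objects, matrix and the (level, categories) labels are constructed for illustration:

```python
# Added example (not from the notes): a small BLP state machine over the
# state (b, M, f) with the ss, * and ds properties and secure transitions.
# Labels are (level, categories) pairs under the dominance partial order;
# the subjects, objects, matrix and scenario are constructed for illustration.

OBSERVE = {"read", "execute"}     # observe-mode access operations (assumed grouping)
ALTER = {"write", "append"}       # alter-mode access operations

def dominates(l1, l2):
    """l1 >= l2 in the lattice: higher-or-equal level and a superset of categories."""
    return l1[0] >= l2[0] and l1[1] >= l2[1]

class BLP:
    def __init__(self, M, fs, fc, fo):
        self.b = set()                 # current accesses, a subset of S x O x A
        self.M = M                     # access control matrix: (s, o) -> set of ops
        self.fs, self.fc, self.fo = fs, fc, fo   # max level, current level, classification

    def ss_ok(self, s, o, a):
        """No read up: fs(s) >= fo(o) for observe-mode access."""
        return a not in OBSERVE or dominates(self.fs[s], self.fo[o])

    def star_ok(self, s, o, a):
        """No write down: fc(s) <= fo(o) for alter-mode access, and every object
        s alters must dominate every object s observes."""
        if a in ALTER and not dominates(self.fo[o], self.fc[s]):
            return False
        mine = {(o2, a2) for (s2, o2, a2) in self.b if s2 == s} | {(o, a)}
        altered = [o2 for o2, a2 in mine if a2 in ALTER]
        observed = [o2 for o2, a2 in mine if a2 in OBSERVE]
        return all(dominates(self.fo[x], self.fo[y]) for x in altered for y in observed)

    def ds_ok(self, s, o, a):
        """Discretionary security: the matrix must permit the access."""
        return a in self.M.get((s, o), set())

    def secure(self):
        """A state is secure if every current access satisfies ss, * and ds."""
        return all(self.ss_ok(*t) and self.star_ok(*t) and self.ds_ok(*t) for t in self.b)

    def request(self, s, o, a):
        """A secure transition: grant only if the next state would still be secure."""
        if self.ss_ok(s, o, a) and self.star_ok(s, o, a) and self.ds_ok(s, o, a):
            self.b.add((s, o, a))
            return True
        return False

def demo():
    """Trojan horse scenario from the notes; returns the decisions in order."""
    LOW, HIGH = (0, frozenset()), (1, frozenset())
    fs = {"mallory": LOW, "trojan": HIGH}   # low user, and the Trojan horse it planted at high
    fo = {"plan": HIGH, "scratch": LOW}
    M = {("mallory", "plan"): {"read"}, ("trojan", "plan"): {"read"},
         ("trojan", "scratch"): {"write"}}
    sys1 = BLP(M, fs, dict(fs), fo)                   # everyone at their maximal level
    out = [sys1.request("mallory", "plan", "read"),    # False: ss, no read up
           sys1.request("trojan", "plan", "read"),     # True
           sys1.request("trojan", "scratch", "write")] # False: *, no write down
    sys2 = BLP(M, fs, {"mallory": LOW, "trojan": LOW}, fo)  # trojan temporarily downgraded
    out += [sys2.request("trojan", "scratch", "write"),  # True: fc(s) <= fo(o)
            sys2.request("trojan", "plan", "read"),      # False: would observe HIGH while altering LOW
            sys1.secure() and sys2.secure()]             # True: both states stay secure
    return out
```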

Topic 4: BIBA MODEL:
Introduction: the Biba model is similar to BLP but the focus is on integrity, not on confidentiality. The
main aim was to turn the BLP model upside down. It follows the following rules:
  - A high integrity subject can't read lower integrity objects (no read down).
  - A subject can't move low integrity data to a high integrity environment (no write up).
The Biba model is a formal state transition system of computer security policy
that describes a set of access control rules designed to ensure that data are not contaminated. The
following points should be noted carefully:
  - Biba is a state machine model similar to BLP, capturing integrity aspects of access control.
  - Integrity here means prevention of unauthorized modification of information.
  - Integrity levels are assigned to subjects and objects.
Properties of the Biba model:
1) Simple Integrity property (no write up): if subject s can modify (alter) object o,
then
   fs(s) >= fo(o)
2) Integrity * property: if subject s can read (observe) object o, then s can have write access
to some other object o' only if
   fo(o) >= fo(o')

Some other policies of Biba:
1) Low water mark policy (LOMAC): automatically adjusts integrity levels. It is of two types:
A) Subject Low Water Mark policy: subject s can read an object at any integrity level. The
new integrity level of s is g.l.b.(fs(s), fo(o)).
B) Object Low Water Mark policy: subject s can modify an object o at any integrity level.
The new integrity level of o is g.l.b.(fs(s), fo(o)).
Policies for invoke: invoke is an access operation between subjects.
Invoke Property: subject s1 can invoke s2 only if fs(s1) >= fs(s2).
According to the MAC policy of integrity, a dirty subject s1 can not touch a clean object indirectly by
invoking s2.
Ring Property: subject s1 can read objects at all integrity levels, modify object o with
fs(s1) >= fo(o), and invoke a subject s2 only if fs(s1) <= fs(s2).
A dirty subject s1 can invoke a clean tool s2 to touch a clean object. The Ring property
is the opposite of the Invoke property.
Features of BIBA:
1) This security model is directed toward data integrity (rather than security) and is characterized
by the phrase: no write up, no read down.
2) With Biba, users can only create content at or below their own security level (a monk may write a
prayer book that can be read by commoners, but a high priest would not be allowed to view the work
of the less pious monk).
Conversely, users can only view content at or above their own security level (a monk
may read a book written by the high priest but may not read a pamphlet written by a lowly
commoner).
Comparison of BIBA with BLP:
As with BLP, the Biba model defines a simple security (ss) property and a * property.
In this case they are sort of reversed relative to BLP:
1) The ss property states that a subject at a given level of integrity may not read an object at a lower
integrity level (no read down).
2) The * property states that a subject at a given level of integrity must not write to any object at a
higher level of integrity (no write up).
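The strict Biba rules, the two low water mark policies and the invoke and ring properties side by side, as an added example that is not part of the notes; integrity levels are integers (so g.l.b. is min), and the subjects "dirty" and "tool" and objects "clean" and "junk" are constructed for illustration:

```python
# Added example (not from the notes): one Biba system whose behaviour is
# selected by a policy switch: "strict" (simple integrity + integrity * +
# invoke property), "subject-lwm", "object-lwm" and "ring". Integer levels,
# higher is cleaner; g.l.b. on a chain is min. Names are constructed.

class BibaSystem:
    def __init__(self, fs, fo, policy="strict"):
        self.fs, self.fo = dict(fs), dict(fo)       # subject and object integrity levels
        self.policy = policy
        self.observed = {s: set() for s in fs}      # objects each subject has read

    def read(self, s, o):
        """Observe o. Strict: no read down. Subject LWM: always, but s sinks to
        g.l.b.(fs(s), fo(o)). Ring: always, with no level change."""
        if self.policy == "subject-lwm":
            self.fs[s] = min(self.fs[s], self.fo[o])
        elif self.policy != "ring" and self.fo[o] < self.fs[s]:
            return False
        self.observed[s].add(o)
        return True

    def write(self, s, o):
        """Alter o. Object LWM: always, but o sinks to g.l.b.(fs(s), fo(o)).
        Otherwise simple integrity (no write up); strict also applies the
        integrity * property over everything s has observed."""
        if self.policy == "object-lwm":
            self.fo[o] = min(self.fs[s], self.fo[o])
            return True
        if self.fs[s] < self.fo[o]:
            return False
        if self.policy == "ring":
            return True
        return all(self.fo[x] >= self.fo[o] for x in self.observed[s])

    def invoke(self, s1, s2):
        """Invoke property: fs(s1) >= fs(s2). Ring property reverses it."""
        if self.policy == "ring":
            return self.fs[s1] <= self.fs[s2]
        return self.fs[s1] >= self.fs[s2]

def demo():
    """Dirty subject, clean tool, clean and junk objects under each policy."""
    fs, fo = {"dirty": 1, "tool": 3}, {"clean": 3, "junk": 1}
    strict = BibaSystem(fs, fo, "strict")
    slwm = BibaSystem(fs, fo, "subject-lwm")
    olwm = BibaSystem(fs, fo, "object-lwm")
    ring = BibaSystem(fs, fo, "ring")
    return {
        "strict: tool reads junk": strict.read("tool", "junk"),        # False, no read down
        "strict: dirty writes clean": strict.write("dirty", "clean"),  # False, no write up
        "strict: dirty invokes tool": strict.invoke("dirty", "tool"),  # False, invoke property
        "slwm: tool reads junk": slwm.read("tool", "junk"),            # True, tool sinks to 1
        "slwm: tool level": slwm.fs["tool"],                           # 1
        "slwm: tool writes clean": slwm.write("tool", "clean"),        # False, now too dirty
        "olwm: dirty writes clean": olwm.write("dirty", "clean"),      # True, clean sinks to 1
        "olwm: clean level": olwm.fo["clean"],                         # 1
        "ring: dirty invokes tool": ring.invoke("dirty", "tool"),      # True, ring property
        "ring: tool reads junk": ring.read("tool", "junk"),            # True, no demotion
        "ring: tool writes clean": ring.write("tool", "clean"),        # True, fs(tool) >= fo(clean)
    }
```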
Topic 5: CHINESE WALL MODEL:
Introduction: the Chinese Wall policy combines commercial discretion with legally enforceable
mandatory controls. It is required in the operation of many financial services organizations and is
therefore perhaps as significant to the financial world as the Bell-La Padula policy is to the military.

What is in this Model? In this model the focus is on conflicts of interest.

Principle: a user should not access the confidential information of both a client organization and one
or more of its competitors.
How it works: users have no wall initially.
Once any given file is accessed, files with competitor information
become inaccessible.

The following points should be noted carefully:
1) In a financial institution an analyst deals with a number of clients and has to avoid conflicts of
interest.
2) The model has the following components:
   Subjects: analysts
   Objects: data items for a single client
   Company data set: y: O -> C gives for each object o its company data set.
   Conflict of interest classes: companies that are competitors. x: O -> P(C) gives for each
   object o the companies with a conflict of interest on o.
   Labels: (company data set, conflict of interest class)
   Sanitized information: no access restrictions.
Policies of the CHINESE WALL model:
1) Simple security property (SS): access is only granted if the object requested:
   - is in the same company data set as an object already accessed by that subject, or
   - belongs to none of the conflict of interest classes of objects already accessed by that subject.
Formally: N = (Nso), s in S, o in O, is a Boolean matrix with Nso = true if s has accessed o.
SS-property: subject s gets access to object o only if for all objects o' with Nso' =
true, y(o) is not in x(o') or y(o) = y(o').
Indirect information flow: two competitors A and B have their accounts with the same bank.
Analyst-A, dealing with A and the bank, updates the bank portfolio with sensitive information about
A. Analyst-B, dealing with B and the bank, now has access to information about the competitor.
2) * property: a subject s will be permitted write access to an object only if s has no read
access to any object o' which is in a different company data set and is unsanitized.
Formally: subject s gets write access to object o only if s has no read access to
an object o' with y(o') != y(o) or x(o') != {}.
Access rights of subjects change dynamically with every
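The ss and * properties over the matrix N, replayed on the indirect information flow scenario above, as an added example that is not part of the notes; the * check implements the prose statement (a different company data set and unsanitized), and the companies, objects and analysts are constructed for illustration:

```python
# Added example (not from the notes): the Chinese Wall ss and * properties
# over the Boolean matrix N, with y(o) the company data set of an object and
# x(o) its conflict of interest class (empty for sanitized information).
# The * check follows the prose statement (different data set AND
# unsanitized). Companies, objects and analysts are constructed.

class ChineseWall:
    def __init__(self, y, x):
        self.y = y                 # y: O -> C, company data set of each object
        self.x = x                 # x: O -> P(C), competing companies for each object
        self.N = set()             # (s, o) pairs with Nso = true: s has accessed o

    def accessed_by(self, s):
        return [o2 for (s2, o2) in self.N if s2 == s]

    def ss_ok(self, s, o):
        """y(o) not in x(o') or y(o) = y(o') for every o' already accessed by s."""
        return all(self.y[o] not in self.x[o2] or self.y[o] == self.y[o2]
                   for o2 in self.accessed_by(s))

    def star_ok(self, s, o):
        """s has read nothing unsanitized from a different company data set."""
        return all(self.y[o2] == self.y[o] or not self.x[o2]
                   for o2 in self.accessed_by(s))

    def read(self, s, o):
        """Grant read under ss; the wall around s grows with each new access."""
        if not self.ss_ok(s, o):
            return False
        self.N.add((s, o))
        return True

    def write(self, s, o):
        """Grant write only if both ss and * hold (no indirect flow via o)."""
        if not (self.ss_ok(s, o) and self.star_ok(s, o)):
            return False
        self.N.add((s, o))
        return True

def demo():
    """Indirect flow scenario from the notes: two competitors, one bank."""
    y = {"oilA_acct": "OilA", "oilB_acct": "OilB",
         "bank_portfolio": "Bank", "market_report": "Public"}
    x = {"oilA_acct": {"OilA", "OilB"}, "oilB_acct": {"OilA", "OilB"},
         "bank_portfolio": {"Bank"}, "market_report": set()}     # report is sanitized
    cw = ChineseWall(y, x)
    return [
        cw.read("analystA", "oilA_acct"),        # True: no wall yet
        cw.read("analystA", "oilB_acct"),        # False: ss, competitor of OilA
        cw.read("analystA", "oilA_acct"),        # True: same data set again
        cw.read("analystA", "bank_portfolio"),   # True: Bank conflicts with nothing read so far
        cw.write("analystA", "bank_portfolio"),  # False: *, has read unsanitized OilA data
        cw.read("analystA", "market_report"),    # True: sanitized information
        cw.write("analystB", "oilB_acct"),       # True: fresh analyst, no prior reads
        cw.read("analystB", "oilA_acct"),        # False: ss, wall raised by the write
    ]
```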

An Implementation of the CHINESE WALL security model using ConSA:

A new architecture, ConSA, allows security models to be developed separately from
the system they will protect and still be integrated seamlessly into the system. Any system using
ConSA could then also replace the security model at any time, while retaining the same operating
system and applications.
Advantages of ConSA:
1) It is flexible enough that even a non-conventional security model such as the Chinese Wall
security model, where access control is based on previously accessed entities, can be
implemented using ConSA with ease.
2) In order to present a new security model without needless clutter, the final details of
implementation on a system can be replaced by simply implementing it using ConSA.
The figure below shows the outline of ConSA, as it will typically be used in an object
oriented OS. The label modules define the label classes. The information flow module handles the
flow control and the authorization control module (ACM) controls subject access to entities. The subject
management module, used by the security manager, is not really required for the Chinese Wall model used
here, since the primary subject access restrictions and modifications are automatically handled by the
ACM module.
ConSA consists of a number of methods which have to be defined for a particular security model,
with certain conditions which must apply after their execution to preserve consistent security.
