
Chapter 07: Security Kernels

❖ OS Kernel
• The kernel is a computer program that is the core of a computer's operating system which
takes control over everything in the system.

• It handles the rest of start-up as well as input/output requests from software, translating
them into instructions for the CPU. It handles memory as well.

❖ Security Kernel
• A security kernel is defined as the hardware and software necessary to realize the
reference monitor abstraction.
=> A security kernel therefore ensures the reference monitor guarantees: tamperproofing, complete
mediation and verifiability.

Example of a security policy

A process p can create an object o and grant access rights as follows:

▪ Processes with the same level as p or above can be granted the right to read o

▪ Processes with the same level as p or lower can be granted the right to write o
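As an added illustration (not part of the original slides), the policy above written as a small Python reference monitor: the creator's level is bound to the object, every read or write request passes through one check function, and each decision is recorded in an audit trail. The level names and the Process/Obj classes are assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    # Totally ordered sensitivity levels; the names are an assumption for this example.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

@dataclass(frozen=True)
class Process:
    pid: int
    level: Level

@dataclass(frozen=True)
class Obj:
    name: str
    creator_level: Level  # level of the process p that created the object

class ReferenceMonitor:
    """Single choke point for every access: complete mediation plus an audit trail."""
    def __init__(self) -> None:
        self.objects: dict[str, Obj] = {}
        self.audit: list[str] = []

    def create(self, p: Process, name: str) -> Obj:
        # The creator's level is stored with the object and drives all later decisions.
        obj = Obj(name, p.level)
        self.objects[name] = obj
        return obj

    def check(self, s: Process, name: str, op: str) -> bool:
        obj = self.objects.get(name)
        if obj is None:
            allowed = False                          # unknown object: deny by default
        elif op == "read":
            allowed = s.level >= obj.creator_level   # same level as p or above may read
        elif op == "write":
            allowed = s.level <= obj.creator_level   # same level as p or below may write
        else:
            allowed = False                          # unknown operations are denied
        verdict = "GRANT" if allowed else "DENY"
        self.audit.append(f"{op} {name} pid={s.pid} level={s.level.name}: {verdict}")
        return allowed

if __name__ == "__main__":
    rm = ReferenceMonitor()
    rm.create(Process(1, Level.SECRET), "report")              # p runs at SECRET
    rm.check(Process(2, Level.TOP_SECRET), "report", "read")   # GRANT: above p
    rm.check(Process(3, Level.CONFIDENTIAL), "report", "write")  # GRANT: below p
    print("\n".join(rm.audit))
```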

❖ Secure Communications Processor (Scomp)


• Kernel-based system

• Designed to implement Multics' MLS requirements.

• Original idea was to build an emulator to allow execution on an ordinary OS (UNIX).

• Ended up with new API that provided the necessary security.


SCOMP Architecture

• Accesses to protected resources are mediated using an MLS policy.

• Isolation/tamperproofing is provided by the ring mechanism. Rings and transitions are
implemented in hardware.

• Verification was part of the process.

Rayid Al-Anazi
1. SCOMP Hardware 1

Based on Multics design with two key changes:

• Only four rings, all in hardware.

o Argument addressing mode prevents the confused deputy problem.

• Hardware includes a security protection module (SPM).

o It mediates the main system bus (peripherals and memory).

o The virtual memory interface unit uses the SPM to convert between virtual and physical
addresses.

2. SCOMP Hardware 2

Each process includes a descriptor base root:

• References memory and I/O descriptors

• Used for mediating memory and I/O references.

• DMA is authorized on a per-transaction basis.

o I/O descriptors are built by the kernel.

o Hardware does all authorizations.

o Drivers are not part of the kernel! (more efficient and secure)

SCOMP Security Protection Module

Scomp Trusted Operating Program (STOP)

Three components:
▪ A security kernel (ring 0)
▪ A set of trusted software
▪ A kernel interface package for user applications.

SCOMP Trusted Operating Program Security Kernel

• Memory management, process scheduling, interrupt management, audit and reference
monitor. 10K SLOC, mostly in Pascal.
• Objects consist of processes, segments and devices, each identified by a unique 64-bit id.
• Access control similar to Multics, but ring brackets allow for owner/group/others.
• 38 gates to enter ring 0.
SCOMP Trusted Software 1
Two types:

• Trusted not to violate system or integrity goals: e.g. the secure loader is trusted to load a process
for any subject in a way that ensures correct enforcement of information flows.
• Trusted to maintain the security policy correctly: e.g. user authentication.

SCOMP Trusted Software 2

• Three kinds of user processes:

o Trusted user processes: login, DAC management, mandatory level selection, process
management.
o Trusted operation services: system management, logging, startup, shutdown, set
time, etc.
o Trusted maintenance services: modify system data, install new program versions, etc.
• Invoked through a secure communications path directly by the user.

1. Scomp Kernel Interface Package (SKIP) 1
• Uniform interface for user applications to access trusted functions.
• Two parts
o SKIP functions
o SKIP libraries

2. Scomp Kernel Interface Package (SKIP) 2

• SKIP functions do trusted operations on user-level objects:
o Files via a hierarchical file system
o Process management
o Concurrent I/O through an event mechanism
• Allowed to manipulate system state, so trusted not to violate MLS requirements, like trusted
software.
3. SCOMP Kernel Interface Package (SKIP) 3
• The SKIP library runs in level 3 and provides the interface to SKIP functions.
• There are applications to access files, modify file contents and manage the file hierarchy. File
operations are authorized based on the requester's sensitivity level and ring number, thus the
sensitivity level is nondecreasing from the root.
• The library also provides I/O, and the device drivers are part of the library. Handlers also run
in the library.

❖ Gemini Secure Operating System

