Chapter 6 Flashcards
Define Trusted Computing Base (TCB).
The totality of protection mechanisms within a computer system - including hardware, firmware, and software - the combination of which is responsible for enforcing a security policy. A TCB consists of one or more components that together enforce a unified security policy over a product or system. The ability of the TCB to correctly enforce a security policy depends solely on the mechanisms within the TCB and in the correct input by system administrative personnel of parameters related to the security policy.
Define Security Kernel.
The Hardware, firmware, and software elements of a trusted computing base that implement the reference monitor concept. It must mediate all accesses, be protected from modification, and be verifiable as correct.
Where could the Reference Monitor be placed?
1) hardware: access control mechanisms in microprocessors.
2) operating system kernel: (example, hypervisor; a virtual machine that emulates the host computer it is running on)
3) operating system: (example, access control in Unix and Windows 2000)
4) services layer: access control in database systems, java virtual machine, .NET common language runtime,…
5) application: security checks in the application code to address application specific requirements.
List the Reference monitor design choices.
1) RM in kernel: program and RM are separated.
2) interpreter: program inside the RM.
3) In-line RM (modified application): RM inside program.
What are the two requirements that have to be addressed when securing an operating system ?
1) users should be able to use (invoke) the OS.
2) users should not be able to misuse the OS.
What are the concepts used to achieve the requirements to secure the operating system? Where can they be used?
1) modes of operation.
2) controlled invocation, also called restricted privilege.
These concepts can be used in any layer of a computing system, be it application software, operating system, or hardware. However, these mechanisms an be disabled if the attacker gets access to a lower layer.
Between what should the OS distinguish in order to protect it self in modes of operation?
To protect itself, an OS must be able to distinguish computations ‘on behalf’ of the OS from computations ‘on behalf’ of a user.
Define mode of operation.
Mode of operation defines which actions (example, machine instructions) may be performed on a system.
How does a system work in dual-mode operation?
In dual-mode operation a system can work in:
- user mode (protected mode), here instructions that are not critical for security may be performed, or in
- supervisor mode (kernel, monitor, root, system mode);
Define privileged instructions.
privileged instructions are instructions that can only be executed in supervisor mode.
What does the status flag do?
Status flag allows system to work in different modes:
- intel 80x86: two status bits and four modes.
- unix distinguish between user and superuser.
What are the reasons for placing security in the core?
1) it may be possible to evaluate security to a higher level of assurance.
2) putting security mechanisms into the core of the system reduces the performance overheads caused by security checks.
What information is stored in the descriptors?
Information about system objects such as memory segments, access control tables, and gates.
Where are descriptors stored? And how are they accessed?
Descriptors are stored in the descriptor table and accessed via selectors.
What is a selector?
A selector is a 16-bit field containing an index pointing to the object’s entry in the descriptor table and also a requested privilege level (RPL) field. Only the OS has access to selectors.
What is a gate?
System object pointing to a procedure, where the gate has a privilege level different from that of the procedure it points to. Allow execute-only access to procedures in an inner ring.
What does create a loophole (confused deputy problem)?
Allowing out-ring procedures to invoke inner-ring procedures creates a potential security loophole. The outer-ring process may ask the inner-ring procedure to copy an inner ring object to the outer ring; this will not be prevented by any of the mechanisms, nor does it violate the states security policy. Known as luring attack.
How can the loophole (confused deputy problem) is solved?
We should take into account the level of the calling process, use the adjust requested privilege level (ARPL) instruction. This instruction changes the RPL fields of all selectors to the CPL of the calling process. The system then compares the RPL (in the selector) and the DPL (in the descriptor) of an object and refuse to complete the requested operation if they differ.
How is the integrity of the OS itself is preserved?
OS manages access to data and resources. Multitasking OS interleaves execution of processes belonging to different users. I has to:
- separate user space from OS space,
- logically separate users,
- restrict the memory objects a process can access.
What does the logical separation of users prevent?
Logical separation of users prevents accidental and intentional interference between users.
Where does logical separation of users take place?
- file management, dealing with logical memory objects.
- memory management, deals with physical memory objects.
What are the two main ways of structuring memory?
1) segmentation, divides memory into logical units of variable lengths
+ a division into logical units is a good basis for enforcing a security policy
- units of variable length make memory management more difficult.
2) paging, divides memory into pages of equal length.
+ fixed length units allow efficient memory management.
- paging is not a good basis for access control as pages are not logical units. One page may contain objects requiring different protection. Page faults can create covert channel.
When does page fault occur?
When a process accesses a logical object stored on more than one page, a page fault occurs whenever a new page is requested.
When does covert channels exists?
Covert channel exists if page faults are observable.
