• Functional correctness
• Enforcement of integrity
• Limited privilege
Figure: sensitivity ranks, lowest to highest: Restricted, Confidential, Secret, Top Secret
• Security level: <rank; compartments>
– clearance of a subject
– lower bound
Figure: lattice of subjects s1, s2 and objects o1, o2, o3 (o1 marked Low); write arrows drawn between s2 and o3, read arrows between s1 and o2, o1
Figure: access control matrix with rows S1, S2, S3. Entries as drawn: S1: control, Owner, read; S2: control, Owner, read, Owner, Read, execute, write; S3: control, read, read, execute
• Command
– a condition tested against the matrix, followed by a sequence of primitive operations
CS 450/650 Lecture 21: Trusted Operating System
HRU Model (cont.)
• HRU allows the state of the protection system to be
changed only by a well-defined set of commands, each built
from these six primitive operations:
– Add subject s to M
– Add object o to M
– Delete subject s from M
– Delete object o from M
– Add right r to M[s,o]
– Delete right r from M[s,o]
– The owner of an object can change the rights to that object
(a command whose condition tests for the owner right)
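An added example (not from the lecture slides) of the HRU protection state as code: subjects, objects and the matrix M, the six primitive operations, and commands that are a condition on M followed by a body of primitives. The rights 'own', 'read' and 'write' and the command names create_file, confer and revoke are assumptions chosen to illustrate the owner-only condition; a command whose condition is false leaves the state unchanged.

```python
"""HRU protection system: subjects, objects, an access matrix M, and commands
that change the state only through the six primitive operations listed above.
Added example, not from the lecture slides; the rights 'own', 'read', 'write'
and the command names (create_file, confer, revoke) are assumptions used to
illustrate the 'owner can change rights of an object' condition."""
from collections import defaultdict


class HRU:
    def __init__(self):
        self.subjects = set()
        self.objects = set()
        self.M = defaultdict(set)            # M[(s, o)] -> set of rights

    # -- the six primitive operations --------------------------------------
    def create_subject(self, s):
        if s in self.objects:
            raise ValueError(f"{s!r} already exists")
        self.subjects.add(s)
        self.objects.add(s)                  # a subject is also a column of M

    def create_object(self, o):
        if o in self.objects:
            raise ValueError(f"{o!r} already exists")
        self.objects.add(o)

    def destroy_subject(self, s):
        self.subjects.discard(s)
        self.destroy_object(s)

    def destroy_object(self, o):
        self.objects.discard(o)
        for key in [k for k in self.M if o in k]:
            del self.M[key]                  # drop its row and column

    def enter(self, r, s, o):
        self._cell(s, o)
        self.M[(s, o)].add(r)

    def delete(self, r, s, o):
        self._cell(s, o)
        self.M[(s, o)].discard(r)

    def _cell(self, s, o):
        if s not in self.subjects or o not in self.objects:
            raise KeyError(f"no cell M[{s!r}, {o!r}]")

    def rights(self, s, o):
        return frozenset(self.M.get((s, o), ()))

    # -- commands: a condition on M, then a body of primitive operations -----
    def cmd_create_file(self, s, f):
        """create_file(s, f): unconditional; creates f with s as its owner."""
        self.create_object(f)
        self.enter("own", s, f)

    def cmd_confer(self, r, owner, p, f):
        """confer(r, owner, p, f): if 'own' in M[owner, f] then enter r into M[p, f]."""
        if "own" not in self.rights(owner, f):
            return False                     # condition false: state unchanged
        self.enter(r, p, f)
        return True

    def cmd_revoke(self, r, owner, p, f):
        """revoke(r, owner, p, f): if 'own' in M[owner, f] then delete r from M[p, f]."""
        if "own" not in self.rights(owner, f):
            return False
        self.delete(r, p, f)
        return True


def demo():
    """alice owns 'payroll': she can grant and revoke bob's read; eve cannot grant herself write."""
    ps = HRU()
    for s in ("alice", "bob", "eve"):
        ps.create_subject(s)
    ps.cmd_create_file("alice", "payroll")
    out = {
        "alice_grants_bob": ps.cmd_confer("read", "alice", "bob", "payroll"),
        "eve_grants_self": ps.cmd_confer("write", "eve", "eve", "payroll"),
        "bob_after_grant": ps.rights("bob", "payroll"),
        "eve": ps.rights("eve", "payroll"),
    }
    out["alice_revokes_bob"] = ps.cmd_revoke("read", "alice", "bob", "payroll")
    out["bob_after_revoke"] = ps.rights("bob", "payroll")
    ps.destroy_object("payroll")             # destroying a column removes its cells
    out["cells_left"] = len(ps.M)
    return out
```

Every state change goes through the six primitives, so a command's effect on M is exactly the sum of its primitive operations once its condition holds; the only way eve obtains a right is through a command whose condition some owner satisfies.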
Figure: the same rights drawn as a graph over subjects S1, S2, S3 and objects O1, O2, O3, with edges labelled read, write and execute
Figure: layering, bottom to top: Hardware, OS Kernel, OS
• Compactness
– relatively small
• Verifiability
– formal methods; all situations are covered
CS 450/650 Lecture 22: Trusted Operating System
Reference Monitor
• portion of a security kernel that controls accesses
to objects
• Collection of access controls for
– devices, files, memory, interprocess communication, and other objects
Figure: subjects (S) reach objects (O) only through the reference monitor, drawn as a gate
• It must be
– always invoked when any object is accessed
– small enough
• for analysis and testing
– tamperproof
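An added example (not from the lecture slides) that serves both the security-level lattice above (ranks and compartments, dominance, lower and upper bounds) and the reference monitor: every access to an object goes through one check function that records its decision. The read-down and write-up rules enforced are the Bell-LaPadula simple-security and *-properties; that these are the rules behind the slide's read and write arrows is an assumption, as are the subject names s1, s2, the object names o1..o3, and the compartments NUC and EUR.

```python
"""Security levels <rank; compartments> as a lattice, and a reference monitor
that is consulted on every object access. Added example, not from the lecture
slides. The read-down / write-up rules enforced here are the Bell-LaPadula
simple-security and *-properties; that these are the rules behind the slide's
read/write arrows is an assumption, as are the subject and object names."""
from dataclasses import dataclass

RANKS = ("Restricted", "Confidential", "Secret", "Top Secret")   # low to high


@dataclass(frozen=True)
class Level:
    rank: str
    compartments: frozenset

    def dominates(self, other):
        """self >= other: rank at least as high and a superset of compartments."""
        return (RANKS.index(self.rank) >= RANKS.index(other.rank)
                and self.compartments >= other.compartments)


def glb(a, b):
    """Greatest lower bound (meet): lower rank, intersection of compartments."""
    return Level(RANKS[min(RANKS.index(a.rank), RANKS.index(b.rank))],
                 a.compartments & b.compartments)


def lub(a, b):
    """Least upper bound (join): higher rank, union of compartments."""
    return Level(RANKS[max(RANKS.index(a.rank), RANKS.index(b.rank))],
                 a.compartments | b.compartments)


class ReferenceMonitor:
    """Decides every (subject, operation, object) request and records the decision."""

    def __init__(self, clearances, classifications):
        self._clr = dict(clearances)         # subject -> Level
        self._cls = dict(classifications)    # object  -> Level
        self.audit = []                      # (subject, op, object, allowed)

    def check(self, subject, op, obj):
        s, o = self._clr[subject], self._cls[obj]
        if op == "read":
            allowed = s.dominates(o)         # simple security: read down only
        elif op == "write":
            allowed = o.dominates(s)         # *-property: write up only
        else:
            allowed = False                  # unknown operation: deny
        self.audit.append((subject, op, obj, allowed))
        return allowed


class Store:
    """Objects are reachable only through access(), so the monitor is always invoked."""

    def __init__(self, monitor, contents):
        self._monitor = monitor
        self._contents = dict(contents)

    def access(self, subject, op, obj, data=None):
        if not self._monitor.check(subject, op, obj):
            raise PermissionError(f"{subject} may not {op} {obj}")
        if op == "read":
            return self._contents[obj]
        self._contents[obj] = data
        return None


def demo():
    """Two subjects, three objects: allowed and denied requests, all audited."""
    conf = Level("Confidential", frozenset())
    sec_nuc = Level("Secret", frozenset({"NUC"}))
    ts_nuc_eur = Level("Top Secret", frozenset({"NUC", "EUR"}))
    rm = ReferenceMonitor(clearances={"s1": ts_nuc_eur, "s2": conf},
                          classifications={"o1": conf, "o2": sec_nuc, "o3": ts_nuc_eur})
    store = Store(rm, {"o1": "memo", "o2": "warhead count", "o3": "targets"})
    out = {}
    out["s1 reads o2"] = store.access("s1", "read", "o2")        # read down: allowed
    store.access("s2", "write", "o3", "field report")            # write up: allowed
    out["s1 reads o3"] = store.access("s1", "read", "o3")
    for subject, op, obj in (("s2", "read", "o2"),               # read up: denied
                             ("s1", "write", "o1")):             # write down: denied
        try:
            store.access(subject, op, obj, "leak")
            out[f"{subject} {op}s {obj}"] = True
        except PermissionError:
            out[f"{subject} {op}s {obj}"] = False
    out["decisions"] = len(rm.audit)
    return out
```

The audit list has one entry per request, including the denied ones, which is what "always invoked" buys you: there is no path to an object that skips the check. In a real kernel the tamperproof and small-enough properties come from the monitor living in a protected address space, not from a Python underscore prefix.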
Trusted Computing Base (TCB)
• Everything in the trusted OS necessary to
enforce security policy
• System element on which security
enforcement depends:
– Hardware
• processors, memory, registers, and I/O devices
– Processes
• separate and protect security-critical processes
Figure: TCB boundary. Outside the TCB: utilities, user request interpreter, … . Inside the TCB: segmentation, paging and memory management; primitive I/O; basic operations; clocks and timing; interrupt handling; capabilities; hardware (registers, memory)
TCB monitors basic interactions
• Process activation
• Memory Protection
• I/O operation
Figure: conventional layering, with security functions spread over two layers
User tasks
OS: resource allocation, sharing, access control, security activity (authentication functions)
OS kernel: hardware interactions, access control
Hardware
Separate Security Kernel
Figure: security kernel design, with security functions collected in one layer
User tasks
OS: resource allocation, sharing, hardware interactions
Security kernel: access control, authentication functions
Hardware
Separation
• Physical Separation
• Temporal Separation
• Cryptographic Separation
Real OS
• Paging System
– Each user’s virtual memory space can be as large
as the total addressable space
Figure: layered trusted OS, most trusted code at the bottom: compilers, database; OS utility functions; scheduling, sharing, memory management; synchronization, allocation (OS kernel); security kernel (security functions); hardware
Figure: a user authentication module decomposed into layers: user interface, user ID lookup, data comparison, data update
Assurance
• Testing
– based on the actual product being evaluated, not on an abstraction
• Verification
– each of the system's functions works correctly
• Validation
– the developer is building the right product
• according to the specification
• Proving a Theorem
– Time consuming
– Complex process
Figure: flowchart for finding the minimum of A[1..n]
  min ← A[1]
  i ← 1
  loop:
    i ← i + 1
    if i > n: Exit
    if min < A[i]: goto loop
    min ← A[i]
    goto loop
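An added example (not from the lecture slides) of what a proof of the flowchart has to establish: a precondition, a loop invariant that holds each time control returns to the loop head, and a postcondition. find_min follows the flowchart step by step and evaluates those assertions at runtime; exhaustive_check then runs it on every list of length 1 to 4 over a small value set. The value set and length bound are assumptions for the illustration, and the point is the contrast the slide draws: testing covers only the finitely many cases enumerated, while the proof that the invariant is preserved covers all inputs.

```python
"""The flowchart's find-minimum loop, annotated with the assertions a
correctness proof would establish. Added example, not from the slides.
find_min runs the algorithm and checks precondition, loop invariant and
postcondition at runtime; exhaustive_check runs it over every list drawn from
a small value set (an assumed bound), which covers finitely many cases where
a proof covers all of them."""
import itertools


def find_min(A):
    """Return min(A[1..n]) following the flowchart (A is 0-indexed here)."""
    n = len(A)
    assert n >= 1, "precondition: A is non-empty"
    mn = A[0]                    # min <- A[1]
    i = 1                        # i <- 1   (A[1..i] has been examined)
    while True:
        # loop invariant: 1 <= i <= n and mn == min(A[1..i])
        assert 1 <= i <= n and mn == min(A[:i]), "invariant violated"
        i += 1                   # i <- i + 1
        if i > n:                # exit test
            break
        if not (mn < A[i - 1]):  # 'min < A[i]?' answered no
            mn = A[i - 1]        # min <- A[i]
    # postcondition: every element examined and mn is the least of them
    assert i == n + 1 and mn == min(A), "postcondition violated"
    return mn


def exhaustive_check(max_len=4, values=(-1, 0, 1, 2)):
    """Run find_min on every list of length 1..max_len over `values`.
    Returns the number of cases checked; the first failing case raises
    AssertionError from inside find_min."""
    cases = 0
    for n in range(1, max_len + 1):
        for A in itertools.product(values, repeat=n):
            find_min(list(A))
            cases += 1
    return cases
```

With the defaults this checks 4 + 16 + 64 + 256 = 340 lists, and the count grows exponentially in the length bound; the invariant assertion is the statement a theorem prover would discharge once, for every n, which is why the proof route is the expensive but complete one the slide describes.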