Operating Systems Security Considerations


Mohammad Heidari 07/16/2005



Data-Oriented Access Control



Following a successful logon, the user has been granted access to one host or a set of hosts and applications. At this point we need data access control. Real-world operating system protection models fall basically into one of two types:
  1. Mandatory access controls (MAC)
  2. Discretionary access controls (DAC)
In computer security, passive resources are called objects and the active entities that use those resources are called subjects. Typical objects include files, directories, memory and printers; typical subjects include users and processes. The role depends on the situation: for example, a process can request access to some resource (acting as a subject) and later be the target of an access request (acting as an object).

Mandatory access controls (MAC)


In mandatory access control, also called multilevel access control, objects (information) are classified into hierarchical levels of security sensitivity (typically top secret, secret and confidential), and subjects (users) are assigned a security clearance. Access of a subject to an object is granted or denied depending on the relation between the clearance of the subject and the security classification of the object. The lattice model and the Bell-LaPadula model are based on MAC.
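As an added illustration (not part of the original paper), the following Python sketch models clearances and classifications as labels in a lattice and applies the two Bell-LaPadula rules to decide read and write requests. The level ordering, the compartment sets and the extra "unclassified" level are constructed for the example, not taken from the paper.

```python
# Added example (not from the original paper): a lattice-based MAC check in the style of
# Bell-LaPadula. Levels are totally ordered; compartments form a set, so (level, compartments)
# pairs form a lattice ordered by "dominates".
from dataclasses import dataclass, field

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}  # constructed ordering

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def may_read(clearance: Label, classification: Label) -> bool:
    # Simple security property ("no read up"): the subject's clearance must dominate the object.
    return clearance.dominates(classification)

def may_write(clearance: Label, classification: Label) -> bool:
    # *-property ("no write down"): the object's label must dominate the subject's clearance,
    # so a highly cleared subject cannot copy data into a lower-classified object.
    return classification.dominates(clearance)

# Constructed sample labels
analyst = Label("secret", frozenset({"crypto"}))
report_secret_crypto = Label("secret", frozenset({"crypto"}))
report_top_secret = Label("top secret", frozenset({"crypto"}))
report_confidential_nuclear = Label("confidential", frozenset({"nuclear"}))

if __name__ == "__main__":
    print(may_read(analyst, report_secret_crypto))         # True: same label
    print(may_read(analyst, report_top_secret))            # False: no read up
    print(may_read(analyst, report_confidential_nuclear))  # False: missing compartment
    print(may_write(analyst, report_top_secret))           # True: writing up is permitted
    print(may_write(analyst, Label("confidential")))       # False: no write down
```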

Discretionary access controls (DAC)


Each object has a unique owner. The owner exercises discretion over the assignment of access permissions. Lampson introduced the access matrix model for DAC. The core of this model is a matrix whose rows are indexed by subjects and whose columns are indexed by objects.


Figure 1 Access Matrix

In real systems, however, the access control matrix is not very practical: it is usually sparse and contains a lot of redundancy, and although new subjects and objects can be added or removed easily, a centralized matrix can become a bottleneck. The matrix may be decomposed by columns, yielding Access Control Lists (ACLs) (Figure 2). Thus for each object, an ACL details the users and their permitted access rights. An ACL may contain a default or public entry. Decomposition by rows yields capability tickets (Figure 3). A capability ticket specifies the authorized objects and operations for a user. Each user has a number of tickets and may be authorized to lend or give them to others. Because tickets may be dispersed around the system, they present a greater security problem than ACLs. To address this problem, the OS holds all tickets on behalf of the users; these tickets must be held in a region of memory inaccessible to users.


Figure 2 ACL



Figure 3 Capability lists
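As an added example (not from the original paper), the following Python code builds a small access matrix from constructed subjects, objects and rights, decomposes it by column into ACLs and by row into capability lists, and checks that both decompositions answer every access question exactly as the matrix does. The `lend_ticket` helper is a hypothetical illustration of the OS passing a ticket between users on their behalf.

```python
# Added example (not from the original paper): Lampson's access matrix as a sparse dict,
# decomposed by column into ACLs and by row into capability lists (Figures 2 and 3).
from collections import defaultdict

# Constructed sample matrix: (subject, object) -> set of rights. A missing cell means no access.
MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("alice", "printer1"):   {"print"},
    ("bob",   "payroll.db"): {"read"},
    ("bob",   "notes.txt"):  {"read", "write", "own"},
    ("carol", "printer1"):   {"print"},
}

def to_acls(matrix):
    """Decompose by column: object -> {subject: rights}, stored alongside each object."""
    acls = defaultdict(dict)
    for (subj, obj), rights in matrix.items():
        acls[obj][subj] = set(rights)
    return dict(acls)

def to_capabilities(matrix):
    """Decompose by row: subject -> {object: rights}; each entry is a ticket held for the subject."""
    caps = defaultdict(dict)
    for (subj, obj), rights in matrix.items():
        caps[subj][obj] = set(rights)
    return dict(caps)

def acl_allows(acls, subj, obj, right, public=None):
    # Lookup is per object; an optional default/public entry covers subjects not listed.
    rights = acls.get(obj, {}).get(subj, public or set())
    return right in rights

def cap_allows(caps, subj, obj, right):
    # Lookup is per subject: does it hold a ticket for obj that carries the right?
    return right in caps.get(subj, {}).get(obj, set())

def lend_ticket(caps, giver, receiver, obj):
    # Hypothetical helper: the OS copies a ticket on the giver's behalf, so tickets stay in protected memory.
    ticket = caps.get(giver, {}).get(obj)
    if ticket is None:
        raise PermissionError(f"{giver} holds no ticket for {obj}")
    caps.setdefault(receiver, {})[obj] = set(ticket)

def decompositions_agree(matrix):
    """Every (subject, object, right) query gives the same answer via matrix, ACL and capability list."""
    acls, caps = to_acls(matrix), to_capabilities(matrix)
    subjects, objects = {s for s, _ in matrix}, {o for _, o in matrix}
    rights = set().union(*matrix.values())
    return all(acl_allows(acls, s, o, r) == cap_allows(caps, s, o, r) == (r in matrix.get((s, o), set()))
               for s in subjects for o in objects for r in rights)
```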


Protection Based on an OS mode



Most processors support at least two modes of operation: user mode and kernel mode. The reason for using two modes should be clear. It is necessary to protect the OS and key OS tables, such as process control blocks, from interference by user programs; the OS therefore runs in kernel mode. This level of control is not necessary for user mode.


File Sharing



Multi-user systems almost always require that files can be shared among a number of users. There are several access rights, such as reading, appending, updating and changing protection, and these access rights can be granted to different classes of users: a specific user (identified by user ID), user groups, or all users. When more than one user is granted access to append or update a file, the OS must enforce discipline. A brute-force approach is to allow a user to lock the entire file while it is being updated.


Operating Systems Vulnerabilities



Vulnerabilities will probably always exist in large and complex software systems. At least with today's software methods, techniques, and tools, it seems impossible to completely eliminate all flaws. Operating systems are examples of software components that are large, very complex, and vulnerable. At the same time, these components play an important role in the achievement of overall system security, since many protection mechanisms and facilities, such as authentication and access control, are provided by the operating system. A vulnerability is defined as a place at which the probability of a breach exceeds a predefined threshold. One of the taxonomies presented in Categorization of Security Vulnerabilities is shown in Figure 4 [3].


Figure 4 Taxonomy of security faults

Observations on common operating system vulnerabilities indicate that similar vulnerabilities have been grouped together in a heuristic manner rather than according to some formal model. A collection of five common security problems has been identified and is described below. The first four have a technical or system-related basis, while the fifth is related to organizational or management problems. The groups are not orthogonal: a specific vulnerability may belong to more than one group. Not all vulnerabilities originate from the operating system itself. A badly chosen password, for example, is not an operating system vulnerability but a user-related weakness, caused by the user being either unaware of the possible consequences or simply careless.

Improper input validation: In general, it is essential to carefully check the input to software routines, i.e., to perform input validation. The check may concern the number of parameters provided, the type of each parameter, or simply ensuring that the amount of input data is not larger than the buffer allocated to store it. Improper or non-existent input validation is a well-known and serious problem in operating systems.

Weak cryptographic algorithms: Overly weak algorithms in cryptographic systems are, in our opinion, another security problem. In operating systems, cryptographic algorithms have long been used to encrypt passwords. However, if the algorithm in use is not sufficiently strong, an attacker may manage to derive plaintext passwords from their encrypted representations. Note that a strong cryptographic algorithm can suddenly become weak as a result of a research breakthrough in, for example, number theory.

Weak authentication protocols: Before a user gains permission to access resources, he must prove his identity. This process is called authentication. Most authentication systems are based on a secret common to the parties involved. The authentication mechanism is most often simply a password, a secret word known only to the system and the user. However, accomplishing a secure authentication procedure is a complex task, especially in a distributed environment.

Insecure bootstrapping: From our security analyses it is apparent that system initialization is a major security problem in today's operating systems. All studied systems were vulnerable during bootstrapping. For example, many attackers discovered that SunOS was easily rebooted in single-user mode. Commands entered in that mode run with root privileges, and it was possible to extend these privileges to the server. A Windows NT system executing on a PC can most often be rebooted with a foreign operating system, such as MS-DOS. Once a foreign system is booted on the PC, the NTFS volume may be mounted. Access to files on the newly mounted volume bypasses the access control mechanism enforced when Windows NT is operating.

Configuration mistakes: In current operating systems, security features and mechanisms are seldom activated by default. A secure "out-of-the-box" installation is the exception rather than the rule. To achieve an acceptable security level, the system owner must, after completing the installation, spend quite some time securing the system. However, securing a system is not a trivial task, since operating systems are large and complex. In addition, the number of skilled practitioners in computer security is very small.

Malicious code (such as Trojan horses) is another important threat; it is discussed in "Malicious Codes in Depth" [4].


Conclusion



This paper has explained the main aspects of OS security. Much of the work in security and protection as it relates to OSs can be roughly grouped into three elements:
  1. Access Control: Concerned with regulating user access to the total system and its subsystems, and regulating process access to the various resources and objects within the system.
  2. Information Flow Control: Regulates the flow of data within the system and its delivery to users.
  3. Certification: Relates to proving that the access and flow control mechanisms perform according to their specifications and that they enforce the desired protection and security policies.

References



[1] C. Pfleeger, Security in Computing, Upper Saddle River, NJ: Prentice-Hall PTR, 1997.
[2] William Stallings, "Security", School of Information Technology, Griffith University, 2001.
[3] C.R. Attanasio, P. Markstein and R.J. Phillips, "Penetrating an OS", IBM Systems Journal, 1996.
[4] Mohammad Heidari, "Malicious Codes in Depth", SecurityDocs.com, 2004.
Unless otherwise noted, all paper copyrights are owned by the author. The rest copyright 2003-2005 TechTarget