ENFORCING THE ⋆-PROPERTY BUILDING SECURE CAPABILITY SYSTEMS
10.4. BUILDING SECURE CAPABILITY SYSTEMS 149
2. It is a read-only, weak capability, or 3. It is a capability to a constructor that recursively generates confined products i.e., environ- ments. These capabilities preserve confinement because they do not change the protection state by adding rights 1 and 2 or they only add rights by generated new confined environments. These requirements for a confined environment are very restrictive, so EROS includes a fall- back position that is similar to that of SCAP. If a process has some capabilities that are not safe, EROS checks whether these capabilities are authorized. That is, it checks whether the capabilities that the confined environment may ultimately obtain are a subset of the authorized capabilities that define confinement. If so, the process may be executed. Determining all the capabilities that a process may need in advance is nontrivial undertaking, so in some cases, we envision that runtime checking similar to SCAP, but using authorized capabilities to define confinement would be necessary. Since EROS also mediates capability loads to enforce weak capabilities, this would be feasible. The SCAP design also considers the impact of covert channels on confinement carefully. SCAP prevents storage channels by eliminating system-wide views of system state. For example, domains are limited to storage quotas and page tables are unshared. Addressing timing channels is a more ad hoc procedure, but is a consideration throughout the design.10.4.3 REVOKING CAPABILITIES
Redell defined the first comprehensive approach to revocation in capability systems [ 252 ]. In this system, the owner of an object has a choice whether to grant normal capabilities i.e., with no hope of revocation or grant capabilities that are associated with a special revoker capability. A revoker capability is a level of indirection that enables the owner to revoke all the capabilities that reference the object through that revoker capability. Simply by deleting the revoker capability, the other capabilities lose access to the object. This is because the object is only available via the revoker capability. The idea is shown in Figure 10.2. An owner creates a revoker capability and grants a capability that points to that revoker capability to Process 1. Revoker capabilities may be used by other subjects as well. Process 1 can also create a revoker capability and create a capability that points to it for Process 2. Thus, the owner will revoke both Process 1 and Process 2’s access should she delete her revoker capability. However, Process 1 can only revoke access from Process 2. Note that the capability for Process 3 cannot be revoked i.e., without examining Process 3’s memory because it points directly to the object. Redell’s scheme could result in a deep nesting of revoker capabilities, so SCAP defines two different schemes, called revocation with eventcounts and revocation by chaining. Revocation with eventcounts is appropriate for systems that use the same page table for each shared object. In re- vocation by eventcounts, an event, such as revoking a capability, causes an eventcount to change. Eventcount values are stored with capabilities as well, so that should a revocation occur, the event- 150 CHAPTER 10. SECURE CAPABILITY SYSTEMS Figure 10.2: Redell’s revoker capability approach: When the revoker capability is revoked all the capa- bilities that were based on it are also revoked. count between the capability and the page table will differ, triggering a verification whether the capability is still valid. If there are multiple page table entries that point to the same physical page because it is shared by multiple processes, the revocation by eventcounts cannot be used. Revocation by chaining creates a ring of capability records for the same page by adding a pointer field to each capability. Thus, the revocation of any capability in the chain enables triggers a reassessment of the validity of the remaining capabilities in the chain. All such capabilities are accessible because they are chained together. Both the revocation by eventcounts and revocation by chaining approaches are rather com- plex and potentially expensive to implement, so the later EROS system reverted to an indirection mechanism similar to Redell [ 252 ] to revoke capabilities. An indirect revoker capability may be obtained that enables later revocation, as described above [ 288 ]. The memory usage problems cited by SCAP as a reason for seeking alternative revocation schemes had become less of an issue by the late 1990s.Parts
» SECURE OPERATING SYSTEMS 3 Operating Systerm Security
» SECURE OPERATING SYSTEMS Operating Systerm Security
» SECURITY GOALS Operating Systerm Security
» SECURITY GOALS 5 Operating Systerm Security
» TRUST MODEL Operating Systerm Security
» THREAT MODEL 7 Operating Systerm Security
» THREAT MODEL Operating Systerm Security
» SUMMARY Operating Systerm Security
» MANDATORY PROTECTION SYSTEMS PROTECTION SYSTEM 11
» PROTECTION SYSTEM 13 Operating Systerm Security
» REFERENCE MONITOR Operating Systerm Security
» REFERENCE MONITOR 15 Operating Systerm Security
» SECURE OPERATING SYSTEM DEFINITION
» SECURE OPERATING SYSTEM DEFINITION 17
» ASSESSMENT CRITERIA 19 ASSESSMENT CRITERIA
» SUMMARY 21 Operating Systerm Security
» MULTICS HISTORY THE MULTICS SYSTEM
» MULTICS FUNDAMENTALS THE MULTICS SYSTEM 25
» MULTICS SECURITY FUNDAMENTALS THE MULTICS SYSTEM 25
» MULTICS PROTECTION SYSTEM MODELS
» MULTICS PROTECTION SYSTEM THE MULTICS SYSTEM 29
» MULTICS REFERENCE MONITOR THE MULTICS SYSTEM 31
» MULTICS SECURITY 33 Operating Systerm Security
» MULTICS SECURITY Operating Systerm Security
» MULTICS SECURITY 35 Operating Systerm Security
» MULTICS VULNERABILITY ANALYSIS Operating Systerm Security
» SUMMARY 37 Operating Systerm Security
» UNIX HISTORY SYSTEM HISTORIES
» WINDOWS HISTORY SYSTEM HISTORIES
» UNIX SECURITY 41 Operating Systerm Security
» UNIX PROTECTION SYSTEM UNIX SECURITY
» UNIX AUTHORIZATION UNIX SECURITY 43
» Complete Mediation: How does the reference monitor interface ensure that all security-
» Complete Mediation: Does the reference monitor interface mediate security-sensitive oper-
» Complete Mediation: How do we verify that the reference monitor interface provides com-
» Tamperproof: How does the system protect the reference monitor, including its protection
» Tamperproof: Does the system’s protection system protect the trusted computing base pro-
» UNIX VULNERABILITIES UNIX SECURITY 47
» WINDOWS SECURITY 49 Operating Systerm Security
» WINDOWS PROTECTION SYSTEM WINDOWS SECURITY
» WINDOWS AUTHORIZATION WINDOWS SECURITY 51
» Verifiable: What is basis for the correctness of the system’s trusted computing base?
» WINDOWS VULNERABILITIES WINDOWS SECURITY 55
» INFORMATION FLOW Operating Systerm Security
» INFORMATION FLOW SECRECY MODELS 59
» INFORMATION FLOW SECRECY MODELS
» BELL-LAPADULA MODEL INFORMATION FLOW SECRECY MODELS 61
» INFORMATION FLOW SECRECY MODELS 63
» INFORMATION FLOW INTEGRITY MODELS
» BIBA INTEGRITY MODEL INFORMATION FLOW INTEGRITY MODELS 65
» LOW-WATER MARK INTEGRITY INFORMATION FLOW INTEGRITY MODELS 67
» CLARK-WILSON INTEGRITY INFORMATION FLOW INTEGRITY MODELS 67
» THE CHALLENGE OF TRUSTED PROCESSES
» COVERT CHANNELS Operating Systerm Security
» CHANNEL TYPES COVERT CHANNELS 71
» SUMMARY 73 Operating Systerm Security
» THE SECURITY KERNEL Operating Systerm Security
» SECURE COMMUNICATIONS PROCESSOR 77 Operating Systerm Security
» SCOMP ARCHITECTURE SECURE COMMUNICATIONS PROCESSOR
» SCOMP HARDWARE SECURE COMMUNICATIONS PROCESSOR 79
» SCOMP TRUSTED OPERATING PROGRAM
» SCOMP KERNEL INTERFACE PACKAGE
» SECURE COMMUNICATIONS PROCESSOR 85 Operating Systerm Security
» GEMINI SECURE OPERATING SYSTEM
» GEMINI SECURE OPERATING SYSTEM 87
» SUMMARY 89 Operating Systerm Security
» RETROFITTING SECURITY INTO A COMMERCIAL OS
» HISTORY OF RETROFITTING COMMERCIAL OS’S 93
» HISTORY OF RETROFITTING COMMERCIAL OS’S COMMERCIAL ERA
» MICROKERNEL ERA 95 Operating Systerm Security
» MICROKERNEL ERA Operating Systerm Security
» UNIX ERA 97 Operating Systerm Security
» RECENT UNIX SYSTEMS UNIX ERA 99
» SUMMARY 101 Operating Systerm Security
» TRUSTED EXTENSIONS ACCESS CONTROL
» SOLARIS COMPATIBILITY 105 Operating Systerm Security
» SOLARIS COMPATIBILITY Operating Systerm Security
» TRUSTED EXTENSIONS MEDIATION Operating Systerm Security
» TRUSTED EXTENSIONS MEDIATION 107 Operating Systerm Security
» PROCESS RIGHTS MANAGEMENT PRIVILEGES
» PRIVILEGE BRACKETING AND RELINQUISHING
» CONTROLLING PRIVILEGE ESCALATION PROCESS RIGHTS MANAGEMENT PRIVILEGES 111
» ASSIGNED PRIVILEGES AND SAFEGUARDS
» RBAC AUTHORIZATIONS ROLE-BASED ACCESS CONTROL RBAC
» CONVERTING THE SUPERUSER TO A ROLE
» TRUSTED EXTENSIONS NETWORKING 115 Operating Systerm Security
» TRUSTED EXTENSIONS NETWORKING Operating Systerm Security
» TRUSTED EXTENSIONS MULTILEVEL SERVICES TRUSTED EXTENSIONS MULTILEVEL SERVICES 117
» TRUSTED EXTENSIONS ADMINISTRATION Operating Systerm Security
» SUMMARY 119 Operating Systerm Security
» LSM HISTORY LINUX SECURITY MODULES
» LSM IMPLEMENTATION LINUX SECURITY MODULES 123
» LINUX SECURITY MODULES 125 Operating Systerm Security
» SELINUX REFERENCE MONITOR SECURITY-ENHANCED LINUX
» SECURITY-ENHANCED LINUX 127 Operating Systerm Security
» SELINUX PROTECTION STATE SECURITY-ENHANCED LINUX 129
» SELINUX LABELING STATE SECURITY-ENHANCED LINUX 131
» SELINUX TRANSITION STATE SECURITY-ENHANCED LINUX 133
» SELINUX TRUSTED PROGRAMS SECURITY-ENHANCED LINUX 135
» SUMMARY 139 Operating Systerm Security
» CAPABILITY SYSTEM FUNDAMENTALS Operating Systerm Security
» CAPABILITY SECURITY Operating Systerm Security
» CHALLENGES IN SECURE CAPABILITY SYSTEMS 143
» CAPABILITIES AND THE ⋆-PROPERTY
» CAPABILITIES AND CONFINEMENT CHALLENGES IN SECURE CAPABILITY SYSTEMS
» CAPABILITIES AND POLICY CHANGES
» ENFORCING THE ⋆-PROPERTY BUILDING SECURE CAPABILITY SYSTEMS
» ENFORCING CONFINEMENT BUILDING SECURE CAPABILITY SYSTEMS 147
» REVOKING CAPABILITIES BUILDING SECURE CAPABILITY SYSTEMS 149
» SUMMARY 151 SUMMARY Operating Systerm Security
» SEPARATION KERNELS 155 SEPARATION KERNELS
» VAX VMM DESIGN VAX VMM SECURITY KERNEL
» SECURITY IN OTHER VIRTUAL MACHINE SYSTEMS 163
» SECURITY IN OTHER VIRTUAL MACHINE SYSTEMS
» SECURITY IN OTHER VIRTUAL MACHINE SYSTEMS 165
» SUMMARY 167 Operating Systerm Security
» ORANGE BOOK Operating Systerm Security
» ORANGE BOOK 171 Operating Systerm Security
» COMMON CRITERIA CONCEPTS COMMON CRITERIA
Show more