SCOMP ARCHITECTURE SECURE COMMUNICATIONS PROCESSOR
CHAPTER 6. SECURITY KERNELS
6.2. SECURE COMMUNICATIONS PROCESSOR

[Figure 6.2: The Scomp security protection module (SPM) mediates all accesses to IO controllers and memory by mediating the IO bus. The SPM also translates virtual addresses to physical segment addresses for authorization.]

switches. Second, drivers have been shown to be the source of many kernel errors [82], so the ability to remove them from the trusted computing base would improve software correctness. Further, in this architecture, new IO devices can be added without modifying the kernel or the SPM, so the system's extensibility does not suffer from this approach.

Modern hardware, such as the x86 architecture, adopted the four-ring architecture of Scomp, but not the IO mediation provided by the SPM. As a result, such systems are vulnerable to DMA devices. Buggy or malicious drivers can configure a DMA device to write at any physical memory location, so kernel memory may be overwritten. Since DMA bypasses the CPU, the kernel cannot prevent such writes in software.

Recently, both Intel and AMD have released processors with IO memory protection, called an IO MMU [141, 8]. An IO MMU also mediates an IO bus (the PCI bus), but the devices communicate using virtual addresses rather than IO descriptors. The IO MMU translates these virtual IO addresses to physical addresses, authorizing access to the resultant physical address. The IO MMU approach provides the advantages envisioned by the SPM architecture. For example, passthrough IO built on IO MMUs enables IO to be conveyed directly from the device to untrusted processes. The use of virtual IO addresses rather than the IO descriptors as in Scomp reflects the change from segmented protection of early systems to page protection of modern systems.
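The contrast drawn above between unmediated DMA and IO MMU translation can be modeled in a few lines of C. This is an added example, not code from the book or from any real IO MMU driver; the 8-page memory, the `io_domain` layout and the NIC mapping are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE 4096u
#define NPAGES 8u                     /* constructed toy machine: 8 physical pages */
static uint8_t phys[NPAGES * PAGE];   /* page 0 stands in for kernel memory */

/* IO page-table entry: IO-virtual page -> physical page, plus write permission. */
struct io_pte { int valid, writable; uint32_t phys_page; };
struct io_domain { struct io_pte pt[NPAGES]; };   /* one per device, set by trusted code */

/* No IO MMU: the device names a physical address, so any page is reachable. */
int dma_write_raw(uint32_t pa, const void *src, uint32_t len) {
    if (pa >= sizeof phys || len > sizeof phys - pa) return -1;
    memcpy(&phys[pa], src, len);
    return 0;
}

/* IO MMU: authorize every page the transfer touches, then translate and write. */
int dma_write_iommu(const struct io_domain *d, uint32_t iova, const void *src, uint32_t len) {
    uint64_t end = (uint64_t)iova + len;
    for (uint64_t a = iova; a < end; a = (a / PAGE + 1) * PAGE) {
        uint64_t vp = a / PAGE;
        if (vp >= NPAGES || !d->pt[vp].valid || !d->pt[vp].writable ||
            d->pt[vp].phys_page >= NPAGES)
            return -1;                /* IO page fault: nothing is written */
    }
    for (uint32_t i = 0; i < len; i++) {
        uint32_t a = iova + i;
        phys[d->pt[a / PAGE].phys_page * PAGE + a % PAGE] = ((const uint8_t *)src)[i];
    }
    return 0;
}

/* Constructed mapping for a hypothetical NIC: IO page 0 -> physical page 5 (rw),
   IO page 1 -> physical page 6 (read-only); everything else is unmapped. */
struct io_domain demo_domain(void) {
    struct io_domain d;
    memset(&d, 0, sizeof d);
    d.pt[0] = (struct io_pte){ 1, 1, 5 };
    d.pt[1] = (struct io_pte){ 1, 0, 6 };
    return d;
}

int main(void) {
    struct io_domain d = demo_domain();
    printf("raw write to kernel page:  %d\n", dma_write_raw(16, "X", 1));
    printf("iommu write, mapped page:  %d\n", dma_write_iommu(&d, 16, "X", 1));
    printf("iommu write, unmapped:     %d\n", dma_write_iommu(&d, 3 * PAGE, "X", 1));
    return 0;
}
```

The same device-supplied address, 16, lands in the kernel page in the raw case and in physical page 5 once it is treated as a virtual IO address.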
While segmentation is still supported, modern operating systems use address spaces based on sets of pages managed by page tables rather than by managing memory segments.

6.2.3 SCOMP TRUSTED OPERATING PROGRAM
Technically, the Scomp Trusted Operating Program (STOP) consists of three components: (1) a security kernel; (2) a set of trusted software; and (3) a Scomp kernel interface package for user applications. We describe the first two in this subsection, and discuss user applications and the interface package in the following subsection.

Security Kernel

The Scomp security kernel provides fundamental system processing in ring 0. The security kernel provides memory management, process scheduling, interrupt management, auditing, and reference monitoring functions. Consistent with the idea of a security kernel, the function of the Scomp security kernel is minimized to reduce the amount of trusted code. As a result, the Scomp security kernel is only 10K source lines of code, mostly written in Pascal.

Kernel objects consist of processes, segments, and devices. Each is identified by a globally-unique, immutable 64-bit identifier. The kernel maintains access control information and status data for each object. The Scomp access control model is essentially the same as the Multics approach (see Chapter 3), consisting of multilevel security (i.e., Bell-LaPadula sensitivity levels and category sets [23]), ring bracket policies, and discretionary policies. The ring bracket representation is modified to describe access based on the owner of the object, groups, or others. Thus, an owner may be allowed to access an object from a different set of rings than an arbitrary user.

The security kernel defines 38 gates for processes running outside the kernel to invoke kernel services. Gates are analogous to system calls in modern operating systems, providing functions to create objects, map segments, and pin physical memory to virtual addresses. Scomp gates are also analogous to Multics gates in that they provide argument validation to protect the integrity of the security kernel.
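The three-part access decision described above (multilevel labels, per-class ring limits, discretionary permissions) can be sketched as a single check. This is an added example, not Scomp code: the struct layouts, the order of the checks, and the reduction of each ring bracket to one highest permitted ring per owner/group/other class are simplifying assumptions.

```c
#include <stdint.h>
#include <stdio.h>

enum op { OP_READ, OP_WRITE };
enum verdict { ALLOW, DENY_MLS, DENY_RING, DENY_DAC };

/* Bell-LaPadula label: sensitivity level plus a category set held as a bitmask. */
struct label { int level; uint32_t cats; };
struct subject { uint32_t uid, gid; int ring; struct label lbl; };

/* Index 0 = owner, 1 = group, 2 = other. Assumption: one highest permitted ring
   per class instead of a full bracket; perms use bit 0 = read, bit 1 = write. */
struct object { uint32_t owner, group; struct label lbl; int max_ring[3]; unsigned perms[3]; };

static int dominates(struct label a, struct label b) {
    return a.level >= b.level && (a.cats & b.cats) == b.cats;
}

/* All three policies must agree: MLS, then ring limit, then discretionary bits. */
enum verdict check_access(const struct subject *s, const struct object *o, enum op op) {
    /* Read needs subject >= object; write needs object >= subject (*-property). */
    if (op == OP_READ ? !dominates(s->lbl, o->lbl) : !dominates(o->lbl, s->lbl))
        return DENY_MLS;
    int cls = s->uid == o->owner ? 0 : s->gid == o->group ? 1 : 2;
    if (s->ring > o->max_ring[cls]) return DENY_RING;
    if (!(o->perms[cls] & (op == OP_READ ? 1u : 2u))) return DENY_DAC;
    return ALLOW;
}

/* Constructed object: level 2 with category 0; owner 100 may use it from rings
   0-3 (rw), group 20 from rings 0-2 (read), others from rings 0-1 (read). */
struct object demo_object(void) {
    struct object o = { 100, 20, { 2, 0x1 }, { 3, 2, 1 }, { 3, 1, 1 } };
    return o;
}

struct subject make_subject(uint32_t uid, uint32_t gid, int ring, int level, uint32_t cats) {
    struct subject s = { uid, gid, ring, { level, cats } };
    return s;
}

int main(void) {
    struct object o = demo_object();
    struct subject owner = make_subject(100, 20, 3, 2, 0x1);
    struct subject other = make_subject(200, 30, 3, 2, 0x1);
    printf("owner read from ring 3: %d\n", check_access(&owner, &o, OP_READ));
    printf("other read from ring 3: %d\n", check_access(&other, &o, OP_READ));
    return 0;
}
```

With identical labels and the same ring, the owner is allowed and the arbitrary user is refused on the ring check, which is the owner/group/other distinction the modified ring bracket representation introduces.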
Trusted Software

Scomp trusted software runs services that do not require ring 0 privilege, but provide functions that must be trusted to enforce control on user applications properly. There are two types of trusted software. The first type of trusted software is trusted not to violate system secrecy or integrity goals. For example, a secure loader is trusted to load a process for any subject that ensures correct enforcement of that subject's information flows. The second type of trusted