separation kernel protection profile revisited choices
play

Separation Kernel Protection Profile Revisited: Choices and - PowerPoint PPT Presentation

Jul 18, 2023 •204 likes •383 views

Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop 2010 Austin, Texas Timothy Levin, Thuy Nguyen, Cynthia Irvine, Michael McEvilley LAW 2010 Overview Purpose Help users of SKPP understand

  1. Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop 2010 Austin, Texas Timothy Levin, Thuy Nguyen, Cynthia Irvine, Michael McEvilley LAW 2010

  2. Overview • Purpose • Help users of SKPP understand intent of requirements • Explain critical decisions in SKPP development • Describe several errata • Content • SKPP Accomplishments • Separation Kernels • Compound Security Policy • Evolution of Security Policy Semantics • Acyclic Partition Flow Requirement • SKPP‐based Assurance Level • SKPP Errata T. E. Levin, T. D. Nguyen, C. E. Irvine, M. McEvilley LAW 2010 2

  3. SKPP Accomplishments • First high robustness product protection profile sanctioned by the U.S. Government. • Specified new requirements for Target of Evaluation (TOE) hardware. • Developed a new abstraction and related requirements for least privilege in separation kernels • Developed a means by which a TOE could ensure the adequacy of its trusted subjects • Developed configuration vector concepts • Multiple vectors allow pre‐vetted policy options • Developed specifications for a configuration tool • used by security administrators to prepare configuration vectors . • Developed concepts and requirements for dynamic, runtime changes to the TOE configuration • Finished T. E. Levin, T. D. Nguyen, C. E. Irvine, M. McEvilley LAW 2010 3

  4. Separation Kernel • Controls all physical resources • Exports subset of resources • Kernel partitions exported resources - Every resource bound to exactly one partition • Compound Policy: S2R p and P2P p - Controls flow between subjects and resources • Flow = [s: subject, r: resource, m: mode] • Allowed flows: S2R {flow} // Policy structure - Controls flows between partitions • Pflow = [subj_p: partition, res_p: partition, m: mode] • Allowed flows: P2P {pflow} // Policy structure T. E. Levin, T. D. Nguyen, C. E. Irvine, M. McEvilley LAW 2010 4

  5. Compound Security Policy: Engineering Choices • Reduce dual policies with trusted initialization function: - allowed (s: subject, r: resource m: mode) means that • flow(s, r, m) is allowed by S2R and P2P // details later - Cache all legal accesses in hardware during initialization: ∀ s: subject, r: resource m: mode: allowed (s, r, m) -> cache(s,r,m) = valid export (s, cache(s,r,m)) - Cached accesses checked by hardware during runtime • subject s reads resource r using hardware token, cache(s,r,m) - No need for kernel to access P2P or S2R during runtime • Except for encapsulated objects w.o. hw descriptors T. E. Levin, T. D. Nguyen, C. E. Irvine, M. McEvilley LAW 2010 5

  6. SKPP Policy Semantics: Original Policy • Original Policy ALLOWED([s: subject, r:resource, m:mode]) = [s, r, m] ∈ S2R ∧ [s.p, r.p, m] ∈ P2P • Bipartite Policy ALLOWED([s: subject, r:resource, m:mode]) = S2R p ∈ sys.policy → [s, r, m] ∈ S2R ∧ P2P p ∈ sys.policy → [s.p, r.p, m] ∈ P2P where sys.policy indicates which policies are configured to be active T. E. Levin, T. D. Nguyen, C. E. Irvine, M. McEvilley LAW 2010 6

  7. SKPP Policy Semantics: Ordered Policy • Ordered Policy - Includes three‐value logic: allow , deny and don’t care (null) ALLOWED?([s: subject, r:resource, m:mode]) = If S2R(s,r).m = deny then false else if S2R(s, r).m = allow then true else if P2P(s.p, r.p).m = deny // null S2R(s, r).m then false else if P2P(s.p, r.p).m = allow then true // null P2P(s.p, r.p).m else false • This policy enables an override of the P2P p policy by including anything other than null in the S2R entry. T. E. Levin, T. D. Nguyen, C. E. Irvine, M. McEvilley LAW 2010 7

  8. SKPP Policy Semantics: Final Policy • Final (Published) Policy S2R p ∈ sys.policy → ( S2R(s, r). m = allow ∨ (S2R(s,r).m = null ∧ P2P(s.p, r.p).m = allow ) ) ∧ P2P p ∈ sys.policy → P2P(s.p, r.p).m = allow • Note that the S2R p policy references the P2P values, regardless of whether the P2P p policy itself is active. T. E. Levin, T. D. Nguyen, C. E. Irvine, M. McEvilley LAW 2010 8

  9. SKPP Policy Semantics: Engineering Choices • Formal security policy model required - Vendor can select from variety of noninterference and other models - NSA seems to have encouraged GWV model • Policy implementation for SKPP compliance - Implement original policy or final policy? • Evaluators may require final policy be available as a configuration option • Original policy is at least as restrictive - Lack of policy override means that there are fewer reachable states in the original policy than in the final policy T. E. Levin, T. D. Nguyen, C. E. Irvine, M. McEvilley LAW 2010 9

  10. Acyclic Partition Flow Requirement • Environment Security Objectives - OE.TRUSTED_FLOWS • For each configuration of the TOE, a partial order of the flows that are allowed between policy equivalence classes will be identified. • Any subject allowed by the configuration data to cause information flow that is contrary to the partial order will be trusted at least with assurance commensurate with the value of the IT assets in all equivalence classes to which it has access. T. E. Levin, T. D. Nguyen, C. E. Irvine, M. McEvilley LAW 2010 10

  11. Acyclic Partition Flow Requirement • OE.TRUSTED_FLOWS requires that the TSF be presented with a representation of the strict policy of the system - Subset of flows allowed by P2P rules - Only trusted subjects may bypass strict policy - Legend • Strict P2P Policy • Trusted Subject • Relaxed flows T. E. Levin, T. D. Nguyen, C. E. Irvine, M. McEvilley LAW 2010 11

  12. Alternative Policy Model • Other models for P2P, S2R and PAS resolution are possible. • One is where P2P (P2P’) would be required to be acyclic - Flows allowed by S2R but not by P2P’ would be denied • unless the calling subject was a trusted subject. • This simplifies the policy and also allows S2R to override P2P for trusted subjects ALLOWED([s: subject, r:resource, m:mode]) = [s, r, m] ∈ S2R’ ∧ ([s.p, r.p, m] ∈ P2P’ # either the flow is in P2P’ ⋁ s ∈ trusted_subjects # or the flow is caused by trusted subject ) T. E. Levin, T. D. Nguyen, C. E. Irvine, M. McEvilley LAW 2010 12

  13. Assurance level of SKPP • To extend robustness a protection profile may use: - A ugmentation • Unmodified assurance components drawn from the CC‐ defined family of assurance requirements - Extended requirements • modifications of existing CC requirements or • completely new requirements • SKPP used both • SKPP made no EAL claim - Many extended requirements • E.g., ATE_DPT.3, ADV_ARC.1.3C - Lack of an standard for how extended requirements equate to augmentation of EAL6 T. E. Levin, T. D. Nguyen, C. E. Irvine, M. McEvilley LAW 2010 13

  14. Eratta: Miscellaneous • EAL - A.COVERT_CHANNEL mentions EAL6+. This was an editorial oversight and should be removed so as not be construed to assert an EAL6+ claim for the SKPP. • External vs. Exported - Figure 2‐7 contains a typographical error occurs in. The term e xternal should read, exported , instead. • “Resources” include internal resources and resources that the kernel exports. There are no “external” resources. T. E. Levin, T. D. Nguyen, C. E. Irvine, M. McEvilley LAW 2010 14

  15. Eratta: Acyclic vs. Partital Order • In the SKPP, the acyclic concept is described as a partial order . - partial order is sufficient, but too strong. - Change SKPP to use acyclic • not be desirable to require SKPP systems to include all of the transitive relationships (flows) that its basic flows imply. T. E. Levin, T. D. Nguyen, C. E. Irvine, M. McEvilley LAW 2010 15

  16. Eratta: Inconsistencies from Policy Change • Areas of the SKPP that are inconsistent with respect to the final policy are: - Rationale Section, e.g. AVA_CCA_EXP.2 assumes P2P p and S2R p are equally enforced - Error from Section 2: The least privilege abstraction requires that both partition‐pair and subject‐exported resource pair authorizations are used to determine if a flow mode is allowed. • Whereas, in fact, either policy can be left out through configuration choice. T. E. Levin, T. D. Nguyen, C. E. Irvine, M. McEvilley LAW 2010 16

  17. Separation Kernel Protection Profile Revisited: Choices and Rationale Timothy E. Levin, levin@nps.edu Thuy D. Nguyen, tdnguyen@nps.edu Cynthia E. Irvine, PhD, irvine@nps.edu Michael McEvilley, mcevilley@mitre.org Center for Information Systems Security Studies and Research Department of Computer Science Naval Postgraduate School, Monterey, CA 93943 U.S.A http://cisr.nps.edu T. E. Levin, T. D. Nguyen, C. E. Irvine, M. McEvilley LAW 2010 17

Recommend

Text/Graphics Separation Revisited Karl Tombre, Salvatore Tabbone, Loc Plissier, Bart

Text/Graphics Separation Revisited Karl Tombre, Salvatore Tabbone, Loc Plissier, Bart

' $ Text/Graphics Separation Revisited Karl Tombre, Salvatore Tabbone, Loc Plissier, Bart Lamiroy, Philippe Dosch August 2002 & % ' $ Text/Graphics Separation Revisited Text/Graphics Separation Text/Graphics Separation XY

735 views • 19 slides
Fragile Separation Robust Separation x 2 x 2 x 2 x 2 New data x 1 x 1 x 1 x 1 } What

Fragile Separation Robust Separation x 2 x 2 x 2 x 2 New data x 1 x 1 x 1 x 1 } What

Data Separation x 2 x 2 Class #13: Support Vector Machines (SVMs) and Kernel Functions x 1 x 1 Machine Learning (COMP 135): M. Allen, 02 Mar. 20 Linear classification with a perceptron or logistic function look for a dividing line in } the

170 views • 6 slides
Fragile Separation Robust Separation x 2 x 2 x 2 x 2 New data x 1 x 1 x 1 x 1 } What

Fragile Separation Robust Separation x 2 x 2 x 2 x 2 New data x 1 x 1 x 1 x 1 } What

Data Separation x 2 x 2 Class #10: Kernel Functions and Support Vector Machines (SVMs) x 1 x 1 Machine Learning (COMP 135): M. Allen, 07 Oct. 19 Linear classification with a perceptron or logistic function look for a dividing line in } the

162 views • 5 slides
1 Processes and the Kernel The Kernel Processes and the Kernel The Kernel Today, all

1 Processes and the Kernel The Kernel Processes and the Kernel The Kernel Today, all

Memory Protection Memory Protection Paging Virtual memory provides protection by: Each process (user or OS) has different virtual memory space. Machines and Virtualization Machines and Virtualization The OS maintain the page tables

83 views • 5 slides
1 CPU Events: Interrupts and Exceptions CPU Events: Interrupts and Exceptions Protecting Entry

1 CPU Events: Interrupts and Exceptions CPU Events: Interrupts and Exceptions Protecting Entry

Processes and the Kernel Processes and the Kernel The kernel sets processes up process in private data data execution Processes, Protection and the Kernel: Processes, Protection and the Kernel: virtual contexts to address

540 views • 9 slides
The separation principle in stochastic control, revisited Workshop in honor of Eduardo Sontag on

The separation principle in stochastic control, revisited Workshop in honor of Eduardo Sontag on

The separation principle in stochastic control, revisited Workshop in honor of Eduardo Sontag on the occasion of his 60th birthday Tryphon T. Georgiou joint work with Anders Lindquist w y u linear stochastic system dx = A ( t ) x

383 views • 34 slides
Processes, Protection and the Kernel: Processes, Protection and the Kernel: Mode, Space, and

Processes, Protection and the Kernel: Processes, Protection and the Kernel: Mode, Space, and

Processes, Protection and the Kernel: Processes, Protection and the Kernel: Mode, Space, and Context Mode, Space, and Context Processes and the Kernel Processes and the Kernel The kernel sets processes up process in private data data

614 views • 50 slides
Kernel Spectrogram Models for source separation Antoine Liutkus 1 , Zafar Rafii 2 , Bryan Pardo 2

Kernel Spectrogram Models for source separation Antoine Liutkus 1 , Zafar Rafii 2 , Bryan Pardo 2

Audio separation Spectrogram models Results Conclusion Kernel Spectrogram Models for source separation Antoine Liutkus 1 , Zafar Rafii 2 , Bryan Pardo 2 Derry Fitzgerald 3 , Laurent Daudet 4 1 Inria, Universit e de Lorraine, LORIA, UMR 7503,

197 views • 18 slides
Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its Verification Mads Dam KTH Royal Institute of Technology BISS spring school, Bertinoro 2018 The Goal Hypervisor Context switch: Fixed round-robin

1.16k views • 67 slides
Kernel Self Protection Kernel Summit 2016, Santa Fe Kees (Case) Cook keescook@chromium.org

Kernel Self Protection Kernel Summit 2016, Santa Fe Kees (Case) Cook keescook@chromium.org

Kernel Self Protection Kernel Summit 2016, Santa Fe Kees (Case) Cook keescook@chromium.org @kees_cook http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project http://www.openwall.com/lists/kernel-hardening/

494 views • 21 slides
Analysis of Control, Data separation in ForCES protocol for protection against DoS attacks

Analysis of Control, Data separation in ForCES protocol for protection against DoS attacks

Analysis of Control, Data separation in ForCES protocol for protection against DoS attacks Hormuzd Khosravi Shashidhar Lakkavalli Lily Yang 60 th IETF Meeting, San Diego 1 Problem Statement Requirements RFC 3654 Protection against

629 views • 7 slides
Linux Kernel Networking Raoul Rivas Kernel vs Application Programming No memory protection

Linux Kernel Networking Raoul Rivas Kernel vs Application Programming No memory protection

Linux Kernel Networking Raoul Rivas Kernel vs Application Programming No memory protection Memory Protection We share memory with Segmentation Fault devices, scheduler Preemption Sometimes no preemption Scheduling

377 views • 25 slides
The Quest-V Separation Kernel Richard West richwest@cs.bu.edu Computer Science Goals

The Quest-V Separation Kernel Richard West richwest@cs.bu.edu Computer Science Goals

The Quest-V Separation Kernel Richard West richwest@cs.bu.edu Computer Science Goals Develop system for high-confidence (embedded) systems Mixed criticalities (timeliness and safety) Predictable real-time support

547 views • 41 slides
Muen - An x86/64 Separation Kernel for High Assurance Reto Buerki Adrian-Ken Rueegsegger

Muen - An x86/64 Separation Kernel for High Assurance Reto Buerki Adrian-Ken Rueegsegger

Outline Introduction Implementation Analysis Conclusion Muen - An x86/64 Separation Kernel for High Assurance Reto Buerki Adrian-Ken Rueegsegger Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil

784 views • 27 slides
The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada

The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada

The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada Kees (Case) Cook keescook@chromium.org @kees_cook https://outflux.net/slides/2018/lss/kspp.pdf Kernel Self Protection Project

431 views • 15 slides
Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (Case)

Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (Case)

Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (Case) Cook keescook@chromium.org https://outflux.net/slides/2017/kr/kspp.pdf Agenda Background Security in the context of this presentation

800 views • 59 slides
Security While protection has been discussed throughout the class kernel vs. user mode,

Security While protection has been discussed throughout the class kernel vs. user mode,

Security While protection has been discussed throughout the class kernel vs. user mode, protected memory, file permissions these mechanisms have generally been focused on protection from accidental misuse (software bugs, novice

463 views • 13 slides
Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege

Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege

Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege Separation Nathan Dautenhahn, Theodoros Kasampalis, Will Dietz, John Criswell, and Vikram Adve Nested Kernel - Motivation Monoliths have single

398 views • 17 slides
CSCI 350 Ch. 2 The Kernel Abstraction & Protection Mark Redekopp 2 PROCESSES &

CSCI 350 Ch. 2 The Kernel Abstraction & Protection Mark Redekopp 2 PROCESSES &

1 CSCI 350 Ch. 2 The Kernel Abstraction & Protection Mark Redekopp 2 PROCESSES & PROTECTION 3 Processes Program/Process Process 1,2,3, (def 1.) Address Space + Threads 0xffff ffff 1 or more threads Kernel

794 views • 35 slides
Predictable Communication and Migration in the Quest-V Separation Kernel Ye Li, Richard West,

Predictable Communication and Migration in the Quest-V Separation Kernel Ye Li, Richard West,

Introduction Quest-V Overview Inter-Sandbox Communication Predictable Migration Conclusions Predictable Communication and Migration in the Quest-V Separation Kernel Ye Li, Richard West, Zhuoqun Cheng, Eric Missimer Boston University 1 / 29

870 views • 29 slides
Making Ma ng the the Ri Righ ght Choices Choices Presen esentati tion on Title Title Helping

Making Ma ng the the Ri Righ ght Choices Choices Presen esentati tion on Title Title Helping

Making Ma ng the the Ri Righ ght Choices Choices Presen esentati tion on Title Title Helping Customers and Partners to Design and Implement a Future Ready Laboratory Com Compan pany Profile ofile Desi Designi gning and and Commi

400 views • 22 slides
Lecture 7: Kernel Density Estimation Applied Statistics 2015 1 / 20 Kernel Density Estimator

Lecture 7: Kernel Density Estimation Applied Statistics 2015 1 / 20 Kernel Density Estimator

Kernel Density Estimator Measures of discrepancy Practical bandwidth choices Assignments Lecture 7: Kernel Density Estimation Applied Statistics 2015 1 / 20 Kernel Density Estimator Measures of discrepancy Practical bandwidth choices

503 views • 23 slides
A Virtualized Separation Kernel for Mixed Criticality Systems Ye Li, Richard West and Eric

A Virtualized Separation Kernel for Mixed Criticality Systems Ye Li, Richard West and Eric

Introduction Architecture Performance Conclusions Ongoing and Future Work A Virtualized Separation Kernel for Mixed Criticality Systems Ye Li, Richard West and Eric Missimer Boston University March 2nd, 2014 Introduction Architecture

449 views • 21 slides
The Kernel (and Process) Abstraction Chapter 2-3 OSPP Part I Announcements Today: kernel

The Kernel (and Process) Abstraction Chapter 2-3 OSPP Part I Announcements Today: kernel

The Kernel (and Process) Abstraction Chapter 2-3 OSPP Part I Announcements Today: kernel Asynchrony Processes Protection Kernel The software component that controls the hardware directly and implements the core privileged OS

934 views • 62 slides

More recommend