Lecture 10

Google Fuschia.

Fuchsia is an open-source capability-based operating systemcurrently being developed by Google. It first became known to the public when the project appeared on a self hosted form of git in August 2016 without any official announcement. The name means "Pink + Purple = Fuchsia (a new Operating System)", which is a reference to Pink (Apple's first effort at an object-oriented, microkernel-based operating system) and Purple (the original iPhone's codename).

In contrast to prior Google-developed operating systems such as Chrome OS and Android, which are based on the Linux kernel, Fuchsia is based on a new kernel called Zircon.

• Fuschia website
• Fuscia guides

To prevent trojans, we would remove permissions to write-down, especially for low-integrity options.

• MAC is all about labels. By default, you can assign low-integrity labels for external files, and high-integrity labels for system binaries.

• Linux enforces MAC, while they do implement MAC, they are low-assurance, which means you cannot trust them. They have vulnerabilities which can be exploited to completely bypass any access control.

Vulnerabilities are weaknesses in the system that might be exploited. Vulnerabilities can arise from flaws in design, errors in implementation, or mistakes in operational.

• Threats represent the possible dangers possible by virtue of an existing vulnerability

• Attackers take advantage of vulnerabilities using exploits.

• Security policies are enforced by a security mechanism

Forms of prevention:

• Firewalls
• Encryption
• Access control

Forms of detection:

• Intrusion
• Auditing
• Watermarking

Forms of reaction:

• Automated response
• Forensics
• Restoration from backups

To come up with a good security policy, we perform risk analysis.

Reference Monitor

reference monitor

a set of design requirements on a reference validation mechanism, which enforces an access control policy over subjects' (e.g., processes and users) ability to perform operations (e.g., read and write) on objects (e.g., files and sockets) on a system. There are four requirements of the reference validation mechanism. A reference monitor must be:

1. irrefutable (evaluable): i.e., able to be analyzed, possible to test/verify the completeness, otherwise the reference validation mechanism might be flawed in a way that causes the security policy to be unenforced.
2. inexorable (non-bypassable): an attacker cannot bypass the mechanism and violate the security policy.
3. inevitable (always invoked): otherwise it is possible for the reference validation mechanism to not perform in the moment it needs to, which allows an attacker to violate the security policy.
4. invulnerable ( tamper-proof): otherwise an attacker can undermine the reference validation mechanism itself and violate the security policy as a consequence.

Apparently the reference monitor is one of the oldest ideas in cybersecurity, but because of this, it's often a topic missed by those who work in security, and people often "reinvent the wheel" and come up with security policies that try to "be" a reference monitor.

The key components of a reference monitor:

• subjects:
• objects:
• authorization database:
• audit trail

Every object in a UNIX system (nearly all of which are files) have 9 bits associated with it

• 3 bits represent owner-level access rights
• 3 bits represent group-level access rights
• 3 bits represent world-level access

We use reference monitoring to:

• Control access of individuals to information
• Provide evidence that a system is secure and compliant with its stated policies
• Verify the system enforces its access control policies

We must make choices in order to verify that a system satisfies a policy

• What is the interpretation of this abstract policy?
• What is the interpretation of subjects, objects, authorization database, and audit trail

Approaches to designing an operating system

From the 80s, we had systems that were so secure that it made them hard/inconvenient to use.

As that shifted, it became easier to use, more convenient, but also more insecure as a consequence

Defense in depth

placing multiple layers of security controls throughout an information technology system in order to provide redundancy in the event a security control fails or a vulnerability is exploited that can cover aspects of personnel , procedural , technical and physical security for the duration of the system's life cycle.

How do we determine trust?

1. security policy: An overall strategy holding everything together, provides a definition of security, outlining what is authorized, and what is not authorized.
2. security mechanisms: methods and tools designed to detect/prevent/recover from a security attack, and enforce a security policy.
3. assurance: Determining how much to trust a system to enforce policy, based on evidence. High assurance systems use formal proofs to ensure that the security policy was properly implemented by providing solid evidence that there is a one-to-one correspondence

Question: Why does defense in depth work in scale, but not when an attacker is attacking a single person?

Answer: If you want to get money because of the ransomware attack you have this exploit right that you prepare so that you can subvert the system and create you know files. And then I asked for mine. Now if you've had an organization who prepared well in advance. For example, they have all kinds of phone, you know, they may make a patch the software. Maybe this will maybe doesn't exist anymore or Suppose there is a whole and softer, but they did suddenly like a backups that particular data and therefore, even though that is encrypted. They can be restored to see they really prepared, which is what most of work is for an attacker. It might be easy. It's who you know target somebody else who are not that will prepare and the result and results will be basically will get mine. It doesn't matter which company gives you money. As long as you get some money.

Question: What is a trusted system?

Answer: When peoople refer to "secure" systems, they usually mean to say "trusted" systems. The word "secure" is too absolute, it either is or it isn't. Trusted has a more flexible definition. A trusted system achieves this "characteristic" if it meets the necessary security requirements, operates on graded degrees of trustworthines, and provides an acceptable justification for the user's confidence.

Trusted Computer System Evaluation Criteria

Known as "The Orange Book," or DoD 5200.28-STD, TCSEC is a US Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The TCSEC was part of the Rainbow Books used to evaluate, classify, and select computer systems being considered for the processing, storage, and retrieval of sensitive or classified information. In 2005, the TCSEC was replaced by the ISO 154008 Common Criteria for Information Technology Security Evaluation.

Common Criteria

• Part 1: Introduction and General Model
• Part 2: Security Functional Components
• Part 3: Security Assurance Components
• Common Methodology
• Cheatsheet
• Reference Card

Summary

• The security of information flow is enforced solely by the MAC policy
• The tool of choice for a witted adversary is subversion
• It's impossible to build "secure" products without a policy and reference monitor
• The security of the system is defined by the security policy
• Security kernel is the only known verifiable protection technology

Lecture 10 Questions

1. How could a future OS look like?

   I think security will begin to become a larger concern in the future. Despite the popularity of monolithic kernels, I'd say that the robust performance of today's CPUs will help justify a more secure operating system at the cost of maximum possible performance

2. What is the best way to subvert any software?

   The best way to subvert any software is to change it. (Answer from lecture expands on this: modify the compiler used to generate the software, a backdoor attack known as "the Thompson attack", which got its name from Ken Thompson, the UNIX-author Go-author who came up with it, and won the 1983 Turing award for doing so.

3. Interpret the resource monitor components and principles for an old-fashioned library?

   The objects would be books in the library stacks The subjects would be the members of the library (such as students), and the librarian, who could serve as the sysadmin The authorization database could be a "library card", which members could show to check out a book, and the librarian would check if the library card permits the member from checking out more books if they've already checked out too many books. The audit trail would be the stamps on books checked in and checked out of the library, and have these stamps logged somewhere off the book as well.

4. Which approach to securing systems will work better to protect a system: security as an addon, or security by design?

   If the goal is to protect a system, the "security-by-design" approach to securing systems will do a better job than "security as an addon." Security as an add on tends to only get its "add-ons" as a patch over a vulnerability that has already been discovered or exploited. Whereas with a security-by-design system, that exploit may have been designed to never be possible in the first place.

5. When will "defense in depth" work, and when will it fail?

   A layer that is properly allowing good actions to proceed, but is preventing bad actions from proceeding, the "defense in depth" strategy will work. It could fail if it either allows bad actors to bypass the layers, or when it fails to allow good actors to navigate through the layers.

6. Consider a system that implements RM with high assurance. An attacker seeks to gain access to sensitive data managed by the system. An attacker can attempt to either:

   1. subvert the applications that run on the implementation of the reference monitor
   2. subvert the implementation of the reference monitor itself

   For each case, discuss which principles of the reference monitor can help protect the sensitive data:

   The three principles of the reference monitor are that it is tamperproof, non-bypassable, and verifiable

   For (1), your sensitive data could be protected by the reference monitor by the principle of inexorability (non-bypassability), and for (2), the data is protected by the principle of invulnerability (tamper-proofness).