CS 513 - System Security
Lecture 18
Lecturer: Professor Fred B. Schneider
Notes by: Vicky Weissman
Lecture Date: 4/4/00
Today's Topic
Implementing Complete Mediation with Today's Hardware
- Pros and Cons
- Current Hardware Characteristics
- Reference Monitor Implementation
- Attacks
- Approaches to Protection
Pros and Cons
- Advantage
- Disadvantages
- mechanism is not flexible or clean
- mechanism can only enforce policies on resources that are controlled by the OS
(ex. shared resources generally need to be manipulated through the operating system)
Current Hardware Characteristics
- System has at least 2 modes of operation, supervisor state and problem state. Some instructions can only be run in supervisor state. A sequence of these restricted instructions, however, may be available in problem state. (In other words, a block of restricted instructions can be called, but the individual instructions in the block cannot.)
- Memory architecture provides multiple, distinct regions
- Each process is associated with a shared or exclusive region of memory
- Both users and processes can issue instructions
- Shared state is provided for multiplexing (ex. general purpose registers)
- Operating system can be called
Implementing Complete Mediation
The operating system is a wrapper (see last lecture for details on wrappers). Specifically, instructions that are restricted to the supervisor state are checked by the operating system, while the rest are executed by the hardware directly. Moving the wrapper into the operating system reduces the cost of checking for policy compliance to roughly that of a procedure call into the operating system.
In addition to the protection provided by the wrapper, the memory architecture provides a mechanism for restricting memory access.
Reference Monitor Attacks
A program could compromise security by:
- overwriting the memory that stores the operating system
- getting a less restricted program to run the attack code. One way to do this involves overwriting the program counter.
The memory architecture is designed to resist both of these attacks, by making areas of the memory inaccessible.
Approaches to Protection
Protection is usually implemented by restricting what operations can be called. Controlling the interpretation of the operand, however, would allow a finer granularity of protection. By manipulating the name-to-address translation table, the security mechanism could make it impossible for a program to issue a prohibited instruction.
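As an added illustration (not part of the lecture notes), the following C program models the mechanisms of the last three sections on a constructed toy machine: two modes of operation, a restricted instruction that problem state cannot execute, an operating-system wrapper that is the only way a problem-state program can get a restricted block run and that checks a per-process policy before doing so, and a name-to-address translation table (a base and limit per process) under which no operand a problem-state program can form, including a jump target, names operating-system memory or another process's region. The opcode set, the base/limit scheme, the `may_use_device` policy bit and the "device word" are all assumptions of the example, not anything the lecture specifies.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy machine (an assumption of this example, not the lecture's
 * hardware): 256 words of memory, words [0,64) hold the operating system, and
 * each process owns a contiguous region described by a base and a limit. */
#define MEM_WORDS   256
#define DEVICE_WORD 63               /* a "device register" inside OS memory */
enum mode  { PROBLEM, SUPERVISOR };
enum op    { OP_LOAD, OP_STORE, OP_JUMP, OP_HALT, OP_SYSCALL_DEVICE };
enum fault { OK, FAULT_ADDRESS, FAULT_PRIVILEGED, FAULT_DENIED };

struct process { int id, base, limit, may_use_device; };
struct machine {
    int mem[MEM_WORDS], pc, halted;
    int mediated;                    /* times the OS wrapper has run */
    enum mode mode;
    struct process *cur;
};

/* Name-to-address translation: a problem-state operand is interpreted relative
 * to the process's region, so no name the program can form (data address or
 * jump target) refers to OS memory or to another process's region. */
static enum fault translate(const struct machine *m, int name, int *phys) {
    int limit = (m->mode == SUPERVISOR) ? MEM_WORDS : m->cur->limit;
    int base  = (m->mode == SUPERVISOR) ? 0 : m->cur->base;
    if (name < 0 || name >= limit) return FAULT_ADDRESS;
    *phys = base + name;
    return OK;
}

/* Reference monitor: the OS wrapper, the only path by which a problem-state
 * program gets a restricted instruction sequence run on its behalf. */
static enum fault os_trap(struct machine *m, enum op op, int operand) {
    enum mode saved = m->mode;
    enum fault rc = FAULT_PRIVILEGED; /* no wrapper for other instructions */
    m->mode = SUPERVISOR;            /* enter supervisor state for the block */
    m->mediated++;
    if (op == OP_SYSCALL_DEVICE) {
        if (!m->cur->may_use_device) rc = FAULT_DENIED;   /* policy check */
        else { m->mem[DEVICE_WORD] = operand; rc = OK; }  /* privileged work */
    }
    m->mode = saved;                 /* return to the caller's state */
    return rc;
}

/* One instruction: unrestricted ops go straight to the hardware; a restricted
 * op issued in problem state faults instead of executing. */
static enum fault step(struct machine *m, enum op op, int operand, int *value) {
    int phys;
    enum fault rc;
    switch (op) {
    case OP_LOAD:
    case OP_STORE:
        if ((rc = translate(m, operand, &phys)) != OK) return rc;
        if (op == OP_LOAD) *value = m->mem[phys]; else m->mem[phys] = *value;
        m->pc++;
        return OK;
    case OP_JUMP:                    /* the new pc is itself a translated name */
        if ((rc = translate(m, operand, &phys)) != OK) return rc;
        m->pc = phys;
        return OK;
    case OP_HALT:                    /* restricted: refused in problem state */
        if (m->mode != SUPERVISOR) return FAULT_PRIVILEGED;
        m->halted = 1;
        return OK;
    case OP_SYSCALL_DEVICE:          /* restricted block reached via the wrapper */
        if ((rc = os_trap(m, op, operand)) != OK) return rc;
        m->pc++;
        return OK;
    }
    return FAULT_PRIVILEGED;
}

/* Start the machine in problem state running process p. */
static void boot(struct machine *m, struct process *p) {
    memset(m, 0, sizeof *m);
    m->mode = PROBLEM;
    m->cur = p;
    m->pc = p->base;
}

int main(void) {
    struct process a = { 1, 64, 64, 1 };   /* region [64,128), may use device */
    struct process b = { 2, 128, 64, 0 };  /* region [128,192), may not */
    struct machine m;
    int v = 42, rc;
    boot(&m, &a);
    printf("store to name 10 -> %d\n", step(&m, OP_STORE, 10, &v));
    printf("store to name 70 -> %d (outside a's region)\n", step(&m, OP_STORE, 70, &v));
    printf("halt in problem state -> %d\n", step(&m, OP_HALT, 0, NULL));
    rc = step(&m, OP_SYSCALL_DEVICE, 7, NULL);
    printf("syscall by a -> %d, device word = %d\n", rc, m.mem[DEVICE_WORD]);
    m.cur = &b;
    rc = step(&m, OP_SYSCALL_DEVICE, 9, NULL);
    printf("syscall by b -> %d, device word = %d\n", rc, m.mem[DEVICE_WORD]);
    return 0;
}
```

Running it shows the two attacks from the "Reference Monitor Attacks" section failing for the reasons the notes give: a store or jump whose name lies outside the process's limit faults before any physical address is formed, so neither the OS words nor the program counter can be pointed at memory the process does not own, and the only way to the privileged device write is through `os_trap`, where the per-process policy is checked once, in supervisor state, before the restricted work runs. A denied call leaves the device word unchanged while still counting as a mediated request, which is the audit point a monitor would log.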