In many operating systems such as Unix [1], access rights to resources such as files are governed by a simple approach. Accordingly, workarounds have been created to elevate permissions for users (su/sudo) or, via the setuid bit, to run a certain program with superuser privileges [2]. All these approaches are workarounds for flaws in the original design, which were necessitated by the restricted resources available on the original PDP-11 systems Unix was developed on. In systems research, a number of approaches have been implemented, such as Clans and Chiefs [3] in L4, which are considered complex to handle and were only moderately successful.
A more flexible model is capabilities [4], which are implemented in research operating systems such as EROS [4] and L4 [5]. However, capabilities also come with a set of problems in concept and implementation, discussed in [6]. An orthogonal approach to system security is the formal verification of the correctness of an operating system. This is a complex endeavour; so far, only the L4 microkernel has been formally verified, in the form of the seL4 kernel [7].
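To make the contrast between the two models concrete, the following is an added example (not code from the paper or from any of the cited systems) that places a toy Unix-style mode-bit check, where authority is ambient and derived from the caller's identity, beside a minimal object-capability model, where authority is the unforgeable reference itself and can only be attenuated when delegated. All names (`Subject`, `Inode`, `Capability`, `unix_allows`) and the sample permission values are constructed for illustration.

```python
# Added example, not from the paper: toy comparison of a Unix-style
# mode-bit access check with an object-capability model.
# All names and sample values below are hypothetical.
from dataclasses import dataclass

R, W, X = 4, 2, 1  # rwx bits as used in an octal mode such as 0o640


# --- Unix-style: authority is ambient, derived from who the caller is ---
@dataclass(frozen=True)
class Subject:
    uid: int
    gids: frozenset


@dataclass(frozen=True)
class Inode:
    owner: int
    group: int
    mode: int  # permission bits, e.g. 0o640


def unix_allows(subj: Subject, inode: Inode, want: int) -> bool:
    """ACL-style check: select the owner/group/other triplet that applies
    to the caller, then require every requested bit. uid 0 bypasses the
    check entirely, which is exactly why su/sudo/setuid exist as
    escalation paths in this model."""
    if subj.uid == 0:
        return True
    if subj.uid == inode.owner:
        bits = (inode.mode >> 6) & 7      # owner triplet wins, even if group also matches
    elif inode.group in subj.gids:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return bits & want == want


# --- Capability-style: authority is the reference, not the caller's identity ---
class Capability:
    """Pairs a resource reference with a rights mask. Code that never
    receives a Capability has no path to the resource at all, so there is
    no ambient 'root' identity to escalate to."""

    def __init__(self, resource: dict, rights: int):
        self._resource = resource
        self._rights = rights

    @property
    def rights(self) -> int:
        return self._rights

    def attenuate(self, rights: int) -> "Capability":
        """Delegate a weaker copy: rights can only be removed, never added."""
        return Capability(self._resource, self._rights & rights)

    def read(self) -> str:
        if not self._rights & R:
            raise PermissionError("capability lacks read right")
        return self._resource["data"]

    def write(self, data: str) -> None:
        if not self._rights & W:
            raise PermissionError("capability lacks write right")
        self._resource["data"] = data


if __name__ == "__main__":
    # Constructed sample: file owned by uid 1000, group 100, mode rw-r-----
    f = Inode(owner=1000, group=100, mode=0o640)
    print(unix_allows(Subject(1000, frozenset({1000})), f, R | W))  # owner: True
    print(unix_allows(Subject(1001, frozenset({100})), f, W))       # group member: False

    secret = {"data": "constructed sample content"}
    full = Capability(secret, R | W)
    read_only = full.attenuate(R)
    print(read_only.read())
    print(read_only.attenuate(R | W).rights == R)  # attenuation cannot regain W
```

The two halves differ in where a security review has to look: in the mode-bit model every privileged identity (uid 0, setuid binaries, sudo rules) is an escalation path that must be audited, whereas in the capability model the audit question is simply who was ever handed a reference and with which rights.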
The OS kernel needs to build security models based on the security features the hardware provides and create additional abstractions on top of these. It is important for both the security and the performance of a system that the kernel abstractions match the hardware features well. Still, this is not a fail-proof way to build secure systems, as the hardware itself may show unexpected problems, such as the side-channel effects that led to the recent Meltdown and Spectre attacks [9].