Trusted Operating Systems: How TOS Works


Roamer - 11/18/00

This paper is designed to present a technical overview of Trusted Operating Systems (TOS). It is assumed that readers have a basic understanding of Unix operating systems and System Administration.

The problem with a Super User or root account is that privileged access to the system is all or nothing: a single account holds every privilege, and everyone else holds none. This creates a single point of attack for intruders, and it exposes the OS to buffer overflow attacks, misdirection of root programs, and unrestricted access to files.

Jeff Thompson of Argus, developers of the PitBull TOS claims that "a buffer overflow attack places new programmatic code on a process' stack and causes the process to execute this code when returning from a function. This code is executed with the same rights as the running process, allowing the attacker to force the program to perform nefarious attacks." The intruder attacks setuid 0 programs and any daemons running as root.

Discretionary Access Control allows the owner of the file to determine who has access to it. It also prohibits a user with read access from granting access to unauthorized users. On the other hand, a user with write access can give access to other users by making a setuid program granting that access. The problem is that the owner of the file cannot stop individuals with write access from giving access to other users, nor can the owner know if that has happened.

DAC Ramifications:
· The owner of a file can modify it regardless of permissions
· Gaining root grants access to most system files
· Gaining root provides a path to gaining ongoing access
· For an attacker to access a file, he must gain ownership of the file
· Root access also gives access to all files regardless of permissions

It is important to remember that all systems have vulnerabilities. If an attacker wants to gain unauthorized access to a system, it is only a matter of time before he does. Trusted Operating Systems attempt to mitigate these inherent vulnerabilities.

According to Thompson, a TOS is characterized by the following:
· Least privilege
· Authorizations
· Mandatory Access Control
· Network Labeling
· Security Gate
· CGI Daemon

Least privilege requires that each subject be granted only those privileges needed to perform authorized tasks. This limits the damage that can result from accident, error, or unauthorized use.

With TOS, each process has three privilege sets associated with it:
· Limiting - the maximum possible privilege set a process can ever have
· Maximum - the set of privileges the process is allowed to control
· Effective - the privileges currently in force, which override system restrictions

With these sets in mind, a process can access and/or modify its effective privilege set only as outlined by its maximum privilege set. The effective privilege set is a subset of the maximum privilege set. The maximum privilege set is a subset of the limiting privilege set. A maximum privilege set can be lowered, and with the exception of a few processes, never raised. The limiting privilege set may only be lowered. The index node of each file contains the privilege information.

Privilege information is ignored for directories. Three sets are associated with each file: innate, proxy, and authorized privileges. Innate privileges are those that are guaranteed to be in a process's privilege vector at startup. Proxy privileges are those granted only if they are within the maximum privilege set prior to execution. Authorized privileges are those granted only when the user holds at least one of the authorizations in the file's Privileged Authorization Set.

The fork() system call is used to create new processes; it copies the parent's privileges to the child process. Executables are run with exec(), which calculates the privileges of the new process from the privileges of the old process and the privilege sets of the executable, according to the rules above.
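The following is an added illustrative model of the privilege sets described above (it is not PitBull's code); the exact exec() combining rule is an assumption built from the three file sets the text names, and the privilege and authorization names are constructed for the example.

```python
# Illustrative model of TOS privilege sets (not a real implementation): a process
# carries effective <= maximum <= limiting, an executable carries
# innate/proxy/authorized sets, and exec() combines them.
from dataclasses import dataclass

@dataclass
class Process:
    limiting: frozenset      # ceiling a process can ever have; may only be lowered
    maximum: frozenset       # what the process may raise its effective set to
    effective: frozenset     # privileges currently in force
    authorizations: frozenset = frozenset()  # authorizations held by the user

    def __post_init__(self):
        # Invariant from the text: effective <= maximum <= limiting.
        assert self.effective <= self.maximum <= self.limiting

    def set_effective(self, privs):
        # The effective set may be changed only within the maximum set.
        if not privs <= self.maximum:
            raise PermissionError("effective set must stay within maximum set")
        self.effective = frozenset(privs)

    def lower_maximum(self, privs):
        # The maximum set can be lowered, never raised (barring a few processes).
        if not privs <= self.maximum:
            raise PermissionError("maximum set can only be lowered")
        self.maximum = frozenset(privs)
        self.effective = self.effective & self.maximum

    def fork(self):
        # fork() copies the parent's privilege sets to the child unchanged.
        return Process(self.limiting, self.maximum, self.effective, self.authorizations)

@dataclass
class Executable:
    innate: frozenset = frozenset()      # guaranteed at startup
    proxy: frozenset = frozenset()       # only if already in the caller's maximum set
    authorized: frozenset = frozenset()  # only if the user holds one of auth_set
    auth_set: frozenset = frozenset()    # the file's Privileged Authorization Set

def exec_privileges(proc, exe):
    # Assumed combining rule (the page names the three file sets but not the
    # exact formula): innate, plus proxy privileges the caller's maximum set
    # already held, plus authorized privileges when the user holds any
    # authorization in auth_set, all clipped to the caller's limiting set.
    granted = set(exe.innate) | (exe.proxy & proc.maximum)
    if exe.auth_set & proc.authorizations:
        granted |= exe.authorized
    granted = frozenset(granted & proc.limiting)
    return Process(proc.limiting, granted, granted, proc.authorizations)
```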

Mandatory Access Control (MAC) is the way access to objects is restricted based on the sensitivity of the information. This means that the owner of a file can't change a MAC setting unless he is authorized to do so. The owner is also restricted from granting another user access to a file unless that user is already authorized to have access to that class of data. Regardless of the method in which a copy of a file is created, the copy will automatically be protected at least as well as the original.

A sensitivity label has one class and zero or more compartments (also called categories). A sensitivity label is written as the class followed by its compartments, with a separator between them.

Classes are treated as if they have numerical values and can be greater than, less than, or equal to other classes. Compartment sets can be a subset, a superset, equal, or disjoint. One label dominates another only if its class is greater than or equal to the other's and its compartment set is a superset of, or equal to, the other's. If two labels dominate each other, they are equal.

Sensitivity label inheritance
· Every process and file on the system has a sensitivity label
· When a file is created, it has the sensitivity label of the parent process
· All processes inherit the sensitivity label at system boot time
· Each account has a default sensitivity label

Every process has two additional sensitivity labels, maximum and minimum clearance. These are used to monitor and control a process attempting to change a sensitivity label. Directories and devices can have a maximum sensitivity label that is used for sensitivity control.

Process label information is stored in the proc structure of each process. Each process has three sensitivity labels associated with it: the effective sensitivity label, the minimum clearance, and the maximum clearance. The clearance range is the range from minimum to maximum.

Each user is assigned a default login sensitivity label, a minimum clearance, and a maximum clearance. These are stored in /etc/security/clear. Barring a specific request for a sensitivity label, when a user logs in, his default login sensitivity label is assigned. User login can only be accomplished within the user's clearance range.
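As an added illustration of the label dominance, inheritance and clearance-range rules in the preceding paragraphs (not PitBull or Trusted Solaris code), the model below assumes a "CLASS:COMP1,COMP2" label syntax and constructed class names; the same within_range check models both a process changing its label and a login being confined to the user's clearance range.

```python
# Illustrative model of sensitivity labels and dominance (added example, not
# PitBull code); the "CLASS:COMP1,COMP2" label syntax and class names are assumed.
from dataclasses import dataclass
CLASS_ORDER = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    cls: str
    compartments: frozenset

    @classmethod
    def parse(cls, text):
        # "SECRET:CRYPTO,NATO" -> class SECRET, compartments {CRYPTO, NATO}
        name, _, comps = text.partition(":")
        name = name.strip().upper()
        if name not in CLASS_ORDER:
            raise ValueError(f"unknown class {name!r}")
        return cls(name, frozenset(c.strip().upper() for c in comps.split(",") if c.strip()))

    def dominates(self, other):
        # Class compares numerically; compartments must be a superset of or equal to other's.
        return (CLASS_ORDER[self.cls] >= CLASS_ORDER[other.cls]
                and self.compartments >= other.compartments)

def within_range(label, low, high):
    # True when label lies in the clearance range [low, high] (used for login too).
    return label.dominates(low) and high.dominates(label)

@dataclass
class LabeledProcess:
    label: Label           # effective sensitivity label
    min_clearance: Label
    max_clearance: Label

    def can_read(self, data_label):
        # A process may access data only if its label dominates the data's label.
        return self.label.dominates(data_label)

    def set_label(self, new):
        # Label changes are confined to the process's clearance range.
        if not within_range(new, self.min_clearance, self.max_clearance):
            raise PermissionError("label outside clearance range")
        self.label = new

    def copy_file(self, src_label):
        # Reading needs dominance, and the copy takes the creating process's
        # label, so the copy is protected at least as well as the original.
        if not self.can_read(src_label):
            raise PermissionError("process does not dominate source")
        return self.label
```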

With Network Labeling, data is labeled based on interface, host, and port. A process or service is unable to communicate with external hosts unless the process dominates the data. Outgoing data is checked against a range of allowable data based on network rules.

A security gateway is a trusted program that allows communication between processes with separate sensitivity labels. Additionally, it only allows communication between individual hosts.

The CGI daemon is a secure daemon that separates the execution of CGI programs from the web server itself. This provides a secure way to execute CGI programs, with the web server and the CGI program communicating over a secure channel.

Trusted Operating Systems have addressed many of these failings. If there is a buffer overflow attack, least privilege means the compromised program runs with minimal abilities; privileges are also dropped when no longer needed. If root programs are misdirected, least privilege will reduce the damage. These attacks rely on root user privileges to be successful; because most programs do not need this ability, the number of attacks that can succeed is reduced, and privileges are extended only for the time they are needed. With TOS, the root user is no longer a special user: gaining special abilities requires the privileges or authorizations that allow access to a privileged program. This implies that programs running as root are no different from those run by any other user. Network rules limit the access of a user to a specific effective sensitivity label.

Trusted Operating Systems offer a viable alternative to traditional OS implementations. There are currently several TOS products on the market including PitBull by Argus and Trusted Solaris 7 from Sun Microsystems.