Now, as we mentioned, I want to talk just a little bit about one of the protection mechanisms that an operating system uses, and that's the concept of layering. Operating systems are generally developed based on a layered model.
Windows used to be based on a four-layer model; Unix was based on a three-layer.
Ah, and that's evolved over time, but the concept is still the same. And the idea is this layered architecture is driven by the need to isolate out mechanisms based on trust. Your most trusted resources are here, ring zero in the middle.
And as you go out from the middle, as you go out one, two, three, you decrease trust. So your operating system kernel, for instance, has to be trusted. You have to trust your operating system kernel, or you have no faith in the system. That's at ring zero.
Your RAM, your system BIOS, the processor: these are ring zero elements. Now, as we go out to ring one, you're going to see, you know, honestly, file system drivers is what you're going to see here. Those file system NTFS drivers, those elements like executive services, the memory manager, those are ring one.
As we go out to ring two are device drivers, and then out to ring three, the least trusted elements are our applications, and that makes sense. We can't trust applications because we haven't been involved in the testing process and documentation process. We don't trust applications.
So the whole purpose of this ring architecture is we have different elements that have different layers of trust or different levels of trust.
And even though elements in ring zero can access outer level elements, we never let outer elements access inner level. Basically, we don't allow untrusted to access trusted. And in a little while, we're gonna talk about the Clark-Wilson security model that says separate untrusted from trusted.
And if you need to allow an application to access memory, which you will, force it through an interface. Give trust to your interface, not to your less trusted.
When we move on, this is just sort of an illustration spelling it out a little bit. And the idea there, once again, being outer layer cannot access inner layer without an interface, but inner layer can access whatever it wants. And that's all that's spelled out on this slide, is just understanding that flow.
All right, so protection mechanisms, domains. Basically, we're not necessarily talking about logical domains of a network structure. We're really talking about security domains of isolation.
The way I tell people to think about it: I always think of processes like children, and kids want to think they're the only child out there. They're the only person in the room, they're the only person that needs attention. Um, if you've ever taken two kids, you know, I think I took my niece and my nephew to the swimming pool and they're on separate ends of the swimming pool, both yelling, "Look at me, look at me, look at me."
And I have limited amount of attention that I can pay.
Same thing with processes. They want all the attention out there. A friend of mine for Christmas got her two children one iPad, and I just laughed. And I'm just waiting to hear how that's working out, because my vision for that is not a really cooperative environment.
Processes don't play nicely together.
So what can she do if she wants to give herself a chance of that being successful? Well, what she could do, she could do time slicing. For instance, child number one gets the iPad from 4 to 5 in the afternoon. Child two gets from 5 to 6.
So time slicing might be a way to provide isolation.
Um, another thing. In addition to just isolation, she probably wants to do hiding as well, meaning while child A is on the iPad, go to your room, so you're not there tormenting child B. So hiding of processes, making one process oblivious that other processes are running.
Whether we do that through virtual machines or, more realistically or more commonly, through isolation of RAM, um, logical memory addressing rather than, uh, virtual memory addressing, you know, whatever techniques that we use, we want to make sure that each process has its own domain, and that domain is a collection of resources: time with the processor through time slicing, RAM, configuration files, whatever is necessary. OK, so we want to do that isolation.
Um, now the elements within a system that are designed to protect it, the two main areas are the reference monitor and the security kernel.
These elements are part of what's called the trusted computer base or you may hear trusted computing base. Either way is fine, but the trusted computer base comes from the Orange Book, and
it's there to describe the elements that are most trusted within a system. And these would be the elements that have to enforce system policy and cannot violate it.
So when we talk about the trusted computer base, what we would be looking at once again would be those ring zero items like kernel of the operating system, memory, processor, BIOS and those elements. So part of the trusted computer base, specifically part of the operating system kernel, are two elements that govern or protect access control. And they are the security kernel and the reference monitor.
If you'll think of the reference monitor as the law and think of the security kernel as the police, that's a good way to keep them separate.
So when a subject accesses an object, we have to be, our system has to be able to verify whether or not that access should be allowed. So many systems in discretionary access control environments check the access control list. That's a rule set, and that's part of the reference monitor.
However, based on what's determined by checking the reference monitor, there needs to be some sort of enforcement.
So the actual software code that allows access or denies access, that's the security kernel. Okay, so these two elements work together. The laws are no good without the police. The police have no job without the law. So all the rules that go into saying a subject can access an object are part of the reference monitor, and then the actual code or hardware that enables or blocks the access attempt, that is the security kernel.
And again, these are part of the operating system kernel, which is part of the trusted computer base. The trusted computer base is separated from the rest of the system by a virtual boundary called the security perimeter. Everything inside the security perimeter is trusted. Everything outside is not.
From there, you know, the reference monitor and the security kernel, what we're looking for them to enforce, we're looking to them to enforce the CIA triad, and really here with system architecture, this focus is going to be more on the C and I piece, confidentiality and integrity.
And the way we're gonna implement these two elements is through formal security models.
So these formal security models provide us the structure on which operating systems were designed.
So ultimately, if we look at some of the more common models, we would look at Bell-LaPadula, Biba, Clark-Wilson and Brewer-Nash. And then we have a couple of other models we'll mention; they could come up on the exam. But I'll tell you, if you've done any reading, there are many other models. There's Graham-Denning. There's Take-Grant. There's the Ruzzo-Ullman. There are a lot of different models out there.
These would be the ones that I would be concerned about for the exam. And if I had to just focus on two: Bell-LaPadula and Biba, for sure.
So let's, even before we get to Bell-LaPadula and Biba, I want to mention a security model called the state machine model, or the secure state model. You could hear it as the secure state model. And what this essentially says is that a system must be secure in all of its states of operation.
Sorry, losing my, my slide control there. With the state machine model, specifically the secure state model says a system must be secure in all states of operation. It must start up securely. It must function securely, and it must shut down securely. Otherwise, the system is not secure.
Now I know that sounds like a little bit of a no-brainer, but the bottom line is these other models, like Bell-LaPadula and Biba, are all concerned with securing a system once it's running. If you don't have the state machine model in place, where the system is secured from startup on, then none of these other models matter. So ultimately, your security models like Biba, Bell-LaPadula, Clark-Wilson, Brewer-Nash require the state machine model to be in place.