Software: Operating Systems Architecture


Time: 15 hours 43 minutes | Difficulty: Advanced | CEU/CPE: 16
Video Transcription
Now after talking about hardware, let's move into looking at software. Generally, when we talk about software, we're concerned with operating systems, and then we have to consider applications as well. In talking about operating system architecture, we're going to talk about how operating systems are designed to identify different levels of trust and make decisions on access based on those trust levels. Then we'll also talk about elements built into the operating systems called the reference monitor and the security kernel, and what role those elements play.

When we look at our protection rings, the idea is this: application developers for the Windows operating system, for instance, said, when we look at all of the different components that may need access or that may need to be accessed, we can think about four different levels of trust. Our most privileged components are in ring 0. That's going to be the operating system kernel. We can think about that layer inside ring 0 as the trusted computing base: an operating system kernel, RAM, processor, and so on. Then as we go out from most trusted, we go to ring 1, where we talk about other operating system services like operating device drivers, NTLM, and some of those others. Those are executive services of the operating system. Then we continue to go out, and we have device drivers that enable the system to communicate with the hardware. Then at the very least trusted level, our applications.

We don't know who wrote an application, we don't know what processes they went through, we don't know how secure it is; applications are untrusted. I'm not going to allow an untrusted entity to access a trusted resource. The Clark-Wilson security model reminds me of that. Then you say, "Yeah, but an application will need to access the memory to communicate with, to store data in memory, or to communicate with the processor." That's fine, but we won't allow it directly. We will force the application to make those requests through something called an API, an application programming interface: a trusted interface that allows an untrusted entity to access a trusted resource.

All operating systems are built on this model of trust. What's funny is with Windows 95, the developers originally wanted a 64-level ring of trust. Wow. Now, Windows simply has a two-level ring of trust. You're either totally trusted, and everything else is totally untrusted. That just tells you the evolution throughout the years: rather than having the subtle levels of you're trusted, and you're a little more, and you're a little less, you're just either trusted or you're not. That makes a lot of sense from a security standpoint.

Now, with the operating system and with this idea of the operating system kernel from a security perspective, there are two main elements of the OS kernel that we have to think about. They are the reference monitor and the security kernel. The reference monitor, you can think of like the law. This is the set of rules that determine how a subject can access an object. Can Kelly Handerhan print to a printer? Can I delete a file? The reference monitor is the rules that say, this is what can happen. But the law is no good without enforcement. The security kernel is the actual software code and/or hardware that enforces the reference monitor. If I go to access a printer and the access control list is verified and says, "Wait, Kelly can't print to this printer," then the actual software that terminates that connection, that doesn't allow that connection, that's the security kernel.

You may read, and I've seen this in one book specifically, where it indicates that the reference monitor is the same thing as the security kernel. That's not accurate. I can see where they're going with that concept, but that's not right. They are two sides of the same coin, but that's like saying the police are the same thing as the law, and that's not true. The security kernel enforces the reference monitor. The police enforce the law.

Now, if you want a secure system, then of course your reference monitor and security kernel have to be secure. There are three basic requirements. First of all, processes need to be able to be isolated from each other. So I'm able to evaluate one process; that process has its own resources, like its own stack of memory, its own time with the processor, and I can isolate individual misbehaving processes and terminate them. The next piece: the reference monitor must be invoked at every access attempt. Every time a subject tries to access an object, then the reference monitor needs to be verified. Anytime I access a resource, the rule set has to be checked to determine, is this allowed access? If not, the security kernel blocks that access. Then the last piece: the security kernel and reference monitor must be small enough to be tested and verified. If you look at some Windows operating systems, they have tens of millions of lines of code. It's no wonder that operating systems are released with errors in them, but the security kernel should be small and concise enough so that it can be truly vetted, tested, and verified in order to understand the degree of security for the system. I said those are the requirements for the reference monitor.

Just to wrap up, we talked about the ideas of trust in an operating system, and we talked about the security kernel and how the operating system has multiple layers of trust, and that untrusted entities can't access trusted resources without going through some form of interface, usually an API. We also mentioned that the operating system kernel has two very relevant pieces for us: the security kernel and the reference monitor.