Skip to main content

Reference Monitors

Reference Monitor

An access control concept that refers to an abstract machine that mediates all access to objects by subjects

  • Must be tamper proof/resistant
  • Must always be invoked when access to an object is required
  • Must be small enough to be verifiable/subject to analysis to ensure correctness

Can be placed anywhere within a system - Hardware, OS kernel, OS, service layer

Lower is better - Can assure a higher degree of security, simple structures to implement. Reduced performance overheads. Fewer layer below attack possibilities. However, access control decisions are far removed from applications

OS Integrity

Arbitrates access requests Is itself a resource that must be accessed

Users must not be able to modify the operating systems

Modes of operation - Defines which actions are permitted in which mode e.g. system calls, machine instructions, I/O Controlled Invocation - Allow us to execute privileged instructions safety, before returning to user code.

Modes of Operation

  • Distinguish between computations done on behalf of:
    • The OS
    • The User
  • A status flag within the CPU allows the OS to operate in different mode

Controlled Invocation

  • Many functions are held at kernel level, but are quite reasonably called from within user level code
    • Network and File IO
    • Memory allocation
    • Privileged instructions
  • Need a mechanism to transfer between kernel mode (ring 0) and user mode (ring 3)

Interrupts - Called various things. Handled by an interrupt handler which resolves the issue and returns to the original code Given an interrupt, the CPU will switch execution to the location given in an interrupt descriptor table

Descriptors and Selectors

  • Descriptors hold information on crucial system objects like kernel structure locations
  • Descriptors are held in descriptor tables - Contain a Descriptor Privilege Level (DPL)
  • Descriptors are indexed by selectors - Loaded when required
  • The CPU protects the kernel by checking the Current Privilege Level (CPL) when a selector is loaded

Interrupt Gates

  • The code segment (CS) register in x86 CPUs has 2 bits reserved for the (CPL)
  • Descriptors that have a privilege level higher than where they point are called gates
  • Since these descriptors are created by the kernel, they offer a secure means of entry into ring 0

Privilege Elevation

x86 Linux initialises its IDT to handle syscalls at vector 0x80 Modern Kernels - Intel introduced the sysenter and sysexit operations with the Pentium II - much less overhead Patching the Kernel - If you can run customer PL 0 code (compromised driver?). you can insert your own handler - Rootkit

Process and Threads

  • A process is a program being executed
  • Important unit of control:
    • Exists in its own address space
    • Communicates with other processes via the OS
    • Separation for security
  • A Thread is a strand of execution within a process
    • Share a common address space

Memory Protection

Segmentation - divides data into logical units

  • Good for security
  • Challenging memory management
  • Not used much in modern OSs Paging - divides memory into pages of equal size
  • Efficient memory management
  • Less good for access control
  • Extremely common in modern OSs

Page Tables

  • All processes see an individual linear address space
  • Page tables map from a linear address space to the physical address space

Meltdown and Spectre

Meltdown

  • In most OS, the entire kernel is stored in the upper address space
  • Pages in this area are flagged as supervisor, and cannot be accessed outside of ring 0
  • Meltdown is an exploit that allows us to read this privileged memory
    • Do this using a side-channel
  • Attempts to read a value from kernel memory
    • Read from kernel
    • Mask out a single bit
    • Access user memory at that location

Side-Channels and Cache Timing

Intel CPUs, its common to speculatively evaluate code prior to reaching it

  • Conditionals
  • Significant speed up
  • No harm done! Changes are rolled back
  • But, the cache isn't rolled back

Spectre

Very similar to meltdown

  • Speculative evaluation to side-step application bounds check
  • Mask out a single bit
  • Access suer memory at that location