2.3 Secure operating systems
Every application in an information system needs a platform to run on, and the operating system carries this heavy responsibility. The security of the operating system is therefore the foundation of the security of all the software in the information system. No large operating system on the market is entirely correct. In fact, no operating system that is actually in use is perfect, and no manufacturer dares to guarantee that its operating system will never fail. The industry has accepted the fact that every operating system has defects.
"We can design idealized operating systems and prove that they are reliable, but we cannot actually build these systems and let them run securely in the real world. The real world involves trade-offs in the design, constraints that are not met, imperfect implementations, and so on."
On the other hand, most operating systems are reliable and can basically perform the functions they were designed for. From a security point of view, however, configuring operating system software is difficult, and a single small configuration error can lead to a whole series of security vulnerabilities and thereby defeat the system's security measures.
2.3.1 Security threats
The main threats to operating system security are viruses, Trojan horses, covert channels, trap doors and the like.
Computer viruses
The damage done by viruses needs no elaboration; many users still remember the destruction and panic caused by the CIH virus. Worms such as Blaster, which appeared more recently, exploit a vulnerability of the Windows family of operating systems to infect unprotected machines, causing the compromised system to reboot and lose normal network connectivity, and then scan other computers for the same vulnerability on a large scale, spreading the infection in an organized way and consuming a large share of the available network bandwidth. The number of viruses is enormous: the latest virus database of Norton anti-virus software contains more than 60,000 entries, not counting the viruses that have not attracted the attention of anti-virus companies. Many organizations on the Internet specialize in collecting, producing and even releasing viruses; 29A is the leader among them and frequently publishes proof-of-concept viruses in its electronic magazine.
Today computer viruses are also developing toward mutation and polymorphism, and the concept of a multidimensional virus has been proposed in theory. A three-dimensional mutating virus behaves as follows: after it infects a target, the virus code in any two infected targets has almost no three consecutive bytes in common; the changed code also varies in form, can split itself into pieces, hides a few additional copies, and can restore itself into a complete virus when triggered; and the position of the virus within the host file also varies. A four-dimensional mutating virus builds on the three-dimensional one by adding dynamic change to its mutation characteristics. Although no four-dimensional mutating virus exists yet, the development of the technology will eventually bring one into the world.
Anti-virus technology has correspondingly evolved from the initial signature scanning method to today's behaviour detection in virtual machines, heuristic scanning and so on. The digital immune system developed by IBM is a high-level, comprehensive approach to virus control. The system uses hardware emulation to provide a broad emulated environment and a virus detection system. Its goal is to respond to viruses quickly: when a new virus enters the system, the immune system automatically captures and analyses it, and immediately sends the information needed to remove the virus to IBM's anti-virus online system, so that the virus is detected the next time it is encountered. All of these advanced anti-virus techniques hope to detect unknown viruses, which depends to a large extent on the level of artificial intelligence in the anti-virus software; since that level is not yet ideal, false positives and false negatives are serious when unknown viruses are being detected.
"The problem boils down to this: viruses cannot be eliminated. It has been proved mathematically that one can always write a virus that cannot be blocked by any existing anti-virus software (even the BLP model cannot stop virus attacks). Ignoring the details, the basic point is that if the virus writer knows what the anti-virus software looks for, he can always design a virus that it does not detect. Of course, the anti-virus programmers can always update their software and detect the virus after it has appeared."
Trojan horses
A Trojan horse is a computer program that appears to perform a legitimate function but can in fact, without the user's knowledge, monitor the user's keyboard input and capture the user's screen display, and then send the user's passwords and other sensitive information to the attacker. A Trojan horse requires the following elements: the intruder must write a program that performs illegal operations in a way that does not arouse the user's suspicion; a strategy must be devised to get the victim to accept the program; the victim runs the program; and the intruder must have some means of collecting the actual benefit of the Trojan.
A Trojan horse can steal confidential information from a computer, read and write files on the controlled machine, remotely control the infected computer, and so on. Many people have heard of the domestic Trojan "Ice". Trojans generally have no self-replication capability, but like viruses they lie dormant. A Trojan may also contain a worm or a virus program. The threat Trojans pose to system security is fatal. For example, although a user's mail can be encrypted with PGP, a Trojan may intercept the plaintext before encryption, so that even a stronger encryption algorithm is illusory.
The following is an example of an advanced Trojan. A modified compiler inserts additional code, for example into the system login program, while that program is being compiled; such a Trojan is difficult to detect. The designer also builds a trap into the login program that lets him connect to the host over the network in a particular way, and the Trojan cannot be found in the source code of the login program.
Some Trojans do more than steal information and do not even try hard to hide their operation; some send confidential information out by e-mail. However well a Trojan is hidden, a computer user familiar with general Trojan knowledge can always find traces of it in the system. One side of the problem is that, by reviewing an application's connection requests, it is possible to discover whether it can accept control or send information out, and anti-virus software is usually correct: even if a Trojan is present in the system, it can kill the common ones. The other side of the problem is again the anti-virus software, because it monitors Trojans mostly by scanning for signatures, so a simple manual modification of the Trojan can deceive most anti-virus products. Against Trojans a combination of measures is needed: anti-virus software, a firewall, user observation of system anomalies (such as traffic anomalies), and timely review of log files.
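The review of connection requests and log files recommended above can be partly automated. The following Python script is an added example written for this section, not code from the original text: it parses constructed connection-review log lines (the line format, program names, addresses, ports and the baseline sets are all assumptions made for the example) and flags three of the signs the text mentions: an unexpected program making outbound connections, an unexpected program accepting inbound connections, and periodic "beaconing" to one remote host, which is a traffic anomaly typical of a Trojan polling its controller.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (made up for this example; the format is an
# assumption, not any real tool's output):
#   <timestamp> <program> <pid> <IN|OUT> <local> -> <remote> <state>
SAMPLE_LOG = """\
2004-03-01T09:00:01 outlook.exe 1204 OUT 10.0.0.5:1033 -> 192.0.2.10:25 ESTABLISHED
2004-03-01T09:00:05 iexplore.exe 1310 OUT 10.0.0.5:1040 -> 198.51.100.7:80 ESTABLISHED
2004-03-01T09:00:10 sysupd.exe 1500 IN 10.0.0.5:40123 -> 0.0.0.0:0 LISTENING
2004-03-01T09:00:30 System 4 IN 10.0.0.5:445 -> 0.0.0.0:0 LISTENING
2004-03-01T09:01:00 sysupd.exe 1500 OUT 10.0.0.5:1051 -> 203.0.113.9:8080 ESTABLISHED
2004-03-01T09:02:00 sysupd.exe 1500 OUT 10.0.0.5:1052 -> 203.0.113.9:8080 ESTABLISHED
2004-03-01T09:03:01 sysupd.exe 1500 OUT 10.0.0.5:1053 -> 203.0.113.9:8080 ESTABLISHED
2004-03-01T09:04:00 sysupd.exe 1500 OUT 10.0.0.5:1054 -> 203.0.113.9:8080 ESTABLISHED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>\S+) (?P<pid>\d+) (?P<dir>IN|OUT) "
    r"(?P<local>\S+) -> (?P<remote>\S+) (?P<state>\S+)$"
)

# Baseline (assumed): programs expected to open outbound connections, and
# local ports expected to accept inbound connections on this host.
APPROVED_OUTBOUND = {"outlook.exe", "iexplore.exe"}
APPROVED_LISTEN_PORTS = {139, 445}


def parse_log(text):
    """Parse the constructed log format into a list of dict records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the review
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["pid"] = int(rec["pid"])
        rec["local_port"] = int(rec["local"].rsplit(":", 1)[1])
        records.append(rec)
    return records


def _note(findings, item):
    """Append a finding once, keeping the first-seen order."""
    if item not in findings:
        findings.append(item)


def review_connections(records, beacon_min=3, beacon_jitter=0.2):
    """Return (kind, program, detail) findings for the three rules."""
    findings = []
    by_dest = defaultdict(list)
    for r in records:
        # Rule 1: outbound connection from a program not in the baseline.
        if r["dir"] == "OUT" and r["proc"] not in APPROVED_OUTBOUND:
            _note(findings, ("unexpected-outbound", r["proc"], r["remote"]))
        # Rule 2: a program accepting inbound connections on an unexpected port
        # (a Trojan waiting for its controller looks like this).
        if r["dir"] == "IN" and r["local_port"] not in APPROVED_LISTEN_PORTS:
            _note(findings, ("unexpected-listener", r["proc"], r["local_port"]))
        if r["dir"] == "OUT":
            by_dest[(r["proc"], r["remote"])].append(r["ts"])
    # Rule 3: beaconing -- repeated outbound connections to the same remote
    # at near-constant intervals (low relative spread of the gaps).
    for (proc, remote), stamps in by_dest.items():
        if len(stamps) < beacon_min:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < beacon_jitter:
            _note(findings, ("beaconing", proc, remote))
    return findings


if __name__ == "__main__":
    for finding in review_connections(parse_log(SAMPLE_LOG)):
        print(*finding)
```

The baseline sets are the important part: the rules only work when the reviewer has a record of which programs and ports are supposed to use the network on that machine, which is why the text pairs log review with a firewall and with the user's own observation of the system.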
Covert channels
A covert channel is defined as an information-leakage path in the system that is not controlled by the security policy and violates it. Covert channels are divided into two kinds, covert storage channels and covert timing channels, and practical covert channels do exist today. Techniques for identifying covert storage channels mainly include information flow analysis, the shared resource matrix, non-interference analysis, covert flow trees and so on. For covert timing channels there is no formal technique for finding them in a system, nor any general way of detecting and auditing their use. For an attacker, however, a covert timing channel is harder to exploit than a covert storage channel, and the noise on such a channel is often large.
The national standard GB17859 sets hard requirements in this area, and the US TCSEC and the international ISO/IEC 15408 also treat covert channel analysis as a key indicator when evaluating high-assurance information systems. At present China's secure information systems can only reach level 3 of GB17859 (equivalent to the B1 level of the TCSEC Orange Book), and an important reason is that the covert channel problem cannot be solved.
The only way to confront covert channels is to analyse the information flow of the entire system. At present there are more than ten large-scale information systems certified at Orange Book B2 or above, and according to the published literature all of them started from information flow analysis. However, a large operating system is huge and its logical relationships are complex, which makes comprehensive information flow analysis very difficult. In addition, the existence of spurious illegal flows makes the analysis work grow exponentially, so that in practice it cannot be carried through.
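The shared resource matrix method named above for covert storage channels (it says nothing about timing channels) can be illustrated on a toy system interface. The following Python code is an added example, not part of the original text: it builds the matrix of attributes against primitives with their direct read (R) and modify (M) entries, applies the transitive-closure step (if a primitive reads attribute a and modifies attribute b, then whoever can read b can indirectly learn a), and then lists the attributes that some primitive can modify and another can read, excluding those the access-control policy already mediates. The primitives, attributes and the policy-mediated set are constructed assumptions for the example.

```python
# Constructed toy file-system interface (an assumption for this example, not
# any real kernel): for each primitive, the attributes it reads (R) and
# modifies (M).
PRIMITIVES = {
    "create_file": {"R": {"file_exists", "free_blocks"}, "M": {"file_exists", "free_blocks"}},
    "delete_file": {"R": {"file_exists"},                "M": {"file_exists", "free_blocks"}},
    "write_file":  {"R": {"file_exists", "free_blocks"}, "M": {"file_size", "free_blocks"}},
    "read_file":   {"R": {"file_exists", "file_data"},   "M": set()},
    "stat_file":   {"R": {"file_exists", "file_size"},   "M": set()},
    "disk_free":   {"R": {"free_blocks"},                "M": set()},
    "get_time":    {"R": {"clock"},                      "M": set()},
}

# Attributes whose sharing is already governed by the access-control policy
# (flows through them are legitimate channels, not covert ones).
POLICY_MEDIATED = {"file_data"}

READ_FLAGS = {"R", "r"}   # "R" direct read, "r" indirect read added by closure


def build_matrix(primitives):
    """Return {attribute: {primitive: set_of_flags}} with the direct entries."""
    matrix = {}
    for prim, rw in primitives.items():
        for flag in ("R", "M"):
            for attr in rw[flag]:
                matrix.setdefault(attr, {}).setdefault(prim, set()).add(flag)
    return matrix


def transitive_closure(matrix):
    """Closure step: if primitive p reads a and modifies b, every reader q of b
    can learn something about a, so a gets an indirect read 'r' for q.
    Repeated until no new entry appears."""
    changed = True
    while changed:
        changed = False
        additions = []
        for a, cells in matrix.items():
            for p, flags in cells.items():
                if not flags & READ_FLAGS:
                    continue
                for b, bcells in matrix.items():
                    if "M" not in bcells.get(p, set()):
                        continue
                    for q, qflags in bcells.items():
                        if qflags & READ_FLAGS and not cells.get(q, set()) & READ_FLAGS:
                            additions.append((a, q))
        for a, q in additions:  # applied after the scan so dicts are not mutated mid-iteration
            if not matrix[a].get(q, set()) & READ_FLAGS:
                matrix[a].setdefault(q, set()).add("r")
                changed = True
    return matrix


def channel_candidates(matrix, mediated=POLICY_MEDIATED):
    """Attributes that some primitive can modify and some primitive can read,
    directly or indirectly, and that the policy does not already mediate.
    Each candidate maps to (modifying primitives, reading primitives)."""
    out = {}
    for attr, cells in matrix.items():
        if attr in mediated:
            continue
        senders = sorted(p for p, f in cells.items() if "M" in f)
        receivers = sorted(p for p, f in cells.items() if f & READ_FLAGS)
        if senders and receivers:
            out[attr] = (senders, receivers)
    return out


if __name__ == "__main__":
    closed = transitive_closure(build_matrix(PRIMITIVES))
    for attr, (senders, receivers) in sorted(channel_candidates(closed).items()):
        print(f"{attr}: modified by {senders}, observable by {receivers}")
```

The output is a list of candidates, not of confirmed channels: the analyst still has to check, for each candidate, whether a sender and a receiver at different security levels can actually invoke those primitives and sequence them, which is where the real effort of the analysis lies.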
Trap doors
A trap door is illegal code embedded in the operating system. Using the entry method provided by this code, a penetrator can enter the system without being checked. Trap doors are generally activated by special commands and are not easy to discover. Moreover, the penetrator obtains every privilege of the software in which the trap door is embedded. A trap door may be planted by someone other than the operating system manufacturer; the techniques for installing one resemble those for installing a Trojan horse, but they are harder to apply inside an operating system. Unlike Trojan horses and covert channels, a trap door can only be installed through a defect in the operating system or by the system's development team.
An example of a trap door comes from the US Air Force "Tiger" team (which played the role of the enemy) during the development of the Multics operating system. Among the intrusion-testing strategies they used was sending a bogus operating system update to a site running Multics; the update contained a program that could be activated to give the Tiger team access. This threat was so well hidden that the Multics developers had great difficulty finding it, even after they had been told that it was there. Controlling an operating system is therefore difficult, and the security policy must focus on the development and update activities of the operating system. Fortunately, trap doors can be avoided by using the conventional techniques for developing secure operating systems.
2.3.2 Security models and formal methods
To say that an operating system is secure means that it satisfies a given security policy; equally, the design and development of a secure operating system must revolve around a given security policy. A security model is a simple, abstract and unambiguous description of the security requirements expressed by the security policy. The choice of security model is critical to the development of a secure operating system, and to develop a secure system its security model must first be established. The currently recognized security models fall into the following categories: state machine models, information flow models, non-interference models, non-deducibility models and integrity models. Important and well-known examples of security models include the BLP model, the Biba model, the RBAC model, the Clark-Wilson model and the DTE model.
Formal methods have two sides: formal specification and design verification. A methodology based on formal methods requires, first, that the behaviour of the software be described precisely and written in a formal specification language; this process is called formal specification. Next it must be shown that the actual implementation satisfies this specification; this process is called design verification. Formal specification languages attempt to establish this form of representation and the formal verification of software. Well-known formal specification languages today include Gypsy and Z. These languages can represent both the specification and the implementation of a system, and by using a form of logical interpretation the important properties of the specification and the implementation can be proved.
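To make the two preceding paragraphs concrete, the following Python code is an added example (not from the original text): it implements the access decision of the BLP model over a small lattice of sensitivity labels, and then performs the "design verification" step in miniature by exhaustively checking, over the whole finite lattice, the confinement property the model is meant to guarantee: if a subject may read object o1 and write object o2, then o2's label must dominate o1's, otherwise information could be copied downward. The levels and categories are assumptions, and the "broken" policy is a deliberately wrong variant, included only so that the checker has a counterexample to find; a real verification would be carried out in a formal tool rather than by enumeration.

```python
from itertools import chain, combinations

# Assumed toy lattice: four ordered levels and two compartments.
LEVELS = ["unclassified", "confidential", "secret", "top_secret"]
CATEGORIES = ["crypto", "nuclear"]


def all_labels():
    """Every (level, frozenset_of_categories) pair in the lattice (16 labels)."""
    subsets = chain.from_iterable(
        combinations(CATEGORIES, k) for k in range(len(CATEGORIES) + 1)
    )
    subsets = [frozenset(s) for s in subsets]
    return [(lvl, cats) for lvl in LEVELS for cats in subsets]


def dominates(a, b):
    """Label a dominates label b: level at least as high and categories a superset."""
    return LEVELS.index(a[0]) >= LEVELS.index(b[0]) and a[1] >= b[1]


def blp_allows(subject, obj, mode):
    """BLP access decision for a subject label, an object label and a mode."""
    if mode == "read":    # simple security property: no read up
        return dominates(subject, obj)
    if mode == "write":   # *-property: no write down
        return dominates(obj, subject)
    raise ValueError(f"unknown access mode {mode!r}")


def broken_allows(subject, obj, mode):
    """Deliberately wrong policy (constructed for the demonstration): it checks
    only that the subject dominates the object, for reads and writes alike,
    i.e. it omits the *-property."""
    if mode not in ("read", "write"):
        raise ValueError(f"unknown access mode {mode!r}")
    return dominates(subject, obj)


def find_downward_flow(allows):
    """Exhaustively check the confinement property over the finite lattice.
    Returns None if no subject can read from o1 and write to an o2 that does
    not dominate o1; otherwise returns the first counterexample found."""
    labels = all_labels()
    for s in labels:
        for o1 in labels:
            if not allows(s, o1, "read"):
                continue
            for o2 in labels:
                if allows(s, o2, "write") and not dominates(o2, o1):
                    return {"subject": s, "read_from": o1, "write_to": o2}
    return None


if __name__ == "__main__":
    print("BLP counterexample:", find_downward_flow(blp_allows))
    print("broken policy counterexample:", find_downward_flow(broken_allows))
```

The check passes for BLP because of a two-line argument the enumeration merely confirms: read requires subject >= o1 and write requires o2 >= subject, so o2 >= o1 by transitivity of the dominance order. The broken policy fails immediately, which is the kind of design error a formal specification is meant to catch before the system is built.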
"Of course, formal models are useful in theory, but they are not very useful in practice. They have their limitations; a security model alone does not show that a system can be proved to have particular security properties. They can lead to useless systems; forcing a system to comply with a model can lead to a bad design. They can make the work of design and construction never end. Worse, they cannot even prove security. If a system is consistent with a formal security model, this proves at most that it can prevent an attacker who behaves in accordance with that model. It must be stressed that an attacker who does not behave in accordance with the designer's model can still break security."
To achieve modularity in the design, a system architecture with a good modular structure is meaningful. Flask, DTE, GFAC, RBAC and other systems have been proposed; they are all architecture-level systems, and many deep technical issues remain in their concrete implementation. In 1993 the US Department of Defense proposed a new security architecture, DGSA, in the TAFIM programme, which supports multiple security policies. But in security architectures that support multiple policies some essential problems have not yet been solved, such as the security of composed policies.
2.3.3 Evaluation criteria
In 1985 the US Department of Defense issued the Trusted Computer System Evaluation Criteria, TCSEC (known as the Orange Book). The TCSEC divides systems into seven security levels in classes A to D. D is the lowest security level; MS-DOS, for example, belongs to class D. Class C is discretionary protection; class B is mandatory protection; class A is verified protection and includes a strict design, control and verification process. The design of a class A system must be verified mathematically, covert channel analysis and trusted distribution are required, the system must have a formal top-level design specification (FTDS), the consistency of the FTDS with the formal model must be formally verified, and formal techniques are required to solve the covert channel problem. Boeing's MLS LAN secure network server passed the A1 evaluation of the National Computer Security Center, and Boeing's MLS LAN OS passed the A1 evaluation of the US National Security Agency.
The security of today's mainstream operating systems is far from sufficient; UNIX systems and Windows NT, for example, reach only C2, and their security needs to be improved. Various kinds of security-enhanced operating systems add security on top of an ordinary operating system so that its security meets the needs of actual applications. An example in this area is a domestic secure operating system, version 3.0, which is a security-enhanced operating system based on the Linux kernel and reaches level 3 of the national standard GB17859. New developments in secure operating system research abroad include the SELinux and EROS projects.
"In fact the Orange Book was written only for stand-alone systems and completely ignores what happens when computers are networked. A few years ago Microsoft obtained the C2 security rating for Windows NT. They rarely face the fact that this rating applies only when the computer is not connected to a network, has no network card, with it switched off, and runs on a Compaq 386. Solaris's C2 rating is equally ridiculous. The latest revisions of the Orange Book are meant to deal with the issues related to networked computers."
Each country has tried to improve on the Orange Book with a more modern approach. Canada proposed the so-called Canadian Trusted Computer Product Evaluation Criteria. The EU proposed the Information Technology Security Evaluation Criteria, ITSEC. The US in turn proposed the Federal Criteria. The ISO standard 15408 hopes to integrate the good ideas and practices of the other criteria, providing users with a classified catalogue of security concepts in a protection profile, so that evaluation can proceed according to the protection profile.