
Proceedings of the Fifth International Conference on Machine Learning and Cybernetics, Dalian, 13-16 August 2006

DESIGN AND IMPLEMENTATION OF SECURITY OPERATING SYSTEM BASED ON TRUSTED COMPUTING

XIAO-WEI NIE (1), DENG-GUO FENG (1), JIAN-JUN CHE (2), XIN-PU WANG (3)

(1) State Key Laboratory of Information Security, Graduate School of Chinese Academy of Science, 100049
(2) Immensity & Foison Technology Inc., 100039
(3) China Internet Network Information Center, 100080
E-MAIL: [email protected]

Abstract:
Based on an analysis of the concept and structure of trusted computing, this paper reviews related work on security operating systems based on trusted computing. A security model for trusted computing, IBLP, is then developed by improving the classical BLP security model. On the basis of this work, the overall design and modular implementation of a secure operating system for trusted computing are presented. Finally, the experimental results indicate the effectiveness and feasibility of our system.

Keywords:
Trusted computing; security operating system; security model; access control

1. Introduction

Anderson first proposed the concept of trusted computing, which was initially applied to fault-tolerant computing, failure detection and redundant backup technology, and which is now widely applied in areas such as trusted hardware platforms, trusted software systems and trusted networks. According to ISO/IEC 15408, trusted computing is defined as follows: a trusted component, operation, or process is one whose behavior is predictable under almost any operating condition and which is highly resistant to subversion by application software, viruses and a given level of physical interference. By this definition, trusted computing becomes an unbounded concept of trust. Trusted platforms will allow systems to extend trust to clients running on these platforms, thus providing the benefits of open platforms: wide availability, diverse hardware types, and the ability to run many applications from many mutually distrusting sources while still retaining trust in clients. The vision of trusted platforms cannot be achieved with most of today's operating systems, which offer poor assurance and implement a security model that is largely orthogonal to that required for trusted computing. To meet the demands of implementing a trusted platform, we establish a security model based on trusted computing, outline the design of a security operating system based on the trusted platform, and implement it in a modular way.

In the next section, we review the trusted computing organizations, then describe the trusted system structure and the security requirements for trusted computing. In section 3, we discuss the BLP security model and improve it based on the trusted computing concept. In section 4, we present the overall design of the security operating system based on trusted computing and describe its main modules. Section 5 describes experiments that highlight the security function and performance of our system. The paper is concluded in section 6 with a summary and outlook of our work.

1-4244-0060-0/06/$20.00 2006 IEEE

2. Trusted computing platform

Since October 1999, the Trusted Computing Platform Alliance (TCPA), founded by HP, IBM, Intel, Microsoft and other companies, has grown to more than 200 members, covering all major manufacturers worldwide [1]. TCPA concentrates on strengthening the security of the computing platform system framework and released the TPM main specification (v1.1) in January 2001. TCPA was reorganized into the Trusted Computing Group (TCG) in March 2003, which released the TPM main specification (v1.2). The TCPA/TCG system structure is illustrated in Figure 1. The TCPA/TCG structure contains 4 essential elements:

1. TPM (Trusted Platform Module). It is the core of the hardware-level security framework: it generates encryption keys, performs high-speed data encryption and decryption, and additionally protects the BIOS and the OS from being maliciously modified.
2. CRTM (Core Root Trust Module). It initializes the entire system and authenticates the BIOS.
3. TCPA OS. The TCPA operating system supports the hardware modules and applications. On the TCPA platform, the TCPA control functions must be launched through the operating system, including authentication to external entities and differentiation between applications.
4. Compatibility. TCPA allows the existing computer system hardware foundation to continue to exist. Compared with NGSCB, TCPA is a more open system, which permits more widespread realizations of trusted computing based on it.

Figure 1. TCPA/TCG system structure

As shown in Figure 1, the operating system based on TCPA is one of the most important parts, since it offers the security link between trusted hardware and applications. There is now a lot of work on operating systems based on TCPA, such as the integrity mechanism developed by IBM T. J. Watson Research Center [2]; the AEGIS system structure for integrity examination developed by the University of Pennsylvania [3]; the Bear platform, a security box proposed by Dartmouth College [4]; Terra, based on virtual machine technology, developed by the Computer Science Department of Stanford University [5,6]; and the Xen system for sharing hardware in a safe mode developed by the University of Cambridge Computer Laboratory [7]. While most of them focus on the security box and applications for trusted computing, we mainly discuss the whole security operating system based on the trusted computing platform.

3. Security model for trusted computing

3.1. BLP model

The BLP model is a security model that simulates a computer system in accordance with military security policy. Proposed by David Bell and Leonard La Padula, it is the earliest and most frequently used model. It is a state machine model, which formally defines the rules of system states and state switches, and constitutes a set of security axioms for restricting the switching between system states [8,9]. In BLP, there are 4 access attributes:

e access (execute with neither observe nor alter)
r access (observe with no alter)
a access (alter with no observe)
w access (both observe and alter)

At the same time, BLP uses a triple B(S, O, A) to denote the current access state set. In BLP, S denotes the set of subjects, O denotes the set of objects, and A denotes the access attributes; A consists of e access, r access, a access and w access. Any access state is b(s, o, x) B. The two basic and most important axioms are the simple security property (ss-property) and the * property (star property):

1. Simple security (ss-property). The ss-property is satisfied if: (s, o, x) B, (s, o, r) (Se(s) Se(o)). Every "observation" access triple b(s, o, r) in the current access set has the property that the security level of the subject dominates the security level of the object.
2. * Property (star property). The star property is satisfied if: (s, o, x) B, (s, o, a) (Se(s) Se(o)) and (s, o, w) (Se(s) = Se(o)). Every alteration access triple b(s, o, a) has the property that the security level of the object dominates the security level of the subject. Every alteration-and-observation triple b(s, o, w) has the property that the security level of the subject equals the level of the object.

BLP also uses the trusted subject concept to denote a subject not constrained by the star property in an actual system, in order to ensure that the system can be operated and managed normally. However, the BLP model does not fully meet the security requirements of trusted computing, as it has the following problems:

1. In the BLP model, the trusted subject has no star-property constraint and therefore gets too large an access privilege, which does not match the principle of minimum privilege, so the operation privilege and application scope of the trusted subject should be improved.
2. The BLP model focuses primarily on confidentiality control, which controls information being transferred from a higher security level to a lower one, and lacks integrity control over "alteration upward" operations, which fails to effectively limit covert channels.

2777

3.2. Design of IBLP security model

For the security requirements of trusted computing, we design a security model based on trusted computing through the improvement of BLP and call it IBLP.

3.2.1. Definition of IBLP

1. Security attribute. We make an integrated consideration of the confidentiality and integrity of every subject and object [9]. Every subject and object has a security attribute that includes three components: confidentiality level Sc, integrity level Si and access category set Ca.
2. Security domain. The security domain of subjects S can be classified into common subjects C and trusted subjects T. The trusted security attributes of trusted subjects are their trusted levels.

3.2.2. Axioms of IBLP

1. Simple security property (ss-property). The ss-property is satisfied if: (s, o, x) B

s C ((s, o, r) (Sc(s) Sc(o) Si(s) Si(o) Ca(S) Ca(o))); (1)
s C ((s, o, e) (Sc(s) Sc(o) Si(s) Si(o) Ca(S) Ca(o))); (2)
s T ((s, o, r) (Sc(s) Sc(o) Ca(S) Ca(o))); (3)
and
s T ((s, o, e) (Sc(s) Sc(o) Ca(S) Ca(o))). (4)

Formulas (1) and (2) mean that a common subject can neither observe nor execute information of an object on a higher confidentiality level, can neither observe nor execute information of an object on a lower integrity level (in order to prevent integrity from being damaged), and cannot illegally access unrelated information. Formulas (3) and (4) mean that a trusted subject on a lower confidentiality level can neither observe nor execute information of an object on a higher confidentiality level or unrelated information, but can observe and execute information of an object on a lower integrity level, and is trusted to have the ability to guarantee the integrity of that information.

2. Star-property. The star-property is satisfied if: (s, o, x) B

s C ((s, o, a) (Sc(s) = Sc(o) Si(s) = Si(o) Ca(S) Ca(o))); (5)
s C ((s, o, w) (Sc(s) = Sc(o) Si(s) = Si(o) Ca(S) Ca(o))); (6)
s T ((s, o, a) (Si(s) Si(o) Ca(S) Ca(o))); (7)
and
s T ((s, o, w) (Si(s) Si(o) Ca(S) Ca(o))). (8)

Formulas (5) and (6) mean that a common subject can only alter information of an object on the same confidentiality and integrity level, and cannot leak information to unrelated objects. Formulas (7) and (8) mean that a trusted subject on a lower integrity level cannot alter information of an object on a higher integrity level, but can alter information of an object on a lower confidentiality level, and is trusted to have the ability not to leak information of a higher confidentiality level to objects on a lower confidentiality level, nor to leak information to unrelated objects.

3.2.3. Analysis of IBLP

1. IBLP is consistent with the basic security features of BLP. The ss-property of IBLP is consistent with the ss-property of BLP. The star-property of IBLP can be seen as a special case of the star-property of BLP.
2. IBLP meets the principle of minimum privilege. IBLP establishes an access rule for every subject, which limits its privilege to that needed to finish its own work.
3. IBLP prevents the occurrence of covert channels. On top of confidentiality protection, IBLP adds integrity protection and, in the star property, limits alteration operations to the same security level between subject and object, to achieve control of the covert channels of the operating system.
4. IBLP meets the security requirements of trusted computing in a more flexible way. Firstly, IBLP makes an integrated consideration of the confidentiality and integrity of every subject and object. Then it classifies the domain of subjects and the access category of every subject and object. Finally, it establishes the access control principle on them, to achieve the security requirements of trusted computing.

4. Security operating system for trusted computing

4.1. Overall design

According to the security requirements of trusted computing and the security model IBLP established in section 3, we propose the overall design for a security operating system based on trusted computing, as shown in Figure 2.

Figure 2. The overall design (panels: Common user, Privilege user, Trusted software, Application, Login programme, System call interface, Discretionary access control / Mandatory access control, Security kernel, Trusted identification, Security audit, Privileged access control, Integrity measurement, Kernel programme, Trusted hardware, Hardware)

The security operating system is an important link mechanism between hardware and applications, which is mainly responsible for certifying processes and distinguishing applications. The security mechanism of the operating system consists of discretionary access control, mandatory access control, integrity measurement, trusted identification, privileged access control and security audit. The discretionary access control applies access controls to system resources primarily based on the needs of users. The mandatory access control classifies information system resources according to their security level, and controls user access to resources according to the different security levels. The integrity measurement makes use of the TPM to protect the content loaded by the operating system from being maliciously modified. The trusted identification mechanism mainly inspects the credibility of software according to the security policy of the established security model IBLP. The privileged access control makes sure that every process gets the appropriate privilege. The security audit can record all behaviors related to the security of the system, offering actual security data for security management.

4.2. Modular implementation

The trusted computing based security operating system is modularly developed and implemented in an open-source Linux environment.

4.2.1. Trusted identification

Trusted identification is used to ensure that only legitimate users can access system resources. It identifies the true identity of each user, and gives each user a unique identifier. The unique identifier must not be forgeable, so that a user cannot impersonate another user. The action of associating the unique identifier with the user is called identification, and serves to identify the true identity of users. On the other hand, in order to maintain the normal operation of the system, some processes that exceed the access control mechanism need to be privileged processes, and the trusted identification needs to identify which processes are privileged processes.

4.2.2. Privileged access control

The privileged access control based on IBLP ensures that a trusted process only gets the security privilege that meets the requirements of its task. When a particular trusted process accesses resources, the mechanism based on IBLP implements the resource access control to ensure that the trusted process meets the security requirement of minimum privilege.

4.2.3. Discretionary access control

Discretionary Access Control (DAC) uses an access control list (ACL) defined by the user to implement access control of resources. A typical ACL entry has the form <Type, Id, Perm>, in which Type means the process type, Id is the user id or group id, and Perm means the access privilege.

4.2.4. Mandatory access control

Mandatory access control (MAC) mainly manages system resources by classifying them according to their security level. According to the requirements of the security model IBLP in section 3, the system needs to assign to each process, file and IPC object (message queue, signal set and shared storage area) the corresponding security level. When a process accesses an object (a file, for example), according to the security mark (security level, etc.) of the process and the access mode, the MAC mechanism based on IBLP compares the security levels of the process and the object, to determine whether the process can access the object.
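The comparison that the MAC mechanism of 4.2.4 performs is an evaluation of axioms (1)-(8) of section 3.2.2. Below is an added example (not code from the paper or its system) that implements that decision in Python and contrasts it with the classic BLP star property on the two problems listed in section 3.1; because the comparison operators of the formulas did not survive extraction, the dominance reading of the prose (levels as integers, object categories a subset of subject categories) is an assumption.

```python
"""IBLP access decision, as the MAC mechanism of section 4.2.4 makes it from
axioms (1)-(8) of section 3.2.2. Added example, not the paper's code. Assumed
reading of the formulas (their operators did not survive extraction): levels are
integers (higher Sc = more confidential, higher Si = more trustworthy) and the
category condition is Ca(o) being a subset of Ca(s)."""
from dataclasses import dataclass
from typing import FrozenSet

@dataclass(frozen=True)
class Label:
    sc: int                               # confidentiality level Sc
    si: int                               # integrity level Si
    ca: FrozenSet[str] = frozenset()      # access category set Ca

@dataclass(frozen=True)
class Subject:
    name: str
    label: Label
    trusted: bool = False                 # False: common subject C, True: trusted subject T

def iblp_permits(s: Subject, o: Label, mode: str) -> bool:
    """Decide the access triple (s, o, mode), mode in {'r', 'e', 'a', 'w'}."""
    if mode not in ("r", "e", "a", "w"):
        raise ValueError(f"unknown access attribute {mode!r}")
    cats_ok = o.ca <= s.label.ca          # assumed reading of the Ca(S) Ca(o) term
    if mode in ("r", "e"):                # ss-property
        if not s.trusted:                 # (1), (2): no read-up on Sc, no read-down on Si
            return s.label.sc >= o.sc and s.label.si <= o.si and cats_ok
        return s.label.sc >= o.sc and cats_ok       # (3), (4): Si not constrained
    if not s.trusted:                     # (5), (6): alter only on the same Sc and Si
        return s.label.sc == o.sc and s.label.si == o.si and cats_ok
    return s.label.si >= o.si and cats_ok           # (7), (8): Sc not constrained

def blp_star_permits(s: Subject, o: Label, mode: str) -> bool:
    """Classic BLP star property of section 3.1, with Sc as the single level Se."""
    if s.trusted:
        return True                       # a BLP trusted subject escapes the star property
    if mode == "a":
        return o.sc >= s.label.sc         # 'alteration upward' is allowed in BLP
    if mode == "w":
        return o.sc == s.label.sc
    return True                           # r and e are governed by the ss-property

def compare_models() -> dict:
    """Constructed cases showing where IBLP tightens BLP (problems 1 and 2 of 3.1)."""
    ops = frozenset({"ops"})
    low_common = Subject("low_common", Label(1, 1, ops))
    low_trusted = Subject("low_trusted", Label(1, 1, ops), trusted=True)
    high_common = Subject("high_common", Label(3, 3, ops))
    high_trusted = Subject("high_trusted", Label(3, 3, ops), trusted=True)
    high_obj = Label(3, 3, ops)           # higher Sc and Si than the low subjects
    low_obj = Label(1, 1)                 # lower Sc and Si, no categories
    return {
        # Problem 2: BLP lets a low subject append to a high object (a covert
        # channel); IBLP formula (5) requires equal levels for a common subject.
        "blp_append_upward": blp_star_permits(low_common, high_obj, "a"),
        "iblp_append_upward": iblp_permits(low_common, high_obj, "a"),
        # Problem 1: a BLP trusted subject is unconstrained, while IBLP formula (7)
        # still stops a low-integrity trusted subject altering a high-integrity object.
        "blp_trusted_alter_high": blp_star_permits(low_trusted, high_obj, "a"),
        "iblp_trusted_alter_high": iblp_permits(low_trusted, high_obj, "a"),
        # Formula (1) vs (3): a common subject may not observe a lower-integrity
        # object; a trusted subject may, being trusted to preserve its integrity.
        "iblp_common_read_low_integrity": iblp_permits(high_common, low_obj, "r"),
        "iblp_trusted_read_low_integrity": iblp_permits(high_trusted, low_obj, "r"),
        # Formula (6): a common subject altering an object on exactly its own level.
        "iblp_common_write_same_level": iblp_permits(low_common, Label(1, 1, ops), "w"),
    }

if __name__ == "__main__":
    for case, verdict in compare_models().items():
        print(f"{case:34s} {'permit' if verdict else 'deny'}")
```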

4.2.5. Integrity measurement

The integrity measurement mainly protects the content continuously loaded by the OS after the secure boot of the TPM. Our integrity measurement architecture consists of a measurement mechanism, an integrity challenge mechanism and an integrity validation mechanism. The measurement mechanism determines which parts of the run-time environment to measure, when to measure them, and how to securely maintain the measurements. The integrity challenge mechanism allows authorized challengers to retrieve the measurement lists of a computing platform and verify their freshness and completeness. The integrity validation mechanism validates that the measurement list is untampered and fresh, as well as validating that all individual measurement entries of run-time components describe trustworthy code or configuration files.

Figure 3 shows how our integrity measurement mechanism enables integrity attestation. The measurement list is initiated by the measurement mechanism, which induces a measurement of a file, stores the measurement in an ordered list in the kernel, and reports the extension of the measurement list to the TPM. The integrity challenge mechanism allows integrity validation to request the measurement list together with the TPM-signed aggregate of the measurement list (step 1 in Fig. 3). Receiving such a challenge, the integrity challenge mechanism first retrieves the signed aggregate from the TPM (steps 2 and 3 in Fig. 3) and afterwards the measurement list from the kernel (step 4 in Fig. 3). Both are then returned to the attesting party in step 5. Finally, the integrity validation mechanism can validate the information and reason about the trustworthiness of the attesting system's run-time integrity in step 6.

4.2.6. Security audit

The security audit mainly audits any security-related events, and generates and reveals secret or sensitive information so that the system manager can better understand and control the security situation of the system. We divide security-related events into register events and system events. As Linux has already achieved security audits of register events, our security audit focuses on system events. In order to ensure that every security-related system event is audited, the security audit is implemented at the only interface between user applications and the system, namely the system calls. At the same time, for some privileged system instructions, which usually use system calls and may have an impact on system security, auditing every system call used by a privileged instruction would make the audit too complex and too difficult for the auditor to judge how the instruction is being used, so we add our own audit of privileged instructions.
Figure 3: TPM-based Integrity Measurement (panels: Integrity Validation Mechanism, Integrity Challenge Mechanism, Measurement Mechanism, TPM with Platform configuration registers, Trusted BIOS, Measurements; steps: 1. Integrity Challenge, 2. QuoteReq, 3. QuoteRes, 4. Retrieve Measurement list, 5. Integrity Response, 6. Validate Response)

5. Experiment and Performance

5.1. Security function

To check our system's security function, we established an experiment environment to carry out penetration tests of our security operating system. Based on known vulnerabilities of the Linux system, we carried out penetration tests of our security operating system. Some typical experiment results are listed in Table 1. As shown in Table 1, our system can detect and defend against most of the attacks at present.

Table 1. Rate of detection for typical attacks of our security operating system

Attack type         IP Cheating   Buffer Overflow   Denial of Service   Rootkit
Rate of detection   80%           85%               87%                 95%

5.2. Decline of performance

We mainly examine the decline of performance of our system through the execution efficiency of IPC, process creation and the system calls of the file system. In the course of the examination, we execute the routines test_ipc, test_fork and test_fs in common Linux and in our system respectively. The decline rate of efficiency is shown in Table 2. As shown in Table 2, the decline rate of efficiency of our system is no more than 10%, which is acceptable to most users.

Table 2. Decline rate of efficiency

Test project   Test_ipc   Test_fork   Test_fs
Decline rate   8%         10%         10%

6. Conclusions

The security operating system is the key to the implementation of a trusted computing platform. In this article, according to the trusted computing security requirements, and by appropriately improving the traditional security model BLP, we design a trusted computing based security model, IBLP. We then present the design and implementation of a secure operating system for the trusted computing platform. The system extends the TCG trust concepts from the BIOS all the way up into the general operating system. The next step of the work is primarily the development of the functions of the security operating system and the improvement of its performance. We will improve our system to be more compatible with the security requirements of trusted computing applications. At the same time, we will adopt optimization algorithms to improve the performance of our system and strike a better balance between the performance and availability of the security operating system.

Acknowledgements

This paper is supported by the State Key Laboratory of Information Security of the Graduate School of the Chinese Academy of Science and the Institute of Software of the Chinese Academy of Science. This work is supported by the National High Technology Research and Development Programme (863 Programme) under grant No. 2002AA142151.

References

[1] Sean W. Smith, Trusted Computing Platform Design and Application, Springer, Boston, USA, 2005.
[2] Reiner Sailer, Xiaolan Zhang, Trent Jaeger and Leendert van Doorn, Design and Implementation of a TCG-based Integrity Measurement Architecture, Proceedings of the 13th USENIX Security Symposium, San Diego, CA, USA, August 9-13, 2004.
[3] William A. Arbaugh, David J. Farber, Jonathan M. Smith, A Secure and Reliable Bootstrap Architecture, 1997 IEEE Security and Privacy Conference, USA, pp. 65-71, 1997.
[4] John Marchesini, Sean W. Smith, Omen Wild, Josh Stabiner, Alex Barsamian, Open-Source Applications of TCPA Hardware, 20th Annual Computer Security Applications Conference, Tucson, AZ, USA, 6-10 December, 2004.
[5] Tal Garfinkel, Ben Pfaff, Jim Chow, Mendel Rosenblum, Dan Boneh, Terra: A Virtual Machine-Based Platform for Trusted Computing, SOSP'03, Bolton Landing, New York, USA, October 19-22, 2003.
[6] Tal Garfinkel, Mendel Rosenblum, Dan Boneh, Flexible OS Support and Applications for Trusted Computing, Proceedings of the 9th Workshop on Hot Topics in Operating Systems, Kauai, Hawaii, USA, May 2003.
[7] Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Xen and the Art of Virtualization, SOSP'03, Bolton Landing, New York, USA, October 19-22, 2003.
[8] D. E. Bell, L. J. La Padula, Secure Computer System: Unified Exposition and Multics Interpretation, Technical Report, Mitre Corp, Bedford, MA 01730, 1976.
[9] Xie Jun, Xu Feng, Huang Hao, Trust Degree Based Multilevel Security Policy and Its Model of State Machine, Journal of Software, Vol. 15, No. 11, pp. 1701-1708, 2004.
