Security Engineering

Trusted System
• Trusted Systems:
• Those that are built with security as one of the fundamental core of the
operating System
• Have specific functions
• Expensive
• Difficult to manage
• Commonly used in Government and Military Environments

Security is best if it is designed and built into the foundation of the

OS [Architecture and Design phase]
 Architecture
• Architecture:
• A tool used to understand the structure and behavior of a complex system through
different views;
• It provides a representation of the concerns of each stakeholder
• Describes the major components of the system and how they interact with each
other
• Think of a house architecture [House plan/electricity plan/plumbing plan/kitchen]
• Highest/First level in the development process
• Architecture Description:
• A formal description and representation of the system; its relationships,
interactions, dependencies between components
System Architecture
• Describes the major components of a system, how they interact with each other, with the users
and with other systems
• A disciplined approach to system architecture helps in
• Quality
• Interoperability
• Portability
• Security
• Extensibility

• Security goals have to be defined before the architecture of a system is created – “baked-in”
concept
• Security being addressed late in development phase is called – “baked-on” concept
• ISO/ISEC 42010 is the systems and software engineering Architecture description
• It is important to understand the scope of the target system before we can develop or architect or
evaluate it
 Computer
Architecture
CPU
• It is also known as microprocessor or processor
• A CPU is brain of a computer
• It is responsible for all functions and processes
• It fetches instruction from memory and executes them
• The CPU consists of thin layers of thousands of transistors
• Each transistor receives a set of inputs and produces output
• Transistors hold a key role in functioning of CPU as they make computer able to count and
perform logical operations which is called processing
• Computers use two types of storage: Primary storage and secondary storage.
• The CPU mainly interacts with primary storage or main memory, referring to it for both
instructions and data. 
• There are four important functions of CPU,
• Fetch
• Decode
• Execute
• Write back (Store)
 Main Components of CPU:
• The three components of the CPU are following,
• Arithmetic Logic Unit
• Control Unit 
• Registers
 CPU Components
• Arithmetic Logic Unit:
• Actual execution of the instructions happen here
• Performs all arithmetic and logical operations.
• There cannot be more than one Arithmetic logic unit in a CPU

• Control Unit: [Traffic cop]

• It controls and co-ordinates computer components for carrying out or executing, already stored program
instructions
• It directs the flow of data between the Central Processing Unit (CPU) and the other devices.
• It controls when instructions are executed and in what priority/time slice
• All computer resources are managed by the CU
• It does not actually process the data

• Register/Memory Unit:
• Temporary storage areas which are responsible for holding the data that is to be processed
• Provides the fastest way to access data
• They store the instructions and data in a processor. This data is used by ALU
CPU Registers
• General Purpose Registers:
• Hold intermediate results and frequently needed data items for the ALU to execute
• Used only by currently executing program
• Implemented within the CPU; contents can be read or written quickly
• Special Register (Dedicated Register)
• Holds information such as
• Program counter
• Stack pointer
• Program status word [PSW]
• Program counter
• Contains memory address of the next instruction to be fetched
• Program Status word [PSW]
• Status of CPU and currently executing program
• Flags (one bit Boolean variable) to track condition like arithmetic carry and
overflow, power failure, internal computer error
• One bit indicates CPU modes
• User mode [problem state]
• Privileged mode [supervisor or kernel mode]
CPU Modes
• User Mode
• When an application needs the CPU to carry out its instructions, CPU
operates in USER mode
• This mode has lower privilege level
• Many of CPU instructions and functions would not be available
• Privileged Mode
• Trusted processes operate in this mode
• Has all available functions at its disposal
• This mode has higher privilege level
 Memory Bus
• Address Bus:
• A collection of wires connecting the CPU with main memory that is used to
identify particular locations (addresses) in main memory
• Used by CPU to indicate the location of the instructions to be processed
• Data bus:
• Memory or I/O devices respond by sending data through data bus
Address/data bus can be 8,16,32 or 64 bits wide. – meaning system can move data between
components of this size
 Multiprocessing
• More than 1 CPU for increased performance
• Symmetric mode:
• Processors are handled work as needed
• Like load-balancing
• A scheduler decides which processor should
handle the instructions
• Asymmetric mode:
• When a processor is dedicated it is called
Asymmetric mode
• One CPU is dedicated while other[s] are used
as general purpose

cse.csusb.edu
Processor – Key Security features
• Key features processor should have to address security concerns are
• Tamper detection sensors
• Crypto acceleration
• Battery backed logic with a physical mesh
• Ability to customize a device with secure boot capabilities
• Secure memory access controller with on-the-fly encrypt and decrypt
capabilities
• Static and differential power analysis
• Smart card UART controllers
Memory Types
System Performance Components

• Processor
• Memory type and size
• Memory addressing size
• Data bus size
Random Access Memory (RAM)
• Temporary storage facility for data and program instructions
• It is used for read/write activities of the OS and applications
• RAM directly affects the speed of the computer
• RAM is made up of Transistors and Capacitors
• Capacitors:
• It where the actual charge is stored
• It is represented as binary value 1 ~ several electrons are stored ; binary
value 0 ~ no electrons are stored
• Memory controllers are used to energize (read and refresh) the capacitors.
This is needed to ensure capacitors do not loose charge and erase the
values
• Transistor:
• acts as a switch that lets the Memory controller on the chip to read the
capacitor or change its state
• It is volatile meaning if the CPU power is lost, the data in RAM gets wiped
 Memory Types
Memory Type Description
Dynamic RAM (DRAM) Capacitors loose electrons quickly; hence memory controls constantly
refreshes the electrons; slower RAM used in general RAM chips

Static RAM (SRAM) Bits are held in memory cells without the use of capacitors; hence the bits
do not require to be refreshed; but needs more transistors than DRAM;
very fast and is used in Cache
Extended Data out DRAM (EDO Can capture the next block of data while the first block is sent across to
DRAM) CPU for processing; hence faster than DRAM.
Burst EDO DRAM Similar to EDODRAM, but sends more data to CPU; it can send up to 4
(BEDO DRAM) memory address in a smaller number of clock cycles

Synchronous DRAM (SDRAM) Synchronizes itself with the CPU clock. SDRAM is about five percent
faster than EDO RAM and is the most common form in desktops today

Double Data Rate SDRAM Instead of carrying out one operation per clock cycle, it carries out two
(DDR SDRAM) operations and hence can deliver twice the throughput of SDRAM.
 Read-Only Memory
• Non-Volatile memory type
• Data once written cannot be modified
• Software that is stored within ROM is called
• Firmware

• Programmable Read-only memory [PROM]

• Can be programmed only one time; the instructions are burned-into PROM
• Commonly used for hardware applications where some custom functionality is necessary

• Erasable programmable read-only memory (EPROM)

• can be electrically erased, modified, and upgraded
• UV light device that provides the right energy can be used to erase data on the chip
• To erase the chip must be removed ~ key point, all data will be erased

• Electrically erasable programmable read-only memory (EEPROM)

• Similar to EPROM, but its data storage can be erased and modified electrically by onboard programming circuitry and signals.
• Erases only one byte at a time, hence it is slow
• Motherboard BIOS is stored to facilitate version updates
Read-Only Memory
• Flash Memory
• Solid state technology
• Does not have moving parts
• Acts more like a ROM than a RAM
• It is used more as a type of Hard drive than memory
• Erasing function takes place in blocks or entire chip instead of one byte
at a time
• Its smaller, faster and lighter
Chace Memory
• Type of memory used for high-speed writing and reading activities
• Can be described as a high-speed RAM on the same chip as the
processor
• Improves overall speed of the computer
• Different motherboards have different types of cache.
• Level 1 (L1) is faster than Level 2 (L2),
• L2 is faster than L3
• L1 and L2 are usually built into the processors and the controllers
Memory Mapping
• CPU, the most trusted component in the system, has direct
access to memory
• It is connected physically to the memory chips
• Software/Applications do not have physical connection to
memory segments; they are connected logically
• Memory manager is used to connect an application to the
memory segment on need basis
• Memory manager allows application to access memory via index
tables and pointers.
 Memory Address types
• Immediate Address
• Way of referring to data that is supplied to CPU as part of an instruction; not a memory addressing scheme per se.

• It is the fastest method of addressing

• Absolute address
• Physical memory address that CPU uses
• Also called direct addressing; direct addressing is flexible than immediate addressing
• The address must be located in the same memory page as the instruction being executed

• Logical Address (Indirect address)

• Indexed memory address that software/application use

• Relative Address
• are based on a known address with an offset value applied
• Relative address means an address specified by indicating its distance from another address, called the base address.
• Memory manager uses the value stored in one of the CPUs registers as the base location from which to begin counting.
• Relative addressing is always in bytes
 Buffer Overflow
• Buffer:
• An allocated segment of memory
• Buffers make up the stack
• Stack
• A segment in memory that allows for communication between the requesting application and
the procedure or subroutine.
• An important issue in stack is that it grows downward
• Stack pointer keeps track of where the CPU is in the stack. It tells the CPU where the next
piece of data/instruction is located
• Procedure is a code that carries out specific function on the data and returns the
result to the requesting application
• Procedure takes the data off the stack starting at the top, so they are First In, Last out (FILO)
• Return Pointer is a pointer to the requesting application memory address
 Buffer Overflow
• Buffer overflow takes place when too much data is input to a specific process
• For Buffer overflow use, the attacker must insert code that must be of specific length
and followed up by command(s) the attacker wants to execute
• Proper bounds checking to ensure input data is of an acceptable length helps
prevent BO
• Secure programming practice and code reviews can help identify and prevent Buffer
overflow attacks
• Some other techniques to prevent BO are:
• Black-box testing
• Mark stack as non-executable
• Randomize stack location or encrypt return address on stack
• Run-time checking of array and buffer bounds
• Static analysis of source code to find overflows
 Memory Leak
• It is caused when the operating system does not release the memory after
the use of an application
• Memory leaks can take place in OS, Applications, and software drivers
• It is also known as space leak
• Two fundamental countermeasures to memory leak are:
• Programming:
• Secure coding practices that ensure these memory releases are properly handled
• Implement garbage collector
• Software that runs an algorithm to identify unused committed memory and instructs
OS to mark that memory as available
• Different types of garbage collectors work with different OS and Programming
languages
 Operating Systems

• It provides an environment for applications and users to work

within
• It is made up of various layers of functionality
• Responsibilities
• Process management
• Memory management
• I/O management
• CPU management
Process Management
 Process:
 A set of instructions that are actually running
 Applications work as individual units called process
 A program is not considered a process unless it is loaded and
allocated resources by OS
 The collection of the instructions and the assigned resources is
referred to process.
 Operating system gives a process necessary tools it needs and
loads it into memory
Multiprogramming vs Multitasking
Multiprogramming Multitasking
More than one program is loaded into More than one program is loaded into
memory memory

Only one process can be executed at Request from more than one
one time application will be processed at the
same time
Usually takes place on large-scale Maintains processes in various
systems, such as mainframes execution states

Requires specially written software OS coordinates the processing

that coordinates its own activities and
execution through the OS
 Processing Type

• Single State Systems:

• Requires the use of security policy to manage information at different
security levels
• Security administrators have control over approving processor and
system to handle only one security level at a time
• Multistate System:
• They are capable of implementing a much higher level of security
• Certified to handle multiple security levels simultaneously
• They are designed to prevent information from crossing between
security levels
 Multitasking Types
Type Description

Cooperative Multitasking • Legacy type

• The application decides on releasing the resource
• One application can negatively impact the system

Pre-emptive multitasking • OS controls how long a process can use the resource
• Uses time sharing to allocate resources to the applications
• No one application can negatively impact the system

• Spawning
• function that loads and executes a new child process.
• Forking:
• when a process forks, it creates a copy of itself. The original process that calls fork() is
the parent process, and the newly created process is the child process. Both processes
return from the system call and execute the next instruction.
 Both the parent and child processes possess the same code segments, but execute
independently of each other.
Process states
• Process can be in
• Ready state
• Waiting to send instructions to the CPU
• Running state
• CPU is executing its instructions and data
• Blocked (waiting) state
• Waiting for input data
• Supervisory state
• Process must perform actions that requires privileges greater
than the current state’s privilege
• Stopped state
• Process is finished or terminated
Process Table
• Operating System maintains a table having one
entry per process
• It contains each individual process’s
• State
• Stack pointer
• Memory allocation
• Program counter
• Program status word
Thread Management
• When a process needs to send something to the CPU for processing, it generates a
thread.
• A thread is made up of an individual instruction set and the data that must be
worked on by the CPU.
• Threads are dynamically created and destroyed as needed
• A thread is contained inside a process
• Each thread shares the same resources of the process that created it.

• Multithreaded application:
• A program that is capable of running several different threads, within a single process,
simultaneously.
• Often used in applications where frequent context switching between active processes
consumes excessive overhead
Process Scheduling
• Schedulers are algorithms that controls the time sharing of the CPU
• A scheduling policy is created to govern how threads will interact
with each other
• Operating System performs the following
• Creates and deletes processes as needed
• Oversees them changing state
• Responsible for controlling deadlocks
• Uses Interrupts to provide time slicing
• Requires the application to have all resources it needs before it actually starts
executing
Process Isolation

• Required for preemptive multi-tasking

• Methods used to enforce Process Isolation
• Encapsulation of objects
• Time multiplexing of shared resources
• Naming distinctions
• Virtual address memory mapping
Process Isolation
• Encapsulation
• When a process is encapsulated no other process understands or interacts with its
internal programming code
• An interface defines how communication must take place between two processes.
• The interfaces dictate the type of requests a process will accept and the type of
output that will be provided
• Encapsulation provides
• Data hiding
• Integrity mechanism
• Modularity in programming code

[Modular Programming: is a software design technique that emphasizes separating the functionality of a
program into independent, interchangeable modules, such that each contains everything necessary to execute
only one aspect of the desired functionality]
Process Isolation
• Time Multiplexing
• is a technology that allows processes to use the same resources
• Multiplexing means there are several data sources and the individual data pieces are piped into one
communication channel.
• Helps in resource sharing

• Naming Distinctions
• Processes are usually assigned process identification (PID) values, which the operating system and
other processes use to call upon them
• If each process is isolated, that means each process has its own unique PID value.

• Virtual memory mapping

• Virtual memory makes application programming easier by hiding fragmentation of physical memory; 
• when processes are given separate address spaces, the technique offers protection to applications by
isolating memory from other processes.
• Provides Integrity and confidentiality of individual processes
Security Protection Mechanisms
• Layering
• Applying a structure similar to Ring model applied to each operating process
• Top layers have higher protection, while lower layers have comparatively lower protection
• Communication between layers takes place only via the use of well-defined, specific interfaces to provide
necessary security

• Abstraction
• Fundamental principle behind object-oriented programming
• Subjects do not need to know the details of how the object works; they need to know just the proper syntax for
using the object
• Access control/rights are applied to groups of objects than on a per-object basis

• Data Hiding
• Important characteristic of a multilevel system
• Ensures the data existing in one level of security is not visible to processes running at different security levels

• Hardware Segmentation
• It enforces isolation requirements through the use of physical hardware.
Memory Management

• Goals
• Provide an abstraction level for programmers
• Abstraction means that the details of something are hidden

• Maximize performance with limited memory available

• Protect the OS and applications loaded into memory
Memory Manager

• A portion of OS that keeps track of how different types are

memory are used

• It allocates and deallocates different memory segments

• Enforces access control

• Swaps memory contents from RAM to the Hard drive

Memory Manager Responsibility
• Relocation
• Swap contents from RAM to the hard drive as needed
• Provide pointers for applications if their instructions and memory segment have been moved to a different
location in main memory
• Protection
• Limit processes to interact only with the memory segments assigned to them [Access control]
• Sharing
• Allow many users with different levels of access to interact with the same application running in one memory
segment
• Logical organization
• Segment all memory types and provide an addressing scheme for each at an abstraction level
• Allow for the sharing of specific software modules, like DLLs
• Physical organization
• Segment the physical memory space for application and operating system processes
• Uses two registers:
• Base register: contains the beginning address that was assigned to the process
• Limit register: contains the length of the address space
Memory Protection Methods
• Segmentation
• Dividing the memory into segments
• A reference to memory segment includes the value to the segment and a offset within
that segment
• Paging
• Divides memory address space into equal-sized blocks called pages
• Page table maps virtual memory into physical memory
• Protection Key
• Divides physical memory into blocks of particular size, each having a numerical value
called protection key
• Each process also has a protection key value associated with it
• When memory is accessed, manager checks the process protection key value with the
associated memory key value matches before allowing access.
Cont
• Address Space Layout Randomization (ASLR)
• Randomly arranges the positions of key data areas of the program
• Is based upon the low chance of an attacker guessing the locations of
randomly placed areas

• Executable Space Protection

• Marking of memory regions as non-executable, implying that any
attempt to execute machine code in these regions will cause an
exception.
 Virtual Memory
• RAM + Secondary Storage
• Swap Space:
• is the reserved hard drive space used to extend RAM capabilities.
• When a program requests access to the data in swap space, it is
brought from the hard drive back into memory in specific units, called
pages.
• Virtual memory paging
• Virtual memory makes application programming easier by
hiding fragmentation of physical memory; 
• when processes are given separate address spaces, the technique offers
protection to applications by isolating memory from other processes.
• Provides Integrity and confidentiality of individual processes.
 Storage device types
• Random access storage device:
• Allows an OS to read immediately from any point within the device by
using some type of addressing scheme
• Almost all primary storage devices and some secondary storage devices
are random access devices
• Sequential storage device:
• They require that all the data stored prior to the desired location is read
before reaching the location
• Tape drives is a good example
• While slow, it can store vast amount of data at inexpensive media
Input / Output Device Management
• I/O devices are either block or character devices
• Block devices:
• Works with data in fixed blocks, each block with its own unique address
• Eg: disk drive

• Character devices:
• Works with streams of characters; is not addressable
• Eg: printer, NIC, mouse etc

• OS uses device driver to interact with device controllers

• Controller is an electrical component that provides communication
between device and OS
Input / Output Device Security

• TEMPEST:

• Technology that allows the electronic emanations that every I/O device produces to be read from a distance

• CRT monitors are more prone than LCD/LED monitors

• Phlashing:

• Malicious variant of firmware is used to flash the memory that introduces remote control or other malicious

features into a device; an attack commonly targets the BIOS

• Red/Black separation requirements meant installing physical security controls such as shielding

between normal unclassified circuits and classified ones.

 Interrupts
• An interrupt is a signal to the  processor emitted by hardware or software
indicating an event that needs immediate attention.
• Each process has an interrupt assigned to it
• There are two types of interrupts:
• Hardware interrupt
• is an electronic alerting signal sent to the processor from an external device, either a part of the computer
itself such as a disk controller or an external peripheral. For example, pressing a key on the keyboard or
moving the mouse triggers hardware interrupts that cause the processor to read the keystroke or mouse
position. 
• Software interrupt
• is caused either by an exceptional condition in the processor itself, or a special instruction in the instruction
set which causes an interrupt when it is executed. For example, computers often use software interrupt
instructions to communicate with the disk controller to request data be read or written to the disk.
Interrupt categories
• There are two categories of interrupts:
• Maskable interrupt
• an event that may not be overly important and the programmer can
indicate that if that interrupt calls, the program does not stop what it is
doing
• Nonmaskable interrupts
• Nonmaskable interrupts can never be overridden by an application
because the event that has this type of interrupt assigned to it is critical

• Watchdog timer (nonmaskable interrupt)

• This process will reset the system with a warm boot if the
operating system hangs and cannot recover itself.
Interrupt Controller
• I/O device interacts with the CPU via the Interrupt Controller

I/O
I/o I/O Interrupt
I/O
Interrupt Interrupt Vector
I/O

Device controller Interrupt Controller CPU

I/O Procedures
I/O Procedure Description

Programmable I/O CPU sends data to an I/O device and polls the device to see if it is ready to accept more data
This is a slow process and wastes CPU time

Interrupt-driven I/O Works based on Interrupts

CPU sends instructions and carries out other task, the I/O completes the task and sends
interrupt
This also wastes a lot of time in dealing with interrupts

I/O using DMA Transferring data between I/O devices and the system’s memory without using the CPU.
Speeds up data transfer rate
Also called unmapped I/O

Premapped I/O CPU sends the physical address of the requesting process to the I/O device
CPU does not control interactions between I/O and memory
I/O is trusted by CPU

Fully mapped I/O OS does not trust the I/O device

Physical address is not given
I/O works with logical address
CPU acts a broker
 CPU Architecture
• CPU and OS must have to be compatible and share similar
architecture to work together
• OS and CPU communicate via Instruction set
• Ring Based Architecture
• CPU dictates how many rings are available for OS to use
• Ring 0 is for the most trusted component of the OS itself
• Ring 0 is the most privileged and Ring 3 is for the least privileged
• OS components that work at Ring 0 has the most access to memory
locations, peripheral devices, system drivers
• Less trusted process interact with OS using API [guards]
Operating System Architecture

• Monolithic Architecture
• Layered Architecture
• Microkernel Architecture
• Hybrid Microkernel Architecture
Monolithic Architecture
• All OS processes run in Kernel mode
• The services provided by OS is available to all applications via system calls
• The OS acts as one layer between user applications and the hardware level
• Software modules communicate to each other in an ad-hoc manner
• Since functionality is spread through out the system, it is difficult to localize
and fix ~ Security
• Since hardware interfaces are implemented through out the software, it is
difficult to port ~ Portability
• Since they are not modular in nature, difficult to add or remove functionality
~ modularity
• Too many components interact directly with the hardware ~ complexity
• Eg: MS-DOS
Layered Architecture
• Separates System functionality into hierarchical layers
• Still OS was running in Kernel Mode only
• Provides data hiding
• Each layer provides its own security and access control
• Modularizing software allows for functionalities to be added and removed
• Introduced abstraction level that enables portability from one hardware platform to another
• Examples: THE, UNIX
• Disadvantage
• Performance
• Complexity
• security
 Micro Kernel Architecture
• Small subset of critical Kernel Processes are isolated
• Mainly memory management and Message Interpreter
• Goal was to limit the number of processes running in Kernel
mode
• Due to frequent mode transitions this architecture had severe
impact on Performance
Hybrid Micro Kernel Architecture
• Microkernel still exists and carries out memory management and
message interpreter
• All OS services run in Kernel mode and the remaining run in user mode
• The OS services are the servers and the application processes are the
clients
• When clients need to use the services of the OS, they communicate
with the server services using API
• The services that run outside the microkernel are collectively called
executive services
 Virtual Machines
• Virtual instance of an OS is known as Virtual machine
• Creating virtual instances of OS, Application and Storage devices is called
virtualization
• Thunking
• It is the process of converting interface sets (32bit-64bit) and process the request
appropriately
• Virtual machine is commonly referred to as guest machine, and the physical
machine is called the host machine
• Hypervisor is the central program that controls the execution of the various
guest operating systems
Security Modes
• US Government designated 4 approved security modes for systems that
process classified Information
• Dedicated mode
• System High mode
• Compartmented mode
• Multilevel mode
• There are 3 specific elements must exist before security modes themselves be
deployed
• Hierarchical MAC environment
• Total physical control over which subjects can access the computer console
• Total physical control over which subjects can enter into the same room as the computer
console
 Dedicated Mode System High Mode Compartmented Mode Multilevel Mode

Clearance Subject must have Subject must have Subject must have Subject may not have
clearance to access ALL clearance to access ALL clearance to access ALL clearance to access ALL
information processed information processed by information processed by information processed by
by the system the system the system the system; access is
provided if subjects’
clearance level dominates
objects’ classification

Access Must have access Must have access approval Must have access approval Must have access approval
approval approval for ALL for ALL information for ANY information they for ANY information they will
information processed processed by the system will have access to on the have access to on the
by the system system system

Need to know Must have valid need to Must have valid need to Must have valid need to Must have valid need to
know for ALL information know for SOME information know for ANY information know for ANY information
processed by the system processed by the system they will have access to they will have access to on
on the system the system

Comment Equivalent to Single

state system
Compartmented mode workstations

• Subjects with necessary clearance can process data from multiple

compartments simultaneously

• Requires two forms of security label on objects

• Sensitivity Labels:
• Describes the levels at which objects must be protected

• Information Labels:
• Prevents data overclassification and associate additional information with the
objects for proper and accurate data labelling.
Karthikeyan Dhayalan
MD & Chief Security Partner