Building a trusted computing base
Table of Contents
1. Introduction
2. The Importance of Secure Hosts
3. Principles, Patterns and Technical Layers of a Secure System
4. Goals
5. Principles, Patterns and Mechanisms
6. Ambient Authority
7. Authority vs. Permission
8. POLA
9. Confused deputy problems and why designation is separated from permission
10. Isolation
11. Interposition, Interception
12. Communicating sequential processes
13. Trusted Path
14. Powerbox, interactive right delegation
15. Sandboxing
16. Restricting Code
17. Malicious Code
18. Viruses and Trojans
19. The Sandbox Concept
20. Hardware based Security
21.
22. Digital Rights/Restriction Management (DRM)
23. Protected Media Path (PMP)
24. Kernel and Operating System Security
25. Modes
26. Monolithic Kernel
27. Microkernel
28. Pros and Cons of Microkernels: Torvalds vs. Tanenbaum
29. Armored Monolithic Kernel
30. Taming with VM Approaches
31. Access Control Mechanism: Access Matrix
32. Access Decision Tuple (from IBM book)
33. Access Control Lists
34. What Capabilities are NOT
35. Object Capabilities
36. Environment
37. Symlinks
38. File Handling
39. SetUID Programs as a classic example of "confused deputy"
40. Shatter Attacks: Why Services under Windows should not use GUIs
41. Symbian OS
42. Administration
43. Headless vs. local Administration
44. Users and Identities
45. Credentials and their storage
46. Should "su" ask for the root password?
47. Securing a Complete System Environment: SELinux
48. Introduction
49. The root of the problem: Discretionary access control
50. Ways to control authority
51. SELinux core concepts
52. User roles and transitions
53. Roles and Granularity of Protection
54. SELinux Domains and Types
55. Security Descriptors and IDs (SIDs)
56. SELinux Objects and access methods
57. SELinux Implementation of a policy
58. General Definitions
59. Type Enforcement and File Context Definitions
60. Macros and Processing, Compilation
61. Adding a new program
62. Conclusion
63. Languages and Virtual Machines
64. Para(Virtualization)
65. The Importance of Type Safety
66. Side-effects
67. Concurrency Risks
68. Closures
69. Code Verification
70. Java Examples
71. OSGI Security
72. Security Libraries and Middleware
73. Portable Interceptor
74. Application and Server Security
75. Securing Servers
76. Server Architecture Examples
77. GRID Examples with small setuid programs
82. Polaris - an ACL restricting Sandbox
83. Application Structure and Modularity
84. Browser Security
85. Skynet Virus Talk by Mark Stiegler
86. Darpa Browser Results
87. Mozilla/Firefox Investigation
88. Access Control: Role/Identity based
89. Policy Enforcement
90. Policy Definition Problems
91. Identity based vs. code based policies
92. Code Signing
93. Privilege Elevation - the problems of setUID programs and services
94. A simple example
95. Mandatory vs. Discretionary Access Control - Multi-Level Security (MLS)
96. Who can do what? DAC vs. MAC
97. Discretionary Access Control (DAC)
98. DAC and ACLs
99. Mandatory Access Control
100. Multi-level Security (MLS)
101. Definition
102. Example: Internet vs. Intranet
103. Example: Putting a security label on content
104. Security Labels
105. Dominance and Equivalence
106. Rule example
107. Design Tips
108. MLS across Systems
109. Network Data Flow in MLS
110. Common Access Policy across Zones
111. Attacks on MLS
112. Usability and Human Aspects
113. Trusted Path
114. Resources
115. Papers
116. Literature