AN APPROACH TO INFORMATION SYSTEM
ISOLATION AND SECURITY IN A
SHARED FACILITY
by
Stuart E. Madnick
John J. Donovan
March 1973
648-73
* This paper is based upon a paper entitled "Application and Analysis
of the Virtual Machine Approach to Information System Security and
Isolation" that was presented at the ACM Workshop on Virtual Computer
Systems, March 26-27, 1973, Harvard University, Cambridge, Massachusetts.
ABSTRACT

Security is an important factor if the programs of independent and possibly malicious users are to coexist on the same computer system. In this paper we show that a combined virtual machine monitor/operating system (VMM/OS) approach to information system isolation provides substantially better software security than a conventional multiprogramming operating system approach. This added protection is derived from redundant security using independent mechanisms that are inherent in the design of most VMM/OS systems.
I. INTRODUCTION

During the past decade the technique of multiprogramming (i.e., the concurrent execution of several independent programs on the same computer system) has been developed to take full advantage of medium- and large-scale computer systems (e.g., cost economics, flexibility, ease of operation, hardware reliability and redundancy, etc.). Unfortunately, in transferring physically isolated information systems (see Figure 1(a)) to physically shared information systems (see Figure 1(b)), we must cope with the problems of: operating system compatibility, reliability, and security. In this paper we show that the Virtual Machine approach provides effective solutions to these problems.
* Assistant Professor, Project MAC and Sloan School of Management.
** Associate Professor, Project MAC and Department of Electrical Engineering.
Work reported herein was supported in part by Project MAC, an M.I.T. research project sponsored by the Advanced Research Projects Agency, Department of Defense, under Office of Naval Research Contract Nonr4102(01) and in part by the MIT-IBM Security Study Project.
[Figure 1. Isolated and Shared Information Systems. (a) Physically Isolated Information Systems: separate systems S1, S2, S3, each with its own terminals, storage devices, central processor and memory, running its own programs (e.g., P31, P32, P33 on S3). (b) Physically Shared Information System: one set of terminals, storage devices, central processor and memory serving all of the programs. Terminals include conventional I/O units, such as readers, printers, TTY, etc.]
II. VIRTUAL MACHINE APPROACH TO ISOLATION AND COMPATIBILITY

Since virtual machines have been described extensively in the literature (Madnick(5), Parmelee(6)), we will only briefly review the key points. A virtual machine may be defined as a replica of a real computer system simulated by a combination of a Virtual Machine Monitor (VMM) software program and appropriate hardware support. (See Goldberg (3, 4) for a more precise definition.) For example, the VM/370 system enables a single IBM System/370 to appear functionally as if it were multiple independent System/370's (i.e., multiple "virtual machines"). Thus, a VMM can make one computer system function as if it were multiple physically isolated systems, as depicted in Figure 2. A VMM accomplishes this feat by controlling the multiplexing of the physical hardware resources in a manner analogous to the way that the telephone company multiplexes communications, enabling separate and, hopefully, isolated conversations over the same wires.

A VMM is totally unlike a conventional operating system. The VMM restricts itself to the task of multiplexing and allocating the physical hardware; it presents an interface that appears identical to a "bare machine". In fact, it is necessary to load a conventional operating system into each virtual machine in order to accomplish useful work. This latter fact provides the basis for the solution to the compatibility problem. Each virtual machine is controlled by a separate, and if necessary different, operating system.

[Figure 2. Real and Virtual Information Systems. (a) Real Information System Hardware (central processor, memory, I/O). (b) Virtual Information System Hardware.]

The feasibility of this solution has been demonstrated on the VM/370 system and the earlier CP-67 system. The extra VMM software and hardware do introduce additional overhead in the operation of the information system, but this overhead can be kept rather low (e.g., 10-15%). Depending upon the precise economics and benefits of a large-scale system, the VMM approach is often preferable to the operation of multiple physically isolated 'real' systems.
III. SECURITY AND RELIABILITY IN A VIRTUAL MACHINE ENVIRONMENT

In the preceding section it was shown that the virtual machine approach solves the OS compatibility problem by allowing different operating systems to coexist on the same computer at the same time. In this section we will show that the virtual machine approach results in software security and reliability in a system much less susceptible to failure than a conventional multiprogramming operating system. The problems of security and reliability are quite similar. A reliability failure is any action of a user's program that causes the system to cease correct operation (e.g., "stops" or "crashes"); a security failure is a form of reliability failure that allows one user's program to access or destroy the data or programs of another isolated user or to gain control of the entire computer system. The reliability problem has been studied by Buzen, Chen, and Goldberg (1). In this paper we analyze security failures in a virtual machine environment.

1. Contemporary Operating System Environment

Figure 3(a) illustrates the coexistence of multiple programs on a single information system in the environment illustrated in Figure 1. Such a system is susceptible to reliability and security failures through hardware or software failure. Most contemporary operating systems, in conjunction with appropriate hardware support, provide mechanisms to isolate users from each other and from the operating system. OS/360, for example, uses the System/360's lock and key protection to insulate users from each other. The supervisor/problem state modes of operation further prevent users from "gaining control" of the system. Thus, a security violation is allowed to occur only with a hardware or software failure of the operating system. In this paper we are only concerned with isolation security (i.e., no user is allowed any access to another user's information). Generalized controlled access (i.e., restrictive access to other users' information) is much more difficult but, fortunately, such a facility is not needed for the isolation security problem. Under "ideal" circumstances, it should be possible for most current operating systems to bring about complete isolation security. Typical modern operating systems, however, consist of hundreds of thousands, possibly millions, of instructions. The user programs interface with the operating system through hundreds of parameterized entries (e.g., supervisor calls, I/O requests and interrupts, program interrupts, etc.).

[Figure 3. Comparison of OS and VMM/OS Approaches. (a) Conventional Operating System Approach: all concurrent programs required for all installations S1, S2, S3 run under one operating system. (b) Virtual Machine Approach: the programs of each installation run concurrently under an operating system for that installation (Operating System 1 with P11, P12, ...; Operating System 2 with P21, ...; Operating System 3 with P31, P32, P33), all above one Virtual Machine Monitor.]

At the present time there is no known way to systematically validate the correct functioning of the operating system for all possible parameters for all entries. In fact, most systems tend to be highly vulnerable to sabotage (e.g., invalid parameters). For example, a popular form of sabotage is to issue certain data-returning supervisor calls (e.g., a "what time is it?" request) providing an invalid address as a parameter. The operating system, running with protection disabled and assuming that the address parameter corresponds to a user's data area, transfers the return data to that location. If the address provided actually corresponds to locations within the operating system, the system can be made to destroy or disable itself. Most "secure" systems, of course, attempt to detect this kind of error but there are many other sabotage techniques and complete security is unlikely.

Referring back to Figure 3(a) we can see some of the factors contributing to the security problem. In order to provide sufficient and effective functionality for a large collection of heterogeneous user programs, the operating system must be quite comprehensive and, thus, more vulnerable to error. In general, a single software logical error can invalidate the entire security mechanism. Furthermore, in the operating system depicted in Figure 3(a), there is no more protection between the programs of differing user groups or the operating system than there is between the application programs of a single user group.

The security of such conventional operating systems is sufficiently weak that the military has strict regulations that appear to forbid the use of the same information system for both SECRET and TOP SECRET use - even though using separate systems is more costly. Even industrial competitors or different functions in the same company (e.g., payroll and engineering) are often reluctant to share the same computer.
2. Virtual Machine Environment

Figure 3(b) illustrates the virtual machine approach to a physically shared system. This arrangement has numerous security advantages. If we define $P_s(P)$ to be the probability that a given run of program P will cause a security violation to occur, the following conditions would be expected to hold:

A. $P_s(P \mid OS(n)) < P_s(P \mid OS(m))$ for $n < m$

$OS(i)$ refers to a conventional operating system multiprogramming at level $i$ (i.e., supporting $i$ concurrent programs). The probability of system failure tends to increase with the load on the operating system (i.e., the variety of different functions provided, the frequency of requests issued, the number of concurrent programs, etc.). In particular, a monoprogramming system, $OS(1)$, tends to be much simpler and more reliable than an $m$-degree multiprogramming system. Furthermore, a comprehensive multiprogramming system often requires intricate alterations to support the special needs of the $m$ users, especially if $m$ is large. These problems have been experienced in most large-scale multiprogramming systems. These problems are diminished in a VM environment since each virtual machine may run a separate operating system. Each operating system may be simpler and less error-prone than a single comprehensive all-encompassing operating system.

B. $P_s(OS \mid VMM(k)) < P_s(P \mid OS(m))$ for $k < m$

$VMM(i)$ means a virtual machine monitor, VMM, supporting $i$ virtual machines. The operating system, OS, has the same relationship to the $VMM(k)$ as a user's program, P, has to a conventional multiprogramming operating system, $OS(m)$. Using the same rationale as in A above, the smaller the degree of multiprogramming (i.e., $k < m$), the smaller the probability of a security violation. Furthermore, even when $k = m$, the VMM is less error-prone, since virtual machine monitors tend to be shorter, simpler, and easier to debug than conventional multiprogramming operating systems. For example, since a virtual machine is defined by the hardware specifications of the real machine, the field engineer's hardware diagnostic software can be used to check out the correctness of the VMM.

We can define the probability of a program P on one virtual machine violating the security of another concurrent program on another virtual machine as:

C. $P_s(P \mid OS(n) \mid VMM(k)) = P_s(P \mid OS(n)) \times P_s(OS \mid VMM(k))$

Based on the inequalities of A and B above and the multiplicative dependency in C, we arrive at the conclusion:

D. $P_s(P \mid OS(n) \mid VMM(k)) \ll P_s(P \mid OS(m))$ for $n, k < m$

$P_s(P \mid OS(n) \mid VMM(k))$ is the probability of simultaneous security failure of P's operating system and the virtual machine monitor. If a single operating system's security fails, the VMM isolates this failure from the other virtual machines. But, if the VMM's security fails, it exposes information of other virtual machines to the operating system of one virtual machine; if P's operating system is functioning correctly, malicious users will not take advantage of the security breach. This assumes that the designers of the individual operating systems are not in collusion with the malicious users, which seems to be a reasonable hypothesis; otherwise, using the same collusion, $P_s(P \mid OS(m)) = 1$ could be attained by subverting the common operating system.

We are particularly concerned about the overall system security, that is, the probability that a security violation occurs due to any program in the system. Treating the violations of the individual programs as independent events, this situation can be computed by:

E. $P_s(P_{11}, P_{12}, \ldots, P_{33}) = P_s(P_{11}) \times (1 - P_s(P_{12})) \times \cdots \times (1 - P_s(P_{33})) + (1 - P_s(P_{11})) \times P_s(P_{12}) \times \cdots \times (1 - P_s(P_{33})) + \cdots + P_s(P_{11}) \times P_s(P_{12}) \times \cdots \times P_s(P_{33})$

Alternately, it can be represented as:

$P_s(P_{11}, P_{12}, \ldots, P_{33}) = 1 - (1 - P_s(P_{11})) \times (1 - P_s(P_{12})) \times \cdots \times (1 - P_s(P_{33}))$

We note that $P_s(P_{11}, P_{12}, \ldots, P_{33})$ is minimized when the individual $P_s$'s are minimized. The effect is accentuated due to the multiplicative nature of Equation E. Thus, from the inequality of D, we conclude:

F. $P_s(P_{11}, P_{12}, \ldots, P_{33} \mid OS(n) \mid VMM(k)) \lll P_s(P_{11}, P_{12}, \ldots, P_{33} \mid OS(m))$ for $n, k < m$.

That is, the security in a virtual machine environment is very much better than in a conventional multiprogramming system environment. This probabilistic conclusion depends upon the independence of the operating system and VMM security failures. In the following section we show that the independence condition applies.
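The inequalities A through F can be checked numerically. The C program below is an added example written for this edition, not part of the paper; the probabilities it uses (0.05 for a program under a conventional OS(9), 0.02 for a program under an OS(3) inside a virtual machine, 0.01 for the VMM(3) layer) are assumed illustrative values chosen only to respect the ordering n, k < m, and the independence assumption behind Equations C and E is taken as given. It computes both forms of Equation E, the layered product of Equation C, and the overall comparison of Equation F for the nine programs P11 ... P33 of Figure 1.

```c
#include <stdio.h>

#define NPROG 9   /* programs P11 ... P33 of Figure 1: three installations, three programs each */

static double absd(double x) { return x < 0 ? -x : x; }

/* Equation E, first form: sum, over every nonempty set of programs that violate security,
 * of the probability of exactly that set violating (bit i of mask set = program i violates). */
double ps_system_enumerated(const double ps[], int n) {
    double total = 0.0;
    for (unsigned mask = 1; mask < (1u << n); mask++) {
        double term = 1.0;
        for (int i = 0; i < n; i++)
            term *= (mask & (1u << i)) ? ps[i] : 1.0 - ps[i];
        total += term;
    }
    return total;
}

/* Equation E, second form: one minus the probability that no program violates. */
double ps_system_complement(const double ps[], int n) {
    double none = 1.0;
    for (int i = 0; i < n; i++) none *= 1.0 - ps[i];
    return 1.0 - none;
}

/* Equation C: Ps(P|OS(n)|VMM(k)) = Ps(P|OS(n)) x Ps(OS|VMM(k)). The product form relies on
 * the OS and VMM security failures being independent, which Section III.3 argues for. */
double ps_layered(double ps_p_given_os_n, double ps_os_given_vmm_k) {
    return ps_p_given_os_n * ps_os_given_vmm_k;
}

/* Equation F for uniform per-program probabilities: overall Ps under a conventional OS(m)
 * versus under VMM/OS with OS(n) in each virtual machine and a VMM(k). */
void ps_overall(double ps_p_os_m, double ps_p_os_n, double ps_os_vmm_k,
                double *conventional, double *vmm) {
    double conv[NPROG], layered[NPROG];
    for (int i = 0; i < NPROG; i++) {
        conv[i] = ps_p_os_m;
        layered[i] = ps_layered(ps_p_os_n, ps_os_vmm_k);
    }
    *conventional = ps_system_complement(conv, NPROG);
    *vmm = ps_system_complement(layered, NPROG);
}

/* Assumed, illustrative inputs: m = 9 programs on one conventional OS; under VMM/OS each
 * OS runs n = 3 programs and the VMM supports k = 3 virtual machines (n, k < m). */
static const double PS_P_OS_9 = 0.05, PS_P_OS_3 = 0.02, PS_OS_VMM_3 = 0.01;

double example_conventional(void) { double c, v; ps_overall(PS_P_OS_9, PS_P_OS_3, PS_OS_VMM_3, &c, &v); return c; }
double example_vmm(void)          { double c, v; ps_overall(PS_P_OS_9, PS_P_OS_3, PS_OS_VMM_3, &c, &v); return v; }

int main(void) {
    double conv = example_conventional(), vmm = example_vmm();
    double sample[NPROG];
    for (int i = 0; i < NPROG; i++) sample[i] = PS_P_OS_9;
    printf("Equation E, both forms agree: %d\n",
           absd(ps_system_enumerated(sample, NPROG) - ps_system_complement(sample, NPROG)) < 1e-12);
    printf("Ps(P11..P33 | OS(9))          = %.4f\n", conv);
    printf("Ps(P11..P33 | OS(3) | VMM(3)) = %.4f\n", vmm);
    printf("ratio                         = %.1f\n", conv / vmm);
    return 0;
}
```

With these inputs the conventional system's overall violation probability is about 0.37 and the VMM/OS system's about 0.0018, a ratio of roughly 200; the point of the exercise is not the particular numbers but that the gap comes from multiplying two small layer probabilities per program before the complement product over all programs is taken.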
3. Redundant Security Mechanisms

If the individual operating systems, OS, and the virtual machine monitor, VMM, used identical security mechanisms and algorithms, then any user action that resulted in penetration of one could also penetrate the other. That is, first take control of the OS and then, using the same technique, take control of the VMM. This is logically analogous to placing one safe inside another safe - but having the same combination on both safes. To combat this danger, the OS and VMM must have redundant security based upon independent mechanisms. A similar approach has been taken in the PRIME modular computer system being constructed at the University of California, Berkeley. They use the term dynamic verification to mean "that every time a decision is made there is a consistency check performed on the decision using independent hardware and software" (Fabry(2)).

Table 1 illustrates redundant security mechanisms possible in a VMM/OS environment using the System/360-370 VM/370 and OS/360 systems as examples. Let us consider main memory security first. OS/360 uses the lock and key hardware to isolate one user's memory area from invalid access by another user's program. VM/370, on the other hand, uses the System/370 Dynamic Address Translation (DAT) hardware to provide a separate virtual memory (i.e., address space) for each virtual machine - independent of the locks and keys. Thus, a malicious user would have to overwhelm both the lock and key and the DAT mechanisms to violate the isolation security of another coexisting program on another virtual machine. The software algorithms, of course, that are used by OS/360 and VM/370 for memory security are quite different since the mechanisms that are used are so different. Thus, it is highly unlikely that they would both be susceptible to the same penetration techniques.
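The invalid-address supervisor-call sabotage of Section III.1 and the lock-and-key/DAT redundancy just described can be shown together in a small simulation. The following C program is an added example written for this edition, not code from the paper or from OS/360 or VM/370; the page size, storage keys, address layout, sentinel values and the "what time is it?" call are constructed assumptions. It runs the sabotage against a guest OS that trusts the address parameter, shows that a hardened variant refuses it by checking the caller's storage key, and shows that even the successful sabotage cannot reach the memory of a second virtual machine because the VMM's address translation never maps it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of two independent protection layers: the guest OS's storage keys
 * (lock and key) and the VMM's address translation (DAT). Sizes and keys are assumptions. */

#define PAGE_SIZE      16
#define PHYS_PAGES     8
#define GUEST_PAGES    2            /* each VM sees guest page 0 (its OS) and page 1 (its user job) */
#define SUPERVISOR_KEY 0            /* key 0: the OS runs with key protection disabled */
#define OS_MARKER      0x4F534F4Bu  /* sentinel word stored at guest address 0 of each OS */

enum { OK = 0, E_DAT_FAULT = -1, E_KEY_FAULT = -2 };

static uint8_t phys_mem[PHYS_PAGES * PAGE_SIZE];

struct vm {
    int     dat[GUEST_PAGES];   /* VMM layer: guest page -> physical page */
    uint8_t key[GUEST_PAGES];   /* OS layer: storage key of each guest page */
};

static struct vm vm1, vm2;

/* VMM layer: resolve a guest word address. Anything outside this VM's own address
 * space is a DAT fault, whatever the guest OS intended. */
static int translate(const struct vm *vm, uint32_t gaddr, uint8_t **out) {
    uint32_t page = gaddr / PAGE_SIZE, off = gaddr % PAGE_SIZE;
    if (page >= GUEST_PAGES || off + sizeof(uint32_t) > PAGE_SIZE) return E_DAT_FAULT;
    *out = &phys_mem[vm->dat[page] * PAGE_SIZE + off];
    return OK;
}

/* Vulnerable "what time is it?" supervisor call, as in the text: the OS has protection
 * disabled and trusts that gaddr lies in the caller's data area. */
static int svc_time_vulnerable(const struct vm *vm, uint32_t gaddr, uint32_t now) {
    uint8_t *p;
    int rc = translate(vm, gaddr, &p);
    if (rc != OK) return rc;
    memcpy(p, &now, sizeof now);
    return OK;
}

/* Hardened variant: the OS applies its own lock-and-key rule to the parameter before
 * performing the privileged store. */
static int svc_time_hardened(const struct vm *vm, uint32_t gaddr, uint32_t now, uint8_t caller_key) {
    uint32_t page = gaddr / PAGE_SIZE;
    if (page >= GUEST_PAGES) return E_DAT_FAULT;
    if (caller_key != SUPERVISOR_KEY && vm->key[page] != caller_key) return E_KEY_FAULT;
    return svc_time_vulnerable(vm, gaddr, now);
}

static uint32_t read_word(const struct vm *vm, uint32_t gaddr) {
    uint8_t *p;
    uint32_t w = 0;
    if (translate(vm, gaddr, &p) == OK) memcpy(&w, p, sizeof w);
    return w;
}

/* Two virtual machines on disjoint physical pages; each OS marks its own page 0. */
static void setup(void) {
    uint32_t m = OS_MARKER;
    uint8_t *p;
    memset(phys_mem, 0, sizeof phys_mem);
    vm1 = (struct vm){ .dat = {0, 1}, .key = {SUPERVISOR_KEY, 1} };
    vm2 = (struct vm){ .dat = {2, 3}, .key = {SUPERVISOR_KEY, 2} };
    if (translate(&vm1, 0, &p) == OK) memcpy(p, &m, sizeof m);
    if (translate(&vm2, 0, &p) == OK) memcpy(p, &m, sizeof m);
}

/* Sabotage 1: the user job on vm1 (key 1) passes address 0, which is inside its own OS.
 * Returns 1 if the OS marker was destroyed, 0 if the store was refused. */
static int attack_own_os(int hardened) {
    setup();
    if (hardened) svc_time_hardened(&vm1, 0, 0x12345678u, 1);
    else          svc_time_vulnerable(&vm1, 0, 0x12345678u);
    return read_word(&vm1, 0) != OS_MARKER;
}

/* Sabotage 2: the same job passes the first address beyond its VM's address space,
 * trying to reach vm2. Returns the supervisor call's result code. */
static int attack_other_vm_rc(int hardened) {
    uint32_t gaddr = GUEST_PAGES * PAGE_SIZE;
    setup();
    return hardened ? svc_time_hardened(&vm1, gaddr, 0x12345678u, 1)
                    : svc_time_vulnerable(&vm1, gaddr, 0x12345678u);
}

/* Returns 1 if vm2's OS marker survives sabotage 2. */
static int other_vm_intact_after_attack(int hardened) {
    (void)attack_other_vm_rc(hardened);
    return read_word(&vm2, 0) == OS_MARKER;
}

int main(void) {
    printf("vulnerable SVC, own OS destroyed: %d\n", attack_own_os(0));
    printf("hardened SVC,   own OS destroyed: %d\n", attack_own_os(1));
    printf("vulnerable SVC, cross-VM rc: %d (DAT fault = %d)\n", attack_other_vm_rc(0), E_DAT_FAULT);
    printf("vm2 intact after cross-VM attempt: %d\n", other_vm_intact_after_attack(0));
    return 0;
}
```

The two layers fail in different ways (a key mismatch in the OS versus a translation fault in the VMM) and are enforced by different code on different data, which is the independence the text relies on: defeating the OS's parameter check still leaves the attacker confined to its own virtual machine's address space, so the worst outcome of sabotage 1 is the guest destroying itself, as in Section III.1.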
We find the same kind of redundant security in the area of secondary storage devices. OS/360, especially with the Resource Security System (RSS) option, provides an elaborate set of mechanisms to restrict access to data sets (files). Each storage volume has a recorded label that is read by OS/360 to verify that it is the correct volume (i.e., Automatic Volume Recognition, AVR). Furthermore, the specific data sets on the volume may be individually protected by means of password codes or, under RSS, user authorization restrictions. VM/370, on the other hand, may have the volumes assigned to the virtual machines by the computer operator or a directory on the basis of the physical storage device address being used. Once again, the logical mapping of OS/360 is independent of the physical mapping of VM/370.

Table 1. Examples of Redundant Security Mechanisms in a VMM/OS Environment

FUNCTION                      OS Mechanism (e.g., OS/360)             VMM Mechanism (e.g., VM/370)
Main Memory Security          Locks and Keys                          Dynamic Address Translation (DAT)
Storage Device Security       Volume Label Verification and           Device Address Mapping
                              Data Set Passwords
Process Allocation Security   Priority Interrupt (and, optionally,    Clock Comparator and Time-Slicing
                              Interval Timer)

These redundant security mechanisms can be found in many other areas. Although most existing VMM's were not designed specifically to provide such comprehensive isolation, they frequently include substantial redundant security mechanisms. In order to provide the needed isolation, future VMM's may be designed with increased redundant security.
IV. CONCLUSIONS

In this paper we have shown that the VMM/OS approach to information system isolation provides substantially better software security and reliability than a conventional multiprogramming OS approach. This added protection is obtained through the use of redundant security mechanisms inherent in the design of most VMM/OS systems.
REFERENCES

1. Buzen, J. P., Peter P. Chen, and Robert P. Goldberg, "Virtual Machine Techniques for Improving System Reliability", Proceedings of the ACM Workshop on Virtual Computer Systems, (March 26-27, 1973).
2. Fabry, R. S., "Dynamic Verification of Operating System Decisions", submitted for publication in the Communications of the ACM, (February 23, 1972).
3. Goldberg, R. P., "Virtual Machines: Semantics and Examples", Proceedings of the IEEE Computer Society Conference, (September 1971), 141-142.
4. Goldberg, R. P., Architectural Principles for Virtual Computer Systems, PhD dissertation, Harvard University, (November 1972).
5. Madnick, S. E., "Time-Sharing Systems: Virtual Machine Concept vs Conventional Approach", Modern Data 2, 3 (March 1969), 34-36.
6. Parmelee, R. P., T. I. Peterson, C. C. Tillman, and D. J. Hatfield, "Virtual Storage and Virtual Machine Concepts", IBM Systems Journal 11, 2 (1972), 99-130.