My undergraduate thesis on a capability-based security system for a data-centric operating system.

sec cts

+19 -18
4-secctx.typ
··· 2 2 3 3 #mol-chapter("Security Contexts") 4 4 5 - Security Contexts are objects that threads attach to in-order to inherit the 6 - permissions inside the context. The contexts store capabilities, allowing for userspace 7 - programs to add capabilities to contexts, and kernel space to efficiently search 8 - through them to determine whether a process has the permissions to perform a memory access. 5 + Security Contexts are objects that threads attach to in-order to inherit access 6 + rights, represented as capabilities, inside the context. Additionally, a thread 7 + can attach to multiple security contexts, but can only utilize the permissions 8 + granted by one unless they switch @twizzler. The contexts store capabilities, 9 + allowing for userspace programs to add capabilities to contexts, and kernel 10 + space to efficiently search through them to determine whether a process has the 11 + permissions to perform a memory access. 9 12 10 13 == Base 11 14 ··· 24 27 ``` 25 28 26 29 === Map 27 - The map holds positions to Capabilities relevant to some target object, which 28 - the relevant security context implementations for kernel and userspace to 29 - parse security context objects. Implicitly, the kernel uses 30 - this map for lookup while the user interacts with this map to indicate the insertion, removal, or modification of 31 - a capability. The `Map` type here and for `masks` is a flat data-structure, and stores 32 - offsets into the object where capabilities can be found for a target object. 30 + The map contains positions of capabilities related to a target object, enabling 31 + kernel and userspace to look for capabilities inside security contexts. 32 + Implicitly, the kernel uses this map for lookup while the user interacts with 33 + this map to indicate the insertion, removal, or modification of a capability. 
34 + The `Map` type here and for `masks` is a flat data-structure, and stores offsets 35 + into the object where capabilities can be found for a target object. 33 36 34 37 35 38 === Masks 36 - Masks act as a restraint on the permissions this context can provide for some targeted object. 39 + Masks act as a restraint on the permissions a context can provide for some target object. 37 40 This allows for more expressive security policy, such as being able to quickly restrict 38 41 permissions for an object, without having to remove a capability and recreating one with the 39 42 dersired restricted permissions. ··· 55 58 56 59 All enforcement happens inside the kernel, which has a seperate view into Security Contexts 57 60 than userspace. The kernel keeps track of all security contexts that threads in Twizzler 58 - attach to, instantiating a cache inside each one. Additionally, a thread can attach 59 - to multiple security contexts, but can only utilize the permissions granted by one unless 60 - they switch @twizzler. To manage these threads, the kernel assigns a Security Context Manager, 61 + attach to, instantiating a cache in each one. To manage these threads, the kernel assigns a Security Context Manager, 61 62 which holds onto security context references that a thread has. 62 63 63 64 There exists only 1 point of enforcement for security policy if we wish 64 65 to keep the kernel out of the access path; the creation of the path itself! 65 - On page fault, the point in which a process requests the kernel to map an object in is 66 + On page fault, the point in which a process requests the kernel to map in an object, is 66 67 when we have access to the security policy we seek to enforce (the signed capabilities inside the security context), the 67 68 target object, and most importantly, kernel execution! 
Its the only time 68 - we can program the mmu according to the desired protections, and transfer control 69 + we can program the MMU according to the desired protections, and transfer control 69 70 of enforcement to the hardware @twizzler. 70 71 71 72 Upon page fault, the kernel inspects the target object and identifies the 72 73 default permissions of that object. Then the kernel checks if the currently active 73 74 security context for the accessing thread has either cached or capabilities that provide 74 - permissions. If default permissions + the active context permissions arent enough to 75 - permit the access, the kernel then checks each of the inactive contexts to see if they 75 + permissions. If default permissions plus the active context permissions arent enough to 76 + permit the access and the security context isn't a jail, the kernel then checks each of the inactive contexts to see if they 76 77 have any relevant permissions. If there exists such permissions, then the kernel will 77 78 switch the active context of that process to the previously inactive context where the permission 78 79 was found. If it fails all of these, then the kernel terminates the process, citing inadequate
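Review bot: "in-order" on the first added line of the Security Contexts hunk should be "in order" (no hyphen); the hyphenated form is carried over from the removed text, so this edit is the place to fix it. The relocated sentence ("Additionally, a thread can attach to multiple security contexts, but can only utilize the permissions granted by one unless they switch @twizzler.") fits better in the introduction than in the enforcement section, but "they" should agree with "a thread": "unless it switches".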
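Review bot: in the Map hunk, "stores offsets into the object where capabilities can be found for a target object" uses "the object" and "a target object" in one sentence, and it is not obvious that the first means the security context object itself; suggest "stores offsets into the security context object at which capabilities for a target object can be found". "flat data-structure" should be "flat data structure". The new opening sentence ("enabling kernel and userspace to look for capabilities inside security contexts") also drops the old text's mention of separate kernel and userspace implementations that parse the context object; since the enforcement section still says the kernel "has a seperate view into Security Contexts than userspace", consider keeping that distinction here.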
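Review bot: the Masks hunk changes only "this context" to "a context" and leaves "dersired restricted permissions" in its trailing unchanged line; fix the typo to "desired" while this paragraph is being touched.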
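Review bot: "seperate view" in the leading unchanged line of the enforcement hunk should be "separate view". Removing the "attach to multiple security contexts" sentence here is consistent with its insertion in the introduction, so nothing is lost, but the surviving sentence "To manage these threads, the kernel assigns a Security Context Manager" now directly follows "instantiating a cache in each one", and "these threads" has no close antecedent; consider "To manage a thread's attachments, the kernel assigns a Security Context Manager".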
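Review bot: the rewritten line "On page fault, the point in which a process requests the kernel to map in an object, is when we have access ..." still has a dangling construction: with "the point ..." set off by commas, the sentence reads "On page fault ... is when". Suggest "A page fault, the point at which a process requests that the kernel map in an object, is when we have access to the security policy ...". "Its the only time" in the following unchanged line should be "It's the only time". Capitalizing MMU is correct.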
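Review bot: the new jail condition in the last hunk ("and the security context isn't a jail") introduces "jail" without a definition or citation anywhere in the visible hunks; either define the term here or reference the section that does. The outcome for the jail case should also be stated explicitly: as written, a jailed context skips the inactive-context search and falls through to "If it fails all of these, then the kernel terminates the process", which the reader has to infer. Write "the active security context" rather than "the security context", since the same sentence refers to both active and inactive contexts. "arent" on the same added line should be "aren't", and "has either cached or capabilities that provide permissions" in the preceding unchanged line is missing a word (for example "either cached permissions or capabilities that provide them").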
thesis.pdf

This is a binary file and will not be displayed.