Partitions and Principles for Secure Operating Systems - Report Example

The paper discusses modern operating systems in the light of system administration activities to determine that whether the need to write scripts to assist in administering or investigating computer systems has been significantly reduced or even eliminated with the improvements made in the tools provided with or available for modern operating systems. 1. Modern Operating Systems Modern Operating System is collection of synergistic components working together for making the computer productive and accessible to its user. The software component of the operating system (OS) basically controls, operates and supports the prime resources of the computer system such as the CPU and peripheral hardware application programs, network services, short-term program, time required for program execution, data storage for use during program execution and overall access to the system. In other words, the operating system serves as an intermediary component between the user and the application-programs as well as between the application-programs and the hardware of the computer system. Thus, being an intermediary between the users of computer applications and the resources of the computer systems, the OS offers the following three fundamental services to the users: 1. Accepts user requests and processes them from the user’s program-applications and generates or displays the desired output results. 2. Loads, manages, as well as executes programs. 3. Manages the computer hardware resources such as the interfaces to networks and to other peripheral components of the computer system. The figure 1 given below schematically shows the correlation that exists among the various components of a computer system. Figure 1: The relationship of the Modern Operation System to other integrated components of the computer system. Operating System also provides information and tools for the user/administrator for the purpose of tailoring, controlling and tuning the system so as to achieve optimum performance. An OS comprises of the following ten fundamental building blocks, not all operating systems necessarily include all of these components: ¦ The Command Processor, User Interface (UI) and Application Program Interface (API) ¦ The I/O Control System ¦ The File Management System (FMS) ¦ Memory Management ¦ Process Control Management and Inter-process Communication ¦ Scheduling and Dispatching ¦ Communication Support, Network Management, and Communication Interfaces ¦ Secondary Storage Management ¦ Support for System Administration ¦ System Protection Management and Security Some OS also offer a program called system manager that is also commonly referred as a monitor or supervisor that not only deals with the competing requests or conflicts but also serves as a general controller and arbiter for the overall computer system. Although some other system functions are oftentimes handled as separate blocks, such as the accounting and error handling, however they are more likely to appear under the blocks already listed. Many modern operating systems offer some features that combine computer commands into pseudo-programs that are known as shell scripts. Moreover, the batch-oriented systems possibly combine the individual commands into a set of control statements that are to be executed and interpreted without user intervention one at a time for the purpose of controlling the process of a multi-step ‘‘task.’’ Every step in the task executes an individual job. As for instance, on large IBM systems, the sequence of commands employed for this purpose, developed a language called Job Control Language (JCL). Furthermore to the standard OS commands, the shell scripting languages are conventionally used for providing branch and loop commands as well as for providing other features of the computer language. Shell scripts are used as if they were actual programs. It provides the following common features: ¦ A way to redirect input/output data to a device that is different from the one used normally such as a disk file rather than the screen. ¦ A means for combining the commands with the help of a technique known as piping in order to automatically use the output from one command as the input for another command. ¦ A way to offer additional parameters to the script to be provided by the user during the time of the program execution. The command languages that are more sophisticated offer larger command sets accompanied by more extensive and profound set of options as well as by some more extensive control structures enabling the shell scripts to be developed with more flexibility not only in terms of the design but also in relation to run-time execution. Even some of the command languages have the capability of providing some special strong commands that can minimize the normal programming effort. In this context, the UNIX and Linux operating systems are specifically notable, which offer the commands that can select, search, sort, edit, process and enumerate data from files in a manner that challenges many programming languages. The Windows scripts in their simplest form are based on a set of commands that derived from MS-DOS. Such forms of scripts are commonly referred as .BAT files. Previous versions of the Operating System Windows also offer a very profound scripting facility that is known as Windows PowerShell. The foundation of the Windows PowerShell has been laid on an object-oriented language that is quite close to C# and it has the ability to manipulate not only text but also graphical objects. Many scripting languages are there which have been developed in order to work independently of the specific OS in use, out which the most famous are: perl, PHP, python, JavaScript and Ruby. The power and flexibility of the OS can be extended through the command and scripting languages. Moreover, for the less sophisticated users, the command and scripting languages also simplify the use of the computer system. 2. System Administration Support The person who has the obligation to maintain the computer system(s) is referred as the system administrator, also known as sysadmin for short. The system administrator, in a large organization, may look after a wide number of computer systems that include the systems of the employees. In general, the system administrator manages the following most important administrative tasks: ¦ Configuring computer systems and setting up the group configuration policies ¦ Creating, modifying and controlling user privileges in accordance to the changing requirements of the users ¦ Adding and deleting users ¦ Mounting, un-mounting and managing file systems ¦ Establishing and monitoring appropriate security ¦ Managing, maintaining, and upgrading computer networks ¦ Providing, installing, upgrading and controlling software as per the requirements ¦ Recovering lost data ¦ Ensuring secure and reliable backups ¦ Tuning the computer system in order to attain optimum availability and performance ¦ Patching and upgrading the OS as well as the other system software ¦ Monitoring system performance ¦ Recommending system upgrades and modifications when required to fulfill the demands of the user Other important tasks along with the ones mentioned above must be employed not only on the central server systems but also on the client machines and other computer systems on the network in order to ensure coordination and maintenance of a reliable and effective system. These tasks are simplified through the software provided by the modern operating systems. The user is usually the system administrator as well in case of small personal computers. Thus, in such systems, the most vital administrative tasks for the user include the installation and up-gradation of the software, the reconfiguration of the computer system on timely basis, the maintenance of the network connections when needed, disk maintenance and disk defragmentation as well as to perform regular file backup. Simple tools are sufficient for such a type of user administration. In fact, the objective of a desktop OS might be to hide or protect the more sophisticated tools from the conventional user. As for instance, the OS of Windows maintains the system configuration within a registry which is under normal circumstances kept hidden from the user, and the Windows provides a range of simple tools particularly to perform maintenance tasks and to modify the system according to the user preferences. The operating system of Windows provides default configuration parameters for performing numerous tasks in accordance to the requirements of most users, along with the tools for modifying or customizing the parameters to fulfill the requirements of a given user. The simplest tools sufficiently enable most of the users to achieve routine system administration. Advance users can even manipulate the system registry directly, if required. Central administration tools, in computer systems connected to a larger network within an organization, enable the application of group policies and the configuration to individual systems without the involvement of the user. However, the administration in larger networks is much more important and intricate. The management of hardware and software is far more extensive, and there are many users that require the accounts and services. It is quite common to install new equipments on large networks and sometimes the systems or the network itself need to be reconfigured so as to use the newly installed equipments. This process is referred as system generation or sysgen (IBM). Sysgen is one of the most crucial tasks of system administration on large computer networks. Modern operating systems offers software to simplify the common tasks related to system administration whereas the operating systems of large mainframe systems offers tools to perform all the requirements or tasks of system administration. Furthermore, these operating systems also offer tools that enable the system administrator to modify the machine for the purpose of optimizing its performance, as for instance, for optimizing the throughput or for better utilization of the system resources. For doing this, the system parameters are modified and specific algorithms are selected for scheduling and memory management tasks. The various parameters for adjusting different systems include: user disk space allocation, the amount of memory allocated to a given program, the assignments of files to different disks, priorities, the maximum number of programs to be run concurrently, as well as the scheduling method used by the systems. The IBM z/OS provides a Workload Manager as well, which endeavors for optimizing system resources automatically without requiring any intervention from the system administrator. As for instance, on a traditional UNIX/Linux system, the system administrator is able to log in to the system as a super-user by having the privileges overriding all the security measures and the restrictions employed into the system. The system administrator as a super-user enjoys the liberty to modify any file in the system. Nevertheless, the new security techniques stated above might make it very hard to override the security and thus, prevents a system from an attack by the hacker who infiltrates to the kernel. Also, the UNIX operating system importantly offers tools for simplifying the system administration tasks, which take the form of commands to be performed by the super-user only and the text-based configuration files to be modified through any text editor. As for instance, the UNIX/Linux operating systems conventionally include a menu-driven or graphical adduser program, in order to administer the accounts of the users, offering a simple procedure to execute all the tasks related to adding a new user in to the network such as creating the user ID and user name, making entries to the relevant user and group tables, assigning login shells, setting up the home directory of the user, and creating user initialization files in relation to the specific terminal hardware of the user, prompt preferences, etc. 3. SYSTEM GENERATION An extremely crucial system administration task is to set up an operating system that has been customized to fulfill the specific requirements of a certain installation. This process of developing an operating system is known as system generation or, in short, sysgen. The outcome of a system generation matches the OS to the features and attributes of the given hardware and includes the features and performance choices of the desired OS. The following two fundamental approaches are used to customize the operating system as per the requirements: ¦ Choose the program modules of OS to be installed. Conventionally, an operating system offers a wide range of modules that might be employed under different scenarios. Only those modules are selected that are appropriate for the installation, for instance: a certain installation with customized selection of input/output devices. The customized operating system will include only those device drivers that are either necessary or best suited for the installed input/output devices. ¦ Assign values to parameters of the operating system. The details of an installation are provided through the parameters, for instance: the devices on a Windows-based PC system are assigned to particular numbered interrupt channels that are called IRQs; memory locations are also specified for each device interrupt driver. Parameter sometimes might be employed for determining whether a module is loaded on demand or is memory resident. Many large networks or systems also include parameters customizing the system scheduling process and adjusting the performance of other resource control modules. The system administrator should be able to determine such parameters along with the remaining others in order to fulfill the requirements of the specific installation. Some systems offer a lot of flexibility, along with other options whereas some other systems may offer just a minimal amount of selection, in fact, nothing more than a selection of input/output device drivers. The operating system includes the method for executing the ‘system generation’ process. Some systems offer the modules of the OS in the form of a source code. The loadable binary OS can be developed by selecting the modules and parameters and by assembling and linking to the operating system. A barebones OS that includes suitable compilation tools may be offered for allowing the ‘system generation’ process to carry out on the target system or the sysgen process may be performed on a different machine. Some OS employ an installation program for determining which modules should be incorporated in the OS system, and the parameters are chosen during the installation. The various modules on such systems are already included in binary form and require only to be linked during the ‘system generation’ process. The ‘system generation’ process on many systems is included as a set of menu selections and parameter entry forms for helping the user throughout the execution of the process while the ‘system generation’ process on some systems entered in the form of a script or batch file. Many systems also provide some level of dynamic configuration that allows modifying the system without rebuilding it completely. For this purpose, Linux configuration script files can be used. 4. Conclusion This paper discussed various essential system administration tasks offered by different operating systems and concludes that with the improvements in the tools available in modern operating systems, the need to write scripts for supporting the administration or investigation of computer systems has been reduced or even eliminated to a great extent. References Andrews, R.G. (1975) Partitions and principles for secure operating systems. Technical report, Cornell University, Ithaca, NY, USA. Bell, E.D. and LaPadula, J.L. (1973) Secure computer systems: Mathematical foundations and model. Technical Report M74-244, The MITRE Corp., Bedford MA. Biba, K. (1977) Integrity considerations for secure computer systems. Technical Report TR-3153, Mitre, Bedford, MA. Bittau, A . et al. (2008) Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, USENIX Association. Branstad, M. and Landauer, J. (1989) Assurance for the Trusted Mach operating system. Proceedings of the Fourth Annual Conference on Computer Assurance. Denning, J.P. (1976) Fault tolerant operating systems. ACM Computing Surveys. Efstathopoulos, P. et al. (2005) Labels and event processes in the asbestos operating system. SIGOPS Oper. Syst. Rev. Fabry, S.R. (1973) The case for capability based computers (extended abstract). In SOSP '73: Proceedings of the fourth ACM Symposium on Operating System Principles, page 120, New York, NY, USA. Fetzer, C. (2008) Switchblade: enforcing dynamic personalized system call models. In Eurosys '08: Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems, New York, NY, USA. Ford Aerospace and Communications Corporation (1978) Secure Minicomputer Operating System (KSOS) Executive Summary: Phase I: Design of the Department of Defense Kernelized Secure Operating System. Technical report, 3939 Fabian Way, Palo Alto, CA 94303. Hardy, N (1985) Keykos architecture. SIGOPS Operating Systems Review, 19(4):8. Lampson, W.B. (1974). Protection. SIGOPS Operating Systems Review, 8(1):18. Necula, C.G. and Lee, P (1996) Safe kernel extensions without run-time checking. In OSDI '96: Proceedings of the second USENIX symposium on Operating Systems Design and Implementation, New York, NY, USA. Read More