Implementation of the Reference Monitor

If both a Table of Contents and Search form are not displayed in separate frames along with this one, you may wish to redisplay this book in a frameset, beginning with the first page.

HP OpenVMS Guide to System Security

Security Overview

OpenVMS Security Model

Structure of a Secure Operating System

Summary: System Security Design

Implementation ofthe Reference Monitor

While the OpenVMS operating system does not implement thereference monitor as a security-related subset, or security kernel,its interface to users and system managers does mirror the basicstructure dictated by the reference monitor concept. Experienceshows that incorporating such a structure is the best way to builda system resistant to probing and to most attempts at penetration.

The following sections describe the OpenVMS operating system'simplementation of the reference monitor model.

Subjects

Subjects are the users or user agents (the user processes)that access information and, in some cases, may be prevented fromaccessing information. Subjects can be interactive processes, networkprocesses, or batch jobs, and:

Must pass security controls
During process creation

During information access

Require identification
User names

Passwords

User identification codes

Rights identifiers

When a user logs in to use the operating system interactivelyor when a batch or network job starts, the operating system createsa process that includes the identity of the user. That process gainsaccess to information as the agent for the user, as described in Protecting Data.

Processes are vulnerable to security breaches while they arebeing created and while they are accessing information. The systemmanages process access to information by using its authorizationdata and internal mechanisms, such as hardware controls. Becauseprocess creation has many areas of security vulnerability, manyoperating security features concentrate on the area of process (orsubject) creation.

When a user attempts to log in to a system, the user providesa username (a name that will be given to the resulting process)and a password. The password servesas an authenticator that should be known only to the user and tothe operating system.

Because a short or obvious password is likely to fail thisrequirement, the system incorporates many password protection mechanismsthat can be invoked by the user or required by the security administrator (see Managing System Access). The operating systemis also capable of limiting the number of attempts that an intrudercan make to guess a password.

The file of users' passwords is part of the security databasethat must be protected from unauthorized observation and modification.The system meets this requirement by storing the passwords in afile protected from general access, the system user authorizationfile (SYSUAF.DAT). The system takesthe additional precaution of storing passwords inan encoded form that is hard to use if stolen.

Once the operating system creates a process for a user, itassigns a user identification code or UIC from theuser authorization record to that process. The UICcorresponds to the name of the user who created the process (asauthenticated by the user's password). In addition, the UIC indicatesthe user's membership in a group that can correspond to the user'sdepartment, project, or function. The system can also attach additionalinformation to the process regarding the creation of the processand the affiliation of the process owner with other groups. Thisadditional information plays a part in the application of the authorization database.(Both Protecting Data and Controlling Access to System Data and Resources discuss UICs.)

Objects

In the reference monitor concept, objects are passive repositoriesof information. In the OpenVMS system, there are many objects, suchas files and devices, that are subject to protection, as describedin Objects Protected by Security Controls. The operatingsystem protects objects from unauthorized access and provides avariety of mechanisms (described in Protecting Data and Descriptions of Object Classes )for sharing them in a controlled manner. These mechanisms are alsoused to control access to system resources.

Table 1 Objects Protected by Security Controls
Class Name Definition

Capability
A resource to which thesystem controls access; currently, the only defined capability isthe vector processor.

Common eventflag cluster
A set of 32 event flagsthat enable cooperating processes to post event notifications toeach other.

Device
A class of peripherals connectedto a processor that are capable of receiving, storing, or transmittingdata.

File
Files-11 On-Disk StructureLevel 2 or 5 (ODS-2 or ODS-5) files and directories.

Group globalsection
A shareable memory sectionpotentially available to all processes in the same group.

Logical nametable
A shareable table of logicalnames and their equivalence names for the system or a particulargroup.

Queue
A set of jobs to be processedin a batch, terminal, server, or print job queue.

Resource domain
A namespace controllingaccess to the lock manager's resources.

Security class
A data structure containingthe elements and management routines for all members of the securityclass.

System globalsection
A shareable memory sectionpotentially available to all processes in the system.

Volume
A mass storage medium, such as a diskor tape, that is in ODS-2 or ODS-5 format. Volumes contain filesand may be mounted on devices.

**Table 1** **Objects Protected by Security Controls**
Class Name	Definition
Capability	A resource to which thesystem controls access; currently, the only defined capability isthe vector processor.
Common eventflag cluster	A set of 32 event flagsthat enable cooperating processes to post event notifications toeach other.
Device	A class of peripherals connectedto a processor that are capable of receiving, storing, or transmittingdata.
File	Files-11 On-Disk StructureLevel 2 or 5 (ODS-2 or ODS-5) files and directories.
Group globalsection	A shareable memory sectionpotentially available to all processes in the same group.
Logical nametable	A shareable table of logicalnames and their equivalence names for the system or a particulargroup.
Queue	A set of jobs to be processedin a batch, terminal, server, or print job queue.
Resource domain	A namespace controllingaccess to the lock manager's resources.
Security class	A data structure containingthe elements and management routines for all members of the securityclass.
System globalsection	A shareable memory sectionpotentially available to all processes in the system.
Volume	A mass storage medium, such as a diskor tape, that is in ODS-2 or ODS-5 format. Volumes contain filesand may be mounted on devices.

Authorization Database

According to the reference monitor model, each subject's authorizationto gain access to an object is based on an abstract authorizationdatabase. This database is a set of dynamic security attributesthat govern a subject's access to an object at any given time. Inthe OpenVMS system, the database is distributed and stored in associationwith the objects that must be protected. For example, the authorizationdata for a file or directory is stored in the file header for thatfile or directory. The following table summarizes the information storedin the authorization database.

File Contents Data Used to Interpret

#SYSUAF.DAT
User names
Logins

Passwords
Logins

UICs
Access control checks

#NETPROXY.DAT
User names
Logins

#NET$PROXY.DAT
User names
Logins

#RIGHTSLIST.DAT
Rights identifiers
Access control checks

#VMS$OBJECTS.DAT
UICs
Access control checks

Protectioncodes
Access control checks

Access controllists
Access control checks

#VMS$AUDIT_ #SERVER.DAT
Auditable events
Reporting of events

File	Contents	Data Used to Interpret
#SYSUAF.DAT	User names	Logins
	Passwords	Logins
	UICs	Access control checks
#NETPROXY.DAT	User names	Logins
#NET$PROXY.DAT	User names	Logins
#RIGHTSLIST.DAT	Rights identifiers	Access control checks
#VMS$OBJECTS.DAT	UICs	Access control checks
	Protectioncodes	Access control checks
	Access controllists	Access control checks
#VMS$AUDIT_ #SERVER.DAT	Auditable events	Reporting of events

As Objects suggests,different objects in the OpenVMS system can be shared with differinglevels of flexibility. Protected objects are subject to a protectioncode. This code specifieswhether access is allowed or denied to processes run on behalf ofsystem users, the user who is owner of the object, other membersof the UIC group of the owner, and all other users.

In addition to the protection code, objects can be sharedunder control of access control lists (ACLs).ACLs provide a finer granularity of access control than UIC-basedprotection, especially for user groups or subsets of groups. ACLslist individual users or groups of users who are to be allowed ordenied particular types of access to the object. ACLs specify sharingon the basis of UIC identification as well as other groupings or identifiers thatcan be associated with a process. For example, it is possible tospecify that a file should never be read by a process connectedto a terminal on a dialup line. Authorization Database Represented as an Access Matrix uses an access matrix to explain the conceptof an ACL. Controlling Access with ACLs givesa general discussion of ACLs and identifiers, and Controlling Access to System Data and Resources explains how you, as security administrators,can create identifiers and construct ACLs for system resources.

Audit Trail

All security-relevant events can be recorded in an audit logfile, sent to an operator terminal, or both. A terminal can be designatedas a security operator terminal where all auditable events can bedisplayed. An audit log file provides a permanent record of securityevents. Many times a security administrator can find a pattern ofactivity, called an audit trail, by studying the log file.

The operating system audits the classes of security eventsshown in Security Auditing Overview by default.You can select other events for auditing, such as volume mountsor changes to system time.

Table 2 Security Auditing Overview
Destination Events Audited by Default

Log file orterminal display
Authorization database changes

Intrusion attempts

Login failures

Use of DCL command SET AUDIT

Events triggered by Audit or Alarm ACEs

**Table 2** **Security Auditing Overview**
Destination	Events Audited by Default
Log file orterminal display	Authorization database changes
	Intrusion attempts
	Login failures
	Use of DCL command SET AUDIT
	Events triggered by Audit or Alarm ACEs

The audit log allows users and security administrators torecord many events. Because it is time-consuming to examine everyevent, it is most efficient to audit events that will contributethe most information to your security picture. See Security Auditing for a description of securityauditing.

Reference Monitor

In the OpenVMS operating system, the executive performs therole of the reference monitor. All system programs that run in kerneland executive mode help implement the reference monitor, as do thecommand line interpreter and certain user-mode images that run withprivilege. While the volume of code comprising the executive islarge, HP attempts to ensure that none of the code can be used tobypass system security.

Some privileges can grant a user the authority to modify orsubvert the reference monitor. For example, a process with the CMKRNLprivilege can execute code of its own within the system kernel,gaining access to the reference monitor's internal data and theinternal representation of protected objects. Clearly, granting suchcritical privileges should be severely limited.

Similarly, give privileges such as SYSPRV and SECURITY onlyto users whose processes help maintain the reference monitor andauthorization database.

Authorization Database Represented as anAccess Matrix

The reference monitor model specifies an authorization database,which describes all access authorizations in the system for allsubjects and all objects. This database is often represented asan access matrix, which lists subjects onone axis and objects on the other (see Authorization Access Matrix). Each crosspoint in the matrix thus representsthe access that one subject has to one object.

Figure 2 Authorization Access Matrix
tbs

In this access matrix, an asterisk (*) denotes that the subjecthas access to that object. (Different types of access, such as readand write, are omitted from this example for simplicity.) Thus,subjects B, C, and D all have access to objects W, X, and Y. Inaddition, subject A has access to objects W and Z, subject D toobject V, and subject E to object V.

Breaking up the access matrix by rows yields a capability-basedmodel, inwhich each subject carries a list of the objects that it can access.Thus, a capability representation of this access matrix would appearas follows:

A: W, Z B: W, X, Y C: W, X, Y D: V, W, X, Y E: V

It is also possible to break up the access matrix by columns,listing for each object the subjects that have access to it. Thisresults in an authority-based model, implemented in the OpenVMSsystem by ACLs (see Protecting Data). The ACL representationappears as follows:

V: D, E W: A, B, C, D X: B, C, D Y: B, C, D Z: A

The ACL and identifier controls used by the operating systemcombine the properties of both the capability- and authority-basedsystems. In OpenVMS systems, both subjects and objects carry identifiers.Subjects can access objects if they have matching identifiers andif the objects' access statements grant the requested access.

The result of combining properties of the capability- andauthority-based systems is an extremely powerful and flexible systemcapable of representing complex access matrixes in a compact andconvenient manner. Consider what happens to the previous exampleof an access matrix when some of the cross-points have labels, asshown in Authorization Access Matrix with Labeled Cross-Points.

Figure 3 Authorization Access Matrix with LabeledCross-Points
tbs

Some labeled cross-points can be grouped and treated as asingle entity. Thus, the points that are labeled Q in Authorization Access Matrix with Labeled Cross-Points represent the accessthat subjects B, C, and D have to objects W, X, and Y. All the Qpoints can be considered as a single area of interest. The systemprovides the concept of identifiers to take practical advantageof this grouping of areas of interest.

You can define identifiers to represent the two groups ofaccess, P and Q, in Authorization Access Matrix with Labeled Cross-Points. Note that two of the cross-points in the matrix remainunlabeled. Identifiers can also represent individual subjects andthus allow the traditional ACL facility.

To represent the access matrix, the OpenVMS operating systemuses two structures, one for each dimension:

The rights list (RIGHTSLIST.DAT) representsthe rows of the access matrix and thus corresponds to the capability-basedmodel. For the matrix in Authorization Access Matrix with Labeled Cross-Points, you would need the following rights list:

B: Q C: Q D: P, Q E: P

ACLs for the protected objects represent the columnsof the access matrix. For this example, you would need the followingACLs:

V: P W: A, Q X: Q Y: Q Z: A

Note that the system structures required to represent theaccess matrix are simpler than either the traditional capability-or authority-based model and require fewer terms in total. In theexample, the difference is slight. However, complexity of the accessmatrix increases with the square of its size.

Structure of a Secure Operating System

Summary: System Security Design