A Framework for Measuring Hardening Capabilities of an Operating System

dc.contributor.author: Agrawal, Yugma Kumar
dc.contributor.supervisor: Singh, Maninder
dc.date.accessioned: 2007-06-05T07:21:48Z
dc.date.available: 2007-06-05T07:21:48Z
dc.date.issued: 2007-06-05T07:21:48Z
dc.description: ME Thesis (Software Engineering) (en)
dc.description.abstract: Today, computers are used in all walks of life: they are in homes and in various critical domains such as defense, education, finance, government, health care, and so on. This reliance of the world's infrastructure on computer systems, and the consequent pervasiveness of the latter, makes their "security" an issue of great importance. Communication networks are used to transfer valuable and confidential information for a variety of purposes. As a consequence, they also attract the attention of people who intend to steal or misuse the information, or to destroy the systems storing and communicating it. Attackers break into a system by exploiting its weaknesses. These weaknesses may come from programming flaws or insecure configuration of the application programs or operating system. As the operating system is an essential part of any information system, any vulnerability in it can make the whole system vulnerable. Most popular operating systems in use today were designed with some Information Assurance in mind. Many of them have sufficient security features and capabilities. However, their default configuration is wide open, with most security features not enabled when installed in operational environments. This leaves the applications and networks using these operating systems exposed to attacks by computer hackers and to unauthorized access to their resources. Proper configuration of the security features eliminates the basic vulnerabilities of the operating system and makes the whole information system more secure. The idea of operating system hardening is to minimize a computer's exposure to current and future threats by configuring the security features of the operating system and removing unnecessary applications. Hardening of an operating system involves the removal of all non-essential tools, utilities and other systems administration options, any of which could be used to ease a hacker's path to the systems.
It also involves implementing the latest operating system patches and updates from the vendors. Following this, the hardening process will ensure that all appropriate security features are activated and configured correctly. Countermeasures like firewalls or anti-anything (antivirus, anti-spam, anti-spyware, etc.) are all reactive security tools. They are necessary countermeasures and a part of a comprehensive security system, but proactive actions, such as daily vigilance and operating system hardening, ensure the highest level of network security. By hardening operating systems, security risks are significantly reduced, in turn reducing the inconvenience and cost involved in downtime and system rebuilds, and also damage to the organization's reputation. Different operating systems have different security features and thus different hardening capabilities. As the operating system represents the core of an information system, it must be selected such that it fulfils the security requirements of the whole information system. Thus, in the selection of the operating system, the hardening capability present in it plays a crucial role. As there is a large number of security features present in various operating systems, it will be quite difficult for an administrator to measure the hardening capability of the operating system qualitatively. Hence a method of quantitatively measuring the hardening capability of the operating system will be quite helpful in the proper selection of the operating system. This work presents a scoring scheme to systematically quantify the hardening capability present in an operating system. The scoring is based on a list of proposed security features for an operating system. The existence and appropriate setting of the security features increases the robustness of the operating system.
All the security features are grouped into seven categories: Authentication, Network Access and Communication, System Right and Access Controls, Services, Data Access and File System, Patch Management, and System Auditing. Each security feature is given a severity score by considering how much damage to the system can be prevented if that security feature is present in the operating system. A missing security feature provides the attacker an opportunity to violate the security of the system. This violation can be classified into four types: confidentiality violation, integrity violation, availability violation, and system compromised. The hardening capability of an operating system is calculated according to the presence or absence of each security feature in the operating system. Scoring is done for each of the seven security hardening feature categories. If the security feature is present in the operating system, then its score is added to the score of its category; otherwise it is subtracted. To provide a concise view of the hardening capability, an overall hardening capability score is also calculated. For calculating the hardening capability score, the security hardening features in the operating system are matched with the proposed security hardening features. Matching the natural language specification of the security features can result in incorrect matching due to the inherent ambiguity in natural language specification. To facilitate a high-assurance hardening capability score, the proposed and the operating system's security hardening features are formally specified. A formal specification enables security features to be described clearly and precisely. It could also benefit the automated calculation of the hardening capability score from formal specifications. The Windows 2000 Professional and Windows XP SP2 operating systems, due to their large deployment, are used to build a hardening capability profile to exemplify the scheme's usefulness. (en)
dc.format.extent: 1055720 bytes
dc.format.mimetype: application/pdf
dc.identifier.uri: http://hdl.handle.net/123456789/362
dc.language.iso: en (en)
dc.subject: Network Security (en)
dc.subject: Operating System Hardening (en)
dc.title: A Framework for Measuring Hardening Capabilities of an Operating System (en)
dc.type: Thesis (en)

Files

Original bundle

Name: A Framework for Measuring Hardening Capabilities of an Operating System YUGMA KUMAR AGARWAL-8053124.pdf
Size: 1.01 MB
Format: Adobe Portable Document Format

License bundle

Name: license.txt
Size: 1.79 KB
Format: Item-specific license agreed upon to submission