1 / 32

Operating Systems CMPSCI 377 Lecture 22: Protection & Security

Operating Systems CMPSCI 377 Lecture 22: Protection & Security. Emery Berger University of Massachusetts, Amherst. Security. Secure if either: Cost of attacking system > value of protected resources; You attack $100 of gold with a $120 attack dog.

Download Presentation

Operating Systems CMPSCI 377 Lecture 22: Protection & Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.


Presentation Transcript

  1. Operating SystemsCMPSCI 377Lecture 22: Protection & Security Emery Berger University of Massachusetts, Amherst

  2. Security • Secure if either: • Cost of attacking system > value of protected resources; • You attack $100 of gold with a $120 attack dog. • Cost can equal the computer or network resources required to attack the system • Time to attack system longer than time resource has value • Don’t need to protect time and place of secret event after event takes place • Time can be processing time to compute correct result (e.g., guessing a password)

  3. Protection • Let’s say we have a valuable resource like an O.S. • collection of objects, hardware & software • objects have unique names • accessed through well-defined set of operations • Goal of protection: • Ensure each object accessed correctly & only by authorized processes according to some policy. • Policy = statement of what states (and operations) are allowed (i.e., secure/authorized) vs. not allowed (i.e., nonsecure/unauthorized) for specific system

  4. Protection Domains • Access-right = <object-name, rights-set> • Rights-set = subset of all valid operations that can be performed on the object • (i.e., the policy!) • Domain = set of access-rights

  5. UNIX: Domain Implementation • Example 1: UNIX • Domain implemented as “user-id” • Files are an example of an object • (we’ll see others, like laser printers and email servers) • Sometimes, OS does domain switching to execute some task • Each file has associated domain bit (setuid bit) • When file executed and setuid=on,user-id set to owner of the file being executed • When execution completes, user-id is reset • “ps” is a setuid program, as is “lpr”.

  6. Domain Implementation • MULTICS • Precursor to UNIX, by MIT & GE • “Ring” protection system, by Bob Graham

  7. Multics: Rings • Nested domain structure (“rings”) • Let Di and Djbe any two domain rings • If j < I Di  Dj • lower-level = more privileges • each process maintains current ring number

  8. Access Matrix • Column = access-control list for one object • Defines who can perform what operation • Row = capability list • Operations allowed on what objects, per-domain

  9. Use of Access Matrix (Cont.) • Design separates mechanism from policy • Mechanism • Operating system provides access-matrix + rules. • Ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced • Policy • User dictates policy:who can access what object and in what mode

  10. Dynamic Access Matrices • Extend for dynamic protection:Operations to add, delete access rights • transfer – switch from domain Di to Dj • owner of Oi • copy op from Oi to Oj • control – Di can modify Dj’s access rights

  11. Switching Domains • Switching domains: add domains as objects!

  12. Access Matrix with Copy Rights • Asterisk denotes that access right can be copied within column

  13. Access Matrix With Owner Rights • Ownership:can add new rights, remove some rights

  14. Control: Modifying Access Matrix • Control: process executing in one domain can modify another domain • Example:D2 changes D4

  15. Implementation of Access Matrix • Global table – <domain, object, right-set> • Too large, no grouping • Access list – <domain, right-set> per object • Simple • Capability List – list of objects + operations • Object name = capability (think: special pointer) • Check in capability list for access

  16. Revocation of Access Rights • Access-list scheme: • Search for right to be revoked, delete • Immediate, can be selective (just affect some users), can be partial (just some rights revoked)

  17. Revocation of Access Rights • Capabilities: more complicated • Reacquisition: • Try to reacquire after deletion • Back-pointers: point from object to capabilities • Expensive (used in MULTICS) • Indirection: • Capability points to entry in table • Not selective • Keys: • One key per capability • Check in global key table

  18. Language-Based Protection • Specification of protection in programming language: • Allows high-level description of policies for allocation and use of resources • Example: Java • Language implementation: • Can provide software for protection enforcement when automatic hardware-supported checking is unavailable • Interpret protection specifications to generate calls on whatever protection system provided by hardware and OS

  19. Java Security Model

  20. Security • The Security Problem • Authentication • Program Threats • System Threats • Threat Monitoring • Encryption

  21. The Security Problem • Security must consider external environment of the system, and protect it from: • unauthorized access • malicious modification or destruction • accidental introduction of inconsistency • Easier to protect against accidental than malicious misuse

  22. Authentication • User identity most often established through passwords, can be considered a special case of either keys or capabilities. • Passwords must be kept secret. • Frequent change of passwords • Use of “non-guessable” passwords • Log all invalid access attempts

  23. Program Threats (“Malware”) • Trojan Horse • Code segment that misuses its environment • Exploits mechanisms for allowing programs written by users to be executed by other users • Trap Door • Specific user identifier or password that circumvents normal security procedures. • Could be included in compiler

  24. System Threats: Worms • Worms – use spawn mechanism; standalone program • Exploited UNIX networking features (remote access) and bugs in finger and sendmail programs • Grappling hook program uploaded main worm program

  25. System Threats: Viruses • Viruses – fragment of code embedded in a legitimate program • Mainly affect PCs, infected via Internet • “Old days”: exchanging floppy disks containing an infection

  26. The Morris Internet Worm (1988)

  27. Threat Monitoring • Check for suspicious patterns of activity • i.e., several incorrect password attempts may signal password guessing • Audit log • Records time, user, & type of all accesses to object • Useful for recovery from violation, developing better security measures • Scan system periodically for security holes • Done when the computer is relatively unused

  28. Threat Monitoring (Cont.) • Check for: • Short or easy-to-guess passwords • Unauthorized setuid programs • Unauthorized programs in system directories • Unexpected long-running processes • Improper directory protections • Improper protections on system data files • Dangerous entries in the program search path (Trojan horse) • Changes to system programs: monitor checksum values

  29. Network Security Through Domain Separation Via Firewall

  30. Encryption • Encrypt clear text into cipher text, and vice versa • Properties of good encryption technique: • Relatively simple for authorized users to encrypt and decrypt data • Encryption scheme depends not on secrecy of algorithm but on parameter of algorithm called encryption key • Extremely difficult for an intruder to determine the encryption key • Advanced Encryption Standard now standard (Rijndael)

  31. Encryption (Cont.) • Public-key encryption based on each user having two keys: • public key – published key used to encrypt data • private key – key known only to individual user used to decrypt data • Encryption scheme is public, but still strong • No reliance on security through obscurity • Basis of these: • Easy to multiply primes, but hard to factor this product

  32. Summary • Protection • Protection Domains, Access Matrix, Revocation of Access Rights, Capability-Based Systems, Language-Based Protection • Security • Authentication, Program Threats, System Threats, Threat Monitoring, Encryption

More Related