Outline Announcements Protection and security.

Slides:



Advertisements
Similar presentations
Protection Goals of Protection Domain of Protection Access Matrix
Advertisements

Slide 14-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 5 14 Protection and Security.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
Slide 14-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 5.
Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Security.
Security  The Security Problem  Authentication  Program Threats  System Threats  Securing Systems  Intrusion (unwanted involvement) Detection  Encryption.
Silberschatz, Galvin and Gagne  Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.
1 Counter-measures Threat Monitoring Cryptography as a security tool Encryption Digital Signature Key distribution.
Protection and Security. Policy & Mechanism Protection mechanisms are tools used to implement security policies –Authentication –Authorization –Cryptography.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
Bilkent University Department of Computer Engineering
Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.
Reasons for Protection n Prevent users from accessing information they shouldn’t have access to. n Ensure that each program component uses system resources.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Operating Systems CMPSCI 377 Lecture.
Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
Chapter 14: Protection.
Protection and Security CSCI 444/544 Operating Systems Fall 2008.
1 Introduction to Security and Cryptology Enterprise Systems DT211 Denis Manley.
Page 19/4/2015 CSE 30341: Operating Systems Principles Raid storage  Raid – 0: Striping  Good I/O performance if spread across disks (equivalent to n.
Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.
Operating Systems Protection & Security.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Operating Systems CMPSCI 377 Lecture.
Protection and Security
Silberschatz and Galvin  Operating System Concepts Module 20: Security The Security Problem Authentication Program Threats System Threats Threat.
14.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 14: Protection.
14.1 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts Chapter 14: Protection Goals of Protection Principles of Protection Domain of Protection.
Operating Systems 1 K. Salah Module 6.0: Security and Protection  Types of misuse: –1. Accidental –2. Intentional –Protection is to prevent either accidental.
Cryptography, Authentication and Digital Signatures
© Oxford University Press 2011 DISTRIBUTED COMPUTING Sunita Mahajan Sunita Mahajan, Principal, Institute of Computer Science, MET League of Colleges, Mumbai.
30.1 Lecture 30 Security II Based on Silberschatz & Galvin’s slides And Stallings’ slides.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Protection (Chapter 14)
CE Operating Systems Lecture 21 Operating Systems Protection with examples from Linux & Windows.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED.
14.1/21 Part 5: protection and security Protection mechanisms control access to a system by limiting the types of file access permitted to users. In addition,
14.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Protection.
Chapter 14: Protection Silberschatz, Galvin and Gagne ©2005 Operating System Concepts – 7 th Edition, Apr 11, 2005 Goals of Protection Operating.
CSE Operating System Principles Protection.
Saurav Karmakar. Chapter 14: Protection  Goals of Protection  Principles of Protection  Domain of Protection  Access Matrix  Implementation of Access.
PROTECTION.
Operating Systems Protection Alok Kumar Jagadev.
Chapter 14: Protection Modified by Dr. Neerja Mhaskar for CS 3SH3.
Chapter 14: System Protection
Operating System Concepts
Chapter 14: Protection.
Chapter 14: Protection Source & Copyright: Operating System Concepts, Silberschatz, Galvin and Gagne.
Chapter 14: Protection.
Resource Management Chapter 19 9/20/2018 Crowley OS Chap. 19.
Chapter 14: Protection.
12: Security The Security Problem Authentication Program Threats
Chapter 14: Protection.
CE Operating Systems Lecture 21
Chapter 14: Protection.
Chapter 14: Protection.
Chapter 14: Protection.
Chapter 14: Protection.
Chapter 14: Protection.
Security.
Chapter 14: Protection.
Chapter 14: Protection.
Protection and Security
Operating System Concepts
Chapter 14: Protection.
Chapter 14: Protection.
Chapter 14: Protection.
Chapter 14: Protection.
Operating System Concepts
Chapter 14: Protection.
Operating System Concepts
Chapter 14: Protection.
Presentation transcript:

Outline Announcements Protection and security

Announcements Lab 3 is due tomorrow at your demonstration time You have three minutes for preparation and three minutes to give a demonstration which needs to convince others and myself that: You have implemented the APIs correctly Note the penalty for missing an API is 15 points Because of the time limit, you better use a script file of some kind to do your demonstration 4/8/2019 COP4610

Announcements – cont. Final exam will be on 5:30 - 7:30 pm, Dec. 11, 2003 Here in LOV 101 I will have office hours on Sunday, Dec. 7, 2003 From 10:00am – 5:30 pm except a lunch break Unfortunately, I need to attend a conference from Dec. 8 to Dec. 11 in Canada I will be back on Dec. 11 late that night I will have another professor to proctor the final exam 4/8/2019 COP4610

Protection and Security Operating system consists of a collection of objects, hardware or software Each object has a unique name and can be accessed through a well-defined set of operations Protection and security problem - ensure that each object is accessed correctly and only by those processes of authorized users that are allowed to do so 4/8/2019 COP4610

Allowing Only Authorized Access Authentication Authorization Subject Unauthorized Access Secure Entity Subject 4/8/2019 COP4610

Protection and Security – cont. Authentication Internal External Authorization Network security Secure entity is not copied or accessed during its transit Cryptography 4/8/2019 COP4610

Policy vs. Mechanism An organization’s security policy defines the rules for authorizing access to its computers and information resources A particular strategy that dictates the way a mechanism is used to achieve specific goals Protection mechanisms are tools for implementing the organization’s security policy 4/8/2019 COP4610

Internal Access Authorization Internal authorization is part of the task of managing resource sharing The goal is to protect one process’s resources from the actions of other processes 4/8/2019 COP4610

Hardware protection mechanisms Processor modes and privileged instructions only valid in system mode Memory protection Devices, and in particular disks, are protected with processor modes and/or memory protection 4/8/2019 COP4610

Software protection mechanisms Hardware resources are protected by hardware protection mechanisms Logical resources are only accessed through system calls All system calls must be authorized by a protection monitor The protection monitor accesses the protection database to make decisions 4/8/2019 COP4610

Protection monitors for file access 4/8/2019 COP4610

Protection monitors in an OS 4/8/2019 COP4610

A Protection System 4/8/2019 COP4610

A Protection System Subjects Objects a S desires a access to X S X 4/8/2019 COP4610

A Protection System Subjects Objects Protection State X S desires a access to X Protection state reflects current ability to access X 4/8/2019 COP4610

A Protection System Subjects Objects Protection State State Transition X State Transition S desires a access to X Protection state reflects current ability to access X Authorities can change 4/8/2019 COP4610

A Protection System Subjects Objects Protection State State Transition X State Transition S desires a access to X Protection state reflects current ability to access X Authorities can change What are rules for changing authority? Rules 4/8/2019 COP4610

A Protection System Subjects Objects Protection State State Transition X State Transition S desires a access to X Protection state reflects current ability to access X Authorities can change What are rules for changing authority? How are the rules chosen? Rules Policy 4/8/2019 COP4610

Protection System Example S desires a access to X 4/8/2019 COP4610

Protection System Example S desires a access to X Captures the protection state S a Access matrix 4/8/2019 COP4610

Protection System Example (S, a, X) Access authentication S X X S desires a access to X Captures the protection state Generates an unforgeable ID S a Access matrix 4/8/2019 COP4610

Protection System Example (S, a, x) Access authentication Monitor S X X S desires a access to X Captures the protection state Generates an unforgeable ID Checks the access against the protection state S a 4/8/2019 COP4610

Access Matrix The protection state can be represented using an access matrix An access matrix A has one row for each subject and one column for each object Each entry A[S, X] is a set that describes the access rights held by subject S to object X Access authentication If subject S initiates type a access to X then if a A[S,X], the access is valid. If a  A[S, X], the access is invalid. 4/8/2019 COP4610

An Access Matrix Example 4/8/2019 COP4610

Use of Access Matrix If a process in Domain Di tries to do “op” on object Oj, then “op” must be in the access matrix. Can be expanded to dynamic protection. Operations to add, delete access rights. Special access rights: owner of Oi copy op from Oi to Oj control – Di can modify Djs access rights transfer – switch from domain Di to Dj 4/8/2019 COP4610

Use of Access Matrix - cont. Access matrix design separates mechanism from policy Mechanism Operating system provides Access-matrix + rules If ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced Policy User dictates policy Who can access what object and in what mode 4/8/2019 COP4610

Domain Structure Access-right = <object-name, rights-set> Rights-set is a subset of all valid operations that can be performed on the object. Domain = set of access-rights that a subject has at any given time 4/8/2019 COP4610

Changing Protection State 4/8/2019 COP4610

Protection domains A capability is a unique, global name for an access right to an object in the system A protection domain is a set of capabilities to perform certain actions on certain objects A process can move from protection domain to protection domain so, at any point, it has exactly the capabilities it needs for the current job (the principle of least privilege) This is more flexible than associating capabilities directly with a process 4/8/2019 COP4610

Ring Architecture for Protection Domains 4/8/2019 COP4610

Domain Implementation UNIX Domain = user-id Domain switch accomplished via file system. Each file has associated with it a domain bit (setuid bit). When file is executed and setuid = on, then user-id is set to owner of the file being executed. When execution completes user-id is reset. 4/8/2019 COP4610

Implementing the Access Matrix Usually a sparse matrix Too expensive to implement as a table Implement as a list of table entries Column oriented list is called an access control list (ACL) List kept at the object UNIX file protection bits are one example Row oriented list is a called a capability list List kept with the subject (i.e., process) Kerberos ticket is a capability Mach mailboxes protected with capabilities 4/8/2019 COP4610

Access Control Lists Derived from an Access Matrix Store the Access Matrix by columns Each ACL is kept at the object UNIX file protection bits are one example Windows resource managers also use ACLs for protection X X X S a a a X a X a X a Resource Descriptor Resource Descriptor Resource Descriptor 4/8/2019 COP4610

Access Control Example F1 F2 D1 D2 S1 control block wakeup owner control owner read* write* seek owner S2 control stop owner update owner seek* S3 control delete execute owner Access List of F2 {S2, {update}} {S3,{execute, owner}} 4/8/2019 COP4610

Capability Lists Derived from an Access Matrix Store the Access Matrix by rows List kept with the subject (i.e., process) Examples Ticket to a concert Kerberos ticket Mach mailboxes S a S a S a S a Process Descriptor S a Process Descriptor a S Process Descriptor 4/8/2019 COP4610

Capability List Example F1 F2 D1 D2 S1 control block wakeup owner control owner read* write* seek owner S2 control stop owner update owner seek* S3 control delete execute owner Capability list of S2 {S2, {control}} {S3, {stop}} {F1, {owner}} {F2, {update}} {D1, {owner}} {D2, seek*}} 4/8/2019 COP4610

More on Capabilities Provides an address to object from a very large address space Possession of a capability represents authorization for access Implied properties: Capabilities must be very difficult to guess Capabilities must be unique and not reused Capabilities must be distinguishable from randomly generated bit patterns 4/8/2019 COP4610

Revocation of Access Rights Access List – Delete access rights from access list. Simple Immediate Capability List – Scheme required to locate capability in the system before capability can be revoked. Reacquisition Back-pointers Indirection Keys 4/8/2019 COP4610

Unix Protection Scheme Mode of access: read, write, execute Three classes of users RWX a) owner access 7  1 1 1 RWX b) groups access 6  1 1 0 c) public access 1  0 0 1 4/8/2019 COP4610

The Security Problem Security must consider external environment of the system, and protect it from unauthorized access. malicious modification or destruction accidental introduction of inconsistency. Easier to protect against accidental than malicious misuse 4/8/2019 COP4610

User authentication Three types of authentication: Something a user knows e.g. a password, a combination, answers to personal questions Something a user has e.g. a badge, a smart card, a key Something a user is e.g. fingerprint, signature, voice print, hand geometry, retinal blood vessel pattern 4/8/2019 COP4610

Authentication User identity most often established through passwords, can be considered a special case of either keys or capabilities. Passwords must be kept secret. Frequent change of passwords. Use of “non-guessable” passwords. Log all invalid access attempts. Encryption 4/8/2019 COP4610

Program Threats Trojan Horse Trap Door Code segment that misuses its environment. Exploits mechanisms for allowing programs written by users to be executed by other users. Trap Door Specific user identifier or password that circumvents normal security procedures. Could be included in a compiler. 4/8/2019 COP4610

System Threats Worms – use spawn mechanism; standalone program Internet worm Exploited UNIX networking features (remote access) and bugs in finger and sendmail programs. Grappling hook program uploaded main worm program. Viruses – fragment of code embedded in a legitimate program. Mainly effect microcomputer systems. Downloading viral programs from public bulletin boards or exchanging floppy disks containing an infection. 4/8/2019 COP4610

The confinement problem How do we prevent a program from leaking information to others? It is not as simple as preventing IPC and I/O A covert channel is a hidden means of communication information e.g. sending bits by manipulating the CPU load 4/8/2019 COP4610

The Morris Internet Worm 4/8/2019 COP4610

Threat Monitoring Check for suspicious patterns of activity – i.e., several incorrect password attempts may signal password guessing. Audit log – records the time, user, and type of all accesses to an object; useful for recovery from a violation and developing better security measures. Scan the system periodically for security holes; done when the computer is relatively unused. 4/8/2019 COP4610

Threat Monitoring – cont. Check for: Short or easy-to-guess passwords Unauthorized set-uid programs Unauthorized programs in system directories Unexpected long-running processes Improper directory protections Improper protections on system data files Dangerous entries in the program search path (Trojan horse) Changes to system programs: monitor checksum values 4/8/2019 COP4610

Encryption 4/8/2019 COP4610

Encryption – cont. Encrypt clear text into cipher text. Properties of good encryption technique: Relatively simple for authorized users to encrypt and decrypt data. Encryption scheme depends not on the secrecy of the algorithm but on a parameter of the algorithm called the encryption key Extremely difficult for an intruder to determine the encryption key 4/8/2019 COP4610

Cryptography Information can be encoded using a key when it is written (or transferred) -- encryption It is then decoded using a key when it is read (or received) -- decryption Very widely used for secure network transmission 4/8/2019 COP4610

More on Cryptography encryption plaintext ciphertext decryption 4/8/2019 COP4610

More on Cryptography Ke Kd C = EKe(plaintext) Encrypt Decrypt 4/8/2019 COP4610

More on Cryptography Ke Kd C = EKe(plaintext) Encrypt Decrypt Invader Side information plaintext 4/8/2019 COP4610

Cryptographic Systems Modern Systems Conventional Systems Ke and Kd are essentially the same Private Key Public Key Ke and Kd are private Ke is public Kd is private 4/8/2019 COP4610

Private Key Cryptography Data encryption standard (DES) It is a block cipher that crypts 64-bit data blocks using a 56-bit key Two basic operations Permutation Substitution Three stages Initial permutation stage Complex transformation stage Final permutation stage 4/8/2019 COP4610

Private Key Cryptography – cont. 4/8/2019 COP4610

Private Key Cryptography – cont. 4/8/2019 COP4610

Private Key Cryptography – cont. 4/8/2019 COP4610

Public Key Cryptography Private key cryptography and conventional cryptographic techniques require the distribution of secret keys Known as the key distribution problem Public key cryptography solves the key distribution problem by making the encryption procedure and the associated key available in the public domain 4/8/2019 COP4610

Public Key Cryptography – cont. Now it is possible for two users to have a secure communication even they have not communicated before Implementation issues One-way functions 4/8/2019 COP4610

RSA Method The encryption key is a pair (e, n) The decryption key is a pair (d, n) 4/8/2019 COP4610

RSA Method – cont. Generating the private and public key requires four steps Choose two very large prime numbers, p and q Compute n = p x q and z = (p – 1) x (q – 1) Choose a number d that is relatively prime to z Compute the number e such that e x d = 1 mod z 4/8/2019 COP4610

Authentication In distributed systems, authentication means verifying the identity of communicating entities to each other The assumption is that the communication network is not secure in that an intruder can copy and play back a message on the network The textbook called it “interactive secure connections” 4/8/2019 COP4610

Authentication – cont. Authentication based on a shared secret key. 4/8/2019 COP4610

Authentication – cont. Authentication based on a shared secret key, but using three instead of five messages. 4/8/2019 COP4610

Authentication – cont. The reflection attack. 4/8/2019 COP4610

Authentication Using Public-Key Cryptography Mutual authentication in a public-key cryptosystem. 4/8/2019 COP4610

Message Integrity and Confidentiality Message integrity means that messages are protected against modification Confidentiality ensures that messages cannot be intercepted and read by eavesdroppers Digital signatures A user cannot forge the signature of other users A sender of a signed message cannot deny the validity of his signature on the message A recipient of a signed message cannot modify the signature in the message 4/8/2019 COP4610

Digital Signatures Digital signing a message using public-key cryptography. 4/8/2019 COP4610

Digital Signatures – cont. 4/8/2019 COP4610

Digital Signatures – cont. Digitally signing a message using a message digest. 4/8/2019 COP4610

Kerberos Authentication Server Client Server 4/8/2019 COP4610

Kerberos Authentication Encrypted for client Server Encrypted for server Ticket Client Client ID Session Key Session Key Server 4/8/2019 COP4610

Kerberos Authentication Encrypted for client Server Encrypted for server Ticket Session Key Client Client ID Session Key Session Key Server 4/8/2019 COP4610

Kerberos Authentication Encrypted for client Server Encrypted for server Ticket Session Key Client Client ID Session Key Session Key Ticket Server Client ID Session Key Client ID Session Key 4/8/2019 COP4610

A Digital Rights Management System Publisher Distributor, etc Style Editor Rights Editor Other parties may contribute to rights spec Raw Style Rights Translate Client API Content Repository Query Consumer Admin API Distribute Serve InTransit Server Playback 4/8/2019 COP4610 Consumable

Electronic Payment Systems Payment systems based on direct payment between customer and merchant. Paying in cash. Using a check. Using a credit card. 4/8/2019 COP4610

Electronic Payment Systems – cont. Payment systems based on money transfer between banks. Payment by money order. Payment through debit order. 4/8/2019 COP4610

E-cash 4/8/2019 COP4610

Windows NT/2000/XP Logon Local Security Authority Subsystem (Lsass) Winlogon process LSA* Server Netlogon Network Authentic. LSA Policy Active Directory SAM Active Directory SAM** Server User Space Supervisor Space Security Reference Monitor (SRM) * Local Security Authority ** Security Accounts Manager (SAM) 4/8/2019 COP4610

Summary “None of the protection systems that exist today ... are completely fail-safe. The best we can do is to make it as difficult as possible for somebody to break a security device or get inside Authentication Authorization Access matrix and implementations of access matrix 4/8/2019 COP4610