Chapter 6 User Protections in OS

csci5233 computer security & integrity (Chap. 6)

Slide 2: Outline
User-level protections
1. Memory protection
2. Control of access to objects
3. File protection
4. User authentication

Slide 3: User-level protection
The general-purpose OS supports multiprogramming (aka multi-tasking), the concurrent use of system resources by more than one user. It is critical to protect one user from interference by another user.
What would need to be protected?
– Computation
– Files
– Anything else?

Slide 4: Protected Objects
– Memory
– Shared I/O devices (e.g., disks, printers, tape drives, …)
– Sharable programs and sub-procedures
– Sharable data
– … (see p. 242 for a detailed listing)
The controlled sharing of these objects is the responsibility of the OS.

Slide 5: Protection Mechanisms: considerations
A. Types of separation
B. Levels of protection
C. Granularity of protection control
Types of separation: Separation is the basis of protection. It keeps different users’ objects separate from each other.

Slide 6: Protection Mechanisms: considerations
Types of separation
1. Physical separation
2. Temporal separation
3. Logical separation
4. Cryptographic separation
Concern: resource utilization versus the level of security provided.
The goal of protection: to allow multi-tasking of processes with different security needs.

Slide 7: Protection Mechanisms: considerations
Levels of protection
– No protection: feasible when temporal separation is applied
– Isolation: confinement; separate address space and resources
– Share all or share nothing: public vs. private objects
– Share via access limitation: ACL (access control list)
– Share by capabilities: an extension of the ACL; dynamic determination of access rights (user + object + context of access)
– Limit use of an object: finer control over the use of an object (example: read but not print; aggregate but not individual data items)

Slide 8: Protection Mechanisms: considerations
Granularity of protection control
Example: granularity of data control: bit → byte → word → field → record → file → …
Another example: granularity of access rights. What does that mean?
Trade-offs: Finer control leads to a more complex implementation. Why? Coarse control, on the other hand, results in a lower level of security. Why?

Slide 9: Memory Protection Mechanisms
Preventing one process from affecting the memory of other processes. Built-in hardware protection mechanisms are common.
Mechanisms: fence, relocation, base/bounds registers, tagged architecture, segmentation, paging, combined paging with segmentation

Slide 10: Memory Protection Mechanisms
Fence: protects the OS from the user processes
– a predefined address (Fig. 6-1)
– fence register (Fig. 6-2, p. 232)
Limitations?

Slide 11: Memory Protection Mechanisms
Relocation: A relocatable module can be loaded at a different starting address each time it is loaded. Who is in charge of determining the starting address of a module?
The fence register can be used as a hardware relocation device. Any limitation?

Slide 12: Memory Protection Mechanisms
Base/Bounds Registers: base, bound, offset (Fig. 6-3, p. 233)
Fig. 6-4 (p. 234): Two pairs of base/bounds registers
The use of base/bounds registers enables context switching of processes.
Any limitations?
– Contiguous address space
– All-or-nothing sharing (that is, no selective sharing)

Slide 13: Memory Protection Mechanisms
Tagged architecture: Every word of memory has extra tag bit(s) to identify its access rights. The bits are tested every time an instruction accesses that location. The bits can only be set by OS instructions. (Fig. 6-5, p. 235)
Any problems?
– Incompatible with existing OS code

Slide 14: Memory Protection Mechanisms
Segmentation: A program is divided into separate pieces, called segments. Each segment is a logical unit, which may contain code or data. A program may be composed of several segments, each of which has different access rights. (Fig. 6-6, p. 237)
Q: Who keeps track of the relationship between logical names and their corresponding physical addresses?
Fig. 6-7 (p. 238): Segment translation table
Addressing (in a program) = segment name + offset within the segment

Slide 15: Segmentation
Segmentation enables the OS to become an intermediary between a process and the physical memory.
Benefits
1. Protection of memory addresses:
   1. Each address reference is checked for protection.
   2. A user cannot generate an address of, or access to, an unpermitted segment.
2. Enabling flexible protection mechanisms:
   1. Different levels of protection can be assigned to different classes of data items.
   2. A segment may be shared by two or more users, each with different access rights.

Slide 16: Segmentation
Does segmentation present any challenges or problems?
– A challenge: A process may access an offset beyond the end of a segment. Solution: run-time verification by the OS.
Implementation problems:
1. Segment names are inconvenient to encode in instructions, resulting in possibly slow lookup of the STT. Solution? Conversion of names to numbers during program compilation/translation. Impact? Difficulty in sharing the same segment name between two procedures.
2. Segmentation can lead to memory fragmentation.

Slide 17: Paging
A program is divided into equal-sized pages. Memory is divided into units of the same size, called page frames. The page size is typically between 512 and 4096 bytes (that is, between 9 and 12 address bits).
address =
Table lookup is needed to translate a logical address to the physical address location. (Fig. 6-8, p. 240)

Slide 18: Paging
Advantages:
1. Fragmentation is not a problem (as it is in segmentation).
2. No problem of addressing beyond the end of a page.
3. The entire mechanism of paging and address translation is hidden from the programmer.
Unlike segmentation, there is no logical unity to a page.
– Is this an advantage or a disadvantage?
– From the standpoint of protection, a definite disadvantage. Why?

Slide 19: Paging + Segmentation (combined)
c.f.,
– Paging: efficient
– Segmentation: logical protection characteristics
Paged segmentation: two layers of address translation
– A program is first divided into segments.
– Each segment is divided into pages.
– Figure 6-9, p. 241.
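Added example, not from the slides or the textbook: a small Python simulation of paged segmentation that combines the checks discussed on the segmentation and paging slides (bound check against the segment length, per-segment access rights, then page-to-frame lookup). The names (SegmentEntry, translate, PAGE_SIZE) and the sample segment and page tables are assumptions chosen for illustration.

```python
# Added illustration; the names and tables below are constructed, not the textbook's.
from dataclasses import dataclass, field

PAGE_SIZE = 1024   # 10 offset bits; the slides give 512-4096 bytes as typical

class MemoryFault(Exception):
    """Raised when a hardware/OS check rejects an access."""

@dataclass
class SegmentEntry:
    length: int          # bound: valid offsets are 0 .. length-1
    rights: frozenset    # e.g. {"r", "x"} for code, {"r", "w"} for data
    page_table: dict = field(default_factory=dict)   # page number -> frame

def translate(stt, segment, offset, access):
    """Map (segment, offset) to a physical address, or raise MemoryFault."""
    entry = stt.get(segment)           # stt: the process's segment translation table
    if entry is None:
        raise MemoryFault(f"no such segment {segment!r}")
    if not 0 <= offset < entry.length:  # the 'offset beyond the end of a segment' check
        raise MemoryFault(f"offset {offset} is outside segment {segment!r}")
    if access not in entry.rights:      # segment-level rights, checked on every reference
        raise MemoryFault(f"{access!r} not permitted on segment {segment!r}")
    page, page_offset = divmod(offset, PAGE_SIZE)   # second layer: page within segment
    frame = entry.page_table.get(page)
    if frame is None:
        raise MemoryFault(f"page {page} of segment {segment!r} is not resident")
    return frame * PAGE_SIZE + page_offset

# Constructed sample process: a 2.5-page code segment and a 1000-byte data segment.
STT = {
    "code": SegmentEntry(2560, frozenset({"r", "x"}), {0: 7, 1: 3, 2: 9}),
    "data": SegmentEntry(1000, frozenset({"r", "w"}), {0: 5}),
}

def demo():
    """Outcome of a few accesses; a string beginning 'fault' marks a rejection."""
    results = {}
    cases = {
        "fetch code":   ("code", 1030, "x"),   # page 1, offset 6 -> frame 3
        "write data":   ("data", 999, "w"),    # last valid byte of the segment
        "write code":   ("code", 0, "w"),      # rights violation
        "past segment": ("data", 1000, "r"),   # one byte beyond the bound
    }
    for name, args in cases.items():
        try:
            results[name] = translate(STT, *args)
        except MemoryFault as exc:
            results[name] = f"fault: {exc}"
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>13}: {outcome}")
```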

Slide 20: Controlled Access to Objects
What objects need to be protected? Memory, files, directories, an executing program, hardware devices, data structures in memory, OS tables, instructions, passwords, the user authentication mechanisms, the protection mechanism itself, …
Memory protection is a special case of the protection of general objects. In comparison, protection of memory is simple. Why? (p. 242)

Slide 21: Controlled Access to Objects
Access to an object is performed by a subject. A subject may be an end user, a programmer, a program, another object, or anything else that seeks to use an object.
General goals in protecting objects:
1. Revocability of a user’s privilege to access an object
2. The least privilege principle
3. Verification of object-specific usages

Slide 22: Controlled Access to Objects
An example of object protection: a simple approach relying on directories of files
– The objects: files in the directory, and the directory itself
– Sample subjects: users of the system
– Each file has a unique owner, who controls access to the file.
– Each user has a file directory, which includes all files the user has access to.
– The file directories must be maintained by the OS. Why?
– Access rights include read, write, execute, and owner? (Fig. 6-10, p. 243)
Why would the above simple approach not work? 3 problems (p. 244)

Slide 23: Controlled Access to Objects
Alternative approaches for access control
– ACL (access control list)
– ACM (access control matrix)
– Capabilities for access control
– Procedure-oriented access control

Slide 24: Controlled Access to Objects
ACL: Each object has an ACL, which includes all subjects that have access to the object and what their access is. (Fig., p. 246)
In comparison: In the previous approach, each subject has a directory list, which includes all objects that the subject may access and the respective access rights.
User designation vs. group designation
– In Multics: user, group, compartment
– In Unix: owner, group, world
– In Windows?

Slide 25: Controlled Access to Objects
ACM (Fig., p. 247)
Disadvantage: mostly sparse; inefficient searching

Slide 26: Controlled Access to Objects
Capability: A capability is an unforgeable token giving the possessor certain rights to an object. A capability is a ticket giving permission to a subject to perform a certain type of access on an object. To prevent forgery, a capability is usually maintained by the OS.
A new access right: the right to transfer a capability
Domain: The collection of capabilities defines a domain. (Fig. 6-14, p. 248) An executing program or sub-procedure operates in a domain. A sub-procedure in a program may have a different domain from the main program. (Fig. 6-15, p. 249)
Significance: groundwork for subsequent production use in systems such as Kerberos, a popular network authentication protocol (Ch. 9)

Slide 27: Controlled Access to Objects
Procedure-oriented access control: Access to an object is controlled by its access-control procedures. The procedures define a trusted interface through which access to a given object can be made.
Purpose: To enable more complex access control beyond read, write, and execute.
Benefits: information hiding; flexibility
Disadvantage: inefficient access
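Added example, not from the slides or the textbook, covering the access matrix, ACL and capability slides above: one constructed access matrix is read as per-object ACLs (its columns) and per-subject capability lists (its rows), and capabilities are minted by the OS as tokens whose forgery is prevented with a keyed MAC, honouring both the transfer right and revocation. The subject and object names, the matrix and the function names (mint, use, transfer) are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Access control matrix (constructed sample): subject -> object -> rights.
# It is sparse, so it is stored per subject rather than as a full table.
MATRIX = {
    "alice": {"payroll.txt": {"read", "write", "owner"}, "report.txt": {"read"}},
    "bob":   {"report.txt": {"read", "write", "transfer"}},
}

def acl(obj):
    """Column of the matrix: which subjects may access obj, and how (ACL)."""
    return {s: row[obj] for s, row in MATRIX.items() if obj in row}

def capability_list(subject):
    """Row of the matrix: which objects the subject may access (C-list)."""
    return {o: set(r) for o, r in MATRIX.get(subject, {}).items()}

def has_right(subject, obj, right):
    return right in MATRIX.get(subject, {}).get(obj, set())

# Capability tokens. The key is held only by the OS (an assumption of this
# simulation), so a process that edits a token cannot compute a valid tag.
OS_KEY = secrets.token_bytes(32)

def _tag(body):
    return hmac.new(OS_KEY, body.encode(), hashlib.sha256).hexdigest()

def mint(subject, obj, right):
    """Issue a capability only if the matrix currently grants the right."""
    if not has_right(subject, obj, right):
        raise PermissionError(f"{subject} lacks {right} on {obj}")
    body = f"{subject}|{obj}|{right}"
    return body + "|" + _tag(body)

def use(token):
    """Validate a presented capability; return (subject, obj, right) or None."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    subject, obj, right, tag = parts
    if not hmac.compare_digest(tag, _tag("|".join(parts[:3]))):
        return None          # altered or forged: the OS never minted this tag
    if not has_right(subject, obj, right):
        return None          # revocability: the right was withdrawn after minting
    return subject, obj, right

def transfer(token, recipient):
    """The 'transfer' right: a holder may pass a capability to another subject."""
    subject, obj, right = use(token) or (None, None, None)
    if subject is None or not has_right(subject, obj, "transfer"):
        raise PermissionError("invalid token or no transfer right")
    MATRIX.setdefault(recipient, {}).setdefault(obj, set()).add(right)
    return mint(recipient, obj, right)
```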

Slide 28: Summary
Next: 6.4 (file protection), 6.5 (user authentication)