CS 3204 Operating Systems Godmar Back Lecture 26.

Slides:



Advertisements
Similar presentations
Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Security.
Advertisements

Chapter 6 Security Kernels.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
CSE331: Introduction to Networks and Security Lecture 15 Fall 2002.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
1 Protection and Security Protection = mechanisms used to control access to valued resources: e.g., programs & data stored on computer system. Usually.
Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.
Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
Summary of Lecture 1 Security attack types: either by function or by the property being compromised Security mechanism – prevention, detection and reaction.
Protection and Security CSCI 444/544 Operating Systems Fall 2008.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.
Operating Systems Protection & Security.
14.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 14: Protection.
G53SEC 1 Reference Monitors Enforcement of Access Control.
CMSC 414 Computer (and Network) Security Lecture 14 Jonathan Katz.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
1 Chapter 1 The need for security Computerized trend (all kind of information are in the database) Information passing through Internet.
14.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition The Security Requirements Triad Data confidentiality Privacy Data Integrity.
Security Architecture and Design Chapter 4 Part 3 Pages 357 to 377.
Protection and Security Questions answered in this lecture: How can a system authenticate a user? How are access rights specified? What are common security.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
G53SEC 1 Access Control principals, objects and their operations.
Chapter 7 Securing Commercial Operating Systems. Chapter Overview Retrofitting Security into a Commercial OS History of Retrofitting Commercial OS's Commercial.
What security is about in general? Security is about protection of assets –D. Gollmann, Computer Security, Wiley Prevention –take measures that prevent.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Protection (Chapter 14)
CE Operating Systems Lecture 21 Operating Systems Protection with examples from Linux & Windows.
G53SEC 1 Reference Monitors Enforcement of Access Control.
Security CS Introduction to Operating Systems.
14.1/21 Part 5: protection and security Protection mechanisms control access to a system by limiting the types of file access permitted to users. In addition,
1 Chapter 1 – Background Computer Security T/ Tyseer Alsamany - Computer Security.
Information Security in Distributed Systems Distributed Systems1.
Lecture 18 Page 1 CS 111 Online OS Use of Access Control Operating systems often use both ACLs and capabilities – Sometimes for the same resource E.g.,
Operating Systems Security
COEN 350: Network Security Authorization. Fundamental Mechanisms: Access Matrix Subjects Objects (Subjects can be objects, too.) Access Rights Example:
14.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Protection.
Presented by: Dr. Munam Ali Shah
Chapter 19: Building Systems with Assurance Dr. Wayne Summers Department of Computer Science Columbus State University
Lecture 14 Page 1 CS 111 Summer 2013 Security in Operating Systems: Basics CS 111 Operating Systems Peter Reiher.
LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►
Database Security. Introduction to Database Security Issues (1) Threats to databases Loss of integrity Loss of availability Loss of confidentiality To.
PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.
CSEN 1001 Computer and Network Security Amr El Mougy Mouaz ElAbsawi.
SECURITY Prepared By: Dr. Vipul Vekariya.. 2 S ECURITY Secure system will control, through use of specific futures, access to information that only properly.
Access Control Model SAM-5.
CMSC 345 Defensive Programming Practices from Software Engineering 6th Edition by Ian Sommerville.
Operating Systems Protection Alok Kumar Jagadev.
Chapter 14: Protection Modified by Dr. Neerja Mhaskar for CS 3SH3.
Chapter 14: System Protection
Computer Data Security & Privacy
Operating system Security
Discretionary Access Control (DAC)
Chapter 14: Protection.
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Chapter 14: Protection.
Security.
Chapter 14: Protection.
Operating System Concepts
CSE 542: Operating Systems
Mohammad Alauthman Computer Security Mohammad Alauthman
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Chapter 14: Protection.
CS703 - Advanced Operating Systems
Presentation transcript:

CS 3204 Operating Systems Godmar Back Lecture 26

10/11/2015CS 3204 Fall Announcements Project 4 due Dec 10 Reading Chapter December 11, Thursday –1:30pm opening ceremony of new lab space –20 pts of extra credit if you demo Pintos on your laptop

Protection & Security

10/11/2015CS 3204 Fall Security Requirements & Threats Requirement –Confidentiality –Integrity –Availability –Authenticity Threat –Interception –Modification –Interruption –Fabrication The goal of a protection system is to ensure these requirements and protect against accidental or intentional misuse

10/11/2015CS 3204 Fall Policy vs Mechanism First step in addressing security: separate the “what should be done” from the “how it should be done” part The security policy specifies what is allowed and what is not A protection system is the mechanism that enforces the security policy

10/11/2015CS 3204 Fall Protection: AAA Core components of any protection mechanism Authentication –Verify that we really know who we are talking to Authorization –Check that user X is allowed to do Y Access enforcement –Ensure that authorization decision is respected –Hard: every system has holes Social vs technical enforcement

10/11/2015CS 3204 Fall Authentication Methods Passwords –Weakest form, and most common –Subject to dictionary attacks –Passwords should not be stored in clear text, instead, use one-way hash function Badge or Keycard –Should not be (easily) forgeable –Problem: how to invalidate? Biometrics –Problem: ensure trusted path to device

10/11/2015CS 3204 Fall Authorization Once user has been authenticated, need some kind of database to keep track of what they are allowed to do Simple model: –Access Matrix File 1TTY 2 User ACan ReadExclusive Access User BCan R/W-- Principals (e.g. users) Objects (e.g. files, resources)

10/11/2015CS 3204 Fall Variations on Access Control Matrices RBAC (Role-based Access Control) –Principals are no longer users, but roles –Examples: “mail admin”, “web admin”, etc. TE (Type Enforcement) –Objects are grouped into classes or types; columns of matrix are then labeled with those types Domains vs Principals –Rows represent “protection domain” –Processes (or code) execute in one domain (book uses this terminology)

10/11/2015CS 3204 Fall Representing Access Matrices Problem: access matrices can be huge –How to represent them in a condensed way? Two choices: by row, or by column By row: Capabilities –What is principal X allowed to do? By column: Access Control Lists –Who has access to resource Y?

10/11/2015CS 3204 Fall Access Control Lists General: store list of for each object Example: files. For each file store who is allowed to access it (and how) Most contemporary file systems support it. Groups can be used to compress the information: –Old-style Unix permissions rwxr-xr-x Q.: where in the filesystem would you store ACLs/permissions?

10/11/2015CS 3204 Fall Capabilities General idea: store (capability) list of for each user Typically used in systems that must be very secure –Default is empty capability list Capabilities also often function as names –Can access something if you know the name –Must make names unforgeable, or must have system monitor who holds what capabilities (e.g., by storing them in protected area)

10/11/2015CS 3204 Fall Examples of Attacks Abuse of valid privilege –Admin decides to delete your mp3s Denial of service attack –Run this loop on your P4: while (1) { mkdir(“x”); chdir(“x”); } Sniffing/Listening attack Trojan Horse Worm or virus

10/11/2015CS 3204 Fall Simple Stack Overflow Example #include int unsafe_function() { char buf[8]; printf("Enter your name: "); gets(buf); printf("Your name is: %s\n", buf); } void do_something_bad() { printf("do_something_bad called!\n"); } int main() { unsafe_function(); } #include int unsafe_function() { char buf[8]; printf("Enter your name: "); gets(buf); printf("Your name is: %s\n", buf); } void do_something_bad() { printf("do_something_bad called!\n"); } int main() { unsafe_function(); } > > nm stackattack | grep do_something_bad T do_something_bad > od -h badinput * /stackattack < badinput Enter your name: Your name is: V V do_something_bad called! > > nm stackattack | grep do_something_bad T do_something_bad > od -h badinput * /stackattack < badinput Enter your name: Your name is: V V do_something_bad called! Simplified variant of “return-to-libc” attack in which attacker redirects control to function embedded in program (which then compromises security) In practice, attacker usually sends position- independent code along that exec()’s a shell

Defense against Stack Overflow Static Defenses: –Use of type-safe languages –Code analysis Dynamic Defenses: –Detect stack corruption before abnormal control transfer occurs Canaries, stack frame reallocation -fstack-protector in gcc (ProPolice) –Prevent execution of any code on stack Remove execute privilege from stack Generalization: W  X –Address Space Randomization Helps against attacks that require that attacker knows address in program (less effective on 32-bit systems) 10/11/2015CS 3204 Fall

10/11/2015CS 3204 Fall Principle of Least Privilege Containment “need-to-know” basis: every process should have only access right for the operations it needs to do its work –Hard to implement: how can you be sure the program will still work? How can you be sure you’ve given just enough privileges and no more? –Example: Linux SE

10/11/2015CS 3204 Fall Other Countermeasures Logging: –Keep an audit log of all actions performed –Must protect log (from theft & forgery) Verification & Proofs –Problem of verifying the specification vs. implementation

10/11/2015CS 3204 Fall Trusted Computing Base The part of the system that enforces access control decisions –Also protects authentication information Issues: –Single Bug in TCB may compromise entire security policy –Need to keep it small and manageable –Usually: entire kernel is part of TCB (huge!) Weakest link phenomenon

10/11/2015CS 3204 Fall MLS-Multilevel Security –Unclassified –Confidential –Secret –Top Secret No read up No write down –*-property Trusted Systems Properties: Complete mediation (mandatory access control on every access) Isolated/tamper-proof reference monitor Verification (the hardest)

10/11/2015CS 3204 Fall Security & System Structure Q.: Does system structure matter when building secure systems? Monolithic kernels: processes call into kernel to obtain services (Pintos, Linux, Windows) Microkernels: processes call only into kernel to send/receive messages, they communicate with other processes to obtain services –Asbestos [SOSP’05] exploits this to track information flow across processesSOSP’05 –HiStar [OSDI’06] optimizes this further by avoiding explicit message passing; using “call gates” insteadOSDI’06

10/11/2015CS 3204 Fall Language-Based Protection Based on type-safe languages (Java, C#, etc.) –Do not allow direct memory access –Include access modifiers (private/public, etc.) –Verify code before they execute it with respect to these safety property Build security systems on top of type-safe language runtimes which associate code with sets of privileges

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.