Lecture 12 Page 1 CS 111 Summer 2014 Security in Operating Systems: Basics CS 111 Operating Systems Peter Reiher.

Slides:



Advertisements
Similar presentations
Lecture 13 Page 1 CS 111 Online File Systems: Introduction CS 111 On-Line MS Program Operating Systems Peter Reiher.
Advertisements

Copyright ©: Lawrence Angrave, Vikram Adve, Caccamo 1 Virtual Memory III.
Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Lecture 12 Page 1 CS 111 Online Devices and Device Drivers CS 111 On-Line MS Program Operating Systems Peter Reiher.
Chapter 6 User Protections in OS. csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
19: Protection1 PROTECTION Protection is the mechanism for controlling access to computer resources. Security concerns the physical integrity of the system.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
CS 300 – Lecture 22 Intro to Computer Architecture / Assembly Language Virtual Memory.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.
I/O Tanenbaum, ch. 5 p. 329 – 427 Silberschatz, ch. 13 p
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Lecture 17 Page 1 CS 111 Spring 2015 Operating System Security CS 111 Operating Systems Peter Reiher.
Lecture 18 Page 1 CS 111 Online Access Control Security could be easy – If we didn’t want anyone to get access to anything The trick is giving access to.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
Architecture Support for OS CSCI 444/544 Operating Systems Fall 2008.
CS 153 Design of Operating Systems Spring 2015 Lecture 17: Paging.
Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.
Virtual Memory Review Goal: give illusion of a large memory Allow many processes to share single memory Strategy Break physical memory up into blocks (pages)
Lecture 11 Page 1 CS 111 Online Memory Management: Paging and Virtual Memory CS 111 On-Line MS Program Operating Systems Peter Reiher.
Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 18: Protection Goals of Protection Objects and Domains Access Matrix Implementation.
CE Operating Systems Lecture 21 Operating Systems Protection with examples from Linux & Windows.
G53SEC 1 Reference Monitors Enforcement of Access Control.
Operating Systems Lecture 14 Segments Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing Liu School of Software Engineering.
Lecture 9 Page 1 CS 136, Spring 2009 Operating System Security CS 136 Computer Security Peter Reiher April 28, 2009.
Lecture 18 Page 1 CS 111 Online OS Use of Access Control Operating systems often use both ACLs and capabilities – Sometimes for the same resource E.g.,
Operating Systems Security
Lecture 18 Windows – NT File System (NTFS)
Lecture 4 Page 1 CS 111 Online Modularity and Virtualization CS 111 On-Line MS Program Operating Systems Peter Reiher.
Lecture 17 Page 1 CS 111 Fall 2015 Operating System Security CS 111 Operating Systems Peter Reiher.
Secure Operating Systems Lesson F: Capability Based Systems.
Chapter 14: Protection Silberschatz, Galvin and Gagne ©2005 Operating System Concepts – 7 th Edition, Apr 11, 2005 Chapter 14: Protection Goals.
Lecture 3 Page 1 CS 136, Fall 2010 Security Mechanisms CS 136 Computer Security Peter Reiher September 30, 2010.
Lecture 14 Page 1 CS 111 Summer 2013 Security in Operating Systems: Basics CS 111 Operating Systems Peter Reiher.
Lecture 3 Page 1 CS 136, Winter 2010 Security Mechanisms CS 136 Computer Security Peter Reiher January 12, 2010.
Lecture9 Page 1 CS 236 Online Operating System Security, Con’t CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 8 Page 1 CS 236 Online Protecting Interprocess Communications Operating systems provide various kinds of interprocess communications –Messages.
Lecture 3 Page 1 CS 236 Online Security Mechanisms CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 8 Page 1 CS 236, Spring 2008 Operating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Lecture 4 Page 1 CS 111 Online Modularity and Memory Clearly, programs must have access to memory We need abstractions that give them the required access.
Lecture 2 Page 1 CS 136, Spring 2016 Security Principles, Policies, and Tools CS 136 Computer Security Peter Reiher March 31, 2016.
Lecture 2 Page 1 CS 136, Fall 2011 Security Principles, Policies, and Tools CS 136 Computer Security Peter Reiher September 27, 2011.
Lecture 2 Page 1 CS 236 Online Security Policies Security policies describe how a secure system should behave Policy says what should happen, not how you.
Modularity Most useful abstractions an OS wants to offer can’t be directly realized by hardware Modularity is one technique the OS uses to provide better.
Introduction to Operating Systems
Capabilities Each subject keeps a set of data items that specify his allowable accesses Essentially, a set of tickets Possession of the capability for.
Outline Basic concepts in computer security
Protecting Memory What is there to protect in memory?
Chapter 14: System Protection
Protecting Memory What is there to protect in memory?
Protecting Memory What is there to protect in memory?
Outline Paging Swapping and demand paging Virtual memory.
Outline What does the OS protect? Authentication for operating systems
Modularity and Memory Clearly, programs must have access to memory
Outline What does the OS protect? Authentication for operating systems
O.S Lecture 13 Virtual Memory.
Chapter 14: Protection.
CE Operating Systems Lecture 21
Chapter 2: Operating-System Structures
Chapter 14: Protection.
Outline Introduction Memory protection Buffer overflows
Outline Introduction Memory protection Buffer overflows
Chapter 2: Operating-System Structures
Outline Introduction Memory protection Buffer overflows
Presentation transcript:

Lecture 12 Page 1 CS 111 Summer 2014 Security in Operating Systems: Basics CS 111 Operating Systems Peter Reiher

Lecture 12 Page 2 CS 111 Summer 2014 Security Goals Confidentiality – If it’s supposed to be secret, be careful who hears it Integrity – Don’t let someone change something they shouldn’t Availability – Don’t let someone stop others from using services Exclusivity – Don’t let someone use something he shouldn’t Note that we didn’t mention “computers” here – This classification of security goals is very general

Lecture 12 Page 3 CS 111 Summer 2014 Access Control Security could be easy – If we didn’t want anyone to get access to anything The trick is giving access to only the right people How do we ensure that a given resource can only be accessed by the proper people? The OS plays a major role in enforcing access control

Lecture 12 Page 4 CS 111 Summer 2014 Common Mechanisms for Access Control in Operating Systems Access control lists – Like a list of who gets to do something Capabilities – Like a ring of keys that open different doors They have different properties And are used by the OS in different ways

Lecture 12 Page 5 CS 111 Summer 2014 The Language of Access Control Subjects are active entities that want to gain access to something – E.g., users or programs Objects represent things that can be accessed – E.g., files, devices, database records Access is any form of interaction with an object An entity can be both subject and object

Lecture 12 Page 6 CS 111 Summer 2014 Access Control Lists ACLs For each protected object, maintain a single list Each list entry specifies a subject who can access the object – And the allowable modes of access When a subject requests access to a object, check the access control list

Lecture 12 Page 7 CS 111 Summer 2014 An Analogy Joe Hipster You’re Not On the List! This is an access control list

Lecture 12 Page 8 CS 111 Summer 2014 An ACL Protecting a File write File X ACL for file X A read write B C none Subject ASubject BSubject C read denied The file is the object The process trying to access it is the subject

Lecture 12 Page 9 CS 111 Summer 2014 Issues For Access Control Lists How do you know the requestor is who he says he is? How do you protect the access control list from modification? How do you determine what resources a user can access?

Lecture 12 Page 10 CS 111 Summer 2014 An Example Use of ACLs: the Unix File System An ACL-based method for protecting files – Developed in the 1970s Still in very wide use today – With relatively few modifications Per-file ACLs (files are the objects) Three subjects on list for each file Owner, group, other And three modes – Read, write, execute – Sometimes these have special meanings

Lecture 12 Page 11 CS 111 Summer 2014 Storing the ACLs They can be very small – Since there are only three entries – Basic ACL is only 9 bits Therefore, kept inside the file descriptor Makes it easy to find them – Since trying to open the file requires the file descriptor, anyway Checking this ACL is not much more than a logical AND with the requested access mode

Lecture 12 Page 12 CS 111 Summer 2014 Pros and Cons of ACLs +Easy to figure out who can access a resource +Easy to revoke or change access permissions –Hard to figure out what a subject can access –Changing access rights requires getting to the object

Lecture 12 Page 13 CS 111 Summer 2014 Capabilities Each subject keeps a set of data items that specify his allowable accesses Essentially, a set of tickets To access an object, present the proper capability Possession of the capability for an object implies that access is allowed

Lecture 12 Page 14 CS 111 Summer 2014 An Analogy The key is a capability

Lecture 12 Page 15 CS 111 Summer 2014 Capabilities Protecting a File Read X Subject BSubject C Capabilities for C Capabilities for A File X Read, Write Capabilities for B File X Read File X Subject A Capability Checking File X Read, Write read File X Read, Write Check validity of capability OK!

Lecture 12 Page 16 CS 111 Summer 2014 Capabilities Denying Access write denied write User B User C Capabilities for C Capabilities for A File X Read, Write Capabilities for B File X Read File X User A Capability Checking Check validity of capability No Capability Provided!

Lecture 12 Page 17 CS 111 Summer 2014 Properties of Capabilities Capabilities are essentially a data structure – Ultimately, just a collection of bits Merely possessing the capability grants access – So they must not be forgeable How do we ensure unforgeability for a collection of bits? One solution: – Don’t let the user/process have them – Store them in the operating system

Lecture 12 Page 18 CS 111 Summer 2014 Revoking Capabilities A simple problem for capabilities stored in the operating system – Just have the OS get rid of it Much harder if it’s not in the operating system – E.g., in a network context How do we make the bundle of bits change from valid to invalid? Consider the real world problem of a door lock If several people have the key, how do we keep one of them out?

Lecture 12 Page 19 CS 111 Summer 2014 Pros and Cons of Capabilities +Easy to determine what objects a subject can access +Potentially faster than ACLs (in some circumstances) +Easy model for transfer of privileges –Hard to determine who can access an object –Requires extra mechanism to allow revocation –In network environment, need cryptographic methods to prevent forgery

Lecture 12 Page 20 CS 111 Summer 2014 OS Use of Access Control Operating systems often use both ACLs and capabilities – Sometimes for the same resource E.g., Unix/Linux uses ACLs for file opens That creates a file descriptor with a particular set of access rights – E.g., read-only The descriptor is essentially a capability

Lecture 12 Page 21 CS 111 Summer 2014 Enforcing Access in an OS Protected resources must be inaccessible – Hardware protection must be used to ensure this – So only the OS can make them accessible to a process To get access, issue request to resource manager – Resource manager consults access control policy data Access may be granted directly – Resource manager maps resource into process Access may be granted indirectly – Resource manager returns a “capability” to process

Lecture 12 Page 22 CS 111 Summer 2014 Direct Access To Resources OS checks access control on initial request If OK, OS maps it into a process’ address space – The process manipulates resource with normal instructions – Examples: shared data segment or video frame buffer Advantages: – Access check is performed only once, at grant time – Very efficient, process can access resource directly Disadvantages: – Process may be able to corrupt the resource – Access revocation may be awkward You’ve pulled part of a process’ address space out from under it

Lecture 12 Page 23 CS 111 Summer 2014 Indirect Access To Resources Resource is not directly mapped into process – Process must issue service requests to use resource – Access control can be checked on each request – Examples: network and IPC connections Advantages: – Only resource manager actually touches resource – Resource manager can ensure integrity of resource – Access can be checked, blocked, revoked at any time If revoked, system call can just return error code Disadvantages: – Overhead of system call every time resource is used

Lecture 12 Page 24 CS 111 Summer 2014 Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files? Devices? IPC? Secure booting

Lecture 12 Page 25 CS 111 Summer 2014 Protecting Memory Most modern operating systems provide strong memory protection Usually hardware-based Most commonly through use of page tables and paging hardware To remind you, addresses issued by programs translated by hardware to physical addresses – If page tables handled right, process can’t even name other processes’ memory

Lecture 12 Page 26 CS 111 Summer 2014 Protecting Files We’ve already discussed this Most file systems have a built-in access control model The OS must enforce it All file access done through system calls Which gives the OS a chance to enforce the access control policy Typically checked on open

Lecture 12 Page 27 CS 111 Summer 2014 A File Protection Vulnerability Unix/Linux systems only check access permissions on open The open file descriptor limits access to what was checked for But if the access permissions change while the file is open, access is NOT revoked Sometimes possible to keep files open for a long, long time So if user once had access to a file, may be hard to ever push him out again

Lecture 12 Page 28 CS 111 Summer 2014 Another File Data Vulnerability What if someone bypasses the operating system? Directly accessing the disk as a device The OS typically won’t allow that to happen – If it’s still in control... But there can be flaws or misconfigurations Or the disk can be moved to another machine – Which may not enforce the access permissions it specifies

Lecture 12 Page 29 CS 111 Summer 2014 Full Disk Encryption FDE A solution to this problem Encrypt everything you put on the disk Decrypt data moved from the disk to memory Can be done in hardware – Typically in the disk drive or controller Or software – Typically by the operating system Various options for storing the key

Lecture 12 Page 30 CS 111 Summer 2014 Protecting Devices Most devices are treated as files So the file protection model applies In some cases, some parts of the devices are memory mapped into processes – Memory protections apply, here – But potential issues if you map them into more than one process Non-OS controlled bus interfaces can also cause problems (e.g., Firewire)

Lecture 12 Page 31 CS 111 Summer 2014 Protecting IPC IPC channels are often also treated like files So the same protection model and mechanisms apply Even shared memory is handled this way – But especially important to remember that you don’t get complete mediation here – And granularity of protection is the segment, not the word or page or block

Lecture 12 Page 32 CS 111 Summer 2014 Secure Boot Our OS-based protection mechanisms rely on one fundamental assumption – We are running an OS that properly implements them What if we aren’t running the OS that we think we are? Then all bets are off The false OS can do whatever it wants So we need to be sure we’ve booted what we wanted to boot

Lecture 12 Page 33 CS 111 Summer 2014 The Bootstrap Process When a computer is powered on, the OS is not usually resident in memory It gets put there by a bootstrap loader The bootstrap program is usually very short Located in an easily defined place Hardware finds it, loads it, runs it Bootstrap then takes care of initializing the OS

Lecture 12 Page 34 CS 111 Summer 2014 Booting and Security Most systems make it hard to change bootstrap loader – But it must have enough flexibility to load different OSes – From different places on machine Malware likes to corrupt the bootstrap Trusted computing platforms can help secure bootstrapping

Lecture 12 Page 35 CS 111 Summer 2014 Approaches to Bootstrap Security TPM – an industry standard A hardware-assisted method to guarantee that the right bootstrap was loaded – And, from that, guarantee that the right OS was booted – And possibly build up further security from that SecureBoot – a Microsoft technology Built into the boot hardware and SW Essentially, only allows booting of particular OS versions

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.