Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Security: Chapter 5 Operating Systems Security.

Published byMelina Alexander Modified over 8 years ago

Similar presentations

Presentation on theme: "Computer Security: Chapter 5 Operating Systems Security."— Presentation transcript:

1 Computer Security: Chapter 5 Operating Systems Security

2 OS SECURITY What is OS? A program that acts as an intermediary between user and computer hardware Purpose of OS: provide an environment in which a user can execute programs in a convenient and efficient manner SCSR3413 Computer Security – 2013/14 i 2

3 OS Security : Overview What is protection in OS?  Prevention of mischievous, intentional violation of an access restriction by a user  Prevention of erroneous program from affecting the execution of other programs  Improve reliability SCSR3413 Computer Security – 2013/14 i 3

4 Protection of resources OS Protection includes these:  Memory protection  File protection  General control of access to objects  User authentication SCSR3413 Computer Security – 2013/14 i 4

5 Basis of protection : separation Physical separation  Different processes use different physical objects  Separate printers for different levels of security Temporal separation  Processes with different security req. are executed at different times Logical separation  Programs cannot access outside its permitted domain  Illusion of single process operation Cryptographic separation  Process conceal data and computations that its unintelligible to outside process SCSR3413 Computer Security – 2013/14 i 5

6 Is separation the only answer? Separation of different forms may be combined Separation can lead to poor resource sharing We want users and objects to be able to share algorithms and functions without compromising their security needs A practical OS provides protection by separation and ‘controlled’ sharing SCSR3413 Computer Security – 2013/14 i 6

7 OS can help via Do not protect  OS with no protection Isolate  Different processes running concurrently are unaware of the presence of each other Share all or share nothing  Public (for all) or private (for owner only) Share via access limitation  Ensuring only authorized access occurs Share by capabilities  Dynamic creation of sharing rights – can depend on owner/ context of computation/object Limit use of an object  To what extend is your privileges? E.g. Can view but not print SCSR3413 Computer Security – 2013/14 i 7

8 Granularity  Access can be controlled at various levels Bit, byte, element word  The larger the level of object controlled, the easier the access control implementation SCSR3413 Computer Security – 2013/14 i 8

9 Memory and address protection Protection can be built into h/ware that controls use of memory Include  Fence  Relocation  Base/bounds registers  Tagged architecture  Segmentation  Paging  Combined paging with segmentation SCSR3413 Computer Security – 2013/14 i 9

10 Memory Protection: Fence In a farm, a fence keeps the cows from grazing the neighbours yard/land. In OS, same function. Keeps the users from ‘grazing’/destroying the OS resident portion of memory. SCSR3413 Computer Security – 2013/14 i 10

11 SCSR3413 Computer Security – 2013/14 i 11

12 Fence… Fixed fence is very restrictive  Amount of space predefined  Whether OS use it or not - its there Waste of space may occur  OS have no space to grow SCSR3413 Computer Security – 2013/14 i 12

13 Fence… Fence register is another way  Fence is not fixed – can be changed  The register contains the end of OS  Address of user programs or modification will be compared to the register.  If address in user area – instruction executed  If address in OS area – error condition raised  Can protect OS from user but not user from another user  User cannot identify certain areas as off-limits SCSR3413 Computer Security – 2013/14 i 13

14 SCSR3413 Computer Security – 2013/14 i 14

15 Memory Protection: Relocation OS do change, hence programs must be written in a way that does not depend on placement at a specific location in memory. Relocation takes a program and puts it in an appropriate place/address, with the help of a relocation factor. Fence register can be a h/ware relocation device. SCSR3413 Computer Security – 2013/14 i 15

16 SCSR3413 Computer Security – 2013/14 i 16

17 Memory Protection: Base/Bounds Registers Relocation provides the base/starting address – the lower bound All address in a program are offset to the base address A variable fence register = base register But a program can still overflow into other areas, and may cause problem So a register with the upper bound address is needed SCSR3413 Computer Security – 2013/14 i 17

18 Bounds register – upper address limit  Knowing how much space is allotted  Checking for overflows A program address should be above the base address and below the bound address Protects a program’s addresses from being modified by another user Context switching – transferring control from one user to the other (base and bound changed) SCSR3413 Computer Security – 2013/14 i 18

19 Another pair of base/bound registers may be used for addresses inside a user’s address space  Program Base/Bound – for instructions only  Data Base/Bound – for data access only Saves user from overwriting and destroying his program Also gives the ability to split program into 2 pieces and relocated separately SCSR3413 Computer Security – 2013/14 i 19

20 SCSR3413 Computer Security – 2013/14 i 20

21 SCSR3413 Computer Security – 2013/14 i 21

22 Memory Protection: Tagged Architecture Every word of machine has one or a few extra bits to identify access rights to that word. Access bits can only be set by OS instruction (privileged) Adjacent locations may have different access rights SCSR3413 Computer Security – 2013/14 i 22

23 Advantage  Can pick and choose what to protect and what not to  Minimum sharing for task completion  With few extra bits, different data classes can be separated and data fields protected Disadvantage  Major changes to conventional OS needed for implementation Cost SCSR3413 Computer Security – 2013/14 i 23

24 Memory Protection: Segmentation = dividing a program into separate pieces/segments having different access rights Each segment has a unique name Code within a segment addressed as  Name – name of segment  Offset – its location from the start of the segment SCSR3413 Computer Security – 2013/14 i 24

25 Segmentation… Program is a long collection of segments and these segments may be placed in any available memory locations. OS must have a way arranging this  Segment look-up tables  Keeps segment name and true address in memory  User need not know the address, just SCSR3413 Computer Security – 2013/14 i 25

26 SCSR3413 Computer Security – 2013/14 i 26

27 SCSR3413 Computer Security – 2013/14 i 27

28 Benefit of segmentation  Each address reference is checked for protection  Many different classes of data item can be assigned different levels of protection  2 or more users can share access to a segment, with potentially different access rights  A user cannot generate an address or access to an unpermitted segment. SCSR3413 Computer Security – 2013/14 i 28

29 Segmentation must offer protection while being efficient. Problems with segmentation  Protection problem – segment size  Efficiency problem – segment name  Memory utilization problem SCSR3413 Computer Security – 2013/14 i 29

30 Protection problem  A user can refer to a valid segment name with an offset beyond end of segment  can read other parts of memory, hence unsafe  but segment A is 200 bytes long  So must check generated address to verify that its not beyond end of segment  have segment length in look-up table  Need more time and more resources SCSR3413 Computer Security – 2013/14 i 30

31 Efficiency problem  Segment name inconvenient to encode and will also slow look-up  Compiler can translate name to numbers but problem when 2 procedures share the same segment Memory utilization problem  Segmentation can cause fragmentation, hence lead to poor memory utilization  Compaction can help but compacting and updating the look-up table takes time SCSR3413 Computer Security – 2013/14 i 31

32 Memory Protection: Paging Program divided to equal-sized pieces called pages Memory is divided to equal-sized units called page frames. Address: As with segmentation, OS maintains a table (page translation table) of user page numbers and their true addresses in memory SCSR3413 Computer Security – 2013/14 i 32

33 SCSR3413 Computer Security – 2013/14 i 33

34 All pages same fixed size : no fragmentation No addressing beyond end of page : will be directed to next page page size = 64 bytes (64=2 6 ), number of pages =10. Largest offset value 111111= 63 any larger will translate to next page Say  SCSR3413 Computer Security – 2013/14 i 34

35 Segments are logical units, paging is not. When additional instruction are added  Subsequent instruction are pushed to lower addresses  Instructions at the end, becomes the start of a new page. Problem: no way of establishing if all values on a page should be protected at the same level SCSR3413 Computer Security – 2013/14 i 35

36 Memory Protection: Combined paging and segmentation Paging offers implementation efficiency Segmentation offers logical protection Combined: can use the best of both features SCSR3413 Computer Security – 2013/14 i 36

37 SCSR3413 Computer Security – 2013/14 i 37

38 SCSR3413 Computer Security – 2013/14 i Quick Summary Looked at  Memory protection Fence, base/bound, paging, segmentation 38

Download ppt "Computer Security: Chapter 5 Operating Systems Security."

Similar presentations

Memory Management Chapter 7.

Memory Management Chapter 7.
Memory Management Chapter 7. Memory Management Subdividing memory to accommodate multiple processes Memory needs to be allocated efficiently to pack as.

Memory Management Chapter 7. Memory Management Subdividing memory to accommodate multiple processes Memory needs to be allocated efficiently to pack as.
Chapter 6 User Protections in OS. csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access.

Chapter 6 User Protections in OS. csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access.
CSC 405 Introduction to Computer Security

CSC 405 Introduction to Computer Security
Memory Management Questions answered in this lecture: How do processes share memory? What is static relocation? What is dynamic relocation? What is segmentation?

Memory Management Questions answered in this lecture: How do processes share memory? What is static relocation? What is dynamic relocation? What is segmentation?
Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-20111 Module 6 Module 6 Security in Operating Systems  MModified by :Ahmad Al Ghoul  PPhiladelphia.

Network Security Philadelphia UniversitylAhmad Al-Ghoul Module 6 Module 6 Security in Operating Systems  MModified by :Ahmad Al Ghoul  PPhiladelphia.
CS 153 Design of Operating Systems Spring 2015

CS 153 Design of Operating Systems Spring 2015
Memory Management Design & Implementation Segmentation Chapter 4.

Memory Management Design & Implementation Segmentation Chapter 4.
1 Memory Management Chapter 7. 2 Memory Management Subdividing memory to accommodate multiple processes Memory needs to be allocated to ensure a reasonable.

1 Memory Management Chapter 7. 2 Memory Management Subdividing memory to accommodate multiple processes Memory needs to be allocated to ensure a reasonable.
Memory Management 2010.

Memory Management 2010.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.

Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.
CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.

CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.
Memory Management Chapter 5.

Memory Management Chapter 5.
Computer Organization and Architecture

Computer Organization and Architecture
95-752:7-1 Operating System Features. 95-752:7-2 Operating System Features Memory protection Temporary file issues Dead space issues Sandboxing Object.

95-752:7-1 Operating System Features :7-2 Operating System Features Memory protection Temporary file issues Dead space issues Sandboxing Object.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
SE571 Security in Computing

SE571 Security in Computing
1 Lecture 8: Memory Mangement Operating System I Spring 2008.

1 Lecture 8: Memory Mangement Operating System I Spring 2008.
Operating System Chapter 7. Memory Management Lynn Choi School of Electrical Engineering.

Operating System Chapter 7. Memory Management Lynn Choi School of Electrical Engineering.

Similar presentations

Ads by Google