Download presentation
1
Protection and Security
2
Protection and Security
Operating system consists of a collection of objects, hardware or software Each object has a unique name and can be accessed through a well-defined set of operations (hopefully) Protection and security problem - ensure that each object is accessed correctly and only by those processes of authorized users that are allowed to do so
3
Protection and Security – cont.
OS designer faces challenge of creating a protection scheme that cannot be bypassed by any software that may be created in the future Networking adds to the problem as it allows access to a computer and its resources without being in the same physical location See next frame
4
Protection – Internal Access Authorization
5
Policy vs. Mechanism An organization’s security policy defines the rules for authorizing access to its computers and information resources A particular strategy that dictates the way a mechanism is used to achieve specific goals Protection mechanisms are tools for implementing the organization’s security policy
6
Policy & Mechanism A security policy is a strategy that dictates the way a mechanism is used to achieve a specific goal Accountants have access to payroll files OS processes have access to the page table Client process has access to information provided by a server A protection mechanism is a set of components used to implement any one of different sets of strategies Authentication Authorization Cryptography
7
Policy & Mechanism – cont.
Example - Computers in lab Policy: can only be used by students registered for graduate classes Mechanism: authentication via username and password; set up via class list and request Policy: students may only have N bytes of storage space Mechanism: establish a quota system on disk
8
Policy & Mechanism – cont.
The security policy specifies the ways resources should be shared among members of the organization and with members external to the organization The mechanism is the specific steps and tools provided by the system to enforce the policy
9
Security Goals Authentication Authorization Machine X Resource W
Process A Resource X Resource Y read Resource Z read read/write Process B read/write Authentication Machine Y Authorization Process C
10
Implementing Policy & Mechanism
Policies selected by system administrators – after the OS and protection mechanisms have been designed and implemented OS designer must foresee all the policies that may be selected and implement the mechanisms accordingly Very difficult task – usually handled by sending out patches as security holes are found
11
The Security Problem Security must consider external environment of the system, and protect it from unauthorized access. malicious modification or destruction accidental introduction of inconsistency. Easier to protect against accidental than malicious misuse
12
Authentication Mechanisms
Basis of most protection mechanisms Two types of authentication External: verify the user Usually username/password combination May require two passwords or other identification Internal: verify the process Don’t allow one users process to appear to be that of another user Network access accentuates the problem Is the computer who it says it is?
13
User Authentication Three types of authentication:
Something a user knows e.g. a password, a combination, answers to personal questions Something a user has e.g. a badge, a smart card, a key Something a user is e.g. fingerprint, signature, voice print, hand geometry, retinal blood vessel pattern
14
Authentication User identity most often established through passwords, can be considered a special case of either keys or capabilities. Passwords must be kept secret. Frequent change of passwords. Use of “non-guessable” passwords. Log all invalid access attempts. Encryption
15
User Authentication Possible mechanisms
Recognize repeated login attempts Disconnect after some threshold is reached Disregard correct passwords after some threshold of failures has been reached Make login process slow – handle computer generated attempts
16
Network Authentication
Need to be able to communicate between computers without significantly increasing the overhead involved Most typical access is for file transport Messages File downloading Obtaining network services
17
Program Threats Trojan Horse Trap Door
Code segment that misuses its environment. Exploits mechanisms for allowing programs written by users to be executed by other users. Trap Door Specific user identifier or password that circumvents normal security procedures. Could be included in a compiler.
18
System Threats Worms – use spawn mechanism; standalone program
Internet worm Exploited UNIX networking features (remote access) and bugs in finger and sendmail programs. Grappling hook program uploaded main worm program. Viruses – fragment of code embedded in a legitimate program. Mainly effect microcomputer systems. Downloading viral programs from public bulletin boards or exchanging floppy disks containing an infection. Safe computing.
19
The Morris Internet Worm
20
The confinement problem
How do we prevent a program from leaking information to others? It is not as simple as preventing IPC and I/O A covert channel is a hidden means of communication information e.g. sending bits by manipulating the CPU load
21
Threat Monitoring Check for suspicious patterns of activity – i.e., several incorrect password attempts may signal password guessing. Audit log – records the time, user, and type of all accesses to an object; useful for recovery from a violation and developing better security measures. Scan the system periodically for security holes; done when the computer is relatively unused.
22
Threat Monitoring – cont.
Check for: Short or easy-to-guess passwords Unauthorized set-uid programs Unauthorized programs in system directories Unexpected long-running processes Improper directory protections Improper protections on system data files Dangerous entries in the program search path (Trojan horse) Changes to system programs: monitor checksum values
23
Kerberos Network Authentication
A set of network protocols used to authen-ticate access to a computer by a user at a different computer using an unsecure network Assumes information over network could be tampered with Does not assume OS on either machine is secure Developed at MIT in 80’s; widely used
24
Kerberos Authentication Server Client Server
Client asks authentication server for credentials of the server process
25
Kerberos Authentication Encrypted for client Server
Encrypted for server Ticket Client Client ID Session Key Session Key Server Authentication server returns the credentials as ticket & session key with key encrypted using client key
26
Kerberos Authentication Encrypted for client Server
Encrypted for server Ticket Session Key Client Client ID Session Key Session Key Server Client decrypts ticket & key; keeps copy of session key Sends copy of ticket to server
27
Kerberos Authentication Encrypted for client Server
Encrypted for server Ticket Session Key Client Client ID Session Key Session Key Ticket Server Client ID Server decrypts copy of ticket to obtain secure copy of client ID and session key Session Key Client ID Session Key
28
Kerberos Authentication
Once these steps completed, client and server processes both have copy of session key and can begin secure communication Authentication server MUST be trusted It has copy of client’s ID, knows how to encrypt info that only client can decrypt, knows how to encrypt info that only server can decrypt, and can create unique session key
29
Authorization Is this user/process allowed to access the resource under the current policy? What type of access is allowable? Read Write Execute Append
30
Internal Access Authorization
Internal authorization is part of the task of managing resource sharing The goal is to protect one process’s resources from the actions of other processes
31
Protection Problems Sharing parameters Confinement
Process calls procedure in another process’s address space, which then modifies parameters, so that when original process regains control, variables in its address space have been changed Confinement Contain all rights to resources so that they do not propagate outside some chosen set of processes
32
Protection Problems – cont.
Allocating rights A process provides another process with specific rights to use its resources; should be a temporary allocation; but what if 2nd process passes those rights on to other processes without knowledge or permission of original process (the owner of the resource) Trojan horse Special case of allocating rights: client process invokes a service program which then takes advantage of the client’s process rights
33
Lampson’s Protection Model
Active parts (e.g., processes or threads) Act on behalf of users Operate in different protection domains The set of rights a process has at any given time Subject is a process executing in a specific domain Passive parts are called objects Correspond to resources NOTE: not related to OOP terminology
34
Model Want mechanism to implement different security policies for subjects to access objects Many different policies must be possible Policy may change over time
35
Protection System Composed of
Set of objects Set of subjects Set of rules specifying protection policy Represents accessibility of objects by subjects Guarantees that the protection state is checked for each access of an object by a subject
36
A Protection System Subjects Objects a S X S desires a access to X
37
A Protection System Subjects Objects Protection State
X S desires a access to X Protection state reflects current ability to access X
38
A Protection System Subjects Objects Protection State State Transition
X State Transition S desires a access to X Protection state reflects current ability to access X Authorities can change
39
A Protection System Subjects Objects Protection State State Transition
X State Transition S desires a access to X Protection state reflects current ability to access X Authorities can change What are rules for changing authority? Rules
40
A Protection System Subjects Objects Protection State State Transition
X State Transition S desires a access to X Protection state reflects current ability to access X Authorities can change What are rules for changing authority? How are the rules chosen? Rules Policy
41
Access Matrix The protection state can be represented using an access matrix An access matrix A has one row for each subject and one column for each object Note: subjects are also objects (processes controlling processes) Each entry A[S, X] is a set that describes the access rights held by subject S to object X Access authentication If subject S initiates type a access to X then if a A[S,X], the access is valid. If a A[S, X], the access is invalid.
42
Protection System Example
S desires a access to X
43
Protection System Example
S desires a access to X Captures the protection state S a Access matrix
44
Protection System Example
(S, a, X) Access authentication S X X S desires a access to X Captures the protection state Generates an unforgeable ID S a Access matrix
45
Protection System Example
(S, a, x) Access authentication Monitor S X X S desires a access to X Captures the protection state Generates an unforgeable ID Checks the access against the protection state S a
46
Example Suppose simple system Let the access matrix be
Subjects = {S1, S2, S3} Objects = subjects {F1, F2, D1, D2} F represent files, D devices Let the access matrix be S1 S2 S3 F1 F2 D1 D2 S1 control block wakeup owner control owner read* write* seek owner S2 control stop owner update owner seek* S3 control delete execute owner
47
Example – cont. The * is called a copy flag
It allows the process to transfer an access right to another process
48
Example – cont. If S2 attempts to update access to F2
It initiates access Causing protection system to create record of form (S2, update, F2) Record given to monitor for F2 Monitor checks access table Since access is valid, S2 is allowed to update F2
49
Example – cont. If S2 attempts execute access to F2
It initiates access Causing protection system to create record of form (S2, execute, F2) Record given to monitor for F2 Monitor checks access table Since access is invalid, S2 is not allowed to execute F2 Violation is reported to OS
50
Changing Protection State
Subjects Objects Protection State S X State Transition Rules Handling state changes Policy
51
Policy Rules Example Rules for a Particular Policy S1 S2 S3 F1 F2 D1
control block wakeup owner control owner read* write* seek owner S2 control stop owner update owner seek* S3 control delete execute owner Rules for a Particular Policy Rule Command by S0 Authorization Effect 1 transfer(a|a*) to (S, X) a*A[S0, X] A[S, X] = A[S, X]{a|a*} 2 grant(a|a*) to (S, X) ownerA[S0, X] A[S, X] = A[S, X]{a|a*} 3 delete a from (S, X) controlA[S0, S] A[S, X] = A[S, X]-{a} or ownerA[S0, X]
52
Policy Rules Example The policy rules determine who controls the propagation of the various types of access Access may be Transferred: process must have copy flag for right Granted: process must be owner of object Don’t need copy flag Deleted: process must own or control object Example: rule 1 determines what rights can be transferred from one process to another Command: transfer(a|a*) to (S, X) Authorization: a*A[S0, X] S1 can transfer read or read* access to S2 or S3 for F1 because S1 has the copy flag set
53
Protection State The copy flag and rules are designed to prevent indiscriminate propagation of access rights among subjects Right can only be propagated when owner transfers copy flag to another subject Subject may then transfer right with or without copy flag This transfer may be nondestructive (first subject keeps access) or destructive (first subject loses access)
54
Results of Rules These rules (along with a few others) define a protection system that addresses the problems mentioned earlier: Masquerading: subject must be authenticated and given unforgeable signature Confinement and allocating rights: rights are restricted to a designated set of subjects An untrusted subsystem must be memoryless (confined with respect to its ability to retain information or leak it to other subjects)
55
Results of Rules – cont. Sharing of parameters: allow only indirect access to objects by untrusted subjects Create gatekeeper subject to protect object from unwanted accesses by untrusted subjects Trojan horses: problem caused by process assuming rights of another while acting on its behalf this model distinguishes between two processes using the same rights on different subjects Many rule sets may solve problem for specific policies, but don’t guarantee solution independent of policy
56
Cost of Protection Mechanisms
Basic protection model requires that each resource access be passed through a monitor before request can be granted This may introduce a substantial performance cost Need to decide if performance hit is justified If information MUST be secure, the cost of performance is not an issue
57
Implementing Internal Authorization
Protection model describes logical set of components that can be used What implementations are cost effective? How can an access matrix be implemented efficiently? Need to consider Access matrix not only possible representation Access matrix must be secured; only read and written by selected processes Goal is to route all accesses through protection monitor Protection system should be able to authenticate the source of each request Monitor must be protected process to implement the rules Must not be possible for other subjects to compromise monitor
58
Protection Domain The particular set of rights a process has at any given time Two level domain architecture Supervisor domain: has more rights than user User domain: fewer rights than supervisor User domain Supervisor domain
59
Protection Domains The two-level domain can be generalized to a set of N concentric rings Domain ring architecture for protection R0 RS+1 RN-1 The innermost rings have more rights than the outermost ones
60
Protection Domains – cont.
Inner rings have higher authority Ring 0 corresponds to supervisor mode Rings 1 to S have decreasing protection, and are used to implement the OS Rings S+1 to N-1 have decreasing protection, and are used to implement applications Lampson model uses processes and domains -- how is a domain implemented? Supervisor/user hardware mode bit Software extensions -- rings
61
Protection Domains – cont.
Ring crossing is a domain change Inner ring crossing rights amplification Specific gates for crossing Protected by an authentication mechanism Outer ring crossing uses less-protected objects No authentication Need a return path Used in Multics and Intel (& above) hardware
62
Implementing Access Matrix
Usually a sparse matrix Too expensive to implement as a table Implement as a list of table entries Column oriented list is called an access control list (ACL) List kept at the object UNIX file protection bits are one example Row oriented list is a called a capability list List kept with the subject (i.e., process) Kerberos ticket is a capability
63
Unix Protection Scheme
Mode of access: read, write, execute Three classes of users RWX a) owner access 7 RWX b) groups access 6 1 1 0 c) public access 1 0 0 1
64
Protection Domains A capability is a unique, global name for an access right to an object in the system A protection domain is a set of capabilities to perform certain actions on certain objects A process can move from protection domain to protection domain so, at any point, it has exactly the capabilities it needs for the current job (the principle of least privilege) This is more flexible than associating capabilities directly with a process
65
More on Capabilities Provides an address to object from a very large address space Possession of a capability represents authorization for access Implied properties: Capabilities must be very difficult to guess Capabilities must be unique and not reused Capabilities must be distinguishable from randomly generated bit patterns
66
Cryptography Even in secure OS, information will sometimes be temporarily unprotected Ex.: while being transferred from one part of OS to another, as in Kerberos authentication strategy Information can be encoded using a key when it is written (or transferred) -- encryption It is then decoded using a key when it is read (or received) -- decryption
67
More on Cryptography encryption plaintext ciphertext decryption
68
Two Basic Strategies Details of encryption and decryption are unknown
Functions are complex making it difficult to guess how translation is accomplished Details are known, but the keys are secret and difficult to forge Difficult to guess a key
69
More on Cryptography Ke = encryption key Kd = decryption key Ke Kd
C = EKe(plaintext) Encrypt Decrypt plaintext plaintext Ke = encryption key Kd = decryption key
70
More on Cryptography Ke Kd C = EKe(plaintext) Encrypt Decrypt
Invader Side information plaintext
71
Cryptographic Systems
Modern Systems Conventional Systems Ke and Kd are essentially the same Private Key Public Key Ke and Kd are private Ke is public Kd is private
72
Encryption Encrypt clear text into cipher text.
Properties of good encryption technique: Relatively simple for authorized users to encrypt and decrypt data. Encryption scheme depends not on the secrecy of the algorithm but on a parameter of the algorithm called the encryption key Extremely difficult for an intruder to determine the encryption key Data Encryption Standard substitutes characters and rearranges their order on the basis of an encryption key provided to authorized users via a secure mechanism. Scheme only as secure as the mechanism.
73
Encryption - cont. Public-key encryption based on each user having two keys: public key – published key used to encrypt data. private key – key known only to individual user used to decrypt data. Must be an encryption scheme that can be made public without making it easy to figure out the decryption scheme. Efficient algorithm for testing whether or not a number is prime. No efficient algorithm is known for finding the prime factors of a number.
74
Public Key Cryptography
Clear text encrypted by public key can be decrypted by private key, and vice versa Two users can generate authenticated, private communications Information is signed by user 1 and encrypted with user 1’s private key The entire message is then encrypted with user 2’s public key and transmitted User 2 then decrypts using user 2’s private key and then with user 1’s public key
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.