Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS 3204 Operating Systems Godmar Back Lecture 26.

Published byArlene Dennis Modified over 9 years ago

Similar presentations

Presentation on theme: "CS 3204 Operating Systems Godmar Back Lecture 26."— Presentation transcript:

1 CS 3204 Operating Systems Godmar Back Lecture 26

2 10/11/2015CS 3204 Fall 20082 Announcements Project 4 due Dec 10 Reading Chapter 10-12 December 11, Thursday –1:30pm opening ceremony of new lab space –20 pts of extra credit if you demo Pintos on your laptop

3 Protection & Security

4 10/11/2015CS 3204 Fall 20084 Security Requirements & Threats Requirement –Confidentiality –Integrity –Availability –Authenticity Threat –Interception –Modification –Interruption –Fabrication The goal of a protection system is to ensure these requirements and protect against accidental or intentional misuse

5 10/11/2015CS 3204 Fall 20085 Policy vs Mechanism First step in addressing security: separate the “what should be done” from the “how it should be done” part The security policy specifies what is allowed and what is not A protection system is the mechanism that enforces the security policy

6 10/11/2015CS 3204 Fall 20086 Protection: AAA Core components of any protection mechanism Authentication –Verify that we really know who we are talking to Authorization –Check that user X is allowed to do Y Access enforcement –Ensure that authorization decision is respected –Hard: every system has holes Social vs technical enforcement

7 10/11/2015CS 3204 Fall 20087 Authentication Methods Passwords –Weakest form, and most common –Subject to dictionary attacks –Passwords should not be stored in clear text, instead, use one-way hash function Badge or Keycard –Should not be (easily) forgeable –Problem: how to invalidate? Biometrics –Problem: ensure trusted path to device

8 10/11/2015CS 3204 Fall 20088 Authorization Once user has been authenticated, need some kind of database to keep track of what they are allowed to do Simple model: –Access Matrix File 1TTY 2 User ACan ReadExclusive Access User BCan R/W-- Principals (e.g. users) Objects (e.g. files, resources)

9 10/11/2015CS 3204 Fall 20089 Variations on Access Control Matrices RBAC (Role-based Access Control) –Principals are no longer users, but roles –Examples: “mail admin”, “web admin”, etc. TE (Type Enforcement) –Objects are grouped into classes or types; columns of matrix are then labeled with those types Domains vs Principals –Rows represent “protection domain” –Processes (or code) execute in one domain (book uses this terminology)

10 10/11/2015CS 3204 Fall 200810 Representing Access Matrices Problem: access matrices can be huge –How to represent them in a condensed way? Two choices: by row, or by column By row: Capabilities –What is principal X allowed to do? By column: Access Control Lists –Who has access to resource Y?

11 10/11/2015CS 3204 Fall 200811 Access Control Lists General: store list of for each object Example: files. For each file store who is allowed to access it (and how) Most contemporary file systems support it. Groups can be used to compress the information: –Old-style Unix permissions rwxr-xr-x Q.: where in the filesystem would you store ACLs/permissions?

12 10/11/2015CS 3204 Fall 200812 Capabilities General idea: store (capability) list of for each user Typically used in systems that must be very secure –Default is empty capability list Capabilities also often function as names –Can access something if you know the name –Must make names unforgeable, or must have system monitor who holds what capabilities (e.g., by storing them in protected area)

13 10/11/2015CS 3204 Fall 200813 Examples of Attacks Abuse of valid privilege –Admin decides to delete your mp3s Denial of service attack –Run this loop on your P4: while (1) { mkdir(“x”); chdir(“x”); } Sniffing/Listening attack Trojan Horse Worm or virus

14 10/11/2015CS 3204 Fall 200814 Simple Stack Overflow Example #include int unsafe_function() { char buf[8]; printf("Enter your name: "); gets(buf); printf("Your name is: %s\n", buf); } void do_something_bad() { printf("do_something_bad called!\n"); } int main() { unsafe_function(); } #include int unsafe_function() { char buf[8]; printf("Enter your name: "); gets(buf); printf("Your name is: %s\n", buf); } void do_something_bad() { printf("do_something_bad called!\n"); } int main() { unsafe_function(); } > > nm stackattack | grep do_something_bad 08048456 T do_something_bad > od -h badinput 0000000 8456 0804 8456 0804 8456 0804 8456 0804 * 0000120./stackattack < badinput Enter your name: Your name is: V V do_something_bad called! > > nm stackattack | grep do_something_bad 08048456 T do_something_bad > od -h badinput 0000000 8456 0804 8456 0804 8456 0804 8456 0804 * 0000120./stackattack < badinput Enter your name: Your name is: V V do_something_bad called! Simplified variant of “return-to-libc” attack in which attacker redirects control to function embedded in program (which then compromises security) In practice, attacker usually sends position- independent code along that exec()’s a shell

15 Defense against Stack Overflow Static Defenses: –Use of type-safe languages –Code analysis Dynamic Defenses: –Detect stack corruption before abnormal control transfer occurs Canaries, stack frame reallocation -fstack-protector in gcc (ProPolice) –Prevent execution of any code on stack Remove execute privilege from stack Generalization: W  X –Address Space Randomization Helps against attacks that require that attacker knows address in program (less effective on 32-bit systems) 10/11/2015CS 3204 Fall 200815

16 10/11/2015CS 3204 Fall 200816 Principle of Least Privilege Containment “need-to-know” basis: every process should have only access right for the operations it needs to do its work –Hard to implement: how can you be sure the program will still work? How can you be sure you’ve given just enough privileges and no more? –Example: Linux SE

17 10/11/2015CS 3204 Fall 200817 Other Countermeasures Logging: –Keep an audit log of all actions performed –Must protect log (from theft & forgery) Verification & Proofs –Problem of verifying the specification vs. implementation

18 10/11/2015CS 3204 Fall 200818 Trusted Computing Base The part of the system that enforces access control decisions –Also protects authentication information Issues: –Single Bug in TCB may compromise entire security policy –Need to keep it small and manageable –Usually: entire kernel is part of TCB (huge!) Weakest link phenomenon

19 10/11/2015CS 3204 Fall 200819 MLS-Multilevel Security –Unclassified –Confidential –Secret –Top Secret No read up No write down –*-property Trusted Systems Properties: Complete mediation (mandatory access control on every access) Isolated/tamper-proof reference monitor Verification (the hardest)

20 10/11/2015CS 3204 Fall 200820 Security & System Structure Q.: Does system structure matter when building secure systems? Monolithic kernels: processes call into kernel to obtain services (Pintos, Linux, Windows) Microkernels: processes call only into kernel to send/receive messages, they communicate with other processes to obtain services –Asbestos [SOSP’05] exploits this to track information flow across processesSOSP’05 –HiStar [OSDI’06] optimizes this further by avoiding explicit message passing; using “call gates” insteadOSDI’06

21 10/11/2015CS 3204 Fall 200821 Language-Based Protection Based on type-safe languages (Java, C#, etc.) –Do not allow direct memory access –Include access modifiers (private/public, etc.) –Verify code before they execute it with respect to these safety property Build security systems on top of type-safe language runtimes which associate code with sets of privileges

Download ppt "CS 3204 Operating Systems Godmar Back Lecture 26."

Similar presentations

Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Security.

Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Security.
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.

1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
CSE331: Introduction to Networks and Security Lecture 15 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 15 Fall 2002.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.

CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
1 Protection and Security Protection = mechanisms used to control access to valued resources: e.g., programs & data stored on computer system. Usually.

1 Protection and Security Protection = mechanisms used to control access to valued resources: e.g., programs & data stored on computer system. Usually.
Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.

Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
Summary of Lecture 1 Security attack types: either by function or by the property being compromised Security mechanism – prevention, detection and reaction.

Summary of Lecture 1 Security attack types: either by function or by the property being compromised Security mechanism – prevention, detection and reaction.
Protection and Security CSCI 444/544 Operating Systems Fall 2008.

Protection and Security CSCI 444/544 Operating Systems Fall 2008.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.

Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.
Operating Systems Protection & Security.

Operating Systems Protection & Security.
14.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 14: Protection.

14.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 14: Protection.

Similar presentations

Ads by Google