Introduction to Security Technology (Topic 1)

Slides: 26
Provided by: pirooz

1
Introduction to Security Technology (Topic 1)
  • Pirooz Saeidi
  • Main Source: Security in Computing by
  • C.P. Pfleeger and S.L. Pfleeger
  • ISBN 0-13-035548-8

2
Protection in General Purpose Operating Systems
  • Agenda
  • Protected Objects and Methods of Protection
  • Memory and Address Protection
  • Control of Access to General Objects
  • File Protection Mechanisms
  • User Authentication
  • Summary.

3
Operating Systems and Protected Objects
  • User programs and data in operating systems that
    support multiprogramming should be protected
    against other users.
  • Thus, protecting one user's programs and data
    from other users' programs is an important issue.

4
Operating Systems and Protected Objects
  • Aspects of a computing system that require
    protection are
  • Memory
  • Sharable I/O devices
  • disks
  • Serially reusable I/O devices
  • printers and tape drives
  • Sharable programs
  • Networks
  • Sharable data

5
Security Methods of Operating Systems
  • The basis of protection is separation
  • Simply keep one user's objects separate from
    other users.
  • Separation can happen in the following ways
  • Physical separation
  • Temporal separation
  • Logical separation
  • Cryptographic separation

6
Security Methods of Operating Systems
  • Physical Separation
  • Different processes use different physical
    objects
  • For example have separate printers for output
    requiring different levels of security.
  • Temporal separation
  • Processes having different security requirements
    are executed at different times.

7
Security Methods of Operating Systems
  • Logical separation
  • Users operate under the illusion that no other
    processes exist,
  • For example an operating system restricting a
    program to access objects outside its permitted
    domain.
  • Cryptographic separation
  • Processes hide their data and logic so that they
    are meaningless to outside processes.

8
Security Methods of Operating Systems
  • Separation is not sufficient!
  • Sometimes those separated objects may need to
    share resources. There is a range of options:
  • Do not protect
  • Isolate
  • Share all or share nothing
  • Share via access limitation
  • Share by capabilities
  • Limit use of an object

9
Memory and Address Protection
  • With multiprogramming we need to prevent one
    program from affecting the memory of other
    programs.
  • Protection can be built into the hardware
    mechanisms at virtually no additional cost.
  • Fence is a simple method to confine users to one
    side of a boundary.
  • Single-user operating systems used it to prevent
    a faulty user program from destroying resident
    portions of the operating system.

10
Memory and Address Protection - Fence
  • The fence can be a predefined memory address,
    allowing the operating system to be on one side
    and the user to reside on the other.
  • This method uses a fixed memory address and is
    not efficient.

11
Memory and Address Protection Fence Register
  • Fence Register contains the address of the end of
    the operating system.
  • Unlike a fixed fence, the location of the fence
    can be changed.
  • The program addresses are automatically compared
    with the fence address.
  • If the address > fence address (it is in the user
    area), then execute the instruction
  • If the address < fence address (it is in the
    operating system area), then raise an error

12
Memory and Address Protection Fence Register

13
Memory and Address Protection Fence Register
Limitations
  • A fence register protects only in one direction.
    The operating system can be protected from a
    single user,
  • The fence cannot protect one user from another
    user.
  • Something more is needed!

14
Memory and Address Protection - Relocation
  • With fixed sized operating systems programmers
    can write code assuming that the program begins
    at a constant address.
  • When the operating systems upgrade to new
    versions, the programs must be written so that
    they will not depend on placement at a fixed
    location in memory.

15
Memory and Address Protection - Relocation
  • Relocation is the process of adding a constant
    relocation factor to each address of the program.
  • This relocation factor is the starting address of
    the memory assigned for the program.
  • The fence register can be used as a hardware
    relocation device.
  • The contents of the fence register can be added
    to each program address.
  • So the address can be relocated and it will be
    guaranteed that no other program can access a
    location lower than the fence address.

16
Memory and Address Protection - Relocation using
Base/Bounds Registers
  • All addresses inside a program are offsets from
    that base address.
  • A variable fence register can be used as a base
    register to keep a lower address limit. A second
    register, called a bounds register, can also be
    used as an upper address limit.
  • Each program address is forced to be within the
    following range
  • base address < program address < bounds address

17
Memory and Address Protection - Relocation using
Base/Bounds
  • This method protects a program's addresses from
    modification by another user
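
An added example (not from the slides or the source textbook) that models the fence-register check and base/bounds relocation described above, showing what each one stops. The memory layout, the names and the FAULT return value are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define FAULT (-1)   /* returned where the hardware would raise an error */

/* Constructed layout (assumption): the OS occupies 0x0000-0x0FFF,
   user A is loaded at 0x1000-0x1FFF, user B at 0x2000-0x2FFF. */
static const uint32_t FENCE = 0x0FFF;              /* end of the operating system */

typedef struct { uint32_t base, bounds; } regs_t;  /* one pair per program */
static const regs_t USER_A = { 0x1000, 0x2000 };

/* Fence register rule: an address above the fence is executed, anything
   else raises an error. Only the lower side is checked. */
int64_t fence_check(uint32_t addr) {
    return addr > FENCE ? (int64_t)addr : FAULT;
}

/* Base/bounds: the program address is an offset from the base register and
   the relocated address must stay below the bounds register. Offset 0 maps
   to the base itself (an assumption; the slide writes both limits as strict).
   The sum is formed in 64 bits so a huge offset cannot wrap around to a
   low address and slip past the comparison. */
int64_t bb_translate(regs_t r, uint32_t offset) {
    uint64_t phys = (uint64_t)r.base + offset;
    return phys < r.bounds ? (int64_t)phys : FAULT;
}

int main(void) {
    /* The fence protects the OS but lets user A reach user B's memory. */
    printf("fence, OS address 0x0800       -> %lld\n", (long long)fence_check(0x0800));
    printf("fence, user B address 0x2400   -> %lld\n", (long long)fence_check(0x2400));
    /* Base/bounds confines user A to its own region in both directions. */
    printf("base/bounds, offset 0x0010     -> %lld\n", (long long)bb_translate(USER_A, 0x0010));
    printf("base/bounds, offset 0x1400     -> %lld\n", (long long)bb_translate(USER_A, 0x1400));
    printf("base/bounds, offset 0xFFFFF000 -> %lld\n", (long long)bb_translate(USER_A, 0xFFFFF000u));
    return 0;
}
```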

18
Memory and Address Protection - Tagged Architecture
  • The problem with using base/bounds registers is
    that each pair of registers confines accesses to
    a consecutive range of addresses.
  • This does not work if you want to protect some
    data values but not all. For example fields of a
    record.
  • A tagged architecture can solve this problem by
    adding one or more extra bits to each word to
    identify the access rights to that word.

19
Memory and Address Protection - Tagged Architecture
  • These access bits can be set only by privileged
    (operating system) instructions.
  • The bits are tested every time an instruction
    accesses that location.

20
Memory and Address Protection - Segmentation
  • Developed as an alternative to give the same
    effect of having an unbounded number of
    base/bounds registers.
  • Segmentation allows a program to be divided into
    many pieces having different access rights.
  • Each segment has a unique name.
  • A code or data item within a segment is addressed
    as the pair <name, offset>,
  • where name is the name of the segment containing
    the data item and offset is its location within
    the segment.

21
Memory and Address Protection - Segmentation
  • The relationship between a logical segment and
    its true memory position

22
Memory and Address Protection - Segmentation
  • When a program generates an address of the form
    <name, offset>, the operating system looks up
    name in the segment table and determines its real
    starting memory address.
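
An added example (not from the slides) of the <name, offset> lookup with per-segment access rights. The segment names, addresses and error codes are constructed, and the length check on the offset is an assumption carried over from the bounds register idea.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { R = 1, W = 2, X = 4 };   /* access rights, one set per segment */
enum { ERR_NO_SEGMENT = -1, ERR_OFFSET = -2, ERR_RIGHTS = -3 };

typedef struct {
    const char *name;    /* unique segment name */
    uint32_t    start;   /* real starting memory address */
    uint32_t    length;  /* segment size in bytes */
    int         rights;  /* R/W/X bits granted for this segment */
} segment_t;

/* Constructed segment table for one program (all values are assumptions). */
static const segment_t SEG_TABLE[] = {
    { "MAIN",  0x4000, 0x0800, R | X },
    { "DATA",  0x9000, 0x0200, R | W },
    { "CONST", 0x2000, 0x0100, R     },
};
#define NSEG (sizeof SEG_TABLE / sizeof SEG_TABLE[0])

/* Translate <name, offset> for an access of kind `want`.
   Returns the real address, or a negative error code. */
int64_t seg_translate(const char *name, uint32_t offset, int want) {
    for (size_t i = 0; i < NSEG; i++) {
        const segment_t *s = &SEG_TABLE[i];
        if (strcmp(s->name, name) != 0) continue;
        if (offset >= s->length) return ERR_OFFSET;         /* past the segment end */
        if ((s->rights & want) != want) return ERR_RIGHTS;  /* right not granted */
        return (int64_t)s->start + offset;
    }
    return ERR_NO_SEGMENT;   /* name is not in the segment table */
}

int main(void) {
    printf("<DATA, 0x010> write  -> %lld\n", (long long)seg_translate("DATA", 0x010, W));
    printf("<MAIN, 0x010> write  -> %lld\n", (long long)seg_translate("MAIN", 0x010, W));
    printf("<DATA, 0x200> read   -> %lld\n", (long long)seg_translate("DATA", 0x200, R));
    printf("<STACK, 0x000> read  -> %lld\n", (long long)seg_translate("STACK", 0x000, R));
    return 0;
}
```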

23
Memory and Address Protection Paging
  • One alternative to segmentation is paging.
  • The program is divided into equal-sized pieces
    called pages, and memory is divided into
    equal-sized units, called page frames.
  • Each address in a paging system is in two parts
  • <page, offset>.

24
Memory and Address Protection Paging
  • Address translation is done through a page table

25
Memory and Address Protection Paging Vs
Segmentation
  • With a segmentation approach, a programmer must
    be conscious of segments. So the protection of
    these logical units can be different
  • In a paging operating system, a programmer is
    unaware of page boundaries.
  • Thus, a change to a program, such as the addition
    of one instruction, will push all subsequent
    instructions to lower addresses and move a few
    bytes from the end of each page to the start of
    the next.
  • This shifting is transparent to the user. So
    protection treats all page contents in the same
    way.
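
An added example (not from the slides) of <page, offset> translation through a page table, followed by the shift described above: the same item lands on a different page once a few bytes are inserted before it. The page size, page table contents and item address are constructed values.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 1024u   /* assumption: 1 KiB pages and page frames */
#define NPAGES    4u
#define FAULT     (-1)

/* Constructed page table: index = page number, value = page frame number. */
static const uint32_t PAGE_TABLE[NPAGES] = { 7, 2, 9, 4 };

uint32_t page_of(uint32_t addr)   { return addr / PAGE_SIZE; }
uint32_t offset_of(uint32_t addr) { return addr % PAGE_SIZE; }

/* <page, offset> -> real address: frame number from the page table,
   offset carried over unchanged. */
int64_t page_translate(uint32_t addr) {
    uint32_t page = page_of(addr);
    if (page >= NPAGES) return FAULT;   /* no such page in this program */
    return (int64_t)PAGE_TABLE[page] * PAGE_SIZE + offset_of(addr);
}

/* Program address of an item after `inserted` bytes are added before it. */
uint32_t after_insert(uint32_t addr, uint32_t inserted) {
    return addr + inserted;
}

int main(void) {
    uint32_t item = 1020;                    /* constructed: item near the end of page 0 */
    uint32_t moved = after_insert(item, 8);  /* one 8-byte instruction added earlier */

    printf("before: <page %u, offset %u> -> real %lld\n",
           page_of(item), offset_of(item), (long long)page_translate(item));
    printf("after:  <page %u, offset %u> -> real %lld\n",
           page_of(moved), offset_of(moved), (long long)page_translate(moved));
    /* The item now sits on page 1, so any per-page protection setting
       applies to it by position, not by what the item is. */
    return 0;
}
```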