Emery Berger - PowerPoint PPT Presentation

About This Presentation
Title:

Emery Berger

Description:

Operating Systems CMPSCI 377 Lecture 22: Protection & Security Emery Berger University of Massachusetts, Amherst Security Secure if either: Cost of attacking system ... – PowerPoint PPT presentation

Number of Views:115
Avg rating:3.0/5.0
Slides: 33
Provided by: csUmassE
Category:

less

Transcript and Presenter's Notes

Title: Emery Berger


1
Operating SystemsCMPSCI 377Lecture 22
Protection Security
  • Emery Berger
  • University of Massachusetts, Amherst

2
Security
  • Secure if either
  • Cost of attacking system gt value of protected
    resources
  • You attack 100 of gold with a 120 attack dog.
  • Cost can equal the computer or network resources
    required to attack the system
  • Time to attack system longer than time resource
    has value
  • Dont need to protect time and place of secret
    event after event takes place
  • Time can be processing time to compute correct
    result (e.g., guessing a password)

3
Protection
  • Lets say we have a valuable resource like an
    O.S.
  • collection of objects, hardware software
  • objects have unique names
  • accessed through well-defined set of operations
  • Goal of protection
  • Ensure each object accessed correctly only by
    authorized processes according to some policy.
  • Policy statement of what states (and
    operations) are allowed (i.e., secure/authorized)
    vs. not allowed (i.e., nonsecure/unauthorized)
    for specific system

4
Protection Domains
  • Access-right ltobject-name, rights-setgt
  • Rights-set subset of all valid operations that
    can be performed on the object
  • (i.e., the policy!)
  • Domain set of access-rights

5
UNIX Domain Implementation
  • Example 1 UNIX
  • Domain implemented as user-id
  • Files are an example of an object
  • (well see others, like laser printers and email
    servers)
  • Sometimes, OS does domain switching to execute
    some task
  • Each file has associated domain bit (setuid bit)
  • When file executed and setuidon,user-id set to
    owner of the file being executed
  • When execution completes, user-id is reset
  • ps is a setuid program, as is lpr.

6
Domain Implementation
  • MULTICS
  • Precursor to UNIX, by MIT GE
  • Ring protection system, by Bob Graham

7
Multics Rings
  • Nested domain structure (rings)
  • Let Di and Dj be any two domain rings
  • If j lt I ? Di ? Dj
  • lower-level more privileges
  • each process maintains current ring number

8
Access Matrix
  • Column access-control list for one object
  • Defines who can perform what operation
  • Row capability list
  • Operations allowed on what objects, per-domain

9
Use of Access Matrix (Cont.)
  • Design separates mechanism from policy
  • Mechanism
  • Operating system provides access-matrix rules.
  • Ensures that the matrix is only manipulated by
    authorized agents and that rules are strictly
    enforced
  • Policy
  • User dictates policywho can access what object
    and in what mode

10
Dynamic Access Matrices
  • Extend for dynamic protectionOperations to add,
    delete access rights
  • transfer switch from domain Di to Dj
  • owner of Oi
  • copy op from Oi to Oj
  • control Di can modify Djs access rights

11
Switching Domains
  • Switching domains add domains as objects!

12
Access Matrix with Copy Rights
  • Asterisk denotes that access right can be copied
    within column

13
Access Matrix With Owner Rights
  • Ownershipcan add new rights, remove some rights

14
Control Modifying Access Matrix
  • Control process executing in one domain can
    modify another domain
  • ExampleD2 changes D4

15
Implementation of Access Matrix
  • Global table ltdomain, object, right-setgt
  • Too large, no grouping
  • Access list ltdomain, right-setgt per object
  • Simple
  • Capability List list of objects operations
  • Object name capability (think special pointer)
  • Check in capability list for access

16
Revocation of Access Rights
  • Access-list scheme
  • Search for right to be revoked, delete
  • Immediate, can be selective (just affect some
    users), can be partial (just some rights revoked)

17
Revocation of Access Rights
  • Capabilities more complicated
  • Reacquisition
  • Try to reacquire after deletion
  • Back-pointers point from object to capabilities
  • Expensive (used in MULTICS)
  • Indirection
  • Capability points to entry in table
  • Not selective
  • Keys
  • One key per capability
  • Check in global key table

18
Language-Based Protection
  • Specification of protection in programming
    language
  • Allows high-level description of policies for
    allocation and use of resources
  • Example Java
  • Language implementation
  • Can provide software for protection enforcement
    when automatic hardware-supported checking is
    unavailable
  • Interpret protection specifications to generate
    calls on whatever protection system provided by
    hardware and OS

19
Java Security Model
20
Security
  • The Security Problem
  • Authentication
  • Program Threats
  • System Threats
  • Threat Monitoring
  • Encryption

21
The Security Problem
  • Security must consider external environment of
    the system, and protect it from
  • unauthorized access
  • malicious modification or destruction
  • accidental introduction of inconsistency
  • Easier to protect against accidental than
    malicious misuse

22
Authentication
  • User identity most often established through
    passwords, can be considered a special case of
    either keys or capabilities.
  • Passwords must be kept secret.
  • Frequent change of passwords
  • Use of non-guessable passwords
  • Log all invalid access attempts

23
Program Threats (Malware)
  • Trojan Horse
  • Code segment that misuses its environment
  • Exploits mechanisms for allowing programs written
    by users to be executed by other users
  • Trap Door
  • Specific user identifier or password that
    circumvents normal security procedures.
  • Could be included in compiler

24
System Threats Worms
  • Worms use spawn mechanism standalone program
  • Exploited UNIX networking features (remote
    access) and bugs in finger and sendmail programs
  • Grappling hook program uploaded main worm program

25
System Threats Viruses
  • Viruses fragment of code embedded in a
    legitimate program
  • Mainly affect PCs, infected via Internet
  • Old days exchanging floppy disks containing an
    infection

26
The Morris Internet Worm (1988)
27
Threat Monitoring
  • Check for suspicious patterns of activity
  • i.e., several incorrect password attempts may
    signal password guessing
  • Audit log
  • Records time, user, type of all accesses to
    object
  • Useful for recovery from violation, developing
    better security measures
  • Scan system periodically for security holes
  • Done when the computer is relatively unused

28
Threat Monitoring (Cont.)
  • Check for
  • Short or easy-to-guess passwords
  • Unauthorized setuid programs
  • Unauthorized programs in system directories
  • Unexpected long-running processes
  • Improper directory protections
  • Improper protections on system data files
  • Dangerous entries in the program search path
    (Trojan horse)
  • Changes to system programs monitor checksum
    values

29
Network Security Through Domain Separation Via
Firewall
30
Encryption
  • Encrypt clear text into cipher text, and vice
    versa
  • Properties of good encryption technique
  • Relatively simple for authorized users to encrypt
    and decrypt data
  • Encryption scheme depends not on secrecy of
    algorithm but on parameter of algorithm called
    encryption key
  • Extremely difficult for an intruder to determine
    the encryption key
  • Advanced Encryption Standard now standard
    (Rijndael)

31
Encryption (Cont.)
  • Public-key encryption based on each user having
    two keys
  • public key published key used to encrypt data
  • private key key known only to individual user
    used to decrypt data
  • Encryption scheme is public, but still strong
  • No reliance on security through obscurity
  • Basis of these
  • Easy to multiply primes, but hard to factor this
    product

32
Summary
  • Protection
  • Protection Domains, Access Matrix, Revocation of
    Access Rights, Capability-Based Systems,
    Language-Based Protection
  • Security
  • Authentication, Program Threats, System Threats,
    Threat Monitoring, Encryption
Write a Comment
User Comments (0)
About PowerShow.com