Security

1
Security

• Chapter 9

9.1 The security environment 9.2 User
authentication 9.3 Attacks from inside the
system 9.4 Attacks from outside the system 9.5
Protection mechanisms
2
The Security EnvironmentThreats

• Security goals and threats

3
Intruders

• Common Categories
• Casual prying by nontechnical users
• Snooping by insiders
• Determined attempt to make money
• Commercial or military espionage

4
Accidental Data Loss

• Common Causes
• Acts of God
• fires, floods, wars
• Hardware or software errors
• CPU malfunction, bad disk, program bugs
• Human errors
• data entry, wrong tape mounted

5
User Authentication

• Basic Principles. Authentication must identify
• Something the user knows
• Something the user has
• Something the user is
• This is done before user can use the system

6
Authentication Using Passwords

• (a) A successful login
• (b) Login rejected after name entered
• (c) Login rejected after name and password typed

7
Authentication Using Passwords

• How a cracker broke into LBL
• a U.S. Dept. of Energy research lab

8
Authentication Using Passwords
,
,
,
,
Password
Salt

• The use of salt to defeat precomputation of
• encrypted passwords

9
Authentication Using a Physical Object

• Magnetic cards
• magnetic stripe cards
• chip cards stored value cards, smart cards

10
Authentication Using Biometrics

• A device for measuring finger length.

11
Countermeasures

• Limiting times when someone can log in
• Automatic callback at number prespecified
• Limited number of login tries
• A database of all logins
• Simple login name/password as a trap
• security personnel notified when attacker bites

12
Operating System SecurityTrojan Horses

• Free program made available to unsuspecting user
• Actually contains code to do harm
• Place altered version of utility program on
  victim's computer
• trick user into running that program

13
Login Spoofing

• (a) Correct login screen
• (b) Phony login screen

14
Logic Bombs

• Company programmer writes program
• potential to do harm
• OK as long as he/she enters password daily
• ff programmer fired, no password and bomb
  explodes

15
Trap Doors

• (a) Normal code.
• (b) Code with a trapdoor inserted

16
Buffer Overflow

• (a) Situation when main program is running
• (b) After program A called
• (c) Buffer overflow shown in gray

17
Generic Security Attacks

• Typical attacks
• Request memory, disk space, tapes and just read
• Try illegal system calls
• Start a login and hit DEL, RUBOUT, or BREAK
• Try modifying complex OS structures
• Try to do specified DO NOTs
• Convince a system programmer to add a trap door
• Beg admin's secy to help a poor user who forgot
  password

18
Famous Security Flaws
(a)
(b)
(c)

• The TENEX password problem

19
Design Principles for Security

• System design should be public
• Default should be n access
• Check for current authority
• Give each process least privilege possible
• Protection mechanism should be
• simple
• uniform
• in lowest layers of system
• Scheme should be psychologically acceptable

And keep it simple
20
Network Security

• External threat
• code transmitted to target machine
• code executed there, doing damage
• Goals of virus writer
• quickly spreading virus
• difficult to detect
• hard to get rid of
• Virus program can reproduce itself
• attach its code to another program
• additionally, do harm

21
Virus Damage Scenarios

• Blackmail
• Denial of service as long as virus runs
• Permanently damage hardware
• Target a competitor's computer
• do harm
• espionage
• Intra-corporate dirty tricks
• sabotage another corporate officer's files

22
How Viruses Work

• Virus written in assembly language
• Inserted into another program
• use tool called a dropper
• Virus dormant until program executed
• then infects other programs
• eventually executes its payload

23
The Internet Worm

• Consisted of two programs
• bootstrap to upload worm
• the worm itself
• Worm first hid its existence
• Next replicated itself on new machines

24
Protection Mechanisms Protection Domains (1)

• Examples of three protection domains

25
Protection Domains (2)

• A protection matrix

26
Protection Domains (3)

• A protection matrix with domains as objects

27
Access Control Lists (1)

• Use of access control lists of manage file access

28
Access Control Lists (2)

• Two access control lists

29
Capabilities (1)

• Each process has a capability list

30
Capabilities (2)

• Cryptographically-protected capability
• Generic Rights
• Copy capability
• Copy object
• Remove capability
• Destroy object

Server Object Rights f(Objects, Rights, Check)
31
Input/Output

• Chapter 5

5.1 Principles of I/O hardware 5.2 Principles of
I/O software 5.3 I/O software layers 5.4
Disks 5.5 Clocks
32
Input/Output

• One of O.S main functions control I/O
• Issue commands to devices
• Catch interrupts
• Handle errors
• Provide interface between devices and rest of
  system
• Electrical Engineers Programmers
• I/O devices can be block devices and character
  devices
• Block devices store information in fixed-size
  blocks
• A character device accepts or delivers a stream
  of characters
• Classification is not perfect (e.g. tapes, clocks)

33
Principles of I/O Hardware

• Some typical device, network, and data base rates

34
Device Controllers

• I/O devices have components
• mechanical component
• electronic component
• The electronic component is the device controller
• may be able to handle multiple devices
• Interface between controller and device is a very
  low-level interface
• E.g. disks preamble serial bit stream
  checksum
• Controller's tasks
• convert serial bit stream to block of bytes
• perform error correction as necessary
• make available to main memory

35
Memory-Mapped I/O

• Each controller has a few registers data buffer
  to commu-nicate with CPU. These can be used by OS
  to read/write.

• Separate I/O and memory space
• Memory-mapped I/O
• Hybrid (e.g. Pentium, addresses 640K to 1MB for
  buffers, I/O ports 0 to 64K)

36
Memory-Mapped I/O

• (a) A single-bus architecture
• (b) A dual-bus memory architecture

37
Direct Memory Access (DMA)

• DMA controller is required
• Disk reads when not DMA is used
• Disk controller reads serially bit-by-bit the
  block
• Causes an interrupt
• Transfer block to memory
• With DMA the procedure is differrent
• CPU programs DMA controller by setting addresses
• Instructs disk controller to read data into its
  buffer
• When block in buffer, DMA starts.

38
Direct Memory Access (DMA)

• Operation of a DMA transfer

39
Interrupts Revisited

• How interrupts happens. Connections between
  devices and interrupt controller actually use
  interrupt lines on the bus rather than dedicated
  wires

40
Principles of I/O SoftwareGoals of I/O Software

• Device independence
• programs can access any I/O device
• without specifying device in advance (floppy,
  hard drive, or CD-ROM)
• Uniform naming
• name of a file or device a string or an integer
• not depending on which machine
• Error handling
• handle as close to the hardware as possible

41
Goals of I/O Software

• Synchronous vs. asynchronous transfers
• blocking transfers vs. interrupt-driven (in
  programs we use blocking I/O it is up to OS to
  make asynchronous look like synchronous)
• Buffering
• data coming off a device cannot be stored in
  final destination (e.g. packets in networks)
• Sharable vs. dedicated devices
• disks are sharable
• tape drives would not be

42
I/O Software Layers

• Layers of the I/O Software System

43
Interrupt Handlers (1)

• Interrupt handlers are best hidden
• have driver starting an I/O operation block until
  interrupt notifies of completion
• Interrupt procedure does its task
• then unblocks driver that started it
• Steps must be performed in software after
  interrupt completed
• Save regs not already saved by interrupt hardware
• Set up context for interrupt service procedure

44
Interrupt Handlers (2)

• Set up stack for interrupt service procedure
• Ack interrupt controller, reenable interrupts
• Copy registers from where saved
• Run service procedure
• Set up MMU context for process to run next
• Load new process' registers
• Start running the new process
• A lot of work!!!

45
Device Drivers

• Each I/O device needs some device-specific code
  to control it.
• Logical position of device drivers is shown here
• Communications between drivers and device
  controllers goes over the bus

46
Device-Independent I/O Software

• Some parts of I/O software is not
  device-specific. The exact boundary is system
  specific and depends on other factors.
• Functions of the device-independent I/O software

Uniform interfacing for device drivers
Buffering
Error reporting
Allocating and releasing dedicate devices
Providing a deice-independent block size
47
User-Space I/O Software

• Most of the I/O software is within the OS
• A small portion consists of libraries linked
  together with user programs (e.g. system calls)
• count write(fd,buffer,nbytes)

48
DisksDisk Hardware

• Disk parameters for the original IBM PC floppy
  disk and a Western Digital WD 18300 hard disk

49
Disk Hardware

• Physical geometry of a disk with two zones
• A possible virtual geometry for this disk

50
Disk Formatting

• A disk sector

51
Disk Formatting
An illustration of cylinder skew
52
Disk Formatting

• No interleaving
• Single interleaving
• Double interleaving

53
Disk Arm Scheduling Algorithms

• Time required to read or write a disk block
  determined by 3 factors
• Seek time
• Rotational delay
• Actual transfer time
• Seek time dominates the other two times
• Error checking is done by controllers
• If FCFS, nothing much can be done. If heavily
  loaded, then multiple algorithms

54
Disk Arm Scheduling Algorithms

• If FCFS, nothing much can be done. If heavily
  loaded, then many pending requests. There are
  algorithms to find a good sequence to minimize
  seek time.
• Many disk drivers maintain table, indexed by
  cylinder number with all pending requests for
  each cylinder chained together in a linked list.
• FCFS
• SSF
• Elevator

55
Disk Arm Scheduling Algorithms
Pending requests
Initial position

• Shortest Seek First (SSF) disk scheduling
  algorithm
• A request for block 11. While seeking, new
  requests for 1, 36, 16, 34, 9 and 12 are coming.
• Problem?

56
Disk Arm Scheduling Algorithms

• The elevator algorithm for scheduling disk
  requests. Similar to elevators in tall buildings
  they keep moving toward one direction until no
  more requests toward this.
• A slight modification always move toward one
  direction

57
Error Handling

• A disk track with a bad sector
• Substituting a spare for the bad sector
• Shifting all the sectors to bypass the bad one

58
ClocksClock Hardware

• A programmable clock
• One shot mode
• Square-wave mode

59
Clock Software (clock driver)

• Maintaining the time of the day
• Accounting for processes
• Accounting for CPU usage
• Implementing the alarm system call for user
  processes.

• Three ways to maintain the time of day

60
Clock Software

• Simulating multiple timers with a single clock