Operating Systems Lecture 12

1
Operating SystemsLecture 12

• File Access Control
• Security and Protection

phones off (please)
2
Overview

• Security
• the security environment
• famous security flaws
• user authentication
• passwords
• Protection
• protection domains (users and groups)
• protection matrix
• access control lists
• file permissions
• capabilities
• Locking Mechanisms

3
Basic Definitions

• The term security is used in a broad sense to
  refer to the overall problem of ensuring that the
  information in the computer (code and/or data)
  are not (mis-)used by unauthorised personnel
• system management problems rather than operating
  system problems
• technical, managerial, legal and political issues
• The term protection is used in a narrow sense to
  refer to the specific operating system mechanisms
  used to safeguard information in the computer
• an internal technical problem for the operating
  system

4
Security
5
The Security Environment

• Security has many facets
• two of the most important are
• data loss
• intruders
• Some common causes of data loss
• acts of god
• floods, earthquakes, riots, wars
• hardware / software errors
• processor faults, disk crashes, telecomms breaks,
  bugs
• human error
• incorrect data entry, e.g. rm -r as root in
  UNIX, lost media
• Always maintain adequate backups (offsite)

6
Intruder Types

• Casual prying by nontechnical users
• leaving your computer on when youre out of the
  room
• forgetting to log out a UNIX terminal
• Snooping by technical experts
• students, hobbyists, operators, etc., consider it
  a personal challenge to break into a system
• Money making
• deliberately breaking into e.g. banks for
  financial gain
• rounding fractions, siphoning old accounts,
  blackmail
• Commercial / political espionage
• serious and well-funded attempt to gain access

7
Famous Security Flaws

• UNIX
• the command mkdir foo ran with root permissions
• the inode was created and then the owner changed
• the inode could be removed and a new foo quickly
  linked to /etc/passwd before the chown
• result the user owned the password file!
• TENEX
• the login password verifier checked one character
  at a time in sequence and stopped on a mismatch
• a password could be positioned with only the
  first character on a page boundary
• if a page fault occurred the 1st char was
  correct, etc!

8
The Internet Worm

• In Nov. 1988, an American graduate student,
  Robert Tappan Morris, released a worm program
• Morris had discovered two bugs in BSD UNIX
• one was in finger, a command to provide personal
  user details over the network
• it could be overloaded by submitting a lengthy
  user name
• the other was in sendmail
• allowed a bootstrap program to be mailed and run
  remotely
• the worm then cracked (guessed) user passwords
• Unfortunately a bug caused his program to
  multiply wildly out of control and crash the
  whole internet
• he got a 10,000 fine, 3 yrs probation, 400 hrs
  C.S.!

9
The Melissa Virus

• March 26th, 1999, David L. Smith released a
  Microsoft Word 97 macro virus onto the internet
• it was christened Melissa by antivirus software
  sellers
• It ran when a Word email attachment was opened
  and it used MS Outlook to email copies to others
• by March 29th ? 100,000 systems were infected!
• David Smith was arrested on April 1st
• traced through his ISP (AOL) and phone lines
• caused gt 80m damage (mainly sys admin time)
• He had pleaded guilty by Dec 9th, 1999
• sentence was predicted to be 10 years and
  150,000
• actually received 20 months and 10,000 fine

10
Generic Types

• Trojan Horse
• modifying a normal program to perform a security
  breach in addition to its usual functions
• Trapdoor Attack
• a system programmer leaves a secret security
  hole in a piece of privileged software when its
  written
• Worms
• a self-contained self-replicating program
• designed to cause automatic damage?
• Viruses
• a self-replicating program that attaches itself
  to other programs (in order to do damage)

11
User Authentication

• User authentication is the process of identifying
  users and allowing authorised ones to log in
• The most widely used form of authentication is
  the combination of a username and password pair
• the username is publicly known id code
• the password is private to the individual
• the password entered at login is not displayed!
• The user passwords must be held on the system
• the common method is to use a one-way encryption
  algorithm, storing the encrypted versions is a
  file
• entered word is encrypted and compared to file
  entry

12
Password Guessing

• If the password file is publicly readable and the
  encryption algorithm is known, then guesses can
  be made and compared to the password file
• Morris Thompson 1979 (RTMs dad!) studied
  this and found 86 of password could be easily
  guessed
• e.g. username (!), username reversed, initials,
  common words
• this can be prevented by concatenating a random
  number (known to passwd checker) to each password
• or by not allowing the password file to be
  readable
• only a special system program (slow!) can access
  passwords
• Difficult passwds can be generated by the system
• easy to check passwds can be detected internally

13
Protection
14
Protection Domains

• First, have to distinguish policy from mechanism
• policy is what will be done
• whose data are to be protected from whom
• mechanism is how it will be done
• how the system enforces the protection policy
• A computer system is a collection of objects
• hardware objects (processor, disks, memory)
• software objects (files, processes)
• every object has a unique name in the system
• An access right is the ability or permission to
  perform an operation on an object
• A protection domain is a set of objects rights

15
UNIX Domains (Users and Groups)

• In UNIX a domain is associated with a user
• every user has a unique identifier, the user id
  (uid)
• Users may be grouped together in a many to many
  relationship
• every group has a unique identifier, the group id
  (gid)
• multiple users may be members of the same group
• a user may be a member of multiple groups
• Every object has a user and group owner
• When a process runs it acquires the uid and gid
  of the user that starts it
• A process may change these to its owner ids
• setuid set uid to owner setgid set gid to owner

16
MULTICS Domains (Rings)

• When a UNIX process does a system call it
  automatically acquires kernel (root) permissions
• this (and setuid / setgid) is called a domain
  switch
• These domain switches are remnants of a more
  powerful domain mechanism found in MULTICS
• MULTICS domains are organised as rings (64)
• the innermost ring (0) was the kernel with most
  power
• moving outward, the rings had successively less
  power

0
17
Protection Matrix

• Protection domains can be implemented through a
  matrix (2D-array) of access rights
• an access matrix

• in practice, an access matrix will be large and
  sparse
• most domains only access a few objects
• most objects wiill only be accessed by a few
  domains

18
Access Control Lists

• There are two approaches that may be used to
  efficiently store such a (sparse) matrix
• store only the non-empty elements of the matrix
  as lists of either columns or rows
• Listing by column associates a list of all
  domains that may access with the object
• this is called an access control list (ACL)
• For example, for each file there is a list of
• each user that is allowed to access the file
• with a set of access permissions
• e.g. LEC06-2.DOC (jong, rw), (cfi, r)

19
UNIX File Permissions

• Uses a reduced form of the access list concept
• rather than list every user that is allowed to
  access a file, the access rights are split into
  just three groups
• recall that each object (? file) has a uid and
  gid owner
• user (owner) permissions apply to file owner only
• r grants permission to read the file
• w grants permission to write to the file
• x grants permission to execute the file
• group (owner) permissions apply to any user who
  is a member of the files group owner
• other permissions apply to all other users
• For directories, x flag indicates search
  permission
• to allow a user to traverse (change into) the
  directory

20
Capabilities

• The other approach to implementing the protection
  matrix is to store information by rows
• for each domain a list is held of the objects
  that may be accessed by a process running in that
  domain
• this is called a capability list (C-list)
• The capability list is not directly accessible to
  the process, but rather is a protected object
• this implies that capability lists must be
  distinguished from other types of data to prevent
  tampering
• capability data may be tagged at a hardware level
• or, maintained exclusively within OS space (may
  be large)
• or, encrypted in user space (as in passwords)

21
Locking Mechanisms
22
File Locking

• A further aspect of data protection is locking
• one process has read/write permissions on a file
• another process has read permissions on the same
  file
• The file protection mechanisms do not prevent the
  file being written by the 1st and read by the 2nd
• this may cause significant problems and data loss
• even worse if both are writing a file at the same
  time!
• Some operating systems, e.g. UNIX, provide file
  locking mechanisms
• the information is held within the operating
  system open file tables

23
Example Record Locking

• Two kinds of lock are provided
• shared lock
• multiple shared locks are allowed on a single
  file, but an exclusive lock is not allowed if a
  shared lock exists
• exclusive lock
• any attempt to add a shared or another exclusive
  lock will fail
• The locks may be of any size
• the locking call has parameters filename, start,
  size
• When placing a lock, a process may block or not
• block system call doesnt return until the lock
  is placed
• no block system call returns with failure error

24
Summary

• Security
• the security environment
• famous security flaws
• user authentication
• passwords
• Protection
• protection domains (users and groups)
• protection matrix
• access control lists
• file permissions
• capabilities
• Locking Mechanisms