Title: Emery Berger
1 Operating Systems, CMPSCI 377, Lecture 22
Protection and Security
- Emery Berger
- University of Massachusetts, Amherst
2 Security
- Secure if either:
  - Cost of attacking the system > value of the protected resources
    - You attack $100 of gold with a $120 attack dog.
    - Cost can equal the computer or network resources required to attack the system
  - Time to attack the system is longer than the time the resource has value
    - Don't need to protect the time and place of a secret event after the event takes place
    - Time can be processing time to compute the correct result (e.g., guessing a password)
3 Protection
- Let's say we have a valuable resource like an O.S.: a collection of objects, hardware and software
  - objects have unique names
  - accessed through a well-defined set of operations
- Goal of protection:
  - Ensure each object is accessed correctly and only by authorized processes, according to some policy.
  - Policy: statement of what states (and operations) are allowed (i.e., secure/authorized) vs. not allowed (i.e., nonsecure/unauthorized) for a specific system
4 Protection Domains
- Access-right = <object-name, rights-set>
  - Rights-set: subset of all valid operations that can be performed on the object (i.e., the policy!)
- Domain = set of access-rights
5 UNIX Domain Implementation
- Example 1: UNIX
  - Domain implemented as user-id
  - Files are an example of an object
    - (we'll see others, like laser printers and email servers)
  - Sometimes, the OS does domain switching to execute some task
    - Each file has an associated domain bit (setuid bit)
    - When a file is executed and setuid is on, the user-id is set to the owner of the file being executed
    - When execution completes, the user-id is reset
    - ps is a setuid program, as is lpr.
6 Domain Implementation
- MULTICS
  - Precursor to UNIX, by MIT and GE
  - Ring protection system, by Bob Graham
7 Multics Rings
- Nested domain structure (rings)
- Let Di and Dj be any two domain rings
  - If j < i, then Di ⊆ Dj
  - lower-level = more privileges
  - each process maintains a current ring number
8 Access Matrix
- Column = access-control list for one object
  - Defines who can perform what operation
- Row = capability list
  - Operations allowed on what objects, per domain
9 Use of Access Matrix (Cont.)
- Design separates mechanism from policy
- Mechanism
  - Operating system provides the access-matrix rules.
  - Ensures that the matrix is only manipulated by authorized agents and that the rules are strictly enforced
- Policy
  - User dictates policy: who can access what object, and in what mode
10 Dynamic Access Matrices
- Extend for dynamic protection: operations to add and delete access rights
  - transfer: switch from domain Di to Dj
  - owner of Oi
  - copy op from Oi to Oj
  - control: Di can modify Dj's access rights
11 Switching Domains
- Switching domains: add domains as objects!
12 Access Matrix with Copy Rights
- Asterisk denotes that the access right can be copied within its column
13 Access Matrix With Owner Rights
- Ownership: can add new rights, remove some rights
14 Control: Modifying the Access Matrix
- Control: a process executing in one domain can modify another domain
  - Example: D2 changes D4
15 Implementation of Access Matrix
- Global table: <domain, object, right-set>
  - Too large, no grouping
- Access list: <domain, right-set> per object
  - Simple
- Capability list: list of objects and operations
  - Object name = capability (think special pointer)
  - Check in capability list for access
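The dynamic access matrix of slides 10 through 15, as an added example that is not part of the lecture: domains appear as objects so that a switch right can sit in a domain's column, a trailing asterisk marks a copyable right, the owner right edits a column, and the control right edits another domain's row. The domain and object names (D1..D4, F1, F2) are constructed for the demo.

```python
from collections import defaultdict


class AccessMatrix:
    def __init__(self):
        # matrix[domain][obj] is a set of rights; a trailing '*' marks a copy right
        self.matrix = defaultdict(lambda: defaultdict(set))

    def grant(self, domain, obj, right):
        self.matrix[domain][obj].add(right)

    def revoke(self, domain, obj, right):
        self.matrix[domain][obj] -= {right, right + "*"}

    def has(self, domain, obj, right):
        return bool({right, right + "*"} & self.matrix[domain][obj])

    def switch(self, current, target):  # slide 11: domains are objects too
        if not self.has(current, target, "switch"):
            raise PermissionError(f"{current} cannot switch to {target}")
        return target

    def copy(self, src, dst, obj, right):  # slide 12: starred right, same column
        if right + "*" not in self.matrix[src][obj]:
            raise PermissionError(f"{src} has no copyable {right} on {obj}")
        self.matrix[dst][obj].add(right)  # copied without the star

    def owner_edit(self, owner, obj, target, right, add=True):  # slide 13
        # Owner of obj may add or remove any right anywhere in obj's column.
        if not self.has(owner, obj, "owner"):
            raise PermissionError(f"{owner} does not own {obj}")
        (self.grant if add else self.revoke)(target, obj, right)

    def control_edit(self, controller, target, obj, right, add=True):  # slide 14
        # Controller of a domain may add or remove any right in that domain's row.
        if not self.has(controller, target, "control"):
            raise PermissionError(f"{controller} does not control {target}")
        (self.grant if add else self.revoke)(target, obj, right)


def demo():
    m = AccessMatrix()
    m.grant("D1", "F1", "read*")      # D1 may read F1 and pass that right on
    m.grant("D1", "F2", "owner")
    m.grant("D1", "D2", "switch")
    m.grant("D2", "D4", "control")    # slide 14 example: D2 changes D4
    m.copy("D1", "D3", "F1", "read")  # D3 receives plain "read", no star
    m.owner_edit("D1", "F2", "D3", "write")
    m.control_edit("D2", "D4", "F1", "write")
    return m, m.switch("D1", "D2")
```

Because the copied right arrives without its star, D3 cannot pass read on any further; this is the mechanism that bounds how far a right spreads within a column.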
16 Revocation of Access Rights
- Access-list scheme
  - Search for the right to be revoked, delete it
  - Immediate; can be selective (affect just some users); can be partial (just some rights revoked)
17 Revocation of Access Rights
- Capabilities: more complicated
  - Reacquisition
    - Try to reacquire after deletion
  - Back-pointers: point from the object to its capabilities
    - Expensive (used in MULTICS)
  - Indirection
    - Capability points to an entry in a table
    - Not selective
  - Keys
    - One key per capability
    - Check in a global key table
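Revocation under the two schemes of slides 16 and 17, as an added example that is not from the lecture: an access list revokes by deleting entries at the object (selective and partial), while the key scheme gives each capability a key at issue time and consults a global key table, so revocation means deleting keys; a holder can then try to reacquire. The object and domain names are constructed for the demo.

```python
import secrets


class AccessListObject:
    """Access-list scheme (slide 16): the object keeps its own <domain, right-set> entries."""

    def __init__(self):
        self.acl = {}

    def grant(self, domain, *rights):
        self.acl.setdefault(domain, set()).update(rights)

    def check(self, domain, right):
        return right in self.acl.get(domain, set())

    def revoke(self, domain, *rights):
        # Immediate, selective (one domain) and partial (only the named rights;
        # with no rights given, everything that domain holds is removed).
        held = self.acl.get(domain, set())
        held -= set(rights) or set(held)


class KeyedCapabilities:
    """Key scheme (slide 17): each capability gets an unguessable key when issued,
    and the global key table lists the keys still valid for each object. A
    capability works only while its key is in the table."""

    def __init__(self):
        self.key_table = {}  # obj -> set of currently valid keys

    def issue(self, obj, rights):
        key = secrets.token_bytes(16)
        self.key_table.setdefault(obj, set()).add(key)
        return (obj, key, frozenset(rights))  # the capability handed to the holder

    def check(self, cap, right):
        obj, key, rights = cap
        return key in self.key_table.get(obj, ()) and right in rights

    def revoke(self, obj, key=None):
        # One key revokes one capability; no key revokes every capability to obj.
        keys = self.key_table.get(obj, set())
        keys -= {key} if key else set(keys)
```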
18 Language-Based Protection
- Specification of protection in a programming language
  - Allows high-level description of policies for allocation and use of resources
  - Example: Java
- Language implementation
  - Can provide software for protection enforcement when automatic hardware-supported checking is unavailable
  - Interpret protection specifications to generate calls on whatever protection system is provided by the hardware and OS
19 Java Security Model
20 Security
- The Security Problem
- Authentication
- Program Threats
- System Threats
- Threat Monitoring
- Encryption
21 The Security Problem
- Security must consider the external environment of the system, and protect it from:
  - unauthorized access
  - malicious modification or destruction
  - accidental introduction of inconsistency
- Easier to protect against accidental than malicious misuse
22 Authentication
- User identity is most often established through passwords, which can be considered a special case of either keys or capabilities.
- Passwords must be kept secret.
  - Frequent change of passwords
  - Use of non-guessable passwords
  - Log all invalid access attempts
23 Program Threats (Malware)
- Trojan Horse
  - Code segment that misuses its environment
  - Exploits mechanisms for allowing programs written by users to be executed by other users
- Trap Door
  - Specific user identifier or password that circumvents normal security procedures.
  - Could be included in a compiler
24 System Threats: Worms
- Worms use a spawn mechanism; standalone program
- Exploited UNIX networking features (remote access) and bugs in the finger and sendmail programs
  - Grappling hook program uploaded the main worm program
25 System Threats: Viruses
- Viruses: fragment of code embedded in a legitimate program
- Mainly affect PCs, infected via the Internet
  - Old days: exchanging floppy disks containing an infection
26 The Morris Internet Worm (1988)
27 Threat Monitoring
- Check for suspicious patterns of activity
  - i.e., several incorrect password attempts may signal password guessing
- Audit log
  - Records time, user, and type of all accesses to an object
  - Useful for recovery from a violation and for developing better security measures
- Scan the system periodically for security holes
  - Done when the computer is relatively unused
28 Threat Monitoring (Cont.)
- Check for:
  - Short or easy-to-guess passwords
  - Unauthorized setuid programs
  - Unauthorized programs in system directories
  - Unexpected long-running processes
  - Improper directory protections
  - Improper protections on system data files
  - Dangerous entries in the program search path (Trojan horse)
  - Changes to system programs: monitor checksum values
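Two of the periodic checks on slide 28, unauthorized setuid programs and checksum changes to system programs, as an added example that is not from the lecture. The scanner walks a directory, flags setuid files missing from an allow-list, and compares monitored programs against a checksum baseline; the sample tree (ls, passwd, rogue) is constructed in a temporary directory and is not a real system path.

```python
import hashlib
import os
import stat
import tempfile


def checksum(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def baseline(paths):
    """Record checksums of trusted system programs while the system is known-good."""
    return {p: checksum(p) for p in paths}


def scan(root, known, allowed_setuid=()):
    """Report setuid programs not on the allow-list and changes to monitored programs.
    Paths in the report are relative to root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
            if stat.S_ISREG(mode) and mode & stat.S_ISUID and path not in allowed_setuid:
                findings.append(("unauthorized-setuid", os.path.relpath(path, root)))
    for path, digest in known.items():
        rel = os.path.relpath(path, root)
        if not os.path.isfile(path):
            findings.append(("missing", rel))
        elif checksum(path) != digest:
            findings.append(("checksum-changed", rel))
    return sorted(findings)


def demo():
    # Constructed sample tree standing in for a system directory (not a real /usr/bin).
    root = tempfile.mkdtemp()
    paths = {n: os.path.join(root, n) for n in ("ls", "passwd", "rogue")}
    for name, path in paths.items():
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
    os.chmod(paths["passwd"], 0o4755)  # legitimate, allow-listed setuid program
    known = baseline([paths["ls"], paths["passwd"]])
    # Events after the baseline: a monitored program changes and a new setuid file appears.
    with open(paths["ls"], "ab") as f:
        f.write(b"# changed\n")
    os.chmod(paths["rogue"], 0o4755)
    return scan(root, known, allowed_setuid={paths["passwd"]})
```

The baseline must be stored somewhere the monitored system cannot rewrite, otherwise a change to a program can be hidden by also updating its recorded checksum.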
29 Network Security Through Domain Separation Via Firewall
30 Encryption
- Encrypt clear text into cipher text, and vice versa
- Properties of a good encryption technique:
  - Relatively simple for authorized users to encrypt and decrypt data
  - Encryption scheme depends not on the secrecy of the algorithm but on a parameter of the algorithm called the encryption key
  - Extremely difficult for an intruder to determine the encryption key
- Advanced Encryption Standard (Rijndael) is now the standard
31 Encryption (Cont.)
- Public-key encryption: based on each user having two keys
  - public key: published key used to encrypt data
  - private key: key known only to the individual user, used to decrypt data
- Encryption scheme is public, but still strong
  - No reliance on security through obscurity
- Basis of these:
  - Easy to multiply primes, but hard to factor the product
32 Summary
- Protection
  - Protection Domains, Access Matrix, Revocation of Access Rights, Capability-Based Systems, Language-Based Protection
- Security
  - Authentication, Program Threats, System Threats, Threat Monitoring, Encryption