Emery Berger

1
Operating SystemsCMPSCI 377Lecture 22
Protection Security

• Emery Berger
• University of Massachusetts, Amherst

2
Security

• Secure if either
• Cost of attacking system gt value of protected
  resources
• You attack 100 of gold with a 120 attack dog.
• Cost can equal the computer or network resources
  required to attack the system
• Time to attack system longer than time resource
  has value
• Dont need to protect time and place of secret
  event after event takes place
• Time can be processing time to compute correct
  result (e.g., guessing a password)

3
Protection

• Lets say we have a valuable resource like an
  O.S.
• collection of objects, hardware software
• objects have unique names
• accessed through well-defined set of operations
• Goal of protection
• Ensure each object accessed correctly only by
  authorized processes according to some policy.
• Policy statement of what states (and
  operations) are allowed (i.e., secure/authorized)
  vs. not allowed (i.e., nonsecure/unauthorized)
  for specific system

4
Protection Domains

• Access-right ltobject-name, rights-setgt
• Rights-set subset of all valid operations that
  can be performed on the object
• (i.e., the policy!)
• Domain set of access-rights

5
UNIX Domain Implementation

• Example 1 UNIX
• Domain implemented as user-id
• Files are an example of an object
• (well see others, like laser printers and email
  servers)
• Sometimes, OS does domain switching to execute
  some task
• Each file has associated domain bit (setuid bit)
• When file executed and setuidon,user-id set to
  owner of the file being executed
• When execution completes, user-id is reset
• ps is a setuid program, as is lpr.

6
Domain Implementation

• MULTICS
• Precursor to UNIX, by MIT GE
• Ring protection system, by Bob Graham

7
Multics Rings

• Nested domain structure (rings)
• Let Di and Dj be any two domain rings
• If j lt I ? Di ? Dj

• lower-level more privileges
• each process maintains current ring number

8
Access Matrix

• Column access-control list for one object
• Defines who can perform what operation
• Row capability list
• Operations allowed on what objects, per-domain

9
Use of Access Matrix (Cont.)

• Design separates mechanism from policy
• Mechanism
• Operating system provides access-matrix rules.
• Ensures that the matrix is only manipulated by
  authorized agents and that rules are strictly
  enforced
• Policy
• User dictates policywho can access what object
  and in what mode

10
Dynamic Access Matrices

• Extend for dynamic protectionOperations to add,
  delete access rights
• transfer switch from domain Di to Dj
• owner of Oi
• copy op from Oi to Oj
• control Di can modify Djs access rights

11
Switching Domains

• Switching domains add domains as objects!

12
Access Matrix with Copy Rights

• Asterisk denotes that access right can be copied
  within column

13
Access Matrix With Owner Rights

• Ownershipcan add new rights, remove some rights

14
Control Modifying Access Matrix

• Control process executing in one domain can
  modify another domain
• ExampleD2 changes D4

15
Implementation of Access Matrix

• Global table ltdomain, object, right-setgt
• Too large, no grouping
• Access list ltdomain, right-setgt per object
• Simple
• Capability List list of objects operations
• Object name capability (think special pointer)
• Check in capability list for access

16
Revocation of Access Rights

• Access-list scheme
• Search for right to be revoked, delete
• Immediate, can be selective (just affect some
  users), can be partial (just some rights revoked)

17
Revocation of Access Rights

• Capabilities more complicated
• Reacquisition
• Try to reacquire after deletion
• Back-pointers point from object to capabilities
• Expensive (used in MULTICS)
• Indirection
• Capability points to entry in table
• Not selective
• Keys
• One key per capability
• Check in global key table

18
Language-Based Protection

• Specification of protection in programming
  language
• Allows high-level description of policies for
  allocation and use of resources
• Example Java
• Language implementation
• Can provide software for protection enforcement
  when automatic hardware-supported checking is
  unavailable
• Interpret protection specifications to generate
  calls on whatever protection system provided by
  hardware and OS

19
Java Security Model
20
Security

• The Security Problem
• Authentication
• Program Threats
• System Threats
• Threat Monitoring
• Encryption

21
The Security Problem

• Security must consider external environment of
  the system, and protect it from
• unauthorized access
• malicious modification or destruction
• accidental introduction of inconsistency
• Easier to protect against accidental than
  malicious misuse

22
Authentication

• User identity most often established through
  passwords, can be considered a special case of
  either keys or capabilities.
• Passwords must be kept secret.
• Frequent change of passwords
• Use of non-guessable passwords
• Log all invalid access attempts

23
Program Threats (Malware)

• Trojan Horse
• Code segment that misuses its environment
• Exploits mechanisms for allowing programs written
  by users to be executed by other users
• Trap Door
• Specific user identifier or password that
  circumvents normal security procedures.
• Could be included in compiler

24
System Threats Worms

• Worms use spawn mechanism standalone program
• Exploited UNIX networking features (remote
  access) and bugs in finger and sendmail programs
• Grappling hook program uploaded main worm program

25
System Threats Viruses

• Viruses fragment of code embedded in a
  legitimate program
• Mainly affect PCs, infected via Internet
• Old days exchanging floppy disks containing an
  infection

26
The Morris Internet Worm (1988)
27
Threat Monitoring

• Check for suspicious patterns of activity
• i.e., several incorrect password attempts may
  signal password guessing
• Audit log
• Records time, user, type of all accesses to
  object
• Useful for recovery from violation, developing
  better security measures
• Scan system periodically for security holes
• Done when the computer is relatively unused

28
Threat Monitoring (Cont.)

• Check for
• Short or easy-to-guess passwords
• Unauthorized setuid programs
• Unauthorized programs in system directories
• Unexpected long-running processes
• Improper directory protections
• Improper protections on system data files
• Dangerous entries in the program search path
  (Trojan horse)
• Changes to system programs monitor checksum
  values

29
Network Security Through Domain Separation Via
Firewall
30
Encryption

• Encrypt clear text into cipher text, and vice
  versa
• Properties of good encryption technique
• Relatively simple for authorized users to encrypt
  and decrypt data
• Encryption scheme depends not on secrecy of
  algorithm but on parameter of algorithm called
  encryption key
• Extremely difficult for an intruder to determine
  the encryption key
• Advanced Encryption Standard now standard
  (Rijndael)

31
Encryption (Cont.)

• Public-key encryption based on each user having
  two keys
• public key published key used to encrypt data
• private key key known only to individual user
  used to decrypt data
• Encryption scheme is public, but still strong
• No reliance on security through obscurity
• Basis of these
• Easy to multiply primes, but hard to factor this
  product

32
Summary

• Protection
• Protection Domains, Access Matrix, Revocation of
  Access Rights, Capability-Based Systems,
  Language-Based Protection
• Security
• Authentication, Program Threats, System Threats,
  Threat Monitoring, Encryption