
CS134a: Security


Presentation Transcript


  1. CS134a: Security
     • Overall outline
       • Basic Issues
       • Types of protection and security
       • Penetration of a computing facility
       • Access and information-flow control mechanisms
       • Protection Problems
     Computing Systems http://www.cs.caltech.edu/cs134/cs134a November 13, 2014

  2. User authentication methods
     • Based on one or more of the following:
       • Knowledge of some “secret” information (e.g. password)
       • Possession of some artifact (e.g. key)
       • Physical characteristic (e.g. fingerprint, brainwave)
     • Secret information may be
       • password
       • an interactive dialog (what’s your SS#, mother’s maiden name, etc.)
       • a combination to the lock on a room

  3. Physical artifacts
     • A card with machine-readable information
       • Bank machines (ATMs) require card+PIN
     • Badges
     • Keys

  4. Physical characteristics
     • Kinds
       • Fingerprints: hard to implement
       • Hand geometry: lengths of fingers, etc.
       • Voice patterns
       • Signatures: speed and force of writing
     • Uncertain recognition may reject an authorized user
       • or accept an impostor

  5. Penetration
     • A user may bypass authentication mechanisms
     • A user may obtain information that will permit legal entry
       • Wire tapping
         • Watching the network for cleartext passwords
         • Never send a cleartext password over the Internet! Use encryption (like ssh) to protect your passwords
       • Trial-and-error
         • Guess a password: seems hard with 8-character passwords (64^8 combinations)
         • In practice, people tend to use a small subset

  6. Penetration
     • Browsing: When storage is deallocated, the system rarely erases it (free disk blocks or memory pages). Defense systems often require garbage to be copied onto deallocated areas.
     • Waste searching. Looking through garbage cans, etc., is highly successful.
     • Trap doors: applications may contain secret entries. A Trojan Horse is a program offered for public use that performs unadvertised actions.

  7. Access and Information Flow Control
     • Process information locations
       • Registers
       • Associative memories (cache, TLB)
       • Primary memory
       • Secondary memory
     • Protection
       • OS saves and restores registers on each context switch; registers are private
       • Cache and TLB are inaccessible to user-mode programs

  8. Access and information flow control
     • An execution environment includes
       • programs, files, processes residing in primary and secondary memory
       • hardware components like IO devices or special processors
     • Execution environment may be
       • static: constant for the life of a process
       • dynamic: varies with time
     • Dynamic environments are needed to provide the smallest possible execution environment

  9. Main memory protection
     • Control a process's access to its own instructions, and to another process
     • A process should only be allowed to access areas that are assigned by the OS
     • Memory access rights:
       • Read (R): may read the contents, even copy it into executable areas
       • Write (W): may modify the contents; Append only allows writing onto the end
       • Execute (X): may execute the contents as a program

  10. Access control
     • Boolean logic
       • ¬(R ∨ W ∨ X): no access
       • R ∧ ¬(W ∨ X): read-only

  11. Access control without virtual memory
     • Bounds registers

  12. Access control without virtual memory
     • Identification keys
       • Memory is divided into blocks (like pages)
       • Each memory block has an n-bit pattern called a lock
       • Each process contains an n-bit key
       • Hardware compares the key with the lock on every access

  13. Access control with virtual memory
     • Relocation register

  14. Relocation register
     • Same problem: access control is inflexible
     • Could use locks and keys
     • Better to associate access control with each process and extend the Mmap function to handle extra info

  15. Paged segmentation
     • Access rights are associated with each segment
     • Segment table entry:
       • pt_base: pointer to page table
       • int pt_len: length of page table
       • bool pt_resident: whether page table is in memory
       • access_rights access: access control info
     • Page table entry
       • pg_base: pointer to page
       • pg_resident: whether page is in memory

  16. Paged segmentation address translation
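
The translation that slides 15 and 16 describe, written out in C as an added example (not code from the course). The segment and page table fields are the ones listed on slide 15 and the R/W/X rights follow slides 9 and 10; the 8-bit page offset, the result codes and the sample tables are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Rights bits named as on slides 9-10; the 8-bit page offset is an assumption. */
enum { R = 4, W = 2, X = 1, PAGE_BITS = 8, PAGE_SIZE = 1 << PAGE_BITS };
typedef enum { T_OK, T_BAD_SEG, T_DENIED, T_BAD_PAGE, T_FAULT } xlate;

typedef struct { uint8_t *pg_base; bool pg_resident; } pte;   /* page table entry */
typedef struct {                                               /* segment table entry */
    pte *pt_base; int pt_len; bool pt_resident; unsigned access;
} ste;

/* Translate (segment s, page p, offset w) for an access that needs `want`. */
xlate translate(const ste *st, int st_len, int s, int p, int w,
                unsigned want, uint8_t **phys)
{
    if (s < 0 || s >= st_len) return T_BAD_SEG;
    const ste *seg = &st[s];
    /* Rights are checked before anything is paged in, so a denied access
       never causes a page-table or page load. */
    if ((seg->access & want) != want) return T_DENIED;
    if (p < 0 || p >= seg->pt_len || w < 0 || w >= PAGE_SIZE) return T_BAD_PAGE;
    if (!seg->pt_resident) return T_FAULT;       /* OS must load the page table */
    const pte *pg = &seg->pt_base[p];
    if (!pg->pg_resident) return T_FAULT;        /* OS must load the page */
    *phys = pg->pg_base + w;
    return T_OK;
}

/* Constructed sample: segment 0 is code (R|X), segment 1 is data (R|W). */
static uint8_t frame_a[PAGE_SIZE], frame_b[PAGE_SIZE];
static pte code_pt[] = { { frame_a, true }, { NULL, false } };
static pte data_pt[] = { { frame_b, true } };
static const ste seg_table[] = {
    { code_pt, 2, true, R | X },
    { data_pt, 1, true, R | W },
};

int main(void)
{
    uint8_t *pa = NULL;
    printf("fetch code  -> %d\n", translate(seg_table, 2, 0, 0, 16, X, &pa));
    printf("write code  -> %d\n", translate(seg_table, 2, 0, 0, 16, W, &pa));
    printf("write data  -> %d\n", translate(seg_table, 2, 1, 0, 0, W, &pa));
    printf("code page 1 -> %d\n", translate(seg_table, 2, 0, 1, 0, R, &pa));
    return 0;
}
```

Because the rights live in the segment table entry, every page of a segment shares them: the code segment can be fetched from but not written, and the data segment can be written but not executed.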
