Outline
• Announcements
• Protection and security
Announcements
• Lab 3 is due today in class
  • You can turn it in by 5:00pm today without late penalty
  • The last time and date you can turn Lab 3 in with a 10% penalty is 5:00pm, Dec. 5, 2001
• Homework #5
  • You need to turn in your Homework #5 at the beginning of class this Friday, Dec. 7, 2001
  • I will distribute and discuss the solutions in that class
COP4610
Announcements – cont.
• The final exam will be 10:00am - 12:00 noon, Dec. 14, 2001
• We will have recitations this Wednesday
  • I will answer questions
  • I will then talk about case studies in operating systems
    • UNIX
    • Windows NT
    • Linux
Protection and Security
• An operating system consists of a collection of objects, hardware or software
• Each object has a unique name and can be accessed through a well-defined set of operations
• Protection and security problem: ensure that each object is accessed correctly and only by those processes of authorized users that are allowed to do so
Protection and Security – cont.
• Internal authentication
  • Protection
• External authentication
  • Security
Policy vs. Mechanism
• An organization’s security policy defines the rules for authorizing access to its computers and information resources
  • A particular strategy that dictates the way a mechanism is used to achieve specific goals
• Protection mechanisms are tools for implementing the organization’s security policy
Internal Access Authorization
• Internal authorization is part of the task of managing resource sharing
• The goal is to protect one process’s resources from the actions of other processes
Hardware protection mechanisms
• Processor modes and privileged instructions only valid in system mode
• Memory protection
• Devices, and in particular disks, are protected with processor modes and/or memory protection
Software protection mechanisms
• Hardware resources are protected by hardware protection mechanisms
• Logical resources are only accessed through system calls
• All system calls must be authorized by a protection monitor
• The protection monitor accesses the protection database to make decisions
Protection monitors in an OS (figure)
A Protection System (figure)
A Protection System – cont. (figure)
Access Matrix
• The protection state can be represented using an access matrix
• An access matrix A has one row for each subject and one column for each object
• Each entry A[S, X] is a set that describes the access rights held by subject S to object X
• Access authentication
  • If subject S initiates a type-a access to X, then if a ∈ A[S, X] the access is valid, and if a ∉ A[S, X] the access is invalid
An Access Matrix Example (figure)
Use of Access Matrix
• If a process in domain Di tries to do “op” on object Oj, then “op” must be in the access matrix entry for Di and Oj
• Can be expanded to dynamic protection
  • Operations to add and delete access rights
  • Special access rights:
    • owner of Oi
    • copy op from Oi to Oj
    • control – Di can modify Dj’s access rights
    • transfer – switch from domain Di to Dj
Use of Access Matrix – cont.
• Access matrix design separates mechanism from policy
• Mechanism
  • Operating system provides access matrix + rules
  • It ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced
• Policy
  • User dictates policy
  • Who can access what object and in what mode
Domain Structure
• Access-right = <object-name, rights-set>
  • Rights-set is a subset of all valid operations that can be performed on the object
• Domain = set of access-rights that a subject has at any given time
Changing Protection State (figure)
Protection domains
• A capability is a unique, global name for an access right to an object in the system
• A protection domain is a set of capabilities to perform certain actions on certain objects
• A process can move from protection domain to protection domain so that, at any point, it has exactly the capabilities it needs for the current job (the principle of least privilege)
• This is more flexible than associating capabilities directly with a process
Domain Implementation
• UNIX
  • Domain = user-id
  • Domain switch accomplished via the file system
  • Each file has associated with it a domain bit (setuid bit)
  • When a file is executed and setuid = on, the user-id is set to the owner of the file being executed. When execution completes, the user-id is reset
Implementation of Access Matrix
• Each column = access-control list for one object; defines who can perform what operation
  • Domain 1 = Read, Write
  • Domain 2 = Read
  • Domain 3 = Read
• Each row = capability list (like a key); for each domain, what operations are allowed on what objects
  • Object 1 – Read
  • Object 4 – Read, Write, Execute
  • Object 5 – Read, Write, Delete, Copy
Revocation of Access Rights
• Access list – delete access rights from the access list
  • Simple
  • Immediate
• Capability list – a scheme is required to locate the capability in the system before it can be revoked
  • Reacquisition
  • Back-pointers
  • Indirection
  • Keys
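The following is an added example, not part of the original slides: a small Python model of the Access Matrix, Implementation of Access Matrix and Revocation slides above. It implements the a ∈ A[S, X] check, derives the per-object access list (column) and per-domain capability list (row) from one matrix, and contrasts immediate ACL revocation with the "keys" scheme for capabilities. All names, domains D1–D3 and objects F1/F4/F5 are constructed for illustration.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Access matrix A: A[S][X] is the set of rights subject S holds on object X.
Matrix = Dict[str, Dict[str, Set[str]]]

def make_matrix() -> Matrix:
    """Constructed sample matrix (three domains, objects F1, F4, F5)."""
    return {
        "D1": {"F1": {"read", "write"}, "F4": {"read", "write", "execute"}},
        "D2": {"F1": {"read"}, "F5": {"read", "write", "delete", "copy"}},
        "D3": {"F1": {"read"}},
    }

def access_valid(A: Matrix, S: str, X: str, a: str) -> bool:
    """The slide's rule: access a by S to X is valid iff a is in A[S, X]."""
    return a in A.get(S, {}).get(X, set())

def access_list(A: Matrix, X: str) -> Dict[str, FrozenSet[str]]:
    """Column view: the access-control list of object X (empty entries omitted)."""
    return {S: frozenset(row[X]) for S, row in A.items() if row.get(X)}

def capability_list(A: Matrix, S: str) -> Dict[str, FrozenSet[str]]:
    """Row view: the capability list of subject S (empty entries omitted)."""
    return {X: frozenset(r) for X, r in A.get(S, {}).items() if r}

def revoke_from_acl(A: Matrix, X: str, S: str, a: str) -> None:
    """ACL revocation is simple and immediate: delete the right from one entry."""
    A.get(S, {}).get(X, set()).discard(a)

class KeyedCapabilities:
    """The 'keys' scheme for revoking capabilities: each capability carries the
    object's key as of the grant; changing the object's key invalidates every
    outstanding capability for that object without having to locate them."""
    def __init__(self) -> None:
        self.object_key: Dict[str, int] = {}
        self.caps: Dict[str, List[Tuple[str, str, int]]] = {}

    def grant(self, S: str, X: str, a: str) -> None:
        key = self.object_key.setdefault(X, 1)
        self.caps.setdefault(S, []).append((X, a, key))

    def valid(self, S: str, X: str, a: str) -> bool:
        return any(o == X and r == a and k == self.object_key.get(X)
                   for o, r, k in self.caps.get(S, []))

    def revoke_all(self, X: str) -> None:
        self.object_key[X] = self.object_key.get(X, 1) + 1
```

Note that the keys scheme revokes every holder's capability for the object at once; selective revocation of a single holder needs one of the other schemes listed on the slide.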
Unix Protection Scheme
• Mode of access: read, write, execute
• Three classes of users, each with its own RWX bits (octal digit → R W X):
  a) owner access   7 → 1 1 1
  b) group access   6 → 1 1 0
  c) public access  1 → 0 0 1
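An added example, not from the slides, that works through the Unix Protection Scheme and the setuid domain switch from the Domain Implementation slide in Python. It renders a mode such as 761 as rwx text, applies the UNIX rule that exactly one class (owner, then group, then public) decides the outcome, and models the user-id change on executing a setuid file; the uid/gid values are constructed.

```python
from typing import Set

# Constructed example of the UNIX scheme: a mode's low nine bits are rwx for
# owner, group and public; 0o4000 is the setuid bit from the Domain
# Implementation slide.
S_ISUID = 0o4000
RIGHT_BITS = {"read": 0o4, "write": 0o2, "execute": 0o1}

def rwx_string(mode: int) -> str:
    """Render the nine permission bits as 'rwxrw---x'-style text."""
    out = []
    for shift in (6, 3, 0):                 # owner, group, public
        bits = (mode >> shift) & 0o7
        out.append("r" if bits & 0o4 else "-")
        out.append("w" if bits & 0o2 else "-")
        out.append("x" if bits & 0o1 else "-")
    return "".join(out)

def user_class_shift(owner_uid: int, owner_gid: int, uid: int, gids: Set[int]) -> int:
    """UNIX applies exactly one class: owner if the uid matches, else group if
    the file's group is among the user's groups, else public."""
    if uid == owner_uid:
        return 6
    if owner_gid in gids:
        return 3
    return 0

def unix_access_ok(mode: int, owner_uid: int, owner_gid: int,
                   uid: int, gids: Set[int], op: str) -> bool:
    """Check one access against the bits of the single class that applies."""
    shift = user_class_shift(owner_uid, owner_gid, uid, gids)
    return bool(((mode >> shift) & 0o7) & RIGHT_BITS[op])

def effective_uid_on_exec(mode: int, owner_uid: int, uid: int) -> int:
    """Domain switch via the file system: with setuid on, the user-id becomes
    the executed file's owner for the duration of the program."""
    return owner_uid if mode & S_ISUID else uid
```

Because only one class applies, a group member of a mode-761 file cannot execute it even though the public class has the x bit; the check never falls through to a later class.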
Capability-Based Systems
• Hydra
  • Fixed set of access rights known to and interpreted by the system
  • Interpretation of user-defined rights performed solely by the user's program; the system provides access protection for use of these rights
• Cambridge CAP System
  • Data capability – provides standard read, write, execute of individual storage segments associated with an object
  • Software capability – interpretation left to the subsystem, through its protected procedures
The Security Problem
• Security must consider the external environment of the system, and protect it from
  • unauthorized access
  • malicious modification or destruction
  • accidental introduction of inconsistency
• Easier to protect against accidental than malicious misuse
User authentication
• Three types of authentication:
  • Something a user knows
    • e.g. a password, a combination, answers to personal questions
  • Something a user has
    • e.g. a badge, a smart card, a key
  • Something a user is
    • e.g. fingerprint, signature, voice print, hand geometry, retinal blood vessel pattern
Authentication
• User identity is most often established through passwords; this can be considered a special case of either keys or capabilities
• Passwords must be kept secret
  • Frequent change of passwords
  • Use of “non-guessable” passwords
  • Log all invalid access attempts
• Encryption
Authentication
• User authentication
• Authentication in networks
Program Threats
• Trojan Horse
  • Code segment that misuses its environment
  • Exploits mechanisms for allowing programs written by users to be executed by other users
• Trap Door
  • Specific user identifier or password that circumvents normal security procedures
  • Could be included in a compiler
System Threats
• Worms – use a spawn mechanism; standalone program
  • Internet worm
    • Exploited UNIX networking features (remote access) and bugs in the finger and sendmail programs
    • Grappling hook program uploaded the main worm program
• Viruses – fragment of code embedded in a legitimate program
  • Mainly affect microcomputer systems
  • Spread by downloading viral programs from public bulletin boards or exchanging floppy disks containing an infection
  • Safe computing
The confinement problem
• How do we prevent a program from leaking information to others?
• It is not as simple as preventing IPC and I/O
• A covert channel is a hidden means of communicating information
  • e.g. sending bits by manipulating the CPU load
The Morris Internet Worm (figure)
Threat Monitoring
• Check for suspicious patterns of activity – e.g., several incorrect password attempts may signal password guessing
• Audit log – records the time, user, and type of all accesses to an object; useful for recovery from a violation and for developing better security measures
• Scan the system periodically for security holes; done when the computer is relatively unused
Threat Monitoring – cont.
• Check for:
  • Short or easy-to-guess passwords
  • Unauthorized set-uid programs
  • Unauthorized programs in system directories
  • Unexpected long-running processes
  • Improper directory protections
  • Improper protections on system data files
  • Dangerous entries in the program search path (Trojan horse)
  • Changes to system programs: monitor checksum values
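An added example (not from the slides) of two of the threat-monitoring checks above, written in Python: flagging repeated incorrect password attempts in an audit log, and detecting changes to system programs by comparing checksums against a baseline. The audit-log format, user names, addresses and file names are constructed for this example and do not correspond to any real system's log.

```python
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed audit-log lines in a made-up format; not any real system's log.
AUDIT_LOG = """\
2001-12-03 10:01:05 login FAIL user=alice from=10.0.0.5
2001-12-03 10:01:09 login FAIL user=alice from=10.0.0.5
2001-12-03 10:01:12 login FAIL user=alice from=10.0.0.5
2001-12-03 10:05:00 login OK user=bob from=10.0.0.9
2001-12-03 11:30:00 login FAIL user=carol from=10.0.0.7
2001-12-03 11:45:00 login FAIL user=carol from=10.0.0.7
"""
LINE_RE = re.compile(r"^(\S+ \S+) login (FAIL|OK) user=(\S+) from=(\S+)$")

def password_guessing_alerts(log: str, threshold: int = 3,
                             window_s: int = 60) -> List[Tuple[str, str, str]]:
    """Return (user, source, time) whenever `threshold` failed logins for the same
    user from the same source fall inside a sliding window of `window_s` seconds."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, str, str]] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "FAIL":
            continue                        # skip successes and unparseable lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        key = (m.group(3), m.group(4))
        q = recent[key]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):
            q.popleft()                     # drop failures older than the window
        if len(q) == threshold:             # fire once, when the threshold is reached
            alerts.append((key[0], key[1], m.group(1)))
    return alerts

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def changed_programs(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[str]:
    """Compare program contents against recorded SHA-256 digests (the slide's
    'monitor checksum values'); report files whose digest differs or that are missing."""
    return sorted(name for name, digest in baseline.items()
                  if name not in current or sha256_hex(current[name]) != digest)
```

The baseline of digests must itself be stored where an intruder who can modify system programs cannot also update it, or the check proves nothing.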
Network Security Through Domain Separation Via Firewall (figure)
Encryption
• Encrypt clear text into cipher text
• Properties of a good encryption technique:
  • Relatively simple for authorized users to encrypt and decrypt data
  • The encryption scheme depends not on the secrecy of the algorithm but on a parameter of the algorithm called the encryption key
  • Extremely difficult for an intruder to determine the encryption key
• The Data Encryption Standard substitutes characters and rearranges their order on the basis of an encryption key provided to authorized users via a secure mechanism. The scheme is only as secure as that mechanism
Encryption – cont.
• Public-key encryption is based on each user having two keys:
  • public key – published key used to encrypt data
  • private key – key known only to the individual user, used to decrypt data
• Must be an encryption scheme that can be made public without making it easy to figure out the decryption scheme
  • There is an efficient algorithm for testing whether or not a number is prime
  • No efficient algorithm is known for finding the prime factors of a number
Authentication of public keys (figure)
Summary
• “None of the protection systems that exist today ... are completely fail-safe. The best we can do is to make it as difficult as possible for somebody to break a security device or get inside”
• Internal authentication and external authentication
• Access matrix and implementation of access matrix