1 / 41

Protection and Security

Protection and Security. 14. Allowing Only Authorized Access. Authorized Access. Authentication Authorization. Subject. Unauthorized Access. Secure Entity. Subject. Policy & Mechanism. Protection mechanisms are tools used to implement security policies Authentication Authorization

Download Presentation

Protection and Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Operating Systems: A Modern Perspective, Chapter 5

  2. Protectionand Security 14 Operating Systems: A Modern Perspective, Chapter 5

  3. Allowing Only Authorized Access Authorized Access Authentication Authorization Subject Unauthorized Access Secure Entity Subject Operating Systems: A Modern Perspective, Chapter 5

  4. Policy & Mechanism • Protection mechanisms are tools used to implement security policies • Authentication • Authorization • Cryptography • A security policy reflects an organization’s strategy for authorizing access to the computer’s resources only to authenticated parties • Accountants have access to payroll files • OS processes have access to the page table • Client process has access to information provided by a server Operating Systems: A Modern Perspective, Chapter 5

  5. Cryptographically Protected Information Secure Container Secure Element Secure Element Secure Environment Secure Environment Operating Systems: A Modern Perspective, Chapter 5

  6. Windows 2000 Logon Local Security Authority Subsystem (Lsass) Winlogon process LSA* Server Netlogon Network Authentic. LSA Policy Active Directory SAM Active Directory SAM** Server User Space Supervisor Space Security Reference Monitor (SRM) * Local Security Authority ** Security Accounts Manager (SAM) Operating Systems: A Modern Perspective, Chapter 5

  7. Process C Resource W Process B Resource X Resource Y Process A Resource Z Security Goals Machine X read read read/write read/write • Authentication Machine Y • Authorization Operating Systems: A Modern Perspective, Chapter 5

  8. Authentication • User/process authentication • Is this user/process who it claims to be? • Passwords • More sophisticated mechanisms • Authentication in networks • Is this computer who it claims to be? • File downloading • Obtaining network services • The Java promise Operating Systems: A Modern Perspective, Chapter 5

  9. Authorization • Is this user/process allowed to access the resource under the current policy? • What type of access is allowable? • Read • Write • Execute • Append Operating Systems: A Modern Perspective, Chapter 5

  10. Lampson’s Protection Model • Active parts (e.g., processes) • Operate in different domains • Subject is a process in a domain • Passive parts are called objects • Want mechanism to implement different security policies for subjects to access objects • Many different policies must be possible • Policy may change over time Operating Systems: A Modern Perspective, Chapter 5

  11. A Protection System Subjects Objects a S X • S desires a access to X Operating Systems: A Modern Perspective, Chapter 5

  12. A Protection System Subjects Objects Protection State S X • S desires a access to X • Protection state reflects current ability to access X Operating Systems: A Modern Perspective, Chapter 5

  13. A Protection System Subjects Objects Protection State S X State Transition • S desires a access to X • Protection state reflects current ability to access X • Authorities can change Operating Systems: A Modern Perspective, Chapter 5

  14. A Protection System Subjects Objects Protection State S X State Transition • S desires a access to X • Protection state reflects current ability to access X • Authorities can change • What are rules for changing authority? Rules Operating Systems: A Modern Perspective, Chapter 5

  15. A Protection System Subjects Objects Protection State S X State Transition • S desires a access to X • Protection state reflects current ability to access X • Authorities can change • What are rules for changing authority? • How are the rules chosen? Rules Policy Operating Systems: A Modern Perspective, Chapter 5

  16. Protection System Example a S X • S desires a access to X Operating Systems: A Modern Perspective, Chapter 5

  17. Protection System Example S X X • S desires a access to X • Captures the protection state S a Access matrix Operating Systems: A Modern Perspective, Chapter 5

  18. Protection System Example (S, a, X) Access authentication S X X • S desires a access to X • Captures the protection state • Generates an unforgeable ID S a Access matrix Operating Systems: A Modern Perspective, Chapter 5

  19. Protection System Example (S, a, x) Access authentication Monitor S X X • S desires a access to X • Captures the protection state • Generates an unforgeable ID • Checks the access against the protection state S a Operating Systems: A Modern Perspective, Chapter 5

  20. Protection State Example S1 S2 S3 F1 F2 D1 D2 S1 control block wakeup owner control owner read* write* seek owner S2 control stop owner update owner seek* S3 control delete execute owner Operating Systems: A Modern Perspective, Chapter 5

  21. A Protection System Subjects Objects Protection State S X State Transition Rules Handling state changes Policy Operating Systems: A Modern Perspective, Chapter 5

  22. Policy Rules Example S1 S2 S3 F1 F2 D1 D2 S1 control block wakeup owner control owner read* write* seek owner S2 control stop owner update owner seek* S3 control delete execute owner Rules for a Particular Policy Rule Command by S0 Authorization Effect 1 transfer(a|a*) to (S, X) a*A[S0, X] A[S, X] = A[S, X]{a|a*} 2 grant(a|a*) to (S, X) ownerA[S0, X] A[S, X] = A[S, X]{a|a*} 3 delete a from (S, X) controlA[S0, S] A[S, X] = A[S, X]-{a} or ownerA[S0, X] Operating Systems: A Modern Perspective, Chapter 5

  23. Protection Domains • Lampson model uses processes and domains -- how is a domain implemented? • Supervisor/user hardware mode bit • Software extensions -- rings • Inner rings have higher authority • Ring 0 corresponds to supervisor mode • Rings 1 to S have decreasing protection, and are used to implement the OS • Rings S+1 to N-1 have decreasing protection, and are used to implement applications Operating Systems: A Modern Perspective, Chapter 5

  24. Protection Domains (cont) • Ring crossing is a domain change • Inner ring crossing  rights amplification • Specific gates for crossing • Protected by an authentication mechanism • Outer ring crossing uses less-protected objects • No authentication • Need a return path • Used in Multics and Intel 80386 (& above) hardware Operating Systems: A Modern Perspective, Chapter 5

  25. User Supv A Two-level Domain Architecture Operating Systems: A Modern Perspective, Chapter 5

  26. Ri R2 R1 … … R0 The General Ring Architecture Operating Systems: A Modern Perspective, Chapter 5

  27. Implementing the Access Matrix • Usually a sparse matrix • Too expensive to implement as a table • Implement as a list of table entries • Column oriented list is called an access control list (ACL) • List kept at the object • UNIX file protection bits are one example • Row oriented list is a called a capability list • List kept with the subject (i.e., process) • Kerberos ticket is a capability • Mach mailboxes protected with capabilities Operating Systems: A Modern Perspective, Chapter 5

  28. Store the Access Matrix by columns Each ACL is kept at the object UNIX file protection bits are one example Windows resource managers also use ACLs for protection X X X a a a Access Control Lists Derived from an Access Matrix X X X S a a a Resource Descriptor Resource Descriptor Resource Descriptor Operating Systems: A Modern Perspective, Chapter 5

  29. Store the Access Matrix by rows List kept with the subject (i.e., process) Examples Ticket to a concert Kerberos ticket Mach mailboxes S a a S Capability Lists Derived from an Access Matrix X a S S a a S a S Process Descriptor Process Descriptor Process Descriptor Operating Systems: A Modern Perspective, Chapter 5

  30. More on Capabilities • Provides an address to object from a very large address space • Possession of a capability represents authorization for access • Implied properties: • Capabilities must be very difficult to guess • Capabilities must be unique and not reused • Capabilities must be distinguishable from randomly generated bit patterns Operating Systems: A Modern Perspective, Chapter 5

  31. Cryptography • Information can be encoded using a key when it is written (or transferred) -- encryption • It is then decoded using a key when it is read (or received) -- decryption • Very widely used for secure network transmission Operating Systems: A Modern Perspective, Chapter 5

  32. More on Cryptography encryption plaintext ciphertext decryption Operating Systems: A Modern Perspective, Chapter 5

  33. More on Cryptography Ke Kd C = EKe(plaintext) Encrypt Decrypt plaintext plaintext Operating Systems: A Modern Perspective, Chapter 5

  34. More on Cryptography Ke Kd C = EKe(plaintext) Encrypt Decrypt plaintext plaintext Invader Side information plaintext Operating Systems: A Modern Perspective, Chapter 5

  35. Cryptographic Systems Cryptographic Systems Modern Systems Conventional Systems • Ke and Kd are essentially the same Private Key Public Key • Ke and Kd are private • Ke is public • Kd is private Operating Systems: A Modern Perspective, Chapter 5

  36. Kerberos Authentication Server Client Server Operating Systems: A Modern Perspective, Chapter 5

  37. Kerberos Authentication Server Encrypted for client Encrypted for server Ticket Client Client ID Session Key Session Key Server Operating Systems: A Modern Perspective, Chapter 5

  38. Kerberos Authentication Server Encrypted for client Encrypted for server Ticket Session Key Client Client ID Session Key Session Key Server Operating Systems: A Modern Perspective, Chapter 5

  39. Kerberos Authentication Server Encrypted for client Encrypted for server Ticket Session Key Client Client ID Session Key Session Key Ticket Server Client ID Session Key Client ID Session Key Operating Systems: A Modern Perspective, Chapter 5

  40. The DES Algorithm Plain Text 64-bit Block IP 64-bit Block Lj-1 Rj-1 Kj = j(K, j) f  Rj-1 Rj-1 64-bit Block IP-1 64-bit Block Operating Systems: A Modern Perspective, Chapter 5

  41. A Digital Rights Management System Publisher Distributor, etc Style Editor Rights Editor • Other parties may contribute to rights spec Raw Style Rights Translate Client API Content Repository Query Consumer Admin API Distribute Serve InTransit Server Playback Consumable Operating Systems: A Modern Perspective, Chapter 5

More Related