Learn about the fundamental concepts of protection and security in operating systems, including protection domains, access matrices, capability-based systems, and language-based protection. Explore the goals, implementation, and revocation of access rights. Discover how security addresses authentication, program threats, system threats, threat monitoring, and encryption in computer systems.
Operating Systems, CMPSCI 377, Lecture 22: Protection & Security. Emery Berger, University of Massachusetts, Amherst
Protection vs. Security • Protection = controlling access to programs & data stored on computer system • Internal problem • Security = protecting system from external unauthorized access, malicious destruction, etc.
Protection • Goals of Protection • Protection Domains • Access Matrix • Implementation • Revocation of Access Rights • Capability-Based Systems • Language-Based Protection
Protection Goal • OS: collection of objects, hardware & software • Objects have unique names • Accessed through well-defined set of operations • Goal of protection: • Ensure each object accessed correctly & only by those processes that are allowed to do so
Protection Domains • Access-right = <object-name, rights-set>Rights-set = subset of all valid operations that can be performed on the object • Domain = set of access-rights
Domain Implementation • UNIX • Domain = user-id • Domain switch accomplished via the file system • Each executable has an associated domain bit (the setuid bit) • When a file with setuid on is executed, the process's effective user-id is set to the owner of that file • When execution completes, the effective user-id reverts to the invoking user
Domain Implementation • MULTICS • Precursor to UNIX, by MIT, GE and Bell Labs • “Ring” protection system, by Bob Graham
Multics: Rings • Nested domain structure (“rings”) • Let Di and Dj be any two domain rings • If j < i, then Di ⊂ Dj • lower ring number = more privileges • each process maintains its current ring number
Access Matrix • Column = access-control list for one object • Defines who can perform what operation • Row = capability list • Operations allowed on what objects, per-domain
Use of Access Matrix (Cont.) • Design separates mechanism from policy • Mechanism • Operating system provides access-matrix + rules. • Ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced • Policy • User dictates policy:who can access what object and in what mode
Dynamic Access Matrices • Extend for dynamic protection: operations to add and delete access rights, themselves recorded as rights in the matrix • switch – Di may switch to domain Dj • owner – owner of Oi may add or remove any rights in Oi’s column • copy – a right on Oi may be copied from one domain to another within Oi’s column • control – Di can modify Dj’s access rights (Dj’s row)
Switching Domains • Switching domains: add domains as objects!
Access Matrix with Copy Rights • Asterisk denotes that access right can be copied within column
Access Matrix With Owner Rights • Ownership:can add new rights, remove some rights
Control: Modifying Access Matrix • Control: process executing in one domain can modify another domain • Example:D2 changes D4
Implementation of Access Matrix • Global table – <domain, object, right-set> • Too large, no grouping • Access list – <domain, right-set> per object • Simple • Capability List – list of objects + operations • Object name = capability (think: special pointer) • Check in capability list for access
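The access-matrix slides above describe the structure and its dynamic operations abstractly. The following is an added example, not code from the lecture: a small access matrix in Python in which the switch, copy (with the asterisk copy flag and the "limited copy" variant), owner and control operations are each gated by a right stored in the matrix itself, and in which the column (access-control list) and row (capability list) views are read back from the same table. Domain and object names (D1, F1, ...) are made up for the demo.

```python
from collections import defaultdict


class AccessMatrix:
    """Rows are domains, columns are objects, and each cell is a set of rights.
    Domains are entered as objects too, so 'switch' and 'control' are ordinary
    rights stored in the matrix rather than special cases."""

    def __init__(self):
        self._cells = defaultdict(set)  # (domain, object) -> set of right names

    def grant(self, domain, obj, *rights):
        """Policy entry point: the matrix only records who may do what."""
        self._cells[(domain, obj)].update(rights)

    def rights(self, domain, obj):
        return frozenset(self._cells.get((domain, obj), ()))

    def check(self, domain, obj, op):
        """Mechanism: every access is a lookup. 'read*' (read with the copy
        flag) also satisfies a request for plain 'read'."""
        cell = self._cells.get((domain, obj), ())
        return op in cell or op + "*" in cell

    # Two views of the same matrix: column = ACL, row = capability list.
    def acl(self, obj):
        return {d: self.rights(d, o) for (d, o) in list(self._cells)
                if o == obj and self.rights(d, o)}

    def capability_list(self, domain):
        return {o: self.rights(d, o) for (d, o) in list(self._cells)
                if d == domain and self.rights(d, o)}

    # Dynamic operations. Each is itself authorized by a right in the matrix.
    def switch(self, current, target):
        """Domain switch: requires 'switch' in cell (current, target)."""
        if not self.check(current, target, "switch"):
            raise PermissionError(f"{current} may not switch to {target}")
        return target

    def copy(self, src, dst, obj, right, limited=False):
        """Copy a right down its column (same object, different domain).
        Allowed only if src holds it with the copy flag; limited=True hands
        over the right but not the flag, so dst cannot propagate it further."""
        if not self.check(src, obj, right + "*"):
            raise PermissionError(f"{src} cannot copy {right} on {obj}")
        self._cells[(dst, obj)].add(right if limited else right + "*")

    def owner_set(self, owner, obj, target, *rights):
        """Owner of obj may add any right in obj's column."""
        if not self.check(owner, obj, "owner"):
            raise PermissionError(f"{owner} does not own {obj}")
        self._cells[(target, obj)].update(rights)

    def owner_clear(self, owner, obj, target, *rights):
        """Owner of obj may remove any right in obj's column (ACL revocation)."""
        if not self.check(owner, obj, "owner"):
            raise PermissionError(f"{owner} does not own {obj}")
        self._cells[(target, obj)].difference_update(rights)

    def control_remove(self, controller, target_domain, obj, *rights):
        """Control: a domain holding 'control' on target_domain may strip
        rights from target_domain's row."""
        if not self.check(controller, target_domain, "control"):
            raise PermissionError(f"{controller} does not control {target_domain}")
        self._cells[(target_domain, obj)].difference_update(rights)


def demo():
    m = AccessMatrix()
    m.grant("D1", "F1", "owner", "read*")  # D1 owns F1 and may copy 'read'
    m.grant("D1", "D2", "switch")          # D1 may switch into D2
    m.grant("D2", "D4", "control")         # D2 controls D4's row
    m.grant("D4", "F2", "read", "write")

    m.copy("D1", "D2", "F1", "read", limited=True)  # D2 gets read, not read*
    m.owner_set("D1", "F1", "D3", "write")          # owner grants D3 write
    current = m.switch("D1", "D2")
    m.control_remove(current, "D4", "F2", "write")  # D2 strips write from D4
    try:
        m.copy("D2", "D3", "F1", "read")  # D2 holds read without the copy flag
        blocked = False
    except PermissionError:
        blocked = True
    return m, current, blocked
```

The point to notice is that the matrix is the only thing consulted: policy changes are edits to cells, and the operations that edit cells are themselves authorized by cells, which is what the slides mean by separating mechanism from policy.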
Revocation of Access Rights • Access-list scheme: • Search for right to be revoked, delete • Immediate, can be selective (just affect some users), can be partial (just some rights revoked)
Revocation of Access Rights • Capabilities: more complicated • Reacquisition: • Try to reacquire after deletion • Back-pointers: point from object to capabilities • Expensive (used in MULTICS) • Indirection: • Capability points to entry in table • Not selective • Keys: • One key per capability • Check in global key table
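The revocation slide lists four capability schemes without showing why indirection is not selective while keys are. The following is an added example, not part of the lecture: a Python sketch of the indirection scheme (capabilities are slot numbers in a global table; clearing the slot cuts off every holder at once) next to the key scheme (each capability carries a random key checked against a per-object key table; deleting one key cuts off only the holders of that capability). Object names and the "copied capability" holder are constructed for the demo, and the capabilities are plain Python objects rather than the kernel-protected tokens a real system would use.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    """Token for the key scheme. In a real system the kernel keeps these out
    of user reach; here any holder can copy it, which is exactly why
    revocation of capabilities is harder than editing an access list."""
    obj: str
    rights: frozenset
    key: str


class IndirectionStore:
    """Capabilities point at a slot in a global table, not at the object.
    Revocation clears the slot: immediate, but every holder of that slot
    number loses access together (not selective)."""

    def __init__(self):
        self.table = {}  # slot -> (object, rights), or None once revoked

    def issue(self, obj, rights):
        slot = len(self.table)
        self.table[slot] = (obj, frozenset(rights))
        return slot  # the capability is just the slot number

    def access(self, slot, op):
        entry = self.table.get(slot)
        if entry is None:
            return False  # revoked, or never issued
        _obj, rights = entry
        return op in rights

    def revoke(self, slot):
        self.table[slot] = None


class KeyedStore:
    """Each capability carries a random key; the object keeps a global table
    of currently valid keys. Revoking one key kills only the capabilities
    issued under it (selective); clearing the table kills all of them."""

    def __init__(self):
        self.valid_keys = {}  # object -> set of valid keys

    def issue(self, obj, rights):
        key = secrets.token_hex(8)
        self.valid_keys.setdefault(obj, set()).add(key)
        return Capability(obj, frozenset(rights), key)

    def access(self, cap, op):
        return cap.key in self.valid_keys.get(cap.obj, ()) and op in cap.rights

    def revoke(self, cap):
        """Selective: only copies of this capability stop working."""
        self.valid_keys.get(cap.obj, set()).discard(cap.key)

    def revoke_all(self, obj):
        self.valid_keys[obj] = set()


def demo():
    ind = IndirectionStore()
    slot = ind.issue("F1", {"read"})
    copied_slot = slot  # a second holder copied the capability
    before = ind.access(copied_slot, "read")
    ind.revoke(slot)
    after = ind.access(copied_slot, "read")  # the copy dies too

    ks = KeyedStore()
    alice = ks.issue("F1", {"read", "write"})
    bob = ks.issue("F1", {"read"})
    ks.revoke(bob)  # selective: alice's capability is untouched
    return before, after, ks.access(alice, "write"), ks.access(bob, "read")
```

Both schemes pay for revocation with an extra lookup on every access (the table slot or the key set), which is the trade-off the slide's "reacquisition" and "back-pointers" variants try to avoid in different ways.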
Capability-Based Systems • Hydra • Fixed set of access rights known to and interpreted by the system • Interpretation of user-defined rights performed solely by user's program • System provides access protection for use of these rights • Cambridge CAP System • Data capability - provides standard read, write, execute of individual storage segments associated with objects • Software capability – interpretation left to the subsystem, through its protected procedures
Language-Based Protection • Specification of protection in programming language: • Allows high-level description of policies for allocation and use of resources • Example: Java • Language implementation: • Can provide software for protection enforcement when automatic hardware-supported checking is unavailable • Interpret protection specifications to generate calls on whatever protection system is provided by the hardware and the operating system
Security • The Security Problem • Authentication • Program Threats • System Threats • Threat Monitoring • Encryption
The Security Problem • Security must consider external environment of the system, and protect it from: • unauthorized access • malicious modification or destruction • accidental introduction of inconsistency • Easier to protect against accidental than malicious misuse
Authentication • User identity is most often established through passwords, which can be viewed as a special case of either keys or capabilities • Passwords must be kept secret (the system should store only salted hashes, never the passwords themselves) • Change passwords frequently • Use “non-guessable” passwords • Log all invalid access attempts
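The authentication slide gives the rules but not the mechanics. The following is an added example, not code from the lecture: a Python password store that keeps only salted PBKDF2-HMAC-SHA256 hashes, compares in constant time, logs every invalid attempt (including attempts against unknown users) and locks an account after a run of failures. The user names, passwords and the iteration-count choice are assumptions for the demo; the 600,000 default follows OWASP's 2023 guidance for PBKDF2-SHA256.

```python
import hashlib
import hmac
import secrets


class PasswordStore:
    """Keeps salted PBKDF2-HMAC-SHA256 hashes, never the passwords themselves,
    logs every invalid attempt and locks an account after too many in a row."""

    def __init__(self, max_failures=5, iterations=600_000):
        # 600k iterations is the OWASP (2023) recommendation for PBKDF2-SHA256;
        # lower it only for tests.
        self.max_failures = max_failures
        self.iterations = iterations
        self._records = {}    # user -> (salt, derived key)
        self._failures = {}   # user -> consecutive failed attempts
        self.audit_log = []   # (user, outcome): "log all invalid access attempts"
        self._dummy_salt = secrets.token_bytes(16)

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   self.iterations)

    def enroll(self, user, password):
        salt = secrets.token_bytes(16)  # per-user salt defeats precomputed tables
        self._records[user] = (salt, self._derive(password, salt))
        self._failures[user] = 0

    def is_locked(self, user):
        return self._failures.get(user, 0) >= self.max_failures

    def authenticate(self, user, password):
        if self.is_locked(user):
            self.audit_log.append((user, "locked"))
            return False
        record = self._records.get(user)
        if record is None:
            # Derive anyway so an unknown user costs the same time as a wrong
            # password; otherwise timing reveals which accounts exist.
            self._derive(password, self._dummy_salt)
            self.audit_log.append((user, "unknown-user"))
            return False
        salt, expected = record
        # Constant-time comparison: never compare secrets with ==.
        if hmac.compare_digest(self._derive(password, salt), expected):
            self._failures[user] = 0
            self.audit_log.append((user, "ok"))
            return True
        self._failures[user] += 1
        self.audit_log.append((user, "bad-password"))
        return False
```

The audit log this produces is the input the threat-monitoring slides later in the lecture want: a burst of "bad-password" entries for one user is the password-guessing pattern they describe.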
Program Threats (“Malware”) • Trojan Horse • Code segment that misuses its environment • Exploits mechanisms for allowing programs written by users to be executed by other users • Trap Door • Specific user identifier or password that circumvents normal security procedures. • Could be included in compiler
System Threats: Worms • Worms – standalone programs that use the spawn mechanism to replicate • Example: the 1988 Internet (Morris) worm exploited UNIX networking features (rsh/rexec remote access) and bugs in the finger daemon (a buffer overflow) and sendmail (the debug mode) • A small “grappling hook” program was uploaded first; it then fetched the main worm program
System Threats: Viruses • Viruses – fragment of code embedded in a legitimate program • Mainly affect PCs, infected via Internet • “Old days”: exchanging floppy disks containing an infection
Threat Monitoring • Check for suspicious patterns of activity • e.g., several incorrect password attempts in a row may signal password guessing • Audit log • Records time, user, & type of all accesses to an object • Useful for recovery from a violation and for developing better security measures • Scan the system periodically for security holes • Done when the computer is relatively unused
Threat Monitoring (Cont.) • Check for: • Short or easy-to-guess passwords • Unauthorized setuid programs • Unauthorized programs in system directories • Unexpected long-running processes • Improper directory protections • Improper protections on system data files • Dangerous entries in the program search path, e.g. “.” or a world-writable directory, which let a Trojan horse shadow a system program • Changes to system programs: monitor checksum values against a known-good baseline
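The two threat-monitoring slides read as a checklist; the following is an added example, not part of the lecture, that turns four of the items into running checks in Python: counting failed logins per user over an audit log, flagging relative or world-writable entries in a search path, finding setuid files under a directory, and comparing file checksums against a baseline. The audit-log lines and the files created under a temporary directory are constructed for the demo (the fake `ls` is a two-line shell script, not a real binary).

```python
import hashlib
import os
import re
import stat
import tempfile
from collections import Counter

# Constructed sample audit log (not real data): "time user outcome".
SAMPLE_LOG = """\
10:00:01 alice ok
10:00:07 mallory fail
10:00:09 mallory fail
10:00:11 mallory fail
10:00:12 mallory fail
10:00:30 bob ok
10:00:45 bob fail
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (ok|fail)$")


def guessing_suspects(log_text, threshold=3):
    """Users with at least `threshold` failed attempts: the slide's
    'several incorrect password attempts' pattern."""
    fails = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "fail":
            fails[m.group(2)] += 1
    return sorted(user for user, n in fails.items() if n >= threshold)


def dangerous_path_entries(path_value):
    """Relative entries ('' or '.') let a Trojan horse in the current directory
    shadow a system program; world-writable directories let anyone plant one."""
    bad = []
    for entry in path_value.split(os.pathsep):
        if entry in ("", ".") or not os.path.isabs(entry):
            bad.append((entry, "relative"))
        elif os.path.isdir(entry) and os.stat(entry).st_mode & stat.S_IWOTH:
            bad.append((entry, "world-writable"))
    return bad


def is_setuid(mode):
    return bool(mode & stat.S_ISUID)


def setuid_files(root):
    """Every file under root with the setuid bit: compare against an approved list."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if is_setuid(os.lstat(path).st_mode):
                found.append(path)
    return sorted(found)


def checksum_baseline(root):
    """relative path -> SHA-256 of contents, for every file under root."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            baseline[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return baseline


def changed_files(root, baseline):
    """Files whose checksum differs from the baseline, plus added/removed ones."""
    now = checksum_baseline(root)
    return sorted(k for k in set(baseline) | set(now) if baseline.get(k) != now.get(k))


def demo():
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        ls = os.path.join(bindir, "ls")
        with open(ls, "wb") as f:
            f.write(b"#!/bin/sh\necho original\n")  # constructed stand-in binary
        os.chmod(bindir, 0o777)                     # a world-writable bin directory
        baseline = checksum_baseline(root)
        with open(ls, "ab") as f:                   # "attacker" modifies ls
            f.write(b"echo backdoor\n")
        os.chmod(ls, 0o4755)                        # and makes it setuid
        path = os.pathsep.join([bindir, ".", "/usr/bin"])
        return (
            guessing_suspects(SAMPLE_LOG),
            [kind for _entry, kind in dangerous_path_entries(path)],
            changed_files(root, baseline),
            setuid_files(root),
        )
```

The checksum baseline is only as trustworthy as the place it is stored; keep it off the monitored host (or on read-only media), since an intruder who can rewrite system programs can also rewrite a baseline kept beside them.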
Encryption • Encryption turns cleartext into ciphertext; decryption reverses it • Properties of a good encryption technique: • Relatively simple for authorized users to encrypt and decrypt data • Security depends not on secrecy of the algorithm but on a parameter of the algorithm called the encryption key • Extremely difficult for an intruder to determine the encryption key • Advanced Encryption Standard (AES, the Rijndael cipher) is now the standard symmetric algorithm
Encryption (Cont.) • Public-key encryption is based on each user having two keys: • public key – published key used to encrypt data • private key – known only to the individual user, used to decrypt data • The encryption scheme is public, yet still strong • No reliance on security through obscurity • Basis of RSA, the best-known such scheme: easy to multiply two large primes, but hard to factor their product
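To make the "easy to multiply, hard to factor" claim concrete, the following is an added example, not code from the lecture: textbook RSA in Python with deliberately tiny (16-bit) primes, so that the public modulus can be factored by trial division in a fraction of a second and the private key recovered from the public one. The key size, seed and sample message are assumptions for the demo; this is unpadded textbook RSA with toy parameters and is not usable for real encryption, where moduli are 2048 bits or more and padding such as OAEP is required.

```python
from math import gcd, isqrt
import random


def is_prime(n):
    """Exact trial division; fine for the toy sizes used here (a real
    implementation runs Miller-Rabin on 1024-bit candidates)."""
    if n < 2:
        return False
    return all(n % k for k in range(2, isqrt(n) + 1))


def random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if is_prime(c):
            return c


def keygen(bits=32, seed=None):
    """Textbook RSA. n = p*q is public; d is the inverse of e mod (p-1)(q-1),
    which is easy to compute only if you know p and q."""
    rng = random.Random(seed)  # seeded for a reproducible demo; real keys need `secrets`
    e = 65537
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    n = p * q
    d = pow(e, -1, phi)
    return (n, e), (n, d)  # (public key, private key)


def encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def trial_factor(n):
    """Factor n by trial division: fast for a 32-bit toy modulus, hopeless for
    a 2048-bit one. That asymmetry is the whole basis of RSA."""
    for k in range(2, isqrt(n) + 1):
        if n % k == 0:
            return k
    raise ValueError("no factor found")


def recover_private_key(pub):
    """What an attacker does once n is factored: rebuild d from e, p and q."""
    n, e = pub
    p = trial_factor(n)
    q = n // p
    return (n, pow(e, -1, (p - 1) * (q - 1)))


def demo():
    pub, priv = keygen(bits=32, seed=2024)
    c = encrypt(pub, 1234567)
    return pub, priv, c, decrypt(priv, c), recover_private_key(pub) == priv
```

Everything about the scheme is public except d, and d is recoverable from the public key exactly as fast as n can be factored; the security margin of real RSA is the gap between multiplying two 1024-bit primes (microseconds) and factoring their 2048-bit product (not feasible with known classical algorithms).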
Summary • Protection • Protection Domains, Access Matrix, Revocation of Access Rights, Capability-Based Systems, Language-Based Protection • Security • Authentication, Program Threats, System Threats, Threat Monitoring, Encryption