Operating Systems, CMPSCI 377, Lecture 22: Protection & Security
Emery Berger, University of Massachusetts, Amherst
Security
• Secure if either:
  • Cost of attacking system > value of protected resources
    • You attack $100 of gold with a $120 attack dog.
    • Cost can equal the computer or network resources required to attack the system
  • Time to attack system longer than time resource has value
    • Don’t need to protect time and place of secret event after event takes place
    • Time can be processing time to compute correct result (e.g., guessing a password)
Protection
• Let’s say we have a valuable resource like an O.S.
  • collection of objects, hardware & software
  • objects have unique names
  • accessed through well-defined set of operations
• Goal of protection:
  • Ensure each object is accessed correctly & only by authorized processes, according to some policy.
  • Policy = statement of what states (and operations) are allowed (i.e., secure/authorized) vs. not allowed (i.e., nonsecure/unauthorized) for a specific system
Protection Domains
• Access-right = <object-name, rights-set>
  • Rights-set = subset of all valid operations that can be performed on the object
  • (i.e., the policy!)
• Domain = set of access-rights
UNIX: Domain Implementation
• Example 1: UNIX
  • Domain implemented as “user-id”
  • Files are an example of an object
    • (we’ll see others, like laser printers and email servers)
• Sometimes, OS does domain switching to execute some task
  • Each file has associated domain bit (setuid bit)
  • When file executed and setuid = on, user-id set to owner of the file being executed
  • When execution completes, user-id is reset
  • “ps” is a setuid program, as is “lpr”.
Domain Implementation
• MULTICS
  • Precursor to UNIX, by MIT & GE
  • “Ring” protection system, by Bob Graham
Multics: Rings
• Nested domain structure (“rings”)
• Let Di and Dj be any two domain rings
  • If j < i, then Di ⊆ Dj
  • lower-level ring = more privileges
• Each process maintains its current ring number
Access Matrix
• Column = access-control list for one object
  • Defines who can perform what operation
• Row = capability list
  • Operations allowed on what objects, per domain
Use of Access Matrix (Cont.)
• Design separates mechanism from policy
• Mechanism
  • Operating system provides access-matrix + rules.
  • Ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced
• Policy
  • User dictates policy: who can access what object and in what mode
Dynamic Access Matrices
• Extend for dynamic protection: operations to add, delete access rights
  • transfer – switch from domain Di to Dj
  • owner of Oi
  • copy op from Oi to Oj
  • control – Di can modify Dj’s access rights
Switching Domains
• Switching domains: add domains as objects!
Access Matrix with Copy Rights
• Asterisk denotes that access right can be copied within column
Access Matrix With Owner Rights
• Ownership: can add new rights, remove some rights
Control: Modifying Access Matrix
• Control: process executing in one domain can modify another domain
• Example: D2 changes D4
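The access-matrix rules from the last several slides (switch via domains-as-objects, copy rights marked with an asterisk, owner rights over a column, control rights over a row) as one small simulation. This is an added example, not code from the lecture; the class, method and domain/object names are constructed for illustration.

```python
class AccessMatrix:
    # m[domain][object] is a set of rights; a right ending in '*' is a copy
    # right. Domains also appear as objects, so 'switch'/'control' live here.
    def __init__(self):
        self.m = {}

    def grant(self, dom, obj, *rights):
        self.m.setdefault(dom, {}).setdefault(obj, set()).update(rights)

    def rights(self, dom, obj):
        return self.m.get(dom, {}).get(obj, set())

    def allowed(self, dom, obj, op):     # mechanism: entry must hold the op
        r = self.rights(dom, obj)
        return op in r or op + "*" in r

    def switch(self, cur, target):       # needs 'switch' in column `target`
        if not self.allowed(cur, target, "switch"):
            raise PermissionError(f"{cur} cannot switch to {target}")
        return target

    def copy(self, src, obj, dst, op):   # only '*' rights copy, same column only
        if op + "*" not in self.rights(src, obj):
            raise PermissionError(f"{src} has no copy right for {op} on {obj}")
        self.grant(dst, obj, op)         # copied without the '*'

    def owner_add(self, owner, obj, dom, *add):  # owner edits its column
        if "owner" not in self.rights(owner, obj):
            raise PermissionError(f"{owner} does not own {obj}")
        self.grant(dom, obj, *add)

    def control_remove(self, ctl, target, obj, op):  # ctl edits target's row
        if "control" not in self.rights(ctl, target):
            raise PermissionError(f"{ctl} does not control {target}")
        self.rights(target, obj).discard(op)


def demo():
    am = AccessMatrix()
    am.grant("D1", "F1", "read*")            # D1 may read F1 and pass it on
    am.grant("D1", "F2", "owner", "write")   # D1 owns F2
    am.grant("D1", "D2", "switch")           # D1 may switch into D2
    am.grant("D2", "D4", "control")          # slide example: D2 changes D4
    am.grant("D4", "F2", "write")
    am.copy("D1", "F1", "D3", "read")        # D3 now has plain read on F1
    am.owner_add("D1", "F2", "D3", "read")
    am.control_remove("D2", "D4", "F2", "write")
    return (am.switch("D1", "D2"), am.allowed("D3", "F1", "read"),
            am.allowed("D3", "F2", "write"), am.allowed("D4", "F2", "write"))
```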
Implementation of Access Matrix
• Global table – <domain, object, right-set>
  • Too large, no grouping
• Access list – <domain, right-set> per object
  • Simple
• Capability list – list of objects + operations
  • Object name = capability (think: special pointer)
  • Check in capability list for access
Revocation of Access Rights
• Access-list scheme:
  • Search for right to be revoked, delete
  • Immediate, can be selective (just affect some users), can be partial (just some rights revoked)
Revocation of Access Rights
• Capabilities: more complicated
  • Reacquisition:
    • Try to reacquire after deletion
  • Back-pointers: point from object to capabilities
    • Expensive (used in MULTICS)
  • Indirection:
    • Capability points to entry in table
    • Not selective
  • Keys:
    • One key per capability
    • Check in global key table
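The indirection and key schemes for capability revocation, side by side, as an added example (not lecture code; the kernel class, its method names and the object names are constructed). It shows why indirection is not selective while per-capability keys are.

```python
import secrets

class CapabilityKernel:
    def __init__(self):
        self.table = {}   # indirection: index -> (object, ops), None once revoked
        self.keys = {}    # global key table: key -> (object, ops)

    # ---- Indirection: the capability is an index into a kernel table ----
    def issue_indirect(self, obj, ops):
        idx = len(self.table)
        self.table[idx] = (obj, frozenset(ops))
        return idx                          # handed to the process as its capability

    def use_indirect(self, cap, op):
        entry = self.table.get(cap)
        return entry is not None and op in entry[1]

    def revoke_indirect(self, cap):
        # Clearing the entry cuts off every holder of this index at once,
        # so revocation is not selective.
        self.table[cap] = None

    # ---- Keys: one fresh key per capability, checked in a global table ----
    def issue_keyed(self, obj, ops):
        key = secrets.token_hex(8)
        self.keys[key] = (obj, frozenset(ops))
        return (obj, key)

    def use_keyed(self, cap, op):
        obj, key = cap
        entry = self.keys.get(key)          # stale or unknown key => denied
        return entry is not None and entry[0] == obj and op in entry[1]

    def revoke_keyed(self, cap=None, obj=None):
        # Selective: drop one capability's key, or every key for an object
        for k, (o, _) in list(self.keys.items()):
            if (cap is not None and k == cap[1]) or (obj is not None and o == obj):
                del self.keys[k]

def demo():
    k = CapabilityKernel()
    shared = k.issue_indirect("F1", {"read"})  # two processes share this index
    p1 = k.issue_keyed("F1", {"read"})
    p2 = k.issue_keyed("F1", {"read"})
    k.revoke_indirect(shared)                  # both holders lose F1
    k.revoke_keyed(cap=p1)                     # only P1 loses F1
    return (k.use_indirect(shared, "read"), k.use_keyed(p1, "read"),
            k.use_keyed(p2, "read"))
```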
Language-Based Protection
• Specification of protection in programming language:
  • Allows high-level description of policies for allocation and use of resources
  • Example: Java
• Language implementation:
  • Can provide software for protection enforcement when automatic hardware-supported checking is unavailable
  • Interpret protection specifications to generate calls on whatever protection system is provided by hardware and OS
Security
• The Security Problem
• Authentication
• Program Threats
• System Threats
• Threat Monitoring
• Encryption
The Security Problem
• Security must consider external environment of the system, and protect it from:
  • unauthorized access
  • malicious modification or destruction
  • accidental introduction of inconsistency
• Easier to protect against accidental than malicious misuse
Authentication
• User identity most often established through passwords, which can be considered a special case of either keys or capabilities.
• Passwords must be kept secret.
  • Frequent change of passwords
  • Use of “non-guessable” passwords
  • Log all invalid access attempts
Program Threats (“Malware”)
• Trojan Horse
  • Code segment that misuses its environment
  • Exploits mechanisms for allowing programs written by users to be executed by other users
• Trap Door
  • Specific user identifier or password that circumvents normal security procedures.
  • Could be included in compiler
System Threats: Worms
• Worms – use spawn mechanism; standalone program
  • Exploited UNIX networking features (remote access) and bugs in finger and sendmail programs
  • Grappling hook program uploaded main worm program
System Threats: Viruses
• Viruses – fragment of code embedded in a legitimate program
  • Mainly affect PCs, infected via Internet
  • “Old days”: exchanging floppy disks containing an infection
Threat Monitoring
• Check for suspicious patterns of activity
  • e.g., several incorrect password attempts may signal password guessing
• Audit log
  • Records time, user, & type of all accesses to an object
  • Useful for recovery from a violation and for developing better security measures
• Scan system periodically for security holes
  • Done when the computer is relatively unused
Threat Monitoring (Cont.)
• Check for:
  • Short or easy-to-guess passwords
  • Unauthorized setuid programs
  • Unauthorized programs in system directories
  • Unexpected long-running processes
  • Improper directory protections
  • Improper protections on system data files
  • Dangerous entries in the program search path (Trojan horse)
  • Changes to system programs: monitor checksum values
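Three of the periodic checks on the slide (unauthorized setuid programs, dangerous search-path entries, changed system programs) run over a constructed in-memory file table. Added example, not from the lecture; the file table, baseline checksums and allowed-setuid list are made up, and a real scanner would gather the same data with os.walk and os.stat.

```python
import hashlib
import stat

# Constructed sample: path -> (POSIX mode bits, file contents)
FILES = {
    "/bin/ls":         (0o100755, b"ls build 2"),
    "/usr/bin/lpr":    (0o104755, b"lpr"),       # setuid, expected (slide: lpr)
    "/tmp/unexpected": (0o104755, b"???"),       # setuid, not on the allow list
    "/tmp":            (0o041777, b""),          # world-writable directory
    "/usr/local/bin":  (0o040755, b""),
}
# Checksums recorded while the system was known-good (constructed baseline)
BASELINE = {"/bin/ls": hashlib.sha256(b"ls build 1").hexdigest()}
ALLOWED_SETUID = {"/usr/bin/lpr"}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def changed_programs(files, baseline):
    # A program whose checksum no longer matches the baseline was modified
    return sorted(p for p, h in baseline.items()
                  if p in files and sha256(files[p][1]) != h)

def unauthorized_setuid(files, allowed):
    return sorted(p for p, (mode, _) in files.items()
                  if mode & stat.S_ISUID and p not in allowed)

def dangerous_path_entries(path, files):
    bad = []
    for d in path.split(":"):
        if d in ("", "."):                       # current directory: Trojan-horse risk
            bad.append(d or "(empty)")
        elif d in files and files[d][0] & stat.S_IWOTH:
            bad.append(d)                        # anyone can plant a program here
    return bad

def audit(files=FILES, baseline=BASELINE, allowed=ALLOWED_SETUID,
          path="/tmp:/usr/local/bin:.:/bin"):
    return {"changed": changed_programs(files, baseline),
            "setuid": unauthorized_setuid(files, allowed),
            "path": dangerous_path_entries(path, files)}
```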
Encryption
• Encrypt clear text into cipher text, and vice versa
• Properties of good encryption technique:
  • Relatively simple for authorized users to encrypt and decrypt data
  • Encryption scheme depends not on secrecy of algorithm but on a parameter of the algorithm called the encryption key
  • Extremely difficult for an intruder to determine the encryption key
• Advanced Encryption Standard now standard (Rijndael)
Encryption (Cont.)
• Public-key encryption based on each user having two keys:
  • public key – published key used to encrypt data
  • private key – key known only to individual user, used to decrypt data
• Encryption scheme is public, but still strong
  • No reliance on security through obscurity
• Basis of these:
  • Easy to multiply primes, but hard to factor this product
Summary
• Protection
  • Protection Domains, Access Matrix, Revocation of Access Rights, Capability-Based Systems, Language-Based Protection
• Security
  • Authentication, Program Threats, System Threats, Threat Monitoring, Encryption