
Module 18: Protection

Module 18: Protection. Topics: Goals of Protection, Domain of Protection, Access Matrix, Implementation of Access Matrix, Revocation of Access Rights, Capability-Based Systems, Language-Based Protection, Domain Structure.



  1. Module 18: Protection
  • Goals of Protection
  • Domain of Protection
  • Access Matrix
  • Implementation of Access Matrix
  • Revocation of Access Rights
  • Capability-Based Systems
  • Language-Based Protection
  Applied Operating System Concepts

  2. Domain Structure
  • Protection problem: ensure that each object is accessed correctly and only by those processes that are allowed to do so (an internal problem).
  • Security problem: preserve the system and its data (also involves the external environment).
  • Access right = <object-name, rights-set>; "rights-set" is a subset of the operations that can be performed on the object.
  • Domain = set of access rights, {<obj name, op>, <name, op>, <name, op>}.
  • Subject: a person (user-id), a process, or a function.
  • Example: <homework.hwp, {R, W}>, <game.EXE, {X}>.
  • Domains need not be disjoint.

  3. Domain
  • Static vs. dynamic domain: association over the process lifetime.
  • "Need-to-know" principle.
  • Phases within process execution.
  • What a domain can be:
    1. User is domain: login / logout changes the domain.
    2. Process is domain.
    3. Procedure is domain.
  • Protection (access rights) is needed on multi-user systems (UNIX, Linux / servers) more than on single-user systems (Windows / PC).

  4. The UNIX case
  • The system consists of 2 domains:
    • User (lee, park, kim): can access only his own resources.
    • Supervisor: can access any resource in the system.
  • UNIX example: Domain = user-id.
    • e.g. "lee" logs in → works for a while → changes password; but "lee" cannot write to the system-wide password file.
  • Domain switch is accomplished as follows:
    • Each file can have an extra domain bit (called the "setuid" bit in UNIX).
    • File A in this example updates the password file.
    • When file A is executed and the "setuid" bit of file A is on, the current user-id "lee" is switched to superuser until file A completes.
    • When execution of file A completes, the user-id is reset back to "lee".

  5. Access Matrix
  • Figure 1 (example): domain D3 = { <file-2, R>, <file-3, X> }.
  • When a user creates a new file with hwp, cc, etc., default values are assigned to its entries.

  6. For Dynamic Protection, i.e. dynamic association between process and domain:
  • Switch right
  • Copy right
  • Transfer right
  • Limited copy right
  • Owner right
  • Control right

  7. "Switch" right: Di can switch to another protection domain.
  • Figure 18-4: D2 can "switch" to D3 or D4.

  8. "Copy" right (Figure 18-5)
  • An asterisk (*) means the right can be copied up or down the column.
  • Copying changes entries within a column (the same object).

  9. "Limited copy" right (Figure 18-5)
  • The copied right is not marked with (*), so it cannot be copied further down.
  • D2 can give R to D3, but D3 cannot propagate R.

  10. "Transfer" right (Figure 18-5)
  • "Copy" from (m, j) to (n, j), then remove the original entry; the net effect is a "transfer".
  • In the figure, R is copied to the new entry and the original R is removed.

  11. "Owner" right
  • The "owner" right can change any entry in this column.
  • Example: if D2 is the owner of file F3, D2 can decide what others are allowed to do with F3.

  12. "Control" right
  • [Figure: row D4 = write*, read, read, switch]
  • Example: if D2 has control over D4, D2 can modify D4's row.
  • The "control" right can change rows.
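The rights of slides 6 to 12 worked through in code, as an added example that is not from the lecture: a small access matrix in which the copy flag, limited copy, transfer, owner and control rules are enforced by the matrix itself (domain and object names are constructed).

```python
# Added example (not from the lecture): an access matrix with the switch /
# copy / limited copy / transfer / owner / control rules above. Rows are
# domains, columns are objects; a trailing "*" on a right is the copy flag.

class AccessMatrix:
    def __init__(self):
        self.m = {}  # m[domain][object] -> set of rights
    def grant(self, dom, obj, *rights):
        self.m.setdefault(dom, {}).setdefault(obj, set()).update(rights)

    def rights(self, dom, obj):
        return self.m.get(dom, {}).get(obj, set())

    def can_switch(self, dom, target):  # "switch" right: dom -> target
        return "switch" in self.rights(dom, target)

    def copy(self, src, dst, obj, r, limited=False):
        # src needs r* on obj; dst gets r* (copy) or plain r (limited copy),
        # so a limited copy cannot be propagated further by dst.
        if r + "*" not in self.rights(src, obj):
            return False
        self.grant(dst, obj, r if limited else r + "*")
        return True

    def transfer(self, src, dst, obj, r):
        # copy from (src, obj) to (dst, obj), then remove the original entry
        if self.copy(src, dst, obj, r):
            self.m[src][obj].discard(r + "*")

    def owner_set(self, owner, dom, obj, rights):
        # "owner" right: owner may change any entry in obj's column
        if "owner" not in self.rights(owner, obj):
            raise PermissionError(f"{owner} does not own {obj}")
        self.m.setdefault(dom, {})[obj] = set(rights)

    def control_set(self, ctrl, dom, obj, rights):
        # "control" right: ctrl may change any entry in dom's row
        if "control" not in self.rights(ctrl, dom):
            raise PermissionError(f"{ctrl} has no control over {dom}")
        self.m.setdefault(dom, {})[obj] = set(rights)

def demo():
    am = AccessMatrix()
    am.grant("D2", "F3", "owner", "read*")     # D2 owns F3, holds read*
    am.grant("D2", "D4", "switch", "control")  # D2 may switch to / control D4
    am.copy("D2", "D3", "F3", "read", limited=True)  # D3 gets plain read
    blocked = not am.copy("D3", "D1", "F3", "read")  # D3 cannot pass it on
    am.transfer("D2", "D1", "F3", "read")      # D1 gains read*, D2 loses it
    am.owner_set("D2", "D4", "F3", {"write"})  # owner edits F3's column
    am.control_set("D2", "D4", "F1", {"read"}) # controller edits D4's row
    return am, blocked
```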

  13. Use of Access Matrix (Cont.)
  • Access matrix design separates mechanism from policy.
  • Mechanism (how to do it):
    • The operating system provides the access matrix plus rules.
    • It ensures that the matrix is manipulated only by authorized agents and that the rules are strictly enforced.
  • Policy (what to do):
    • The user dictates policy: who can access what object and in what mode.
  • Implementation: the matrix is sparse and big.

  14. Implementation of Access Matrix
  • Each column = access-control list for one object. Defines who can perform what operation on this object:
    Domain 1 = Read, Write
    Domain 2 = Read
    Domain 3 = Read
  • Each row = capability list (like a key). For each domain, what operations are allowed on what objects:
    Object 1 – Read
    Object 4 – Read, Write, Execute
    Object 5 – Read, Write, Delete, Copy

  15. Revocation of Access Rights
  • Access list: delete access rights from the access list. Simple, immediate.
  • Capability list: a scheme is required to locate the capability in the system before the capability can be revoked.
  • Examples with access lists:
    "For f2, revoke R from every process P" … (easy)
    "For P451, revoke W on every file F" … (expensive)
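The two representations of slide 14 and the revocation cost of slide 15, as an added example not from the lecture: the same matrix stored per object (access lists) and per domain (capability lists), with each revocation function returning how many lists it had to examine. The matrix contents are constructed.

```python
# Added example (not from the lecture): the matrix stored by column (access
# lists) and by row (capability lists), showing the slide-15 asymmetry: "revoke
# R on f2 from every P" touches one ACL; "revoke W on every F from P451" does not.

def build_acls(matrix):
    """{domain: {obj: rights}} -> {obj: {domain: rights}} (one list per object)"""
    acls = {}
    for dom, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[dom] = set(rights)
    return acls

def build_caps(matrix):
    """One capability list per domain: a copy of the matrix row."""
    return {dom: {obj: set(r) for obj, r in row.items()} for dom, row in matrix.items()}

def revoke_on_object(acls, obj, right):
    """Access-list case from the slide: one list, every domain loses `right`."""
    for rights in acls.get(obj, {}).values():
        rights.discard(right)
    return 1                     # lists examined

def revoke_from_domain_acl(acls, dom, right):
    """Expensive case from the slide: every object's ACL must be scanned."""
    examined = 0
    for obj_acl in acls.values():
        examined += 1
        if dom in obj_acl:
            obj_acl[dom].discard(right)
    return examined

def revoke_from_domain_caps(caps, dom, right):
    """With capability lists the domain's own list is the cheap case..."""
    for rights in caps.get(dom, {}).values():
        rights.discard(right)
    return 1

def revoke_on_object_caps(caps, obj, right):
    """...and revoking one object's right means locating it in every list."""
    examined = 0
    for row in caps.values():
        examined += 1
        if obj in row:
            row[obj].discard(right)
    return examined

# Constructed matrix: processes P1, P3, P5, P451 (rows) and files f1..f3.
MATRIX = {
    "P1":   {"f1": {"R", "W"}, "f2": {"R"}},
    "P3":   {"f2": {"R", "W"}, "f3": {"R"}},
    "P5":   {"f2": {"R"}},
    "P451": {"f1": {"W"}, "f2": {"R", "W"}, "f3": {"W"}},
}
```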

  16. Capability-Based Systems
  • Hydra
    • Fixed set of access rights known to and interpreted by the system.
    • Interpretation of user-defined rights performed solely by the user's program; the system provides access protection for use of these rights.
  • Cambridge CAP System
    • Data capability: provides standard read, write, execute of individual storage segments associated with an object.
    • Software capability: interpretation left to the subsystem, through its protected procedures.

  17. Language-Based Protection
  • Specification of protection in a programming language allows the high-level description of policies for the allocation and use of resources.
  • Language implementation can provide software for protection enforcement when automatic hardware-supported checking is unavailable.
  • Interpret protection specifications to generate calls on whatever protection system is provided by the hardware and the operating system.

  18. 18.3 The Information Flow Problem (Confinement Problem)
  • [Figure: processes P(soldier), P(division commander), P(president), P(reporter) and objects F2, F3]
  • Can information initially held in an object migrate outside of its execution environment?
  • This cannot be controlled with access control alone:
    • Pp has access rights to Oi, so it reads Oi.
    • Pp obtains a private copy of Oi.
    • What if Pp then hands that copy to another process Pq at will?
  • Example: general R, W; soldier W (reporting) but not Read. People have security levels (general, soldier).
  • Information flow control between classification levels.
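The confinement scenario above, as an added example not from the lecture: a simple multilevel policy (an assumed rule in the spirit of mandatory access control: a subject may read objects at or below its level and write objects at or above it) shows why the private copy Pp obtains cannot be handed down to Pq. Level names are constructed from the figure.

```python
# Added example (not from the lecture): the confinement problem above, with
# a lattice of clearance levels (soldier < division commander < president)
# and a reporter outside the chain. Rule used (an assumption, in the style
# of mandatory access control): a subject may read objects at or below its
# level and write objects at or above it, so a private copy cannot be handed
# down to a lower-level process.

LEVELS = {"unclassified": 0, "soldier": 1, "division_commander": 2, "president": 3}

def can_read(subject_level, object_level):
    return LEVELS[subject_level] >= LEVELS[object_level]   # no read up

def can_write(subject_level, object_level):
    return LEVELS[subject_level] <= LEVELS[object_level]   # no write down

class Store:
    def __init__(self):
        self.objects = {}   # name -> (level, content)

    def create(self, name, level, content=""):
        self.objects[name] = (level, content)

    def read(self, subject_level, name):
        level, content = self.objects[name]
        if not can_read(subject_level, level):
            raise PermissionError(f"{subject_level} cannot read {name} ({level})")
        return content

    def write(self, subject_level, name, content):
        level, _ = self.objects[name]
        if not can_write(subject_level, level):
            raise PermissionError(f"{subject_level} cannot write {name} ({level})")
        self.objects[name] = (level, content)

def scenario():
    """Pp (division commander) reads a commander-level file F3, then tries to
    hand a copy to Pq (reporter, unclassified) through a shared file F2."""
    s = Store()
    s.create("F3", "division_commander", "troop positions")
    s.create("F2", "unclassified", "")
    s.write("soldier", "F3", "report: all quiet")        # soldier reports up
    copy = s.read("division_commander", "F3")            # Pp gets a private copy
    leaked = True
    try:
        s.write("division_commander", "F2", copy)        # write down: blocked
    except PermissionError:
        leaked = False
    reporter_sees = s.read("unclassified", "F2")
    return leaked, reporter_sees
```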

  19. Module 19: Security
  • The Security Problem
  • Authentication
  • Program Threats
  • System Threats
  • Threat Monitoring
  • Encryption

  20. The Security Problem
  • Malicious or accidental.
  • Kinds of malicious access: read (theft), write (tampering), destruction.
  • High level (external security):
    • Physical level: guards, entry control, CCTV, ...
    • Human level:
      • Classification of people and information
      • Division of responsibility
      • Authorization: user-id approval procedures, etc.
      • Monitoring, auditing (automatic log recording)
  • Low level (internal security): security at the OS level (the subject of this chapter):
    • Passwords
    • Encryption
    • Process threats, etc.

  21. 19.2 Authentication
  • User identity: is the user's identity authentic?
    • Possession: card, key
    • Knowledge: password, user-id, other knowledge
    • Attribute: fingerprint, signature, voice, ...
  • Problems with passwords:
    • Hard to keep safely.
    • If long or hard to memorize, users write them down.
    • Forms of leakage:
      • Guessing / trying all combinations is easy
      • Over the shoulder
      • Sniffing the network

  22. Unix and passwords
  • [Figure: 8 character positions, 26 choices each (26)(26)…(26) vs. 52 choices each (52)(52)…(52)]
  • DES (Data Encryption Standard) algorithm.
  • The /etc/passwd file stores the password in encrypted form (even the superuser cannot decode it).
    • Example entry: koh:v3iiDXuMFyM4o:213:200:/u2/koh/:/bin/sh:
  • At login the typed password is encrypted and compared with /etc/passwd.
  • Once encrypted, almost impossible to decrypt: f(x) cannot be inverted, information is lost.
    • f(x) is easy to compute given x (by contrast, encryption is fully reversible).
    • But not the reverse: given f(x), x is hard to get.
  • 8-character password → 2.28 billion years (assuming 10 encryptions / sec).
  • Hardware keeps improving: password crackers (Morris worm).
  • Choose a password that is hard to guess:
    • A dictionary word such as "lee" is guessed in only a few seconds.
    • "pklhw" (easy to memorize, hard to crack: "prof koh loves his wife").
    • Non-dictionary words, upper/lower case, digits, special characters ( _ ): greatly increases cracking time.
  • Password aging: when the period expires, prompt for a new password.
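Added example, not from the lecture: the one-way storage and login comparison above. The DES-based UNIX crypt is replaced by salted SHA-256 from hashlib (an assumption), the field layout of the /etc/passwd line is kept, and the dictionary is a constructed toy wordlist used as a password-policy check.

```python
# Added example (not from the lecture): one-way password storage and the
# login comparison described above. The DES-based crypt(3) of old UNIX is
# replaced here by salted SHA-256 from hashlib (an assumption, since crypt is
# no longer shipped with Python); the shape of the /etc/passwd record is kept.
import hashlib, secrets

def hash_password(password, salt):
    """f(x): easy to compute, not reversible (information is lost)."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()

def make_passwd_entry(user, password, uid, gid, home, shell):
    salt = secrets.token_hex(4)
    return f"{user}:{salt}${hash_password(password, salt)}:{uid}:{gid}:{home}:{shell}"

def parse_passwd_entry(line):
    user, field, uid, gid, home, shell = line.rstrip(":").split(":")
    salt, digest = field.split("$")
    return {"user": user, "salt": salt, "digest": digest, "uid": int(uid),
            "gid": int(gid), "home": home, "shell": shell}

def login(entry_line, typed_password):
    """At login: hash what was typed and compare with the stored value."""
    e = parse_passwd_entry(entry_line)
    return hash_password(typed_password, e["salt"]) == e["digest"]

# Constructed toy dictionary for a password-policy check; a real cracker's
# wordlist is far larger, which is why "lee" falls in seconds.
DICTIONARY = ["lee", "park", "kim", "password", "korea", "seoul"]

def in_dictionary(entry_line):
    """Defensive check: does any dictionary word hash to the stored digest?"""
    e = parse_passwd_entry(entry_line)
    return any(hash_password(w, e["salt"]) == e["digest"] for w in DICTIONARY)
```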

  23. "One-time password"
  • Solves the password-exposure problem.
  • The user carries a card: inside are a calculator, a keypad, and a display.
  • The user enters a PIN (Personal ID No.); this is a shared secret that the system also knows.
  • The current time is used as a random seed.
  • f(seed, secret) → a one-time password is displayed (a function of time and PIN).
  • Discarded after use.
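Added example, not from the lecture: the card's f(seed, secret) and the server-side check. HMAC-SHA256 over the current time window, truncated to six digits, stands in for the card's function (an assumption), and a value is discarded once used so it cannot be replayed.

```python
# Added example (not from the lecture): the card's f(seed, secret) with the
# current time as seed and the PIN as shared secret. HMAC-SHA256 truncated to
# 6 digits stands in for the card's function (an assumption); the server
# keeps the same PIN, recomputes the value for the current time window and
# refuses a password that has already been used.
import hmac, hashlib

STEP = 30  # seconds per time window (assumed)

def otp(pin, now, step=STEP):
    """One-time password for the time window containing `now` (epoch secs)."""
    window = int(now) // step
    mac = hmac.new(pin.encode(), window.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

class OtpServer:
    def __init__(self, pins):
        self.pins = pins          # user -> shared PIN
        self.used = set()         # (user, window) pairs already consumed

    def verify(self, user, candidate, now, step=STEP):
        window = int(now) // step
        if user not in self.pins or (user, window) in self.used:
            return False          # unknown user, or password already spent
        if not hmac.compare_digest(candidate, otp(self.pins[user], now, step)):
            return False
        self.used.add((user, window))   # discard after use
        return True
```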

  24. 19.3 Program Threats
  • Trojan Horse
    • Code segment that misuses its environment.
    • e.g. a fake login program steals the password first, then starts the real login program.
    • e.g. a search tool inside PPT (search file name = *.ppt) → reads every ppt file.
    • e.g. router, handler, ...
    • Exploits mechanisms for allowing programs written by A to be executed by B. (The designer of program A is the culprit; B is deceived into running it.)
  • Trap Door
    • The software designer plants a function that only he can use.
    • e.g. siphoning off the fractional amounts from bank balances.
    • Could be included in a compiler.
    • Cannot be discovered without looking at the source code.
    • The software designer is the culprit.

  25. 19.4 System Threats
  • Worms: use the spawn mechanism (child process creation); mass-produce countless programs to overwhelm the machine. Internet worm: spawns across the Internet.
  • Viruses
    • Fragment of code embedded in a legitimate program (a worm is an independent program).
    • Rampant on single-user systems such as PCs (no protection).
  • Antivirus programs
    • Search for specific instruction code patterns.
    • New virus → new antivirus program.
    • Use only genuine software.
    • Be thoroughly prepared (formatting, etc.) in case of trouble, especially for the boot sector.
    • At every boot, compute and store checksums of files; compare on reboot.

  26. Management techniques for improving security
  • Threat monitoring
    • Watch for suspicious behavior.
    • e.g. when wrong passwords are repeated ...
  • Audit log
    • Records activity (time / user / accesses / object).
    • File size is a problem.
  • Periodic audits
    • Easy-to-guess passwords; programs that have been running for a very long time
    • Changed checksums; new files in the system area ...
  • Physical isolation (a network connection adds risk)
    • Physical lock / room, disallow all remote accesses ...
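Added example, not from the lecture: threat monitoring over a constructed audit log whose records carry time / user / access / object, flagging the repeated-wrong-password case named above. The record format and the threshold are assumptions.

```python
# Added example (not from the lecture): threat monitoring over an audit log
# whose records carry time / user / access / object, flagging the "repeated
# wrong password" case from the slide. Log lines are constructed here; the
# format (ISO time, user, action, object, result) is an assumption.
from collections import defaultdict
from datetime import datetime, timedelta

AUDIT_LOG = """\
2024-03-01T09:00:01 lee login tty1 ok
2024-03-01T09:05:10 park login tty2 fail
2024-03-01T09:05:14 park login tty2 fail
2024-03-01T09:05:19 park login tty2 fail
2024-03-01T09:05:25 park login tty2 fail
2024-03-01T09:30:00 kim read f2 ok
2024-03-01T10:15:00 kim login tty3 fail
2024-03-01T11:40:00 kim login tty3 fail
""".splitlines()

def parse(line):
    t, user, action, obj, result = line.split()
    return datetime.fromisoformat(t), user, action, obj, result

def repeated_failures(lines, threshold=3, window=timedelta(minutes=5)):
    """Users with >= threshold failed logins inside some span of length `window`;
    the value is the largest such run seen for that user."""
    fails = defaultdict(list)
    for t, user, action, _, result in map(parse, lines):
        if action == "login" and result == "fail":
            fails[user].append(t)
    flagged = {}
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over the times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
    return flagged
```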

  27. Network Security Through Domain Separation Via Firewall
  • [Figure: 1. untrusted, 2. semitrusted, 3. trusted zones separated by the firewall]
  • Firewall (router or computer):
    • Monitor all network accesses
    • Separate trusted / untrusted systems
    • Log all connections

  28. 19.6 Encryption
  • What if information must unavoidably be exposed?
    • e.g. communication, DB environments → encrypt → cannot be decoded without the secret key.
  • Properties of a good encryption technique:
    • Relatively simple for authorized users to encrypt and decrypt data.
    • The encryption scheme depends not on the secrecy of the algorithm but on a parameter of the algorithm called the encryption key.
    • Extremely difficult for an intruder to determine the encryption key.
  clear text → [encrypt] → cipher text (transmitted) → [decrypt] → original clear text
               encryption key (sender)                 decryption key (receiver)
  • The key value must be delivered to sender and receiver before transmission (over a secure channel).

  29. Key management
  • Remote: how is the key delivered? (a certificate authority issues encrypted certificates)
  • How often is it changed?
  • What if one person abuses the key? (Key escrow: split the key among N people)
  • RSA, DES, El Gamal, etc.
  • Cryptanalysis (the opposite of cryptography; Prof. 박근수)
    • Recover the clear text directly from the cipher text without the key (e.g. by comparing code frequencies).
    • RSA and the like have never been broken (exponential complexity).
  • Example: (ASCII code + 3), i.e. "A" becomes "D": a private-key scheme.
  clear text → [encrypt] → cipher text (transmitted) → [decrypt] → original clear text
               encryption key ("add 3")                decryption key (3)
  • Example: a random-number table (mapping table = key): also a private-key scheme.

  30. Public key encryption (e.g. RSA)
  • Public key = (e, n)
  • Private key = (d, n)
  • Break a long message into short messages M; treat M as an integer in [0, n-1].
  • Encrypt: E(M) = M^e mod n = C (the sender; M is the plaintext, C the ciphertext). That is, multiply M by itself e times, reducing mod n in between.
  • Decrypt: D(C) = C^d mod n (the receiver decodes C by multiplying it by itself d times):
      ((M^e mod n) × (M^e mod n) … (M^e mod n)) mod n, repeated d times
      = (M^e)^d mod n
      = M, after the modulo operations.
  • The keys are chosen so that the above property holds (e·d ≡ 1 mod K) and so that publishing e does not reveal d.
  • Anyone who knows (e, n) can send encrypted messages (the public key).
  • Without (d, n) the message cannot be decrypted.
  • {e, d, n} is designed so that knowing (e, n) does not reveal d.

  31. Applications of encryption: problems in everyday life
  • Digital signature
    • The inverse of RSA.
    • Only one sender can generate the signature (private key).
    • All others can read the signature (public key).
  • Certified mail: A wants proof that B received the file.
  • Contract signing: both parties commit to one document simultaneously.
  • Kerberos
    • Log in once on one server connected to the LAN and use all the other servers.
    • e.g. Seoul National University e-mail server, bulletin-board server, ...
  • What if a false message is encrypted and inserted between messages?
    • Encrypt a checksum (reduced form) as well and use it.
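Added example, not from the lecture, serving slides 30 and 31: textbook RSA with constructed toy primes. Encryption uses (e, n), decryption (d, n), a long message is broken into blocks below n, and the signature is the inverse operation applied to a checksum of the message (SHA-256 reduced mod n, an assumption about the "reduced form").

```python
# Added example (not from the lecture, serving slides 30 and 31): textbook RSA
# with small constructed primes. Encryption uses (e, n), decryption (d, n);
# the signature is the "inverse": the sender applies d to a checksum of the
# message and anyone with (e, n) checks it. Toy key sizes, for illustration.
import hashlib

def egcd(a, b):
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(e, k):
    g, x, _ = egcd(e, k)
    assert g == 1, "e must be coprime to K"
    return x % k            # e*d = 1 mod K

def keygen(p, q, e=17):
    n, k = p * q, (p - 1) * (q - 1)   # K = (p-1)(q-1) in the slide's notation
    return (e, n), (modinv(e, k), n)

def encrypt(pub, m):
    e, n = pub
    return pow(m, e, n)               # C = M^e mod n

def decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)               # M = C^d mod n

def encrypt_text(pub, text):
    """Break a long message into blocks M in [0, n-1]: one byte per block."""
    return [encrypt(pub, b) for b in text.encode()]

def decrypt_text(priv, blocks):
    return bytes(decrypt(priv, c) for c in blocks).decode()

def checksum(text, n):
    """Reduced form of the message, as an integer below n."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % n

def sign(priv, text):
    d, n = priv
    return pow(checksum(text, n), d, n)   # RSA "in reverse": apply d

def verify(pub, text, sig):
    e, n = pub
    return pow(sig, e, n) == checksum(text, n)
```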

  32. 19.7 Computer Security Classification
  • U.S. Department of Defense classification criteria: A, B, C, D.
  • Class D: DOS, Windows; the lowest class.
  • Class C: is auditing mandatory?
    • C1 (UNIX): protection? Can access to a file be restricted down to individual users?
    • C2 (secure UNIX): can specific users be singled out for auditing? Can a storage object discarded by one user be reused by another?
  • Class B: multi-level security; even the superuser is restricted.
    • B1: a security level for every {person} and {object}: mandatory access control (no access upward); security level printed at the top and bottom of every page, etc.; security levels extended to all resources, etc.
    • B2: a monitor for events that violate policy.
    • B3
  • A1: formal proof.
  • Computers rated A or B are banned from export; one reason Linux has spread to many countries.

  33. Java Security Model
