CHAPTER 4
Protection in General-Purpose Operating Systems
(c) by Syed Ardi Syed Yahya Kamal, UTM 2004

Objectives
• Identify the protection features provided by the operating system
• Explain the need for protection and controls in the OS
• Define memory and address protection in a general OS
• Explain the file protection mechanisms in an OS
• Discuss what user authentication is and understand the need for authentication in a general OS
Protected Objects and Methods of Protection
• A bit of history ...
• Once upon a time, there was no OS.
• Executives were designed to assist individual programmers and to smooth the transition from one user to another.
• Monitors maintained control over all resources.

Protected Objects
• The rise of multiprogramming meant that several kinds of resource required protection:
  • Memory
  • Sharable I/O devices, such as disks
  • Serially reusable I/O devices, such as printers
  • Sharable programs
  • Network
  • Sharable data
Security Methods of OS
• The basis of protection is separation: keeping one user's objects separate from other users'.
• Separation can occur in several ways:
  • physical separation, in which different processes use different physical objects, such as separate printers for output requiring different levels of security
  • temporal separation, in which processes having different security requirements are executed at different times
  • logical separation, in which users operate under the illusion that no other processes exist, as when an operating system constrains a program's accesses so that the program cannot access objects outside its permitted domain
  • cryptographic separation, in which processes conceal their data and computations in such a way that they are unintelligible to outside processes

Security Methods of OS (cont)
• Levels of protection:
  • Do not protect
  • Isolate
  • Share all or share nothing
  • Share via access limitation
  • Share by capability
  • Limit use of an object
[Figure: fence register layout. Addresses 0 to n hold the OS; addresses n+1 up to high memory hold the user program space.]

Memory and Address Protection
• Fence
  • Introduced in single-user OS.
  • Prevents a faulty user program from destroying part of the resident portion of the OS.
  • Fence register: the location of the fence can be changed.

Memory and Address Protection (cont)
• Relocation
  • The process of taking a program written as if it began at address 0 and changing all addresses to reflect the actual address at which the program is located in memory.

[Figure: base/bounds registers. The OS is followed by the program spaces of users A, B and C; a base register marks the start of the current program's space and a bounds register marks its end.]

Memory and Address Protection (cont)
• Base/Bounds Registers
  • Provide the base, or starting, address.
  • All addresses inside a program are offsets from the base address.
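As an added example (not code from the slides), here is a small simulation of the fence register and of base/bounds relocation: user-program addresses are offsets added to the base register and every resulting address is checked against the fence or the bounds register. The address layout is constructed.

```python
# Added example (not from the slides): a simulation of the fence register and
# of base/bounds relocation. The address layout below is constructed.

class MemoryProtectionFault(Exception):
    """Raised when a user-program access would leave its permitted region."""


class FenceRegister:
    """Single-user protection: user code may not touch addresses at or below
    the fence, which is the last address of the resident OS."""

    def __init__(self, fence):
        self.fence = fence

    def check(self, address):
        if address <= self.fence:
            raise MemoryProtectionFault(f"{address} is inside the OS region")
        return address


class BaseBoundsRegisters:
    """Multi-user protection: every address a program uses is an offset that is
    added to the base register, and the result must stay below the bounds."""

    def __init__(self, base, bounds):
        self.base, self.bounds = base, bounds

    def translate(self, offset):
        """Relocate a program-relative offset to a physical address and check it."""
        physical = self.base + offset
        if offset < 0 or physical >= self.bounds:
            raise MemoryProtectionFault(f"offset {offset} leaves [{self.base}, {self.bounds})")
        return physical


def run_demo():
    fence = FenceRegister(fence=1023)                 # constructed: OS occupies 0..1023
    user_a = BaseBoundsRegisters(base=1024, bounds=2048)
    user_b = BaseBoundsRegisters(base=2048, bounds=3072)
    results = {"a_first": user_a.translate(0), "b_first": user_b.translate(0)}
    try:
        user_a.translate(1024)                        # would land in user B's space
    except MemoryProtectionFault:
        results["a_overrun_blocked"] = True
    try:
        fence.check(512)                              # an access into the OS region
    except MemoryProtectionFault:
        results["fence_blocked"] = True
    return results
```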
Memory and Address Protection (cont)
• Tagged Architecture
  • Every word of machine memory has one or more bits that identify the access rights to that word.
  • Access bits are set only by OS instructions.

[Figure: segmentation. A program's MAIN, SUB, SEG_A and DATA_SEG segments are mapped through the OS segment table into separate regions of memory.]

Memory and Address Protection (cont)
• Segmentation
  • Dividing a program into separate pieces.
  • Each piece is a logical unit: there is a relationship among all the code or data values in it.
  • Advantages and benefits?

Memory and Address Protection (cont)
• Paging
  • Alternative to segmentation.
  • The program is divided into equally sized pieces called pages.
  • Fixed size means no fragmentation problem.
  • Refer to figure 4-9, page 195.
Control of Access to General Objects
• Objects to protect:
  • Memory
  • A file or data on an auxiliary storage device
  • A hardware device
  • A table of the OS
  • A data structure such as a stack
  • The protection mechanism itself
  • etc.

Control of Access to General Objects (cont)
• Complementary goals in protecting objects:
  • Check every access – so that revoking a user's privilege takes effect
  • Enforce least privilege – each user gets only the access the task needs
  • Verify acceptable usage – a yes-no decision

Control of Access to General Objects (cont)
• Directory
  • Protect objects by using the file directory mechanism.
  • No user is allowed to write to the file directory, so access to a file cannot be forged.
  • The OS maintains all file directories, under commands from the owners of the files.
  • Rights: read, write and execute.

Control of Access to General Objects (cont)
• Access Control List
  • A list of who should have access to the object and what their access is.
  • Maintained using an access control matrix.
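The following added example (written for these slides, not taken from them) models the directory and access-control-list slides together: an access control matrix kept by the OS, from which each object's ACL is derived; only an object's owner can grant or revoke rights, and every access is checked against the current matrix so that revocation takes effect at once. Subjects and object names are constructed.

```python
# Added example: access control matrix with owner-controlled grant/revoke and
# per-access checking. Subjects ("alice", "bob") and objects are constructed.

READ, WRITE, EXECUTE = "r", "w", "x"


class AccessControlMatrix:
    def __init__(self):
        self.owner = {}      # object -> owning subject
        self.rights = {}     # (subject, object) -> set of rights

    def create(self, owner, obj):
        """A new object: its creator owns it and starts with full rights."""
        self.owner[obj] = owner
        self.rights[(owner, obj)] = {READ, WRITE, EXECUTE}

    def _require_owner(self, by, obj):
        if self.owner.get(obj) != by:
            raise PermissionError(f"{by} does not own {obj}")

    def grant(self, by, subject, obj, right):
        self._require_owner(by, obj)      # only the owner commands the directory
        self.rights.setdefault((subject, obj), set()).add(right)

    def revoke(self, by, subject, obj, right):
        self._require_owner(by, obj)
        self.rights.get((subject, obj), set()).discard(right)

    def acl(self, obj):
        """The object's access control list, derived from the matrix column."""
        return {s: sorted(r) for (s, o), r in self.rights.items() if o == obj and r}

    def check(self, subject, obj, right):
        """Check every access against the current rights, never a cached answer."""
        return right in self.rights.get((subject, obj), set())


def run_demo():
    m = AccessControlMatrix()
    m.create("alice", "payroll.dat")
    m.grant("alice", "bob", "payroll.dat", READ)
    before = m.check("bob", "payroll.dat", READ)          # True
    write_denied = not m.check("bob", "payroll.dat", WRITE)
    try:
        m.grant("bob", "bob", "payroll.dat", WRITE)       # bob is not the owner
        forged = True
    except PermissionError:
        forged = False
    m.revoke("alice", "bob", "payroll.dat", READ)
    after = m.check("bob", "payroll.dat", READ)           # False: revocation is immediate
    return {"before": before, "write_denied": write_denied, "forged": forged,
            "after": after, "acl": m.acl("payroll.dat")}
```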
File Protection Mechanism
• Basic Forms of Protection
  • All-None Protection
    • The file becomes public.
    • Any user can read, modify and delete it.
    • Unacceptable: lack of trust, complexity, etc.
  • Group Protection
    • Identifies groups of users that have a relationship.
    • All users outside the group are treated as unauthorized.
    • Introduces new difficulties: multiple personalities, limited sharing.

File Protection Mechanism (cont)
• Single Permissions
  • Password or Other Token
    • A form of password protection on a file.
    • Access is limited to users who supply the correct password.
    • Suffers difficulties: loss, time consuming, disclosure by another party (an unauthorized user).
  • Temporary Acquired Permission
    • Used by UNIX: set user id (suid).
    • Three-level user-group-world hierarchy.
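As an added example (a model written for this slide, not kernel code), the UNIX user-group-world check selects exactly one rwx triple for the calling process, and a set-user-id program lets the process temporarily acquire the file owner's identity. Users, groups and files are constructed.

```python
# Added example: UNIX mode-bit check (user/group/world) and the temporary
# permission acquired through the set-user-id bit. All uids, gids and files
# are constructed for the demonstration.

from collections import namedtuple

Inode = namedtuple("Inode", "owner group mode setuid")   # mode: 9 bits rwxrwxrwx
Process = namedtuple("Process", "uid gids")

R, W, X = 4, 2, 1


def permitted(proc, inode, want):
    """True if the process may access the inode with every right in `want`.
    Exactly one triple applies: the owner's, else the group's, else the
    world's; a denial in the chosen triple is not rescued by a later one."""
    if proc.uid == inode.owner:
        bits = (inode.mode >> 6) & 7
    elif inode.group in proc.gids:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return bits & want == want


def execute(proc, program):
    """Run `program`: with its setuid bit on, the new process takes the file
    owner's uid (the slide's 'temporary acquired permission')."""
    if not permitted(proc, program, X):
        raise PermissionError("no execute permission")
    euid = program.owner if program.setuid else proc.uid
    return Process(uid=euid, gids=proc.gids)


def run_demo():
    # constructed: root (uid 0) owns the password file (mode 644) and a
    # setuid password-changing program (mode 4755)
    passwd_file = Inode(owner=0, group=0, mode=0o644, setuid=False)
    passwd_prog = Inode(owner=0, group=0, mode=0o755, setuid=True)
    alice = Process(uid=1000, gids={1000, 100})
    direct_write = permitted(alice, passwd_file, W)         # False: world may only read
    as_passwd = execute(alice, passwd_prog)                 # runs with uid 0
    via_setuid = permitted(as_passwd, passwd_file, W)       # True while the program runs
    group_only = Inode(owner=0, group=100, mode=0o640, setuid=False)
    return {"direct_write": direct_write, "effective_uid": as_passwd.uid,
            "via_setuid": via_setuid,
            "group_read": permitted(alice, group_only, R),              # True via gid 100
            "world_read": permitted(Process(2000, {2000}), group_only, R)}  # False
```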
User Authentication
• Authentication mechanisms use any of three qualities to confirm a user's identity:
  • Something the user knows – password, PIN number, mother's name.
  • Something the user has – identity badge, physical key, driver's license.
  • Something the user is – called biometrics.

Passwords suffer from some difficulties of use:
• Loss. Depending on how the passwords are implemented, it is possible that no one will be able to replace a lost or forgotten password. If the user loses the password, a new one must be assigned.
• Use. Supplying a password for each access to a file can be inconvenient and time consuming.
• Disclosure. If a password is disclosed to an unauthorized individual, the file becomes immediately accessible. If the user then changes the password to reprotect the file, all the other legitimate users must be informed of the new password because their old password will fail.
• Revocation. To revoke one user's access right to a file, someone must change the password, thereby causing the same problems as disclosure.

Additional Authentication Information
• Using additional authentication information is called multifactor authentication.
• It requires the true user to be present and to make use of something he/she knows or has.
  • Something you have + something you know
    • E.g. credit card + PIN code
  • Something you know + something you are
    • E.g. password + fingerprint
  • Something you have + something you are
    • E.g. smart card + iris recognition
User Authentication (cont)
• Attacks on passwords:
  • Try all possible passwords.
  • Try many probable passwords.
  • Try passwords likely for the user.
  • Search for the system's list of passwords.
  • Ask the user.

Loose-Lipped Systems
• Some systems help the attacker break in more quickly by revealing, step by step, which part of the login was wrong.
• Better systems give no information until the end of the dialogue.
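As an added example (not from the slides), here is a loose-lipped login beside a tight-lipped one: the first answers differently for an unknown name and for a wrong password, the second always does the full check and reports one identical failure at the end of the dialogue. The user table and hashing parameters are constructed.

```python
# Added example: a loose-lipped login dialogue and its tight-lipped replacement.
# The user table is constructed; PBKDF2 from the standard library is used only
# so that the comparison has something realistic to compare.

import hashlib
import hmac
import os


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# constructed user table: name -> (salt, password hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# dummy credential so that an unknown name costs the same work as a wrong password
_DUMMY = (os.urandom(16), os.urandom(32))


def loose_lipped_login(name, password):
    """Leaks information at each step of the dialogue."""
    if name not in USERS:
        return "unknown user name"      # confirms the name does not exist
    salt, stored = USERS[name]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "wrong password"         # confirms the name does exist
    return "ok"


def tight_lipped_login(name, password):
    """Same work and same answer for every failure, reported only at the end."""
    salt, stored = USERS.get(name, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if name not in USERS:
        ok = False                      # the dummy can never match; be explicit
    return "ok" if ok else "login incorrect"
```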
User Authentication (cont)
• Password selection criteria:
  • Use characters other than just A-Z.
  • Choose a long password.
  • Avoid actual names or words.
  • Choose an unlikely password.
  • Change the password regularly.
  • Don't write it down.
  • Don't tell anyone else.

Biometrics: Authentication Not Using Passwords
• Biometrics are biological authenticators, based on some physical characteristic of the human body.
Problems with Biometrics
• Biometrics are relatively new, and some people find their use intrusive. Hand geometry and face recognition (which can be done from a camera across the room) are scarcely invasive, but people have real concerns about peering into a laser beam or sticking a finger into a slot. (See [SCH06a] for some examples of people resisting biometrics.)
• Biometric recognition devices are costly, although as the devices become more popular, their costs go down. Still, outfitting every user's workstation with a reader can be expensive for a large company with many employees.
• All biometric readers use sampling and establish a threshold for when a match is close enough to accept. The device has to sample the biometric, measure often hundreds of key points, and compare that set of measurements with a template. There is normal variability if, for example, your face is tilted, you press one side of a finger more than another, or your voice is affected by an infection. Variation reduces accuracy.
• Biometrics can become a single point of failure. Consider a retail application in which a biometric recognition is linked to a payment scheme: As one user puts it, "If my credit card fails to register, I can always pull out a second card, but if my fingerprint is not recognized, I have only that one finger." Forgetting a password is a user's fault; failing biometric authentication is not.
• Although equipment is improving, there are still false readings. We label a "false positive" or "false accept" a reading that is accepted when it should be rejected (that is, the authenticator does not match) and a "false negative" or "false reject" one that rejects when it should accept. Often, reducing a false positive rate increases false negatives, and vice versa. The consequences for a false negative are usually less than for a false positive, so an acceptable system may have a false positive rate of 0.001 percent but a false negative rate of 1 percent.
• The speed at which a recognition must be done limits accuracy. We might ideally like to take several readings and merge the results or evaluate the closest fit. But authentication is done to allow a user to do something: Authentication is not the end goal but a gate keeping the user from the goal. The user understandably wants to get past the gate and becomes frustrated and irritated if authentication takes too long.
• Although we like to think of biometrics as unique parts of an individual, forgeries are possible. The most famous example was an artificial fingerprint produced by researchers in Japan [MAT02]. Although difficult and uncommon, forgery will be an issue whenever the reward for a false positive is high enough.