CHAPTER 4 Protection in General-Purpose Operating Systems
(c) by Syed Ardi Syed Yahya Kamal, UTM 2004
Objectives

- Identify the protection features provided by the operating system
- Explain the need for protection and controls in the OS
- Define memory and address protection in a general-purpose OS
- Explain the file protection mechanisms of an OS
- Discuss what user authentication is and understand the need for authentication in a general-purpose OS
Protected Objects and Methods of Protection

A bit of history: once upon a time there were no operating systems. Executives were then designed to assist individual programmers and to smooth the transition from one user to another. Monitors maintained control over all resources.
Protected Objects

The rise of multiprogramming meant that several aspects required protection:
- Memory
- Sharable I/O devices, such as disks
- Serially reusable I/O devices, such as printers
- Sharable programs
- Network
- Sharable data
Security Methods of OS

The basis of protection is separation: keeping one user's objects separate from other users'. Separation can occur in several ways:
- Physical separation, in which different processes use different physical objects, such as separate printers for output requiring different levels of security.
- Temporal separation, in which processes having different security requirements are executed at different times.
- Logical separation, in which users operate under the illusion that no other processes exist, as when an operating system constrains a program's accesses so that the program cannot access objects outside its permitted domain.
- Cryptographic separation, in which processes conceal their data and computations in such a way that they are unintelligible to outside processes.
Security Methods of OS (cont)

Levels of protection:
- Do not protect
- Isolate
- Share all or share nothing
- Share via access limitation
- Share by capability
- Limit use of an object
Memory and Address Protection

Fence
- Introduced in single-user OS.
- Prevents a faulty user program from destroying part of the resident portion of the OS.
- Fence register: the location of the fence can be changed.

[Figure: fence register. Addresses 0 to n hold the OS; user program space runs from n + 1 to the highest address.]
Memory and Address Protection (cont)

Relocation
- The process of taking a program written as if it began at address 0 and changing all addresses to reflect the actual address at which the program is located in memory.
Memory and Address Protection (cont)

Base/Bounds Registers
- The base register provides the starting address; all addresses inside a program are offsets from the base address.
- The bounds register marks the upper limit, so an offset that reaches past it is refused.

[Figure: memory holding the Operating System, User A Program Space, User B Program Space and User C Program Space, with a Base Register and a Bounds Register delimiting the current user's space.]
Memory and Address Protection (cont)

Tagged Architecture
- Every word of machine memory has one or more bits that identify the access rights to that word.
- Access bits are set only by OS instructions.

Tag   Memory Word
R     0001
RW    0137
X
RW    4091
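The following is an added example, not code from the slides: a toy memory model that applies the three mechanisms just described together. Each process has a base/bounds register pair (relocation plus a bounds check), and every word carries a tag of access rights (R, W, X) that only code running in "OS mode" may set. The memory layout, the class and function names, and the tag values are all assumptions made for the illustration.

```python
"""Added example (not from the slides): base/bounds relocation plus tagged
memory words. Layout, names and values are constructed for illustration."""

from dataclasses import dataclass


@dataclass
class Process:
    name: str
    base: int    # first physical address the process may touch
    bounds: int  # one past the last physical address it may touch


class ProtectionFault(Exception):
    pass


class TaggedMemory:
    def __init__(self, size: int):
        self.words = [0] * size
        self.tags = [""] * size        # e.g. "R", "RW", "X"; empty = no user access
        self.os_mode = False           # tags may only change in OS mode

    # --- OS-only operations -------------------------------------------
    def set_tag(self, addr: int, tag: str) -> None:
        if not self.os_mode:
            raise ProtectionFault("tags are set only by OS instructions")
        self.tags[addr] = tag

    def load(self, addr: int, word: int, tag: str) -> None:
        """OS places a word in memory together with its access tag."""
        if not self.os_mode:
            raise ProtectionFault("only the OS may load memory")
        self.words[addr] = word
        self.tags[addr] = tag

    # --- user-mode access path ----------------------------------------
    def translate(self, proc: Process, offset: int) -> int:
        """Relocation: program addresses are offsets from the base register;
        the bounds register stops a program reaching outside its space."""
        if offset < 0:
            raise ProtectionFault(f"{proc.name}: negative offset {offset}")
        addr = proc.base + offset
        if addr >= proc.bounds:
            raise ProtectionFault(
                f"{proc.name}: offset {offset} -> {addr} exceeds bounds {proc.bounds}")
        return addr

    def access(self, proc: Process, offset: int, right: str, value=None):
        """Both checks on every access: base/bounds first, then the word's tag."""
        addr = self.translate(proc, offset)
        if right not in self.tags[addr]:
            raise ProtectionFault(
                f"{proc.name}: {right} not permitted on word {addr} (tag {self.tags[addr]!r})")
        if right == "W":
            self.words[addr] = value
        return self.words[addr]


def build_machine():
    """Constructed layout: OS owns 0..99, user A 100..199, user B 200..299."""
    mem = TaggedMemory(300)
    mem.os_mode = True
    for addr in range(0, 100):            # OS region: no user access at all
        mem.load(addr, 0xABCD, "")
    mem.load(100, 0x0001, "R")            # constant: read-only
    mem.load(101, 0x0137, "RW")           # data: read/write
    mem.load(102, 0x4091, "X")            # code: execute only
    mem.load(200, 0x0042, "RW")           # user B's data
    mem.os_mode = False
    a = Process("A", base=100, bounds=200)
    b = Process("B", base=200, bounds=300)
    return mem, a, b


def demo() -> dict:
    """Returns, per attempted access, "ok" or "fault"."""
    mem, a, b = build_machine()
    trials = [
        ("A reads own constant", a, 0, "R", None),
        ("A writes own data", a, 1, "W", 7),
        ("A writes constant", a, 0, "W", 9),          # tag R: must fault
        ("A reads code word", a, 2, "R", None),       # tag X: must fault
        ("A reads into B's space", a, 100, "R", None),  # past bounds: must fault
        ("B reads own data", b, 0, "R", None),
    ]
    results = {}
    for label, proc, off, right, val in trials:
        try:
            mem.access(proc, off, right, val)
            results[label] = "ok"
        except ProtectionFault:
            results[label] = "fault"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:26s} {outcome}")
```

Note that the bounds check alone would not stop process A from overwriting its own read-only constant; that is what the per-word tag adds, and why the slide stresses that tags are set only by OS instructions.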
Memory and Address Protection (cont)

Segmentation
- Dividing a program into separate pieces.
- Each piece is a logical unit: a relationship among all the code or data values it contains.
- Advantages and benefits?

[Figure: a program's segments (MAIN, SUB, SEG_A, DATA_SEG) and their placement among the OS-managed segments in memory.]
Memory and Address Protection (cont)

Paging
- An alternative to segmentation.
- The program is divided into equal-sized pieces called pages.
- Fixed size means no fragmentation problem.
- Refer to Figure 4-9, page 195.
Control of Access to General Objects

Objects to protect:
- Memory
- A file or data on an auxiliary storage device
- A hardware device
- A table of the OS
- A data structure, such as a stack
- The protection mechanism itself
- etc.
Control of Access to General Objects (cont)

Complementary goals in protecting objects:
- Check every access: a user's privilege may be revoked, so an access granted earlier must not be assumed to still hold.
- Enforce least privilege: each user gets only the access needed for the task at hand.
- Verify acceptable usage: each access is a yes/no decision.
Control of Access to General Objects (cont)

Directory
- Protects objects by means of the file directory mechanism.
- No user is allowed to write directly to the file directory, since that would let a user forge access to a file.
- The OS maintains all file directories, under commands from the owners of files.
- Access rights recorded: read, write and execute.
Control of Access to General Objects (cont)

Access Control List
- A list of who should have access to the object and what their access is.
- An access control matrix is used to maintain it (O = owner, R = read, W = write, - = no access):

             Bibliog.c   Help.txt   Printer   Sys_Clock
User A       ORW         R          W         R
User S       R           R          W         R
Sys_Mgr      -           RW         O         ORW
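As an added example (not code from the slides), the matrix above encoded as data, with the yes/no decision function that the "check every access" and "verify acceptable usage" goals call for, and the two views that can be derived from the same matrix: an access control list (one column, kept with the object) and a capability list (one row, held for the subject). Function names are invented here; the rights come from the slide's table.

```python
"""Added example (not from the slides): the slide's access control matrix,
a per-access decision, and the ACL and capability views derived from it."""

# Constructed from the slide's table; rows are subjects, columns are objects.
MATRIX = {
    "User A":  {"Bibliog.c": "ORW", "Help.txt": "R",  "Printer": "W", "Sys_Clock": "R"},
    "User S":  {"Bibliog.c": "R",   "Help.txt": "R",  "Printer": "W", "Sys_Clock": "R"},
    "Sys_Mgr": {"Bibliog.c": "-",   "Help.txt": "RW", "Printer": "O", "Sys_Clock": "ORW"},
}


def permitted(subject: str, obj: str, right: str) -> bool:
    """Yes/no decision for one access. Unknown subjects or objects are denied,
    and a "-" entry denies everything; this check is made on every access."""
    rights = MATRIX.get(subject, {}).get(obj, "-")
    return rights != "-" and right in rights


def acl(obj: str) -> dict:
    """Access control list: the object's column of the matrix."""
    return {subj: row[obj] for subj, row in MATRIX.items() if row.get(obj, "-") != "-"}


def capabilities(subject: str) -> dict:
    """Capability list: the subject's row of the matrix."""
    return {obj: r for obj, r in MATRIX.get(subject, {}).items() if r != "-"}


def revoke(subject: str, obj: str) -> None:
    """Revocation is one matrix update; because every access is re-checked
    against the matrix, it takes effect on the very next access."""
    if subject in MATRIX and obj in MATRIX[subject]:
        MATRIX[subject][obj] = "-"


if __name__ == "__main__":
    print("User S may write Printer:", permitted("User S", "Printer", "W"))
    print("Sys_Mgr may read Bibliog.c:", permitted("Sys_Mgr", "Bibliog.c", "R"))
    print("ACL for Help.txt:", acl("Help.txt"))
    print("Capabilities of User A:", capabilities("User A"))
    revoke("User S", "Printer")
    print("after revoke, User S may write Printer:", permitted("User S", "Printer", "W"))
```

The default of "-" for anything not in the matrix is the point to notice: a subject or object the table has never heard of gets no access rather than some accidental default.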
File Protection Mechanism

Basic Forms of Protection

All-None Protection
- The file becomes public: any user can read, modify and delete it.
- Unacceptable, because of the lack of trust it requires, the complexity it creates, etc.

Group Protection
- Identifies groups of users that have some relationship.
- Users outside the group are the unauthorized ones.
- Introduces new difficulties: multiple personalities (a user who belongs in several groups) and limited sharing.
File Protection Mechanism (cont)

Single Permissions

Password or Other Token
- A form of password protection applied to a file.
- Access is limited to the users who supply the correct password.
- Suffers from difficulties: loss, time consumed, and disclosure by another party (an unauthorized user).

Temporary Acquired Permission
- Used by UNIX: set user id (suid).
- Three-level user-group-world hierarchy.
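The following is an added example, not code from the slides, of the two UNIX mechanisms named above: the three-level user-group-world check, and the set-user-id bit as temporarily acquired permission. The file system state is constructed in memory (no real files are touched) and the function names such as `run_setuid` are invented for the illustration; the permission-bit layout is that of the real stat(2) mode word.

```python
"""Added example (not from the slides): UNIX user-group-world permission
check plus set-user-id. File system state is constructed inline."""

import stat
from dataclasses import dataclass, field


@dataclass
class File:
    owner: int
    group: int
    mode: int          # permission bits as in stat(2), e.g. 0o4755
    content: str = ""


@dataclass
class Subject:
    uid: int
    gids: set = field(default_factory=set)


R, W, X = 4, 2, 1      # classic rwx bit values


def effective_rights(f: File, s: Subject) -> int:
    """Pick exactly one class: owner, else group, else world. UNIX does not
    fall through to the next class when the closer one denies access."""
    if s.uid == 0:                      # root bypasses discretionary checks
        return R | W | X
    if s.uid == f.owner:
        return (f.mode >> 6) & 0o7
    if f.group in s.gids:
        return (f.mode >> 3) & 0o7
    return f.mode & 0o7


def allowed(f: File, s: Subject, right: int) -> bool:
    return effective_rights(f, s) & right == right


def run_setuid(program: File, caller: Subject) -> Subject:
    """Temporary acquired permission: if the program carries the set-user-id
    bit and the caller may execute it, the process runs with the owner's uid
    for the duration of that program only."""
    if not allowed(program, caller, X):
        raise PermissionError("caller may not execute program")
    if program.mode & stat.S_ISUID:
        return Subject(uid=program.owner, gids=caller.gids)
    return caller


# Constructed files: a password file owned by root (readable by all, writable
# only by root), a suid "passwd" program, and a file shared through a group.
PASSWD_FILE = File(owner=0, group=0, mode=0o644, content="alice:x:1000")
PASSWD_PROG = File(owner=0, group=0, mode=0o4755)
GROUP_FILE = File(owner=1001, group=1000, mode=0o640)
ALICE = Subject(uid=1000, gids={1000})


def alice_can_write_passwd_directly() -> bool:
    return allowed(PASSWD_FILE, ALICE, W)


def alice_can_write_passwd_via_suid() -> bool:
    """The suid program runs as root, so the write succeeds inside it."""
    as_root = run_setuid(PASSWD_PROG, ALICE)
    return allowed(PASSWD_FILE, as_root, W)


def alice_can_read_group_file() -> bool:
    """Group protection: alice is not the owner but is in group 1000."""
    return allowed(GROUP_FILE, ALICE, R)


if __name__ == "__main__":
    print("direct write to passwd file:", alice_can_write_passwd_directly())
    print("write via suid program:     ", alice_can_write_passwd_via_suid())
    print("read group file:            ", alice_can_read_group_file())
```

One caveat the check makes visible: because only one class is consulted, a file with mode 0o060 is unreadable by its own owner even though members of its group can read it. That is the "multiple personalities" and "limited sharing" difficulty of group protection showing up in the mechanism itself.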
User Authentication

Authentication mechanisms use any of three qualities to confirm a user's identity:
- Something the user knows: a password, a PIN number, mother's name.
- Something the user has: an identity badge, a physical key, a driver's license.
- Something the user is: called biometrics.
Passwords suffer from some difficulties of use:
- Loss. Depending on how the passwords are implemented, it is possible that no one will be able to replace a lost or forgotten password. If the user loses the password, a new one must be assigned.
- Use. Supplying a password for each access to a file can be inconvenient and time consuming.
- Disclosure. If a password is disclosed to an unauthorized individual, the file becomes immediately accessible. If the user then changes the password to reprotect the file, all the other legitimate users must be informed of the new password because their old password will fail.
- Revocation. To revoke one user's access right to a file, someone must change the password, thereby causing the same problems as disclosure.
Additional Authentication Information

- Using additional authentication information is called multifactor authentication.
- It requires the true user to be present and to make use of something he/she knows or has.
- Something you have + something you know, e.g. credit card + PIN code.
- Something you know + something you are, e.g. password + fingerprint.
- Something you have + something you are, e.g. smart card + iris recognition.
User Authentication (cont)

Attacks on passwords:
- Try all possible passwords.
- Try many probable passwords.
- Try passwords likely for the user.
- Search for the system list of passwords.
- Ask the user.
Loose-Lipped Systems

- Some systems help the attacker to break in more quickly.
- Better systems give no information until the end of the dialogue:
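The following is an added example, not code from the slides, contrasting the two kinds of login dialogue. `loose_login` replies at each step with which part failed, as a loose-lipped system does; `tight_login` does the same work but gives one reply only at the end, whether the user name or the password was wrong. The account table is constructed, hashing uses PBKDF2 from the standard library, and the function names are invented here.

```python
"""Added example (not from the slides): a loose-lipped login dialogue beside
one that reveals nothing until the end. Accounts are constructed inline."""

import hashlib
import hmac
import os

ITERATIONS = 100_000


def make_record(password: str) -> dict:
    """Salted PBKDF2 record, the way a password file should store a secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


# Constructed account table; in a real system this is the system password file.
ACCOUNTS = {"alice": make_record("correct horse battery staple")}

# Used when the user name does not exist, so the dialogue costs the same.
_DUMMY = make_record("placeholder-not-a-real-password")


def _verify(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])   # constant-time compare


def loose_login(user: str, password: str) -> str:
    """Loose-lipped: the reply says whether the user name exists before the
    password is even examined, and it skips the slow hash for unknown names."""
    if user not in ACCOUNTS:
        return "no such user"
    if not _verify(ACCOUNTS[user], password):
        return "wrong password"
    return "welcome"


def tight_login(user: str, password: str) -> str:
    """Gives no information until the end: the same reply, and the same amount
    of work, whether the user name or the password was wrong."""
    record = ACCOUNTS.get(user, _DUMMY)
    ok = _verify(record, password)
    if ok and user in ACCOUNTS:
        return "welcome"
    return "login incorrect"


def distinct_failure_replies(login) -> int:
    """How many different failure messages a login function hands out."""
    replies = {login("nobody", "x"), login("alice", "x")}
    return len(replies)


if __name__ == "__main__":
    print("loose-lipped failure replies:", distinct_failure_replies(loose_login))
    print("tight-lipped failure replies:", distinct_failure_replies(tight_login))
```

Note the second leak in `loose_login`: an unknown name returns without running the hash, so the timing alone tells the caller which names exist. `tight_login` closes that by always hashing against some record, hence the dummy.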
User Authentication (cont)

Password selection criteria:
- Use characters other than just A-Z.
- Choose a long password.
- Avoid actual names or words.
- Choose an unlikely password.
- Change the password regularly.
- Don't write it down.
- Don't tell anyone else.
Biometrics: Authentication Not Using Passwords

Biometrics are biological authenticators, based on some physical characteristic of the human body.
Problems with Biometrics

Biometrics are relatively new, and some people find their use intrusive. Hand geometry and face recognition (which can be done from a camera across the room) are scarcely invasive, but people have real concerns about peering into a laser beam or sticking a finger into a slot. (See [SCH06a] for some examples of people resisting biometrics.)

Biometric recognition devices are costly, although as the devices become more popular, their costs go down. Still, outfitting every user's workstation with a reader can be expensive for a large company with many employees.

All biometric readers use sampling and establish a threshold for when a match is close enough to accept. The device has to sample the biometric, measure often hundreds of key points, and compare that set of measurements with a template. There is normal variability if, for example, your face is tilted, you press one side of a finger more than another, or your voice is affected by an infection. Variation reduces accuracy.

Biometrics can become a single point of failure. Consider a retail application in which a biometric recognition is linked to a payment scheme: As one user puts it, "If my credit card fails to register, I can always pull out a second card, but if my fingerprint is not recognized, I have only that one finger." Forgetting a password is a user's fault; failing biometric authentication is not.

Although equipment is improving, there are still false readings. We label a "false positive" or "false accept" a reading that is accepted when it should be rejected (that is, the authenticator does not match) and a "false negative" or "false reject" one that rejects when it should accept. Often, reducing a false positive rate increases false negatives, and vice versa. The consequences for a false negative are usually less than for a false positive, so an acceptable system may have a false positive rate of 0.001 percent but a false negative rate of 1 percent.

The speed at which a recognition must be done limits accuracy. We might ideally like to take several readings and merge the results or evaluate the closest fit. But authentication is done to allow a user to do something: Authentication is not the end goal but a gate keeping the user from the goal. The user understandably wants to get past the gate and becomes frustrated and irritated if authentication takes too long.

Although we like to think of biometrics as unique parts of an individual, forgeries are possible. The most famous example was an artificial fingerprint produced by researchers in Japan [MAT02]. Although difficult and uncommon, forgery will be an issue whenever the reward for a false positive is high enough.
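As an added example (not code from the slides), the threshold trade-off described above worked through on constructed data: a set of match scores from genuine users and from impostors, and the false accept and false reject rates that result from each choice of acceptance threshold. The scores, the score scale and the function names are all assumptions made for the illustration; a real reader derives its score from hundreds of measured points.

```python
"""Added example (not from the slides): how the acceptance threshold trades
false accepts (false positives) against false rejects (false negatives).
Scores are constructed; higher means closer to the stored template."""

# Constructed similarity scores in [0, 100]. Genuine users vary (tilted face,
# uneven finger pressure, a cold); impostors occasionally score fairly high.
GENUINE = [92, 88, 95, 81, 77, 90, 86, 69, 93, 84, 79, 91, 73, 89, 96, 64, 87, 90, 82, 94]
IMPOSTOR = [12, 25, 31, 8, 44, 19, 27, 52, 15, 38, 61, 22, 9, 35, 48, 17, 29, 41, 66, 24]


def false_accept_rate(threshold: int, impostor=IMPOSTOR) -> float:
    """Fraction of impostor attempts accepted (score >= threshold)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def false_reject_rate(threshold: int, genuine=GENUINE) -> float:
    """Fraction of genuine attempts rejected (score < threshold)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def tradeoff(thresholds=range(40, 100, 10)) -> dict:
    """Both rates at each candidate threshold: one goes down as the other goes up."""
    return {t: (false_accept_rate(t), false_reject_rate(t)) for t in thresholds}


def lowest_threshold_with_far_at_most(max_far: float) -> int:
    """The loosest threshold that keeps false accepts within a budget; the
    price paid is the false-reject rate at that point. 101 means none does."""
    for t in range(0, 101):
        if false_accept_rate(t) <= max_far:
            return t
    return 101


if __name__ == "__main__":
    for t, (far, frr) in tradeoff().items():
        print(f"threshold {t:3d}: false accept {far:5.2f}   false reject {frr:5.2f}")
    t = lowest_threshold_with_far_at_most(0.0)
    print(f"no false accepts from threshold {t}; false rejects there: {false_reject_rate(t):.2f}")
```

With these samples no threshold reaches zero on both rates at once, which is the situation the text describes: the operator picks the point on the curve whose false-accept cost is tolerable and lives with the false rejects that come with it.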