CHAPTER 4 Protection in General-Purpose Operating Systems (c) by Syed Ardi Syed Yahya Kamal, UTM 2004 (presentation transcript)
Objectives
- Identify the protection features provided by the operating system.
- Explain the need for protection and controls in the OS.
- Define memory and address protection in a general OS.
- Explain the file protection mechanisms in an OS.
- Discuss what user authentication is and understand the need for authentication in a general OS.
Protected Objects and Methods of Protection
A bit of history: once upon a time there was no OS. Executives were designed to assist individual programmers and to smooth the transition from one user to the next. Monitors then maintained control over all resources.
Protected Objects
The rise of multiprogramming meant that several aspects required protection:
- Memory
- Sharable I/O devices, such as disks
- Serially reusable I/O devices, such as printers
- Sharable programs
- Network
- Sharable data
Security Methods of OS
The basis of protection is separation: keeping one user's objects separate from those of other users. Separation can occur in several ways:
- Physical separation, in which different processes use different physical objects, such as separate printers for output requiring different levels of security.
- Temporal separation, in which processes having different security requirements are executed at different times.
- Logical separation, in which users operate under the illusion that no other processes exist, as when an operating system constrains a program's accesses so that the program cannot access objects outside its permitted domain.
- Cryptographic separation, in which processes conceal their data and computations in such a way that they are unintelligible to outside processes.
Security Methods of OS (cont)
Levels of protection:
- Do not protect
- Isolate
- Share all or share nothing
- Share via access limitation
- Share by capability
- Limit use of an object
Memory and Address Protection
Fence: introduced in single-user OSs, to prevent a faulty user program from destroying part of the resident portion of the OS. Fence register: the location of the fence can be changed.
Figure: fence. Addresses 0 to n hold the OS; addresses n + 1 up to the highest address hold the user program space.
Memory and Address Protection (cont)
Relocation: the process of taking a program written as if it began at address 0 and changing all its addresses to reflect the actual address at which the program is located in memory.
Memory and Address Protection (cont)
Base/Bounds Registers: provide the base, or starting, address. All addresses inside a program are offsets from the base address.
Figure: base/bounds registers. Memory holds the Operating System followed by the program spaces of User A, User B and User C; a base register and a bounds register mark the space of the current program.
Memory and Address Protection (cont)
Tagged Architecture: every word of machine memory has one or more bits that identify the access rights to that word. The access bits are set only by OS instructions.
Tag   Memory Word
R     0001
RW    0137
X
RW    4091
Memory and Address Protection (cont)
Segmentation: dividing a program into separate pieces. Each piece is a logical unit: a relationship among all of its code or data values. Advantages and benefits?
Figure: segmentation. The program's logical segments (MAIN, SUB, SEG_A, DATA_SEG) are placed by the OS as separate pieces in physical memory.
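As an added illustration of the base/bounds, tagged-architecture and segmentation slides above (example code written for this transcript, not from the original slides or the textbook): a segment table holding a base address, a length limit and R/W/X rights per segment, and the check that hardware performs on every access before relocating the address. The segment names come from the figure; the addresses, sizes, rights and the function translate are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Access rights per segment, in the spirit of the R/W/X tags on the
 * tagged-architecture slide. Everything below is constructed for this example. */
enum { SEG_R = 1, SEG_W = 2, SEG_X = 4 };
struct segment {
    const char *name;   /* segment names taken from the slide's figure */
    uint32_t base;      /* physical start address (the base register's role) */
    uint32_t limit;     /* length in words; a valid offset is < limit (bounds role) */
    unsigned rights;    /* any combination of SEG_R, SEG_W, SEG_X */
};

/* Hypothetical segment table for one process. */
static const struct segment table[] = {
    { "MAIN",     0x1000, 0x0400, SEG_R | SEG_X },
    { "SUB",      0x2000, 0x0100, SEG_R | SEG_X },
    { "SEG_A",    0x3000, 0x0200, SEG_R | SEG_X },
    { "DATA_SEG", 0x4000, 0x0800, SEG_R | SEG_W },
};
#define NSEG (sizeof table / sizeof table[0])
enum fault { SEG_OK = 0, FAULT_NO_SEGMENT, FAULT_BOUNDS, FAULT_RIGHTS };

/* Translate <segment, offset> into a physical address for an access of kind
 * 'want'. Returns SEG_OK and sets *phys, or the fault the hardware would trap
 * to the OS. Checks run in hardware order: existence, bounds, then rights. */
enum fault translate(size_t seg, uint32_t offset, unsigned want, uint32_t *phys)
{
    if (seg >= NSEG)
        return FAULT_NO_SEGMENT;
    const struct segment *s = &table[seg];
    if (offset >= s->limit)             /* bounds check: offset inside the segment */
        return FAULT_BOUNDS;
    if ((s->rights & want) != want)     /* e.g. a write into a code segment */
        return FAULT_RIGHTS;
    *phys = s->base + offset;           /* relocation: add the base */
    return SEG_OK;
}

int main(void)
{
    uint32_t phys = 0;
    enum fault f = translate(0, 0x10, SEG_X, &phys);
    printf("fetch MAIN+0x10: fault %d, phys 0x%x\n", f, phys);
    printf("read DATA_SEG+0x900: fault %d\n", translate(3, 0x900, SEG_R, &phys));
    printf("write MAIN+0x10: fault %d\n", translate(0, 0x10, SEG_W, &phys));
    return 0;
}
```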
Memory and Address Protection (cont)
Paging: an alternative to segmentation. The program is divided into equal-sized pieces called pages. The fixed size means there is no fragmentation problem. Refer to Figure 4-9, page 195.
Control of Access to General Objects
Objects to protect:
- Memory
- A file or data on an auxiliary storage device
- A hardware device
- A table of the OS
- A data structure such as a stack
- The protection mechanism itself
- etc.
Control of Access to General Objects (cont)
Complementary goals in protecting objects:
- Check every access: so that a revoked user privilege takes effect.
- Enforce least privilege: only what each user's task requires.
- Verify acceptable usage: a yes/no decision.
Control of Access to General Objects (cont)
Directory: protects objects by using the file directory mechanism. No user is allowed to write in the file directory, so access to a file cannot be forged. The OS maintains all file directories, under commands from the owners of the files. The rights are read, write and execute.
Control of Access to General Objects (cont)
Access Control List: a list of who should have access to the object and what their access is. An access control matrix is used to maintain it (O = owner, R = read, W = write, - = no access).
          Bibliog   Help.txt   Printer   Sys_Clock
User A    ORW       R          W         R
User S    R         R          W         R
Sys_Mgr   -         RW         O         ORW
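An added example (not from the slides) that encodes the matrix above and shows the two uses the slide describes: deciding a single access against the matrix, and reading an object's access control list off one column. The subject names, object names and rights are the slide's; the functions allowed and acl_for are hypothetical.

```c
#include <stdbool.h>
#include <string.h>

/* Rights as bit flags: O = owner, R = read, W = write (the slide's letters). */
enum { RIGHT_O = 1, RIGHT_R = 2, RIGHT_W = 4 };
#define NSUBJ 3
#define NOBJ  4

static const char *const subjects[NSUBJ] = { "User A", "User S", "Sys_Mgr" };
static const char *const objects[NOBJ]   = { "Bibliog", "Help.txt", "Printer", "Sys_Clock" };

/* The slide's access control matrix: rows are subjects, columns are objects. */
static const unsigned matrix[NSUBJ][NOBJ] = {
    /* Bibliog                  Help.txt          Printer   Sys_Clock */
    { RIGHT_O|RIGHT_R|RIGHT_W,  RIGHT_R,          RIGHT_W,  RIGHT_R },                 /* User A  */
    { RIGHT_R,                  RIGHT_R,          RIGHT_W,  RIGHT_R },                 /* User S  */
    { 0,                        RIGHT_R|RIGHT_W,  RIGHT_O,  RIGHT_O|RIGHT_R|RIGHT_W }, /* Sys_Mgr */
};

static int index_of(const char *name, const char *const *list, int n)
{
    for (int i = 0; i < n; i++)
        if (strcmp(name, list[i]) == 0)
            return i;
    return -1;
}

/* Decide one access. Every call consults the matrix afresh, so a right removed
 * from the matrix is refused on the very next access (check every access).
 * Unknown subjects or objects, and empty requests, are denied by default. */
bool allowed(const char *subject, const char *object, unsigned want)
{
    int s = index_of(subject, subjects, NSUBJ);
    int o = index_of(object, objects, NOBJ);
    if (s < 0 || o < 0 || want == 0)
        return false;
    return (matrix[s][o] & want) == want;   /* all requested rights must be present */
}

/* An object's access control list is one column of the matrix: the subjects
 * that hold at least one right on it. Fills 'out' and returns the count. */
int acl_for(const char *object, const char **out, int max)
{
    int o = index_of(object, objects, NOBJ), n = 0;
    if (o < 0)
        return 0;
    for (int s = 0; s < NSUBJ && n < max; s++)
        if (matrix[s][o] != 0)
            out[n++] = subjects[s];
    return n;
}
```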
File Protection Mechanism
Basic Forms of Protection
- All-None Protection: the file becomes public; any user can read, modify and delete it. Unacceptable because of lack of trust, complexity, etc.
- Group Protection: identifies groups of users who have some relationship. All authorized users are separated into groups. This introduces new difficulties: multiple personalities and limited sharing.
File Protection Mechanism (cont)
Single Permissions
- Password or Other Token: a form of password protection for a file. Access is limited to users who supply the correct password. It suffers from difficulties: loss, time consumption, and disclosure by another party (an unauthorized user).
- Temporary Acquired Permission: used by UNIX as set user id (suid), with a three-level user-group-world hierarchy.
User Authentication
Authentication mechanisms use any of three qualities to confirm a user's identity:
- Something the user knows: a password, PIN number, mother's name.
- Something the user has: identity badges, physical keys, a driver's license.
- Something the user is: called biometrics.
Passwords suffer from some difficulties of use:
- Loss. Depending on how the passwords are implemented, it is possible that no one will be able to replace a lost or forgotten password. If the user loses the password, a new one must be assigned.
- Use. Supplying a password for each access to a file can be inconvenient and time consuming.
- Disclosure. If a password is disclosed to an unauthorized individual, the file becomes immediately accessible. If the user then changes the password to reprotect the file, all the other legitimate users must be informed of the new password because their old password will fail.
- Revocation. To revoke one user's access right to a file, someone must change the password, thereby causing the same problems as disclosure.
Additional Authentication Information
Using additional authentication information is called multifactor authentication. It requires the true user to be present and to make use of something he/she knows or has:
- Something you have + something you know, e.g. credit card + PIN code
- Something you know + something you are, e.g. password + fingerprint
- Something you have + something you are, e.g. smart card + iris recognition
User Authentication (cont)
Attacks on passwords:
- Try all possible passwords.
- Try many probable passwords.
- Try passwords likely for the user.
- Search for the system list of passwords.
- Ask the user.
Loose-Lipped Systems
Some systems help the attacker to break in more quickly by revealing information during the login dialogue. Better systems give no information until the end of the dialogue:
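As an added example (not from the original slides), the two login styles contrasted above: a loose-lipped check that reports which step failed, beside a tight-lipped one that always runs the full dialogue and gives a single reply for every failure. The account names, passwords, reply strings and the PW_MAX bound are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define PW_MAX 64   /* hypothetical upper bound on password length */
struct account { const char *user; const char *password; };

/* Constructed sample accounts; plaintext only to keep the example short, a
 * real system stores salted hashes and compares those. */
static const struct account accounts[] = { { "alice", "correct horse" }, { "bob", "battery staple" } };

static const struct account *find(const char *user)
{
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].user, user) == 0)
            return &accounts[i];
    return NULL;
}

/* Fixed-length compare: the running time does not depend on where the first
 * mismatch is, and a length difference shows up as a mismatch at the NUL. */
static bool ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = 0;
    for (size_t i = 0; i < PW_MAX; i++)
        diff |= (i < la ? (unsigned char)a[i] : 0) ^ (i < lb ? (unsigned char)b[i] : 0);
    return diff == 0;
}

/* Loose-lipped: the reply names the failing step, so the dialogue confirms
 * whether a user name exists before any password is judged. */
const char *login_loose(const char *user, const char *password)
{
    const struct account *a = find(user);
    if (a == NULL)
        return "INVALID USERID";
    return ct_equal(a->password, password) ? "WELCOME" : "INVALID PASSWORD";
}

/* Tight-lipped: always run the password comparison (against a dummy value
 * when the user is unknown) and give one reply for every failure, so nothing
 * is learned until the end of the dialogue. */
const char *login_tight(const char *user, const char *password)
{
    const struct account *a = find(user);
    bool pw_ok = ct_equal(a ? a->password : "-", password);
    return (a && pw_ok) ? "WELCOME" : "INVALID LOGIN";
}
```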
User Authentication (cont)
Password selection criteria:
- Use characters other than just A-Z.
- Choose a long password.
- Avoid actual names or words.
- Choose an unlikely password.
- Change the password regularly.
- Don't write it down.
- Don't tell anyone else.
Biometrics: Authentication Not Using Passwords
Biometrics are biological authenticators, based on some physical characteristic of the human body.
Problems with Biometrics
Biometrics are relatively new, and some people find their use intrusive. Hand geometry and face recognition (which can be done from a camera across the room) are scarcely invasive, but people have real concerns about peering into a laser beam or sticking a finger into a slot. (See [SCH06a] for some examples of people resisting biometrics.)
Biometric recognition devices are costly, although as the devices become more popular, their costs go down. Still, outfitting every user's workstation with a reader can be expensive for a large company with many employees.
All biometric readers use sampling and establish a threshold for when a match is close enough to accept. The device has to sample the biometric, measure often hundreds of key points, and compare that set of measurements with a template. There is normal variability if, for example, your face is tilted, you press one side of a finger more than another, or your voice is affected by an infection. Variation reduces accuracy.
Biometrics can become a single point of failure. Consider a retail application in which a biometric recognition is linked to a payment scheme: As one user puts it, "If my credit card fails to register, I can always pull out a second card, but if my fingerprint is not recognized, I have only that one finger." Forgetting a password is a user's fault; failing biometric authentication is not.
Although equipment is improving, there are still false readings. We label a "false positive" or "false accept" a reading that is accepted when it should be rejected (that is, the authenticator does not match) and a "false negative" or "false reject" one that rejects when it should accept. Often, reducing a false positive rate increases false negatives, and vice versa. The consequences for a false negative are usually less than for a false positive, so an acceptable system may have a false positive rate of percent but a false negative rate of 1 percent.
The speed at which a recognition must be done limits accuracy. We might ideally like to take several readings and merge the results or evaluate the closest fit. But authentication is done to allow a user to do something: Authentication is not the end goal but a gate keeping the user from the goal. The user understandably wants to get past the gate and becomes frustrated and irritated if authentication takes too long.
Although we like to think of biometrics as unique parts of an individual, forgeries are possible. The most famous example was an artificial fingerprint produced by researchers in Japan [MAT02]. Although difficult and uncommon, forgery will be an issue whenever the reward for a false positive is high enough.