Presentation is loading. Please wait.

Presentation is loading. Please wait.

SE571 Security in Computing

Published byEaster Atkins Modified over 8 years ago

Similar presentations

Presentation on theme: "SE571 Security in Computing"— Presentation transcript:

1 SE571 Security in Computing
Chap4: Protection in General-Purpose Operating Systems

2 Objectives Protection features provided by general-purpose operating systems: protecting memory, files, and the execution environment Controlled access to objects User authentication SE571 Security in Computing Dr. Ogara

3 Operating System Functions
access control identity and credential management information flow audit and integrity protection Each of these activities has security implications SE571 Security in Computing Dr. Ogara

4 Memory Protection Protection can be built into the hardware mechanisms that control efficient use of memory SE571 Security in Computing Dr. Ogara

5 Memory Protection Types of memory protection Fences Relocation
Base/bound registers Tagged architecture Segmentation Paging Combined paging with segmentation SE571 Security in Computing Dr. Ogara

6 Types of Memory Protection
Fence Used to confine users to one side of a boundary Simplest form of memory protection was introduced in single-user operating systems Provide a lower bound (a starting address) but not an upper one Fences may be fixed or variable SE571 Security in Computing Dr. Ogara

7 Types of Memory Protection
Problem very restrictive because a predefined amount of space was always reserved for the operating system, whether it was needed or not. If less than the predefined space was required, the excess space was wasted. Conversely, if the operating system needed more space, it could not grow beyond the fence boundary. SE571 Security in Computing Dr. Ogara

8 Types of Memory Protection
Fixed Fence Used to confine users to one side of a boundary simplest form of memory protection was introduced in single-user operating systems SE571 Security in Computing Dr. Ogara

9 Types of Memory Protection
Variable Fence Uses fence register containing the address of the end of the operating system. location of the fence can be changed A fence register protects only in one direction. In other words, an operating system can be protected from a single user, but the fence cannot protect one user from another user SE571 Security in Computing Dr. Ogara

10 Figure 4-1  Fixed Fence. SE571 Security in Computing Dr. Ogara

11 Figure 4-2 Variable Fence Register.
SE571 Security in Computing Dr. Ogara

12 Types of Memory Protection
Relocation process of taking a program written as if it began at address 0 and changing all addresses to reflect the actual address at which the program is located in memory SE571 Security in Computing Dr. Ogara

13 Types of Memory Protection
Base/Bounds Registers /Second Registers Upper address limit, in the same way that a base or fence register is a lower address limit Provides an upper bound that can be useful in knowing how much space is allotted and in checking for overflows into “forbidden” areas Protects outside users from errors in any other user’s program SE571 Security in Computing Dr. Ogara

14 Figure 4-3 Pair of Base/Bounds Registers.
SE571 Security in Computing Dr. Ogara

15 Types of Memory Protection
Tagged Architecture every word of machine memory has one or more extra bits to identify the access rights to that word SE571 Security in Computing Dr. Ogara

16 Figure 4-5 Example of Tagged Architecture.
SE571 Security in Computing Dr. Ogara

17 Types of Memory Protection
Segmentation Involves the simple notion of dividing a program into separate pieces. Each piece has a logical unity, exhibiting a relationship among all of its code or data values Allows a program to be divided into many pieces having different access rights Each segment has a unique name SE571 Security in Computing Dr. Ogara

18 Types of Memory Protection
Segmentation Security benefits Segmentation offers these security benefits: Each address reference is checked for protection. Many different classes of data items can be assigned different levels of protection. Two or more users can share access to a segment, with potentially different access rights. A user cannot generate an address or access to an unpermitted segment. SE571 Security in Computing Dr. Ogara

19 Types of Memory Protection
Paging program is divided into equal-sized pieces called pages, and memory is divided into equal- sized units called page frames all pages in the paging approach are of the same fixed size, so fragmentation is not a problem Each page can fit in any available page in memory, and thus there is no problem of addressing beyond the end of a page SE571 Security in Computing Dr. Ogara

20 Types of Memory Protection
Combined Paging with Segmentation Combines two approaches Paging offers implementation efficiency, while segmentation offers logical protection characteristics SE571 Security in Computing Dr. Ogara

21 Control of Access to General Objects
Objects which need protection memory a file or data set on an auxiliary storage device an executing program in memory a directory of files a hardware device a data structure, such as a stack SE571 Security in Computing Dr. Ogara

22 Control of Access to General Objects
Objects which need protection a table of the operating system instructions, especially privileged instructions passwords and the user authentication mechanism the protection mechanism itself SE571 Security in Computing Dr. Ogara

23 Control of Access to General Objects
Directory Works like file directory Listing of objects accessible by a single subject Each user has a file directory, which lists all the files to which that user has access. Every file has a unique owner who possesses “control” access rights Rights to files: read, write, and execute SE571 Security in Computing Dr. Ogara

24 Figure 4-10 Directory Access.
SE571 Security in Computing Dr. Ogara

25 Control of Access to General Objects
Access Control List A table identifying subjects that can access a single object Each object and the list shows all subjects who should have access to the object and what their access is Each object has one access control list Directory is created for each object SE571 Security in Computing Dr. Ogara

26 Figure 4-12 Access Control List.
SE571 Security in Computing Dr. Ogara

27 Control of Access to General Objects
Access Control Matrix A table in which each row represents a subject, each column represents an object, and each entry is the set of access rights for that subject to that object Most subjects do not have access rights to most objects Implementation is rarely used SE571 Security in Computing Dr. Ogara

28 Control of Access to General Objects
Capability Is an unforgeable token that gives the possessor certain rights to an object Is a ticket that gives permission to a subject to have a certain type of access to an object For the capability to offer solid protection, the ticket must be unforgeable SE571 Security in Computing Dr. Ogara

29 Control of Access to General Objects
Kerberos Kerberos implements both authentication and access authorization by means of capabilities, called tickets, secured with symmetric cryptography Requires two systems, called the authentication server (AS) and the ticket-granting server (TGS), which are both part of the key distribution center (KDC) SE571 Security in Computing Dr. Ogara

30 Control of Access to General Objects
Kerberos A user presents an authenticating credential (a password) to the authentication server and receives a ticket (encrypted) showing that the user has passed authentication Uses shared encryption keys Implements single sign-on user signs on once and after that user’s actions are authorized without the user signing on again. SE571 Security in Computing Dr. Ogara

31 Control of Access to General Objects
Procedure-Oriented Access Control Procedure that controls access to objects Procedure forms a capsule around the object, permitting only certain specified accesses Implements the principle of information hiding because implementing an object are known only to the object’s control procedure SE571 Security in Computing Dr. Ogara

32 Control of Access to General Objects
Role-Based Access Control Allows us to associate privileges with groups, for example, administrators vs. regular users (lower privilege) SE571 Security in Computing Dr. Ogara

33 File Protection Mechanisms
Forms of Protection All-none protection User can read, modify, or delete a file belonging to any other user/OS files SE571 Security in Computing Dr. Ogara

34 File Protection Mechanisms
Forms of Protection Group protection Identify group of users, for example, Windows Administrators Power users Users Guests A user is recognized by two identifiers (usually numbers): a user ID and a group ID SE571 Security in Computing Dr. Ogara

35 File Protection Mechanisms
Individual Permissions Persistent permissions Temporary acquired permissions Per-object and per-user protection SE571 Security in Computing Dr. Ogara

36 User Authentication Authentications in organizations and systems
Documents Voice recognition Fingerprint Retina matching SE571 Security in Computing Dr. Ogara

37 User Authentication Authentications uses any of three qualities to confirm a user’s identity Something the user knows - Passwords, PIN numbers, passphrases, a secret handshake, and mother’s maiden name are examples of what a user may know. Something the user has- Identity badges, physical keys, a driver’s license, or a uniform are common examples of things people have that make them recognizable. Something the user is(biometrics) - are based on a physical characteristic of the user, such as a fingerprint, the pattern of a person’s voice, or a face (picture). SE571 Security in Computing Dr. Ogara

Download ppt "SE571 Security in Computing"

Similar presentations

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
CS426Fall 2010/Lecture 71 Computer Security CS 426 Lecture 7 Operating System Security Basics.

CS426Fall 2010/Lecture 71 Computer Security CS 426 Lecture 7 Operating System Security Basics.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Access Control Methodologies

Access Control Methodologies
Chapter 6 User Protections in OS. csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access.

Chapter 6 User Protections in OS. csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access.
CSC 405 Introduction to Computer Security

CSC 405 Introduction to Computer Security
Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-20111 Module 6 Module 6 Security in Operating Systems  MModified by :Ahmad Al Ghoul  PPhiladelphia.

Network Security Philadelphia UniversitylAhmad Al-Ghoul Module 6 Module 6 Security in Operating Systems  MModified by :Ahmad Al Ghoul  PPhiladelphia.
Protection and Security. Policy & Mechanism Protection mechanisms are tools used to implement security policies –Authentication –Authorization –Cryptography.

Protection and Security. Policy & Mechanism Protection mechanisms are tools used to implement security policies –Authentication –Authorization –Cryptography.
Memory Management Design & Implementation Segmentation Chapter 4.

Memory Management Design & Implementation Segmentation Chapter 4.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
19: Protection1 PROTECTION Protection is the mechanism for controlling access to computer resources. Security concerns the physical integrity of the system.

19: Protection1 PROTECTION Protection is the mechanism for controlling access to computer resources. Security concerns the physical integrity of the system.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.

CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.

CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.

Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.
1 Chapter 8 Virtual Memory Virtual memory is a storage allocation scheme in which secondary memory can be addressed as though it were part of main memory.

1 Chapter 8 Virtual Memory Virtual memory is a storage allocation scheme in which secondary memory can be addressed as though it were part of main memory.
CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.

CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.
95-752:7-1 Operating System Features. 95-752:7-2 Operating System Features Memory protection Temporary file issues Dead space issues Sandboxing Object.

95-752:7-1 Operating System Features :7-2 Operating System Features Memory protection Temporary file issues Dead space issues Sandboxing Object.

Similar presentations

Ads by Google