Chapter 4 – Protection in General Purpose Operating Systems  Protection features provided by general-purpose operating systems— protecting memory, files,


1 Chapter 4 – Protection in General Purpose Operating Systems
- Protection features provided by general-purpose operating systems: protecting memory, files, and the execution environment
- Controlled access to objects
- User authentication

2 Protected Objects and Methods of Protection
- The first operating systems were simple utilities (executives)
- Multiprogramming operating systems required monitors, which oversaw each program's execution
- Protected objects
  - Memory
  - Sharable I/O devices (disks)
  - Serially reusable devices (printers)
  - Shareable programs & subprocedures
  - Networks
  - Shareable data

3 Security Methods of Operating Systems
- Physical Separation (different processes use different objects)
- Temporal Separation (processes executed at different times)
- Logical Separation (process appears to be alone)
- Cryptographic Separation (processes conceal data and computations)

4 Security Methods of Operating Systems
- Want to be able to share resources without compromising security
  - Do not protect
  - Isolate different processes
  - Share all or nothing
  - Share via access limitation (granularity)
  - Share by capabilities
  - Limit use of an object

5 Memory & Address Protection
- Fence – confines user to one side of boundary
  - Use predefined memory addresses
  - Can protect OS, but not one user from another
- Relocation – changes all addresses of program using offset
- Base/Bounds Registers
  - Uses variable fence register (base register) to provide lower bound
  - Uses bounds register for upper address

6 Memory & Address Protection
- Tagged Architecture
  - Every word of machine memory has extra bits to indicate access rights (expensive)
- Segmentation (program divided into pieces)
  - Each segment has name & offset
    - Each address reference is checked for protection
    - Different classes of data can be assigned different levels of protection
    - Users can share access to segments
    - User cannot access an unpermitted segment
- Paging (program uses equal sized "pages"; memory divided into equal sized page frames)
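
The checks from slides 5 and 6, written out as an added example (not part of the original slides): a base/bounds relocation and a per-process segment table consulted on every reference. The segment names, addresses and the "rwx" rights encoding are constructed for illustration.

```python
from dataclasses import dataclass

class ProtectionFault(Exception):
    """Raised when a reference falls outside what the process is permitted."""

@dataclass(frozen=True)
class Segment:
    base: int      # physical start address (the relocation offset)
    length: int    # segment size; valid offsets are 0 .. length - 1
    rights: str    # subset of "rwx" granted to this process (assumed encoding)

def base_bounds_translate(addr: int, base: int, bounds: int) -> int:
    """Relocate a program address by `base`; reject anything at or past `bounds`."""
    physical = base + addr
    if addr < 0 or physical >= bounds:
        raise ProtectionFault(f"address {addr:#x} outside [{base:#x}, {bounds:#x})")
    return physical

def segment_translate(table: dict, name: str, offset: int, access: str) -> int:
    """Check one <segment name, offset> reference against a process's table."""
    seg = table.get(name)
    if seg is None:                        # unpermitted segment: absent from table
        raise ProtectionFault(f"no segment {name!r} for this process")
    if len(access) != 1 or access not in seg.rights:   # per-segment protection
        raise ProtectionFault(f"{access!r} not allowed on {name!r}")
    if not 0 <= offset < seg.length:       # offset must stay inside the segment
        raise ProtectionFault(f"offset {offset:#x} exceeds {name!r}")
    return seg.base + offset

# Constructed sample: two processes share the same physical "libc" segment,
# but only process A has a "data" segment.
PROC_A = {"code": Segment(0x1000, 0x200, "rx"),
          "data": Segment(0x4000, 0x100, "rw"),
          "libc": Segment(0x9000, 0x800, "rx")}
PROC_B = {"code": Segment(0x2000, 0x300, "rx"),
          "libc": Segment(0x9000, 0x800, "rx")}

def faults(fn, *args) -> bool:
    """Return True if the reference is rejected with a ProtectionFault."""
    try:
        fn(*args)
        return False
    except ProtectionFault:
        return True
```

Base/bounds alone gives each program one contiguous, all-or-nothing region; the segment table is what allows different rights per piece and sharing of a single piece between users.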

7 Control of Access to General Objects
- Memory
- File/data set
- Program in memory
- Directory of files
- Hardware device
- Data structure (stack)
- Operating system table
- Instructions (privileged)
- Passwords / user authentication mechanism
- Protection mechanism

8 Goals in protecting objects
- Check every access
- Enforce least privilege
- Verify acceptable usage

9 Directory mechanism
- Each user (subject) has a file directory, which lists all files accessible by user
- List can become too large if many shared objects
- Cannot revoke rights of everyone to an object
- File names for different owners may be different

10 Access Control List
- One list for each object with list showing all subjects & their access rights
- Can use wildcards to limit size of ACL
- Access Control Matrix
  - Rows for subjects
  - Columns for objects
  - Sparse matrix of triples
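
An added example (not from the original slides) relating slides 9 and 10: per-object ACLs with wildcard entries, expanded into a sparse access control matrix whose rows and columns can then be read back. The triples are taken here as (subject, object, rights); the file names, users, groups and first-match rule are assumptions made for the illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample data. Each ACL entry is (user pattern, group pattern, rights).
# "*" is a wildcard and the first matching entry decides, so specific entries
# (including explicit denials with empty rights) must come before general ones.
ACL = {
    "payroll.db": [("alice", "hr", "rw"), ("mallory", "*", ""), ("*", "hr", "r")],
    "readme.txt": [("*", "*", "r")],
}
SUBJECTS = [("alice", "hr"), ("bob", "hr"), ("mallory", "hr"), ("carol", "eng")]

def acl_rights(obj: str, user: str, group: str) -> str:
    """Rights `user` (in `group`) holds on `obj`; "" means no access."""
    for user_pat, group_pat, rights in ACL.get(obj, []):
        if fnmatchcase(user, user_pat) and fnmatchcase(group, group_pat):
            return rights
    return ""          # default deny: no matching entry, no access

def to_triples(subjects):
    """Expand the ACLs into (subject, object, rights) triples, omitting empty cells."""
    return sorted((u, o, r) for o in ACL for u, g in subjects
                  if (r := acl_rights(o, u, g)))

def row(triples, subject):
    """One matrix row: everything a subject can reach (a directory-style list)."""
    return {o: r for s, o, r in triples if s == subject}

def column(triples, obj):
    """One matrix column: the object's ACL with the wildcards expanded."""
    return {s: r for s, o, r in triples if o == obj}

if __name__ == "__main__":
    triples = to_triples(SUBJECTS)
    print(len(triples), "non-empty cells out of", len(SUBJECTS) * len(ACL))
    print("mallory's row:", row(triples, "mallory"))
    print("payroll.db column:", column(triples, "payroll.db"))
```

Removing an object's ACL entries revokes access for every subject in one place, which is the operation the per-user directory mechanism on slide 9 cannot do.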

11 Capability
- Unforgeable token that gives possessor rights to an object
- Predecessor of Kerberos
- Can propagate capabilities to other subjects
- Capabilities must be stored in inaccessible memory

12 Procedure-Oriented Access Control
- Procedure that controls access to objects including what subjects can do to objects

13 File Protection Mechanisms
- All-None Protection
  - Lack of trust
  - All or nothing
  - Timesharing issues
  - Complexity
  - File listings

14 File Protection Mechanisms
- Group Protection
  - User cannot belong to two groups
  - Forces one person to be multiple users
  - Forces user to be put into all groups
  - Files can only be shared within groups

15 File Protection Mechanisms
- Single Permissions
  - Password/Token for each file
    - Can be lost
    - Inconvenient
    - Must be protected (if changed, must notify all users)
  - Temporary Acquired Permission
    - UNIX's set userid (suid)

16 User Authentication
- Something the user knows (password, PIN, passphrase, mother's maiden name)
- Something the user has (ID, key, driver's license, uniform)
- Something the user is (biometrics)

17 Use of Passwords
- Mutually agreed-upon code words, assumed known only to user and system
- First line of defense
- Loose-Lipped Systems
  - WELCOME TO XYZ COMPUTING
  - ENTER USER ID: summers
  - INVALID USER NAME
  - ENTER USER ID:

18 Attack on Passwords
- Ask the user
- Search for the system list of passwords
  - Find a valid user ID
  - Create a list of possible passwords (encrypt if needed)
  - Rank the passwords from high to low probability
  - Try each password
  - If attempt fails, try again (don't exceed password lockout)

19 Attack on Passwords
- Exhaustive Attack (brute-force)
  - 18,278 passwords of 3 letters or less
  - 1 password / millisecond would take 18 seconds (8 minutes for 4 letters, 3.5 hours for 5 letters)
- Probable passwords (dictionary attack)
  - 80,000 word dictionary would take 80 seconds
  - Expanded "dictionary"

20 Attack on Passwords
- UK Study (http://www.cnn.com/2002/TECH/ptech/03/13/dangerous.passwords/?related)
  - 50% passwords were family names
  - Celebrities/soccer stars – 9% each
  - Pets – 8%
  - 10% reflect a fantasy
  - Only 10% use cryptic combinations

21 Attack on Passwords
- Look on desk…
- Try no password
- Try user ID
- Try user's name
- Common words (password, private, secret)
- Short dictionary
- Complete English word list
- Common non-English dictionaries
- Dictionary with capitalization and substitutions (0 for o and 1 for i)
- Brute force (lowercase alphabet)
- Brute force (full character set)

22 Attack on Passwords
- Plaintext System Password List (MS Windows)
- Encrypted Password List – 1-way (/etc/passwd)
- Shadow Password List (/etc/shadow)
- Salt – 12-bit number formed from system time and process id; concatenated to password

23 Password Selection Criteria
- Use characters other than A-Z
- Choose long passwords
- Avoid names and words
- Choose unlikely password
- Change password regularly (don't reuse)
- Don't write it down
- Don't tell anyone
- http://www.mit.edu/afs/sipb/project/doc/passwords/passwords.html
- One-time passwords

24 Authentication
- Should be slow (5-10 seconds)
- Should only allow a limited # of failures (e.g. 3)
- Challenge-Response Systems
- Impersonation of Login
- Authentication Other than Passwords
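
An added example (not from the original slides) that puts the defensive points of slides 17, 22 and 24 into one login routine: salted one-way storage, one generic failure message instead of the loose-lipped "INVALID USER NAME", and a limit of three failures. It swaps in a random 16-byte salt and PBKDF2 in place of the 12-bit salt the slide describes; the class name, message text and iteration count are assumptions.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 3          # "limited # of failures (e.g. 3)"
FAIL_DELAY = 0.0          # seconds to stall after a failure; 0 so the demo runs fast
ITERATIONS = 100_000      # assumed work factor: makes every guess expensive
GENERIC_ERROR = "INVALID LOGIN"   # same reply for a bad user ID and a bad password

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class Authenticator:
    def __init__(self):
        self._users = {}       # user id -> (salt, one-way hash); never plaintext
        self._failures = {}    # user id -> consecutive failed attempts
        self._dummy = (os.urandom(16), os.urandom(32))   # used for unknown IDs

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)                 # fresh random salt per user
        self._users[user] = (salt, _hash(password, salt))

    def stored_hash(self, user: str) -> bytes:
        return self._users[user][1]

    def login(self, user: str, password: str) -> str:
        if self._failures.get(user, 0) >= MAX_FAILURES:
            return GENERIC_ERROR              # locked out: refuse without checking
        # Unknown IDs still cost one hash, so timing does not reveal valid IDs.
        salt, expected = self._users.get(user, self._dummy)
        matches = hmac.compare_digest(_hash(password, salt), expected)
        if matches and user in self._users:
            self._failures.pop(user, None)    # success resets the counter
            return "OK"
        self._failures[user] = self._failures.get(user, 0) + 1
        time.sleep(FAIL_DELAY)
        return GENERIC_ERROR
```

A real deployment would also bound the failure table and define how a locked account is released, which this sketch leaves out.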

