Presentation is loading. Please wait.

Presentation is loading. Please wait.

Protection in General- Purpose OS Week-3. Our Main Concern In what way do operating systems protect one user’s process from inadvertent or malicious interaction.

Published byWalter McBride Modified over 8 years ago

Similar presentations

Presentation on theme: "Protection in General- Purpose OS Week-3. Our Main Concern In what way do operating systems protect one user’s process from inadvertent or malicious interaction."— Presentation transcript:

1 Protection in General- Purpose OS Week-3

2 Our Main Concern In what way do operating systems protect one user’s process from inadvertent or malicious interaction by another user? OS may be vulnerable to certain kinds of vulnerabilities simply because of the nature of the programs itself, on the basis that they “offer different access to different items by different kinds of users” “It is important to pay careful attention to defining access, granting access, and controlling intentional and unintentional corruption of data and relationships” Multitasking: To schedule and execute multiple tasks (program) simultaneously; control being passed from one to the other using interrupts; To handle multiple tasks at once

3 Object Protection Memory Protection - Methods Fence – in single-user OS prevent faulty user program destroying resident OS. It confine user program to one side of the boundary. Fence implementation (1) – Fixed fence. OS resides in predefined memory space and user on another. Unfortunately, this kind of implementation was very restrictive because a predefined amount of space was always reserved for the operating system, whether it was needed or not. Fence implementation (2) – Variable fence register (base register). It contains address of the end of OS. It cannot protect one user against another. The location of the fence could be changed. Each time a user program generated an address for data modification, the address was automatically compared with the fence address.

4 Object Protection Memory Protection - Methods Figure 1 – Fixed Fence

5 Object Protection Memory Protection - Methods Figure 2 – Variable Fence Register

6 Object Protection Memory Protection - Methods Relocation – OS size change overtime. programs relocated to starting address by relocation factor. The relocation factor is the starting address of the memory assigned for the program. Fence register can be used as a hardware relocation device; fence register contents added to program address. This action both relocates the address and guarantees that no one can access a location lower than the fence address. Base/Bounds Registers – needed for multiuser environment. Base register provides only lower bound (starting address). Bound register provide upper address limit. Each user program reside within base and bound addresses. OS employs context switching when transferring controls.

7 Object Protection Memory Protection – Methods: This technique protects a program's addresses from modification by another user. Figure 3 – Pair of Base and Bound Register

8 Object Protection Memory Protection - Methods Tags – needed because base/bounds registers create an all or nothing for sharing data. A tagged architecture provides for one or more extra bits in each word of memory to identify access rights – R-W-RW-X Segmentation – simply dividing a program into separate pieces with logical memory addressing. Segmentation was developed as a feasible means to produce the effect of the equivalent of an unbounded number of base/bounds registers. Paging – alternative to segmentation. A program divided into equal pieces called pages and memory into equal sized units called page frames.

9 Object Protection Memory Protection - Methods Figure 4 – Example of Tagged Architecture

10 Object Protection Memory Protection - Methods Figure 4 – Example of Segmentation

11 Object Protection General Control of Access of Objects - Methods File Directory – mechanism for protecting objects (files) from users (subjects). Every file has a unique owner who possesses controls access and revocation rights, including who else has what access. Each user has a file directory, which lists all the files which that user has access

12 Object Protection General Control of Access of Objects - Methods Figure 5 – Directory Access

13 Object Protection General Control of Access of Objects - Methods Alternative is Access Control List (ACL) – differs from directory list – one access control list per object i.e. no need for an entry for the object in the individual directory of each user Capability – OS hands some protection burden to user – Ticketing system – Lead to Kerberos system

14 Object Protection General Control of Access of Objects - Methods Figure 6 – Access Control List

15 Object Protection Kerberos implements authentication and access authorisation by means of ticketing capabilities; MS OS NT+ Secure with symmetric cryptography Uses authentication server (AS) and ticket-granting server (TGS), both part of KDC. User presents authentication credentials (e.g. password) to AS and receives authentication ticket showing that he/she has passed To access a resource (e.g. Printer) user sends ticket to TGS; TGS returns authorised ticket and another ticket to present to Printer for access

16 Authentication Based on something you know Passwords, PIN numbers, mother’s name etc. something you have Identify badges, physical keys, driver’s licence etc something you are Biometrics – physical characteristics of users, such as fingerprint, pattern of person’s voice or face (picture)

17 Authentication Attacks on Passwords Try all possible passwords (exhaustive or brute force attack) Try frequently used passwords (probable passwords? Think of a work!) Try passwords likely for the user Search for the system list of passwords (plaintext or encrypted?) Ask the user!

18 Authentication Attacks on Password Figure 7 – User’s Password Choice

19 Authentication Authentication techniques (discussed later) challenge-response (e.g. one-time password) Impersonation of login – one sided Biometrics (authentication without passwords) Identification (“this is Captain Cook”) Vs Authentication (“ I am Captain Cook, present my hand to prove it”) Acceptance – people find them intrusive

20 Authentication Biometrics (authentication without passwords) processing speed – speed at which recognition is done impacts on accuracy “false positive or “false accept” (a reading that is accepted when it should be rejected) Vs “false negatives” or “false reject” (one that rejects when it should accept)

21 Thank You !

Download ppt "Protection in General- Purpose OS Week-3. Our Main Concern In what way do operating systems protect one user’s process from inadvertent or malicious interaction."

Similar presentations

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Threads, SMP, and Microkernels

Threads, SMP, and Microkernels
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Access Control Methodologies

Access Control Methodologies
Chapter 6 User Protections in OS. csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access.

Chapter 6 User Protections in OS. csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access.
CSC 405 Introduction to Computer Security

CSC 405 Introduction to Computer Security
File Management Chapter 12. File Management A file is a named entity used to save results from a program or provide data to a program. Access control.

File Management Chapter 12. File Management A file is a named entity used to save results from a program or provide data to a program. Access control.
Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-20111 Module 6 Module 6 Security in Operating Systems  MModified by :Ahmad Al Ghoul  PPhiladelphia.

Network Security Philadelphia UniversitylAhmad Al-Ghoul Module 6 Module 6 Security in Operating Systems  MModified by :Ahmad Al Ghoul  PPhiladelphia.
Protection and Security. Policy & Mechanism Protection mechanisms are tools used to implement security policies –Authentication –Authorization –Cryptography.

Protection and Security. Policy & Mechanism Protection mechanisms are tools used to implement security policies –Authentication –Authorization –Cryptography.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.

CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
GUIDE TO BIOMETRICS CHAPTER I & II September 7 th 2005 Presentation by Tamer Uz.

GUIDE TO BIOMETRICS CHAPTER I & II September 7 th 2005 Presentation by Tamer Uz.
1 Chapter 8 Virtual Memory Virtual memory is a storage allocation scheme in which secondary memory can be addressed as though it were part of main memory.

1 Chapter 8 Virtual Memory Virtual memory is a storage allocation scheme in which secondary memory can be addressed as though it were part of main memory.
Computer Organization and Architecture

Computer Organization and Architecture
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
SE571 Security in Computing

SE571 Security in Computing

Similar presentations

Ads by Google