Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 12 Page 1 CS 111 Summer 2014 Security in Operating Systems: Basics CS 111 Operating Systems Peter Reiher.

Published byIsabella Robbins Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 12 Page 1 CS 111 Summer 2014 Security in Operating Systems: Basics CS 111 Operating Systems Peter Reiher."— Presentation transcript:

1 Lecture 12 Page 1 CS 111 Summer 2014 Security in Operating Systems: Basics CS 111 Operating Systems Peter Reiher

2 Lecture 12 Page 2 CS 111 Summer 2014 Security Goals Confidentiality – If it’s supposed to be secret, be careful who hears it Integrity – Don’t let someone change something they shouldn’t Availability – Don’t let someone stop others from using services Exclusivity – Don’t let someone use something he shouldn’t Note that we didn’t mention “computers” here – This classification of security goals is very general

3 Lecture 12 Page 3 CS 111 Summer 2014 Access Control Security could be easy – If we didn’t want anyone to get access to anything The trick is giving access to only the right people How do we ensure that a given resource can only be accessed by the proper people? The OS plays a major role in enforcing access control

4 Lecture 12 Page 4 CS 111 Summer 2014 Common Mechanisms for Access Control in Operating Systems Access control lists – Like a list of who gets to do something Capabilities – Like a ring of keys that open different doors They have different properties And are used by the OS in different ways

5 Lecture 12 Page 5 CS 111 Summer 2014 The Language of Access Control Subjects are active entities that want to gain access to something – E.g., users or programs Objects represent things that can be accessed – E.g., files, devices, database records Access is any form of interaction with an object An entity can be both subject and object

6 Lecture 12 Page 6 CS 111 Summer 2014 Access Control Lists ACLs For each protected object, maintain a single list Each list entry specifies a subject who can access the object – And the allowable modes of access When a subject requests access to a object, check the access control list

7 Lecture 12 Page 7 CS 111 Summer 2014 An Analogy Joe Hipster You’re Not On the List! This is an access control list

8 Lecture 12 Page 8 CS 111 Summer 2014 An ACL Protecting a File write File X ACL for file X A read write B C none Subject ASubject BSubject C read denied The file is the object The process trying to access it is the subject

9 Lecture 12 Page 9 CS 111 Summer 2014 Issues For Access Control Lists How do you know the requestor is who he says he is? How do you protect the access control list from modification? How do you determine what resources a user can access?

10 Lecture 12 Page 10 CS 111 Summer 2014 An Example Use of ACLs: the Unix File System An ACL-based method for protecting files – Developed in the 1970s Still in very wide use today – With relatively few modifications Per-file ACLs (files are the objects) Three subjects on list for each file Owner, group, other And three modes – Read, write, execute – Sometimes these have special meanings

11 Lecture 12 Page 11 CS 111 Summer 2014 Storing the ACLs They can be very small – Since there are only three entries – Basic ACL is only 9 bits Therefore, kept inside the file descriptor Makes it easy to find them – Since trying to open the file requires the file descriptor, anyway Checking this ACL is not much more than a logical AND with the requested access mode

12 Lecture 12 Page 12 CS 111 Summer 2014 Pros and Cons of ACLs +Easy to figure out who can access a resource +Easy to revoke or change access permissions –Hard to figure out what a subject can access –Changing access rights requires getting to the object

13 Lecture 12 Page 13 CS 111 Summer 2014 Capabilities Each subject keeps a set of data items that specify his allowable accesses Essentially, a set of tickets To access an object, present the proper capability Possession of the capability for an object implies that access is allowed

14 Lecture 12 Page 14 CS 111 Summer 2014 An Analogy The key is a capability

15 Lecture 12 Page 15 CS 111 Summer 2014 Capabilities Protecting a File Read X Subject BSubject C Capabilities for C Capabilities for A File X Read, Write Capabilities for B File X Read File X Subject A Capability Checking File X Read, Write read File X Read, Write Check validity of capability OK!

16 Lecture 12 Page 16 CS 111 Summer 2014 Capabilities Denying Access write denied write User B User C Capabilities for C Capabilities for A File X Read, Write Capabilities for B File X Read File X User A Capability Checking Check validity of capability No Capability Provided!

17 Lecture 12 Page 17 CS 111 Summer 2014 Properties of Capabilities Capabilities are essentially a data structure – Ultimately, just a collection of bits Merely possessing the capability grants access – So they must not be forgeable How do we ensure unforgeability for a collection of bits? One solution: – Don’t let the user/process have them – Store them in the operating system

18 Lecture 12 Page 18 CS 111 Summer 2014 Revoking Capabilities A simple problem for capabilities stored in the operating system – Just have the OS get rid of it Much harder if it’s not in the operating system – E.g., in a network context How do we make the bundle of bits change from valid to invalid? Consider the real world problem of a door lock If several people have the key, how do we keep one of them out?

19 Lecture 12 Page 19 CS 111 Summer 2014 Pros and Cons of Capabilities +Easy to determine what objects a subject can access +Potentially faster than ACLs (in some circumstances) +Easy model for transfer of privileges –Hard to determine who can access an object –Requires extra mechanism to allow revocation –In network environment, need cryptographic methods to prevent forgery

20 Lecture 12 Page 20 CS 111 Summer 2014 OS Use of Access Control Operating systems often use both ACLs and capabilities – Sometimes for the same resource E.g., Unix/Linux uses ACLs for file opens That creates a file descriptor with a particular set of access rights – E.g., read-only The descriptor is essentially a capability

21 Lecture 12 Page 21 CS 111 Summer 2014 Enforcing Access in an OS Protected resources must be inaccessible – Hardware protection must be used to ensure this – So only the OS can make them accessible to a process To get access, issue request to resource manager – Resource manager consults access control policy data Access may be granted directly – Resource manager maps resource into process Access may be granted indirectly – Resource manager returns a “capability” to process

22 Lecture 12 Page 22 CS 111 Summer 2014 Direct Access To Resources OS checks access control on initial request If OK, OS maps it into a process’ address space – The process manipulates resource with normal instructions – Examples: shared data segment or video frame buffer Advantages: – Access check is performed only once, at grant time – Very efficient, process can access resource directly Disadvantages: – Process may be able to corrupt the resource – Access revocation may be awkward You’ve pulled part of a process’ address space out from under it

23 Lecture 12 Page 23 CS 111 Summer 2014 Indirect Access To Resources Resource is not directly mapped into process – Process must issue service requests to use resource – Access control can be checked on each request – Examples: network and IPC connections Advantages: – Only resource manager actually touches resource – Resource manager can ensure integrity of resource – Access can be checked, blocked, revoked at any time If revoked, system call can just return error code Disadvantages: – Overhead of system call every time resource is used

24 Lecture 12 Page 24 CS 111 Summer 2014 Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files? Devices? IPC? Secure booting

25 Lecture 12 Page 25 CS 111 Summer 2014 Protecting Memory Most modern operating systems provide strong memory protection Usually hardware-based Most commonly through use of page tables and paging hardware To remind you, addresses issued by programs translated by hardware to physical addresses – If page tables handled right, process can’t even name other processes’ memory

26 Lecture 12 Page 26 CS 111 Summer 2014 Protecting Files We’ve already discussed this Most file systems have a built-in access control model The OS must enforce it All file access done through system calls Which gives the OS a chance to enforce the access control policy Typically checked on open

27 Lecture 12 Page 27 CS 111 Summer 2014 A File Protection Vulnerability Unix/Linux systems only check access permissions on open The open file descriptor limits access to what was checked for But if the access permissions change while the file is open, access is NOT revoked Sometimes possible to keep files open for a long, long time So if user once had access to a file, may be hard to ever push him out again

28 Lecture 12 Page 28 CS 111 Summer 2014 Another File Data Vulnerability What if someone bypasses the operating system? Directly accessing the disk as a device The OS typically won’t allow that to happen – If it’s still in control... But there can be flaws or misconfigurations Or the disk can be moved to another machine – Which may not enforce the access permissions it specifies

29 Lecture 12 Page 29 CS 111 Summer 2014 Full Disk Encryption FDE A solution to this problem Encrypt everything you put on the disk Decrypt data moved from the disk to memory Can be done in hardware – Typically in the disk drive or controller Or software – Typically by the operating system Various options for storing the key

30 Lecture 12 Page 30 CS 111 Summer 2014 Protecting Devices Most devices are treated as files So the file protection model applies In some cases, some parts of the devices are memory mapped into processes – Memory protections apply, here – But potential issues if you map them into more than one process Non-OS controlled bus interfaces can also cause problems (e.g., Firewire)

31 Lecture 12 Page 31 CS 111 Summer 2014 Protecting IPC IPC channels are often also treated like files So the same protection model and mechanisms apply Even shared memory is handled this way – But especially important to remember that you don’t get complete mediation here – And granularity of protection is the segment, not the word or page or block

32 Lecture 12 Page 32 CS 111 Summer 2014 Secure Boot Our OS-based protection mechanisms rely on one fundamental assumption – We are running an OS that properly implements them What if we aren’t running the OS that we think we are? Then all bets are off The false OS can do whatever it wants So we need to be sure we’ve booted what we wanted to boot

33 Lecture 12 Page 33 CS 111 Summer 2014 The Bootstrap Process When a computer is powered on, the OS is not usually resident in memory It gets put there by a bootstrap loader The bootstrap program is usually very short Located in an easily defined place Hardware finds it, loads it, runs it Bootstrap then takes care of initializing the OS

34 Lecture 12 Page 34 CS 111 Summer 2014 Booting and Security Most systems make it hard to change bootstrap loader – But it must have enough flexibility to load different OSes – From different places on machine Malware likes to corrupt the bootstrap Trusted computing platforms can help secure bootstrapping

35 Lecture 12 Page 35 CS 111 Summer 2014 Approaches to Bootstrap Security TPM – an industry standard A hardware-assisted method to guarantee that the right bootstrap was loaded – And, from that, guarantee that the right OS was booted – And possibly build up further security from that SecureBoot – a Microsoft technology Built into the boot hardware and SW Essentially, only allows booting of particular OS versions

Download ppt "Lecture 12 Page 1 CS 111 Summer 2014 Security in Operating Systems: Basics CS 111 Operating Systems Peter Reiher."

Similar presentations

Lecture 13 Page 1 CS 111 Online File Systems: Introduction CS 111 On-Line MS Program Operating Systems Peter Reiher.

Lecture 13 Page 1 CS 111 Online File Systems: Introduction CS 111 On-Line MS Program Operating Systems Peter Reiher.
Copyright ©: Lawrence Angrave, Vikram Adve, Caccamo 1 Virtual Memory III.

Copyright ©: Lawrence Angrave, Vikram Adve, Caccamo 1 Virtual Memory III.
Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Lecture 12 Page 1 CS 111 Online Devices and Device Drivers CS 111 On-Line MS Program Operating Systems Peter Reiher.

Lecture 12 Page 1 CS 111 Online Devices and Device Drivers CS 111 On-Line MS Program Operating Systems Peter Reiher.
Chapter 6 User Protections in OS. csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access.

Chapter 6 User Protections in OS. csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
19: Protection1 PROTECTION Protection is the mechanism for controlling access to computer resources. Security concerns the physical integrity of the system.

19: Protection1 PROTECTION Protection is the mechanism for controlling access to computer resources. Security concerns the physical integrity of the system.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.

CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
CS 300 – Lecture 22 Intro to Computer Architecture / Assembly Language Virtual Memory.

CS 300 – Lecture 22 Intro to Computer Architecture / Assembly Language Virtual Memory.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.

1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.
I/O Tanenbaum, ch. 5 p. 329 – 427 Silberschatz, ch. 13 p. 495 - 527.

I/O Tanenbaum, ch. 5 p. 329 – 427 Silberschatz, ch. 13 p
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Lecture 17 Page 1 CS 111 Spring 2015 Operating System Security CS 111 Operating Systems Peter Reiher.

Lecture 17 Page 1 CS 111 Spring 2015 Operating System Security CS 111 Operating Systems Peter Reiher.
Lecture 18 Page 1 CS 111 Online Access Control Security could be easy – If we didn’t want anyone to get access to anything The trick is giving access to.

Lecture 18 Page 1 CS 111 Online Access Control Security could be easy – If we didn’t want anyone to get access to anything The trick is giving access to.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.

Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
Architecture Support for OS CSCI 444/544 Operating Systems Fall 2008.

Architecture Support for OS CSCI 444/544 Operating Systems Fall 2008.
CS 153 Design of Operating Systems Spring 2015 Lecture 17: Paging.

CS 153 Design of Operating Systems Spring 2015 Lecture 17: Paging.

Similar presentations

Ads by Google