CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.


Exam stats
- Median: 75
- Letter grades
  - 85-100: A
  - 65-85: B
  - 50-65: C
  - < 50: D/F

Memory Protection

Memory protection
- Usually think of multi-user security in terms of files, but memory protection must also be done
  - Behind the scenes…handled by OS automatically
- Enforce logical separation
  - Users operate under the illusion that no other user’s processes are running, and in fact are unable to access objects outside some permitted domain

Memory protection
- “Fence”: restricts access to portions of memory
  - Introduced in single-user systems to prevent (accidental) destruction of OS code
- E.g., predefined memory address where OS resides; users disallowed from modifying
  - Can be enforced at the hardware level
- Drawbacks
  - Fixed space allocated for OS
  - What if OS is supposed to be “modifiable”?
  - May waste space

Continued…
- Variation is to have a “fence register” which stores the address of the protected portion of memory
  - Allow easy “relocation” by simple addition (in hardware)
  - Protected portion can dynamically change
- More opportunity for security breaches…

Base/bounds registers
- Can have two registers: base register and bounds register
  - Memory access restricted to lie between these two
- Contents of these registers will be changed by the OS, per-user, as part of context switching
- Can also have an additional base/bounds register for each user, to logically separate instructions from data
  - Prevent accidental overwriting of executable code

Tagged architecture
- Base/bounds registers offer very coarse-grained protection
  - Also, have the restriction that different sections of memory space must be contiguous
- Possible to improve this by tagging every, e.g., word of memory
  - E.g., label each word read/write/execute
- Can be wasteful of memory…
- Requires changes at the hardware level

Segmentation
- Program components divided into logical segments (e.g., code of a single procedure; local variables)
- Each segment has a unique name; items in segment addressed by (name, offset)
- Each segment may be stored anywhere in memory
  - OS handles mapping; transparent to user
  - Can implement different protection for each segment
  - OS controls which programs have which entries in their segment address tables
  - Multiple users can potentially be given access to the same segment
  - Complete mediation

Drawbacks of segmentation?
- Users can guess memory locations
- Users can generate (name, offset) where the offset is larger than the segment size
  - Can fix this by storing current segment length in the segment address table, but this is inefficient
- Memory fragmentation
- Address table lookup can be slow

Paging
- Similar to segmentation, but with fixed-size segments called pages
  - Addressing via (page, offset)
- Avoids fragmentation problem…and “large offset” issue
- Programmer need not be aware of pages (in contrast to segments, which were logical units)
- Drawbacks
  - “Re-paging” causes potential security problems as data is shifted from one page to another
  - Can be difficult to describe desired protection, since pages are no longer logical units

Combining the approaches
- Segmentation better for security; paging better for efficiency
  - Combine to get best of both
- Program divided into logical segments; each segment broken into fixed-size pages
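
Added example (not from the lecture slides): a small C model of the combined scheme, where the segment table entry carries the current segment length and per-segment permissions, and each segment has its own page table. The page size, table contents and names such as translate() are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 256u                    /* assumed page size for this example */
enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };
enum xlate_status { XLATE_OK, ERR_NO_SEGMENT, ERR_BOUNDS, ERR_PERM };

struct segment {
    uint32_t length;          /* current segment length in bytes */
    unsigned perms;           /* PERM_* bits granted to this process */
    const uint32_t *frames;   /* per-segment page table: page number -> frame */
};

/* Constructed sample process: segment 0 = code (r-x), segment 1 = data (rw-). */
static const uint32_t code_frames[] = { 7, 3 };
static const uint32_t data_frames[] = { 12 };
static const struct segment seg_table[] = {
    { 300, PERM_R | PERM_X, code_frames },   /* 300 bytes: spans two pages */
    { 100, PERM_R | PERM_W, data_frames },
};
#define NSEGS (sizeof seg_table / sizeof seg_table[0])

/* Mediate one access: (segment, offset, wanted rights) -> physical address. */
enum xlate_status translate(uint32_t seg, uint32_t offset, unsigned want,
                            uint32_t *phys)
{
    if (seg >= NSEGS) return ERR_NO_SEGMENT;        /* no entry in the table */
    const struct segment *s = &seg_table[seg];
    if (offset >= s->length) return ERR_BOUNDS;     /* the "large offset" case */
    if ((s->perms & want) != want) return ERR_PERM; /* per-segment protection */
    *phys = s->frames[offset / PAGE_SIZE] * PAGE_SIZE + offset % PAGE_SIZE;
    return XLATE_OK;
}

int main(void)
{
    uint32_t phys = 0;
    if (translate(0, 260, PERM_R, &phys) == XLATE_OK)
        printf("code+260 -> physical %u\n", (unsigned)phys);
    /* Offset 300 still falls inside the segment's second page, so only the
       stored segment length rejects it. */
    printf("code+300 read:  status %d\n", translate(0, 300, PERM_R, &phys));
    printf("code+10  write: status %d\n", translate(0, 10, PERM_W, &phys));
    return 0;
}
```
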

Network Security

Authentication: an Overview

Authentication
- Verifying the identity of another entity
  - Computer authenticating to another computer
  - Person authenticating to a local computer
  - Person authenticating to a remote computer
- Two issues:
  - How authentication information is stored (at both ends)
  - Authentication protocol itself

Authentication
- Authentication may be based on
  - What you know
  - What you have
  - What you are
  - Examples?
- Can also consider two-factor authentication
- Mutual authentication vs. unidirectional authentication

Authentication
- Important to be clear about what is being authenticated
  - The user?
  - The machine?
  - The user’s role?
  - The data?
- What assumptions are being made?
  - E.g., login on untrusted terminal

Attack taxonomy
- Passive attacks
- Active attacks
  - Impersonation
  - Man-in-the-middle
- Server compromise
- Different attacks may be easier/more difficult in different settings

Address-based authentication
- Is sometimes used (e.g., Unix)
- This is generally not very secure
  - Relatively easy to forge source addresses of network packets

Password-based protocols
- Password-based authentication
  - Any system based on low-entropy shared secret (note: different from book definitions!)
- Distinguish on-line attacks vs. off-line attacks

Password selection
- User selection of passwords is typically very weak
  - Lower entropy password makes dictionary attacks easier
- Typical passwords:
  - Derived from account names or usernames
  - Dictionary words, reversed dictionary words, or small modifications of dictionary words
  - Etc.

Better password selection
- Non-alphanumeric characters
- Longer phrases
- Can try to enforce good password selection…
- …but these types of passwords are difficult for people to memorize and type!

From passwords to keys?
- Can potentially use passwords to derive symmetric or public keys
- What is the entropy of the resulting key?
- Often allows off-line dictionary attacks on the password