Protection and Security

Protection and Security Operating system consists of a collection of objects, hardware or software Each object has a unique name and can be accessed through a well-defined set of operations (hopefully) Protection and security problem - ensure that each object is accessed correctly and only by those processes of authorized users that are allowed to do so

Protection and Security – cont. OS designer faces challenge of creating a protection scheme that cannot be bypassed by any software that may be created in the future Networking adds to the problem as it allows access to a computer and its resources without being in the same physical location See next frame

Protection – Internal Access Authorization

Policy vs. Mechanism An organization’s security policy defines the rules for authorizing access to its computers and information resources A particular strategy that dictates the way a mechanism is used to achieve specific goals Protection mechanisms are tools for implementing the organization’s security policy

Policy & Mechanism A security policy is a strategy that dictates the way a mechanism is used to achieve a specific goal Accountants have access to payroll files OS processes have access to the page table Client process has access to information provided by a server A protection mechanism is a set of components used to implement any one of different sets of strategies Authentication Authorization Cryptography

Policy & Mechanism – cont. Example - Computers in lab Policy: can only be used by students registered for graduate classes Mechanism: authentication via username and password; set up via class list and request Policy: students may only have N bytes of storage space Mechanism: establish a quota system on disk

Policy & Mechanism – cont. The security policy specifies the ways resources should be shared among members of the organization and with members external to the organization The mechanism is the specific steps and tools provided by the system to enforce the policy

Security Goals Authentication Authorization Machine X Resource W Process A Resource X Resource Y read Resource Z read read/write Process B read/write Authentication Machine Y Authorization Process C

Implementing Policy & Mechanism Policies selected by system administrators – after the OS and protection mechanisms have been designed and implemented OS designer must foresee all the policies that may be selected and implement the mechanisms accordingly Very difficult task – usually handled by sending out patches as security holes are found

The Security Problem Security must consider external environment of the system, and protect it from unauthorized access. malicious modification or destruction accidental introduction of inconsistency. Easier to protect against accidental than malicious misuse

Authentication Mechanisms Basis of most protection mechanisms Two types of authentication External: verify the user Usually username/password combination May require two passwords or other identification Internal: verify the process Don’t allow one users process to appear to be that of another user Network access accentuates the problem Is the computer who it says it is?

User Authentication Three types of authentication: Something a user knows e.g. a password, a combination, answers to personal questions Something a user has e.g. a badge, a smart card, a key Something a user is e.g. fingerprint, signature, voice print, hand geometry, retinal blood vessel pattern

Authentication User identity most often established through passwords, can be considered a special case of either keys or capabilities. Passwords must be kept secret. Frequent change of passwords. Use of “non-guessable” passwords. Log all invalid access attempts. Encryption

User Authentication Possible mechanisms Recognize repeated login attempts Disconnect after some threshold is reached Disregard correct passwords after some threshold of failures has been reached Make login process slow – handle computer generated attempts

Network Authentication Need to be able to communicate between computers without significantly increasing the overhead involved Most typical access is for file transport Email Messages File downloading Obtaining network services

Program Threats Trojan Horse Trap Door Code segment that misuses its environment. Exploits mechanisms for allowing programs written by users to be executed by other users. Trap Door Specific user identifier or password that circumvents normal security procedures. Could be included in a compiler.

System Threats Worms – use spawn mechanism; standalone program Internet worm Exploited UNIX networking features (remote access) and bugs in finger and sendmail programs. Grappling hook program uploaded main worm program. Viruses – fragment of code embedded in a legitimate program. Mainly effect microcomputer systems. Downloading viral programs from public bulletin boards or exchanging floppy disks containing an infection. Safe computing.

The Morris Internet Worm

The confinement problem How do we prevent a program from leaking information to others? It is not as simple as preventing IPC and I/O A covert channel is a hidden means of communication information e.g. sending bits by manipulating the CPU load

Threat Monitoring Check for suspicious patterns of activity – i.e., several incorrect password attempts may signal password guessing. Audit log – records the time, user, and type of all accesses to an object; useful for recovery from a violation and developing better security measures. Scan the system periodically for security holes; done when the computer is relatively unused.

Threat Monitoring – cont. Check for: Short or easy-to-guess passwords Unauthorized set-uid programs Unauthorized programs in system directories Unexpected long-running processes Improper directory protections Improper protections on system data files Dangerous entries in the program search path (Trojan horse) Changes to system programs: monitor checksum values

Kerberos Network Authentication A set of network protocols used to authen-ticate access to a computer by a user at a different computer using an unsecure network Assumes information over network could be tampered with Does not assume OS on either machine is secure Developed at MIT in 80’s; widely used

Kerberos Authentication Server Client Server Client asks authentication server for credentials of the server process

Kerberos Authentication Encrypted for client Server Encrypted for server Ticket Client Client ID Session Key Session Key Server Authentication server returns the credentials as ticket & session key with key encrypted using client key

Kerberos Authentication Encrypted for client Server Encrypted for server Ticket Session Key Client Client ID Session Key Session Key Server Client decrypts ticket & key; keeps copy of session key Sends copy of ticket to server

Kerberos Authentication Encrypted for client Server Encrypted for server Ticket Session Key Client Client ID Session Key Session Key Ticket Server Client ID Server decrypts copy of ticket to obtain secure copy of client ID and session key Session Key Client ID Session Key

Kerberos Authentication Once these steps completed, client and server processes both have copy of session key and can begin secure communication Authentication server MUST be trusted It has copy of client’s ID, knows how to encrypt info that only client can decrypt, knows how to encrypt info that only server can decrypt, and can create unique session key

Authorization Is this user/process allowed to access the resource under the current policy? What type of access is allowable? Read Write Execute Append

Internal Access Authorization Internal authorization is part of the task of managing resource sharing The goal is to protect one process’s resources from the actions of other processes

Protection Problems Sharing parameters Confinement Process calls procedure in another process’s address space, which then modifies parameters, so that when original process regains control, variables in its address space have been changed Confinement Contain all rights to resources so that they do not propagate outside some chosen set of processes

Protection Problems – cont. Allocating rights A process provides another process with specific rights to use its resources; should be a temporary allocation; but what if 2nd process passes those rights on to other processes without knowledge or permission of original process (the owner of the resource) Trojan horse Special case of allocating rights: client process invokes a service program which then takes advantage of the client’s process rights

Lampson’s Protection Model Active parts (e.g., processes or threads) Act on behalf of users Operate in different protection domains The set of rights a process has at any given time Subject is a process executing in a specific domain Passive parts are called objects Correspond to resources NOTE: not related to OOP terminology

Model Want mechanism to implement different security policies for subjects to access objects Many different policies must be possible Policy may change over time

Protection System Composed of Set of objects Set of subjects Set of rules specifying protection policy Represents accessibility of objects by subjects Guarantees that the protection state is checked for each access of an object by a subject

A Protection System Subjects Objects a S X S desires a access to X

A Protection System Subjects Objects Protection State X S desires a access to X Protection state reflects current ability to access X

A Protection System Subjects Objects Protection State State Transition X State Transition S desires a access to X Protection state reflects current ability to access X Authorities can change

A Protection System Subjects Objects Protection State State Transition X State Transition S desires a access to X Protection state reflects current ability to access X Authorities can change What are rules for changing authority? Rules

A Protection System Subjects Objects Protection State State Transition X State Transition S desires a access to X Protection state reflects current ability to access X Authorities can change What are rules for changing authority? How are the rules chosen? Rules Policy

Access Matrix The protection state can be represented using an access matrix An access matrix A has one row for each subject and one column for each object Note: subjects are also objects (processes controlling processes) Each entry A[S, X] is a set that describes the access rights held by subject S to object X Access authentication If subject S initiates type a access to X then if a A[S,X], the access is valid. If a  A[S, X], the access is invalid.

Protection System Example S desires a access to X

Protection System Example S desires a access to X Captures the protection state S a Access matrix

Protection System Example (S, a, X) Access authentication S X X S desires a access to X Captures the protection state Generates an unforgeable ID S a Access matrix

Protection System Example (S, a, x) Access authentication Monitor S X X S desires a access to X Captures the protection state Generates an unforgeable ID Checks the access against the protection state S a

Example Suppose simple system Let the access matrix be Subjects = {S1, S2, S3} Objects = subjects  {F1, F2, D1, D2} F represent files, D devices Let the access matrix be S1 S2 S3 F1 F2 D1 D2 S1 control block wakeup owner control owner read* write* seek owner S2 control stop owner update owner seek* S3 control delete execute owner

Example – cont. The * is called a copy flag It allows the process to transfer an access right to another process

Example – cont. If S2 attempts to update access to F2 It initiates access Causing protection system to create record of form (S2, update, F2) Record given to monitor for F2 Monitor checks access table Since access is valid, S2 is allowed to update F2

Example – cont. If S2 attempts execute access to F2 It initiates access Causing protection system to create record of form (S2, execute, F2) Record given to monitor for F2 Monitor checks access table Since access is invalid, S2 is not allowed to execute F2 Violation is reported to OS

Changing Protection State Subjects Objects Protection State S X State Transition Rules Handling state changes Policy

Policy Rules Example Rules for a Particular Policy S1 S2 S3 F1 F2 D1 control block wakeup owner control owner read* write* seek owner S2 control stop owner update owner seek* S3 control delete execute owner Rules for a Particular Policy Rule Command by S0 Authorization Effect 1 transfer(a|a*) to (S, X) a*A[S0, X] A[S, X] = A[S, X]{a|a*} 2 grant(a|a*) to (S, X) ownerA[S0, X] A[S, X] = A[S, X]{a|a*} 3 delete a from (S, X) controlA[S0, S] A[S, X] = A[S, X]-{a} or ownerA[S0, X]

Policy Rules Example The policy rules determine who controls the propagation of the various types of access Access may be Transferred: process must have copy flag for right Granted: process must be owner of object Don’t need copy flag Deleted: process must own or control object Example: rule 1 determines what rights can be transferred from one process to another Command: transfer(a|a*) to (S, X) Authorization: a*A[S0, X] S1 can transfer read or read* access to S2 or S3 for F1 because S1 has the copy flag set

Protection State The copy flag and rules are designed to prevent indiscriminate propagation of access rights among subjects Right can only be propagated when owner transfers copy flag to another subject Subject may then transfer right with or without copy flag This transfer may be nondestructive (first subject keeps access) or destructive (first subject loses access)

Results of Rules These rules (along with a few others) define a protection system that addresses the problems mentioned earlier: Masquerading: subject must be authenticated and given unforgeable signature Confinement and allocating rights: rights are restricted to a designated set of subjects An untrusted subsystem must be memoryless (confined with respect to its ability to retain information or leak it to other subjects)

Results of Rules – cont. Sharing of parameters: allow only indirect access to objects by untrusted subjects Create gatekeeper subject to protect object from unwanted accesses by untrusted subjects Trojan horses: problem caused by process assuming rights of another while acting on its behalf this model distinguishes between two processes using the same rights on different subjects Many rule sets may solve problem for specific policies, but don’t guarantee solution independent of policy

Cost of Protection Mechanisms Basic protection model requires that each resource access be passed through a monitor before request can be granted This may introduce a substantial performance cost Need to decide if performance hit is justified If information MUST be secure, the cost of performance is not an issue

Implementing Internal Authorization Protection model describes logical set of components that can be used What implementations are cost effective? How can an access matrix be implemented efficiently? Need to consider Access matrix not only possible representation Access matrix must be secured; only read and written by selected processes Goal is to route all accesses through protection monitor Protection system should be able to authenticate the source of each request Monitor must be protected process to implement the rules Must not be possible for other subjects to compromise monitor

Protection Domain The particular set of rights a process has at any given time Two level domain architecture Supervisor domain: has more rights than user User domain: fewer rights than supervisor User domain Supervisor domain

Protection Domains The two-level domain can be generalized to a set of N concentric rings Domain ring architecture for protection R0 RS+1 RN-1 The innermost rings have more rights than the outermost ones

Protection Domains – cont. Inner rings have higher authority Ring 0 corresponds to supervisor mode Rings 1 to S have decreasing protection, and are used to implement the OS Rings S+1 to N-1 have decreasing protection, and are used to implement applications Lampson model uses processes and domains -- how is a domain implemented? Supervisor/user hardware mode bit Software extensions -- rings

Protection Domains – cont. Ring crossing is a domain change Inner ring crossing  rights amplification Specific gates for crossing Protected by an authentication mechanism Outer ring crossing uses less-protected objects No authentication Need a return path Used in Multics and Intel 80386 (& above) hardware

Implementing Access Matrix Usually a sparse matrix Too expensive to implement as a table Implement as a list of table entries Column oriented list is called an access control list (ACL) List kept at the object UNIX file protection bits are one example Row oriented list is a called a capability list List kept with the subject (i.e., process) Kerberos ticket is a capability

Unix Protection Scheme Mode of access: read, write, execute Three classes of users RWX a) owner access 7  1 1 1 RWX b) groups access 6  1 1 0 c) public access 1  0 0 1

Protection Domains A capability is a unique, global name for an access right to an object in the system A protection domain is a set of capabilities to perform certain actions on certain objects A process can move from protection domain to protection domain so, at any point, it has exactly the capabilities it needs for the current job (the principle of least privilege) This is more flexible than associating capabilities directly with a process

More on Capabilities Provides an address to object from a very large address space Possession of a capability represents authorization for access Implied properties: Capabilities must be very difficult to guess Capabilities must be unique and not reused Capabilities must be distinguishable from randomly generated bit patterns

Cryptography Even in secure OS, information will sometimes be temporarily unprotected Ex.: while being transferred from one part of OS to another, as in Kerberos authentication strategy Information can be encoded using a key when it is written (or transferred) -- encryption It is then decoded using a key when it is read (or received) -- decryption

More on Cryptography encryption plaintext ciphertext decryption

Two Basic Strategies Details of encryption and decryption are unknown Functions are complex making it difficult to guess how translation is accomplished Details are known, but the keys are secret and difficult to forge Difficult to guess a key

More on Cryptography Ke = encryption key Kd = decryption key Ke Kd C = EKe(plaintext) Encrypt Decrypt plaintext plaintext Ke = encryption key Kd = decryption key

More on Cryptography Ke Kd C = EKe(plaintext) Encrypt Decrypt Invader Side information plaintext

Cryptographic Systems Modern Systems Conventional Systems Ke and Kd are essentially the same Private Key Public Key Ke and Kd are private Ke is public Kd is private

Encryption Encrypt clear text into cipher text. Properties of good encryption technique: Relatively simple for authorized users to encrypt and decrypt data. Encryption scheme depends not on the secrecy of the algorithm but on a parameter of the algorithm called the encryption key Extremely difficult for an intruder to determine the encryption key Data Encryption Standard substitutes characters and rearranges their order on the basis of an encryption key provided to authorized users via a secure mechanism. Scheme only as secure as the mechanism.

Encryption - cont. Public-key encryption based on each user having two keys: public key – published key used to encrypt data. private key – key known only to individual user used to decrypt data. Must be an encryption scheme that can be made public without making it easy to figure out the decryption scheme. Efficient algorithm for testing whether or not a number is prime. No efficient algorithm is known for finding the prime factors of a number.

Public Key Cryptography Clear text encrypted by public key can be decrypted by private key, and vice versa Two users can generate authenticated, private communications Information is signed by user 1 and encrypted with user 1’s private key The entire message is then encrypted with user 2’s public key and transmitted User 2 then decrypts using user 2’s private key and then with user 1’s public key