University of Massachusetts, Amherst, Department of Computer Science. Emery Berger. Operating Systems, CMPSCI 377 Lecture.

Slide 1: University of Massachusetts, Amherst, Department of Computer Science. Emery Berger. Operating Systems, CMPSCI 377, Lecture 22: Protection & Security. Brian Levine.

Slide 2: Protection vs. Security
- Policy = the set of allowable states of a system.
- Security = protecting the confidentiality, integrity, and availability of a system according to the rules set out by a specific policy.
- Protection = mechanisms used to control access to valued resources, e.g., programs and data stored on a computer system. Usually accompanied by detection and response mechanisms!
- The book is poorly written in this regard: "security is a measure of confidence that the integrity of a system and its data will be preserved. Security assurance is a much broader topic than is protection".
- Assurance = degree of confidence that a particular system meets its security requirements, based on specific evidence.

Slide 3: Protection
- Goals of Protection
- Protection Domains
- Access Matrix
- Implementation
- Revocation of Access Rights
- Capability-Based Systems
- Language-Based Protection

Slide 4: Goals of Security
- A system is secure if either:
  - The cost of attacking the system is more than the value of the protected resources. (You attack $100 of gold with a $120 attack dog.) Cost can equal the computer or network resources required to attack the system.
  - Or, the time it takes to attack the system is longer than the resource remains valuable. (You don't need to protect the time and place of a secret event after the event takes place.) Time can be the processing time to compute the correct result (e.g., guessing a password).

Slide 5: Protection Goal
- Let's say we have a valuable resource like an O.S.: a collection of objects, hardware and software.
  - Objects have unique names.
  - Accessed through a well-defined set of operations.
- Goal of protection: ensure each object is accessed correctly and only by authorized processes, according to some policy.
- A policy is a statement of what states (and operations) are allowed (i.e., secure/authorized), and what are not allowed (i.e., nonsecure/unauthorized) for a specific system.

Slide 6: Protection Domains
- Access-right = rights-set = subset of all valid operations that can be performed on the object (i.e., the policy!)
- Domain = set of access-rights

Slide 7: Domain Implementation
- Example 1: UNIX
  - The domain is implemented as the "user-id".
  - Files are an example of an object (we'll see others, like laser printers and servers).
  - Sometimes the OS will do domain switching to execute some task; this is accomplished via the file system:
    - Each file has an associated domain bit (the setuid bit).
    - When a file is executed and setuid = on, the user-id is set to the owner of the file being executed.
    - When execution completes, the user-id is reset.
  - "ps" is a setuid program, as is "lpr".

Slide 8: Domain Implementation (II)
- Example 2: MULTICS
  - Precursor to UNIX, by MIT & GE
  - "Ring" protection system by Bob Graham

Slide 9: Multics: Rings
- Nested domain structure ("rings")
- Let D_i and D_j be any two domain rings.
- If j < i, then D_i ⊂ D_j.
- Lower level = more privileges.
- Each process maintains a current ring number.

Slide 10: Access Matrix
- Column = access-control list for one object, F_i: defines who can perform what operation on the object.
- Row = capability list: operations allowed on what objects, per domain.

Slide 11: Use of Access Matrix (Contd.)
- Mechanism: something that enforces policy. The design separates mechanism from policy.
- Mechanism: the operating system provides the access matrix + rules. It ensures that the matrix is manipulated only by authorized agents and that the rules are strictly enforced.
- Policy: the user dictates policy: who can access what object and in what mode.

Slide 12: Dynamic Access Matrices
- Extend for dynamic protection: operations to add and delete access rights.
  - transfer – switch from domain D_i to D_j
  - owner of O_i
  - copy op from O_i to O_j
  - control – D_i can modify D_j's access rights

Slide 13: Switching Domains
- Switching domains: add domains as objects!

Slide 14: Access Matrix with Copy Rights
- An asterisk denotes that the access right can be copied within the column.

Slide 15: Access Matrix With Owner Rights
- Ownership: can add new rights, remove some rights.

Slide 16: Control: Modifying Access Matrix
- Control: a process executing in one domain can modify another domain.
- Example: D2 changes D4.

Slide 17: Implementation of Access Matrix
- Global table – too large, no grouping
- Access list – per object; simple
- Capability list – list of objects + operations
  - Object name = capability (think: special pointer)
  - Check in the capability list for access

Slide 18: Revocation of Access Rights
- Access-list scheme: search for the right to be revoked, delete it.
  - Immediate; can be selective (just affect some users); can be partial (just some rights revoked).

Slide 19: Revocation of Access Rights
- Capabilities: more complicated.
  - Reacquisition: try to reacquire after deletion
  - Back-pointers: point from the object to its capabilities; expensive (used in MULTICS)
  - Indirection: the capability points to an entry in a table; not selective
  - Keys: one key per capability; check in a global key table
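A worked model of slides 10 to 19, added here as an example (not code from the lecture or the textbook): domains are entered as objects, so switch, copy (the asterisk), owner and control are ordinary rights in the matrix, the column and row views are the ACL and capability list, and revocation under the access-list scheme is immediate, selective and partial. Domain and object names (D1, F1, ...) are made up for illustration.

```python
class AccessMatrix:
    """Assumed toy model: (domain, object) -> set of right names."""

    def __init__(self):
        self.rights = {}

    def grant(self, domain, obj, *rs):
        self.rights.setdefault((domain, obj), set()).update(rs)

    def has(self, domain, obj, right):
        return right in self.rights.get((domain, obj), set())

    def check(self, domain, obj, right):
        """Mechanism: only the matrix is consulted; policy is whatever was granted."""
        if not self.has(domain, obj, right):
            raise PermissionError(f"{domain} lacks '{right}' on {obj}")

    def switch(self, current, target):
        """Domain switching: the target domain is an object carrying a 'switch' right."""
        self.check(current, target, "switch")
        return target

    def copy(self, current, obj, right, target):
        """Copy right: 'read*' lets current copy 'read' to another row of the same column."""
        self.check(current, obj, right + "*")
        self.grant(target, obj, right)

    def owner_add(self, current, obj, target, right):
        """Owner right: the owner may add rights on obj in any domain's row."""
        self.check(current, obj, "owner")
        self.grant(target, obj, right)

    def control_remove(self, current, target_domain, obj, right):
        """Control right: current may strip rights from target_domain's row."""
        self.check(current, target_domain, "control")
        self.rights.get((target_domain, obj), set()).discard(right)

    def acl(self, obj):
        """Column view: the access-control list for one object."""
        return {d: sorted(rs) for (d, o), rs in self.rights.items() if o == obj and rs}

    def capability_list(self, domain):
        """Row view: what this domain may do, per object."""
        return {o: sorted(rs) for (d, o), rs in self.rights.items() if d == domain and rs}

    def revoke(self, obj, domain=None, rights=None):
        """Access-list revocation: immediate; domain=None hits every row (general),
        rights=None removes everything (total); otherwise selective and/or partial."""
        for (d, o), rs in self.rights.items():
            if o == obj and (domain is None or d == domain):
                if rights is None:
                    rs.clear()
                else:
                    rs.difference_update(rights)
```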

Slide 20: Capability-Based Systems
- Hydra
  - Fixed set of access rights known to and interpreted by the system.
  - Interpretation of user-defined rights is performed solely by the user's program.
  - The system provides access protection for the use of these rights.
- Cambridge CAP System
  - Data capability – provides standard read, write, execute of individual storage segments associated with objects.
  - Software capability – interpretation left to the subsystem, through its protected procedures.

Slide 21: Language-Based Protection
- Specification of protection in a programming language: allows a high-level description of policies for the allocation and use of resources. Example: Java.
- Language implementation:
  - Can provide software for protection enforcement when automatic hardware-supported checking is unavailable.
  - Interprets protection specifications to generate calls on whatever protection system is provided by the hardware and the operating system.

Slide 22: Security
- The Security Problem
- Authentication
- Program Threats
- System Threats
- Threat Monitoring
- Encryption

Slide 23: Security
- Security must address the external environment of the system and protect it, ensuring:
  - Confidentiality: objects are available only to authorized peers. E.g., no unauthorized read access.
  - Integrity: objects have not been maliciously or accidentally modified. No introduction of inconsistency.
  - Availability: objects are available without delay and operate correctly (to authorized peers). No malicious destruction of resources (i.e., objects).
- It is easier to protect against accidental than malicious misuse.

Slide 24: Authentication
- Authentication is the corroboration of an identity (i.e., of a domain).
- User identity is most often established through passwords; these can be considered a special case of either keys or capabilities.
- Passwords must be kept secret. Good practices:
  - Frequent change of passwords
  - Use of "non-guessable" passwords
  - Log all invalid access attempts

Slide 25: Encryption
- Cryptography is a set of mathematical functions with a set of nice properties; a common mechanism for enforcing policies.
- Crypto will encrypt clear text into cipher text, and vice versa.
- Properties of a good encryption technique:
  - The encryption scheme depends not on the secrecy of the algorithm but on a parameter of the algorithm called the encryption key.
  - It is extremely difficult for an intruder to determine the encryption key.
  - If we keep the algorithm secret, we have to change it each time someone leaves our group.

Slide 26: Encryption (Cont.)
- Advanced Encryption Standard (AES) is now the government standard (it replaced the DES algorithm).
- Symmetric key algorithm: one key shared by a pair of users, used for both encryption and decryption.
- Asymmetric or public/private-key algorithms are based on each user having two keys:
  - public key – published key used to decrypt data enciphered by the private key.
  - private key – key known only to the individual user, used to decrypt data enciphered by the public key.
- If I send you some data that is decryptable only with my public key, then you believe that I must have sent it: authentication and integrity!
- Basis of these algorithms: easy to multiply primes, but hard to factor the product.
- About 1000 times slower processing than symmetric key algorithms.

Slide 27: Program Threats ("Malware")
- Trojan Horse: a code segment that misuses its environment. One program that covertly runs another malicious program.
- Trap/Back Door: a specific user identifier or password that circumvents normal security procedures (e.g., "joshua" in War Games, 1982, if you are old like me). Could be included in a compiler: Ken Thompson's Turing Award lecture.

Slide 28: More malware: Worms
- Worms use a spawn mechanism; a standalone program that is self-perpetuating. The lay press often calls them "viruses".
- Exploited UNIX networking features (remote access) and bugs in the fingerd and sendmail programs.
- Nowadays, often propagate through design flaws in mail readers: the mailer opens the mail, executes JavaScript, and forwards the mail to all entries of the address book.

Slide 29: System Threats: Viruses
- Viruses: a fragment of code embedded in a legitimate program.
- Mainly affect PCs, infected via the Internet. "Old days": exchanging floppy disks containing an infection.
- In general, they require action by the user to perpetuate themselves (downloading a web file).
- In contrast, worms propagate themselves: once they reach their target, they attempt to reach other targets.

Slide 30: The Morris Internet Worm (1988)

Slide 31: Threat Monitoring
- Check for suspicious patterns of activity, e.g., several incorrect password attempts may signal password guessing.
- Audit log: records the time, user, and type of all accesses to an object. Useful for recovery from a violation and for developing better security measures.
- Scan the system periodically for security holes. Done when the computer is relatively unused.

Slide 32: Threat Monitoring (Cont.)
- Check for:
  - Short or easy-to-guess passwords
  - Unauthorized setuid programs
  - Unauthorized programs in system directories
  - Unexpected long-running processes
  - Improper directory protections
  - Improper protections on system data files
  - Dangerous entries in the program search path (Trojan horse)
  - Changes to system programs: monitor checksum values
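A small monitor for several of the checks on slides 31 and 32, added here as an example (not code from the lecture): a checksum baseline of program files, detection of files that gained the setuid bit, a scan of the program search path for entries a planted program could hide in, and a count of repeated failed password attempts from audit lines. The directory layout and the log lines are constructed for the example; the log wording follows sshd's "Failed password for" message but is not a real capture.

```python
import hashlib
import stat
from pathlib import Path

def snapshot(root):
    """Baseline: (sha256, is_setuid) for every regular file under root, keyed by relative path."""
    baseline = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            is_suid = bool(p.stat().st_mode & stat.S_ISUID)
            baseline[str(p.relative_to(root))] = (digest, is_suid)
    return baseline

def compare(old, new):
    """Sorted (kind, path) findings: modified programs, new/removed files, newly setuid files."""
    findings = []
    for name, (digest, is_suid) in new.items():
        if name not in old:
            findings.append(("new_file", name))
        elif digest != old[name][0]:
            findings.append(("modified", name))
        if is_suid and not (name in old and old[name][1]):
            findings.append(("new_setuid", name))
    findings.extend(("removed", name) for name in old if name not in new)
    return sorted(findings)

def dangerous_path_entries(path_value):
    """PATH entries that let a planted program shadow a system one: empty, '.' or relative."""
    return [e for e in path_value.split(":") if not e.startswith("/")]

# Constructed sample audit lines (sshd-style wording, not a real capture).
SAMPLE_LOG = [
    "sshd[101]: Failed password for alice from 10.0.0.5 port 40001 ssh2",
    "sshd[102]: Failed password for bob from 10.0.0.9 port 40002 ssh2",
    "sshd[103]: Failed password for bob from 10.0.0.9 port 40003 ssh2",
    "sshd[104]: Accepted password for alice from 10.0.0.5 port 40004 ssh2",
    "sshd[105]: Failed password for bob from 10.0.0.9 port 40005 ssh2",
]

def suspicious_password_failures(log_lines, threshold=3):
    """Users with at least threshold failed attempts: a pattern that may signal guessing."""
    counts = {}
    marker = "Failed password for "
    for line in log_lines:
        if marker in line:
            user = line.split(marker, 1)[1].split()[0]
            counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```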

Slide 33: Network Security Through Domain Separation Via Firewall

Slide 34: What's wrong with this picture? (IDS = intrusion detection system)

Slide 35: Java Security Model

Slide 36: Summary
- Protection: Protection Domains, Access Matrix, Revocation of Access Rights, Capability-Based Systems, Language-Based Protection
- Security: Authentication, Program Threats, System Threats, Threat Monitoring, Encryption