Lecture 14 Page 1 CS 111 Summer 2013 Security in Operating Systems: Basics CS 111 Operating Systems Peter Reiher.

Slides:



Advertisements
Similar presentations
Lecture 13 Page 1 CS 111 Online File Systems: Introduction CS 111 On-Line MS Program Operating Systems Peter Reiher.
Advertisements

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Chapter 6 User Protections in OS. csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access.
Protection and Security. Policy & Mechanism Protection mechanisms are tools used to implement security policies –Authentication –Authorization –Cryptography.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
19: Protection1 PROTECTION Protection is the mechanism for controlling access to computer resources. Security concerns the physical integrity of the system.
CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.
1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.
Protection and Security CSCI 444/544 Operating Systems Fall 2008.
Lecture 7 Access Control
Present by Napasakorn Sukjay Poom Samaharn
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Lecture 17 Page 1 CS 111 Spring 2015 Operating System Security CS 111 Operating Systems Peter Reiher.
Lecture 18 Page 1 CS 111 Online Access Control Security could be easy – If we didn’t want anyone to get access to anything The trick is giving access to.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.
G53SEC 1 Access Control principals, objects and their operations.
Access Control. What is Access Control? The ability to allow only authorized users, programs or processes system or resource access The ability to disallow.
Protection in General- Purpose OS Week-3. Our Main Concern In what way do operating systems protect one user’s process from inadvertent or malicious interaction.
Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 18: Protection Goals of Protection Objects and Domains Access Matrix Implementation.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Protection (Chapter 14)
CE Operating Systems Lecture 21 Operating Systems Protection with examples from Linux & Windows.
14.1/21 Part 5: protection and security Protection mechanisms control access to a system by limiting the types of file access permitted to users. In addition,
Lecture 18 Page 1 CS 111 Online OS Use of Access Control Operating systems often use both ACLs and capabilities – Sometimes for the same resource E.g.,
Access Control Lesson Introduction ●Understand the importance of access control ●Explore ways in which access control can be implemented ●Understand how.
Lecture 17 Page 1 CS 111 Fall 2015 Operating System Security CS 111 Operating Systems Peter Reiher.
Secure Operating Systems Lesson F: Capability Based Systems.
Chapter 14: Protection Silberschatz, Galvin and Gagne ©2005 Operating System Concepts – 7 th Edition, Apr 11, 2005 Chapter 14: Protection Goals.
Lecture 3 Page 1 CS 136, Fall 2010 Security Mechanisms CS 136 Computer Security Peter Reiher September 30, 2010.
Protection & Security Greg Bilodeau CS 5204 October 13, 2009.
Lecture 3 Page 1 CS 136, Winter 2010 Security Mechanisms CS 136 Computer Security Peter Reiher January 12, 2010.
Lecture9 Page 1 CS 236 Online Operating System Security, Con’t CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 12 Page 1 CS 111 Summer 2014 Security in Operating Systems: Basics CS 111 Operating Systems Peter Reiher.
Lecture 3 Page 1 CS 236 Online Security Mechanisms CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 14 Page 1 CS 111 Online File Systems: Naming, Reliability, and Advanced Issues CS 111 On-Line MS Program Operating Systems Peter Reiher.
Lecture 10 Page 1 CS 111 Online Memory Management CS 111 On-Line MS Program Operating Systems Peter Reiher.
Lecture 4 Page 1 CS 111 Online Modularity and Memory Clearly, programs must have access to memory We need abstractions that give them the required access.
ACCESS MATRIX IMPLEMENTATION AND COMPARISON By: Rushabh Dharwadkar Roll no: TE COMP.
Lecture 2 Page 1 CS 136, Spring 2016 Security Principles, Policies, and Tools CS 136 Computer Security Peter Reiher March 31, 2016.
W4118 Operating Systems Instructor: Junfeng Yang.
Lecture 2 Page 1 CS 136, Fall 2011 Security Principles, Policies, and Tools CS 136 Computer Security Peter Reiher September 27, 2011.
Lecture 2 Page 1 CS 236 Online Security Policies Security policies describe how a secure system should behave Policy says what should happen, not how you.
Outline The basic authentication problem
Outline Security design principles Security policies Basic concepts
Capabilities Each subject keeps a set of data items that specify his allowable accesses Essentially, a set of tickets Possession of the capability for.
Outline Basic concepts in computer security
Chapter 14: Protection Modified by Dr. Neerja Mhaskar for CS 3SH3.
Chapter 14: System Protection
Protecting Memory What is there to protect in memory?
Protecting Memory What is there to protect in memory?
Outline What does the OS protect? Authentication for operating systems
Outline Security design principles Security policies Basic concepts
Outline What does the OS protect? Authentication for operating systems
Operating Systems Security
Chapter 14: Protection.
CE Operating Systems Lecture 21
Outline Security tools Access control. Security Mechanisms CS 136 Computer Security Peter Reiher April 7, 2009.
Chapter 14: Protection.
CS703 - Advanced Operating Systems
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Access Control Dr. X Parenthesis: before we dive deeper into crypto, we will explore and old but still valid security principle, access controls.
Presentation transcript:

Lecture 14 Page 1 CS 111 Summer 2013 Security in Operating Systems: Basics CS 111 Operating Systems Peter Reiher

Lecture 14 Page 2 CS 111 Summer 2013 Outline Basic concepts in computer security Access control Cryptography

Lecture 14 Page 3 CS 111 Summer 2013 Security: Basic Concepts What do we mean by security? What is trust? Why is security a problem? – In particular, a problem with a different nature than, say, performance – Or even reliability

Lecture 14 Page 4 CS 111 Summer 2013 What Is Security? Security is a policy – E.g., “no unauthorized user may access this file” Protection is a mechanism – E.g., “the system checks user identity against access permissions” Protection mechanisms implement security policies We need to understand our goals to properly set our policies – And threats to achieving our goals – These factors drive which mechanisms we must use

Lecture 14 Page 5 CS 111 Summer 2013 Security Goals Confidentiality – If it’s supposed to be secret, be careful who hears it Integrity – Don’t let someone change something they shouldn’t Availability – Don’t let someone stop others from using services Exclusivity – Don’t let someone use something he shouldn’t Note that we didn’t mention “computers” here – This classification of security goals is very general

Lecture 14 Page 6 CS 111 Summer 2013 Access Control Security could be easy – If we didn’t want anyone to get access to anything The trick is giving access to only the right people How do we ensure that a given resource can only be accessed by the proper people? The OS plays a major role in enforcing access control

Lecture 14 Page 7 CS 111 Summer 2013 Goals for Access Control Complete mediation Least privilege Useful in a networked environment Scalability Cost and usability

Lecture 14 Page 8 CS 111 Summer 2013 Common Mechanisms for Access Control in Operating Systems Access control lists – Like a list of who gets to do something Capabilities – Like a ring of keys that open different doors They have different properties And are used by the OS in different ways

Lecture 14 Page 9 CS 111 Summer 2013 The Language of Access Control Subjects are active entities that want to gain access to something – E.g., users or programs Objects represent things that can be accessed – E.g., files, devices, database records Access is any form of interaction with an object An entity can be both subject and object

Lecture 14 Page 10 CS 111 Summer 2013 Access Control Lists ACLs For each protected object, maintain a single list Each list entry specifies a subject who can access the object – And the allowable modes of access When a subject requests access to a object, check the access control list

Lecture 14 Page 11 CS 111 Summer 2013 An Analogy Joe Hipster You’re Not On the List! This is an access control list

Lecture 14 Page 12 CS 111 Summer 2013 An ACL Protecting a File write File X ACL for file X A read write B C none Subject ASubject BSubject C read denied The file is the object The process trying to access it is the subject

Lecture 14 Page 13 CS 111 Summer 2013 Issues For Access Control Lists How do you know the requestor is who he says he is? How do you protect the access control list from modification? How do you determine what resources a user can access?

Lecture 14 Page 14 CS 111 Summer 2013 Who Is The Requestor? Requires authentication – At the granularity of the access control list For operating systems, commonly that granularity is user – But could be process – Or something else We’ll discuss operating system authentication later

Lecture 14 Page 15 CS 111 Summer 2013 Protecting the ACL If entity can change the ACL, all protection disappears – Unless the entity is privileged to do so ACLs are commonly controlled by the OS Changes are made only through specific interfaces Allowing checks to be made at the time of the requested change

Lecture 14 Page 16 CS 111 Summer 2013 An Example Use of ACLs: the Unix File System An ACL-based method for protecting files – Developed in the 1970s Still in very wide use today – With relatively few modifications Per-file ACLs (files are the objects) Three subjects on list for each file Owner, group, other And three modes – Read, write, execute – Sometimes these have special meanings

Lecture 14 Page 17 CS 111 Summer 2013 Storing the ACLs They can be very small – Since there are only three entries – Basic ACL is only 9 bits Therefore, kept inside the file descriptor Makes it easy to find them – Since trying to open the file requires the file descriptor, anyway Checking this ACL is not much more than a logical AND with the requested access mode

Lecture 14 Page 18 CS 111 Summer 2013 Changing Access Permissions With ACLS Mechanically, the OS alone can change an ACL (in most systems) But who has the right to ask the OS to do so? In simple ACL systems, each object has an owner – Only the owner can change the ACL – Plus there’s often a superuser who can do anything In more sophisticated ACL systems, changing an ACL is a mode of access to the object – Those with such access can give it to others – Or there can even be a meta-mode, which says if someone who can change it can grant that permission to others

Lecture 14 Page 19 CS 111 Summer 2013 Pros and Cons of ACLs +Easy to figure out who can access a resource +Easy to revoke or change access permissions –Hard to figure out what a subject can access –Changing access rights requires getting to the object

Lecture 14 Page 20 CS 111 Summer 2013 Capabilities Each subject keeps a set of data items that specify his allowable accesses Essentially, a set of tickets To access an object, present the proper capability Possession of the capability for an object implies that access is allowed

Lecture 14 Page 21 CS 111 Summer 2013 An Analogy The key is a capability

Lecture 14 Page 22 CS 111 Summer 2013 Capabilities Protecting a File Read X Subject BSubject C Capabilities for C Capabilities for A File X Read, Write Capabilities for B File X Read File X Subject A Capability Checking File X Read, Write read File X Read, Write Check validity of capability OK!

Lecture 14 Page 23 CS 111 Summer 2013 Capabilities Denying Access write denied write User B User C Capabilities for C Capabilities for A File X Read, Write Capabilities for B File X Read File X User A Capability Checking Check validity of capability No Capability Provided!

Lecture 14 Page 24 CS 111 Summer 2013 Properties of Capabilities Capabilities are essentially a data structure – Ultimately, just a collection of bits Merely possessing the capability grants access – So they must not be forgeable How do we ensure unforgeability for a collection of bits? One solution: – Don’t let the user/process have them – Store them in the operating system

Lecture 14 Page 25 CS 111 Summer 2013 Capabilities and Networks Subject B Subject C Capabilities for C Capabilities for B File X Read Capabilities for A File X Read, Write Subject A Capability Checking File X File X Read, Write Subject A Subject B File X Read Subject C File X Read, Write How can we tell if it’s a good capability? File X Read, Write File X Read, Write File X Read, Write File X Read, Write

Lecture 14 Page 26 CS 111 Summer 2013 Cryptographic Capabilities Create unforgeable capabilities by using cryptography – We’ll discuss cryptography in detail in the next lecture Essentially, a user CANNOT create this capability for himself The examining entity can check the validity Prevents creation of capabilities from nothing – But doesn’t prevent copying them

Lecture 14 Page 27 CS 111 Summer 2013 Revoking Capabilities A simple problem for capabilities stored in the operating system – Just have the OS get rid of it Much harder if it’s not in the operating system – E.g., in a network context How do we make the bundle of bits change from valid to invalid? Consider the real world problem of a door lock If several people have the key, how do we keep one of them out?

Lecture 14 Page 28 CS 111 Summer 2013 Illustrating the Problem Fred Nancy Accounts receivable How do we take away Fred’s capability? Without taking away Nancy’s?

Lecture 14 Page 29 CS 111 Summer 2013 Changing Access Permissions With Capabilities Essentially, making a copy of the capability and giving it to someone else If capabilities are inside the OS, it must approve If capabilities are in user/process hands, they just copy the bits and hand out the copy – Crypto methods can customize a capability for one user, though Capability model often uses a particular type of capability to control creating others – Or a mode associated with a capability

Lecture 14 Page 30 CS 111 Summer 2013 Pros and Cons of Capabilities +Easy to determine what objects a subject can access +Potentially faster than ACLs (in some circumstances) +Easy model for transfer of privileges –Hard to determine who can access an object –Requires extra mechanism to allow revocation –In network environment, need cryptographic methods to prevent forgery

Lecture 14 Page 31 CS 111 Summer 2013 OS Use of Access Control Operating systems often use both ACLs and capabilities – Sometimes for the same resource E.g., Unix/Linux uses ACLs for file opens That creates a file descriptor with a particular set of access rights – E.g., read-only The descriptor is essentially a capability

Lecture 14 Page 32 CS 111 Summer 2013 Enforcing Access in an OS Protected resources must be inaccessible – Hardware protection must be used to ensure this – So only the OS can make them accessible to a process To get access, issue request to resource manager – Resource manager consults access control policy data Access may be granted directly – Resource manager maps resource into process Access may be granted indirectly – Resource manager returns a “capability” to process

Lecture 14 Page 33 CS 111 Summer 2013 Direct Access To Resources OS checks access control on initial request If OK, OS maps it into a process’ address space – The process manipulates resource with normal instructions – Examples: shared data segment or video frame buffer Advantages: – Access check is performed only once, at grant time – Very efficient, process can access resource directly Disadvantages: – Process may be able to corrupt the resource – Access revocation may be awkward You’ve pulled part of a process’ address space out from under it

Lecture 14 Page 34 CS 111 Summer 2013 Indirect Access To Resources Resource is not directly mapped into process – Process must issue service requests to use resource – Access control can be checked on each request – Examples: network and IPC connections Advantages: – Only resource manager actually touches resource – Resource manager can ensure integrity of resource – Access can be checked, blocked, revoked at any time If revoked, system call can just return error code Disadvantages: – Overhead of system call every time resource is used

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.