Presentation is loading. Please wait.

Presentation is loading. Please wait.

What we will cover… Protection and Security in OS.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "What we will cover… Protection and Security in OS."— Presentation transcript:

1 What we will cover… Protection and Security in OS

2 Difference between Protection & Security
Protection: Mostly, mechanism for controlling access to system resources by processes. This includes a means of specifying controls and a means of enforcing the controls. This is an internal problem. Security: Mostly, assuring the integrity of system resources and data. Protection is the enforcement aspect of security. Security must also consider the external environment in which the system operates.

3 Domain of Protection Who needs protection?
System resources need protection resources include both hardware and software examples of software resources: files, programs, buffers, semaphores etc. examples of hardware resources: CPU, memory segments, printers, disks etc. think of each resource as an object accessible only through associated operations Protection From whom? Other users (user domain) Other processes (process domain)

4 Principle of Protection
Guiding principle – principle of least privilege Programs, users and systems should be given just enough privileges to perform their tasks Also known as “need-to-know” principle

5 Domain Structure Implement protection domain
a process has an associated protection domain and operates within this domain a protection domain is a set of ordered pairs each ordered pair consists of an object and a set of access rights (permitted operations) Access-right = <object-name, rights-set> where rights-set is a subset of all valid operations that can be performed on the object. Domain = set of access-rights

6 Protection Domain Structure
The association between a process and a domain can be fixed (static) or can change as process executed (dynamic) Static association is easier to implement while dynamic association is more complex Which one is better? Static association may violate need-to-know principle Dynamic association change association dynamically by either (1) modifying the domain, or (2) switching to a different domain

7 Domain Implementation (MULTICS)
Let Di and Dj be any two domain rings. If j < i  Di  Dj Disadvantages: Too complicated Violating need-to-know principle

8 Domain Implementation (UNIX)
System consists of 2 domains: User mode Kernel mode UNIX Domain = user-id Domain switch accomplished via file system. Each file has associated with it a domain bit (setuid bit). When file is executed and setuid = on, then user-id is set to owner of the file being executed. When execution completes user-id is reset.

9 Domain Implementation (UNIX)
Is it safe?

10 Domain Example load load
Processes move back and forth between user mode, (i.e., user domain) and kernel mode, (i.e., kernel domain). Unix setuid User mode process Kernel mode real user id = 201 effective user id = 201 exec(“shell”) load shell owner=100 setuid bit=0 real user id = 201 effective user id = 201 exec(“a.out”) a.out owner=100 setuid bit=1 load 100

11 Access Matrix View protection as a matrix (access matrix)
Rows represent domains Columns represent objects Access(i, j) is the set of operations that a process executing in Domaini can invoke on Objectj

12 Access Matrix

13 Visualizing access matrix for UNIX
-rwxr-xr-x 1 John students May 14 07:15 chatter -rw-r John students May 14 08:27 guru.c -rwxr-xr-- 2 John students May 17 11:59 data Domain/object chatter guru.c data Owner Read, write, execute Read, write group Read, execute Read world

14 Use of Access Matrix If a process in Domain Di tries to do “op” on object Oj, then “op” must be in the access matrix. Can be expanded to dynamic protection. Special operations to change content of access matrix Change access rights: copy an access right from one domain to another owner rights

15 Access Matrix with Copy Rights

16 Access Matrix With Owner Rights

17 Use of Access Matrix (Cont.)
Access matrix design separates mechanism from policy. Policy User dictates policy. Who can access what object and in what mode. Mechanism Operating system provides access-matrix + rules. It ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced.

18 Security

19 The Security Problem Security must consider external environment of the system, and protect the system resources Intruders (crackers) attempt to breach security (malicious access): Unauthorized reading of data Unauthorized modifications of data Unauthorized destruction of data Preventing legitimate use of the systems (denial of service)

20 User Authentication Protection (earlier discussed) majorly dependent on user authentication Based on use of Passwords Biometrics is another option but Still not implemented Not cost-effective yet An operating system bases much of its protection on knowing who a user of the system is. The ways of an operating system identify and authenticate a user are: 1. Use of Passwords 2. Attacks on Passwords 3. Password Selection Criteria 4. The Authentication Process 5. Flaws in the Authentication Process 6. Authentication Other Than Passwords

21 Use of Passwords Passwords are mutually agreed-upon code words, assumed to be known only to the user and the system. The use of passwords is fairly straightforward. A user enters some piece of identification, such as a name or an assigned user ID, if the identification matches that on file for the user, the user is authenticated to the system. If the identification match fails, the user is rejected by the system. Passwords are mutually agreed-upon code words, assumed to be known only to the user and the system. The use of of passwords is fairly straightforward. A user enters some piece of identification, such as a name or an assigned user ID, if the identification matches that on file for the user, the user is authenticated to the system. If the identification match fails, the user is rejected by the system.

22 Attacks on Passwords Try all possible passwords
exhaustive or brute force attack Is this impossible to create? Try many probable passwords Users do not likely select a password uncommon, hard to spell or pronounce, very long Try passwords likely for the user Password generally is meaningful to the user Here are some ways you might be able to determine a user’s password. An attacker tries all possible passwords. It is called brute force or exhaustive attack. Generally user won’t select a long, uncommon,hard to spell or pronounce password. So probably the intruder may guess the password. A user likely selects passwords meaningful to him/her. For example, the name of a spouse, a child, a brother or sister, a pet, a street name, or something similar.

23 Attacks on Passwords (cont’)
Encrypted password (used in UNIX) Flaw was user tends to select a meaningful password (a word in the dictionary) System encrypts the word and stores the encrypted version The process is irreversible, so apparently secure Dictionary attack Off-line cluster attack In order to validate passwords, the system must have a way of comparing entries with actual passwords. Rather than trying to guess a user’s password, an attacker may instead target the system password file. The most easy way is to obtain the password directly from the user. People often tape a password to the side of a terminal, or write it on a card just inside the top desk drawer and so on.

24 Many Password Selection Criteria
Use characters other than just A-Z Choose long passwords Avoid actual names or words Choose an unlikely password Change the password regularly Don’t write it down Don’t tell anyone else The preceding slides lead to some conclusions regarding appropriate passwords. Passwords should be hard to guess and hard to determine exhaustively. Here are some suggestions regarding password selection: Use characters other than just A-Z Choose long passwords Avoid actual names or words Choose an unlikely password Change the password regularly Don’t write it down Don’t tell anyone else

25 The Authentication Process
Intentionally slow This makes exhaustive attack infeasible Identify intruder from the normal user Some who continuously fails to login may not be an authorized user. System disconnect a user after three to five failed logins What is the flaw? Some authentication procedures are intentionally slow. A legitimate user will not complain if the login process takes 5 or 10 seconds. To a penetrator who is trying an exhaustive search or a dictionary search, this delay makes this class of attack infeasible. Even a terrible typist should be able to login successfully in three to five tries. So someone who continuously fails to login may not be an authorized user. System disconnect a user after three to five failed logins

26 Program Threats Trojan Horse Trap Door
Code segment that misuses its environment Exploits mechanisms for allowing programs written by users to be executed by other users Spyware, pop-up browser windows, covert channels PWSteal.Tarno.Q - registers itself as a browser helper (key logger) Trap Door Specific user identifier or password that circumvents normal security procedures Could be included in a program Combination of trojan horse and trap door even fatal Trojan.Lodeight.A opens a Back-door on TCP port 1084

27 How to defend against such program threats
Analyze the execution patterns of the Trojan Horses & Trapdoors The malicious code is executed without user intervention. The malicious code may be directed by a remote attacker once a connection is made. Resources used by the malicious code, such as file names and network addresses, are hard-coded in the binary. OS resources (processes, memory) used by the malicious code may be consumed for the purpose of degrading performance. A key characteristic of Trojan Horses and Trapdoors is that they cannot be invoked by the attacker and are autonomous – at least until a connection is made.

28 Program Threats (contd.)
Stack and Buffer Overflow Exploits a bug in a program (overflow either the stack or memory buffers)

29 Simple example code #include <string.h> void foo (char *bar) {
char c[12]; strcpy(c, bar); // no bounds checking... } int main (int argc, char **argv) foo(argv[1]);

30 "hello" is the first command line argument.
Stack Buffer Overflow Before data is copied. "hello" is the first command line argument. "A​A​A​A​A​A​A​A​A​A​A​A​A​A​A​A​A​A​A​A​\x08​\x35​\xC0​\x80" is the first command line argument.

31 System and Network Threats
Worms – use spawn mechanism; standalone program Morris worm Exploited UNIX networking features (remote access) and bugs in finger and sendmail programs Grappling hook program uploaded main worm program

32 System and Network Threats
Denial of Service Easier than penetration attacks Overload the targeted computer preventing it from doing any useful work Distributed denial-of-service (DDOS) come from multiple sites at once Open tcp connection (never closing one)

33 Security Through Domain Separation Via Firewall

Download ppt "What we will cover… Protection and Security in OS."

Similar presentations

Protection Goals of Protection Domain of Protection Access Matrix

Protection Goals of Protection Domain of Protection Access Matrix
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.

Silberschatz, Galvin and Gagne  Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.
1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.

1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
Protection. Goals of Protection Operating system consists of a collection of objects, hardware or software Each object has a unique name and can be accessed.

Protection. Goals of Protection Operating system consists of a collection of objects, hardware or software Each object has a unique name and can be accessed.
Bilkent University Department of Computer Engineering

Bilkent University Department of Computer Engineering
Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.

Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.
1999 Chapter 8-Protection Goals of Protection Domain of Protection Access Matrix Implementation of Access Matrix Revocation of Access Rights Capability-Based.

1999 Chapter 8-Protection Goals of Protection Domain of Protection Access Matrix Implementation of Access Matrix Revocation of Access Rights Capability-Based.
Reasons for Protection n Prevent users from accessing information they shouldn’t have access to. n Ensure that each program component uses system resources.

Reasons for Protection n Prevent users from accessing information they shouldn’t have access to. n Ensure that each program component uses system resources.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
1 Protection and Security Protection = mechanisms used to control access to valued resources: e.g., programs & data stored on computer system. Usually.

1 Protection and Security Protection = mechanisms used to control access to valued resources: e.g., programs & data stored on computer system. Usually.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Operating Systems CMPSCI 377 Lecture.

U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Operating Systems CMPSCI 377 Lecture.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
Chapter 14: Protection.

Chapter 14: Protection.
Protection and Security CSCI 444/544 Operating Systems Fall 2008.

Protection and Security CSCI 444/544 Operating Systems Fall 2008.
Chapter 14: Protection.

Chapter 14: Protection.
Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 14: Protection.
Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Protection.

Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Protection.
Page 19/4/2015 CSE 30341: Operating Systems Principles Raid storage  Raid – 0: Striping  Good I/O performance if spread across disks (equivalent to n.

Page 19/4/2015 CSE 30341: Operating Systems Principles Raid storage  Raid – 0: Striping  Good I/O performance if spread across disks (equivalent to n.

Similar presentations

Ads by Google