Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Protection and Security CS-3013 A-term 20091 Introduction to Protection and Security CS-3013, Operating Systems A-term 2009 (Slides include.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Introduction to Protection and Security CS-3013 A-term 20091 Introduction to Protection and Security CS-3013, Operating Systems A-term 2009 (Slides include."— Presentation transcript:

1 Introduction to Protection and Security CS-3013 A-term 20091 Introduction to Protection and Security CS-3013, Operating Systems A-term 2009 (Slides include materials from Modern Operating Systems, 3 rd ed., by Andrew Tanenbaum and from Operating System Concepts, 7 th ed., by Silbershatz, Galvin, & Gagne)

2 Introduction to Protection and Security CS-3013 A-term 20092 Concepts Protection: Mechanisms and policy to keep programs and users from accessing or changing stuff they should not do Internal to OS §9.1-9.3 in Tanenbaum Security: Issues external to OS Authentication of user, validation of messages, malicious or accidental introduction of flaws, etc. §9.4-9.8 in Tanenbaum

3 Introduction to Protection and Security CS-3013 A-term 20093 Outline The first computer virus Some program threats Overview of protection mechanisms

4 Introduction to Protection and Security CS-3013 A-term 20094 The First Computer Virus Reading assignment:– Ken Thompson, “Reflections on Trusting Trust,” Communications of ACM, vol.27, #8, August 1984, pp. 761-763 (pdf)pdf Three steps 1.Program that prints a copy of itself 2.Training a compiler to understand a constant 3.Embedding a Trojan Horse without a trace Required reading

5 Introduction to Protection and Security CS-3013 A-term 20095 Step 1 – Program to print copy of itself How do we do this? First, store character array representing text of program Body of program Print declaration of character array Loop through array, printing each character Print entry array as a string Result: general method for program to reproduce itself to any destination!

6 Introduction to Protection and Security CS-3013 A-term 20096 Step 2 – Teaching constant values to compiler … /* reading string constants */ if (s[i++] == '\\') if (s[i] == 'n') insert ('\n'); elseif (s[i] == 'v') insert ('\v'); elseif … Question: How does compiler know what integer values to insert for '\n', '\v', etc.?

7 Introduction to Protection and Security CS-3013 A-term 20097 Step 2 (continued) Answer: In the first compiler for this machine type, insert the actual character code i.e., 11 (decimal) for ‘\v’, etc. /* reading string constants */ if (s[i++] == '\\') if (s[i] == 'n') insert ('\n'); elseif (s[i] == 'v') insert (11); elseif … Next: Use the first compiler to compile itself!

8 Introduction to Protection and Security CS-3013 A-term 20098 Step 2 (continued) Result: a compiler that “knows” how to interpret the sequence “\v” And all compilers derived from this one, forever after! Finally: replace the value “11” in the source code of the compiler with ‘\v’ and compile itself again Note: no trace of values of special characters in … –The C Programming Language book –source code of C compiler I.e., special character values are self-reproducing

9 Introduction to Protection and Security CS-3013 A-term 20099 Step 3 – Inserting a Trojan Horse In compiler source, add the text if (match(sourceString, pattern) insert the Trojan Horse code where “pattern” is the login code (for example) In compiler source, add additional text if (match(sourceString2, pattern2) insert the self-reproducing code where “pattern2” is a part of the compiler itself Use this compiler to recompile itself, then remove source

10 Introduction to Protection and Security CS-3013 A-term 200910 Step 3 – Concluded Result: an infected compiler that will a.Insert a Trojan Horse in the login code of any Unix system b.Propagate itself to all future compilers c.Leave no trace of Trojan Horse in its source code Like a biological virus: –A small bundle of code that uses the compiler’s own reproductive mechanism to propagate itself

11 Introduction to Protection and Security CS-3013 A-term 200911 Questions?

12 Introduction to Protection and Security CS-3013 A-term 200912 Program Threats Trojan Horse –Code segment that misuses its environment –Exploits mechanisms for allowing programs written by users to be executed by other users –Spyware, pop-up browser windows, covert channels Trap Door –Specific user identifier or password that circumvents normal security procedures –Could be included in a compiler Logic Bomb –Program that initiates a security incident under certain circumstances Stack and Buffer Overflow –Exploits a bug in a program (overflow either the stack or memory buffers)

13 Introduction to Protection and Security CS-3013 A-term 200913 C Program with Buffer-overflow Condition #include #define BUFFER SIZE 256 int main(int argc, char *argv[]) { char buffer[BUFFER SIZE]; if (argc < 2) return -1; else { strcpy(buffer,argv[1]); return 0; }

14 Introduction to Protection and Security CS-3013 A-term 200914 Layout of Typical Stack Frame

15 Introduction to Protection and Security CS-3013 A-term 200915 Modified Shell Code #include int main(int argc, char *argv[]) { execvp('\bin\sh', '\bin \sh', NULL); return 0; }

16 Introduction to Protection and Security CS-3013 A-term 200916 Hypothetical Stack Frame Before attack After attack

17 Introduction to Protection and Security CS-3013 A-term 200917 Effect If you can con a privileged program into reading a string into a buffer unprotected from overflow, then … …you have just gained the privileges of that program in a shell!

18 Introduction to Protection and Security CS-3013 A-term 200918 Program Threats – Viruses Code fragment embedded in legitimate programs Very specific to CPU architecture, operating system, applications Usually borne via email or as a macro E.g., Visual Basic Macro to reformat hard drive Sub AutoOpen() Dim oFS Set oFS = CreateObject(’’Scripting.FileSystemObject’ ’) vs = Shell(’’c:command.com /k format c:’’,vbHide) End Sub

19 Introduction to Protection and Security CS-3013 A-term 200919 Program Threats (Cont.) Virus dropper inserts virus onto the system Many categories of viruses, literally many thousands of viruses –File –Boot –Macro –Polymorphic –Source code –Encrypted –Stealth –Tunneling –Multipartite –Armored

20 Introduction to Protection and Security CS-3013 A-term 200920 Questions?

21 Introduction to Protection and Security CS-3013 A-term 200921 Goals of Protection Operating system consists of a collection of objects (hardware or software) Each object has a unique name and can be accessed through a well-defined set of operations. Protection problem – to ensure that each object is accessed correctly and only by those processes that are allowed to do so.

22 Introduction to Protection and Security CS-3013 A-term 200922 Guiding Principles of Protection Principle of least privilege –Programs, users and systems should be given just enough privileges to perform their tasks Separate policy from mechanism –Mechanism: the stuff built into the OS to make protection work –Policy: the data that says who can do what to whom

23 Introduction to Protection and Security CS-3013 A-term 200923 Domain Structure Access-right = where rights-set is a subset of all valid operations that can be performed on the object. Domain = set of access-rights

24 Introduction to Protection and Security CS-3013 A-term 200924 Conceptual Representation – Access Matrix View protection as a matrix (access matrix) Rows represent domains Columns represent objects Access(i, j) is set of operations that process executing in Domain i can invoke on Object j

25 Introduction to Protection and Security CS-3013 A-term 200925 Textbook Access Matrix Columns are access control lists (ACLs) Associated with each object Rows are capabilities Associated with each user, group, or domain

26 Introduction to Protection and Security CS-3013 A-term 200926 Unix & Linux System comprises many domains:– –Each user –Each group –Kernel/System (Windows has even more domains than this!)

27 Introduction to Protection and Security CS-3013 A-term 200927 Unix/Linux Matrix file1file 2file 3devicedomain User/Domain 1 rrxrwx–enter User/Domain 2 rxrxrwx– User/Domain 3 rw–––– … Columns are access control lists (ACLs) Associated with each object Rows are capabilities Associated with each user or each domain

28 Introduction to Protection and Security CS-3013 A-term 200928 Changing Domains (Unix) Domain = uid or gid Domain switch via file access controls –Each file has associated with it a domain bit (setuid bit). rwS instead of rwx –When executed with setuid = on, then uid or gid is temporarily set to owner or group of file. –When execution completes uid or gid is reset. Separate mechanism for entering kernel domain –System call interface

29 Introduction to Protection and Security CS-3013 A-term 200929 General (textbook) representation Domains as objects added to Access Matrix

30 Introduction to Protection and Security CS-3013 A-term 200930 Practicalities At run-time… –What does the OS know about the user? –What does the OS know about the resources? What is the cost of checking and enforcing? –Access to the data –Cost of searching for a match Impractical to implement full Access Matrix –Size –Access controls disjoint from both objects and domains

31 Introduction to Protection and Security CS-3013 A-term 200931 ACLs vs. Capabilities Access Control List: Focus on resources –Good if resources greatly outnumber users –Can be implemented with minimal caching –Can be attached to objects (e.g., file metadata) –Good when the user who creates a resource has authority over it Capability System: Focus on users –Good if users greatly outnumber resources –Lots of information caching is needed –Good when a system manager has control over all resources

32 Introduction to Protection and Security CS-3013 A-term 200932 Both are needed ACLs for files and other proliferating resources Capabilities for major system functions The common OSs offer BOTH –Linux emphasizes an ACL model provides good control over files and resources that are file-like –Windows 2000/XP emphasize Capabilities provides good control over access to system functions (e.g. creating a new user, or doing a system backup…) Access control lists for files

33 Introduction to Protection and Security CS-3013 A-term 200933 …and good management, too! What do we need to know to set up a new user or to change their rights? …to set up a new resource or to change the rights of its users? …Who has the right to set/change access rights? No OS allows you to implement all the possible policies easily.

34 Introduction to Protection and Security CS-3013 A-term 200934 Enforcing Access Control User level privileges must always be less than OS privileges! –For example, a user should not be allowed to grab exclusive control of a critical device –or write to OS memory space …and the user cannot be allowed to raise his privilege level! The OS must enforce it…and the user must not be able to bypass the controls In most modern operating systems, the code which manages the resource enforces the policy

35 Introduction to Protection and Security CS-3013 A-term 200935 (Traditional) Requirements–System Call Code No user can interrupt it while it is running No user can feed it data to make it –violate access control policies –stop serving other users No user can replace or alter any system call code No user can add functionality to the OS! Data must NEVER be treated as code!

36 Introduction to Protection and Security CS-3013 A-term 200936 “Yeah, but …” No user can interrupt it while it is running Windows, Linux routinely interrupt system calls No user can feed it data to make it violate access control policies stop serving other users No user can replace or alter any system call code Except your average virus No user can add functionality to the OS! Except dynamically loaded device drivers Data must NEVER be treated as code! “One man’s code is another man’s data” A. Perlis

37 Introduction to Protection and Security CS-3013 A-term 200937 Saltzer-Schroeder Guidelines System design should be public Default should be no access Check current authority – no caching! Protection mechanism should be –Simple, uniform, built into lowest layers of system Least privilege possible for processes Psychologically acceptable KISS!

38 Introduction to Protection and Security CS-3013 A-term 200938 Reading Assignment Tanenbaum, Chapter 9

39 Introduction to Protection and Security CS-3013 A-term 200939 Questions?

Download ppt "Introduction to Protection and Security CS-3013 A-term 20091 Introduction to Protection and Security CS-3013, Operating Systems A-term 2009 (Slides include."

Similar presentations

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.

Silberschatz, Galvin and Gagne  Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.
1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.

1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
Protection. Goals of Protection Operating system consists of a collection of objects, hardware or software Each object has a unique name and can be accessed.

Protection. Goals of Protection Operating system consists of a collection of objects, hardware or software Each object has a unique name and can be accessed.
Bilkent University Department of Computer Engineering

Bilkent University Department of Computer Engineering
What we will cover… Protection and Security in OS.

What we will cover… Protection and Security in OS.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
Lecture 21 Chapter 14: Protection Chapter 15: Security

Lecture 21 Chapter 14: Protection Chapter 15: Security
1 Protection and Security Protection = mechanisms used to control access to valued resources: e.g., programs & data stored on computer system. Usually.

1 Protection and Security Protection = mechanisms used to control access to valued resources: e.g., programs & data stored on computer system. Usually.
Process in Unix, Linux and Windows CS-3013 C-term 20081 Processes in Unix, Linux, and Windows CS-3013 Operating Systems (Slides include materials from.

Process in Unix, Linux and Windows CS-3013 C-term Processes in Unix, Linux, and Windows CS-3013 Operating Systems (Slides include materials from.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
Chapter 14: Protection.

Chapter 14: Protection.
Protection and Security (Part 1) CS-502 Fall 20061 Protection and Security CS-502 Operating Systems Fall 2006 (Slides include materials from Operating.

Protection and Security (Part 1) CS-502 Fall Protection and Security CS-502 Operating Systems Fall 2006 (Slides include materials from Operating.
Processes in Unix, Linux, and Windows CS-502 Fall 20071 Processes in Unix, Linux, and Windows CS502 Operating Systems (Slides include materials from Operating.

Processes in Unix, Linux, and Windows CS-502 Fall Processes in Unix, Linux, and Windows CS502 Operating Systems (Slides include materials from Operating.
Protection and Security CSCI 444/544 Operating Systems Fall 2008.

Protection and Security CSCI 444/544 Operating Systems Fall 2008.
Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Protection.

Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Protection.
Page 19/4/2015 CSE 30341: Operating Systems Principles Raid storage  Raid – 0: Striping  Good I/O performance if spread across disks (equivalent to n.

Page 19/4/2015 CSE 30341: Operating Systems Principles Raid storage  Raid – 0: Striping  Good I/O performance if spread across disks (equivalent to n.
Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.

Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.
Operating Systems Protection & Security.

Operating Systems Protection & Security.

Similar presentations

Ads by Google