Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.

Similar presentations

Presentation on theme: "CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security."— Presentation transcript:

1 CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security

2 CS-550 (M.Soneru): Protection and Security - 1 [SaS] 2 Computer Security 1. External Security: Physical access to computer facility 2. Interface Security: Authentication of user 3. Internal Security: u Protection: control of access within computer systems u Communication security: control of information on communication lines between computer systems u File security: control of stored information

3 CS-550 (M.Soneru): Protection and Security - 1 [SaS] 3 Potential Security Violations Unauthorized information release: Unauthorized person can read information or use computer program Unauthorized information modification: Unauthorized person can change information Unauthorized denial of service: Unauthorized person prevents authorized users from accessing system (including overload, change in scheduling algorithms, etc.)

4 CS-550 (M.Soneru): Protection and Security - 1 [SaS] 4 Policies and mechanisms; Protection domain Policies and mechanisms - Policies: what should be done Security policies: which user can have access to what resources - Mechanisms: how it should be done Protection: mechanisms that control user access to system resources Protection vs. security: Protection is a mechanism and security is a policy. Protection domain of a process - Process domain: Resources that can access Operations it can use on these resources - Protection domain changes when control moves to another process - Policy: process should access only resources it needs for its task

5 CS-550 (M.Soneru): Protection and Security - 1 [SaS] 5 Design Principles for Secure Systems (Saltzer and Schroeder) Economy: Protection mechanism should be economical, i.e. low development cost and low system overhead Complete mediation: every request to access an object should be validated Open design: protection mechanism should work even if its design is well known Separation of privileges: protection mechanism should require two conditions to allow access Least privilege: a process should receive only minimum access rights required to complete its task Least common mechanism: minimum shared mechanism between users. Shared mechanisms (variables) can become information path Acceptability: Protection mechanism should be easy to use Fail-safe defaults: Default case should be denial of access.

6 CS-550 (M.Soneru): Protection and Security - 1 [SaS] 6 The Access Matrix Model Model components – Current objects: set of entities, ‘O’, to which access is to be controlled Examples: files, memory pages, devices – Current subjects: set of entities, ‘s’, that access current objects (s  o) Example: (process, domain) pair – Generic rights/rules: access rights that subjects can have to objects: R={r 1, r 2,…,r m } Examples: read, write, execute, own, block

7 CS-550 (M.Soneru): Protection and Security - 1 [SaS] 7 The access matrix model (cont.) Protection state of a system Triplet (S, O, P) Where P is the access matrix

8 CS-550 (M.Soneru): Protection and Security - 1 [SaS] 8 Enforcing a Security Policy A security policy is enforced by validating every user access for appropriate access rights Subject Object Object S Monitor O 1. Subject ‘S’ requests access ‘  ’ to object ‘O’ 2. Protection system gives (S, , O) to monitor for ‘ O’ 3. Monitor validates access rights of ‘S’ to ‘O if   P [s,o] then access permitted else access denied Example:

9 CS-550 (M.Soneru): Protection and Security - 1 [SaS] 9 Implementations of the Access Matrix (1) Capability-based method: - Decompose the access control matrix by rows and delete null entries - A row has access rights of a subject to objects (2) Access control list method: - Decompose the access control matrix by columns and delete null entries - A column has access rights of all subjects to an object (3) Lock-key method: - Combination of capability-based and access control list methods

10 CS-550 (M.Soneru): Protection and Security - 1 [SaS] 10 (1) Capability-Based Method Capability: Tuple (O, P[S,O]) Each subject assigned a list of capabilities, one for each object it is allowed to access Capability structure: - Object descriptor: points of object - Access rights: list of all access rights the subject is allowed on the object Object Descriptor Access Rights (read, write, execute)

11 CS-550 (M.Soneru): Protection and Security - 1 [SaS] 11 (1) Capabilities-Based Method (cont.) Principles: – Each subject has a collection of capabilities, one for each object, to which has access – Each object is protected by a guard (monitor), which holds object identifier – When a subject presents a capability that matches identifier, access is allowed Model of a descriptor-based capability system with authentication mechanism 1. User presents id and password 2. System authenticates user 3. System creates a process S and assigns it capabilities in respective catalog 4. Process S can access all segments for which has capabilities

12 CS-550 (M.Soneru): Protection and Security - 1 [SaS] 12

13 CS-550 (M.Soneru): Protection and Security - 1 [SaS] 13 (1) Capabilities-Based Method (cont.) Capability-based addressing

14 CS-550 (M.Soneru): Protection and Security - 1 [SaS] 14 (1) Capabilities-Based Method (cont.) - Concepts: Integrate capabilities with main memory addressing mechanisms Keep separate capability information from object location info. (to allow simultaneous access to shared objects) - Effective address: capability id of object + offset within object - Operation: Search capability list vs. id Validate access Search object table w. object descriptor Physical location = base + offset - Advantages: relocatability and sharing - Example: IBM system/38

15 CS-550 (M.Soneru): Protection and Security - 1 [SaS] 15 Implementation considerations Protection of capabilities - Issues: capabilities should be protected against unauthorized changes - Solutions: (a) tagged approach, (b) partitioned approach (a) Tagged approach: · Additional bits (flag) to each memory Location and processor register On - capability Off - ordinary data (user data or instruction) Separate instructions can modify locations if ‘On’; not available to users · Examples: Burroughs B6700, Rice Research Computer (b) Partitioned approach: · Separate partitions within object (segments), for capabilities and ordinary data · Separate processor registers also · Users cannot access segments and registers with capabilities · Examples: Plessey system and Chicago Magic Number Machine

16 CS-550 (M.Soneru): Protection and Security - 1 [SaS] 16 Advantages of Capabilities - Efficiency: easy test of access rights - Simplicity: simple implementation of addressing - Flexibility: ease of defining access rights

17 CS-550 (M.Soneru): Protection and Security - 1 [SaS] 17 Issues With Capabilities Control of propagation: - Issue: how to control propagation of capabilities once the object owner has given a capability to another subject - Options: · Add a ‘copy bit’ to each capability · Provide a depth counter incremented/decremented w. each copy Review: - Issue: difficult to implement review of access, i.e. identification of all subjects which can access an object - Option: partitioned approach makes it easier Revocation of access rights: - Issue: once a capability is given to a subject, it is difficult to revoke - Options: destroy copy of object or indirect addressing Garbage collection: - Issue: when all capabilities for an object disappear, object has to be removed - Options: keep count of copies of capabilities & detect zero Domain switching - Issue: how does the set of capabilities change when subject changes domains - Option: ‘enter’ capability

18 CS-550 (M.Soneru): Protection and Security - 1 [SaS] 18 Revocation of Capabilities Capabilities are granted to subject A subject who has a capability may want to give a copy to another subject Problem: after giving a capability to another subject the initial subject may want to revoke it (take it back) Solution: - Owner of object X creates C – capability that points indirectly to descriptor for X - Owner of object X gives C to other subjects - To revoke it, X is removed

19 CS-550 (M.Soneru): Protection and Security - 1 [SaS] 19

20 CS-550 (M.Soneru): Protection and Security - 1 [SaS] 20 Domain Switching Processes may need to switch from one set of capabilities (domain) to another set (domain) to perform a task. Domain switching with ‘enter’ capabilities (Dennis & Van Horn) - Enter capability points to capability list for procedure to be called (entry point in a protected subsystem) - When entry point is called, domain is switched to that of called procedure; domain restored at procedure return

21 CS-550 (M.Soneru): Protection and Security - 1 [SaS] 21

Download ppt "CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security."

Similar presentations

Ads by Google