Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 8 Page 1 CS 236, Spring 2008 Protecting Interprocess Communications Operating systems provide various kinds of interprocess communications –Messages.

Published byGabriel Arnold Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 8 Page 1 CS 236, Spring 2008 Protecting Interprocess Communications Operating systems provide various kinds of interprocess communications –Messages."— Presentation transcript:

1 Lecture 8 Page 1 CS 236, Spring 2008 Protecting Interprocess Communications Operating systems provide various kinds of interprocess communications –Messages –Semaphores –Shared memory –Sockets How can we be sure they’re used properly?

2 Lecture 8 Page 2 CS 236, Spring 2008 IPC Protection Issues How hard it is depends on what you’re worried about For the moment, let’s say we’re worried about one process improperly using IPC to get info from another –Process A wants to steal information from process B How would process A do that?

3 Lecture 8 Page 3 CS 236, Spring 2008 Message Security Process AProcess B Can process B use message- based IPC to steal the secret? Gimme your secret That’s probably not going to work

4 Lecture 8 Page 4 CS 236, Spring 2008 How Can B Get the Secret? He can convince the system he’s A –A problem for authentication He can break into A’s memory –That doesn’t use message IPC –And is handled by page tables He can forge a message from someone else to get the secret He can “eavesdrop” on someone else who gets the secret

5 Lecture 8 Page 5 CS 236, Spring 2008 Forging An Identity Process AProcess B Process C I’m C, gimme your secret Will A know B is lying?

6 Lecture 8 Page 6 CS 236, Spring 2008 Operating System Protections The operating system knows who each process belongs to It can tag the message with the identity of the sender –Raw message never available outside the OS If the receiver cares, he can know the identity

7 Lecture 8 Page 7 CS 236, Spring 2008 How About Eavesdropping? Process AProcess B Process C I’m C, gimme your secret Can process B “listen in” on this message?

8 Lecture 8 Page 8 CS 236, Spring 2008 What’s Really Going on Here? On a single machine, what is a message send, really? A message is copied from a process buffer to an OS buffer –Then from the OS buffer to another process’ buffer –Sometimes optimizations skip some copies If attacker can’t get at processes’ internal buffers and can’t get at OS buffers, he can’t “eavesdrop”

9 Lecture 8 Page 9 CS 236, Spring 2008 Returning to an Earlier Issue What are buffers, really? Data held in memory pages Really in page frames Page frames are shared –Serially Will the page frame I allocate contain data from its last user?

10 Lecture 8 Page 10 CS 236, Spring 2008 Avoiding Page Frame “Eavesdropping” Zero pages on deallocation Zero pages on allocation Mark pages as unreadable until a process writes them –Need to ensure partial write doesn’t clear the mark entirely

11 Lecture 8 Page 11 CS 236, Spring 2008 Other Forms of IPC Semaphores, sockets, shared memory, RPC Pretty much all the same –Use system calls for access –Which belong to some process –Which belongs to some principal –OS can check principal against access control permissions at syscall time –Ultimately, data is held in some type of memory Which shouldn’t be improperly accessible

12 Lecture 8 Page 12 CS 236, Spring 2008 So When Is It Hard? 1.Always possible that there’s a bug in the operating system –Allowing masquerading, eavesdropping, etc. –Or, if the OS itself is compromised, all bets are off 2.What if the OS has to prevent cooperating processes from sharing information?

13 Lecture 8 Page 13 CS 236, Spring 2008 The Hard Case Process AProcess B Process A wants to tell the secret to process B But the OS has been instructed to prevent that A necessary part of Bell-La Padula, e.g. Can the OS prevent A and B from colluding to get the secret to B?

14 Lecture 8 Page 14 CS 236, Spring 2008 OS Control of Interactions OS can “understand” the security policy Can maintain labels on files, process, data pages, etc. Can regard any IPC or I/O as a possible leak of information –To be prohibited if labels don’t allow it

15 Lecture 8 Page 15 CS 236, Spring 2008 Example Bell-LaPadula doesn’t allow writedown Process A is at Top Secret clearance It tries to send a message to process B –Which is at Secret clearance OS understands Bell-LaPadula –Observes illegal access and prevents the IPC

16 Lecture 8 Page 16 CS 236, Spring 2008 Covert Channels Tricky ways to pass information Requires cooperation of sender and receiver –Generally in active attempt to deceive system Use something not ordinarily regarded as a communications mechanism

17 Lecture 8 Page 17 CS 236, Spring 2008

18 Lecture 8 Page 18 CS 236, Spring 2008 Covert Channels in Computers Generally, one process “sends” covert message to another –But could be computer to computer How? –Disk activity –Page swapping –Time slice behavior –Use of a peripheral device –Limited only by imagination

19 Lecture 8 Page 19 CS 236, Spring 2008 Handling Covert Channels Relatively easy if you know what the channel is –Put randomness/noise into channel to wash out message Hard to impossible if you don’t know what the channel is Not most people’s problem

20 Lecture 8 Page 20 CS 236, Spring 2008 File Protection How do we apply these access protection mechanisms to a real system resource? Files are a common example of a typically shared resource If an OS supports multiple users, it needs to address the question of file protection

21 Lecture 8 Page 21 CS 236, Spring 2008 Unix File Protection A model for protecting files developed in the 1970s Still in very wide use today –With relatively few modifications To review, three subjects Owner, group, other and three modes –Read, write, execute –Sometimes these have special meanings

22 Lecture 8 Page 22 CS 236, Spring 2008 Setuid/Setgid Programs Unix mechanisms for changing your user identity and group identity Either indefinitely or for the run of a single program Created to deal with inflexibilities of the Unix access control model But the source of endless security problems

23 Lecture 8 Page 23 CS 236, Spring 2008 Why Are Setuid Programs Necessary? The print queue is essentially a file Someone must own that file How will other people put stuff in the print queue? –Without making the print queue writeable for all purposes Typical Unix answer is run the printing program setuid –To the owner of the print queue

24 Lecture 8 Page 24 CS 236, Spring 2008 Why Are Setuid Programs Dangerous? Essentially, setuid programs expand a user’s security domain In an encapsulated way –Abilities of the program limit the operations in that domain Need to be damn sure that the program’s abilities are limited

25 Lecture 8 Page 25 CS 236, Spring 2008 Some Examples of Setuid Dangers Setuid programs that allow forking of a new shell Setuid programs with powerful debugging modes Setuid programs with “interesting” side effects –E.g., lpr options that allow file deletion

26 Lecture 8 Page 26 CS 236, Spring 2008 Encrypted File Systems Data stored on disk is subject to many risks –Improper access through OS flaws –But also somehow directly accessing the disk If the OS protections are bypassed, how can we protect data? How about if we store it in encrypted form?

27 Lecture 8 Page 27 CS 236, Spring 2008 An Example of an Encrypted File System Sqzmredq #099 sn lx rzuhmfr zbbntms KsKs Transfer $100 to my savings account Issues for encrypted file systems: When does the cryptography occur? Where does the key come from? What is the granularity of cryptography?

28 Lecture 8 Page 28 CS 236, Spring 2008 When Does Cryptography Occur? Transparently when user opens file? –In disk drive? –In OS? –In file system? By explicit user command? –Or always, implicitly? How long is the data decrypted? Where does it exist in decrypted form?

29 Lecture 8 Page 29 CS 236, Spring 2008 Where Does the Key Come From? Provided by human user? Stored somewhere in file system? Stored on a smart card? Stored in the disk hardware? Stored on another computer? Where and for how long do we store the key?

30 Lecture 8 Page 30 CS 236, Spring 2008 What Is the Granularity of Cryptography? An entire file system? Per file? Per block? Consider both in terms of: –How many keys? –When is a crypto operation applied?

31 Lecture 8 Page 31 CS 236, Spring 2008 What Are You Trying to Protect Against With Crypto File Systems? Unauthorized access by improper users? –Why not just access control? The operating system itself? –What protection are you really getting? Data transfers across a network? –Why not just encrypt while in transit? Someone who accesses the device not using the OS? –A realistic threat in your environment?

32 Lecture 8 Page 32 CS 236, Spring 2008 Full Disk Encryption All data on the disk is encrypted Data is encrypted/decrypted as it enters/leaves disk Primary purpose is to prevent improper access to stolen disks –Designed mostly for laptops

33 Lecture 8 Page 33 CS 236, Spring 2008 Hardware Vs. Software Full Disk Encryption HW advantages: –Probably faster –Totally transparent, works for any OS –Setup probably easier HW disadvantages: –Not ubiquitously available today –More expensive (not that much, though - ~$90 vs. ~$50 for 80Gbyte disk) –Might not fit into a particular machine –Backward compatibility

34 Lecture 8 Page 34 CS 236, Spring 2008 An Example of Hardware Full Disk Encryption Seagate’s Momentus 5400 FDE product line Hardware encryption for entire disk –Using AES Key accessed via user password –Hashed password stored on disk –Check performed by the disk itself, pre-boot –44 Mbytes/sec sustained transfer rate Primarily for laptops

35 Lecture 8 Page 35 CS 236, Spring 2008 Example of Software Full Disk Encryption Vista BitLocker Doesn’t encrypt quite the whole drive –Need unencrypted partition to hold bootstrap stuff Uses AES for cryptography Key stored either in special hardware or USB drive Microsoft claims “single digit percentage” overhead –One independent study claims 12%

Download ppt "Lecture 8 Page 1 CS 236, Spring 2008 Protecting Interprocess Communications Operating systems provide various kinds of interprocess communications –Messages."

Similar presentations

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
Lecture 12 Page 1 CS 111 Online Devices and Device Drivers CS 111 On-Line MS Program Operating Systems Peter Reiher.

Lecture 12 Page 1 CS 111 Online Devices and Device Drivers CS 111 On-Line MS Program Operating Systems Peter Reiher.
Chapter 6 Limited Direct Execution

Chapter 6 Limited Direct Execution
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Cs238 Lecture 3 Operating System Structures Dr. Alan R. Davis.

Cs238 Lecture 3 Operating System Structures Dr. Alan R. Davis.
1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.

1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.
Operating System Organization

Operating System Organization
Lecture 19 Page 1 CS 111 Online Security for Operating Systems: Cryptography, Authentication, and Protecting OS Resources CS 111 On-Line MS Program Operating.

Lecture 19 Page 1 CS 111 Online Security for Operating Systems: Cryptography, Authentication, and Protecting OS Resources CS 111 On-Line MS Program Operating.
Programming Satan’s Computer

Programming Satan’s Computer
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.

Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.
Lecture 8 Page 1 CS 136, Fall 2014 Operating System Security Computer Security Peter Reiher October 30, 2014.

Lecture 8 Page 1 CS 136, Fall 2014 Operating System Security Computer Security Peter Reiher October 30, 2014.
Lecture 18 Page 1 CS 111 Online Access Control Security could be easy – If we didn’t want anyone to get access to anything The trick is giving access to.

Lecture 18 Page 1 CS 111 Online Access Control Security could be easy – If we didn’t want anyone to get access to anything The trick is giving access to.
Rensselaer Polytechnic Institute CSCI-4210 – Operating Systems CSCI-6140 – Computer Operating Systems David Goldschmidt, Ph.D.

Rensselaer Polytechnic Institute CSCI-4210 – Operating Systems CSCI-6140 – Computer Operating Systems David Goldschmidt, Ph.D.
1 Architectural Support for Copy and Tamper Resistant Software David Lie, Chandu Thekkath, Mark Mitchell, Patrick Lincoln, Dan Boneh, John Mitchell and.

1 Architectural Support for Copy and Tamper Resistant Software David Lie, Chandu Thekkath, Mark Mitchell, Patrick Lincoln, Dan Boneh, John Mitchell and.
Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.

Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.
Lecture 3 Process Concepts. What is a Process? A process is the dynamic execution context of an executing program. Several processes may run concurrently,

Lecture 3 Process Concepts. What is a Process? A process is the dynamic execution context of an executing program. Several processes may run concurrently,
Lecture 17 Page 1 CS 236 Online Privacy CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Lecture 17 Page 1 CS 236 Online Privacy CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Similar presentations

Ads by Google