Unit 07 - Protection & Security
Selected Topics
Operating System Concepts – 9th Edition Silberschatz, Galvin and Gagne ©2013
Goals of Protection
Principles of Protection
Guiding principle – principle of least privilege
Programs, users and systems should be given just enough privileges to perform their tasks
Limits damage if an entity has a bug or gets abused
Can be static (during life of system, during life of process) or
dynamic (changed by process as needed) – domain switching, privilege escalation
“Need to know” is a similar concept regarding access to data
Domain Structure
Domain Implementation (UNIX)
Domain = user-id
Domain switch accomplished via file system
Each file has associated with it a domain bit (setuid bit)
When file is executed and setuid = on, then user-id is set to owner of the file being executed
When execution completes user-id is reset
Domain switch accomplished via passwords
su command temporarily switches to another user’s domain when other domain’s password provided
Domain switching via commands
sudo command prefix executes specified command in another domain (if original domain has privilege or password given)
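The setuid domain switch above, as an added Python example (not from the slides or the textbook): effective_uid_after_exec and domain_trace model the three moments of the switch (before exec, while the file runs, after it completes), and find_setuid_files walks a directory tree to inventory the files on which such a switch can happen, which is what an administrator audits. The mode constants are constructed sample values.

```python
import os
import stat

# Constructed sample st_mode values (not taken from the slides): an ordinary
# executable, and the same file with the setuid bit (the "domain bit") set.
REGULAR_EXEC = stat.S_IFREG | 0o755
SETUID_EXEC = stat.S_IFREG | stat.S_ISUID | 0o755


def effective_uid_after_exec(st_mode, owner_uid, caller_uid):
    """Return the user-id domain a process runs in after exec'ing a file.

    With setuid on, the effective uid becomes the file owner's uid; otherwise
    the caller stays in its own domain.
    """
    if st_mode & stat.S_ISUID:
        return owner_uid
    return caller_uid


def domain_trace(st_mode, owner_uid, caller_uid):
    """Model the three moments of a UNIX domain switch.

    Returns (uid before exec, uid while the file runs, uid after it completes):
    the switch is temporary and the caller's uid is restored afterwards.
    """
    during = effective_uid_after_exec(st_mode, owner_uid, caller_uid)
    return (caller_uid, during, caller_uid)


def find_setuid_files(root):
    """Walk a directory tree and list regular files carrying the setuid bit.

    Every hit is a place where the domain switch can happen. Unreadable paths
    are skipped rather than aborting the scan; a missing root yields nothing.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid, oct(stat.S_IMODE(st.st_mode))))
    return hits


if __name__ == "__main__":
    print(domain_trace(SETUID_EXEC, 0, 1000))  # (1000, 0, 1000): runs as root, then back
    for path, uid, mode in find_setuid_files("/usr/bin"):
        print(f"{mode} owner={uid} {path}")
```

Run against /usr/bin the scan lists the usual setuid-root programs (su and sudo among them); a file appearing there that is not expected is the first thing to investigate.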
Domain Implementation (MULTICS)
Let Di and Dj be any two domain rings
If j < i then Di ⊆ Dj
Multics Benefits and Limits
Access Matrix
View protection as a matrix (access matrix)
Rows represent domains
Columns represent objects
Access(i, j) is the set of operations that a process executing in Domain Di can invoke on Object Oj
Figure A
Use of Access Matrix
If a process in Domain Di tries to do “op” on object Oj, then “op” must be in the access matrix
User who creates object can define access column for that object
Can be expanded to dynamic protection
Operations to add, delete access rights
Special access rights:
owner of Oi
copy op from Oi to Oj (denoted by “*”)
control – Di can modify Dj access rights
transfer – switch from domain Di to Dj
Copy and Owner applicable to an object
Control applicable to domain object
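The access matrix and its special rights (copy, owner, control, and the domain switch the slide calls transfer), as an added Python example that is not from the slides or the textbook. Domains appear as columns as well as rows so control and switch live in the same matrix; the starred right read* means "may read and may copy that right". The domains D1..D3 and files F1, F2 in build_example are a constructed scenario, not the slides' Figure A.

```python
class AccessMatrix:
    """Access matrix: rows are domains, columns are objects plus the domains."""

    def __init__(self, domains, objects):
        self.domains = set(domains)
        self.objects = set(objects)
        # Domains appear as columns too, so rights like control and switch
        # can be expressed in the same matrix ("Domains as Objects").
        columns = self.objects | self.domains
        self.cells = {(d, c): set() for d in self.domains for c in columns}

    def rights(self, domain, column):
        return self.cells[(domain, column)]

    def grant(self, domain, column, *rights):
        self.cells[(domain, column)].update(rights)

    # Basic use: "op" must be in Access(i, j). A starred right (read*) also
    # permits the plain operation.
    def allowed(self, domain, obj, op):
        cell = self.cells[(domain, obj)]
        return op in cell or op + "*" in cell

    # Copy right (denoted "*"): a domain holding read* on an object may give
    # read on that object to another domain. transfer=True moves the right
    # instead of copying it; limited=True strips the star so the recipient
    # cannot propagate it further.
    def copy(self, src, dst, obj, right, transfer=False, limited=True):
        if right + "*" not in self.cells[(src, obj)]:
            raise PermissionError(f"{src} has no copy right for {right} on {obj}")
        self.cells[(dst, obj)].add(right if limited else right + "*")
        if transfer:
            self.cells[(src, obj)].discard(right + "*")

    # Owner right: the owner of an object edits that object's whole column.
    def owner_grant(self, owner, target_domain, obj, right):
        if "owner" not in self.cells[(owner, obj)]:
            raise PermissionError(f"{owner} does not own {obj}")
        self.cells[(target_domain, obj)].add(right)

    def owner_revoke(self, owner, target_domain, obj, right):
        if "owner" not in self.cells[(owner, obj)]:
            raise PermissionError(f"{owner} does not own {obj}")
        self.cells[(target_domain, obj)].discard(right)

    # Control right: Di holding control on Dj may remove rights from Dj's row.
    def control_revoke(self, controller, target_domain, obj, right):
        if "control" not in self.cells[(controller, target_domain)]:
            raise PermissionError(f"{controller} does not control {target_domain}")
        self.cells[(target_domain, obj)].discard(right)

    # Switch (the slide's "transfer"): a process moves from Di to Dj only if
    # Access(i, Dj) contains switch.
    def switch(self, current, target):
        if "switch" not in self.cells[(current, target)]:
            raise PermissionError(f"{current} may not switch to {target}")
        return target


def build_example():
    """Constructed matrix (not the slides' Figure A): D1..D3 over files F1, F2."""
    m = AccessMatrix(["D1", "D2", "D3"], ["F1", "F2"])
    m.grant("D1", "F1", "read*")           # D1 may read F1 and hand that right on
    m.grant("D1", "D2", "switch")          # D1 may switch into D2
    m.grant("D2", "F2", "owner", "write")  # D2 owns F2
    m.grant("D2", "D3", "control")         # D2 controls domain D3
    m.grant("D3", "F2", "write")
    return m


if __name__ == "__main__":
    m = build_example()
    m.copy("D1", "D3", "F1", "read")             # D1 gives D3 read on F1
    m.control_revoke("D2", "D3", "F2", "write")  # D2 strips D3's write on F2
    print(sorted(m.rights("D3", "F1")), sorted(m.rights("D3", "F2")))
```

Every dynamic operation checks the caller's own cell first; that is the whole point of keeping owner, control and switch inside the matrix rather than as out-of-band administrator actions.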
Use of Access Matrix (Cont.)
Access Matrix of Figure A with Domains as Objects
Access Matrix with Copy Rights
Access Matrix With Owner Rights
Implementation of Access Matrix
Implementation of Access Matrix (Cont.)
Option 4 – Lock-key
Compromise between access lists and capability lists
Each object has list of unique bit patterns, called locks
Each domain has list of unique bit patterns, called keys
Process in a domain can only access object if domain has key that matches one of the locks
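The lock-key scheme above, as an added Python example (not from the slides or the textbook). Each lock additionally names the operations it unlocks, which is an assumption beyond the slide's plain match rule; it also shows the property that makes lock-key attractive in practice: revoking access to an object is just re-keying its locks, after which every outstanding key stops matching until the owner re-issues one. The patterns used in the test are constructed.

```python
import secrets


class LockKeyProtection:
    """Lock-key implementation of an access matrix.

    An object carries locks (unique bit patterns), each lock naming the
    operations it unlocks; a domain carries keys (bit patterns). A process in
    a domain may perform op on an object only if one of its keys matches a
    lock on that object that grants op.
    """

    def __init__(self, pattern_bits=64):
        self.pattern_bits = pattern_bits
        self.locks = {}  # object -> {lock pattern: set of ops}
        self.keys = {}   # domain -> set of key patterns

    def new_pattern(self):
        """Fresh unguessable pattern; the system, not the user, picks these."""
        return secrets.randbits(self.pattern_bits)

    def add_lock(self, obj, ops, pattern=None):
        """Attach a lock to obj granting ops; returns the lock pattern."""
        pattern = self.new_pattern() if pattern is None else pattern
        self.locks.setdefault(obj, {})[pattern] = set(ops)
        return pattern

    def give_key(self, domain, pattern):
        self.keys.setdefault(domain, set()).add(pattern)

    def can_access(self, domain, obj, op):
        """True if some key of the domain matches a lock on obj granting op."""
        object_locks = self.locks.get(obj, {})
        for key in self.keys.get(domain, set()):
            if key in object_locks and op in object_locks[key]:
                return True
        return False

    def revoke_all(self, obj):
        """Revocation by re-keying: replace every lock on obj with a fresh
        pattern so all outstanding keys stop matching. Returns a map from old
        pattern to new pattern so the owner can re-issue keys selectively."""
        old = self.locks.get(obj, {})
        self.locks[obj] = {}
        return {old_p: self.add_lock(obj, ops) for old_p, ops in old.items()}


if __name__ == "__main__":
    p = LockKeyProtection()
    lock = p.add_lock("F1", {"read", "write"})
    p.give_key("D1", lock)
    print(p.can_access("D1", "F1", "read"))   # True
    p.revoke_all("F1")
    print(p.can_access("D1", "F1", "read"))   # False: old key no longer matches
```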
Comparison of Implementations
Access Control
Protection can be applied to non-file resources
Oracle Solaris 10 provides role-based access control (RBAC) to implement least privilege
Privilege is right to execute system call or use an option within a system call
Can be assigned to processes
Users assigned roles granting access to privileges and programs
Enable role via password to gain its privileges
Similar to access matrix
Capability-Based Systems
Hydra
Fixed set of access rights known to and interpreted by the system
e.g. read, write, or execute each memory segment
User can declare other auxiliary rights and register those with protection system
Accessing process must hold capability and know name of operation
Rights amplification allowed by trustworthy procedures for a specific type
Interpretation of user-defined rights performed solely by user's program; system provides access protection for use of these rights
Operations on objects defined procedurally – procedures are objects accessed indirectly by capabilities
Solves the problem of mutually suspicious subsystems
Includes library of prewritten security routines
Chapter 15: Security
Selected Topics
The Security Problem
System secure if resources used and accessed as intended under all circumstances
Unachievable
Intruders (crackers) attempt to breach security
Threat is potential security violation
Attack is attempt to breach security
Attack can be accidental or malicious
Easier to protect against accidental than malicious misuse
Security Violation Categories
Breach of confidentiality
Unauthorized reading of data
Breach of integrity
Unauthorized modification of data
Breach of availability
Unauthorized destruction of data
Theft of service
Unauthorized use of resources
Denial of service (DOS)
Prevention of legitimate use
Standard Security Attacks
Security Violation Methods
Masquerading (breach authentication)
Pretending to be an authorized user to escalate privileges
Replay attack
As is or with message modification
Man-in-the-middle attack
Intruder sits in data flow, masquerading as sender to receiver and vice versa
Session hijacking
Intercept an already-established session to bypass authentication
Security Measure Levels
Impossible to have absolute security, but make cost to perpetrator sufficiently high to deter most intruders
Security must occur at four levels to be effective:
Physical
Data centers, servers, connected terminals
Human
Avoid social engineering (SE), phishing, dumpster diving (DD)
Operating System
Protection mechanisms, debugging
Network
Intercepted communications, interruption, DOS
Security is as weak as the weakest link in the chain
But can too much security be a problem?
SE: the psychological manipulation of people into performing actions or divulging confidential information
Phishing: Fraudulently obtaining private information
DD: technique used to retrieve information that could be used to carry out an attack or gain access to a computer network from disposed items
Program Threats
Many variations, many names
Trojan Horse
Code segment that misuses its environment
Exploits mechanisms for allowing programs written by users to be executed by other users
Spyware, pop-up browser windows, covert channels
Up to 80% of spam delivered by spyware-infected systems
Trap Door
Specific user identifier or password that circumvents normal security procedures
Could be included in a compiler
How to detect them?
Program Threats (Cont.)
Logic Bomb
Program that initiates a security incident under certain circumstances
Stack and Buffer Overflow
Exploits a bug in a program (overflow either the stack or memory buffers)
Failure to check bounds on inputs, arguments
Write past arguments on the stack into the return address on stack
When routine returns from call, returns to hacked address
Hacked address points to code loaded onto stack, which executes malicious code
Result: unauthorized user access or privilege escalation
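The mechanism in the bullets above, as an added Python model that is not from the slides or the textbook: a byte array stands in for one stack frame laid out as buffer, canary, saved frame pointer, return address. unchecked_copy models strcpy()/gets() and writes whatever it is given; bounded_copy models a length-checked copy and refuses oversized input before writing; simulate_return is the canary check a compiler-inserted epilogue performs. The return address and canary values are constructed, and IndexError stands in for the crash of writing off the end of the mapped stack.

```python
BUF_SIZE = 16      # the local buffer the routine meant to fill
CANARY_SIZE = 8    # guard value between the buffer and the saved registers
SFP_SIZE = 8       # saved frame pointer
RET_SIZE = 8       # saved return address
FRAME_SIZE = BUF_SIZE + CANARY_SIZE + SFP_SIZE + RET_SIZE

CANARY_OFF = BUF_SIZE
SFP_OFF = CANARY_OFF + CANARY_SIZE
RET_OFF = SFP_OFF + SFP_SIZE

# Constructed values: a made-up return address and canary, not real ones.
LEGIT_RETURN = 0x0000000000401136
CANARY = 0x7F3A9C1E5B2D4801


class ToyFrame:
    """Bytes of one stack frame: buffer at the low end, return address at the top."""

    def __init__(self, return_addr=LEGIT_RETURN, canary=CANARY):
        self.mem = bytearray(FRAME_SIZE)
        self.canary = canary
        self.mem[CANARY_OFF:SFP_OFF] = canary.to_bytes(CANARY_SIZE, "little")
        self.mem[RET_OFF:FRAME_SIZE] = return_addr.to_bytes(RET_SIZE, "little")

    def return_address(self):
        return int.from_bytes(self.mem[RET_OFF:FRAME_SIZE], "little")

    def canary_intact(self):
        return int.from_bytes(self.mem[CANARY_OFF:SFP_OFF], "little") == self.canary


def unchecked_copy(frame, data):
    """Models strcpy()/gets(): copies every input byte with no bounds check.

    Bytes beyond BUF_SIZE land on the canary, saved frame pointer and return
    address; bytes beyond the frame hit unmapped memory (IndexError here).
    """
    for i, b in enumerate(data):
        frame.mem[i] = b


def bounded_copy(frame, data):
    """Models a length-checked copy (strncpy()/fgets() given the buffer size):
    input longer than the buffer is rejected before anything is written."""
    if len(data) > BUF_SIZE:
        raise ValueError(f"input of {len(data)} bytes exceeds {BUF_SIZE}-byte buffer")
    frame.mem[:len(data)] = data


def simulate_return(frame):
    """What a canary-checking epilogue does: abort on a smashed canary,
    otherwise report where control would go."""
    if not frame.canary_intact():
        return ("abort", None)
    return ("return", frame.return_address())


if __name__ == "__main__":
    f = ToyFrame()
    unchecked_copy(f, b"A" * FRAME_SIZE)
    print(hex(f.return_address()), simulate_return(f))  # 0x4141414141414141 ('abort', None)
```

The two defences shown are the ones the bullet "failure to check bounds" points at: reject the input before it is copied, and, failing that, detect the damage before the corrupted return address is used.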
Program Threats (Cont.)
Viruses
Code fragment embedded in legitimate program
Self-replicating, designed to infect other computers
Very specific to CPU architecture, operating system, applications
Usually borne via email or as a macro
Visual Basic Macro to reformat hard drive
Sub AutoOpen()
Dim oFS
Set oFS = CreateObject("Scripting.FileSystemObject")
vs = Shell("c:command.com /k format c:",vbHide)
End Sub
Program Threats (Cont.)
Virus dropper inserts virus onto the system
Many categories of viruses, literally many thousands of viruses
File / parasitic
Boot / memory
Macro
Source code
Polymorphic to avoid having a virus signature
Encrypted
Stealth
Tunneling
Multipartite
Armored
A Boot-sector Computer Virus
The Threat Continues
Attacks still common, still occurring
Attacks moved over time from science experiments to tools of
organized crime
Targeting specific companies
Creating botnets to use as tool for spam and DDOS delivery
Keystroke logger to grab passwords, credit card numbers
Why is Windows the target for most attacks?
Most common
Everyone is an administrator
Licensing required?
Monoculture considered harmful
System and Network Threats
System and Network Threats (Cont.)
The Morris Internet Worm
System and Network Threats (Cont.)
Port scanning
Automated attempt to connect to a range of ports on one or a range of IP addresses
Detection of answering service protocol
Detection of OS and version running on system
nmap scans all ports in a given IP range for a response
nessus has a database of protocols and bugs (and exploits) to apply against a system
Frequently launched from zombie systems
To decrease traceability
System and Network Threats (Cont.)
Denial of Service
Overload the targeted computer preventing it from doing any useful work
Distributed denial-of-service (DDOS) attacks come from multiple sites at once
Consider the start of the IP-connection handshake (SYN)
How many started-connections can the OS handle?
Consider traffic to a web site
How can you tell the difference between being a target and being really popular?
Accidental – CS students writing bad fork() code
Purposeful – extortion, punishment
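One defender's answer to the two questions above (how many half-open connections the listen backlog is absorbing, and target versus popular), as an added Python example that is not from the slides or the textbook. It parses a socket table in the shape of `ss -tan` output and compares half-open (SYN-RECV) sockets with completed (ESTAB) ones: a site that is merely popular completes most handshakes, while a SYN flood leaves the backlog full of half-open entries. The two sample tables are constructed with documentation addresses, the default backlog of 128 and the 0.5 ratio are assumed thresholds, and the verdict is a crude heuristic to be tuned per site.

```python
from collections import Counter

# Constructed sample tables in the shape of `ss -tan` output (not real captures).
SAMPLE_FLOOD = """\
State    Recv-Q Send-Q Local Address:Port Peer Address:Port
SYN-RECV 0      0      10.0.0.5:80        203.0.113.9:40001
SYN-RECV 0      0      10.0.0.5:80        203.0.113.9:40002
SYN-RECV 0      0      10.0.0.5:80        203.0.113.9:40003
SYN-RECV 0      0      10.0.0.5:80        203.0.113.10:5121
SYN-RECV 0      0      10.0.0.5:80        203.0.113.10:5122
SYN-RECV 0      0      10.0.0.5:80        203.0.113.11:9011
ESTAB    0      0      10.0.0.5:80        198.51.100.7:33120
"""

SAMPLE_POPULAR = """\
State    Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB    0      0      10.0.0.5:80        198.51.100.7:33120
ESTAB    0      0      10.0.0.5:80        198.51.100.8:41002
ESTAB    0      0      10.0.0.5:80        198.51.100.9:52210
SYN-RECV 0      0      10.0.0.5:80        198.51.100.10:6000
ESTAB    0      0      10.0.0.5:80        198.51.100.11:7782
"""


def parse_socket_table(text):
    """Return [(state, peer_ip), ...] for each socket line, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        peer_ip = fields[4].rsplit(":", 1)[0]   # strip the peer port
        rows.append((fields[0], peer_ip))
    return rows


def half_open_report(rows, backlog=128, flood_ratio=0.5, top_n=3):
    """Summarise half-open (SYN-RECV) sockets against the listen backlog.

    Verdict 'flood' when half-open sockets are at least flood_ratio of all
    connections, 'popular' when most connections complete the handshake,
    'quiet' when there is nothing to judge.
    """
    total = len(rows)
    pending = Counter(peer for state, peer in rows if state == "SYN-RECV")
    half_open = sum(pending.values())
    ratio = half_open / total if total else 0.0
    if total == 0:
        verdict = "quiet"
    elif ratio >= flood_ratio:
        verdict = "flood"
    else:
        verdict = "popular"
    return {
        "total": total,
        "half_open": half_open,
        "half_open_ratio": round(ratio, 3),
        "backlog_used_pct": round(100.0 * half_open / backlog, 1),
        "top_sources": pending.most_common(top_n),   # who the half-open ones come from
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, table in (("flood", SAMPLE_FLOOD), ("popular", SAMPLE_POPULAR)):
        print(name, half_open_report(parse_socket_table(table)))
```

The top_sources list is what separates a flood that can be rate-limited per peer from one whose sources are spoofed across the whole address space; the latter is the case SYN cookies were designed for.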
Cryptography as a Security Tool
Broadest security tool available
Internal to a given computer, source and destination of messages can be known and protected
OS creates, manages, protects process IDs, communication ports
Source and destination of messages on network cannot be trusted without cryptography
Local network – IP address?
– Consider unauthorized host added
WAN / Internet – how to establish authenticity
– Not via IP address
Cryptography
Authentication
Constraining set of potential senders of a message
Complementary to encryption
Also can prove message unmodified
Algorithm components
A set K of keys
A set M of messages
A set A of authenticators
A function S : K → (M → A). That is, for each k ∈ K, S_k is a function for generating authenticators from messages
Both S and S_k for any k should be efficiently computable functions
A function V : K → (M × A → {true, false}). That is, for each k ∈ K, V_k is a function for verifying authenticators on messages
Both V and V_k for any k should be efficiently computable functions
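The components K, M, A, S and V above, instantiated as an added Python example that is not from the slides or the textbook. The slides name no concrete construction; this one uses HMAC-SHA256 (32-byte keys, byte-string messages, 32-byte authenticators) from the standard library. demo checks the two properties the slide lists: only a holder of k can produce an authenticator that V_k accepts, and any modification of the message is detected. The key bytes and message in the test are constructed.

```python
import hashlib
import hmac
import secrets

# Instantiation: K = 32-byte keys, M = byte strings, A = 32-byte HMAC-SHA256 tags.
KEY_BYTES = 32


def keygen():
    """Draw k uniformly from K."""
    return secrets.token_bytes(KEY_BYTES)


def S(k):
    """S : K -> (M -> A). S(k) is the authenticator-generating function S_k."""
    def S_k(m):
        return hmac.new(k, m, hashlib.sha256).digest()
    return S_k


def V(k):
    """V : K -> (M x A -> {true, false}). V(k) is the verifying function V_k."""
    def V_k(m, a):
        expected = hmac.new(k, m, hashlib.sha256).digest()
        # Constant-time comparison so verification time leaks nothing about a.
        return hmac.compare_digest(expected, a)
    return V_k


def demo(k, k_other, m=b"transfer 100 to account 42"):
    """The two properties from the slide: the set of possible senders is
    constrained to holders of k, and modification of m is detected."""
    a = S(k)(m)
    return {
        "genuine": V(k)(m, a),                 # same key, same message
        "modified_message": V(k)(m + b"0", a),  # one appended byte
        "wrong_key": V(k_other)(m, a),          # a sender without k
    }


if __name__ == "__main__":
    k, k_other = keygen(), keygen()
    print(demo(k, k_other))  # {'genuine': True, 'modified_message': False, 'wrong_key': False}
```

Both S_k and V_k are a single hash computation, which is the "efficiently computable" requirement; the security rests on k staying secret, so the authenticator, unlike a signature, can be checked only by a party that also holds k.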
Implementation of Cryptography