Protection and Security
CSCI 444/544 Operating Systems
Fall 2008
Agenda
• Protection goals and principle
• User authentication and access control
• Security vulnerabilities
• Cryptography as a security tool
Goals
Protection is more important as computer systems develop
• Multiple users have access to the same resources
• Computers are connected to networks
• Increasing importance of electronic commerce
Goals: Ensure users only do what they are supposed to do
• Prevent accidental misuse
– Example: Mistakenly overwrite the command interpreter
– Relatively easy to solve by making it hard to do
• Prevent malicious abuse
– Example: Break into the accounting system and transfer $1 million
– Hard to completely eliminate
Principle of Protection
Guiding principle – principle of least privilege
• Programs, users and systems should be given just enough privileges to perform their tasks
Components of Protection Mechanism
Authentication
• Make sure the system knows who you are
Authorization
• Determine what the user is and is not allowed to do
Access enforcement
• Make sure there are no loopholes in the system
Auditing
• Record what users and programs are doing for later analysis/prosecution
Authentication
How do you prove who you are?
Passwords
• Secret piece of information known only by the user
• System should not store it in readable form
– A one-way transformation must be applied before storing, and re-applied when checking
• Disadvantage: Relatively easy to crack
– Humans choose poor passwords
• Short passwords are easy to find with brute force
• Common words are found in dictionaries
Key
• Physical possession of an item proves identity
• Should not be forgeable or able to be copied
• Advantage: If stolen, the user is aware
• Disadvantage: Relatively expensive to make
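The "store only a one-way transformation" rule for passwords, as an added example (not from the slides): the store keeps a per-user random salt and the PBKDF2 output, never the password, and checking means re-applying the same transform to the claimed password. The in-memory dictionary and the user names are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed in-memory password store: username -> (salt, one-way transform).
# The readable password is never kept anywhere.
PASSWORD_DB = {}

def _transform(password: str, salt: bytes) -> bytes:
    # One-way, salted and deliberately slow (PBKDF2-HMAC-SHA256, 100k rounds),
    # so that a stolen store still cannot be turned back into passwords cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(user: str, password: str) -> None:
    salt = os.urandom(16)   # fresh salt per user defeats precomputed tables
    PASSWORD_DB[user] = (salt, _transform(password, salt))

def authenticate(user: str, password: str) -> bool:
    entry = PASSWORD_DB.get(user)
    if entry is None:
        return False
    salt, stored = entry
    # Re-apply the transform to the claimed password; compare in constant time
    # so the comparison itself leaks nothing about how many bytes matched.
    return hmac.compare_digest(stored, _transform(password, salt))

if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(authenticate("alice", "correct horse battery staple"))  # True
    print(authenticate("alice", "wrong"))                         # False
```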
Authorization Determination
Access rights are represented with an access matrix
• One domain (e.g., user) per row
• One resource (e.g., file) per column
• Each entry indicates the privileges of the domain for the resource

         File A   File B   File C   File D
User 1   RW       RW       RW       RW
User 2   RW       RW       -        -
User 3   RW       R        -        -
User 4   RW       R        RW       -
User 5   RW       R        RW       -
Representation of Access Matrix
The access matrix is sparsely populated
• Condense the information by expressing it in one of two forms
– Access control list: per column
– Capability: per row
Access Control Lists
Access Control Lists (ACLs)
• For each resource, indicate which users can perform which operations
– General form: Each resource has a list of <user, privilege> pairs
• Disadvantage
– Tedious to have a separate entry for every user
• Optimization
– Group users into classes
– UNIX example:
• Three classes of users: self (owner), group, everyone else
• Three privileges: read, write, execute
• Advantage: Easy to revoke privileges
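The UNIX class optimization above, as an added example (not from the slides): the nine mode bits are split into three rwx triples, and the check picks exactly one class for the caller (self, else group, else everyone). The file owner, group and caller ids below are constructed; superuser and ACL extensions are left out.

```python
def mode_string(mode: int) -> str:
    """Render the nine permission bits as the familiar rwxrwxrwx form."""
    out = ""
    for shift in (6, 3, 0):                    # self, group, everyone else
        triple = (mode >> shift) & 7
        out += ("r" if triple & 4 else "-")
        out += ("w" if triple & 2 else "-")
        out += ("x" if triple & 1 else "-")
    return out

def unix_allows(mode: int, file_uid: int, file_gid: int,
                uid: int, gids: set, op: str) -> bool:
    """Classic UNIX three-class check. Exactly one class is selected for the
    caller and only that class's bits are tested: a more specific class never
    falls through to a less specific one. op is 'r', 'w' or 'x'."""
    want = {"r": 4, "w": 2, "x": 1}[op]
    if uid == file_uid:
        triple = (mode >> 6) & 7               # self (owner)
    elif file_gid in gids:
        triple = (mode >> 3) & 7               # group
    else:
        triple = mode & 7                      # everyone else
    return bool(triple & want)

if __name__ == "__main__":
    # Constructed file: mode 0640, owned by uid 1000, group 100.
    print(mode_string(0o640))                               # rw-r-----
    print(unix_allows(0o640, 1000, 100, 1001, {100}, "w"))  # False: group is read-only
    # Legal but odd mode 0064: the owner gets NO access although group and others do,
    # because the owner class is chosen first and its triple is empty.
    print(unix_allows(0o064, 1000, 100, 1000, {100}, "r"))  # False
```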
Access Control Lists
Use of access control lists for managing file access
Capabilities
• For each user, indicate the resources that can be accessed
– General form: Each user has a list of <resource, privilege> pairs
• Compared with ACLs
– May be built into the handle to the resource
– More efficient access-right checking
• Important concern
– A user should not be able to tamper with its capabilities
• Disadvantage
– Difficult to revoke capabilities, since they are distributed throughout the system
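The access matrix from the earlier slide, condensed both ways, as an added example (not from the slides): the per-column ACL form and the per-row capability-list form give the same answers to access checks, but revoking a resource is one local deletion in the ACL and a search over every domain's list with capabilities, which is the disadvantage noted above. The matrix contents are transcribed from the slide; the function names are my own.

```python
# Constructed access matrix, transcribed from the slide: row = domain (user),
# column = resource. Empty ("-") entries are simply absent, which is what makes
# the per-column (ACL) and per-row (capability) forms compact.
MATRIX = {
    "User 1": {"File A": "RW", "File B": "RW", "File C": "RW", "File D": "RW"},
    "User 2": {"File A": "RW", "File B": "RW"},
    "User 3": {"File A": "RW", "File B": "R"},
    "User 4": {"File A": "RW", "File B": "R", "File C": "RW"},
    "User 5": {"File A": "RW", "File B": "R", "File C": "RW"},
}

def to_acls(matrix):
    """Per-column form: resource -> {user: privileges}, i.e. <user, privilege> pairs."""
    acls = {}
    for user, row in matrix.items():
        for resource, privs in row.items():
            acls.setdefault(resource, {})[user] = privs
    return acls

def to_clists(matrix):
    """Per-row form: user -> {resource: privileges}, i.e. <resource, privilege> pairs."""
    return {user: dict(row) for user, row in matrix.items()}

def acl_allows(acls, resource, user, op):
    # ACL check: find the resource's list, then the requesting user's entry in it.
    return op in acls.get(resource, {}).get(user, "")

def clist_allows(clists, user, resource, op):
    # Capability check: the user's own list names the resource and privilege
    # directly, so no other user's entries are consulted.
    return op in clists.get(user, {}).get(resource, "")

def acl_revoke(acls, resource, user):
    # Revocation with an ACL is one local deletion: simple and immediate.
    acls.get(resource, {}).pop(user, None)

def clist_revoke(clists, resource):
    # Revoking a resource from capability lists means visiting every domain's
    # list, because the capabilities are distributed throughout the system.
    visited = 0
    for caps in clists.values():
        visited += 1
        caps.pop(resource, None)
    return visited  # how many lists had to be inspected

if __name__ == "__main__":
    acls, clists = to_acls(MATRIX), to_clists(MATRIX)
    print(acl_allows(acls, "File B", "User 3", "W"))   # False: User 3 has only R
    print(clist_revoke(clists, "File B"))              # 5: every C-list searched
```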
Implementing Capabilities
Kernel-space capability list (C-list)
– User programs use handles (e.g., file descriptors) to refer to them
Implementing Capabilities
Tagged architecture
• Memory words containing capabilities are tagged
– User programs can only read those words
– Only the kernel can change those words
Cryptographically-protected capabilities
• C-list is in user space, but
– the capability is formed cryptographically so that the user cannot tamper with it
– does not require hardware support
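The cryptographically-protected variant above, as an added example (not from the slides): the kernel issues a capability as plaintext fields plus a MAC computed under a key that never leaves the kernel, the user keeps the bytes in its own C-list, and any edit to the fields (say, turning R into RW) fails the MAC check when the capability is presented. The HMAC-SHA256 construction, field layout and key are my own choices for the demonstration.

```python
import hashlib
import hmac
import os

# Kernel-side secret, generated at "boot" for this demonstration (constructed).
# User space never sees it, so it cannot recompute a MAC over altered fields.
KERNEL_KEY = os.urandom(32)

def _mac(payload: bytes) -> bytes:
    return hmac.new(KERNEL_KEY, payload, hashlib.sha256).digest()

def kernel_grant(user: str, resource: str, privs: str) -> bytes:
    """Kernel issues a capability: readable fields followed by a MAC over them.
    The returned bytes live in the user's own (user-space) C-list."""
    payload = f"{user}|{resource}|{privs}".encode()
    return payload + b"|" + _mac(payload).hex().encode()

def kernel_check(cap: bytes, user: str, resource: str, op: str) -> bool:
    """Kernel validates a presented capability before honouring the request."""
    try:
        payload, tag_hex = cap.rsplit(b"|", 1)
        cap_user, cap_resource, cap_privs = payload.decode().split("|")
    except ValueError:
        return False                      # malformed: not a capability we issued
    if not hmac.compare_digest(_mac(payload).hex().encode(), tag_hex):
        return False                      # fields were altered or MAC was forged
    return cap_user == user and cap_resource == resource and op in cap_privs

if __name__ == "__main__":
    cap = kernel_grant("User 3", "File B", "R")
    print(kernel_check(cap, "User 3", "File B", "R"))      # True
    tampered = cap.replace(b"|R|", b"|RW|")                # user edits its own C-list
    print(kernel_check(tampered, "User 3", "File B", "W")) # False: MAC no longer matches
```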
Access Control
Protection can be applied to non-file resources
Solaris 10 provides role-based access control to implement least privilege
• A privilege is the right to execute a system call or use an option within a system call
• Can be assigned to processes
• Users are assigned roles granting access to privileges and programs
Role-based Access Control in Solaris
Revocation of Access Rights
Access List – Delete access rights from the access list
• Simple
• Immediate
Capability List – A scheme is required to locate the capability in the system before it can be revoked
Access Enforcement
Responsibilities of the security kernel
• Protecting identification and authorization information
• Enforcing access controls
Requirements
• Must run in protected mode
• As small and simple as possible
Paradox
• More powerful protection mechanism --> Larger and more complex security kernel --> More likely to have implementation bugs --> More security holes
The Security Problem
Security must consider the external environment of the system and protect the system resources
Intruders (crackers) attempt to breach security
A threat is a potential security violation
An attack is an attempt to breach security
An attack can be accidental or malicious
It is easier to protect against accidental than against malicious misuse
Security Violations
Categories
• Breach of confidentiality
• Breach of integrity
• Breach of availability
• Theft of service
• Denial of service
Methods
• Masquerading (breach of authentication)
• Replay attack
– Message modification
• Man-in-the-middle attack
• Session hijacking
Program Threats
Trojan Horse
• Code segment that misuses its environment
• Exploits mechanisms that allow programs written by one user to be executed by other users
• Spyware, pop-up browser windows, covert channels
Trap Door
• Specific user identifier or password that circumvents normal security procedures
• Could be included in a compiler
Logic Bomb
• Program that initiates a security incident under certain circumstances
Stack and Buffer Overflow
• Exploits a bug in a program (overflow of either the stack or memory buffers)
System and Network Threats
Virus
• Fragment of malicious code embedded in legitimate code
• Spread by copying an infected program over a network or floppy disk
Worm
• Capable of spreading itself from machine to machine
• A grappling hook program uploads the main worm program
Port scanning
• Automated attempt to connect to a range of ports on one or a range of IP addresses
Denial of Service
• Overload the targeted computer, preventing it from doing any useful work
• Distributed denial-of-service (DDoS) attacks come from multiple sites at once
Security Services
Authentication
Access Control
Confidentiality
Integrity
Security Mechanisms
Cryptography• Encryption/Decryption
– Symmetric Key
– Asymmetric Key (Public-key system)
• Entity or Message Authentication – Public-key and Hash function
• Digital Signature
• Key distribution