
Page 1: Operating Systems Security

04/19/23 Acc661 Aud of Adv Acctg Systems, Spring 2003 (Gangolly)

Operating Systems Security
• Design Objectives
• Protection by separation
• Memory and address protection
• Access control for general objects
• Directory
• Access control lists, matrix
• Capability
• File protection mechanisms
• User authentication, passwords
• Trusted OS

Page 2: Operating Systems Security


Design Objectives

• Access to resources
• Controlling unintentional and intentional corruption of data
• Protection of one user’s computation from interference from other users
  – Memory protection
  – File protection
  – General control of access to objects
  – User authentication

Page 3: Operating Systems Security


Protection by separation

• Physical separation: use of different objects

• Temporal separation: use of different times

• Logical separation: limiting program access to domains

• Cryptographic separation: concealment of data and computations

Page 4: Operating Systems Security


Memory and address protection
• Fence, fence register
  – Can protect the operating system from one user, but not users from each other
• Relocation (relocation factor)
• Base/bounds registers (variable fence register / upper address limit register)
  – For instruction code and for data space
• Tagged architecture: every word of machine memory has extra bits identifying access rights. Only OS instructions can set them.

Page 5: Operating Systems Security


Memory and address protection II

• Segmentation: program divided into segments, with each address represented as the pair <name, offset>. The OS maintains a table of segment names and their true addresses in memory. Segments can be non-contiguous and can be stored on auxiliary devices. Protection can be checked each time a segment is referenced. Fragmentation can be a problem.

• Paging: program divided into equal-sized pages that fit memory page frames, with each address represented as the pair <page, offset>

• Paging and segmentation
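As an added example (not from the slides), a translator for the segmented addressing scheme described above: a logical address <name, offset> is looked up in an OS segment table and the bounds and access rights are checked on every reference. The segment names, bases, lengths and rights are constructed sample data.

```python
# Added example, not from the slides: a translator for the segmented
# addressing scheme on slide 5. Segment names, bases, lengths and rights
# below are constructed sample data standing in for the OS segment table.
SEGMENT_TABLE = {
    # name: (true base address in memory, length, rights allowed on it)
    "code":  (0x1000, 0x400, {"read", "execute"}),
    "data":  (0x5000, 0x200, {"read", "write"}),
    "stack": (0x9000, 0x100, {"read", "write"}),
}


class ProtectionFault(Exception):
    """A reference outside a segment, or with a right the segment lacks."""


def translate(table, segment, offset, access):
    """Map a logical address <segment, offset> to a physical address.

    The check runs on every reference: the name must exist, the offset must
    lie inside the segment, and the requested access must be among the
    segment's rights. Any failure raises ProtectionFault before an address
    is produced, so a program cannot reach memory outside its own segments.
    """
    if segment not in table:
        raise ProtectionFault(f"no such segment {segment!r}")
    base, length, rights = table[segment]
    if not 0 <= offset < length:   # offset == length is already out of bounds
        raise ProtectionFault(f"offset {offset:#x} outside {segment!r}")
    if access not in rights:
        raise ProtectionFault(f"{access} not allowed on {segment!r}")
    return base + offset


def try_translate(table, segment, offset, access):
    """Same check, returning None on a fault (for callers that want to
    log the violation rather than abort)."""
    try:
        return translate(table, segment, offset, access)
    except ProtectionFault:
        return None
```

The per-segment rights here are the coarse-grained counterpart of the tagged architecture on slide 4, where the access bits travel with every word of memory instead.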

Page 6: Operating Systems Security


Access control for general objects

• Objects: memory, files, executing program in memory, directory, hardware device, data structures, table of the OS, instructions, passwords/user authentication mechanism, protection mechanism itself.

• Goals:
  – Check every access
  – Enforce least privilege
  – Verify acceptable usage

Page 7: Operating Systems Security


Directory

• File directory (problems) (Fig 4-10 and 4-11)
  – Shared objects (list becomes too long)
  – Revocation of access
  – Pseudonyms (two different files with the same name)

Page 8: Operating Systems Security


Access control list, matrix

• One list for each object (Fig 4-12)

• Access control matrix (Table 4-1)

Page 9: Operating Systems Security


Capability

• A ticket giving permission to a subject to have a certain type of access to an object
  – Server holds tickets on behalf of users
  – Encrypt capabilities under a key available only to the access control mechanism
• Domain or name space: each process/procedure operates in a domain
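As an added example (not from the slides), one access control matrix viewed three ways, tying together the access-control-list/matrix slide and the capability slide: the matrix itself, the per-object access control list, the per-subject capability list, and a capability ticket protected under a key that only the access control mechanism holds (an HMAC is used here for that key-protected ticket). The subjects, objects, rights and KEY are constructed sample data.

```python
# Added example, not from the slides: one access control matrix viewed as
# the matrix itself, as per-object access control lists and as per-subject
# capability lists, plus a capability ticket protected under a key that only
# the access control mechanism holds. Subjects, objects, rights and KEY are
# constructed sample data.
import hashlib
import hmac

KEY = b"held-only-by-the-access-control-mechanism"   # constructed secret

# Access control matrix (Table 4-1 style): rows are subjects, columns are objects.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "printer": {"execute"}},
    "bob":   {"payroll.db": {"read"}, "audit.log": {"read"}},
}


def acl(matrix, obj):
    """Column of the matrix: the access control list stored with one object."""
    return {s: sorted(row[obj]) for s, row in matrix.items() if obj in row}


def capabilities(matrix, subject):
    """Row of the matrix: the capability list held on behalf of one subject."""
    return {o: sorted(r) for o, r in matrix.get(subject, {}).items()}


def issue_ticket(subject, obj, right):
    """Mint a capability ticket. The HMAC under KEY stands in for the slide's
    "encrypt under a key available only to the access control mechanism":
    a user-held copy cannot be forged or have its rights edited."""
    ticket = f"{subject}|{obj}|{right}"
    tag = hmac.new(KEY, ticket.encode(), hashlib.sha256).hexdigest()
    return ticket, tag


def check_ticket(ticket, tag, wanted_obj, wanted_right):
    """Verify the tag first (constant-time compare), then that the ticket
    grants exactly the requested access on the requested object."""
    expected = hmac.new(KEY, ticket.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    _subject, obj, right = ticket.split("|")
    return obj == wanted_obj and right == wanted_right
```

Deleting bob's entry from MATRIX does not invalidate a ticket already issued to him; revocation, listed as a problem on the directory slide, needs its own mechanism (an expiry inside the ticket, or a check against the current matrix at use time).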

Page 10: Operating Systems Security


File Protection Mechanisms

• All-or-none protection

• Group protection

• Single permissions (password protection for files)

Page 11: Operating Systems Security


User Authentication

• Passwords, and how they are attacked:
  – Brute force
  – Probable passwords
  – Dictionary
  – Social engineering

Page 12: Operating Systems Security


Passwords

• Password selection criteria
  – Non-alphabetic (mixed)
  – Long
  – Avoid actual names
  – Change regularly
  – Don’t write it down
  – Don’t tell anyone
  – One-time passwords

Page 13: Operating Systems Security


Designing Trusted Operating Systems

• An OS is trusted if we have confidence that it provides the four services in a consistent and effective way:
  – Memory protection
  – File protection
  – General object access control
  – User authentication

Page 14: Operating Systems Security


Trusted vs. Secure Systems

Secure                                     | Trusted
-------------------------------------------|------------------------------------
Either-or                                  | Graded
Property of presenter                      | Property of receiver
Asserted based on product characteristics  | Judged based on evidence & analysis
Absolute                                   | Relative
A goal                                     | A characteristic

Page 15: Operating Systems Security


Security Policies I

• Military security policy
  – Top secret, Secret, Confidential, Restricted, Unclassified

• Compartment: contains information associated with a project

• Combination <rank, compartments> is called a class or classification of information

• A person seeking access to information must be cleared

Page 16: Operating Systems Security


Security Policies II
• Dominance:
  For subject s and object o,
    s ≤ o if and only if
      rank_s ≤ rank_o and
      compartments_s ⊆ compartments_o
  We say o dominates s.

Page 17: Operating Systems Security


Security Policies III
• A subject can read an object only if:
  – The clearance level of the subject is at least as high as the clearance level of the information
  – The subject has a need to know about all compartments for which the information is classified
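As an added example (not from the slides), the dominance relation and the read rule from Security Policies I to III carried through in code, with a class represented as the pair <rank, compartments>. The rank ordering follows the slide; the compartment names and the subjects and objects used in the checks are constructed.

```python
# Added example, not from the slides: the dominance relation and read rule
# from Security Policies I-III, carried through in code. Rank order follows
# the slide; compartment names and the subjects/objects used to exercise the
# functions are constructed. A class is a pair (rank, set of compartments).
RANKS = ["Unclassified", "Restricted", "Confidential", "Secret", "Top secret"]


def rank_level(rank):
    """Position of a rank in the ordering (higher index = more sensitive)."""
    return RANKS.index(rank)


def dominates(o, s):
    """o dominates s (s <= o) iff rank_s <= rank_o and
    compartments_s is a subset of compartments_o."""
    rank_o, comps_o = o
    rank_s, comps_s = s
    return rank_level(rank_s) <= rank_level(rank_o) and set(comps_s) <= set(comps_o)


def can_read(subject_clearance, object_class):
    """Read rule: the subject's clearance must dominate the object's class,
    i.e. clearance at least as high AND need-to-know for every compartment
    the information is classified under."""
    return dominates(subject_clearance, object_class)


def comparable(a, b):
    """Dominance is a partial order: two classes may be incomparable, e.g.
    (Secret, {A}) and (Confidential, {B}); then neither side may read the
    other's information."""
    return dominates(a, b) or dominates(b, a)
```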