Operating Systems Security
04/19/23 Acc661 Aud of Adv Acctg Systems, Spring 2003 (Gangolly)
Operating Systems Security
• Design objectives
• Protection by separation
• Memory and address protection
• Access control for general objects
• Directory
• Access control lists, matrix
• Capability
• File protection mechanisms
• User authentication, passwords
• Trusted OS
Design Objectives
• Controlled access to resources
• Controlling unintentional and intentional corruption of data
• Protection of one user's computation from interference by other users
– Memory protection
– File protection
– General control of access to objects
– User authentication
Protection by separation
• Physical separation: use of different objects
• Temporal separation: use of different times
• Logical separation: limiting program access to domains
• Cryptographic separation: concealment of data and computations
Memory and address protection
• Fence, fence register
– Can protect the operating system from one user, but not users from each other
• Relocation (relocation factor)
• Base/bounds registers (variable fence register / upper address limit register)
– Separate pairs for instruction code and for data space
• Tagged architecture: every word of machine memory has extra bits identifying access rights. Only OS instructions can set them.
Memory and address protection II
• Segmentation: the program is divided into segments, and an address is the pair <name, offset>. The OS maintains a table mapping segment names to their true addresses in memory. Segments can be non-contiguous and can be stored on auxiliary devices. Protection (bounds and access rights) can be checked each time a segment is referenced. Fragmentation can be a problem.
• Paging: the program is divided into equal-sized pages that are loaded into memory page frames of the same size; an address is the pair <page, offset>. Page boundaries carry no meaning to the programmer, so protection cannot be tied to logical units the way it can with segments.
• Paging and segmentation combined: segments give the logical units for protection, paging within each segment removes the fragmentation problem.
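The checks above as runnable code. This is an added example, not part of the slides: a software model of what a base/bounds or segmentation unit does on every reference, with paging inside each segment. The page size, the segment names and the two process layouts are assumptions chosen for illustration.

```python
# Added example (not from the slides): a software model of the address checks a
# segmentation/paging unit performs on every memory reference. The page size,
# segment names and the two process layouts below are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PAGE_SIZE = 256            # assumed page (and frame) size in bytes
R, W, X = 1, 2, 4          # access-right bits recorded in the segment table


class MemoryFault(Exception):
    """Raised when a reference fails a bounds, rights or presence check."""


@dataclass
class Segment:
    limit: int                    # valid offsets are 0 .. limit-1 (the 'bounds')
    rights: int                   # bitmask of R, W, X
    frames: List[Optional[int]]   # page table: page number -> physical frame, None = not resident


@dataclass
class Process:
    pid: int
    segments: Dict[str, Segment] = field(default_factory=dict)


def fence_allows(addr: int, fence: int) -> bool:
    """A single fence register only keeps user references above the fence.
    Every user program passes the same test, so users are not separated from each other."""
    return addr >= fence


def translate(proc: Process, seg_name: str, offset: int, access: int) -> int:
    """Map <segment, offset> to a physical address, enforcing bounds and rights
    on every reference and then paging within the segment."""
    seg = proc.segments.get(seg_name)
    if seg is None:
        raise MemoryFault(f"pid {proc.pid}: no segment {seg_name!r}")
    if not 0 <= offset < seg.limit:                      # base/bounds check
        raise MemoryFault(f"pid {proc.pid}: offset {offset} outside {seg_name!r} (limit {seg.limit})")
    if (seg.rights & access) != access:                  # per-segment protection
        raise MemoryFault(f"pid {proc.pid}: access {access:#x} denied on {seg_name!r}")
    page, page_off = divmod(offset, PAGE_SIZE)           # <page, offset> within the segment
    frame = seg.frames[page] if page < len(seg.frames) else None
    if frame is None:
        raise MemoryFault(f"pid {proc.pid}: page {page} of {seg_name!r} not resident")
    return frame * PAGE_SIZE + page_off


def build_demo_processes():
    """Two constructed processes; frame numbers are chosen so the layouts do not overlap."""
    a = Process(1)
    a.segments["code"] = Segment(limit=512, rights=R | X, frames=[3, 4])
    a.segments["data"] = Segment(limit=300, rights=R | W, frames=[7, None])   # page 1 swapped out
    b = Process(2)
    b.segments["code"] = Segment(limit=256, rights=R | X, frames=[9])
    b.segments["data"] = Segment(limit=256, rights=R | W, frames=[10])
    return a, b


def probe(proc: Process, seg_name: str, offset: int, access: int):
    """Return ('ok', physical address) or ('fault', reason) for one reference."""
    try:
        return "ok", translate(proc, seg_name, offset, access)
    except MemoryFault as e:
        return "fault", str(e)


if __name__ == "__main__":
    a, b = build_demo_processes()
    for args in [(a, "code", 10, X), (a, "code", 5, W), (a, "data", 5, W),
                 (a, "data", 260, R), (a, "data", 300, R), (b, "data", 5, R)]:
        print(args[1:], "->", probe(*args))
```

Process 1 cannot reach process 2's frames at all: every address it can form passes through its own segment table, and that table never names frames 9 or 10. A write into the code segment and a read past the end of the data segment are refused before any physical address exists; the reference to a swapped-out page is what a page fault handler would service.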
Access control for general objects
• Objects: memory, files, an executing program in memory, directories, hardware devices, data structures, tables of the OS, instructions, passwords and the user authentication mechanism, the protection mechanism itself
• Goals:
– Check every access (complete mediation)
– Enforce least privilege
– Verify acceptable usage
Directory
• File directory (problems) (Fig 4-10 and 4-11)– Shared objects (list becomes too long)– Revocation of access– Pseudonyms (two different files with the
same name)
Access control list, matrix
• Access control list: one list for each object, naming the subjects allowed access and their rights (Fig 4-12)
• Access control matrix: one row per subject, one column per object, each cell holding that subject's rights on that object (Table 4-1)
Capability
• A ticket giving a subject permission for a certain type of access to an object
– The server holds tickets on behalf of users
– Capabilities are encrypted (sealed) under a key available only to the access control mechanism, so a user cannot forge or alter one
• Domain or name space: each process/procedure operates in a domain, the set of objects it may access together with its rights on them
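The ACL/matrix slide and the capability slide describe two storings of one structure. As an added example that is not part of the slides, the block below builds one access control matrix, derives the ACL of an object (a column) and the capability list of a subject (a row), and implements a capability server that seals tickets with an HMAC under a key only it holds. Subjects, objects, rights and the revocation scheme (a per-object generation number) are assumptions for illustration.

```python
# Added example (not from the slides): one access control matrix, its two stored
# forms (an ACL per object, a capability list per subject), and a capability server
# that seals tickets under a key only it holds and revokes them with a per-object
# generation number. Subjects, objects and rights are constructed for illustration.
import hashlib
import hmac
import json
import os

# Row = subject, column = object, cell = set of rights (constructed sample).
MATRIX = {
    "alice": {"payroll.db": {"read", "write", "own"}, "ledger.txt": {"read"}},
    "bob":   {"ledger.txt": {"read", "write"}},
    "audit": {"payroll.db": {"read"}, "ledger.txt": {"read"}},
}


def acl_for(matrix, obj):
    """Column view: the access control list kept with the object."""
    return {subj: set(row[obj]) for subj, row in matrix.items() if obj in row}


def capability_list_for(matrix, subject):
    """Row view: the capability list kept for the subject."""
    return {obj: set(rights) for obj, rights in matrix.get(subject, {}).items()}


def check_acl(matrix, subject, obj, right):
    """Mediate one access by consulting the object's ACL."""
    return right in acl_for(matrix, obj).get(subject, set())


class CapabilityServer:
    """Holds tickets on behalf of users. A ticket names <subject, object, right,
    generation> and carries an HMAC under a key known only to this mechanism,
    so a user who receives one cannot alter or forge it."""

    def __init__(self, matrix, key=None):
        self._key = key or os.urandom(32)   # never leaves the access control mechanism
        self._matrix = matrix
        self._generation = {}               # object -> generation number

    def _seal(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()

    def issue(self, subject, obj, right) -> bytes:
        if right not in self._matrix.get(subject, {}).get(obj, set()):
            raise PermissionError(f"{subject} has no {right!r} on {obj!r}")
        body = json.dumps([subject, obj, right, self._generation.get(obj, 0)]).encode()
        return body + b"|" + self._seal(body)         # hex tag contains no '|'

    def verify(self, ticket: bytes, obj, right) -> bool:
        body, sep, tag = ticket.rpartition(b"|")
        if not sep or not hmac.compare_digest(self._seal(body), tag):
            return False                               # forged or altered
        _subject, t_obj, t_right, gen = json.loads(body)
        return t_obj == obj and t_right == right and gen == self._generation.get(obj, 0)

    def revoke_all(self, obj):
        """Tickets already handed out cannot be recalled one by one; bumping the
        object's generation invalidates every outstanding ticket for it."""
        self._generation[obj] = self._generation.get(obj, 0) + 1


if __name__ == "__main__":
    srv = CapabilityServer(MATRIX)
    ticket = srv.issue("bob", "ledger.txt", "write")
    print("ACL for ledger.txt:", acl_for(MATRIX, "ledger.txt"))
    print("bob's capabilities:", capability_list_for(MATRIX, "bob"))
    print("ticket valid:", srv.verify(ticket, "ledger.txt", "write"))
    srv.revoke_all("ledger.txt")
    print("after revocation:", srv.verify(ticket, "ledger.txt", "write"))
```

Revoking access under an ACL is deleting one entry; under capabilities the mechanism has no list of who holds a ticket, which is the revocation problem the directory slide names, so some indirection such as the generation number is needed. The tag is compared with `hmac.compare_digest` rather than `==` so a forged ticket is rejected in time independent of how many leading bytes happen to match.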
File Protection Mechanisms
• All-or-none protection
• Group protection
• Single permissions (password protection for files)
User Authentication
• Passwords, and how they are attacked:
– Brute force
– Probable passwords
– Dictionary
– Social engineering
Passwords
• Password selection criteria
– Non-alphabetic (mixed character types)
– Long
– Avoid actual names
– Change regularly
– Don't write it down
– Don't tell anyone
– One-time passwords
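The checkable criteria above, together with the "probable password" and dictionary attacks from the previous slide, as an added example that is not part of the slides. The checker expands a small constructed word list with the cheap mutations a dictionary attack tries before real brute force (capitalisation, leet substitution, appended digits and years); the word list, names, suffixes and minimum length are assumptions for illustration.

```python
# Added example (not from the slides): a checker for the password selection
# criteria, with a 'probable password' test that expands a small constructed
# word list using the mutations a dictionary attack tries first. The word list,
# names, suffixes and minimum length are constructed assumptions; a real screen
# uses breached-password lists with millions of entries.
import itertools

PROBABLE_WORDS = {"password", "welcome", "letmein", "qwerty", "spring", "ledger"}
NAMES = {"alice", "bob", "smith"}
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2003", "2023"]
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"})
MIN_LENGTH = 12


def mutations(word):
    """Yield the variants a dictionary attack derives from one word."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET),
             word.capitalize().translate(LEET)}
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix


def build_probable_set(words=None):
    """All mutations of all words, lower-cased so comparison is case-insensitive."""
    words = (PROBABLE_WORDS | NAMES) if words is None else set(words)
    return {m.lower() for m in itertools.chain.from_iterable(mutations(w) for w in words)}


def check_password(pw, probable=None):
    """Return the list of criteria the candidate fails (empty list = acceptable)."""
    probable = build_probable_set() if probable is None else probable
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if pw.isalpha():
        problems.append("alphabetic only")
    low = pw.lower()
    if low in probable:
        problems.append("probable password or a simple mutation of one")
    for name in sorted(NAMES):
        if name in low:
            problems.append(f"contains the name {name!r}")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "Spring2003", "L3dg3r2023", "correct-Horse7battery"]:
        print(f"{candidate!r}: {check_password(candidate) or 'acceptable'}")
```

Note that `L3dg3r2023` satisfies the "mixed characters" rule and still fails: leet spelling and an appended year are the first mutations any cracking wordlist applies, so they add almost nothing against a dictionary attack. Current guidance (NIST SP 800-63B) accordingly puts the weight on length and on screening against lists of known-compromised passwords rather than on composition rules or forced periodic changes.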
Designing Trusted Operating Systems
• An OS is trusted if we have confidence that it provides the following four services in a consistent and effective way:
– Memory protection
– File protection
– General object access control
– User authentication
Trusted vs. Secure Systems
| Secure | Trusted |
| --- | --- |
| Either-or | Graded |
| Property of presenter | Property of receiver |
| Asserted based on product characteristics | Judged based on evidence & analysis |
| Absolute | Relative |
| A goal | A characteristic |
Security Policies I
• Military security policy
– Ranks (sensitivity levels), from highest to lowest: Top Secret, Secret, Confidential, Restricted, Unclassified
• Compartment: contains information associated with a project
• The combination <rank, compartments> is called a class or classification of the information
• A person seeking access to information must be cleared for it
Security Policies II
• Dominance: for subject $s$ and object $o$,
$s \leq o$ if and only if $\mathrm{rank}(s) \leq \mathrm{rank}(o)$ and $\mathrm{compartments}(s) \subseteq \mathrm{compartments}(o)$.
We say $o$ dominates $s$.
Security Policies III
• A subject can read an object only if:
– The clearance level of the subject is at least as high as the classification level of the object
– The subject has a need to know for all compartments for which the object is classified
• Equivalently: the subject's clearance must dominate the object's classification
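The dominance relation and the read rule as runnable code, an added example that is not part of the slides. The rank order is the slide's; the clearances, classifications and compartment names are constructed. It goes one step beyond the slides in computing the least upper bound of two classes, which shows that classes under dominance form a lattice (and why two classes can be incomparable).

```python
# Added example (not from the slides): the dominance relation on
# <rank, compartments> classes and the read rule built on it. The rank order is
# the slide's; clearances, classifications and compartment names are constructed.
from typing import FrozenSet, NamedTuple

RANKS = ["Unclassified", "Restricted", "Confidential", "Secret", "Top Secret"]
LEVEL = {rank: i for i, rank in enumerate(RANKS)}   # total order on ranks


class Class(NamedTuple):
    rank: str
    compartments: FrozenSet[str]


def cls(rank: str, *compartments: str) -> Class:
    """Convenience constructor: cls('Secret', 'crypto', 'nuclear')."""
    return Class(rank, frozenset(compartments))


def dominates(a: Class, b: Class) -> bool:
    """a dominates b (written b <= a) iff rank(b) <= rank(a) and
    compartments(b) is a subset of compartments(a)."""
    return LEVEL[b.rank] <= LEVEL[a.rank] and b.compartments <= a.compartments


def can_read(clearance: Class, classification: Class) -> bool:
    """Read rule: a subject may read an object only if the subject's clearance
    dominates the object's classification (rank high enough, and need to know
    for every compartment the object carries)."""
    return dominates(clearance, classification)


def least_upper_bound(a: Class, b: Class) -> Class:
    """Lowest class that dominates both a and b: the higher rank with the union
    of compartments. An object combining information from a and b must carry it."""
    top = a if LEVEL[a.rank] >= LEVEL[b.rank] else b
    return Class(top.rank, a.compartments | b.compartments)


if __name__ == "__main__":
    analyst = cls("Secret", "crypto")
    for obj in [cls("Confidential", "crypto"), cls("Secret", "nuclear"), cls("Top Secret", "crypto")]:
        print(analyst, "reads", obj, "->", can_read(analyst, obj))
    print("LUB:", least_upper_bound(cls("Secret", "crypto"), cls("Top Secret", "nuclear")))
```

The second and third objects in the demo are refused for different reasons: the Secret/nuclear object is not in a compartment the analyst needs to know, and the Top Secret/crypto object is ranked above the clearance. Neither of those two objects dominates the other, so the relation is only a partial order; their least upper bound, Top Secret with both compartments, is the class a report drawing on both would have to carry.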