protection and security. 2 operating system consists of a collection of objects, hardware or...
TRANSCRIPT
Protection and Security
2
Protection and Security
• Operating system consists of a collection of objects, hardware or software
• Each object has a unique name and can be accessed through a well-defined set of operations (hopefully)
• Protection and security problem - ensure that each object is accessed correctly and only by those processes of authorized users that are allowed to do so
3
Protection and Security – cont.
• OS designer faces challenge of creating a protection scheme that cannot be bypassed by any software that may be created in the future
• Networking adds to the problem as it allows access to a computer and its resources without being in the same physical location
• See next frame
4
Protection – Internal Access Authorization
5
Policy vs. Mechanism
• An organization’s security policy defines the rules for authorizing access to its computers and information resources– A particular strategy that dictates the way a
mechanism is used to achieve specific goals
• Protection mechanisms are tools for implementing the organization’s security policy
6
Policy & Mechanism
• A security policy is a strategy that dictates the way a mechanism is used to achieve a specific goal– Accountants have access to payroll files– OS processes have access to the page table– Client process has access to information provided by a
server
• A protection mechanism is a set of components used to implement any one of different sets of strategies– Authentication– Authorization– Cryptography
7
Policy & Mechanism – cont.
• Example - Computers in lab– Policy: can only be used by students registered
for graduate classes– Mechanism: authentication via username and
password; set up via class list and request
– Policy: students may only have N bytes of storage space
– Mechanism: establish a quota system on disk
8
Policy & Mechanism – cont.
• The security policy specifies the ways resources should be shared among members of the organization and with members external to the organization
• The mechanism is the specific steps and tools provided by the system to enforce the policy
9
Security Goals
Resource X
Resource W
Resource Y
Resource Z
Process A
Process B
Process C
• Authentication• Authorization
read
read/write read
read/write
Machine X
Machine Y
10
Implementing Policy & Mechanism
• Policies selected by system administrators – after the OS and protection mechanisms have been designed and implemented
• OS designer must foresee all the policies that may be selected and implement the mechanisms accordingly
• Very difficult task – usually handled by sending out patches as security holes are found
11
The Security Problem
• Security must consider external environment of the system, and protect it from– unauthorized access.– malicious modification or destruction– accidental introduction of inconsistency.
• Easier to protect against accidental than malicious misuse
12
Authentication Mechanisms
• Basis of most protection mechanisms
• Two types of authentication– External: verify the user
• Usually username/password combination
• May require two passwords or other identification
– Internal: verify the process• Don’t allow one users process to appear to be that of
another user
• Network access accentuates the problem– Is the computer who it says it is?
13
User Authentication
• Three types of authentication:– Something a user knows
• e.g. a password, a combination, answers to personal questions
– Something a user has• e.g. a badge, a smart card, a key
– Something a user is• e.g. fingerprint, signature, voice print, hand geometry,
retinal blood vessel pattern
14
Authentication
• User identity most often established through passwords, can be considered a special case of either keys or capabilities.
• Passwords must be kept secret.– Frequent change of passwords.– Use of “non-guessable” passwords.– Log all invalid access attempts.
• Encryption
15
User Authentication
• Possible mechanisms– Recognize repeated login attempts
• Disconnect after some threshold is reached
• Disregard correct passwords after some threshold of failures has been reached
• Make login process slow – handle computer generated attempts
16
Network Authentication
• Need to be able to communicate between computers without significantly increasing the overhead involved
• Most typical access is for file transport– Email– Messages– File downloading– Obtaining network services
17
Program Threats
• Trojan Horse– Code segment that misuses its environment.– Exploits mechanisms for allowing programs
written by users to be executed by other users.
• Trap Door– Specific user identifier or password that
circumvents normal security procedures.– Could be included in a compiler.
18
System Threats
• Worms – use spawn mechanism; standalone program• Internet worm
– Exploited UNIX networking features (remote access) and bugs in finger and sendmail programs.
– Grappling hook program uploaded main worm program.
• Viruses – fragment of code embedded in a legitimate program.– Mainly effect microcomputer systems.– Downloading viral programs from public bulletin boards or
exchanging floppy disks containing an infection.– Safe computing.
19
The Morris Internet Worm
20
The confinement problem
• How do we prevent a program from leaking information to others?
• It is not as simple as preventing IPC and I/O
• A covert channel is a hidden means of communication information– e.g. sending bits by manipulating the CPU load
21
Threat Monitoring
• Check for suspicious patterns of activity – i.e., several incorrect password attempts may signal password guessing.
• Audit log – records the time, user, and type of all accesses to an object; useful for recovery from a violation and developing better security measures.
• Scan the system periodically for security holes; done when the computer is relatively unused.
22
Threat Monitoring – cont.
• Check for:– Short or easy-to-guess passwords
– Unauthorized set-uid programs
– Unauthorized programs in system directories
– Unexpected long-running processes
– Improper directory protections
– Improper protections on system data files
– Dangerous entries in the program search path (Trojan horse)
– Changes to system programs: monitor checksum values
23
Kerberos Network Authentication
• A set of network protocols used to authen-ticate access to a computer by a user at a different computer using an unsecure network
• Assumes information over network could be tampered with
• Does not assume OS on either machine is secure
• Developed at MIT in 80’s; widely used
24
Kerberos
AuthenticationServer
Client
Server• Client asks authentication server for credentials of the server process
25
Kerberos
AuthenticationServer
Client
Server
Client ID
Session Key
Session Key
Encrypted for clientEncrypted for server
Ticket
• Authentication server returns the credentials as ticket & session key with key encrypted using client key
26
Kerberos
AuthenticationServer
Client
Server
Client ID
Session Key
Session Key
Encrypted for clientEncrypted for server
Ticket Session Key
• Client decrypts ticket & key; keeps copy of session key• Sends copy of ticket to server
27
Kerberos
Client
Server
Client ID
Session Key
Session Key
Encrypted for clientEncrypted for server
Ticket
Client ID
Session Key
Ticket
Session Key
Client ID
Session Key
• Server decrypts copy of ticket to obtain secure copy of client ID and session key
AuthenticationServer
28
Kerberos Authentication
• Once these steps completed, client and server processes both have copy of session key and can begin secure communication
• Authentication server MUST be trusted– It has copy of client’s ID, knows how to encrypt
info that only client can decrypt, knows how to encrypt info that only server can decrypt, and can create unique session key
29
Authorization
• Is this user/process allowed to access the resource under the current policy?
• What type of access is allowable?– Read– Write– Execute– Append
30
Internal Access Authorization
• Internal authorization is part of the task of managing resource sharing– The goal is to protect one process’s resources
from the actions of other processes
31
Protection Problems
• Sharing parameters– Process calls procedure in another process’s
address space, which then modifies parameters, so that when original process regains control, variables in its address space have been changed
• Confinement– Contain all rights to resources so that they do not
propagate outside some chosen set of processes
32
Protection Problems – cont.
• Allocating rights– A process provides another process with specific
rights to use its resources; should be a temporary allocation; but what if 2nd process passes those rights on to other processes without knowledge or permission of original process (the owner of the resource)
• Trojan horse– Special case of allocating rights: client process
invokes a service program which then takes advantage of the client’s process rights
33
Lampson’s Protection Model
• Active parts (e.g., processes or threads)– Act on behalf of users– Operate in different protection domains
• The set of rights a process has at any given time
– Subject is a process executing in a specific domain
• Passive parts are called objects– Correspond to resources– NOTE: not related to OOP terminology
34
Model
• Want mechanism to implement different security policies for subjects to access objects– Many different policies must be possible– Policy may change over time
35
Protection System
• Composed of– Set of objects– Set of subjects– Set of rules specifying protection policy
• Represents accessibility of objects by subjects
• Guarantees that the protection state is checked for each access of an object by a subject
36
A Protection System
Subjects
XS
Objects
• S desires access to X
37
A Protection System
Subjects
XS
Objects
ProtectionState
• S desires access to X• Protection state reflects current ability to access X
38
A Protection System
Subjects
XS
Objects
ProtectionState
StateTransition• S desires access to X
• Protection state reflects current ability to access X• Authorities can change
39
A Protection System
Subjects
XS
Objects
ProtectionState
StateTransition
Rules
• S desires access to X• Protection state reflects current ability to access X• Authorities can change• What are rules for changing authority?
40
A Protection System
Subjects
XS
Objects
ProtectionState
StateTransition
Rules
Policy
• S desires access to X• Protection state reflects current ability to access X• Authorities can change• What are rules for changing authority?•How are the rules chosen?
41
Access Matrix
• The protection state can be represented using an access matrix– An access matrix A has one row for each subject and one
column for each object• Note: subjects are also objects (processes controlling processes)
– Each entry A[S, X] is a set that describes the access rights held by subject S to object X
• Access authentication– If subject S initiates type access to X then
if A[S,X], the access is valid. If a A[S, X], the access is invalid.
42
Protection System Example
S X
• S desires access to X
43
Protection System Example
S
X
Access matrix
S X
• S desires access to X• Captures the protection state
44
Protection System Example
S
X
Access matrix
SAccess
authentication
(S,
, X)
X
• S desires access to X• Captures the protection state• Generates an unforgeable ID
45
Protection System Example
S
X
SAccess
authenticationMonitor
(S,
, x)
X
• S desires access to X• Captures the protection state• Generates an unforgeable ID• Checks the access against the protection state
46
Example
• Suppose simple system– Subjects = {S1, S2, S3}
– Objects = subjects {F1, F2, D1, D2}• F represent files, D devices
• Let the access matrix be
S1
S2
S3
S1 S2 S3 F1 F2 D1 D2
control
control
control
blockwakeupowner
controlowner
stop
delete executeowner
owner update owner seek*
read*write*
seek owner
47
Example – cont.
• The * is called a copy flag
• It allows the process to transfer an access right to another process
48
Example – cont.
• If S2 attempts to update access to F2
– It initiates access– Causing protection system to create record of
form (S2, update, F2)
– Record given to monitor for F2
– Monitor checks access table
– Since access is valid, S2 is allowed to update F2
49
Example – cont.
• If S2 attempts execute access to F2
– It initiates access– Causing protection system to create record of
form (S2, execute, F2)
– Record given to monitor for F2
– Monitor checks access table
– Since access is invalid, S2 is not allowed to execute F2
– Violation is reported to OS
50
Changing Protection State
Subjects
XS
Objects
ProtectionState
StateTransition
Rules
Policy
Handling state changes
51
Policy Rules Example
S1
S2
S3
S1 S2 S3 F1 F2 D1 D2
control
control
control
blockwakeupowner
controlowner
stop
delete executeowner
owner update owner seek*
read*write*
seek owner
Rule Command by S0 Authorization Effect1 transfer(|*) to (S, X) *A[S0, X] A[S, X] = A[S, X]{|*}2 grant(|*) to (S, X) ownerA[S0, X] A[S, X] = A[S, X]{|*}3 delete from (S, X) controlA[S0, S] A[S, X] = A[S, X]-{}
orownerA[S0, X]
Rules for a Particular Policy
52
Policy Rules Example• The policy rules determine who controls the
propagation of the various types of access• Access may be
– Transferred: process must have copy flag for right– Granted: process must be owner of object
» Don’t need copy flag
– Deleted: process must own or control object• Example: rule 1 determines what rights can be
transferred from one process to another• Command: transfer(|*) to (S, X)• Authorization: *A[S0, X]
– S1 can transfer read or read* access to S2 or S3 for F1 because S1 has the copy flag set
53
Protection State
• The copy flag and rules are designed to prevent indiscriminate propagation of access rights among subjects
• Right can only be propagated when owner transfers copy flag to another subject– Subject may then transfer right with or without
copy flag– This transfer may be nondestructive (first subject
keeps access) or destructive (first subject loses access)
54
Results of Rules
• These rules (along with a few others) define a protection system that addresses the problems mentioned earlier:– Masquerading: subject must be authenticated and
given unforgeable signature– Confinement and allocating rights: rights are
restricted to a designated set of subjects• An untrusted subsystem must be memoryless
(confined with respect to its ability to retain information or leak it to other subjects)
55
Results of Rules – cont.
– Sharing of parameters: allow only indirect access to objects by untrusted subjects
• Create gatekeeper subject to protect object from unwanted accesses by untrusted subjects
– Trojan horses: problem caused by process assuming rights of another while acting on its behalf
• this model distinguishes between two processes using the same rights on different subjects
• Many rule sets may solve problem for specific policies, but don’t guarantee solution independent of policy
56
Cost of Protection Mechanisms
• Basic protection model requires that each resource access be passed through a monitor before request can be granted
• This may introduce a substantial performance cost
• Need to decide if performance hit is justified
• If information MUST be secure, the cost of performance is not an issue
57
Implementing Internal Authorization
• Protection model describes logical set of components that can be used– What implementations are cost effective?– How can an access matrix be implemented efficiently?
• Need to consider– Access matrix not only possible representation– Access matrix must be secured; only read and written by
selected processes– Goal is to route all accesses through protection monitor– Protection system should be able to authenticate the
source of each request– Monitor must be protected process to implement the rules
• Must not be possible for other subjects to compromise monitor
58
Protection Domain
• The particular set of rights a process has at any given time
• Two level domain architecture– Supervisor domain: has more rights than user– User domain: fewer rights than supervisor
User domain
Supervisor domain
59
Protection Domains
• The two-level domain can be generalized to a set of N concentric rings– Domain ring architecture for protection
R0
RS+1
RN-1
The innermost rings have more rights thanthe outermost ones
60
Protection Domains – cont.
• Inner rings have higher authority– Ring 0 corresponds to supervisor mode– Rings 1 to S have decreasing protection, and
are used to implement the OS– Rings S+1 to N-1 have decreasing protection,
and are used to implement applications
• Lampson model uses processes and domains -- how is a domain implemented?– Supervisor/user hardware mode bit– Software extensions -- rings
61
Protection Domains – cont.
• Ring crossing is a domain change
• Inner ring crossing rights amplification– Specific gates for crossing– Protected by an authentication mechanism
• Outer ring crossing uses less-protected objects– No authentication– Need a return path– Used in Multics and Intel 80386 (& above)
hardware
62
Implementing Access Matrix• Usually a sparse matrix
– Too expensive to implement as a table– Implement as a list of table entries
• Column oriented list is called an access control list (ACL)– List kept at the object– UNIX file protection bits are one example
• Row oriented list is a called a capability list– List kept with the subject (i.e., process)– Kerberos ticket is a capability
63
Unix Protection Scheme
• Mode of access: read, write, execute
• Three classes of users
RWX
a) owner access 7 1 1 1RWX
b) groups access 6 1 1 0
RWX
c) public access 1 0 0 1
64
Protection Domains
• A capability is a unique, global name for an access right to an object in the system
• A protection domain is a set of capabilities to perform certain actions on certain objects
• A process can move from protection domain to protection domain so, at any point, it has exactly the capabilities it needs for the current job (the principle of least privilege)
• This is more flexible than associating capabilities directly with a process
65
More on Capabilities
• Provides an address to object from a very large address space
• Possession of a capability represents authorization for access
• Implied properties:– Capabilities must be very difficult to guess– Capabilities must be unique and not reused– Capabilities must be distinguishable from
randomly generated bit patterns
66
Cryptography
• Even in secure OS, information will sometimes be temporarily unprotected– Ex.: while being transferred from one part of
OS to another, as in Kerberos authentication strategy
• Information can be encoded using a key when it is written (or transferred) -- encryption
• It is then decoded using a key when it is read (or received) -- decryption
67
More on Cryptography
plaintext ciphertext
encryption
decryption
68
Two Basic Strategies
• Details of encryption and decryption are unknown– Functions are complex making it difficult to
guess how translation is accomplished
• Details are known, but the keys are secret and difficult to forge– Difficult to guess a key
69
More on Cryptography
plaintext plaintextEncryptEncrypt DecryptDecrypt
Ke Kd
C = EKe(plaintext)
• Ke = encryption key• Kd = decryption key
70
More on Cryptography
plaintext EncryptEncrypt DecryptDecrypt
Ke Kd
C = EKe(plaintext)
InvaderInvaderSide information plaintext
plaintext
71
Cryptographic Systems
Cryptographic Systems
Conventional Systems Modern Systems
Private Key Public Key
•Ke and Kd are essentially the same
•Ke and Kd are private
•Ke is public•Kd is private
72
Encryption
• Encrypt clear text into cipher text.• Properties of good encryption technique:
– Relatively simple for authorized users to encrypt and decrypt data.
– Encryption scheme depends not on the secrecy of the algorithm but on a parameter of the algorithm called the encryption key
– Extremely difficult for an intruder to determine the encryption key
• Data Encryption Standard substitutes characters and rearranges their order on the basis of an encryption key provided to authorized users via a secure mechanism. Scheme only as secure as the mechanism.
73
Encryption - cont.
• Public-key encryption based on each user having two keys:– public key – published key used to encrypt data.– private key – key known only to individual user used to
decrypt data.
• Must be an encryption scheme that can be made public without making it easy to figure out the decryption scheme.– Efficient algorithm for testing whether or not a number is
prime.– No efficient algorithm is known for finding the prime
factors of a number.
74
Public Key Cryptography
• Clear text encrypted by public key can be decrypted by private key, and vice versa
• Two users can generate authenticated, private communications– Information is signed by user 1 and encrypted
with user 1’s private key– The entire message is then encrypted with user
2’s public key and transmitted– User 2 then decrypts using user 2’s private key
and then with user 1’s public key