chap4: protection in general- purpose operating systems
TRANSCRIPT
SE571Security in Computing
Chap4: Protection in General-Purpose Operating Systems
SE571 Security in Computing Dr. Ogara2
Objectives Protection features provided by
general-purpose operating systems: protecting memory, files, and the execution environment
Controlled access to objects User authentication
SE571 Security in Computing Dr. Ogara3
Operating System Functions
• access control • identity and credential management • information flow • audit and integrity protection
Each of these activities has security implications
SE571 Security in Computing Dr. Ogara4
Memory Protection Protection can be built into the
hardware mechanisms that control efficient use of memory
SE571 Security in Computing Dr. Ogara5
Memory Protection Types of memory protection
• Fences• Relocation• Base/bound registers• Tagged architecture• Segmentation• Paging• Combined paging with segmentation
SE571 Security in Computing Dr. Ogara6
Types of Memory Protection
Fence• Used to confine users to one side of a
boundary• Simplest form of memory protection was
introduced in single-user operating systems • Provide a lower bound (a starting address)
but not an upper one• Fences may be fixed or variable
SE571 Security in Computing Dr. Ogara7
Types of Memory Protection
• Problem very restrictive because a predefined amount of
space was always reserved for the operating system, whether it was needed or not. If less than the predefined space was required, the excess space was wasted. Conversely, if the operating system needed more space, it could not grow beyond the fence boundary.
SE571 Security in Computing Dr. Ogara8
Types of Memory Protection
Fixed Fence• Used to confine users to one side of a
boundary• simplest form of memory protection was
introduced in single-user operating systems
SE571 Security in Computing Dr. Ogara9
Types of Memory Protection
Variable Fence• Uses fence register containing the address
of the end of the operating system.• location of the fence can be changed• A fence register protects only in one
direction. In other words, an operating system can be protected from a single user, but the fence cannot protect one user from another user
SE571 Security in Computing Dr. Ogara10
Figure 4-1 Fixed Fence.
SE571 Security in Computing Dr. Ogara11
Figure 4-2 Variable Fence Register.
SE571 Security in Computing Dr. Ogara12
Types of Memory Protection
Relocation• process of taking a program written as if it
began at address 0 and changing all addresses to reflect the actual address at which the program is located in memory
SE571 Security in Computing Dr. Ogara13
Types of Memory Protection
Base/Bounds Registers /Second Registers• Upper address limit, in the same way that a
base or fence register is a lower address limit
• Provides an upper bound that can be useful in knowing how much space is allotted and in checking for overflows into “forbidden” areas
• Protects outside users from errors in any other user’s program
SE571 Security in Computing Dr. Ogara14
Figure 4-3 Pair of Base/Bounds Registers.
SE571 Security in Computing Dr. Ogara15
Types of Memory Protection
Tagged Architecture • every word of machine memory has one or
more extra bits to identify the access rights to that word
SE571 Security in Computing Dr. Ogara16
Figure 4-5 Example of Tagged Architecture.
SE571 Security in Computing Dr. Ogara17
Types of Memory Protection
Segmentation• Involves the simple notion of dividing a
program into separate pieces. Each piece has a logical unity, exhibiting a relationship among all of its code or data values
• Allows a program to be divided into many pieces having different access rights
• Each segment has a unique name
SE571 Security in Computing Dr. Ogara18
Types of Memory Protection
Segmentation• Security benefits
Segmentation offers these security benefits: Each address reference is checked for
protection. Many different classes of data items can be
assigned different levels of protection. Two or more users can share access to a
segment, with potentially different access rights. A user cannot generate an address or access to
an unpermitted segment.
SE571 Security in Computing Dr. Ogara19
Types of Memory Protection
Paging• program is divided into equal-sized pieces
called pages, and memory is divided into equal-sized units called page frames
• all pages in the paging approach are of the same fixed size, so fragmentation is not a problem
• Each page can fit in any available page in memory, and thus there is no problem of addressing beyond the end of a page
SE571 Security in Computing Dr. Ogara20
Types of Memory Protection
Combined Paging with Segmentation • Combines two approaches• Paging offers implementation efficiency,
while segmentation offers logical protection characteristics
SE571 Security in Computing Dr. Ogara21
Control of Access to General Objects
Objects which need protection • memory • a file or data set on an auxiliary storage
device • an executing program in memory • a directory of files • a hardware device • a data structure, such as a stack
SE571 Security in Computing Dr. Ogara22
Control of Access to General Objects
Objects which need protection • a table of the operating system • instructions, especially privileged
instructions • passwords and the user authentication
mechanism • the protection mechanism itself
SE571 Security in Computing Dr. Ogara23
Control of Access to General Objects
Directory• Works like file directory • Listing of objects accessible by a single
subject• Each user has a file directory, which lists all
the files to which that user has access.• Every file has a unique owner who
possesses “control” access rights• Rights to files: read, write, and execute
SE571 Security in Computing Dr. Ogara24
Figure 4-10 Directory Access.
SE571 Security in Computing Dr. Ogara25
Control of Access to General Objects
Access Control List • A table identifying subjects that can access
a single object • Each object and the list shows all subjects
who should have access to the object and what their access is
• Each object has one access control list• Directory is created for each object
SE571 Security in Computing Dr. Ogara26
Figure 4-12 Access Control List.
SE571 Security in Computing Dr. Ogara27
Control of Access to General Objects
Access Control Matrix • A table in which each row represents a
subject, each column represents an object, and each entry is the set of access rights for that subject to that object
• Most subjects do not have access rights to most objects
• Implementation is rarely used
SE571 Security in Computing Dr. Ogara28
Control of Access to General Objects
Capability • Is an unforgeable token that gives the
possessor certain rights to an object• Is a ticket that gives permission to a subject
to have a certain type of access to an object• For the capability to offer solid protection,
the ticket must be unforgeable
SE571 Security in Computing Dr. Ogara29
Control of Access to General Objects
Kerberos • Kerberos implements both authentication
and access authorization by means of capabilities, called tickets, secured with symmetric cryptography
• Requires two systems, called the authentication server (AS) and the ticket-granting server (TGS), which are both part of the key distribution center (KDC)
SE571 Security in Computing Dr. Ogara30
Control of Access to General Objects
Kerberos • A user presents an authenticating credential
(a password) to the authentication server and receives a ticket (encrypted) showing that the user has passed authentication
• Uses shared encryption keys• Implements single sign-on
user signs on once and after that user’s actions are authorized without the user signing on again.
SE571 Security in Computing Dr. Ogara31
Control of Access to General Objects
Procedure-Oriented Access Control • Procedure that controls access to objects• Procedure forms a capsule around the
object, permitting only certain specified accesses
• Implements the principle of information hiding because implementing an object are known only to the object’s control procedure
SE571 Security in Computing Dr. Ogara32
Control of Access to General Objects
Role-Based Access Control • Allows us to associate privileges with
groups, for example, administrators vs. regular users (lower privilege)
SE571 Security in Computing Dr. Ogara33
File Protection Mechanisms Forms of Protection
• All-none protection User can read, modify, or delete a file belonging
to any other user/OS files
SE571 Security in Computing Dr. Ogara34
File Protection Mechanisms Forms of Protection
• Group protection Identify group of users, for example, Windows
Administrators Power users Users Guests
A user is recognized by two identifiers (usually numbers): a user ID and a group ID
SE571 Security in Computing Dr. Ogara35
File Protection Mechanisms Individual Permissions
• Persistent permissions• Temporary acquired permissions• Per-object and per-user protection
SE571 Security in Computing Dr. Ogara36
User Authentication Authentications in organizations and
systems• Documents• Voice recognition• Fingerprint• Retina matching
SE571 Security in Computing Dr. Ogara37
User Authentication Authentications uses any of three qualities to
confirm a user’s identity• Something the user knows - Passwords, PIN numbers,
passphrases, a secret handshake, and mother’s maiden name are examples of what a user may know.
• Something the user has- Identity badges, physical keys, a driver’s license, or a uniform are common examples of things people have that make them recognizable.
• Something the user is(biometrics) - are based on a physical characteristic of the user, such as a fingerprint, the pattern of a person’s voice, or a face (picture).