CHAPTER 4 Protection in General-Purpose Operating Systems (c) by Syed Ardi Syed Yahya Kamal, UTM 2004 1

Objectives

Identify the protection features provided by the operating system.

Explain the need for protection and controls in the OS.

Define memory and address protection in a general-purpose OS.

Explain the file protection mechanisms in an OS.

Discuss what user authentication is and understand the need for authentication in a general-purpose OS.

Protected Objects and Methods of Protection

A bit of history: once upon a time there were no operating systems. Executives were designed to assist individual programmers and to smooth the transition from one user to another. Monitors maintained control over all resources.

Protected Objects

The rise of multiprogramming meant that several aspects of the system required protection:

Memory

Sharable I/O devices, such as disks

Serially reusable I/O devices, such as printers

Sharable programs

Network

Sharable data

Security Methods of OS

The basis of protection is separation: keeping one user's objects separate from those of other users. Separation can occur in several ways:

physical separation, in which different processes use different physical objects, such as separate printers for output requiring different levels of security

temporal separation, in which processes having different security requirements are executed at different times

logical separation, in which users operate under the illusion that no other processes exist, as when an operating system constrains a program's accesses so that the program cannot access objects outside its permitted domain

cryptographic separation, in which processes conceal their data and computations in such a way that they are unintelligible to outside processes

Security Methods of OS (cont)

Levels of protection:

Do not protect

Isolate

Share all or share nothing

Share via access limitation

Share by capability

Limit use of an object

Memory and Address Protection

Fence: introduced in single-user OS to prevent a faulty user program from destroying part of the resident portion of the OS.

Fence register: the location of the fence can be changed.

[Figure: memory map with the OS occupying addresses 0 to n and the user program space from n + 1 up to the high end of memory; the fence sits at address n.]

Memory and Address Protection (cont)

Relocation: the process of taking a program written as if it began at address 0 and changing all its addresses to reflect the actual address at which the program is located in memory.

Memory and Address Protection (cont)

Base/bounds registers: provide a base, or starting, address. All addresses inside a program are offsets from the base address.

[Figure: memory map with the operating system at the bottom and the program spaces of User A, User B and User C above it; each user's space is delimited by a base register and a bounds register.]
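The relocation and base/bounds checking described on the last three slides, as an added software model (this is example code written for this transcript, not from the slides or the textbook; the memory sizes and addresses are constructed):

```python
# Added example (not from the slides): a software model of relocation with
# base/bounds registers. A program is written as if it started at address 0;
# each address it generates is an offset that is added to the base register
# and checked against the bounds register before memory is touched.
# All sizes and addresses are constructed for illustration.

class ProtectionFault(Exception):
    pass   # raised for an access outside the process's [base, bounds) window


class Process:
    def __init__(self, name, base, bounds):
        self.name, self.base, self.bounds = name, base, bounds

    def translate(self, offset):
        """Relocate a program-relative offset to a physical address, or fault."""
        physical = self.base + offset
        if offset < 0 or physical >= self.bounds:
            raise ProtectionFault(f"{self.name}: offset {offset} is outside "
                                  f"[{self.base}, {self.bounds})")
        return physical


class Memory:
    # Physical memory: the OS owns [0, os_size); user spaces sit above it.
    def __init__(self, size, os_size):
        self.cells = [0] * size
        self.next_free = os_size

    def load(self, name, program_size):
        """Place a process contiguously and hand it its base/bounds pair."""
        base, bounds = self.next_free, self.next_free + program_size
        self.next_free = bounds
        return Process(name, base, bounds)

    def write(self, proc, offset, value):
        self.cells[proc.translate(offset)] = value

    def read(self, proc, offset):
        return self.cells[proc.translate(offset)]


def demo():
    mem = Memory(size=1024, os_size=256)
    a = mem.load("User A", 100)          # physical [256, 356)
    b = mem.load("User B", 100)          # physical [356, 456)
    mem.write(a, 10, 42)                 # A's offset 10 -> physical 266
    mem.write(b, 10, 99)                 # same offset, B's own cell 366
    out = {"a": mem.read(a, 10), "b": mem.read(b, 10), "a_phys": a.translate(10)}
    try:
        mem.write(a, 120, 1)             # offset 120 would land at 376, inside B
        out["overrun"] = "allowed"
    except ProtectionFault:
        out["overrun"] = "blocked"       # the bounds check stops it
    return out
```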

Memory and Address Protection (cont)

Tagged architecture: every word of machine memory has one or more bits that identify the access rights to that word. The access bits are set only by OS instructions.

Tag   Memory Word
R     0001
RW    0137
X
RW    4091

Memory and Address Protection (cont)

Segmentation: dividing a program into separate pieces. Each piece is a logical unit, with a relationship among all the code or data values in it.

Advantages and benefits ???

[Figure: a program's logical segments (MAIN, SUB, SEG_A, DATA_SEG) and their placement among the OS segments in physical memory.]

Memory and Address Protection (cont)

Paging: an alternative to segmentation. The program is divided into equally sized pieces called pages. The fixed size means there is no fragmentation problem. Refer to Figure 4-9, page 195.

Control of Access to General Objects

Objects to protect:

Memory

File or data on an auxiliary storage device

Hardware device

A table of the OS

Data structure such as a stack

The protection mechanism itself

etc.

Control of Access to General Objects (cont)

Complementary goals in protecting objects:

Check every access – so that a user's privilege can be revoked

Enforce least privilege – give every user only the access its task requires

Verify acceptable usage – a yes-no decision

Control of Access to General Objects (cont)

Directory: protect objects by using the file directory mechanism. No user is allowed to write in the file directory, so a user cannot forge access to a file. The OS maintains all file directories, under commands from the owners of files. The access rights are read, write and execute.

Control of Access to General Objects (cont)

Access Control List: a list of who should have access to the object and what their access is. An access control matrix is used to maintain it.

          Bibliog.c   Help.txt   Printer   Sys_Clock
User A    ORW         R          W         R
User S    R           R          W         R
Sys_Mgr   -           RW         O         ORW
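The access control matrix above, held as a data structure with its two derived views (an ACL per object, a capability list per subject) and an access check that consults the matrix on every request so that revocation takes effect at once; this is example code added for this transcript, not from the slides, and the rule that only an owner (O) may revoke rights is an assumption made for the demo:

```python
# Added example (not from the slides): the slide's access control matrix as a
# Python structure, the ACL (column) and capability (row) views derived from
# it, and an access check run on every request so a revocation applies
# immediately. "-" in the slide becomes "" here (no rights). The rule that
# only an owner (O) may revoke a right is an assumption for this demo.

MATRIX = {
    "User A":  {"Bibliog.c": "ORW", "Help.txt": "R",  "Printer": "W", "Sys_Clock": "R"},
    "User S":  {"Bibliog.c": "R",   "Help.txt": "R",  "Printer": "W", "Sys_Clock": "R"},
    "Sys_Mgr": {"Bibliog.c": "",    "Help.txt": "RW", "Printer": "O", "Sys_Clock": "ORW"},
}


def acl(matrix, obj):
    """Column view: who may access this object, and how."""
    return {s: rights[obj] for s, rights in matrix.items() if rights.get(obj)}


def capabilities(matrix, subject):
    """Row view: everything this subject may touch."""
    return {o: r for o, r in matrix[subject].items() if r}


def check(matrix, subject, obj, right):
    """Mediate one access: True only if the matrix grants `right` right now."""
    return right in matrix.get(subject, {}).get(obj, "")


def revoke(matrix, owner, subject, obj, right):
    """Only an owner of obj may strip a right from another subject."""
    if "O" not in matrix.get(owner, {}).get(obj, ""):
        raise PermissionError(f"{owner} does not own {obj}")
    current = matrix[subject].get(obj, "")
    matrix[subject][obj] = current.replace(right, "")


def demo():
    m = {s: dict(r) for s, r in MATRIX.items()}        # work on a copy
    before = check(m, "User S", "Bibliog.c", "R")      # True
    try:
        revoke(m, "User S", "User A", "Bibliog.c", "W")  # S is not an owner
        non_owner = "allowed"
    except PermissionError:
        non_owner = "refused"
    revoke(m, "User A", "User S", "Bibliog.c", "R")    # A owns Bibliog.c
    after = check(m, "User S", "Bibliog.c", "R")       # False: checked every access
    return {"before": before, "non_owner": non_owner, "after": after,
            "printer_acl": acl(m, "Printer"),
            "s_caps": capabilities(m, "User S")}
```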

File Protection Mechanism

Basic Forms of Protection

All-None Protection: the file becomes public; any user can read, modify and delete it. Unacceptable – lack of trust, complexity, etc.

Group Protection: identify groups of users that have some relationship; all unauthorized users are separated into another group. Introduces new difficulties – multiple personalities, limited sharing.

File Protection Mechanism (cont)

Single Permissions

Password or Other Token: a form of password protection for a file. Access is limited to users who supply the correct password. Suffers difficulties – loss, time consumption, disclosure by another party (an unauthorized user).

Temporary Acquired Permission: used by UNIX – set user id (suid). Three-level user-group-world hierarchy.

User Authentication

Authentication mechanisms use any of three qualities to confirm a user's identity:

Something the user knows – password, PIN number, mother's name.

Something the user has – identity badge, physical key, driver's license.

Something the user is – called biometrics.

Passwords suffer from some difficulties of use:

Loss. Depending on how the passwords are implemented, it is possible that no one will be able to replace a lost or forgotten password. If the user loses the password, a new one must be assigned.

Use. Supplying a password for each access to a file can be inconvenient and time consuming.

Disclosure. If a password is disclosed to an unauthorized individual, the file becomes immediately accessible. If the user then changes the password to reprotect the file, all the other legitimate users must be informed of the new password because their old password will fail.

Revocation. To revoke one user's access right to a file, someone must change the password, thereby causing the same problems as disclosure.

Additional Authentication Information

Using additional authentication information is called multifactor authentication. It requires the true user to be present and to make use of something he/she knows or has.

Something you have + something you know, e.g. credit card + PIN code

Something you know + something you are, e.g. password + fingerprint

Something you have + something you are, e.g. smart card + iris recognition

User Authentication (cont)

Attacks on passwords:

Try all possible passwords.

Try many probable passwords.

Try passwords likely for the user.

Search for the system list of passwords.

Ask the user.

Loose-Lipped Systems

Some systems help the attacker to break in more quickly.

Better systems give no information until the end of the dialogue.
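The difference between a loose-lipped login dialogue and one that answers only at the end, as added example code for this transcript (not from the slides); the account table, salt and passwords are constructed for the demo, and hashlib.scrypt is a real standard-library function:

```python
# Added example (not from the slides): two models of a login dialogue. The
# loose-lipped one answers differently depending on which step failed, so its
# responses alone reveal whether a user name exists. The better one carries
# every step to the end and gives a single answer for any failure.
# Account table, salt and passwords are constructed for the demo.
import hashlib
import hmac
import os


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**12, r=8, p=1)


_SALT = os.urandom(16)
ACCOUNTS = {"alice": (_SALT, hash_password("correct horse", _SALT))}
# Throwaway entry so an unknown name still costs one hash computation.
_DUMMY = (_SALT, hash_password("placeholder", _SALT))


def loose_lipped_login(user: str, password: str) -> str:
    """Each step reports its own outcome: the message says which step failed."""
    if user not in ACCOUNTS:
        return "unknown user"                   # reveals the name is absent
    salt, stored = ACCOUNTS[user]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return "wrong password"                 # reveals the name is valid
    return "welcome"


def tight_lipped_login(user: str, password: str) -> str:
    """Run the whole dialogue, then give one answer for every failure."""
    salt, stored = ACCOUNTS.get(user, _DUMMY)   # unknown names still hash
    ok = user in ACCOUNTS and hmac.compare_digest(
        hash_password(password, salt), stored)
    return "welcome" if ok else "login failed"


def failure_messages(login):
    """Distinct failure messages a caller can observe from a login function."""
    attempts = [("alice", "wrong"), ("mallory", "wrong")]
    return sorted({login(u, p) for u, p in attempts})
```

With the loose-lipped version the two failed attempts produce two different messages; with the tight-lipped one they are indistinguishable.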

User Authentication (cont)

Password selection criteria:

Use characters other than just A-Z.

Choose a long password.

Avoid actual names or words.

Choose an unlikely password.

Change the password regularly.

Don't write it down.

Don't tell anyone else.

Biometrics: Authentication Not Using Passwords

Biometrics are biological authenticators, based on some physical characteristic of the human body.

Problems with Biometrics

Biometrics are relatively new, and some people find their use intrusive. Hand geometry and face recognition (which can be done from a camera across the room) are scarcely invasive, but people have real concerns about peering into a laser beam or sticking a finger into a slot. (See [SCH06a] for some examples of people resisting biometrics.)

Biometric recognition devices are costly, although as the devices become more popular, their costs go down. Still, outfitting every user's workstation with a reader can be expensive for a large company with many employees.

All biometric readers use sampling and establish a threshold for when a match is close enough to accept. The device has to sample the biometric, measure often hundreds of key points, and compare that set of measurements with a template. There is normal variability if, for example, your face is tilted, you press one side of a finger more than another, or your voice is affected by an infection. Variation reduces accuracy.

Biometrics can become a single point of failure. Consider a retail application in which a biometric recognition is linked to a payment scheme: As one user puts it, "If my credit card fails to register, I can always pull out a second card, but if my fingerprint is not recognized, I have only that one finger." Forgetting a password is a user's fault; failing biometric authentication is not.

Although equipment is improving, there are still false readings. We label a "false positive" or "false accept" a reading that is accepted when it should be rejected (that is, the authenticator does not match) and a "false negative" or "false reject" one that rejects when it should accept. Often, reducing a false positive rate increases false negatives, and vice versa. The consequences for a false negative are usually less than for a false positive, so an acceptable system may have a false positive rate of 0.001 percent but a false negative rate of 1 percent.
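The false accept/false reject trade-off from the paragraph above, worked through on a small set of match scores; this is example code added for this transcript, not from the slides, and the genuine and impostor scores are constructed, not measurements from any real device:

```python
# Added example (not from the slides): how a biometric reader's acceptance
# threshold trades false accepts against false rejects. Each comparison with
# the stored template yields a similarity score, and the device accepts when
# the score reaches the threshold. The score lists are constructed for the
# demo, not taken from a real device.
GENUINE = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.69, 0.93, 0.86]   # same person
IMPOSTOR = [0.12, 0.35, 0.48, 0.22, 0.61, 0.30, 0.55, 0.18, 0.73, 0.40]  # other people

THRESHOLDS = (0.5, 0.6, 0.7, 0.8, 0.9)


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_accept_rate, false_reject_rate) at one threshold."""
    false_accepts = sum(1 for s in impostor if s >= threshold)   # should reject
    false_rejects = sum(1 for s in genuine if s < threshold)     # should accept
    return false_accepts / len(impostor), false_rejects / len(genuine)


def tradeoff(thresholds=THRESHOLDS):
    """Table of (threshold, FAR, FRR): as one rate falls the other rises."""
    return [(t, *rates(t)) for t in thresholds]


def lowest_threshold_meeting(max_far, thresholds=THRESHOLDS):
    """Lowest threshold whose false accept rate stays within max_far.

    Capping false accepts (the costlier error) is paid for in false rejects;
    the returned tuple (threshold, FAR, FRR) shows that price.
    """
    for t in thresholds:
        far, frr = rates(t)
        if far <= max_far:
            return t, far, frr
    return None
```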

The speed at which a recognition must be done limits accuracy. We might ideally like to take several readings and merge the results or evaluate the closest fit. But authentication is done to allow a user to do something: Authentication is not the end goal but a gate keeping the user from the goal. The user understandably wants to get past the gate and becomes frustrated and irritated if authentication takes too long.

Although we like to think of biometrics as unique parts of an individual, forgeries are possible. The most famous example was an artificial fingerprint produced by researchers in Japan [MAT02]. Although difficult and uncommon, forgery will be an issue whenever the reward for a false positive is high enough.