Protection and Security CSCI 444/544 Operating Systems Fall 2008

Post on 20-Jan-2016

Page 1: Protection and Security CSCI 444/544 Operating Systems Fall 2008

Protection and Security

CSCI 444/544 Operating Systems

Fall 2008

Agenda

• Protection goals and principle

• User authentication and access control

• Security vulnerabilities

• Cryptography as a security tool

Goals

Protection becomes more important as computer systems develop
• Multiple users have access to the same resources
• Computers are connected to networks
• Increasing importance of electronic commerce

Goals: Ensure users only do what they are supposed to do
• Prevent accidental misuse
  – Example: Mistakenly overwrite the command interpreter.
  – Relatively easy to solve by making it hard to do
• Prevent malicious abuse
  – Example: Break into the accounting system and transfer $1 million
  – Hard to completely eliminate

Principle of Protection

Guiding principle – principle of least privilege
• Programs, users and systems should be given just enough privileges to perform their tasks

Components of Protection Mechanism

Authentication
• Make sure the system knows who you are

Authorization
• Determine what the user is and is not allowed to do

Access enforcement
• Make sure there are no loopholes in the system

Auditing
• Record what users and programs are doing for later analysis/prosecution

Authentication

How do you prove who you are?

Passwords
• Secret piece of information known only to the user
• The system should not store it in readable form
  – One-way transformations must be used when checking
• Disadvantage: Relatively easy to crack
  – Humans choose poor passwords
    • Short passwords are easy to find by brute force
    • Common words are found in dictionaries

Key
• Physical possession of an item proves identity
• Should not be forgeable or able to be copied
• Advantage: If stolen, the user is aware
• Disadvantage: Relatively expensive to make
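The two password points on this slide, storing only a one-way transformation and rejecting the short or dictionary-word choices humans tend to make, as an added Python example (not code from the lecture). The iteration count, the four-word dictionary and the sample passwords are all constructed for the example; a real system would use a full wordlist and a tuned work factor.

```python
import hashlib
import hmac
import os

# Work factor for the one-way transformation; a constructed value for this example.
ITERATIONS = 100_000

# Constructed mini-dictionary standing in for a real wordlist.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty"}


def is_weak(password: str, min_length: int = 8) -> bool:
    """Reject the two failure modes on the slide: too short to resist brute
    force, or a plain dictionary word."""
    return len(password) < min_length or password.lower() in COMMON_WORDS


def make_record(password: str) -> dict:
    """Store a per-user random salt plus the derived key. The password itself is
    never written down, so a leaked record cannot simply be read back, and the
    salt means two users with the same password get different records."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "key": key.hex(), "iterations": ITERATIONS}


def check_password(record: dict, attempt: str) -> bool:
    """Verification re-applies the same one-way transformation to the attempt
    and compares in constant time; nothing is ever decrypted."""
    salt = bytes.fromhex(record["salt"])
    key = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(key.hex(), record["key"])


if __name__ == "__main__":
    rec = make_record("c0rrect-horse-battery")
    print("stored record:", rec)
    print("correct attempt accepted:", check_password(rec, "c0rrect-horse-battery"))
    print("wrong attempt rejected:", not check_password(rec, "c0rrect-horse-batterx"))
    print("'password' flagged weak:", is_weak("password"))
```

The check side never needs the original password, which is the property the slide asks for: the stored record is useful only for recomputing the transformation, not for recovering what the user typed.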

Authorization Determination

Access rights are represented with an access matrix
• One domain (e.g., user) per row
• One resource (e.g., file) per column
• Each entry indicates the privileges of the domain for the resource

         File A   File B   File C   File D
User 1   RW       RW       RW       RW
User 2   RW       RW       -        -
User 3   RW       R        -        -
User 4   RW       R        RW       -
User 5   RW       R        RW       -

Representation of Access Matrix

The access matrix is sparsely populated
• Condense the information by expressing it in one of two forms
  – Access control list: per column
  – Capability: per row

Access Control Lists

Access Control Lists (ACLs)
• For each resource, indicate the users that can perform operations
  – General form: each resource has a list of <user, privilege> pairs
• Disadvantage
  – Tedious to have a separate entry for every user
• Optimization
  – Group users into classes
  – UNIX example:
    • Three classes of users: self, group, everyone else
    • Three privileges: read, write, execute
• Advantage: Easy to revoke privileges

Access Control Lists

Figure (not reproduced in this transcript): use of access control lists for managing file access

Capabilities

• For each user, indicate the resources that can be accessed
  – General form: each user has a list of <resource, privilege> pairs
• Compared with ACLs
  – May be built in with the handle to the resource
  – More efficient access-right checking
• Important concern
  – A user should not be able to tamper with its capabilities
• Disadvantage
  – Difficult to revoke capabilities, since they are distributed throughout the system

Implementing Capabilities

Kernel-space capability list (C-list)
– User programs use handles (e.g., file descriptors) to refer to them

Implementing Capabilities

Tagged architecture
• Memory words containing capabilities are tagged
  – User programs can only read those words
  – Only the kernel can change those words

Cryptographically protected capabilities
• The C-list is in user space, but
  – the capability is formed cryptographically so that the user cannot tamper with it
  – does not require hardware support
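The cryptographically protected capability of the last bullet, as an added Python example rather than the lecture's own code. It assumes the common construction in which the kernel appends a keyed tag (here HMAC-SHA256) over the capability's resource and rights; the kernel key is generated for the example and the "File B" capability is a constructed value. The user program may keep the capability in its own address space, but any edit to it fails the kernel's recheck because the program cannot recompute the tag.

```python
import hashlib
import hmac
import secrets

# Secret held only by the kernel; a constructed value generated at start-up.
_KERNEL_KEY = secrets.token_bytes(32)


def _tag(resource: str, rights: str, key: bytes) -> str:
    """Keyed one-way tag (HMAC-SHA256) over the capability's contents."""
    return hmac.new(key, f"{resource}|{rights}".encode("utf-8"), hashlib.sha256).hexdigest()


def issue_capability(resource: str, rights: str, key: bytes = _KERNEL_KEY) -> dict:
    """Kernel side: mint a capability the user program may keep in its own C-list."""
    return {"resource": resource, "rights": rights, "tag": _tag(resource, rights, key)}


def check_capability(cap: dict, op: str, key: bytes = _KERNEL_KEY) -> bool:
    """Kernel side, on every use: recompute the tag first. Any change to the
    resource or rights yields a different tag, so a tampered capability is
    refused before its claimed rights are even consulted."""
    expected = _tag(cap["resource"], cap["rights"], key)
    if not hmac.compare_digest(expected, cap["tag"]):
        return False
    return op in cap["rights"]


def tamper(cap: dict, new_rights: str) -> dict:
    """What a user program can do to a capability it holds: rewrite the bytes.
    It cannot refresh the tag because it does not hold the kernel key."""
    return {**cap, "rights": new_rights}


if __name__ == "__main__":
    cap = issue_capability("File B", "R")
    print("read with valid capability:   ", check_capability(cap, "R"))
    print("write with valid capability:  ", check_capability(cap, "W"))
    print("write with tampered capability:", check_capability(tamper(cap, "RW"), "W"))
```

Because the tag is keyed, this needs no tagged memory words: the hardware-free alternative the slide describes. It does not, by itself, help with revocation, which is still the capability scheme's weak point.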

Access Control

Protection can be applied to non-file resources

Solaris 10 provides role-based access control to implement least privilege
• A privilege is the right to execute a system call or to use an option within a system call
• Privileges can be assigned to processes
• Users are assigned roles granting access to privileges and programs
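A toy model of the user → role → privilege → process chain described on this slide, added here as a Python example and not taken from the lecture or from Solaris itself. The privilege names, roles and users are made up for the example (they are not the names Solaris actually uses); what it shows is that a process starts with the privileges its user's roles grant, is checked at the system-call boundary, and can shrink its set once a privileged step is done.

```python
# A privilege is the right to execute one system call, or one option within it.
# Constructed names; not the real Solaris privilege set.
PRIVILEGES = {
    "priv_bind_low_port",   # option within bind(): ports below 1024
    "priv_read_any_file",   # bypass file permission checks on read
    "priv_set_clock",       # the settimeofday()-style system call
}

# Roles bundle privileges; users are assigned roles, never privileges directly.
ROLE_PRIVILEGES = {
    "netadmin": {"priv_bind_low_port"},
    "backup": {"priv_read_any_file"},
}
USER_ROLES = {
    "alice": {"netadmin"},
    "bob": {"backup"},
    "carol": set(),
}


class Process:
    """A process starts with the privileges its user's roles grant and can only
    shrink that set, which is how least privilege is reached in practice."""

    def __init__(self, user: str):
        self.user = user
        self.privileges = set()
        for role in USER_ROLES.get(user, set()):
            self.privileges |= ROLE_PRIVILEGES.get(role, set())

    def drop(self, privilege: str) -> None:
        """Give up a privilege once it is no longer needed (e.g. after binding the port)."""
        self.privileges.discard(privilege)

    def syscall(self, name: str, requires: str) -> bool:
        """Kernel-side check at the system-call boundary; a missing privilege means refusal."""
        if requires not in PRIVILEGES:
            raise ValueError(f"unknown privilege {requires!r}")
        return requires in self.privileges


def start_server(user: str) -> tuple:
    """Typical least-privilege sequence: bind once, then drop the privilege so a
    later compromise of the process cannot reuse it. Returns both outcomes."""
    proc = Process(user)
    bound = proc.syscall("bind", "priv_bind_low_port")
    proc.drop("priv_bind_low_port")
    rebound = proc.syscall("bind", "priv_bind_low_port")
    return bound, rebound


if __name__ == "__main__":
    print("alice binds port 80, then rebinds after dropping:", start_server("alice"))
    print("carol (no roles) binds port 80:", Process("carol").syscall("bind", "priv_bind_low_port"))
    print("bob reads a protected file:", Process("bob").syscall("read", "priv_read_any_file"))
```

The indirection through roles is what makes revocation cheap for an administrator: removing a role from a user changes every future process of that user without touching individual privilege assignments.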

Role-based Access Control in Solaris

Revocation of Access Rights

Access list – delete the access rights from the access list.
• Simple
• Immediate

Capability list – a scheme is required to locate the capability in the system before it can be revoked.
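One added Python example (not the lecture's code) that ties together the earlier access-matrix, ACL and capability slides with this one on revocation. It builds the access matrix from the "Authorization Determination" slide, derives the per-column ACLs and per-row C-lists from it, shows the UNIX owner/group/other condensation, and then contrasts the two revocation costs: an ACL revocation touches one entry, while revoking a capability means visiting every C-list that might hold a copy. The user and group names in the UNIX check are constructed.

```python
from collections import defaultdict

# The access matrix from the slide: one row per user (domain), one column per
# file (resource); the "-" cells are simply absent.
ACCESS_MATRIX = {
    "User 1": {"File A": "RW", "File B": "RW", "File C": "RW", "File D": "RW"},
    "User 2": {"File A": "RW", "File B": "RW"},
    "User 3": {"File A": "RW", "File B": "R"},
    "User 4": {"File A": "RW", "File B": "R", "File C": "RW"},
    "User 5": {"File A": "RW", "File B": "R", "File C": "RW"},
}


def to_acls(matrix: dict) -> dict:
    """Per column: every resource keeps its own list of <user, privilege> pairs."""
    acls = defaultdict(dict)
    for user, row in matrix.items():
        for resource, privilege in row.items():
            acls[resource][user] = privilege
    return dict(acls)


def to_clists(matrix: dict) -> dict:
    """Per row: every user holds a list of <resource, privilege> pairs (its C-list)."""
    return {user: dict(row) for user, row in matrix.items()}


def acl_allows(acls: dict, user: str, resource: str, op: str) -> bool:
    """Resource-centric check: find the resource, then look the user up in its list."""
    return op in acls.get(resource, {}).get(user, "")


def clist_allows(clists: dict, user: str, resource: str, op: str) -> bool:
    """User-centric check: the caller's own C-list entry is consulted directly."""
    return op in clists.get(user, {}).get(resource, "")


def revoke_acl(acls: dict, resource: str, user: str) -> None:
    """ACL revocation: delete one entry at the resource; effective immediately."""
    acls.get(resource, {}).pop(user, None)


def revoke_capability(clists: dict, resource: str) -> list:
    """Capability revocation: a capability for the resource may sit in any number
    of C-lists, so the system must locate and remove every copy. Returns the
    holders that had to be visited."""
    holders = [user for user, caps in clists.items() if resource in caps]
    for user in holders:
        del clists[user][resource]
    return holders


def unix_allows(mode: str, owner: str, group: str, user: str, groups: set, op: str) -> bool:
    """The UNIX condensation of an ACL: three classes (owner, group, other) times
    three privileges (r, w, x), e.g. mode 'rw-r-----'. Only the first class that
    matches the caller is consulted, as the kernel does it."""
    if user == owner:
        bits = mode[0:3]
    elif group in groups:
        bits = mode[3:6]
    else:
        bits = mode[6:9]
    return op in bits


if __name__ == "__main__":
    acls, clists = to_acls(ACCESS_MATRIX), to_clists(ACCESS_MATRIX)
    print("ACL for File B:", acls["File B"])
    print("C-list for User 4:", clists["User 4"])
    print("User 3 may write File B?", acl_allows(acls, "User 3", "File B", "W"))
    revoke_acl(acls, "File A", "User 5")
    print("User 5 may read File A after ACL revoke?", acl_allows(acls, "User 5", "File A", "R"))
    print("C-lists visited to revoke File C:", revoke_capability(clists, "File C"))
```

With capabilities held in user space (the cryptographic scheme earlier), the walk in revoke_capability is not even possible, because the kernel does not know where the copies are; real systems then fall back to indirection or expiry, which the slide summarises as "a scheme is required to locate the capability".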

Access Enforcement

Responsibilities of the security kernel
• Protecting identification and authorization information
• Enforcing access controls

Requirements
• Must run in protected mode
• As small and simple as possible

Paradox
• A more powerful protection mechanism --> a larger and more complex security kernel --> more likely to have implementation bugs --> more security holes

The Security Problem

Security must consider the external environment of the system and protect the system's resources

Intruders (crackers) attempt to breach security

A threat is a potential security violation

An attack is an attempt to breach security

An attack can be accidental or malicious

It is easier to protect against accidental than against malicious misuse

Security Violations

Categories
• Breach of confidentiality
• Breach of integrity
• Breach of availability
• Theft of service
• Denial of service

Methods
• Masquerading (breach of authentication)
• Replay attack
  – Message modification
• Man-in-the-middle attack
• Session hijacking

Program Threats

Trojan Horse
• Code segment that misuses its environment
• Exploits mechanisms for allowing programs written by users to be executed by other users
• Spyware, pop-up browser windows, covert channels

Trap Door
• Specific user identifier or password that circumvents normal security procedures
• Could be included in a compiler

Logic Bomb
• Program that initiates a security incident under certain circumstances

Stack and Buffer Overflow
• Exploits a bug in a program (overflows either the stack or memory buffers)

System and Network Threats

Virus
• Fragment of malicious code embedded in legitimate code
• Spread by copying the infected program over a network or floppy disk

Worm
• Capable of spreading itself from machine to machine
• A grappling hook program uploads the main worm program

Port scanning
• Automated attempt to connect to a range of ports on one IP address or a range of IP addresses

Denial of Service
• Overload the targeted computer, preventing it from doing any useful work
• Distributed denial-of-service (DDoS) attacks come from multiple sites at once

Security Services

Authentication

Access Control

Confidentiality

Integrity

Security Mechanisms

Cryptography
• Encryption/Decryption
  – Symmetric key
  – Asymmetric key (public-key system)
• Entity or message authentication – public key and hash function
• Digital signature
• Key distribution