What we will cover… Protection and Security in OS 1-1

Page 1: What we will cover…

Protection and Security in OS

Page 2: Difference between Protection & Security

Protection: mostly a mechanism for controlling access to system resources by processes. This includes a means of specifying controls and a means of enforcing them. This is an internal problem.

Security: mostly assuring the integrity of system resources and data. Protection is the enforcement aspect of security. Security must also consider the external environment in which the system operates.

Page 3: Domain of Protection

Who needs protection? System resources need protection
• Resources include both hardware and software
• Examples of software resources: files, programs, buffers, semaphores, etc.
• Examples of hardware resources: CPU, memory segments, printers, disks, etc.
• Think of each resource as an object accessible only through its associated operations

Protection from whom?
• Other users (user domain)
• Other processes (process domain)

Page 4: Principle of Protection

Guiding principle – principle of least privilege
• Programs, users and systems should be given just enough privileges to perform their tasks
• Also known as the “need-to-know” principle

Page 5: Domain Structure

Implementing a protection domain:
• A process has an associated protection domain and operates within this domain
• A protection domain is a set of ordered pairs; each ordered pair consists of an object and a set of access rights (permitted operations)

Access-right = <object-name, rights-set>, where rights-set is a subset of all valid operations that can be performed on the object.

Domain = set of access-rights

Page 6: Protection Domain Structure

The association between a process and a domain can be fixed (static) or can change as the process executes (dynamic).

Static association is easier to implement, while dynamic association is more complex. Which one is better?
• Static association may violate the need-to-know principle

Dynamic association: change the association dynamically by either (1) modifying the domain, or (2) switching to a different domain

Page 7: Domain Implementation (MULTICS)

Let Di and Dj be any two domain rings.

If j < i  Di Dj

Disadvantages:
• Too complicated
• Violates the need-to-know principle

Page 8: Domain Implementation (UNIX)

System consists of 2 domains:
• User mode
• Kernel mode

UNIX Domain = user-id. Domain switch is accomplished via the file system.
• Each file has associated with it a domain bit (setuid bit).
• When a file is executed and setuid = on, the user-id is set to the owner of the file being executed. When execution completes, the user-id is reset.

Page 9: Domain Implementation (UNIX)

Is it safe?

Page 10: Domain Example

Processes move back and forth between user mode (i.e., user domain) and kernel mode (i.e., kernel domain).

Unix setuid (figure):
• shell: owner = 100, setuid bit = 0
• a.out: owner = 100, setuid bit = 1
• process in user mode: real user id = 201, effective user id = 201
• exec("shell"): the kernel loads the file; setuid bit is 0, so real user id = 201, effective user id = 201
• exec("a.out"): the kernel loads the file; setuid bit is 1, so the effective user id becomes the file's owner, 100

Page 11: Access Matrix

View protection as a matrix (access matrix)
• Rows represent domains
• Columns represent objects
• Access(i, j) is the set of operations that a process executing in Domain i can invoke on Object j

Page 12: Access Matrix (figure)

Page 13: Visualizing access matrix for UNIX

-rwxr-xr-x 1 John students 14839 May 14 07:15 chatter
-rw-r----- 1 John students   998 May 14 08:27 guru.c
-rwxr-xr-- 2 John students  4096 May 17 11:59 data

Domain/object   chatter                guru.c        data
Owner           Read, write, execute   Read, write   Read, write, execute
group           Read, execute          Read          Read, execute
world           Read, execute          (none)        Read
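The table above can be produced mechanically from the mode strings in the ls -l listing. The following C program is an added example, not code from the slides: it parses each 10-character mode string into the Owner/group/world rows of the access matrix, answers Access(i, j) queries against it, and prints the table. The object names and modes are the slide's; the function and constant names (mode_to_column, rights_of, access_allowed, DOM_*) are mine.

```c
#include <stdio.h>
#include <string.h>

/* Rights bits for one cell of the access matrix. */
enum { R_READ = 1, R_WRITE = 2, R_EXEC = 4 };

/* Rows are the three UNIX domains; columns are objects (files). */
enum { DOM_OWNER = 0, DOM_GROUP = 1, DOM_WORLD = 2, NUM_DOMAINS = 3 };

/* Parse one rwx triple such as "r-x" into a rights set; -1 if malformed.
   's'/'t' mean execute plus setuid/setgid/sticky; 'S'/'T' mean the special
   bit without execute. */
static int parse_triple(const char *t)
{
    int rights = 0;
    if (t[0] == 'r') rights |= R_READ;  else if (t[0] != '-') return -1;
    if (t[1] == 'w') rights |= R_WRITE; else if (t[1] != '-') return -1;
    if (t[2] == 'x' || t[2] == 's' || t[2] == 't') rights |= R_EXEC;
    else if (t[2] != '-' && t[2] != 'S' && t[2] != 'T') return -1;
    return rights;
}

/* Turn a 10-character ls -l mode string ("-rwxr-x---") into one column of
   the matrix: out[DOM_OWNER], out[DOM_GROUP], out[DOM_WORLD].
   Returns 0 on success, -1 if the string is malformed. */
int mode_to_column(const char *mode, int out[NUM_DOMAINS])
{
    if (strlen(mode) < 10) return -1;
    for (int d = 0; d < NUM_DOMAINS; d++) {
        int r = parse_triple(mode + 1 + 3 * d);   /* skip the file-type character */
        if (r < 0) return -1;
        out[d] = r;
    }
    return 0;
}

/* Rights of a single domain for a mode string, or -1 if malformed. */
int rights_of(const char *mode, int domain)
{
    int col[NUM_DOMAINS];
    if (domain < 0 || domain >= NUM_DOMAINS || mode_to_column(mode, col) != 0) return -1;
    return col[domain];
}

/* Access(i, j) as on the slides: may domain i perform op on the object whose
   column is col? */
int access_allowed(const int col[NUM_DOMAINS], int domain, int op)
{
    if (domain < 0 || domain >= NUM_DOMAINS) return 0;
    return (col[domain] & op) == op;
}

/* Render a rights set the way the slide's table does ("Read, write, execute"). */
void rights_to_string(int rights, char *buf, size_t len)
{
    const char *names[] = { "Read", "write", "execute" };
    buf[0] = '\0';
    if (rights == 0) { snprintf(buf, len, "(none)"); return; }
    for (int b = 0; b < 3; b++) {
        if (rights & (1 << b)) {
            if (buf[0]) strncat(buf, ", ", len - strlen(buf) - 1);
            strncat(buf, names[b], len - strlen(buf) - 1);
        }
    }
}

int main(void)
{
    /* The three objects from the slide's ls -l listing. */
    const char *objects[] = { "chatter", "guru.c", "data" };
    const char *modes[]   = { "-rwxr-xr-x", "-rw-r-----", "-rwxr-xr--" };
    const char *domains[] = { "Owner", "group", "world" };
    int matrix[3][NUM_DOMAINS];   /* matrix[object][domain] */

    for (int j = 0; j < 3; j++)
        if (mode_to_column(modes[j], matrix[j]) != 0) return 1;

    printf("%-14s", "Domain/object");
    for (int j = 0; j < 3; j++) printf(" %-22s", objects[j]);
    printf("\n");
    for (int d = 0; d < NUM_DOMAINS; d++) {
        printf("%-14s", domains[d]);
        for (int j = 0; j < 3; j++) {
            char cell[40];
            rights_to_string(matrix[j][d], cell, sizeof cell);
            printf(" %-22s", cell);
        }
        printf("\n");
    }
    return 0;
}
```

The parser rejects anything that is not a valid triple rather than guessing, which is the behaviour you want from code that feeds an access decision.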

Page 14: Use of Access Matrix

If a process in Domain Di tries to do “op” on object Oj, then “op” must be in the access matrix.

Can be expanded to dynamic protection: special operations change the content of the access matrix. Change access rights:
• copy an access right from one domain to another
• owner rights

Page 15: Access Matrix with Copy Rights (figure)

Page 16: Access Matrix With Owner Rights (figure)

Page 17: Use of Access Matrix (Cont.)

Access matrix design separates mechanism from policy.

Policy
• User dictates policy.
• Who can access what object and in what mode.

Mechanism
• Operating system provides access-matrix + rules.
• It ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced.
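As an added illustration of slides 11, 14 and 17 (example code written for this page, not part of the lecture): a small C access matrix in which the only way to change a cell is through the copy-right and owner-right operations. The functions are the mechanism and enforce the rules; the starting contents of the matrix are the policy and are plain data. The domains D0–D2, objects F0–F2, the initial rights and all names (am_*, COPY_OF, sample_matrix, demo_scenario) are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* One cell of the access matrix is a bit set.  The low bits are the rights;
   COPY_OF(right) is the slide's asterisk attached to that right; OWNER is
   the owner right for the object's column. */
enum { A_READ = 1 << 0, A_WRITE = 1 << 1, A_EXEC = 1 << 2, A_OWNER = 1 << 3 };
#define COPY_OF(right) ((right) << 4)   /* R* = A_READ | COPY_OF(A_READ) */

#define NDOM 3   /* rows D0..D2 (constructed) */
#define NOBJ 3   /* columns F0..F2 (constructed) */

typedef struct { unsigned cell[NDOM][NOBJ]; } access_matrix;

static int in_range(int d, int o) { return d >= 0 && d < NDOM && o >= 0 && o < NOBJ; }
static int is_basic(unsigned r) { return r == A_READ || r == A_WRITE || r == A_EXEC; }

/* Access(i, j): the operation must be present in the cell or it is refused. */
int am_allowed(const access_matrix *m, int d, int o, unsigned op)
{
    return in_range(d, o) && (m->cell[d][o] & op) == op;
}

/* Copy right: `from` may copy `right` on object o into `to` only if it holds
   that right together with its copy flag.  The flag travels with the copy
   (the plain "copy" variant; "transfer" would also clear the source and
   "limited copy" would drop the flag).  0 on success, -1 if refused. */
int am_copy_right(access_matrix *m, int from, int to, int o, unsigned right)
{
    if (!in_range(from, o) || !in_range(to, o) || !is_basic(right)) return -1;
    unsigned src = m->cell[from][o];
    if ((src & right) == 0 || (src & COPY_OF(right)) == 0) return -1;
    m->cell[to][o] |= right | COPY_OF(right);
    return 0;
}

/* Owner right: only a domain holding OWNER on object o may add or remove
   rights anywhere in that column. */
int am_owner_grant(access_matrix *m, int owner, int target, int o, unsigned rights)
{
    if (!am_allowed(m, owner, o, A_OWNER) || !in_range(target, o)) return -1;
    m->cell[target][o] |= rights;
    return 0;
}

int am_owner_revoke(access_matrix *m, int owner, int target, int o, unsigned rights)
{
    if (!am_allowed(m, owner, o, A_OWNER) || !in_range(target, o)) return -1;
    m->cell[target][o] &= ~rights;
    return 0;
}

/* Constructed starting policy (the slide's own figures are not in the text). */
access_matrix *sample_matrix(void)
{
    static access_matrix m;
    memset(&m, 0, sizeof m);
    m.cell[0][0] = A_READ | COPY_OF(A_READ) | A_OWNER;   /* D0 on F0: R*, owner */
    m.cell[0][1] = A_EXEC;                               /* D0 on F1: execute */
    m.cell[1][1] = A_READ | A_WRITE | A_OWNER;           /* D1 on F1: read, write, owner */
    m.cell[2][2] = A_EXEC | COPY_OF(A_EXEC);             /* D2 on F2: X* */
    return &m;
}

/* Exercise the rules; returns how many steps behaved as the slides describe
   (6 when the mechanism enforces every rule). */
int demo_scenario(void)
{
    access_matrix *m = sample_matrix();
    int ok = 0;
    ok += am_copy_right(m, 0, 2, 0, A_READ) == 0;          /* D0 holds R* on F0 */
    ok += am_allowed(m, 2, 0, A_READ) == 1;                /* D2 can now read F0 */
    ok += am_copy_right(m, 1, 2, 0, A_EXEC) == -1;         /* D1 holds nothing on F0 */
    ok += am_copy_right(m, 2, 1, 0, A_READ) == 0;          /* the flag travelled to D2 */
    ok += am_owner_revoke(m, 0, 2, 0, A_READ | COPY_OF(A_READ)) == 0
          && am_allowed(m, 2, 0, A_READ) == 0;             /* owner D0 revokes from D2 */
    ok += am_owner_grant(m, 1, 1, 0, A_WRITE) == -1;       /* D1 does not own F0 */
    return ok;
}

static void print_cell(unsigned c)
{
    const char *names = "RWXO";
    char buf[16] = "";
    for (int b = 0; b < 4; b++)
        if (c & (1u << b)) {
            size_t n = strlen(buf);
            buf[n] = names[b];
            buf[n + 1] = (b < 3 && (c & COPY_OF(1u << b))) ? '*' : ' ';
            buf[n + 2] = '\0';
        }
    printf("%-9s", buf[0] ? buf : "-");
}

int main(void)
{
    printf("%d of 6 rule checks behaved as expected\n\n", demo_scenario());
    access_matrix *m = sample_matrix();
    printf("%-6s", "");
    for (int o = 0; o < NOBJ; o++) printf("F%-8d", o);
    printf("\n");
    for (int d = 0; d < NDOM; d++) {
        printf("D%-5d", d);
        for (int o = 0; o < NOBJ; o++) print_cell(m->cell[d][o]);
        printf("\n");
    }
    return 0;
}
```

Note that nothing outside am_copy_right and the am_owner_* functions writes to a cell: if the policy has to change, it changes through operations the mechanism checks, which is the separation slide 17 describes.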

Page 18: Security

Page 19: The Security Problem

Security must consider the external environment of the system, and protect the system resources.

Intruders (crackers) attempt to breach security (malicious access):
• Unauthorized reading of data
• Unauthorized modification of data
• Unauthorized destruction of data
• Preventing legitimate use of the system (denial of service)

Page 20: User Authentication

Protection (discussed earlier) depends largely on user authentication
• Based on the use of passwords
• Biometrics is another option, but still not implemented; not cost-effective yet

Page 21: Use of Passwords

Passwords are mutually agreed-upon code words, assumed to be known only to the user and the system.

The use of passwords is fairly straightforward. A user enters some piece of identification, such as a name or an assigned user ID. If the identification matches that on file for the user, the user is authenticated to the system.

If the identification match fails, the user is rejected by the system.

Page 22: Attacks on Passwords

• Try all possible passwords: exhaustive or brute-force attack. Is this impossible to create?
• Try many probable passwords: users are not likely to select a password that is uncommon, hard to spell or pronounce, or very long
• Try passwords likely for the user: a password generally is meaningful to the user

Page 23: Attacks on Passwords (cont’d)

Encrypted passwords (used in UNIX)
• The flaw was that users tend to select a meaningful password (a word in the dictionary)
• The system encrypts the word and stores the encrypted version
• The process is irreversible, so apparently secure

Dictionary attack

Off-line cluster attack

Page 24: Many Password Selection Criteria

• Use characters other than just A–Z
• Choose long passwords
• Avoid actual names or words
• Choose an unlikely password
• Change the password regularly
• Don’t write it down
• Don’t tell anyone else

Page 25: The Authentication Process

• Intentionally slow: this makes an exhaustive attack infeasible
• Identify an intruder from a normal user: someone who continuously fails to log in may not be an authorized user. The system disconnects a user after three to five failed logins.

What is the flaw?
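The three slides above (irreversible password storage, selection criteria, a deliberately slow check with a failure lockout) fit in one small C program. It is an added example, not code from the lecture or from UNIX: FNV-1a stands in for the one-way transform only because it keeps the example dependency-free, and it is not a cryptographic hash; a real system uses a password hash such as bcrypt, scrypt or Argon2. The 12-character minimum, the round count, the sample dictionary and the lockout after 3 failures (the low end of the slide's "three to five") are constructed values, as are all the names.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>

/* Stand-in for the irreversible transform on the slides.  FNV-1a is NOT a
   cryptographic hash; it is used here only to keep the example self-contained. */
static uint64_t fnv1a(const uint8_t *data, size_t len, uint64_t h)
{
    for (size_t i = 0; i < len; i++) { h ^= data[i]; h *= 1099511628211ULL; }
    return h;
}

#define SLOW_ROUNDS 100000   /* "intentionally slow": each guess costs this much */
#define MAX_FAILURES 3       /* lockout threshold, constructed */

typedef struct {
    uint64_t salt;       /* per-user salt: one precomputed dictionary no longer fits every user */
    uint64_t digest;     /* only the transformed value is stored, never the password */
    int failed_logins;   /* consecutive failures, for the lockout rule */
    int locked;
} pw_record;

/* Stored value = hash(salt || password), iterated SLOW_ROUNDS times. */
static uint64_t derive(uint64_t salt, const char *password)
{
    uint64_t h = fnv1a((const uint8_t *)&salt, sizeof salt, 14695981039346656037ULL);
    for (int i = 0; i < SLOW_ROUNDS; i++)
        h = fnv1a((const uint8_t *)password, strlen(password), h);
    return h;
}

/* Constructed sample dictionary for the "avoid actual names or words" rule. */
const char *const SAMPLE_DICT[] = { "password", "letmein", "correct-horse-battery" };
#define SAMPLE_DICT_LEN (sizeof SAMPLE_DICT / sizeof SAMPLE_DICT[0])

/* Selection criteria from the slides as a machine check.  0 = acceptable,
   1 = too short, 2 = letters only, 3 = dictionary word. */
int password_acceptable(const char *pw, const char *const *dictionary, size_t ndict)
{
    if (strlen(pw) < 12) return 1;                          /* choose long passwords */
    int has_nonalpha = 0;
    for (const char *p = pw; *p; p++)
        if (!isalpha((unsigned char)*p)) has_nonalpha = 1;
    if (!has_nonalpha) return 2;                            /* characters other than A-Z */
    for (size_t i = 0; i < ndict; i++)
        if (strcmp(pw, dictionary[i]) == 0) return 3;       /* avoid actual words */
    return 0;
}

void pw_set(pw_record *rec, uint64_t salt, const char *password)
{
    rec->salt = salt;
    rec->digest = derive(salt, password);
    rec->failed_logins = 0;
    rec->locked = 0;
}

/* Authentication decision: 1 = accepted, 0 = rejected, -1 = account locked. */
int pw_authenticate(pw_record *rec, const char *attempt)
{
    if (rec->locked) return -1;
    uint64_t d = derive(rec->salt, attempt);
    uint64_t diff = d ^ rec->digest;        /* compares all bits at once: no early exit */
    if (diff == 0) { rec->failed_logins = 0; return 1; }
    if (++rec->failed_logins >= MAX_FAILURES) rec->locked = 1;
    return 0;
}

/* Scenario: a correct login, MAX_FAILURES wrong guesses, then the correct
   password again.  Returns the result code of that final attempt (-1). */
int lockout_demo(void)
{
    pw_record rec;
    pw_set(&rec, 0x5a17ULL, "correct-horse-battery-staple");
    if (pw_authenticate(&rec, "correct-horse-battery-staple") != 1) return 99;
    for (int i = 0; i < MAX_FAILURES; i++)
        if (pw_authenticate(&rec, "password1234") != 0) return 98;
    return pw_authenticate(&rec, "correct-horse-battery-staple");
}

int main(void)
{
    const char *candidates[] = { "short", "abcdefghijklmnop", "correct-horse-battery",
                                 "correct-horse-battery-staple" };
    for (size_t i = 0; i < 4; i++)
        printf("%-30s -> rule %d\n", candidates[i],
               password_acceptable(candidates[i], SAMPLE_DICT, SAMPLE_DICT_LEN));
    printf("final attempt after lockout: %d\n", lockout_demo());
    return 0;
}
```

The same counter that stops guessing also refuses the account's legitimate owner after three failures, so a lockout trades brute-force resistance for a denial-of-service exposure; that trade-off is what slide 25's closing question points at.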

Page 26: Program Threats

Trojan Horse
• Code segment that misuses its environment
• Exploits mechanisms for allowing programs written by users to be executed by other users
• Spyware, pop-up browser windows, covert channels
• PWSteal.Tarno.Q – registers itself as a browser helper (key logger)

Trap Door
• Specific user identifier or password that circumvents normal security procedures
• Could be included in a program
• A combination of trojan horse and trap door can even be fatal
• Trojan.Lodeight.A opens a back door on TCP port 1084

Page 27: How to defend against such program threats

Analyze the execution patterns of Trojan Horses & Trapdoors:
1. The malicious code is executed without user intervention.
2. The malicious code may be directed by a remote attacker once a connection is made.
3. Resources used by the malicious code, such as file names and network addresses, are hard-coded in the binary.
4. OS resources (processes, memory) used by the malicious code may be consumed for the purpose of degrading performance.

A key characteristic of Trojan Horses and Trapdoors is that they cannot be invoked by the attacker and are autonomous – at least until a connection is made.
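Point 3 above is the one that turns into a static check most directly: an address that is hard-coded in the binary survives as a string in the image. The C program below is an added example (not from the slides) of that triage step: it scans a byte buffer for dotted-quad IPv4 literals, including across embedded NULs, so it works on a raw executable image rather than a C string. The sample image, its addresses (from the TEST-NET documentation ranges) and the function names are constructed; a hit is a lead for analysis, not proof of anything, since version strings and other numbers can match.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Try to read a dotted-quad IPv4 literal starting at buf[pos].  On success the
   literal is written NUL-terminated to out and its length returned; 0 otherwise.
   Octets above 255 are rejected; leading zeros ("01") are accepted. */
static size_t match_ipv4(const unsigned char *buf, size_t len, size_t pos,
                         char *out, size_t outlen)
{
    size_t i = pos;
    for (int octet = 0; octet < 4; octet++) {
        int val = 0, digits = 0;
        while (i < len && isdigit(buf[i]) && digits < 3) {
            val = val * 10 + (buf[i] - '0');
            i++; digits++;
        }
        if (digits == 0 || val > 255) return 0;
        if (octet < 3) {
            if (i < len && buf[i] == '.') i++;
            else return 0;
        }
    }
    /* a following digit or dot means this was part of something longer */
    if (i < len && (isdigit(buf[i]) || buf[i] == '.')) return 0;
    size_t n = i - pos;
    if (n + 1 > outlen) return 0;
    memcpy(out, buf + pos, n);
    out[n] = '\0';
    return n;
}

/* Scan a binary image for IPv4 literals; calls found() for each hit (may be
   NULL) and returns the number of hits. */
int find_ipv4_literals(const unsigned char *buf, size_t len,
                       void (*found)(const char *literal, size_t offset))
{
    int count = 0;
    char lit[16];
    for (size_t pos = 0; pos < len; ) {
        /* only start at a digit that is not itself preceded by a digit or dot */
        if (isdigit(buf[pos]) &&
            (pos == 0 || (!isdigit(buf[pos - 1]) && buf[pos - 1] != '.'))) {
            size_t n = match_ipv4(buf, len, pos, lit, sizeof lit);
            if (n) {
                count++;
                if (found) found(lit, pos);
                pos += n;
                continue;
            }
        }
        pos++;
    }
    return count;
}

/* Convenience for C strings (tests and quick checks). */
int count_ipv4_in_string(const char *s)
{
    return find_ipv4_literals((const unsigned char *)s, strlen(s), NULL);
}

/* Constructed stand-in for an executable image: a fake header, embedded NULs,
   two address literals and two near-misses that must not match. */
static const unsigned char SAMPLE_IMAGE[] =
    "\x7f" "ELF" "\x02\x01\x01\x00" "\x00\x00"
    "connect 203.0.113.42 port 1084\0"
    "/tmp/.hidden.log\0"
    "bad 256.300.1.1 ver 1.2.3.4.5\0"
    "fallback 198.51.100.7\0";

int demo_scan(void)
{
    return find_ipv4_literals(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE - 1, NULL);
}

static void report(const char *literal, size_t offset)
{
    printf("offset %zu: %s\n", offset, literal);
}

int main(void)
{
    int n = find_ipv4_literals(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE - 1, report);
    printf("%d hard-coded IPv4 literal(s) found\n", n);
    return 0;
}
```

Running it over the sample image reports the two TEST-NET addresses and skips "256.300.1.1", "1.2.3.4.5" and the port number, which is the filtering a plain strings(1) pass would leave to the analyst.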

Page 28: Program Threats (contd.)

Stack and Buffer Overflow
• Exploits a bug in a program (overflow either the stack or memory buffers)

Page 29: Simple example code

    #include <string.h>

    void foo(char *bar)
    {
        char c[12];
        strcpy(c, bar);     // no bounds checking...
    }

    int main(int argc, char **argv)
    {
        if (argc > 1)       // argument check added so the program does not fault without input; the overflow in foo() is the point of the example
            foo(argv[1]);
        return 0;
    }

Page 30: Stack Buffer Overflow

(Figure) Before data is copied. "hello" is the first command line argument.

(Figure) "A A A A A A A A A A A A A A A A A A A A \x08 \x35 \xC0 \x80" is the first command line argument.
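The defect in foo() is that strcpy() copies until it finds a NUL, so the destination size never enters the decision. The hardened counterpart below is an added example (not from the slides): the copy is bounded by the 12-byte buffer and the caller is told whether the input fit, so the 24-byte argument from the second figure is refused before anything is written past c[]. The names foo_safe and input_fits are mine.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 12   /* the same 12-byte buffer as foo() on the slide */

/* Hardened counterpart of foo(): the copy is bounded by the destination size and
   the caller learns whether the input fit.  Returns 0 when `bar` plus its NUL
   terminator fit, -1 when it was too long and was rejected (out left empty). */
int foo_safe(const char *bar, char out[BUF_LEN])
{
    size_t n = 0;
    while (n < BUF_LEN && bar[n] != '\0')   /* never read beyond BUF_LEN bytes */
        n++;
    if (n >= BUF_LEN) {                      /* no room left for the terminator */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, bar, n + 1);                 /* bounded copy, terminator included */
    return 0;
}

/* Does this argument fit foo()'s buffer?  0 = yes, -1 = no. */
int input_fits(const char *bar)
{
    char c[BUF_LEN];
    return foo_safe(bar, c);
}

int main(int argc, char **argv)
{
    char c[BUF_LEN];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <argument>\n", argv[0]);
        return 2;
    }
    if (foo_safe(argv[1], c) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_LEN - 1);
        return 1;
    }
    printf("copied: %s\n", c);
    return 0;
}
```

Rejecting over-long input is preferable to silently truncating it (for example with snprintf(c, sizeof c, "%s", bar)) whenever the full value matters; truncation keeps the program running but may hand later code a value the user never supplied.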

Page 31: System and Network Threats

Worms – use a spawn mechanism; standalone program
• Morris worm
  • Exploited UNIX networking features (remote access) and bugs in the finger and sendmail programs
  • Grappling hook program uploaded the main worm program

Page 32: System and Network Threats

Denial of Service
• Easier than penetration attacks
• Overload the targeted computer, preventing it from doing any useful work
• Distributed denial-of-service (DDoS) attacks come from multiple sites at once
• Open TCP connections (never closing them)
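The last bullet describes resource exhaustion: a finite connection table filled by connections that are opened and never used. The C simulation below is an added example (not from the slides) of the two server-side mitigations that matter here, an idle timeout that reclaims slots and a per-address cap; it runs the same scenario three ways so the effect of each setting is visible. The table size, timeout, addresses (TEST-NET ranges) and names are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define TABLE_SIZE 4   /* deliberately tiny so exhaustion is visible */

typedef struct { int in_use; uint32_t peer; long last_activity; } conn_slot;

typedef struct {
    conn_slot slot[TABLE_SIZE];
    long idle_timeout;   /* seconds without activity before a slot is reclaimed; 0 = never */
    int  max_per_peer;   /* simultaneous connections allowed from one address; 0 = no cap */
    int  reclaimed, refused;
} conn_table;

void ct_init(conn_table *t, long idle_timeout, int max_per_peer)
{
    memset(t, 0, sizeof *t);
    t->idle_timeout = idle_timeout;
    t->max_per_peer = max_per_peer;
}

/* Reclaim connections that have shown no activity for longer than idle_timeout. */
int ct_expire(conn_table *t, long now)
{
    int n = 0;
    if (t->idle_timeout <= 0) return 0;
    for (int i = 0; i < TABLE_SIZE; i++)
        if (t->slot[i].in_use && now - t->slot[i].last_activity > t->idle_timeout) {
            t->slot[i].in_use = 0;
            n++;
        }
    t->reclaimed += n;
    return n;
}

static int ct_count_peer(const conn_table *t, uint32_t peer)
{
    int n = 0;
    for (int i = 0; i < TABLE_SIZE; i++)
        if (t->slot[i].in_use && t->slot[i].peer == peer) n++;
    return n;
}

/* Admit a connection at time `now`.  Returns the slot index, or -1 when refused
   (table full, or the per-address cap is reached). */
int ct_accept(conn_table *t, uint32_t peer, long now)
{
    ct_expire(t, now);
    if (t->max_per_peer > 0 && ct_count_peer(t, peer) >= t->max_per_peer) {
        t->refused++;
        return -1;
    }
    for (int i = 0; i < TABLE_SIZE; i++)
        if (!t->slot[i].in_use) {
            t->slot[i].in_use = 1;
            t->slot[i].peer = peer;
            t->slot[i].last_activity = now;
            return i;
        }
    t->refused++;
    return -1;
}

/* Record progress on a connection so its idle timer restarts. */
void ct_activity(conn_table *t, int slot, long now)
{
    if (slot >= 0 && slot < TABLE_SIZE && t->slot[slot].in_use)
        t->slot[slot].last_activity = now;
}

/* Scenario: one source opens TABLE_SIZE connections at t=0 and never uses them;
   a legitimate client arrives at t=60.  Returns the client's slot or -1. */
int demo(long idle_timeout, int max_per_peer)
{
    conn_table t;
    ct_init(&t, idle_timeout, max_per_peer);
    const uint32_t attacker = 0xC0000201u;   /* 192.0.2.1, constructed (TEST-NET-1) */
    const uint32_t client   = 0xC6336407u;   /* 198.51.100.7, constructed (TEST-NET-2) */
    for (int i = 0; i < TABLE_SIZE; i++)
        ct_accept(&t, attacker, 0);
    return ct_accept(&t, client, 60);
}

int main(void)
{
    printf("no timeout, no cap:    client slot = %d\n", demo(0, 0));
    printf("30 s idle timeout:     client slot = %d\n", demo(30, 0));
    printf("cap of 2 per address:  client slot = %d\n", demo(0, 2));
    return 0;
}
```

Without either control the legitimate client is refused; the idle timeout frees the abandoned slots, and the per-address cap leaves room in the table. Only the timeout helps against the distributed case in the third bullet, since a cap keyed on the source address does nothing when each connection comes from a different site.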

Page 33: Security Through Domain Separation Via Firewall