View
216
Download
0
Embed Size (px)
Citation preview
What we will cover…
Protection and Security in OS
1-1
Difference between Protection & Security Protection: Mostly, mechanism for controlling access to
system resources by processes. This includes a means of specifying controls and a means of enforcing the controls. This is an internal problem.
Security: Mostly, assuring the integrity of system resources and data. Protection is the enforcement aspect of security. Security must also consider the external environment in which the system operates.
1-2
Domain of Protection
Who needs protection? System resources need protection
resources include both hardware and software examples of software resources: files, programs,
buffers, semaphores etc. examples of hardware resources: CPU, memory
segments, printers, disks etc. think of each resource as an object accessible only
through associated operations
Protection From whom? Other users (user domain) Other processes (process domain)
Principle of Protection
Guiding principle – principle of least privilege Programs, users and systems should be
given just enough privileges to perform their tasks
Also known as “need-to-know” principle
Domain Structure Implement protection domain a process has an associated protection domain and
operates within this domain a protection domain is a set of ordered pairs each ordered pair consists of an object and a set of access rights
(permitted operations)
Access-right = <object-name, rights-set>where rights-set is a subset of all valid operations that can be performed on the object.
Domain = set of access-rights
Protection Domain Structure The association between a process and a domain can be
fixed (static) or can change as process executed (dynamic)
Static association is easier to implement while dynamic association is more complex Which one is better?
• Static association may violate need-to-know principle
Dynamic association change association dynamically by either (1) modifying the
domain, or (2) switching to a different domain
Domain Implementation (MULTICS)
Let Di and Dj be any two domain rings.
If j < i Di Dj
Disadvantages: Too complicated Violating need-to-know
principle
Domain Implementation (UNIX) System consists of 2 domains:
User mode Kernel mode
UNIX Domain = user-id Domain switch accomplished via file system.
• Each file has associated with it a domain bit (setuid bit).
• When file is executed and setuid = on, then user-id is set to owner of the file being executed. When execution completes user-id is reset.
Domain Implementation (UNIX)
Is it safe?
10
Domain Example
Processes move back and forth between user mode, (i.e., user domain) and kernel mode, (i.e., kernel domain).
Unix setuid
shellowner=100setuid bit=0
a.outowner=100setuid bit=1
real user id = 201effective user id = 201
exec(“shell”)
real user id = 201effective user id = 201
exec(“a.out”)
load
100load
User mode
process
Kernel mode
Access Matrix
View protection as a matrix (access matrix)
Rows represent domains
Columns represent objects
Access(i, j) is the set of operations that a process executing in Domaini can invoke on Objectj
Access Matrix
Visualizing access matrix for UNIX
1-13
-rwxr-xr-x 1 John students 14839 May 14 07:15 chatter-rw-r----- 1 John students 998 May 14 08:27 guru.c-rwxr-xr-- 2 John students 4096 May 17 11:59 data
Domain/object
chatter guru.c data
Owner Read, write, execute
Read, write Read, write, execute
group Read, execute Read Read, execute
world Read, execute Read
Use of Access Matrix
If a process in Domain Di tries to do “op” on object Oj, then “op” must be in the access matrix.
Can be expanded to dynamic protection. Special operations to change content of
access matrix Change access rights:
• copy an access right from one domain to another• owner rights
Access Matrix with Copy Rights
Access Matrix With Owner Rights
Use of Access Matrix (Cont.)
Access matrix design separates mechanism from policy.
Policy• User dictates policy.• Who can access what object and in what mode.
Mechanism • Operating system provides access-matrix + rules.• It ensures that the matrix is only manipulated by
authorized agents and that rules are strictly enforced.
Security
1-18
The Security Problem Security must consider external environment of the system,
and protect the system resources
Intruders (crackers) attempt to breach security (malicious access): Unauthorized reading of data Unauthorized modifications of data Unauthorized destruction of data Preventing legitimate use of the systems (denial of service)
User Authentication
Protection (earlier discussed) majorly dependent on user authentication
Based on use of Passwords
Biometrics is another option but Still not implemented Not cost-effective yet
Use of Passwords
Passwords are mutually agreed-upon code words, assumed to be known only to the user and the system.
The use of passwords is fairly straightforward. A user enters some piece of identification, such as a name or an assigned user ID, if the identification matches that on file for the user, the user is authenticated to the system.
If the identification match fails, the user is rejected by the system.
Attacks on Passwords
Try all possible passwords exhaustive or brute force attack Is this impossible to create?
Try many probable passwords Users do not likely select a password
uncommon, hard to spell or pronounce, very long
Try passwords likely for the user Password generally is meaningful to the user
Attacks on Passwords (cont’)
Encrypted password (used in UNIX) Flaw was user tends to select a meaningful password (a
word in the dictionary) System encrypts the word and stores the encrypted
version The process is irreversible, so apparently secure
Dictionary attack Off-line cluster attack
Many Password Selection Criteria Use characters other than just A-Z Choose long passwords Avoid actual names or words Choose an unlikely password Change the password regularly Don’t write it down Don’t tell anyone else
The Authentication Process
Intentionally slow This makes exhaustive attack infeasible
Identify intruder from the normal user Some who continuously fails to login may
not be an authorized user. System disconnect a user after three to five
failed logins
What is the flaw?
Program Threats Trojan Horse
Code segment that misuses its environment Exploits mechanisms for allowing programs written by users to
be executed by other users Spyware, pop-up browser windows, covert channels PWSteal.Tarno.Q - registers itself as a browser helper (key
logger)
Trap Door Specific user identifier or password that circumvents normal
security procedures Could be included in a program Combination of trojan horse and trap door even fatal
• Trojan.Lodeight.A opens a Back-door on TCP port 1084
How to defend against such program threats
Analyze the execution patterns of the Trojan Horses & Trapdoors1. The malicious code is executed without user intervention.2. The malicious code may be directed by a remote attacker once a connection is
made.3. Resources used by the malicious code, such as file names and network addresses,
are hard-coded in the binary.4. OS resources (processes, memory) used by the malicious code may be consumed for
the purpose of degrading performance. A key characteristic of Trojan Horses and Trapdoors is that they cannot be
invoked by the attacker and are autonomous – at least until a connection is made.
Program Threats (contd.) Stack and Buffer Overflow
Exploits a bug in a program (overflow either the stack or memory buffers)
Simple example code
#include <string.h> void foo (char *bar){ char c[12]; strcpy(c, bar); // no bounds checking...} int main (int argc, char **argv){ foo(argv[1]); }
Stack Buffer Overflow
Before data is copied. "hello" is the first command line
argument.
"A A A A A A A A A A A A A A A A A A A A \x08 \x35 \xC0 \x80" is the first command line argument.
System and Network Threats Worms – use spawn mechanism; standalone program Morris worm
Exploited UNIX networking features (remote access) and bugs in finger and sendmail programs
Grappling hook program uploaded main worm program
System and Network Threats
Denial of Service Easier than penetration attacks Overload the targeted computer preventing
it from doing any useful work Distributed denial-of-service (DDOS) come
from multiple sites at once
Open tcp connection (never closing one)
Security Through Domain Separation Via Firewall