QMCS 490 - Class Today - University of St. Thomas


QMCS 490 - Class Today
• Homework collect/return
• OS Security/Policy
• OS Security/Techniques
• Trojan Horse
• Encrypting a File/PGP
March 2005
R. Smith - University of St Thomas - Minnesota
Security Perimeters/Sharing/Policy
• Pretty good, overall
• Important points
  – Distinguish between known agreements and behaviors, and the rationale behind them
    • “They have their own computers, so…” wasn’t asked
    • “It’s understood (or not) about sharing” - WAS asked
  – Note the features that make protection stronger, like locks and barriers (doors, walls)
  – Being in a room with the door closed is better than being left on a bench in a public park - GIVEN THE THREATS
    • What if threats know your machine has valuable stuff?
    • The Antiques Roadshow dilemma - nobody wants to steal it if it’s priceless but nobody knows
    • If there’s no reason to seek it out, it’s safer
  – “Tragedy of the Commons”
What IS an operating system?
• Could someone point it out to me, please?
Operating Systems: Policy
• What are we trying to protect?
• What are the operating goals?
Pieces of an OS
• Bootup software - gets things started
• I/O management - controls the hard drives, keyboard, mouse, monitor, etc.
• Process management - starts up programs for users, and for the OS itself
• Memory management - arranges RAM for user programs and for OS activities
• File management - handles storage on the hard drive so you can find and store things there
• Operator interface - controls the OS and starts up programs
How can an OS protect itself?
• What are the risks?
  – User A damaging User B’s files
  – Program X crashing Program Y
  – Program X damaging OS data
  – Program X damaging OS programs on disk
• File permissions - the tip of the iceberg
• Restrictions on processes
• Restrictions on RAM
• Protection is layered up through file system
  – “Privileged” programs
  – Device drivers and kernel mode
  – Kernel loadable modules
Windows and Privileged Software
• “Privileges” tied to accounts
  – Programs/objects inherit them from user’s process
  – Can be granted to a user ID or a group
• Example privileges
  – Log in interactively or over network or as service
  – Setting the clock or time zone
  – Shutdown, undock machine
  – Load device driver
  – Create special system files, like page file
The Trojan Horse and file hacking
• Transitive trust
• Data leakage and the shared file system
• Diagram!
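An added example, not from the original slides: a toy in-memory model of the Trojan horse problem this slide names, assuming the usual classroom scenario in which Alice runs a program supplied by Bob. The File, Process, FileSystem and leaks names, the paths and the data are all constructed for illustration; every access passes the permission check because the process carries Alice's identity, and leaks() flags data copied into a file with a wider set of readers.

```python
from dataclasses import dataclass, field

@dataclass
class File:
    readers: set                    # user IDs allowed to read
    writers: set                    # user IDs allowed to write
    data: str = ""
    origins: set = field(default_factory=set)   # paths whose data was copied in

@dataclass
class Process:
    user: str                       # identity inherited from the user who started it
    program: str
    seen: set = field(default_factory=set)      # paths this process has read

class FileSystem:
    def __init__(self):
        self.files = {}

    def _check(self, proc, op, path):
        # The permission check looks only at the user ID, never at the program.
        f = self.files[path]
        if proc.user not in (f.readers if op == "read" else f.writers):
            raise PermissionError(f"{proc.user} may not {op} {path}")
        return f

    def read(self, proc, path):
        f = self._check(proc, "read", path)
        proc.seen |= {path} | f.origins
        return f.data

    def write(self, proc, path, data):
        f = self._check(proc, "write", path)
        f.data, f.origins = data, set(proc.seen)

def leaks(fs):
    """Report (source, destination, extra readers) for data copied to a wider audience."""
    return [(src, dst, f.readers - fs.files[src].readers)
            for dst, f in fs.files.items() for src in sorted(f.origins)
            if f.readers - fs.files[src].readers]

def demo():
    fs = FileSystem()
    fs.files["/home/alice/grades.txt"] = File({"alice"}, {"alice"}, "A-")   # constructed
    fs.files["/shared/scores.dat"] = File({"alice", "bob"}, {"alice", "bob"})
    game = Process("alice", "game")          # Bob's program, started by Alice
    fs.write(game, "/shared/scores.dat", fs.read(game, "/home/alice/grades.txt"))
    try:
        fs.read(Process("bob", "shell"), "/home/alice/grades.txt")
        direct = "allowed"
    except PermissionError:
        direct = "denied"
    return direct, fs.read(Process("bob", "shell"), "/shared/scores.dat"), leaks(fs)
```

Calling demo() shows Bob denied on the private file yet reading its contents from the shared one, with the flow reported by leaks().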
Creative Commons License
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.