Protection & Security


Chapter 14: Protection
Operating System Concepts with Java – 8th Edition
14.1
Silberschatz, Galvin and Gagne ©2009
Chapter 14: Protection
• Goals of Protection
• Principles of Protection
• Domain of Protection
• Access Matrix
• Implementation of Access Matrix
• Access Control
Goals of Protection
• Operating system consists of a collection of objects, hardware or software
• Each object has a unique name and can be accessed through a well-defined set of operations
• Protection problem - ensure that each object is accessed correctly and only by those processes that are allowed to do so
Principles of Protection
• Guiding principle – principle of least privilege
  - Programs, users and systems should be given just enough privileges to perform their tasks
Domain Structure
• Access-right = <object-name, rights-set>
  where rights-set is a subset of all valid operations that can be performed on the object.
• Domain = set of access-rights
Domain Implementation (UNIX)
• System consists of 2 domains:
  - User
  - Supervisor
• UNIX
  - Domain = user-id
  - Domain switch accomplished via file system
    - Each file has associated with it a domain bit (setuid bit)
    - When file is executed and setuid = on, then user-id is set to owner of the file being executed. When execution completes user-id is reset
Access Matrix
• View protection as a matrix (access matrix)
• Rows represent domains
• Columns represent objects
• Access(i, j) is the set of operations that a process executing in Domain i can invoke on Object j
Access Matrix
Use of Access Matrix
• If a process in Domain Di tries to do “op” on object Oj, then “op” must be in the access matrix
• Can be expanded to dynamic protection
  - Operations to add, delete access rights
  - Special access rights:
    - owner of Oi
    - copy op from Oi to Oj
    - control – Di can modify Dj access rights
    - transfer – switch from domain Di to Dj
Use of Access Matrix (Cont)
• Access matrix design separates mechanism from policy
  - Mechanism
    - Operating system provides access-matrix + rules
    - It ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced
  - Policy
    - User dictates policy
    - Who can access what object and in what mode
Implementation of Access Matrix
• Each column = Access-control list for one object
  Defines who can perform what operation.
    Domain 1 = Read, Write
    Domain 2 = Read
    Domain 3 = Read
• Each Row = Capability List (like a key)
  For each domain, what operations allowed on what objects.
    Object 1 – Read
    Object 4 – Read, Write, Execute
    Object 5 – Read, Write, Delete, Copy
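The dynamic rights from the "Use of Access Matrix" slides (copy, transfer) together with the ACL and capability-list views of the matrix, as an added example in C that is not from the textbook: rights are bit flags in a small matrix whose domains, objects and initial entries are a constructed sample, and the function names are this example's own.

```c
enum { READ = 1, WRITE = 2, EXEC = 4, SWITCH = 8 };  /* rights as bit flags */
#define NDOM  3                   /* rows: domains D1..D3 (indices 0..2) */
#define NFILE 3                   /* columns 0..2: files F1..F3 */
#define NOBJ  (NFILE + NDOM)      /* columns 3..5: domains D1..D3 as objects */

/* matrix[i][j] = access(i, j): rights a process in domain i holds on object j.
 * The contents are a constructed sample, not the slides' Figure A or B. */
static unsigned matrix[NDOM][NOBJ] = {
    /* F1          F2    F3     D1 D2      D3     */
    { READ|WRITE,  0,    READ,  0, SWITCH, 0      },   /* D1 */
    { 0,           READ, 0,     0, 0,      SWITCH },   /* D2 */
    { READ,        0,    WRITE, 0, 0,      0      },   /* D3 */
};
/* copyable[i][j]: rights in matrix[i][j] that carry the copy flag (R*);
 * here only D1's read right on F1 is copyable. */
static unsigned copyable[NDOM][NOBJ] = { { READ, 0, 0, 0, 0, 0 }, { 0 }, { 0 } };

/* The check made on every reference: "op" must be in access(i, j). */
int can_do(int dom, int obj, unsigned op) {
    return (matrix[dom][obj] & op) == op;
}

/* Copy right: a flagged right in access(from, obj) may be copied to another
 * row of the same column. The copy does not carry the flag (limited copy). */
int copy_right(int from, int to, int obj, unsigned op) {
    if (!can_do(from, obj, op) || !(copyable[from][obj] & op))
        return 0;                 /* denied: right absent or not copyable */
    matrix[to][obj] |= op;
    return 1;
}

/* Transfer: a process in "cur" may switch to domain "to" only if the
 * switch right is in the column that represents "to" as an object. */
int switch_domain(int cur, int to) {
    return can_do(cur, NFILE + to, SWITCH);
}

/* Capability-list view of one row: objects the domain holds any right on. */
int capability_count(int dom) {
    int n = 0;
    for (int j = 0; j < NOBJ; j++) n += matrix[dom][j] != 0;
    return n;
}

/* Access-control-list view of one column: domains with any right on it. */
int acl_count(int obj) {
    int n = 0;
    for (int i = 0; i < NDOM; i++) n += matrix[i][obj] != 0;
    return n;
}
```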
Access Matrix of Figure A With Domains as Objects (Figure B)
Access Matrix with Copy Rights
Access Matrix With Owner Rights
Modified Access Matrix of Figure B
Access Control
• Protection can be applied to non-file resources
• Solaris 10 provides role-based access control (RBAC) to implement least privilege
  - Privilege is right to execute system call or use an option within a system call
  - Can be assigned to processes
  - Users assigned roles granting access to privileges and programs
Role-based Access Control in Solaris 10
Chapter 15: Security
Chapter 15: Security
• The Security Problem
• Program Threats
• System and Network Threats
• Cryptography as a Security Tool
• User Authentication
• Implementing Security Defenses
• Firewalling to Protect Systems and Networks
• Computer-Security Classifications
• An Example: Windows XP
Objectives
• To discuss security threats and attacks
• To explain the fundamentals of encryption, authentication, and hashing
• To examine the uses of cryptography in computing
• To describe the various countermeasures to security attacks
The Security Problem
• Security must consider external environment of the system, and protect the system resources
• Intruders (crackers) attempt to breach security
• Threat is potential security violation
• Attack is attempt to breach security
• Attack can be accidental or malicious
• Easier to protect against accidental than malicious misuse
Security Violations
• Categories
  - Breach of confidentiality
  - Breach of integrity
  - Breach of availability
  - Theft of service
  - Denial of service
• Methods
  - Masquerading (breach authentication)
  - Replay attack
  - Message modification
  - Man-in-the-middle attack
  - Session hijacking
Standard Security Attacks
Security Measure Levels
• Security must occur at four levels to be effective:
  - Physical
  - Human
    - Avoid social engineering, phishing, dumpster diving
  - Operating System
  - Network
• Security is as weak as the weakest link in the chain
Program Threats
• Trojan Horse
  - Code segment that misuses its environment
  - Exploits mechanisms for allowing programs written by users to be executed by other users
  - Spyware, pop-up browser windows, covert channels
• Trap Door
  - Specific user identifier or password that circumvents normal security procedures
  - Could be included in a compiler
• Logic Bomb
  - Program that initiates a security incident under certain circumstances
• Stack and Buffer Overflow
  - Exploits a bug in a program (overflow either the stack or memory buffers)
C Program with Buffer-overflow Condition
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 256
int main(int argc, char *argv[])
{
    char buffer[BUFFER_SIZE];
    if (argc < 2)
        return -1;
    else {
        /* strcpy copies argv[1] without checking its length: an argument
           longer than BUFFER_SIZE - 1 bytes overruns buffer on the stack */
        strcpy(buffer, argv[1]);
        return 0;
    }
}
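As an added example that is not the textbook's program, the slide's main() with the unchecked strcpy replaced by a bounded copy that rejects an argument too long for the buffer; copy_bounded is a helper name chosen for this example.

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 256

/* Copy src into dst[dstsz] only if it fits together with its terminating NUL.
 * Returns 1 on success; returns 0 and leaves dst untouched if src is too long.
 * The length scan stops at dstsz bytes, so an over-long src is never read past
 * that point either. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n == dstsz)               /* no room for src plus the NUL (also dstsz == 0) */
        return 0;
    memcpy(dst, src, n + 1);      /* n bytes of text plus the NUL terminator */
    return 1;
}

/* The slide's main() with the unchecked strcpy replaced by the bounded copy:
 * an over-long argv[1] is now rejected instead of overrunning the stack. */
int main(int argc, char *argv[]) {
    char buffer[BUFFER_SIZE];
    if (argc < 2)
        return -1;
    if (!copy_bounded(buffer, sizeof buffer, argv[1])) {
        fprintf(stderr, "argument longer than %d bytes rejected\n", BUFFER_SIZE - 1);
        return 1;
    }
    printf("copied %zu bytes safely\n", strlen(buffer));
    return 0;
}
```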
Layout of Typical Stack Frame
Modified Shell Code
#include <unistd.h>
int main(int argc, char *argv[])
{
    /* replace the current process image with a shell */
    char *const args[] = { "/bin/sh", NULL };
    execvp("/bin/sh", args);
    return 0;
}
Hypothetical Stack Frame (figure: before attack and after attack)
Program Threats (Cont.)
• Many categories of viruses, literally many thousands of viruses
  - File
  - Boot
  - Macro
  - Source code
  - Polymorphic
  - Encrypted
  - Stealth
  - Tunneling
  - Multipartite
A Boot-sector Computer Virus
System and Network Threats
• Worms – use spawn mechanism; standalone program
• Internet worm
  - Exploited UNIX networking features (remote access) and bugs in finger and sendmail programs
  - Grappling hook program uploaded main worm program
• Port scanning
  - Automated attempt to connect to a range of ports on one or a range of IP addresses
• Denial of Service
  - Overload the targeted computer preventing it from doing any useful work
  - Distributed denial-of-service (DDOS) comes from multiple sites at once
The Morris Internet Worm
End of Chapter 15