Operating Systems
CMPSCI 377
Lecture 22: Protection & Security
Emery Berger
University of Massachusetts, Amherst
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
Security
Secure if either:
  Cost of attacking system > value of protected resources
    You attack $100 of gold with a $120 attack dog.
    Cost can equal the computer or network resources required to attack the system
  Time to attack system longer than time resource has value
    Don’t need to protect time and place of secret event after event takes place
    Time can be processing time to compute correct result (e.g., guessing a password)
Protection
Let’s say we have a valuable resource like an O.S.:
  collection of objects, hardware & software
  objects have unique names
  accessed through well-defined set of operations
Goal of protection:
  Ensure each object accessed correctly & only by authorized processes according to some policy.
  Policy = statement of what states (and operations) are allowed (i.e., secure/authorized) vs. not allowed (i.e., nonsecure/unauthorized) for specific system
Protection Domains
Access-right = <object-name, rights-set>
  Rights-set = subset of all valid operations that can be performed on the object (i.e., the policy!)
Domain = set of access-rights
UNIX: Domain Implementation
Example 1: UNIX
  Domain implemented as “user-id”
  Files are an example of an object (we’ll see others, like laser printers and email servers)
  Sometimes, OS does domain switching to execute some task
    Each file has associated domain bit (setuid bit)
    When file executed and setuid=on, user-id set to owner of the file being executed
    When execution completes, user-id is reset
  “ps” is a setuid program, as is “lpr”.
Domain Implementation
MULTICS
  Precursor to UNIX, by MIT & GE
  “Ring” protection system, by Bob Graham
Multics: Rings
Nested domain structure (“rings”)
Let Di and Dj be any two domain rings
  If j < i, then Di ⊂ Dj: the lower-numbered ring holds every right of the higher-numbered one
  lower-level = more privileges
Each process maintains current ring number
Access Matrix
Column = access-control list for one object
  Defines who can perform what operation
Row = capability list
  Operations allowed on what objects, per-domain
Use of Access Matrix (Cont.)
Design separates mechanism from policy
Mechanism
  Operating system provides access-matrix + rules.
  Ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced
Policy
  User dictates policy: who can access what object and in what mode
Dynamic Access Matrices
Extend for dynamic protection:
  Operations to add, delete access rights
  transfer – switch from domain Di to Dj
  owner of Oi
  copy op from Oi to Oj
  control – Di can modify Dj’s access rights
Switching Domains
Switching domains: add domains as objects!
Access Matrix with Copy Rights
Asterisk denotes that access right can be copied within column
Access Matrix With Owner Rights
Ownership: can add new rights, remove some rights
Control: Modifying Access Matrix
Control: process executing in one domain can modify another domain
Example: D2 changes D4
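The four dynamic operations from the preceding slides (switch, copy with the starred right, owner, control) in one small matrix. This is an added example written for these notes, not code from the lecture; the domain and object names D1..D4 and F1 and the right names are constructed to mirror the slides.

```python
from collections import defaultdict

class AccessMatrix:
    """Rows = domains, columns = objects; domains are also objects, so 'switch'
    rights are stored in the same matrix (slide 'Switching Domains')."""
    def __init__(self):
        self.m = defaultdict(set)       # (domain, object) -> set of right names
    def grant(self, dom, obj, *rights):
        self.m[(dom, obj)].update(rights)
    def rights(self, dom, obj):
        return set(self.m.get((dom, obj), ()))
    def allowed(self, dom, obj, right):
        return right in self.m.get((dom, obj), ())
    def switch(self, src, dst):
        """transfer: a process in src may enter domain dst only with 'switch'."""
        if not self.allowed(src, dst, "switch"):
            raise PermissionError(f"{src} cannot switch to {dst}")
        return dst
    def copy(self, src, dst, obj, right):
        """copy: src needs the starred right 'R*'; dst receives plain 'R', so it
        cannot propagate the right further within the column."""
        if not self.allowed(src, obj, right + "*"):
            raise PermissionError(f"{src} lacks {right}* on {obj}")
        self.m[(dst, obj)].add(right)
    def owner_edit(self, owner, dst, obj, right, add=True):
        """owner: may add or remove any right in obj's column."""
        if not self.allowed(owner, obj, "owner"):
            raise PermissionError(f"{owner} does not own {obj}")
        (self.m[(dst, obj)].add if add else self.m[(dst, obj)].discard)(right)
    def control_remove(self, ctl, target, obj, right):
        """control: ctl holding 'control' over domain target may remove rights
        from target's row (the slide's 'D2 changes D4')."""
        if not self.allowed(ctl, target, "control"):
            raise PermissionError(f"{ctl} does not control {target}")
        self.m[(target, obj)].discard(right)

def build_example():
    """Constructed matrix: D1 may switch to D2; D2 owns F1 and holds read*;
    D2 controls D4; D4 starts with write on F1."""
    am = AccessMatrix()
    am.grant("D1", "D2", "switch")
    am.grant("D2", "F1", "owner", "read*")
    am.grant("D2", "D4", "control")
    am.grant("D4", "F1", "write")
    am.copy("D2", "D3", "F1", "read")             # D3 gets plain read
    am.owner_edit("D2", "D1", "F1", "execute")    # owner adds execute for D1
    am.control_remove("D2", "D4", "F1", "write")  # D2 revokes D4's write
    return am
```

Every mutation goes through a check against the matrix itself, which is the mechanism/policy split of the earlier slide: the rules are fixed in the class, the entries are the policy.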
Implementation of Access Matrix
Global table – <domain, object, right-set>
  Too large, no grouping
Access list – <domain, right-set> per object
  Simple
Capability List – list of objects + operations
  Object name = capability (think: special pointer)
  Check in capability list for access
Revocation of Access Rights
Access-list scheme:
  Search for right to be revoked, delete
  Immediate, can be selective (just affect some users), can be partial (just some rights revoked)
Revocation of Access Rights
Capabilities: more complicated
  Reacquisition: try to reacquire after deletion
  Back-pointers: point from object to capabilities; expensive (used in MULTICS)
  Indirection: capability points to entry in table; not selective
  Keys: one key per capability; check in global key table
Language-Based Protection
Specification of protection in programming language:
  Allows high-level description of policies for allocation and use of resources
  Example: Java
Language implementation:
  Can provide software for protection enforcement when automatic hardware-supported checking is unavailable
  Interpret protection specifications to generate calls on whatever protection system provided by hardware and OS
Java Security Model
Security
The Security Problem
Authentication
Program Threats
System Threats
Threat Monitoring
Encryption
The Security Problem
Security must consider external environment of the system, and protect it from:
  unauthorized access
  malicious modification or destruction
  accidental introduction of inconsistency
Easier to protect against accidental than malicious misuse
Authentication
User identity most often established through passwords, can be considered a special case of either keys or capabilities.
Passwords must be kept secret.
  Frequent change of passwords
  Use of “non-guessable” passwords
  Log all invalid access attempts
Program Threats (“Malware”)
Trojan Horse
  Code segment that misuses its environment
  Exploits mechanisms for allowing programs written by users to be executed by other users
Trap Door
  Specific user identifier or password that circumvents normal security procedures.
  Could be included in compiler
System Threats: Worms
Worms – use spawn mechanism; standalone program
  Exploited UNIX networking features (remote access) and bugs in finger and sendmail programs
  Grappling hook program uploaded main worm program
System Threats: Viruses
Viruses – fragment of code embedded in a legitimate program
  Mainly affect PCs, infected via Internet
  “Old days”: exchanging floppy disks containing an infection
The Morris Internet Worm (1988)
Threat Monitoring
Check for suspicious patterns of activity
  i.e., several incorrect password attempts may signal password guessing
Audit log
  Records time, user, & type of all accesses to object
  Useful for recovery from violation, developing better security measures
Scan system periodically for security holes
  Done when the computer is relatively unused
Threat Monitoring (Cont.)
Check for:
  Short or easy-to-guess passwords
  Unauthorized setuid programs
  Unauthorized programs in system directories
  Unexpected long-running processes
  Improper directory protections
  Improper protections on system data files
  Dangerous entries in the program search path (Trojan horse)
  Changes to system programs: monitor checksum values
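Two of the checks in this list, "unauthorized setuid programs" and "changes to system programs: monitor checksum values", as a periodic scan. This is an added example for these notes, not the lecture's code; it runs over a constructed temporary directory standing in for a system bin directory, and the allowlist of expected setuid programs (ps, lpr from the UNIX slide) is an assumption.

```python
import hashlib, os, stat, tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def regular_files(root):
    """Yield (relative path, absolute path) for every regular file under root."""
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            if os.path.isfile(p):
                yield os.path.relpath(p, root), p

def baseline(root):
    """Checksum snapshot taken while the system is known-good."""
    return {rel: sha256_of(p) for rel, p in regular_files(root)}

def changed_programs(root, base):
    """Files whose checksum differs from the baseline, or were added/removed."""
    now = baseline(root)
    return sorted(k for k in set(base) | set(now) if base.get(k) != now.get(k))

def unauthorized_setuid(root, allowlist):
    """Setuid files whose name is not on the allowlist of expected ones."""
    return sorted(rel for rel, p in regular_files(root)
                  if os.stat(p).st_mode & stat.S_ISUID
                  and os.path.basename(p) not in allowlist)

def demo():
    """Constructed tree: ps and lpr are legitimate setuid programs; after the
    baseline, ls is overwritten and given the setuid bit, and both checks flag it."""
    root = tempfile.mkdtemp()
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    for name in ("ps", "lpr", "ls"):
        with open(os.path.join(bindir, name), "wb") as f:
            f.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
    os.chmod(os.path.join(bindir, "ps"), 0o4755)
    os.chmod(os.path.join(bindir, "lpr"), 0o4755)
    base = baseline(root)
    with open(os.path.join(bindir, "ls"), "wb") as f:   # modified after baseline
        f.write(b"#!/bin/sh\necho modified\n")
    os.chmod(os.path.join(bindir, "ls"), 0o4755)
    return changed_programs(root, base), unauthorized_setuid(root, {"ps", "lpr"})
```

The baseline itself must be stored where the monitored system cannot rewrite it, otherwise a change to a program can be hidden by also updating its recorded checksum.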
Network Security Through Domain Separation Via Firewall
Encryption
Encrypt clear text into cipher text, and vice versa
Properties of good encryption technique:
  Relatively simple for authorized users to encrypt and decrypt data
  Encryption scheme depends not on secrecy of algorithm but on parameter of algorithm called encryption key
  Extremely difficult for an intruder to determine the encryption key
Advanced Encryption Standard now standard (Rijndael)
Encryption (Cont.)
Public-key encryption based on each user having two keys:
  public key – published key used to encrypt data
  private key – key known only to individual user used to decrypt data
Encryption scheme is public, but still strong
  No reliance on security through obscurity
Basis of these:
  Easy to multiply primes, but hard to factor this product
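The "easy to multiply, hard to factor" basis worked through with textbook RSA on two constructed four-digit primes. This is an added example for these notes, not the lecture's code; the algorithm is public, the only secret is the private exponent, and an intruder holding just the public key is reduced to factoring n, which the trial-division routine makes visible as a step count that grows with the size of the primes.

```python
from math import gcd

def keygen(p, q, e=17):
    """Public key (n, e), private key (n, d); p and q are the secret primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(n)")
    d = pow(e, -1, phi)                 # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than n")
    return pow(m, e, n)

def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

def factor_by_trial_division(n):
    """The intruder's job: find p and q from the public n. Returns (p, q, steps);
    steps is the number of candidate divisors tried, which grows with sqrt(n)."""
    f, steps = 2, 0
    while f * f <= n:
        steps += 1
        if n % f == 0:
            return f, n // f, steps
        f += 1
    raise ValueError("n is prime")

def recover_private_key(pub):
    """Without p and q the private exponent cannot be computed, so recovering
    it from the public key alone reduces to factoring n."""
    n, e = pub
    p, q, steps = factor_by_trial_division(n)
    return (n, pow(e, -1, (p - 1) * (q - 1))), steps

def demo():
    pub, priv = keygen(1009, 1013)      # constructed toy primes
    c = encrypt(pub, 12345)
    recovered, steps = recover_private_key(pub)
    return decrypt(priv, c), recovered == priv, steps
```

With these toy primes factoring takes about a thousand divisions; real keys use primes of hundreds of digits, where no known method finishes in useful time, which is the whole security argument of the slide.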
Summary
Protection
  Protection Domains, Access Matrix, Revocation of Access Rights, Capability-Based Systems, Language-Based Protection
Security
  Authentication, Program Threats, System Threats, Threat Monitoring, Encryption