Protection in General-Purpose Operating Systems
Chapter 4 – Protection in General-Purpose Operating Systems
Protection features provided by general-purpose operating systems:
• Protecting memory, files, and the execution environment
• Controlled access to objects
• User authentication
Protected Objects and Methods of Protection
The first operating systems were simple utilities ("executives") that ran one job at a time, so there was little to protect.
Multiprogramming operating systems required monitors, which oversaw each program's execution and kept concurrently running programs from interfering with one another.
Protected objects:
• Memory
• Sharable I/O devices (disks)
• Serially reusable devices (printers)
• Shareable programs and subprocedures
• Networks
• Shareable data
Security Methods of Operating Systems
• Physical separation (different processes use different physical objects, e.g. separate devices for data of different sensitivity)
• Temporal separation (processes with different security requirements are executed at different times)
• Logical separation (each process appears to be alone on the machine; the OS confines it so it cannot reach objects outside its permitted domain)
• Cryptographic separation (processes conceal their data and computations so that they are unintelligible to other processes)
Security Methods of Operating Systems
Want to be able to share resources without compromising security. The options below are listed in order of increasing difficulty to implement and increasing fineness of control:
• Do not protect
• Isolate different processes
• Share all or share nothing
• Share via access limitation (finer granularity: the OS checks each subject's right to each object)
• Share by capabilities
• Limit use of an object (restrict not just access but what may be done, e.g. a record may be viewed but not copied)
Memory & Address Protection
Fence
– confines user programs to one side of a boundary address
• Uses a predefined (fixed) memory address as the boundary
• Can protect the OS from user programs, but not one user from another
Relocation
– adds a constant offset to every address a program uses, so the program can be loaded anywhere in memory
Base/Bounds Registers
• Uses a variable fence register (base register) to provide the lower bound; the base is also the relocation offset
• Uses a bounds register for the upper address; every address generated by the program is checked against both registers before memory is touched
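A software model of base/bounds protection, added here as an illustration (not code from the slides or the textbook): two processes share one physical memory, each address a program issues is relocated by its base register, and anything beyond the bounds register faults before a physical address is formed. The class names, register sizes and the MemoryFault exception are this example's own.

```python
# Added example: base/bounds address protection modelled in software.
# Each process owns a contiguous region [base, base+limit) of a shared memory.
# Every logical address is checked against the limit (bounds register) and
# then relocated by the base register, so one user program cannot reach
# another's region even though both use the same logical addresses.


class MemoryFault(Exception):
    """Raised when a logical address falls outside the process's bounds."""


class PhysicalMemory:
    def __init__(self, size: int):
        self.cells = bytearray(size)


class Process:
    """Holds the base/bounds register pair the hardware loads on dispatch."""

    def __init__(self, name: str, base: int, limit: int):
        self.name = name
        self.base = base      # lower fence: physical address of logical 0
        self.limit = limit    # region size; highest valid physical address is base+limit-1

    def translate(self, logical: int) -> int:
        # Check first, relocate second: a negative or oversized offset never
        # becomes a physical address.
        if not 0 <= logical < self.limit:
            raise MemoryFault(f"{self.name}: logical address {logical} "
                              f"outside [0, {self.limit})")
        return self.base + logical

    def store(self, mem: PhysicalMemory, logical: int, value: int) -> None:
        mem.cells[self.translate(logical)] = value & 0xFF

    def load(self, mem: PhysicalMemory, logical: int) -> int:
        return mem.cells[self.translate(logical)]


def demo() -> dict:
    """Two processes share one memory; each is confined to its own region."""
    mem = PhysicalMemory(64)
    a = Process("A", base=0, limit=16)   # physical cells 0..15
    b = Process("B", base=16, limit=16)  # physical cells 16..31

    a.store(mem, 3, 0xAA)   # A's logical 3 -> physical 3
    b.store(mem, 3, 0xBB)   # B's logical 3 -> physical 19

    result = {
        "a_reads": a.load(mem, 3),
        "b_reads": b.load(mem, 3),
        "phys_3": mem.cells[3],
        "phys_19": mem.cells[19],
    }
    # With only a fence, A could read B's cell by using offset 19.
    # With a bounds register the access faults before any address is formed.
    try:
        a.load(mem, 19)
        result["a_crossed_fence"] = True
    except MemoryFault:
        result["a_crossed_fence"] = False
    return result


if __name__ == "__main__":
    print(demo())
```

Both processes wrote to "address 3" and each reads back its own value; the attempted read of offset 19 by process A is refused because the check is made against the bounds register, not against the OS's knowledge of who owns which physical cell.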
Memory & Address Protection
Tagged Architecture
• Every word of machine memory has extra bits to indicate access rights (expensive: every memory reference must examine the tag)
Segmentation
(program divided into logically related pieces of varying size)
• Each address is a pair <segment name, offset>
• Each address reference is checked for protection against the access rights of the segment
• Different classes of data can be assigned different levels of protection
• Users can share access to segments
• A user cannot access an unpermitted segment; a segment missing from the process's segment table cannot even be named
Paging
(program divided into equal-sized "pages"; memory divided into equal-sized page frames)
• Each address is a pair <page, offset>; an offset cannot exceed the page size, so bounds checking is trivial, but page boundaries have no logical meaning, so a page cannot be protected as a unit of data the way a segment can
Control of Access to General Objects
Objects needing protection:
• Memory
• File or data set
• Program in memory
• Directory of files
• Hardware device
• Data structure (e.g. a stack)
• Operating system table
• Instructions (privileged)
• Passwords / user authentication mechanism
• The protection mechanism itself
Goals in protecting objects
• Check every access (complete mediation: rights may have been revoked since the last access)
• Enforce least privilege (a subject gets only the rights it needs to complete its task)
• Verify acceptable usage (check not only who is accessing, but what is being done with the object)
Directory mechanism
Each user (subject) has a file directory listing all files accessible to that user and the rights held on each.
Drawbacks:
• The list can become very large if there are many shared objects
• Cannot revoke everyone's rights to an object in one step; every directory that names the object must be found and edited
• Different owners may use different names for the same file (or the same name for different files), so shared files cannot be identified by name alone
Access Control List
One list per object, showing all subjects that may access the object and their access rights.
• Can use wildcards (e.g. a default entry for any user, or for any member of a group) to limit the size of the ACL
Access Control Matrix
• Rows for subjects
• Columns for objects
• Each cell holds the rights the subject has to the object; most cells are empty, so the matrix is stored as a sparse list of triples <subject, object, rights>
• An access control list is one column of the matrix; a subject's directory or capability list is one row
Capability
• Unforgeable token (ticket) that gives its possessor specified rights to an object
• Predecessor of Kerberos-style tickets
• A subject can propagate (copy) its capabilities to other subjects; the right to transfer can itself be controlled
• Capabilities must be stored in memory inaccessible to ordinary user programs (or be otherwise unforgeable), so that a user cannot create or modify one
Procedure-Oriented Access Control
• A procedure controls all access to an object, including what each subject may do to it; the object is encapsulated and can be reached only through the operations that procedure provides
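The relationship between the access control matrix, the ACL and the capability list, as an added example that is not code from the slides: one sparse matrix of <subject, object, rights> triples, the ACL read off as a column, the capability list read off as a row, ACL-style revocation of an object in one step, and a capability token whose rights are authenticated with a key only the "kernel" holds, standing in for storage in memory that user programs cannot touch. The subjects, objects, rights and KERNEL_KEY are invented for the illustration.

```python
# Added example: access-control matrix, ACL and capability views, and an
# unforgeable capability ticket. Everything here is constructed for the
# illustration; KERNEL_KEY is assumed to be readable only by the OS.
import hashlib
import hmac
from collections import defaultdict

KERNEL_KEY = b"example-only-kernel-secret"   # assumption: never visible to user code


class AccessMatrix:
    """Sparse matrix: only non-empty cells are stored."""

    def __init__(self):
        self._cells: dict[tuple[str, str], set[str]] = defaultdict(set)

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        self._cells[(subject, obj)].update(rights)

    def check(self, subject: str, obj: str, right: str) -> bool:
        """Complete mediation: consult the matrix on every access."""
        return right in self._cells.get((subject, obj), set())

    def acl(self, obj: str) -> dict[str, set[str]]:
        """Column view: the access control list kept with the object."""
        return {s: set(r) for (s, o), r in self._cells.items() if o == obj}

    def capability_list(self, subject: str) -> dict[str, set[str]]:
        """Row view: the directory / capability list kept with the subject."""
        return {o: set(r) for (s, o), r in self._cells.items() if s == subject}

    def revoke_object(self, obj: str) -> int:
        """ACL-style revocation: one object, every subject, in one step
        (a per-subject directory scheme would need every directory edited)."""
        victims = [k for k in self._cells if k[1] == obj]
        for k in victims:
            del self._cells[k]
        return len(victims)

    def triples(self) -> list[tuple[str, str, str]]:
        return sorted((s, o, r) for (s, o), rs in self._cells.items() for r in rs)


def _cap_message(obj: str, rights: list[str]) -> bytes:
    return f"{obj}|{','.join(sorted(rights))}".encode()


def issue_capability(obj: str, rights: set[str]) -> dict:
    """Ticket for an object. The MAC plays the role of inaccessible memory:
    a user process may hold and pass on the ticket, but cannot change the
    rights in it without the kernel noticing on presentation."""
    rights_list = sorted(rights)
    tag = hmac.new(KERNEL_KEY, _cap_message(obj, rights_list), hashlib.sha256).hexdigest()
    return {"object": obj, "rights": rights_list, "tag": tag}


def capability_allows(cap: dict, obj: str, right: str) -> bool:
    """Kernel-side check when a ticket is presented."""
    expected = hmac.new(KERNEL_KEY, _cap_message(cap["object"], cap["rights"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cap["tag"]):
        return False                          # forged or tampered ticket
    return cap["object"] == obj and right in cap["rights"]


def demo() -> dict:
    m = AccessMatrix()
    m.grant("alice", "payroll.dat", "read", "write")
    m.grant("bob", "payroll.dat", "read")
    m.grant("bob", "printer1", "use")

    # Propagation: alice hands bob a copy of her ticket, which stays valid...
    ticket = issue_capability("payroll.dat", {"read", "write"})
    bobs_copy = dict(ticket)
    # ...while a forger who widens a read-only ticket breaks its tag.
    forged = issue_capability("payroll.dat", {"read"})
    forged["rights"] = ["read", "write"]

    out = {
        "acl_payroll": m.acl("payroll.dat"),
        "caps_bob": m.capability_list("bob"),
        "bob_write_before": m.check("bob", "payroll.dat", "write"),
        "copied_ticket_write": capability_allows(bobs_copy, "payroll.dat", "write"),
        "forged_ticket_write": capability_allows(forged, "payroll.dat", "write"),
        "revoked_entries": m.revoke_object("payroll.dat"),
    }
    out["alice_read_after"] = m.check("alice", "payroll.dat", "read")
    out["bob_printer_after"] = m.check("bob", "printer1", "use")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note the asymmetry the slides describe: revoking every subject's access to payroll.dat is a single operation on the matrix column, whereas a copied capability stays valid until the kernel stops honouring it, which is why capability systems need a separate revocation story.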
File Protection Mechanisms
All-None Protection
(early systems: any user could read, modify, or delete any file; protection rested on trust among users)
Drawbacks:
• Lack of trust: not every user could be trusted not to interfere with others' files
• All or nothing: no way to share a file with some users but not others
• Timesharing: more users on one system meant more opportunity for accidental or deliberate interference
• Complexity: ad hoc protections layered on top were hard to manage
• File listings: a user who could list every file could learn what others were working on
File Protection Mechanisms
Group Protection
(each file is owned by a user and shared with the owner's group; separate rights for owner, group, and everyone else)
Limitations of the early group scheme:
• A user cannot belong to two groups at once
• Forces one person to be multiple users (one account per group they work with)
• Or forces every user to be put into all groups they might need, which defeats the separation
• Files can only be shared within groups; there is no way to share with a single other user outside the group
File Protection Mechanisms
Single Permissions
• Password or token for each file
– Can be lost or forgotten
– Inconvenient: a different password for every protected file
– Must be protected; if the password is changed, every authorized user must be notified
• Temporary acquired permission
– UNIX's set-user-id (suid) bit: the program runs with the rights of the file's owner rather than of the user who invoked it, so a user can perform one controlled operation on data they could not otherwise touch
User Authentication
• Something the user knows (password, PIN, passphrase, mother's maiden name)
• Something the user has (ID card, key, driver's license, uniform)
• Something the user is (biometrics)
Use of Passwords
• Mutually agreed-upon code words, assumed to be known only to the user and the system
• The first line of defense against unauthorized access
Loose-Lipped Systems
A login dialogue that leaks information:
• WELCOME TO XYZ COMPUTING
• ENTER USER ID: summers
• INVALID USER NAME
• ENTER USER ID:
The distinct "INVALID USER NAME" response tells an attacker that "summers" is not a valid ID, so valid IDs can be enumerated before a single password is tried. The system should give the same response whether the ID or the password is wrong.
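The loose-lipped dialogue beside a hardened one, as an added example (not code from the slides): the first routine answers differently for an unknown ID and a wrong password; the second gives one message for every failure, does the same hashing work whether or not the ID exists so that timing does not leak the difference, and also applies the limited-failures rule (lock after a few wrong attempts) that appears later in the chapter. The user table, passwords and MAX_FAILURES are constructed for this example.

```python
# Added example: a username-enumerating login versus a tight-lipped one.
# Accounts and passwords below are constructed; nothing here is real.
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow one-way function (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed account table: username -> (salt, hash)
_USERS: dict[str, tuple[bytes, bytes]] = {}
for _name, _pw in (("summers", "correct horse battery"), ("alice", "s3cret!")):
    _salt = os.urandom(16)
    _USERS[_name] = (_salt, _hash(_pw, _salt))

# Dummy credential used when the ID does not exist, so the failure path
# costs the same time as a real wrong-password check.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(os.urandom(16).hex(), _DUMMY_SALT)

MAX_FAILURES = 3                      # assumption: the "e.g. 3" from the slides
_failures: dict[str, int] = {}


def loose_lipped_login(user: str, password: str) -> str:
    """The slide's dialogue: a distinct message reveals that the ID itself was
    wrong, so valid IDs can be enumerated before any password is guessed."""
    if user not in _USERS:
        return "INVALID USER NAME"
    salt, stored = _USERS[user]
    if hmac.compare_digest(_hash(password, salt), stored):
        return "WELCOME"
    return "INVALID PASSWORD"


def tight_lipped_login(user: str, password: str) -> str:
    """Hardened: one message for every failure, equal work on both paths,
    and a lockout after MAX_FAILURES wrong attempts."""
    if _failures.get(user, 0) >= MAX_FAILURES:
        return "LOGIN FAILED"                     # locked, even if now correct
    salt, stored = _USERS.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if ok and user in _USERS:
        _failures.pop(user, None)
        return "WELCOME"
    _failures[user] = _failures.get(user, 0) + 1
    return "LOGIN FAILED"


if __name__ == "__main__":
    print(loose_lipped_login("nobody", "x"), "|", loose_lipped_login("summers", "x"))
    print(tight_lipped_login("nobody", "x"), "|", tight_lipped_login("summers", "x"))
```

The dummy hash matters as much as the uniform message: if the unknown-ID path returned immediately while the known-ID path ran a slow hash, the response time would reveal which IDs exist just as surely as the original wording did.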
Attack on Passwords
• Ask the user (social engineering)
• Search for the system list of passwords
• Guess, following a plan:
– Find a valid user ID
– Create a list of possible passwords (hash them first if the stored list is hashed)
– Rank the passwords from high to low probability
– Try each password
– If an attempt fails, try again (without exceeding the password lockout threshold)
Attack on Passwords
Exhaustive attack (brute force)
• 26 + 26^2 + 26^3 = 18,278 passwords of 3 lowercase letters or fewer
• At 1 password per millisecond, trying them all takes about 18 seconds (about 8 minutes for up to 4 letters, about 3.5 hours for up to 5)
Probable passwords (dictionary attack)
• An 80,000-word dictionary takes only 80 seconds at the same rate
• Expanded "dictionary": variants of dictionary words (capitalization, character substitutions, appended digits)
Expanded “dictionary”
Attack on Passwords
UK study (http://www.cnn.com/2002/TECH/ptech/03/13/dangerous.passwords/?related)
• 50% of passwords were family names
• Celebrities and soccer stars: 9% each
• Pets: 8%
• 10% reflect a fantasy
• Only 10% use cryptic combinations
Attack on Passwords
Guessing strategies, in order of increasing effort:
• Look on the desk (written-down passwords)
• Try no password
• Try the user ID
• Try the user's name
• Common words (password, private, secret)
• Short dictionary
• Complete English word list
• Common non-English dictionaries
• Dictionary with capitalization and substitutions (0 for o, 1 for i)
• Brute force (lowercase alphabet)
• Brute force (full character set)
Attack on Passwords
Where the system keeps passwords:
• Plaintext system password list (MS Windows)
• Hashed password list, computed with a one-way function; historically kept in the world-readable /etc/passwd, so an attacker could copy it and guess offline at leisure
• Shadow password list (/etc/shadow): the hashes moved to a file readable only by the privileged user
• Salt: a 12-bit number formed from the system time and process id when the password is set; it is concatenated to the password before hashing and stored alongside the hash, so two users with the same password get different hashes and a precomputed table of hashed guesses cannot be reused across users
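The guessing plan from the slides above (find an ID, build and rank a candidate list, hash and compare), the ordered strategies from "look on the desk" to lowercase brute force, and the effect of salt, combined in one added example (not code from the slides) that runs an offline attack against a constructed shadow-style file twice, once with per-user salt and once without. Assumptions: SHA-256 stands in for crypt(3); the 12-bit salt is drawn from a seeded RNG rather than the time and pid so the run is reproducible; the accounts, names, passwords and word lists are all invented.

```python
# Added example: offline dictionary and brute-force attack on a constructed
# user:salt$hash file, with a hash counter to show what salt costs the attacker.
import hashlib
import itertools
import random
import string

COMMON_WORDS = ["password", "private", "secret", "letmein", "welcome"]      # constructed
SHORT_DICT = ["summer", "winter", "london", "tiger", "dragon", "arsenal"]   # constructed


def stored_hash(password: str, salt: int) -> str:
    """Salt (12 bits, written as 3 hex digits) is concatenated to the password
    before the one-way function, as the slide describes; SHA-256 stands in
    for crypt(3)."""
    return hashlib.sha256(f"{salt:03x}{password}".encode()).hexdigest()


def make_shadow(accounts: dict[str, str], salted: bool) -> list[str]:
    """Lines of the form user:salt$hash (constructed, not a real /etc/shadow)."""
    rng = random.Random(4)                 # seeded so the example is reproducible
    lines = []
    for user, pw in accounts.items():
        salt = rng.randrange(4096) if salted else 0
        lines.append(f"{user}:{salt:03x}${stored_hash(pw, salt)}")
    return lines


def ranked_guesses(user: str, fullname: str):
    """Most to least probable guesses for one account, with the slide's
    variants: plain, capitalized, and 0-for-o / 1-for-i substitutions."""
    seeds = ["", user, fullname, fullname.split()[0]] + COMMON_WORDS + SHORT_DICT
    seen = set()
    for w in seeds:
        for v in (w, w.capitalize(), w.replace("o", "0").replace("i", "1")):
            if v not in seen:
                seen.add(v)
                yield v


def brute_force_guesses(max_len: int):
    """All lowercase strings of length 1..max_len: 26 + 26^2 + 26^3 = 18,278
    of them for max_len = 3, the figure quoted on the slide."""
    for n in range(1, max_len + 1):
        for t in itertools.product(string.ascii_lowercase, repeat=n):
            yield "".join(t)


def crack(shadow: list[str], names: dict[str, str]) -> tuple[dict, int]:
    """Return {user: password} for every account recovered and the number of
    hash computations spent. The (salt, guess) cache lets work be reused
    across accounts only when their salts coincide; unsalted, all of it is."""
    found, work, cache = {}, 0, {}
    for line in shadow:
        user, rest = line.split(":")
        salt_hex, target = rest.split("$")
        salt = int(salt_hex, 16)
        for guess in itertools.chain(ranked_guesses(user, names[user]),
                                     brute_force_guesses(3)):
            key = (salt, guess)
            if key not in cache:
                cache[key] = stored_hash(guess, salt)
                work += 1
            if cache[key] == target:
                found[user] = guess
                break
    return found, work


# Constructed accounts: a soccer-club name, a pet-style word, and one password
# that is neither a word nor short enough for the brute-force stage.
ACCOUNTS = {"summers": "Arsenal", "jones": "tiger", "patel": "xq7#Rm9!"}
FULL_NAMES = {"summers": "Ann Summers", "jones": "Bob Jones", "patel": "Ravi Patel"}


def compare_salting() -> dict:
    found_s, work_s = crack(make_shadow(ACCOUNTS, salted=True), FULL_NAMES)
    found_u, work_u = crack(make_shadow(ACCOUNTS, salted=False), FULL_NAMES)
    return {"salted": (found_s, work_s), "unsalted": (found_u, work_u)}


if __name__ == "__main__":
    print(compare_salting())
```

The two weak passwords fall in both runs, because salt does nothing against a guessable password. What it changes is the work: without salt, every hash the attacker computes for one account is reusable against every other account with the same stored list, so the counter is lower; with salt, the shared guesses must be rehashed per user, and a table of precomputed hashes is useless.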
Password Selection Criteria
• Use characters other than A-Z (digits, punctuation, mixed case)
• Choose long passwords
• Avoid names and words (in any language)
• Choose an unlikely password
• Change passwords regularly (don't reuse old ones)
• Don't write it down
• Don't tell anyone
http://www.mit.edu/afs/sipb/project/doc/passwords/passwords.html
One-time passwords
• A password that is valid for a single use, so one captured by an eavesdropper or a fake login screen is worthless afterwards
Authentication
• Should be slow (5-10 seconds per attempt), which caps online guessing at a few hundred tries per hour
• Should only allow a limited number of failures (e.g. 3) before locking the account or dropping the connection
Challenge-Response Systems
Impersonation of Login
Authentication Other than Passwords