Protection & Security
Download
Report
Transcript Protection & Security
What we will cover…
Protection and Security in OS
1-1
Difference between Protection & Security
Protection: Mostly, mechanism for controlling access to
system resources by processes. This includes a means of
specifying controls and a means of enforcing the controls.
This is an internal problem.
Security: Mostly, assuring the integrity of system resources
and data. Protection is the enforcement aspect of security.
Security must also consider the external environment in
which the system operates.
1-2
Domain of Protection
Who needs protection?
System resources need protection
resources include both hardware and software
examples of software resources: files, programs,
buffers, semaphores etc.
examples of hardware resources: CPU, memory segments,
printers, disks etc.
think of each resource as an object accessible only
through associated operations
Protection From whom?
Other users (user domain)
Other processes (process domain)
Principle of Protection
Guiding principle – principle of least
privilege
Programs, users and systems should be given
just enough privileges to perform their tasks
Also known as “need-to-know” principle
Domain Structure
Implement protection domain
a process has an associated protection domain and operates
within this domain
a protection domain is a set of ordered pairs
each ordered pair consists of an object and a set of access rights
(permitted operations)
Access-right = <object-name, rights-set>
where rights-set is a subset of all valid operations that can
be performed on the object.
Domain = set of access-rights
Protection Domain Structure
The association between a process and a domain can be
fixed (static) or
can change as process executed (dynamic)
Static association is easier to implement while dynamic
association is more complex
Which one is better?
• Static association may violate need-to-know principle
Dynamic association
change association dynamically by either (1) modifying the
domain, or (2) switching to a different domain
Domain Implementation
(MULTICS)
Let Di and Dj be any two domain rings.
If j < i Di Dj
Disadvantages:
Too complicated
Violating need-to-know
principle
Domain Implementation (UNIX)
System consists of 2 domains:
User mode
Kernel mode
UNIX
Domain = user-id
Domain switch accomplished via file system.
• Each file has associated with it a domain bit (setuid bit).
• When file is executed and setuid = on, then user-id is
set to owner of the file being executed. When execution
completes user-id is reset.
Domain Implementation (UNIX)
Is it safe?
Domain Example
Processes move back and forth between user mode, (i.e.,
user domain) and kernel mode, (i.e., kernel domain).
User mode
Kernel mode
process
Unix setuid
shell
owner=100
setuid bit=0
a.out
owner=100
setuid bit=1
load
real user id = 201
effective user id = 201
exec(“shell”)
load
real user id = 201
effective user id = 201
exec(“a.out”)
100
10
Access Matrix
View protection as a matrix (access
matrix)
Rows represent domains
Columns represent objects
Access(i, j) is the set of operations that a
process executing in Domaini can invoke on
Objectj
Access Matrix
Visualizing access matrix for UNIX
-rwxr-xr-x 1 John students 14839 May 14 07:15 chatter
-rw-r----- 1 John students 998 May 14 08:27 guru.c
-rwxr-xr-- 2 John students 4096 May 17 11:59 data
Domain/object
chatter
guru.c
data
Owner
Read, write,
execute
Read, write
Read, write,
execute
group
Read, execute
Read
Read, execute
world
Read, execute
Read
1-13
Use of Access Matrix
If a process in Domain Di tries to do “op”
on object Oj, then “op” must be in the
access matrix.
Can be expanded to dynamic protection.
Special operations to change content of access
matrix
Change access rights:
• copy an access right from one domain to another
• owner rights
Access Matrix with Copy Rights
Access Matrix With Owner Rights
Use of Access Matrix (Cont.)
Access matrix design separates mechanism
from policy.
Policy
• User dictates policy.
• Who can access what object and in what mode.
Mechanism
• Operating system provides access-matrix + rules.
• It ensures that the matrix is only manipulated by
authorized agents and that rules are strictly
enforced.
Security
1-18
The Security Problem
Security must consider external environment of the system, and
protect the system resources
Intruders (crackers) attempt to breach security (malicious access):
Unauthorized reading of data
Unauthorized modifications of data
Unauthorized destruction of data
Preventing legitimate use of the systems (denial of service)
User Authentication
Protection (earlier discussed) majorly
dependent on user authentication
Based on use of Passwords
Biometrics is another option but
Still not implemented
Not cost-effective yet
Use of Passwords
Passwords are mutually agreed-upon code words, assumed to
be known only to the user and the system.
The use of passwords is fairly straightforward. A user
enters some piece of identification, such as a name or an
assigned user ID, if the identification matches that on file
for the user, the user is authenticated to the system.
If the identification match fails, the user is rejected by the
system.
Attacks on Passwords
Try all possible passwords
exhaustive or brute force attack
Is this impossible to create?
Try many probable passwords
Users do not likely select a password
uncommon, hard to spell or pronounce, very long
Try passwords likely for the user
Password generally is meaningful to the user
Attacks on Passwords (cont’)
Encrypted password (used in UNIX)
Flaw was user tends to select a meaningful password (a word
in the dictionary)
System encrypts the word and stores the encrypted version
The process is irreversible, so apparently secure
Dictionary attack
Off-line cluster attack
Many Password Selection Criteria
Use characters other than just A-Z
Choose long passwords
Avoid actual names or words
Choose an unlikely password
Change the password regularly
Don’t write it down
Don’t tell anyone else
The Authentication Process
Intentionally slow
This makes exhaustive attack infeasible
Identify intruder from the normal user
Some who continuously fails to login may not be
an authorized user.
System disconnect a user after three to five
failed logins
What is the flaw?
Program Threats
Trojan Horse
Code segment that misuses its environment
Exploits mechanisms for allowing programs written by users to be
executed by other users
Spyware, pop-up browser windows, covert channels
PWSteal.Tarno.Q - registers itself as a browser helper (key logger)
Trap Door
Specific user identifier or password that circumvents normal
security procedures
Could be included in a program
Combination of trojan horse and trap door even fatal
• Trojan.Lodeight.A opens a Back-door on TCP port 1084
How to defend against such program threats
Analyze the execution patterns of the Trojan Horses & Trapdoors
1.
2.
3.
4.
The malicious code is executed without user intervention.
The malicious code may be directed by a remote attacker once a connection is made.
Resources used by the malicious code, such as file names and network addresses, are hardcoded in the binary.
OS resources (processes, memory) used by the malicious code may be consumed for the
purpose of degrading performance.
A key characteristic of Trojan Horses and Trapdoors is that they cannot be invoked
by the attacker and are autonomous – at least until a connection is made.
Program Threats (contd.)
Stack and Buffer Overflow
Exploits a bug in a program (overflow either the stack or memory
buffers)
Simple example code
#include <string.h>
void foo (char *bar)
{
char c[12];
strcpy(c, bar); // no bounds checking...
}
int main (int argc, char **argv)
{
foo(argv[1]);
}
Stack Buffer Overflow
Before data is copied.
"hello" is the first
command line argument.
"AAAAAAAAAAAAAAA
AAAAA\x08\x35\xC0\
x80" is the first
command line argument.
System and Network Threats
Worms – use spawn mechanism; standalone program
Morris worm
Exploited UNIX networking features (remote access) and bugs
in finger and sendmail programs
Grappling hook program uploaded main worm program
System and Network Threats
Denial of Service
Easier than penetration attacks
Overload the targeted computer preventing it
from doing any useful work
Distributed denial-of-service (DDOS) come
from multiple sites at once
Open tcp connection (never closing one)
Security Through Domain Separation Via Firewall