Protection and Security
Daniel Fernandez
Student Presentation
CS5204 – Operating Systems
Outline
Protection goals
Principle of least privilege and protection mechanisms
Protection domains
Access matrix and access control
Formal model of a protection system
Security components and threats
Summary
Protection
Goals:
  Prevent mischievous, intentional violation of an access restriction by a user.
  Ensure each active program component uses system resources only in ways consistent with policies.
  Improve reliability.
  Provide a mechanism for enforcement of policies governing resource use.
Principles of Protection
Principle of least privilege:
  Failure or compromise of a component does minimum damage and allows recovery from the damage.
  Dictates that programs, users, and even systems be given just enough privileges to perform their tasks.
  Example: a security guard with a passkey.
  Separate user accounts (RBAC).
  Provides mechanisms to enable privileges when needed and remove them when not needed.
  Does not always provide a more secure environment. Example: Windows 2000.
Protection Mechanisms

Mechanism                        Description
No protection                    Sensitive procedures run at separate times.
Isolation                        Each process runs separately from others.
Share all or nothing             Object declared public or private.
Share via access limitation      OS checks permissibility of each access by user.
Share via dynamic capabilities   Dynamic creation of sharing rights for objects.
Limit use of an object           Limits access as well as use of object.

• Policies and mechanisms are different things!
• Separation of policy and mechanism.
Protection Domain Structure
The set of access rights is the domain.
Access right = <object-name, rights-set>
The rights-set is the set of all valid operations that can be performed on the object.
Need-to-know principle.
Static and dynamic association between a process and a domain.
Domain Example: Unix
The domain is associated with the user.
Domain switching requires changing the user ID temporarily:
  An owner identification and a domain bit (the setuid bit) are associated with each file.
  When setuid is on and a user executes that file, the user ID is set to that of the owner of the file; when setuid is off, the user ID does not change.
  Example: user A executes a file owned by user B. If the file's setuid bit is off, the user ID of the process stays A; if setuid is on, the user ID is set to B.
Useful when an otherwise privileged facility needs to be made available to general users.
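The setuid rule above, as an added example that is not part of the slides: a small Python model using the standard `stat` module. Given a file's mode bits and owner, it returns the user ID (and so the protection domain) a process runs under after exec, and adds the check a defender wants next to any setuid file, namely that nobody but the owner can write it. The uids and mode values are constructed sample data.

```python
# Added example (not from the slides): a model of the Unix setuid domain
# switch. The file's owner and its setuid bit decide which user ID, and so
# which protection domain, a process runs in after exec.
import stat

def effective_uid_after_exec(caller_uid, owner_uid, mode):
    """Return the user ID the process runs as after executing the file.

    setuid on  -> the process switches into the file owner's domain
    setuid off -> the process stays in the caller's domain
    """
    if mode & stat.S_ISUID:
        return owner_uid
    return caller_uid

def is_risky_setuid(mode):
    """A setuid file that is writable by group or others lets whoever can
    write it run code of their choosing in the owner's domain, which defeats
    the least-privilege purpose of the domain switch. Returns True when the
    file is both setuid and writable by a non-owner."""
    writable_by_non_owner = mode & (stat.S_IWGRP | stat.S_IWOTH)
    return bool(mode & stat.S_ISUID) and bool(writable_by_non_owner)

def describe(caller_uid, owner_uid, mode):
    """Render one line: mode as ls -l prints it, owner, caller, resulting uid."""
    uid = effective_uid_after_exec(caller_uid, owner_uid, mode)
    return f"{stat.filemode(mode)} owner={owner_uid} caller={caller_uid} -> runs as {uid}"

# Constructed sample values (hypothetical uids, not from the slides).
UID_A, UID_B = 1001, 1002
MODE_PLAIN = stat.S_IFREG | 0o755                           # -rwxr-xr-x
MODE_SETUID = stat.S_IFREG | stat.S_ISUID | 0o755           # -rwsr-xr-x
MODE_SETUID_WRITABLE = stat.S_IFREG | stat.S_ISUID | 0o777  # setuid and world-writable

if __name__ == "__main__":
    # The slide's example: user A executes a file owned by user B.
    print(describe(UID_A, UID_B, MODE_PLAIN))    # runs as A
    print(describe(UID_A, UID_B, MODE_SETUID))   # runs as B
    print("world-writable setuid file is risky:", is_risky_setuid(MODE_SETUID_WRITABLE))
```

The `s` in the mode string (`-rwsr-xr-x`) is how `ls -l` shows the domain bit; the `is_risky_setuid` check is the kind of condition a filesystem audit script applies to every setuid binary it finds.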
Access Matrix
Consists of a set of objects (O) and a set of subjects (S).
Each entry r(s, o) is drawn from the set of rights (R).
From: "Protection in Operating Systems", Harrison and Ruzzo, 1976.
Implementation of Access Matrix
Two most used approaches:

Access Control Lists (one list per object, i.e. a column of the matrix)

Users     Objects (Files)
          File1   File2   File3
user1     RWX     RX      RW
user2     ---     RWX     R

Legend: R (Read), W (Write), X (Execute)

Capability Lists (one list per user, i.e. a row of the matrix)

user1: File1:RWX, File2:RX, File3:RW
user2: File1:---, File2:RWX, File3:R
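The two implementations above, as an added example that is not part of the original slides: the matrix is the one in the table, and the code derives the ACL view (one entry per object) and the capability-list view (one entry per user) from it, answers access checks from either, and shows why revoking all access to one object is a single-entry change with an ACL but a scan of every subject's list with capabilities. Names and rights are the slide's; the revocation functions are my own illustration.

```python
# Added example (not from the slides): the access matrix from the table,
# implemented as an ACL (column view) and as capability lists (row view).
from collections import defaultdict

RIGHTS = "RWX"   # R (Read), W (Write), X (Execute)

# Constructed from the slide's table: (subject, object) -> set of rights.
ACCESS_MATRIX = {
    ("user1", "File1"): {"R", "W", "X"},
    ("user1", "File2"): {"R", "X"},
    ("user1", "File3"): {"R", "W"},
    ("user2", "File1"): set(),          # shown as --- on the slide
    ("user2", "File2"): {"R", "W", "X"},
    ("user2", "File3"): {"R"},
}

def rights_string(rights):
    """Render a rights set the way the slide prints it: 'RX', 'RW', '---'."""
    return "".join(r for r in RIGHTS if r in rights) or "---"

def to_acl(matrix):
    """Column view: object -> {subject: rights}. Empty entries are omitted,
    which is why an ACL stays short even for a widely shared object."""
    acl = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        if rights:
            acl[obj][subject] = set(rights)
    return dict(acl)

def to_capability_lists(matrix):
    """Row view: subject -> {object: rights}."""
    caps = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        if rights:
            caps[subject][obj] = set(rights)
    return dict(caps)

def acl_allows(acl, subject, obj, right):
    """The OS finds the object's list and looks the subject up in it."""
    return right in acl.get(obj, {}).get(subject, set())

def cap_allows(caps, subject, obj, right):
    """The OS checks the capability the subject holds for the object."""
    return right in caps.get(subject, {}).get(obj, set())

def acl_revoke_object(acl, obj):
    """Revoke every right to obj: drop one ACL entry. Returns affected subjects."""
    return sorted(acl.pop(obj, {}))

def cap_revoke_object(caps, obj):
    """The same revocation with capability lists: the object keeps no record
    of who holds capabilities to it, so every subject's list must be searched."""
    affected = []
    for subject, objs in caps.items():
        if objs.pop(obj, None) is not None:
            affected.append(subject)
    return sorted(affected)

if __name__ == "__main__":
    acl = to_acl(ACCESS_MATRIX)
    caps = to_capability_lists(ACCESS_MATRIX)
    for subject in ("user1", "user2"):
        row = [rights_string(ACCESS_MATRIX[(subject, f)]) for f in ("File1", "File2", "File3")]
        print(subject, *row)
    print("user2 may write File3 (ACL):", acl_allows(acl, "user2", "File3", "W"))
    print("user2 may write File2 (capabilities):", cap_allows(caps, "user2", "File2", "W"))
    print("ACL: File2 revoked from", acl_revoke_object(acl, "File2"))
    print("Capabilities: File2 revoked from", cap_revoke_object(caps, "File2"))
```

Both views are built from the same matrix, so every check gives the same answer; the difference that matters for security operations is in `acl_revoke_object` versus `cap_revoke_object`, which is why systems that use capabilities usually add an indirection or a back-pointer to make revocation tractable.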
Access Control
Role-Based Access Control (RBAC).
Revolves around privileges, where a privilege is the right to execute a system call or use a system option.
Formal Protection System Model
Configuration of a protection system: (S, O, P)
  S = set of subjects, O = set of objects, P = access matrix
  P[s, o] = subset of the generic rights R
A protection system consists of 1) R, the set of generic rights, and 2) a set of commands of the form:

command a(X1, X2, …, Xk)
  if r1 in (Xs1, Xo1) and
     r2 in (Xs2, Xo2) and
     …
     rm in (Xsm, Xom)
  then
    op1
    op2
    …
    opn
end

or, if m is zero (no conditions),

command a(X1, X2, …, Xk)
  op1
  op2
  …
  opn
end
Formal Protection System Model (cont.)
(S, O, P) ⊢op (S', O', P'): the primitive operation op takes configuration (S, O, P) to configuration (S', O', P').
Examples:
1) Process creates a new file:
  Rule: op = create object o'
    o' not in O, S' = S, O' = O ∪ {o'}
  command CREATE(process, file)
    create object file
    enter own into (process, file)
  end
2) Owner revokes another subject's access right r to file:
  Rule: op = delete r from (s, o)
    S' = S, O' = O, and P'[s, o] = P[s, o] – {r}
  command REMOVEr(owner, exfriend, file)
    if own in (owner, file) and
       r in (exfriend, file)
    then delete r from (exfriend, file)
  end
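The protection system of the two slides above, executed, as an added example (mine, not code from the slides or from the Harrison-Ruzzo-Ullman paper they cite): a configuration (S, O, P), the primitive operations create object, enter and delete with the rules stated on the slide, a generic `Command` whose guard is checked in full before any operation runs, and the slide's CREATE and REMOVEr commands built from it. I follow the convention that subjects are also objects (S ⊆ O); the subject and file names in the demo are constructed.

```python
# Added example (not from the slides): the formal protection system model run
# on a constructed scenario. A command whose guard fails applies none of its
# operations, so the configuration is unchanged.

class ProtectionSystem:
    """Configuration (S, O, P) over a fixed set of generic rights R."""

    def __init__(self, generic_rights):
        self.R = frozenset(generic_rights)
        self.S = set()    # subjects
        self.O = set()    # objects (subjects are objects too, S ⊆ O)
        self.P = {}       # (s, o) -> set of rights; absent entry means empty

    def rights(self, s, o):
        """P[s, o] as a frozenset."""
        return frozenset(self.P.get((s, o), ()))

    # --- primitive operations: each maps (S, O, P) to (S', O', P') ---
    def create_object(self, o):
        # Rule: o' not in O, S' = S, O' = O ∪ {o'}
        if o in self.O:
            raise ValueError(f"object {o!r} already exists")
        self.O.add(o)

    def create_subject(self, s):
        # New subject: added to both S and O, no rights yet.
        if s in self.O:
            raise ValueError(f"name {s!r} already in use")
        self.S.add(s)
        self.O.add(s)

    def enter(self, r, s, o):
        # Rule: S' = S, O' = O, P'[s, o] = P[s, o] ∪ {r}
        self._check(r, s, o)
        self.P.setdefault((s, o), set()).add(r)

    def delete(self, r, s, o):
        # Rule: S' = S, O' = O, P'[s, o] = P[s, o] - {r}
        self._check(r, s, o)
        self.P.get((s, o), set()).discard(r)

    def _check(self, r, s, o):
        if r not in self.R or s not in self.S or o not in self.O:
            raise ValueError(f"bad operand in ({r}, {s}, {o})")


class Command:
    """command a(X1, ..., Xk): if r1 in (Xs1, Xo1) and ... then op1 ... opn end.

    conditions: list of (right, i, j) meaning right in P[X_i, X_j]
    ops:        list of callables f(system, X) each applying one primitive op
    """

    def __init__(self, name, conditions, ops):
        self.name, self.conditions, self.ops = name, conditions, ops

    def run(self, system, *X):
        # Every condition is tested before any op runs (m = 0 means always).
        for right, i, j in self.conditions:
            if right not in system.rights(X[i], X[j]):
                return False
        for op in self.ops:
            op(system, X)
        return True


# The two commands from the slide, with the slide's parameter order.
CREATE = Command("CREATE", conditions=[], ops=[
    lambda sys_, X: sys_.create_object(X[1]),        # create object file
    lambda sys_, X: sys_.enter("own", X[0], X[1]),   # enter own into (process, file)
])

def remove_command(r):
    """REMOVEr(owner, exfriend, file): one command per generic right r."""
    return Command(f"REMOVE{r}",
                   conditions=[("own", 0, 2), (r, 1, 2)],
                   ops=[lambda sys_, X: sys_.delete(r, X[1], X[2])])


def demo():
    """Constructed scenario: p creates f, grants q read, then revokes it."""
    ps = ProtectionSystem({"own", "read", "write"})
    ps.create_subject("p")
    ps.create_subject("q")
    CREATE.run(ps, "p", "f")
    ps.enter("read", "q", "f")
    remove_read = remove_command("read")
    rejected = remove_read.run(ps, "q", "p", "f")   # q does not own f: guard fails
    revoked = remove_read.run(ps, "p", "q", "f")    # p owns f and q has read
    return {"p_on_f": ps.rights("p", "f"), "q_on_f": ps.rights("q", "f"),
            "rejected": rejected, "revoked": revoked, "objects": frozenset(ps.O)}

if __name__ == "__main__":
    print(demo())
```

The point of checking every condition before applying any operation is that a command is atomic with respect to the configuration: a partially applied REMOVEr could never leave the matrix in a state the rules do not describe.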
Language-Based Protection
Protection systems also focus on the functional nature of an access to an object.
Policies vary depending on the application.
Application designers use protection as a tool as well.
Protection in Java
  The Java virtual machine (JVM) has many built-in protection mechanisms.
  Classes loaded into the JVM may come from different sources and not be equally trusted. As a result, protection in all areas of the JVM is necessary.
  The JVM assigns a loaded class to a protection domain.
What is Security in an Operating System?
Security in an operating system revolves around four elements:
  Confidentiality
  Integrity
  Availability
  Authenticity
Security threats:
  Interception
  Interruption
  Modification
  Fabrication
Protection is an internal problem. Security is an external one.
Implementing Security Defenses
Security Policy
Vulnerability Assessment
Intrusion Detection
Virus Protection
Auditing, Accounting, and Logging
Spyware
Description:
  Malware that is loaded onto a PC without the owner's knowledge.
  Runs in the background doing things behind the owner's back.
  Gathers information from the owner and communicates it back to its distant master.
Actions against spyware:
  Anti-spyware programs (Spybot, Ad-aware, Spyware Doctor).
  Security practices to prevent infection:
    Avoid using Internet Explorer.
    Use firewalls to block certain websites.
    Surf and download more safely.
  May require reinstallation of the operating system.
Summary
Protection
  Internal problem.
  The role of protection is to provide a mechanism for enforcement of policies.
  A protection domain specifies the resources that a process may access.
  The access matrix is a representation of the protection-domain model.
Security
  External problem.
  Systems have to protect against threats in the form of interception, interruption, modification, and fabrication.
  Security defenses fight off those threats.