Outline • Announcements • Protection and security
advertisement
Outline
• Announcements
• Protection and security
Announcements
• Lab 3 is due tomorrow at your demonstration
time
– You have three minutes for preparation and three
minutes to give a demonstration which needs to
convince others and myself that:
• You have implemented the APIs correctly
• Note the penalty for missing an API is 15 points
– Because of the time limit, you better use a script
file of some kind to do your demonstration
5/29/2016
COP4610
2
Announcements – cont.
• Final exam will be on 5:30 - 7:30 pm, Dec. 11,
2003
– Here in LOV 101
• I will have office hours on Sunday, Dec. 7, 2003
– From 10:00am – 5:30 pm except a lunch break
– Unfortunately, I need to attend a conference from
Dec. 8 to Dec. 11 in Canada
– I will be back on Dec. 11 late that night
– I will have another professor to proctor the final
exam
5/29/2016
COP4610
3
Protection and Security
• Operating system consists of a collection of
objects, hardware or software
• Each object has a unique name and can be
accessed through a well-defined set of
operations
• Protection and security problem - ensure that
each object is accessed correctly and only by
those processes of authorized users that are
allowed to do so
5/29/2016
COP4610
4
Allowing Only Authorized Access
Subject
Authorized
Access
Subject
Unauthorized
Access
5/29/2016
Authentication
Authorization
Secure
Entity
COP4610
5
Protection and Security – cont.
-Authentication
- Internal
- External
- Authorization
-Network security
- Secure entity is not
copied or accessed
during its transit
- Cryptography
5/29/2016
COP4610
6
Policy vs. Mechanism
• An organization’s security policy defines the
rules for authorizing access to its computers
and information resources
– A particular strategy that dictates the way a
mechanism is used to achieve specific goals
• Protection mechanisms are tools for
implementing the organization’s security
policy
5/29/2016
COP4610
7
Internal Access Authorization
• Internal authorization is part of the task of
managing resource sharing
– The goal is to protect one process’s resources
from the actions of other processes
5/29/2016
COP4610
8
Hardware protection mechanisms
• Processor modes and privileged instructions
only valid in system mode
• Memory protection
• Devices, and in particular disks, are protected
with processor modes and/or memory
protection
5/29/2016
COP4610
9
Software protection mechanisms
• Hardware resources are protected by
hardware protection mechanisms
• Logical resources are only accessed through
system calls
• All system calls must be authorized by a
protection monitor
– The protection monitor accesses the protection
database to make decisions
5/29/2016
COP4610
10
Protection monitors for file access
5/29/2016
COP4610
11
Protection monitors in an OS
5/29/2016
COP4610
12
A Protection System
5/29/2016
COP4610
13
A Protection System
Subjects
Objects
S
a
X
•S desires a access to X
5/29/2016
COP4610
14
A Protection System
Subjects
Objects
S
Protection
State
X
•S desires a access to X
•Protection state reflects
current ability to access X
5/29/2016
COP4610
15
A Protection System
Subjects
Objects
S
•S desires a access to X
•Protection state reflects
current ability to access X
•Authorities can change
5/29/2016
Protection
State
X
State
Transition
COP4610
16
A Protection System
Subjects
Objects
S
•S desires a access to X
•Protection state reflects
current ability to access X
•Authorities can change
•What are rules for
changing authority?
5/29/2016
Protection
State
X
State
Transition
Rules
COP4610
17
A Protection System
Subjects
Objects
S
•S desires a access to X
•Protection state reflects
current ability to access X
•Authorities can change
•What are rules for
changing authority?
•How are the rules chosen?
5/29/2016
Protection
State
X
State
Transition
Rules
Policy
COP4610
18
Protection System Example
a
X
S
•S desires a access to X
5/29/2016
COP4610
19
Protection System Example
X
S
X
•S desires a access to X
•Captures the protection state
S
a
Access matrix
5/29/2016
COP4610
20
S
Access
authentication
(S, a, X)
Protection System Example
X
X
•S desires a access to X
•Captures the protection state
•Generates an unforgeable ID
S
a
Access matrix
5/29/2016
COP4610
21
S
Access
authentication
(S, a, x)
Protection System Example
Monitor
X
X
•S desires a access to X
•Captures the protection state
•Generates an unforgeable ID
•Checks the access against
the protection state
5/29/2016
S
COP4610
a
22
Access Matrix
• The protection state can be represented using
an access matrix
– An access matrix A has one row for each subject
and one column for each object
– Each entry A[S, X] is a set that describes the
access rights held by subject S to object X
• Access authentication
– If subject S initiates type a access to X then
if a A[S,X], the access is valid. If a A[S, X],
the access is invalid.
5/29/2016
COP4610
23
An Access Matrix Example
5/29/2016
COP4610
24
Use of Access Matrix
• If a process in Domain Di tries to do “op” on
object Oj, then “op” must be in the access
matrix.
• Can be expanded to dynamic protection.
– Operations to add, delete access rights.
– Special access rights:
•
•
•
•
5/29/2016
owner of Oi
copy op from Oi to Oj
control – Di can modify Djs access rights
transfer – switch from domain Di to Dj
COP4610
25
Use of Access Matrix - cont.
• Access matrix design separates mechanism
from policy
– Mechanism
• Operating system provides Access-matrix + rules
• If ensures that the matrix is only manipulated by
authorized agents and that rules are strictly enforced
– Policy
• User dictates policy
• Who can access what object and in what mode
5/29/2016
COP4610
26
Domain Structure
• Access-right = <object-name, rights-set>
Rights-set is a subset of all valid operations
that can be performed on the object.
• Domain = set of access-rights that a subject
has at any given time
5/29/2016
COP4610
27
Changing Protection State
5/29/2016
COP4610
28
Protection domains
• A capability is a unique, global name for an access right
to an object in the system
• A protection domain is a set of capabilities to perform
certain actions on certain objects
• A process can move from protection domain to
protection domain so, at any point, it has exactly the
capabilities it needs for the current job (the principle of
least privilege)
• This is more flexible than associating capabilities
directly with a process
5/29/2016
COP4610
29
Ring Architecture for Protection Domains
5/29/2016
COP4610
30
Domain Implementation
• UNIX
– Domain = user-id
– Domain switch accomplished via file system.
• Each file has associated with it a domain bit (setuid bit).
• When file is executed and setuid = on, then user-id is set
to owner of the file being executed. When execution
completes user-id is reset.
5/29/2016
COP4610
31
Implementing the Access Matrix
• Usually a sparse matrix
– Too expensive to implement as a table
– Implement as a list of table entries
• Column oriented list is called an access
control list (ACL)
– List kept at the object
– UNIX file protection bits are one example
• Row oriented list is a called a capability list
– List kept with the subject (i.e., process)
– Kerberos ticket is a capability
– Mach mailboxes protected with capabilities
5/29/2016
COP4610
32
a
5/29/2016
X
X
a
a
a
X
a
Resource Descriptor
X
Resource Descriptor
S
X
X
a
Resource Descriptor
Access Control Lists
Derived from an Access Matrix
• Store the Access
Matrix by columns
• Each ACL is kept at the
object
• UNIX file protection
bits are one example
• Windows resource
managers also use
ACLs for protection
COP4610
33
Access Control Example
S1
S1
S2
S3
control
S2
S3
F1
F2
block
wakeup
owner
control
owner
read*
write*
control
stop
owner
update
control
delete
execute
owner
D1
D2
seek
owner
owner
seek*
Access List of F2
{S2, {update}} {S3,{execute, owner}}
5/29/2016
COP4610
34
Capability Lists
Derived from an Access Matrix
X
S
a
S
a
S
a
S
a
• Store the Access
Matrix by rows
• List kept with the
subject (i.e., process)
• Examples
– Ticket to a concert
– Kerberos ticket
– Mach mailboxes
Process Descriptor
a
S
Process Descriptor
a
S
Process Descriptor
5/29/2016
COP4610
35
Capability List Example
S1
S1
S2
S3
control
S2
S3
F1
F2
block
wakeup
owner
control
owner
read*
write*
control
stop
owner
update
control
delete
execute
owner
D1
D2
seek
owner
owner
seek*
Capability list of S2
{S2, {control}} {S3, {stop}} {F1, {owner}}
{F2, {update}} {D1, {owner}} {D2, seek*}}
5/29/2016
COP4610
36
More on Capabilities
• Provides an address to object from a very
large address space
• Possession of a capability represents
authorization for access
• Implied properties:
– Capabilities must be very difficult to guess
– Capabilities must be unique and not reused
– Capabilities must be distinguishable from
randomly generated bit patterns
5/29/2016
COP4610
37
Revocation of Access Rights
• Access List – Delete access rights from access list.
– Simple
– Immediate
• Capability List – Scheme required to locate
capability in the system before capability can be
revoked.
–
–
–
–
Reacquisition
Back-pointers
Indirection
Keys
5/29/2016
COP4610
38
Unix Protection Scheme
• Mode of access: read, write, execute
• Three classes of users
RWX
5/29/2016
a) owner access
7
b) groups access
6
c) public access
1
COP4610
111
RWX
110
RWX
001
39
The Security Problem
• Security must consider external environment
of the system, and protect it from
– unauthorized access.
– malicious modification or destruction
– accidental introduction of inconsistency.
• Easier to protect against accidental than
malicious misuse
5/29/2016
COP4610
40
User authentication
• Three types of authentication:
– Something a user knows
• e.g. a password, a combination, answers to personal
questions
– Something a user has
• e.g. a badge, a smart card, a key
– Something a user is
• e.g. fingerprint, signature, voice print, hand geometry,
retinal blood vessel pattern
5/29/2016
COP4610
41
Authentication
• User identity most often established through
passwords, can be considered a special case
of either keys or capabilities.
• Passwords must be kept secret.
– Frequent change of passwords.
– Use of “non-guessable” passwords.
– Log all invalid access attempts.
• Encryption
5/29/2016
COP4610
42
Program Threats
• Trojan Horse
– Code segment that misuses its environment.
– Exploits mechanisms for allowing programs
written by users to be executed by other users.
• Trap Door
– Specific user identifier or password that
circumvents normal security procedures.
– Could be included in a compiler.
5/29/2016
COP4610
43
System Threats
• Worms – use spawn mechanism; standalone program
• Internet worm
– Exploited UNIX networking features (remote access) and
bugs in finger and sendmail programs.
– Grappling hook program uploaded main worm program.
• Viruses – fragment of code embedded in a legitimate
program.
– Mainly effect microcomputer systems.
– Downloading viral programs from public bulletin boards or
exchanging floppy disks containing an infection.
5/29/2016
COP4610
44
The confinement problem
• How do we prevent a program from leaking
information to others?
• It is not as simple as preventing IPC and I/O
• A covert channel is a hidden means of
communication information
– e.g. sending bits by manipulating the CPU load
5/29/2016
COP4610
45
The Morris Internet Worm
5/29/2016
COP4610
46
Threat Monitoring
• Check for suspicious patterns of activity –
i.e., several incorrect password attempts may
signal password guessing.
• Audit log – records the time, user, and type of
all accesses to an object; useful for recovery
from a violation and developing better
security measures.
• Scan the system periodically for security
holes; done when the computer is relatively
unused.
5/29/2016
COP4610
47
Threat Monitoring – cont.
• Check for:
–
–
–
–
–
–
–
Short or easy-to-guess passwords
Unauthorized set-uid programs
Unauthorized programs in system directories
Unexpected long-running processes
Improper directory protections
Improper protections on system data files
Dangerous entries in the program search path (Trojan
horse)
– Changes to system programs: monitor checksum values
5/29/2016
COP4610
48
Encryption
5/29/2016
COP4610
49
Encryption – cont.
• Encrypt clear text into cipher text.
• Properties of good encryption technique:
– Relatively simple for authorized users to encrypt and decrypt
data.
– Encryption scheme depends not on the secrecy of the
algorithm but on a parameter of the algorithm called the
encryption key
– Extremely difficult for an intruder to determine the
encryption key
5/29/2016
COP4610
50
Cryptography
• Information can be encoded using a key
when it is written (or transferred) -encryption
• It is then decoded using a key when it is
read (or received) -- decryption
• Very widely used for secure network
transmission
5/29/2016
COP4610
51
More on Cryptography
encryption
plaintext
ciphertext
decryption
5/29/2016
COP4610
52
More on Cryptography
Ke
plaintext
5/29/2016
Encrypt
Kd
C = EKe(plaintext)
COP4610
Decrypt
plaintext
53
More on Cryptography
Ke
plaintext
Encrypt
Side information
5/29/2016
Kd
C = EKe(plaintext)
Invader
COP4610
Decrypt
plaintext
plaintext
54
Cryptographic Systems
Cryptographic Systems
Modern Systems
Conventional Systems
•Ke and Kd are
essentially the
same
5/29/2016
Private Key
•Ke and Kd are
private
COP4610
Public Key
•Ke is public
•Kd is private
55
Private Key Cryptography
• Data encryption standard (DES)
– It is a block cipher that crypts 64-bit data blocks
using a 56-bit key
– Two basic operations
• Permutation
• Substitution
– Three stages
• Initial permutation stage
• Complex transformation stage
• Final permutation stage
5/29/2016
COP4610
56
Private Key Cryptography – cont.
5/29/2016
COP4610
57
Private Key Cryptography – cont.
5/29/2016
COP4610
58
Private Key Cryptography – cont.
5/29/2016
COP4610
59
Public Key Cryptography
• Private key cryptography and conventional
cryptographic techniques require the
distribution of secret keys
– Known as the key distribution problem
• Public key cryptography solves the key
distribution problem by making the
encryption procedure and the associated key
available in the public domain
5/29/2016
COP4610
60
Public Key Cryptography – cont.
• Now it is possible for two users to have a
secure communication even they have not
communicated before
• Implementation issues
– One-way functions
5/29/2016
COP4610
61
RSA Method
• The encryption key is a pair (e, n)
• The decryption key is a pair (d, n)
5/29/2016
COP4610
62
RSA Method – cont.
• Generating the private and public key
requires four steps
–
–
–
–
Choose two very large prime numbers, p and q
Compute n = p x q and z = (p – 1) x (q – 1)
Choose a number d that is relatively prime to z
Compute the number e such that e x d = 1 mod z
5/29/2016
COP4610
63
Authentication
• In distributed systems, authentication means
verifying the identity of communicating
entities to each other
– The assumption is that the communication
network is not secure in that an intruder can copy
and play back a message on the network
– The textbook called it “interactive secure
connections”
5/29/2016
COP4610
64
Authentication – cont.
• Authentication based on a shared secret key.
5/29/2016
COP4610
65
Authentication – cont.
• Authentication based on a shared secret key,
but using three instead of five messages.
5/29/2016
COP4610
66
Authentication – cont.
• The reflection attack.
5/29/2016
COP4610
67
Authentication Using Public-Key Cryptography
• Mutual authentication in a public-key cryptosystem.
5/29/2016
COP4610
68
Message Integrity and Confidentiality
• Message integrity means that messages are
protected against modification
• Confidentiality ensures that messages cannot be
intercepted and read by eavesdroppers
• Digital signatures
– A user cannot forge the signature of other users
– A sender of a signed message cannot deny the
validity of his signature on the message
– A recipient of a signed message cannot modify
the signature in the message
5/29/2016
COP4610
69
Digital Signatures
• Digital signing a message using public-key cryptography.
5/29/2016
COP4610
70
Digital Signatures – cont.
5/29/2016
COP4610
71
Digital Signatures – cont.
• Digitally signing a message using a message digest.
5/29/2016
COP4610
72
Kerberos
Authentication
Server
Client
Server
5/29/2016
COP4610
73
Kerberos
Authentication
Server
Encrypted for client
Encrypted for server
Ticket
Client ID
Session Key
Client
Session Key
Server
5/29/2016
COP4610
74
Kerberos
Authentication
Server
Encrypted for client
Encrypted for server
Ticket
Client ID
Session Key
Session Key
Client
Session Key
Server
5/29/2016
COP4610
75
Kerberos
Authentication
Server
Encrypted for client
Encrypted for server
Ticket
Client ID
Session Key
Session Key
Session Key
Client
Ticket
Client ID
Session Key
5/29/2016
COP4610
Server
Client ID
Session Key
76
A Digital Rights Management System
Publisher
Style
Editor
Style
Distributor, etc
Rights
Editor
Raw
Rights
•Other parties may contribute
to rights spec
Translate
API
Server
5/29/2016
Content
Repository
Distribute
Query
API
Admin
Client
Consumer
InTransit
COP4610
Serve
Consumable
Playback
77
Electronic Payment Systems
•
Payment systems based
on direct payment
between customer and
merchant.
a)
b)
c)
Paying in cash.
Using a check.
Using a credit card.
5/29/2016
COP4610
78
Electronic Payment Systems – cont.
• Payment systems based on money transfer between banks.
a) Payment by money order.
b) Payment through debit order.
5/29/2016
COP4610
79
E-cash
5/29/2016
COP4610
80
Windows NT/2000/XP Logon
Winlogon
process
Local Security Authority Subsystem
(Lsass)
LSA*
Netlogon
Server
Authentic.
Network
LSA
Policy
Active
Directory
Active
Directory
SAM**
Server
SAM
User Space
Supervisor Space
Security Reference Monitor
(SRM)
5/29/2016
* Local Security Authority
** Security Accounts
Manager (SAM)
COP4610
81
Summary
• “None of the protection systems that exist
today ... are completely fail-safe. The best we
can do is to make it as difficult as possible for
somebody to break a security device or get
inside
• Authentication
• Authorization
– Access matrix and implementations of access
matrix
5/29/2016
COP4610
82
