Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Domain Structure Operating System Concepts

advertisement 
Domain Structure
Operating System Concepts
•
Access-right = <object-name, rights-set>
Rights-set is a subset of all valid operations that can be performed
on the object.
•
Domain = set of access-rights
•
Domain = user, process, or procedure
MODULE 10: PROTECTION & SECURITY
Andrzej Bednarski, Ph.D. student
Department of Computer and Information Science
Linköping University, Sweden
E-mail: andbe@ida.liu.se
URL: http://www.ida.liu.se/~andbe
The lecture notes are mainly based on Silberschatz’s, Galvin’s and Gagne’s book (“Operating System Concepts”, 6th ed.,
Addison-Wesley, 2002). No part of the lecture notes may be reproduced in any form, due to the copyrights reserved by
Addison-Wesley. These lecture notes should only be used for internal teaching purposes at the Linköping University.
10.1
TDDB63 – Operating System Concepts –
TDDB63 – Operating System Concepts –
A. Bednarski
10.4
Protection
Domain Implementation
•
•
•
•
•
•
•
•
System consists of 2 domains:
+ User
+ Supervisor
•
UNIX
+ Domain = user-id
+ Domain switch accomplished via file system.
Each file has associated with it a domain bit (setuid bit).
When file is executed and setuid = on, then user-id is set to
owner of the file being executed. When execution
completes user-id is reset.
Goals of Protection
Domain of Protection
Access Matrix
Implementation of Access Matrix
Revocation of Access Rights
Capability-Based Systems
Language-Based Protection
TDDB63 – Operating System Concepts –
A. Bednarski
10.2
Protection
A. Bednarski
10.5
Multics Rings
•
Operating system consists of a collection of objects, hardware or
software
•
Each object has a unique name and can be accessed through a
well-defined set of operations.
•
Protection problem - ensure that each object is accessed correctly
and only by those processes that are allowed to do so.
•
Need-to-know principle = at any time a process should only be
able to access only resources that it currently requires to
complete its task
TDDB63 – Operating System Concepts –
TDDB63 – Operating System Concepts –
A. Bednarski
•
•
Let Di and Dj be any two domain rings.
If j < i Ÿ Di  Dj
Violates the need-to-know principle
10.3
TDDB63 – Operating System Concepts –
A. Bednarski
10.6
1
Access Matrix
Implementation of Access Matrix
1. Global table
- Large, require I/O, grouping is limited
2. Each column = Access-control list for one object
Defines who can perform what operation.
Domain 1 = Read, Write
Domain 2 = Read
Domain 3 = Read
3. Each Row = Capability List (like a key)
Fore each domain, what operations allowed on what objects.
Object 1 – Read
Object 4 – Read, Write, Execute
Object 5 – Read, Write, Delete, Copy
Figure 1
TDDB63 – Operating System Concepts –
A. Bednarski
4. Lock mechanisms (lock and key)
10.7
TDDB63 – Operating System Concepts –
A. Bednarski
10.10
Matrix with Domains as Objects
Use of Access Matrix
•
If a process in Domain Di tries to do “op” on object Oj, then “op”
must be in the access matrix.
•
Can be expanded to dynamic protection.
+ Operations to add, delete access rights.
+ Special access rights:
owner of Oi
copy op from Oi to Oj
control – Di can modify Djs access rights
transfer – switch from domain Di to Dj
Figure 2
TDDB63 – Operating System Concepts –
A. Bednarski
10.8
Use of Access Matrix (Cont.)
•
TDDB63 – Operating System Concepts –
A. Bednarski
10.11
Access Matrix with Copyrights
Access matrix design separates mechanism from policy.
+ Mechanism
Operating system provides Access-matrix + rules.
OS ensures that the matrix is only manipulated by
authorized agents and that rules are strictly enforced.
+ Policy
User dictates policy.
Who can access what object and in what mode.
TDDB63 – Operating System Concepts –
A. Bednarski
10.9
TDDB63 – Operating System Concepts –
A. Bednarski
10.12
2
Access Matrix With Owner Rights
TDDB63 – Operating System Concepts –
A. Bednarski
Language-Based Protection
10.13
Modified Access Matrix of Figure 2
•
Specification of protection in a programming language allows the
high-level description of policies for the allocation and use of
resources.
•
Language implementation can provide software for protection
enforcement when automatic hardware-supported checking is
unavailable.
•
Interpret protection specifications to generate calls on whatever
protection system is provided by the hardware and the operating
system.
TDDB63 – Operating System Concepts –
A. Bednarski
10.17
A. Bednarski
10.18
Security
•
•
•
•
•
•
TDDB63 – Operating System Concepts –
A. Bednarski
10.14
The Security Problem
Authentication
Program Threats
System Threats
Threat Monitoring
Encryption
TDDB63 – Operating System Concepts –
Revocation of Access Rights
The Security Problem
•
•
•
Security must consider external environment of the system, and
protect it from:
+ unauthorized access.
+ malicious modification or destruction
+ accidental introduction of inconsistency.
•
Easier to protect against accidental than malicious misuse.
•
•
•
Immediate vs delayed
Selective vs general
+ For some users or for all users
Partial vs total
+ Subset of rights associated with an object
Temporary vs permanent
Capability List – Scheme required to locate capability in the
system before capability can be revoked.
+ Reacquisition: periodic revocation of capabilities
+ Back-pointers: Each object maintains a list of pointer to all
capabilities associated with that object
+ Indirection: indirect pointing to objects via a table (global)
+ Keys
TDDB63 – Operating System Concepts –
A. Bednarski
10.15
TDDB63 – Operating System Concepts –
A. Bednarski
10.19
3
Authentication
Threat Monitoring
•
User identity most often established through passwords, can be
considered a special case of either keys or capabilities.
•
Check for suspicious patterns of activity – i.e., several incorrect
password attempts may signal password guessing.
•
Passwords must be kept secret.
+ Frequent change of passwords.
+ Use of “non-guessable” passwords.
+ Log all invalid access attempts.
•
Audit log – records the time, user, and type of all accesses to an
object; useful for recovery from a violation and developing better
security measures.
•
Threat monitoring - Scan the system periodically for security
holes; done when the computer is relatively unused.
TDDB63 – Operating System Concepts –
A. Bednarski
10.20
TDDB63 – Operating System Concepts –
A. Bednarski
Program Threats
Threat Monitoring (Cont.)
•
Trojan Horse
+ Code segment that misuses its environment.
+ Exploits mechanisms for allowing programs written by users to
be executed by other users.
•
•
Trap Door
+ Specific user identifier or password that circumvents normal
security procedures.
+ Could be included in a compiler.
TDDB63 – Operating System Concepts –
A. Bednarski
10.21
Check for:
+ Short or easy-to-guess passwords
+ Unauthorized set-uid programs
+ Unauthorized programs in system directories
+ Unexpected long-running processes
+ Improper directory protections
+ Improper protections on system data files
+ Dangerous entries in the program search path (Trojan horse)
+ Changes to system programs: monitor checksum values
TDDB63 – Operating System Concepts –
A. Bednarski
10.25
Network Security Through Domain
Separation Via Firewall
System Threats
•
Worms – use spawn mechanism; standalone program
•
Internet worm
+ Exploited UNIX networking features (remote access) and bugs
in finger and sendmail programs.
+ Grappling hook program uploaded main worm program.
•
Viruses – fragment of code embedded in a legitimate program.
+ Mainly effect microcomputer systems.
+ Downloading viral programs from public bulletin boards or
exchanging floppy disks containing an infection.
+ Safe computing.
TDDB63 – Operating System Concepts –
10.24
A. Bednarski
10.22
TDDB63 – Operating System Concepts –
A. Bednarski
10.26
4
Encryption
•
Encrypt clear text into cipher text.
•
Properties of good encryption technique:
+ Relatively simple for authorized users to encrypt and decrypt
data.
+ Encryption scheme depends not on the secrecy of the
algorithm but on a parameter of the algorithm called the
encryption key.
+ Extremely difficult for an intruder to determine the encryption
key.
•
Data Encryption Standard substitutes characters and rearranges
their order on the basis of an encryption key provided to
authorized users via a secure mechanism. Scheme only as secure
as the mechanism.
TDDB63 – Operating System Concepts –
A. Bednarski
10.27
Encryption (Cont.)
•
Public-key encryption based on each user having two keys:
+ public key – published key used to encrypt data.
+ private key – key known only to individual user used to
decrypt data.
•
Must be an encryption scheme that can be made public without
making it easy to figure out the decryption scheme.
+ Efficient algorithm for testing whether or not a number is
prime.
+ No efficient algorithm is know for finding the prime factors of
a number.
TDDB63 – Operating System Concepts –
A. Bednarski
10.28
5
Related documents
Operating-System Structures Operating System Concepts
Operating-System Structures Operating System Concepts
Part C
Part C
Virtual Memory Operating Systems Concepts
Virtual Memory Operating Systems Concepts
Processes Operating System Concepts
Processes Operating System Concepts
Module 1: Introduction Operating System Concepts
Module 1: Introduction Operating System Concepts
Computer-System Structures Operating System Concepts Computer System Operation I/O Structure
Computer-System Structures Operating System Concepts Computer System Operation I/O Structure
Memory Management Operating Systems Concepts Background Logical versus Physical Address Space
Memory Management Operating Systems Concepts Background Logical versus Physical Address Space
IPAD AIR Senior Varsity Athlete Contest
IPAD AIR Senior Varsity Athlete Contest
File-System Interface Operating Systems Concepts File Concept Access Methods
File-System Interface Operating Systems Concepts File Concept Access Methods
Process Synchronization Operating System Concepts Background The Critical-Section Problem
Process Synchronization Operating System Concepts Background The Critical-Section Problem
Download
advertisement