Upload
arthur-darrell-potter
View
239
Download
2
Tags:
Embed Size (px)
Citation preview
Chapter 4 – Protection in General Chapter 4 – Protection in General Purpose Operating SystemsPurpose Operating Systems
Protection features provided by Protection features provided by general-purpose operating systems—general-purpose operating systems—protecting memory, files, and the protecting memory, files, and the execution environmentexecution environment
Controlled access to objectsControlled access to objects User authenticationUser authentication
Protected Objects and Methods of Protected Objects and Methods of ProtectionsProtections
1rst OS were simple utilities – 1rst OS were simple utilities – executivesexecutives Multiprogramming OS required Multiprogramming OS required monitorsmonitors
which oversaw each program’s executionwhich oversaw each program’s execution Protected objectsProtected objects
• MemoryMemory• Sharable I/O devices (disks)Sharable I/O devices (disks)• Serially reusable devices (printers)Serially reusable devices (printers)• Shareable programs & subproceduresShareable programs & subprocedures• NetworksNetworks• Shareable DataShareable Data
Security Methods of Operating SystemsSecurity Methods of Operating Systems
Physical Separation Physical Separation (different processes (different processes use different objects)use different objects)
Temporal Separation Temporal Separation (processes executed (processes executed at different times)at different times)
Logical Separation Logical Separation (process appears to be (process appears to be alone)alone)
Cryptographic Separation Cryptographic Separation (processes (processes conceal data and computations)conceal data and computations)
Security Methods of Operating SystemsSecurity Methods of Operating Systems
Want to be able to share resources Want to be able to share resources without compromising securitywithout compromising security• Do not protectDo not protect• Isolate different processesIsolate different processes• Share all or nothingShare all or nothing• Share via access limitation Share via access limitation (granularity)(granularity)
• Share by capabilitiesShare by capabilities• Limit use of an objectLimit use of an object
Memory & Address ProtectionMemory & Address Protection
Fence Fence – confines user to one side of boundary– confines user to one side of boundary
• Use predefined memory addressesUse predefined memory addresses• Can protect OS, but not one user from anotherCan protect OS, but not one user from another
Relocation Relocation – changes all addresses of – changes all addresses of program using offsetprogram using offset
Base/Bounds RegistersBase/Bounds Registers• Uses variable fence register (base Uses variable fence register (base
register) to provide lower boundregister) to provide lower bound• Uses bounds register for upper addressUses bounds register for upper address
Memory & Address ProtectionMemory & Address Protection
Tagged ArchitectureTagged Architecture• Every word of machine memory has extra bits Every word of machine memory has extra bits
to indicate access rights (expensive)to indicate access rights (expensive) Segmentation Segmentation (program divided into pieces)(program divided into pieces)
• Each segment has name & offsetEach segment has name & offset Each address reference is checked for protectionEach address reference is checked for protection Different classes of data can be assigned different levels of Different classes of data can be assigned different levels of
protectionprotection Users can share access to segmentsUsers can share access to segments User cannot access an unpermitted segmentUser cannot access an unpermitted segment
Paging Paging (program uses equal sized “pages”; (program uses equal sized “pages”; memory divided into equal sized page frames)memory divided into equal sized page frames)
Control of Access to General Control of Access to General ObjectsObjects
MemoryMemory File/data setFile/data set Program in memoryProgram in memory Directory of filesDirectory of files Hardware deviceHardware device Data structure (stack)Data structure (stack) Operating system tableOperating system table Instructions (privileged)Instructions (privileged) Passwords / user authentication mechanismPasswords / user authentication mechanism Protection mechanismProtection mechanism
Goals in protecting objectsGoals in protecting objects
Check every accessCheck every access Enforce least privilegeEnforce least privilege Verify acceptable usageVerify acceptable usage
Directory mechanismDirectory mechanism
Each user (subject) has a file Each user (subject) has a file directory, which lists all files directory, which lists all files accessible by useraccessible by user
List can become too large if many List can become too large if many shared objectsshared objects
Cannot revoke rights of everyone to Cannot revoke rights of everyone to an objectan object
File names for different owners may File names for different owners may be differentbe different
Access Control ListAccess Control List
One list for each object with list One list for each object with list showing all subjects & their access showing all subjects & their access rightsrights
Can use wildcards to limit size of ACLCan use wildcards to limit size of ACL Access Control MatrixAccess Control Matrix
• Rows for subjectsRows for subjects• Columns for objectsColumns for objects• Sparse matrix of triples <subjects, Sparse matrix of triples <subjects,
objects, rights>objects, rights>
CapabilityCapability
Unforgeable token that gives Unforgeable token that gives possessor rights to an objectpossessor rights to an object
Predecessor of KerberosPredecessor of Kerberos Can propagate capabilities to other Can propagate capabilities to other
subjectssubjects Capabilities must be stored in Capabilities must be stored in
inaccessible memoryinaccessible memory
Procedure-Oriented Access ControlProcedure-Oriented Access Control
Procedure that controls access to Procedure that controls access to objects including what subjects can objects including what subjects can do to objectsdo to objects
File Protection MechanismsFile Protection Mechanisms
All-None ProtectionAll-None Protection• Lack of trustLack of trust• All or nothingAll or nothing• Timesharing issuesTimesharing issues• ComplexityComplexity• File listingsFile listings
File Protection MechanismsFile Protection Mechanisms
Group ProtectionGroup Protection• User cannot belong to two groupsUser cannot belong to two groups• Forces one person to be multiple usersForces one person to be multiple users• Forces user to be put into all groupsForces user to be put into all groups• Files can only be shared within groupsFiles can only be shared within groups
File Protection MechanismsFile Protection Mechanisms
Single PermissionsSingle Permissions• Password/Token for each filePassword/Token for each file
Can be lostCan be lost InconvenientInconvenient Must be protected (if changed, must notify Must be protected (if changed, must notify
all users)all users)
• Temporary Acquired PermissionTemporary Acquired Permission UNIX’s UNIX’s set userid (suid)set userid (suid)
User AuthenticationUser Authentication
Something the user Something the user knowsknows (password, (password, PIN, passphrase, mother’s maiden name)PIN, passphrase, mother’s maiden name)
Something the user Something the user hashas (ID, key, (ID, key, driver’s license, uniform)driver’s license, uniform)
Something the user Something the user isis ((biometricsbiometrics))
Use of PasswordsUse of Passwords
Mutually agreed-upon code words, Mutually agreed-upon code words, assumed known only to user and assumed known only to user and systemsystem
First line of defenseFirst line of defense Loose-Lipped SystemsLoose-Lipped Systems
• WELCOME TO XYZ COMPUTINGWELCOME TO XYZ COMPUTING• ENTER USER ID: summersENTER USER ID: summers• INVALID USER NAMEINVALID USER NAME• ENTER USER ID:ENTER USER ID:
Attack on PasswordsAttack on Passwords
Ask the userAsk the user Search for the system list of passwordsSearch for the system list of passwords
• Find a valid user ID Find a valid user ID • Create a list of possible passwords (encrypt if Create a list of possible passwords (encrypt if
needed) needed) • Rank the passwords from high to low Rank the passwords from high to low
probability probability • Try each password Try each password • If attempt fails, try again (don't exceed If attempt fails, try again (don't exceed
password lockout) password lockout)
Attack on PasswordsAttack on Passwords
Exhaustive Attack (Exhaustive Attack (brute-forcebrute-force))• 18,278 passwords of 3 letters or less18,278 passwords of 3 letters or less• 1 password / millisecond would take 18 1 password / millisecond would take 18
seconds (8 minutes for 4 letters, 3.5 hours for seconds (8 minutes for 4 letters, 3.5 hours for 5 letters)5 letters)
Probable passwords (Probable passwords (dictionary attackdictionary attack))• 80,000 word dictionary would take 80 80,000 word dictionary would take 80
secondsseconds• Expanded “dictionary”Expanded “dictionary”
Attack on PasswordsAttack on Passwords
UK Study UK Study (http://www.cnn.com/2002/TECH/ptech/03/13/dangerous.passwo(http://www.cnn.com/2002/TECH/ptech/03/13/dangerous.passwords/?related)rds/?related)
• 50% passwords were family names50% passwords were family names• Celebrities/soccer stars – 9% eachCelebrities/soccer stars – 9% each• Pets – 8%Pets – 8%• 10% reflect a fantasy10% reflect a fantasy• Only 10% use cryptic combinationsOnly 10% use cryptic combinations
Attack on PasswordsAttack on Passwords Look on desk…Look on desk… Try no passwordTry no password Try user IDTry user ID Try user’s nameTry user’s name Common words Common words (password, private, secret)(password, private, secret) Short dictionaryShort dictionary Complete English word listComplete English word list Common non-English dictionariesCommon non-English dictionaries Dictionary with capitalization and substitutions Dictionary with capitalization and substitutions
(0 for o and 1 for i)(0 for o and 1 for i) Brute force (lowercase alphabet)Brute force (lowercase alphabet) Brute force (full character set)Brute force (full character set)
Attack on PasswordsAttack on Passwords
Plaintext System Password List (MS Plaintext System Password List (MS Windows)Windows)
Encrypted Password List – 1-way Encrypted Password List – 1-way (/etc/passwd)(/etc/passwd)
Shadow Password List (/etc/shadow)Shadow Password List (/etc/shadow) SaltSalt – 12-bit number formed from – 12-bit number formed from
system time and process id; system time and process id; concatenated to passwordconcatenated to password
Password Selection CriteriaPassword Selection Criteria
Use characters other than A-ZUse characters other than A-Z Choose long passwordsChoose long passwords Avoid names and wordsAvoid names and words Choose unlikely passwordChoose unlikely password Change password regularly Change password regularly (don’t reuse)(don’t reuse)
Don’t write it downDon’t write it down Don’t tell anyoneDon’t tell anyone http://www.mit.edu/afs/sipb/project/doc/passwordhttp://www.mit.edu/afs/sipb/project/doc/password
s/passwords.htmls/passwords.html One-time passwordsOne-time passwords
AuthenticationAuthentication
Should be slow (5-10 seconds)Should be slow (5-10 seconds) Should only allow a limited # of Should only allow a limited # of
failures (e.g. 3)failures (e.g. 3) Challenge-Response SystemsChallenge-Response Systems Impersonation of LoginImpersonation of Login Authentication Other than PasswordsAuthentication Other than Passwords