Page 1: Protection and Security

Protection and Security

Daniel Fernandez

Student Presentation

CS5204 – Operating Systems 1

Page 2: Protection and Security


Outline

• Protection goals
• Principle of least privilege and protection mechanisms
• Protection domains
• Access matrix and access control
• Formal methods of a protection system
• Security components and threats
• Summary


Page 3: Protection and Security


Protection

Goals:
• Prevent mischievous, intentional violation of an access restriction by a user.
• Ensure each active program component uses system resources only in ways consistent with policies.
• Improve reliability.
• Provide a mechanism for enforcement of policies governing resource use.


Page 4: Protection and Security


Principles of Protection

Principle of least privilege
• Dictates that programs, users, and even systems be given just enough privileges to perform their tasks.
• Failure or compromise of a component does minimum damage and allows recovery from damage. Ex: security guard with a passkey.
• Separate user accounts (RBAC). Provides mechanisms to enable privileges when needed and remove them when not needed.
• Does not always provide a more secure environment. Example: Windows 2000.


Page 5: Protection and Security


Protection Mechanisms

Mechanism                        Description
No protection                    Sensitive procedures run at separate times.
Isolation                        Each process runs separately from others.
Share all or nothing             Object declared public or private.
Share via access limitation      OS checks permissibility of each access by user.
Share via dynamic capabilities   Dynamic creation of sharing rights for objects.
Limit use of an object           Limits access as well as use of object.


• Policies and mechanisms – different things!
• Separation of policies and mechanism

Page 6: Protection and Security


Protection Domain Structure

• The set of access rights is the domain. Access right = <object-name, rights-set>
• Rights-set is the set of all valid operations that can be performed on an object.
• Need-to-know principle.
• Static and dynamic associations.


Page 7: Protection and Security


Domain Example: Unix

• Domain is associated with the user. Domain switching requires changing the user ID temporarily: an owner identification and a domain bit (setuid bit) are associated with each file. When setuid is on and a user executes that file, the user ID is set to that of the owner of the file; when setuid is off, the user ID does not change.
• Example: User A executes a file owned by user B whose setuid bit is off; the user ID of the process is set to A. If setuid is on, the user ID is set to B.
• Useful when an otherwise privileged facility needs to be made available to general users.
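The setuid rule above, as an added example that is not part of the presentation: `effective_uid` applies the slide's rule to a file mode, and `find_setuid_files` is the audit an administrator runs to enumerate every setuid file (every domain switch point) under a directory. The uid values and the temporary file in `demo_audit` are constructed for illustration.

```python
import os
import stat
import tempfile


def effective_uid(invoker_uid: int, owner_uid: int, mode: int) -> int:
    """Rule from the slide: if the file's setuid bit is on, the process runs
    with the user ID of the file's owner; otherwise the invoking user's ID is
    unchanged.  `mode` is an st_mode value as returned by os.stat()."""
    if mode & stat.S_ISUID:
        return owner_uid
    return invoker_uid


def find_setuid_files(root: str):
    """Audit helper: walk `root` and return (path, owner uid, mode string) for
    every regular file whose setuid bit is set.  lstat is used so symbolic
    links are not followed; unreadable entries are skipped, not fatal."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_uid, stat.filemode(st.st_mode)))
    return sorted(found)


def demo():
    """Constructed scenario: user A (uid 1000) executes a file owned by
    user B (uid 2000), once with setuid off and once with it on."""
    user_a, user_b = 1000, 2000
    off = effective_uid(user_a, user_b, 0o100755)  # -rwxr-xr-x -> stays 1000
    on = effective_uid(user_a, user_b, 0o104755)   # -rwsr-xr-x -> becomes 2000
    return off, on


def demo_audit():
    """Create one constructed setuid file in a temporary directory and audit it.
    Returns (bit_honored, basenames found); some filesystems refuse the bit,
    so the caller is told whether it was actually stored."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "tool")
        open(p, "w").close()
        os.chmod(p, 0o4755)  # an owner may set the setuid bit on their own file
        honored = bool(os.lstat(p).st_mode & stat.S_ISUID)
        names = [os.path.basename(path) for path, _uid, _mode in find_setuid_files(d)]
    return honored, names


if __name__ == "__main__":
    print(demo())
    print(demo_audit())
```

On a real system the audit is run over directories such as system binary paths; the list is reviewed against what is expected to be there, since each entry is a program that switches the caller into the owner's domain.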


Page 8: Protection and Security


Access Matrix

• Consists of sets of objects (O) and subjects (S).
• r(s, o) belongs to the set of rights (R).


From: “Protection in Operating Systems”, Harrison and Ruzzo, 1976.

Page 9: Protection and Security


Implementation of Access Matrix

Two most used approaches:
• Access Control Lists
• Capability Lists


Access matrix (objects are files):

Users   File1   File2   File3
user1   RWX     RX      RW
user2   ---     RWX     R

R (Read), W (Write), X (Execute)

Capability lists, one per user:

user1   File1:RWX   File2:RX    File3:RW
user2   File1:---   File2:RWX   File3:R
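The two implementations of the access matrix, as an added example that is not part of the presentation. The matrix is the one from the slide, embedded as a constructed literal; `capability_lists` is the row view (rights stored with the subject), `access_control_lists` the column view (rights stored with the object), and `permitted` is the check the OS makes on each access. The two `revoke_all_access_to` functions go beyond the slide to show why the choice matters: revoking all access to one object is a single step with ACLs but a walk over every subject with capability lists.

```python
from typing import Dict, Set

# Constructed sample: the access matrix from the slide.  Rows are subjects
# (users), columns are objects (files), each cell is the rights set r(s, o).
ACCESS_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "user1": {"File1": {"R", "W", "X"}, "File2": {"R", "X"},      "File3": {"R", "W"}},
    "user2": {"File1": set(),           "File2": {"R", "W", "X"}, "File3": {"R"}},
}


def capability_lists(matrix):
    """Row view: each subject carries its own list of (object, rights).
    Empty cells are left out, which is what makes the rows sparse."""
    return {s: {o: set(r) for o, r in row.items() if r}
            for s, row in matrix.items()}


def access_control_lists(matrix):
    """Column view: each object carries the list of (subject, rights)."""
    acls: Dict[str, Dict[str, Set[str]]] = {}
    for s, row in matrix.items():
        for o, rights in row.items():
            if rights:
                acls.setdefault(o, {})[s] = set(rights)
    return acls


def permitted(matrix, subject, obj, right):
    """The check the OS makes on each access: is `right` in r(s, o)?
    An unknown subject or object has no rights, so the default is deny."""
    return right in matrix.get(subject, {}).get(obj, set())


def revoke_all_access_to(acls, obj):
    """With ACLs, removing everyone's access to an object is one deletion:
    the object's own list is dropped."""
    acls.pop(obj, None)
    return acls


def revoke_all_access_to_via_caps(caps, obj):
    """With capability lists the object has no record of who holds rights
    to it, so the same revocation must visit every subject's list."""
    for subject_caps in caps.values():
        subject_caps.pop(obj, None)
    return caps


if __name__ == "__main__":
    print(capability_lists(ACCESS_MATRIX))
    print(access_control_lists(ACCESS_MATRIX))
    print(permitted(ACCESS_MATRIX, "user2", "File1", "R"))  # no rights in that cell
```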

Page 10: Protection and Security


Access Control

• Role-Based Access Control (RBAC).
• Revolves around privileges, where a privilege is the right to execute a system call or use a system option.


Page 11: Protection and Security


Formal Protection System Model

• Configuration of protection system: (S, O, P), where P = access matrix and P[s,o] = subset of generic rights R.
• A protection system consists of 1) R and 2) commands.

Command form:

    command a(X1, X2, …, Xk)
      if r1 in (Xs1, Xo1) and
         r2 in (Xs2, Xo2) and
         …
         rm in (Xsm, Xom)
      then op1
           op2
           …
           opn
    end

or, if m is zero,

    command a(X1, X2, …, Xk)
      op1
      op2
      …
      opn
    end

Page 12: Protection and Security


Formal Protection System Model (cont.)

Operation op takes configuration (S, O, P) to (S', O', P'). Examples:

1) Process creates new file:

   Rule: op = create object o'
         o' not in O, S' = S, O' = O ∪ {o'}

       command CREATE(process, file)
         create object file
         enter own into (process, file)
       end

2) Owner revokes another subject's access rights to file:

   Rule: op = delete r from (s,o)
         S = S', O = O', and P'[s, o] = P[s, o] – {r}

       command REMOVEr(owner, exfriend, file)
         if own in (owner, file) and
            r in (exfriend, file)
         then delete r from (exfriend, file)
       end
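The command form from the previous slide and the two examples above, as an added example that is not part of the presentation. `ProtectionSystem` holds a configuration (S, O, P) with P stored sparsely as a dict keyed by (subject, object); the primitive operations `create_object`, `enter` and `delete` follow the rules stated above, and `CREATE` and `REMOVE` are the two slide commands. As in the model, a command's conditions are all tested before any primitive operation runs, so a failed condition leaves the configuration unchanged. The subject and object names in `demo` are constructed.

```python
class ProtectionSystem:
    """Configuration (S, O, P) of the formal model on the slides.
    P[(s, o)] is the set of generic rights subject s holds on object o;
    subjects are also objects, so S is a subset of O."""

    def __init__(self, generic_rights):
        self.R = frozenset(generic_rights)
        self.S = set()
        self.O = set()
        self.P = {}

    def rights(self, s, o):
        return self.P.get((s, o), set())

    def has(self, r, s, o):
        """The condition test 'r in (s, o)'."""
        return r in self.rights(s, o)

    # --- primitive operations -------------------------------------------
    def create_subject(self, s):
        if s in self.O:
            raise ValueError(f"{s!r} already exists")
        self.S.add(s)
        self.O.add(s)

    def create_object(self, o):
        """op = create object o': requires o' not in O; S' = S, O' = O ∪ {o'}."""
        if o in self.O:
            raise ValueError(f"{o!r} already exists")
        self.O.add(o)

    def enter(self, r, s, o):
        """op = enter r into (s, o): P'[s, o] = P[s, o] ∪ {r}."""
        self._check(r, s, o)
        self.P.setdefault((s, o), set()).add(r)

    def delete(self, r, s, o):
        """op = delete r from (s, o): P'[s, o] = P[s, o] - {r}."""
        self._check(r, s, o)
        self.P.get((s, o), set()).discard(r)

    def _check(self, r, s, o):
        if r not in self.R:
            raise ValueError(f"{r!r} is not a generic right")
        if s not in self.S or o not in self.O:
            raise ValueError("subject or object is not in the configuration")

    # --- the two commands from the slides --------------------------------
    def CREATE(self, process, file):
        """command CREATE(process, file): m = 0, so there is no condition."""
        self.create_object(file)
        self.enter("own", process, file)

    def REMOVE(self, r, owner, exfriend, file):
        """command REMOVEr(owner, exfriend, file).  Both conditions are tested
        first; if either fails nothing changes and False is returned."""
        if self.has("own", owner, file) and self.has(r, exfriend, file):
            self.delete(r, exfriend, file)
            return True
        return False


def demo():
    """Constructed scenario: alice creates a file and grants bob read; bob
    cannot revoke anything because he does not own it; alice revokes bob."""
    ps = ProtectionSystem({"own", "read", "write"})
    ps.create_subject("alice")
    ps.create_subject("bob")
    ps.CREATE("alice", "notes")
    ps.enter("read", "bob", "notes")
    before = set(ps.rights("bob", "notes"))
    bob_tries = ps.REMOVE("read", "bob", "alice", "notes")   # own not in (bob, notes)
    alice_revokes = ps.REMOVE("read", "alice", "bob", "notes")
    return before, bob_tries, alice_revokes, set(ps.rights("bob", "notes"))


if __name__ == "__main__":
    print(demo())
```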


Page 13: Protection and Security


Language-Based Protection

• Protection systems have also focused on the functional nature of an access to an object.
• Policies vary depending on the application. Application designers use protection as a tool as well.

Protection in Java
• The Java virtual machine (JVM) has many built-in protection mechanisms.
• Code loaded into the JVM may come from different sources and not be equally trusted. As a result, protection in all areas of the JVM is necessary.
• The JVM assigns a loaded class to a protection domain.


Page 14: Protection and Security


What is Security in an Operating System

Security in an operating system revolves around 4 elements:
• Confidentiality
• Integrity
• Availability
• Authenticity

Security threats:
• Interception
• Interruption
• Modification
• Fabrication

Protection is an internal problem. Security is external.


Page 15: Protection and Security


Implementing Security Defenses

• Security policy
• Vulnerability assessment
• Intrusion detection
• Virus protection
• Auditing, accounting, and logging


Page 16: Protection and Security


Spyware

Description: Malware that is loaded onto a PC without the owner's knowledge. Runs in the background doing things behind the owner's back. Gathers info from the owner and communicates it back to its distant master.

Actions against spyware:
• Anti-spyware programs (Spybot, Ad-aware, Spyware Doctor).
• Security practices to prevent infection: avoid using Internet Explorer, use firewalls to block certain websites, surf and download more safely.
• May require reinstallation of the operating system.


Page 17: Protection and Security


Summary

Protection: internal problem
• Role of protection is to provide a mechanism for enforcement of policies.
• Protection domain specifies the resources that a process may access.
• Access matrix is a representation of the protection domains model.

Security: external problem
• Systems have to protect against threats in the form of interception, interruption, modification, and fabrication.
• Security defenses to fight off threats.
