Slide 14-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 5

Operating Systems: A Modern Perspective, Chapter 5

Slide 14-1

Copyright © 2004 Pearson Education, Inc.


Slide 14-2


14Protectionand Security


Slide 14-3


Allowing Only Authorized Access

UnauthorizedAccess

AuthorizedAccess

AuthenticationAuthorization

SecureEntity

Subject

Subject


Slide 14-4


Policy & Mechanism

• Protection mechanisms are tools used to implement security policies– Authentication– Authorization– Cryptography

• A security policy reflects an organization’s strategy for authorizing access to the computer’s resources only to authenticated parties– Accountants have access to payroll files– OS processes have access to the page table– Client process has access to information provided by a

server


Slide 14-5


Cryptographically Protected Information

SecureElement

SecureElement

Secure Environment Secure Environment

Secure Container


Slide 14-6


Windows 2000 Logon

Security Reference Monitor(SRM)

Security Reference Monitor(SRM)

NetlogonNetlogon

ActiveDirectory

ActiveDirectory

LSA*Server

LSA*Server

SAM**Server

SAM**Server

Local Security Authority Subsystem(Lsass)

* Local Security Authority** Security Accounts Manager (SAM)

SAMSAMActiveDirectory

ActiveDirectory

LSAPolicy

LSAPolicy

Winlogonprocess

Winlogonprocess

User Space

Supervisor Space

Authentic.Authentic.

Network


Slide 14-7


Security Goals

Resource X

Resource W

Resource Y

Resource ZProcess A

Process B

Process C

• Authentication• Authorization

read

read/write read

read/write

Machine X

Machine Y


Slide 14-8


Authentication

• User/process authentication– Is this user/process who it claims to be?

• Passwords

• More sophisticated mechanisms

• Authentication in networks– Is this computer who it claims to be?

• File downloading

• Obtaining network services

• The Java promise


Slide 14-9


Authorization

• Is this user/process allowed to access the resource under the current policy?

• What type of access is allowable?– Read– Write– Execute– Append


Slide 14-10


Lampson’s Protection Model

• Active parts (e.g., processes)– Operate in different domains– Subject is a process in a domain

• Passive parts are called objects• Want mechanism to implement different

security policies for subjects to access objects– Many different policies must be possible– Policy may change over time


Slide 14-11


A Protection System

Subjects

XS

Objects

•S desires access to X


Slide 14-12


A Protection System

Subjects

XS

Objects

ProtectionState

•S desires access to X•Protection state reflects current ability to access X


Slide 14-13


A Protection System

Subjects

XS

Objects

ProtectionState

StateTransition•S desires access to X

•Protection state reflects current ability to access X•Authorities can change


Slide 14-14


A Protection System

Subjects

XS

Objects

ProtectionState

StateTransition

Rules

•S desires access to X•Protection state reflects current ability to access X•Authorities can change•What are rules for changing authority?


Slide 14-15


A Protection System

Subjects

XS

Objects

ProtectionState

StateTransition

Rules

Policy

•S desires access to X•Protection state reflects current ability to access X•Authorities can change•What are rules for changing authority?•How are the rules chosen?


Slide 14-16


Protection System Example

S X

•S desires access to X


Slide 14-17



S

X

Access matrix

S X

•S desires access to X•Captures the protection state


Slide 14-18



S

X

Access matrix

SAccess

authentication

(S,

, X)

X

•S desires access to X•Captures the protection state•Generates an unforgeable ID


Slide 14-19



S

X

SAccess

authenticationMonitor

(S,

, x)

X

•S desires access to X•Captures the protection state•Generates an unforgeable ID•Checks the access against the protection state


Slide 14-20


Protection State Example

S1

S2

S3

S1 S2 S3 F1 F2 D1 D2

control

control

control

blockwakeupowner

controlowner

stop

delete executeowner

owner update owner seek*

read*write*

seek owner


Slide 14-21


A Protection System

Subjects

XS

Objects

ProtectionState

StateTransition

Rules

Policy

Handling state changes


Slide 14-22


Policy Rules Example

S1

S2

S3

S1 S2 S3 F1 F2 D1 D2

control

control

control

blockwakeupowner

controlowner

stop

delete executeowner

owner update owner seek*

read*write*

seek owner

Rule Command by S0 Authorization Effect1 transfer(|*) to (S, X) *A[S0, X] A[S, X] = A[S, X]{|*}2 grant(|*) to (S, X) ownerA[S0, X] A[S, X] = A[S, X]{|*}3 delete from (S, X) controlA[S0, S] A[S, X] = A[S, X]-{}

orownerA[S0, X]

Rules for a Particular Policy


Slide 14-23


Protection Domains

• Lampson model uses processes and domains -- how is a domain implemented?– Supervisor/user hardware mode bit– Software extensions -- rings

• Inner rings have higher authority– Ring 0 corresponds to supervisor mode– Rings 1 to S have decreasing protection, and

are used to implement the OS– Rings S+1 to N-1 have decreasing protection,

and are used to implement applications


Slide 14-24


Protection Domains (cont)• Ring crossing is a domain change• Inner ring crossing rights amplification

– Specific gates for crossing– Protected by an authentication mechanism

• Outer ring crossing uses less-protected objects– No authentication– Need a return path– Used in Multics and Intel 80386 (& above)

hardware


Slide 14-25


A Two-level Domain Architecture

Supv

User


Slide 14-26


The General Ring Architecture

R0

R1

R2

…

Ri

…


Slide 14-27


Implementing the Access Matrix• Usually a sparse matrix

– Too expensive to implement as a table– Implement as a list of table entries

• Column oriented list is called an access control list (ACL)– List kept at the object– UNIX file protection bits are one example

• Row oriented list is a called a capability list– List kept with the subject (i.e., process)– Kerberos ticket is a capability– Mach mailboxes protected with capabilities


Slide 14-28


Access Control Lists Derived from an Access Matrix

Res

ourc

e D

escr

ipto

r

S

X

X

X

X

X

X

• Store the Access Matrix by columns

• Each ACL is kept at the object

• UNIX file protection bits are one example

• Windows resource managers also use ACLs for protection

Res

ourc

e D

escr

ipto

r

Res

ourc

e D

escr

ipto

r


Slide 14-29


Capability Lists Derived from an Access Matrix

• Store the Access Matrix by rows

• List kept with the subject (i.e., process)

• Examples– Ticket to a concert

– Kerberos ticket

– Mach mailboxes

S

X

S

S

S

Process Descriptor

Process Descriptor

Process Descriptor

S

S


Slide 14-30


More on Capabilities

• Provides an address to object from a very large address space

• Possession of a capability represents authorization for access

• Implied properties:– Capabilities must be very difficult to guess– Capabilities must be unique and not reused– Capabilities must be distinguishable from

randomly generated bit patterns


Slide 14-31


Cryptography

• Information can be encoded using a key when it is written (or transferred) -- encryption

• It is then decoded using a key when it is read (or received) -- decryption

• Very widely used for secure network transmission


Slide 14-32


More on Cryptography

plaintext ciphertext

encryption

decryption


Slide 14-33



plaintext plaintextEncryptEncrypt DecryptDecrypt

Ke Kd

C = EKe(plaintext)


Slide 14-34



plaintext EncryptEncrypt DecryptDecrypt

Ke Kd

C = EKe(plaintext)

InvaderInvaderSide information plaintext

plaintext


Slide 14-35


Cryptographic Systems

Cryptographic Systems

Conventional Systems Modern Systems

Private Key Public Key

•Ke and Kd are essentially the same

•Ke and Kd are private

•Ke is public•Kd is private


Slide 14-36


KerberosAuthentication

Server

Client

Server


Slide 14-37



Server

Client

Server

Client ID

Session Key

Session Key

Encrypted for clientEncrypted for server

Ticket


Slide 14-38



Server

Client

Server

Client ID

Session Key

Session Key


Ticket Session Key


Slide 14-39



Server

Client

Server

Client ID

Session Key

Session Key


Ticket

Client ID

Session Key

Ticket

Session Key

Client ID

Session Key


Slide 14-40


The DES AlgorithmPlainText

PlainText

64-bit Block64-bit Block


Lj-1Lj-1 Rj-1

Rj-1

IPIP

ff Kj = (K, j)

Rj-1Rj-1Rj-1

Rj-1



IP-1IP-1


Slide 14-41


A Digital Rights Management System

InTransit

Raw

Consumable

Serve

Translate

Distribute

ContentRepository

Playback

RightsEditor

Query

Rights

Publisher

Consumer

AP

I

API

Admin

Distributor, etcStyleEditor

Style

Server

Client

•Other parties may contribute to rights spec

Documents

Slide 14-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 5