Protection and Security

Operating system consists of a collection of
objects, hardware or software
Each object has a unique name and can be
accessed through a well-defined set of
operations (hopefully)
Protection and security problem - ensure that
each object is accessed correctly and only by
those processes of authorized users that are
allowed to do so
2
Protection and Security cont.
OS designer faces challenge of creating a
protection scheme that cannot be bypassed
by any software that may be created in the
future
Networking adds to the problem as it allows
access to a computer and its resources
without being in the same physical location
See next frame

3
Protection: Internal Access Authorization

[Figure: diagram relating Protection to Internal Access Authorization]

4
Policy vs. Mechanism
An organization's security policy defines the
rules for authorizing access to its computers
and information resources
A particular strategy that dictates the way a
mechanism is used to achieve specific goals
Protection mechanisms are tools for
implementing the organization's security
policy

5
Policy & Mechanism
A security policy is a strategy that dictates the way
a mechanism is used to achieve a specific goal
Accountants have access to payroll files
OS processes have access to the page table
Client process has access to information provided by a
server
A protection mechanism is a set of components
used to implement any one of different sets of
strategies
Authentication
Authorization
Cryptography
6
Policy & Mechanism cont.
Example - Computers in lab
Policy: can only be used by students registered
for graduate classes
Mechanism: authentication via username and
password; set up via class list and request

Policy: students may only have N bytes of
storage space
Mechanism: establish a quota system on disk

7
Policy & Mechanism cont.
The security policy specifies the ways
resources should be shared among members
of the organization and with members
external to the organization
The mechanism is the specific steps and tools
provided by the system to enforce the policy

8
Security Goals

[Figure: Machine X holds Resources W, X, Y and Z and runs Processes A and B, which access the resources with read or read/write rights; Process C on Machine Y reaches Machine X's resources over the network only through Authentication and Authorization.]

9
Implementing Policy & Mechanism

Policies selected by system administrators
after the OS and protection mechanisms have
been designed and implemented
OS designer must foresee all the policies that
may be selected and implement the
mechanisms accordingly
Very difficult task usually handled by
sending out patches as security holes are
found
10
The Security Problem
Security must consider the external environment
of the system, and protect it from:
unauthorized access
malicious modification or destruction
accidental introduction of inconsistency
Easier to protect against accidental than
malicious misuse

11
Authentication Mechanisms
Basis of most protection mechanisms
Two types of authentication
External: verify the user
Usually username/password combination
May require two passwords or other identification
Internal: verify the process
Don't allow one user's process to appear to be that of
another user
Network access accentuates the problem
Is the computer who it says it is?
12
User Authentication
Three types of authentication:
Something a user knows
e.g. a password, a combination, answers to personal
questions
Something a user has
e.g. a badge, a smart card, a key
Something a user is
e.g. fingerprint, signature, voice print, hand geometry,
retinal blood vessel pattern

13
Authentication
User identity most often established through
passwords, can be considered a special case
of either keys or capabilities.
Passwords must be kept secret.
Frequent change of passwords.
Use of non-guessable passwords.
Log all invalid access attempts.
Encryption

14
User Authentication
Possible mechanisms
Recognize repeated login attempts
Disconnect after some threshold is reached
Disregard correct passwords after some threshold of
failures has been reached
Make the login process slow to handle computer-
generated attempts

15
Network Authentication
Need to be able to communicate between
computers without significantly increasing
the overhead involved
Most typical access is for file transport
Email
Messages
File downloading
Obtaining network services

16
Program Threats
Trojan Horse
Code segment that misuses its environment.
Exploits mechanisms for allowing programs
written by users to be executed by other users.
Trap Door
Specific user identifier or password that
circumvents normal security procedures.
Could be included in a compiler.

17
System Threats
Worms use spawn mechanism; standalone program
Internet worm
Exploited UNIX networking features (remote access) and
bugs in finger and sendmail programs.
Grappling hook program uploaded main worm program.
Viruses fragment of code embedded in a legitimate
program.
Mainly affect microcomputer systems.
Downloading viral programs from public bulletin boards or
exchanging floppy disks containing an infection.
Safe computing.

18
The confinement problem
How do we prevent a program from leaking
information to others?
It is not as simple as preventing IPC and I/O
A covert channel is a hidden means of
communicating information
e.g. sending bits by manipulating the CPU load

19
Threat Monitoring
Check for suspicious patterns of activity
e.g., several incorrect password attempts may
signal password guessing.
Audit log records the time, user, and type of
all accesses to an object; useful for recovery
from a violation and developing better
security measures.
Scan the system periodically for security
holes; done when the computer is relatively
unused.
20
Threat Monitoring cont.
Check for:
Short or easy-to-guess passwords
Unauthorized set-uid programs
Unauthorized programs in system directories
Unexpected long-running processes
Improper directory protections
Improper protections on system data files
Dangerous entries in the program search path (Trojan
horse)
Changes to system programs: monitor checksum values

21
Authorization
Is this user/process allowed to access the
resource under the current policy?
What type of access is allowable?
Read
Write
Execute
Append

22
Internal Access Authorization
Internal authorization is part of the task of
managing resource sharing
The goal is to protect one process's resources
from the actions of other processes

23
Protection Problems
Sharing parameters
Process calls a procedure in another process's
address space, which then modifies parameters,
so that when the original process regains control,
variables in its address space have been changed
Confinement
Contain all rights to resources so that they do not
propagate outside some chosen set of processes

24
Protection Problems cont.
Allocating rights
A process provides another process with specific
rights to use its resources; should be a temporary
allocation; but what if 2nd process passes those
rights on to other processes without knowledge or
permission of original process (the owner of the
resource)
Trojan horse
Special case of allocating rights: client process
invokes a service program which then takes
advantage of the client process's rights
25
Lampson's Protection Model
Active parts (e.g., processes or threads)
Act on behalf of users
Operate in different protection domains
The set of rights a process has at any given time
Subject is a process executing in a specific
domain
Passive parts are called objects
Correspond to resources
NOTE: not related to OOP terminology
26
Model
Want mechanism to implement different
security policies for subjects to access
objects
Many different policies must be possible
Policy may change over time

27
Protection System
Composed of
Set of objects
Set of subjects
Set of rules specifying protection policy
Represents accessibility of objects by
subjects
Guarantees that the protection state is
checked for each access of an object by a
subject

28
A Protection System

[Figure, built up across slides 29 to 33: Subjects (S) on the left, Objects (X) on the right, a Protection State between them, and a State Transition governed by Rules that are chosen by Policy]
S desires access to X
Protection state reflects current ability to access X
State transition: authorities can change
Rules: what are the rules for changing authority?
Policy: how are the rules chosen?

33
Access Matrix
The protection state can be represented using an
access matrix
An access matrix A has one row for each subject and one
column for each object
Note: subjects are also objects (processes controlling processes)
Each entry A[S, X] is a set that describes the access rights
held by subject S to object X
Access authentication
If subject S initiates an access of type α to X, then:
if α ∈ A[S, X], the access is valid; if α ∉ A[S, X], the
access is invalid.
34
Protection System Example

[Figure, built up across slides 35 to 38: S desires access α to X. The protection system generates an unforgeable ID for S and creates the record (S, α, X); the access matrix captures the protection state; the Monitor for X performs access authentication by checking the record against the protection state.]

38
Example
Suppose a simple system
Subjects = {S1, S2, S3}
Objects = subjects ∪ {F1, F2, D1, D2}
F denotes files, D devices
Let the access matrix be

      S1       S2       S3       F1       F2       D1     D2
S1    control  block    control  read*             seek   owner
               wakeup   owner    write*
               owner
S2             control  stop     owner    update   owner  seek*
S3                      control  delete   execute
                                          owner

39
Example cont.
The * is called a copy flag
It allows the process to transfer an access
right to another process

40
Example cont.
If S2 attempts to update access to F2
It initiates access
Causing protection system to create record of
form (S2, update, F2)
Record given to monitor for F2
Monitor checks access table
Since access is valid, S2 is allowed to update F2

41
Example cont.
If S2 attempts execute access to F2
It initiates access
Causing protection system to create record of
form (S2, execute, F2)
Record given to monitor for F2
Monitor checks access table
Since access is invalid, S2 is not allowed to
execute F2
Violation is reported to OS
42
Changing Protection State

[Figure: the Protection System diagram of slide 33, highlighting how state changes are handled by the State Transition and its Rules, which are chosen by Policy]

43
Policy Rules Example
Using the access matrix of slide 39:

Rules for a Particular Policy

Rule  Command by S0               Authorization                            Effect
1     transfer(α|α*) to (S, X)    α* ∈ A[S0, X]                            A[S, X] = A[S, X] ∪ {α|α*}
2     grant(α|α*) to (S, X)       owner ∈ A[S0, X]                         A[S, X] = A[S, X] ∪ {α|α*}
3     delete α from (S, X)        control ∈ A[S0, S] or owner ∈ A[S0, X]   A[S, X] = A[S, X] - {α}

44
Policy Rules Example
The policy rules determine who controls the
propagation of the various types of access
Access may be
Transferred: process must have copy flag for right
Granted: process must be owner of object
Don't need copy flag
Deleted: process must own or control object
Example: rule 1 determines what rights can be
transferred from one process to another
Command: transfer(α|α*) to (S, X)
Authorization: α* ∈ A[S0, X]
S1 can transfer read or read* access to S2 or S3 for F1
because S1 has the copy flag set

45
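The access matrix of slide 39 and the three policy rules of slide 44, as an added example (not from the slides): a monitor that performs access authentication and enforces transfer, grant and delete, with walkthrough() replaying slides 41, 42 and 45. The class and function names are this example's own.

```python
from copy import deepcopy

class AccessViolation(Exception):
    """Raised when a rule's authorization fails; the OS is told of the violation."""

# Access matrix of slide 39: A[S][X] is a set of rights; a trailing '*' is the copy flag.
EXAMPLE_MATRIX = {
    "S1": {"S1": {"control"}, "S2": {"block", "wakeup", "owner"},
           "S3": {"control", "owner"}, "F1": {"read*", "write*"},
           "D1": {"seek"}, "D2": {"owner"}},
    "S2": {"S2": {"control"}, "S3": {"stop"}, "F1": {"owner"},
           "F2": {"update"}, "D1": {"owner"}, "D2": {"seek*"}},
    "S3": {"S3": {"control"}, "F1": {"delete"}, "F2": {"execute", "owner"}},
}

def base(right):
    """Strip the copy flag: 'read*' -> 'read'."""
    return right.rstrip("*")

class ProtectionSystem:
    def __init__(self, matrix):
        self.A = deepcopy(matrix)  # only the monitor may read or write the matrix

    def rights(self, s, x):
        return self.A.setdefault(s, {}).setdefault(x, set())

    def check(self, s, a, x):
        """Access authentication: the monitor for X decides on the record (S, a, X)."""
        return a in {base(r) for r in self.rights(s, x)}

    def transfer(self, s0, right, s, x):
        """Rule 1: S0 passes a or a* to (S, X) only if S0 holds a* (copy flag) on X."""
        if base(right) + "*" not in self.rights(s0, x):
            raise AccessViolation(f"{s0} lacks the copy flag for {base(right)} on {x}")
        self.rights(s, x).add(right)

    def grant(self, s0, right, s, x):
        """Rule 2: the owner of X gives a or a* to (S, X); no copy flag needed."""
        if "owner" not in self.rights(s0, x):
            raise AccessViolation(f"{s0} does not own {x}")
        self.rights(s, x).add(right)

    def delete(self, s0, right, s, x):
        """Rule 3: S0 removes a from (S, X) if S0 controls S or owns X."""
        if "control" not in self.rights(s0, s) and "owner" not in self.rights(s0, x):
            raise AccessViolation(f"{s0} neither controls {s} nor owns {x}")
        self.rights(s, x).discard(base(right))
        self.rights(s, x).discard(base(right) + "*")

def walkthrough():
    """Slides 41, 42, 45: S2's (update F2, execute F2), then S2 read F1 after S1's transfer."""
    ps = ProtectionSystem(EXAMPLE_MATRIX)
    before = (ps.check("S2", "update", "F2"), ps.check("S2", "execute", "F2"))
    ps.transfer("S1", "read", "S2", "F1")  # valid: S1 holds read* on F1
    return before, ps.check("S2", "read", "F1")  # ((True, False), True)
```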
Protection State
The copy flag and rules are designed to
prevent indiscriminate propagation of access
rights among subjects
Right can only be propagated when owner
transfers copy flag to another subject
Subject may then transfer right with or without
copy flag
This transfer may be nondestructive (first subject
keeps access) or destructive (first subject loses
access)
46
Results of Rules
These rules (along with a few others) define a
protection system that addresses the
problems mentioned earlier:
Masquerading: subject must be authenticated and
given unforgeable signature
Confinement and allocating rights: rights are
restricted to a designated set of subjects
An untrusted subsystem must be memoryless
(confined with respect to its ability to retain
information or leak it to other subjects)
47
Results of Rules cont.
Sharing of parameters: allow only indirect access
to objects by untrusted subjects
Create gatekeeper subject to protect object from
unwanted accesses by untrusted subjects
Trojan horses: problem caused by process
assuming rights of another while acting on its
behalf
this model distinguishes between two processes using
the same rights on different subjects
Many rule sets may solve problem for specific
policies, but don't guarantee solution independent of
policy

48
Cost of Protection Mechanisms
Basic protection model requires that each
resource access be passed through a monitor
before request can be granted
This may introduce a substantial performance
cost
Need to decide if performance hit is justified
If information MUST be secure, the cost of
performance is not an issue

49
Implementing Internal Authorization
Protection model describes logical set of
components that can be used
What implementations are cost effective?
How can an access matrix be implemented efficiently?
Need to consider
Access matrix not only possible representation
Access matrix must be secured; only read and written by
selected processes
Goal is to route all accesses through protection monitor
Protection system should be able to authenticate the
source of each request
Monitor must be protected process to implement the rules
Must not be possible for other subjects to compromise monitor

50
Protection Domain
The particular set of rights a process has at
any given time
Two level domain architecture
Supervisor domain: has more rights than user
User domain: fewer rights than supervisor

[Figure: the user domain and the supervisor domain drawn as two nested domains]

51
Protection Domains
The two-level domain can be generalized to a
set of N concentric rings
Domain ring architecture for protection

[Figure: N concentric rings labeled R0 (innermost), RS+1 and RN-1 (outermost). The innermost rings have more rights than the outermost ones.]

52
Protection Domains cont.
Inner rings have higher authority
Ring 0 corresponds to supervisor mode
Rings 1 to S have decreasing protection, and are
used to implement the OS
Rings S+1 to N-1 have decreasing protection,
and are used to implement applications
Lampson model uses processes and domains
-- how is a domain implemented?
Supervisor/user hardware mode bit
Software extensions -- rings
53
Protection Domains cont.
Ring crossing is a domain change
Inner ring crossing: rights amplification
Specific gates for crossing
Protected by an authentication mechanism
Outer ring crossing uses less-protected
objects
No authentication
Need a return path
Used in Multics and Intel 80386 (& above)
hardware
54
Implementing Access Matrix
Usually a sparse matrix
Too expensive to implement as a table
Implement as a list of table entries
Column oriented list is called an access
control list (ACL)
List kept at the object
UNIX file protection bits are one example
Row oriented list is called a capability list
List kept with the subject (i.e., process)
Kerberos ticket is a capability
55
Unix Protection Scheme
Mode of access: read, write, execute
Three classes of users

                       RWX
a) owner access    7   111
b) group access    6   110
c) public access   1   001

56
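The UNIX protection bits of slide 56 evaluated as the column-oriented ACL kept with the object (slide 55), as an added example that is not from the slides. The Inode and Subject types and the PAYROLL file are constructed for the example; the block also shows a real UNIX detail the slide does not: exactly one class (owner, else group, else public) applies to a requester, with no fall-through to a more permissive class.

```python
from dataclasses import dataclass

READ, WRITE, EXEC = 4, 2, 1  # the r, w, x bits of one class

@dataclass(frozen=True)
class Inode:
    owner_uid: int
    group_gid: int
    mode: int  # nine permission bits, e.g. 0o761 = rwx rw- --x

@dataclass(frozen=True)
class Subject:
    uid: int
    gids: frozenset

# Constructed sample object with the slide's mode 7 / 6 / 1 (owner rwx, group rw-, public --x).
PAYROLL = Inode(owner_uid=1000, group_gid=50, mode=0o761)

def acl(inode):
    """The object's column of the access matrix: one rwx triple per user class."""
    out = {}
    for shift, name in ((6, "owner"), (3, "group"), (0, "public")):
        bits = (inode.mode >> shift) & 0o7
        out[name] = "".join(c if bits & b else "-" for c, b in zip("rwx", (4, 2, 1)))
    return out

def class_bits(inode, subject):
    """Select the single triple that applies: owner, else group, else public (no fall-through)."""
    if subject.uid == inode.owner_uid:
        return (inode.mode >> 6) & 0o7  # a) owner access
    if inode.group_gid in subject.gids:
        return (inode.mode >> 3) & 0o7  # b) group access
    return inode.mode & 0o7  # c) public access

def permitted(inode, subject, want):
    """True if every requested bit (READ | WRITE | EXEC) is set in the subject's class."""
    return (class_bits(inode, subject) & want) == want
```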
Protection Domains
A capability is a unique, global name for an
access right to an object in the system
A protection domain is a set of capabilities to
perform certain actions on certain objects
A process can move from protection domain to
protection domain so, at any point, it has exactly
the capabilities it needs for the current job (the
principle of least privilege)
This is more flexible than associating capabilities
directly with a process
57
More on Capabilities
Provides an address to object from a very
large address space
Possession of a capability represents
authorization for access
Implied properties:
Capabilities must be very difficult to guess
Capabilities must be unique and not reused
Capabilities must be distinguishable from
randomly generated bit patterns
58
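The three implied properties of slide 58 in working form, as an added example that is not from the slides: a capability is 128 random bits (hard to guess, never reused) followed by an HMAC tag under a key held only by the protection monitor, so a genuine capability is distinguishable from any random bit pattern. The CapabilityTable class and its method names are this example's own.

```python
import hashlib
import hmac
import secrets

class CapabilityTable:
    """The protection monitor's table: mints, resolves and revokes capabilities."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)  # known only to the monitor
        self.issued = {}       # name -> (object, frozenset(rights))
        self.retired = set()   # names that must never be handed out again

    def _tag(self, name):
        # The tag is what makes a real capability distinguishable from a random pattern.
        return hmac.new(self.key, name, hashlib.sha256).digest()[:16]

    def issue(self, obj, rights):
        """Mint a capability: 128 random bits (hard to guess, unique) plus a 128-bit tag."""
        name = secrets.token_bytes(16)
        while name in self.issued or name in self.retired:  # uniqueness, no reuse
            name = secrets.token_bytes(16)
        self.issued[name] = (obj, frozenset(rights))
        return name + self._tag(name)

    def resolve(self, cap):
        """Return (object, rights) for a genuine, live capability, else None."""
        if len(cap) != 32:
            return None
        name, tag = cap[:16], cap[16:]
        if not hmac.compare_digest(tag, self._tag(name)):  # forged or random bits
            return None
        return self.issued.get(name)  # None if revoked or never issued

    def permits(self, cap, right):
        """Possession of the capability is the authorization; check the right it names."""
        entry = self.resolve(cap)
        return entry is not None and right in entry[1]

    def revoke(self, cap):
        entry = self.resolve(cap)
        if entry is not None:
            self.retired.add(cap[:16])
            del self.issued[cap[:16]]
        return entry is not None
```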
Cryptography
Even in secure OS, information will
sometimes be temporarily unprotected
Ex.: while being transferred from one part of
OS to another, as in Kerberos authentication
strategy
Information can be encoded using a key
when it is written (or transferred) --
encryption
It is then decoded using a key when it is
read (or received) -- decryption
59
More on Cryptography

[Figure: plaintext --encryption--> ciphertext --decryption--> plaintext]

60
Two Basic Strategies
Details of encryption and decryption are
unknown
Functions are complex making it difficult to
guess how translation is accomplished
Details are known, but the keys are secret
and difficult to forge
Difficult to guess a key

61
More on Cryptography

[Figure: plaintext -> Encrypt (key Ke) -> C = E_Ke(plaintext) -> Decrypt (key Kd) -> plaintext]
Ke = encryption key
Kd = decryption key

62
More on Cryptography

[Figure: the same pipeline, with an Invader who captures C and uses side information in an attempt to recover the plaintext]

63
Cryptographic Systems

[Figure: taxonomy of cryptographic systems]
Conventional Systems: Ke and Kd are essentially the same
Modern Systems:
  Private Key: Ke and Kd are private
  Public Key: Ke is public, Kd is private

64
Encryption
Encrypt clear text into cipher text.
Properties of good encryption technique:
Relatively simple for authorized users to encrypt and decrypt data.
Encryption scheme depends not on the secrecy of the algorithm but on a
parameter of the algorithm called the encryption key
Extremely difficult for an intruder to determine the encryption key
Data Encryption Standard substitutes characters and
rearranges their order on the basis of an encryption key
provided to authorized users via a secure mechanism.
Scheme only as secure as the mechanism.

65
Encryption - cont.
Public-key encryption based on each user having two
keys:
public key: published key used to encrypt data.
private key: key known only to the individual user, used to
decrypt data.
Must be an encryption scheme that can be made
public without making it easy to figure out the
decryption scheme.
Efficient algorithm for testing whether or not a number is
prime.
No efficient algorithm is known for finding the prime
factors of a number.
66
Public Key Cryptography
Clear text encrypted by public key can be
decrypted by private key, and vice versa
Two users can generate authenticated, private
communications
Information is signed by user 1 and encrypted
with user 1's private key
The entire message is then encrypted with user
2's public key and transmitted
User 2 then decrypts using user 2's private key
and then with user 1's public key
67
