Chapter 4 Protection in General-Purpose Operating Systems

Transcription

1 Chapter 4 Protection in General-Purpose Operating Systems Charles P. Pfleeger & Shari Lawrence Pfleeger, Security in Computing, 4 th Ed., Pearson Education, An operating system has two goals: controlling shared access implementing an interface to allow that access Underneath those goals are support activities, iti including identification and authentication, naming, filing objects, scheduling, communication among processes, and reclaiming i and reusing objects 2

2 Operating system functions can be categorized as access control identity and credential management if information flow audit and integrity protection Each of these activities iti has security implications Protected Objects and Methods of Protection Protected Objects the rise of multiprogramming i meant that several aspects of a computing system required protection: memory sharable I/O devices, such as disks serially reusable I/O devices, such as printers and tape drives sharable programs and subprocedures networks sharable data 4

3 Security Methods of Operating Systems The basis of protection is separation: keeping one user's objects separate from other users. physical separation, in which h different processes use different physical objects temporal separation, in which processes having different security requirements are executed at different times logical separation, in which users operate under the illusion that no other processes exist, as when an operating system constrains a program's accesses so that the program cannot access objects outside its permitted domain cryptographic separation, in which processes conceal their data and computations in such a way that they are unintelligible to outside processes 5 Security Methods of Operating Systems (Cont d) An operating system can support separation and sharing in several ways, offering protection at any of several levels. Do not protect. toperating systems with no protection ti are appropriate when sensitive procedures are being run at separate times. Isolate. When an operating system provides isolation, different processes running concurrently are unaware of the presence of each other. Each process has its own address space, files, and other objects. The operating system must confine each process somehow so that the objects of the other processes are completely concealed. 6

4 Security Methods of Operating Systems (Cont d) An operating system can support separation and sharing in several ways, offering protection at any of several levels (Cont d) Share all or share nothing. The owner of an object declares it to be public or private. A public object is available to all users, whereas a private object is available only to its owner. Share via access limitation. With protection by access limitation, the operating system checks the allowability of each user's potential access to an object. That is, access control is implemented for a specific user and a specific object. 7 Security Methods of Operating Systems (Cont d) An operating system can support separation and sharing in several ways, offering protection at any of several levels (Cont d) Share by capabilities. An extension of limited it access sharing, this form of protection allows dynamic creation of sharing rights for objects. The degree of sharing can depend on the owner or the subject, on the context of the computation, or on the object itself. Limit use of an object. Limits not just the access to an object but the use made of that object after it has been accessed. For example, a user may be allowed to view a sensitive document, but not to print a copy of it. 8

5 4.2. Memory y and Address Protection Fence - a method to confine users to one side of a boundary. 9 Fence register - used a hardware register containing the address of the end of the operating system. The fence cannot protect t one user from another user 10

6 Relocation - the process of taking a program written as if it began at address 0 and changing all addresses to reflect the actual address at which the program is located in memory. 11 Base/Bounds Registers With two or more users, none can know in advance where a program will be loaded for execution. The relocation register solves the problem by providing a base or starting address. A variable ibl fence register it is generally known as a base register. A bounds register is an upper address limit. 12

7 Base/Bounds Registers (Cont d) 13 Base/Bounds Registers (Cont d) 14

8 Tagged Architecture In some cases you may want to protect some data values but not all Tagged architecture t Every word of machine memory has one or more extra bits to identify the access rights to that word. These access bits can be set only by privileged (operating system) instructions. The bits are tested every time an instruction accesses that location. 15 Tagged Architecture (Cont d) 16

9 Segmentation Involves the simple notion of dividing diidi a program into separate pieces Each piece has a logical l unity, exhibiting a relationship among all of its code or data values. Each segment has a unique name. A code or data item within a segment is addressed as the pair <name, offset>, where name is the name of the segment containing the data item and offset is its location within the segment 17 Segmentation (Cont d) 18

10 Segmentation (Cont d) Translation of Segment Address. 19 Segmentation (Cont d) Translation of Segment Address (Cont d) The operating system can place any segment at any location or move any segment to any location, even after the program begins to execute. A segment can be removed from main memory (and stored on an auxiliary device) if it is not being used currently. Every address reference passes through the operating system, so there is an opportunity to check each one for protection. 20

11 Segmentation (Cont d) Segmentation offers these security benefits: Each address reference is checked for protection. Many different classes of data items can be assigned different levels of protection. Two or more users can share access to a segment, with potentially different access rights. A user cannot generate an address or access to an unpermitted segment. 21 Paging The program is divided id d into equal-sized pieces called pages. The memory is divided into equal-sized units called page frames. 22

12 Paging 23 Combined Paging with Segmentation Paging offers implementation i efficiency, i while segmentation offers logical protection characteristics The IBM 390 family of mainframe systems used a form of paged segmentation 24

13 Combined Paging with Segmentation (Cont d) Control of Access to General Objects Directory 26

14 Directory (Cont d) Several difficulties i can arise. The list becomes too large if many shared objects Revocation of access - If owner A has passed to user B the right to read file F, an entry for F is made in the directory for B. If A later questions that trust, A may want to revoke the access right of B. Then. Pseudonyms. Owners A and B may have two different files named F, and they may both want to allow access by S. The directory for S cannot contain two entries under the same name for different files. 27 Access Control List There is one such list for each object, and the list shows all subjects who should have access to the object and what their access is. 28

15 Access Control List (Cont d) 29 Access Control Matrix - a table in which each row represents a subject, each column represents an object, and each entry is the set of access rights for that subject to that object. 30

16 Access Control Matrix (Cont d) BIBLIOG TEMP F HELP.TXT C_COMP LINKER SYS_CLOCK PRINTER USER A ORW ORW ORW R X X R W USER B R R X X R W USER S RW R R X X R W USER T R X X R W SYS_MGR RW OX OX ORW O USER_SVCSSVCS O X X R W 31 Capability - an unforgeable token that gives the possessor certain rights to an object. One possible access right to an object is transfer or propagate. A subject having this right can pass copies of capabilities to other subjects. In turn, each of these capabilities also has a list of permitted types of accesses, one of which might also be transfer. 32

17 33 Kerberos Kerberos implements both authentication i and access authorization i by means of capabilities, called tickets, secured with symmetric cryptography Kerberos requires two systems, called the authentication server (AS) and the ticket-granting t server (TGS), which h are both part of the key distribution center (KDC) A user presents an authenticating ti ti credential (such as a password) to the authentication server and receives a ticket showing that the user has passed authentication. ti ti 34

18 Kerberos (Cont d) Suppose Joe wants to access a resource R (for example, a file, printer, or network port). Joe sends the TGS his authenticated ti t ticket t and a request to use R. Assuming Joe is allowed access, the TGS returns to Joe two tickets: One shows Joe that t his access to R has been authorized The second is for Joe to present to R in order to access R. 35 Procedure-Oriented Access Control Ensure that accesses to an object be made through h a trusted interface Role-Based Access Control Associate privileges il with groups 36

19 4.4. File Protection Mechanisms Basic Forms of Protection All-None Protection Unacceptable for several reasons Lack of trust Too coarse Rise of sharing Complexity File listings 37 Basic Forms of Protection (Cont d) Group Protection Focused on identifying groups of users who had some common relationship. All authorized users are separated into groups. A group may consist of several members working on a common project, a department, a class, or a single user. The basis for group membership is need to share. A key advantage of the group protection approach is its ease of implementation. 38

20 Basic Forms of Protection (Cont d) Group Protection (Cont d) Group affiliation. A single user cannot belong to two groups. Multiple personalities. To overcome the one-person one-group restriction, certain people might obtain multiple accounts, permitting them, in effect, to be multiple users. All groups. To avoid multiple personalities, the system administrator may decide that Tom should have access to all his files any time he is active. Limited sharing. Files can be shared only within groups or with the world. 39 Basic Forms of Protection (Cont d) Idiid Individual Permissions i Persistent Permission Temporary Acquired Permission Unix+ operating systems provide an interesting permission scheme based on a three-level user-group-world hierarchy. The Unix designers added a permission called set userid (suid) Per-Object and Per-User Protection 40

21 4.5. User Authentication Authentication mechanisms use any of three qualities to confirm a user's identity. i Something the user knows. Passwords, PIN numbers, passphrases, a secret handshake, h and mother's maiden name are examples of what a user may know. Something the user has. Identity badges, physical keys, a driver's license, or a uniform are common examples of things people have that t make them recognizable. Something the user is. These authenticators, called biometrics, are based on a physical characteristic ti of the user, 41 Passwords as Authenticators Use of Passwords Passwords are mutually agreed-upon code words, assumed to be known only to the user and the system. Suffer from some difficulties of use: Loss. Depending on how the passwords are implemented, it is possible that no one will be able to replace a lost or forgotten password Use. Supplying a password for each access to a file can be inconvenient and time consuming. Disclosure. If a password is disclosed to an unauthorized individual, the file becomes immediately accessible. Revocation. 42

22 Passwords as Authenticators Additional i Authentication i Information Using additional authentication information is called multifactor authentication. Two forms of authentication (which is known as two-factor authentication) are better than one, assuming of course that the two forms are strong. But as the number of forms increases, so also does the inconvenience. 43 Passwords as Authenticators Attacks on Passwords Some ways you might be able to determine a user's password, in decreasing order of difficulty. Try all possible passwords. Try frequently used passwords. Try passwords likely for the user. Search for the system list of passwords. Ask the user. 44

23 Passwords as Authenticators Attacks on Passwords (Cont d) Loose-Lipped Systems Eg E.g., WELCOME TO THE XYZ COMPUTING SYSTEMS ENTER USER NAME: adams INVALID USER NAME / UNKNOWN USER ENTER USER NAME: 45 Passwords as Authenticators Attacks on Passwords (Cont d) Loose-Lipped Systems (Cont d) An alternative arrangement of the login sequence is shown below. WELCOME TO THE XYZ COMPUTING SYSTEMS ENTER USER NAME: adams ENTER PASSWORD: john INVALID ACCESS ENTER USER NAME: 46

24 Passwords as Authenticators Attacks on Passwords (Cont d) Loose-Lipped Systems (Cont d) ENTER USER NAME: adams ENTER PASSWORD: john INVALID ACCESS ENTER USER NAME: adams ENTER PASSWORD: johnq WELCOME TO THE XYZ COMPUTING SYSTEMS 47 Passwords as Authenticators Attacks on Passwords (Cont d) Exhaustive Attack In an exhaustive or brute force attack, the attacker tries all possible passwords, usually in some automated fashion Probable Passwords Passwords Likely for a User 48

25 Users' Password Choices 49 Passwords as Authenticators Attacks on Passwords (Cont d) password guessing steps: no password the same as the user ID. is, or is derived from, the user's name common word list (for example, "password," "secret," "private") plus common names and patterns (for example, "asdfg," "aaaaaa") short college dictionary complete English word list 50

26 Passwords as Authenticators Attacks on Passwords (Cont d) password guessing steps: (Cont d) short college dictionary with capitalizations (PaSsWorD) and substitutions (0 for O, and so forth) complete English with capitalizations and substitutions common non-english dictionaries with capitalization and substitutions brute force, lowercase alphabetic character bsrute force, full character set 51 Passwords as Authenticators Attacks on Passwords (Cont d) Plaintext System Password List Encrypted Password File Indiscreet Users - Get it directly from the user! People often tape a password to the side of a terminal or write it on a card just inside the top desk drawer. 52

27 Passwords as Authenticators Password Selection Ci Criteriai Use characters other than just AZ Choose long passwords. Avoid actual names or words. Choose an unlikely password Change the password regularly. Don't write it down. Don't tell anyone else. The easiest attack is social engineering, in which the attacker contacts the system's administrator or a user to elicit the password in some way. 53 Passwords as Authenticators One-Time Passwords Biometrics: Authentication Not Using Passwords Identification vs Ath Authenticationti ti Much reliable, but less effective 54

28 4.6. Summary y of Security y for Users Addressed four topics: memory protection file protection general object access control user authentication. 55