Operating system security models
|
|
- Ruth Shepherd
- 5 years ago
- Views:
Transcription
1 Operating system security models Unix security model Windows security model MEELIS ROOS 1
2 General Unix model Everything is a file under a virtual root diretory Files Directories Sockets Devices... Objects are identified by name Several concurrent names are possible for any object (because of links) Discretionary access control (DAC): each object has a owner who decides the access rights for the object MEELIS ROOS 2
3 Unix security model Access control subjects are users Objects belong to users Users delegate access to their objects to other subjects Users run processes to do things. Processes belong to users Processes run by user have the same privileges as the user does Internally, users are identified by numeric user ID (UID) There are no other ways for accessing objects Hardware protection Protected operating system with well-defined interface to user programs MEELIS ROOS 3
4 Root user Has UID 0 Can bypass access controls Has other rights in the system (capabilities) can configure devices, network stack, mount filesystems etc Can change the ownership of current process (login!) Can change file ownership Can arbitrarily change file groups Can create and remove users and groups Can install and modify any software Target for attackers gain root privileges from normal user account by some security vulnerability MEELIS ROOS 4
5 Setuid and setgid programs Normal users need a gateway to privileged operations (e.g. change your password in system password database) Normally processes run with the rights of executing user, independent of whoever owns the file Setuid programs run with the effective UID of the owner of the file (often root) Setgid programs run with effective GID being set to program file s group (whether ot not the user belongs to the group) "Gateways to other user accounts" security critical components Minimize the amount of setuid programs We still need some of them MEELIS ROOS 5
6 Permissions Fixed structure ACL there are always entries for owner, one group of users and the rest of users For each subject in ACL 3 permission bits are present: r read 4 w write 2 x execute 1 r w x r - x = 0750 (octal representation!!!) ACL only protects one object no influence to objects in subdirectories, each of them has their own permission bits MEELIS ROOS 6
7 More permission bits world execute world write world read group execute group read group write owner execute owner read owner write "sticky" bit setgid setuid MEELIS ROOS 7
8 Meaning of permission bits File read, write File execute marks runnable files from data files Executable file sticky bit used to mean no swapping, unused Executable file setuid and setgid change owner of process during run Directory execute access a file or directory by name Directory read list entries (not needed for lookup by name) Directory write any namespace operation (create, rename, remove!!) Directory sticky restricts object removal to object owner Directory setgid determine the group of newly created objects MEELIS ROOS 8
9 umask umask bitmap of permissions that newly created files must not have Example: Process does open("file.txt", O_RDWR, 0666) If umask=000, file would have permissions rw-rw-rw- If umask=027, file would have permissions rw-r----- MEELIS ROOS 9
10 Process credentials Each process has UID, GID ("real UID, real GID") EUID, EGID effective UID and GID Usually the same as UID and GID Setuid/setgid programs affect these ID-s Saved UID, saved GID for switching between 2 ID-s ("drop and regain root privileges in setuid root program") At user logon, root-owned process sets group list and all the UID and GID info for the process (changing EUID last) All threads of the process share the same ownership info Credentials are inherited to subprocesses Other resources are also inherited to subprocesses (file descriptors, environment variables, umask, rlimits, priority etc) MEELIS ROOS 10
11 Unix and ACL-s Try to express the following with Unix permission bits: Owner has rw Group A has also rw Group B has r Others have no permissions Or, a more common example for users public_html directories Owner has rwx Web server user has --x No other users or groups have any permissions So we need more flexible ACL-s (Access Control Lists) MEELIS ROOS 11
12 POSIX ACL-s Halfway standardized ACL model for Unix system (POSIX dropped the standard) Mostly compatible between Unixes (setfacl, getfacl) Example: setfacl -m user:mroos:rw-,mask:rw- file.txt ACL mask for all ACL entries Default ACL-s for directories (copied into ACL-s of newly created objects) Only positive permissions, no denying ACL entries NFS version 4 network file system makes use of Windows-compatible ACL-s with negative ACL entries too and this is also used in some file systems MEELIS ROOS 12
13 Windows security model Subjects (users, groups, computers) are identified by SID (Security ID) S SAM (Security Account Manager) keeps database of users and performs authentication On login, user s SID and SID-s of all his groups are added to his process Process security token contains user and group SID-s, SID of the logon session, list of system-wide privileges granted to user These security tokens are inherited to subprocesses Threads can have different security token (to impersonate remote users for some local services) System privileges MEELIS ROOS 13
14 Windows objects Each named object and some unnamed objects have security descriptor owner, group, ACL-s Lots of different object types, including Files, directories Processes, threads Windows Login sessions Named pipes, semaphores, other IPC Registry keys MEELIS ROOS 14
15 Windows ACL-s Two types of ACL-s: containers and objects Objects in containers inherit their ACL from container ACL is set by the user and delegates access System ACL is set by system administrator and regulates auditing Missing ACL means full access Present but empty ACL means no access ACLs can have negative entries ("no access") Inheritance flags "no ACL here, look at the parent" Directory bypass possible MEELIS ROOS 15
16 Windows Vista and newer: integrity levels First steps in MAC (Mandatory Access Controls) additional restrictions to the standard discretionary ACL Processes have trustworthiness level, objects have integrity level Objects: files, registry keys, windows (for sending window messages for interaction) Can isolate different processes of the same user one from another Internet Explorer protected mode Stored in system ACL MEELIS ROOS 16
17 Group Policy 4 levels local site domain organizational unit NOT enforced by OS kernel Voluntarily used by some applications for further restrictions MEELIS ROOS 17
Secure Architecture Principles
CS 155 Spring 2016 Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Acknowledgments: Lecture slides are from
More informationAccess Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.
Access Control CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ Access Control Describe the permissions available to computing processes
More informationSecure Architecture Principles
CS 155 Spring 2016 Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Acknowledgments: Lecture slides are from
More informationSecure Architecture Principles
CS 155 Spring 2017 Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Secure Architecture Principles Isolation
More information? Resource. Announcements. Access control. Access control in operating systems. References. u Homework Due today. Next assignment out next week
Announcements Access control John Mitchell u Homework Due today. Next assignment out next week u Graders If interested in working as grader, send email to Anupam u Projects Combine some of the project
More informationFreeBSD Advanced Security Features
FreeBSD Advanced Security Features Robert N. M. Watson Security Research Computer Laboratory University of Cambridge 19 May, 2007 Introduction Welcome! Introduction to some of the advanced security features
More informationIS 2150 / TEL 2810 Information Security and Privacy
IS 2150 / TEL 2810 Information Security and Privacy James Joshi Professor, SIS Access Control OS Security Overview Lecture 2, Sept 6, 2016 1 Objectives Understand the basics of access control model Access
More informationWe ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?
We ve seen: Protection: ACLs, Capabilities, and More Some cryptographic techniques Encryption, hashing, types of keys,... Some kinds of attacks Viruses, worms, DoS,... And a distributed authorization and
More informationOperating system security
Operating system security Tuomas Aura T-110.4206 Information security technology Aalto University, autumn 2011 Outline Access control models in operating systems: 1. Unix 2. Windows Acknowledgements: This
More informationSecure Architecture Principles
Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Original slides were created by Prof. John Mitchel 1 Secure
More informationCIS 5373 Systems Security
CIS 5373 Systems Security Topic 3.2: OS Security Access Control Endadul Hoque Slide Acknowledgment Contents are based on slides from Ninghui Li (Purdue), John Mitchell (Stanford), Bogdan Carbunar (FIU)
More informationUser Commands chmod ( 1 )
NAME chmod change the permissions mode of a file SYNOPSIS chmod [-fr] absolute-mode file... chmod [-fr] symbolic-mode-list file... DESCRIPTION The chmod utility changes or assigns the mode of a file. The
More informationAn Overview of Security in the FreeBSD Kernel. Brought to you by. Dr. Marshall Kirk McKusick
An Overview of Security in the FreeBSD Kernel Brought to you by Dr. Marshall Kirk McKusick 2013 BSDCan Conference May 17, 2013 University of Ottawa Ottawa, Canada Copyright 2013 Marshall Kirk McKusick.
More informationDiscretionary Access Control
Operating System Security Discretionary Seong-je Cho ( 조성제 ) (sjcho at dankook.ac.kr) Fall 2018 Computer Security & Operating Systems Lab, DKU - 1-524870, F 18 Discretionary (DAC) Allows the owner of the
More informationIntroduction to Security
IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Secure Design Principles OS Security Overview Lecture 2 September 4, 2012 1 Objectives Understand the basic principles of
More informationData Security and Privacy. Unix Discretionary Access Control
Data Security and Privacy Unix Discretionary Access Control 1 Readings for This Lecture Wikipedia Filesystem Permissions Other readings UNIX File and Directory Permissions and Modes http://www.hccfl.edu/pollock/aunix1/filepermissions.htm
More informationModule 4: Access Control
Module 4: Access Control Dr. Natarajan Meghanathan Associate Professor of Computer Science Jackson State University, Jackson, MS 39232 E-mail: natarajan.meghanathan@jsums.edu Access Control In general,
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 13: Operating System Security Department of Computer Science and Engineering University at Buffalo 1 Review Previous topics access control authentication session
More informationExercise 4: Access Control and Filesystem Security
Exercise 4: Access Control and Filesystem Security Introduction Duration: 90 min Maximum Points: 30 Note: The solutions of theorethical assignments should be handed out before the practical part in the
More informationIntroduction to Security
IS 2150 / TEL 2810 Introduction to Security James Joshi Assistant Professor, SIS Secure Design Principles OS Security Overview Lecture 1 September 2, 2008 1 Objectives Understand the basic principles of
More informationSecure Architecture Principles
Computer Security Course. Secure Architecture Principles Slides credit: John Mitchell Basic idea: Isolation A Seaman's Pocket-Book, 1943 (public domain) http://staff.imsa.edu/~esmith/treasurefleet/treasurefleet/watertight_compartments.htm
More informationInformation Security Theory vs. Reality
Information Security Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 4: Access Control Eran Tromer 1 Slides credit: John Mitchell, Stanford course CS155, 2010 Access control Assumptions System knows
More informationPrivileges: who can control what
Privileges: who can control what Introduction to Unix May 24, 2008, Morocco Hervey Allen Goal Understand the following: The Unix security model How a program is allowed to run Where user and group information
More informationGeneral Access Control Model for DAC
General Access Control Model for DAC Also includes a set of rules to modify access control matrix Owner access right Control access right The concept of a copy flag (*) Access control system commands General
More informationOS Security III: Sandbox and SFI
1 OS Security III: Sandbox and SFI Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab2 VMs on lab machine Extension? 3 Users and processes FACT: although ACLs use users as subject, the OS
More informationFile Access Control Lists (ACLs)
File Access Control Lists (ACLs) Exercise Setup These exercises assume you are using RHEL 7.2 or CentOS 7.2 Create the following users and assignment passwords if these users do not already exist on your
More informationTEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control
TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control Version 1.0, Last Edited 09/20/2005 Name of Students: Date of Experiment: Part I: Objective The objective of the exercises
More informationCIS Operating Systems File Systems Security. Professor Qiang Zeng Fall 2017
CIS 5512 - Operating Systems File Systems Security Professor Qiang Zeng Fall 2017 Previous class File and directory Hard link and soft link Mount Layered structure File system design Naïve: linked list
More informationOutline. UNIX security ideas Users and groups File protection Setting temporary privileges. Examples. Permission bits Program language components
UNIX security Ulf Larson (modified by Erland Jonsson/Magnus Almgren) Computer security group Dept. of Computer Science and Engineering Chalmers University of Technology, Sweden Outline UNIX security ideas
More informationOutline. Last time. (System) virtual machines. Virtual machine technologies. Virtual machine designs. Techniques for privilege separation
Outline CSci 5271 Introduction to Computer Security Day 9: OS security basics Stephen McCamant University of Minnesota, Computer Science & Engineering Last time (System) virtual machines Restrict languages,
More information412 Notes: Filesystem
412 Notes: Filesystem A. Udaya Shankar shankar@cs.umd.edu December 5, 2012 Contents 1 Filesystem interface 2 2 Filesystem implementation 3 3 FAT (mostly from Wikepedia) 5 4 UFS (mostly from Wikepedia)
More informationChapter 4: Access Control
(DAC) Chapter 4: Comp Sci 3600 Security Outline (DAC) 1 2 (DAC) 3 4 5 Attribute-based control (DAC) The prevention of unauthorized use of a resource, including the prevention of use of a resource in an
More informationProtection Kevin Webb Swarthmore College April 19, 2018
Protection Kevin Webb Swarthmore College April 19, 2018 xkcd #1200 Before you say anything, no, I know not to leave my computer sitting out logged in to all my accounts. I have it set up so after a few
More information5/8/2012. Encryption-based Protection. Protection based on Access Permission (Contd) File Security, Setting and Using Permissions Chapter 9
File Security, Setting and Using Permissions Chapter 9 To show the three protection and security mechanisms that UNIX provides To describe the types of users of a UNIX file To discuss the basic operations
More informationIT Service Delivery And Support Week Four - OS. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao
IT Service Delivery And Support Week Four - OS IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao 1 What is an Operating System (OS)? OS is a software that designed to run on specific hardware
More informationCS 392/681 - Computer Security. Module 5 Access Control: Concepts and Mechanisms
CS 392/681 - Computer Security Module 5 Access Control: Concepts and Mechanisms Course Policies and Logistics Midterm next Thursday!!! Read Chapter 2 and 15 of text 10/15/2002 Module 5 - Access Control
More informationOutline. Security. Security Ratings. TCSEC Rating Levels. Key Requirements for C2. Met B-Level Requirements
Outline Ausgewählte Betriebssysteme Institut Betriebssysteme Fakultät Informatik Ratings System Components 2 Ratings TCSEC Rating Levels National Computer Center (NCSC) part of US Department of Defense
More informationSecurity. Outline. Security Ratings. Ausgewählte Betriebssysteme Institut Betriebssysteme Fakultät Informatik
Ausgewählte Betriebssysteme Institut Betriebssysteme Fakultät Informatik Outline Ratings System Components Logon Object (File) Access Impersonation Auditing 2 Ratings National Computer Center (NCSC) part
More informationUnix, History
Operating systems Examples from Unix, VMS, Windows NT on user authentication, memory protection and file and object protection. Trusted Operating Systems, example from PitBull Unix, History Unix, History
More informationA Survey of Access Control Policies. Amanda Crowell
A Survey of Access Control Policies Amanda Crowell What is Access Control? Policies and mechanisms that determine how data and resources can be accessed on a system. The Players Subjects Objects Semi-objects
More informationHardware. Ahmet Burak Can Hacettepe University. Operating system. Applications programs. Users
Operating System Security Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr Computer System Components Hardware Provides basic computing resources (CPU, memory, I/O devices). Operating system Controls
More informationCSE543 - Introduction to Computer and Network Security. Module: Operating System Security
CSE543 - Introduction to Computer and Network Security Module: Operating System Security Professor Trent Jaeger 1 OS Security An secure OS should provide (at least) the following mechanisms Memory protection
More informationOperating systems fundamentals - B10
Operating systems fundamentals - B10 David Kendall Northumbria University David Kendall (Northumbria University) Operating systems fundamentals - B10 1 / 12 Introduction Basics of protection and security
More informationCS 290 Host-based Security and Malware. Christopher Kruegel
CS 290 Host-based Security and Malware Christopher Kruegel chris@cs.ucsb.edu Windows Windows > 90 % of all computers run Windows when dealing with security issues, it is important to have (some) knowledge
More informationUnix Basics. UNIX Introduction. Lecture 14
Unix Basics Lecture 14 UNIX Introduction The UNIX operating system is made up of three parts; the kernel, the shell and the programs. The kernel of UNIX is the hub of the operating system: it allocates
More informationCSE 380 Computer Operating Systems
CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms 1 Policy vs. Mechanism q Access control policy is a specification
More informationOperating System Security
Operating System Security Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr 1 Computer System Components Hardware Provides basic computing resources (CPU, memory, I/O devices). Operating system
More informationProtection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger
Protection CSE473 - Spring 2008 Professor Jaeger www.cse.psu.edu/~tjaeger/cse473-s08/ Protection Protect yourself from untrustworthy users in a common space They may try to access your resources Or modify
More informationCS 392/681 - Computer Security. Module 6 Access Control: Concepts and Mechanisms
CS 392/681 - Computer Security Module 6 Access Control: Concepts and Mechanisms Course Policies and Logistics Midterm grades Thursday. Read Chapter 2 and 15 th of text Lab 4 postponed - due next week.
More informationAccess Control. Steven M. Bellovin September 13,
Access Control Steven M. Bellovin September 13, 2016 1 Security Begins on the Host Even without a network, hosts must enforce the CIA trilogy Something on the host the operating system aided by the hardware
More informationcs642 /operating system security computer security adam everspaugh
cs642 computer security /operating system security adam everspaugh ace@cs.wisc.edu principles Principles of Secure Designs Compartmentalization / Isolation / Least privilege Defense-in-depth / Use more
More informationIntroduction to Computer Security
Introduction to Computer Security UNIX and Windows Security Pavel Laskov Wilhelm Schickard Institute for Computer Science Genesis: UNIX vs. MULTICS MULTICS (Multiplexed Information and Computing Service)
More informationFiles (review) and Regular Expressions. Todd Kelley CST8207 Todd Kelley 1
Files (review) and Regular Expressions Todd Kelley kelleyt@algonquincollege.com CST8207 Todd Kelley 1 midterms (Feb 11 and April 1) Files and Permissions Regular Expressions 2 Sobel, Chapter 6 160_pathnames.html
More informationOS Security. Authorization. Radboud University Nijmegen, The Netherlands. Winter 2015/2016
OS Security Authorization Radboud University Nijmegen, The Netherlands Winter 2015/2016 A short recap Authentication establishes a mapping between entities (users) and intended operations Typical approach:
More informationDatasäkerhet/Data security EDA625 Lect5
Ch. 6 Unix security Datasäkerhet/Data security EDA625 Lect5 Understand the security features of a typical operating system Users/passwords login procedure user superuser (root) access control (chmod) devices,
More informationComputer Security Operating System Security & Access Control. Dr Chris Willcocks
Computer Security Operating System Security & Access Control Dr Chris Willcocks Lecture Content Access Control ACMs ACLs Introduction to *NIX security - we ll cover this more due to server popularity -
More informationPolicy vs. Mechanism. Example Reference Monitors. Reference Monitors. CSE 380 Computer Operating Systems
Policy vs. Mechanism CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms q Access control policy is a specification
More informationCSE361 Web Security. Access Control. Nick Nikiforakis
CSE361 Web Security Access Control Nick Nikiforakis nick@cs.stonybrook.edu Access Control: introduction How do we protect our confidential data from unauthorized usage? Two important cases: An attacker
More informationTEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control
TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control Version 2.0, Last Edited 10/1/2006 Students Name: Date of Experiment: Part I: Objective The objective of the exercises
More informationInformation Security CS 526
Information Security CS 526 s Security Basics & Unix Access Control 1 Readings for This Lecture Wikipedia CPU modes System call Filesystem Permissions Other readings UNIX File and Directory Permissions
More informationProcesses are subjects.
Identification and Authentication Access Control Other security related things: Devices, mounting filesystems Search path TCP wrappers Race conditions NOTE: filenames may differ between OS/distributions
More informationP1L5 Access Control. Controlling Accesses to Resources
P1L5 Access Control Controlling Accesses to Resources TCB sees a request for a resource, how does it decide whether it should be granted? Authentication establishes the source of a request Authorization
More informationFall 2014:: CSE 506:: Section 2 (PhD) Securing Linux. Hyungjoon Koo and Anke Li
Securing Linux Hyungjoon Koo and Anke Li Outline Overview Background: necessity & brief history Core concepts LSM (Linux Security Module) Requirements Design SELinux Key elements Security context: identity
More informationOutline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines
Outline Operating System Security CS 239 Computer Security February 23, 2004 Introduction Memory protection Interprocess communications protection File protection Page 1 Page 2 Introduction Why Is OS Security
More informationSecure Architecture Principles
Computer Security Course. Secure Architecture Principles Slides credit: Dan Boneh What Happens if you can t drop privilege? In what example scenarios does this happen? A service loop E.g., ssh Solution?
More informationAccess Control. Steven M. Bellovin September 2,
Access Control Steven M. Bellovin September 2, 2014 1 Security Begins on the Host Even without a network, hosts must enforce the CIA trilogy Something on the host the operating system aided by the hardware
More informationAnnouncements. is due Monday April 1 needs to include a paragraph write-up about the results of using the two different scheduling algorithms
Announcements Reading Chapter 11 (11.1-11.5) Programming Project #3 is due Monday April 1 needs to include a paragraph write-up about the results of using the two different scheduling algorithms Midterm
More informationImproving the Granularity of Access Control for Windows 2000
Improving the Granularity of Access Control for Windows 2000 MICHAEL M. SWIFT and ANNE HOPKINS University of Washington and PETER BRUNDRETT, CLIFF VAN DYKE, PRAERIT GARG, SHANNON CHAN, MARIO GOERTZEL,
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition. Chapter 7 Access Control Fundamentals
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control Fundamentals Objectives Define access control and list the four access control models Describe logical access control
More information6.858 Lecture 4 OKWS. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS.
6.858 Lecture 4 OKWS Administrivia: Lab 1 due this Friday. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS. Privilege separation
More informationCase Studies in Access Control
Joint software development Mail 1 / 38 Situations Roles Permissions Why Enforce Access Controls? Unix Setup Windows ACL Setup Reviewer/Tester Access Medium-Size Group Basic Structure Version Control Systems
More informationPre-Assessment Answers-1
Pre-Assessment Answers-1 0Pre-Assessment Answers Lesson 1 Pre-Assessment Questions 1. What is the name of a statistically unique number assigned to all users on a Windows 2000 system? a. A User Access
More informationOperating Systems Security Access Control
Authorization and access control Operating Systems Security Access Control Ozalp Babaoglu From authentication to authorization Once subjects have been authenticated, the next problem to confront is authorization
More informationComputer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 04r. Pre-exam 1 Concept Review Paul Krzyzanowski Rutgers University Spring 2018 February 15, 2018 CS 419 2018 Paul Krzyzanowski 1 Key ideas from the past four lectures February 15, 2018
More informationCSE 390a Lecture 4. Persistent shell settings; users/groups; permissions
CSE 390a Lecture 4 Persistent shell settings; users/groups; permissions slides created by Marty Stepp, modified by Jessica Miller and Ruth Anderson http://www.cs.washington.edu/390a/ 1 2 Lecture summary
More informationProcesses are subjects.
Identification and Authentication Access Control Other security related things: Devices, mounting filesystems Search path Race conditions NOTE: filenames may differ between OS/distributions Principals
More informationCase Study: Access Control. Steven M. Bellovin October 4,
Case Study: Access Control Steven M. Bellovin October 4, 2015 1 Case Studies in Access Control Joint software development Mail Steven M. Bellovin October 4, 2015 2 Situations Small team on a single machine
More informationIntroduction to Computer Security
Introduction to Computer Security UNIX Security Pavel Laskov Wilhelm Schickard Institute for Computer Science Genesis: UNIX vs. MULTICS MULTICS (Multiplexed Information and Computing Service) a high-availability,
More informationSecure Architecture Principles
Secure Architecture Principles Isola3on and Least Privilege Access Control Concepts Opera3ng Systems Browser Isola3on and Least Privilege Original slides were created by Prof. John Mitchel Secure Architecture
More informationLinux System Administration
System Processes Objective At the conclusion of this module, the student will be able to: Describe and define a process Identify a process ID, the parent process and the child process Learn the PID for
More informationFile Security Lock Down Your Data. Brian Reames January 22, 2012
File Security Lock Down Your Data Brian Reames January 22, 2012 Table of Contents 1.0 Basic Linux Permissions...4 1.1 Determining Permissions... 5 1.2 File Permissions vs. Directory Permissions... 6 1.3
More informationCSE 127: Computer Security. Security Concepts. Kirill Levchenko
CSE 127: Computer Security Security Concepts Kirill Levchenko October 3, 2014 Computer Security Protection of systems against an adversary Secrecy: Can t view protected information Integrity: Can t modify
More informationOperating System Security. 0Handouts: Quizzes ProsoftTraining All Rights Reserved. Version 3.07
0Handouts: Lesson 1 Quiz 1. What is the working definition of authentication? a. The ability for a person or system to prove identity. b. Protection of data on a system or host from unauthorized access.
More informationUNIX File Hierarchy: Structure and Commands
UNIX File Hierarchy: Structure and Commands The UNIX operating system organizes files into a tree structure with a root named by the character /. An example of the directory tree is shown below. / bin
More informationOperating System. Operating System Overview. Structure of a Computer System. Structure of a Computer System. Structure of a Computer System
Overview Chapter 1.5 1.9 A program that controls execution of applications The resource manager An interface between applications and hardware The extended machine 1 2 Structure of a Computer System Structure
More informationCptS 360 (System Programming) Unit 6: Files and Directories
CptS 360 (System Programming) Bob Lewis School of Engineering and Applied Sciences Washington State University Spring, 2019 Motivation Need to know your way around a filesystem. A properly organized filesystem
More informationCSE 390a Lecture 4. Persistent shell settings; users/groups; permissions
CSE 390a Lecture 4 Persistent shell settings; users/groups; permissions slides created by Marty Stepp, modified by Jessica Miller and Ruth Anderson http://www.cs.washington.edu/390a/ 1 2 Lecture summary
More informationMultifactor authentication:
Multifactor authentication: Authenticating people can be based on 2 factors: Something the user KNOWS : e.g. a password or PIN Something the user HAS: e.g. An ATM card, smartcard or hardware token, or
More informationCSE 390a Lecture 3. Multi-user systems; remote login; editors; users/groups; permissions
CSE 390a Lecture 3 Multi-user systems; remote login; editors; users/groups; permissions slides created by Marty Stepp, modified by Jessica Miller and Ruth Anderson http://www.cs.washington.edu/390a/ 1
More informationComputer Security. 02. Operating System Access Control. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 02. Operating System Access Control Paul Krzyzanowski Rutgers University Spring 2018 February 17, 2018 CS 419 2018 Paul Krzyzanowski 1 Protection is essential to security Protection The
More informationOS security mechanisms:
OS security mechanisms: Memory Protection: One of the important aspects of Operating system security is Memory Protection. Memory provides powerful indirect way for an attacker to circumvent security mechanism,
More informationShellbased Wargaming
Shellbased Wargaming Abstract Wargaming is a hands-on way to learn about computer security and common programming mistakes. This document is intended for readers new to the subject and who are interested
More information? Resource. Outline. Lecture 9: Access Control and Operating System Security. Access control. Access control matrix. Two implementation concepts
Outline Lecture 9: Access Control and Operating System Security ECE1776 David Lie Access Control Matrix, ACL, Capabilities Multilevel security (MLS) OS Mechanisms Multics Ring structure Unix File system,
More informationPROCESS CONTROL BLOCK TWO-STATE MODEL (CONT D)
MANAGEMENT OF APPLICATION EXECUTION PROCESS CONTROL BLOCK Resources (processor, I/O devices, etc.) are made available to multiple applications The processor in particular is switched among multiple applications
More informationWhy secure the OS? Operating System Security. Privilege levels in 80X86 processors. The basis of protection: Seperation. Privilege levels - A problem
Why secure the OS? Operating System Security Works directly on the hardware but can be adapted during runtime Data and process are directly visible Application security can be circumvented from lower layers
More informationAccess control. Frank Piessens KATHOLIEKE UNIVERSITEIT LEUVEN
Access control Frank Piessens (Frank.Piessens@cs.kuleuven.be) Secappdev 2010 1 Overview Introduction: Lampson s model for access control Classical Access Control Models Discretionary Access Control (DAC)
More informationServer. Client LSA. Winlogon LSA. Library SAM SAM. Local logon NTLM. NTLM/Kerberos. EIT060 - Computer Security 2
Local and Domain Logon User accounts and groups Access tokens Objects and security descriptors The Register Some features in Windows 7 and Windows 8 Windows XP evolved from Windows 2000 Windows 10, 8,
More informationCSE/ISE 311: Systems Administra5on Access Control and Processes
Access Control and Processes Por$ons courtesy Ellen Liu Outline Access control Tradi$onal UNIX access control File system access control; File permissions, Some commands; The root account Modern access
More informationCSI 402 Lecture 11 (Unix Discussion on Files continued) 11 1 / 19
CSI 402 Lecture 11 (Unix Discussion on Files continued) 11 1 / 19 User and Group IDs Ref: Chapter 3 of [HGS]. Each user is given an ID (integer) called uid. (Most system programs use uid instead of the
More informationSecurity. Advanced Operating Systems and Virtualization Alessandro Pellegrini A.Y. 2017/2018
Security Advanced Operating Systems and Virtualization Alessandro Pellegrini A.Y. 2017/2018 Basic Security Aspects 1. Systems must be usable by legitimate users only 2. Access is granted on the basis of
More information