Outline. V Computer Systems Organization II (Honors) (Introductory Operating Systems) Language-based Protection: Solution

Similar documents
Identity-based Access Control

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

Operating systems and security - Overview

Operating systems and security - Overview

Inline Reference Monitoring Techniques

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Introduction to Security and User Authentication

The security mechanisms of Java

Cryptographic Hash Functions. Secure Software Systems

Protection Goals of Protection Principles of Protection principle of least privilege Domain Structure need to know principle

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

The Java Language Implementation

Outline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines

Java Security. A Brief Introduction. Fred Long. The University of Wales, Aberystwyth UK. U.W. Aberystwyth CS25610/CHM5610. Java Security p.

Security Philosophy. Humans have difficulty understanding risk

Authentication Objectives People Authentication I

Password. authentication through passwords

Outline. V Computer Systems Organization II (Honors) (Introductory Operating Systems) Advantages of Multi-level Page Tables

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/1516/ Chapter 4: 1

Security and Authentication

Java Security HotJava to Netscape and Beyond

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 4

User Authentication. Modified By: Dr. Ramzi Saifan

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

Separating Access Control Policy, Enforcement, and Functionality in Extensible Systems. Robert Grimm University of Washington

AIT 682: Network and Systems Security

Authentication. Identification. AIT 682: Network and Systems Security

Influential OS Research Security. Michael Raitza

Distributed Systems. Lecture 14: Security. Distributed Systems 1

Distributed Systems. Lecture 14: Security. 5 March,

Computer Security Course. Midterm Review

User Authentication. Modified By: Dr. Ramzi Saifan

Shreds: S H R E. Fine-grained Execution Units with Private Memory. Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu D S

Final Examination CS 111, Fall 2016 UCLA. Name:

Jérôme Kerviel. Dang Thanh Binh

19.1. Security must consider external environment of the system, and protect it from:

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Confinement (Running Untrusted Programs)

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.

CS 5460/6460 Operating Systems

Zing Vision. Answering your toughest production Java performance questions

5. Authentication Contents

CSC 474 Network Security. Authentication. Identification

Operating Systems Security Access Control

Chapter 14: Protection. Operating System Concepts 9 th Edition

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 7 Access Control Fundamentals

ELEC 377 Operating Systems. Week 1 Class 2

CS Paul Krzyzanowski

Computer Security Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Protection. Thierry Sans

Operating Systems. Week 13 Recitation: Exam 3 Preview Review of Exam 3, Spring Paul Krzyzanowski. Rutgers University.

CS 416: Operating Systems Design April 22, 2015

Operating Systems Design Exam 3 Review: Spring Paul Krzyzanowski

MODULE NO.28: Password Cracking

User Authentication Protocols

SPIN Operating System

Chapter 13: Protection. Operating System Concepts Essentials 8 th Edition

Today. Instance Method Dispatch. Instance Method Dispatch. Instance Method Dispatch 11/29/11. today. last time

CSE484 Final Study Guide

SIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017

Fall 2005 Joseph/Tygar/Vazirani/Wagner Final

CS 161 Computer Security

(a) Which of these two conditions (high or low) is considered more serious? Justify your answer.

Contents. SSL-Based Services: HTTPS and FTPS 2. Generating A Certificate 2. Creating A Self-Signed Certificate 3. Obtaining A Signed Certificate 4

Labels and Information Flow

TFS WorkstationControl White Paper

CIS 5373 Systems Security

The Security Problem

Future Work. Build applications that use extensions to optimize performance. Interface design.

TDDI04, K. Arvidsson, IDA, Linköpings universitet Operating System Structures. Operating System Structures Overview. Operating System Services

Symbol Tables. ASU Textbook Chapter 7.6, 6.5 and 6.3. Tsan-sheng Hsu.

Dashlane Security Whitepaper

Chapter 4. Protection in General-Purpose Operating Systems. ch. 4 1

OS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015

Administrative Details. CS 140 Final Review Session. Pre-Midterm. Plan For Today. Disks + I/O. Pre-Midterm, cont.

Lecture 15 Designing Trusted Operating Systems

1-7 Attacks on Cryptosystems

Lecture 10. Denial of Service Attacks (cont d) Thursday 24/12/2015

User Authentication Protocols Week 7

Chapter 2: Operating-System Structures

SECURING SOFTWARE AGAINST LIBRARY ATTACKS

Keys and Passwords. Steven M. Bellovin October 17,

Chapter 3: Operating-System Structures

Network Security and Cryptography. 2 September Marking Scheme

Operating System Services

Overview of Authentication Systems

COS 318: Operating Systems

Short Notes of CS201

Sumy State University Department of Computer Science

COS 318: Operating Systems

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Portland State University ECE 587/687. Virtual Memory and Virtualization

Advanced Systems Security: Multics

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

WHITE PAPER. Secure communication. - Security functions of i-pro system s

Oracle Database Security and Audit. Authentication and authorization

Transcription:

Outline V22.0202-001 Computer Systems Organization II (Honors) (Introductory Operating Systems) Lecture 21 Language-Based Protection Security April 29, 2002 Announcements Lab 6 due back on May 6th Final exam on May 9th, 2:00 3:50pm, 101 WWH Review on May 6th Language-based Protection rationale language-based protection mechanisms examples: software-fault isolation (SFI), type safety, proof-carrying code secure-services using language-based protection capabilities, stack introspection, namespace management pros and cons Security [ Silberschatz/Galvin/Gagne: Section 18.7, Chapter 19] 4/29/2002 2 (Review) Language-based Protection: Rationale Language-based Protection: Solution Protection solutions discussed so far require involvement of OS kernel To validate access rights or capabilities at run time Tend to be high overhead Are inflexible in the objects and operations being protected System-defined functions: e.g., file operations Require hardware support for efficiency E.g., virtual-memory page protection Not generally applicable Current-day OSes need additional flexibility To protect arbitrary (user-defined) objects and operations E.g., a server might want to restrict access to certain services Need these checks to be performed efficiently Solutions involve language features and their trusted implementation Shared resources/services defined as objects Abstract data types Protection enforced on access to an object s methods Goal of protection: Ensure that only allowed methods are invoked Definition of allowed depends on context More generally, the software module that is doing the call Object-oriented languages already provide such support for enforcing abstraction boundaries E.g., private variables and methods are not accessible outside their class Enforced statically by the compiler (e.g., Java) Sometimes, also requires run-time support (e.g., C++) General problem is known as type safety Languages where type-based access is enforceable: safe languages 4/29/2002 3 4/29/2002 4

Language-based Protection: Two Issues Memory protection A program will not access memory or execute code for which it is not authorized Builds on top of language type safety Secure system services A program will not access unauthorized system services (files, graphics, ) Type safety is not sufficient Type safety performs local checks at the call interface Not convenient to enforce global properties such as: Program A can access all files, while program B can only access /tmp Particularly when programs access resources using intermediate modules Solutions for Memory Protection Type safety Compiler/run-time system enforces that only allowed methods are being invoked Based on type of the object handle In Java, the byte-code verifier traces all control flows and can verify at load time that the byte code obeys the restrictions of the Java type system Assumptions Object handle represents the desired set of privileges Note that Java allows a reference to be cast up and down (run-time checks) No way to forge an object reference Byte code verifier only ensures this for Java code running within the JVM Implication: Compiler, Verifier, Run-time system, Operating System, Node hardware are all part of the trusted computing base Generalization: Proof-carrying code 4/29/2002 5 4/29/2002 6 Solutions for Memory Protection (cont d) An alternative scheme: Software fault isolation Instrument the program binary with code that performs checks at runtime Before each load/store instruction, check address Before each call/jmp instruction, check address Example checks From certain functions, only addresses in a specific range are accessed Only certain functions are called Requires a fair bit of work to limit overhead Solutions for Secure System Services Scheme 1: Software capabilities A way of ensuring that pointers to objects cannot be forged Ensured in hardware capability systems using tagged memory A precondition for type-safety based protection Only way of obtaining a software capability is to be explicitly given it Either as part of initialization Or as a result of calling another capability In Java, a capability is just an object reference Type safety prevents an object reference from being forged WHY? Problem: How do you distinguish between two software modules holding the same reference? 4/29/2002 7 4/29/2002 8

Solutions for Secure System Services (cont d) Scheme 2: Stack Introspection Access to services/methods restricted based on program call chain Run-time examination of the stack Typically, from newest to oldest Typical interface enableprivilege: creates an enabled privilege based on user disableprivilege: discards the enabled privilege checkprivilege: searches the stack to see if an enabled privilege exists Solutions for Secure System Services (cont d) Scheme 3: Name space management Idea: Enforce protection by controlling how names in a program are resolved into runtime classes In our example, ensure that in Program B s context, the filesystem class actually resolves to a different object that only permits access to /tmp files Implementation of name space management in Java Modify the Java ClassLoader So that it searches for class implementations in a program-specific fashion In our example Program A s call to the intermediate software module could create an enabled privilege This privilege is later checked by the file system access module 4/29/2002 9 4/29/2002 10 Java Security Java basics Strongly typed language No arbitrary pointers: references act as capabilities Can only manipulate object in restricted ways E.g., only methods can manipulate private data JDK 1.0 (c. 1995) distinguished between trusted and untrusted code (applets) Applets ran in a sandbox Lots of restrictions, enforced using methods of the SecurityManager class Only installed for the applet classloader (namespace management) JDK 1.1 (c. 1997) Some signed applets can be granted total trust Problems: Too little or too much trust 4/29/2002 11 Java Security (cont d) Java 2 permits distinctions at a finer granularity Based on URL from which the class was loaded, any digital signatures Class placed in a protection domain Privileges of a protection domain specified in a policy file Maintained as run-time state Stack introspection algorithm when method M requires permission P Functionality implemented in SecurityManager and AccessController classes Unwind each frame and check if P is allowed for each protection domain Intersection of permissions doprivileged tags caller s frame: algorithm terminates on encountering tag Standard permissions Filesystem, Sockets, System properties Can be extended. Guarded Objects permit access control for individual object instances Above controls access for all instances of a class 4/29/2002 12

Language-based Protection: Pros and Cons Pros Precision and flexibility: Only some software modules can have privileges Rights amplification: As required, rights can be increased/decreased E.g., an object s method can have access to its private members Security: Static checking can enforce more general security policies E.g., a lock that is being acquired will always be released Efficiency Security Cons Need for a trusted compiler and run-time system Particularly, in the presence of multiple sources Single language restriction Garbage collection: What happens to deallocated pointers? Revocation Performance of regular code 4/29/2002 13 Protection vs. Security Protection is concerned with attack from within Security is concerned with attack from outside The motivations can be malicious or accidental Typical concerns are unauthorized access to... modification of... destruction of...... information Domains of Security Typically physical includes the protection of the system from physical attack human access must be limited based on specific authorizations Degree vs. Cost investment in security measures depends on sensitivity of data e.g. software theft, exam peeking, money theft 4/29/2002 15 4/29/2002 16

Authentication Protection mechanisms depend on ability to identify executing programs and processes typically associated with the user ID How does the system identify (authenticate) legitimate users? done popularly via passwords also via more elaborate schemes physical characteristics: e.g. handwriting (more generally, biometrics) location: e.g. a particular terminal possession of a key or a card Levels single-level: one-time authentication (at first application) multiple-levels: authentication required for sub-systems Problems with Passwords Passwords are subject to being guessed systematic repetitive testing (all words in the system dictionary) observed over someone s shoulder over the network: several programs transmit passwords in plain-text format stolen e.g. fake login program Passwords must be stored somewhere this file or program must also be secure 4/29/2002 17 4/29/2002 18 Password Encryption Technical Help: One-way functions there exist functions f(x) such that computing their inverse is impossibly time-consuming example f(x) = permutebits(x) mod p p is a prime number Unix uses an encryption function f (f may be known) for each user U with password P the OS stores (U, f(p)) in the password file an attacker may discover the code for f break into the password file but still not be able to compute any of the Ps by reversing the encryption process Management Precautions However, encryption does not prevent somebody from guessing the password and checking if the guess is correct By encrypting the guessed password A 1990 study showed that 25% of the passwords of ~14,000 accounts could be obtained by simple guesses Permuting the user/account name Dictionary words Myths and legends, characters from literature To reduce chance of password discovery system management may hide the password entries restrict space of passwords require long passwords involving at least one numeric character disallow use of dictionary words require passwords to be changed frequently 4/29/2002 19 4/29/2002 20

More Elaborate Schemes: Password Salting Concatenate each password with a random number before encrypting Random number typically stored in the clear in the password file What Does the Salt Do? Prevents duplicate passwords from being visible in the password file Since different users are likely to have different salts salt password 12 bits 56 bits crypt(3) 64 bits (11 chars) User id salt E pwd [salt, 0] Increases the effective size of passwords A 12-bit salt makes it 4096 times harder to crack a password How true is this statement? If the attacker pre-encrypts a dictionary of guessed passwords If the attacker manages to obtain the password file where the salt is stored in plaintext (as is usually the case) Prevents use of hardware implementations of the encryption routine Given current technology, software implementations are limited in how many guesses they can try Based on DES 4/29/2002 21 4/29/2002 22 More Elaborate Schemes: One-time Passwords Definition: A secure hash function f f takes a variable length string and produces a fixed-length string Hard to reverse: given output, difficult to determine input Collision-free: hard to find two inputs that hash to same output Given a secure hash function f, and a shared secret s, the passwords correspond to f N (s), f N-1 (s), f N-2 (s),, f N-i (s), authentication server initially stores p 0 client sends p i+1, server verifies that p i = f(p i+1 ) Properties of secure hash functions prevent computing the inverse note that the secret s is never transmitted Variants of this scheme (some less robust) Code books: a sequence of passwords, each used exactly once 4/29/2002 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback