
Transcript of Chapter 4 Protection in General-Purpose Operating Systems

Chapter 4. Protection in General-Purpose Operating Systems

Charles P. Pfleeger & Shari Lawrence Pfleeger, Security in Computing, 4th Ed., Pearson Education, 2007

An operating system has two goals:
- controlling shared access
- implementing an interface to allow that access

Underneath those goals are support activities, including identification and authentication, naming, filing objects, scheduling, communication among processes, and reclaiming and reusing objects.

Operating system functions can be categorized as
- access control
- identity and credential management
- information flow
- audit and integrity protection

Each of these activities has security implications.

4.1. Protected Objects and Methods of Protection

Protected Objects
The rise of multiprogramming meant that several aspects of a computing system required protection:
- memory
- sharable I/O devices, such as disks
- serially reusable I/O devices, such as printers and tape drives
- sharable programs and subprocedures
- networks
- sharable data

Security Methods of Operating Systems
The basis of protection is separation: keeping one user's objects separate from other users'.
- physical separation, in which different processes use different physical objects
- temporal separation, in which processes having different security requirements are executed at different times
- logical separation, in which users operate under the illusion that no other processes exist, as when an operating system constrains a program's accesses so that the program cannot access objects outside its permitted domain
- cryptographic separation, in which processes conceal their data and computations in such a way that they are unintelligible to outside processes

Security Methods of Operating Systems (Cont'd)
An operating system can support separation and sharing in several ways, offering protection at any of several levels.
- Do not protect. Operating systems with no protection are appropriate when sensitive procedures are being run at separate times.
- Isolate. When an operating system provides isolation, different processes running concurrently are unaware of the presence of each other. Each process has its own address space, files, and other objects. The operating system must confine each process somehow so that the objects of the other processes are completely concealed.
- Share all or share nothing. The owner of an object declares it to be public or private. A public object is available to all users, whereas a private object is available only to its owner.
- Share via access limitation. With protection by access limitation, the operating system checks the allowability of each user's potential access to an object. That is, access control is implemented for a specific user and a specific object.
- Share by capabilities. An extension of limited access sharing, this form of protection allows dynamic creation of sharing rights for objects. The degree of sharing can depend on the owner or the subject, on the context of the computation, or on the object itself.
- Limit use of an object. Limits not just the access to an object but the use made of that object after it has been accessed. For example, a user may be allowed to view a sensitive document, but not to print a copy of it.

4.2. Memory and Address Protection

Fence - a method to confine users to one side of a boundary.

Fence register - uses a hardware register containing the address of the end of the operating system. Any user-mode access below that address is refused.
The fence cannot protect one user from another user: it only separates user code from the operating system.

Relocation - the process of taking a program written as if it began at address 0 and changing all addresses to reflect the actual address at which the program is located in memory.

Base/Bounds Registers
With two or more users, none can know in advance where a program will be loaded for execution.
The relocation register solves the problem by providing a base or starting address.
A variable fence register is generally known as a base register.
A bounds register is an upper address limit.
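A software model of the two schemes above, added here as an illustration and not taken from the book: a fence register that only shields the operating system, and a base/bounds pair that confines a process to its own image. The register values and memory layout are constructed; the point it makes is the one on the slide, that a fence does nothing to keep one user out of another user's memory while base/bounds does.

```python
class MemoryFault(Exception):
    """Raised when an access falls outside what the registers permit."""


class FenceMMU:
    """One fence register: unprivileged code may not touch addresses below it."""

    def __init__(self, fence):
        self.fence = fence  # constructed: first address past the end of the OS

    def check(self, addr, privileged=False):
        if not privileged and addr < self.fence:
            raise MemoryFault(f"address {addr:#x} is below the fence {self.fence:#x}")
        return addr


class BaseBoundsMMU:
    """Base (relocation) and bounds registers for the currently running process."""

    def __init__(self, base, bounds, mem_size):
        self.base = base          # physical start of the process image
        self.bounds = bounds      # number of addressable bytes in the image
        self.mem_size = mem_size  # size of physical memory

    def translate(self, logical):
        # The compare is on the logical address, so a process can neither reach
        # below its own base (the OS or another user) nor past its own limit.
        if not 0 <= logical < self.bounds:
            raise MemoryFault(f"logical {logical:#x} not in 0..{self.bounds - 1:#x}")
        physical = self.base + logical
        if physical >= self.mem_size:
            raise MemoryFault(f"physical {physical:#x} beyond end of memory")
        return physical


def faults(mmu, logical):
    """True if translating `logical` through a BaseBoundsMMU raises MemoryFault."""
    try:
        mmu.translate(logical)
        return False
    except MemoryFault:
        return True


def fence_stops_cross_user_write(victim_addr=0x2000, fence=0x400):
    """Can user code behind a fence write into another user's region?"""
    try:
        FenceMMU(fence).check(victim_addr)
        return False  # allowed: the fence only shields the OS below it
    except MemoryFault:
        return True


def base_bounds_stops_cross_user_write(victim_addr=0x2000, base=0x1000, bounds=0x800):
    """Same question with base/bounds. The attacker can only form a logical
    offset; victim_addr - base is >= bounds, so the reference faults."""
    return faults(BaseBoundsMMU(base, bounds, mem_size=0x4000), victim_addr - base)


if __name__ == "__main__":
    mmu = BaseBoundsMMU(base=0x1000, bounds=0x800, mem_size=0x4000)
    print(hex(mmu.translate(0x10)))              # 0x1010
    print(faults(mmu, 0x800))                    # True: one past the bound
    print(fence_stops_cross_user_write())        # False
    print(base_bounds_stops_cross_user_write())  # True
```

The bounds comparison is done on the logical address before relocation; comparing after adding the base would let a large logical address wrap or land in a neighbour's region on a narrow address bus.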

Tagged Architecture
In some cases you may want to protect some data values but not all.
Tagged architecture: every word of machine memory has one or more extra bits to identify the access rights to that word. These access bits can be set only by privileged (operating system) instructions. The bits are tested every time an instruction accesses that location.

Segmentation
Involves the simple notion of dividing a program into separate pieces. Each piece has a logical unity, exhibiting a relationship among all of its code or data values.
Each segment has a unique name. A code or data item within a segment is addressed as the pair <name, offset>, where name is the name of the segment containing the data item and offset is its location within the segment.

Translation of Segment Address
The operating system can place any segment at any location or move any segment to any location, even after the program begins to execute. A segment can be removed from main memory (and stored on an auxiliary device) if it is not being used currently. Every address reference passes through the operating system's segment table, so there is an opportunity to check each one for protection.

Segmentation offers these security benefits:
- Each address reference is checked for protection.
- Many different classes of data items can be assigned different levels of protection.
- Two or more users can share access to a segment, with potentially different access rights.
- A user cannot generate an address or access to an unpermitted segment.

Paging
The program is divided into equal-sized pieces called pages. The memory is divided into equal-sized units called page frames.

Combined Paging with Segmentation
Paging offers implementation efficiency, while segmentation offers logical protection characteristics. The IBM 390 family of mainframe systems used a form of paged segmentation.
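An added example (not from the book) of the paged-segmentation translation just described: each process has its own segment table, each segment carries the rights that process holds on it plus its logical length, and each segment is backed by a page table. The layout (segment names, lengths, frame numbers, two processes sharing one segment) is constructed. It shows the three checks a reference goes through before a frame is touched, and why the segment length matters even with paging: the last page of a segment can be larger than the segment, and only the length check stops a reference from wandering into whatever else sits in that frame.

```python
from dataclasses import dataclass, field

PAGE_SIZE = 0x100  # constructed: 256-byte pages keep the numbers readable


class ProtectionFault(Exception):
    """Access denied by the segment table (wrong right, bad name, or past end)."""


class NotResident(Exception):
    """The page exists but is on auxiliary storage; the OS would load it."""


@dataclass
class Segment:
    length: int                       # bytes the segment actually contains
    rights: frozenset                 # subset of {"R", "W", "X"} for this process
    page_table: dict = field(default_factory=dict)  # page number -> frame number


class SegmentedPagedMMU:
    """Per-process segment table; each entry is paged.

    An address is <segment name, offset>. Every reference passes the rights
    check and the length check before the page table is consulted, so a
    process cannot reach a frame it was not given a segment for, and cannot
    step past the logical end of a segment into whatever shares its last page.
    """

    def __init__(self, segments):
        self.segments = dict(segments)

    def translate(self, name, offset, access):
        seg = self.segments.get(name)
        if seg is None:
            raise ProtectionFault(f"no segment {name!r} in this process")
        if access not in seg.rights:
            raise ProtectionFault(f"{access} not permitted on {name!r}")
        if not 0 <= offset < seg.length:
            raise ProtectionFault(f"offset {offset:#x} past end of {name!r} ({seg.length:#x})")
        page, within = divmod(offset, PAGE_SIZE)
        frame = seg.page_table.get(page)
        if frame is None:
            raise NotResident(f"{name!r} page {page} is swapped out")
        return frame * PAGE_SIZE + within


def denied(mmu, name, offset, access):
    """True if the reference is refused by a protection check."""
    try:
        mmu.translate(name, offset, access)
        return False
    except ProtectionFault:
        return True


# Constructed layout: a code segment, private data, and one segment whose
# frames are mapped into two processes with different rights.
SHARED_PAGES = {0: 9}  # page 0 -> frame 9
ALICE = SegmentedPagedMMU({
    "code":   Segment(0x300, frozenset("RX"), {0: 2, 1: 3, 2: 4}),
    "data":   Segment(0x120, frozenset("RW"), {0: 5, 1: 6}),
    "shared": Segment(0x40,  frozenset("RW"), SHARED_PAGES),
})
BOB = SegmentedPagedMMU({
    "code":   Segment(0x100, frozenset("RX"), {0: 7}),
    "shared": Segment(0x40,  frozenset("R"),  SHARED_PAGES),
})

if __name__ == "__main__":
    print(hex(ALICE.translate("shared", 0x10, "W")))  # 0x910
    print(denied(BOB, "shared", 0x10, "W"))            # True: read-only for Bob
    print(denied(ALICE, "data", 0x120, "R"))           # True: past the 0x120 end
    print(denied(ALICE, "code", 0x10, "W"))            # True: code is not writable
```

Bob has no "data" segment at all, so he cannot even name Alice's private frames; that is the "cannot generate an address to an unpermitted segment" property from the slide.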

4.3. Control of Access to General Objects

Directory
Several difficulties can arise.
- The list becomes too large if there are many shared objects.
- Revocation of access. If owner A has passed to user B the right to read file F, an entry for F is made in the directory for B. If A later questions that trust, A may want to revoke the access right of B. Then ...
- Pseudonyms. Owners A and B may have two different files named F, and they may both want to allow access by S. The directory for S cannot contain two entries under the same name for different files.

Access Control List
There is one such list for each object, and the list shows all subjects who should have access to the object and what their access is.

Access Control Matrix - a table in which each row represents a subject, each column represents an object, and each entry is the set of access rights for that subject to that object.

Access Control Matrix (example)

             BIBLIOG  TEMP  F    HELP.TXT  C_COMP  LINKER  SYS_CLOCK  PRINTER
USER A       ORW      ORW   ORW  R         X       X       R          W
USER B       R        -     -    R         X       X       R          W
USER S       RW       -     R    R         X       X       R          W
USER T       -        -     -    R         X       X       R          W
SYS_MGR      -        -     -    RW        OX      OX      ORW        O
USER_SVCS    -        -     -    O         X       X       R          W

O = owner, R = read, W = write, X = execute, - = no access. Each column read downward is that object's access control list; each row read across is that subject's capability list.

Capability - an unforgeable token that gives the possessor certain rights to an object.
One possible access right to an object is transfer or propagate. A subject having this right can pass copies of capabilities to other subjects. In turn, each of these capabilities also has a list of permitted types of accesses, one of which might also be transfer.
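An added example, not from the book, that loads the access control matrix shown on the slide and derives both views from it: the per-object ACL (a column) and the per-subject capability list (a row). It then models the transfer right described above and the revocation problem raised under directories. The right letter "T" for transfer/propagate is an assumption for this example (the slide's matrix has no such entry), as is the rule that an owner may hand out any right while a transfer holder may only copy rights it actually holds.

```python
OBJECTS = ["BIBLIOG", "TEMP", "F", "HELP.TXT", "C_COMP", "LINKER", "SYS_CLOCK", "PRINTER"]

# Rows copied from the matrix on the slide. "-" is no access; "T" (assumed,
# not on the slide) is the transfer/propagate right discussed under capabilities.
MATRIX = {
    "USER A":    ["ORW", "ORW", "ORW", "R",  "X",  "X",  "R",   "W"],
    "USER B":    ["R",   "-",   "-",   "R",  "X",  "X",  "R",   "W"],
    "USER S":    ["RW",  "-",   "R",   "R",  "X",  "X",  "R",   "W"],
    "USER T":    ["-",   "-",   "-",   "R",  "X",  "X",  "R",   "W"],
    "SYS_MGR":   ["-",   "-",   "-",   "RW", "OX", "OX", "ORW", "O"],
    "USER_SVCS": ["-",   "-",   "-",   "O",  "X",  "X",  "R",   "W"],
}


class AccessControl:
    """The matrix kept as nested dicts: rights[subject][object] -> set of rights."""

    def __init__(self, matrix):
        self.rights = {
            subj: {obj: set(cell.replace("-", "")) for obj, cell in zip(OBJECTS, row)}
            for subj, row in matrix.items()
        }

    def allowed(self, subject, obj, right):
        return right in self.rights.get(subject, {}).get(obj, set())

    def acl(self, obj):
        """Column view: the access control list stored with the object."""
        return {s: set(r[obj]) for s, r in self.rights.items() if r[obj]}

    def capabilities(self, subject):
        """Row view: the capability list carried by the subject."""
        return {o: set(r) for o, r in self.rights[subject].items() if r}

    def grant(self, grantor, grantee, obj, new_rights):
        """Owner hands out any right; a holder of T may copy only what it holds."""
        have = self.rights[grantor][obj]
        new = set(new_rights)
        if "O" in new:
            raise PermissionError("ownership is not transferable here")
        if "O" in have:
            ok = True
        elif "T" in have:
            ok = new <= have
        else:
            ok = False
        if not ok:
            raise PermissionError(f"{grantor} may not give {sorted(new)} on {obj} to {grantee}")
        self.rights.setdefault(grantee, {o: set() for o in OBJECTS})[obj] |= new

    def revoke(self, owner, obj):
        """Owner removes everyone else's rights. With an ACL this is one column;
        with scattered capabilities the owner would have to find every copy,
        which is the revocation problem noted for directories."""
        if "O" not in self.rights[owner][obj]:
            raise PermissionError(f"{owner} does not own {obj}")
        affected = [s for s in self.rights if s != owner and self.rights[s][obj]]
        for s in affected:
            self.rights[s][obj] = set()
        return affected


def refused(fn, *args):
    """True if the operation raises PermissionError."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    ac = AccessControl(MATRIX)
    print(ac.acl("F"))                                      # A: ORW, S: R
    ac.grant("USER A", "USER B", "F", "RT")                 # A gives B read + transfer
    ac.grant("USER B", "USER T", "F", "R")                  # B propagates read to T
    print(refused(ac.grant, "USER B", "USER T", "F", "W"))  # True: B never had W
    print(ac.revoke("USER A", "F"))                         # ['USER B', 'USER S', 'USER T']
```

Because the matrix is held centrally, revoke() can walk the column. In a real capability system the copies B handed to T live with T, and the owner has no column to walk; that is why capability designs need either indirection through a revocable object or expiry built into the token.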

Kerberos
Kerberos implements both authentication and access authorization by means of capabilities, called tickets, secured with symmetric cryptography.
Kerberos requires two systems, called the authentication server (AS) and the ticket-granting server (TGS), which are both part of the key distribution center (KDC).
A user presents an authenticating credential (such as a password) to the authentication server and receives a ticket showing that the user has passed authentication. (In practice the password itself is never sent: the client proves knowledge of it by encrypting a fresh timestamp under a key derived from the password, and the AS reply is encrypted under that same key, so only the real password holder can use it.)

Suppose Joe wants to access a resource R (for example, a file, printer, or network port). Joe sends the TGS his authenticated ticket and a request to use R. Assuming Joe is allowed access, the TGS returns to Joe two tickets:
- One shows Joe that his access to R has been authorized.
- The second is for Joe to present to R in order to access R.
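The exchange above, carried through as an added example that is not part of the book: an AS/TGS pair, a client, and a service that validates a ticket using only its own long-term key. The principal names, the password and the ticket lifetime are constructed. The block uses a toy authenticated encryption (SHA-256 keystream XOR plus an HMAC tag) in place of Kerberos's real encryption types, purely so that it runs on the Python standard library; it is not a cipher to reuse, and the pre-authentication timestamp window and key derivation are simplifications of what the protocol specifies.

```python
import hashlib, hmac, json, os, time

LIFETIME = 300  # constructed ticket lifetime, seconds

# Toy authenticated encryption: SHA-256 keystream XOR plus HMAC tag. It stands in
# for Kerberos's encryption types only so the exchange runs offline; NOT a real cipher.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def user_key(password, name):
    """Long-term key derived from the password (Kerberos's string-to-key step)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), name.encode(), 10_000)

class KDC:
    """AS and TGS together. keys maps principal -> long-term key; "krbtgt" is the
    key under which the TGS seals and opens ticket-granting tickets."""
    def __init__(self, keys):
        self.keys = keys

    def authentication_server(self, user, preauth):
        # The password never travels: the client proves it knows the password by
        # encrypting a fresh timestamp under the password-derived key.
        if abs(time.time() - decrypt(self.keys[user], preauth)["timestamp"]) > 120:
            raise ValueError("stale pre-authentication")
        session = os.urandom(32).hex()
        tgt = encrypt(self.keys["krbtgt"], {"client": user, "session": session,
                                             "expires": time.time() + LIFETIME})
        return tgt, encrypt(self.keys[user], {"session": session})

    def ticket_granting_server(self, tgt, authenticator, service):
        body = decrypt(self.keys["krbtgt"], tgt)  # only the TGS can open a TGT
        if body["expires"] < time.time():
            raise ValueError("TGT expired")
        session = bytes.fromhex(body["session"])
        if decrypt(session, authenticator)["client"] != body["client"]:
            raise ValueError("authenticator does not match ticket")
        svc_session = os.urandom(32).hex()
        ticket = encrypt(self.keys[service], {"client": body["client"], "session": svc_session,
                                              "expires": time.time() + LIFETIME})
        return ticket, encrypt(session, {"service": service, "session": svc_session})

class Client:
    def __init__(self, name, password, kdc):
        self.name, self.kdc, self.key = name, kdc, user_key(password, name)

    def login(self):
        preauth = encrypt(self.key, {"timestamp": time.time()})
        self.tgt, reply = self.kdc.authentication_server(self.name, preauth)
        self.session = bytes.fromhex(decrypt(self.key, reply)["session"])

    def ticket_for(self, service):
        auth = encrypt(self.session, {"client": self.name, "timestamp": time.time()})
        ticket, reply = self.kdc.ticket_granting_server(self.tgt, auth, service)
        svc_session = bytes.fromhex(decrypt(self.session, reply)["session"])
        return ticket, encrypt(svc_session, {"client": self.name, "timestamp": time.time()})

def service_accepts(service_key, ticket, authenticator):
    """What resource R does on its own, never contacting the KDC: open the ticket
    with its long-term key, check expiry, check the authenticator under the session key."""
    body = decrypt(service_key, ticket)
    if body["expires"] < time.time():
        return None
    auth = decrypt(bytes.fromhex(body["session"]), authenticator)
    return body["client"] if auth["client"] == body["client"] else None

def run_demo():
    """Constructed scenario: Joe, a KDC and a printer service."""
    printer_key = os.urandom(32)
    kdc = KDC({"joe": user_key("correct horse", "joe"), "krbtgt": os.urandom(32),
               "printer": printer_key})
    joe = Client("joe", "correct horse", kdc)
    joe.login()
    ticket, auth = joe.ticket_for("printer")
    out = {"joe_at_printer": service_accepts(printer_key, ticket, auth)}
    try:  # wrong password: the AS cannot open the pre-authentication
        Client("joe", "wrong password", kdc).login()
        out["wrong_password_logs_in"] = True
    except ValueError:
        out["wrong_password_logs_in"] = False
    try:  # the printer's ticket is useless at a service holding a different key
        service_accepts(os.urandom(32), ticket, auth)
        out["ticket_valid_elsewhere"] = True
    except ValueError:
        out["ticket_valid_elsewhere"] = False
    return out
```

Two things worth noticing when running it: the service never holds the user's key or talks to the KDC, and the ticket alone is not enough, because the authenticator must be produced with the session key that only the legitimate client could decrypt.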

Procedure-Oriented Access Control
Ensure that accesses to an object are made through a trusted interface.

Role-Based Access Control
Associate privileges with groups.

4.4. File Protection Mechanisms

Basic Forms of Protection

All-None Protection
Unacceptable for several reasons:
- lack of trust
- too coarse
- rise of sharing
- complexity
- file listings

Group Protection
Focused on identifying groups of users who had some common relationship. All authorized users are separated into groups. A group may consist of several members working on a common project, a department, a class, or a single user. The basis for group membership is need to share. A key advantage of the group protection approach is its ease of implementation.
Difficulties with the group approach:
- Group affiliation. A single user cannot belong to two groups.
- Multiple personalities. To overcome the one-person one-group restriction, certain people might obtain multiple accounts, permitting them, in effect, to be multiple users.
- All groups. To avoid multiple personalities, the system administrator may decide that Tom should have access to all his files any time he is active.
- Limited sharing. Files can be shared only within groups or with the world.

Individual Permissions
- Persistent permission
- Temporary acquired permission

Unix and Unix-like operating systems provide an interesting permission scheme based on a three-level user-group-world hierarchy. The Unix designers added a permission called set userid (suid): an executable marked suid runs with the effective user ID of the file's owner rather than that of the user who started it, so the user temporarily acquires the owner's rights for the duration of that program.

Per-Object and Per-User Protection

4.5. User Authentication
Authentication mechanisms use any of three qualities to confirm a user's identity.
- Something the user knows. Passwords, PINs, passphrases, a secret handshake, and mother's maiden name are examples of what a user may know.
- Something the user has. Identity badges, physical keys, a driver's license, or a uniform are common examples of things people have that make them recognizable.
- Something the user is. These authenticators, called biometrics, are based on a physical characteristic of the user.

Passwords as Authenticators

Use of Passwords
Passwords are mutually agreed-upon code words, assumed to be known only to the user and the system.
They suffer from some difficulties of use:
- Loss. Depending on how the passwords are implemented, it is possible that no one will be able to replace a lost or forgotten password.
- Use. Supplying a password for each access to a file can be inconvenient and time consuming.
- Disclosure. If a password is disclosed to an unauthorized individual, the file becomes immediately accessible.
- Revocation.

Additional Authentication Information
Using additional authentication information is called multifactor authentication. Two forms of authentication (known as two-factor authentication) are better than one, assuming of course that the two forms are strong. But as the number of forms increases, so also does the inconvenience.

Attacks on Passwords
Some ways you might be able to determine a user's password, in decreasing order of difficulty:
- Try all possible passwords.
- Try frequently used passwords.
- Try passwords likely for the user.
- Search for the system list of passwords.
- Ask the user.

Loose-Lipped Systems
A login dialogue can leak information. The exchange below tells the attacker, before any password has been tried, that "adams" is not a valid account name, so account names can be enumerated one by one:

    WELCOME TO THE XYZ COMPUTING SYSTEMS
    ENTER USER NAME: adams
    INVALID USER NAME / UNKNOWN USER
    ENTER USER NAME:

An alternative arrangement of the login sequence is shown below. The same failure message is given whether the user name or the password was wrong, so the attacker learns nothing about which one was rejected:

    WELCOME TO THE XYZ COMPUTING SYSTEMS
    ENTER USER NAME: adams
    ENTER PASSWORD: john
    INVALID ACCESS
    ENTER USER NAME:

With that arrangement a guessing session looks like the following; only a correct name-and-password pair is ever confirmed:

    ENTER USER NAME: adams
    ENTER PASSWORD: john
    INVALID ACCESS
    ENTER USER NAME: adams
    ENTER PASSWORD: johnq
    WELCOME TO THE XYZ COMPUTING SYSTEMS

Exhaustive Attack
In an exhaustive or brute force attack, the attacker tries all possible passwords, usually in some automated fashion.

Probable Passwords

Passwords Likely for a User

Users' Password Choices (figure)

Password guessing steps, cheapest and most probable first:
1. no password
2. the same as the user ID
3. is, or is derived from, the user's name
4. common word list (for example, "password," "secret," "private") plus common names and patterns (for example, "asdfg," "aaaaaa")
5. short college dictionary
6. complete English word list
7. short college dictionary with capitalizations (PaSsWoRd) and substitutions (0 for O, and so forth)
8. complete English with capitalizations and substitutions
9. common non-English dictionaries with capitalization and substitutions
10. brute force, lowercase alphabetic characters
11. brute force, full character set
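The guessing ladder above as running code, added here and not taken from the book: a generator that yields candidates in the slide's order (empty, user ID, derived from the name, common words, a short dictionary, the same dictionary with capitalisation and symbol substitutions, then lowercase brute force) and an offline check of each candidate against a salted hash standing in for one entry of an encrypted password file. The word lists, the substitution table, the salt and the target passwords are all constructed and deliberately tiny; a real attack uses the full lists the slide names and a far larger brute-force budget. What the example shows is which rung a given password falls on and how few guesses it takes to get there.

```python
import hashlib
import hmac
import itertools
import string

# Constructed word lists; a real run would use the full lists the slide names.
COMMON_WORDS = ["password", "secret", "private", "letmein", "welcome",
                "qwerty", "asdfg", "aaaaaa", "123456"]
SHORT_DICTIONARY = ["apple", "dragon", "monkey", "summer", "football", "orange"]
SUBSTITUTIONS = {"o": "0", "i": "1", "e": "3", "a": "@", "s": "$"}


def derived_from_name(name):
    """Guesses built from the user's real name, e.g. 'John Adams' -> jadams."""
    parts = name.lower().split()
    yield from parts
    if len(parts) > 1:
        yield "".join(parts)
        yield "".join(reversed(parts))
        yield parts[0][0] + parts[-1]
    for p in parts:
        yield p + "1"
        yield p[::-1]


def capitalizations(word):
    yield word
    yield word.capitalize()
    yield word.upper()
    yield "".join(c.upper() if i % 2 == 0 else c for i, c in enumerate(word))  # PaSsWoRd


def substitutions(word):
    """The word with every combination of the common letter-for-symbol swaps."""
    spots = [i for i, c in enumerate(word) if c in SUBSTITUTIONS]
    for r in range(len(spots) + 1):
        for combo in itertools.combinations(spots, r):
            chars = list(word)
            for i in combo:
                chars[i] = SUBSTITUTIONS[chars[i]]
            yield "".join(chars)


def candidates(user_id, full_name, max_brute=3):
    """Guesses in the slide's order: cheapest, most probable first; brute force last."""
    yield "no password", ""
    yield "same as user id", user_id
    for g in derived_from_name(full_name):
        yield "derived from name", g
    for w in COMMON_WORDS:
        yield "common words and patterns", w
    for w in SHORT_DICTIONARY:
        yield "short dictionary", w
    for w in SHORT_DICTIONARY:
        for cap in capitalizations(w):
            for sub in substitutions(cap):
                yield "short dictionary with caps/subs", sub
    for n in range(1, max_brute + 1):
        for t in itertools.product(string.ascii_lowercase, repeat=n):
            yield "brute force, lowercase", "".join(t)


def hash_password(password, salt):
    """Stands in for the system's one-way password hash; salted so that two
    users with the same password do not produce the same stored value."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def guess(user_id, full_name, salt, stored_hash, max_brute=3):
    """Offline attack on one entry of an 'encrypted password file'.
    Returns (step that succeeded, password, number of guesses) or None."""
    for n, (step, pw) in enumerate(candidates(user_id, full_name, max_brute), 1):
        if hmac.compare_digest(hash_password(pw, salt), stored_hash):
            return step, pw, n
    return None


if __name__ == "__main__":
    salt = b"constructed-salt"
    for pw in ["adams", "Dr@g0n", "xyz", "correct horse battery staple"]:
        print(pw, "->", guess("adams", "John Adams", salt, hash_password(pw, salt)))
```

The last target survives only because it is long and not in any list the ladder knows; that is the whole argument for the selection criteria on the later slide. A fast hash such as the SHA-256 used here makes the offline search cheap, which is why real password stores use a deliberately slow, salted function instead.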

Plaintext System Password List

Encrypted Password File

Indiscreet Users - get it directly from the user! People often tape a password to the side of a terminal or write it on a card just inside the top desk drawer.

Password Selection Criteria
- Use characters other than just A-Z.
- Choose long passwords.
- Avoid actual names or words.
- Choose an unlikely password.
- Change the password regularly.
- Don't write it down.
- Don't tell anyone else. The easiest attack is social engineering, in which the attacker contacts the system's administrator or a user to elicit the password in some way.

One-Time Passwords

Biometrics: Authentication Not Using Passwords
- Identification vs authentication
- Much more reliable, but less effective

4.6. Summary of Security for Users
Addressed four topics:
- memory protection
- file protection
- general object access control
- user authentication