Operating System Security
Andy Wang
COP 5611
Advanced Operating Systems
Outline
Introduction
Threats
Basic security principles
Security on a single machine
Distributed systems security
Data communications security
Introduction
Security is an engineering problem
  Always a tradeoff between safety, cost, and inconvenience
Not much solid theory in the field
Hard to provide any real guarantees
  Because making mistakes is easy
  And the nature of the problem implies that mistakes are always exploited
History of Security Problem
Originally, there was no security problem
Later, there was a problem, but nobody cared
Now, there are increasing problems, and people are beginning to care
  Automation
  Action at a distance
  Technique propagation
Constraints of Practical Computer Security
Security costs
  If too much, it won’t be used
  If it isn’t easy, it won’t be used
Misuse often makes security measures useless
Fit the stringency of the measure to the threat being countered
Security is as Strong as the Weakest Link
Opponents will attack the weakest point
  Putting an expensive lock on a cheap door doesn’t help much
Must look on security problems as part of an integrated system
  Not just a single component
Security Threats
Extremely wide range of threats
  From a wide variety of sources
  Requiring a wide variety of countermeasures
Generally, countering any threat costs something
  So people counter as few as they can afford
Physical Security
Some threats involve access to the equipment itself
  Such as theft, destruction, tampering
Physical threats usually require physical prevention methods
Social Engineering and Security
Computer security easily subverted by bad human practices
  E.g., giving key out over the phone to anyone who asks
Social engineering attacks tend to be cheap, easy, effective
  So all our work may be for naught
A Classification of Threats
Viewed as types of attacks on normal service
So what is normal service?
[Diagram: normal service, information flows from Information Source to Information Destination]
Classification of Threat Types
Secrecy
Integrity
Availability
Exclusivity
Interruption
[Diagram: Information Source, Information Destination; the flow between them is broken]
Interruption Threats
Denial of service
  Prevents source from sending information to receiver
  Or receiver from sending request to source
A threat to availability
How Does an Interruption Threat Occur?
Destruction of HW/SW
Interference with communications channel
Overloading a shared resource
Interception
[Diagram: Information Source, Information Destination, and an Unauthorized Third Party receiving the flow]
Another Type of Interception
[Diagram: Information Source, Information Destination, and an Unauthorized Third Party; a second interception arrangement]
Interception Threats
Data or services provided to unauthorized party
  Either in conjunction with or independent of authorized access
A threat to secrecy
Also a threat to exclusivity
How Do Interception Threats Occur?
Eavesdropping
Masquerading
Break-ins
Illicit data copying
Modification
[Diagram: Information Source, Information Destination, and an Unauthorized Third Party altering the flow in transit]
Another Type of Modification Threat
[Diagram: Information Source, Information Destination, and an Unauthorized Third Party; numbered steps 1, 2, 3 show the third party interposing itself in the exchange]
Modification Threats
Unauthorized parties modify data
  Either on the way to the users
  Or permanently at the servers
A threat to integrity
How Do Modification Threats Occur?
Interception of data requests
Masquerading
Illicit access to servers/services
Fabrication
[Diagram: Information Source, Information Destination, and an Unauthorized Third Party injecting its own messages toward the destination]
Fabrication Threats
Unauthorized party inserts counterfeit objects into the system
  Causing improper changes in data
  Or improper use of system resources
A threat to integrity
How Do Fabrication Threats Occur?
Masquerading
Bypassing protection measures
Duplication of legitimate requests
Active Threats vs. Passive Threats
Passive threats are forms of eavesdropping
  No modifications, injections of requests, etc. occur
Active threats are more aggressive
Passive threats are mostly to secrecy
Active threats are to availability, integrity, exclusivity
What Are We Protecting?
Hardware
Software
Data
Communications lines and networks
Economic values
Basic Security Principles
Terms and concepts
Mechanisms
Security and Protection
Security is a policy
  E.g., “no unauthorized user may access this file”
Protection is a mechanism
  E.g., “the system checks user identity against access permissions”
Protection mechanisms implement security policies
Design Principles for Secure Systems
Economy
Complete mediation
Open design
Least privilege
Least common mechanism
Acceptability
Fail-safe defaults
Economy in Security Design
Economical to develop
  And to use
Should add little or no overhead
Should do only what needs to be done
Generally, try to keep it simple and small
Complete Mediation
Apply security on every access to an object that a mechanism is meant to protect
  E.g., each read of a file, not just the open
Does not necessarily require actual checking on each access
Open Design
Don’t rely on “security through obscurity”
Assume all potential intruders know everything about the design
  And completely understand it
Separation of Privileges
Provide mechanisms that separate the privileges used for one purpose from those used for another
  To allow flexibility in the security system
  E.g., separate access control on each file
Least Privilege
Give bare minimum access rights required to complete a task
Require another request to perform another type of access
E.g., don’t give write permission if he only asked for read
Least Common Mechanism
Avoid sharing parts of the security mechanism among different users
  E.g., passwords
Coupling users leads to possibilities for them to breach the system
Acceptability
Mechanism must be simple to use
  Simple enough that people will use it automatically
Example
  Cashier register sticker: “If you don’t get a receipt, your meal is free”
Must rarely or never prevent permissible accesses
Fail-Safe Designs
Default to lack of access
  So if something goes wrong/is forgotten/isn’t done, no security is lost
If important mistakes are made, you’ll find out about them
  Without loss of security
Sharing Security Spectrum
No protection
Isolation
Share all or nothing
Share with access limitations
Share with dynamic capabilities
Important Security Mechanisms
Authentication
Encryption
Passwords
Other authentication mechanisms
Access control mechanisms
Authentication
If a system supports more than one user, it must be able to tell who’s doing what
  I.e.: all requests to the system must be tagged with user identity
Authentication is required to assure the system that the tags are valid
Encryption
Various algorithms can be used to make data unreadable to intruders
  This process is called encryption
Typically, encryption uses a secret key known only to legitimate users of the data
Without the key, decrypting the data is computationally infeasible
Encryption Example
M is the plaintext (text to be encrypted)
E is the encryption algorithm
Ke is the key
C is the ciphertext (encrypted text)
C = E(M, Ke)
Decrypting the Ciphertext
C is the ciphertext
D is the decryption algorithm
Kd is the decryption key
M = D(C, Kd)
Symmetrical Encryption
Many common encryption algorithms are symmetrical
  I.e.: E = D and Ke = Kd
Some important encryption algorithms are not symmetrical, however
Encryption Security Assumptions
Assume that someone trying to break the encryption knows:
  The algorithms E and D
  Arbitrary amounts of matching plaintext and ciphertext M and C
But does not know the keys Ke and Kd
Evaluating Security of Encryption
Given these assumptions, and a new piece of ciphertext Cn, how hard is it to discover Mn?
  Either by figuring out Kd or some other method
What if Mn matches one of the known pieces of plaintext?
Practical Security of Encryption
Most encryption algorithms can be broken
Goal is to make breaking them too expensive to bother
How do we protect our encryption?
Key Issues in Encryption
Security often depends on length of key
  Long keys give better security
  But slow down encryption
The more data sent with a given key, the greater the chance of compromise
The more data sent with a given key, the greater the value of deducing it
Encryption Is Not Enough
Limited possibilities: E(“Buy”, K), E(“Sell”, K)
Reordering of encrypted blocks
  Alice sends Bob some encrypted blocks: E(“L”, K), E(“I”, K), E(“V”, K), E(“E”, K)
  Eve intercepts and rearranges the blocks
  Bob deciphers it: EVIL
Statistical regularities
  If plaintext repeats, ciphertext may too
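Added example (not from the slides): a toy independent-block encryption in Python reproduces the LIVE to EVIL reordering and the repeated-block leak, then shows the standard countermeasure, authenticating the whole ciphertext with an HMAC and rejecting it before decryption if the tag fails. The toy cipher, key values and function names are mine; it is not a real cipher.

```python
import hashlib
import hmac

# Toy "block cipher" used only to make the slide's reordering problem visible:
# every 1-byte block is XORed with the same key-derived byte, so each block is
# encrypted independently of the others, E(M, K) = E(B1, K)E(B2, K)...
# It is not a real cipher and exists only for this demonstration.
BLOCK = 1


def _block_key(key: bytes) -> bytes:
    return hmac.new(key, b"toy-block-cipher", hashlib.sha256).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_blocks(msg: bytes, key: bytes) -> list:
    """Return [E(B1, K), E(B2, K), ...], one ciphertext per plaintext block."""
    k = _block_key(key)
    return [_xor(msg[i:i + BLOCK], k) for i in range(0, len(msg), BLOCK)]


def decrypt_blocks(blocks: list, key: bytes) -> bytes:
    """Decrypt block by block. Nothing here can tell whether the order was changed."""
    k = _block_key(key)
    return b"".join(_xor(blk, k) for blk in blocks)


def repeated_positions(blocks: list) -> list:
    """Statistical-regularity check: positions whose ciphertext block already
    appeared earlier. Identical ciphertext blocks reveal identical plaintext
    blocks, and a two-valued message (Buy/Sell) is recognised once either
    value has been observed with its plaintext."""
    seen = {}
    return [i for i, blk in enumerate(blocks) if seen.setdefault(blk, i) != i]


def seal(msg: bytes, enc_key: bytes, mac_key: bytes):
    """Encrypt, then authenticate the whole ciphertext sequence with an HMAC,
    so reordering, dropping or swapping blocks is detected by the receiver."""
    blocks = encrypt_blocks(msg, enc_key)
    tag = hmac.new(mac_key, b"".join(blocks), hashlib.sha256).digest()
    return blocks, tag


def open_sealed(blocks: list, tag: bytes, enc_key: bytes, mac_key: bytes):
    """Verify the tag before decrypting; return None if the ciphertext was tampered with."""
    expected = hmac.new(mac_key, b"".join(blocks), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt_blocks(blocks, enc_key)
```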
Stream, Block Ciphers
M = B1B2… with Bi of fixed length
Block cipher
  E(M, K) = E(B1, K)E(B2, K)…
Stream cipher
  K = K1K2…
  E(M, K) = E(B1, K1)E(B2, K2)…
DES
  Bi = 64 bits, K = 56 bits
One-Time Pads
Theoretically unbreakable security
A symmetrical encryption system
Use one bit of key for each bit of plaintext
Never reuse any key bits
Generate key bits truly randomly
Advantages of One-Time Pads
Proved secure (in information theoretic sense)
Encryption is computationally cheap
  XOR message with key
Required procedures for proper use well understood
Problems with One-Time Pads
They burn keys like crazy
Need to keep key usage in sync
If the keys aren’t truly random, patterns can be deduced in the bits
Distribution of pads
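Added example (my code, not the slides'): a one-time pad in Python that enforces the rules from the last three slides. Each party's pad object has a cursor that only moves forward, refuses to hand out key bits twice, and must stay in step with the peer; a lost message desynchronises the cursors, and the last function shows why reused key bits are fatal. Class and function names are mine.

```python
import secrets


class OneTimePad:
    """One party's copy of a shared pad plus a cursor recording how much of it
    has been consumed. Sender and receiver must advance their cursors in lockstep."""

    def __init__(self, pad: bytes) -> None:
        self._pad = pad
        self._cursor = 0

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._cursor

    def _take(self, n: int) -> bytes:
        # Every key byte is used once and then left behind: the cursor never moves back.
        if n > self.remaining:
            raise RuntimeError("pad exhausted; refusing to reuse key bits")
        chunk = self._pad[self._cursor:self._cursor + n]
        self._cursor += n
        return chunk

    def apply(self, data: bytes) -> bytes:
        """XOR with the next len(data) key bytes. Encrypt and decrypt are the
        same operation, so the receiver calls apply() on the ciphertext."""
        return bytes(d ^ k for d, k in zip(data, self._take(len(data))))


def new_pad(n_bytes: int) -> bytes:
    """Key material from the OS CSPRNG, the closest a program gets to 'truly random'."""
    return secrets.token_bytes(n_bytes)


def exchange(pad: bytes, messages: list) -> list:
    """Alice encrypts each message in turn and Bob decrypts each one;
    returns what Bob recovers (both hold identical pads and cursors)."""
    alice, bob = OneTimePad(pad), OneTimePad(pad)
    return [bob.apply(alice.apply(m)) for m in messages]


def exchange_with_lost_message(pad: bytes, messages: list) -> list:
    """Same exchange, but Bob never receives the first ciphertext: his cursor now
    lags Alice's, so every later message decrypts with the wrong key bytes."""
    alice, bob = OneTimePad(pad), OneTimePad(pad)
    ciphertexts = [alice.apply(m) for m in messages]
    return [bob.apply(c) for c in ciphertexts[1:]]


def two_time_pad_leak(pad: bytes, m1: bytes, m2: bytes) -> bool:
    """Why key bits must never be reused: if two messages are XORed with the
    same pad bytes, XORing the two ciphertexts cancels the key and leaves
    m1 XOR m2, which no longer depends on the key at all."""
    c1 = OneTimePad(pad).apply(m1)   # a second pad object at cursor 0: reuse
    c2 = OneTimePad(pad).apply(m2)
    return bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(m1, m2))
```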
Passwords
A fundamental authentication mechanism
A user proves his identity by supplying a secret
  Either at login or other critical time
The secret is the password
Password Security
Password selection
Password storage and handling
Password aging
Selecting a Password
Desirable characteristics include:
  Unguessable
  Easy to remember (and type)
  Not in a dictionary
  Too long to search exhaustively
Password Storage and Handling
Passwords are secrets, so their security depends on careful handling
But seemingly the system must store the password
  To compare when users log in
If system storage is compromised, so is all authentication
Securely Storing Passwords
Store only in encrypted form
To check a password, encrypt it and compare to the encrypted version
Encrypted version can be stored in a file
But there are tricky issues
Tricky Issues in Storing Encrypted Passwords
What do I encrypt them with?
If I use a single key to encrypt them all, what if the key is compromised?
  That key must be stored in the system
What if two people choose the same password?
Example: The UNIX Password File
Each password has an associated salt
UNIX encrypts a block of zeros
  Key built from password plus 12-bit salt
  Encryption done with DES
Stored information = E(zero, salt + password)
To check password, repeat operations
How Does This Help the Problems?
No single key for encryption
  So can’t crack that key
  And needn’t ever store it
Each encryption (probably) performed with a different key
  So two people with the same password have different encrypted versions
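Added example (my code, not the slides'): a salted password store in Python showing the two properties the last two slides rely on, that checking a password repeats the stored operations with the stored salt, and that identical passwords get different stored values. The standard library has no DES, so the slides' E(zero, salt + password) is deliberately replaced by PBKDF2-HMAC-SHA256; the 128-bit salt, iteration count, record format and sample users are my choices.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # work factor (constructed value; tune to the hardware)
SALT_BYTES = 16        # the classic UNIX scheme used a 12-bit salt; 128 bits here


def make_record(password: str, salt: bytes = b"") -> str:
    """Build the stored entry: scheme, iteration count, salt and derived value.
    The password itself is never written anywhere. A fresh random salt is
    drawn unless one is supplied (supplying one keeps tests deterministic)."""
    if not salt:
        salt = secrets.token_bytes(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), derived.hex())


def verify(password: str, record: str) -> bool:
    """To check a password, repeat the derivation with the stored salt and
    compare in constant time, so timing does not reveal how much matched."""
    try:
        scheme, iterations, salt_hex, derived_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(derived, bytes.fromhex(derived_hex))


def build_password_file(users: dict) -> dict:
    """users maps name -> password (constructed sample input);
    the result is what the system would actually keep on disk."""
    return {name: make_record(pw) for name, pw in users.items()}


def login(password_file: dict, name: str, password: str) -> bool:
    """Authenticate against the stored records only."""
    record = password_file.get(name)
    if record is None:
        # Burn the same work for an unknown name so response time does not
        # reveal which user names exist.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes(SALT_BYTES), ITERATIONS)
        return False
    return verify(password, record)
```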
Does this solve the problem?
Not entirely
Passwords exist in plaintext in process checking them
Passwords may be transmitted in plaintext
  Especially for remote logins
  Bluetooth keyboards
Problems with Passwords
People choose bad ones
People forget them
People reuse them
People rarely change them
How to Deal with Bad Passwords
Educate users so they choose good ones
Automatic password generation
Check when changed
Periodically run automated cracker
Any solution must balance user needs, password security, and resources
Other Authentication Mechanisms
Challenge/response
Smartcards
Other special hardware
Detection of personal characteristics
All have some drawbacks
Some are combined with passwords
Data Access Control Mechanisms
Methods of specifying who can access what in which ways when
Based on assumption that the system has authenticated the user
Access Matrix
Describes permissible accesses for the system
Subjects access objects with particular access rights
A theoretical concept, never kept in practice
Access Matrix Example

|        | File 1      | File 2 | Server X    | Segment 57 |
|--------|-------------|--------|-------------|------------|
| User A | Read, Write | None   | Query       | Read       |
| User B | Read        | Write  | Update      | None       |
| User C | None        | Read   | Start, Stop | None       |
| User D | None        | None   | Query       | None       |
Types of Access Control
Discretionary access control (DAC)
  Individual user sets ACL mechanism
Mandatory access control (MAC)
  System mechanism controls access to object
Originator controlled access control (ORCON)
  Creator of information controls ACL
Role-based access control (RBAC)
  Bookkeeper has access to financial records
Methods for Implementing Access Matrix
Access control lists
  Decomposition by columns
Capabilities
  Decomposition by rows
Access Control Lists
Each object controls who can access it
  Using an access control list
Add subjects by adding entries
Remove subjects by removing entries
+ Easy to determine who can access object
+ Easy to change who can access object
- Hard to tell what someone can access
Access Control List Example
File 1’s ACL
  User A: Read, Write
  User B: Read
Segment 57’s ACL
  User A: Read
Capabilities
Each subject keeps track of what it can access
  By keeping a capability for each object
Capabilities are like admission tickets
+ Easy to tell what a subject can access
- Hard to tell who can access an object
- Hard to revoke/control access (someone can keep an extra copy around)
Capability Example
User A’s Capabilities
  File 1: Read, Write
  Server X: Query
  Segment 57: Read
User B’s Capabilities
  File 1: Read
  File 2: Write
  Server X: Update
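Added example (my code, not the slides'), serving the ACL and capability slides together: the access matrix from the Access Matrix Example slide is decomposed by columns into ACLs and by rows into capability lists, and the two decompositions are compared on the questions each answers cheaply ("who can access this object?" versus "what can this subject access?") and on revocation. The dict layout and function names are mine.

```python
# Access matrix from the slides, as a Python dict: subject -> object -> rights.
# "None" cells are simply absent.
MATRIX = {
    "User A": {"File 1": {"Read", "Write"}, "Server X": {"Query"}, "Segment 57": {"Read"}},
    "User B": {"File 1": {"Read"}, "File 2": {"Write"}, "Server X": {"Update"}},
    "User C": {"File 2": {"Read"}, "Server X": {"Start", "Stop"}},
    "User D": {"Server X": {"Query"}},
}
OBJECTS = ("File 1", "File 2", "Server X", "Segment 57")


def to_acls(matrix: dict) -> dict:
    """Decompose by columns: one ACL per object, listing subjects and their rights."""
    acls = {obj: {} for obj in OBJECTS}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls[obj][subject] = set(rights)
    return acls


def to_capabilities(matrix: dict) -> dict:
    """Decompose by rows: one capability list per subject (its 'admission tickets')."""
    return {subject: {obj: set(r) for obj, r in row.items()} for subject, row in matrix.items()}


def acl_permits(acls: dict, subject: str, obj: str, right: str) -> bool:
    return right in acls.get(obj, {}).get(subject, set())


def cap_permits(caps: dict, subject: str, obj: str, right: str) -> bool:
    return right in caps.get(subject, {}).get(obj, set())


def who_can_access(acls: dict, obj: str) -> list:
    """Cheap with ACLs: read one object's list."""
    return sorted(acls[obj])


def what_can_access(caps: dict, subject: str) -> list:
    """Cheap with capabilities: read one subject's list."""
    return sorted(caps[subject])


def who_can_access_via_caps(caps: dict, obj: str) -> list:
    """The expensive direction for capabilities: every subject's list must be scanned."""
    return sorted(s for s, held in caps.items() if obj in held)


def revoke_acl(acls: dict, subject: str, obj: str) -> None:
    """Revocation with an ACL is one deletion on the object's list."""
    acls[obj].pop(subject, None)


def revoke_capability(caps: dict, subject: str, obj: str) -> None:
    """With capabilities the system deletes the ticket it knows about; a copy the
    subject stashed elsewhere is not reached, which is the revocation problem."""
    caps[subject].pop(obj, None)


def same_matrix(acls: dict, caps: dict) -> bool:
    """Both decompositions must answer every (subject, object, right) question identically."""
    rights = {r for row in caps.values() for rs in row.values() for r in rs}
    return all(acl_permits(acls, s, o, r) == cap_permits(caps, s, o, r)
               for s in caps for o in OBJECTS for r in rights)
```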
Other Models of Access Control
Military model
Information flow models
Lattice model of information flow
Bell-LaPadula Model
An example of confidentiality policy
Clearance categories
  Top secret, secret, confidential, unclassified
Users can only create and write top secret and secret documents
Users cannot read documents > their clearance
Users cannot write documents < their clearance
Bell-LaPadula Model
Rationale
  Cannot copy a top secret document over an unclassified one
    And email the unclassified one away
  Information flows up
Problems
  Blind writes
  Classifications cannot change
  Interacts with capability-based systems (passing a capability from high clearance to low clearance)
Biba’s Model
An example of integrity policy
The higher the level, the more confidence
  That a program will execute correctly
  That data is accurate and/or reliable
Note integrity levels ≠ security levels
Assumption
  Integrity and trustworthiness
Biba’s Model
Requirements
  Users use only existing programs
  Programmers will develop and test programs
  Program installations are controlled and audited
  Managers and auditors have access to both the system state and the system logs
Biba’s Model
Goal: Prevent untrusted software from altering data or other software
Credibility rating based on estimate of software’s trustworthiness
Trusted file systems contain software with a single credibility level
Process has risk level or highest credibility level at which process can execute
Must use run-untrusted command to run software at lower credibility level
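Added example (my code, not the slides'), covering both the Bell-LaPadula slides and the Biba slides: the two read/write rules of each model as Python checks over ordered levels. Bell-LaPadula uses the four clearance categories from the slides; Biba's rules are the standard strict-integrity formulation (no read down, no write up), which the slides state only informally, and the integrity labels are my placeholders. The copy check reproduces the slides' rationale, and the blind-write check reproduces the first listed problem.

```python
# Confidentiality levels from the Bell-LaPadula slide, lowest first.
SECURITY_LEVELS = ("unclassified", "confidential", "secret", "top secret")
# Integrity levels for Biba: constructed labels standing in for the slides'
# credibility levels, lowest (least trustworthy) first.
INTEGRITY_LEVELS = ("untrusted", "user", "system")


def _rank(order: tuple, level: str) -> int:
    return order.index(level)   # raises ValueError for an unknown label


def blp_can_read(clearance: str, doc_level: str) -> bool:
    """Simple security property: no read up (cannot read documents > clearance)."""
    return _rank(SECURITY_LEVELS, doc_level) <= _rank(SECURITY_LEVELS, clearance)


def blp_can_write(clearance: str, doc_level: str) -> bool:
    """*-property: no write down (cannot write documents < clearance), so
    information only flows upward."""
    return _rank(SECURITY_LEVELS, doc_level) >= _rank(SECURITY_LEVELS, clearance)


def blp_copy_allowed(clearance: str, src_level: str, dst_level: str) -> bool:
    """Copying is a read of the source followed by a write of the destination;
    both checks must pass. This is what stops a top secret document being
    copied over an unclassified one and mailed away."""
    return blp_can_read(clearance, src_level) and blp_can_write(clearance, dst_level)


def blp_is_blind_write(clearance: str, doc_level: str) -> bool:
    """The 'blind writes' problem: a subject may write a document it can never read back."""
    return blp_can_write(clearance, doc_level) and not blp_can_read(clearance, doc_level)


def biba_can_read(subject_integrity: str, obj_integrity: str) -> bool:
    """Strict integrity: no read down (do not take input from less trustworthy data)."""
    return _rank(INTEGRITY_LEVELS, obj_integrity) >= _rank(INTEGRITY_LEVELS, subject_integrity)


def biba_can_write(subject_integrity: str, obj_integrity: str) -> bool:
    """Strict integrity: no write up (untrusted software cannot alter trusted data or software)."""
    return _rank(INTEGRITY_LEVELS, obj_integrity) <= _rank(INTEGRITY_LEVELS, subject_integrity)


def allowed_operations(model: str, subject_level: str, obj_level: str) -> set:
    """Summarise what a subject may do to an object under one of the two models."""
    can_read, can_write = {"blp": (blp_can_read, blp_can_write),
                           "biba": (biba_can_read, biba_can_write)}[model]
    ops = set()
    if can_read(subject_level, obj_level):
        ops.add("read")
    if can_write(subject_level, obj_level):
        ops.add("write")
    return ops
```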
Chinese Wall Model
Problem
  Tony advises American Bank about investments
  He is asked to advise Toyland Bank about investments
  Conflict of interest
    His advice for either bank would affect his advice to the other bank
Chinese Wall Model
Organize entities into conflict of interest classes
Control subject access to each class
Control writing to all classes to ensure info is not passed along in violation of rules
Allow sanitized data to be viewed by everyone
Writing
Anthony, Susan work in the same trading house
Anthony can read Bank 1’s CD, Gas’s CD
Susan can read Bank 2’s CD, Gas’s CD
If Anthony could write to Gas’s CD, Susan can read it
  Hence, indirectly, she can read information from Bank 1’s CD, a clear conflict of interest
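Added example (my code, not the slides'): the Chinese Wall read and write rules in Python, run on the Anthony/Susan scenario from the two preceding slides. The conflict-of-interest classes (Bank 1 and Bank 2 compete, Gas does not), the sanitized label, and the class and function names are my constructions.

```python
SANITIZED = "Sanitized"   # public data, outside every conflict-of-interest class

# Company datasets (the "CDs" of the slide) and their conflict-of-interest classes.
COI_CLASS = {"Bank 1": "Banks", "Bank 2": "Banks", "Gas": "Energy"}


class Analyst:
    """A subject whose access history decides what it may still touch."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.accessed = set()   # company datasets this subject has ever read

    def can_read(self, company: str) -> bool:
        """Read rule: allowed if the data is sanitized, already in the history,
        or in a conflict-of-interest class the subject has not entered through
        a different company. History only grows, so the wall closes behind you."""
        if company == SANITIZED or company in self.accessed:
            return True
        return all(COI_CLASS[c] != COI_CLASS[company]
                   for c in self.accessed if c != SANITIZED)

    def read(self, company: str) -> None:
        if not self.can_read(company):
            raise PermissionError("%s may not read %s: conflict of interest" % (self.name, company))
        self.accessed.add(company)

    def can_write(self, company: str) -> bool:
        """Write rule: allowed only if the subject can read the target and has read
        nothing except that company's data and sanitized data. Otherwise what it
        saw in another dataset could be copied into this one for others to read."""
        if not self.can_read(company):
            return False
        return all(c == company or c == SANITIZED for c in self.accessed)


def slide_scenario() -> dict:
    """Anthony reads Bank 1 and Gas, Susan reads Bank 2 and Gas (all permitted).
    Returns the decisions the slides reason about."""
    anthony, susan = Analyst("Anthony"), Analyst("Susan")
    for company in ("Bank 1", "Gas"):
        anthony.read(company)
    for company in ("Bank 2", "Gas"):
        susan.read(company)
    return {
        "anthony_writes_gas": anthony.can_write("Gas"),     # would leak Bank 1 data to Susan
        "susan_reads_gas": susan.can_read("Gas"),
        "anthony_reads_bank2": anthony.can_read("Bank 2"),  # same COI class as Bank 1
        "anthony_reads_sanitized": anthony.can_read(SANITIZED),
    }
```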
Compare to Bell-LaPadula
Bell-LaPadula cannot track changes over time
  Susan becomes ill, Anna needs to take over