Upload: doanngoc

Posted on 29-May-2018

Security & Protection

Protection

The processes in an operating system must be protected from one another’s activities.

For that purpose, various mechanisms can be used to ensure that the files, memory segments, CPU, and other resources can be operated on by only those processes that have gained proper authorization from the operating system.

Protection refers to a mechanism for controlling the access of programs, processes, or users to the resources defined by a computer system.

Goals of Protection

Modern protection concepts have evolved to increase the reliability of any complex system that makes use of shared resources.

We need to provide protection for several reasons. The first is the need to prevent mischievous, intentional violation of an access restriction by a user.

Another is the need to ensure that each program component active in a system uses system resources only in ways consistent with stated policies.

• An unprotected resource cannot defend against use by an unauthorized user.

• A protection-oriented system provides means to distinguish between authorized and unauthorized usage.

• The role of protection in a computer system is to provide a mechanism for the enforcement of the policies governing resource use.

• These policies can be established in a variety of ways: some are fixed in the design of the system, others are formulated by the management of a system.

• Policies for resource use may vary by application, and they may change over time.

• Policy is distinct from mechanism. Mechanisms determine how something will be done; policies decide what will be done.

• The separation of policy and mechanism is important for flexibility.

• Policies are likely to change from place to place or from time to time.

Domain of Protection

A computer system is a collection of processes and objects. By objects, we mean both hardware objects (such as CPU, memory segments, printer, disks, and tape drives), and software objects (such as files, programs, and semaphores). Each object has a unique name that differentiates it from all other objects in the system, and each can be accessed only through well-defined and meaningful operations. A process should be allowed to access only those resources for which it has authorization. Furthermore, at any time, a process should be able to access only those resources that it currently requires to complete its task.

Domain Structure

To facilitate this scheme, a process operates within a protection domain, which specifies the resources that the process may access.

Each domain defines a set of objects and the types of operations that may be invoked on each object.

The ability to execute an operation on an object is an access right.

A domain is a collection of access rights, each of which is an ordered pair <object-name, rights-set>.

For example, if domain D has the access right <file F, {read, write}>, then a process executing in domain D can both read and write file F; it cannot, however, perform any other operation on that object.

Domains need not be disjoint; they may share access rights.

For example, in the figure we have three domains: D1, D2, and D3. The access right <O4, {print}> is shared by both D2 and D3, implying that a process executing in either of these two domains can print object O4.

Note that a process must be executing in domain D1 to read and write object O1. On the other hand, only processes in domain D3 may execute object O1.

Each user may be a domain. In this case, the set of objects that can be accessed depends on the identity of the user. Domain switching occurs when the user is changed, generally when one user logs out and another user logs in.

Each process may be a domain. In this case, the set of objects that can be accessed depends on the identity of the process. Domain switching corresponds to one process sending a message to another process and then waiting for a response.

Each procedure may be a domain. In this case, the set of objects that can be accessed corresponds to the local variables defined within the procedure. Domain switching occurs when a procedure call is made.

Access Matrix (Reference from I. A. Dhotre)

The access matrix is used to implement protection, and it can be implemented in various ways. Domains are represented by the rows of the access matrix and objects by its columns. Each entry of the matrix consists of a set of access rights.

The access matrix consists of four domains and four objects: three files and one printer. The summary of the access matrix is as follows.

1) Process in domain D1 can read file F1 and file F3.

2) Process in domain D2 can only use the printer.

3) Process in domain D3 can read file F1 and execute file F3.

4) Process in domain D4 can read and write file F1 and file F3.

• Separates access mechanism from access policy. The mechanism consists of implementing the access matrix. Both hardware and software objects are included in the access matrix. Users normally decide the contents of the access matrix entries.

When a user creates a new object Oj, the column Oj is added to the access matrix. Blank entries indicate no access rights. A process is switched from one domain to another by executing the switch operation on the domain object.

Domain switching is controlled by the user or the operating system. Each entry in the access matrix may be modified individually. A switch from domain Di to domain Dj is possible if and only if the access right switch belongs to access(i, j).

The figure (on the next slide) shows the access matrix with domains as objects. With domains as objects, a process can switch from one domain to another. In the figure, processes change domain as follows.

1) Process in domain D2 can switch to domain D3 and domain D4.

2) Process in domain D4 can switch to domain D1.

3) Process in domain D1 can switch to domain D2.

Access matrices are inefficient for storing access rights in a computer system because they tend to be large and sparse.

A column-oriented list is called an access control list (ACL). Unix uses access control lists for file protection. A row-oriented list is called a capability list; it is kept with the subjects.
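As an added example (not from the slides), the matrix described above, including the domains-as-objects switch rights, expressed in Python with the global-table style lookup, the domain switch test, and the two decompositions: one column gives an object's ACL, one row gives a domain's capability list. Object and domain names follow the slides; the function names are my own.

```python
from typing import Dict, FrozenSet, Tuple

# Constructed from the slides: ACCESS[(domain, object)] = set of rights.
# Domains appear as objects too, so 'switch' rights live in the same
# matrix.  Cells with no key are blank entries, i.e. no access.
ACCESS: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("D1", "F1"): frozenset({"read"}),
    ("D1", "F3"): frozenset({"read"}),
    ("D2", "printer"): frozenset({"print"}),
    ("D3", "F1"): frozenset({"read"}),
    ("D3", "F3"): frozenset({"execute"}),
    ("D4", "F1"): frozenset({"read", "write"}),
    ("D4", "F3"): frozenset({"read", "write"}),
    ("D1", "D2"): frozenset({"switch"}),
    ("D2", "D3"): frozenset({"switch"}),
    ("D2", "D4"): frozenset({"switch"}),
    ("D4", "D1"): frozenset({"switch"}),
}


def allowed(domain: str, obj: str, op: str) -> bool:
    """Global-table style check: find <domain, object, rights-set> and
    test op in rights-set.  A missing triple is a blank cell: deny."""
    return op in ACCESS.get((domain, obj), frozenset())

def switch(domain: str, target: str) -> str:
    """A process in Di may enter Dj only if 'switch' is in access(i, j)."""
    if not allowed(domain, target, "switch"):
        raise PermissionError(f"{domain} may not switch to {target}")
    return target

def acl(obj: str) -> Dict[str, FrozenSet[str]]:
    """Column of the matrix: the object's access control list."""
    return {d: r for (d, o), r in ACCESS.items() if o == obj and r}

def capability_list(domain: str) -> Dict[str, FrozenSet[str]]:
    """Row of the matrix: the capabilities held by the domain."""
    return {o: r for (d, o), r in ACCESS.items() if d == domain and r}

def revoke(obj: str, op: str) -> int:
    """Owner revokes op on obj.  Walking one column is cheap with ACLs;
    with capability lists alone every domain's list must be scanned."""
    hits = [k for k, r in ACCESS.items() if k[1] == obj and op in r]
    for k in hits:
        ACCESS[k] = ACCESS[k] - {op}
    return len(hits)
```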

Implementing Access Matrix

The access matrix is implemented in several ways. Methods for implementing the access matrix are:

1) Global table

2) Access list for objects

3) Capability list

4) A lock-key mechanism

Global Table

This is one of the simplest methods of implementing the access matrix. The global table consists of ordered triples of domain, object and rights set, in the form <domain, object, rights-set>.

If operation P is executed on an object Oj within domain Dj, the global table is searched for a triple <Dj, Oj, Rk> with P ∈ Rk.

If the triple is found, the operation is allowed to continue. If the triple is not found, an exception (error) condition occurs.

Limitations of Global Table

1) The global table is large.

2) The global table cannot be kept in memory, so additional input/output is required.

3) Virtual memory is required.

4) Grouping of objects or domains is not easily possible.

Access List for Objects

The matrix is decomposed by columns, yielding access control lists. For each object, the list names the users (domains) and their permitted access rights. An access control list may contain a default or public entry. Access lists are frequently used in file systems. In systems that employ access lists, a separate list is maintained for each object.

Only the owner has the authority to define and modify the access list. The owner grants or withdraws access for a particular subject or domain by adding or deleting its entry in the access list.

Drawbacks

1) Searching overhead for verification.

2) Weakens protection by opening the file.

3) In the Unix operating system, access lists are reduced to three entries per file, one each for the owner, the group and all other users.

Capability

A capability is a unique, global name for an access right to an object in a system. Decomposition of the access matrix by rows yields capability tickets.

A capability is a token or ticket that gives permission to access a specific object in the specified manner.

A capability list for a domain is a list of objects together with the operations allowed on those objects.

• Capabilities are used in today's operating systems to implement a protection mechanism and to span address spaces among subjects.

A capability serves two purposes: it provides an address for a resource in a very large address space, and possession of the capability represents the authorization of the subject to access the described object.

When a subject obtains a capability, authentication occurs. Once the capability has been issued, it is not necessary for a runtime monitor and the access matrix to check each access.

Properties

1) The values taken on by a capability must be derived from a large name space.

2) Capabilities must be very difficult to guess.

3) Capabilities must be distinguishable from randomly generated bit patterns.

4) Capabilities must be unique and not reused once they have been assigned.

5) Capabilities need to be distinguishable from spurious names.

Capabilities are implemented in one of two ways: either they are wholly implemented within the operating system address space, or the hardware incorporates specialized support for capabilities.
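An added example of the five properties above in software, not from the slides: a capability server (my own construction) that makes each ticket an HMAC-tagged token, so it is drawn from a large name space, hard to guess, rejected when forged or random, unique per grant, and revocable. The HMAC-SHA256 construction, the token layout and the class and method names are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Set


class CapabilityServer:
    """Issues and checks capabilities of the form object|rights|nonce|tag,
    where tag = HMAC-SHA256 over the rest (an assumed construction, not
    one the slides prescribe)."""

    def __init__(self, key: bytes = b""):
        # Secret held by the OS only; subjects never see it, so they
        # cannot mint or alter capabilities.
        self._key = key or secrets.token_bytes(32)
        self._revoked: Set[bytes] = set()

    def _tag(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()

    def issue(self, obj: str, rights: Set[str]) -> bytes:
        """A fresh 128-bit nonce gives a large name space, makes the value
        unguessable and keeps two grants for the same rights distinct
        (properties 1, 2 and 4)."""
        body = f"{obj}|{','.join(sorted(rights))}|{secrets.token_hex(16)}".encode()
        return body + b"|" + self._tag(body)

    def check(self, cap: bytes, obj: str, op: str) -> bool:
        """No access-matrix lookup: the tag alone authenticates the ticket.
        Malformed or random bit patterns, forged rights and tokens from
        another issuer (spurious names) all fail here (properties 3, 5)."""
        try:
            body, tag = cap.rsplit(b"|", 1)
            o, rights, _nonce = body.decode().split("|")
        except ValueError:
            return False
        if not hmac.compare_digest(tag, self._tag(body)):
            return False
        return cap not in self._revoked and o == obj and op in rights.split(",")

    def revoke(self, cap: bytes) -> None:
        """Revocation is the weak spot: the server must remember the token,
        since copies may be anywhere in user space."""
        self._revoked.add(cap)
```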

Capabilities are usually distinguished from other data in one of two ways.

1. Each object has a tag to denote its type as either a capability or accessible data.

2. The address space associated with a program is split into two parts. A segmented memory space is useful to support this approach.

Lock-Key Mechanism

The lock-and-key method associates a lock with each object in the system and a key that is held by a domain. This method is a compromise between access lists and capability lists.

Locks and keys are unique bit patterns; a specific key unlocks a single lock.

When a process tries to access an object, the operating system checks whether the domain holds a key for that object.

Keys can be copied from one domain to another, or from one object to a domain, in a variety of ways.

Comparison

All of these have advantages and disadvantages. Access lists are good for the user and are easy to manage. It is easy for an owner to remove access rights to an object for a given domain. If there are many domains in the system, the access list can get very long. Also, there has to be a unique access list for every object; capability lists, on the other hand, require far fewer lists in general. However, with capability lists it is much more difficult for an object owner to remove access rights, because it would have to check all of the capability lists to see whether a given domain has access. Key lists are flexible, but again key lists can be very long. Revocation of capabilities may be inefficient. Most systems use a combination of access lists and capabilities.

User Authentication

Passwords

Password vulnerabilities

Encrypted passwords

One-time passwords

Biometrics

Program Threats

Trojan Horse

A Trojan horse is a malicious program that is disguised as legitimate software.

Like the gift horse left outside the gates of Troy by the Greeks, Trojan horses appear to be useful or interesting to an unsuspecting user, but are actually harmful.

Types of Trojans

• erasing or overwriting data on a computer

• corrupting files in a subtle way

• spreading other malware, such as viruses (in this case the Trojan horse is called a 'dropper')

• setting up networks of zombie computers in order to launch DoS attacks or send spam

• logging keystrokes to steal information such as passwords and credit card numbers (known as a key logger)

• phishing for bank or other account details, which can be used for criminal activities

• installing a backdoor on a computer system

Virus

A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user.

“A program that replicates by ‘infecting’ other programs, so that they contain a copy of the virus.”

Worms

Worms are a subset of viruses.

They differ in the method of attachment: rather than attaching to a file like a virus, a worm copies itself across the network without attachment.

A worm infects the environment rather than specific objects.

Examples: Morris Worm, WANK, CHRISTMA EXEC.
