Khoa học máy tính - Chapter 15: Security and protection

Chapter 15Security and ProtectionCopyright © 20081Operating Systems, by Dhananjay Dhamdhere*IntroductionOverview of Security and ProtectionSecurity AttacksFormal Aspects of SecurityEncryptionAuthentication and Password SecurityProtection StructuresProtection DomainCapabilitiesClassifications of Computer SecurityCase Studies in Security and Protection2Operating Systems, by Dhananjay Dhamdhere*Overview of Security and ProtectionA threat is a possible form of interferenceSecurity: threats to resources from nonusersProtection: threats from users3Operating Systems, by Dhananjay Dhamdhere*Overview of Security and Protection (continued)4Operating Systems, by Dhananjay Dhamdhere*Overview of Security and Protection (continued)5Operating Systems, by Dhananjay Dhamdhere*Goals of Security and ProtectionOnly privacy is exclusively a protection concernControlled sharing based on need-to-know principle6Operating Systems, by Dhananjay Dhamdhere*Security and Protection ThreatsExamples of security threats:Threats raised by data and programs downloaded from the InternetExamples of protection threats:Illegal access to a resource or a service by a processAn attempt to tamper with messagesSecurity threats can arise more easily in a distributed OS7Operating Systems, by Dhananjay Dhamdhere*Security AttacksSecurity attack: attempt to breach security of a systemTerminology: security attacks, adversary, intruderTwo common forms of security attacks are:Masquerading: assume identity of a registered user through illegitimate meansDenial of service (DoS)Prevent users from accessing resources for which they possess access privilegesNetwork DoS attack, distributed DoS attackOther types of attacks:Message eavesdroppingTampering with messages8Operating Systems, by Dhananjay Dhamdhere*Trojan Horses, Viruses, and WormsTrojan horses, viruses, and worms contain code that can launch a security attack when activated9Operating Systems, by Dhananjay Dhamdhere*Trojan Horses, Viruses, and Worms (continued)A virus typically sets up a back door that can be exploited for a destructive purpose at a later dateE.g., executable virus, boot-sector virus, e-mail virusWorms may spread using buffer overflow techniqueMeasures to foil security attacks:Using caution while loading new programs into a computerUsing antivirus programsPlugging security holes10Operating Systems, by Dhananjay Dhamdhere*The Buffer Overflow Technique11Operating Systems, by Dhananjay Dhamdhere*Formal Aspects of SecurityTo formally prove a system is secure, we need:A security model comprising security policies and mechanismsA list of threatsA list of fundamental attacksA proof methodologyManual procedures can discover security flawsBut procedures become less reliable as systems growFormal approach constructs feasible sequences of operations and deduces their consequencesBut hard to develop specification of a system and threats12Operating Systems, by Dhananjay Dhamdhere*EncryptionEncryption: application of an algorithmic transformation to dataCryptography deals with encryption techniquesPlaintext is transformed to encrypted/ciphertext formConfidentiality provided through encryption also helps to verify integrity of dataTwo types: symmetric and asymmetric13Operating Systems, by Dhananjay Dhamdhere*14Operating Systems, by Dhananjay Dhamdhere*15Operating Systems, by Dhananjay Dhamdhere*Attacks on Cryptographic SystemsAn attack on a cryptographic system consists of a series of attempts to find the decryption function DkQuality of encryption: ability to withstand attacksAim: perform high-quality encryption at a low costEncryption quality is best if Ek is a one-way functionAttacks:Exhaustive attackCiphertext only attackKnown plaintext attackChosen plaintext attack16Operating Systems, by Dhananjay Dhamdhere*Encryption TechniquesSimplest encryption technique: substitution cipherCan be broken using a frequency analysisHow to mask features of plaintext during encryption? Use Shannon’s principles ofConfusionDiffusion17Block cipher:A block of plaintext replaced by a block of ciphertextExtension of the classical substitution cipherSimple to implementVulnerable to:Frequency analysis Known plaintext Chosen plaintext attacksOperating Systems, by Dhananjay Dhamdhere*Encryption Techniques (continued)18Operating Systems, by Dhananjay Dhamdhere*Encryption Techniques (continued)Stream cipher:Transformation involves a few bits of the plaintext and an equal number of bits of the encryption keyFaster than a block cipherExamples: vernam cipher, one-time pad, ciphertext autokey, self-synchronizing cipher, RC419Operating Systems, by Dhananjay Dhamdhere*Encryption Techniques (continued)Data Encryption Standard (DES)56-bit key to encrypt 64-bit data blocksCipher block chaining (CBC) mode used to overcome problem of poor diffusionSteps: permutation, transformation, permutationTriple DES contains three applications of DES20Operating Systems, by Dhananjay Dhamdhere*Encryption Techniques (continued)Advanced Encryption Standard (AES)Variant of RijndaelUses only substitutions and permutationsBlock size of 128 bits Keys of 128, 192, or 256 bitsEach round consists of:Byte substitutionShifting of rowsMixing of columnsKey addition21Operating Systems, by Dhananjay Dhamdhere*Authentication and Password SecurityAuthentication typically performed using passwords22Operating Systems, by Dhananjay Dhamdhere*Protection StructuresProtection structure: classical name for the authorization databaseAccess privilege (for a file): right to make a specific form of access to the fileAccess descriptor: representation of a collection of access privileges for a fileAccess control information (for a file): collection of access descriptors23Operating Systems, by Dhananjay Dhamdhere*Granularity of ProtectionUsers desire medium- or fine-grained protection Lead to a large size of the protection structureOSs resort to coarse-grained protection to reduce size of the protection structure24Operating Systems, by Dhananjay Dhamdhere*Access Control MatrixAn access control matrix is a protection structure that provides efficient access to:Access privileges of users to various filesAccess control information for files25Operating Systems, by Dhananjay Dhamdhere*Access Control Lists (ACLs)ACL of a file is a representation of its access control informationContains the non-null entries that the file’s column would have contained in the ACM26Operating Systems, by Dhananjay Dhamdhere*Capability Lists (C-lists)A C-list represents access privileges of a user to various files in the systemContains the non-null entries that the user’s row in the ACM would have contained27Operating Systems, by Dhananjay Dhamdhere*Protection DomainUse of access control matrix, ACL, or C-list used to confer access privileges on users achieves secrecyPrivacy goal requires that information should be used only for intended purposesAccess privileges granted to a protection domain A process operates “within” a protection domainIt can switch domains during operation28Operating Systems, by Dhananjay Dhamdhere*CapabilitiesA capability is a token representing some access privileges for an objectAn object is any HW or SW entity in the system29Operating Systems, by Dhananjay Dhamdhere*Capability-Based Computer SystemsCapability-based computer systems implement capability-based addressing and protection for all objects in systemMany capability-based systems built for researchIntel iapx-432 was a capability-based commercial system30Operating Systems, by Dhananjay Dhamdhere*Capability-Based Computer Systems (continued)31Operating Systems, by Dhananjay Dhamdhere*Software CapabilitiesThe OS for a non-capability-based computer can implement capabilities in softwareManipulation and protection of objects performed by part of kernel called object manager (OM)Two problems:Process may be able to bypass the capability-based protection arrangement while accessing objectsIt may be able to tamper with or fabricate capabilitiesProblems solves through encryption of object table and capabilities32Operating Systems, by Dhananjay Dhamdhere*Problem Areas in the Use of CapabilitiesUse of capabilities has three practical problems:Need for garbage collectionConfinement of capabilitiesRevocation of capabilities33Operating Systems, by Dhananjay Dhamdhere*Classifications of Computer Security34Operating Systems, by Dhananjay Dhamdhere*Case Studies in Security and ProtectionMULTICSUnixLinuxSecurity and Protection in Windows35Operating Systems, by Dhananjay Dhamdhere*MULTICS64 protection domains organized as concentric ringsComplex protection structureIncurs substantial execution overhead due to checks made at a procedure call36Operating Systems, by Dhananjay Dhamdhere*UnixEmploys encryption for password securityCan use shadow passwords file accessible only to rootThree user classes: owner, group, and other users3-bit bit-encoded access descriptor for each user classSetuid permits change of protection domain37Operating Systems, by Dhananjay Dhamdhere*LinuxAuthenticates user at login time by adding a “salt” value to password and encrypting result with MD5May use a shadow passwords file only to the rootProvides pluggable authentication modules (PAMs)File access protection based on user id and group id of a processSystem calls fsuid and fsgid can be used by server to temporarily assume identity of its clientSupports Linux security modules (LSM)Security Enhanced Linux (SELinux)38Operating Systems, by Dhananjay Dhamdhere*Security and Protection in WindowsSeveral elements of C2- and B2-class systemsDiscretionary access controlObject reuse protectionAuditing of security-related eventsSecurity reference monitor (SRM) that enforces access controlTrusted path for authenticationDefeats masquerading attacks through a Trojan horseAn object file has a security descriptorID, DACL, and SACL39Operating Systems, by Dhananjay Dhamdhere*Security and Protection in Windows (continued)DACL, SACL are lists of access control entries (ACEs)An ACE allows or disallows certain kinds of accessesSACL is used to generate an audit logClient–server security through access tokensImpersonation feature using impersonation tokensSecurity features added in Vista:Defeats buffer overflow attacks in X-86 architecturesDetecting heap corruptionPreventing access to system codePreventing misuse of privilegesNetwork access protection40Operating Systems, by Dhananjay Dhamdhere*SummarySecurity and protection measures are used to counter interference threatsUse authentication and authorization techniquesThreats launched using Trojan horses, viruses, worms, and exploitation of buffer overflowsEncryption is an algorithmic transformation of dataBlock ciphers and stream ciphersWidely used encryption standards: DES and AESAccess control lists, capability lists, and protection domains are protection structuresTCSEC is a security classification41