Chapter 9: Protection and Security

„ Goals of Protection „ The Security Problem

Chapter 9: Protection and „ Principles of Protection „ Program Threats

„ Domain of Protection „ System and Network Threats
Security „ Access Matrix „ Cryptography as a Security
„ Implementation of Access Tool
Matrix „ User Authentication
„ Access Control „ Implementing Security
„ Revocation of Access Rights Defenses

„ Capability-Based Systems „ Firewalling to Protect Systems

and Networks
„ Language-Based
g g Protection
„ Computer-Security
C t S it
Classifications
„ An Example: Windows XP

Operating System Concepts – 8th Edition, Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.2 Silberschatz, Galvin and Gagne ©2009

Objectives Goals of Protection

„ Discuss the goals and principles of protection in a modern computer system „ Operating system consists of a collection of objects, hardware or software
„ Explain
E l i h how protection
t ti d domains
i combined
bi d with
ith an access matrix
t i are used
d
to specify the resources a process may access „ Each object has a unique name and can be accessed through a well-
„ Examine capability and language-based protection systems defined set of operations

„ To discuss security threats and attacks

„ Protection problem - ensure that each object is accessed correctly and only
„ To explain the fundamentals of encryption, authentication, and hashing by those processes that are allowed to do so
„ To examine the uses of cryptography in computing
„ To describe the various countermeasures to security attacks

Operating System Concepts – 8th Edition 9.3 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.4 Silberschatz, Galvin and Gagne ©2009
 Principles of Protection Domain Structure
„ Guiding principle – principle of least privilege „ Access-right = <object-name, rights-set>
z Programs, users and
P d systems
t should
h ld bbe given
i jjustt enough
h privileges
i il tto where rights-set is a subset of all valid operations that can be performed on
perform their tasks the object.

„ Domain
D i = sett off access-rights
i ht

Operating System Concepts – 8th Edition 9.5 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.6 Silberschatz, Galvin and Gagne ©2009

Domain Implementation (UNIX) Access Matrix

„ System consists of 2 domains: „ View protection as a matrix (access matrix)
z U
User „ Rows
R representt domains
d i
z Supervisor „ Columns represent objects
Access(i j) is the set of operations that a process executing in Domaini can
„ Access(i,
„ UNIX invoke on Objectj
z Domain = user-id
z Domain switch accomplished via file system
 Each file has associated with it a domain bit (setuid bit)
 When file is executed and setuid = on,
on then user
user-id
id is set to owner of
the file being executed. When execution completes user-id is reset

Operating System Concepts – 8th Edition 9.7 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.8 Silberschatz, Galvin and Gagne ©2009
 Use of Access Matrix Use of Access Matrix (Cont)
„ If a process in Domain Di tries to do “op” on object Oj, then “op” must be in „ Access matrix design separates mechanism from policy
the access matrix z M h i
Mechanism
 Operating system provides access-matrix + rules
„ Can be expanded to dynamic protection
 If ensures that the matrix is only manipulated by authorized agents
z Operations to add, delete access rights and that rules are strictly enforced
z Special access rights: z Policy
 owner of Oi  User dictates policy
 copy op from Oi to Oj  Who can access what object and in what mode
 control – Di can modify
y Dj access rights
g
 transfer – switch from domain Di to Dj

Operating System Concepts – 8th Edition 9.9 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.10 Silberschatz, Galvin and Gagne ©2009

Access Matrix of Figure A With Domains as Objects

Implementation of Access Matrix
„ Each column = Access-control list for one object
Defines who can perform what operation.
Domain 1 = Read, Write
Domain 2 = Read
Domain 3 = Read

M
„ Each Row = Capability
p y List ((like a key)
y)
Fore each domain, what operations allowed on what objects.
Object 1 – Read
Object
j 4 – Read, Write, Execute
Object 5 – Read, Write, Delete, Copy

Figure B

Operating System Concepts – 8th Edition 9.11 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.12 Silberschatz, Galvin and Gagne ©2009
 Access Matrix with Copy Rights Access Matrix With Owner Rights

Operating System Concepts – 8th Edition 9.13 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.14 Silberschatz, Galvin and Gagne ©2009

Modified Access Matrix of Figure B Access Control

„ Protection can be applied to non-file resources
„ Solaris
S l i 10 provides
id role-based
l b d access control
t l (RBAC) to
t implement
i l t least
l t
privilege
z Privilege is right to execute system call or use an option within a system
call
z Can be assigned to processes
z Users assigned roles granting access to privileges and programs

Operating System Concepts – 8th Edition 9.15 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.16 Silberschatz, Galvin and Gagne ©2009
 Revocation of Access Rights Capability-Based Systems
„ Access List – Delete access rights from access list „ Hydra
z Si l
Simple z Fi d sett off access rights
Fixed i ht known
k to
t and
d interpreted
i t t d by
b the
th system
t
z Immediate z Interpretation of user-defined rights performed solely by user's program;
system provides access protection for use of these rights
„ Capability List – Scheme required to locate capability in the system before
capability can be revoked „ Cambridge CAP System
z Reacquisition z Data capability - provides standard read
read, write
write, execute of individual
z Back-pointers storage segments associated with object

z Indirection z Software capability -interpretation left to the subsystem, through its

protected procedures
z Keys

Operating System Concepts – 8th Edition 9.17 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.18 Silberschatz, Galvin and Gagne ©2009

Language-Based Protection The Security Problem

„ Specification of protection in a programming language allows the high-level „ Security must consider external environment of the system, and protect the
description of policies for the allocation and use of resources system resources
„ Intruders (crackers) attempt to breach security
„ Language implementation can provide software for protection enforcement „ Threat is potential security violation
when
h automatic
t ti hardware-supported
h d t d checking
h ki iis unavailable
il bl
„ Attack is attempt to breach security

„ Interpret protection specifications to generate calls on whatever protection „ Attack can be accidental or malicious
system is provided by the hardware and the operating system „ Easier to protect against accidental than malicious misuse

Operating System Concepts – 8th Edition 9.19 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.20 Silberschatz, Galvin and Gagne ©2009
 Security Violations Standard Security Attacks
„ Categories
z B
Breach
h off confidentiality
fid ti lit
z Breach of integrity
z Breach of availability
z Theft of service
z Denial of service
„ Methods
z Masquerading (breach authentication)
z Replay attack
 Message modification
z Man-in-the-middle attack
z Session hijacking

Operating System Concepts – 8th Edition 9.21 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.22 Silberschatz, Galvin and Gagne ©2009

Security Measure Levels Program Threats

„ Security must occur at four levels to be effective: „ Trojan Horse
z Ph i l
Physical z Code segment that misuses its environment
z Exploits mechanisms for allowing programs written by users to be executed by
z Human
other users
 Avoid social engineering
engineering, phishing
phishing, dumpster diving z S
Spyware, pop-up browser
b windows,
i d covertt channels
h l
z Operating System „ Trap Door
z Network z Specific user identifier or password that circumvents normal security procedures
„ Security is as weak as the weakest link in the chain z Could be included in a compiler
„ Logic Bomb
z Program that initiates a security incident under certain circumstances
„ Stack and Buffer Overflow
z Exploits a bug in a program (overflow either the stack or memory buffers)

Operating System Concepts – 8th Edition 9.23 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.24 Silberschatz, Galvin and Gagne ©2009
 Program Threats (Cont.) Program Threats (Cont.)
„ Viruses „ Virus dropper inserts virus onto the system
z C d ffragmentt embedded
Code b dd d iin llegitimate
iti t program „ Many
M categories
t i off viruses,
i literally
lit ll many th
thousands
d off viruses
i
z Very specific to CPU architecture, operating system, applications z File
z Usually borne via email or as a macro z Boot
 Visual Basic Macro to reformat hard drive z Macro
Sub AutoOpen() z Source code
Dim oFS z Polymorphic
Set oFS = CreateObject(’’Scripting.FileSystemObject’’)
z Encrypted
vs = Shell(
Shell(’’c:command.com
c:command.com /k format c:’’,vbHide)
c: ,vbHide)
z Stealth
End Sub
z Tunneling
z Multipartite
z Armored

Operating System Concepts – 8th Edition 9.25 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.26 Silberschatz, Galvin and Gagne ©2009

A Boot-sector Computer Virus System and Network Threats

„ Worms – use spawn mechanism; standalone program
„ Internet
I t t worm
z Exploited UNIX networking features (remote access) and bugs in finger
and sendmail programs
z Grappling hook program uploaded main worm program
„ Port scanning
z Automated attempt to connect to a range of ports on one or a range of
IP addresses
„ Denial of Service
z Overload the targeted computer preventing it from doing any useful
work
z Di t ib t d d
Distributed denial-of-service
i l f i (DDOS) come ffrom multiple
lti l sites
it att once

Operating System Concepts – 8th Edition 9.27 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.28 Silberschatz, Galvin and Gagne ©2009
 The Morris Internet Worm Cryptography as a Security Tool
„ Broadest security tool available
z S
Source anddd
destination
ti ti off messages cannott be
b trusted
t t d without
ith t
cryptography
z Means to constrain potential senders (sources) and / or receivers
(destinations) of messages
„ Based on secrets (keys)

Operating System Concepts – 8th Edition 9.29 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.30 Silberschatz, Galvin and Gagne ©2009

Secure Communication over Insecure Medium Encryption

„ Encryption algorithm consists of
z Set of K keys
z Set of M Messages
z Set of C ciphertexts (encrypted messages)
z ) That is,, for each k ∈ K,, E(k)
A function E : K → ((M→C). ( ) is a function for g
generating
g
ciphertexts from messages
 Both E and E(k) for any k should be efficiently computable functions
z A function D : K → (C → M). That is, for each k ∈ K, D(k) is a function for generating
messages from ciphertexts
 Both D and D(k) for any k should be efficiently computable functions
„ An encryption algorithm must provide this essential property: Given a ciphertext c ∈ C, a computer
can compute m such that E(k)(m) = c only if it possesses D(k).
z Thus, a computer holding D(k) can decrypt ciphertexts to the plaintexts used to produce
them, but a computer not holding D(k) cannot decrypt ciphertexts
z Since ciphertexts are generally exposed (for example, sent on the network), it is important
( ) from the ciphertexts
that it be infeasible to derive D(k) p

Operating System Concepts – 8th Edition 9.31 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.32 Silberschatz, Galvin and Gagne ©2009
 Symmetric Encryption Asymmetric Encryption
„ Same key used to encrypt and decrypt „ Public-key encryption based on each user having two keys:
z E(k) can b
be d
derived
i d ffrom D(k),
D(k) and
d vice
i versa z public
bli kkey – published
bli h d kkey used
d tto encryptt d
data
t
„ DES is most commonly used symmetric block-encryption algorithm (created z private key – key known only to individual user used to decrypt data
by US Govt) „ Must be an encryption scheme that can be made public without making it
z Encrypts a block of data at a time easy to figure out the decryption scheme
„ Triple-DES considered more secure z Most common is RSA block cipher
„ Advanced Encryption Standard (AES), twofish up and coming z Efficient algorithm for testing whether or not a number is prime
„ RC4 is most common symmetric stream cipher, but known to have z No efficient algorithm is know for finding the prime factors of a number
vulnerabilities
z Encrypts/decrypts a stream of bytes (i.e wireless transmission)
z Key is a input to psuedo-random-bit generator
 Generates an infinite keystream

Operating System Concepts – 8th Edition 9.33 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.34 Silberschatz, Galvin and Gagne ©2009

Asymmetric Encryption (Cont.) Asymmetric Encryption Example

„ Formally, it is computationally infeasible to derive D(kd , N) from E(ke „ For example. make p = 7and q = 13
N) and so E(ke , N) need not be kept secret and can be widely
, N), „ We
W then
th calculate
l l t N = 7‫כ‬13
7 13 = 91 and
d ((p−1)(q−1)
1)( 1) = 72
disseminated „ We next select ke relatively prime to 72 and< 72, yielding 5
z ( e , N)) (or
E(k ( just
j ke) is the p
public key
y „ Finally,we
Finally we calculate kd such that kekd mod 72 = 1,
1 yielding 29
z D(kd , N) (or just kd) is the private key „ We how have our keys
z N is the product of two large, randomly chosen prime numbers p z Public key, ke,, N = 5, 91
and q (for example, p and q are 512 bits each) z Private key, kd , N = 29, 91
z Encryption algorithm is E(ke , N)(m) = mke mod N, where ke „ Encrypting the message 69 with the public key results in the cyphertext 62
satisfies kekd mod (p
(p−1)(q
1)(q −1)
1) = 1 „ Cyphertext can be decoded with the private key
z The decryption algorithm is then D(kd , N)(c) = ckd mod N z Public key can be distributed in cleartext to anyone who wants to
communicate with holder of ppublic key y

Operating System Concepts – 8th Edition 9.35 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.36 Silberschatz, Galvin and Gagne ©2009
 Encryption and Decryption using RSA
Asymmetric Cryptography Cryptography (Cont.)
„ Note symmetric cryptography based on transformations, asymmetric based
on mathematical functions
z Asymmetric much more compute intensive
z Typically not used for bulk data encryption

Operating System Concepts – 8th Edition 9.37 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.38 Silberschatz, Galvin and Gagne ©2009

Authentication Authentication (Cont.)

„ Constraining set of potential senders of a message „ For a message m, a computer can generate an authenticator a ∈ A such
z Complementary and sometimes redundant to encryption that V(k)(m,
V(k)(m a) = true only if it possesses S(k)
z Also can prove message unmodified „ Thus, computer holding S(k) can generate authenticators on messages so
„ Algorithm components that any other computer possessing V(k) can verify them
z A set K of keys „ Computer not holding S(k) cannot generate authenticators on messages
z A set M of messages that can be verified using V(k)
z A set A of authenticators „ Since authenticators are generally exposed (for example, they are sent on
z A function S : K → (M→ A) the network with the messages themselves), it must not be feasible to
derive S(k) from the authenticators
 That is, for each k ∈ K, S(k) is a function for generating authenticators from
messages
 Both S and S(k) for any k should be efficiently computable functions
z A function V : K → (M× A→ {true, false}). That is, for each k ∈ K, V(k) is a
f
function
ti for
f verifying
if i authenticators
th ti t on messages
 Both V and V(k) for any k should be efficiently computable functions

Operating System Concepts – 8th Edition 9.39 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.40 Silberschatz, Galvin and Gagne ©2009
 Authentication – Hash Functions Authentication – Digital Signature
„ Basis of authentication „ Based on asymmetric keys and digital signature algorithm
„ Creates
C t small,
ll fifixed-size
d i bl block
k off d
data
t ((message digest,
di t hhash
h value)
l ) ffrom m „ A th ti t
Authenticators d are digital
produced
d di it l signatures
i t
„ Hash Function H must be collision resistant on m „ In a digital-signature algorithm, computationally infeasible to derive S(ks ) from V(kv)
z V is a one-way function
z Must be infeasible to find an m
m’ ≠ m such that H(m) = H(m
H(m’))
z Thus, kv is the public key and ks is the private key
„ If H(m) = H(m’), then m = m’
„ Consider the RSA digital-signature algorithm
z The message has not been modified
z Similar to the RSA encryption algorithm
algorithm, but the key use is reversed
„ Common message-digest functions include MD5, which produces a 128-bit z Digital signature of message S(ks )(m) = H(m)ks mod N
hash, and SHA-1, which outputs a 160-bit hash
z The key ks again is a pair d, N, where N is the product of two large, randomly
chosen
h prime
i numbers
b p anddq
z Verification algorithm is V(kv)(m, a) ≡ (akv mod N = H(m))
 Where kv satisfies kvks mod (p − 1)(q − 1) = 1

Operating System Concepts – 8th Edition 9.41 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.42 Silberschatz, Galvin and Gagne ©2009

Authentication (Cont.) Key Distribution

„ Why authentication if a subset of encryption? „ Delivery of symmetric key is huge challenge
z F
Fewer computations
t ti (except
( t for
f RSA digital
di it l signatures)
i t ) z S
Sometimes
ti d
done out-of-band
t fb d
z Authenticator usually shorter than message „ Asymmetric keys can proliferate – stored on key ring
z Sometimes want authentication but not confidentiality z Even asymmetric key distribution needs care – man
man-in-the-middle
in the middle attack
 Signed patches et al
z Can be basis for non-repudiation

Operating System Concepts – 8th Edition 9.43 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.44 Silberschatz, Galvin and Gagne ©2009
 Man-in-the-middle Attack on Asymmetric
Cryptography Digital Certificates
„ Proof of who or what owns a public key
„ Public
P bli kkey di
digitally
it ll signed
i d a ttrusted
t d party
t
„ Trusted party receives proof of identification from entity and certifies that
public key belongs to entity
„ Certificate authority are trusted party – their public keys included with web
browser distributions
z They vouch for other authorities via digitally signing their keys
keys, and so
on

Operating System Concepts – 8th Edition 9.45 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.46 Silberschatz, Galvin and Gagne ©2009

Encryption Example - SSL User Authentication

„ Insertion of cryptography at one layer of the ISO network model (the „ Crucial to identify user correctly, as protection systems depend on user ID
transport layer)
„ User
U id
identity
tit mostt often
ft established
t bli h d th
through
h passwords,
d can be
b considered
id d
„ SSL – Secure Socket Layer (also called TLS) a special case of either keys or capabilities
„ Cryptographic protocol that limits two computers to only exchange
z Also can include something user has and /or a user attribute
messages with each other
„ Passwords must be kept secret
z Very complicated, with many variations
„ Used between web servers and browsers for secure communication (credit z Frequent change of passwords
card
d numbers)
b ) z Use of “non-guessable” passwords
„ The server is verified with a certificate assuring client is talking to correct z Log all invalid access attempts
server
„ Asymmetric cryptography used to establish a secure session key
(symmetric encryption) for bulk of communication during session „ Passwords may also either be encrypted or allowed to be used only once
„ Communication between each computer p theb uses symmetric
y keyy
cryptography

Operating System Concepts – 8th Edition 9.47 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.48 Silberschatz, Galvin and Gagne ©2009
 Implementing Security Defenses Firewalling to Protect Systems and Networks

„ Defense in depth is most common security theory – multiple layers of „ A network firewall is placed between trusted and untrusted hosts
security The firewall limits network access between these two security domains
z
„ Security policy describes what is being secured „ Can be tunneled or spoofed
„ Vulnerability assessment compares real state of system / network Tunneling allows disallowed protocol to travel within allowed protocol
z
compared to security policy (i.e. telnet inside of HTTP)
„ Intrusion detection endeavors to detect attempted or successful intrusions z Firewall rules typically based on host name or IP address which can be
z Signature-based detection spots known bad patterns spoofed
z Anomaly detection spots differences from normal behavior „ Personal firewall is software layer on given host
 Can detect zero-day attacks z Can monitor / limit traffic to and from the host
z False positives and false-negatives
False-positives false negatives a problem „ Application proxy firewall understands application protocol and can control
„ Virus protection them (i.e. SMTP)
„ Auditing, accounting, and logging of all or specific system or network „ System-call firewall monitors all important system calls and apply rules to
activities
ti iti them (i.e.
(i e this program can execute that system call)

Operating System Concepts – 8th Edition 9.49 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.50 Silberschatz, Galvin and Gagne ©2009

Network Security Through Domain Separation Via Firewall Computer Security Classifications
„ U.S. Department of Defense outlines four divisions of computer security: A,
C and D
B C,
B,
„ D – Minimal security
„ C – Provides discretionary protection through auditing
z Divided into C1 and C2
 C1 identifies cooperating users with the same level of protection
 C2 allows user-level access control
„ B – All the properties of C, however each object may have unique sensitivity
labels
z Divided into B1, B2, and B3
„ A – Uses formal design and verification techniques to ensure security

Operating System Concepts – 8th Edition 9.51 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition 9.52 Silberschatz, Galvin and Gagne ©2009
 Example: Windows XP

„ Security is based on user accounts

z Each user has unique security ID
z Login to ID creates security access token
 Includes security ID for user
user, for user’s
user s groups
groups, and special
privileges
 Every process gets copy of token
 System checks token to determine if access allowed or denied
„ Uses a subject model to ensure access security. A subject tracks and
manages permissions for each program that a user runs
„ Each object in Windows XP has a security attribute defined by a
security descriptor
z For example, a file has a security descriptor that indicates the
access permissions for all users

Operating System Concepts – 8th Edition 9.53 Silberschatz, Galvin and Gagne ©2009