Post on 29-Nov-2014
Security & Protection In Operating System
Muhammad Usman Zia Akram, Abu Bakr Ashraf, Fajjar Ul Islam Bilal, Bilal Tahir
Contents
What is Security and Protection?
Protection Mechanism
Threat and Threat Monitoring
Attack Techniques
Authentication Mechanism
Protection System
Protection Problems
Features of a Secure OS
What is Security in OS……
Issues external to the OS: authentication of users, validation of messages, malicious or accidental introduction of flaws, etc.
What is Protection in OS……
Mechanisms and policy to keep programs and users from accessing or changing things they should not
Internal to OS
Protection and Security
Operating system consists of a collection of objects, hardware or software
Each object has a unique name and can be accessed through a well-defined set of operations (hopefully)
Protection and security problem - ensure that each object is accessed correctly and only by those processes of authorized users that are allowed to do so
Protection and Security – cont.
OS designer faces challenge of creating a protection scheme that cannot be bypassed by any software that may be created in the future
Networking adds to the problem as it allows access to a computer and its resources without being in the same physical location
Security Goals
(Diagram: Processes A, B and C on Machines X and Y access Resources W, X, Y and Z with read or read/write permission)
• Authentication
• Authorization
Security Kernel
Responsible for implementing the security mechanisms of the entire operating system.
Provides the security interfaces among the hardware, the operating system, and the other parts of the computing system.
Implementation of a security kernel:
  May degrade system performance (one more layer).
  May be large.
  No guarantees.
Security
The security environment
User authentication
Attacks from inside the system
Attacks from outside the system
Protection mechanisms
Trusted systems
Security environment: threats
Operating systems have goals: Confidentiality, Integrity, Availability
Someone attempts to subvert the goals: for fun, or for commercial gain

Goal                  Threat
Data confidentiality  Exposure of data
Data integrity        Tampering with data
System availability   Denial of service
What kinds of intruders are there?
Casual prying by nontechnical users – curiosity
Snooping by insiders – often motivated by curiosity or money
Determined attempt to make money – may not even be an insider
Commercial or military espionage – this is very big business!
Accidents cause problems, too…
Acts of God
Fires
Earthquakes
Wars (is this really an “act of God”?)
Hardware or software error
CPU malfunction
Disk crash
Program bugs (hundreds of bugs found in the most recent Linux kernel)
Human errors
Data entry
Wrong tape mounted
User authentication
Problem: how does the computer know who you are?
Solution: use authentication to identify
Something the user knows
Something the user has
Something the user is
This must be done before user can use the system
Important: from the computer’s point of view…
Anyone who can duplicate your ID is you
Fooling a computer isn’t all that hard…
Authentication using passwords
Successful login lets the user in. If things don't go so well:
  Login rejected after name entered
  Login rejected after name and incorrect password entered
Don't notify the user of an incorrect user name until after the password is entered! Early notification can make it easier to guess valid user names.

(a) successful login:
Login: elm
Password: foobar
Welcome to Linux!

(b) login rejected after name entered (reveals that "jimp" is not a user):
Login: jimp
User not found!
Login:

(c) login rejected after name and incorrect password entered:
Login: elm
Password: barfle
Invalid password!
Login:
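The rule above in code, as an added example that is not part of the original slides: the name and password are checked together, an unknown name is run through the same hash computation as a real one, and both failures return the same message, so the dialog of case (b) can no longer be used to enumerate accounts. The user store and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 so a stolen user store does not yield passwords directly
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store (hypothetical): username -> (salt, password hash)
_SALT = os.urandom(16)
USERS = {"elm": (_SALT, _hash("foobar", _SALT))}

# Dummy record verified when the name is unknown, so an unknown name costs the
# same time and produces the same message as a wrong password for a real name
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash("not-a-real-password", _DUMMY_SALT))

def login(name: str, password: str) -> tuple:
    """Check name and password together; never reveal which one was wrong."""
    salt, stored = USERS.get(name, _DUMMY)
    match = hmac.compare_digest(_hash(password, salt), stored)
    if match and name in USERS:
        return (True, "Welcome to Linux!")
    return (False, "Login incorrect")   # same text for unknown user and bad password
```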
Example: Windows XP
Security is based on user accounts; each user has a unique security ID
Login to an ID creates a security access token
  Includes the security ID for the user, for the user's groups, and special privileges
Every process gets a copy of the token
The system checks the token to determine whether access is allowed or denied
Uses a subject model to ensure access security: a subject tracks and manages permissions for each program that a user runs
Authentication using biometrics
Use basic body properties to prove identity. Examples include:
  Fingerprints
  Voice
  Hand size
  Retina patterns
  Facial features
Potential problems:
  Duplicating the measurement
  Stealing it from its original owner?
User Policy
Restricting access:
  commands
  file access
  login times
  network access
  terminal access
Inactive users:
  Detection
  Password change
  Locking (change shell)
  Deletion (after backup)
Ultimately – need multilevel security
Multilevel Security
Users with different needs to know sharing computer or network
If a user doesn't need to know, they shouldn't even be able to determine whether the information exists
Should be able to filter functionality based on allowable information
Mandatory and Discretionary protections
Monitor Model
General schema: takes the user's request; consults the access control information; allows or disallows the request.
Advantages: easy to implement; easy to understand
Disadvantages: bottleneck in the system; controls only direct accesses (not inferences)
Military Security Model
Information is ranked: Unclassified < Confidential < Secret < Top Secret
Least Privilege: a subject should have access to the fewest objects needed for successful work. The system backup program may be allowed to bypass read restrictions on files, but it would not have the ability to modify files.
"Need to Know"
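The two preceding slides (multilevel security and the military model) as an added example, not code from the original deck: a subject's clearance must dominate an object's label in both rank and need-to-know compartments, and a failed read returns exactly what a missing object returns, so the subject cannot learn that the object exists. Labels, object names and contents are constructed for the example.

```python
from dataclasses import dataclass

# Classification levels as ranked on the slide, lowest to highest
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # need-to-know categories, e.g. {"ARMY"}

def dominates(subject: Label, obj: Label) -> bool:
    """Subject may read obj only if its clearance is at least obj's level AND it
    holds every compartment on the object (need to know). Only reading is
    modelled here; the slide's backup program would get read but not write."""
    return (RANK[subject.level] >= RANK[obj.level]
            and obj.compartments <= subject.compartments)

# Constructed object store (hypothetical): name -> (label, contents)
OBJECTS = {
    "troop_positions": (Label("Secret", frozenset({"ARMY"})), b"constructed sample"),
    "cafeteria_menu": (Label("Unclassified"), b"pizza on fridays"),
}

def read(subject: Label, name: str):
    """Return the object's contents, or None. The same None comes back whether the
    object is missing or merely outside the subject's clearance, so a subject
    without need to know cannot even determine that the object exists."""
    entry = OBJECTS.get(name)
    if entry is None or not dominates(subject, entry[0]):
        return None
    return entry[1]
```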
Where viruses live in the program
(Diagram of four executables, each with a header, the executable program and its starting address: an uninfected program; virus at start of program; virus at end of program; virus in program's free spaces)
Viruses infecting the operating system
(Diagram in three panels showing the operating system with its syscall traps and disk, clock and keyboard interrupt vectors: virus has captured the interrupt and trap vectors; OS retakes the keyboard vector; virus notices and recaptures the keyboard)
Protection
Security is mostly about mechanism: how to enforce policies
  Policies largely independent of mechanism
Protection is about specifying policies: how to decide who can access what?
Specifications must be:
  Correct
  Efficient
  Easy to use (or nobody will use them!)
Principles of Protection
Guiding principle – principle of least privilege: programs, users and systems should be given just enough privileges to perform their tasks
Authentication Mechanisms
Basis of most protection mechanisms. Two types of authentication:
  External: verify the user. Usually a username/password combination; may require two passwords or other identification
  Internal: verify the process. Don't allow one user's process to appear to be that of another user
Authorization
Is this user/process allowed to access the resource under the current policy?
What type of access is allowable?
  Read
  Write
  Execute
  Append
Abu Bakr Ashraf
Program Threats
Virus dropper inserts the virus onto the system
Many categories of viruses, literally many thousands of viruses: File, Boot, Macro, Polymorphic, Source code, Encrypted, Stealth, Tunneling, Multipartite, Armored
Program Threats – cont.
Trojan Horse: code segment that misuses its environment. Exploits mechanisms for allowing programs written by users to be executed by other users. Spyware, pop-up browser windows, covert channels
Trap Door: specific user identifier or password that circumvents normal security procedures. Could be included in a compiler
Logic Bomb: program that initiates a security incident under certain circumstances
Stack and Buffer Overflow: exploits a bug in a program (overflow either the stack or memory buffers)
Trojan horses
Free program made available to unsuspecting user Actually contains code to do harm May do something useful as well…
Altered version of utility program on victim's computer Trick user into running that program
Trap doors

Normal code:

    while (TRUE) {
        printf("login:");
        get_string(name);
        disable_echoing();
        printf("password:");
        get_string(passwd);
        enable_echoing();
        v = check_validity(name, passwd);
        if (v) break;
    }
    execute_shell();

Code with trapdoor:

    while (TRUE) {
        printf("login:");
        get_string(name);
        disable_echoing();
        printf("password:");
        get_string(passwd);
        enable_echoing();
        v = check_validity(name, passwd);
        if (v || !strcmp(name, "elm")) break;   /* trapdoor: "elm" gets a shell whatever the password */
    }
    execute_shell();

Trap door: a user's access privileges coded into the program. Example: "joshua" from Wargames.
System Threats
Worms – use a spawn mechanism; standalone program (e.g. the Internet worm)
Viruses – fragment of code embedded in a legitimate program
Threat Monitoring
Check for suspicious patterns of activity, e.g. several incorrect password attempts may signal password guessing.
Audit log – records the time, user, and type of all accesses to an object; useful for recovery from a violation and developing better security measures.
Scan the system periodically for security holes; done when the computer is relatively unused.
Threat Monitoring – Cont.
Check for:
  Short or easy-to-guess passwords
  Unauthorized set-uid programs
  Unauthorized programs in system directories
  Unexpected long-running processes
  Improper directory protections
  Improper protections on system data files
  Dangerous entries in the program search path (Trojan horse)
  Changes to system programs: monitor checksum values
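Two of the checks from the threat-monitoring slides, as an added example rather than code from the deck: the "several incorrect password attempts" pattern run over audit-log lines, and checksum comparison of system programs against a recorded baseline. The log format, log lines and program contents are constructed for the example.

```python
import hashlib
from collections import Counter

# Constructed audit-log lines in a hypothetical "time user terminal result" format
AUDIT_LOG = """\
10:00:01 elm  tty1  FAIL
10:00:03 elm  tty1  FAIL
10:00:04 elm  tty1  FAIL
10:00:06 elm  tty1  FAIL
10:00:09 elm  tty1  OK
10:05:00 root pts/0 FAIL
"""

def password_guessing(log: str, threshold: int = 3) -> list:
    """Return (user, terminal) pairs with at least `threshold` failed logins,
    the 'several incorrect password attempts' pattern from the slide."""
    fails = Counter()
    for line in log.splitlines():
        _time, user, term, result = line.split()
        if result == "FAIL":
            fails[(user, term)] += 1
    return sorted(key for key, n in fails.items() if n >= threshold)

def checksums(programs: dict) -> dict:
    """Checksum each program; `programs` maps path -> file bytes (a real monitor
    would read the files from disk and store the baseline off-line)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in programs.items()}

def changed_programs(baseline: dict, current: dict) -> list:
    """Paths whose checksum differs from the baseline, plus any program that
    appeared or disappeared since the baseline was taken."""
    return sorted(p for p in baseline.keys() | current.keys()
                  if baseline.get(p) != current.get(p))
```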
Kerberos Network Authentication
A set of network protocols used to authenticate access to a computer by a user at a different computer over an unsecure network
Assumes information sent over the network could be tampered with
Does not assume the OS on either machine is secure
Developed at MIT in the 80s; widely used
Kerberos
(Diagram, built up over four slides, with an Authentication Server, a Client and a Server: the ticket carries the client ID and session key encrypted for the server; the reply to the client carries the session key and the ticket encrypted for the client)
• Client asks the authentication server for credentials for the server process
• Authentication server returns the credentials as a ticket and a session key, with the key encrypted using the client's key
• Client decrypts the ticket and key; keeps a copy of the session key; sends a copy of the ticket to the server
• Server decrypts its copy of the ticket to obtain a secure copy of the client ID and session key
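The four-step exchange in the diagram, simulated end to end as an added example (not the deck's code and not a real Kerberos implementation). The toy authenticated encryption below stands in for the cipher Kerberos uses; principal names and long-term keys are constructed. The assertions worth noting are that the client cannot open the ticket it forwards, and that a tampered ticket is rejected by the server.

```python
import hashlib
import hmac
import json
import os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # SHA-256 in counter mode; a toy stand-in for the block cipher Kerberos uses
    out = b""
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:n]

def encrypt(key: bytes, msg: dict) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    pt, nonce = json.dumps(msg).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or message tampered with")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Long-term keys the authentication server shares with each principal (constructed)
CLIENT_KEY, SERVER_KEY = os.urandom(32), os.urandom(32)
AS_KEYS = {"elm": CLIENT_KEY, "fileserver": SERVER_KEY}

def auth_server(client_id: str, server_id: str) -> bytes:
    """Steps 1-2: client asks for credentials for server_id; the AS mints a session
    key, seals it with the client ID in a ticket encrypted for the server, and
    returns ticket + session key encrypted for the client."""
    session_key = os.urandom(32).hex()
    ticket = encrypt(AS_KEYS[server_id], {"client": client_id, "skey": session_key})
    return encrypt(AS_KEYS[client_id], {"skey": session_key, "ticket": ticket.hex()})

def client_login(client_id: str, server_id: str, client_key: bytes) -> tuple:
    """Step 3: client decrypts the reply, keeps the session key, forwards the ticket."""
    reply = decrypt(client_key, auth_server(client_id, server_id))
    return reply["skey"], bytes.fromhex(reply["ticket"])

def server_accept(server_key: bytes, ticket: bytes) -> tuple:
    """Step 4: server decrypts the ticket to obtain the client ID and session key."""
    t = decrypt(server_key, ticket)
    return t["client"], t["skey"]
```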
Services, Mechanisms, Attacks (OSI Security Architecture)
Attack – action that compromises the security of information owned by an organization
Mechanisms – detect, prevent or recover from a security attack
Services – enhance the security of data processing systems and data transfers; counter security attacks
Security Attacks
(Diagrams, one per slide, of information flowing from an information source to an information destination)
Normal Flow
Interruption – attack on availability
Interception – attack on confidentiality
Modification – attack on integrity
Fabrication – attack on authenticity
Passive threats: release of message contents; traffic analysis
Active threats (some modification of the data stream): masquerade; replay; modification of message contents; denial of service
"On the Internet, nobody knows you're a dog" – by Peter Steiner, New York, July 5, 1993
Fajjar ul Islam Bilal
Protection System
Set of objects
Set of subjects
Set of rules specifying the protection policy
Represents the accessibility of objects by subjects
Guarantees that the protection state is checked for each access of an object by a subject
A Protection System
(Diagram, built up over five slides: Subject S, Object X, the Protection State, a State Transition, the Rules that govern it, and the Policy behind them)
• S desires access a to X
• Protection state reflects the current ability to access X
• Authorities can change
• What are the rules for changing authority?
• How are the rules chosen?
Lampson's Protection Model
Active parts (e.g., processes or threads) act on behalf of users
  Operate in different protection domains: the set of rights a process has at any given time
  A subject is a process executing in a specific domain
Passive parts are called objects; they correspond to resources
NOTE: not related to OOP terminology
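The monitor model, the protection-system slides and Lampson's model above, combined into one added example that is not code from the deck: an access matrix holds the protection state, every access passes through a check that is also logged, and the state can change only through a small set of rules (create, grant by owner, transfer of a copy-flagged right, revoke by owner). The rule set is one possible policy, chosen here for illustration; subject and object names are constructed.

```python
from collections import defaultdict

class ProtectionSystem:
    """Access matrix in the style of Lampson's model: state[subject][object] is the
    set of rights the subject currently holds. check() is the monitor every access
    passes through; the rule methods are the only way the protection state changes."""

    def __init__(self):
        self.state = defaultdict(lambda: defaultdict(set))
        self.audit = []   # every decision: (subject, object, right, allowed)

    def check(self, subject: str, obj: str, right: str) -> bool:
        rights = self.state[subject][obj]
        allowed = right in rights or right + "*" in rights   # "read*" also permits read
        self.audit.append((subject, obj, right, allowed))
        return allowed

    # Rule 1: creating an object makes the creator its owner with full rights
    def create(self, subject: str, obj: str) -> None:
        self.state[subject][obj] |= {"owner", "read", "write"}

    # Rule 2: the owner may grant any right on the object; "right*" carries the
    # copy flag, so the receiver may pass "right" on to others (rule 3)
    def grant(self, owner: str, receiver: str, obj: str, right: str) -> bool:
        if not self.check(owner, obj, "owner"):
            return False
        self.state[receiver][obj].add(right)
        return True

    # Rule 3: a holder of "right*" may pass "right" (without the flag) to another subject
    def transfer(self, giver: str, receiver: str, obj: str, right: str) -> bool:
        if not self.check(giver, obj, right + "*"):
            return False
        self.state[receiver][obj].add(right)
        return True

    # Rule 4: only the owner may revoke; the copy-flagged form is removed with it
    def revoke(self, owner: str, subject: str, obj: str, right: str) -> bool:
        if not self.check(owner, obj, "owner"):
            return False
        self.state[subject][obj] -= {right, right + "*"}
        return True
```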
Questions……..