Security & protection in operating system

A detailed discussion on Security and Protection in an Operating System

Published in: Software, Technology, Business

  1. Security & Protection In Operating System
  2. Presented by Muhammad Usman Zia Akram, Abu Bakr Ashraf, Fajjar Ul Islam Bilal, Bilal Tahir
  3. Contents
     - What are security and protection in an OS?
     - Protection mechanisms
     - Threats and threat monitoring
     - Attack techniques
     - Authentication mechanisms
     - Protection systems
     - Protection problems
     - Features of a secure OS
  4. What is Security in an OS?
     - Issues external to the OS
     - Authentication of users, validation of messages, malicious or accidental introduction of flaws, etc.
  5. What is Protection in an OS?
     - Mechanisms and policy that keep programs and users from accessing or changing what they should not
     - Internal to the OS
  6. Protection and Security
     - The operating system consists of a collection of objects, hardware or software
     - Each object has a unique name and can be accessed only through a well-defined set of operations (hopefully)
     - The protection and security problem: ensure that each object is accessed correctly, and only by those processes of authorized users that are allowed to do so
  7. Protection and Security (cont.)
     - The OS designer faces the challenge of creating a protection scheme that cannot be bypassed by any software that may be created in the future
     - Networking adds to the problem: it allows access to a computer and its resources without being in the same physical location
  8. Security Goals (diagram: processes A, B and C on machines X and Y accessing resources W, X, Y and Z with read or read/write rights; the two goals shown are authentication and authorization)
  9. Security Kernel
     - Responsible for implementing the security mechanisms of the entire operating system
     - Provides the security interfaces among the hardware, the operating system, and the other parts of the computing system
     - Costs of implementing a security kernel:
       - May degrade system performance (one more layer)
       - May be large, which makes it harder to verify
       - Gives no guarantees by itself
  10. Security
     - The security environment
     - User authentication
     - Attacks from inside the system
     - Attacks from outside the system
     - Protection mechanisms
     - Trusted systems
  11. Security environment: threats
     - Operating systems have goals: confidentiality, integrity, availability
     - Someone attempts to subvert these goals, for fun or for commercial gain
     - Goal versus threat:
       - Data confidentiality: exposure of data
       - Data integrity: tampering with data
       - System availability: denial of service
  12. What kinds of intruders are there?
     - Casual prying by nontechnical users, out of curiosity
     - Snooping by insiders, often motivated by curiosity or money
     - Determined attempts to make money, not necessarily by an insider
     - Commercial or military espionage (this is very big business!)
  13. Accidents cause problems, too
     - Acts of God: fires, earthquakes, wars (is a war really an "act of God"?)
     - Hardware or software error: CPU malfunction, disk crash, program bugs (hundreds of bugs found in the most recent Linux kernel)
     - Human errors: data entry, wrong tape mounted
  14. User authentication
     - Problem: how does the computer know who you are?
     - Solution: use authentication to identify the user by
       - something the user knows
       - something the user has
       - something the user is
     - This must be done before the user can use the system
     - Important: from the computer's point of view, anyone who can duplicate your ID is you, and fooling a computer isn't all that hard
  15. Authentication using passwords
     - A successful login lets the user in
     - If things don't go so well, the login may be rejected after the name is entered, or after the name and an incorrect password are entered
     - Don't tell the user that the user name is invalid until after the password has been entered: early notification makes it easier to guess valid user names, because an attacker can confirm which accounts exist without knowing any password
     - Example transcripts:

         Login: elm
         Password: foobar
         Welcome to Linux!

         Login: jimp
         User not found!        (leaks that "jimp" is not an account)
         Login:

         Login: elm
         Password: barfle
         Invalid password!      (leaks that "elm" is an account)
         Login:
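The difference between the two transcripts, as an added example that is not part of the original slides: a login check that answers "User not found" lets anyone enumerate accounts, so the hardened version returns one message and does the same amount of work whether or not the name exists. The user database, the PBKDF2 parameters and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed example database: username -> (salt, PBKDF2-SHA256 hash).
# A real system would read this from /etc/shadow or an authentication backend.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str):
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


USERS = {"elm": make_user("foobar")}

# Fixed dummy record: lookups for unknown names still run PBKDF2 against it,
# so the response time for "no such user" matches "wrong password".
DUMMY_SALT = b"\x00" * 16
DUMMY_HASH = hash_password("not-a-real-password", DUMMY_SALT)


def login_leaky(name: str, password: str) -> str:
    """The behaviour in the slide's transcript: different messages for an unknown
    name and for a wrong password, which lets an attacker enumerate valid accounts."""
    if name not in USERS:
        return "User not found!"
    salt, stored = USERS[name]
    if hash_password(password, salt) != stored:
        return "Invalid password!"
    return "Welcome to Linux!"


def login_uniform(name: str, password: str) -> str:
    """Hardened form: one message and the same work in every failure case.
    hmac.compare_digest keeps the comparison time independent of how many
    leading bytes of the hash happen to match."""
    salt, stored = USERS.get(name, (DUMMY_SALT, DUMMY_HASH))
    candidate = hash_password(password, salt)
    # The 'name in USERS' test guards the corner case where the supplied
    # password happens to equal the dummy record's password.
    ok = hmac.compare_digest(candidate, stored) and name in USERS
    return "Welcome to Linux!" if ok else "Login incorrect"


if __name__ == "__main__":
    for user, pw in [("elm", "foobar"), ("jimp", "x"), ("elm", "barfle")]:
        print(f"{user}/{pw}: leaky={login_leaky(user, pw)!r} uniform={login_uniform(user, pw)!r}")
```

A uniform message removes the enumeration oracle but not password guessing itself; the threat-monitoring slides later in the deck cover the complementary control, counting failed attempts per account and source.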
  16. Example: Windows XP
     - Security is based on user accounts; each user has a unique security ID
     - Logging in to an account creates a security access token, which includes the security ID of the user, the IDs of the user's groups, and any special privileges
     - Every process the user starts gets a copy of the token
     - The system checks the token to determine whether access is allowed or denied
     - Uses a subject model to enforce access security: a subject tracks and manages the permissions for each program that a user runs
  17. Authentication using biometrics
     - Use basic body properties to prove identity
     - Examples include fingerprints, voice, hand size, retina patterns, facial features
     - Potential problems:
       - Duplicating the measurement (a forged or replayed sample)
       - Stealing it from its original owner; unlike a password, a biometric cannot be changed once it has been compromised
  18. User Policy
     - Restricting access: commands, file access, login times, network access, terminal access
     - Inactive users: detect them, force a password change, lock the account (change the login shell), delete it (after a backup)
     - Ultimately, multilevel security is needed
  19. Multilevel Security
     - Users with different needs to know share a computer or network
     - If you don't need to know, you shouldn't even be able to determine that the information exists
     - It should be possible to filter functionality based on the information a user is allowed to see
     - Both mandatory and discretionary protections
  20. Monitor Model
     - General schema: take the user's request, consult the access control information, allow or disallow the request
     - Advantages: easy to implement, easy to understand
     - Disadvantages: a bottleneck in the system; controls only direct accesses, not inferences drawn from data that is legitimately released
  21. Military Security Model
     - Information is ranked: Unclassified, Confidential, Secret, Top Secret
     - Least privilege: a subject should have access to the fewest objects needed for successful work
       - The system backup program may be allowed to bypass read restrictions on files, but it would not have the ability to modify files
     - "Need to know": clearance at a given level alone is not enough; the subject must also need the specific information
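Multilevel security as an added example that is not part of the original slides (it serves both the Multilevel Security and the Military Security Model slides): the four rankings above, plus need-to-know compartments, are enforced with the "no read up, no write down" rules of the Bell-LaPadula model, which the slides describe but do not name. The file names, labels and function names are assumptions made for this example.

```python
from dataclasses import dataclass

# Classification levels from the slide, lowest to highest.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A security label: a classification level plus need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self is at least as high as other and covers all of other's compartments."""
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    # Simple security property: no read up.
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    # *-property: no write down. A Secret process may not copy what it has
    # read into a Confidential file, even though it is allowed to read that file.
    return obj.dominates(subject)


def check(subject: Label, obj: Label, mode: str) -> bool:
    """Reference-monitor decision for one access request."""
    if mode == "read":
        return can_read(subject, obj)
    if mode in ("write", "append"):
        return can_write(subject, obj)
    raise ValueError(f"unknown access mode {mode!r}")


def visible_objects(subject: Label, objects: dict) -> list:
    """Directory listings are filtered by the same dominance rule, so a user
    without the need to know cannot even learn that a file exists."""
    return sorted(name for name, label in objects.items() if subject.dominates(label))


# Constructed sample objects with their labels.
FILES = {
    "weather.txt": Label("Unclassified"),
    "payroll.txt": Label("Confidential"),
    "plans.txt": Label("Secret", frozenset({"NUCLEAR"})),
    "budget.txt": Label("Top Secret"),
}


if __name__ == "__main__":
    analyst = Label("Secret")
    for name in FILES:
        print(name, "read:", check(analyst, FILES[name], "read"),
              "write:", check(analyst, FILES[name], "write"))
    print("analyst sees:", visible_objects(analyst, FILES))
```

The write rule is the part people find surprising: a Secret process may write into a Top Secret file it cannot read (a "blind write"), while writing into an Unclassified file is refused even though the user could read it, because that is exactly the path by which classified data would leak downward.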
  22. Where viruses live in the program (diagram: an uninfected program, consisting of a header, the executable code and a starting address, compared with a virus placed at the start of the program, at the end of the program, and in the program's free spaces)
  23. Viruses infecting the operating system (diagram, three panels: the virus has captured the interrupt and trap vectors (system call traps, disk, clock and keyboard vectors) so it runs before the OS; the OS retakes the keyboard vector; the virus notices and recaptures the keyboard vector)
  24. Protection
     - Protection is mostly about mechanism: how to enforce policies; the mechanisms should be largely independent of any particular policy
     - Security is about specifying policies: how to decide who can access what
     - Specifications must be correct, efficient, and easy to use (or nobody will use them!)
  25. Principles of Protection
     - Guiding principle: the principle of least privilege
     - Programs, users and systems should be given just enough privileges to perform their tasks, so that a bug or compromise in any one of them does the least possible damage
  26. Authentication Mechanisms
     - The basis of most protection mechanisms
     - Two types of authentication:
       - External: verify the user; usually a username/password combination, possibly requiring a second password or other identification
       - Internal: verify the process; don't allow one user's process to appear to be that of another user
  27. Authorization
     - Is this user/process allowed to access the resource under the current policy?
     - What type of access is allowable? Read, write, execute, append
  28. Abu Bakr Ashraf
  29. Program Threats
     - A virus dropper inserts the virus onto the system
     - Many categories of viruses, and literally many thousands of viruses: file, boot, macro, polymorphic, source code, encrypted, stealth, tunneling, multipartite, armored
  30. Program Threats (cont.)
     - Trojan horse: a code segment that misuses its environment; it exploits the mechanisms that let programs written by one user be executed by other users (spyware, pop-up browser windows, covert channels)
     - Trap door: a specific user identifier or password that circumvents the normal security procedures; it could even be planted in a compiler, so that it is re-inserted whenever the login program is recompiled and never appears in the source
     - Logic bomb: a program that initiates a security incident under certain circumstances
     - Stack and buffer overflow: exploits a bug in a program (overflowing either the stack or a memory buffer) to hijack its control flow
  31. Trojan horses
     - A free program made available to an unsuspecting user; it actually contains code to do harm, and may do something useful as well
     - An altered version of a utility program placed on the victim's computer; the user is tricked into running that program, for example through a dangerous entry in the search path
  32. Trap doors
     Normal code:

         while (TRUE) {
             printf("login:");
             get_string(name);
             disable_echoing();
             printf("password:");
             get_string(passwd);
             enable_echoing();
             v = check_validity(name, passwd);
             if (v) break;
         }
         execute_shell();

     Code with trap door:

         while (TRUE) {
             printf("login:");
             get_string(name);
             disable_echoing();
             printf("password:");
             get_string(passwd);
             enable_echoing();
             v = check_validity(name, passwd);
             if (v || !strcmp(name, "elm")) break;
         }
         execute_shell();

     - Trap door: a user's access privileges are coded into the program; here the user "elm" gets a shell with any password at all, and the password check is never consulted for that name
     - Example: "joshua" from WarGames
  33. System Threats
     - Worms: standalone programs that use a spawn mechanism to copy themselves to other systems (e.g., the Internet worm)
     - Viruses: a fragment of code embedded in a legitimate program
  34. Threat Monitoring
     - Check for suspicious patterns of activity; for example, several incorrect password attempts may signal password guessing
     - Audit log: records the time, user, and type of all accesses to an object; useful for recovery from a violation and for developing better security measures
     - Scan the system periodically for security holes; do it when the computer is relatively unused
  35. Threat Monitoring (cont.)
     - Check for:
       - Short or easy-to-guess passwords
       - Unauthorized set-uid programs
       - Unauthorized programs in system directories
       - Unexpected long-running processes
       - Improper directory protections
       - Improper protections on system data files
       - Dangerous entries in the program search path (Trojan horse)
       - Changes to system programs: monitor checksum values, keeping the baseline checksums somewhere an intruder cannot rewrite them
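The checklist above as a runnable monitor, added here as an example and not part of the original slides: it records a checksum baseline for the system programs, reports files that changed or appeared, lists set-uid binaries so they can be compared with an approved list, and flags dangerous search-path entries. The sandbox directory tree, the file names and the function names are constructed for the example; on a real host the functions would be pointed at /bin, /usr/bin and $PATH.

```python
import hashlib
import os
import stat
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _regular_files(root: str):
    """Yield (relative path, lstat result) for every regular file under root (symlinks skipped)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode):
                yield os.path.relpath(full, root), st


def checksum_baseline(root: str) -> dict:
    """The known-good state: relative path -> SHA-256 of every program under root.
    Keep the result where an intruder cannot rewrite it (read-only media, another host)."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel, _ in _regular_files(root)}


def compare_to_baseline(root: str, baseline: dict) -> list:
    """Return sorted (path, 'added' | 'modified' | 'removed') tuples."""
    current = checksum_baseline(root)
    findings = [(rel, "added") for rel in current if rel not in baseline]
    findings += [(rel, "modified") for rel in current if rel in baseline and baseline[rel] != current[rel]]
    findings += [(rel, "removed") for rel in baseline if rel not in current]
    return sorted(findings)


def find_setuid(root: str) -> list:
    """Programs with the set-uid or set-gid bit; anything not on the approved list is suspect."""
    return sorted(rel for rel, st in _regular_files(root)
                  if st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def dangerous_path_entries(path_value: str) -> list:
    """Search-path entries that let an attacker plant a Trojan horse: the current
    directory (an empty or '.' entry) and world-writable directories without the sticky bit."""
    bad = []
    for entry in path_value.split(os.pathsep):
        if entry in ("", "."):
            bad.append((entry or "(empty)", "current directory is searched"))
        elif os.path.isdir(entry):
            mode = os.stat(entry).st_mode
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                bad.append((entry, "world-writable"))
    return bad


def demo() -> dict:
    """Constructed sandbox: a fake system tree, a baseline, then tampering."""
    root = tempfile.mkdtemp(prefix="osmon-")
    bin_dir = os.path.join(root, "bin")
    os.makedirs(bin_dir)
    for name, data in {"ls": b"ls v1", "passwd": b"passwd v1"}.items():
        with open(os.path.join(bin_dir, name), "wb") as f:
            f.write(data)
    os.chmod(os.path.join(bin_dir, "passwd"), 0o4755)      # the one approved set-uid program
    baseline = checksum_baseline(root)

    with open(os.path.join(bin_dir, "ls"), "wb") as f:     # Trojaned system program
        f.write(b"ls v1 + backdoor")
    rogue = os.path.join(bin_dir, "rootme")                  # new, unauthorized set-uid program
    with open(rogue, "wb") as f:
        f.write(b"#!/bin/sh\n")
    os.chmod(rogue, 0o4755)
    dropzone = os.path.join(root, "dropzone")                # world-writable directory on PATH
    os.makedirs(dropzone)
    os.chmod(dropzone, 0o777)

    approved_setuid = {"bin/passwd"}
    return {
        "changes": compare_to_baseline(root, baseline),
        "unapproved_setuid": sorted(set(find_setuid(root)) - approved_setuid),
        "path": dangerous_path_entries(os.pathsep.join([bin_dir, "", dropzone])),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The checksum comparison is only as good as the baseline's storage: an intruder who can replace /bin/ls can usually also rewrite a checksum file kept on the same disk, which is why the slide's "monitor checksum values" should be read together with "improper protections on system data files".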
  36. Kerberos Network Authentication
     - A set of network protocols used to authenticate access to a computer by a user at a different computer over an insecure network
     - Assumes that information sent over the network could be read or tampered with
     - Does not assume that the OS on either machine is secure
     - Developed at MIT in the 1980s; widely used
  37. Kerberos (diagram: authentication server, client, server). The client asks the authentication server for credentials for the server process.
  38. Kerberos (diagram). The authentication server returns the credentials: a ticket (the client ID and a session key, encrypted for the server) and a copy of the session key encrypted with the client's key.
  39. Kerberos (diagram). The client decrypts the session key with its own key and keeps a copy of it; it cannot read the ticket, which it forwards unchanged to the server.
  40. Kerberos (diagram). The server decrypts its copy of the ticket with its own key to obtain a trustworthy copy of the client ID and the session key; client and server now share a session key that never crossed the network in the clear.
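The four-step exchange on the slides above, run as one program with all three parties' messages; this is an added example and not code from the original slides or from any Kerberos implementation. The cipher is a toy stand-in (XOR with a SHA-256 keystream plus an HMAC tag), and the principal names, keys and class names are assumptions. It goes one step beyond the slides by sending an authenticator with the ticket, as real Kerberos does, so that a captured ticket cannot simply be replayed.

```python
import hashlib
import hmac
import json
import os
import time

# --- Toy authenticated encryption (assumption: stand-in for Kerberos' real cipher). ---
# The HMAC tag makes decryption under the wrong key, or of a tampered blob, fail cleanly.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, obj: dict) -> bytes:
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class AuthServer:
    """Knows every principal's long-term key; issues a ticket plus a session key (slides 37-38)."""
    def __init__(self, keys: dict):
        self.keys = keys

    def request_credentials(self, client_id: str, server_id: str):
        session_key = os.urandom(32).hex()
        # Ticket: client ID + session key, sealed for the server; the client cannot read it.
        ticket = encrypt(self.keys[server_id], {"client": client_id, "session_key": session_key})
        # Session key sealed for the client.
        for_client = encrypt(self.keys[client_id], {"server": server_id, "session_key": session_key})
        return for_client, ticket


class Client:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.session_key = self.ticket = None

    def get_ticket(self, auth_server: AuthServer, server_id: str) -> bool:
        """Slide 39: decrypt the session key, keep it, keep the ticket for forwarding."""
        for_client, ticket = auth_server.request_credentials(self.name, server_id)
        creds = decrypt(self.key, for_client)
        if creds is None or creds["server"] != server_id:
            return False
        self.session_key, self.ticket = bytes.fromhex(creds["session_key"]), ticket
        return True

    def authenticate_to(self, server: "Server", when: float = None):
        # Authenticator (beyond the slides): name and timestamp under the session key,
        # proving possession of the key and bounding the lifetime of a captured message.
        when = time.time() if when is None else when
        authenticator = encrypt(self.session_key, {"client": self.name, "time": when})
        return server.accept(self.ticket, authenticator)


class Server:
    def __init__(self, name: str, key: bytes, max_skew: float = 300.0):
        self.name, self.key, self.max_skew = name, key, max_skew

    def accept(self, ticket: bytes, authenticator: bytes):
        """Slide 40: recover client ID and session key from the ticket, then verify the authenticator."""
        t = decrypt(self.key, ticket)
        if t is None:
            return False, "ticket was not issued for this server"
        a = decrypt(bytes.fromhex(t["session_key"]), authenticator)
        if a is None or a["client"] != t["client"]:
            return False, "authenticator not encrypted under the ticket's session key"
        if abs(time.time() - a["time"]) > self.max_skew:
            return False, "authenticator too old (replay?)"
        return True, t["client"]


if __name__ == "__main__":
    keys = {"alice": b"alice-long-term-key", "fileserver": b"fileserver-long-term-key"}
    kdc, alice, fs = AuthServer(keys), Client("alice", keys["alice"]), Server("fileserver", keys["fileserver"])
    alice.get_ticket(kdc, "fileserver")
    print(alice.authenticate_to(fs))
```

Note what the authentication server never does: it never sends anyone else's long-term key, and the session key reaches each side only under that side's own key, which is what lets the slides assume an untrusted network.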
  41. Services, Mechanisms, Attacks (OSI Security Architecture)
     - Attack: an action that compromises the security of information owned by an organization
     - Mechanism: a means to detect, prevent or recover from a security attack
     - Service: something that enhances the security of data processing systems and information transfers by countering security attacks, using one or more mechanisms
  42. Security Attacks (diagram): the normal flow of information from a source to a destination
  43. Security Attacks (diagram): interruption, the flow is cut off; an attack on availability
  44. Security Attacks (diagram): interception, a third party reads the flow; an attack on confidentiality
  45. Security Attacks (diagram): modification, a third party alters the flow in transit; an attack on integrity
  46. Security Attacks (diagram): fabrication, a third party injects messages that appear to come from the source; an attack on authenticity
  47. Security Attacks: passive threats
     - Release of message contents
     - Traffic analysis
     - Passive attacks leave no trace in the data stream and are hard to detect, so the emphasis is on prevention (encryption) rather than detection
  48. Security Attacks: active threats (some modification of the data stream, or creation of a false stream)
     - Masquerade
     - Replay
     - Modification of message contents
     - Denial of service
  49. Security Attacks: "On the Internet, nobody knows you're a dog" (cartoon by Peter Steiner, The New Yorker, July 5, 1993)
  50. Fajjar ul Islam Bilal
  51. Protection System
     - A set of objects
     - A set of subjects
     - A set of rules specifying the protection policy
     - Represents the accessibility of objects by subjects
     - Guarantees that the protection state is checked on every access to an object by a subject
  52. A Protection System (diagram: subjects S, objects X). A subject S desires access of type a to an object X.
  53. A Protection System (diagram, adding the protection state). The protection state reflects the current ability of S to access X.
  54. A Protection System (diagram, adding state transitions). The authorities can change over time.
  55. A Protection System (diagram, adding rules). What are the rules for changing authority?
  56. A Protection System (diagram, adding policy). How are the rules chosen?
  57. Lampson's Protection Model
     - Active parts (e.g., processes or threads) act on behalf of users and operate in different protection domains
     - A protection domain is the set of rights a process has at any given time
     - A subject is a process executing in a specific domain
     - Passive parts are called objects; they correspond to resources
     - NOTE: "subject" and "object" here are not related to OOP terminology
  58. Questions
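Lampson's model and the protection-system slides above (subjects, objects, protection state, state-transition rules, policy) as one runnable access matrix, added here as an example and not taken from the original slides; it also implements the reference-monitor check of the Monitor Model slide and the audit log of the Threat Monitoring slide. The domain names, object names and the ownership-based transition rules are assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass
class Process:
    """Active part: a process acting on behalf of a user, executing in one domain at a time."""
    pid: int
    domain: str


class ProtectionSystem:
    """Access-matrix protection state plus the rules that change it."""

    def __init__(self):
        self.matrix = {}   # protection state: (domain, object) -> set of rights
        self.audit = []    # every reference-monitor decision: (pid, domain, object, right, allowed)

    def _rights(self, domain: str, obj: str) -> set:
        return self.matrix.setdefault((domain, obj), set())

    # --- State-transition rules (the policy assumed for this example) ---

    def create_object(self, domain: str, obj: str, rights: set) -> None:
        """The creating domain becomes the owner of the new object."""
        self._rights(domain, obj).update(rights | {"owner"})

    def grant(self, actor: Process, target_domain: str, obj: str, right: str) -> bool:
        """Discretionary rule: only a process in the owning domain may grant a right."""
        if "owner" not in self._rights(actor.domain, obj):
            return False
        self._rights(target_domain, obj).add(right)
        return True

    def revoke(self, actor: Process, target_domain: str, obj: str, right: str) -> bool:
        if "owner" not in self._rights(actor.domain, obj):
            return False
        self._rights(target_domain, obj).discard(right)
        return True

    def allow_switch(self, from_domain: str, to_domain: str) -> None:
        """Domains are objects too: a 'switch' right lets a process move to another domain."""
        self._rights(from_domain, "domain:" + to_domain).add("switch")

    def switch_domain(self, proc: Process, to_domain: str) -> bool:
        if "switch" not in self._rights(proc.domain, "domain:" + to_domain):
            return False
        proc.domain = to_domain
        return True

    # --- Reference monitor: consulted on every access, and every decision is logged ---

    def access(self, proc: Process, obj: str, right: str) -> bool:
        allowed = right in self._rights(proc.domain, obj)
        self.audit.append((proc.pid, proc.domain, obj, right, allowed))
        return allowed


def build_example() -> ProtectionSystem:
    """Constructed protection state: a payroll domain that owns two files, an analyst
    domain that may only read the report, and a backup domain that reads everything
    but can write nothing (least privilege for a trusted program)."""
    ps = ProtectionSystem()
    ps.create_object("D_payroll", "payroll.db", {"read", "write", "append"})
    ps.create_object("D_payroll", "report.txt", {"read", "write"})
    owner = Process(pid=100, domain="D_payroll")
    ps.grant(owner, "D_analyst", "report.txt", "read")
    for obj in ("payroll.db", "report.txt"):
        ps.grant(owner, "D_backup", obj, "read")
    ps.allow_switch("D_payroll", "D_backup")
    return ps


if __name__ == "__main__":
    ps = build_example()
    analyst = Process(200, "D_analyst")
    print("analyst reads report:", ps.access(analyst, "report.txt", "read"))
    print("analyst writes report:", ps.access(analyst, "report.txt", "write"))
    for entry in ps.audit:
        print("audit:", entry)
```

Because every access goes through one `access` method, the audit log is complete by construction; that is the property the Monitor Model slide buys with its "bottleneck" disadvantage. What the matrix does not capture is inference: an analyst who can read the report may still deduce payroll figures from it, exactly the limitation the same slide names.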