Title: Chapter 4
1 Chapter 4: Protection in General Purpose Operating Systems
- Protection features provided by general-purpose operating systems: protecting memory, files, and the execution environment
- Controlled access to objects
- User authentication
2 Protected Objects and Methods of Protection
- The first operating systems were simple utilities and executives
- Multiprogramming operating systems required monitors, which oversaw each program's execution
- Protected objects:
  - Memory
  - Sharable I/O devices (disks)
  - Serially reusable devices (printers)
  - Shareable programs and subprocedures
  - Networks
  - Shareable data
3 Security Methods of Operating Systems
- Physical Separation (different processes use different objects)
- Temporal Separation (processes are executed at different times)
- Logical Separation (each process appears to be alone)
- Cryptographic Separation (processes conceal their data and computations)
4 Security Methods of Operating Systems
- Want to be able to share resources without compromising security
- Do not protect
- Isolate different processes
- Share all or nothing
- Share via access limitation (granularity)
- Share by capabilities
- Limit use of an object
5 Memory Address Protection
- Fence: confines the user to one side of a boundary
  - Uses predefined memory addresses
  - Can protect the OS, but not one user from another
- Relocation: changes all addresses of a program using an offset
- Base/Bounds Registers
  - Uses a variable fence register (base register) to provide the lower bound
  - Uses a bounds register for the upper address
6 Memory Address Protection
- Tagged Architecture
  - Every word of machine memory has extra bits to indicate access rights (expensive)
- Segmentation (program divided into pieces)
  - Each segment has a name and an offset
  - Each address reference is checked for protection
  - Different classes of data can be assigned different levels of protection
  - Users can share access to segments
  - A user cannot access an unpermitted segment
- Paging (program uses equal-sized pages; memory is divided into equal-sized page frames)
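An added simulation (not from the slides) of the base/bounds and segmentation checks described on slides 5 and 6: each `<segment name, offset>` reference is relocated through the segment's base and rejected if it is out of bounds, names a segment the user does not hold, or asks for an access the segment's rights do not grant. The segment tables, addresses and rights are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    base: int    # physical start of the segment (the base/fence register value)
    limit: int   # segment size in words; valid offsets are 0 <= offset < limit
    rights: str  # subset of "rwx" this user holds on the segment


class ProtectionFault(Exception):
    """Raised where the hardware would trap to the operating system."""


def translate(segment_table, name, offset, access):
    """Map a <segment name, offset> reference to a physical address.

    Every reference is checked: the segment must exist in this user's
    table, the offset must lie inside the bounds, and the requested
    access ('r', 'w' or 'x') must be permitted by the segment's rights.
    """
    seg = segment_table.get(name)
    if seg is None:
        raise ProtectionFault(f"segment {name!r} not accessible")
    if not 0 <= offset < seg.limit:
        raise ProtectionFault(f"offset {offset} outside bounds of {name!r}")
    if access not in seg.rights:
        raise ProtectionFault(f"{access!r} access denied on {name!r}")
    return seg.base + offset  # relocation: the base register supplies the lower bound


# Constructed per-user segment tables: both users share the code segment
# read/execute only; each has a private, writable data segment.
alice = {"code": Segment(0x1000, 0x400, "rx"), "data": Segment(0x2000, 0x100, "rw")}
bob = {"code": Segment(0x1000, 0x400, "rx"), "data": Segment(0x3000, 0x100, "rw")}


def check(segment_table, name, offset, access):
    """Return the physical address, or None where the reference would trap."""
    try:
        return translate(segment_table, name, offset, access)
    except ProtectionFault:
        return None


if __name__ == "__main__":
    print(hex(check(alice, "code", 0x10, "x")))  # 0x1010: shared code, executable
    print(check(alice, "code", 0x10, "w"))       # None: code segment is not writable
    print(check(alice, "data", 0x100, "r"))      # None: offset == limit, out of bounds
    print(check(bob, "stack", 0, "r"))           # None: bob holds no such segment
```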
7 Control of Access to General Objects
- Memory
- File/data set
- Program in memory
- Directory of files
- Hardware device
- Data structure (stack)
- Operating system table
- Instructions (privileged)
- Passwords / user authentication mechanism
- Protection mechanism
8 Goals in Protecting Objects
- Check every access
- Enforce least privilege
- Verify acceptable usage
9 Directory Mechanism
- Each user (subject) has a file directory, which lists all files accessible by that user
- The list can become too large if there are many shared objects
- Cannot revoke everyone's rights to an object
- File names used by different owners may be different
10 Access Control List
- One list for each object, showing all subjects and their access rights
- Can use wildcards to limit the size of the ACL
- Access Control Matrix
  - Rows for subjects
  - Columns for objects
  - Sparse matrix stored as triples <subject, object, rights>
11 Capability
- Unforgeable token that gives its possessor rights to an object
- Predecessor of Kerberos
- Can propagate capabilities to other subjects
- Capabilities must be stored in inaccessible memory
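An added example (not from the slides) covering slides 9 to 11: the sparse access control matrix kept as `<subject, object, rights>` triples, sliced two ways, as an ACL per object and as a capability list per subject, with capability propagation and the whole-object revocation that the directory mechanism cannot perform. Subjects, objects and rights are constructed sample data; `"*"` as a subject is used here to stand for the ACL wildcard.

```python
from typing import List, Tuple

Triple = Tuple[str, str, str]  # (subject, object, rights)

# Constructed triples; "*" as the subject is the ACL wildcard (slide 10).
TRIPLES: List[Triple] = [
    ("alice", "payroll.db", "rw"),
    ("bob", "payroll.db", "r"),
    ("alice", "report.txt", "rwx"),
    ("*", "motd", "r"),
]


def acl(triples, obj):
    """ACL view (one list per object): subjects and their rights on obj."""
    return {s: r for s, o, r in triples if o == obj}


def capabilities(triples, subject):
    """Capability view (one list per subject): objects the subject may use.
    Wildcard entries apply to every subject."""
    return {o: r for s, o, r in triples if s in (subject, "*")}


def permitted(triples, subject, obj, access):
    """Check every access (slide 8): allowed only if some triple grants it."""
    return access in capabilities(triples, subject).get(obj, "")


def propagate(triples, giver, receiver, obj):
    """Slide 11: a subject may pass on a capability it holds; a capability
    it does not hold cannot be passed, because the token is unforgeable."""
    rights = capabilities(triples, giver).get(obj)
    if rights is None:
        return False
    triples.append((receiver, obj, rights))
    return True


def revoke(triples, obj):
    """Revoke everyone's rights to an object, which the per-user directory
    scheme of slide 9 cannot do: drop every triple naming that object."""
    triples[:] = [t for t in triples if t[1] != obj]


if __name__ == "__main__":
    print(acl(TRIPLES, "payroll.db"))                    # {'alice': 'rw', 'bob': 'r'}
    print(capabilities(TRIPLES, "bob"))                  # {'payroll.db': 'r', 'motd': 'r'}
    print(permitted(TRIPLES, "bob", "payroll.db", "w"))  # False
```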
12 Procedure-Oriented Access Control
- A procedure controls access to objects, including what subjects may do to those objects
13 File Protection Mechanisms
- All-None Protection
  - Lack of trust
  - All or nothing
  - Timesharing issues
  - Complexity
  - File listings
14 File Protection Mechanisms
- Group Protection
  - A user cannot belong to two groups
  - Forces one person to be multiple users
  - Forces a user to be put into all groups
  - Files can only be shared within groups
15 File Protection Mechanisms
- Single Permissions
  - Password/token for each file
    - Can be lost
    - Inconvenient
    - Must be protected (if changed, all users must be notified)
- Temporary Acquired Permission
  - UNIX's set user ID (suid)
16 User Authentication
- Something the user knows (password, PIN, passphrase, mother's maiden name)
- Something the user has (ID, key, driver's license, uniform)
- Something the user is (biometrics)
17 Use of Passwords
- Mutually agreed-upon code words, assumed known only to the user and the system
- First line of defense
- Loose-Lipped Systems
  - WELCOME TO XYZ COMPUTING
  - ENTER USER ID: summers
  - INVALID USER NAME
  - ENTER USER ID:
18 Attack on Passwords
- Ask the user
- Search for the system's list of passwords
- Find a valid user ID
- Create a list of possible passwords (encrypted if needed)
- Rank the passwords from high to low probability
- Try each password
- If an attempt fails, try again (without exceeding the password lockout)
19 Attack on Passwords
- Exhaustive Attack (brute force)
  - 18,278 passwords of 3 letters or less
  - At 1 password per millisecond this would take 18 seconds (8 minutes for 4 letters, 3.5 hours for 5 letters)
- Probable Passwords (dictionary attack)
  - An 80,000-word dictionary would take 80 seconds
  - Expanded dictionary
20 Attack on Passwords
- UK Study (http://www.cnn.com/2002/TECH/ptech/03/13/dangerous.passwords/?related)
  - 50% of passwords were family names
  - Celebrities/soccer stars: 9% each
  - Pets: 8%
  - 10% reflect a fantasy
  - Only 10% use cryptic combinations
21 Attack on Passwords
- Look on the desk
- Try no password
- Try the user ID
- Try the user's name
- Common words (password, private, secret)
- Short dictionary
- Complete English word list
- Common non-English dictionaries
- Dictionary with capitalization and substitutions (0 for o and 1 for i)
- Brute force (lowercase alphabet)
- Brute force (full character set)
22 Attack on Passwords
- Plaintext system password list (MS Windows)
- Encrypted password list, one-way (/etc/passwd)
- Shadow password list (/etc/shadow)
- Salt: 12-bit number formed from the system time and process ID, concatenated to the password
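An added simulation (not from the slides) of the salted one-way password list described above. The classic UNIX implementation used DES-based `crypt(3)`; this example keeps the 12-bit salt but substitutes SHA-256 as the one-way function so it runs with the standard library alone, and the way time and process ID are combined into the salt is an assumption.

```python
import hashlib
import os
import secrets
import time


def make_salt():
    """12-bit salt from the system time and process id, as the slide describes.
    How the two are combined is an assumption. Only 4096 values are possible,
    which is why later schemes moved to much longer random salts."""
    return (int(time.time()) + os.getpid()) & 0xFFF


def one_way(salt, password):
    """One-way function over the salt concatenated with the password."""
    data = salt.to_bytes(2, "big") + password.encode()
    return hashlib.sha256(data).hexdigest()


def store(password, salt=None):
    """Record kept in the shadow file: the salt in clear, then the hash.
    The salt has to be stored because the check must repeat the computation."""
    if salt is None:
        salt = make_salt()
    return f"{salt:04d}${one_way(salt, password)}"


def verify(record, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt_text, stored = record.split("$", 1)
    return secrets.compare_digest(one_way(int(salt_text), candidate), stored)


def salts_differ(password):
    """Why the salt matters: two users with the same password get different
    records, so one precomputed table of hashes cannot match both at once."""
    return store(password, salt=7) != store(password, salt=4095)


if __name__ == "__main__":
    rec = store("constructed-example")
    print(rec)                                # e.g. 0913$<64 hex digits>
    print(verify(rec, "constructed-example"))  # True
    print(verify(rec, "wrong"))                # False
    print(salts_differ("constructed-example"))  # True
```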
23 Password Selection Criteria
- Use characters other than A-Z
- Choose long passwords
- Avoid names and words
- Choose an unlikely password
- Change the password regularly (don't reuse)
- Don't write it down
- Don't tell anyone
- http://www.mit.edu/afs/sipb/project/doc/passwords/passwords.html
- One-time passwords
24 Authentication
- Should be slow (5-10 seconds)
- Should only allow a limited number of failures (e.g. 3)
- Challenge-Response Systems
- Impersonation of Login
- Authentication Other than Passwords
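An added example (not from the slides) that ties slide 17 to slide 24: the loose-lipped prompt that confirms which user IDs exist, beside a login that returns one uniform message, delays each attempt, and stops accepting attempts after a limited number of failures. The user store, password and helper names are constructed for illustration; the per-attempt delay is set to zero so the example runs quickly.

```python
import hashlib
import secrets
import time

MAX_FAILURES = 3      # slide 24: allow only a limited number of failures (e.g. 3)
DELAY_SECONDS = 0.0   # slide 24 suggests 5-10 s per attempt; 0 here so the demo is quick

# Constructed user store: username -> SHA-256 of the password. Unsalted only
# to keep the example short; the slide 22 scheme would add a salt.
USERS = {"summers": hashlib.sha256(b"constructed-example").hexdigest()}


def verify(username, password):
    """Compare even for unknown users, so response time does not reveal IDs."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return secrets.compare_digest(USERS.get(username, "0" * 64), digest)


def loose_lipped_login(username, password):
    """Slide 17's behaviour: the system confirms whether the user ID is
    valid, handing out half of what a guesser needs."""
    if username not in USERS:
        return "INVALID USER NAME"
    return "WELCOME" if verify(username, password) else "INVALID PASSWORD"


class Login:
    """Uniform response, per-attempt delay, lockout after MAX_FAILURES."""

    def __init__(self):
        self.failures = {}

    def attempt(self, username, password):
        if self.failures.get(username, 0) >= MAX_FAILURES:
            return "LOGIN INCORRECT"       # locked out: no different message
        time.sleep(DELAY_SECONDS)          # slide 24: authentication should be slow
        if verify(username, password):
            self.failures.pop(username, None)
            return "WELCOME"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "LOGIN INCORRECT"           # same text for bad ID and bad password


if __name__ == "__main__":
    print(loose_lipped_login("nobody", "x"))   # INVALID USER NAME (leaks validity)
    login = Login()
    print(login.attempt("nobody", "x"))        # LOGIN INCORRECT
    print(login.attempt("summers", "x"))       # LOGIN INCORRECT (indistinguishable)
```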