Principles of Operating Systems: Design & Applications

Uploaded by solidsenior (category: Servers), 9 Dec 2013

Chapter 21: Principles of Operating System Security

Objectives

- understand the need for authenticating requests and be familiar with some of the basic authentication techniques
- understand the motivation and risks involved with user privileges
- understand the role played by hardware in protection
- be familiar with basic techniques for protecting named resources, including Access Control Lists and Capabilities
- be familiar with the common types of attack and the basic ideas behind dealing with them
- be familiar with the Orange Book classification of levels of trust
- understand the basic operation of both symmetric and public key encryption
- understand the operation of the Diffie-Hellman Key Exchange
- be familiar with the general operation of RSA Key Generation
- understand some basic security elements of Multics, Inferno, and Linux


Security Wisdom

"The only secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards, and even then I have my doubts."
  Gene Spafford (spaf)

Security Objectives

- Allocate scarce resources
- Resource protection
  - Prevent unauthorized access
  - Support exclusive access
  - Protect against both accidental and malicious access

User Authentication

- Permissions based on user identity
- Users identify themselves as part of logging in
- Identities must be verified, a process called authentication

Passwords

- Words or phrases typed as part of the login process
- Shared secrets between user and system
- Often one-way encrypted:
  - Entered password is encrypted
  - Encrypted password compared to stored encrypted password
  - Encryption is sometimes done with a cryptographic hashing function
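As an added illustration (not code from the book or the slides), the following Python shows the one-way scheme above: the stored record holds only a random salt and a hash, the entered password is hashed the same way, and the two hashes are compared. It uses hashlib.pbkdf2_hmac as the cryptographic hashing function and a constant-time comparison; the user names and passwords are constructed sample values, and the iteration count is an assumption chosen for the example.

```python
import hashlib
import hmac
import os

# Iteration count for PBKDF2; a modest value assumed for this example.
ITERATIONS = 200_000

def make_record(password: str) -> dict:
    """Store a password one-way: keep a random salt and the hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

def check_password(record: dict, entered: str) -> bool:
    """Hash the entered password with the stored salt and compare the hashes.

    hmac.compare_digest runs in constant time, so a mismatch in the first byte
    takes as long as a mismatch in the last byte."""
    digest = hashlib.pbkdf2_hmac("sha256", entered.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])

# Constructed sample password file: user name -> record (no plaintext is stored).
PASSWD = {
    "rachel": make_record("correct horse battery staple"),
    "louis": make_record("hunter2"),
}

# Record used to spend the same hashing cost on unknown user names.
_DUMMY = make_record("dummy")

def login(user: str, entered: str) -> bool:
    """Login check: an unknown user costs the same time as a known one."""
    record = PASSWD.get(user)
    if record is None:
        check_password(_DUMMY, entered)   # result ignored; keeps timing uniform
        return False
    return check_password(record, entered)

if __name__ == "__main__":
    print(login("rachel", "correct horse battery staple"))  # True
    print(login("rachel", "wrong"))                         # False
    print(login("nobody", "anything"))                      # False
```

Two records made from the same password get different hashes because each has its own salt, so a stolen password file does not reveal which users share a password.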

Callbacks

- Limit use of misappropriated passwords
- User contacts system and presents identification
- User and system disconnect
- System contacts user at predefined location
- User presents password

Challenge/Response

- Playback attack
  - Eavesdropper records user name/password dialogue
  - Replaying the dialogue logs in successfully
- Decreases risk of playback attack
  - System presents a random string
  - User processes string, often with encryption
  - User sends back result
  - System compares the result to the correct one
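The exchange described above, as an added Python example that is not part of the slides: the server presents a fresh random string (a nonce), the user processes it with the shared secret (a keyed hash, HMAC-SHA256, stands in for "encryption" here), and the server compares the result to its own computation. The shared secret and user name are constructed values. The last function shows why the scheme resists playback: a recorded response is useless once the server has issued a new challenge.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret; in practice derived from the user's password or a token.
SHARED_SECRETS = {"rachel": b"constructed-secret-for-rachel"}

class Server:
    """Issues a fresh random challenge per login attempt and checks the response."""

    def __init__(self):
        self.pending = {}   # user -> outstanding challenge, one at a time

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)   # the "random string" the system presents
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)   # each challenge is usable exactly once
        if nonce is None:
            return False
        expected = hmac.new(SHARED_SECRETS[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_respond(secret: bytes, nonce: bytes) -> bytes:
    """User side: process the challenge with the shared secret (keyed hash here)."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()

def legitimate_login(server: Server, user: str) -> tuple:
    """One honest exchange; returns the result plus what an eavesdropper would record."""
    nonce = server.challenge(user)
    response = client_respond(SHARED_SECRETS[user], nonce)
    return server.verify(user, response), nonce, response

def playback(server: Server, user: str, recorded_response: bytes) -> bool:
    """Replaying a recorded response fails: the server has issued a different nonce."""
    server.challenge(user)
    return server.verify(user, recorded_response)
```

The secret itself never crosses the wire; only the nonce and the keyed hash of it do, and the hash is bound to a nonce that is never reused.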

One-Time Passwords

- Scheme to use a different password on each login
- S/KEY is a common technique
  - Start with shared secret $P_0$
  - Secure hashing function $H$; compute $P_1 = H(P_0),\ P_2 = H(P_1),\ \ldots,\ P_n = H(P_{n-1})$
  - Server starts with $P_n$
  - User sends $P_{n-1}, P_{n-2}, \ldots, P_1$
  - Server receives $P_i$, computes $H(P_i)$ and compares to previous password
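The S/KEY chain above in Python, as an added example (not the slides' own code), with SHA-256 assumed as $H$ and a constructed random $P_0$. The server keeps only the last accepted password, initially $P_n$; the user presents $P_{n-1}, P_{n-2}, \ldots$ in turn, and each login is accepted only when hashing the candidate reproduces the previously accepted value. The demo also shows that a captured password cannot be replayed and that passwords cannot be presented out of order.

```python
import hashlib
import os

def H(x: bytes) -> bytes:
    """The secure hashing function of the scheme (SHA-256 assumed here)."""
    return hashlib.sha256(x).digest()

def build_chain(p0: bytes, n: int) -> list:
    """Return [P_0, P_1, ..., P_n] with P_i = H(P_{i-1})."""
    chain = [p0]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain

class SkeyServer:
    """Stores only the last accepted password, initially P_n."""

    def __init__(self, p_n: bytes):
        self.last = p_n

    def login(self, candidate: bytes) -> bool:
        # Accept P_i exactly when H(P_i) equals the previously accepted P_{i+1}.
        if H(candidate) == self.last:
            self.last = candidate    # the next login must present P_{i-1}
            return True
        return False

class SkeyUser:
    """Holds the chain and hands out P_{n-1}, P_{n-2}, ... in turn."""

    def __init__(self, chain: list):
        self.chain = chain
        self.next_index = len(chain) - 2   # index of P_{n-1}

    def next_password(self) -> bytes:
        pw = self.chain[self.next_index]
        self.next_index -= 1
        return pw

def demo(n: int = 5) -> dict:
    """Run the n-1 logins of one chain, then replay the first password used."""
    chain = build_chain(os.urandom(32), n)     # constructed shared secret P_0
    server, user = SkeyServer(chain[n]), SkeyUser(chain)
    results, used = [], []
    for _ in range(n - 1):                     # user sends P_{n-1}, ..., P_1
        pw = user.next_password()
        used.append(pw)
        results.append(server.login(pw))
    # P_{n-1} again: H(P_{n-1}) = P_n, but the server now expects H(x) = P_1.
    replay = server.login(used[0])
    return {"logins": results, "replay_accepted": replay}
```

An eavesdropper who captures $P_i$ learns nothing usable: the next password the server will accept is $P_{i-1}$, and going from $P_i$ back to $P_{i-1}$ means inverting $H$.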

Biometric Authentication

- Verify user identity with biological characteristics
- Common traits:
  - Fingerprints
  - Retinal patterns
  - Iris patterns

Privileged Users

- System administration requires unrestricted access
- Administrative users are given special privileges:
  - Superuser: no permission checking (e.g. UNIX-like systems)
  - Set of assignable privileges (e.g. VMS and Windows NT)
    - Access I/O devices
    - Modify user properties
    - Access all files
  - Console-only (e.g. early Plan 9)

Resource Protection

- Special CPU features
  - Normally accessible only in kernel mode when handling interrupts and system calls
- Memory
  - MMUs allow processes to access only memory allocated to them
- Files and other resources in the name space
  - Simple protection codes
  - Access control lists
  - Capabilities

Simple Protection Codes

- Files have both user and group ownership
- Permissions defined for owner, for group, and for world
- Possible permissions:
  - Read, write, execute, delete, etc.
- Example:
  - File name: foo, owner: Rachel, group: class
  - Permissions rwer-e--e mean:
    - Rachel can read, write and execute
    - Group class can read and execute
    - Everyone else can only execute
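An added Python example (not from the slides) of the decision a kernel makes with such a code. It parses the slide's nine-character owner/group/world form, with the slide's letter `e` for execute, and applies the usual rule that the first matching class decides: an owner is judged by the owner triple even when the group or world triple is more generous. The file `foo` and the users are the slide's example, constructed here as data.

```python
from dataclasses import dataclass

# Permission letters in the order used on the slide: read, write, execute ('e').
PERM_LETTERS = "rwe"

@dataclass(frozen=True)
class ProtectionCode:
    """Owner/group/world triples such as 'rwer-e--e'."""
    owner: str
    group: str
    world: str

    @classmethod
    def parse(cls, code: str) -> "ProtectionCode":
        if len(code) != 9:
            raise ValueError("protection code must be 9 characters")
        for i, ch in enumerate(code):
            expected = PERM_LETTERS[i % 3]      # each slot holds its letter or '-'
            if ch not in (expected, "-"):
                raise ValueError(f"bad character {ch!r} at position {i}")
        return cls(code[0:3], code[3:6], code[6:9])

@dataclass(frozen=True)
class File:
    name: str
    owner: str
    group: str
    code: ProtectionCode

def allowed(f: File, user: str, groups: set, perm: str) -> bool:
    """The first matching class decides, and only that class is consulted."""
    if user == f.owner:
        triple = f.code.owner
    elif f.group in groups:
        triple = f.code.group
    else:
        triple = f.code.world
    return perm in triple

def summary(f: File, user: str, groups: set) -> str:
    """Spell out what a principal may do, e.g. 'rwe', 're' or 'e'."""
    return "".join(p for p in PERM_LETTERS if allowed(f, user, groups, p))

# The slide's example, constructed here as data.
FOO = File("foo", "Rachel", "class", ProtectionCode.parse("rwer-e--e"))
```

The "first matching class decides" rule is what makes a code such as `---r--rwe` a valid way to keep the owner out of a file that everyone else may use; the checker below the slide reproduces that behaviour rather than taking the union of the triples.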

Access Control Lists (ACLs)

- More fine-grained than simple protection
- For each file:
  - List of entity (user or group)/permission pairs
- Example:
  - (Louis,RW) (Sandra,RW) (CS342,R) (*,-)

Capabilities

- Dual of ACLs
- For each entity:
  - List of resource/permission pairs
- Example:
  - (documents,rw) (21.ppt,r) (testprog,rwx) (*,-)
- Can often be granted and revoked
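The ACL and capability slides describe two views of one access matrix: ACLs are its columns (per resource), capability lists its rows (per entity). The added Python below (not the slides' code) builds both views from a matrix constructed out of the two slide examples, makes the access decision each way, and shows that granting and revoking are edits to the matrix that both views follow. The `(*,-)` default is modelled as "no entry means deny".

```python
from collections import defaultdict

# Access matrix constructed from the two slide examples: (entity, resource) -> permissions.
# Entities may be users or groups (CS342 is a group); any absent cell is the (*,-) default.
MATRIX = {
    ("Louis", "foo"): "RW", ("Sandra", "foo"): "RW", ("CS342", "foo"): "R",
    ("Rachel", "documents"): "rw", ("Rachel", "21.ppt"): "r", ("Rachel", "testprog"): "rwx",
}

def to_acls(matrix: dict) -> dict:
    """Column view of the matrix: for each resource, (entity, permissions) pairs."""
    acls = defaultdict(list)
    for (entity, resource), perms in sorted(matrix.items()):
        acls[resource].append((entity, perms))
    return dict(acls)

def to_capabilities(matrix: dict) -> dict:
    """Row view: for each entity, (resource, permissions) pairs."""
    caps = defaultdict(list)
    for (entity, resource), perms in sorted(matrix.items()):
        caps[entity].append((resource, perms))
    return dict(caps)

def acl_check(acls: dict, resource: str, principals: set, perm: str) -> bool:
    """ACL decision: find the resource, scan its entries for the user or one of the
    user's groups. No matching entry is the (*,-) default, so deny."""
    return any(entity in principals and perm in perms
               for entity, perms in acls.get(resource, []))

def cap_check(caps: dict, entity: str, resource: str, perm: str) -> bool:
    """Capability decision: the entity must itself hold a capability for the resource."""
    return any(res == resource and perm in perms for res, perms in caps.get(entity, []))

def grant(matrix: dict, entity: str, resource: str, perms: str) -> dict:
    """Granting adds a cell; both views are rebuilt from the updated matrix."""
    updated = dict(matrix)
    updated[(entity, resource)] = perms
    return updated

def revoke(matrix: dict, entity: str, resource: str) -> dict:
    """Revoking removes a cell. In ACL form that is one edit to the resource's list; in
    capability form the capability has to be located in the holder's list."""
    return {cell: perms for cell, perms in matrix.items() if cell != (entity, resource)}
```

The last two functions make the practical difference visible: answering "who can access this file?" is a single ACL lookup but a scan of every capability list, while "what can this user access?" is the reverse.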

Types of Threats

- Often called malware
- Man-in-the-middle:
  - Two parties believe they're talking to each other, but are really talking to an eavesdropper
  - The eavesdropper can relay data correctly, or can relay false data
- Trojan horse
  - Masquerades as a legitimate program
  - Lures a user into unintentionally compromising security

Types of Threats (cont.)

- Trapdoor
  - Also called backdoor
  - Mechanism for allowing more privileged access, often for debugging purposes
- Logic bomb
  - Malware that remains idle until some condition occurs
- Time bomb
  - Malware that remains idle until a prescribed time

Types of Threats (cont.)

- Virus
  - Malware that resides within another program or data file
  - Spreads by being inserted into a file on another system or copying an infected file
- Worm
  - Stand-alone malware program
  - Spreads by copying itself to other systems

Types of Threats (cont.)

- Covert channel
  - Technique or mechanism for transmitting data outside intended communication channels
  - Often in the form of steganography
- Denial of service
  - Renders a system incapable of providing its intended service
  - Often in the form of overwhelming the system with requests

Orange Book

- Released in 1983
- Officially named Department of Defense Trusted Computer System Evaluation Criteria
- More recently supplanted by the Common Criteria
- Divides trust into four divisions: A, B, C, and D

Orange Book (cont.)

- Division D: Minimal protection
  - No requirements
  - Any system that doesn't meet the requirements for a higher class

Orange Book (cont.)

- Division C: Discretionary protection
  - Two classes: C1 and C2
  - Requires user names and passwords
  - Requires simple protection codes
  - Requires separation between OS and users
  - Requires documentation of security features
  - C2 additionally requires:
    - Old data cannot be seen when a resource is reused
    - Auditing

Orange Book (cont.)

- Division B: Mandatory protection
  - Divided into three classes: B1, B2, and B3
  - Requires labels for data and users
  - Class B2 adds:
    - Label change notification
    - Trusted login path
    - Formal security model
  - Class B3 adds:
    - ACLs or equivalent
    - More extensive auditing
    - Design shown consistent with formal model

Orange Book (cont.)

- Division A: Verified protection
  - Formal top-level specification
  - Combination of formal and informal techniques to show specification is consistent with model
  - Trusted distribution path

Encryption

- Symmetric encryption
  - Encryption and decryption functions: $E_x$ and $D_x$
  - Use the same key $x$, a shared secret
  - On plaintext message $m$ sender computes ciphertext $c = E(m)$
  - Receiver computes $m = D(c) = D(E(m))$
  - Often we also have $m = E(D(m))$

One-Time Pad

- Essentially unbreakable form of symmetric encryption
- Key is a random string the same length as the message
- Encryption and decryption are symbol-by-symbol combinations of message and key, e.g., modular addition and subtraction
- Key distribution is nearly as difficult as message transmission
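An added Python example (not from the book or slides) covering the two preceding slides: a one-time pad over the 26-letter alphabet, with $E$ as symbol-by-symbol modular addition and $D$ as modular subtraction, used to check the identities $D(E(m)) = m$ and $E(D(m)) = m$ from the symmetric-encryption slide. The alphabet and the helper `symbol_difference` are assumptions for the example; the last one shows why the key must be as long as the message and used once.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase
M = len(ALPHABET)    # modulus for the symbol-by-symbol arithmetic

def keygen(length: int) -> str:
    """A fresh random key symbol for every message symbol."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def E(key: str, message: str) -> str:
    """c_i = (m_i + k_i) mod 26: modular addition, symbol by symbol."""
    if len(key) != len(message):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return "".join(ALPHABET[(ALPHABET.index(m) + ALPHABET.index(k)) % M]
                   for m, k in zip(message, key))

def D(key: str, cipher: str) -> str:
    """m_i = (c_i - k_i) mod 26: modular subtraction, symbol by symbol."""
    if len(key) != len(cipher):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(k)) % M]
                   for c, k in zip(cipher, key))

def round_trips(key: str, message: str) -> tuple:
    """The two identities from the symmetric-encryption slide: D(E(m)) = m and E(D(m)) = m."""
    return D(key, E(key, message)) == message, E(key, D(key, message)) == message

def symbol_difference(a: str, b: str) -> str:
    """(a_i - b_i) mod 26 at each position. For two ciphertexts made with the same key
    this equals the difference of the plaintexts: the key cancels, which is why a pad
    is one-time."""
    return "".join(ALPHABET[(ALPHABET.index(x) - ALPHABET.index(y)) % M]
                   for x, y in zip(a, b))
```

With a truly random key used once, every ciphertext is equally likely for every plaintext of that length, which is the sense in which the slide calls the pad "essentially unbreakable"; the cost is a key as long as all the traffic it protects.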

Symmetric Encryption Standards

- Data Encryption Standard (DES)
- Advanced Encryption Standard (AES)
- International Data Encryption Algorithm (IDEA)
- RC4 used in:
  - Secure Sockets Layer (SSL)
  - Wired Equivalent Privacy (WEP)

Diffie-Hellman Key Exchange

- Public key technique to establish a shared secret without ever transmitting the secret
- Two numbers, $g$ and $p$ where $p$ is prime, are publicly known

1. Alice generates random number $a$ and Bob generates random number $b$
2. Alice transmits $g^a \bmod p$ to Bob and Bob transmits $g^b \bmod p$ to Alice
3. Alice and Bob compute $(g^b)^a \bmod p = g^{ab} \bmod p = (g^a)^b \bmod p$
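The three steps above in Python, as an added example that is not the slides' code. The public parameters are an assumption made for the example: $p = 2^{255} - 19$ (a prime) and $g = 2$; real deployments use standardized groups, and this $g$ is not checked to generate a large-order subgroup. The range check on the received public value is the one defensive step a practitioner would add: the values $0$, $1$ and $p-1$ would force a predictable shared secret.

```python
import secrets

# Toy public parameters assumed for this example (see the lead-in).
P = 2**255 - 19
G = 2

def keypair(p: int = P, g: int = G) -> tuple:
    """Private exponent in [2, p-2] and the public value g^x mod p that is transmitted."""
    x = 2 + secrets.randbelow(p - 3)
    return x, pow(g, x, p)

def shared_secret(own_private: int, peer_public: int, p: int = P) -> int:
    """(peer_public)^own_private mod p, step 3 on the slide."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, own_private, p)

def exchange(p: int = P, g: int = G) -> dict:
    """One run: both sides' transmitted values and both sides' results."""
    a, A = keypair(p, g)               # Alice: secret a, sends A = g^a mod p
    b, B = keypair(p, g)               # Bob:   secret b, sends B = g^b mod p
    k_alice = shared_secret(a, B, p)   # (g^b)^a mod p
    k_bob = shared_secret(b, A, p)     # (g^a)^b mod p
    return {"transmitted": (A, B), "k_alice": k_alice, "k_bob": k_bob}
```

Only $A$ and $B$ ever appear on the wire; the secret exponents stay with their owners, and nothing in the exchange authenticates either side, which is why the Inferno slide later pairs Diffie-Hellman with certificate-based authentication.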

Public Key Encryption

- Asymmetric: different keys for encryption and decryption
- No shared secret
- Encryption key is public and decryption key is private
- Anyone can encrypt a message for anyone else, but only the intended recipient can read it

RSA Key Generation

1. Pick large random numbers $p$ and $q$
2. Let $n = pq$
3. Compute $\varphi(n) = (p - 1)(q - 1)$
4. Pick $e$ relatively prime to $\varphi(n)$
5. Find $d$ such that $ed = 1 \bmod \varphi(n)$
6. Publish $e$ and $n$; $d$ is kept private

$E(x) = x^e \bmod n$
$D(x) = x^d \bmod n$
$x = E(D(x)) = D(E(x)) = x^{ed} \bmod n$

Signatures

- In PKC, how do we know the sender is real?
- Answer: append a signature that can only come from the purported sender:

1. Let recipient be $a$ and the sender $b$
   - $b$ computes $c = E_a(m)$
   - $b$ computes $s = H(m)$ where $H$ is a cryptographic hashing function
   - $b$ sends $c, D_b(s)$
2. Only $a$ can read $c$ and only $b$ could have sent $D_b(s)$
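The RSA key-generation steps and the signature exchange above, as one added Python example that is not from the book or slides. Steps 1 to 6 are followed literally (textbook RSA: no padding, so the message is a single integer smaller than $n$); SHA-256 is assumed as $H$, a Miller-Rabin test stands in for "pick large random primes", and 256-bit primes are a toy size chosen so the example runs quickly. The sender $b$ computes $c = E_a(m)$ and $D_b(H(m))$; the recipient $a$ recovers $m = D_a(c)$ and accepts the signature only if $E_b(D_b(s)) = H(m)$.

```python
import hashlib
import math
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    """Rejection-sample odd candidates of exactly `bits` bits until one is prime."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def keygen(bits: int = 256) -> tuple:
    """Steps 1-6 of the slide. Returns ((e, n), d); 256-bit primes are a toy size."""
    p, q = random_prime(bits), random_prime(bits)      # 1. pick p and q
    while q == p:
        q = random_prime(bits)
    n = p * q                                          # 2. n = pq
    phi = (p - 1) * (q - 1)                            # 3. phi(n) = (p-1)(q-1)
    e = 65537                                          # 4. e relatively prime to phi(n)
    while math.gcd(e, phi) != 1:
        e += 2
    d = pow(e, -1, phi)                                # 5. ed = 1 mod phi(n)
    return (e, n), d                                   # 6. publish (e, n), keep d

def E(public: tuple, x: int) -> int:
    e, n = public
    return pow(x, e, n)

def D(private_d: int, n: int, x: int) -> int:
    return pow(x, private_d, n)

def H(m: bytes) -> int:
    """SHA-256 as the cryptographic hashing function, read as an integer."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big")

def send(m: bytes, pub_a: tuple, pub_b: tuple, d_b: int) -> tuple:
    """Sender b: c = E_a(m), s = H(m); send (c, D_b(s))."""
    x = int.from_bytes(m, "big")
    if x >= pub_a[1]:
        raise ValueError("textbook RSA: message must be smaller than n")
    return E(pub_a, x), D(d_b, pub_b[1], H(m))

def receive(c: int, sig: int, pub_b: tuple, d_a: int, n_a: int) -> tuple:
    """Recipient a: m = D_a(c); the signature is valid iff E_b(D_b(s)) == H(m)."""
    x = D(d_a, n_a, c)
    m = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return m, E(pub_b, sig) == H(m)
```

Signing the hash rather than the message keeps the signature a single RSA operation whatever the message length, and hashing before signing is also what prevents a forger from picking a signature first and deriving a "message" to match it.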

Certificates

- How does a sender know it has the right public key for a recipient?
- Answer: a certificate from a mutually trusted party called a certifying authority (CA)
- CA answers queries with a certificate containing the public key in question and a signature from the CA

Security in Multics

- First to be evaluated as Orange Book class B2
- File system uses ACLs
- Rings provide protection:
  - Each ring has a bracket: $(i, j, k)$

Security in Multics (cont.)

- From ring $r$, access to
  - Data segment ($j = k$)
    - Read and write if $r \le i$
    - Read only if $i < r \le j$
    - No access if $r > k$
  - Code segment
    - Allowed for $r < i$ and code runs in $i$
    - Allowed for $i \le r \le j$ and code runs in $r$
    - Allowed for $j < r \le k$ only through call gates
    - Not allowed for $r > k$
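The ring-bracket rules above as an added Python checker (not from the book or slides): given the caller's ring $r$ and a segment's bracket $(i, j, k)$, it returns the data access the slide allows, and for code segments whether the call is allowed, whether it must go through a call gate, and the ring the code runs in where the slide states one. The bracket validity rule $0 \le i \le j \le k$ and the sample bracket in the usage are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Bracket:
    """Ring bracket (i, j, k); ring 0 is the most privileged. Assumed: 0 <= i <= j <= k."""
    i: int
    j: int
    k: int

    def __post_init__(self):
        if not 0 <= self.i <= self.j <= self.k:
            raise ValueError("bracket must satisfy 0 <= i <= j <= k")

def data_access(r: int, b: Bracket) -> str:
    """Data segment rules from the slide (j = k for data): 'rw', 'r' or 'none'."""
    if r <= b.i:
        return "rw"
    if b.i < r <= b.j:
        return "r"
    return "none"

def code_access(r: int, b: Bracket) -> Optional[tuple]:
    """Code segment rules: (how, ring the code runs in), or None if not allowed.

    From below the bracket the code runs in ring i; from inside it runs in the
    caller's ring r; from above j up to k the call is allowed only through a
    call gate (the slide does not state the ring, so None); above k it is refused."""
    if r < b.i:
        return ("direct", b.i)
    if b.i <= r <= b.j:
        return ("direct", r)
    if b.j < r <= b.k:
        return ("gate", None)
    return None

def access_table(b: Bracket, rings: int = 8) -> list:
    """One row per ring: (r, data access, code access), handy for eyeballing a bracket."""
    return [(r, data_access(r, b), code_access(r, b)) for r in range(rings)]

if __name__ == "__main__":
    for row in access_table(Bracket(2, 4, 6)):   # constructed sample bracket
        print(row)
```

The table makes the design intent visible: privilege decreases outward, so an inner ring may read and write what an outer ring may only read, and an outer ring can reach inner code only at the gate entry points the segment exposes.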

Security in Inferno

- Virtual machine design obviates need for MMU
- Styx supports encryption with RC4, DES, AES, and IDEA
- Encryption keys are exchanged with Diffie-Hellman
- Authentication uses public key techniques with a CA

Security in Linux

- Includes traditional UNIX features
  - Superuser
  - Set UID and set GID flags
  - ACLs in some file systems
- Security enhanced Linux (SELinux) adds mandatory protection

Summary

- Security is increasingly important
- Basic authentication and protection techniques are well-established
- There exist trust criteria
- Public key encryption techniques are adding a new level of security and are included in Inferno
- Multics rings are well-structured but not frequently replicated