Security & Protection In Operating System

Nov 29, 2014


Abu Bakr Ashraf

A detailed discussion on Security and Protection in an Operating System
Transcript
Page 1: Security & protection in operating system

Security & Protection In Operating System

Page 2: Security & protection in operating system

Muhammad Usman Zia Akram, Abu Bakr Ashraf, Fajjar Ul Islam Bilal, Bilal Tahir

Page 3: Security & protection in operating system

Contents

What is?

Protection Mechanism

Threat and Threat Monitoring

Attack Techniques

Authentication Mechanism

Protection System

Protection Problems

Feature of Secure OS

Page 4: Security & protection in operating system

What is Security in OS……

Issues external to the OS: authentication of users, validation of messages, malicious or accidental introduction of flaws, etc.

Page 5: Security & protection in operating system

What is Protection in OS……

Mechanisms and policy to keep programs and users from accessing or changing things they should not

Internal to the OS

Page 6: Security & protection in operating system

Protection and Security

An operating system consists of a collection of objects, hardware or software

Each object has a unique name and can be accessed through a well-defined set of operations (hopefully)

Protection and security problem – ensure that each object is accessed correctly and only by those processes of authorized users that are allowed to do so

Page 7: Security & protection in operating system

Protection and Security – cont.

OS designer faces challenge of creating a protection scheme that cannot be bypassed by any software that may be created in the future

Networking adds to the problem as it allows access to a computer and its resources without being in the same physical location

Page 8: Security & protection in operating system

Security Goals

(Figure: processes A, B and C on machines X and Y access resources W, X, Y and Z with read or read/write rights.)

• Authentication
• Authorization

Page 9: Security & protection in operating system

Security Kernel

Responsible for implementing the security mechanisms of the entire operating system.

Provides the security interfaces among the hardware, the operating system, and the other parts of the computing system.

Implementation of a security kernel:

May degrade system performance (one more layer).

May be large.

No guarantees.

Page 10: Security & protection in operating system

Security

The security environment

User authentication

Attacks from inside the system

Attacks from outside the system

Protection mechanisms

Trusted systems

Page 11: Security & protection in operating system

Security environment: threats

Operating systems have goals: Confidentiality, Integrity, Availability

Someone attempts to subvert the goals: Fun, Commercial gain

Goal                  Threat
Data confidentiality  Exposure of data
Data integrity        Tampering with data
System availability   Denial of service

Page 12: Security & protection in operating system

What kinds of intruders are there?

Casual prying by nontechnical users – curiosity

Snooping by insiders – often motivated by curiosity or money

Determined attempt to make money – may not even be an insider

Commercial or military espionage – this is very big business!

Page 13: Security & protection in operating system

Accidents cause problems, too…

Acts of God

Fires

Earthquakes

Wars (is this really an “act of God”?)

Hardware or software error

CPU malfunction

Disk crash

Program bugs (hundreds of bugs found in the most recent Linux kernel)

Human errors

Data entry

Wrong tape mounted

Page 14: Security & protection in operating system

User authentication

Problem: how does the computer know who you are?

Solution: use authentication to identify

Something the user knows

Something the user has

Something the user is

This must be done before the user can use the system

Important: from the computer’s point of view…

Anyone who can duplicate your ID is you

Fooling a computer isn’t all that hard…

Page 15: Security & protection in operating system

Authentication using passwords

Successful login lets the user in. If things don’t go so well…

Login rejected after name entered

Login rejected after name and incorrect password entered

Don’t notify the user of an incorrect user name until after the password is entered! Early notification can make it easier to guess valid user names.

Successful login:

Login: elm
Password: foobar
Welcome to Linux!

Rejected after the name (reveals that the name is invalid):

Login: jimp
User not found!
Login:

Rejected after the password:

Login: elm
Password: barfle
Invalid password!
Login:
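As an added example (not part of the original deck), a login check that applies the slide's rule: the password is always collected and hashed, and the reply never reveals whether the name or the password was wrong. The user database, salts and message strings are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 of the password; only hashes are stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user database (username -> (salt, hash)); "elm"/"foobar" matches the slide.
_SALT = os.urandom(16)
USERS = {"elm": (_SALT, _hash("foobar", _SALT))}

# A dummy credential that is hashed whenever the name is unknown, so the
# response takes the same time whether or not the user exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_ERROR = "Login incorrect"   # one message for a bad name and a bad password

def login(name: str, password: str) -> tuple:
    """Return (accepted, message). The name/password sequence is always completed,
    and the reply never says which of the two was wrong."""
    salt, expected = USERS.get(name, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash(password, salt)
    # compare_digest avoids leaking the position of the first mismatching byte
    if name in USERS and hmac.compare_digest(candidate, expected):
        return True, "Welcome to Linux!"
    return False, GENERIC_ERROR
```

Both failure paths return the same message and do the same amount of hashing, so an unknown name is not distinguishable from a wrong password.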

Page 16: Security & protection in operating system

Example: Windows XP

Security is based on user accounts. Each user has a unique security ID.

Login to an ID creates a security access token

Includes the security ID for the user, for the user’s groups, and special privileges

Every process gets a copy of the token

System checks the token to determine if access is allowed or denied

Uses a subject model to ensure access security. A subject tracks and manages permissions for each program that a user runs.

Page 17: Security & protection in operating system

Authentication using biometrics

Use basic body properties to prove identity. Examples include:

Fingerprints

Voice

Hand size

Retina patterns

Facial features

Potential problems:

Duplicating the measurement

Stealing it from its original owner?

Page 18: Security & protection in operating system

User Policy

Restricting access:

commands

file access

login times

network access

terminal access

Inactive users:

Detection

Password change

Locking (change shell)

Deletion (after backup)

Ultimately – need multilevel security

Page 19: Security & protection in operating system

Multilevel Security

Users with different needs to know sharing a computer or network

If a user doesn’t need to know, they shouldn’t even be able to determine whether the information exists

Should be able to filter functionality based on allowable information

Mandatory and Discretionary protections

Page 20: Security & protection in operating system

Monitor Model

General schema: takes the user's request; consults access control information; allows or disallows the request.

Advantages: easy to implement; easy to understand.

Disadvantages: bottleneck in the system; controls only direct accesses (not inferences).

Page 21: Security & protection in operating system

Military Security Model

Information is ranked: Unclassified, Confidential, Secret, Top Secret

Least Privilege: a subject should have access to the fewest objects needed for successful work. The system backup program may be allowed to bypass read restrictions on files, but it would not have the ability to modify files.

“Need to Know”

Page 22: Security & protection in operating system

Where viruses live in the program

(Figure: an uninfected program consisting of a header, the executable program and its starting address; then three infected layouts: virus at the start of the program, virus at the end of the program, and virus in the program’s free spaces.)

Page 23: Security & protection in operating system

Viruses infecting the operating system

(Figure, three panels showing the operating system’s syscall traps and its disk, clock and keyboard interrupt vectors: the virus has captured the interrupt and trap vectors; the OS retakes the keyboard vector; the virus notices and recaptures the keyboard vector.)

Page 24: Security & protection in operating system

Protection

Security is mostly about mechanism: how to enforce policies

Policies are largely independent of mechanism

Protection is about specifying policies: how to decide who can access what?

Specifications must be:

Correct

Efficient

Easy to use (or nobody will use them!)

Page 25: Security & protection in operating system

Principles of Protection

Guiding principle – principle of least privilege: programs, users and systems should be given just enough privileges to perform their tasks

Page 26: Security & protection in operating system

Authentication Mechanisms

Basis of most protection mechanisms. Two types of authentication:

External: verify the user. Usually a username/password combination; may require two passwords or other identification

Internal: verify the process. Don’t allow one user’s process to appear to be that of another user

Page 27: Security & protection in operating system

Authorization

Is this user/process allowed to access the resource under the current policy?

What type of access is allowable? Read, Write, Execute, Append

Page 28: Security & protection in operating system

Abu Bakr Ashraf

Page 29: Security & protection in operating system

Program Threats

Virus dropper inserts a virus onto the system. There are many categories of viruses, and literally many thousands of viruses: File, Boot, Macro, Polymorphic, Source code, Encrypted, Stealth, Tunneling, Multipartite, Armored

Page 30: Security & protection in operating system

Program Threats Cont.…

Trojan Horse: code segment that misuses its environment. Exploits mechanisms for allowing programs written by users to be executed by other users. Spyware, pop-up browser windows, covert channels.

Trap Door: specific user identifier or password that circumvents normal security procedures. Could be included in a compiler.

Logic Bomb: program that initiates a security incident under certain circumstances.

Stack and Buffer Overflow: exploits a bug in a program (overflow either the stack or memory buffers).

Page 31: Security & protection in operating system

Trojan horses

Free program made available to an unsuspecting user. Actually contains code to do harm. May do something useful as well…

Altered version of a utility program on the victim's computer. Trick the user into running that program.

Page 32: Security & protection in operating system

Trap doors

Normal code:

```c
while (TRUE) {
    printf("login:");
    get_string(name);
    disable_echoing();
    printf("password:");
    get_string(passwd);
    enable_echoing();
    v = check_validity(name, passwd);   /* accept only a valid name/password pair */
    if (v) break;
}
execute_shell();
```

Code with trapdoor:

```c
while (TRUE) {
    printf("login:");
    get_string(name);
    disable_echoing();
    printf("password:");
    get_string(passwd);
    enable_echoing();
    v = check_validity(name, passwd);
    /* trap door: the hard-coded name "elm" is let in whatever the password is */
    if (v || !strcmp(name, "elm")) break;
}
execute_shell();
```

Trap door: a user’s access privileges coded into the program. Example: “joshua” from WarGames

Page 33: Security & protection in operating system

System Threats

Worms – use a spawn mechanism; standalone program (the Internet worm)

Viruses – fragment of code embedded in a legitimate program.

Page 34: Security & protection in operating system

Threat Monitoring

Check for suspicious patterns of activity – e.g., several incorrect password attempts may signal password guessing.

Audit log – records the time, user, and type of all accesses to an object; useful for recovery from a violation and for developing better security measures.

Scan the system periodically for security holes; done when the computer is relatively unused.

Page 35: Security & protection in operating system

Threat Monitoring – Cont.

Check for:

Short or easy-to-guess passwords

Unauthorized set-uid programs

Unauthorized programs in system directories

Unexpected long-running processes

Improper directory protections

Improper protections on system data files

Dangerous entries in the program search path (Trojan horse)

Changes to system programs: monitor checksum values
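An added example, not from the original deck, of three of the checks above run over a constructed directory tree: checksum changes to system programs, unexpected set-uid programs, and dangerous search-path entries. The file names, contents and the PATH string are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def baseline(root: Path) -> dict:
    """SHA-256 of every regular file under root: the known-good state to compare against."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def changed_programs(root: Path, base: dict) -> list:
    """Files whose checksum differs from the baseline, including files that appeared."""
    now = baseline(root)
    return sorted(f for f in now if base.get(f) != now[f])

def setuid_programs(root: Path, allowed: set) -> list:
    """Set-uid or set-gid files that are not on the allow-list."""
    hits = []
    for p in root.rglob("*"):
        rel = str(p.relative_to(root))
        if p.is_file() and p.stat().st_mode & (stat.S_ISUID | stat.S_ISGID) and rel not in allowed:
            hits.append(rel)
    return sorted(hits)

def dangerous_path_entries(path_value: str) -> list:
    """Search-path entries where a planted program could shadow a system one."""
    bad = []
    for entry in path_value.split(":"):
        if not entry.startswith("/"):           # empty or relative entry
            bad.append(entry or "(empty)")
        elif os.path.isdir(entry) and os.stat(entry).st_mode & stat.S_IWOTH:
            bad.append(entry)                   # world-writable directory
    return bad

def demo() -> dict:
    """Constructed scenario in a temp dir: one program is tampered with, one gains a set-uid bit."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        ls, cp = root / "bin" / "ls", root / "bin" / "cp"
        ls.write_bytes(b"#!/bin/sh\necho ls\n")
        cp.write_bytes(b"#!/bin/sh\necho cp\n")
        base = baseline(root)
        ls.write_bytes(b"#!/bin/sh\necho trojaned\n")   # a system program changed
        os.chmod(cp, 0o4755)                             # an unexpected set-uid program
        return {"changed": changed_programs(root, base),
                "setuid": setuid_programs(root, allowed=set()),
                "path": dangerous_path_entries(".:/usr/bin::/usr/local/bin")}
```

The baseline must be taken on a system known to be clean and stored where the monitored system cannot rewrite it, otherwise a tampered program simply becomes the new baseline.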

Page 36: Security & protection in operating system

Kerberos Network Authentication

A set of network protocols used to authenticate access to a computer by a user at a different computer over an insecure network

Assumes information over the network could be tampered with

Does not assume the OS on either machine is secure

Developed at MIT in the 80’s; widely used

Page 37: Security & protection in operating system

Kerberos

(Figure: authentication server, client and server.)

• Client asks the authentication server for credentials of the server process

Page 38: Security & protection in operating system

Kerberos

(Figure: the authentication server’s reply holds a session key encrypted for the client, and a ticket containing the client ID and session key encrypted for the server.)

• Authentication server returns the credentials as a ticket and session key, with the key encrypted using the client’s key

Page 39: Security & protection in operating system

Kerberos

(Figure: the client now holds the session key and the ticket; the ticket goes to the server.)

• Client decrypts the ticket and key; keeps a copy of the session key
• Sends a copy of the ticket to the server

Page 40: Security & protection in operating system

Kerberos

(Figure: the server, holding its copy of the ticket, now has the client ID and session key; the client holds the same session key.)

• Server decrypts its copy of the ticket to obtain a secure copy of the client ID and session key
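The four-step exchange on pages 37–40 as an added example, not from the original deck or from MIT's Kerberos: an authentication server that shares a long-term key with the client and another with the server. The toy cipher, the key material and the principal names are constructed for the example.

```python
import hashlib
import json
import os

def _stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (SHA-256 of key||nonce||counter XORed with the data).
    Illustration only, not the cipher Kerberos actually uses."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(8)
    return nonce + _stream(key, nonce, plaintext)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return _stream(key, blob[:8], blob[8:])

# Constructed long-term keys: the authentication server shares one with each principal.
CLIENT_KEY = hashlib.sha256(b"client secret (constructed)").digest()
SERVER_KEY = hashlib.sha256(b"server secret (constructed)").digest()

def authentication_server(client_id: str, server_id: str) -> bytes:
    """Step 2: returns {session key, ticket} encrypted for the client. The ticket
    carries the client ID and session key and is encrypted for the server."""
    session_key = os.urandom(32).hex()
    ticket = encrypt(SERVER_KEY, json.dumps({"client_id": client_id, "session_key": session_key}).encode())
    reply = {"server_id": server_id, "session_key": session_key, "ticket": ticket.hex()}
    return encrypt(CLIENT_KEY, json.dumps(reply).encode())

def client(reply_blob: bytes) -> tuple:
    """Step 3: client decrypts with its own key, keeps the session key, forwards the ticket."""
    reply = json.loads(decrypt(CLIENT_KEY, reply_blob))
    return reply["session_key"], bytes.fromhex(reply["ticket"])

def server(ticket: bytes) -> tuple:
    """Step 4: server decrypts the ticket with its own key and learns the client ID
    and session key; it never sees the client's long-term key."""
    t = json.loads(decrypt(SERVER_KEY, ticket))
    return t["client_id"], t["session_key"]

def run_exchange(client_id: str = "elm", server_id: str = "fileserver") -> bool:
    """True when both ends hold the same session key and the server knows who the client is."""
    session_key, ticket = client(authentication_server(client_id, server_id))
    who, server_session_key = server(ticket)
    return who == client_id and session_key == server_session_key
```

The toy cipher gives confidentiality only; real Kerberos also binds timestamps and integrity checks into the ticket, which is what lets it tolerate a network where messages may be tampered with or replayed.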

Page 41: Security & protection in operating system

Services, Mechanisms, Attacks (OSI Security Architecture)

Attack – action that compromises the security of information owned by an organization

Mechanisms – detect, prevent or recover from a security attack

Services – enhance the security of data processing systems and transfers – counter security attacks

Page 42: Security & protection in operating system

Security Attacks

Normal flow (figure: information source → information destination)

Page 43: Security & protection in operating system

Security Attacks

Interruption (figure: information source, information destination)

• Attack on availability

Page 44: Security & protection in operating system

Security Attacks

Interception (figure: information source, information destination)

• Attack on confidentiality

Page 45: Security & protection in operating system

Security Attacks

Modification (figure: information source, information destination)

• Attack on integrity

Page 46: Security & protection in operating system

Security Attacks

Fabrication (figure: information source, information destination)

• Attack on authenticity

Page 47: Security & protection in operating system

Security Attacks

Passive threats (figure):

Release of message contents

Traffic analysis

Page 48: Security & protection in operating system

Security Attacks

Active threats (figure) – some modification of the data stream:

Masquerade

Replay

Modification of message contents

Denial of service

Page 49: Security & protection in operating system

Security Attacks

“On the Internet, nobody knows you’re a dog” – by Peter Steiner, New York, July 5, 1993

Page 50: Security & protection in operating system

Fajjar ul Islam Bilal

Page 51: Security & protection in operating system

Protection System

Set of objects

Set of subjects

Set of rules specifying the protection policy

Represents the accessibility of objects by subjects

Guarantees that the protection state is checked for each access of an object by a subject

Page 52: Security & protection in operating system

A Protection System

(Figure: subject S, object X.)

• S desires access of type a to X

Page 53: Security & protection in operating system

A Protection System

(Figure: subject S, object X, protection state.)

• S desires access of type a to X
• Protection state reflects the current ability to access X

Page 54: Security & protection in operating system

A Protection System

(Figure: subject S, object X, protection state, state transition.)

• S desires access of type a to X
• Protection state reflects the current ability to access X
• Authorities can change

Page 55: Security & protection in operating system

A Protection System

(Figure: subject S, object X, protection state, state transition, rules.)

• S desires access of type a to X
• Protection state reflects the current ability to access X
• Authorities can change
• What are the rules for changing authority?

Page 56: Security & protection in operating system

A Protection System

(Figure: subject S, object X, protection state, state transition, rules, policy.)

• S desires access of type a to X
• Protection state reflects the current ability to access X
• Authorities can change
• What are the rules for changing authority?
• How are the rules chosen?

Page 57: Security & protection in operating system

Lampson’s Protection Model

Active parts (e.g., processes or threads): act on behalf of users

Operate in different protection domains: the set of rights a process has at any given time

Subject is a process executing in a specific domain

Passive parts are called objects: correspond to resources

NOTE: not related to OOP terminology
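An added example (not from the original deck) that works through the Monitor Model (page 20), the protection state and transition rules of pages 51–56, and Lampson's domains: an access matrix with a check operation and three transition rules (copy, revoke, domain switch). The right names, domains and objects are constructed for the example.

```python
from collections import defaultdict

class AccessMatrix:
    """Lampson's access matrix: rows are domains, columns are objects (domains are objects
    too), cells hold rights. check() is the monitor's question; the rest are transition rules."""
    def __init__(self):
        self.cells = defaultdict(set)   # (domain, object) -> set of rights
    def grant(self, domain: str, obj: str, *rights: str) -> None:
        self.cells[(domain, obj)].update(rights)   # policy sets the initial state
    def check(self, domain: str, obj: str, right: str) -> bool:
        """Reference monitor: may a subject in `domain` perform `right` on `obj`?
        A right carrying the copy flag (e.g. 'read*') implies the plain right."""
        cell = self.cells[(domain, obj)]
        return right in cell or right + "*" in cell
    def copy_right(self, actor: str, target: str, obj: str, right: str) -> None:
        """Rule: a domain holding `right*` on obj may pass `right` (without the flag) on."""
        if right + "*" not in self.cells[(actor, obj)]:
            raise PermissionError(f"{actor} may not copy {right} on {obj}")
        self.cells[(target, obj)].add(right)
    def revoke(self, actor: str, target: str, obj: str, right: str) -> None:
        """Rule: only a domain holding 'owner' on obj may remove another domain's rights."""
        if "owner" not in self.cells[(actor, obj)]:
            raise PermissionError(f"{actor} does not own {obj}")
        self.cells[(target, obj)].discard(right)
    def switch(self, actor: str, new_domain: str) -> str:
        """Rule: a process may change domain only if its domain has 'switch' on the new one."""
        if not self.check(actor, new_domain, "switch"):
            raise PermissionError(f"{actor} may not switch to {new_domain}")
        return new_domain

def demo() -> dict:
    """Constructed state: domains D1..D3 and files F1, F2; results keyed by step."""
    m = AccessMatrix()
    m.grant("D1", "F1", "read", "owner")
    m.grant("D1", "F2", "read*", "write")
    m.grant("D2", "F1", "read")
    m.grant("D2", "D3", "switch")
    r = {"d2_read_f1": m.check("D2", "F1", "read"), "d2_write_f1": m.check("D2", "F1", "write")}
    m.copy_right("D1", "D2", "F2", "read")          # allowed: D1 holds read*
    r["d2_read_f2"] = m.check("D2", "F2", "read")
    try:
        m.copy_right("D1", "D2", "F2", "write")     # denied: write carries no copy flag
        r["copy_write"] = "allowed"
    except PermissionError:
        r["copy_write"] = "denied"
    m.revoke("D1", "D2", "F1", "read")              # allowed: D1 owns F1
    r["d2_read_f1_after"] = m.check("D2", "F1", "read")
    r["new_domain"] = m.switch("D2", "D3")
    return r
```

Every access goes through check(), and the matrix changes only through the rules, which is the guarantee the protection-system slides ask for: the state is consulted on each access and authority changes only as the policy permits.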

Page 58: Security & protection in operating system

Questions……..