Chapter 4 (Part 1) Network Security

Post on 22-Feb-2016


Chapter 4 – Protection in General-Purpose Operating Systems

Section 4.1 Protected Objects and Methods of Protection
Section 4.2 Memory and Address Protection
4.3 Control of Access to General Objects
4.4 File Protection Mechanisms

In this Section

- Memory Protection
  - Fence
  - Base/Bound
  - Segmentation
  - Page
  - Segmentation/Page
- Object Control
  - Directory
  - Access Control List
  - Access Control Matrix
  - Kerberos
- File Protection Mechanisms

Protection in General-Purpose OS

- Some programs are insecure just based upon the nature of the program
- Problem Children: Operating Systems and Databases (require access by many different “privileged” users)
- OS General Goal: Controlling Shared Access and Interface.
- OS Functions (each raises many security concerns)
  - Access Control
  - Identification and Credentials
  - Information flow
- Need to separate levels of security for particular users

Protected Objects and Methods of Protection

- In the beginning there was no OS. Programs were just input by hand – cards/switches and the human hand were the OS
- The early OS was just a utility called an executive and only handled a single user – system resources managed by the user
- The multiprogrammed OS allowed for more than one user – system resources managed by the monitor
- Early-day protection was easy – you protected the user from themselves, but today you must protect all users of an OS from each other and from Mallory

Protected Objects

- In a multiprogram environment many objects need protection:
  - Memory
  - Sharable I/O devices
  - Serially/Parallel reusable I/O devices
  - Sharable programs and subprocedures
  - Networks
  - Sharable Data
- Notice the one thing all of these have in common: they are “shared”

Security Methods of Operating Systems

- The basis of protection is separation (keeping user objects away from other users)
- Methods of Separation:
  - Physical – nothing shared
  - Temporal – operating things at different times
  - Logical – running together but can’t access each other
  - Cryptographic – running together but concealed

Levels of Share Protection

- Do not Prevent – no protection when procedures are being run at different times
- Isolate – running concurrently but aware of each other; separate space, objects and files
- Share all or share nothing – owner of an object declares it public or private (all or none)
- Share via access limitation – each user is checked for access availability of an object
- Share by capabilities – dynamic creation of shared objects
- Limit use of an object – user has varying access to an object

Each has a varying level of granularity – greater granularity creates greater access control

Fence/Fence Register – Memory and Address Protection

- Simplest of all protection
- Confine the user to one side of a boundary
- Used to separate OS and Program (wasteful use of space)
- Protects a user from an OS but not a user from another user

Base/Bound Register

- Created for a multiuser environment
- Base Register – variable fence register (lower bound)
- Bound Register – the upper address limit

Tagged Architecture

- In base/bound, sharing of data is all or nothing. It is hard to manage because of its contiguous data space.
- Tagged Architecture – every word of machine memory has one or more extra bits to identify access rights

Segmentation

- Segmentation – notion of dividing a program into separate pieces – each has a logical unity
- Code for a procedure, sub procedure, array
- Unlimited number of base/bound registers
- <name, offset>

Segmentation

- Segment Address Table is created for each program, used to determine the true memory address of an instruction or data

Paging

- Program divided into equal-size chunks called pages and inserted into page frames; <page, offset>
- Unlike segmentation, all pages are the same size, removing most fragmentation
- Slight shifting of data can cause security problems

Paging-Segmentation

- Combining the benefits of Paging and Segmentation
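
Added example, not part of the original slides: a Python model of the two address translations above, <name, offset> through a segment address table and <page, offset> through a page table. The segment names, addresses, sizes, page size and the helper `faults` are constructed for illustration.

```python
from dataclasses import dataclass

PAGE_SIZE = 0x1000  # constructed page size, in words


class ProtectionFault(Exception):
    """A memory reference the translation tables do not allow."""


@dataclass(frozen=True)
class Segment:
    base: int    # physical start address (this segment's base register)
    size: int    # segment length in words (this segment's bound)
    rights: str  # permitted access modes, a subset of "rwx"


# Constructed segment address table for one program.
SEGMENT_TABLE = {
    "MAIN": Segment(base=0x4000, size=0x200, rights="rx"),
    "DATA": Segment(base=0x9000, size=0x100, rights="rw"),
}
# Constructed page table for one program: page number -> page frame.
PAGE_TABLE = {0: 7, 1: 3}


def translate_segment(table, name, offset, mode):
    """Translate <name, offset>; fault on unknown name, bad offset or mode."""
    seg = table.get(name)
    if seg is None:
        raise ProtectionFault(f"unknown segment {name!r}")
    if not 0 <= offset < seg.size:
        raise ProtectionFault(f"offset {offset:#x} is outside {name}")
    if len(mode) != 1 or mode not in seg.rights:
        raise ProtectionFault(f"{mode!r} access to {name} is not permitted")
    return seg.base + offset


def translate_page(page_table, address):
    """Translate <page, offset>; only an unmapped page can fault."""
    page, offset = divmod(address, PAGE_SIZE)
    if address < 0 or page not in page_table:
        raise ProtectionFault(f"page {page} is not mapped")
    return page_table[page] * PAGE_SIZE + offset


def faults(fn, *args):
    """Return True when the reference is refused."""
    try:
        fn(*args)
    except ProtectionFault:
        return True
    return False
```

The segment lookup refuses an offset past the end of DATA because each segment carries its own bound, while the page lookup accepts every offset inside a mapped page, since a page has no logical unity to check against.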

Control of Access to General Object

- Objects to Protect
  - Memory
  - File or data on storage device
  - Executing program in memory
  - Directory of files
  - Hardware device
  - Data structure
  - Tables of the OS
  - Instructions, privileged instructions
  - Passwords – Authentication
  - The protection mechanism

Goals in Protecting Objects

- Check every access – able to revoke a right to an object
- Enforce least privilege – user/object should have access to the smallest number of objects necessary to perform some task
- Verify acceptable usage – not just whether an object is accessed, but whether its use of the object is acceptable

Directory Access

- Each user has a list to determine access to an object
- Problem – large lists, revocation of access, and multiple entries of the same name

Access Control List

- A single list for each object
- Lots of advantages over Directory Access

Access Control Matrix

- Each row represents a subject and each column represents an object. Each entry is the set of access rights
- Table 4-1 in textbook
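
Added example, not part of the original slides: a Python sketch of one access control matrix read by row (the Directory scheme) and by column (the Access Control List scheme), with the same revocation carried out in each. The subjects, objects, rights and the rule that owners keep their rights are constructed for illustration.

```python
import copy

# Constructed access control matrix: one row per subject, one column per object.
MATRIX = {
    "alice": {"payroll.db": {"own", "read", "write"}, "report.txt": {"read"}},
    "bob": {"payroll.db": {"read"}, "report.txt": {"own", "read", "write"}},
    "carol": {"report.txt": {"read"}},
}


def allowed(matrix, subject, obj, right):
    """Check one access; a missing entry means no rights (default deny)."""
    return right in matrix.get(subject, {}).get(obj, set())


def directories(matrix):
    """Row view: each subject holds a list of objects (Directory scheme)."""
    return copy.deepcopy(matrix)


def acls(matrix):
    """Column view: each object holds a list of subjects (ACL scheme)."""
    out = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            out.setdefault(obj, {})[subject] = set(rights)
    return out


def revoke_in_directories(dirs, obj, right):
    """Revoke a right from all non-owners; returns how many lists were read."""
    for row in dirs.values():  # every subject's directory has to be searched
        if obj in row and "own" not in row[obj]:
            row[obj].discard(right)
    return len(dirs)


def revoke_in_acl(acl, obj, right):
    """The same revocation, made on the object's single list."""
    for rights in acl.get(obj, {}).values():
        if "own" not in rights:
            rights.discard(right)
    return 1  # only the list attached to obj was read
```

With three subjects the directory form reads three lists to revoke one right on `report.txt`, and that count grows with the number of users, which is the revocation problem the Directory Access slide names.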

Capability

- A capability is an unforgeable token that gives rights to an object
- Sometimes a user must have a ticket; Domain usage

Kerberos

- Kerberos is an implementation of a ticket-based system with authentication
- Authentication Server (AS) – authenticates the user
- Ticket Granting Server (TGS) – provides the ticket
- Key Distribution Center (KDC) – is made up of the AS and TGS

File Protection Mechanisms

- All-None System (Unacceptable)
  - Lack of Trust
  - Too Coarse
  - Rise of Sharing
  - Complexity
  - File Listings
- Group Protection (has problems)
  - Group Affiliation
  - Multiple Personalities
  - All Groups
  - Limited Sharing