Chapter 4 (Part 1) – Network Security
Chapter 4 – Protection in General-Purpose Operating Systems
Section 4.1 Protected Objects and Methods of Protection
Section 4.2 Memory and Address Protection
Section 4.3 Control of Access to General Objects
Section 4.4 File Protection Mechanisms

In this Section
- Memory Protection: Fence, Base/Bound, Segmentation, Paging, Segmentation/Paging
- Object Control: Directory, Access Control List, Access Control Matrix, Kerberos
- File Protection Mechanisms
Protection in General-Purpose OS
- Some programs are insecure simply by the nature of the program
- Problem children: operating systems and databases (both require access by many different "privileged" users)
- OS general goal: controlling shared access and the interface to shared resources
- OS functions (each has serious security concerns):
  - Access control
  - Identification and credentials
  - Information flow
- Need to separate levels of security for particular users
Protected Objects and Methods of Protection
- In the beginning there was no OS: programs were input directly via cards or switches, and the human operator was the OS
- An early OS was just a utility called an executive; it handled a single user, and system resources were managed by that user
- A multiprogrammed OS allowed more than one user; system resources were managed by the monitor
- Early protection was easy: you protected the user from themselves. Today you must protect all users of an OS from each other and from an attacker (Mallory)
Protected Objects
- In a multiprogrammed environment many objects need protection:
  - Memory
  - Sharable I/O devices
  - Serially or parallel reusable I/O devices
  - Sharable programs and subprocedures
  - Networks
  - Sharable data
- Notice the single common thread: all of these are "shared"
Security Methods of Operating Systems
- The basis of protection is separation: keeping one user's objects away from other users
- Methods of separation:
  - Physical: nothing is shared
  - Temporal: things operate at different times
  - Logical: running together, but unable to access each other's objects
  - Cryptographic: running together, but data is concealed from others
Levels of Shared Protection
- Do not protect: no protection; acceptable only when procedures run at different times
- Isolate: processes run concurrently but are unaware of each other; separate address space, objects and files
- Share all or share nothing: the owner of an object declares it public or private (all or none)
- Share via access limitation: each user is checked for access on every request for an object
- Share by capabilities: dynamic creation of sharing rights for objects
- Limit use of an object: users have varying kinds of access to an object, not just access or no access
- Each level has a different granularity; finer granularity gives finer (and more costly) access control
Fence/Fence Register – Memory and Address Protection
- Simplest of all protections
- Confines the user to one side of a boundary
- Used to separate the OS from user programs (a fixed fence wastes space)
- Protects the OS from a user program, but does not protect one user from another
Base/Bound Registers
- Created for a multiuser environment
- Base register: a variable fence register (the lower bound of the user's space)
- Bound register: the upper address limit
- Every memory reference is checked against both registers
Tagged Architecture
- With base/bound, sharing of data is all or nothing, and it is hard to manage because the protected area is a single contiguous data space
- Tagged architecture: every word of machine memory carries one or more extra bits that identify the access rights for that word
Segmentation
- Segmentation: the notion of dividing a program into separate pieces, each with a logical unity (code for a procedure or subprocedure, an array, etc.)
- Effectively an unlimited number of base/bound registers; addresses are <name, offset>
- A Segment Address Table is created for each program and used to determine the true memory address of an instruction or data item
Paging
- The program is divided into equal-size chunks called pages, which are loaded into page frames; addresses are <page, offset>
- Unlike segments, all pages are the same size, which removes most fragmentation
- Pages have no logical unity, so a slight shift of data can move an item across a page boundary and change which protection applies to it; this can cause security problems
Paging-Segmentation
- Combines the benefits of paging and segmentation
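The translation and checking steps described above (base/bound, segmentation, and segmentation with paging), as an added example that is not code from the textbook or these slides. It is a toy MMU: the segment names, the page size of 256 words, and the page-table contents are assumed for the illustration.

```python
from dataclasses import dataclass, field

PAGE_SIZE = 256  # words per page; an assumed value for this example


class MemoryFault(Exception):
    """The hardware traps: the reference violated a bound or an access right."""


@dataclass
class Segment:
    """One entry of a program's segment address table (a base/bound pair plus rights)."""
    base: int     # start of the segment in the program's virtual address space
    bound: int    # length in words; valid offsets are 0 .. bound-1
    rights: str   # subset of "rwx"


@dataclass
class AddressSpace:
    segments: dict = field(default_factory=dict)    # name -> Segment
    page_table: dict = field(default_factory=dict)  # virtual page -> frame

    def segment_address(self, name, offset, op):
        """Segmentation step: check rights and bound, return the virtual address."""
        seg = self.segments.get(name)
        if seg is None:
            raise MemoryFault(f"unknown segment {name!r}")
        if op not in seg.rights:
            raise MemoryFault(f"{op!r} not allowed on segment {name!r}")
        if not 0 <= offset < seg.bound:
            raise MemoryFault(f"offset {offset} outside {name!r} (bound {seg.bound})")
        return seg.base + offset

    def page_address(self, vaddr):
        """Paging step: split into <page, offset> and map the page to a frame."""
        page, offset = divmod(vaddr, PAGE_SIZE)
        if page not in self.page_table:
            raise MemoryFault(f"page {page} not present")
        return self.page_table[page] * PAGE_SIZE + offset

    def translate(self, name, offset, op):
        """Paging-segmentation: segment check first, then page translation."""
        return self.page_address(self.segment_address(name, offset, op))


def demo_space():
    """Constructed sample: code is read/execute only, data is read/write only."""
    space = AddressSpace()
    space.segments["code"] = Segment(base=0, bound=300, rights="rx")
    space.segments["data"] = Segment(base=512, bound=100, rights="rw")
    space.page_table = {0: 7, 1: 3, 2: 9}   # virtual pages 0-1 = code, 2 = data
    return space


def try_access(space, name, offset, op):
    """Return the physical address, or the fault text if the MMU would trap."""
    try:
        return space.translate(name, offset, op)
    except MemoryFault as e:
        return f"FAULT: {e}"


if __name__ == "__main__":
    s = demo_space()
    print(try_access(s, "code", 10, "x"))    # 1802: frame 7, offset 10
    print(try_access(s, "data", 99, "r"))    # 2403: last word of data, frame 9
    print(try_access(s, "data", 5, "x"))     # FAULT: execute on a data segment
    print(try_access(s, "code", 300, "r"))   # FAULT: one word past the bound
```

The segment check is what makes the scheme a security mechanism: offset 299 of "code" translates, offset 300 traps, and an execute request on "data" traps before any address is formed. With paging alone, every word in virtual page 2 would carry one set of rights, which is the "no logical unity" problem the slide mentions.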
Control of Access to General Objects
Objects to protect:
- Memory
- A file or data on a storage device
- An executing program in memory
- A directory of files
- A hardware device
- A data structure
- Tables of the OS
- Instructions, especially privileged instructions
- Passwords and the authentication mechanism
- The protection mechanism itself
Goals in Protecting Objects
- Check every access: so that a right to an object can be revoked and take effect immediately
- Enforce least privilege: a user or object should have access to the smallest number of objects necessary to perform its task
- Verify acceptable usage: not just whether an object may be accessed, but whether the requested use of the object is acceptable
Directory Access
- Each user has a list (directory) that determines their access to each object
- Problems: large lists, revocation of access (the owner must find and change every user's directory), and multiple entries for the same name
Access Control List
- A single list kept with each object, naming the subjects and their rights
- Many advantages over directory access: revocation touches one list, and defaults for groups or for all users are easy to express
Access Control Matrix
- Each row represents a subject and each column represents an object; each entry is the set of access rights that subject has to that object
- A column is the object's access control list; a row is the subject's directory or capability list
- Table 4-1 in textbook
Capability
- A capability is an unforgeable token that gives its holder rights to an object
- Sometimes a user must present a "ticket" to use an object; domain usage: a process runs within a domain, the set of capabilities it currently holds
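The matrix, list and capability views described in the last three slides, as an added example that is not code from the textbook or these slides. The matrix is stored sparsely; an ACL is read off as a column and a capability (directory) list as a row. The capability tokens are made unforgeable with an HMAC under a key that only the OS holds; the key, the subject and object names, and the rights letters are assumed for the illustration.

```python
import hashlib
import hmac
import json
from collections import defaultdict


class AccessMatrix:
    """Rows are subjects, columns are objects, entries are sets of rights."""

    def __init__(self):
        self.rights = defaultdict(set)          # (subject, object) -> {"r", "w", ...}

    def grant(self, subject, obj, *rs):
        self.rights[(subject, obj)].update(rs)

    def revoke(self, subject, obj, *rs):
        # Because every access is checked against the matrix, revocation is immediate.
        self.rights[(subject, obj)].difference_update(rs)

    def check(self, subject, obj, r):
        return r in self.rights.get((subject, obj), ())

    def acl(self, obj):
        """Column of the matrix: the object's access control list."""
        return {s: set(rs) for (s, o), rs in self.rights.items() if o == obj and rs}

    def capability_list(self, subject):
        """Row of the matrix: the subject's directory / capability list."""
        return {o: set(rs) for (s, o), rs in self.rights.items() if s == subject and rs}


class CapabilityIssuer:
    """Capabilities as tokens: the payload is bound by an HMAC under an OS-only key,
    so a user who edits the rights in a token cannot produce a valid tag."""

    TAG_LEN = 32  # SHA-256 output length

    def __init__(self, key: bytes):
        self.key = key  # assumed to be known only to the OS

    def issue(self, subject, obj, rights):
        payload = json.dumps({"s": subject, "o": obj, "r": sorted(rights)},
                             sort_keys=True).encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).digest()
        return payload + tag

    def use(self, token, obj, r):
        """True only if the tag verifies and the token names this object and right."""
        payload, tag = token[:-self.TAG_LEN], token[-self.TAG_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                         # forged or altered token
        cap = json.loads(payload)
        return cap["o"] == obj and r in cap["r"]


def demo():
    """Constructed sample: alice owns 'payroll', bob may only read it."""
    m = AccessMatrix()
    m.grant("alice", "payroll", "r", "w")
    m.grant("bob", "payroll", "r")
    issuer = CapabilityIssuer(b"\x11" * 32)      # assumed OS key
    bob_cap = issuer.issue("bob", "payroll", {"r"})
    # bob tries to upgrade his own token to read/write without the key
    forged = bob_cap.replace(b'["r"]', b'["r", "w"]')
    return {
        "acl": m.acl("payroll"),
        "bob_row": m.capability_list("bob"),
        "bob_reads": issuer.use(bob_cap, "payroll", "r"),
        "bob_writes": issuer.use(bob_cap, "payroll", "w"),
        "forged_writes": issuer.use(forged, "payroll", "w"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Revocation shows the difference between the two list views: removing bob from the object's ACL is one edit to one list, while a capability already handed to bob keeps verifying until the OS also keeps a revocation record or the capability expires, which is the revocation problem the directory slide raises.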
Kerberos
- Kerberos is an implementation of a ticket-based system with authentication
- Authentication Server (AS): authenticates the user and issues a ticket-granting ticket
- Ticket Granting Server (TGS): issues the tickets for individual services
- Key Distribution Center (KDC): made up of the AS and the TGS
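The three exchanges behind the slide above (AS, TGS, then the service), as an added example that is not code from the textbook or these slides and not a real Kerberos implementation. Tickets and authenticators are sealed with a toy encrypt-then-MAC construction built from SHA-256 and HMAC so the example runs with only the standard library; a real KDC uses a proper cipher. Principal names, the 8-hour lifetime and the 5-minute clock skew are assumed.

```python
import hashlib
import hmac
import json
import os
import time

LIFETIME = 8 * 3600   # ticket validity in seconds (assumed)
MAX_SKEW = 300        # authenticator freshness window in seconds (assumed)


def _keystream(key, nonce, n):
    """Toy CTR-style keystream: SHA-256(key || nonce || counter). Demo only."""
    out = b""
    for i in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
    return out[:n]


def seal(key, data):
    """Encrypt a JSON-serialisable dict, then MAC nonce+ciphertext (encrypt-then-MAC)."""
    pt = json.dumps(data, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ticket or authenticator failed integrity check")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def new_key():
    return os.urandom(32)


class KDC:
    """Key Distribution Center = Authentication Server + Ticket Granting Server."""

    def __init__(self):
        self.tgs_key = new_key()       # known only to the TGS
        self.principals = {}           # name -> long-term key of a user or service

    def register(self, name, key):
        self.principals[name] = key

    def as_request(self, client):
        """AS exchange: reply is sealed under the user's long-term key and carries
        a session key plus a TGT that only the TGS can open."""
        session = new_key()
        tgt = seal(self.tgs_key, {"client": client, "key": session.hex(),
                                  "expires": time.time() + LIFETIME})
        return seal(self.principals[client], {"tgs_key": session.hex(), "tgt": tgt.hex()})

    def tgs_request(self, tgt, authenticator, service):
        """TGS exchange: open the TGT, check the authenticator, issue a service ticket."""
        t = unseal(self.tgs_key, tgt)
        session = bytes.fromhex(t["key"])
        a = unseal(session, authenticator)     # proves the caller knows the session key
        now = time.time()
        if a["client"] != t["client"] or now > t["expires"] or abs(now - a["time"]) > MAX_SKEW:
            raise PermissionError("bad authenticator or expired TGT")
        svc_session = new_key()
        ticket = seal(self.principals[service], {"client": t["client"], "key": svc_session.hex(),
                                                 "expires": now + LIFETIME})
        return seal(session, {"svc_key": svc_session.hex(), "ticket": ticket.hex()})


class Service:
    def __init__(self, key):
        self.key = key

    def accept(self, ticket, authenticator):
        """Service side: open the ticket with our own key, then check the authenticator."""
        t = unseal(self.key, ticket)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a["client"] != t["client"] or time.time() > t["expires"]:
            raise PermissionError("ticket rejected")
        return t["client"]                     # the authenticated caller


def kerberos_login(kdc, client, client_key, service_name, service):
    """Client side of all three exchanges; returns the identity the service accepted."""
    r = unseal(client_key, kdc.as_request(client))
    tgs_key, tgt = bytes.fromhex(r["tgs_key"]), bytes.fromhex(r["tgt"])
    r2 = unseal(tgs_key, kdc.tgs_request(tgt, seal(tgs_key, {"client": client, "time": time.time()}),
                                         service_name))
    svc_key, ticket = bytes.fromhex(r2["svc_key"]), bytes.fromhex(r2["ticket"])
    return service.accept(ticket, seal(svc_key, {"client": client, "time": time.time()}))


def demo():
    """Constructed sample: alice authenticates to 'fileserver' via the KDC."""
    kdc = KDC()
    alice_key, fs_key = new_key(), new_key()
    kdc.register("alice", alice_key)
    kdc.register("fileserver", fs_key)
    return kerberos_login(kdc, "alice", alice_key, "fileserver", Service(fs_key))


if __name__ == "__main__":
    print(demo())   # alice
```

Two properties are worth noticing in the flow: the user's long-term key is used exactly once, to open the AS reply, and the service never talks to the KDC at all; it trusts the ticket because only the KDC holds its key, and the authenticator proves the presenter also holds the session key inside that ticket.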
File Protection Mechanisms
- All-None system (unacceptable):
  - Lack of trust (relies on every user behaving)
  - Too coarse (no middle ground between fully private and fully public)
  - Rise of sharing
  - Complexity
  - File listings (anyone can see what files exist)
- Group protection (has problems):
  - Group affiliation (a user belongs to a single group)
  - Multiple personalities (a user who needs several groups needs several accounts)
  - All groups (creating a group for every sharing pattern does not scale)
  - Limited sharing (sharing with a specific pair of users needs a group made just for them)
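The owner/group/other model behind the group-protection slide, as an added example that is not code from the textbook or these slides. It implements the classic three-class permission check and then walks through the "limited sharing" problem: the user names, group names and mode bits are constructed for the illustration.

```python
READ, WRITE, EXEC = 4, 2, 1   # the per-class permission bits


def permits(mode, owner, group, uid, user_groups, bit):
    """Three-class check: the owner class applies if you own the file, otherwise the
    group class if you belong to the file's group, otherwise the 'other' class."""
    if uid == owner:
        cls = (mode >> 6) & 7
    elif group in user_groups:
        cls = (mode >> 3) & 7
    else:
        cls = mode & 7
    return bool(cls & bit)


def readers(mode, owner, group, users):
    """users: name -> set of group memberships. Returns everyone who may read."""
    return {u for u, gs in users.items() if permits(mode, owner, group, u, gs, READ)}


def demo():
    """Constructed sample: alice wants to share 'payroll' with bob and nobody else."""
    users = {"alice": {"staff"}, "bob": {"staff"}, "carol": {"staff"}, "dave": set()}
    # All-or-none: a public file (0o644) is readable by every user on the system.
    public = readers(0o644, "alice", "staff", users)
    # Group protection: 0o640 limits readers to 'staff', which still includes carol.
    staff_only = readers(0o640, "alice", "staff", users)
    # Limited sharing: the only way to reach exactly {alice, bob} is a new group
    # containing just the two of them, one such group per sharing pattern.
    with_pair_group = {u: gs | ({"payroll"} if u in ("alice", "bob") else set())
                       for u, gs in users.items()}
    pair = readers(0o640, "alice", "payroll", with_pair_group)
    return public, staff_only, pair


if __name__ == "__main__":
    for label, who in zip(("public", "staff only", "pair group"), demo()):
        print(f"{label:11} -> {sorted(who)}")
```

Modelling memberships as a set gives each user supplementary groups, as modern systems do. With the single primary group of early systems, a user who needed to be in both "staff" and "payroll" needed two accounts, which is the "multiple personalities" problem on the slide.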