Date posted: 02-Apr-2015
Operating Systems: A Modern Perspective, Chapter 5
Slide 14-1
Copyright © 2004 Pearson Education, Inc.
14 Protection and Security
Allowing Only Authorized Access
[Figure: a Subject attempts to reach a Secure Entity; Authentication followed by Authorization separates Authorized Access from Unauthorized Access]
Policy & Mechanism
• Protection mechanisms are tools used to implement security policies
  – Authentication
  – Authorization
  – Cryptography
• A security policy reflects an organization’s strategy for authorizing access to the computer’s resources only to authenticated parties
  – Accountants have access to payroll files
  – OS processes have access to the page table
  – Client process has access to information provided by a server
Cryptographically Protected Information
[Figure: Secure Elements held inside two Secure Environments, moved between them in a Secure Container]
Windows 2000 Logon
[Figure: in User Space the Winlogon process authenticates through the Local Security Authority Subsystem (Lsass), which contains the LSA server (Local Security Authority), the SAM server (Security Accounts Manager) and Netlogon; these consult the LSA Policy, the SAM database and Active Directory, with Active Directory also reachable over the Network; the Security Reference Monitor (SRM) sits in Supervisor Space]
Security Goals
[Figure: Processes A, B and C on Machines X and Y access Resources W, X, Y and Z with read or read/write rights]
• Authentication
• Authorization
Authentication
• User/process authentication
  – Is this user/process who it claims to be?
    • Passwords
    • More sophisticated mechanisms
• Authentication in networks
  – Is this computer who it claims to be?
    • File downloading
    • Obtaining network services
    • The Java promise
Authorization
• Is this user/process allowed to access the resource under the current policy?
• What type of access is allowable?
  – Read
  – Write
  – Execute
  – Append
Lampson’s Protection Model
• Active parts (e.g., processes)
  – Operate in different domains
  – Subject is a process in a domain
• Passive parts are called objects
• Want mechanism to implement different security policies for subjects to access objects
  – Many different policies must be possible
  – Policy may change over time
A Protection System
[Figure: Subject S and Object X, with the Protection State, State Transition, Rules and Policy layered above the access]
• S desires access to X
• Protection state reflects current ability to access X
• Authorities can change
• What are rules for changing authority?
• How are the rules chosen?
Protection System Example
[Figure: S requests access to X; authentication tags the request (S, requested access, X) with an unforgeable ID; the Access Monitor checks it against the access matrix before S reaches X]
• S desires access to X
• Captures the protection state
• Generates an unforgeable ID
• Checks the access against the protection state
Protection State Example
[Access matrix: rows are the subjects S1, S2, S3; columns are S1, S2, S3, F1, F2, D1, D2. Cells hold rights such as control, owner, block, wakeup, stop, delete, execute, update, seek, seek*, read* and write*]
A Protection System
[Figure: Subject S and Object X, with the Protection State, State Transition, Rules and Policy layered above the access]
• Handling state changes
Policy Rules Example
[Access matrix as in the Protection State Example: subjects S1, S2, S3 against objects S1, S2, S3, F1, F2, D1, D2]
Rules for a Particular Policy (each command is issued by a subject S0):
  Rule 1: transfer(α|α*) to (S, X)
    Authorization: α* ∈ A[S0, X]
    Effect: A[S, X] = A[S, X] ∪ {α|α*}
  Rule 2: grant(α|α*) to (S, X)
    Authorization: owner ∈ A[S0, X]
    Effect: A[S, X] = A[S, X] ∪ {α|α*}
  Rule 3: delete α from (S, X)
    Authorization: control ∈ A[S0, S] or owner ∈ A[S0, X]
    Effect: A[S, X] = A[S, X] - {α}
Protection Domains
• Lampson model uses processes and domains -- how is a domain implemented?
  – Supervisor/user hardware mode bit
  – Software extensions -- rings
• Inner rings have higher authority
  – Ring 0 corresponds to supervisor mode
  – Rings 1 to S have decreasing protection, and are used to implement the OS
  – Rings S+1 to N-1 have decreasing protection, and are used to implement applications
Protection Domains (cont)
• Ring crossing is a domain change
• Inner ring crossing is rights amplification
  – Specific gates for crossing
  – Protected by an authentication mechanism
• Outer ring crossing uses less-protected objects
  – No authentication
  – Need a return path
  – Used in Multics and Intel 80386 (& above) hardware
A Two-level Domain Architecture
[Figure: two concentric domains, Supv (inner) and User (outer)]
The General Ring Architecture
[Figure: concentric rings R0, R1, R2, …, Ri, …, with R0 innermost]
Implementing the Access Matrix
• Usually a sparse matrix
  – Too expensive to implement as a table
  – Implement as a list of table entries
• Column oriented list is called an access control list (ACL)
  – List kept at the object
  – UNIX file protection bits are one example
• Row oriented list is called a capability list
  – List kept with the subject (i.e., process)
  – Kerberos ticket is a capability
  – Mach mailboxes protected with capabilities
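An added example, not from the slides, that implements the sparse access matrix with the three commands of the "Rules for a Particular Policy" slide and then derives the column-oriented ACLs and row-oriented capability lists described above; the subject and object names and the starting rights are constructed for illustration.

```python
from collections import defaultdict

class AccessMatrix:
    """Sparse Lampson access matrix A[S, X] with the three commands from the
    'Rules for a Particular Policy' slide; rights ending in '*' are transferable."""
    def __init__(self):
        self.A = defaultdict(set)                      # (subject, object) -> rights

    def check(self, s, x, right):                      # the access monitor's test
        return right in self.A[(s, x)]

    def transfer(self, s0, right, s, x):               # Rule 1: S0 needs right* on X
        if right.rstrip("*") + "*" not in self.A[(s0, x)]:
            raise PermissionError(f"{s0} holds no {right.rstrip('*')}* on {x}")
        self.A[(s, x)].add(right)

    def grant(self, s0, right, s, x):                  # Rule 2: S0 needs owner on X
        if "owner" not in self.A[(s0, x)]:
            raise PermissionError(f"{s0} does not own {x}")
        self.A[(s, x)].add(right)

    def delete(self, s0, right, s, x):                 # Rule 3: control S or own X
        if "control" not in self.A[(s0, s)] and "owner" not in self.A[(s0, x)]:
            raise PermissionError(f"{s0} neither controls {s} nor owns {x}")
        self.A[(s, x)].discard(right)

    def acl(self, x):                                  # column: list kept at object X
        return {s: sorted(r) for (s, o), r in self.A.items() if o == x and r}

    def capabilities(self, s):                         # row: list kept with subject S
        return {o: sorted(r) for (sub, o), r in self.A.items() if sub == s and r}

def demo():
    """Constructed protection state loosely following the slide's S1..S3, F1, F2."""
    m = AccessMatrix()
    m.A[("S1", "S1")].add("control"); m.A[("S1", "S2")].add("control")
    m.A[("S1", "F1")].update({"owner", "update"})
    m.A[("S1", "F2")].add("read*")
    m.transfer("S1", "read", "S2", "F2")      # allowed: S1 holds read* on F2
    m.grant("S1", "seek", "S3", "F1")         # allowed: S1 owns F1
    try:
        m.grant("S2", "write", "S3", "F2")    # denied: S2 does not own F2
    except PermissionError:
        pass
    m.delete("S1", "seek", "S3", "F1")        # allowed: S1 owns F1
    return m
```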
Access Control Lists Derived from an Access Matrix
[Figure: each column of the access matrix becomes an ACL of subjects S, stored in the Resource Descriptor of the object X]
• Store the Access Matrix by columns
• Each ACL is kept at the object
• UNIX file protection bits are one example
• Windows resource managers also use ACLs for protection
Capability Lists Derived from an Access Matrix
[Figure: each row of the access matrix becomes a capability list of objects X, stored in the Process Descriptor of the subject S]
• Store the Access Matrix by rows
• List kept with the subject (i.e., process)
• Examples
  – Ticket to a concert
  – Kerberos ticket
  – Mach mailboxes
More on Capabilities
• Provides an address to object from a very large address space
• Possession of a capability represents authorization for access
• Implied properties:
  – Capabilities must be very difficult to guess
  – Capabilities must be unique and not reused
  – Capabilities must be distinguishable from randomly generated bit patterns
Cryptography
• Information can be encoded using a key when it is written (or transferred) -- encryption
• It is then decoded using a key when it is read (or received) -- decryption
• Very widely used for secure network transmission
More on Cryptography
[Figure: plaintext is transformed by Encrypt under key Ke into the ciphertext C = E_Ke(plaintext), and back into plaintext by Decrypt under key Kd; an Invader who captures the ciphertext, possibly with side information, tries to recover the plaintext]
Cryptographic Systems
• Conventional Systems (Private Key)
  – Ke and Kd are essentially the same
  – Ke and Kd are private
• Modern Systems (Public Key)
  – Ke is public
  – Kd is private
Kerberos Authentication
[Figure: the Authentication Server returns to the Client a Session Key encrypted for the client, together with a Ticket consisting of the Client ID and Session Key encrypted for the Server; the Client presents the Ticket, using the Session Key, to the Server, which recovers the Client ID and Session Key from the Ticket]
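The exchange shown in the figure above, as an added example that is not part of the original slides: a toy authentication server, client and file server in Python, with a constructed SHA-256 keystream plus HMAC standing in for the block cipher and constructed long-term keys (all assumptions, not Kerberos's actual wire format).

```python
import hashlib, hmac, json, os, secrets

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy SHA-256 counter keystream; stands in for the real cipher, illustration only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    # "Encrypted for X" = XOR with a keystream under X's key, plus an HMAC tag.
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))))

# Constructed long-term keys; only the authentication server holds both of them.
KEYS = {"alice": secrets.token_bytes(32), "fileserver": secrets.token_bytes(32)}

def auth_server_reply(client: str, server: str) -> bytes:
    # AS mints a session key; the ticket = {client ID, session key} sealed for the
    # server, and {session key, ticket} is sealed for the client (the two envelopes).
    sk = secrets.token_bytes(32).hex()
    ticket = seal(KEYS[server], {"client": client, "session_key": sk})
    return seal(KEYS[client], {"session_key": sk, "ticket": ticket.hex()})

def client_request(client: str, reply: bytes):
    # Client recovers the session key and proves knowledge of it in an authenticator.
    msg = unseal(KEYS[client], reply)
    sk = bytes.fromhex(msg["session_key"])
    return bytes.fromhex(msg["ticket"]), seal(sk, {"client": client})

def server_accepts(server: str, ticket: bytes, authenticator: bytes) -> bool:
    # Server opens the ticket with its own key, then the authenticator with the
    # session key found inside; the client IDs in both must agree.
    t = unseal(KEYS[server], ticket)
    a = unseal(bytes.fromhex(t["session_key"]), authenticator)
    return a["client"] == t["client"]
```

Because the ticket is sealed under the server's key, the client can carry it but cannot read or alter it, which is what makes it usable as a capability.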
The DES Algorithm
[Figure: a 64-bit PlainText block passes through the initial permutation IP, then through rounds in which the halves L_{j-1} and R_{j-1} are combined via the function f with the round key K_j = (K, j), R_{j-1} becoming the next left half; the inverse permutation IP^-1 yields the 64-bit output block]
A Digital Rights Management System
[Figure: on the Server side a Publisher places Raw content in the Content Repository, a Rights Editor and a Style Editor produce the Rights and Style, and Serve, Translate and Distribute stages turn it into Consumable content; content is In Transit to the Client, where the Consumer's Playback component uses an API to Query the rights; Admin, Distributor, etc. also act through an API]
• Other parties may contribute to rights spec