
Chapter 14: Protection: 14.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts With Java - 8 Edition

Uploaded by

Mandar More

Chapter 14: Protection

Operating System Concepts with Java – 8th Edition 14.1 Silberschatz, Galvin and Gagne ©2009
Chapter 14: Protection

• Goals of Protection
• Principles of Protection
• Domain of Protection
• Access Matrix
• Implementation of Access Matrix
• Access Control

Goals of Protection

• Operating system consists of a collection of objects, hardware or software
• Each object has a unique name and can be accessed through a well-defined set of operations
• Protection problem - ensure that each object is accessed correctly and only by those processes that are allowed to do so

Principles of Protection

• Guiding principle – principle of least privilege
  • Programs, users and systems should be given just enough privileges to perform their tasks

Domain Structure

• Access-right = <object-name, rights-set>
  where rights-set is a subset of all valid operations that can be performed on the object.
• Domain = set of access-rights

Domain Implementation (UNIX)

• System consists of 2 domains:
  • User
  • Supervisor
• UNIX
  • Domain = user-id
  • Domain switch accomplished via file system
    • Each file has associated with it a domain bit (setuid bit)
    • When file is executed and setuid = on, then user-id is set to owner of the file being executed. When execution completes user-id is reset

Access Matrix

• View protection as a matrix (access matrix)
• Rows represent domains
• Columns represent objects
• Access(i, j) is the set of operations that a process executing in Domain_i can invoke on Object_j

Access Matrix

Use of Access Matrix

• If a process in Domain D_i tries to do “op” on object O_j, then “op” must be in the access matrix
• Can be expanded to dynamic protection
  • Operations to add, delete access rights
  • Special access rights:
    • owner of O_i
    • copy op from O_i to O_j
    • control – D_i can modify D_j access rights
    • transfer – switch from domain D_i to D_j

Use of Access Matrix (Cont)

• Access matrix design separates mechanism from policy
  • Mechanism
    • Operating system provides access-matrix + rules
    • It ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced
  • Policy
    • User dictates policy
    • Who can access what object and in what mode

Implementation of Access Matrix

• Each column = Access-control list for one object
  Defines who can perform what operation.
    Domain 1 = Read, Write
    Domain 2 = Read
    Domain 3 = Read
• Each Row = Capability List (like a key)
  For each domain, what operations allowed on what objects.
    Object 1 – Read
    Object 4 – Read, Write, Execute
    Object 5 – Read, Write, Delete, Copy
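
An added example, not part of the original slides: the access matrix as a C table, with the access check, the column (ACL) and row (capability list) views, and a limited copy right. The bit-flag encoding, function names and matrix contents are assumptions for illustration; column 0 reuses the slide's sample ACL and row 1 its sample capability list.

```c
#include <stdio.h>

enum { R_READ = 1, R_WRITE = 2, R_EXEC = 4, R_DELETE = 8, R_COPY = 16 };
#define N_DOMAINS 3
#define N_OBJECTS 5

/* Constructed data: m[i][j] = Access(i+1, j+1); column 0 and row 1 follow the slide. */
static unsigned m[N_DOMAINS][N_OBJECTS] = {
    { R_READ | R_WRITE, 0, 0, 0, 0 },
    { R_READ, 0, 0, R_READ | R_WRITE | R_EXEC,
      R_READ | R_WRITE | R_DELETE | R_COPY },
    { R_READ, 0, 0, 0, 0 },
};

/* Access check: default deny; out-of-range indices are refused. */
int allowed(int d, int o, unsigned op) {
    if (d < 0 || d >= N_DOMAINS || o < 0 || o >= N_OBJECTS || op == 0)
        return 0;
    return (m[d][o] & op) == op;
}

/* Column view (ACL of object o): returns the number of domains with any right. */
int acl_of(int o, unsigned acl[N_DOMAINS]) {
    int n = 0;
    for (int d = 0; d < N_DOMAINS; d++) { acl[d] = m[d][o]; n += acl[d] != 0; }
    return n;
}

/* Row view (capability list of domain d): returns the number of objects held. */
int caps_of(int d, unsigned caps[N_OBJECTS]) {
    int n = 0;
    for (int o = 0; o < N_OBJECTS; o++) { caps[o] = m[d][o]; n += caps[o] != 0; }
    return n;
}

/* Limited copy: a domain holding R_COPY and op on object o may give op to
   another domain in the same column; R_COPY itself is not passed on. */
int copy_right(int from, int to, int o, unsigned op) {
    unsigned give = op & ~(unsigned)R_COPY;
    if (!give || to < 0 || to >= N_DOMAINS || !allowed(from, o, R_COPY | give))
        return 0;
    m[to][o] |= give;
    return 1;
}

int main(void) {
    printf("D2 write O1: %d, delete O5: %d\n", allowed(1, 0, R_WRITE), allowed(1, 4, R_DELETE));
    return 0;
}
```

Indices are zero-based in the code, so `allowed(1, 4, R_DELETE)` asks whether Domain 2 may delete Object 5.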
Access Matrix of Figure A With Domains as Objects

Figure B

Access Matrix with Copy Rights

Access Matrix With Owner Rights

Modified Access Matrix of Figure B

Access Control

• Protection can be applied to non-file resources
• Solaris 10 provides role-based access control (RBAC) to implement least privilege
  • Privilege is right to execute system call or use an option within a system call
  • Can be assigned to processes
  • Users assigned roles granting access to privileges and programs

Role-based Access Control in Solaris 10

Chapter 15: Security

Chapter 15: Security

• The Security Problem
• Program Threats
• System and Network Threats
• Cryptography as a Security Tool
• User Authentication
• Implementing Security Defenses
• Firewalling to Protect Systems and Networks
• Computer-Security Classifications
• An Example: Windows XP

Objectives

• To discuss security threats and attacks
• To explain the fundamentals of encryption, authentication, and hashing
• To examine the uses of cryptography in computing
• To describe the various countermeasures to security attacks

The Security Problem

• Security must consider external environment of the system, and protect the system resources
• Intruders (crackers) attempt to breach security
• Threat is potential security violation
• Attack is attempt to breach security
• Attack can be accidental or malicious
• Easier to protect against accidental than malicious misuse

Security Violations

• Categories
  • Breach of confidentiality
  • Breach of integrity
  • Breach of availability
  • Theft of service
  • Denial of service
• Methods
  • Masquerading (breach authentication)
  • Replay attack
  • Message modification
  • Man-in-the-middle attack
  • Session hijacking

Standard Security Attacks

Security Measure Levels

• Security must occur at four levels to be effective:
  • Physical
  • Human
    • Avoid social engineering, phishing, dumpster diving
  • Operating System
  • Network
• Security is as weak as the weakest link in the chain

Program Threats

• Trojan Horse
  • Code segment that misuses its environment
  • Exploits mechanisms for allowing programs written by users to be executed by other users
  • Spyware, pop-up browser windows, covert channels
• Trap Door
  • Specific user identifier or password that circumvents normal security procedures
  • Could be included in a compiler
• Logic Bomb
  • Program that initiates a security incident under certain circumstances
• Stack and Buffer Overflow
  • Exploits a bug in a program (overflow either the stack or memory buffers)

C Program with Buffer-overflow Condition

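#include <stdio.h>
#include <string.h>   /* strcpy */
#define BUFFER_SIZE 256
int main(int argc, char *argv[])
{
    char buffer[BUFFER_SIZE];
    if (argc < 2)
        return -1;
    else {
        /* no length check: an argv[1] longer than 255 bytes overflows buffer */
        strcpy(buffer, argv[1]);
        return 0;
    }
}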

Layout of Typical Stack Frame

Modified Shell Code
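#include <stdio.h>
#include <unistd.h>   /* execvp */
int main(int argc, char *argv[])
{
    /* argument vector for the new program, terminated by NULL */
    char *args[] = { "/bin/sh", NULL };
    execvp("/bin/sh", args);
    return 0;
}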

Hypothetical Stack Frame

Before attack After attack

Program Threats (Cont.)

• Many categories of viruses, literally many thousands of viruses
  • File
  • Boot
  • Macro
  • Source code
  • Polymorphic
  • Encrypted
  • Stealth
  • Tunneling
  • Multipartite

A Boot-sector Computer Virus

System and Network Threats

• Worms – use spawn mechanism; standalone program
• Internet worm
  • Exploited UNIX networking features (remote access) and bugs in finger and sendmail programs
  • Grappling hook program uploaded main worm program
• Port scanning
  • Automated attempt to connect to a range of ports on one or a range of IP addresses
• Denial of Service
  • Overload the targeted computer preventing it from doing any useful work
  • Distributed denial-of-service (DDOS) come from multiple sites at once

The Morris Internet Worm

End of Chapter 15
