Outline Operating System Security Introduction CS 239 Memory - PDF document

Outline Operating System Security • Introduction CS 239 • Memory protection • Interprocess communications protection Security for Networks and • File protection System Software • Authentication May 20, 2002 Lecture 13 Lecture 13 Page 1 Page 2 CS 239, Spring 2002 CS 239, Spring 2002 Single User Vs. Multiple User Introduction Machines • The majority of today’s computers usually • Threats to single machines are of the support a single user same character as threats to network – Sometimes one at a time communications – Sometimes only one ever • But very different in their mechanisms • Some computers are still multi-user and solutions – Mainframes – Servers – Network-of-workstation machines Lecture 13 Lecture 13 Page 3 Page 4 CS 239, Spring 2002 CS 239, Spring 2002 Server Machines Vs. General Embedded Systems Purpose Machines • Most server machines provide only limited • An increasingly large number of services objects contain embedded computers – Web page access –With limited capabilities and access – File access • The future will undoubtedly see – DNS lookup security problems for them • Security problems are simpler for them –First for embedded processors in • Some machines still provide completely security systems, probably general service, though Lecture 13 Lecture 13 Page 5 Page 6 CS 239, Spring 2002 CS 239, Spring 2002 1

Downloadable Code and Single Mechanisms for Secure User Machines Operating Systems • Applets and other downloaded code • Most operating system security is should run in a limited mode based on separation • Using access control on a finer –Keep the bad guys away from the granularity than the user good stuff • Essentially the same protection –Since you don’t know who’s bad, problem as multiple users separate most things Lecture 13 Lecture 13 Page 7 Page 8 CS 239, Spring 2002 CS 239, Spring 2002 Separation Methods The Problem of Sharing • Physical separation • Separating stuff is actually pretty easy – Different machines • The hard problem is allowing • Temporal separation controlled sharing – Same machine, different times • How can the OS allow users to share • Logical separation exactly what they intend to share? – HW/software enforcement –In exactly the ways they intend • Cryptographic separation Lecture 13 Lecture 13 Page 9 Page 10 CS 239, Spring 2002 CS 239, Spring 2002 Levels of Sharing Protection Protecting Memory • Most general purpose systems provide some • None memory protection • Isolation – Logical separation of processes that run • All or nothing concurrently • Access limitations • Usually through virtual memory methods • Limited use of an object • Originally arose mostly for error containment, not security Lecture 13 Lecture 13 Page 11 Page 12 CS 239, Spring 2002 CS 239, Spring 2002 2

Security Aspects of Paging Protection of Pages • Main memory is divided into page frames • Each process is given a page table – Translation of logical addresses into • Every process has an address space divided physical locations into logical pages • All addressing goes through page table • For a process to use a page, it must reside in – At unavoidable hardware level a page frame • If the OS is careful about filling in the page • If multiple processes are running, how do tables, a process can’t even name other we protect their frames? processes’ pages Lecture 13 Lecture 13 Page 13 Page 14 CS 239, Spring 2002 CS 239, Spring 2002 Security Issues of Page Frame Special Interfaces to Memory Reuse • A common set of page frames is shared by • Some systems provide a special interface to all processes memory • The OS switches ownership of page frames • If the interface accesses physical memory, as necessary – And doesn’t go through page table • When a process acquires a new page frame, protections, it used to belong to another process • Attackers can read the physical memory – Can the new process read the old data? – Then figure out what’s there and find what they’re looking for Lecture 13 Lecture 13 Page 15 Page 16 CS 239, Spring 2002 CS 239, Spring 2002 Protecting Interprocess IPC Protection Issues Communications • How hard it is depends on what you’re • Operating systems provide various kinds of worried about interprocess communications • For the moment, let’s say we’re worried – Messages about one process improperly using IPC to – Semaphores get info from another – Shared memory – Process A wants to steal information – Sockets from process B • How would process A do that? • How can we be sure they’re used properly? Lecture 13 Lecture 13 Page 17 Page 18 CS 239, Spring 2002 CS 239, Spring 2002 3

Message Security How Can B Get the Secret? Process A Process B • He can convince the system he’s A Gimme your secret – A problem for authentication • He can break into A’s memory That’s probably – That doesn’t use message IPC not going to work – And is handled by page tables • He can forge a message from someone else to get the secret Can process B use message- • He can “eavesdrop” on someone else who based IPC to steal the secret? gets the secret Lecture 13 Lecture 13 Page 19 Page 20 CS 239, Spring 2002 CS 239, Spring 2002 Forging An Identity Operating System Protections Process A Process B • The operating system knows who each I’m C, gimme your secret process belongs to • It can tag the message with the identity of the sender Process C Will A • If the receiver cares, he can know the know B is identity lying? Lecture 13 Lecture 13 Page 21 Page 22 CS 239, Spring 2002 CS 239, Spring 2002 How About Eavesdropping? What’s Really Going on Here? Process A Process B • On a single machine, what is a message send, really? • A message is copied from a process buffer I’m C, gimme to an OS buffer your secret – Then from the OS buffer to another Process C Can process B process’ buffer “listen in” on • If attacker can’t get at processes’ internal this message? buffers and can’t get at OS buffers, he can’t “eavesdrop” Lecture 13 Lecture 13 Page 23 Page 24 CS 239, Spring 2002 CS 239, Spring 2002 4

Other Forms of IPC So When’s It Hard? • Semaphores, sockets, shared memory, RPC • What if the OS has to prevent • Pretty much all the same cooperating processes from sharing – Need system call to perform them information? – System call to get access belongs to some process – Process belongs to some principal – OS can check principal against access control permissions at syscall time Lecture 13 Lecture 13 Page 25 Page 26 CS 239, Spring 2002 CS 239, Spring 2002 The Hard Case File Protection Process A Process B • How do we apply these access protection mechanisms to a real system resource? • Files are a common example of a typically shared resource Process A wants to tell the secret to process B • If an OS supports multiple users, it needs to But the OS has been instructed to prevent that address the question of file protection Can the OS prevent A and B from colluding to get the secret to B? Lecture 13 Lecture 13 Page 27 Page 28 CS 239, Spring 2002 CS 239, Spring 2002 Unix File Protection Unix File Protection Philosophy • Essentially, Unix uses a limited ACL • A model for protecting files developed • Only three subjects per file in the 1970s – Owner • Still in very wide use today – Group – Other –With relatively few modifications • Limited set of rights specifiable • But not very flexible – Read, write, execute – Special meanings for some file types Lecture 13 Lecture 13 Page 29 Page 30 CS 239, Spring 2002 CS 239, Spring 2002 5