 
Operating System Security
CS 239, Computer Security
February 16, 2005
Lecture 10, Page 1
CS 239, Winter 2005

Outline
• Introduction
• Memory protection
• Interprocess communications protection
• File protection

Introduction
• Operating systems provide the lowest layer of software visible to users
• Operating systems are close to the hardware
  – Often have complete hardware access
• If the operating system isn’t protected, the machine isn’t protected
• Flaws in the OS generally compromise all security at higher levels

Why Is OS Security So Important?
• The OS controls access to application memory
• The OS controls scheduling of the processor
• The OS ensures that users receive the resources they ask for
• If the OS isn’t doing these things securely, practically anything can go wrong
• So almost all other security systems must assume a secure OS at the bottom

Single User Vs. Multiple User Machines
• The majority of today’s computers usually support a single user
  – Sometimes one at a time, sometimes only one ever
• Some computers are still multi-user
  – Mainframes
  – Servers
  – Network-of-workstation machines
• Single user machines often run multiple processes, though

Server Machines Vs. General Purpose Machines
• Most server machines provide only limited services
  – Web page access
  – File access
  – DNS lookup
• Security problems are simpler for them
• Some machines still provide completely general service, though
• And many server machines can run general services . . .
Downloadable Code and Single User Machines
• Applets and other downloaded code should run in a constrained mode
• Using access control on a finer granularity than the user
• Essentially the same protection problem as multiple users

Mechanisms for Secure Operating Systems
• Most operating system security is based on separation
  – Keep the bad guys away from the good stuff
  – Since you don’t know who’s bad, separate most things

Separation Methods
• Physical separation
  – Different machines
• Temporal separation
  – Same machine, different times
• Logical separation
  – HW/software enforcement
• Cryptographic separation

The Problem of Sharing
• Separating stuff is actually pretty easy
• The hard problem is allowing controlled sharing
• How can the OS allow users to share exactly what they intend to share?
  – In exactly the ways they intend

Levels of Sharing Protection
• None
• Isolation
• All or nothing
• Access limitations
• Limited use of an object

Protecting Memory
• Most general purpose systems provide some memory protection
  – Logical separation of processes that run concurrently
• Usually through virtual memory methods
• Originally arose mostly for error containment, not security
Security Aspects of Paging
• Main memory is divided into page frames
• Every process has an address space divided into logical pages
• For a process to use a page, it must reside in a page frame
• If multiple processes are running, how do we protect their frames?

Protection of Pages
• Each process is given a page table
  – Translation of logical addresses into physical locations
• All addressing goes through page table
  – At unavoidable hardware level
• If the OS is careful about filling in the page tables, a process can’t even name other processes’ pages

Security Issues of Page Frame Reuse
• A common set of page frames is shared by all processes
• The OS switches ownership of page frames as necessary
• When a process acquires a new page frame, it used to belong to another process
  – Can the new process read the old data?

Special Interfaces to Memory
• Some systems provide a special interface to memory
• If the interface accesses physical memory,
  – And doesn’t go through page table protections,
  – Attackers can read the physical memory
  – Then figure out what’s there and find what they’re looking for

Protecting Interprocess Communications
• Operating systems provide various kinds of interprocess communications
  – Messages
  – Semaphores
  – Shared memory
  – Sockets
• How can we be sure they’re used properly?

IPC Protection Issues
• How hard it is depends on what you’re worried about
• For the moment, let’s say we’re worried about one process improperly using IPC to get info from another
  – Process A wants to steal information from process B
• How would process A do that?
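The Protection of Pages and Page Frame Reuse slides in working form. This is an added example, not code from the lecture: a toy MMU in C with one page table per process (so a process can only name memory through its own table) and a frame allocator that either scrubs a frame before handing it to a new owner or, to reproduce the reuse problem the slide asks about, does not. The page and frame sizes, the names (translate, alloc_frame, frame_reuse_leak, ...) and the "physical memory" array are all assumptions constructed for the example.

```c
/* Added example (not from the lecture): a toy MMU with one page table per
 * process and a frame allocator that scrubs frames before reuse.  All sizes,
 * names and the "physical memory" array are constructed for the example. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE       256
#define NUM_FRAMES      8
#define PAGES_PER_PROC  4     /* size of each process's logical address space */

enum { PTE_PRESENT = 1, PTE_WRITE = 2 };

struct pte { uint8_t frame; uint8_t flags; };

/* A process can only name memory through its own page table. */
struct process {
    int pid;
    struct pte table[PAGES_PER_PROC];
};

static uint8_t physmem[NUM_FRAMES * PAGE_SIZE];   /* constructed "RAM" */
static int frame_owner[NUM_FRAMES];               /* pid, or -1 when free */

void mmu_init(void)
{
    memset(physmem, 0, sizeof physmem);
    for (int f = 0; f < NUM_FRAMES; f++) frame_owner[f] = -1;
}

/* Map logical page `page` of p to the first free frame.  When `scrub` is set
 * the kernel zeroes the frame first, so the previous owner's data cannot be
 * read by the new owner.  Returns the frame index, or -1 if none is free. */
int alloc_frame(struct process *p, int page, int writable, int scrub)
{
    if (page < 0 || page >= PAGES_PER_PROC) return -1;
    for (int f = 0; f < NUM_FRAMES; f++) {
        if (frame_owner[f] != -1) continue;
        if (scrub) memset(&physmem[f * PAGE_SIZE], 0, PAGE_SIZE);
        frame_owner[f] = p->pid;
        p->table[page].frame = (uint8_t)f;
        p->table[page].flags = PTE_PRESENT | (writable ? PTE_WRITE : 0);
        return f;
    }
    return -1;
}

/* Unmap a page and return its frame to the pool.  Contents are left as they
 * are: scrubbing happens at the next allocation, if at all. */
void free_frame(struct process *p, int page)
{
    struct pte *e = &p->table[page];
    if (e->flags & PTE_PRESENT) frame_owner[e->frame] = -1;
    e->flags = 0;
}

/* Hardware-level translation: every access goes through the table.
 * Returns a physical offset, or -1 for a page fault / protection fault. */
long translate(const struct process *p, uint32_t vaddr, int write)
{
    uint32_t page = vaddr / PAGE_SIZE, off = vaddr % PAGE_SIZE;
    if (page >= PAGES_PER_PROC) return -1;            /* outside address space */
    const struct pte *e = &p->table[page];
    if (!(e->flags & PTE_PRESENT)) return -1;         /* not mapped */
    if (write && !(e->flags & PTE_WRITE)) return -1;  /* read-only page */
    return (long)e->frame * PAGE_SIZE + off;
}

int mem_write(struct process *p, uint32_t vaddr, uint8_t v)
{
    long pa = translate(p, vaddr, 1);
    if (pa < 0) return -1;
    physmem[pa] = v;
    return 0;
}

/* Returns the byte read (0..255) or -1 on a fault. */
int mem_read(const struct process *p, uint32_t vaddr)
{
    long pa = translate(p, vaddr, 0);
    return pa < 0 ? -1 : physmem[pa];
}

/* The frame-reuse scenario from the slide: A stores a secret, exits, and B is
 * handed A's old frame.  Returns what B reads: 0 when the kernel scrubs, the
 * secret (0x42) when it does not.  -2 would mean B could name A's page before
 * it was mapped into B's own table, which the translation above never allows. */
int frame_reuse_leak(int scrub)
{
    mmu_init();
    struct process a = { .pid = 1 }, b = { .pid = 2 };
    alloc_frame(&a, 0, 1, 1);
    mem_write(&a, 0x10, 0x42);               /* A's secret */
    if (mem_read(&b, 0x10) != -1) return -2; /* B has no mapping: page fault */
    free_frame(&a, 0);                       /* A exits */
    alloc_frame(&b, 0, 1, scrub);            /* B reuses frame 0 */
    return mem_read(&b, 0x10);
}

int main(void)
{
    printf("B reads with scrubbing:    0x%02x\n", frame_reuse_leak(1));
    printf("B reads without scrubbing: 0x%02x\n", frame_reuse_leak(0));
    return 0;
}
```

The two things the slides ask for are visible in the code paths: a process with no page-table entry for an address gets a fault rather than someone else's frame, and the only thing standing between B and A's old data is whether the allocator scrubs the frame before changing its owner.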
Message Security
Process A, Process B
B to A: “Gimme your secret”
A to B: “That’s probably not going to work”
Can process B use message-based IPC to steal the secret?

How Can B Get the Secret?
• He can convince the system he’s A
  – A problem for authentication
• He can break into A’s memory
  – That doesn’t use message IPC
  – And is handled by page tables
• He can forge a message from someone else to get the secret
• He can “eavesdrop” on someone else who gets the secret

Forging An Identity
Process A, Process B, Process C
B to A: “I’m C, gimme your secret”
Will A know B is lying?

Operating System Protections
• The operating system knows who each process belongs to
• It can tag the message with the identity of the sender
• If the receiver cares, he can know the identity

How About Eavesdropping?
Process A, Process B, Process C
C to A: “I’m C, gimme your secret”
Can process B “listen in” on this message?

What’s Really Going on Here?
• On a single machine, what is a message send, really?
• A message is copied from a process buffer to an OS buffer
  – Then from the OS buffer to another process’ buffer
• If attacker can’t get at processes’ internal buffers and can’t get at OS buffers, he can’t “eavesdrop”
Other Forms of IPC
• Semaphores, sockets, shared memory, RPC
• Pretty much all the same
  – Use system calls for access
  – Which belong to some process
  – Which belongs to some principal
  – OS can check principal against access control permissions at syscall time

So When Is It Hard?
• Always possible that there’s a bug in the operating system
  – Allowing masquerading, eavesdropping, etc.
  – Or, if the OS itself is compromised, all bets are off
• What if the OS has to prevent cooperating processes from sharing information?

The Hard Case
Process A, Process B
Process A wants to tell the secret to process B
But the OS has been instructed to prevent that
Can the OS prevent A and B from colluding to get the secret to B?

Dangers for Operating System Security
• Bugs in the OS
  – Not checking security, allowing access to protected resources, etc.
• Privileged users and roles
  – Superusers often can do anything
• Untrusted applications and overly broad security domains

File Protection
• How do we apply these access protection mechanisms to a real system resource?
• Files are a common example of a typically shared resource
• If an OS supports multiple users, it needs to address the question of file protection

Unix File Protection
• A model for protecting files developed in the 1970s
• Still in very wide use today
  – With relatively few modifications
• But not very flexible