17: Protection/Security
Last Modified: 7/3/2004 1:48:28 PM

Protection
• Protecting processes/users from each other is one of the core OS responsibilities
• Control access of processes or users to resources of the computer system (HW and SW)
• Ensure resources are operated on by only those processes that have gained proper authorization
• Enforcing resource limits

Cross-cutting issue
• CPU Scheduling
  - Protection by timer interrupts and OS scheduling policy
• Process Management
  - Protection by access control and enforcement of resource limits (most OS?)
• Virtual Memory
  - Protection by inability to name other processes' memory space
• File System
  - User defined access controls per file/directory
• Note: Synchronization is more voluntary protection, by observing rules within a set of processes/threads that share data (Monitors maybe protection?)

How to do protection?
• From that brief survey of OS topics it is clear that protection can be accomplished in many ways
• Protection can be based on the design of the system, which makes access impossible (can't even name things you shouldn't access)
  - E.g. VM
• Protection can be controlled by an OS-wide policy (OS controls resource allocation)
  - E.g. timer interrupts
• Protection can be controlled by user-definable access controls
  - E.g. user can set FS access controls
• Implies the ability to deny unauthorized access! The ability to enforce the policy!

Principles
• Generally the more restrictive the system, the more protection
• "Need to know" principle says only grant those rights absolutely necessary to accomplish a task
  - Start out granting none and see where it breaks, then add the smallest new privileges possible
  - Ex. If a process only needs to read/write one specific file, then don't give it access to all the user's files
  - Ex. Don't give full root privileges just because it needs to open a port < 1024

Policy vs Mechanism
• Mechanism says "what types of access are possible" and "defines the means for identifying authorized vs unauthorized access"
• Policy says "which processes/users should have which kinds of access"
• When building a system it is best to make the mechanism match the problem domain rather than a particular desired policy
• More flexible if you separate mechanism from policy!
• Example: if your mechanism does not distinguish between read and execute rights, then it is impossible to hand out one without the other; if the mechanism does distinguish, then policy may never choose to hand out one without the other, but it could

Types of access
• The possible types of access depend on the resources in the system
  - CPUs can be executed upon
  - Files can be read/written/executed
  - Directories can be read/inserted into/deleted from/traversed without displaying all
  - Tape drives can be read/written/rewound
• Begin by thinking about all the possible actions you might want to allow/disallow on an object

Protection Domain
• Once we determine all the possible resources and all the possible types of access to those resources, the next step is to think about all the possible entities to whom we would like to grant/deny rights
• Associate with each entity a "protection domain"
• Define a protection domain as a collection of access rights to specified objects

Typical Domain Granularities
• One domain for OS; one domain for USER
• Domain per user
• Domain per process
• Domain per procedure
• ...

Recall: Kernel/User Mode
• Hardware needs to be able to distinguish the OS from user apps
  - Controls ability to execute privileged instructions etc.
• Most architectures have a "mode" value in a protected register
  - When user applications execute, the mode value is set to one thing
  - When the OS kernel executes, the mode value is set to something else
• If code is running in user mode, an attempt to execute protected instructions will generate an exception
• Switching the mode value must of course be protected

Is Kernel/User distinction enough?
• Not if we want to distinguish between users!
• How can we distinguish between users?
• Is user the best thing to base a domain on?
  - Do you want all processes you run to have your full privileges?
  - Do you ever need special privileges, but not all of root's access?

System Call Illustrated
• User mode:
  - File.open("/home/README")
  - SystemCall(SYS_OPEN, "/home/README")
• Kernel mode:
  - Save user registers and mode, look up SYS_OPEN in a table of system call procedures, change the mode bit, jump to the kernelOpen procedure
  - kernelOpen("/home/README", this application's access rights)
  - Restore user mode and the application's registers etc.
• User mode:
  - Resume application with the file opened, or an error
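The "Protection Domain" and "Policy vs Mechanism" slides can be made concrete with a small model. This is an added example written for these notes, not code from the lecture: the rights enum and default-deny `check` are the mechanism, and the two policy functions (`policy_need_to_know`, `policy_read_implies_execute`) are hypothetical policies layered on top of it. The object names and domain names are constructed for illustration. Because the mechanism keeps READ and EXECUTE distinct, either policy can be expressed; a mechanism that fused them could only ever support the coarse one.

```python
from enum import Flag, auto


class Right(Flag):
    """Mechanism: the kinds of access the system can tell apart."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


class ProtectionDomain:
    """A protection domain: a collection of access rights to named objects.
    Anything not named here is unreachable from this domain (default deny)."""

    def __init__(self, name):
        self.name = name
        self.rights = {}  # object name -> Right flags held

    def grant(self, obj, rights):
        self.rights[obj] = self.rights.get(obj, Right.NONE) | rights

    def check(self, obj, wanted):
        """Mechanism: allow only if every requested right is held."""
        held = self.rights.get(obj, Right.NONE)
        return (held & wanted) == wanted


# Two policies layered on the same mechanism (hypothetical names).
def policy_need_to_know(domain, obj, rights):
    """Grant exactly what was asked for and nothing more."""
    domain.grant(obj, rights)


def policy_read_implies_execute(domain, obj, rights):
    """Coarser policy that never hands out READ without EXECUTE.
    Only expressible because the mechanism keeps READ and EXECUTE distinct."""
    if Right.READ in rights:
        rights |= Right.EXECUTE
    domain.grant(obj, rights)


def build_domain(name, policy, requests):
    """Apply a policy to a list of (object, requested rights) for one domain."""
    domain = ProtectionDomain(name)
    for obj, rights in requests:
        policy(domain, obj, rights)
    return domain


def demo():
    # Constructed sample: a process that only needs to read README and
    # read/write its own notes file (the slides' "one specific file" case).
    requests = [
        ("/home/README", Right.READ),
        ("/home/notes.txt", Right.READ | Right.WRITE),
    ]
    strict = build_domain("process-42", policy_need_to_know, requests)
    coarse = build_domain("process-43", policy_read_implies_execute, requests)
    return {
        "strict_can_exec_readme": strict.check("/home/README", Right.EXECUTE),
        "coarse_can_exec_readme": coarse.check("/home/README", Right.EXECUTE),
        "strict_can_rw_notes": strict.check("/home/notes.txt", Right.READ | Right.WRITE),
        "strict_can_write_readme": strict.check("/home/README", Right.WRITE),
        "unnamed_object": strict.check("/etc/passwd", Right.READ),
    }


if __name__ == "__main__":
    for key, allowed in demo().items():
        print(f"{key}: {'allowed' if allowed else 'denied'}")
```

The last key in `demo()` is the "can't even name things you shouldn't access" case from the "How to do protection?" slide: the object simply does not appear in the domain, so the check fails without any explicit deny rule.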

Distinguishing users: Logging in
• When a user logs in, they supply a password which is checked against a password list
• In UNIX, passwords are stored in the file /etc/passwd
• What is in this file?
  - Naive approach: a file with everyone's password in it (but what if that file is compromised?)
  - Better: keep a file with hash(password)
  - A one-way hash function makes it hard to get from hash(password) to password, but easy to go from password to hash(password)
  - Now we can distribute the password file in plain text and the passwords are not revealed

Other attacks?
• Dictionary attack?
  - Compile a list of common passwords (all English words, for example) and compute hash(password) on all of them
  - Compare the contents of the password file to this dictionary list
• Solution? Salt
  - Password file entry = hash(salt+password)
  - Store the salt in the clear
  - The bad guy can't just use a pre-generated dictionary file; they have to have a different one for each person's salt
  - UNIX uses a 12-bit salt
    - so they need 2^12 different dictionary files, one for each salt
    - Is 4096 times harder hard enough?

Better passwords?
• Words in the English dictionary? 250,000 (http://www.askoxford.com/asktheexperts/faq/aboutwords/numberwords)
• Possible 8-character passwords if just letters: 52^8 = 53,459,728,531,456
• If you add digits: 62^8
• If you add punctuation (32 punctuation characters??): 94^8

Distinguishing users (con't)
• Some systems allow other machines to vouch for the identity of a user
• Ex. rsh/rcp etc. allow a user to specify a list of users and machines allowed to act like them (without a password)
• Example: .rhosts says allow jnm@* to log in as me
  - Then if there is a jnm account on any machine, it can act like me
  - Even if it says jnm@mymachine, other machines can masquerade as mymachine
  - Bad stuff!
Logging in
• Recall: in the last stages of the boot process, the OS creates a process called init
• Init does various important housecleaning activities, including maintaining a process for each terminal port (tty)
• Getty then executes the login program on that tty
• Login gets the username/password from the user, reads /etc/passwd, computes hash(salt+password) and compares
• If login is successful, login will spawn a shell process for the user
• The shell and all its children run with that user's privileges

User's processes
• The OS will maintain memory protection (even amongst processes belonging to the same user)
• The OS will also check file permissions for all files the process attempts to access/create
• More on file permissions later..
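The dictionary attack and salt from the "Other attacks?" slide, together with the hash(salt+password) comparison that the "Logging in" slide attributes to login, can be run end to end on a constructed password file. This is an added example for these notes, not code from the lecture or from any UNIX implementation. It assumes SHA-256 as the one-way hash (the slides name none; historical UNIX used a DES-based crypt(3)), a 12-bit salt as the slides state, and the sample accounts, salts and four-word "dictionary" are constructed for illustration. The attack builds one lookup table per distinct salt, so the hash count it returns is the work the attacker actually does.

```python
import hashlib
import os

SALT_BITS = 12                 # the slides: UNIX used a 12-bit salt
NUM_SALTS = 1 << SALT_BITS     # 4096 possible salts


def hash_password(salt, password):
    """Password file entry = hash(salt + password).
    SHA-256 is an assumption standing in for the slides' unnamed one-way
    hash; the historical UNIX scheme used a DES-based crypt(3)."""
    salted = salt.to_bytes(2, "big") + password.encode()
    return hashlib.sha256(salted).hexdigest()


def make_password_file(users, salts=None):
    """users: {name: cleartext}. Returns {name: (salt, hash)}.
    The salt is stored in the clear next to the hash. With salts=None every
    user gets a random 12-bit salt; pass an explicit {name: salt} for a
    reproducible file, or salt 0 for everyone to model an unsalted file."""
    entries = {}
    for name, password in users.items():
        if salts is None:
            salt = int.from_bytes(os.urandom(2), "big") % NUM_SALTS
        else:
            salt = salts[name]
        entries[name] = (salt, hash_password(salt, password))
    return entries


def verify_login(entries, name, password):
    """What login does: recompute hash(salt+password) and compare."""
    if name not in entries:
        return False
    salt, stored = entries[name]
    return hash_password(salt, password) == stored


def dictionary_attack(entries, dictionary):
    """Offline dictionary attack against a leaked password file.
    Returns (cracked {name: password}, number of hash computations).
    One precomputed table per distinct salt: if every entry shares a salt
    the table is built once and reused against everyone."""
    tables = {}   # salt -> {hash: word}
    cracked, work = {}, 0
    for name, (salt, stored) in entries.items():
        if salt not in tables:
            tables[salt] = {hash_password(salt, w): w for w in dictionary}
            work += len(dictionary)
        if stored in tables[salt]:
            cracked[name] = tables[salt][stored]
    return cracked, work


def demo():
    # Constructed sample accounts and a tiny "dictionary" of common passwords.
    users = {"alice": "password", "bob": "password", "carol": "xK9#vQ2!wz"}
    dictionary = ["123456", "password", "letmein", "qwerty"]

    unsalted = make_password_file(users, salts={u: 0 for u in users})
    salted = make_password_file(users, salts={"alice": 17, "bob": 2049, "carol": 4095})

    u_cracked, u_work = dictionary_attack(unsalted, dictionary)
    s_cracked, s_work = dictionary_attack(salted, dictionary)
    return {
        "unsalted_cracked": u_cracked,        # alice and bob, from one table
        "unsalted_work": u_work,              # len(dictionary) hashes in total
        "salted_cracked": s_cracked,          # still cracked: the passwords are weak
        "salted_work": s_work,                # one table per distinct salt
        "same_hash_unsalted": unsalted["alice"][1] == unsalted["bob"][1],
        "same_hash_salted": salted["alice"][1] == salted["bob"][1],
        "tables_for_full_precompute": NUM_SALTS,
        "login_ok": verify_login(salted, "carol", "xK9#vQ2!wz"),
        "login_bad": verify_login(salted, "carol", "password"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the slides' question "Is 4096 times harder hard enough?" turns on are visible in the result: the salt forces a fresh table per victim (three tables instead of one here, and at most 4096 for a full precomputation), but it does nothing for a weak password, so alice and bob are cracked either way. The salt's other effect is that their identical password no longer produces identical entries, which is what stops an attacker from spotting shared passwords by eye.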
