system security i introduction
play

System Security I: Introduction TDDD17 Information Security, Second - PowerPoint PPT Presentation

Sep 07, 2023 •276 likes •838 views

System Security I: Introduction TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University System Security 2 Security in computer systems Hardware (System)

  1. System Security I: Introduction TDDD17 – Information Security, Second Course Ulf Kargén Department of Computer and Information Science Linköping University

  2. System Security 2 • Security in computer systems – Hardware – (System) software Today’s agenda: • – Hardware basics (recap) – Operating System (OS) access control concepts and fundamentals – Memory protection – OS interface (system calls, etc.) – Shortcomings of traditional OS and hardware security Some slides are marked as ”extra reading”. These are not mandatory to read for the Extra exam, but will provide more Reading in-depth understanding and fill in some “blanks”.

  3. Hardware Basics: The Memory Hierarchy 3 • Memory in computers are organized in a hierarchy – Large but slow at the bottom – Small but extremely fast at the top

  4. Hardware Basics: The Memory Hierarchy 4 Hard disk drive (HDD) or solid state drive (SSD) • Size: ~100 – 1000 GB • Access time: milliseconds • Persistent storage after poweroff • Stores program code and data

  5. Hardware Basics: The Memory Hierarchy 5 Random access memory (RAM) • Size: ~10 GB • Access time: ~100 nanoseconds • Too slow to operate on data or code directly from HDD/SSD • Data and code must be loaded into RAM before it can be used • RAM is a limited resource – Must take care to only load data that is actually needed at the moment (more on this later). • Not persistent – data is lost on power off

  6. Hardware Basics: The Memory Hierarchy 6 Cache memory • Size: A few megabytes • Access time: ~10 nanoseconds • Modern CPUs can do billions of operations per second • RAM speed is still a bottleneck! • Keep frequently used parts of RAM in a cache inside CPU • CPU transparently handles fetching/updating data in cache, and write-back to RAM • Code always reference memory through address in RAM

  7. Hardware Basics: The Memory Hierarchy 7 Registers • Size: A few bytes • Access time: < 1 nanosecond (same as CPU itself) • Registers are used to hold data while computations are performed on it in CPU • Typically: Read from memory address A into register R Do operation on data in R Write contents of R back to address A

  8. Hardware Basics: The Memory Hierarchy 8 Registers • Value of registers define the current state of the CPU • All CPUs have some registers with special purposes • Most important is the instruction pointer (IP) register • Always points at the address in memory where the currently executing machine code instruction is located

  9. Hardware Basics: Architecture 9 • The CPU communicates with the RAM and other hardware using several buses (essentially electrical wires) • Modern computers typically have several different buses for memory, graphics cards, hard drives, input devices, etc. Source : https://commons.wikimedia.org/wiki/File:Computer_system_bu s.svg#/media/File:Computer_system_bus.svg

  10. Hardware Basics: Booting 10 Typical startup sequence of a PC: 1. BIOS code executes. – BIOS (Basic Input Output System) is a program stored on a read- only memory chip (ROM) on the motherboard. – Does some hardware checks, and loads the boot loader code into RAM. – Boot loader is stored at a fixed location (Master Boot Record) on hard drive. 2. BIOS transfers execution to boot loader. – Boot loader in turn loads the operating system kernel into memory, and transfers execution to the kernel.

  11. Hardware Basics: Booting 11 3. OS kernel loads device drivers – code to handle communication with hardware – and initializes the hardware, filesystems, networking, etc. – The kernel is the central piece of system software in a computer – Responsible for managing hardware, enforcing access control, mediating programs’ access to resources, etc . 4. Kernel loads programs to handle user interaction, login, graphical interfaces, etc. 5. The computer is ready for use

  12. OS Access Control: Processes 12 The process is the basic entity to which access control is applied in operating systems • Acts as a “proxy” on behalf of e.g. a “real life” user • Whenever a process attempts to access a resource, e.g. a file, the OS checks if the user ID associated with the process is allowed to access the resource. • A process can start other processes, which inherits the user ID of their parent process. OSes typically have a concept of a “ superuser ”, which has access to “everything” • – root user (Unix) – SYSTEM and Administrator users (Windows) • The superuser account is necessary for maintenance and configuration of the system, and for running important system-level services

  13. OS Access Control: Login 13 Process creation at login proceeds (conceptually) as follows: 1. When the kernel has finished initialization, it will launch a login process, running as superuser, e.g. root (Unix) or SYSTEM (Windows) – Can be a GUI login screen in a graphical environment, or simply a login prompt in a text-based interface 2. The user provides some credentials e.g. username and password Since the login process runs as superuser, it has access to the list of users on – the system, and their credentials. 3. Login process checks credentials, and if they match, it will launch a shell process running as the authenticated user – Uses a special OS mechanism (only available to superuser) to switch the user ID of the launched shell from superuser to the given “regular” user 4. The shell process has a user interface for launching programs . Each time a program is launched, a new process is started, running with the user ID of the logged in user Shell can be a desktop environment in a GUI system, or simply a command – interpreter in a text-based (non-GUI) system

  14. OS Access Control: Process Tree Example 14 root Alice Bob Alice Alice Alice Bob Bob Alice Bob Bob Bob Bob Note: Only one process can execute on one CPU (core) at a time! • OS rapidly switches between processes to Tab 3 Tab 2 Tab 1 create the “illusion” of multitasking • Details later …

  15. OS Access Control: Access Control Models 15 OS needs some model to assign access permissions to resources, e.g. files • All general-purpose OSes support Discretionary Access Control (DAC) – Users can assign permission at their own discretion – Example: Alice marks some files as readable and writable by herself, and read-only for everyone else – The Unix read/write/execute permissions for owner/group/others is a well-known example of a DAC model

  16. OS Access Control: Access Control Models 16 More advanced/powerful models: • Mandatory Access Control (MAC) – Apart from DAC rules, access is also restricted according to system-wide security policy – Example policy: Files in users’ home directories should never be writable by anyone other than the owner and the root user (overrides DAC rules set by users) • Role-Based Access Control (RBAC) – Access determined by the role of a subject (one subject can have several roles) Example: 1. The manager role has access to personnel files, but not to web server configuration. 2. Webmaster role has access to web configuration, but not to personnel files But: If manager and webmaster is the same person, he/she has access to both

  17. OS Access Control: Enforcement 17 Central question: How are access controls actually enforced in an OS? • What if processes have direct (physical) access to the hard drive?  Processes can request data at arbitrary positions on the hard drive  Nothing prevents one of Alice’s processes from accessing files created by Bob!  No way for OS to apply e.g. DAC!

  18. OS Access Control: Enforcement 18 What if all processes share the physical memory (RAM)? •  Processes must “play nice”, e.g. not overwriting other processes data or code, or using up all memory for themselves Nothing prevents one of Alice’s processes from accessing data  loaded by one of Bob’s processes  Even if file-system access can somehow be restricted, Alice can still read Bob’s confidential data once it is loaded into memory! There are also serious performance issues with this approach • • What if Bob starts a bunch of memory hungry processes, and then goes home for the weekend. • Now there is no memory left for Alice to launch a process, even if Bob’s processes aren’t actually doing anything!

  19. OS Access Control: Enforcement 19 Conclusions: Each process should only have access to its own code/data • • Functionality of system should not depend on processes “playing nice”  Memory sharing should be handled transparently by kernel Processes should not “see” the memory layout of other processes   Requires strong isolation between processes’ memory space! • Processes must not be allowed to access hardware (e.g. hard drive) directly  Process must ask OS kernel to access hardware on its behalf. Kernel checks if access is allowed before proceeding.  Need a robust interface for this!

  20. Memory Protection: Virtual Memory 20 Idea: Every process has its own virtual memory (VM) From the point of view of one process, all memory is available to it •  Only sees its own memory • Kernel keeps an internal map of memory regions that are actually used, and which parts of the physical RAM they map to

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

An Introduction to the Chinese An Introduction to the Chinese Social Security System and the

An Introduction to the Chinese An Introduction to the Chinese Social Security System and the

An Introduction to the Chinese An Introduction to the Chinese Social Security System and the Social Security System and the Participation of Foreigners Adam Livermore Manager Payroll &amp; HR Admin Dezan Shira &amp; Associates Agenda Agenda

649 views • 49 slides
INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT

INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT

ADVANCED COMPUTER SECURITY INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT IS SECURITY? A systems security policies describe What the system is supposed to do Store and provide access

479 views • 16 slides
Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables

Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables

Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables http://outflux.net/slides/2013/drupal/tunables.pdf R0Ng DrupalCon Portland 2013 Kees Cook &lt;keescook@google.com&gt; (pronounced Case) Who is

474 views • 33 slides
Outline Elections and their security CSci 5271 Introduction to Computer Security System

Outline Elections and their security CSci 5271 Introduction to Computer Security System

Outline Elections and their security CSci 5271 Introduction to Computer Security System security of electronic voting Electronic voting Announcements intermission Stephen McCamant University of Minnesota, Computer Science &amp; Engineering

420 views • 5 slides
Outline Operating System Security Introduction CS 239 Memory protection

Outline Operating System Security Introduction CS 239 Memory protection

Outline Operating System Security Introduction CS 239 Memory protection Interprocess communications protection Security for Networks and File protection System Software Authentication May 20, 2002 Lecture 13 Lecture

348 views • 12 slides
CS 557 - Lecture 22 DNS Security DNS Security Introduction and Requirements, RFC 4033, 2005 Fall

CS 557 - Lecture 22 DNS Security DNS Security Introduction and Requirements, RFC 4033, 2005 Fall

CS 557 - Lecture 22 DNS Security DNS Security Introduction and Requirements, RFC 4033, 2005 Fall 2013 The Domain Name System Virtually every application uses Root the Domain Name System (DNS). DNS database maps: edu mil ru Name to

923 views • 47 slides
Automate Security Testing and System Compliance Agenda Introduction to SCAP Introduction

Automate Security Testing and System Compliance Agenda Introduction to SCAP Introduction

Automate Security Testing and System Compliance Agenda Introduction to SCAP Introduction to STIG SUSE STIG Automation Demo Time Whats next? What is SCAP? The Security Content Automation Protocol is a multi-purpose

684 views • 37 slides
INTRODUCTION COMPUTER &amp; NETWORK SECURITY CMSC 414 JAN 25 2018 TODAY What is

INTRODUCTION COMPUTER &amp; NETWORK SECURITY CMSC 414 JAN 25 2018 TODAY What is

INTRODUCTION COMPUTER &amp; NETWORK SECURITY CMSC 414 JAN 25 2018 TODAY What is security? Why is it so hard to achieve? Administrative The security mindset Analyzing a systems security 1. Summarize the system 2.

801 views • 43 slides
System Security Chapter 29 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide

System Security Chapter 29 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide

System Security Chapter 29 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 29-1 Outline Introduction Policy Networks Users Authentication Processes Files Retrospective Computer Security: Art

951 views • 59 slides
Security and Protection Xavier Martorell-Bofill 1 Ren Serral-Graci 1 Universitat Politcnica

Security and Protection Xavier Martorell-Bofill 1 Ren Serral-Graci 1 Universitat Politcnica

Security and Protection Xavier Martorell-Bofill 1 Ren Serral-Graci 1 Universitat Politcnica de Catalunya (UPC) May 26, 2014 Introduction About security Security components Lectures System administration introduction 1 Operating System

517 views • 35 slides
Introduction Operating System Security, Designing trusted operating systems Continued

Introduction Operating System Security, Designing trusted operating systems Continued

Introduction Operating System Security, Designing trusted operating systems Continued Encapsulated environments CS 239 Security for Networks and System Software May 22, 2002 Lecture 14 Lecture 14 Page 1 Page 2 CS 239, Spring

389 views • 15 slides
HOST Secure Boot I ECE 525 Secure Boot Introduction Embedded system security can be partitioned

HOST Secure Boot I ECE 525 Secure Boot Introduction Embedded system security can be partitioned

HOST Secure Boot I ECE 525 Secure Boot Introduction Embedded system security can be partitioned into two categories: Security issues associated with the design Security issues associated with the system and application data once the

1.13k views • 25 slides
Outline Usability and security (contd) Elections and their security CSci 5271 Introduction

Outline Usability and security (contd) Elections and their security CSci 5271 Introduction

Outline Usability and security (contd) Elections and their security CSci 5271 Introduction to Computer Security Announcements intermission Day 24: Electronic voting System security of electronic voting Stephen McCamant Exercise sets 2

424 views • 10 slides
Information System Security Chapter 1:Introduction Dr. Loai Tawalbeh Faculty of Information

Information System Security Chapter 1:Introduction Dr. Loai Tawalbeh Faculty of Information

Information System Security Chapter 1:Introduction Dr. Loai Tawalbeh Faculty of Information system and Technology, The Arab Academy for Banking and Financial Sciences. Jordan Dr. Loai Tawalbeh summer 2006 Chapter 1 Introduction

253 views • 10 slides
Protection and Security Threat is potential security violation Attack is attempt to breach

Protection and Security Threat is potential security violation Attack is attempt to breach

CSC 4103 - Operating Systems The Security Problem Spring 2007 Security must consider external environment of the system, and protect the system resources Lecture - XX Intruders (crackers) attempt to breach security Protection and

195 views • 4 slides
CSE543 - Introduction to Computer and Network Security Module: Operating System Security

CSE543 - Introduction to Computer and Network Security Module: Operating System Security

942 views • 58 slides
Order Statistics We often want to compute a median of a list of values. (It gives a more accurate

Order Statistics We often want to compute a median of a list of values. (It gives a more accurate

Order Statistics We often want to compute a median of a list of values. (It gives a more accurate picture than the average sometimes.) More generally, what element has position k in the sorted list? (For example, for percentiles or trimmed means.)

380 views • 13 slides
Facultat d'Informtica de Barcelona Univ. Politcnica de Catalunya Administraci de Sistemes

Facultat d'Informtica de Barcelona Univ. Politcnica de Catalunya Administraci de Sistemes

Facultat d'Informtica de Barcelona Univ. Politcnica de Catalunya Administraci de Sistemes Operatius System monitoring

657 views • 27 slides
CLICKJACKING &amp; PHISHING CMSC 414 FEB 28 2019 Town Hall tonight CSIC 1115, 5pm-7pm

CLICKJACKING &amp; PHISHING CMSC 414 FEB 28 2019 Town Hall tonight CSIC 1115, 5pm-7pm

CLICKJACKING &amp; PHISHING CMSC 414 FEB 28 2019 Town Hall tonight CSIC 1115, 5pm-7pm There is insufficient space in Iribe Virtually no student group space No TA space Extra space is going to non-CS UMIACS

1.29k views • 110 slides
Simulation-based optimization of information security controls: An adversary-centric approach

Simulation-based optimization of information security controls: An adversary-centric approach

Simulation-based optimization of information security controls: An adversary-centric approach Elmar Kiesling, Andreas Ekelhart, Bernhard Grill, Christine Strau, Christian Stummer December 9, 2013; Washington, DC Funded by the Austrian

1.01k views • 88 slides
XPath and XSLT without the pain! Bertrand Delacrtaz ApacheCon EU 2007, Amsterdam

XPath and XSLT without the pain! Bertrand Delacrtaz ApacheCon EU 2007, Amsterdam

XPath and XSLT without the pain! Bertrand Delacrtaz ApacheCon EU 2007, Amsterdam bdelacretaz@apache.org www.codeconsult.ch slides revision: 2007-05-04 Goal Learning to learn XPath and XSLT because it takes time... What is XML?

777 views • 33 slides
OpenWhisk on Mesos Tyson Norris/Dragos Dascalita Haut, Adobe Systems, Inc. OPENWHISK ON MESOS

OpenWhisk on Mesos Tyson Norris/Dragos Dascalita Haut, Adobe Systems, Inc. OPENWHISK ON MESOS

OpenWhisk on Mesos Tyson Norris/Dragos Dascalita Haut, Adobe Systems, Inc. OPENWHISK ON MESOS SERVERLESS BACKGROUND OPERATIONAL EVOLUTION SERVERLESS BACKGROUND CUSTOMER FOCUSED DEVELOPMENT SERVERLESS BACKGROUND CUSTOMER FOCUSED EXTENSIONS

560 views • 28 slides
Control of Spectrum Switched Optical Networks draft-zhang-ccamp-sson-framework-00.txt CCAMP WG,

Control of Spectrum Switched Optical Networks draft-zhang-ccamp-sson-framework-00.txt CCAMP WG,

Framework for GMPLS and PCE Control of Spectrum Switched Optical Networks draft-zhang-ccamp-sson-framework-00.txt CCAMP WG, IETF 83 FataiZhang@Huawei Young Lee@ Huawei Oscar Gonzlez de Dios@Telefnica Ramon Casellas@ CTTC Daniele

460 views • 9 slides
Microprocessor Systems Project name: Remote Control Switch Created by: Niclas Bewermeier

Microprocessor Systems Project name: Remote Control Switch Created by: Niclas Bewermeier

Microprocessor Systems Project name: Remote Control Switch Created by: Niclas Bewermeier Supervisor: Dr. Mahmoud Date: September 2017 Department of Electrical and Computer Engineering Contents Introduction

767 views • 27 slides

More recommend