1 / 128

Chapter 5a

Chapter 5a. Operating Systems Security Stallings chapters 4,10,23,24. Protecting Hardware / System Resources. Hardware : Memory, CPU, I/O System Identity (Authentication) Processes and address spaces Files Network (penetration, messages) Databases, Web sites. Hardware security.

paniz
Télécharger la présentation

Chapter 5a

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Chapter 5a Operating Systems Security Stallings chapters 4,10,23,24

  2. Protecting Hardware / System Resources • Hardware: • Memory, CPU, I/O • System • Identity (Authentication) • Processes and address spaces • Files • Network (penetration, messages) • Databases, Web sites

  3. Hardware security • The lowest and most basic level • Affects all other levels • Without minimal support, no security is possible

  4. Protecting Memory • Base and Bound Registers • Segmented memory • Protection keys • Virtual (Paged) memory • Segmented and Paged Virtual memory • Tagged architecture (capabilities) Prof. Ehud Gudes Security Ch5

  5. Memory Protection (basic) Was also used in Intel 808X Base Limit user 0 ModeBit Supervisor mode can load B / L registers Prof. Ehud Gudes Security Ch5

  6. Protection Keys (IBM 360 - History) • PSW had 4 bits protection key • Each memory partition had 4 bits protection key (total 16 possible partitions) • To access: • PSW key = Memory key • Key 0 (OS) can access partition with any other key! Prof. Ehud Gudes Security Ch5

  7. Memory Protection - Paging • Memory protection implemented by associating protection bit with each frame. • Valid-invalid bit attached to each entry in the page table: • “valid” indicates that the associated page is in the process’ logical address space, and is thus a legal page. • “invalid” indicates that the page is not in the process’ logical address space. • different than in/out of memory! Prof. Ehud Gudes Security Ch5

  8. Address Translation Architecture Prof. Ehud Gudes Security Ch5

  9. Valid (v) or Invalid (i) Bit In A Page Table Prof. Ehud Gudes Security Ch5

  10. Segmentation • One-dimensional address space with growing tables • One table may bump into another Prof. Ehud Gudes Security Ch5

  11. Segmentation cont. Allows each table to grow or shrink, independently Prof. Ehud Gudes Security Ch5

  12. Segmentation – primitive form – Intel 286 (old PC) • Data segment and Code segment • Fixed size – 64K each Prof. Ehud Gudes Security Ch5

  13. Implementation of Pure Segmentation (a)-(d) Development of checkerboarding (e) Removal of the checkerboarding by compaction Prof. Ehud Gudes Security Ch5

  14. Segmentation Architecture (Cont.) • Protection. With each entry in segment table associate: • validation bit = 0  illegal segment • read/write/execute privileges • Protection bits associated with segments; code sharing occurs at segment level. • Since segments vary in length, memory allocation is a dynamic storage-allocation problem. • A segmentation example is shown in the following diagram Prof. Ehud Gudes Security Ch5

  15. Example of Segmentation Prof. Ehud Gudes Security Ch5

  16. Segmentation vs. Paging Comparison of paging and segmentation Prof. Ehud Gudes Security Ch5

  17. Segmentation with Paging: MULTICS (1) • Descriptor segment points to page tables • Segment descriptor – numbers are field lengths Prof. Ehud Gudes Security Ch5

  18. Into Descriptor Segment Segmentation with Paging: MULTICS (2) A 34-bit MULTICS virtual address Prof. Ehud Gudes Security Ch5

  19. Segmentation with Paging: MULTICS (3) Conversion of a 2-part MULTICS address into a main memory address

  20. Segmentation with Paging: MULTICS (4) • Simplified version of the MULTICS TLB • Existence of 2 page sizes makes actual TLB more complicated Prof. Ehud Gudes Security Ch5

  21. Privilege level (0-3) 0 = GDT/ 1 = LDT 13 1 2 Index Paged segmentation on the INTEL 80386 • 16k segments, each up to 1G (32bit words) • 2 types of segment descriptors • Local Descriptor Table (LDT), for each process • Global (GDT) system etc. • access by loading a 16bit selector to one of the 6 segment registers: CS, DS, SS, (holding the 16bit selector during run time, 0 means not-in-use) • Selector points to segment descriptor (8 bytes) Prof. Ehud Gudes Security Ch5

  22. Segmentation with Paging: Pentium (3) Conversion of a (selector, offset) pair to a linear address Prof. Ehud Gudes Security Ch5

  23. Segmentation with Paging: Pentium (4) Mapping of a linear address onto a physical address Prof. Ehud Gudes Security Ch5

  24. Intel 30386 Address Translation Prof. Ehud Gudes Security Ch5

  25. Protecting CPU/Processes • User vs. Kernel (supervisor) mode • Amplification – System calls (Trap, SVC) • Protection rings Prof. Ehud Gudes Security Ch5

  26. Privileged Instructions User / Supervisor Mode Instructions SVC - Supervisor mode can execute all the instructions - User mode can execute non-privileged instructions only - One must trust the supervisor Prof. Ehud Gudes Security Ch5

  27. Basic policies • Isolation—a process must be protected from other processes. • Controlled sharing—processes must be able to share resources in a controlled way. Prof. Ehud Gudes Security Ch5

  28. Execution states or modes • At least two modes of operation are needed to have any security. • Most hardware architectures use a supervisor and a user mode. In the user mode some intructions, called privileged instructions, cannot be executed directly. In supervisor mode all the instructions can be executed. The state of a process is kept in a Program Status Word. Prof. Ehud Gudes Security Ch5

  29. How the mode is switched • A supervisor/kernel call (trap) switch to an address in the OS address space with the new mode (this is called: Amplification) • Old address and old mode is saved (e.g. in OLD PSW) • When returning the old address and mode are restored (note different than a procedure call because of the mode switch) Prof. Ehud Gudes Security Ch5

  30. Memory protection vs. CPU protection Both are mutually dependent!: • Without CPU protection, anyone can change keys/bound registers! • Without memory protection, anyone can change old PSW and set to Supervisor mode! Both are needed! Prof. Ehud Gudes Security Ch5

  31. Protection rings • Some architectures define in their hardware a set of rings (4 to 32) that correspond to domains of execution with hierarchical levels of trust. Rings are a generalization of the concept of mode of operation. • Crossing of rings is done through gates that check the rights of the crossing process. A process calling a segment in a higher ring must go through a gate. Prof. Ehud Gudes Security Ch5

  32. r0 r1 r2 r3 r4 r5 r6 r7 W – Write R – Read Ex – Execute C – Call R – ring C C Ex W R Rings in Multics Prof. Ehud Gudes Security Ch5

  33. 0 = kernel 1 = OS functions 2 = safe applications 3 3 = untrusted applications 2 1 0 - Calls upward (higher privilege) - Data access toward less privilege - Gate crossings - Protected entry points Prof. Ehud Gudes Security Ch5

  34. Level Protection rings on Intel Pentium Protection on the Pentium Prof. Ehud Gudes Security Ch5

  35. Protecting I/O • I/O privileged instructions • Interrupts vector in protected area • Open file table in protected area • Open requires system call • Example for combined Memory/CPU protection Prof. Ehud Gudes Security Ch5

  36. Security in Multics - Summary • Files on disk – Access Control lists • Files equal segments in Virtual memory! • When segment is called, file is opened and ACL checked. Then segment descriptor is created and protection is via the descriptor. • Process protection using protection rings. • Process control and amplification using Gates. Prof. Ehud Gudes Security Ch5

  37. Access Matrix Model • View protection as a matrix (access matrix) • Rows represent domains (or Subjects) – a subject may be a user, a process, a role, an IP, etc. a Domain is a subject in some context. • Columns represent objects to which access is required • Access(i, j) is the set of operations that a subject executing in Domaini can invoke on Objectj Prof. Ehud Gudes Security Ch5

  38. What’s the Difference Between a Subject and a Domain A subject is usually a process. During its life-time, a subject may acquire rights or lose them. At a particular point in time, a subject has given a set of rights that’s a domain! Prof. Ehud Gudes Security Ch 1

  39. Access Matrix Figure A Prof. Ehud Gudes Security Ch5

  40. Access Matrix of Figure A With Domains as Objects Figure B Prof. Ehud Gudes Security Ch5

  41. Use of Access Matrix • If a process in Domain Ditries to do “op” on object Oj, then “op” must be in the access matrix. • Can be expanded to dynamic protection. • Operations to add, delete access rights. • Special access rights: • owner of Oi • copy op from Oi to Oj • control – Di can modify Dj access rights • transfer – switch from domain Di to Dj • Reminder - the HRU model Prof. Ehud Gudes Security Ch5

  42. Implementation of Access Matrix – Capabilities and Access-control lists • Representing by row – each subject (domain ) with the objects it can access – Capability list • Representation by Column – each object with the list of subjects that can access it (and which type of access) – Access control list (ACL) Prof. Ehud Gudes Security Ch5

  43. Implementation of Access Matrix • Each column = Access-control list for one object Defines who can perform what operation.For File F1 Domain 4 = Read, Write Domain 1 = ReadFor File f2 Domain 2 = Read  • Each Row = Capability List (like a set of keys)Fore each domain, what operations allowed on what objects. For domain 1: File 1 – Read, File 3 - Read For Domain 3: File 2 – Read, File 3 - Execute

  44. Access Control Lists (1) In Unix - the (abstract) ACL is in the Inode Prof. Ehud Gudes Security Ch5

  45. Access Control Lists (2) Two access control lists Prof. Ehud Gudes Security Ch5

  46. Capabilities (1) Each process has a capability list Prof. Ehud Gudes Security Ch5

  47. Implementing Access Matrix - Capability Lists • “Slicing” the protection matrix by rows • Users and processes have capability lists which are lists of permissions for each object appearing in a domain - c-lists. • Hard to revoke access to objects, have to be found in • Capabilities are “special” objects - ticket, never accessible to user space objects - better protection. To get access process must present the “ticket”! • Generic operations on c-lists • Copy capability (from one object to another) • Copy Object (with capability) • Remove capability (an entry of the c-list) Prof. Ehud Gudes Security Ch5

  48. Descriptors • Descriptors are similar to capabilities but are used mainly for accessing memory. • Because the descriptors are used for addressing they are handled by the memory allocation unit of the OS and we need to trust now that unit. • Descriptors and capabilities can be seen as embodiments of rows of the access matrix Prof. Ehud Gudes Security Ch5

  49. Using Capabilities for Addressing - Descriptors Instruction address cap offset Object Length Base i C B B Rights Object L X B+ X RW C Capability The instruction contains pointer to capability instead of a segment address B+ Descriptor Table Memory Prof. Ehud Gudes Security Ch5

  50. RW R RW R F3 D11 F5 F6 F4 F1 D1 RW RW F2 P1 C - list R R D12 RW RW D R R D3 RW R D31 P2 C - list Sharing Using Capabilities D2 Directories Prof. Ehud Gudes Security Ch5

More Related