OS Security: Memory, File, and Access Control in Computer Systems, Study notes of Computer Science

A set of lecture notes from a computer and network security course at Penn State University, focusing on the mechanisms a secure operating system should provide for memory protection, file protection, general object protection, and access authentication. It also discusses the concept of trust and security in operating systems and the use of access control lists (ACLs) for discretionary access control in UNIX and Windows systems.

Typology: Study notes


Uploaded on 09/24/2009

koofers-user-fwl
CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger
CSE 543 - Computer Security
Lecture 11 - OS Security
October 2, 2007
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/


OS Security

  • A secure OS should provide the following mechanisms
    • Memory protection
    • File protection
    • General object protection
    • Access authentication
  • How do we go about designing a trusted OS?
  • “Trust” in this context means something different from “Secure”

Access Control Lists

  • ACL: a list of the principals that are authorized to have access to some object.
  • E.g., O2: S1 Y, S2 Y, S3 Y
  • Or more correctly:
    • O1: S1
    • O2: S1, S2, S3
    • O3: S3

  • We are going to see a lot of examples of these throughout the semester.

ACL in systems

  • ACLs are typically used to implement discretionary access control
  • For example: you define the UNIX file system ACLs using the chmod utility ….

UNIX filesystem rights …

  • There are three rights in the UNIX filesystem
    • READ - allows the subject (process) to read the contents of the file.
    • WRITE - allows the subject (process) to alter the contents of the file.
    • EXECUTE - allows the subject (process) to execute the contents of the file (e.g., shell program, executable, …)
  • Q: why is execute a right?
  • Q: does the right to read a program implicitly give you the right to execute it?

The UNIX FS access policy

  • Really, this is a bit string encoding an access matrix
  • E.g., rwx rwx rwx (owner, group, world)
  • And a policy is encoded as “r”, “w”, “x” if enabled, and “-” if not, e.g., rwxrw--x
  • Says user can read, write and execute, group can read and write, and world can execute only.

Windows 2000 Security Model

  • Windows uses an ACL model too
    • But, its model is more general
  • Subjects
    • Tokens: Can describe users, groups, arbitrary privileges and retract privileges (restricted contexts)
  • Objects
    • Types: An extensible set of object types can be defined
  • Operations
    • General operations : Fixed set supported by all types
    • Per type operations : Operations with semantics specific to the type may be defined
  • Negative rights
  • Result : Any combination of rights can be described

CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

Tokens

  • Like the UID/GID in a UNIX process
    • User
    • Group
    • Aliases
    • Privileges (predefined sets of rights)
  • May be specific to a domain
  • Composed into global SID
  • Subsequent processes inherit access tokens
    • Different processes may have different rights


Access Checking with ACEs

  • Example (the ACE example figure is not reproduced in the text)


Windows Vista Integrity

  • Integrity protection for writing
  • Defines a series of protection levels of increasing protection
    • untrusted (lowest)
    • low (Internet)
    • medium (user)
    • high (admin)
    • system
    • installer (highest)
  • Semantics: If the subject’s (process’s) integrity level dominates the object’s integrity level, then the write is allowed

UID Transition: Setuid

  • A special bit in the mode bits
  • Execute file
    • Resulting process has the effective (and fs) UID/GID of file owner
  • Enables a user to escalate privilege
    • For executing a trusted service
  • Downside: User defines execution environment
    • e.g., Environment variables, input arguments, open descriptors, etc.
  • Service must protect itself or user can gain root access
  • All UNIX services involve root processes -- many via setuid

/tmp Vulnerability

  • creat(pathname, mode)
  • O_EXCL flag
    • if file already exists this is an error
  • Potential attack
    • Attacker creates file in shared space (/tmp)
    • Give it a filename used by a higher authority service
    • Make sure that service has permission to the file
    • If creat is used without O_EXCL, then can share the file with the higher authority process
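The creation pattern described above, as an added example that is not part of the lecture notes: the unsafe variant creates the file the way creat(2) does (no O_EXCL, so a pre-existing file is silently reused), while the safe variant passes O_CREAT|O_EXCL to open(2), which makes the create atomic and fails with EEXIST if the name is already taken. Function names and the scratch path are assumptions for this illustration.

```c
/* Added example (not from the lecture notes): the /tmp file-creation
 * pattern discussed above as an unsafe and a safe variant. Function
 * names and the scratch path are assumptions for this illustration. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>

/* Unsafe: creates pathname without O_EXCL (equivalent to creat(2)). If
 * the file was planted beforehand, this process silently reuses it. */
int create_temp_unsafe(const char *pathname) {
    return open(pathname, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Safe: O_CREAT|O_EXCL makes the create atomic. If the file already
 * exists, open() fails with errno == EEXIST instead of reusing it. */
int create_temp_safe(const char *pathname) {
    return open(pathname, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Plants a file at pathname (constructed here to stand in for a file
 * that already exists in the shared directory), then tries both
 * variants. Returns 1 when the unsafe variant reused the planted file
 * and the safe variant refused it; cleans up either way. */
int demonstrate(const char *pathname) {
    unlink(pathname);
    int planted = open(pathname, O_WRONLY | O_CREAT, 0666);
    if (planted < 0) return 0;
    close(planted);

    int unsafe_fd = create_temp_unsafe(pathname);
    int safe_fd = create_temp_safe(pathname);
    int safe_refused = (safe_fd < 0 && errno == EEXIST);
    int result = (unsafe_fd >= 0) && safe_refused;
    if (unsafe_fd >= 0) close(unsafe_fd);
    if (safe_fd >= 0) close(safe_fd);
    unlink(pathname);
    return result;
}

int main(void) {
    printf("safe variant refused planted file: %d\n",
           demonstrate("/tmp/cse543_tmp_demo_example"));
    return 0;
}
```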

Sandboxing

  • An execution environment for programs that contains a limited set of rights
    • A subset of your permissions (meet secrecy and integrity goals)
    • Cannot be changed by the running program (mandatory)

UNIX Chroot

  • Create a domain in which a process is confined
    • Process can only read/write within file system subtree
    • Applies to all descendant processes
    • Can carry file descriptors in ‘chroot jail’