Operating Systems Lecture 11a
Dr Ronald Grau, School of Engineering and Informatics, Spring term 2018
Previously: File systems and I/O

Today: Security
  Terminology
  Cryptography
  Authentication
  Access Control
  Vulnerabilities
  Design
What is security?
Keywords that describe aspects of security:
  Freedom / Protection (from harm, damage, threat, anxiety, ...)
  Resilience (against attack, or unwanted change)
  Control (of access to goods / resources)
What is security?
Strategies, measures and tools to ensure security in computer systems:
  Confidentiality: keep data secret
  Integrity: prevent tampering with data
  Availability: keep data accessible
Security threats:
  Data leak (violates confidentiality)
  Manipulation of data (violates integrity)
  Denial-of-service attack (violates availability)
  → security violations
What is security?
Security policy:
  Assigns roles to users
  Roles have well-defined privileges
Violations:
  Internal: abusing one's role / negligence
    → trust problem in assigning roles
  External: transgressing one's role
    → technical problem in securing the system
Where is security important in an OS?
How to secure a system?
Attacks:
  Attempt to acquire privileges
    → Assume someone else's identity
    → Exploit a security vulnerability
  Deliberately overload or damage a system
How to secure a system?
Defenses:
  Authentication: identify users
  Accounting: log user activities
  Access control: restrict user permissions
  Isolation: detect and lock out potentially malicious users
Asymmetric Cryptography (a.k.a. public-key cryptography)
  Two keys: public key P and private key R (secret)
  Cryptographic algorithm f
  Encryption: d = f(P, m)
  Decryption: m = f(R, d)
  Signing: d = f(R, m), send (m, d)
  Signature verification: m = f(P, d)
  Works because it is difficult to compute R given P, m and d
  Examples: RSA, elliptic curves, ...
  Applications: PGP, GPG, SSL, Bitcoin, ...
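The f(P, m) / f(R, d) notation above, worked through with textbook RSA on tiny numbers. This is an added example, not code from the lecture; the primes 61 and 53 and the exponent 17 are constructed, there is no padding, and the block is for illustration only, not real cryptography.

```python
# Textbook RSA (added example, constructed numbers, no padding: educational only).
# Public key P = (e, n), private key R = (d, n); f(key, x) = x^k mod n.

def generate_keys(p, q, e=17):
    """Return (public key P, private key R) built from two primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # modular inverse of e (Python >= 3.8)
    return (e, n), (d, n)

def apply_key(key, x):
    """The trapdoor function f: exponentiation modulo n with the key's exponent."""
    k, n = key
    return pow(x, k, n)

def encrypt(public, m):
    return apply_key(public, m)               # d = f(P, m)

def decrypt(private, d):
    return apply_key(private, d)              # m = f(R, d)

def sign(private, m):
    return m, apply_key(private, m)           # send (m, d) with d = f(R, m)

def verify(public, m, d):
    return apply_key(public, d) == m          # accept iff m = f(P, d)

def recover_private_key(public):
    """Why it 'works': R is only hard to obtain from P while n cannot be factored.
    For n = 3233 trial division succeeds instantly; for a 2048-bit n it does not."""
    e, n = public
    p = next(i for i in range(2, int(n ** 0.5) + 1) if n % i == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1)), n
```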
Symmetric Cryptography
  Shared secret key K
  Cryptographic algorithm f
  Encryption: d = f(K, m)
  Decryption: m = f⁻¹(K, d)
  Works because it is difficult to compute m given d (without knowing K)
  Examples: 3DES, AES, Blowfish, ...
  Problem: key exchange
    → use asymmetric cryptography to exchange keys, e.g. SSL
  Advantage: faster than asymmetric cryptography
Cryptographic Hash Functions
One-way function h with
  Input: message m
  Output: digest d
  Pre-image resistance: given d, it is difficult to compute m = h⁻¹(d)
  Second-pre-image resistance: given m1, it is difficult to find an m2 ≠ m1 such that h(m1) = h(m2)
  Collision resistance: it is difficult to find any pair m1 ≠ m2 such that h(m1) = h(m2)
  Examples: MD5, SHA-1, BLAKE, ...
  Applications: verifying data integrity, source code management systems, ...
Authentication
User
  Identity in the system (username, ...)
Authentication by
  Something that the user is (e.g., biometric features)
  Something that the user has (e.g., token, smartphone, key card, ...)
  Something that the user knows (e.g., password, PIN, ...)

Authentication
Example: password
  Hashed and checked against the stored hash in the user database
  Linux: /etc/shadow, e.g. SHA-512
Example 2: Two-factor authentication (TFA)
  Password + time-based one-time password (TOTP)
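Both authentication examples above in working form: a password verified against a stored salted hash (relying on the pre-image resistance of the previous slide), combined with a TOTP second factor. This is an added example, not the lecture's code; the user record and the TOTP secret are constructed, and PBKDF2-SHA-512 stands in for the salted, iterated SHA-512 scheme of /etc/shadow.

```python
import hashlib
import hmac
import os
import struct

ROUNDS = 100_000   # slow hash: makes offline guessing of a leaked record expensive

def make_password_record(password, salt=None):
    """Store only salt + slow hash; the password itself is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ROUNDS)
    return salt, digest

def check_password(password, record):
    """Pre-image resistance means the stored hash reveals nothing about the
    password, so the check hashes the candidate and compares in constant time."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, stored)

def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, unix_time, step=30):
    """TOTP (RFC 6238): HOTP whose counter is the number of 30-second steps."""
    return hotp(secret, unix_time // step)

def verify_totp(secret, code, unix_time, step=30, window=1):
    """Accept the current step and +/- window steps to tolerate clock drift."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + k).encode(), code.encode())
               for k in range(-window, window + 1))

def two_factor_login(password, record, secret, code, unix_time):
    """Both factors must pass: something known + something possessed."""
    return check_password(password, record) and verify_totp(secret, code, unix_time)
```

The HOTP/TOTP values can be checked against the test vectors published in RFC 4226 and RFC 6238 (secret "12345678901234567890").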
Access Control
Protection domain
  Specifies the objects (resources) and access permissions
  Statically or dynamically assigned ("role")
  Examples:
    User, user group, network segment, ...
    Process, thread, procedure, ...
  → large variety of mechanisms

Access Matrix
  Specification of protection domains: one row per domain, one column per object, each cell holds the permitted operations
Implementation: Access Control List (ACL)
  Stored per object: the permissions of every user (domain) for that object (a column of the matrix)
Implementation: Capability List
  Stored per user (domain): the permissions that domain holds on every object (a row of the matrix)
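The same access matrix stored both ways, as an added example that is not part of the lecture. The domains, objects and rights below are constructed; the two views must agree on every cell, and anything absent from either view is denied by default.

```python
# Access matrix (constructed): rows are protection domains, columns are objects,
# cells are the permitted operations. An empty or missing cell means no access.
ACCESS_MATRIX = {
    "alice": {"report.txt": {"read", "write"}, "printer": {"write"}},
    "bob":   {"report.txt": {"read"}, "printer": {"write"}},
    "root":  {"/etc/shadow": {"read", "write"}, "report.txt": {"read", "write"},
              "printer": {"read", "write"}},
}

def access_control_lists(matrix):
    """ACL view: for each object (a column), which domains may do what."""
    acls = {}
    for domain, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                acls.setdefault(obj, {})[domain] = set(rights)
    return acls

def capability_lists(matrix):
    """Capability view: for each domain (a row), which objects it may use and how."""
    return {domain: {obj: set(rights) for obj, rights in row.items() if rights}
            for domain, row in matrix.items()}

def allowed_by_acl(acls, domain, obj, op):
    """Check made at the object: look the calling domain up in the object's list.
    Unknown object or domain -> empty set -> denied (least privilege by default)."""
    return op in acls.get(obj, {}).get(domain, set())

def allowed_by_capability(caps, domain, obj, op):
    """Check made at the subject: the domain presents its capability for obj."""
    return op in caps.get(domain, {}).get(obj, set())

def revoke_object(acls, caps, obj):
    """Revoking all access to one object is a single deletion in the ACL view
    but needs a scan of every capability list: one reason real systems mix both."""
    acls.pop(obj, None)
    for row in caps.values():
        row.pop(obj, None)
```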
Mechanism vs. Policy
Mechanism
  Operating system provides a way to specify rules for protection domains
  Operating system ensures that the rules are enforced
Policy
  Users define the policy:
    Who is allowed to access which object?
System intrusion
  Exploit the user's weakness
    Social engineering (phishing, ...)
    Make the user run a malicious program
    Password cracking
  Exploit a technical weakness (vulnerability)
    Software bugs
    Misconfigured systems
    Attack weak cryptography
  Ultimate goal: get control over the system
Malware
Software with malicious functionality
  Steal data (e.g. key logger)
  Manipulate data
  Unwanted encryption (ransomware)
  Launch a denial-of-service attack
Types of malware:
  Virus: malicious code hidden in a program, copies itself into other programs
  Worm: malicious program that replicates itself over the network
  Trojan Horse: malicious code hidden in a program
  Logic Bomb: malicious program that activates itself on certain conditions
  Backdoor: hidden way to get control of the system bypassing authentication
Vulnerabilities
Example: buffer overflow, e.g. strcpy(buffer, argv[1]) in C
Defenses:
  Stack protection (e.g., canaries, NX bits, randomisation)
  Safe programming languages (e.g. Java)
Other vulnerabilities:
  SQL injection, cross-site scripting, etc.
  https://cve.mitre.org/
Design for Security
  Open design (not: "security by obscurity"):
    Open source code of security mechanisms increases the chance to find and patch vulnerabilities
  Principle of least privilege:
    e.g. default setting: no permissions
  Economy of mechanisms:
    Simplicity reduces the number of possible bugs
  Acceptability:
    e.g. must not impact availability
Summary
  Security goals ("CIA"): Confidentiality, Integrity, Availability
  Defenses: Authentication, Accounting, Access control, Isolation
  Threat, attack, vulnerability, exploit, violation
Read
  Tanenbaum & Bos, Modern Operating Systems, Chapter 5
  Silberschatz et al., Operating System Concepts, Chapters 14 & 15
Next Lecture
  Introduction
  Operating System Architectures
  Processes
  Threads – Programming
  Process Scheduling – Evaluation
  Process Synchronisation
  Deadlocks
  Memory Management
  File Systems
  Input / Output
  Security
  Virtualisation