
COMP 3000 Operating Systems
Security and Additional OS Topics (part 1)
Lianying Zhao

Security is a Key Consideration in OS Designs
• The OS creates and enforces every abstraction that applications see; it is the security of those applications that we ultimately care about
• Our focus is on OS mechanisms
• Aspects to be considered:
  • Hardware mechanisms the OS relies on, e.g., the NX bit (no-execute)
  • OS features that serve security as a byproduct, e.g., virtual memory
  • OS features specially designed for security, e.g., seccomp
  • Dedicated security modules/components, e.g., SELinux, AppArmor
COMP 3000 (Winter 2021) 2
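A worked example of the first aspect, the NX bit, added here and not part of the original slides. It maps an anonymous page, writes a single `ret` instruction into it and calls it from a forked child: with the page mapped read/write only, the processor's no-execute check makes the child die with SIGSEGV; after `mprotect()` to read/execute the same bytes run normally. The instruction encodings for x86-64 and AArch64 are the only architecture-specific pieces; everything else is standard Linux.

```c
// Added example (not from the lecture slides): the NX bit in action.
// A child process writes a one-instruction function ("ret") into an
// anonymous page and jumps to it. With the page mapped RW but not X the
// CPU refuses to fetch instructions from it and the child dies with
// SIGSEGV; after mprotect() to R+X the same bytes run and the child exits 0.
#define _GNU_SOURCE
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
static const unsigned char RET_INSN[] = { 0xc3 };                   /* ret */
#elif defined(__aarch64__)
static const unsigned char RET_INSN[] = { 0xc0, 0x03, 0x5f, 0xd6 }; /* ret */
#else
#error "add the encoding of a bare 'ret' for this architecture"
#endif

/* Runs in the child: map a page, copy the instruction in, optionally
 * flip it to executable, then call it. Only returns via _exit(). */
static void run_from_page(int make_executable)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        _exit(2);
    memcpy(page, RET_INSN, sizeof RET_INSN);
    if (make_executable) {
        /* W^X: drop write before adding execute, as a JIT would. */
        if (mprotect(page, (size_t)pagesz, PROT_READ | PROT_EXEC) != 0)
            _exit(3);
        __builtin___clear_cache((char *)page, (char *)page + sizeof RET_INSN);
    }
    void (*fn)(void) = (void (*)(void))page;
    fn();          /* faults here when the page is not executable */
    _exit(0);
}

/* Forks, runs the experiment in the child and reports what happened:
 * 0 = code ran and returned, SIGSEGV = NX blocked the instruction fetch,
 * -1 = the harness itself failed (mmap/mprotect/fork/waitpid). */
int execute_from_page(int make_executable)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        run_from_page(make_executable);
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 0;
    return -1;
}

int main(void)
{
    /* Expect SIGSEGV for the RW page and 0 for the RX page. */
    return (execute_from_page(0) == SIGSEGV && execute_from_page(1) == 0) ? 0 : 1;
}
```

The OS only asks the hardware to enforce the bit: `mmap()` and `mprotect()` set the page-table permission, and the fault on fetch is raised by the MMU, which is why the kernel can refuse execution from the stack and heap without inspecting what is stored there.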
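A second added example, for seccomp, again not from the slides: a minimal seccomp-bpf filter that makes `mkdirat(2)` fail with EPERM on the calling thread while allowing every other system call. The choice of `mkdirat` is arbitrary for the demo, and the path passed to it is constructed; the architecture check at the top of the filter is the part most often left out in practice.

```c
// Added example (not from the lecture slides): a minimal seccomp-bpf filter.
// It makes mkdirat(2) return EPERM for this thread and leaves every other
// system call alone, so the process keeps running after installation.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Installs the filter on the calling thread. Returns 0 on success, else -errno. */
int deny_mkdirat_with_seccomp(void)
{
    struct sock_filter filter[] = {
        /* Kill if invoked under a foreign ABI (e.g. 32-bit compat): syscall
         * numbers differ there, so the filter below would be meaningless. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number: mkdirat -> EPERM, anything else -> allow. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mkdirat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = filter,
    };
    /* Required for an unprivileged process: guarantees a later execve() of a
     * setuid binary cannot be confused by the filter we leave behind. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

/* Issues mkdirat() as a raw syscall and returns errno (0 on success). */
int try_mkdirat(const char *path)
{
    if (syscall(SYS_mkdirat, AT_FDCWD, path, 0700) == 0)
        return 0;
    return errno;
}

int main(void)
{
    int before = try_mkdirat("/");   /* "/" exists, so the kernel says EEXIST */
    if (deny_mkdirat_with_seccomp() != 0)
        return 1;
    int after = try_mkdirat("/");    /* the filter answers first: EPERM */
    return (before == EEXIST && after == EPERM) ? 0 : 1;
}
```

The filter is evaluated in the kernel before the system call handler runs, which is why the second call never reaches the filesystem. Two caveats for real use: without the `SECCOMP_FILTER_FLAG_TSYNC` flag to `seccomp(2)` the filter binds only the calling thread, and a filter cannot be removed once installed, so it is normally applied right before the untrusted code starts.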

Terminology
• Threat model (aka. trust model or attack model)
  • Where threats come from
  • Who is trusted, who is malicious, who is curious, etc.
• Security goals:
  • Integrity
  • Confidentiality
  • Availability
• Tamper-evident vs. tamper-resistant vs. tamper-responding
• TCB (Trusted Computing Base)
  • The set of hardware/software components that must be trusted for a security goal to hold; a flaw in any of them defeats the goal, so a smaller TCB is easier to get right

Shift of Threat Model
• Revisiting the OS history
  • Before multitasking and time-sharing
    • Physical threats, e.g., addressed by isolated server rooms
  • Pre-PC era (pre-Internet)
    • Multiple users sharing a computer: how to protect them from each other
  • Data- and communication-intensive era
    • Influences from various inputs
    • Network security

Cryptography vs. Hardening or Access Control
• Cryptography: mathematical tools that ensure a certain binding (e.g., of a message to its signer) or unavailability (e.g., of plaintext to anyone without the key)
  • Encryption
  • Digital signatures
  • Message digests (cryptographic hash functions)
• Software hardening (with or without hardware support)
  • Logical
  • Enforced by program control flow
  • E.g., if (password != "abc123")
  • Holds only as long as the adversary can neither alter that control flow nor read the embedded secret
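The slide's one-line check transcribed into C, as an added example that is not from the slides (the expected password is a constructed value and the helper names are the example's own). It shows two things a practitioner should notice: in C, `password != "abc123"` compares pointers rather than contents, so the literal transcription rejects even the correct password; and once the check is written correctly it is still a single conditional branch in the binary, so the protection is exactly as strong as the adversary's inability to flip that branch or pull the literal out of the executable.

```c
// Added example (not from the lecture slides): the slide's password check in C.
#include <stdio.h>
#include <string.h>

/* Hypothetical secret used only for this demo. */
#define EXPECTED_PASSWORD "abc123"

/* Literal transcription of the slide. In C the != compares two pointers, so
 * this only accepts a password that is the very same object as the literal;
 * a buffer filled from read() or getline() is never that object. */
int check_password_pointer_compare(const char *password)
{
    if (password != "abc123")
        return 0;   /* reject */
    return 1;       /* accept */
}

/* What the slide means: compare the contents. The decision is still one
 * conditional branch, which is all "enforced by control flow" provides. */
int check_password(const char *password)
{
    if (strcmp(password, EXPECTED_PASSWORD) != 0)
        return 0;
    return 1;
}

/* Simulates input arriving from the user: copy it into a fresh buffer
 * (as read() would) and hand that buffer to the check under test. */
int check_typed_password(int (*check)(const char *), const char *typed)
{
    char buf[64];
    snprintf(buf, sizeof buf, "%s", typed);
    return check(buf);
}

int main(void)
{
    printf("pointer compare, correct password: %d\n",
           check_typed_password(check_password_pointer_compare, "abc123"));
    printf("strcmp, correct password: %d\n",
           check_typed_password(check_password, "abc123"));
    printf("strcmp, wrong password: %d\n",
           check_typed_password(check_password, "abc124"));
    return 0;
}
```

The corrected version is where the contrast with cryptography on this slide matters: the secret sits in the binary's data section in the clear, and the accept/reject decision is one instruction, so an attacker who can read or patch the executable needs no password at all, whereas a cryptographic binding survives the adversary reading everything except the key.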

Cryptography
• Symmetric vs. asymmetric (public-key) crypto
• Plaintext vs. ciphertext
• One-way functions
• No security by obscurity: Kerckhoffs' principle, i.e., the system must remain secure even if everything about it except the key is public

What Can Go Wrong, and How?
• The difficulty of security lies in the asymmetry between the two sides: the defender must shut every attack vector, while the adversary needs only one to succeed
• In theory and ideally, software can contain no bugs
• Two types of problems:
  • Design flaws
    • Present even when everything has been implemented perfectly as designed
    • Caused by threats that were not taken into account
  • Implementation errors
• Vulnerability vs. exploit: a vulnerability is a weakness in the system; an exploit is the concrete input or procedure that turns it into an attack