Operating Systems
Lecture 12 Security and Case Studies
Security
Case studies
Scheduling
Memory management
Virtual memory
Deadlock
File system
Synchronization
Access control
COMP 2432 2021/2022
Protection and Security
Protection
Mechanisms and policy to keep programs and users from accessing or changing things they should not.
Issues internal to Operating System.
Security
Authentication of user, validation of messages, malicious or accidental introduction of flaws, etc.
Issues external to Operating System.
System is secure if resources are used and accessed as intended under all circumstances.
Problems:
Intruders (or crackers) attempt to breach security. A threat is a potential security violation.
An attack is an attempt to breach security.
Attack can be accidental or malicious.
It is easier to protect against accidental than malicious misuse.
More to be covered in COMP 3334.
Security Violation Categories
Breach of confidentiality
Unauthorized reading of data.
Breach of integrity
Unauthorized modification of data.
Breach of availability
Unauthorized destruction of data.
Theft of service
Unauthorized use of resources.
Denial of service (DOS)
Prevention of legitimate use.
Distributed DOS (DDOS) has become common in recent years through the Internet.
Breaching Security
Masquerading
Pretending to be an authorized user to escalate privileges.
Replay attack
Save a previous message and replay it, with or without modification.
Man-in-the-middle attack
Intruder sits in data flow, masquerading as sender to receiver and vice versa.
Session hijacking
Intercept an already-established session to bypass authentication.
Program Threats
Trojan horse
Code segment that misuses its environment.
Exploits mechanisms for allowing programs to be executed by other users.
Spyware, pop-up browser windows, covert channels.
Trap door
Specific user identifier or password that circumvents normal security procedures.
Logic bomb
Program that initiates a security incident under certain circumstances.
Stack and buffer overflow
Exploits a bug in a program (overflow either stack or memory buffers): gets() in C.
Write past arguments on stack into return address on stack.
When routine returns from call, returns to hacked address.
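The gets() problem in the list above is that the function is never told how large the destination buffer is. The following added example (written for these notes, not code from the lecture) shows the bounded replacement a defender would use: fgets() is given the buffer size, stops at the last byte that fits, and the rest of an over-long line is discarded instead of being written past the buffer. The input is fed from an in-memory stream via fmemopen (POSIX) so that it runs offline; the NAME_LEN size and the sample inputs are constructed for the demonstration.

```c
/* Added example (not from the lecture slides): reading a line into a
 * fixed-size stack buffer.  gets() has no idea how big the buffer is and
 * will write past its end; fgets() is told the size and stops there.
 * Input is fed from an in-memory stream (fmemopen, POSIX) so that the
 * example runs offline.  NAME_LEN and the inputs are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Read one line from `in` into name[NAME_LEN].  Returns the number of
 * characters stored (excluding the terminating NUL), or -1 on EOF.
 * Anything beyond NAME_LEN - 1 characters is drained and discarded, so
 * the buffer can never overflow no matter how long the line is. */
int read_name_bounded(FILE *in, char name[NAME_LEN])
{
    if (fgets(name, NAME_LEN, in) == NULL)
        return -1;
    size_t n = strlen(name);
    if (n > 0 && name[n - 1] == '\n') {
        name[--n] = '\0';            /* strip the newline */
    } else {
        int c;                       /* line was longer than the buffer */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;                        /* drain the rest of the line */
    }
    return (int)n;
}

/* Feed a constructed string through read_name_bounded(); returns the
 * number of bytes kept, or -1 if the stream could not be opened. */
int demo_read(const char *input, char out[NAME_LEN])
{
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return -1;
    int n = read_name_bounded(in, out);
    fclose(in);
    return n;
}

/* Bytes kept for a given input (buffer discarded). */
int demo_kept(const char *input)
{
    char buf[NAME_LEN];
    return demo_read(input, buf);
}

/* 1 if reading `input` leaves exactly `expect` in the buffer. */
int demo_matches(const char *input, const char *expect)
{
    char buf[NAME_LEN];
    return demo_read(input, buf) >= 0 && strcmp(buf, expect) == 0;
}

int main(void)
{
    char buf[NAME_LEN];
    /* Constructed inputs: one that fits, one far longer than the buffer.
     * With gets() the second would keep writing past the end of buf. */
    int a = demo_read("alice\n", buf);
    printf("kept %d bytes: \"%s\"\n", a, buf);
    int b = demo_read("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n", buf);
    printf("kept %d bytes: \"%s\"\n", b, buf);
    return 0;
}
```

The second read keeps only the 15 characters that fit and leaves the buffer NUL-terminated; the same call pattern applies to any fixed-size buffer filled from untrusted input.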
Virus
Code fragment embedded in legitimate program.
Self-replicating, designed to infect other computers.
Very specific to CPU architecture, operating system, applications.
Usually borne via email or as a macro.
Security Measure Levels
It is impossible to have absolute security, but should make cost high enough to deter most intruders.
Security must occur at four levels to be effective.
Physical level
Data centers, servers, connected terminals
Human level
Avoid social engineering, phishing, dumpster diving
Operating system level
Protection mechanisms, debugging
Network level
Intercepted communications, interruption, DOS
Security is as weak as the weakest link in the chain. Very often this weakest link is the human!
Cryptography
Cryptography allows transforming data (plaintext) into something not readable by outsiders (ciphertext) without the secret key.
It is the broadest security tool available.
OS and information inside a computer could be trusted.
Create, manage, protect process ID, communication port.
Internal to computer, source and destination of messages are known and protected.
Source and destination of messages on network cannot be trusted without cryptography.
Local network – IP address?
WAN / Internet – how to establish authenticity
Cryptography can constrain potential senders (sources) and / or receivers (destinations) of messages.
Enable confirmation of source, receipt only by certain destination, trust relationship between sender and receiver.
Authentication
Authentication is the act of confirming the truth of an attribute of a single piece of data claimed true by an entity.
It is most often related to the confirmation of a person or an agency on network.
It can be used to constrain set of potential senders of a message, and to prove that message is unmodified.
Closely related to and complementary to cryptography.
Proving you are who you claim by
Knowledge factor: something you know, e.g. password, PIN, challenge response, security question.
Ownership factor: something you own, e.g. ID card, octopus card, cell phone with built-in hardware token, digital certificate.
Inherence factor: something you are, e.g. fingerprint, palm print, retinal pattern, face, voice.
Information Security
Measures taken to prevent unauthorized use of electronic data, including disclosure, alteration, substitution, or destruction of the data concerned.
It goes beyond just the OS, the computer system, the network, to the full application environment.
Three major requirements: CIA
Confidentiality: concealment of data from unauthorized parties.
Integrity: assurance that data is genuine.
Availability: system still functions efficiently with security provisions.
Another common requirement is non-repudiation, i.e. you cannot deny you have done something, e.g. sending a signed message, having purchased a product.
Case Studies
We will look into how the key concepts are being implemented in real systems.
Scheduling
Memory management
Virtual memory
Deadlock
File system
Synchronization
Access control
Windows Scheduling
Preemptive priority-based scheduler, called dispatcher, with larger number to mean higher priority.
Round robin with time quantum is used for each priority.
A process is executed by the CPU until it is preempted by a higher priority process or until its time quantum expires.
32 (0-31) different priorities, so there are 32 queues, following a multi-level feedback queue arrangement.
Top 16 (16 to 31) are for real-time class of jobs and bottom 15 (1 to 15) are for user class of jobs. 0 is for memory management.
A user class process will get a lower priority upon time quantum expiry.
In Windows API, there are 6 priority classes, from highest REALTIME-PRIORITY-CLASS to lowest IDLE-PRIORITY-CLASS.
Windows Scheduling
A process within a priority class could still have a range of priorities that it can take. This is called the relative priority of the process. There are 7 of them, from TIME-CRITICAL to IDLE.
A normal process will belong to NORMAL-PRIORITY-CLASS in the middle with NORMAL relative priority in the middle.
A process resumed from I/O will get a higher relative priority.
Interactive foreground process has a larger time quantum.
Linux Scheduling
Preemptive priority-based scheduler, with smaller number to mean higher priority.
Round robin with time quantum is used for each priority.
100 (0 to 99) priorities for real-time jobs and 41 (100 to 140) priorities for others.
Real-time jobs have static priority and other jobs have dynamic priority p ± 5, depending on how interactive the job is.
Higher priority jobs have larger time quantum and lower priority ones have smaller time quantum.
Interesting prioritized quota-based scheduling:
All processes are given an initial quota (on CPU time) equal to the time quantum at its priority.
Highest priority process will be executed first.
Quota will be subtracted when timer interrupt occurs or process waits for I/O.
When quota becomes zero, another process is chosen.
When all processes use up all their quotas, all will be given the full quotas again.
Linux Scheduling
[Figure: Linux priority and time quantum]
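To make the quota-based rule concrete, here is an added simulation (written for these notes, not Linux code): each process starts with a quota equal to its quantum, the highest-priority process with quota left runs on every timer tick, and once every quota is exhausted all of them are refilled. The quantum_for() table and the three processes are assumptions for the demonstration; I/O waits are not modelled, only timer interrupts.

```c
/* Added example (not from the slides): a toy simulation of the
 * prioritised, quota-based scheduling described above.  Smaller
 * priority number = higher priority, and a higher-priority process gets
 * a larger time quantum.  The quantum-per-priority rule and the three
 * constructed processes are assumptions for the demonstration, not
 * Linux's real tables.  I/O waits are not modelled; only timer ticks. */
#include <stdio.h>

#define NPROC 3
#define MAX_TICKS 64

struct proc {
    const char *name;
    int priority;   /* smaller number = higher priority */
    int quantum;    /* initial quota, larger for higher priority */
    int quota;      /* CPU time left in the current epoch */
};

/* Assumed quantum for a priority number: 20 ticks at priority 100,
 * shrinking by 2 per level, with a floor of 2 ticks. */
int quantum_for(int priority)
{
    int q = 20 - 2 * (priority - 100);
    return q < 2 ? 2 : q;
}

/* Pick the process with the highest priority that still has quota;
 * return its index, or -1 if every quota is exhausted. */
int pick_next(const struct proc *p, int n)
{
    int best = -1;
    for (int i = 0; i < n; i++)
        if (p[i].quota > 0 && (best < 0 || p[i].priority < p[best].priority))
            best = i;
    return best;
}

/* Run `ticks` timer interrupts.  Each tick charges one unit of quota to
 * the running process; when all quotas are zero, every process gets its
 * full quantum back (a new epoch).  Records which process ran in each
 * tick in `trace` (first letter of its name) and returns the number of
 * epochs started. */
int simulate(struct proc *p, int n, int ticks, char *trace)
{
    int epochs = 1;
    for (int i = 0; i < n; i++) p[i].quota = p[i].quantum;
    for (int t = 0; t < ticks && t < MAX_TICKS; t++) {
        int cur = pick_next(p, n);
        if (cur < 0) {                       /* all quotas used up: refill */
            for (int i = 0; i < n; i++) p[i].quota = p[i].quantum;
            epochs++;
            cur = pick_next(p, n);
        }
        p[cur].quota--;                      /* timer interrupt: charge one tick */
        trace[t] = p[cur].name[0];
    }
    return epochs;
}

/* Constructed workload run for 40 ticks; fills `trace` (NUL-terminated)
 * and returns the number of epochs started. */
int demo_run(char trace[MAX_TICKS + 1])
{
    struct proc procs[NPROC] = {
        { "A", 100, quantum_for(100), 0 },   /* most interactive, highest priority */
        { "B", 105, quantum_for(105), 0 },
        { "C", 110, quantum_for(110), 0 },
    };
    for (int i = 0; i <= MAX_TICKS; i++) trace[i] = '\0';
    return simulate(procs, NPROC, 40, trace);
}

/* How many of the 40 ticks went to process `who`. */
int demo_ticks_for(char who)
{
    char trace[MAX_TICKS + 1];
    demo_run(trace);
    int n = 0;
    for (int i = 0; trace[i]; i++) if (trace[i] == who) n++;
    return n;
}

int demo_epochs(void)
{
    char trace[MAX_TICKS + 1];
    return demo_run(trace);
}

int main(void)
{
    char trace[MAX_TICKS + 1];
    int epochs = demo_run(trace);
    printf("quanta: A=%d B=%d C=%d\n", quantum_for(100), quantum_for(105), quantum_for(110));
    printf("trace : %s\n", trace);
    printf("epochs started: %d\n", epochs);
    return 0;
}
```

With these quanta (20, 10 and 2 ticks) one epoch is 32 ticks: A runs first until its quota is gone, then B, then C, and the 33rd tick starts a second epoch with everything refilled. The lowest-priority process is still guaranteed its two ticks per epoch, which is the point of the quota: priority decides order, not whether a process runs at all.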
Pentium Memory
Pentium CPU (IA-32) provides segmentation (at most 16384 segments).
It adopts two types of paging.
2-level paging (page size 4KB).
Outer page table is also called page directory.
1-level paging (page size 4MB).
[Figure: address layout. 2-level paging: page number (page directory index, page table index) followed by page offset. 1-level paging: page number (10 bits), page offset (22 bits).]
ARM Memory
CPU used in majority of mobile devices.
Logical address of 32 bits.
Physical address of 32 bits.
It adopts two types of paging.
2-level paging (page size 4KB).
1-level paging (page size 1MB).
With special arrangement in sharing 4 least significant bits in (inner) page number to offset, page sizes may be 64KB and 16MB respectively (16 times larger).
[Figure: address layout. 2-level paging: page number (outer page index, inner page index) followed by page offset. 1-level paging: page number (12 bits), page offset (20 bits).]
Itanium Memory
x86-64, 64-bit version of Intel CPU (IA-64).
Logical address (also called virtual address) of 48 bits.
Physical address of 32 bits.
With physical address extension scheme, physical address can be up to 52 bits (40 bits of physical page number in page table entry).
It is based on 4 levels of paging (IA-32 only 2 levels) with 3 types.
4-level paging (page size 4KB).
3-level paging (page size 2MB).
2-level paging (page size 1GB).
[Figure: address layout. 4-level paging: unused (16 bits), page map level 4 pointer (9), page directory pointer table (9), page directory (9), page table (9), page offset (12). Also shown: the 1GB page layout ending in p3 and d.]
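The three memory slides above are all the same idea: the hardware chops a virtual address into one index per table level plus an offset. The following added example (written for these notes, not vendor code) does that split for each layout so the bit positions can be seen. The widths are the standard ones: IA-32 uses 10/10/12 for 4KB pages and 10/22 for 4MB pages; 32-bit ARM short descriptors use 12/8/12 for 4KB pages and 12/20 for 1MB sections; x86-64 four-level paging uses 9/9/9/9/12 with the top 16 bits unused. The sample addresses are constructed.

```c
/* Added example (not from the slides): splitting a virtual address into
 * table indices and offset for the page-table layouts discussed above.
 * Bit widths are the standard IA-32, 32-bit ARM and x86-64 ones; the
 * sample addresses in main() are constructed. */
#include <stdio.h>
#include <stdint.h>

struct ia32_split { uint32_t dir, table, offset; };
struct arm_split  { uint32_t l1, l2, offset; };
struct x64_split  { uint64_t pml4, pdpt, pd, pt, offset; };

/* Extract `width` bits starting at bit position `shift`. */
static uint64_t bits(uint64_t v, unsigned shift, unsigned width)
{
    return (v >> shift) & ((1ULL << width) - 1);
}

/* IA-32 two-level paging, 4KB pages: 10-bit directory index,
 * 10-bit page-table index, 12-bit offset. */
struct ia32_split ia32_4k(uint32_t va)
{
    struct ia32_split s = { (uint32_t)bits(va, 22, 10), (uint32_t)bits(va, 12, 10),
                            (uint32_t)bits(va, 0, 12) };
    return s;
}

/* IA-32 one-level paging, 4MB pages: the page directory entry maps the
 * whole page, so the remaining 22 bits are all offset. */
struct ia32_split ia32_4m(uint32_t va)
{
    struct ia32_split s = { (uint32_t)bits(va, 22, 10), 0, (uint32_t)bits(va, 0, 22) };
    return s;
}

/* ARM two-level paging, 4KB pages: 12-bit outer (first-level) index,
 * 8-bit inner (second-level) index, 12-bit offset. */
struct arm_split arm_4k(uint32_t va)
{
    struct arm_split s = { (uint32_t)bits(va, 20, 12), (uint32_t)bits(va, 12, 8),
                           (uint32_t)bits(va, 0, 12) };
    return s;
}

/* ARM one-level paging, 1MB sections: 12-bit index, 20-bit offset. */
struct arm_split arm_1m(uint32_t va)
{
    struct arm_split s = { (uint32_t)bits(va, 20, 12), 0, (uint32_t)bits(va, 0, 20) };
    return s;
}

/* x86-64 four-level paging, 4KB pages: bits 63-48 are unused (a sign
 * extension of bit 47), then four 9-bit indices and a 12-bit offset. */
struct x64_split x64_4k(uint64_t va)
{
    struct x64_split s = { bits(va, 39, 9), bits(va, 30, 9), bits(va, 21, 9),
                           bits(va, 12, 9), bits(va, 0, 12) };
    return s;
}

/* Entries per table for an index of `width` bits (2^width). */
unsigned entries_for(unsigned width) { return 1u << width; }

int main(void)
{
    uint32_t va32 = 0x12345678u;              /* constructed sample address */
    uint64_t va64 = 0x00007F1234567000ull;    /* constructed sample address */
    struct ia32_split a = ia32_4k(va32);
    struct arm_split  b = arm_4k(va32);
    struct x64_split  c = x64_4k(va64);
    printf("IA-32 4KB : dir=%u table=%u offset=0x%x\n", a.dir, a.table, a.offset);
    printf("ARM 4KB   : l1=%u l2=%u offset=0x%x\n", b.l1, b.l2, b.offset);
    printf("x86-64 4KB: pml4=%llu pdpt=%llu pd=%llu pt=%llu offset=0x%llx\n",
           (unsigned long long)c.pml4, (unsigned long long)c.pdpt,
           (unsigned long long)c.pd, (unsigned long long)c.pt,
           (unsigned long long)c.offset);
    printf("entries per IA-32 table: %u, per x86-64 table: %u\n",
           entries_for(10), entries_for(9));
    return 0;
}
```

The same address gives different index values on IA-32 and ARM because the page number is cut at different bit positions; the offset is identical whenever the page size is the same (4KB, 12 bits).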
Windows Virtual Memory
Windows uses demand paging with clustering.
Whenever a command is executed, the program file is opened and its contents are mapped into virtual memory.
Clustering brings in pages surrounding the faulting page in one step, anticipating that those pages would be needed in the near future.
The first part of the program is loaded into physical memory.
As the program executes, it generates page faults and Windows brings the appropriate group of pages into memory for execution.
Processes are assigned two variables: working set minimum and working set maximum.
Working set minimum is the minimum number of pages the process is guaranteed to have in memory.
A process may be assigned pages up to working set maximum.
When the amount of free memory in the system falls below a threshold, automatic working set trimming is performed to restore the amount of free memory.
Working set trimming removes pages from processes that have pages in excess of their working set minimum.
Windows uses a variant of clock algorithm on Intel systems, but it uses a variant of FIFO algorithm on more advanced multi-CPU systems.
Linux Virtual Memory
Linux page size is 4KB on Intel machines.
Several processes can share the physical memory.
Each process has its own separate page table.
An example for memory sharing in Linux:
Physical frame number 4 is shared between process X and Y.
The shared physical page does not have to exist at the same place in virtual memory for any or all of the processes sharing it. It is virtual page number 4 for X but virtual page number 6 for Y.
Linux Virtual Memory
Linux uses demand paging.
Linux page table contains valid bit, dirty bit, accessed bit, plus a good number of useful bits.
A kernel swap daemon thread wakes up periodically to scan for the number of available free pages.
If that number becomes low, it will either free up 3 or 6 pages.
Linux uses an LRU page aging mechanism for page replacement.
Every page has an age which changes as the page is accessed.
If a page is accessed frequently, it becomes younger.
If a page is not accessed for long, it becomes older.
Old pages are candidates for replacement.
Page aging
The initial age of a page when it is first allocated is 3.
Each time it is accessed, its age is increased by 3 (maximum is 20).
When the kernel swap daemon runs, it decreases every page’s age by 1 (making them older).
A page with age 0 is the oldest and a page with age 20 is the youngest.
Linux Page Fault Handling
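The page aging rule above is small enough to model directly. The following added example (written for these notes, not kernel code) applies exactly those numbers: age 3 on allocation, +3 per access capped at 20, -1 on each swap daemon pass, and the lowest age is the replacement candidate. The four-frame scenario and the access pattern are constructed; clamping the age at 0 on the way down is an assumption consistent with "age 0 is the oldest".

```c
/* Added example (not from the slides): a small model of the Linux page
 * aging rule described above.  A page starts at age 3, gains 3 on each
 * access (capped at 20), loses 1 every time the swap daemon runs (not
 * below 0, an assumption), and the page with the lowest age is the
 * replacement candidate.  Frame count and access pattern are constructed. */
#include <stdio.h>

#define NFRAMES 4
#define AGE_INIT 3
#define AGE_STEP 3
#define AGE_MAX 20

struct frame { int page; int age; };

/* Allocate a page into frame f with the initial age. */
void page_allocate(struct frame *f, int page)
{
    f->page = page;
    f->age = AGE_INIT;
}

/* On access the page becomes younger, but never beyond AGE_MAX. */
void page_touch(struct frame *f)
{
    f->age += AGE_STEP;
    if (f->age > AGE_MAX) f->age = AGE_MAX;
}

/* Swap daemon pass: every page grows one unit older (floor at 0). */
void swap_daemon_pass(struct frame *frames, int n)
{
    for (int i = 0; i < n; i++)
        if (frames[i].age > 0) frames[i].age--;
}

/* Index of the oldest page (lowest age); ties go to the lower frame. */
int pick_victim(const struct frame *frames, int n)
{
    int victim = 0;
    for (int i = 1; i < n; i++)
        if (frames[i].age < frames[victim].age) victim = i;
    return victim;
}

/* Constructed scenario: four pages allocated, the page in frame 1 is
 * accessed eight times (hits the cap), the page in frame 2 once, then
 * the daemon runs five times.  Leaves the final ages in `ages` and
 * returns the frame the daemon would reclaim. */
int demo_scenario(int ages[NFRAMES])
{
    struct frame frames[NFRAMES];
    for (int i = 0; i < NFRAMES; i++) page_allocate(&frames[i], 100 + i);
    for (int k = 0; k < 8; k++) page_touch(&frames[1]);
    page_touch(&frames[2]);
    for (int k = 0; k < 5; k++) swap_daemon_pass(frames, NFRAMES);
    for (int i = 0; i < NFRAMES; i++) ages[i] = frames[i].age;
    return pick_victim(frames, NFRAMES);
}

/* Final age of one frame after the scenario, or -1 for a bad index. */
int demo_age_of(int frame)
{
    int ages[NFRAMES];
    demo_scenario(ages);
    return (frame >= 0 && frame < NFRAMES) ? ages[frame] : -1;
}

/* Frame chosen for replacement after the scenario. */
int demo_victim(void)
{
    int ages[NFRAMES];
    return demo_scenario(ages);
}

int main(void)
{
    int ages[NFRAMES];
    int victim = demo_scenario(ages);
    for (int i = 0; i < NFRAMES; i++)
        printf("frame %d: age %d\n", i, ages[i]);
    printf("replacement candidate: frame %d\n", victim);
    return 0;
}
```

After five daemon passes the heavily used page sits at 15, the once-touched page at 1, and the two untouched pages at 0; the first page at age 0 is the one chosen, which is the "old pages are candidates for replacement" rule in action.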
Windows and *nix Deadlocks
Ostrich approach
Ignore the deadlock problem and pretend that deadlocks never occur in the system.
Rationale
Deadlocks occur too rarely for the overhead of deadlock handling to be worthwhile.
Other problems happen too often and lead to system restarts, so deadlocks do not form a significant enough proportion to demand a special handling mechanism.
DOS File System
File allocation table (FAT)
A variation of linked allocation.
All links are stored in separate table at beginning of disk.
FAT uses the traditional 8.3 file naming convention.
FAT file system is best for drives and/or partitions under approximately 200 MB.
FAT partitions are limited to 4 GB under NT and 2 GB in MS-DOS.
FAT 32 since Windows 2000 supports up to 2 to 32 TB.
FAT table can be cached in memory for faster random access.
Windows File System
Besides DOS FAT, Windows adopts NTFS (NT File System) and HPFS (High Performance File System).
Maintain the directory organization of FAT, with sorted file names in directories.
Filenames can be up to 254 double byte characters.
Allow a file to be composed of data and special attributes, allowing more flexible structures.
Directory entry points to FNODE, not first cluster as in FAT.
FNODE can contain file data, or pointers that may point to file data or other structures that eventually point to file data.
Best for drives in the range of 200-400 MB.
Only supported under NT versions 3.1, 3.5, and 3.51.
Windows File System
A journaling file system (with delta changes stored in a log of the current file).
A recoverable file system by keeping track of transactions.
All filenames are Unicode-based and 8.3 filenames are kept.
Support also Unix hard links (alternative access to the same file with a different name, i.e. alias).
Contain meta-files that define and organize the file system.
Best for use on volumes of about 400 MB or more.
Not recommended on volume smaller than 400 MB due to space overhead (over 4MB).
Most POSIX.1-compliant file system under Windows.
Linux can access NTFS files via an open source NTFS driver.
Unix File System
Unix adopts an improved variant of indexed allocation.
Implement Fast File System to reduce disk accesses to file data blocks.
Kernel maintains file information in an inode.
Contain creation, modification time stamps, ownership, file size etc.
Not just one level of index block, but four levels of index blocks, depending on the actual size of the file. There are direct block, indirect block, double indirect block and triple indirect block.
Small files can be accessed with direct block: fast data access.
Only very large files need to be indexed with the triple indirect block: slower data access for those files.
Implementation of indirect blocks to determine disk location (address) is similar to multi-level page table for address translation. File access may be via direct blocks or indirect blocks, but for address translation, all need to go through the same number of levels.
Unix File System
[Figure: A Unix inode]
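The inode walk described above is easiest to see as code. The following added example (written for these notes, not any real file system's code) takes a file's logical block number and works out which level it is reached through and which index is taken at each level, in the same way a multi-level page table walk consumes one index per level. The geometry is an assumption for the demonstration: 12 direct pointers in the inode, 4KB blocks and 4-byte pointers, so each indirect block holds 1024 pointers.

```c
/* Added example (not from the slides): mapping a logical block number
 * of a file to the inode index level it is reached through (direct,
 * indirect, double indirect, triple indirect) and the index used at
 * each level.  The inode geometry is an assumption for the demonstration:
 * 12 direct block pointers, 4KB blocks, 4-byte pointers, so each
 * indirect block holds 1024 pointers. */
#include <stdio.h>
#include <stdint.h>

#define NDIRECT   12
#define BLOCK_SZ  4096
#define PTR_SZ    4
#define PER_BLOCK (BLOCK_SZ / PTR_SZ)   /* pointers per indirect block: 1024 */

struct path {
    int level;        /* 0 = direct, 1 = single, 2 = double, 3 = triple, -1 = too big */
    int idx[4];       /* index used at each level; idx[0] is the slot in the inode */
};

/* Walk the logical block number through the inode's index levels: the
 * inode slot first, then one pointer array per level until the data block. */
struct path locate_block(uint64_t lbn)
{
    struct path p = { -1, { 0, 0, 0, 0 } };
    uint64_t n1 = PER_BLOCK;              /* blocks reachable via single indirect */
    uint64_t n2 = n1 * PER_BLOCK;         /* via double indirect */
    uint64_t n3 = n2 * PER_BLOCK;         /* via triple indirect */

    if (lbn < NDIRECT) {                      /* direct block in the inode */
        p.level = 0; p.idx[0] = (int)lbn;
    } else if ((lbn -= NDIRECT) < n1) {       /* single indirect */
        p.level = 1; p.idx[0] = NDIRECT; p.idx[1] = (int)lbn;
    } else if ((lbn -= n1) < n2) {            /* double indirect */
        p.level = 2; p.idx[0] = NDIRECT + 1;
        p.idx[1] = (int)(lbn / n1); p.idx[2] = (int)(lbn % n1);
    } else if ((lbn -= n2) < n3) {            /* triple indirect */
        p.level = 3; p.idx[0] = NDIRECT + 2;
        p.idx[1] = (int)(lbn / n2); p.idx[2] = (int)((lbn / n1) % n1);
        p.idx[3] = (int)(lbn % n1);
    }
    return p;
}

/* Disk reads needed to reach the data block (index blocks plus the data
 * block itself), assuming nothing is cached; -1 if unaddressable. */
int disk_reads_for(uint64_t lbn)
{
    struct path p = locate_block(lbn);
    return p.level < 0 ? -1 : p.level + 1;
}

/* Largest file size this geometry can address, in bytes. */
uint64_t max_file_size(void)
{
    uint64_t blocks = NDIRECT + (uint64_t)PER_BLOCK
                    + (uint64_t)PER_BLOCK * PER_BLOCK
                    + (uint64_t)PER_BLOCK * PER_BLOCK * PER_BLOCK;
    return blocks * BLOCK_SZ;
}

int main(void)
{
    /* Constructed sample block numbers around each level boundary. */
    uint64_t samples[] = { 0, 11, 12, 1035, 1036, 5000, 1049612, 2000000000 };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct path p = locate_block(samples[i]);
        printf("block %llu: level %d, path %d/%d/%d/%d, %d disk reads\n",
               (unsigned long long)samples[i], p.level,
               p.idx[0], p.idx[1], p.idx[2], p.idx[3], disk_reads_for(samples[i]));
    }
    printf("max file size: %llu bytes\n", (unsigned long long)max_file_size());
    return 0;
}
```

Blocks 0 to 11 cost one read, block 12 is the first to need the single indirect block, block 1036 the first to need the double indirect block, and 1049612 the first to need the triple indirect block; a block number beyond what three levels can address comes back as level -1.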
Linux File System
Linux kernel implements Virtual File System (VFS).
It supports different file systems.
Ext 2 is the default system for Debian and Red Hat Linux, implementing Unix inodes.
Ext 3 and ext 4 are enhancements to ext 2.
Linux File System
Four main objects:
Superblock: contains global information on a file system, e.g. the device on which it lives, its block size, its type, the dentry of the root of the file system, the methods it has, etc.
Dentry: directory entry encoding the file system tree structure, names of files in memory. Main parts of a dentry are the inode (file) that it points to and its file name.
Inode: contains meta-data of a file, e.g. its serial number, its protection mode, its owner, its size, dates of last access, creation and last modification, etc. It also points to the superblock of the file system that the file is in, methods and dentries (i.e. names) for this file.
File: actual opened file object, an inode together with a current reading/writing offset, also a pointer to the dentry.
*nix Synchronization
Though shared memory is available in *nix, message passing is more commonly adopted between normal processes.
Shared memory is supported with special system calls.
Communication via pipes on the same machine, and via sockets over the network.
Synchronization is achieved via properties of message passing: a blocking receiver should wait for sender to send a message.
Shared memory is more common within a threaded process implemented via Pthreads.
Each thread has its own private memory, but also shares the memory of the parent process.
*nix Synchronization
Provide Pthreads library following POSIX API.
A standard specifying the behavior of the thread library. Implementation is up to the developer.
Critical sections can be implemented via mutex-locks (mutual exclusion locks).
Mutex-locks have two states: locked and unlocked.
A mutex-lock is like a binary semaphore with initial value 1.
pthread_mutex_lock() is used to lock it, like P().
pthread_mutex_unlock() is used to unlock it, like V().
pthread_mutex_init() is used to initialize a lock to the unlocked state.
pthread_mutex_trylock() allows a process to see whether a lock is locked without being blocked (like non-blocking receive).
*nix Synchronization
It is expensive to lock a lock, check for a condition and then unlock again if condition is not yet true. Condition variables are used for threads to wait for.
Provide the condition that a thread is waiting for, to be associated with the actual locking mechanism to ensure exclusive access.
A barrier allows threads to meet up at certain points before continuing.
pthread_barrier_wait() allows threads to wait at a barrier, until all participants have all arrived.
pthread_barrier_init() provides the initial value of the barrier, specifying how many threads need to join before going forward.
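The three Pthreads mechanisms above (mutex, condition variable, barrier) are normally used together, so here is one added example (written for these notes, not code from the lecture) that does exactly that: worker threads wait on a condition variable until the main thread sets a ready flag, each then increments a shared counter inside a mutex-protected critical section, and all of them meet at a barrier before finishing. The thread count and iteration count are constructed; the only library calls are the POSIX ones named above plus pthread_cond_wait(), pthread_cond_broadcast(), pthread_create() and pthread_join().

```c
/* Added example (not from the slides): the Pthreads primitives above used
 * together.  Workers wait on a condition variable until main sets `ready`,
 * increment a shared counter under a mutex, then meet at a barrier before
 * returning.  Thread and iteration counts are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>

#define ITERATIONS 1000
#define MAX_THREADS 64

struct shared {
    pthread_mutex_t   lock;      /* protects counter and ready */
    pthread_cond_t    go;        /* signalled when ready becomes 1 */
    pthread_barrier_t done;      /* all workers meet here at the end */
    int ready;
    long counter;
};

static void *worker(void *arg)
{
    struct shared *s = arg;

    /* Wait for the start signal.  The condition is re-checked in a loop:
     * pthread_cond_wait() releases the lock while sleeping and may wake
     * spuriously, so `ready` must be tested again under the lock. */
    pthread_mutex_lock(&s->lock);
    while (!s->ready)
        pthread_cond_wait(&s->go, &s->lock);
    pthread_mutex_unlock(&s->lock);

    /* Critical section: the increment is not atomic, so it needs the lock
     * (P before, V after, as with a binary semaphore). */
    for (int i = 0; i < ITERATIONS; i++) {
        pthread_mutex_lock(&s->lock);
        s->counter++;
        pthread_mutex_unlock(&s->lock);
    }

    /* Nobody continues past this point until every worker has arrived. */
    pthread_barrier_wait(&s->done);
    return NULL;
}

/* Start `nthreads` workers, release them together, wait for all of them
 * and return the final counter: nthreads * ITERATIONS if the locking is
 * correct.  Returns -1 on a bad count or any pthread error. */
long run_demo(int nthreads)
{
    struct shared s = { .ready = 0, .counter = 0 };
    pthread_t tid[MAX_THREADS];
    if (nthreads < 1 || nthreads > MAX_THREADS) return -1;

    if (pthread_mutex_init(&s.lock, NULL) != 0) return -1;       /* unlocked */
    if (pthread_cond_init(&s.go, NULL) != 0) return -1;
    if (pthread_barrier_init(&s.done, NULL, (unsigned)nthreads) != 0) return -1;

    for (int i = 0; i < nthreads; i++)
        if (pthread_create(&tid[i], NULL, worker, &s) != 0) return -1;

    /* Set the condition under the lock, then wake every waiter at once. */
    pthread_mutex_lock(&s.lock);
    s.ready = 1;
    pthread_cond_broadcast(&s.go);
    pthread_mutex_unlock(&s.lock);

    for (int i = 0; i < nthreads; i++)
        pthread_join(tid[i], NULL);

    pthread_barrier_destroy(&s.done);
    pthread_cond_destroy(&s.go);
    pthread_mutex_destroy(&s.lock);
    return s.counter;
}

int main(void)
{
    long total = run_demo(4);
    printf("4 threads x %d increments = %ld\n", ITERATIONS, total);
    return total == 4L * ITERATIONS ? 0 : 1;
}
```

Removing the lock around counter++ is the classic way to see a lost update: the total then comes out below 4 x ITERATIONS on most runs, which is precisely the race the mutex exists to prevent. Link with -pthread on older toolchains.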
Windows Synchronization
Windows provides a family of wait functions, on change of state of special objects, called synchronization objects.
Windows provides the common mutex and semaphore objects, together with event objects.
A special critical section object is a lightweight form of mutex lock that can only work among threads of the same process.
Windows also provides condition variables, after Windows XP, for waiting on some events or conditions.
Starting Windows 8, barriers are provided.
Unix Access Control
Unix uses access control lists.
A user has a right to start processes to make requests.
A single process may correspond to multiple domains. Each process has a user identity, verifiable from a password file.
In the past, that password file /etc/passwd was visible to users so that there is a risk of password cracking, even with the use of salt. Recent systems no longer expose this file.
This implements authentication (via knowledge factor), knowing the identity of the subject (process/domain) accessing the object.
All objects in Unix are files.
Access control comes down to controlling access to files.
Providestanda