Security

An operating system must prevent unauthorized access to the system and permit authorized sharing of resources.

1. Security Aspects

A security policy specifies what security is provided:

What is protected.
Who has access.
What access is permitted.

A security mechanism describes:

How to implement a security policy.
The same mechanism can be used to implement different policies.

1.1 People Security

A large number of computer crime is perfomed by insiders (e.g. employees in a company that have privaleges).
Social engineering can be used to trick people into revealing information.
People can work around security measures for convenience (e.g. reusing passwords).
People can have misconceptions about security expectations (e.g. "one cannot forge an email address").

1.2 Hardware Security

Physical access to a computer can compromise security. (E.g. reading contents of memory / disks, listening to network traffic, alter memory / disks, forging messaages on a network, steal a machine or set it on fire).
Hardware can conntain backdoors (e.g. side channel attacks, incorrectly implemented access control).

1.3 Software Security

Software bugs* may allow attackers to compromise a system by gaining root privaleges, crashing an application, stealing data, compromising data integrity and denying access to the system.

2. Authentication

Authentication verifies identity based on personal characteristics, possessions and knowledge. It is based on hard to forge personal characteristics (e.g. fingerints, etc.). It can suffer from problems like false positives / negatives and high equipment cost.

Authentication based on possession usually depends on keys. This can suffer from impersonation attacks if the key is lost and high equipment costs (e.g. RFID chips for users).
Authentication based on knowledge usually involves a password. This is cheap to implement, but can suffer from dictionary attacks (a list of commonly used passwords) and password reuse from users.

2.1 Passwords

Passwords suffer from password turnover (password is vulnerable to guessing attacks throughout lifetime). Even if a password is changed regularly, users often reuse simple passwords (e.g. pw1, pw2, ...).
Some OSs store passwords in a protected file, but this is vulnerable to data theft. Modern OSs store a hash of the password instead of the password itself.
A rainbow table is a precomputed table for reversing cryptographic hash functions. It can be used to crack passwords.
A salt is a random value that is added to the password before hashing. This makes it harder to crack passwords using rainbow tables.

2.2 Access Control

Specifies who, when and how someone can access a resouce with a policy. The Principle of Least Privelage (PoLP) is used, which gives users minimum rights required to carry out a task.

Protection domains are a set of access rights defined as a set of objects and the operations permitted on them. This can be represented in an access control matrix, where rows represent principles, columns represent objects and cells represent access rights. However, these can be expensive to implement, so instead we use:

Access Control Lists (ACL) - each column of the matrix stored as a list. This allows for revocation and persistence.
Each row is associated with a domain to give a capability list. Capabilities are protected objects that specify what operations can be performed on an object. This allows for PoLP and rights transfer.

(!) Access Control in Unix

Users are principals, each has a unique UID. Superuser root has UID 0.

Files are objects. In UNIX, everything is a file.

Each user can belong to one or more groups. Each file can only belong to one group.

Access rights are read, write and execute.

Each program has three UIDs. The real UID - the user who started the program, the effective UID - the user who owns the program and the saved UID - a saved id which the effective id can be changed to.

When a program starts, the effective UID is set to the real UID. If the program needs to perform an operation that requires a different UID, it can change the effective UID to the saved UID.

There are two kinds of access control

Discretionary Access Control (DAC) - the owner of an object can control access to it.
Mandatory Access Control (MAC) - access is controlled by the system, not the owner.

2.3 Bell-LaPadula Model

A MAC model that uses security levels to control access. It has two rules:

Simple Security Property (No Read Up) - a subject at level x can read an object at level y if x >= y.
Star Property (No Write Down) - a subject at level x can write to an object at level y if x <= y. This ensures confidentiality, but not integrity.

2.4 Biba Model

A MAC model that uses integrity levels to control access. It has two rules:

Simple Integrity Property (No Write Up) - a subject at level x can write to an object at level y if x <= y.
Star Integrity Property (No Read Down) - a subject at level x can read an object at level y if x >= y. This ensures integrity, but not confidentiality.

3. Design Principles for Security

Give each process the least amount of privilege it needs to complete its task. Defauls should be no access.
Protection mechanism should be simple and uniform.
Scheme should be phsychologically acceptable.
System design should be open.

Back to Home

Table of Contents