Lecture 4 Operating Systems Security

Basic Principles of Protecting Computer System Objects—The user’s view
Barbara Endicott-Popovsky
CSSE592/491

In collaboration with:
Deborah Frincke, Ph.D.
Director, Center for Secure and Dependable Systems
University of Idaho
Text Book
 Both broad survey and focused
 Chapters 1-2 lay groundwork
 Chapters 3–7 Software
• Chapter 4
– Protection Features of General OS
• Protecting memories
• Protecting files
• Protecting execution environment
– Controlled access to objects
– User authentication
 Chapter 8 Management
 Chapter 9 Privacy, ethics, the law
 Chapter 10 Cryptography – the how
In this section of the course we will look at…

 User’s side of protection in General-Purpose OS:
• Functions that directly address security
• Functions that have security as a by-product

Source: Pfleeger & Pfleeger


Agenda
 I. Overview

 II. Memory & File Protection

 III. Access Control

 IV. File Protection Mechanisms

 V. User Authentication


I. Overview
 Protected Objects
• Memory
• Sharable I/O (disks)
• Serially reusable I/O (printers)
• Sharable programs
• Networks
• Sharable data
 Security Methods
• Physical separation
• Temporal separation
• Logical separation
• Cryptographic separation
 Levels of Protection
• Do not protect
• Isolate
• Share all or share nothing
• Share via access limitation
• Share by capabilities
• Limit use of an object

Source: Pfleeger & Pfleeger



II. Memory & File Protection
 Fences (between OS and user)
 Relocation
• Relocation factor = starting address of program
• Add relocation factor to each program address
 Base/Bounds Register
• Base register = variable fence register
• Bounds register = upper address limit
• 2 pairs of registers
– Data
– Instructions

Source: Pfleeger & Pfleeger


Tagged Architecture
 Every word of memory has “tag” bits

Tag   Word
R     0001
RW    0137
R     4091
R     0002
X

R = Read only
RW = Read/Write
X = Execute only

Source: Pfleeger & Pfleeger
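An added example, not from the slides or the Pfleeger text: a small Python model that combines the base/bounds register pair from the previous slide (relocation factor plus upper limit) with the per-word tag bits from this one. The memory layout, the addresses, the instruction words and the `ProtectionFault` type standing in for the hardware trap are all constructed here.

```python
# Added example: toy memory protection combining a base/bounds register pair
# (relocation + upper limit) with per-word tag bits (R, RW, X).
# Memory contents, addresses and the fault type are all constructed here.


class ProtectionFault(Exception):
    """Stands in for the hardware trap raised on an illegal access."""


class TaggedMemory:
    """Every word carries a tag: R = read only, RW = read/write, X = execute only."""

    def __init__(self, words):
        self.words = list(words)          # list of (tag, value)

    def load(self, addr):
        tag, value = self.words[addr]
        if tag not in ("R", "RW"):
            raise ProtectionFault(f"load from {addr:04d} tagged {tag}")
        return value

    def store(self, addr, value):
        tag, _ = self.words[addr]
        if tag != "RW":
            raise ProtectionFault(f"store to {addr:04d} tagged {tag}")
        self.words[addr] = (tag, value)

    def fetch(self, addr):
        tag, value = self.words[addr]
        if tag != "X":
            raise ProtectionFault(f"fetch from {addr:04d} tagged {tag}")
        return value


class Process:
    """A user program confined by a base (relocation factor) and a bounds register."""

    def __init__(self, memory, base, bounds):
        self.memory, self.base, self.bounds = memory, base, bounds

    def translate(self, relative):
        # Relocation: the base register is added to every program address.
        physical = self.base + relative
        # Bounds check: the result must lie within [base, bounds]. Anything
        # below the base (the OS region behind the fence) or above the
        # bounds register traps before memory is touched.
        if relative < 0 or physical > self.bounds:
            raise ProtectionFault(
                f"address {relative} relocates to {physical}, outside [{self.base}, {self.bounds}]")
        return physical

    def load(self, relative):
        return self.memory.load(self.translate(relative))

    def store(self, relative, value):
        self.memory.store(self.translate(relative), value)

    def fetch(self, relative):
        return self.memory.fetch(self.translate(relative))


def attempt(action, *args):
    """Run one access and report ('ok', value) or ('fault', message)."""
    try:
        return ("ok", action(*args))
    except ProtectionFault as exc:
        return ("fault", str(exc))


def build_demo():
    # Constructed layout: the OS occupies words 0-7 below the fence; the user
    # program is relocated to base 8 with bounds 15 (inclusive).
    words = [("R", 0)] * 8                      # OS tables, read-only to everyone
    words += [("X", "ADD"), ("X", "HALT")]      # program text, execute only
    words += [("RW", 5), ("RW", 7), ("RW", 0)]  # program data
    words += [("R", 42)]                        # a read-only constant
    words += [("RW", 0), ("RW", 0)]             # more data, up to the bounds
    return Process(TaggedMemory(words), base=8, bounds=15)


def run_demo():
    proc = build_demo()
    return {
        "read_data":      attempt(proc.load, 2),        # 8+2 -> word 10, RW
        "write_constant": attempt(proc.store, 5, 99),   # word 13 is R: tag trap
        "read_code":      attempt(proc.load, 0),        # word 8 is X: tag trap
        "fetch_code":     attempt(proc.fetch, 0),       # executing code is allowed
        "past_bounds":    attempt(proc.load, 8),        # 8+8 = 16 > bounds 15
        "below_fence":    attempt(proc.load, -3),       # 8-3 = 5 is an OS word
    }
```

The two mechanisms trap different things: the base/bounds pair stops the program leaving its own region, while the tags stop it misusing words inside that region (writing a constant, reading its own code as data).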


Segmentation
 Divide programs into logical pieces
 OS maintains segment address table (name, offset)
 Different access for different segments

Source: Pfleeger & Pfleeger


Segmentation Problems
 Security holes (overflow)

 Efficiency (overhead)
• OS lookup slow
• Segment names difficult to encode

 Fragmentation of main memory

Source: Pfleeger & Pfleeger


Paging
 Divide programs into equal pieces (pages, page frames)
 OS maintains page translation table (page, offset)
 Different access for different segments

Source: Pfleeger & Pfleeger


Paging Problems
 Can’t associate access controls
 No unity to page

Source: Pfleeger & Pfleeger
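An added example covering the four slides on segmentation and paging (not code from the slides or the Pfleeger text): both translations written out with their access checks, the segment-length check whose absence is the "overflow" hole, and a helper that finds pages shared by logical pieces with different rights, which is the "no unity to page" problem. The segment table, page size and program layout are constructed.

```python
# Added example: address translation for segmentation and paging, with the
# access checks the slides attach to each. Tables and layouts are constructed.

PAGE_SIZE = 1024


class AddressFault(Exception):
    """Stands in for the trap raised on an illegal address or access."""


def segment_translate(segment_table, name, offset, access, check_length=True):
    """Map a segmented address (name, offset) to a physical address.

    segment_table: {name: (base, length, rights)}. Rights are checked per
    segment. The length check closes the "overflow" hole: without it, an
    offset past the end of one segment lands in whatever segment happens
    to follow it in memory, still under the first segment's rights.
    """
    base, length, rights = segment_table[name]
    if access not in rights:
        raise AddressFault(f"{access} not permitted on segment {name} ({rights})")
    if check_length and not 0 <= offset < length:
        raise AddressFault(f"offset {offset} exceeds segment {name} of length {length}")
    return base + offset


def page_translate(page_table, page, offset, access):
    """Map a paged address (page, offset) to a physical address.

    page_table: {page: (frame, rights)}. Offsets cannot overflow because
    every page is exactly PAGE_SIZE, but rights can only be stated per page.
    """
    if not 0 <= offset < PAGE_SIZE:
        raise AddressFault(f"offset {offset} is not a valid page offset")
    frame, rights = page_table[page]
    if access not in rights:
        raise AddressFault(f"{access} not permitted on page {page} ({rights})")
    return frame * PAGE_SIZE + offset


def pages_spanned(start, length):
    """Pages touched by a logical piece of `length` bytes at virtual `start`."""
    return range(start // PAGE_SIZE, (start + length - 1) // PAGE_SIZE + 1)


def mixed_pages(layout):
    """Pages holding parts of logical pieces that need different rights.

    layout: {name: (start, length, rights)}. Each such page must be given
    one set of rights that is wrong for at least one of its occupants.
    """
    seen = {}
    for name, (start, length, rights) in layout.items():
        for page in pages_spanned(start, length):
            seen.setdefault(page, set()).add(rights)
    return {page: sorted(r) for page, r in seen.items() if len(r) > 1}


# Constructed program: 3000 bytes of code followed directly by 2000 bytes of data.
PROGRAM = {"CODE": (0, 3000, "RX"), "DATA": (3000, 2000, "RW")}


def run_demo():
    results = {"data_write": segment_translate(PROGRAM, "DATA", 100, "W")}   # 3100
    try:
        segment_translate(PROGRAM, "CODE", 100, "W")           # code is not writable
        results["code_write"] = "allowed"
    except AddressFault:
        results["code_write"] = "trapped"
    try:
        segment_translate(PROGRAM, "CODE", 3500, "R")          # off the end of CODE
        results["overflow_checked"] = "allowed"
    except AddressFault:
        results["overflow_checked"] = "trapped"
    # With the length check disabled the same address silently resolves to
    # byte 500 of DATA, reached through the CODE segment.
    results["overflow_unchecked"] = segment_translate(PROGRAM, "CODE", 3500, "R",
                                                      check_length=False)
    # Paging the same program: page 2 holds the tail of CODE and the head of
    # DATA, so no single per-page right is correct for both.
    results["mixed_pages"] = mixed_pages(PROGRAM)
    return results
```

`mixed_pages` is what a loader would check to decide where padding is needed; segmentation has no such problem because a segment is by definition one logical unit, which is why the slides attach access rights to segments rather than pages.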


III. Access Control …
 Memory
 Remote file or data set
 Directory of files
 Hardware
 Data structure
 OS tables
 Instructions
 Passwords/authentication

Source: Pfleeger & Pfleeger


Goals
 Check every access

 Enforce least privilege

 Verify acceptable usage

Source: Pfleeger & Pfleeger


Protection Mechanisms: Simple to Complex

 Directory
 Access Control List
 Access Control Matrix
 Capability
 Procedure-Oriented Access Control

Source: Pfleeger & Pfleeger


Directory
 Unique file owner
• “Controls” access rights
• Read, write, execute
 Each user has access rights directory
 Easy to implement
 Difficulties
• Directory gets too big
• Maintenance
• Revocation of access
• Pseudonyms

Source: Pfleeger & Pfleeger


Access Control Lists
 Access Control List / computing object
• Distinguishes rights of different users
• Directories created for each subject
 Access Control Matrix (variation)
• Subject, object
• Can be slow

Source: Pfleeger & Pfleeger


Capability
 Unforgeable token giving access rights
• OS holds all tokens, only issues pointers
• Encryption
 Keeps track of access rights during execution
• Hidden from normal users
• Accessed capabilities kept available
 Revocation can be complicated

Source: Pfleeger & Pfleeger


Procedure-Oriented Access Control
 Procedure encapsulates object
• Controls access
• Provides trusted interface
• Implements information hiding
 Efficiency penalty

Source: Pfleeger & Pfleeger
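An added example for the access-control slides above (Directory, Access Control Lists, Capability), not code from the slides or the Pfleeger text: a reference monitor that keeps one access control list per object and can present the same data as an access control matrix, beside a capability scheme in which the OS makes tokens unforgeable by authenticating them with a key only it holds. The subjects, objects, rights and key are constructed; the contrast it shows is that ACL revocation is a local edit while capability revocation needs extra state, because the OS cannot recall copies of tokens already handed out.

```python
# Added example: ACL, access control matrix and unforgeable capabilities.
# Subjects, objects, rights and the MAC key are constructed for the demo.
import hashlib
import hmac
import secrets


class Denied(Exception):
    pass


class AclMonitor:
    """Reference monitor keeping one access control list per object."""

    def __init__(self):
        self.acl = {}                      # object -> {subject: set(rights)}

    def grant(self, obj, subject, rights):
        self.acl.setdefault(obj, {}).setdefault(subject, set()).update(rights)

    def revoke(self, obj, subject):
        # Revocation is local: remove the entry from that one object's list.
        self.acl.get(obj, {}).pop(subject, None)

    def check(self, subject, obj, right):
        # Every access passes through this test (check every access).
        if right not in self.acl.get(obj, {}).get(subject, set()):
            raise Denied(f"{subject} may not {right} {obj}")
        return True

    def matrix(self):
        """The same information laid out as an access control matrix."""
        subjects = sorted({s for entries in self.acl.values() for s in entries})
        return {s: {o: "".join(sorted(self.acl[o].get(s, set()))) for o in sorted(self.acl)}
                for s in subjects}


class CapabilityMonitor:
    """Capabilities are tokens the subject presents; the OS keeps them
    unforgeable by authenticating each one with a key only it holds."""

    def __init__(self):
        self.key = secrets.token_bytes(32)   # constructed; never leaves the OS
        self.revoked = set()                 # ids the OS no longer honours

    def issue(self, obj, rights):
        body = f"{secrets.token_hex(8)}|{obj}|{''.join(sorted(rights))}"
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{tag}"

    def check(self, capability, right):
        body, _, tag = capability.rpartition("|")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            raise Denied("capability fails authentication (forged or altered)")
        cap_id, obj, rights = body.split("|")
        if cap_id in self.revoked:
            raise Denied("capability has been revoked")
        if right not in rights:
            raise Denied(f"capability does not include {right}")
        return obj

    def revoke(self, capability):
        # The OS cannot find every copy a subject may have passed on, so it
        # must remember the id and refuse it: revocation needs extra state.
        self.revoked.add(capability.split("|")[0])


def outcome(action, *args):
    try:
        return ("ok", action(*args))
    except Denied as exc:
        return ("denied", str(exc))


def run_demo():
    acl = AclMonitor()
    acl.grant("payroll.db", "alice", {"r", "w"})
    acl.grant("payroll.db", "bob", {"r"})
    acl.grant("notes.txt", "bob", {"r", "w"})
    caps = CapabilityMonitor()
    alice_cap = caps.issue("payroll.db", {"r", "w"})
    copied_cap = alice_cap                               # bob received a copy
    altered = alice_cap.replace("|rw|", "|rwx|")         # rights edited, tag stale
    results = {
        "acl_bob_write": outcome(acl.check, "bob", "payroll.db", "w"),
        "matrix": acl.matrix(),
        "cap_read": outcome(caps.check, alice_cap, "r"),
        "altered": outcome(caps.check, altered, "x"),
    }
    caps.revoke(alice_cap)
    results["copy_after_revoke"] = outcome(caps.check, copied_cap, "r")
    acl.revoke("payroll.db", "bob")
    results["acl_bob_read_after_revoke"] = outcome(acl.check, "bob", "payroll.db", "r")
    return results
```

The `matrix()` view is convenient for audit but, as the slide says, slow to consult on every access; the per-object list is what the monitor actually checks.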


IV. File Protection Mechanisms
• All-None Protection
– Problems
• Lack of trust
• All or nothing – difficult to limit
• Complexity – human intervention required
• File listings exist
• Group Protection
– User, group, world class
– Ease of implementation
– Problems
• Group affiliation mutually exclusive
• Multiple accounts—inconvenient, redundancy, a/c proliferation
• All groups – limiting sharing for multiple personalities
• Limited sharing – won’t allow any but 3 levels of sharing

Source: Pfleeger & Pfleeger


IV. File Protection Mechanisms (Cont’d.)
• Single Permissions
– Provide a password to files
– Finer degree of protection
– Problems
• Lose passwords
• Using passwords/file wastes time
• Sharing passwords
• Revocation—who does it? Involves sharing it
• Temporary Acquired Permission
– Set userid (suid)
– Allows users to share files
• Per-Object and Per-User Protection
– Complex
– Challenge to create groups

Source: Pfleeger & Pfleeger
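An added example for the Group Protection bullets (not code from the slides or the Pfleeger text): the user/group/world class check written out for a Unix-style mode, with a helper that shows the sharing limit the slide lists. Users, their single group affiliation, file owners and modes are constructed.

```python
# Added example: user/group/world permission classes and the sharing limit
# they impose. Users, groups, files and modes are constructed for the demo.
READ, WRITE, EXEC = 4, 2, 1

# Classic model from the slide: each user belongs to exactly one group.
USER_GROUP = {"alice": "payroll", "bob": "payroll",
              "carol": "audit", "dave": "audit", "erin": "sales"}


def permitted(mode, owner, group, user, want):
    """Check a request against a Unix-style mode such as 0o640.

    Exactly one class applies: the owner bits if `user` owns the file,
    otherwise the group bits if the user's group matches, otherwise world.
    """
    if user == owner:
        bits = (mode >> 6) & 0o7
    elif USER_GROUP.get(user) == group:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return bits & want == want


def readers(mode, owner, group):
    """Everyone who passes a READ check: what a given mode actually exposes."""
    return sorted(u for u in USER_GROUP if permitted(mode, owner, group, u, READ))


def group_for_readers(wanted):
    """Return a group whose members are exactly `wanted`, or None.

    With only three classes, sharing with an arbitrary set of users needs a
    group that matches the set exactly; otherwise the owner must create one,
    open the file to world, or hand out copies.
    """
    members = {}
    for user, group in USER_GROUP.items():
        members.setdefault(group, set()).add(user)
    for group, users in members.items():
        if users == set(wanted):
            return group
    return None


def run_demo():
    # alice's file, group payroll, mode rw-r----- (0o640)
    return {
        "owner_writes": permitted(0o640, "alice", "payroll", "alice", WRITE),
        "group_reads": permitted(0o640, "alice", "payroll", "bob", READ),
        "group_writes": permitted(0o640, "alice", "payroll", "bob", WRITE),
        "world_reads": permitted(0o640, "alice", "payroll", "carol", READ),
        "readers_640": readers(0o640, "alice", "payroll"),
        "readers_644": readers(0o644, "alice", "payroll"),
        # alice wants exactly bob and carol to read: no existing group fits
        "share_bob_carol": group_for_readers({"bob", "carol"}),
        "share_audit": group_for_readers({"carol", "dave"}),
    }
```

The jump from `readers_640` to `readers_644` is the "all or nothing" step the slide warns about: the only way to reach carol without a matching group is to open the file to everyone.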


V. User Authentication
 Identifying that you are who you say you are
• Something you know—password, PIN, etc.
• Something you have—badge, key, etc.
• Something you are—biometrics

Source: Pfleeger & Pfleeger


Authentication Mechanisms
 Passwords
• Problems
– Log-in failure notification
– Additional authentication
• Specific terminals
• Specific times
 Password attacks
• Try all possible
• Try many probable
• Try likely passwords
• Search system lists
• Ask users

Source: Pfleeger & Pfleeger


Exhaustive Attacks
 Brute force
 Alphabetic password—8 bits
• 26^1 + 26^2 + … + 26^8 = 5 million million
 150 year attack


 Options
• ½ passwords
• Simple words

Source: Pfleeger & Pfleeger


Probable Passwords
 People are predictable
• Family names, pet names, etc.
• Common words (Use spell check dictionaries)

 86% uncovered in a week (7/24)

Source: Pfleeger & Pfleeger


Password Guessing Steps
• No password
• Same as user ID
• Derived from user name
• Common word
• Short college dictionary
• Complete English word list
• Common non-English language dictionaries
• Short college dictionary with capitalization (PaSsWorD) and substitutions (0 for O)
• Complete English with capitalization and substitutions
• Common non-English dictionaries with capitalization and substitutions
• Brute force, lowercase alphabetic characters
• Brute force, full character set

Source: Pfleeger & Pfleeger


Password Management
 Lists discoverable by intruders
• Password files accessible
• Requires strong access controls
• Memory dump can acquire it
• Available from backups
 Protection
• Encryption
• Salt (UNIX)
 Indiscreet users
• Tape to PC
• Share
 One-time passwords
Source: Pfleeger & Pfleeger
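An added example for the Protection bullets on this slide (encryption and salt), not code from the slides or the Pfleeger text: a stored password record built with a salted, iterated one-way hash (PBKDF2 from Python's standard library, chosen here as the modern form of the UNIX scheme), beside the unsalted digest it replaces. Passwords, salts and the attacker's precomputed word table are constructed.

```python
# Added example: salted password storage versus an unsalted digest.
# Passwords, salts and the precomputed table are constructed for the demo.
import hashlib
import hmac
import os

ITERATIONS = 200_000          # work factor; raise as hardware gets faster


def make_record(password, salt=None):
    """Store salt and digest together; the salt is random per user, not secret."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(record, candidate):
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_digest(password):
    """What a password file without salt would hold: equal for equal passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def run_demo():
    pw = "winter2024"                                    # constructed weak password
    alice, bob = make_record(pw), make_record(pw)        # two users, same password
    # Someone holding a copy of the file (from a dump or a backup, as the
    # slide lists) who has precomputed digests of common words matches every
    # unsalted entry in one lookup; the salted digests match nothing.
    precomputed = {unsalted_digest(w): w for w in ("password", "winter2024", "letmein")}
    return {
        "unsalted_in_table": precomputed.get(unsalted_digest(pw)),
        "salted_identical": alice.split("$")[3] == bob.split("$")[3],
        "salted_in_table": precomputed.get(alice.split("$")[3]),
        "verify_right": verify(alice, pw),
        "verify_wrong": verify(alice, "Winter2024"),
    }
```

Salt does not make a weak password strong; it forces the work to be repeated per user and defeats tables prepared in advance. The iteration count is what slows each individual guess, and it should be tuned to the hardware doing legitimate log-ins.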
Password Selection Criteria
 Use characters other than just A – Z
 Choose long passwords
 Avoid actual names or words
 Choose an unlikely password
 Change password regularly
 Don’t write it down
 Don’t tell anyone else

Source: Pfleeger & Pfleeger
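An added example covering both the Password Guessing Steps slide and the Password Selection Criteria above (not code from the slides or the Pfleeger text): a password-acceptance check that rejects anything which would fall to the early guessing steps (no password, same as user ID, derived from the user's name, a common word, with capitalization and the usual substitutions undone) before applying the length and character-set criteria. The substitution map, the tiny word list and the minimum length are constructed stand-ins for a real dictionary and a real policy.

```python
# Added example: reject passwords that fall to the early guessing steps,
# then apply the selection criteria. Word list and policy are constructed.
import re

# Undo the usual substitutions (0 for O, 1 for L, 3 for E, ...) and case.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "secret",
                "dragon", "monkey", "football"}           # constructed sample

MIN_LENGTH = 12


def normalize(text):
    return text.lower().translate(SUBSTITUTIONS)


def candidates(password):
    """Forms a guesser would also try: lowercased, with substitutions undone,
    and with a trailing number stripped ("Smith42" -> "smith")."""
    bases = {password, re.sub(r"\d+$", "", password)}
    return {b.lower() for b in bases} | {normalize(b) for b in bases}


def name_derivations(user_id, full_name):
    parts = [user_id.lower()] + full_name.lower().split()
    derived = set(parts)
    derived |= {p[::-1] for p in parts}                         # reversed
    derived |= {a + b for a in parts for b in parts if a != b}  # "johnsmith"
    return derived


def reject_reason(password, user_id, full_name):
    """Return why the password is unacceptable, or None if it passes."""
    if not password:
        return "empty password"
    forms = candidates(password)
    if user_id.lower() in forms:
        return "same as user ID"
    if forms & name_derivations(user_id, full_name):
        return "derived from user name"
    if forms & COMMON_WORDS:
        return "common word (capitalization and substitutions do not help)"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        return "uses fewer than three character classes"
    return None
```

The order of the tests mirrors the slide: the cheap guesses come first, so "P@ssw0rd" is rejected as a common word even though it mixes cases, digits and symbols, while a long passphrase that matches nothing passes.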


Authentication Process Control
 Limit tries
 Profiles
• Password
• Time, log-in machine
 Fix flaws
• Challenge-Response (deviate response)
• Impersonation of log-in (attacker sets up machine to grab log-in)

Source: Pfleeger & Pfleeger
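An added example for this slide (not code from the slides or the Pfleeger text): the two controls written out together, a limit on tries and a challenge-response log-in whose correct answer changes on every attempt, with both the server's and the client's messages shown. The shared key, the try limit and the HMAC construction are assumptions made for the demo.

```python
# Added example: try limiting plus challenge-response log-in, both sides.
# User keys, the try limit and the HMAC scheme are constructed assumptions.
import hashlib
import hmac
import secrets

MAX_TRIES = 3


class LockedOut(Exception):
    pass


def respond(key, nonce):
    """Client side: prove possession of the key without ever sending it."""
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


class Authenticator:
    """Server side: issues a fresh nonce per attempt and counts failures."""

    def __init__(self, keys):
        self.keys = keys            # user -> shared secret (constructed)
        self.pending = {}           # user -> nonce awaiting a response
        self.failures = {}          # user -> consecutive failed tries

    def challenge(self, user):
        if self.failures.get(user, 0) >= MAX_TRIES:
            raise LockedOut(f"{user}: too many failed attempts")
        nonce = secrets.token_hex(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user, response):
        nonce = self.pending.pop(user, None)         # each nonce is single-use
        if nonce is None or user not in self.keys:
            return False
        if hmac.compare_digest(respond(self.keys[user], nonce), response):
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        return False


def run_demo():
    key = b"constructed-shared-key-for-alice"
    server = Authenticator({"alice": key})
    results = {}
    # 1. Legitimate log-in: server -> nonce, client -> HMAC(key, nonce).
    nonce = server.challenge("alice")
    answer = respond(key, nonce)
    results["legit"] = server.verify("alice", answer)
    # 2. The response deviates per challenge: an answer recorded from step 1
    #    is useless against a new nonce, which is the point of the scheme.
    server.challenge("alice")
    results["replayed"] = server.verify("alice", answer)
    # 3. Limit tries: after MAX_TRIES failures no further challenge is issued.
    for _ in range(MAX_TRIES - 1):
        server.challenge("alice")
        server.verify("alice", "0" * 64)
    try:
        server.challenge("alice")
        results["locked"] = False
    except LockedOut:
        results["locked"] = True
    return results
```

Because the key itself never crosses the line, a fake log-in machine that records the exchange learns only one nonce and one answer to it, neither of which opens a later session; the try limit then bounds how much an automated guesser can learn from the server.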
