Trusted Operating Systems

The document discusses the protection features of general-purpose operating systems, including memory, file, and execution environment protections. It covers various security methods, user authentication techniques, and the challenges associated with password security. Additionally, it highlights the importance of access control mechanisms and the need for multifactor authentication to enhance security.

Protection in General Purpose Operating Systems

 Protection features provided by general-purpose operating systems: protecting memory, files, and the execution environment
 Controlled access to objects
 User authentication
Protected Objects and Methods of Protection

 The first operating systems were simple utilities, called executives
 Multiprogramming operating systems required monitors that oversaw each program's execution
 Protected objects:
 Memory
 Sharable I/O devices (disks)
 Serially reusable devices (printers)
 Sharable programs and subprocedures
 Networks
 Sharable data
Security Methods of Operating Systems

 Physical separation (different processes use different objects)
 Temporal separation (processes execute at different times)
 Logical separation (each process appears to be alone on the machine)
 Cryptographic separation (processes conceal their data and computations)
Security Methods of Operating Systems

 Want to be able to share resources without compromising security
 Levels of sharing, from coarsest to finest-grained:
 Do not protect
 Isolate different processes
 Share all or nothing
 Share via access limitation (granularity)
 Share by capabilities
 Limit use of an object
Memory & Address Protection

 Fence: confines the user to one side of a boundary
 Uses a predefined memory address
 Can protect the OS, but not one user from another
 Relocation: changes all addresses of a program by adding an offset
 Base/bounds registers
 Uses a variable fence register (base register) to provide the lower bound
 Uses a bounds register for the upper address
Memory & Address Protection

 Tagged architecture
 Every word of machine memory has extra bits to indicate access rights (expensive)
 Segmentation (program divided into pieces)
 Each address is a segment name plus an offset
 Each address reference is checked for protection
 Different classes of data can be assigned different levels of protection
 Users can share access to segments
 A user cannot access an unpermitted segment
 Paging (program divided into equal-sized "pages"; memory divided into equal-sized page frames)
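The checks the slides describe for base/bounds registers, segmentation and paging, simulated in software as an added example (this code is not from the slides or from Pfleeger; every address, table, segment and page-table entry in it is constructed for illustration):

```python
# Added example (not from the slides): simulating the address checks a
# memory-protection unit makes under base/bounds registers, segmentation
# and paging. Every address, table and right below is constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


class ProtectionFault(Exception):
    """Raised where real hardware would trap to the operating system."""


# Base/bounds: the base register relocates every address the program
# generates; the bounds register caps it. The program cannot name anything
# outside [base, bounds), so it reaches neither the OS nor another user.
def base_bounds_translate(logical: int, base: int, bounds: int) -> int:
    physical = base + logical
    if logical < 0 or physical >= bounds:
        raise ProtectionFault(f"logical {logical:#x} falls outside [{base:#x}, {bounds:#x})")
    return physical


# Segmentation: an address is <segment name, offset>. The segment table
# records each segment's location, length and rights, so the check happens
# on every reference and can differ per class of data.
@dataclass(frozen=True)
class Segment:
    base: int
    length: int
    rights: FrozenSet[str]  # subset of {"r", "w", "x"}


def segment_translate(table: Dict[str, Segment], name: str, offset: int, access: str) -> int:
    seg = table.get(name)
    if seg is None:
        raise ProtectionFault(f"segment {name!r} is not in this process's table")
    if access not in seg.rights:
        raise ProtectionFault(f"{access!r} not permitted on segment {name!r}")
    if not 0 <= offset < seg.length:
        raise ProtectionFault(f"offset {offset:#x} exceeds the length of {name!r}")
    return seg.base + offset


# Paging: the program is cut into equal-sized pages; each page-table entry
# names the frame holding the page and the rights for that page.
PAGE_SIZE = 0x1000


def page_translate(page_table: Dict[int, Tuple[int, FrozenSet[str]]], logical: int, access: str) -> int:
    page, offset = divmod(logical, PAGE_SIZE)
    entry = page_table.get(page)
    if entry is None:
        raise ProtectionFault(f"page {page} is not mapped")
    frame, rights = entry
    if access not in rights:
        raise ProtectionFault(f"{access!r} not permitted on page {page}")
    return frame * PAGE_SIZE + offset


# Constructed tables for two processes that share one library segment.
SHARED_LIB = Segment(base=0x9000, length=0x800, rights=frozenset("rx"))
PROCESS_A = {
    "code": Segment(0x1000, 0x400, frozenset("rx")),
    "data": Segment(0x2000, 0x100, frozenset("rw")),
    "lib": SHARED_LIB,
}
PROCESS_B = {"code": Segment(0x5000, 0x200, frozenset("rx")), "lib": SHARED_LIB}
PAGE_TABLE_A = {0: (7, frozenset("rx")), 1: (3, frozenset("rw"))}


def demo() -> Dict[str, object]:
    """Each attempt yields either the physical address or the fault text."""
    checks = {
        "a_reads_data": lambda: segment_translate(PROCESS_A, "data", 0x10, "r"),
        "a_writes_code": lambda: segment_translate(PROCESS_A, "code", 0x10, "w"),
        "a_overruns_data": lambda: segment_translate(PROCESS_A, "data", 0x100, "r"),
        "b_uses_shared_lib": lambda: segment_translate(PROCESS_B, "lib", 0x20, "x"),
        "b_has_no_data_segment": lambda: segment_translate(PROCESS_B, "data", 0, "r"),
        "fence_ok": lambda: base_bounds_translate(0x10, 0x4000, 0x5000),
        "fence_violation": lambda: base_bounds_translate(0x1000, 0x4000, 0x5000),
        "page_write_to_code": lambda: page_translate(PAGE_TABLE_A, 0x0010, "w"),
        "page_write_to_data": lambda: page_translate(PAGE_TABLE_A, 0x1010, "w"),
    }
    results: Dict[str, object] = {}
    for label, attempt in checks.items():
        try:
            results[label] = attempt()
        except ProtectionFault as fault:
            results[label] = f"FAULT: {fault}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:24} {outcome if isinstance(outcome, str) else hex(outcome)}")
```

The point to notice is where each mechanism's check lives: base/bounds decides only "inside or outside", while the segment and page tables carry rights per region, which is what lets process B execute the shared library without being able to write it.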
Control of Access to General Objects

 Memory
 File/data set
 Program in memory
 Directory of files
 Hardware device
 Data structure (stack)
 Operating system table
 Instructions (privileged)
 Passwords / user authentication mechanism
 Protection mechanism

Goals in Protecting Objects

 Check every access
 Enforce least privilege
 Verify acceptable usage
Directory Mechanism

 Each user (subject) has a file directory, which lists all files accessible by that user
 The list can become too large if there are many shared objects
 Revoking everyone's rights to one object means visiting every user's directory
 File names for different owners may be different

Access Control List

 One list per object, showing all subjects and their access rights
 Can use wildcards to limit the size of the ACL
 Access control matrix
 Rows for subjects
 Columns for objects
 Stored as a sparse matrix of triples <subject, object, rights>

Capability

 Unforgeable token that gives its possessor rights to an object
 Kerberos tickets are a later example of a capability-like token
 Capabilities can be propagated to other subjects
 Capabilities must be stored in memory the user cannot modify
Procedure-Oriented Access Control

 A procedure controls access to objects, including what subjects can do to them
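One access control matrix viewed both ways (an ACL is a column, a capability list is a row), with revocation at the object and capabilities as tokens that the holder cannot forge or widen. This is an added example, not code from the slides or the book; the subjects, objects, rights and the system key are constructed, and the HMAC-based token is one way to make a capability unforgeable, not the only one.

```python
# Added example (not from the slides): one access control matrix kept as a
# sparse set of <subject, object, right> triples and read out either as an
# ACL (an object's column) or as a capability list (a subject's row), plus
# capabilities as unforgeable tokens. Subjects, objects and the key are constructed.
import hashlib
import hmac
import secrets
from typing import Dict, Set, Tuple

Triple = Tuple[str, str, str]


class AccessControlMatrix:
    def __init__(self) -> None:
        self._triples: Set[Triple] = set()

    def grant(self, subject: str, obj: str, right: str) -> None:
        self._triples.add((subject, obj, right))

    def revoke(self, subject: str, obj: str, right: str) -> None:
        self._triples.discard((subject, obj, right))

    def revoke_everyone(self, obj: str) -> None:
        # With an ACL this is one operation on the object's column; the
        # per-user directory scheme would have to visit every directory.
        self._triples = {t for t in self._triples if t[1] != obj}

    def check(self, subject: str, obj: str, right: str) -> bool:
        # Complete mediation: every access consults the matrix, and a
        # subject holds only what was explicitly granted (least privilege).
        return (subject, obj, right) in self._triples

    def acl(self, obj: str) -> Dict[str, Set[str]]:
        column: Dict[str, Set[str]] = {}
        for s, o, r in self._triples:
            if o == obj:
                column.setdefault(s, set()).add(r)
        return column

    def capability_list(self, subject: str) -> Dict[str, Set[str]]:
        row: Dict[str, Set[str]] = {}
        for s, o, r in self._triples:
            if s == subject:
                row.setdefault(o, set()).add(r)
        return row


Token = Tuple[str, str, str]   # (object, rights, authenticator)


class CapabilitySystem:
    """Capabilities as tokens authenticated with a key only the system holds,
    so a subject can neither manufacture one nor widen its rights. A holder
    could still copy a token, which is why the slides want capabilities kept
    in memory the user cannot write."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def _tag(self, obj: str, rights: str) -> str:
        return hmac.new(self._key, f"{obj}|{rights}".encode(), hashlib.sha256).hexdigest()

    def issue(self, obj: str, rights: str) -> Token:
        rights = "".join(sorted(set(rights)))
        return (obj, rights, self._tag(obj, rights))

    def genuine(self, token: Token) -> bool:
        obj, rights, tag = token
        return hmac.compare_digest(tag, self._tag(obj, rights))

    def permits(self, token: Token, right: str) -> bool:
        return self.genuine(token) and right in token[1]

    def delegate(self, token: Token, rights: str) -> Token:
        """Propagate a capability to another subject, attenuating it: the new
        token may carry only rights the original already grants."""
        if not self.genuine(token) or not set(rights) <= set(token[1]):
            raise PermissionError("cannot delegate rights the holder lacks")
        return self.issue(token[0], rights)


def demo() -> Dict[str, object]:
    acm = AccessControlMatrix()
    for subject, obj, right in [("alice", "payroll.db", "r"), ("alice", "payroll.db", "w"),
                                ("bob", "payroll.db", "r"), ("bob", "report.txt", "r")]:
        acm.grant(subject, obj, right)
    bob_before = acm.check("bob", "payroll.db", "r")
    acl_before = {s: sorted(r) for s, r in acm.acl("payroll.db").items()}
    acm.revoke_everyone("payroll.db")

    caps = CapabilitySystem()
    alice_token = caps.issue("report.txt", "rw")
    bob_token = caps.delegate(alice_token, "r")        # read-only copy for bob
    forged = (bob_token[0], "rw", bob_token[2])         # bob edits the rights field
    try:
        caps.delegate(bob_token, "w")                   # bob tries to widen on delegation
        widened = True
    except PermissionError:
        widened = False
    return {
        "bob_could_read_before": bob_before,
        "acl_before": acl_before,
        "bob_can_read_after_revoke": acm.check("bob", "payroll.db", "r"),
        "alice_row_after_revoke": acm.capability_list("alice"),
        "bob_token_reads": caps.permits(bob_token, "r"),
        "bob_token_writes": caps.permits(bob_token, "w"),
        "forged_token_accepted": caps.genuine(forged),
        "widening_allowed": widened,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28} {v}")
```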
File Protection Mechanisms

 All-none protection; its problems:
 Lack of trust
 All or nothing
 Timesharing issues
 Complexity
 File listings

File Protection Mechanisms

 Group protection (as originally defined, one group per user)
 A user cannot belong to two groups
 Forces one person to be multiple users
 Forces a user to be put into all groups
 Files can only be shared within groups

File Protection Mechanisms

 Single permissions
 Password/token for each file
 Can be lost
 Inconvenient
 Must be protected (if changed, all users must be notified)
 Temporary acquired permission
 UNIX set user id (setuid)
User Authentication

 Something the user knows (password, PIN, passphrase, mother's maiden name)
 Something the user has (ID, key, driver's license, uniform)
 Something the user is (biometrics)
Use of Passwords

 Mutually agreed-upon code words, assumed known only to user and system
 First line of defense
 Loose-lipped systems:
 WELCOME TO XYZ COMPUTING
 ENTER USER ID: summers
 INVALID USER NAME
 ENTER USER ID:
Attack on Passwords

 Ask the user
 Search for the system list of passwords
 Find a valid user ID
 Create a list of possible passwords (encrypt them if needed)
 Rank the passwords from high to low probability
 Try each password
 If an attempt fails, try again (without exceeding the password lockout)
Attack on Passwords

 Exhaustive attack (brute force)
 18,278 passwords of 3 letters or less
 At 1 password per millisecond this takes 18 seconds (8 minutes for 4 letters, 3.5 hours for 5 letters)
 Probable passwords (dictionary attack)
 An 80,000-word dictionary takes 80 seconds
 Expanded "dictionary"
Attack on Passwords

 UK study (http://www.cnn.com/2002/TECH/ptech/03/13/dangerous.passwords/?related)
 50% of passwords were family names
 Celebrities/soccer stars: 9% each
 Pets: 8%
 10% reflect a fantasy
 Only 10% use cryptic combinations
Attack on Passwords

 Look on the desk…
 Try no password
 Try the user ID
 Try the user's name
 Common words (password, private, secret)
 Short dictionary
 Complete English word list
 Common non-English dictionaries
 Dictionary with capitalization and substitutions (0 for o and 1 for i)
 Brute force (lowercase alphabet)
 Brute force (full character set)
Attack on Passwords

 Plaintext system password list (MS Windows): anyone who can read the list has every password
 Encrypted password list, one-way (/etc/passwd): the list is readable, but each entry must be inverted
 Shadow password list (/etc/shadow): the hashed list is readable only by privileged processes
 Salt: in classic UNIX a 12-bit number formed from the system time and process id, concatenated to the password before hashing so that identical passwords hash differently; 12 bits only multiplies an attacker's precomputation by 4,096, so modern systems use long random salts
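What the shadow list and the salt buy, as an added example (not code from the slides or the book): a record is a salt plus a one-way hash, checking a candidate re-derives the hash under the stored salt, and the precomputation cost shows why a 12-bit salt is no longer enough. PBKDF2-HMAC-SHA256 from the standard library stands in for crypt(3), and the user names and passwords are constructed.

```python
# Added example (not from the slides): storing passwords as salted one-way
# hashes, as /etc/shadow does, and checking a candidate against the record.
# PBKDF2 with a random 16-byte salt stands in for the 12-bit crypt(3) salt
# the slides describe; the user names and passwords are constructed.
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000   # work factor: every guess costs the attacker this much too

Record = Tuple[bytes, bytes]   # (salt, hash)


def make_record(password: str, salt: Optional[bytes] = None) -> Record:
    """A fresh random salt per user means two users with the same password
    get different hashes, and a precomputed table must be rebuilt per salt."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(record: Record, candidate: str) -> bool:
    """Re-derive under the stored salt; compare in constant time so the
    comparison itself leaks nothing about how many bytes matched."""
    salt, stored = record
    _, computed = make_record(candidate, salt)
    return hmac.compare_digest(stored, computed)


def precompute_cost(salt_bits: int, dictionary_size: int) -> int:
    """Hashes needed to table-ize a dictionary against every possible salt."""
    return dictionary_size * 2 ** salt_bits


def demo() -> Dict[str, object]:
    shadow: Dict[str, Record] = {
        "adams": make_record("johnq"),
        "summers": make_record("johnq"),   # same password, different salt
    }
    return {
        "adams_ok": verify(shadow["adams"], "johnq"),
        "adams_wrong": verify(shadow["adams"], "john"),
        "same_pw_same_hash": shadow["adams"][1] == shadow["summers"][1],
        "table_for_12bit_salt": precompute_cost(12, 80_000),
        "table_for_128bit_salt": precompute_cost(128, 80_000),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} {v}")
```

The two precomputation figures are the whole argument for a wide random salt: 80,000 words times 4,096 salts is a table an attacker builds once, while 80,000 times 2^128 is not.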
Password Selection Criteria

 Use characters other than A-Z
 Choose long passwords
 Avoid names and dictionary words
 Choose an unlikely password
 Change the password regularly and don't reuse it (current NIST SP 800-63B guidance drops routine forced rotation and instead requires a change when compromise is suspected)
 Don't write it down
 Don't tell anyone
 http://www.mit.edu/afs/sipb/project/doc/passwords/passwords.html
 One-time passwords
Authentication

 Should be slow (5-10 seconds) so that automated guessing is throttled
 Should only allow a limited number of failures (e.g. 3)
 Challenge-response systems
 Impersonation of login
 Authentication other than passwords
User Authentication

 Most computing authentication systems must be based on some knowledge shared only by the computing system and the user. Authentication mechanisms use any of three qualities to confirm a user's identity.
1. Something the user knows: passwords, PIN numbers, passphrases, a secret handshake, and mother's maiden name are examples of what a user may know.
2. Something the user has: identity badges, physical keys, a driver's license, or a uniform are common examples of things people have that make them recognizable.
3. Something the user is: these authenticators, called biometrics, are based on a physical characteristic of the user, such as a fingerprint, the pattern of a person's voice, or a face (picture).
 These authentication methods are old (we recognize friends in person by their faces or on a telephone by their voices) but are just starting to be used in computer authentication.
Use of Passwords

 The most common authentication mechanism for user to operating system is a password, a "word" known to computer and user.
 Although password protection seems to offer a relatively secure system, human practice sometimes degrades its quality.

Use of Passwords

 Passwords are mutually agreed-upon code words, assumed to be known only to the user and the system. In some cases a user chooses passwords; in other cases the system assigns them. The length and format of the password also vary from one system to another.
Even though they are widely used, passwords suffer from some difficulties of use:
1. Loss. Depending on how the passwords are implemented, it is possible that no one will be able to replace a lost or forgotten password. The operators or system administrators can certainly intervene and unprotect or assign a particular password, but often they cannot determine what password a user has chosen; if the user loses the password, a new one must be assigned.

Use of Passwords…

Even though they are widely used, passwords suffer from some difficulties of use:
2. Use. Supplying a password for each access to a file can be inconvenient and time consuming.
3. Disclosure. If a password is disclosed to an unauthorized individual, the file becomes immediately accessible. If the user then changes the password to reprotect the file, all the other legitimate users must be informed of the new password because their old password will fail.
4. Revocation. To revoke one user's access right to a file, someone must change the password, thereby causing the same problems as disclosure.
Additional Authentication Information

 In addition to the name and password, we can use other information available to authenticate users. Suppose JOHN works in the accounting department during the shift between 8:00 a.m. and 5:00 p.m., Monday through Friday. Any legitimate access attempt by JOHN should be made during those times, through a workstation in the accounting department offices.
 By limiting JOHN to logging in under those conditions, the system protects against two problems:
1. Someone from outside might try to impersonate JOHN. This attempt would be thwarted by either the time of access or the port through which the access was attempted.
2. JOHN might attempt to access the system from home or on a weekend, planning to use resources not allowed or to do something that would be too risky with other people around.

Additional Authentication Information…

 Limiting users to certain workstations or certain times of access can cause complications (as when a user legitimately needs to work overtime, a person has to access the system while out of town on a business trip, or a particular workstation fails).
 However, some companies use these authentication techniques because the added security they provide outweighs the inconvenience.
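JOHN's conditions as an enforceable policy, with a time-boxed exception for the overtime case the text raises, as an added example (not code from the slides or the book). JOHN's office subnet, the dates, the exception window and the login attempts are all constructed; the decision reason is meant for the audit log, since the user should still see only a uniform failure message.

```python
# Added example (not from the slides): enforcing the extra conditions the
# text attaches to JOHN's account (8:00 to 17:00, Monday to Friday, from a
# workstation in the accounting offices) on top of the name/password check,
# with an explicit, time-boxed exception for approved overtime. JOHN's
# subnet, the dates and the attempts are constructed.
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass
class AccessPolicy:
    start: time
    end: time
    weekdays: frozenset                       # 0 = Monday ... 6 = Sunday
    allowed_networks: list                    # workstations the user may use
    exceptions: List[Tuple[datetime, datetime]] = field(default_factory=list)

    def evaluate(self, when: datetime, source_ip: str) -> Tuple[bool, str]:
        """Return (allowed, reason). The reason goes to the audit log only;
        the user gets the same uniform failure message as for a bad password."""
        addr = ip_address(source_ip)
        # Location is enforced even during an exception window.
        if not any(addr in net for net in self.allowed_networks):
            return False, f"source {source_ip} is not a permitted workstation"
        if any(lo <= when <= hi for lo, hi in self.exceptions):
            return True, "within an approved exception window"
        if when.weekday() not in self.weekdays:
            return False, "outside permitted weekdays"
        if not self.start <= when.time() <= self.end:
            return False, "outside permitted hours"
        return True, "within the normal schedule"


JOHN = AccessPolicy(
    start=time(8, 0),
    end=time(17, 0),
    weekdays=frozenset(range(5)),
    allowed_networks=[ip_network("10.1.20.0/24")],
    # Overtime approved for Saturday 16 March 2024, 09:00 to 13:00.
    exceptions=[(datetime(2024, 3, 16, 9, 0), datetime(2024, 3, 16, 13, 0))],
)

# Constructed login attempts: (when, source address). 12 March 2024 is a
# Tuesday, 16 March a Saturday; 203.0.113.5 is outside the office subnet.
ATTEMPTS = [
    (datetime(2024, 3, 12, 10, 30), "10.1.20.14"),   # normal working hours
    (datetime(2024, 3, 12, 22, 15), "10.1.20.14"),   # late at night
    (datetime(2024, 3, 16, 10, 0), "10.1.20.14"),    # approved overtime
    (datetime(2024, 3, 16, 15, 0), "10.1.20.14"),    # Saturday, after the window
    (datetime(2024, 3, 12, 10, 30), "203.0.113.5"),  # right time, wrong place
]


def audit(policy: AccessPolicy, attempts) -> List[Tuple[str, bool, str]]:
    """One audit record per attempt: timestamp, decision, reason."""
    return [(when.isoformat(timespec="minutes"), *policy.evaluate(when, ip))
            for when, ip in attempts]


if __name__ == "__main__":
    for stamp, ok, why in audit(JOHN, ATTEMPTS):
        print(f"{stamp}  {'ALLOW' if ok else 'DENY '}  {why}")
```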

 Using additional authentication information is called multifactor authentication. Two forms of authentication (which is, not surprisingly, known as two-factor authentication) are better than one, assuming of course that the two forms are strong. Strictly, the factors are the three qualities above (something known, held or inherent); time-of-day and workstation restrictions are usually treated as context checks layered on top of them. But as the number of forms increases, so also does the inconvenience. (For example, think about passing through a security checkpoint at an airport.) Each authentication factor requires the system and its administrators to manage more security information.
Attack on Passwords

 How secure are passwords themselves? Passwords are somewhat limited as protection devices because of the relatively small number of bits of information they contain.
 Here are some ways you might be able to determine a user's password, in decreasing order of difficulty.
1. Try all possible passwords.
2. Try frequently used passwords.
3. Try passwords likely for the user.
4. Search for the system list of passwords.
5. Ask the user.
Loose-Lipped Systems

 So far the process seems secure, but in fact it has some vulnerabilities. To see why, consider the actions of a would-be intruder. Authentication is based on knowing the <name, password> pair. A complete outsider is presumed to know nothing of the system. Suppose the intruder attempts to access a system in the following manner.
 (In the following examples, the system messages are in uppercase, and the user's responses are in lowercase.)

Example 1 (not recommended)

WELCOME TO THE XYZ COMPUTING SYSTEMS
ENTER USER NAME: adams
INVALID USER NAME: UNKNOWN USER
ENTER USER NAME:

Example 2 (recommended)

WELCOME TO THE XYZ COMPUTING SYSTEMS
ENTER USER NAME: adams
ENTER PASSWORD: john
INVALID ACCESS
ENTER USER NAME:

 This system notifies a user of a failure only after accepting both the user name and the password. The failure message should not indicate whether it is the user name or the password that is unacceptable. In this way, the intruder does not know which failed.
 These examples also gave a clue as to which computing system is being accessed.

Example 3 (better option)

 The user is given no information until the system is assured of the identity of the user.

ENTER USER NAME: adams
ENTER PASSWORD: john
INVALID ACCESS
ENTER USER NAME: adams
ENTER PASSWORD: johnq
WELCOME TO THE XYZ COMPUTING SYSTEMS
Attack on Passwords

 Ask the user (social engineering)
 Passwords likely for a user
If Jane is selecting a password, she is probably not choosing a word completely at random. Most likely Jane's password is something meaningful to her. People typically choose personal passwords, such as the name of a spouse, a child, a brother or sister, a pet, a street name, or something memorable or familiar. If we restrict our password attempts to just names of people (first names), streets, projects, and so forth, we generate a list of only a few hundred possibilities at most.
 Trying this number of passwords takes under a second. Even a person working by hand could try ten likely candidates in a minute or two.
Attack on Passwords

 Exhaustive attack (brute force)
 In an exhaustive or brute force attack, the attacker tries all possible passwords, usually in some automated fashion. Of course, the number of possible passwords depends on the implementation of the particular computing system.
 18,278 passwords of 3 letters or less
 At 1 password per millisecond this takes 18 seconds (8 minutes for 4 letters, 3.5 hours for 5 letters)
 Probable passwords (dictionary attack)
 An 80,000-word dictionary takes 80 seconds
 Expanded "dictionary"
Attack on Passwords

 Look on the desk…
 Try no password
 Try the user ID
 Try the user's name
 Common words (123456, password, private, secret)
 Short dictionary
 Complete English word list
 Common non-English dictionaries
 Dictionary with capitalization and substitutions (0 for o and 1 for i)
 Brute force (lowercase alphabet)
 Brute force (full character set)
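The arithmetic behind the brute-force figures on the earlier slides, the "expanded dictionary" built by capitalization and 0-for-o, 1-for-i substitution, and the ranked guess order from the attack steps, as one added example (not code from the slides or the book). The alphabet size, the one-guess-per-millisecond rate and the substitutions are the slides'; the user details and the short dictionary are constructed.

```python
# Added example (not from the slides): the arithmetic behind the slides'
# brute-force figures, a generator for the "expanded dictionary"
# (capitalization plus 0-for-o and 1-for-i substitutions), and a guess
# list ordered from most to least probable. The user details and the
# short dictionary are constructed.
import itertools
from typing import Iterable, List

SUBSTITUTIONS = {"o": "0", "i": "1"}


def keyspace(alphabet_size: int, max_length: int) -> int:
    """Passwords of 1..max_length characters over the alphabet
    (26 letters, length <= 3: 26 + 676 + 17,576 = 18,278)."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(count: int, guesses_per_second: float) -> float:
    """Worst case for an exhaustive search at a fixed guessing rate."""
    return count / guesses_per_second


def mangle(word: str) -> List[str]:
    """Variants an attacker adds to a plain dictionary word: three
    capitalizations, each with every combination of the substitutions."""
    forms = {word, word.capitalize(), word.upper()}
    for base in list(forms):
        positions = [i for i, ch in enumerate(base) if ch.lower() in SUBSTITUTIONS]
        for k in range(1, len(positions) + 1):
            for chosen in itertools.combinations(positions, k):
                chars = list(base)
                for i in chosen:
                    chars[i] = SUBSTITUTIONS[chars[i].lower()]
                forms.add("".join(chars))
    return sorted(forms)


def ranked_guesses(user_id: str, personal: Iterable[str], short_dictionary: Iterable[str]) -> List[str]:
    """The slides' order: no password, the user id, things personal to the
    user, the common words, then the mangled short dictionary. Duplicates
    keep their first (most probable) position."""
    ordered = ["", user_id, *personal, "123456", "password", "private", "secret"]
    for word in short_dictionary:
        ordered.extend(mangle(word))
    seen, out = set(), []
    for guess in ordered:
        if guess not in seen:
            seen.add(guess)
            out.append(guess)
    return out


if __name__ == "__main__":
    rate = 1000.0   # one password per millisecond, as on the slides
    for length in (3, 4, 5):
        n = keyspace(26, length)
        print(f"<= {length} lowercase letters: {n:>10,} guesses, {seconds_to_exhaust(n, rate):>9.0f} s")
    print(f"80,000-word dictionary: {seconds_to_exhaust(80_000, rate):.0f} s")
    guesses = ranked_guesses("summers", ["summers", "jane", "rex"], ["tiger", "password"])
    print(len(guesses), "guesses, first ten:", guesses[:10])
```

Note how cheap the expanded dictionary is: each word grows to a handful of variants, so "passw0rd" costs the attacker a few extra milliseconds, not the hours a true brute-force search over a larger character set would.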
Authentication

 Should be slow (5-10 seconds) so that automated guessing is throttled
 Should only allow a limited number of failures (e.g. 3)
 Challenge-response systems
 Impersonation of login
 Authentication other than passwords (biometrics)
 For more, go through chapters 4 and 5 of the book by Charles P. Pfleeger, Security in Computing, fourth edition, Prentice Hall
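The login behaviour argued for in the loose-lipped examples and in the rules above (no banner before identity is confirmed, one uniform failure message, a delay per attempt, a cap on failures), as an added example that is not code from the slides or the book. The accounts, the delay value and the three-failure lockout threshold are constructed; hashing a decoy record for unknown names is an assumption about how to keep the response time from revealing which names exist.

```python
# Added example (not from the slides): a login front end that applies the
# slides' rules: no banner before the identity is confirmed, one uniform
# failure message whether the name or the password was wrong, the same
# hashing work for unknown names, a delay per attempt, and a lockout after a
# limited number of failures. The accounts and the delay value are constructed.
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Tuple

MAX_FAILURES = 3
FAILURE = "INVALID ACCESS"
BANNER = "WELCOME TO THE XYZ COMPUTING SYSTEMS"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class LoginService:
    def __init__(self, accounts: Dict[str, str], delay_seconds: float = 0.0) -> None:
        # Store only salted one-way hashes, never the passwords themselves.
        self._db: Dict[str, Tuple[bytes, bytes]] = {}
        for name, password in accounts.items():
            salt = secrets.token_bytes(16)
            self._db[name] = (salt, _hash(password, salt))
        # A decoy record so an unknown name costs the same time as a real one.
        self._decoy = (secrets.token_bytes(16), _hash(secrets.token_hex(8), b"decoy"))
        self._failures: Dict[str, int] = {}
        self._delay = delay_seconds   # the slides suggest 5 to 10 seconds

    def attempt(self, name: str, password: str) -> str:
        """Return exactly the text the terminal shows, nothing more."""
        time.sleep(self._delay)
        salt, stored = self._db.get(name, self._decoy)
        matches = hmac.compare_digest(_hash(password, salt), stored)
        known = name in self._db
        locked = self._failures.get(name, 0) >= MAX_FAILURES
        if known and matches and not locked:
            self._failures.pop(name, None)
            return BANNER           # the system identifies itself only now
        # Count failures for unknown names too, so the counter does not reveal
        # which names exist. Trade-off: an attacker who knows a name can lock
        # its owner out, so real deployments pair this with alerting.
        self._failures[name] = self._failures.get(name, 0) + 1
        return FAILURE

    def is_locked(self, name: str) -> bool:
        return self._failures.get(name, 0) >= MAX_FAILURES


def demo() -> Tuple[List[Tuple[str, str, str]], bool]:
    svc = LoginService({"adams": "johnq", "summers": "tiger"})
    transcript = [
        ("adams", "john", svc.attempt("adams", "john")),       # wrong password
        ("nobody", "john", svc.attempt("nobody", "john")),     # unknown name, same reply
        ("adams", "johnq", svc.attempt("adams", "johnq")),     # correct: banner only now
    ]
    for guess in ("a", "b", "c"):                               # three failures ...
        svc.attempt("summers", guess)
    transcript.append(("summers", "tiger", svc.attempt("summers", "tiger")))  # ... then lockout
    return transcript, svc.is_locked("summers")


if __name__ == "__main__":
    lines, locked = demo()
    for name, password, reply in lines:
        print(f"ENTER USER NAME: {name}\nENTER PASSWORD: {password}\n{reply}")
    print("summers locked out:", locked)
```

Compare the second transcript line with Example 1 above: the unknown name "nobody" gets the same INVALID ACCESS as a wrong password, and only a successful login ever sees the XYZ banner.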
