
Slide 14-1

Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 5

Slide 14-2
Chapter 14: Protection and Security
Slide 14-3
Allowing Only Authorized Access

[Figure: a Subject requests access to a Secure Entity. Authorized access passes through Authentication and then Authorization before reaching the secure entity; Unauthorized access is stopped before it.]
Slide 14-4
Policy & Mechanism

• Protection mechanisms are tools used to implement security policies
  – Authentication
  – Authorization
  – Cryptography
• A security policy reflects an organization’s strategy for authorizing access to the computer’s resources only to authenticated parties
  – Accountants have access to payroll files
  – OS processes have access to the page table
  – Client process has access to information provided by a server
Slide 14-5
Cryptographically Protected Information

[Figure: a Secure Container holding Secure Elements, passed between two Secure Environments.]
Slide 14-6
Windows 2000 Logon

[Figure: Windows 2000 logon components. User space: Winlogon; the Local Security Authority Subsystem (Lsass) containing the LSA*, the Netlogon process, an authentication component (labelled "Authentic." on the slide) and the LSA Policy database; a Network Server; the Active Directory Server and the SAM**. Supervisor space: the Security Reference Monitor (SRM).]

* Local Security Authority
** Security Accounts Manager (SAM)
Slide 14-7
Security Goals

[Figure: Machine X holds Resources W, X, Y and Z and Processes A and B; arrows labelled read and read/write run from the processes to the resources. Process C runs on a separate Machine Y.]

• Authentication
• Authorization
Slide 14-8
Authentication

• User/process authentication
  – Is this user/process who it claims to be?
    • Passwords
    • More sophisticated mechanisms
• Authentication in networks
  – Is this computer who it claims to be?
    • File downloading
    • Obtaining network services
    • The Java promise
Slide 14-9
Authorization

• Is this user/process allowed to access the resource under the current policy?
• What type of access is allowable?
  – Read
  – Write
  – Execute
  – Append
Slide 14-10
Lampson’s Protection Model

• Active parts (e.g., processes)
  – Operate in different domains
  – Subject is a process in a domain
• Passive parts are called objects
• Want mechanism to implement different security policies for subjects to access objects
  – Many different policies must be possible
  – Policy may change over time
Slide 14-11
A Protection System

[Figure: a subject S (left, under "Subjects") and an object X (right, under "Objects"), with an arrow labelled a from S to X.]
• S desires a access to X
Slide 14-12
A Protection System

[Figure: as on slide 14-11, with a Protection State box between S and X.]
• S desires a access to X
• Protection state reflects current ability to access X
6
Slide 14-13

A Protection System
Subjects Objects
Protection
S State X

State
•S desires a access to X
Transition
•Protection state reflects
current ability to access X
•Authorities can change

Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 5

Slide 14-14
A Protection System

[Figure: as on slide 14-13, with Rules governing the State Transition.]
• S desires a access to X
• Protection state reflects current ability to access X
• Authorities can change (state transition)
• What are the rules for changing authority? (rules)
7
Slide 14-15

A Protection System
Subjects Objects
Protection
S State X

State
•S desires a access to X
Transition
•Protection state reflects
current ability to access X
•Authorities can change
Rules
•What are rules for
changing authority?
•How are the rules chosen?
Policy
Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 5

Slide 14-16
Protection System Example

[Figure: S --a--> X]
• S desires a access to X
Slide 14-17
Protection System Example

[Figure: S --a--> X, beside an access matrix whose row S and column X hold the entry a.]
• S desires a access to X
• The access matrix captures the protection state
Slide 14-18
Protection System Example

[Figure: as on slide 14-17, with an authentication step that turns S's request into the triple (S, a, X) before it reaches X.]
• S desires a access to X
• The access matrix captures the protection state
• Authentication generates an unforgeable ID
Slide 14-19
Protection System Example

[Figure: as on slide 14-18, with an Access Monitor between the authenticated request (S, a, X) and the object X.]
• S desires a access to X
• The access matrix captures the protection state
• Authentication generates an unforgeable ID
• The access monitor checks the access against the protection state
Slide 14-20
Protection State Example

Access matrix A[S, X]: rows are subjects S1..S3, columns are the objects (the subjects themselves, files F1 and F2, devices D1 and D2).

        S1        S2        S3        F1        F2        D1        D2
  S1    control   block     control   read*     seek      owner
                  wakeup              write*    owner
                  owner
  S2              control   stop      owner     update    owner     seek*
  S3                        control   delete    execute             owner

A right marked * is copyable: its holder may pass it on (see rule 1 on slide 14-22).
Slide 14-21
A Protection System

[Figure: subject S, Protection State, object X; a State Transition governed by Rules, which are set by Policy. Caption: Handling state changes.]
Slide 14-22
Policy Rules Example

Protection state: the access matrix of slide 14-20.

Rules for a Particular Policy

  Rule  Command by S0              Authorization                              Effect
  1     transfer(a|a*) to (S, X)   a* ∈ A[S0, X]                              A[S, X] = A[S, X] ∪ {a|a*}
  2     grant(a|a*) to (S, X)      owner ∈ A[S0, X]                           A[S, X] = A[S, X] ∪ {a|a*}
  3     delete a from (S, X)       control ∈ A[S0, S]  or  owner ∈ A[S0, X]   A[S, X] = A[S, X] - {a}
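The three rules worked through in code. This is an added example, not code from the slides or the textbook: the matrix is transcribed from slide 14-20 with the slide's right names, while the functions transfer, grant, delete, acl and capability_list are my own naming. It also shows the column (ACL) and row (capability list) views of the same matrix that slides 14-27 to 14-29 describe.

```python
from copy import deepcopy

# Protection state transcribed from slide 14-20: MATRIX[S][X] is the set of
# rights subject S holds on object X; a trailing '*' marks a copyable right.
MATRIX = {
    "S1": {"S1": {"control"}, "S2": {"block", "wakeup", "owner"}, "S3": {"control"},
           "F1": {"read*", "write*"}, "F2": {"seek", "owner"}, "D1": {"owner"}},
    "S2": {"S2": {"control"}, "S3": {"stop"}, "F1": {"owner"}, "F2": {"update"},
           "D1": {"owner"}, "D2": {"seek*"}},
    "S3": {"S3": {"control"}, "F1": {"delete"}, "F2": {"execute"}, "D2": {"owner"}},
}

def fresh_state():
    return deepcopy(MATRIX)

def rights(A, s, x):
    return A.get(s, {}).get(x, set())

def check_access(A, s, a, x):
    """Access monitor: does S currently hold right a on X (copyable or not)?"""
    return a in rights(A, s, x) or a + "*" in rights(A, s, x)

def _add(A, s, a, x):
    A.setdefault(s, {}).setdefault(x, set()).add(a)

def transfer(A, s0, a, s, x):
    """Rule 1: S0 may pass a (or a*) to (S, X) only if it holds copyable a* on X."""
    if a.rstrip("*") + "*" not in rights(A, s0, x):
        raise PermissionError(f"{s0} holds no copyable {a.rstrip('*')} on {x}")
    _add(A, s, a, x)

def grant(A, s0, a, s, x):
    """Rule 2: only an owner of X may grant rights on X."""
    if "owner" not in rights(A, s0, x):
        raise PermissionError(f"{s0} does not own {x}")
    _add(A, s, a, x)

def delete(A, s0, a, s, x):
    """Rule 3: S0 may remove a from (S, X) if it controls S or owns X."""
    if "control" not in rights(A, s0, s) and "owner" not in rights(A, s0, x):
        raise PermissionError(f"{s0} neither controls {s} nor owns {x}")
    rights(A, s, x).discard(a)

def acl(A, x):
    """Column of the matrix: the access control list kept at object X."""
    return {s: set(A[s][x]) for s in A if x in A[s]}

def capability_list(A, s):
    """Row of the matrix: the capability list kept with subject S."""
    return {x: set(r) for x, r in A.get(s, {}).items()}
```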
Slide 14-23
Protection Domains

• Lampson model uses processes and domains -- how is a domain implemented?
  – Supervisor/user hardware mode bit
  – Software extensions -- rings
• Inner rings have higher authority
  – Ring 0 corresponds to supervisor mode
  – Rings 1 to S have decreasing protection, and are used to implement the OS
  – Rings S+1 to N-1 have decreasing protection, and are used to implement applications
Slide 14-24
Protection Domains (cont)

• Ring crossing is a domain change
• Inner ring crossing ⇒ rights amplification
  – Specific gates for crossing
  – Protected by an authentication mechanism
• Outer ring crossing uses less-protected objects
  – No authentication
  – Need a return path
  – Used in Multics and Intel 80386 (& above) hardware
Slide 14-25
A Two-level Domain Architecture

[Figure: two concentric rings, the inner one labelled Supv (supervisor) and the outer one User.]
Slide 14-26
The General Ring Architecture

[Figure: concentric rings R0 (innermost), R1, R2, ... out to Ri.]
Slide 14-27
Implementing the Access Matrix

• Usually a sparse matrix
  – Too expensive to implement as a table
  – Implement as a list of table entries
• Column oriented list is called an access control list (ACL)
  – List kept at the object
  – UNIX file protection bits are one example
• Row oriented list is called a capability list
  – List kept with the subject (i.e., process)
  – Kerberos ticket is a capability
  – Mach mailboxes protected with capabilities
Slide 14-28
Access Control Lists

Derived from an Access Matrix

[Figure: an access matrix with a row S and columns X, X, X holding entries a, a, a; each column is stored as a Resource Descriptor at its object.]
• Store the Access Matrix by columns
• Each ACL is kept at the object
• UNIX file protection bits are one example
• Windows resource managers also use ACLs for protection
Slide 14-29
Capability Lists

Derived from an Access Matrix

[Figure: an access matrix with a column X and rows S, S, S holding entries a, a, a; each row is stored as a Process Descriptor with its subject.]
• Store the Access Matrix by rows
• List kept with the subject (i.e., process)
• Examples
  – Ticket to a concert
  – Kerberos ticket
  – Mach mailboxes
Slide 14-30
More on Capabilities

• Provides an address to object from a very large address space
• Possession of a capability represents authorization for access
• Implied properties:
  – Capabilities must be very difficult to guess
  – Capabilities must be unique and not reused
  – Capabilities must be distinguishable from randomly generated bit patterns
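One way to build capabilities with the three implied properties above, as an added example that is not from the slides: the token format, the CapabilityServer class and the use of a keyed hash as the unforgeability check are my own choices. The holder simply presents the token; the monitor's check is what makes possession equal authorization.

```python
import hashlib, hmac, secrets

class CapabilityServer:
    """Issues and validates capabilities; the MAC key never leaves this object."""
    def __init__(self):
        self._key = secrets.token_bytes(32)    # monitor-private key (constructed here)
        self._live = set()                      # nonces issued and not yet revoked

    def _tag(self, obj, rights, nonce):
        msg = f"{obj}|{rights}|{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, obj, rights):
        """rights is a comma-separated list such as 'read,seek'."""
        nonce = secrets.token_hex(16)           # 128 random bits: very hard to guess
        self._live.add(nonce)                   # unique per issue; never handed out twice
        return f"{obj}|{rights}|{nonce}|{self._tag(obj, rights, nonce)}"

    def revoke(self, cap):
        self._live.discard(cap.split("|")[2])

    def check(self, cap, obj, right):
        """Reference-monitor check: a genuine, live capability granting right on obj?"""
        try:
            c_obj, c_rights, nonce, tag = cap.split("|")
        except ValueError:
            return False                        # not even the right shape
        if not hmac.compare_digest(tag, self._tag(c_obj, c_rights, nonce)):
            return False                        # random or edited bits: tag does not verify
        if nonce not in self._live:
            return False                        # revoked, or never issued by this monitor
        return c_obj == obj and right in c_rights.split(",")
```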
Slide 14-31
Cryptography

• Information can be encoded using a key when it is written (or transferred) -- encryption
• It is then decoded using a key when it is read (or received) -- decryption
• Very widely used for secure network transmission
Slide 14-32
More on Cryptography

[Figure: plaintext --encryption--> ciphertext --decryption--> plaintext]
Slide 14-33
More on Cryptography

[Figure: plaintext --> Encrypt (key Ke) --> C = E_Ke(plaintext) --> Decrypt (key Kd) --> plaintext]
Slide 14-34
More on Cryptography

[Figure: as on slide 14-33, with an Invader who observes C and, using side information, recovers the plaintext.]
Slide 14-35
Cryptographic Systems

• Conventional Systems: Ke and Kd are essentially the same
• Modern Systems
  – Private Key: Ke and Kd are private
  – Public Key: Ke is public; Kd is private
Slide 14-36
Kerberos

[Figure: three parties: an Authentication Server, a Client and a Server.]
Slide 14-37
Kerberos

[Figure: the Authentication Server sends the Client a message encrypted for the client; it contains a Session Key and a Ticket. The Ticket is encrypted for the server and contains the Client ID and the Session Key.]
Slide 14-38
Kerberos

[Figure: as on slide 14-37; the Client has decrypted the reply and now holds the Session Key and the (still encrypted) Ticket.]
Slide 14-39
Kerberos

[Figure: as on slide 14-38; the Client forwards the Ticket to the Server, which decrypts it with its own key and obtains the Client ID and the Session Key. Client and Server now share the Session Key.]
Slide 14-40
The DES Algorithm

[Figure: a 64-bit plaintext block passes through the initial permutation IP and is split into halves L_{j-1} and R_{j-1}. Each round applies f to R_{j-1} and the round key K_j = f(K, j), XORs (⊕) the result with L_{j-1}, and swaps the halves: L_j = R_{j-1}, R_j = L_{j-1} ⊕ f(R_{j-1}, K_j). After the rounds the 64-bit block passes through IP^-1 to give the ciphertext block.]
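The round structure of the figure above as an added example, not the slide's or the textbook's code. The round function f, the key schedule K_j = f(K, j) and the initial permutation IP are toy stand-ins (SHA-256 and a 64-bit rotation), not DES's real S-boxes and tables; what the example shows is that the L/R swap-and-XOR structure decrypts with the same code and the subkeys reversed, even though f itself is not invertible.

```python
import hashlib

MASK32, MASK64 = 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF
ROUNDS = 16

def f(r, k):
    """Toy round function: any 32-bit -> 32-bit map will do, invertible or not."""
    return int.from_bytes(hashlib.sha256(r.to_bytes(4, "big") + k).digest()[:4], "big")

def key_schedule(key):
    """K_j derived from the master key K and the round number j (toy stand-in)."""
    return [hashlib.sha256(key + bytes([j])).digest()[:6] for j in range(1, ROUNDS + 1)]

def ip(block):
    """Stand-in for DES's initial permutation: rotate the 64-bit block left by 17."""
    return ((block << 17) | (block >> 47)) & MASK64

def ip_inv(block):
    return ((block >> 17) | (block << 47)) & MASK64

def feistel(block, subkeys):
    """Run the rounds; decryption is the same loop with the subkeys reversed."""
    l, r = block >> 32, block & MASK32
    for kj in subkeys:
        l, r = r, l ^ f(r, kj)      # L_j = R_{j-1};  R_j = L_{j-1} xor f(R_{j-1}, K_j)
    return (r << 32) | l            # final swap, as in DES, makes the loop self-inverse

def encrypt_block(plain, key):
    return ip_inv(feistel(ip(plain), key_schedule(key)))

def decrypt_block(cipher, key):
    return ip_inv(feistel(ip(cipher), key_schedule(key)[::-1]))
```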
Slide 14-41
A Digital Rights Management System

[Figure: a Publisher supplies Style, Raw content and Rights; a Distributor and other parties contribute to the Rights specification; Editors combine them and a Translate step turns them into a consumable form. An Admin loads it into a Content Repository behind an API, from which it is Distributed (InTransit) to a Server that Serves it to a Client; a Consumer queries through the client API and receives a Consumable for Playback.]
• Other parties may contribute to the rights spec