24308 CSC 080A - 0 - Operating Systems
Monday, 5:30 pm - 8:10 pm , Kramer Science Center 102A
Herbert J. Bernstein (firstname.lastname@example.org)
This web page is http://www.bernstein-plus-sons.com/.dowling/CSC080/CSC080_Security.html
Copyright © 2002 Herbert
J. Bernstein and other parties. All rights reserved.
In designing operating systems, we try to protect programs and data from
accidental or deliberate loss, alteration, misuse or destruction.
The issues involved are complex. We cannot anticipate and eliminate
all possible modes of failure, but we can make a reasonable effort
to reduce the probability of failure to acceptable levels.
Sound security policies protect against a wide range of risks,
not just against the most likely threats.
- Security and protection: Overview of system security; policy/mechanism
separation; security methods and devices; protection, access, and
authentication; models of protection; memory protection; encryption;
Security and Protection
- Overview of system security
- Understanding the concept of a system
- Internals and external flows
- Risks (possibilities of loss)
- Loss or corruption of data
- Unintended acccess to data
- Denial of access to data
- The system may fail to hold/process information correctly
- A power failure caused a disk crash, destroying valuable data.
- The infomation may be altered even though the system functions
- A student alters his grade records.
- Actions, persons or systems that
pose a risk of loss, corruption or misuse.
- May be inherent in the system
- Infant mortality of components
- Aging of systems
- Wear and tear in disks and tapes
- Design defects
- May come from within a system or subsystem
- Rabbits and other denial of service attacks
- Users snooping in files of other users
- Logic bombs (programs that blow up after some period of use)
- Trojan horses (programs with hidden side effects)
- Pretending to be getty, login, etc (spoofing)
- Field-service bypasses, system backdoors
- Failure to protect against illegal data entry (buffer overflows)
- May come from outside the system
- Denial of service attacks (as above)
- Trojan horses (as above)
- Worms -- self-replication stand-alone programs that penetrate
- Viruses -- self-reproducing code attached to another program.
- Network snooping (esp. Ethernet, cable modems, wireless)
- Spoofing (pretending to be another host to see their messages)
- Enviromental problems (temperature, power, humidity).
- Network failures
- Equipment failures
- Software errors
- Unauthorized access to computers, networks, disks
- Policy vs. Mechanism
- Policies estabish general framework
- Mechanisms specify the specific parameters of protection
- Similar to approach to scheduling
- TCP wrapper
- Establishes a general framework within which
access to unix network-based services may be controlled
- Parametrized in inetd.conf, hosts.allow, hosts.deny
- Establishes a general firewall framework
- Parametrized by lists of ports, protocols and packet types
to forward or to block
- Security Methods and Devices
- All information in more than one place (backups)
- Alternative systems (hot spares)
- Physical access control
- Logical access control
- Access restricted by address of connection (operator's console)
- Access restricted by time
- Access restricted by identfying the user
- Username/password schemes
- Smartcards and one-time passwords
- Biometrics (retina, voice, handprint)
- Access restricted by function (restricted shells)
- Access restricted to limited areas (filesystem protections, chroot)
- Private key systems
- Public key systems
- RSA (Rivest et al. 1978)
- Symmetric encrypt/decrypt:
let p and q be prime, e < pq, e relatively prime to n = (p-1)*(q-1)
find d, such that (e*d -1) is divisible by n
define the public key to be (n,e)
define the private key to be (n,d)
encrypted_message = mod(plain_text ** e , n)
decrypted_message = mod(encrypted_messages ** d, n)
= mod(plain_text ** (e*d) , n)
which works, since, by definition of d, e*d is congruent to 1 mod n.
- Heavily used to secure computer communications
- e.g. (SSL) Secure Socket Layer/(TLS)Transport Layer
2246 by T. Dierks and C. Allen, January 1999.
- used by browsers and web servers
- based on authenticated certificates with public keys
- nonces (numbers used once) used to prevent playback
of previously accepted sessions
- client says hello
- server sends public key
- client sends first secret key
(pre-master-secret key) encrypted by public
- second secret key (master-secret key)
computed from first secret key, and all the nonces sent thus far
by client or server.
- each subsequent secret key is computed from
the first key and the nonces, so that each message is sent with
a different secret key.
- each message has a message authentication code (MAC)
computed from the secret key and all the nonces to that point.
- e.g. SSH (T. Ylonen, 1995)
- See the Secure Shell (secsh) IETF internet drafts at
- may use distributed authentication or centralized
- each node has a public and a private key
- authenticates both hosts and users
- forwards multiple encrypted service connections
- Evolving Public Key Infrastructure (PKI, see
- Carefully restricted access to information
- Systems secure by design
- Recovery Mechanisms
- Logs and backups
- Virus "protection"
- System consistency checks
Updated 24 April