CS170 Lecture notes -- Protection and Security

Lecture notes -- html: http://www.cs.ucsb.edu/~rich/class/cs170/notes/Security/index.html

Overview

We'll be covering bits of Chapters 18 and 19 from the text, along with my own thoughts about some of the concepts. You should come away with a clear understanding of these core concepts and how they are used and implemented in operating systems:

Protection: The mechanism for coherent access to shared resources (files, directories, memory, processors, devices, etc.) by users and programs.
Authentication: The means of verifying the identity and permissions of a user or program.
Access Control: A method of protection that attaches permissions to the objects to be protected.
Capability: A method of protection that attaches permissions to users or programs.
Principle of Least Privilege: The notion that no user or program should have more permission than is required for the task at hand. Related to the "need to know" principle, by which entities are allowed access to information only according to their present needs.

Much of this material needs to be understood abstractly, because if you only understand how it's done in a particular operating system, you miss the general principles involved.

Protection

Protection is mediated by permissions that an entity has to access the objects in the system.

System Model
- Entities: users and processes
- Objects:
  - Hardware objects: CPU, memory, printer, disk, terminals
  - Software objects: file, program, semaphore
Protection policies
- use and sharing of data
- allocation of resources
  - CPU time
  - disk quotas
  - memory
- access to devices
- organization of entities
  - users
  - groups
Protection domains - permission contexts for a process.
- protection context of a process
- static or dynamic, but static systems tend to waste resources.
- variety of organizations
  - by user
  - by process
  - by procedure (code unit)
  - by role (e.g. as user, as sysadmin, as operator)
  - etc.
- domain switching
  - by request for permission
  - by assuming a new role
  - by asserting a new identity
UNIX
- The user is a domain
- Switch by asserting a new username (su program)
- Switch by implicit change (suid, sgid programs)
- Extension by request to daemon process (database)
MULTICS
- Ring structure, inner ring has the most privilege
- Process has an access bracket, and current ring.
- Access within the bracket is allowed
- Access outside the bracket traps to the OS
- Calls to outer rings may need to copy their arguments
- Calls to inner rings must occur through a "gate".
This turns out to be complex and slow. Nevertheless, it inspired much of the design of the Data General Eagle-class machines (e.g. MV-8000), immortalized in "The Soul of a New Machine".

Access Matrix Match domains to objects:

                 Object
              -------------------------
              |  1  |  2  |  3  |  4  |
              -------------------------
    
        ----- -------------------------
        | 1 | |  r  |     |  r  |     |    r = read
        ----- -------------------------    w = write
        | 2 | |     |     |     |  p  |    x = execute
Domain  ----- -------------------------    p = print
        | 3 | |     |  r  |  x  |     |
        ----- -------------------------
        | 4 | |  rw |     |  rw |     |
        ----- -------------------------

Can extend this idea

the access matrix is an object, and can be accessed
the domains are objects, with the permission to "switch".

                 Object
              -------------------------------------------------------
              |  1  |  2  |  3  |  4  |  AM |  D1 |  D2 |  D3 |  D4 |
              -------------------------------------------------------
 
        ----- -------------------------------------------------------
        | 1 | |  r  |     |  r  |     |     |     |  s  |     |     |
        ----- -------------------------------------------------------
        | 2 | |     |     |     |  p  |     |     |     |  s  |  s  |
Domain  ----- -------------------------------------------------------
        | 3 | |     |  r  |  x  |     |     |     |     |     |     |
        ----- -------------------------------------------------------
        | 4 | |  rw |     |  rw |     |  M  |  s  |     |     |     |
        ----- -------------------------------------------------------

Access Control vs Capability

Access Control (ACL) is a column, and belongs to an object.
Capability is a row, and belongs to a process (though it is protected from the process).
Lock and Key; a hybrid.

Either ACLs or Capabilities may have defined groups: membership in the group defines some of the permissions. Database roles, for instance.

There are drawbacks to each method.

ACLS are hard to manage if there are a great many objects with distinct ACLS; the ACLS get long.
Capabilities can be difficult to revoke
Key lists can get long, as do ACLS.

Question: does this correspond to the systems you know? How closely?

Security

Protection provides the mechanisms for reasonably well-behaved processes to coexist productively. Security requires effective protection and much more.

The Problem

Ensure data is not stolen, misused or erased improperly, and that system functions are not interfered with. This requires efforts at several levels.
- Physical Problem - lock the doors.
- Human Problem - who are you really?
- Network - intrusion, denial of service (DOS)
- OS
Authentication
- Passwords
  - System generated
  - User generated
  - Duration
  - Reuse
  - Password Encryption
  - One-time passwords
- Biometrics
  - Fingerprints
  - Retinal or Iris scans
  - Face recognition
Program Threats
- Trojan Horse
- Trap Door
- Flaws: Stack Mangling -- why we don't use fgets() and strcpy()
- Packet sniffers
- Covert channels
System Threats
- Worms
- Viruses
- Denial of Service

Countermeasures

Securing Systems and Facilities
Scan for:
- Password filters
- Inappropriate permissions, especially directories
- Inappropriate programs
- Unexpected executions, or overlong executions
- Dangerous PATH
- Modified system programs
- Inappropriate daemons
Active Methods:
- Firewall - monitor and filter
  - Must be trusted
  - May have to pass some traffic if there are servers
  - Does not prevent tunneling, spoofing, DOS
- NAT - rename to prevent access
Intrusion Detection
- The many ways...
  - Immediate / After
  - Features detected
    - Network traffic
    - Commands
    - Services used
    - System Calls
  - Responses
    - Block the intruder's host, site, subnet, or domain
    - Kill an offending process
    - Honey trap (decoy resource)
- Detection
  - Signatures - identify suspect behavior
    - Prohibited behavior
    - Sensitive information
    - Virus scanners
  - Anomalies - identify normal behavior
    - Characterize what users are expected to do
  - Comparison
    - Signatures cannot catch a new kind of attack
    - Anomalous behavior may be innocent, or normal but simply rare
    - Bayes Theorem
- Subject matter
  - Audit trails and Logging
  - Tripwire - file and directory signatures
  - System Calls

Cryptography

Authentication
Encryption
SSL and SSH and https
VPN

Military Designations

Confidential, Secret, Top Secret
Special: Crypto, etc

US DOD Trusted Computer System Evaluation Criteria

Division D: failure to qualify for any other division
- Windows
- Macintosh
Division C: discretionary protections and accountability
- C1: most versions of UNIX
- C2: adds individual-level access control
Division B: mandatory protection, with sensitivity labels
- B1: every object has a security label
- B2: storage objects also have labels; control of covert channels
- B3: adds denial labels, active countermeasures
Division A: uses formal design process