CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science...
-
date post
20-Dec-2015 -
Category
Documents
-
view
213 -
download
0
Transcript of CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science...
![Page 1: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/1.jpg)
CS 5950/6030 Network SecurityClass 19 (F, 10/14/05)
Leszek LilienDepartment of Computer Science
Western Michigan University
Based on Security in Computing. Third Edition by Pfleeger and Pfleeger.Using some slides courtesy of:
Prof. Aaron Striegel — at U. of Notre DameProf. Barbara Endicott-Popovsky and Prof. Deborah Frincke — at U. Washington
Prof. Jussipekka Leiwo — at Vrije Universiteit (Free U.), Amsterdam, The Netherlands
Slides not created by the above authors are © by Leszek T. Lilien, 2005Requests to use original slides for non-profit purposes will be gladly granted upon a written
request.
![Page 2: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/2.jpg)
2
3. Program Security...3.4. Controls for Security
a. Introductionb. Developmental controls for security — PART 1
b. Developmental controls for security — PART 2c. Operating System controls for securityd. Administratrive controls for securitye. Conclusions
4. Protection in General-Purpose OSs4.1. Protected Objects, Methods, and Levels of Protection
a. History of protection in OSsb. Protected objects in OSsc. Security methods in OSsd. Levels of protection in OSse. Three dimensions of protection in OSs
Class 18
![Page 3: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/3.jpg)
3
3.4. Controls for Security How to control security of pgms during their
development and maintenance
Outline:a. Introductionb. Developmental controls for securityc. Operating system controls for securityd. Administrative controls for securitye. Conclusions
![Page 4: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/4.jpg)
4
b. Developmental Controls for Security (1)
Nature of s/w development Collaborative effort Team of developers, each involved in 1 of these
steps: Requirement specification
Regular req. specs: „do X” Security req. specs: „do X and nothing more”
Design Implementation Testing Documenting Reviewing at each of the above stages Managing system development thru all above stages Maintaining deployed system (updates, patches, new versions,
etc.)
Both product and process contribute to quality incl. security dimension of quality
![Page 5: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/5.jpg)
5
Developmental Controls for Security (4)
Techniques for building solid software 1) Peer reviews2) Hazard analysis3) Testing4) Good design5) Risk prediction & mangement6) Static analysis7) Configuration management8) Additional developmental controls
... all discussed below ...
[cf. B. Endicott-Popovsky]
![Page 6: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/6.jpg)
6
c. Operating System Controls for Security (1)
Developmental controls not always usedOR: Even if used, not foolproof=> Need other, complementary controls, incl. OS
controls
Such OS controls can protect against some pgm flaws
![Page 7: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/7.jpg)
7
d. Administrative Controls for Security (1)
They prohibit or demand certain human behavior via policies, procedures, etc.
They include:1) Standards of program development2) Security audits3) Separation of duties
![Page 8: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/8.jpg)
8
e. Conclusions (for Controls for Security)
Developmental / OS / administrative controls help produce/maintain higher-quality (also more secure) s/w
Art and science - no „silver bullet” solutions „A good developer who truly understands security
will incorporate security into all phases of development.”
[textbook, p. 172]
Summary:Control Purpose Benefit
Develop-
mental
Limit mistakesMake malicious code difficult
Produce better software
OperatingSystem
Limit access to system Promotes safe sharing of info
Adminis-trative
Limit actions of people Improve usability, reusability and maintainability
[cf. B. Endicott-Popovsky]
![Page 9: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/9.jpg)
9
4. Protection in General-Purpose OSs
This section: User’s side of protection in general-purpose OS:
Functions that directly address security Functions that have security as a byproduct
[cf. B. Endicott-Popovsky and D. Frincke]
Next section: How OS design is affected by protection requirements
Outline:4.1. Protected Objects, Methods, and Levels of Protection
...
![Page 10: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/10.jpg)
10
4.1. Protected Objects, Methods, and Levels of Protection
Outlinea. History of protection in OSsb. Protected objects in OSsc. Security methods in OSsd. Levels of protection in OSse. Three dimensions of protection in OSs
...
![Page 11: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/11.jpg)
11
e. Three dimensions of protection in OSs
[cf. B. Endicott-Popovsky and D. Frincke]
2
3
1
Dimensions:1—protected objects2—security methods3—protection levels
![Page 12: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/12.jpg)
12
3. Program Security...3.4. Controls for Security
...b. Developmental controls for security — PART 2c. Operating System controls for securityd. Administratrive controls for security / e. Conclusions
4. Protection in General-Purpose OSs4.1. Protected Objects, Methods, and Levels of Protection
a. History of protection in OSsb. Protected objects in OSsc. Security methods in OSsd. Levels of protection in OSse. Three dimensions of protection in OSs
f. Granularity of data protection
4.2. Memory and Address Protectiona. Fenceb. Relocationc. Base/Bounds Registersd. Tagged Architecturee. Segmentationf. Pagingg. Combined Paging with Segmentation
Class 18
Class 19
![Page 13: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/13.jpg)
13
f. Granularity of data protection Granularity of data protection
Aplicable only to data Protect by:
Bit Byte Element/word Field Record File Volume
Ease of implementation
Worse(higher granularity)data control (*)
(*) If no control at proper granularity level, OS must grant access to more data than necessary
E.g., if no field-level data control,user must be given whole record
![Page 14: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/14.jpg)
14
4.2. Memory and Address Protection (1)
Most obvious protection:Protect pgm memory from being affected by other pgms
Outlinea. Fenceb. Relocationc. Base/Bounds Registersd. Tagged Architecturee. Segmentationf. Pagingg. Combined Paging with Segmentation
![Page 15: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/15.jpg)
15
Memory and Address Protection (2)
a. Fence Confining users to one side of a
boundary E.g., predefined memory address n
between OS and userUser pgm instruction at address ≤ n (OS’s side of the fence) not allowed to execute
Fixed fence (cf. Fig. 4-1, p. 184)
(wastes space if unusued by OS or blocks IOS from growing)
orVariable fence (cf. Fig. 4-2, p. 185)
Using fence register — h/w register
[cf. B. Endicott-Popovsky and D. Frincke]
![Page 16: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/16.jpg)
16
Memory and Address Protection (3)
b. Relocation Pgms written as if starting at location 0 in memory Actually, starting at location n — determined by OS Before user instruction executed, each address
relocated by adding relocation factor n to it Relocation factor = starting address of pgm in memory
Fence register (h/w register) plays role of relocation register as well
Bec. adding n to pgm addresses prevents it from accessing addresses below n
![Page 17: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/17.jpg)
17
Memory and Address Protection (4)
c. Base/Bounds Registers (cf. Fig. 4-3, p. 186) Base register = variable fence register
Determines starting address, i.e. lower limit, for user pgm addresses
Bounds register Determines upper limit for user pgm addresses
Each pgm address forced to be above base address Bec. base reg contents added to it
& each pgm address checked to be below bounds address
To protect user’s instructions from user’s own data address errors – use two pairs of registers: (cf. Fig. 4-4, p. 187)
1) Register pair for data2) Register pair for for instructions
![Page 18: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/18.jpg)
18
Memory and Address Protection (5)
d. Tagged Architecture Problem with base/bounds registers:
high granularity of access rights (ARs) Can allow another module to access all or none of
its data „All or none” data within limits of data base-bounds registers
Solution: tagged architecture (gives low granularity of access rights) Every word of machine memory has ≥1 tag bits
defining access rights to this word (a h/w solution!)Tag Word
R 0001
RW 0137
R 4091
R 0002X
R = Read only
RW = Read/Write
X = Execute only
[cf. B. Endicott-Popovsky and D. Frincke]
Access bits set by OS
Tested every time instruction accesses its location
(# of bits ~ # of different ARs)
![Page 19: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/19.jpg)
19
Memory and Address Protection (6)
Benefit of tagged architecture:Low (good!) granularity of memory access control
– at memory word level
Problems with tagged architecture: Requires special h/w
Incompatible with code of most OSs OS compatible with it must:
Accommodate tags in each memory word Test each memory word accessed
Rewriting OS would be costly Higher memory costs (extra bits per word)
More modern solutions available (below)
![Page 20: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/20.jpg)
20
Memory and Address Protection (7)
e. Segmentation Benefits addressing + enhances memory protection
for free Effect of an unbounded number of base/bounds
registers
Pgm segmentation: Program divided into logical pieces (called
segments) E.g. Pieces are: code for single procedure
/ data of an array / collection of local data values Consecutive pgm segments can be easily stored in
nonconsecutive memory locations (cf. Fig. 4-6 p.190)
![Page 21: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/21.jpg)
21
Memory and Address Protection (8)
Addressing w/ segmentation Data item D addressed as: (segment_name_of_D,
offset_of_D_within_segment)Instructions addressed analogously
For each process, OS keeps a separateSegment Translation Table (STT)
Rows in STT: (segment_name, segment_offset)segment_name – name of segment containg data itemsegment_offset – starting location for named segment
OS translates each data or instruction address using STT
Cf. Fig. 4-7 p. 191
Two processes can share a segment S by having the same segment_name and segment_offset value in their STTs
![Page 22: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/22.jpg)
22
Memory and Address Protection (9)
Security-related benefits of segmentation Strong segment protection
Bec.: STT under exclusive OS control - each address requires STT access to get
segment_offset for segment S- OS checks that address translates into S’s memory
space (not beyond its end) Different protection levels for different segments
(approximates tagging at higher granularity) E.g. segments with: R-only data / X-only code / W data
Different protection levels for different processes accessing the same segment
![Page 23: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/23.jpg)
23
Memory and Address Protection (10)
Problems w/ segmentation Programmer must be aware of segmentation Efficiency
OS lookup of STT is slow Symbolic segment names difficult to encode in pgm
instructions Fragmentation of main memory (by variable-sized
holes left after „old” segments)
![Page 24: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/24.jpg)
24
Memory and Address Protection (11)
f. Paging Principles:
Programs divided into equal-sized pagesMemory divided into same-sized page frames
Size is usually 2n, from 512 B to 4096 B
Address format for item (data or instruction) I: (page_nr_of_I, offset_of_I_within_page)
OS maintains Page Translation Table (PTT)— maps pages into page frames
Address translation similar as for segmentation (cf. Fig. 4-8)
But guaranteed that offset falls within page limit E.g., for page size of 1024 = 210,
10 bits are allocated for page_offset
![Page 25: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/25.jpg)
25
Memory and Address Protection (12)
Benefits of paging Programmer can be oblivious to page boundaries
(automatic) Paging completely hidden from programmer
No fragmentation of main memory
Problem w/ paging Can’t associate access rights with pages
Pages are random collections of items that require different protection level in general
Pages are not ‘access rights’ units (logical units) to be protected at the same level
![Page 26: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/26.jpg)
26
Memory and Address Protection (13)
f. Combined paging with segmentation Principle:
Paging offers efficiency Hiding from programmer No fragmentation
Segmentation offers ‘logical protection’ Grouping items w/ similar protection needs within the
same segment
Paged segmentation: (cf. Fig. 4-9, p. 195)
Programmer defines segments Segments broken into pages automatically
Benefits of paging and segmentationbut extra layer of address translation Additional h/w deals with this overhead
![Page 27: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/27.jpg)
27
Project discussion – separate file
![Page 28: CS 5950/6030 Network Security Class 19 (F, 10/14/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d4e5503460f94a2e4f7/html5/thumbnails/28.jpg)
28
End of Class 19