Operating System Security

Questions and Answers

Explain the primary difference in security considerations between application software and system software.

System software's security focus is managing application software, in contrast to application software which handles viruses, trojans, and logic bombs amongst others.

Why is a modern general-purpose operating system required to 'protect' the controlled sharing of its objects?

To ensure controlled sharing, modern OSs must protect objects from unauthorized access or modification, maintaining system integrity and confidentiality.

What is the main goal of 'protection' in the context of operating systems?

To prevent intentional or mischievous violations of access restrictions by users, by distinguishing between authorized and unauthorized usage.

List at least three examples of 'protected objects' within an operating system.

Memory, shareable I/O devices (disks, printers), shareable programs/libraries (DLLs), and networks, plus shareable data like databases.

Describe the core concept behind security methods in operating systems.

The core concept is separation, which involves isolating processes and resources to prevent unauthorized access and interference.

Explain the primary limitation of physical and temporal separation as security methods within an OS.

Physical separation inefficiently utilizes resources, while temporal separation does not work well with modern computing practices. Resources are not used in parallel.

What are the implications of choosing not to protect shared code and data in an OS?

Without protection, shared resources become vulnerable to unauthorized access, corruption, or misuse, leading to potential security breaches and system instability.

Describe what is meant by the sharing method 'Share via limited access'.

It allows access based on permissions, limiting how the objects can be used after being accessed, controlled by the operating system.

Explain the need for memory protection in a multi-programmed operating system.

Memory protection prevents user programs from interfering with the operating system or other user programs, ensuring system stability and security.

Explain the purpose of a 'fence' in early operating systems like DOS.

A 'fence' prevents faulty user programs from affecting the memory-resident operating system sections, protecting OS integrity.

What is the improvement achieved by using a 'fence register' over a fixed fence implementation?

The fence register allows dynamic adjustment of the memory allocated to the OS, as the value of the address at the end of the OS is stored.

What is the primary function of 'relocation' in memory management?

Relocation adjusts a program's addresses to reflect its actual location in memory, allowing it to run correctly regardless of where it's loaded.

What is the purpose of having both a 'base register' and a 'bound register' in memory protection?

They define the lower and upper memory limits for a program, confining it to its own address space and protecting it from other programs.

Explain how the use of 'tagged architectures' can enhance memory protection.

Tagged architectures allow different parts of memory to have different protection schemes, by using extra bits that record access rights for the operating system to enforce.

In segmentation, how are memory addresses typically represented?

Addresses are represented as a pair: <segment_id, offset>. The segment ID identifies the segment, and the offset specifies the location within that segment.

How does segmentation enable sharing of data and code between different processes or users?

Segments can be shared by different users/programs with different access rights, which enables control of access to the memory region.

What is a major drawback of segmentation that is addressed by paging?

Programmers must be aware of segment size in segmentation, but not in paging.

What is a disadvantage of paging compared to segmentation regarding data protection?

In paging, the data items on a page may have nothing in common, so a page cannot have the unified protection that a segment has.

In the context of operating systems, what is the role of 'access control'?

Access control is about protecting objects, by checking access according to privileges, least privilege, and acceptable usage.

Define the 'need to know' principle in relation to domain of protection.

A process should only have access to the resources it needs to complete its current task, minimizing potential damage from a faulty process.

Explain what is meant by 'domain' in the context of OS security and access control.

A domain is a protection domain that specifies the resources a process may access, defining the boundaries within which it can operate.

What information is contained in an 'access-right' construct?

An access-right includes the object name and the rights-set, which is a subset of valid operations that a user can execute on that object.

In practice, how are 'domains', 'subjects', and 'users' typically treated in operating system security discussions?

They are often treated as equivalent, but in reality, a domain may refer to a process or other OS object, and may not necessarily be bound by user identity.

How can a 'directory' be used to protect objects in an Operating System?

A directory holds a listing of file permissions and is used to implement simple access controls.

What are at least 2 main limitations of using a standard directory for access control?

It is time-consuming for large systems, every object must have an entry, and deletion/revocation is also time-consuming.

Explain the key difference between traditional 'directory' based access control and an 'Access Control List' (ACL).

Directory-based control is per-user/subject, while ACLs are per-object; an ACL does not need an entry for every user.

In an Access Matrix, what do the rows and columns represent?

Rows represent users or domains, and columns represent protected objects.

In an Access Matrix, what does Access(i, j) signify?

It represents the set of operations that a process executing in Domain i can invoke on Object j.

List at least three 'special access rights' and their corresponding function.

The special access rights are: Own (owner of object), Copy (copy an op on O to another domain), Control (modify a domain D's access rights), Transfer (switch from domain D1 to D2).

Explain how an Access Matrix separates the 'mechanism' from the 'policy' of access control.

The OS provides the mechanism (access-matrix + rules), while the policy (user) determines who can access what object and in what mode.

Describe the role of access modes within the concept of Access Control.

Access modes are controllable actions of subjects on objects, including read, write, modify, execute, which are defined rights and permissions to perform on the object.

Explain the purpose of 'least privilege', and how it relates to enforcement of policies.

Programs, users, and systems should be given just enough privileges to perform their tasks. This is to verify acceptable usage and enforce policies.

What is the result of implementing file naming conventions in an OS?

The naming conventions result in objects in the OS being called files.

Explain why the OS would need to 'check every access' dynamically.

User privileges change, which can dynamically affect authorization, and quota usage contributes to what can be actioned.

Does the Access Matrix support dynamic protection?

The Access Matrix can be expanded to support dynamic protection. In that regard, operations can add/delete access rights.

Are segments dynamically placed in memory?

Segments can be moved and placed in any memory location, even whilst executing.

Does the OS check addresses with segments? Why?

Every address reference passes through the operating system, which allows for checking to determine if protection is available.

Is segmented memory contiguous?

In segmented memory, the segments are not arranged contiguously in memory.

Does paging require system memory to be contiguous?

Paging allows for memory to be non-contiguous. Paging is a good fit, as systems commonly implement non-contiguous pages of memory.

What is the result of using paging to manage system memory?

Using paging creates fixed-size segments, so programmers do not need to consider memory size.

Flashcards

System software

Software responsible for managing application software.

OS object protection

A modern OS protects controlled sharing of objects.

Protection

Prevents intentional or mischievous access restriction violations.

Protected Objects

Memory, I/O devices, programs, libraries, networks and data.

Protection Goal

Ensures authorized object access by allowed processes only.

Physical Separation

Processes use different physical setup.

Temporal Separation

Processes execute at different times.

Logical Separation

Illusion that no other processes exist, which is achieved by hiding information between them.

Cryptographic Separation

Each process encrypts its data and computations.

Do not protect

Not attempting to protect the processes.

Isolate

Processes unaware of others, owning dedicated memory.

Share all or share nothing

Owner declares object public or private.

Share via Limited Access

OS checks access permissions to objects.

Limit user of an object

Restricts object usage post-access (e.g., view but not print).

Memory Protection

Protection between the OS and user programs

Fence

Early hardware adds fence to separate OS from user programs.

Fence Register

Stores the value of the address at the end of the OS.

Relocation

Allows memory allocation changes for the OS.

Base register / Fence registers

Lower bound/starting address for user programs.

Bound Register

Used to limit the upper memory use.

Tagged Architectures

Each memory location has extra bits to identify data access rights.

Segmentation

Divides program into variable-sized segments.

Segments

A virtual process that creates address spaces of various sizes.

Paging

Breaks program into fixed-size pages.

Particular Mode Access

Allowed access to objects in a particular mode.

Subjects

Human users represented by surrogate programs.

Objects

Files, tables, programs, memory, hardware.

Access Control Goal

Check access as user privileges change.

Enforce Least Privilege

Minimum privileges to perform tasks.

Protection Domain

The resources that a process may access.

Access-right

Object-name and rights-set.

Directory

Easiest way to protect objects with a naming convention system.

Access Control List

A list per object of users and their access rights.

Access Matrix

A matrix showing user access rights to objects.

Study Notes

System Security

  • Focuses on protecting the Operating System (OS).
  • Includes considerations for file access and user authentication.
  • System software manages application software to maintain security.

General Purpose OS

  • Modern OSes protect the controlled sharing of objects.
  • Objects include hardware and software, each with a unique name.
  • Objects are accessed through defined operations.

Protection

  • Needed to prevent intentional or mischievous violations of access restrictions.
  • Protection-oriented systems distinguish between authorized and unauthorized usage.
  • Guarantees program components use system resources consistent with stated policies.
  • Provides mechanisms for policy enforcement.
  • Application programmers use protection mechanisms to guard resources against misuse.

Protected Objects

  • Include memory, shareable I/O devices like disks and printers, programs, and libraries like Dynamic Link Libraries (DLLs).
  • Extends to networks and shareable data, such as databases.
  • Addresses a problem: ensuring that only authorized processes correctly access objects.

Security Methods

  • Protection is based on separation.
  • Types of separation include:
    • Physical separation: uses different physical hardware for different processes.
    • Temporal separation: executes processes at different times.
    • Logical separation: creates the illusion that no other processes exist.
    • Cryptographic separation: each process encrypts its data and computations.
  • Physical and temporal separation do not utilize resources well.
  • Cryptographic separation requires too many resources.

Resource Sharing

  • Sharing methods include:
    • Not protecting at all, relying on temporal separation.
    • Isolation: processes are unaware of each other and have their own memory space.
    • Sharing all or nothing: the owner declares resources as public or private.
    • Sharing via limited access, with the OS checking permissions.
    • Limiting user actions with accessed objects, for example, allowing viewing but not printing.

Memory Protection

  • A crucial need in a multi-programmed OS.
  • Includes protection between the operating system and user programs.
  • Also, protection among user programs.
  • Can be built into hardware.

Fence

  • Employed in single-user OSs like DOS.
  • Prevents faulty user programs from affecting memory-resident OS sections.
  • Achieved in hardware by placing a "fence" between the OS and user programs.

Fence Register

  • Addresses the limitation of fixed memory space in hardware fences.
  • Stores the address at the end of the OS.
  • Protects the OS but not between user programs.

Relocation

  • Like using a fence register, relocation lets OS memory allocation be dynamically changed.
  • Involves taking a program written as if it started at address 0 and changing all addresses to reflect the actual address in memory.
  • Achieved using a fence register.
  • User programs' memory addresses are relative to a "relocation factor."

Bound Registers

  • Fence registers act as the lower bound or starting address for user programs, also known as the base register.
  • A "bound register" is used to limit the program's upper memory usage.
  • Each user program is confined to its address space.
  • OS context switching includes switching the base and bound registers.
  • Protects users from each other.

Tagged Architectures

  • Used when different memory parts need different protection levels.
  • Each memory location has extra bits for the OS to identify access rights.

Segmentation

  • Process creates address spaces of various sizes, called segments, in a computer system.
  • Segmentation is an extension of the base/bound registers.
  • Programs are divided into separate pieces.
  • This creates a segment address table for each process.
  • Segments are addressed by <name, offset> pairs.
  • Memory addresses consist of a segment ID and an offset inside the segment.
  • Effectively offers an "unlimited" number of base/bound registers.
  • Each segment is tagged for different permissions.

Segmentation Details

  • A program segment contains main functions, utility functions, and data structures.
  • The OS keeps a segment map table for each process, with free memory blocks.
  • For each segment, the table stores the start address and length.
  • A memory location reference includes a segment identifier and an offset.

Segmentation Features

  • Enables segments to be moved and placed in any memory location, even during execution.
  • Segments can be moved off main memory when not in use.
  • Address references pass through the OS, making protection checks available.

Segmentation Security

  • Each address reference has protection.
  • Different data items are assigned different protection levels.
  • Segments can be shared among users/programs with differing access rights.
  • Prevents users from accessing other memory areas as they are invisible.
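As an added illustration of the segmentation notes above (this is not code from the lecture or from any real OS), the following Python models a segment map table: every <segment_id, offset> reference goes through one translate() function that enforces the bound, the per-process access rights, and the invisibility of segments a process was never granted, while relocating a segment changes only its table entry. The segment names, process names and addresses are constructed sample values.

```python
from dataclasses import dataclass, field

READ, WRITE, EXEC = "read", "write", "execute"


class SegmentFault(Exception):
    """Raised when a <segment_id, offset> reference fails a bounds or rights check."""


@dataclass
class Segment:
    start: int                                  # physical start address; changes on relocation
    length: int                                 # bound: valid offsets are 0 .. length-1
    rights: dict = field(default_factory=dict)  # process name -> set of permitted modes


class SegmentMapTable:
    """The OS's segment map table: every address reference passes through translate()."""

    def __init__(self):
        self.segments = {}

    def add(self, seg_id, start, length, rights):
        self.segments[seg_id] = Segment(start, length, {p: set(m) for p, m in rights.items()})

    def relocate(self, seg_id, new_start):
        # Only the table entry changes; existing <seg_id, offset> references stay valid.
        self.segments[seg_id].start = new_start

    def translate(self, process, seg_id, offset, mode):
        """Resolve <seg_id, offset> to a physical address for process, or fault."""
        seg = self.segments.get(seg_id)
        if seg is None or process not in seg.rights:
            # A segment never granted to a process is simply invisible to it.
            raise SegmentFault(f"{process}: no segment {seg_id!r}")
        if mode not in seg.rights[process]:
            raise SegmentFault(f"{process}: {mode} not permitted on {seg_id!r}")
        if not 0 <= offset < seg.length:
            raise SegmentFault(f"{process}: offset {offset} beyond bound of {seg_id!r}")
        return seg.start + offset


def faults(table, *args):
    """True if table.translate(*args) raises SegmentFault."""
    try:
        table.translate(*args)
    except SegmentFault:
        return True
    return False


def build_example():
    """Constructed sample: a library shared by two processes and one private data segment."""
    t = SegmentMapTable()
    t.add("libmath", start=2000, length=512, rights={"P1": [READ, EXEC], "P2": [READ]})
    t.add("P1.data", start=4096, length=64, rights={"P1": [READ, WRITE]})
    return t


if __name__ == "__main__":
    t = build_example()
    print(t.translate("P1", "libmath", 10, EXEC))  # 2010
    t.relocate("libmath", 7000)                    # segment moved while P1 keeps running
    print(t.translate("P1", "libmath", 10, EXEC))  # 7010
    print(faults(t, "P2", "P1.data", 0, READ))     # True: P1.data is invisible to P2
```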

Paging

  • Fixed-size segmentation.
  • Programmers don't have to check segment memory size, unlike in segmentation.
  • A fault occurs if a program goes beyond its memory boundaries.
  • Lacks the flexibility of different protection levels for each segment found in segmentation.

Access Control

  • Pertains to protecting files.
  • Addresses who can access what objects and how.

Basic Concept of Access Control

  • A subject can access an object in a specific mode, with only authorized accesses allowed.
  • Subjects are human users (or programs running on their behalf).
  • Objects are items on which actions are performed.
  • Access modes include read, write, modify, execute, etc.

Access Control Principles

  • Check every access as user privileges change.
  • Enforce least privilege by providing only enough privileges to perform tasks.
  • Verify acceptable usage for proper usage, for example, one can view but not edit.

Domain of Protection

  • Processes should access only authorized resources.
  • They should access only resources needed to complete their tasks (need-to-know principle).
  • Limits the damage from faulty processes.
  • A process operates within a protection domain that specifies accessible resources.

Domain Structure

  • An access right is the ability to perform an operation on an object.
  • Access-right = <object-name, rights-set>
  • The association between a process and a domain is either static or dynamic.
  • Domains can be treated as subjects or users in this lecture.

Directory-Based Protection

  • A straightforward way to protect objects in an OS.
  • A global list managed by the OS, called a directory, lists each file's permissions.
  • Is easy to implement.

Drawbacks of Directory-Based Protection

  • Large multi-user systems need an entry for each user, which is inefficient.
  • Revoking access is time-consuming.
  • Handling pseudonyms or same-named files shared among users introduces complexity.

Access Control List (ACL)

  • Per-object based, not per user.
  • Reduced overhead by not requiring entries for every user.
  • Generally has default access rights.

Access Matrix

  • Represents protection as a matrix.
  • Rows represent users (domains).
  • Columns represent objects.
  • Access(i, j) is the set of operations a process in Domain i can invoke on Object j.

Use of Access Matrix

  • A process in Domain Di can only do "op" on Object Oj if "op" is in Access(i, j).
  • Supports dynamic protection through operations to add/delete access rights.
  • Special access rights include "Own" (owner of O), "copy op," "control" (modify access rights), and "transfer" (switch domains).

Access Matrix Design

  • Separates mechanism and policy.
  • The OS provides the mechanism: the access matrix and the rules for using it.
  • Ensures that only authorized agents manipulate the matrix.
  • Users set the policy, which determines who can access what objects and how.
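An added example (not from the lecture) of the access matrix as a mechanism: Access(i, j) is stored per (domain, object) cell, check() enforces it on every request, and the special rights own, copy (marked as op*), control and transfer change the matrix itself, which is the dynamic protection described above. build_example() loads a constructed policy; the domain and object names are sample values.

```python
class AccessDenied(Exception):
    """Raised when a request has no backing entry in Access(i, j)."""


class AccessMatrix:
    """Access(i, j): operations a process in domain i may invoke on object j. Domains are
    also columns, so 'control' and 'transfer' rights on other domains share the matrix."""

    def __init__(self, domains, objects):
        self.domains = list(domains)
        self.objects = list(objects) + self.domains
        self.cell = {(d, o): set() for d in self.domains for o in self.objects}

    def access(self, d, o):
        return self.cell[(d, o)]

    def check(self, d, o, op):
        """The mechanism: a process in domain d may do op on o only if op is in Access(d, o)."""
        if op not in self.access(d, o):
            raise AccessDenied(f"{d} may not {op} {o}")
        return True

    def copy(self, src, op, obj, dst):
        """Copy: src may pass op on obj to dst only if it holds op with the copy flag (op*)."""
        if op + "*" not in self.access(src, obj):
            raise AccessDenied(f"{src} cannot copy {op} on {obj}")
        self.access(dst, obj).add(op)

    def grant(self, owner, obj, target, op):
        """Own: the owner of obj may add any right in obj's column."""
        self.check(owner, obj, "own")
        self.access(target, obj).add(op)

    def revoke_row(self, controller, target, op):
        """Control: a domain with 'control' over target may strip op from target's whole row."""
        self.check(controller, target, "control")
        for obj in self.objects:
            self.access(target, obj).difference_update({op, op + "*"})

    def transfer(self, current, new):
        """Transfer: switch a process from domain current to domain new, if permitted."""
        self.check(current, new, "transfer")
        return new


def is_denied(fn, *args):
    """True if the request raises AccessDenied."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


def build_example():
    """Constructed policy for three domains and two files (sample values, not the lecture's)."""
    m = AccessMatrix(["D1", "D2", "D3"], ["F1", "F2"])
    m.access("D1", "F1").add("read")
    m.access("D1", "F2").update({"own", "read", "write"})
    m.access("D1", "D2").add("transfer")     # D1 may switch into D2
    m.access("D2", "F1").add("read*")        # read on F1, with the right to copy it
    m.access("D2", "D3").add("control")      # D2 may modify D3's row
    m.access("D3", "F1").add("execute")
    m.access("D3", "F2").add("read")
    return m
```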
