cs 423 operating system design: os security crash course · cs 423: operating systems design...
TRANSCRIPT
![Page 1: CS 423 Operating System Design: OS Security Crash Course · CS 423: Operating Systems Design Tianyin Xu CS 423 Operating System Design: OS Security Crash Course Thanks for Prof. Adam](https://reader033.vdocuments.us/reader033/viewer/2022052106/604159d01fc302111547ed4b/html5/thumbnails/1.jpg)
CS 423: Operating Systems Design
Tianyin Xu
CS 423Operating System Design:OS Security Crash Course
Thanks for Prof. Adam Bates for the slides.
![Page 2: CS 423 Operating System Design: OS Security Crash Course · CS 423: Operating Systems Design Tianyin Xu CS 423 Operating System Design: OS Security Crash Course Thanks for Prof. Adam](https://reader033.vdocuments.us/reader033/viewer/2022052106/604159d01fc302111547ed4b/html5/thumbnails/2.jpg)
CS 423: Operating Systems Design
Security Properties
2
• Confidentiality?
• Integrity?
• Availability?
• Authenticity?
![Page 3: CS 423 Operating System Design: OS Security Crash Course · CS 423: Operating Systems Design Tianyin Xu CS 423 Operating System Design: OS Security Crash Course Thanks for Prof. Adam](https://reader033.vdocuments.us/reader033/viewer/2022052106/604159d01fc302111547ed4b/html5/thumbnails/3.jpg)
CS 423: Operating Systems Design
Security Properties
3
• Confidentiality?
• Only trusted parties can read data
• Integrity?
• Only trusted parties have modified data
• Authenticity?
• Data originates from the correct party
• Availability?
• Data is available to trusted parties when needed
![Page 4: CS 423 Operating System Design: OS Security Crash Course · CS 423: Operating Systems Design Tianyin Xu CS 423 Operating System Design: OS Security Crash Course Thanks for Prof. Adam](https://reader033.vdocuments.us/reader033/viewer/2022052106/604159d01fc302111547ed4b/html5/thumbnails/4.jpg)
CS 423: Operating Systems Design
Security Functions
4
• Define security functions over principals (e.g., users, programs, sysadmins)
• … and also entities (e.g., files, network sockets, ipc)
• Authentication
• How do we determine the identity of the principal?
• Authorization
• Which principals are permitted to take what actions on which objects?
• Auditing
• Record of (un) authorized actions that took place on the system for post-hoc diagnostics
![Page 5: CS 423 Operating System Design: OS Security Crash Course · CS 423: Operating Systems Design Tianyin Xu CS 423 Operating System Design: OS Security Crash Course Thanks for Prof. Adam](https://reader033.vdocuments.us/reader033/viewer/2022052106/604159d01fc302111547ed4b/html5/thumbnails/5.jpg)
CS 423: Operating Systems Design
Authorization
5
• Access control matrix
• For every protected resource, list of who is permitted to do what
• Example: for each file/directory, a list of permissions
• Owner, group, world: read, write, execute
• Setuid: program run with permission of principal who installed it
• Smartphone: list of permissions granted each app
![Page 6: CS 423 Operating System Design: OS Security Crash Course · CS 423: Operating Systems Design Tianyin Xu CS 423 Operating System Design: OS Security Crash Course Thanks for Prof. Adam](https://reader033.vdocuments.us/reader033/viewer/2022052106/604159d01fc302111547ed4b/html5/thumbnails/6.jpg)
CS 423: Operating Systems Design
Question
6
Access control matrices allow us to specify anarbitrary security policy… what properties shouldour security policy provide?
![Page 7: CS 423 Operating System Design: OS Security Crash Course · CS 423: Operating Systems Design Tianyin Xu CS 423 Operating System Design: OS Security Crash Course Thanks for Prof. Adam](https://reader033.vdocuments.us/reader033/viewer/2022052106/604159d01fc302111547ed4b/html5/thumbnails/7.jpg)
CS 423: Operating Systems Design
Principle of Least Privilege
7
• Grant each principal the least permission possible for them to do their assigned work
• Minimize code running inside kernel
• Minimize code running as sysadmin
• Practical challenge: hard to know
• what permissions are needed in advance
• what permissions should be granted
• Ex: to smartphone apps
• Ex: to servers
![Page 8: CS 423 Operating System Design: OS Security Crash Course · CS 423: Operating Systems Design Tianyin Xu CS 423 Operating System Design: OS Security Crash Course Thanks for Prof. Adam](https://reader033.vdocuments.us/reader033/viewer/2022052106/604159d01fc302111547ed4b/html5/thumbnails/8.jpg)
CS 423: Operating Systems Design
Authorization w/ Intermediaries
8
• Trusted Computing Base (TCB): set of software trusted to enforce security policy
• Is it good or bad to have a large TCB?
• Ex: Storage Server is trusted to check user access control list
• Why? Because server must store/retrieve data on behalf of all users.
• Implication? security flaw in server allows attacker to take control of system
![Page 9: CS 423 Operating System Design: OS Security Crash Course · CS 423: Operating Systems Design Tianyin Xu CS 423 Operating System Design: OS Security Crash Course Thanks for Prof. Adam](https://reader033.vdocuments.us/reader033/viewer/2022052106/604159d01fc302111547ed4b/html5/thumbnails/9.jpg)
CS 423: Operating Systems Design
Encryption
9
![Page 10: CS 423 Operating System Design: OS Security Crash Course · CS 423: Operating Systems Design Tianyin Xu CS 423 Operating System Design: OS Security Crash Course Thanks for Prof. Adam](https://reader033.vdocuments.us/reader033/viewer/2022052106/604159d01fc302111547ed4b/html5/thumbnails/10.jpg)
CS 423: Operating Systems Design
Authentication
10
• How do we know user is who they say they are?
• Try #1: user types password (something they know)
• User needs to remember password!
• Short passwords: easy to remember, easy to guess
• Long passwords: hard to remember
![Page 11: CS 423 Operating System Design: OS Security Crash Course · CS 423: Operating Systems Design Tianyin Xu CS 423 Operating System Design: OS Security Crash Course Thanks for Prof. Adam](https://reader033.vdocuments.us/reader033/viewer/2022052106/604159d01fc302111547ed4b/html5/thumbnails/11.jpg)
CS 423: Operating Systems Design
Question
11
• Where are passwords stored?
• Password is a per-user secret
• In a file?
• Anyone with sysadmin permission can read file
• Encrypted in a file?
• If gain access to file, can check passwords offline
• If user reuses password, easy to check against other systems
• Encrypted in a file with a random salt?
• Hash password and salt before encryption, foils precomputed password table lookup
![Page 12: CS 423 Operating System Design: OS Security Crash Course · CS 423: Operating Systems Design Tianyin Xu CS 423 Operating System Design: OS Security Crash Course Thanks for Prof. Adam](https://reader033.vdocuments.us/reader033/viewer/2022052106/604159d01fc302111547ed4b/html5/thumbnails/12.jpg)
CS 423: Operating Systems Design
Symmetric Key (DES, AES)
12
![Page 13: CS 423 Operating System Design: OS Security Crash Course · CS 423: Operating Systems Design Tianyin Xu CS 423 Operating System Design: OS Security Crash Course Thanks for Prof. Adam](https://reader033.vdocuments.us/reader033/viewer/2022052106/604159d01fc302111547ed4b/html5/thumbnails/13.jpg)
CS 423: Operating Systems Design
Authentication
13
• How do we know user is who they say they are?
• Try #2: user has secret key
• User needs to safely store the secret!
• Is system configured s.t. it can protect the confidentiality of the secret key?
• Can the user prove they know the secret without giving it to the other part?
![Page 14: CS 423 Operating System Design: OS Security Crash Course · CS 423: Operating Systems Design Tianyin Xu CS 423 Operating System Design: OS Security Crash Course Thanks for Prof. Adam](https://reader033.vdocuments.us/reader033/viewer/2022052106/604159d01fc302111547ed4b/html5/thumbnails/14.jpg)
CS 423: Operating Systems Design
Public Key (RSA, PGP)
14
![Page 15: CS 423 Operating System Design: OS Security Crash Course · CS 423: Operating Systems Design Tianyin Xu CS 423 Operating System Design: OS Security Crash Course Thanks for Prof. Adam](https://reader033.vdocuments.us/reader033/viewer/2022052106/604159d01fc302111547ed4b/html5/thumbnails/15.jpg)
CS 423: Operating Systems Design
Encryption Summary
15
• Symmetric key encryption
• Single key (symmetric) is shared between parties, kept secret from everyone else
• Ciphertext = (M)^K
• Public Key encryption
• Keys come in pairs, public and private
• Secret: (M)^K-public
• Authentic: (M)^K-private
![Page 16: CS 423 Operating System Design: OS Security Crash Course · CS 423: Operating Systems Design Tianyin Xu CS 423 Operating System Design: OS Security Crash Course Thanks for Prof. Adam](https://reader033.vdocuments.us/reader033/viewer/2022052106/604159d01fc302111547ed4b/html5/thumbnails/16.jpg)
CS 423: Operating Systems Design
2-Factor Authentication
16
• Can be difficult for people to remember encryption keys and passwords
• Instead, store private key (K-private) inside a chip• Use PIN/PW to prove user is authorized (something user knows)
• Use challenge-response to authenticate smartcard (something user has)
Are there other authentication factors?
![Page 17: CS 423 Operating System Design: OS Security Crash Course · CS 423: Operating Systems Design Tianyin Xu CS 423 Operating System Design: OS Security Crash Course Thanks for Prof. Adam](https://reader033.vdocuments.us/reader033/viewer/2022052106/604159d01fc302111547ed4b/html5/thumbnails/17.jpg)
CS 423: Operating Systems Design
Public Key to Session Key
17
• Public key encryption/decryption is slow; so can use public key to establish (shared) session key
• assume both sides know each other’s public key
![Page 18: CS 423 Operating System Design: OS Security Crash Course · CS 423: Operating Systems Design Tianyin Xu CS 423 Operating System Design: OS Security Crash Course Thanks for Prof. Adam](https://reader033.vdocuments.us/reader033/viewer/2022052106/604159d01fc302111547ed4b/html5/thumbnails/18.jpg)
CS 423: Operating Systems Design
Symmetric Key to Session Key
18
• In symmetric key systems, how do we gain a session key with other side?
• infeasible for everyone to share a secret with everyone else
• solution: “authentication server” (Kerberos)
• everyone shares (a separate) secret with server
• server provides shared session key for A <-> B
• everyone trusts authentication server
• if compromise server, can do anything!
![Page 19: CS 423 Operating System Design: OS Security Crash Course · CS 423: Operating Systems Design Tianyin Xu CS 423 Operating System Design: OS Security Crash Course Thanks for Prof. Adam](https://reader033.vdocuments.us/reader033/viewer/2022052106/604159d01fc302111547ed4b/html5/thumbnails/19.jpg)
CS 423: Operating Systems Design
Kerberos Example
19
![Page 20: CS 423 Operating System Design: OS Security Crash Course · CS 423: Operating Systems Design Tianyin Xu CS 423 Operating System Design: OS Security Crash Course Thanks for Prof. Adam](https://reader033.vdocuments.us/reader033/viewer/2022052106/604159d01fc302111547ed4b/html5/thumbnails/20.jpg)
CS 423: Operating Systems Design
Message Digest (MD5, SHA)
20
• Cryptographic checksum: message integrity
• Typically small compared to message (MD5 128 bits)
• “One-way”: infeasible to find two messages with same digest
![Page 21: CS 423 Operating System Design: OS Security Crash Course · CS 423: Operating Systems Design Tianyin Xu CS 423 Operating System Design: OS Security Crash Course Thanks for Prof. Adam](https://reader033.vdocuments.us/reader033/viewer/2022052106/604159d01fc302111547ed4b/html5/thumbnails/21.jpg)
CS 423: Operating Systems Design
Cryptographic Hash Functions
21
• What properties do we need?1. Deterministic
2. Quick
3. One-Way
4. “Avalance Effect”
5. Collision Resistant
6. Pre-image attack resistant
• How does this compare to non-crypto hashes?
All of these functions were once thought to be cryptographically strong (some are
not)… Seahash outperforms BLAKE(2) by 32x!
![Page 22: CS 423 Operating System Design: OS Security Crash Course · CS 423: Operating Systems Design Tianyin Xu CS 423 Operating System Design: OS Security Crash Course Thanks for Prof. Adam](https://reader033.vdocuments.us/reader033/viewer/2022052106/604159d01fc302111547ed4b/html5/thumbnails/22.jpg)
CS 423: Operating Systems Design
Security Practice
22
• In practice, systems are not that secure
• hackers can go after weakest link
• any system with bugs is vulnerable
• vulnerability often not anticipated
• usually not a brute force attack against encryption system
• often can’t tell if system is compromised
• hackers can hide their tracks
• can be hard to resecure systems after a breakin
• hackers can leave unknown backdoors