04 Operating Systems Security

Computer Systems Security
CT013-3.5-3
Operating Systems Security
Prepared by: NOR Prepared on: 21-1-2014
Learning Outcomes
At the end of this session you should be able to
explain: Protection features provided by general-purpose
operating systems: protecting memory, files, and the
execution environment
Controlled access to objects
User authentication
CT013-3.5-3 Computer System Security

CE00360-3 Computer Systems Security
Operating System Security
Goals of an Operating System

Controlling shared access
Implementing an interface to allow that access

Categories of Operating System functions

Access control
Identity and credential management
Information flow
Audit and integrity protection

Resource Separation
Several aspects of computing systems require
protection
Memory
Shared I/O devices (disks, . . . )
Serially reusable I/O devices (printers, . . . )
Sharable programs and sub-procedure
Networks
Sharable data

Different Way to Realize Separation

Goal: keeping one users object separate from other users
Physical separation:
Different processes use different physical objects
Temporal separation:
Process with different security requirements are executed at
different
times
Logical separation:
A process cannot access objects outside its permitted domain
Cryptographic separation:
Processes conceal their data and computations
Different Levels of Protections

Do not protect
Sensitive procedure run at separate times
Isolate
Each process unaware of the presence of other processes
Share all or share nothing

Each object is declared either public (all users) or private (only the owner)
Share via access limitation

Access control implemented for a specific user and a specific object
Share by capabilities
Sharing depends on owner, object and context of the computation
Limit use of an object

Not just the access to the object, but the use of that object
Memory and Address Protection

Goal: prevent one program from affecting the data and
programs in the memory space of other users
Different forms of memory protection:
Fence
Relocation
Base/Bounds Registers
Tagged Architecture
Segmentation
Paging
Fence
Predefined memory address: the OS resides on one side and the user on
the other
Drawback
Predefined mount of space assigned to the OS
Hardware register or fence register

Contains the address of the end of the OS
It can be modified
Check address for each data modification request
Drawback
Cannot protect one user from another user


Fixed Fence
Variable Fence Register

Relocation
Think of a program as if it begins at location 0
Use constant relocation factor to map each address of
the program to it actual location in memory
Fence register can be a hardware relocation
device
Add its content to each program address
Use special instruction when a program legitimately
intends to access a location of the OS

Base register: variable fence register
Provides a lower bound (starting address)
Bounds register: upper address limit

Each program address forced to stay above the base
address and below the bounds address
Context Switch
When execution change from one users program to
anothers, OS updates base and bounds registers

Prevent a user to modify another users program
A user can accidentally store data on top of programs
instructions
Two pairs of base/bounds registers
One for instructions (code) of the program and the other for
the data space
Extra advantage: Ability to split a program into two

pieces that can be relocated separately


Two Pairs of Base/Bounds Registers

Tagged Architecture
With base/bounds registers, each pair of registers confines
access to a consecutive range of addresses
All-or-nothing sharing: either allow to modify all data or prohibits
access to all data
Tagged architecture: every word of machine memory has one
or more extra bits to identify the access right to that word
Can be set only by privileged instructions
Bits tested every time an instruction access that location
Drawback: require fundamental changes to existing OS

Tagged Architecture

Segmentation
Divide program into separate pieces (segments)
Each segment has a logical unity
The code of a single procedure
The data of an array
Each segment can have different access rights

The program is seen as a collection of segments
Each segment has a unique name
A code within a segment is address with the pair <name,
offset>
Segment Address Table

OS maintains a table of segment name and their true
address in memory
When a program requests <name, offset>, the OS looks up
name in the table, and add offset to the real memory
address stored in the table
If two process share access to the same segment,

both will have the same segment name and address
in their segment tables

Logical and Physical Representation

of Segments

Translation of Segment Address

Hiding Properties of the Segment Table

User have no way, and have no need to determine the actual
address associate to each segment
OS can place/move any segment at any location, even after the
program begins to execute
need only update the corresponding entry in the table
A segment can be removed from main memory, if not used

OS can check every request to access an address
A process can access a segment only if its name appear in the process
segment table

Segmentation: Security Benefits

Each address reference is checked for protection
Different classes of data can be assigned different
level of protections
Two or more users can share access to a segment,
with potentially different access rights
A user cannot generate an address to an unpermitted
segment

Segmentation: Limitations
Each segment has a specific size
A program can reference a valid segment, but with an
invalid offset
Segment can grow in size during execution
Cannot check offset during compilation or when a program is
loaded
Add current segment length in translation table

Requires extra time and resources

Paging
Program is divided into equal-sized pieces (pages)
Page size: between 512 and 4096 bytes
Memory is divided into equal-sized units (page

frames)
Each address in a page is specifies with a pair <page,
offset>
OS maintains a page table to store user page number
and their true address in memory

Page Address Translation

Paging: Security Benefits

All pages have the same fixed length
Fragmentation is not a problem
An offset beyond the end of the page results in a carry

on to the next page

Paging: Limitations
Change to a program, such as addition of one
instruction, pushes all subsequent instructions to lower
address
no way to establish that all values on a page should
be protected at the same level (e.g., read-only or
execute-only)

Combining Paging with Segmentation

Paging offer implementation efficiency
Segmentation offer logical protection characteristics
Divide the program into logical segments
Divide each segment into fixed-sized pages

Paged Segmentation

Summary
This chapter has addressed four topics:
memory protection
file protection
general object access control
user authentication.
Memory protection in a multiuser setting has evolved with advances in

hardware and system design.
Fences
base/bounds registers
tagged architecture
Paging
segmentation
Reference
Security in Computing, 4/E
Charles P. Pfleeger
Publisher: Prentice Hall
Pub Date: 2006
ISBN-10: 0-13-239077-9
ISBN-13: 978-0-13-239077-4


04 Operating Systems Security

Uploaded by

04 Operating Systems Security

Uploaded by

Computer Systems Security

Operating Systems Security

Prepared by: NOR Prepared on: 21-1-2014

CT013-3.5-3 Computer System Security

Operating System Security

Goals of an Operating System

CT013-3.5-3 Computer System Security

Operating System Security

Categories of Operating System functions

CT013-3.5-3 Computer System Security

Operating System Security

CT013-3.5-3 Computer System Security

Operating System Security

Different Way to Realize Separation

Operating System Security

Different Levels of Protections

Share all or share nothing

Share via access limitation

Limit use of an object

Operating System Security

Memory and Address Protection

Operating System Security

Hardware register or fence register

Cannot protect one user from another user

CT013-3.5-3 Computer System Security

Operating System Security

CT013-3.5-3 Computer System Security

Operating System Security

Variable Fence Register

CT013-3.5-3 Computer System Security

Operating System Security

CT013-3.5-3 Computer System Security

Operating System Security

Bounds register: upper address limit

CT013-3.5-3 Computer System Security

Operating System Security

Extra advantage: Ability to split a program into two

CT013-3.5-3 Computer System Security

Operating System Security

CT013-3.5-3 Computer System Security

Operating System Security

Two Pairs of Base/Bounds Registers

CT013-3.5-3 Computer System Security

Operating System Security

Drawback: require fundamental changes to existing OS

CT013-3.5-3 Computer System Security

Operating System Security

CT013-3.5-3 Computer System Security

Operating System Security

Each segment can have different access rights

Operating System Security

Segment Address Table

If two process share access to the same segment,

CT013-3.5-3 Computer System Security

Operating System Security

Logical and Physical Representation

CT013-3.5-3 Computer System Security

Operating System Security

Translation of Segment Address

CT013-3.5-3 Computer System Security

Operating System Security

Hiding Properties of the Segment Table

A segment can be removed from main memory, if not used

CT013-3.5-3 Computer System Security

Operating System Security

Segmentation: Security Benefits

CT013-3.5-3 Computer System Security

Operating System Security

Add current segment length in translation table

CT013-3.5-3 Computer System Security

Operating System Security

Memory is divided into equal-sized units (page

CT013-3.5-3 Computer System Security

Operating System Security

Page Address Translation

CT013-3.5-3 Computer System Security