SECURITY IN COMPUTING, FIFTH EDITION
Chapter 4: Operating Systems
Instructor: Gao Haibo, Henan University of Chinese Medicine, Department of Information Management and Information Systems
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Chapter 5 Objectives
• Basic security functions provided by operating systems
• System resources that require operating system protection
• Operating system design principles
• How operating systems control access to resources
• The history of trusted computing
• Characteristics of operating system rootkits

Operating System Functions
[Figure: operating system functions; legible labels include user interface, management, communication, resource allocation, CPU, memory, and I/O devices]

History of Operating Systems
• Single-user systems, no OS
• Multiprogrammed OS, aka monitors
• Multiple users
• Multiple programs
• Scheduling, sharing, concurrent use
• Personal computers

Protected Objects
• Memory
• Sharable I/O devices, such as disks
• Serially reusable I/O devices, such as printers
• Sharable programs and subprocedures
• Networks
• Sharable data

OS Layered Design
[Figure: layered OS design, from user processes down to hardware; legible labels: subprocesses of user processes; user processes; compilers, database managers; utility functions; file systems, device allocation; scheduling, sharing, memory management; synchronization, allocation; security functions; security kernel; hardware]

Functions Spanning Layers
[Figure: an authentication function spanning layers; legible labels: trusted interface module, user authentication module, authentication data comparison code]

Modular OS Design
[Figure: modular OS design; legible labels: users, user mode, user interface, shell, system services interface, I/O, time, synch, memory, comm, primitive services, microkernel, kernel mode drivers, hardware interface and abstraction, hardware]

Virtualization
• With virtualization, the OS presents each user with just the resources that user should see
• The user has access to a virtual machine (VM), which contains those resources
• The user cannot access resources that are available to the OS but exist outside the VM
• A hypervisor, or VM monitor, is the software that implements a VM
  • Translates access requests between the VM and the OS
  • Can support multiple OSs in VMs simultaneously
• Honeypot: A VM meant to lure an attacker into an environment that can be both controlled and monitored
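
The translation and confinement described on this slide can be shown with a toy model. This is an added example, not material from the textbook or the lecture; the class, method and VM names are hypothetical, and a flat byte array stands in for the real resource the hypervisor shares out.

```python
# Added illustration: a toy hypervisor that translates guest block numbers
# into offsets of one shared host store. All names here are hypothetical.
class VMAccessError(Exception):
    """Guest request fell outside the VM's own resources."""

class Hypervisor:
    BLOCK = 16  # bytes per block (constructed value)

    def __init__(self, host_blocks):
        self.host = bytearray(host_blocks * self.BLOCK)  # the real resource
        self.vms = {}        # vm name -> (first host block, block count)
        self.next_free = 0
        self.audit = []      # every mediated request, allowed or denied

    def create_vm(self, name, blocks):
        if self.next_free + blocks > len(self.host) // self.BLOCK:
            raise ValueError("host store exhausted")
        self.vms[name] = (self.next_free, blocks)
        self.next_free += blocks

    def _translate(self, vm, guest_block):
        # Guest addresses start at 0 in every VM; only the hypervisor
        # knows where the VM's region sits in the host store.
        base, count = self.vms[vm]
        ok = isinstance(guest_block, int) and 0 <= guest_block < count
        self.audit.append((vm, guest_block, "allow" if ok else "deny"))
        if not ok:
            raise VMAccessError(f"{vm}: block {guest_block} is outside the VM")
        return (base + guest_block) * self.BLOCK

    def write(self, vm, guest_block, data):
        if len(data) > self.BLOCK:
            raise VMAccessError("write larger than one block")
        off = self._translate(vm, guest_block)
        self.host[off:off + self.BLOCK] = data.ljust(self.BLOCK, b"\0")

    def read(self, vm, guest_block):
        off = self._translate(vm, guest_block)
        return bytes(self.host[off:off + self.BLOCK]).rstrip(b"\0")

def demo():
    hv = Hypervisor(host_blocks=8)
    hv.create_vm("vm-a", 4)
    hv.create_vm("vm-b", 4)
    hv.write("vm-a", 0, b"secret-of-a")
    hv.write("vm-b", 0, b"data-of-b")
    try:
        hv.read("vm-b", -4)  # without the bounds check this is vm-a's block 0
        leaked = True
    except VMAccessError:
        leaked = False
    return hv.read("vm-a", 0), hv.read("vm-b", 0), leaked, hv.audit[-3:]
```

The audit list is the monitoring half of the honeypot idea: every guest request passes through one choke point that can record it.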

Separation and Sharing
• Methods of separation:
  • Physical
  • Temporal
  • Logical
  • Cryptographic
• Methods of supporting separation/sharing:
  • Do not protect
  • Isolate
  • Share all or share nothing
  • Share but limit access
  • Limit use of an object
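
The five ways of supporting separation/sharing differ in how finely the OS mediates a request, which a single decision function makes concrete. This is an added example, not code from the textbook or the lecture; the slide does not define the five items, so the semantics below follow their usual textbook reading, and the users, operations and ACL are constructed.

```python
# Added illustration: one access decision under each of the slide's five
# methods. Names and sample data are hypothetical.
from enum import Enum

class Policy(Enum):
    DO_NOT_PROTECT = 1   # no mediation at all
    ISOLATE = 2          # only the owner ever sees the object
    ALL_OR_NOTHING = 3   # owner marks the object public or private
    LIMIT_ACCESS = 4     # per-user check on every access
    LIMIT_USE = 5        # per-user check on the operation as well

class Obj:
    def __init__(self, owner, policy, public=False, acl=None):
        self.owner, self.policy, self.public = owner, policy, public
        self.acl = acl or {}   # user -> set of permitted operations

def allowed(user, op, obj):
    """Return True if `user` may perform `op` on `obj` under its policy."""
    p = obj.policy
    if p is Policy.DO_NOT_PROTECT or user == obj.owner:
        return True
    if p is Policy.ISOLATE:
        return False
    if p is Policy.ALL_OR_NOTHING:
        return obj.public
    if p is Policy.LIMIT_ACCESS:
        return user in obj.acl              # listed users may do anything
    return op in obj.acl.get(user, set())   # LIMIT_USE: operation must be listed

def evaluate(public=False):
    """Same three requests against the same object under each policy."""
    acl = {"bob": {"read"}}   # constructed ACL: bob may view, nothing else
    requests = (("bob", "read"), ("bob", "print"), ("carol", "read"))
    return {
        policy.name: tuple(
            allowed(user, op, Obj("alice", policy, public, acl))
            for user, op in requests)
        for policy in Policy
    }
```

Only the last policy separates viewing from printing for the same user; the first four decide at most who gets in, not what happens afterwards.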