Fsic M5
Foundation of Security in Computing, KTU Module 5
Uploaded by Ardra Suresh
Module 5: Security in Operating Systems

Operating System Security
* The operating system is the first line of defense against all sorts of unwanted behavior.

OS Tools to Implement Security Functions
* Access control techniques such as Access Control Lists (ACL), privilege lists and capability lists.
* Sandbox: A protected environment in which a program can run and not endanger anything else on the system.
* Honeypot: A system to lure an attacker into an environment that can be both controlled and monitored.
* Separation: keeping one user's objects apart from those of other users. It can be achieved by
  * Physical separation
  * Temporal separation
  * Logical separation
  * Cryptographic separation
* Protection can be offered at different levels:
  * Do not protect
  * Isolate
  * Share all or share nothing
  * Share but limit access
  * Limit use of an object

Security in Design of Operating Systems
* Operating systems handle many duties, are subject to interruptions and context switches, and must minimize overhead so as not to slow user computations and interactions.
* Adding the responsibility for security enforcement to the operating system adds to the difficulty of its design.
* Layered trust
  * In a layered design, the most critical and most trusted functions are placed in the innermost layers, and less trusted functions in the outer layers.
  * Each layer depends on the correctness of the layers beneath it, so trust is built up layer by layer from the inside out.
* Kernelized design
  * A kernel is the part of an operating system that performs the lowest-level functions: synchronization, interprocess communication, message passing and interrupt handling.
  * A security kernel is responsible for enforcing the security mechanisms of the entire operating system.
  * It provides the security interfaces among the hardware, the operating system and the other parts of the computing system.
* Security functions may be isolated in a security kernel for the following reasons:
  * Coverage: Every access to a protected object must pass through the security kernel, so the operating system can use the kernel to ensure that every access is checked.
  * Separation: Isolating security mechanisms both from the rest of the OS and from the user space makes it easier to protect those mechanisms from penetration by the OS or the users.
  * Unity: All security functions are performed by a single set of code, so it is easier to trace the cause of any problems that arise with these functions.
  * Modifiability: Changes to the security mechanisms are easier to make and easier to test. And because of unity, the effects of changes are localized, so interfaces are easier to understand and control.
  * Compactness: Because it performs only security functions, the security kernel is likely to be relatively small.
  * Verifiability: Being relatively small, the security kernel can be analyzed rigorously. For example, formal methods can be used to ensure that all security situations (such as states and state changes) have been covered by the design.
* Reference monitor
  * The most important part of a security kernel; it controls accesses to objects.
  * It separates subjects and objects, enforcing that a subject can access only those objects expressly allowed by security policy.
  * It must be tamperproof, unbypassable and analyzable.
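The three reference monitor properties above (tamperproof, unbypassable, analyzable) are easiest to see in code. The following is an added example written for this page, not code from the module or from any real kernel: a toy reference monitor in Python that mediates every access to an object store against an ACL. The subjects (alice, bob, carol), the objects (payroll.db, audit.log) and the ACL are constructed for the example; the read-only mapping proxy stands in for the hardware and kernel protection a real monitor would rely on.

```python
"""Added example, not part of the module text: a minimal reference monitor.

One function, ReferenceMonitor.check, mediates every subject-to-object
access against an access control list (ACL). The policy table is wrapped
in read-only mapping proxies so ordinary code cannot alter it (a software
stand-in for "tamperproof"); the object store exposes no read or write
path that skips the monitor ("unbypassable"); and every decision is
appended to an audit list ("analyzable"). Subjects, objects and the ACL
are constructed for the example.
"""
from types import MappingProxyType

READ, WRITE = "read", "write"


class AccessDenied(PermissionError):
    """Raised when the policy does not expressly allow the access."""


class ReferenceMonitor:
    def __init__(self, acl):
        # acl: {object: {subject: set_of_modes}}; frozen so it cannot be
        # edited through the monitor after construction.
        frozen = {
            obj: MappingProxyType({s: frozenset(m) for s, m in subjects.items()})
            for obj, subjects in acl.items()
        }
        self._acl = MappingProxyType(frozen)
        self.audit = []  # (subject, object, mode, decision)

    def check(self, subject, obj, mode):
        # Default deny: a missing object or subject entry grants nothing.
        allowed = mode in self._acl.get(obj, {}).get(subject, frozenset())
        self.audit.append((subject, obj, mode, "allow" if allowed else "deny"))
        if not allowed:
            raise AccessDenied(f"{subject} may not {mode} {obj}")


class ObjectStore:
    """Holds the protected objects; every access goes through the monitor."""

    def __init__(self, monitor, contents):
        self._monitor = monitor
        self._data = dict(contents)

    def read(self, subject, obj):
        self._monitor.check(subject, obj, READ)
        return self._data[obj]

    def write(self, subject, obj, value):
        self._monitor.check(subject, obj, WRITE)
        self._data[obj] = value


def tamper_attempt(monitor):
    """Try to grant bob write access by editing the live policy table.
    Returns True if the monitor rejected the modification."""
    try:
        monitor._acl["payroll.db"]["bob"] = {READ, WRITE}
        return False
    except TypeError:  # mappingproxy does not support item assignment
        return True


def demo():
    acl = {
        "payroll.db": {"alice": {READ, WRITE}, "bob": {READ}},
        "audit.log": {"alice": {READ}},
    }
    rm = ReferenceMonitor(acl)
    store = ObjectStore(rm, {"payroll.db": "salaries", "audit.log": "events"})
    results = {"bob_reads_payroll": store.read("bob", "payroll.db")}
    for label, action in (
        ("bob_writes_payroll", lambda: store.write("bob", "payroll.db", "tampered")),
        ("carol_reads_audit", lambda: store.read("carol", "audit.log")),  # no entry
    ):
        try:
            action()
            results[label] = "allowed"
        except AccessDenied:
            results[label] = "denied"
    results["payroll_after"] = store.read("alice", "payroll.db")
    results["policy_tamperproof"] = tamper_attempt(rm)
    results["denials_logged"] = sum(1 for d in rm.audit if d[3] == "deny")
    return results


if __name__ == "__main__":
    print(demo())
```

Note the two ways the example fails closed: carol has no ACL entry at all and is denied rather than falling through to a default, and bob's attempt to write is refused before the store is touched, so the object he could only read is unchanged afterwards. The audit list is what makes the monitor analyzable: every allow and deny decision is there to be inspected.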
* Correctness and completeness
  * The OS design must include definitions of which objects will be protected, in what ways, and which accesses to them are permitted.
  * The design must then be implemented so that every object is protected in exactly that way, with no gaps.
* Secure design principles include:
  * least privilege
  * economy of mechanism
  * open design
  * complete mediation
  * permission based
  * separation of privilege
  * least common mechanism
  * ease of use

Trusted Systems
* A trusted system is one that has been shown to warrant some degree of trust that it will perform certain activities faithfully, in accordance with users' expectations.
* A trusted system has:
  * a defined policy that details what security qualities it enforces;
  * appropriate measures and mechanisms by which it can enforce that security adequately;
  * independent scrutiny or evaluation to ensure that the mechanisms have been selected and implemented properly, so that the security policy is achieved.
* Trusted Computing Base (TCB)
  * Everything necessary for a system to enforce its security policy.
  * The functions of the TCB include hardware, process activation, execution domain switching, memory protection and I/O operation.
  * Secure startup ensures no malicious code can block or interfere with security enforcement.
  * A trusted path precludes interference between a user and the security enforcement mechanisms of the operating system.

Security Requirements of Databases
* Following is a list of requirements for database security:
  * Physical database integrity: The data of a database are immune from physical problems, such as power failures, and someone can reconstruct the database if it is destroyed through a catastrophe.
  * Logical database integrity: The structure of the database is preserved.
    With logical integrity of a database, a modification to the value of one field does not affect other fields.
  * Element integrity: The data contained in each element are accurate.
  * Auditability: It is possible to track who or what has accessed (or modified) the elements in the database.
  * Access control: A database administrator specifies who is allowed to access the database, and users can be restricted to different modes of access (such as read or write).
  * User authentication: The DBMS requires rigorous user authentication, both to support the audit trail and to grant permission to access certain data.
  * Availability: Users can access the database in general and all the data for which they are authorized.

Reliability and Integrity
* Database concerns about reliability and integrity can be viewed from three dimensions:
  * Database integrity: Concern that the database as a whole is protected against damage, as from the failure of a disk drive or the corruption of the master database index. These concerns are addressed by operating system integrity controls and recovery procedures.
  * Element integrity: Concern that the value of a specific data element is written or changed only by authorized users. Proper access controls protect a database from corruption by unauthorized users.
  * Element accuracy: Concern that only correct values are written into the elements of a database. Checks on the values of elements can help prevent insertion of improper values. Also, constraint conditions can detect incorrect values.
* Two-phase update
  * A serious problem for database reliability is the failure of the computing system in the middle of data modification.
  * If the data item to be modified was a long field or a record consisting of several attributes, only some of the new data might have been written to permanent storage.
  * Therefore, the database file would contain incorrect data: a record that was only partly updated.
  * The solution to this problem is a two-phase update.
* Two-phase update technique
  * During the first phase, called the intent phase, the DBMS gathers the resources it needs to perform the update.
  * It may gather data, create dummy records, open files, lock out other users, and calculate final answers; in short, it does everything to prepare for the update, but it makes no changes to the database.
  * The first phase is repeatable an unlimited number of times because it takes no permanent action.
  * If the system fails during execution of the first phase, no harm is done, because all these steps can be restarted and repeated after the system resumes processing.
  * The last event of the first phase, called committing, involves the writing of a commit flag to the database.
  * The commit flag means that the DBMS has passed the point of no return: after committing, the DBMS begins making permanent changes.
  * The second phase makes the permanent changes. During the second phase, no actions from before the commit can be repeated, but the update activities of phase two can be repeated as often as needed.
  * If the system fails during the second phase, the database may contain incomplete data, but the system can repair these data by performing all activities of the second phase.
  * After the second phase has been completed, the database is again complete.

Database Disclosure
* Sensitive data are data that should not be made public. Determining which data items and fields are sensitive depends both on the individual database and on the underlying meaning of the data.
* Several factors can make data sensitive:
  * Inherently sensitive: The value itself may be so revealing that it is sensitive. Eg: locations of defensive missiles.
  * From a sensitive source: The source of the data may indicate a need for confidentiality. Eg: information from an informer whose identity would be compromised if the information were disclosed.
  * Declared sensitive: The database administrator or the owner of the data may have declared the data to be sensitive. Eg: data carrying a military classification.
  * Part of a sensitive attribute or record: In a database, an entire attribute or record may be classified as sensitive. Eg: the salary attribute of a personnel database.
  * Sensitive in relation to previously disclosed information: Some data become sensitive in the presence of other data.
    Eg: The longitude coordinate of a secret gold mine reveals little, but the longitude coordinate in conjunction with the latitude coordinate pinpoints the mine.

Types of Disclosures
* Exact data
  * The most serious disclosure is the exact value of a sensitive data item itself. The user may know that sensitive data are being requested, or the user may request general data without knowing that some of it is sensitive.
  * A faulty database manager may even deliver sensitive data by accident, without the user's having requested it.
* Bounds
  * Another exposure is disclosing bounds on a sensitive value, that is, indicating that a sensitive value y lies between two values L and H.
* Negative result
  * Sometimes we can word a query to determine a negative result. That is, we can learn that z is not the value of y.
* Existence
  * In some cases, the existence of data is itself a sensitive piece of data, regardless of the actual value.
  * For example, an employer may not want employees to know that their telephone use is being monitored. In this case, discovering a NUMBER OF PERSONAL TELEPHONE CALLS field in a personnel file would reveal sensitive data.
* Probable value
  * Finally, it may be possible to determine the probability that a sensitive element has a certain value.
* Direct inference
  * Inference is a way to infer or derive sensitive data from nonsensitive data.
* Direct attack
  * A user tries to determine values of sensitive fields by seeking them directly with queries that yield few records.
* Indirect attack
  * Seeks to infer a final result from one or more intermediate statistical results.
  * Sum: An attack by sum tries to infer a sensitive value from a reported total.
  * Count: The count can be combined with the sum to produce some even more revealing results.
  * Mean: The arithmetic mean (average) allows exact disclosure if the attacker can manipulate the subject population.
  * Median: The median can disclose a value by locating the midpoint of an ordered list of values.

Preventing Disclosure
* Two general approaches: suppression, in which sensitive values are simply not provided, and concealing, in which the answer provided is close to but not exactly the actual value.
* Limited response suppression: Eliminates certain low-frequency elements from being displayed.
* Combined results: Rows or columns are combined so that individual sensitive values are hidden.
* Random sample: The result is computed on a random sample of the database.
* Random data perturbation: Perturb the values of the database by a small error.
* Swapping: Values of some rows or columns may be interchanged.
* Query analysis: A query and its implications are analyzed to determine whether a result should be provided.
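The indirect attack by sum and count, and the random data perturbation control that blunts it, are worth running rather than reading. The following is an added example written for this page, not code from the module: a toy statistical database in Python that answers only COUNT and SUM, refuses query sets smaller than a threshold K (limited response suppression), and is still defeated by two permitted queries whose difference isolates one person. The employee table, the threshold K = 3 and the noise range are all constructed for the example.

```python
"""Added example, not part of the module text: an indirect attack on a
statistical database that answers only COUNT and SUM over query sets of
at least K rows, and the random data perturbation countermeasure.

The employee table, K and the noise range are constructed for the example.
"""
import random

K = 3  # minimum query-set size the interface will answer

# Constructed table: salary is the sensitive attribute.
EMPLOYEES = [
    {"name": "Alice", "dept": "ops",   "salary": 4200},
    {"name": "Bob",   "dept": "ops",   "salary": 4600},
    {"name": "Carol", "dept": "eng",   "salary": 5100},
    {"name": "Dave",  "dept": "eng",   "salary": 5300},
    {"name": "Dana",  "dept": "legal", "salary": 5000},  # the only legal employee
    {"name": "Erin",  "dept": "sales", "salary": 3900},
]


class StatisticalDB:
    """Answers aggregate queries only, and refuses a query whose result set
    has fewer than K rows (limited response suppression by set size)."""

    def __init__(self, rows):
        self.rows = rows

    def _select(self, predicate):
        matched = [r for r in self.rows if predicate(r)]
        if len(matched) < K:
            raise PermissionError("query set too small")
        return matched

    def count(self, predicate):
        return len(self._select(predicate))

    def total(self, field, predicate):
        return sum(r[field] for r in self._select(predicate))


def direct_attack(db):
    """Ask for the legal department directly. The set has one row, so the
    size rule refuses it and the attacker learns nothing."""
    try:
        return db.total("salary", lambda r: r["dept"] == "legal")
    except PermissionError:
        return None


def indirect_attack(db):
    """Two permitted queries (5 and 4 rows) that differ by exactly one
    record. COUNT confirms a single person is isolated; SUM minus SUM
    then yields that person's salary exactly."""
    wide = lambda r: r["dept"] in ("ops", "eng", "legal")
    narrow = lambda r: r["dept"] in ("ops", "eng")
    if db.count(wide) - db.count(narrow) != 1:
        return None
    return db.total("salary", wide) - db.total("salary", narrow)


def perturbed(rows, max_error, seed):
    """Random data perturbation: add a small, non-zero error to every
    sensitive value in the copy the statistical interface queries."""
    rng = random.Random(seed)
    out = []
    for r in rows:
        err = rng.randint(1, max_error) * rng.choice((-1, 1))
        out.append({**r, "salary": r["salary"] + err})
    return out


def demo():
    exact = StatisticalDB(EMPLOYEES)
    noisy = StatisticalDB(perturbed(EMPLOYEES, max_error=250, seed=7))
    return {
        "direct": direct_attack(exact),           # None: refused
        "indirect_exact": indirect_attack(exact),  # 5000: Dana's real salary
        "indirect_noisy": indirect_attack(noisy),  # off by up to 250
        "true_salary": 5000,
    }


if __name__ == "__main__":
    print(demo())
```

Against the unperturbed table the size rule stops only the direct query; the two wide and narrow queries both clear K and their difference is an exact disclosure. After perturbation the same pair of queries still runs, but the difference is Dana's salary plus the error that was added to her row, so the attacker obtains bounds (within 250) rather than the exact value, while department totals stay approximately correct for legitimate users.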
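The two-phase update described under Reliability and Integrity earlier on this page is also easier to trust once its recovery behaviour has been exercised. The following is an added example written for this page, not code from the module or from any DBMS: a Python model of a record store with an intent phase, a commit flag and a permanent phase, plus a recover function that is run at restart. PersistentStore, TwoPhaseUpdater, the crash injection parameters and the employee record are all constructed for the example.

```python
"""Added example, not part of the module text: a two-phase update with
crash recovery, written to mirror the intent phase, commit flag and
permanent phase described under Reliability and Integrity.

PersistentStore stands in for the database file. Two failure injections
are available: crash_before_commit raises inside phase one after the
intent has been staged, and crash_after=n raises once n attribute writes
of phase two have completed. Record names and values are constructed.
"""


class Crash(Exception):
    """Simulated failure of the computing system in the middle of an update."""


class PersistentStore:
    def __init__(self, records):
        self.records = {k: dict(v) for k, v in records.items()}
        self.intent = None        # staged (key, new_values); not yet applied
        self.commit_flag = False  # written as the last act of phase one


class TwoPhaseUpdater:
    def __init__(self, store, crash_before_commit=False, crash_after=None):
        self.store = store
        self.crash_before_commit = crash_before_commit
        self.crash_after = crash_after
        self.writes_done = 0

    def intent_phase(self, key, changes):
        """Phase one: gather data and calculate the final values, but change
        nothing in the records. Repeatable any number of times."""
        current = self.store.records[key]
        new_values = {**current, **changes}    # the computed final answers
        self.store.intent = (key, new_values)   # a dummy record, not the data
        if self.crash_before_commit:
            raise Crash("failed before the commit flag was written")
        self.store.commit_flag = True           # committing: point of no return

    def permanent_phase(self):
        """Phase two: write the staged values attribute by attribute.
        Idempotent, so it can be repeated as often as needed."""
        key, new_values = self.store.intent
        for attr, value in new_values.items():
            if self.writes_done == self.crash_after:
                raise Crash(f"failed while writing {key}.{attr}")
            self.store.records[key][attr] = value
            self.writes_done += 1
        self.store.intent = None
        self.store.commit_flag = False          # the update is complete

    def update(self, key, changes):
        self.intent_phase(key, changes)
        self.permanent_phase()


def recover(store):
    """Run at restart. If the commit flag is set, phase two is simply redone;
    if not, the staged intent is discarded because nothing permanent happened."""
    if store.commit_flag:
        TwoPhaseUpdater(store).permanent_phase()
        return "redone"
    store.intent = None
    return "discarded"


def demo():
    base = {"emp42": {"name": "Dana", "salary": 5000, "dept": "ops"}}
    changes = {"salary": 6000, "dept": "eng"}

    # Case 1: crash during phase one. Recovery finds no commit flag and
    # discards the intent; the record is untouched.
    s1 = PersistentStore(base)
    try:
        TwoPhaseUpdater(s1, crash_before_commit=True).update("emp42", changes)
    except Crash:
        pass
    case1 = recover(s1)

    # Case 2: crash after two of the three attribute writes in phase two.
    # The record is torn (new salary, old dept) until recovery redoes phase two.
    s2 = PersistentStore(base)
    try:
        TwoPhaseUpdater(s2, crash_after=2).update("emp42", changes)
    except Crash:
        pass
    torn = dict(s2.records["emp42"])
    case2 = recover(s2)

    return {
        "case1": case1, "case1_record": s1.records["emp42"],
        "torn": torn, "case2": case2, "case2_record": s2.records["emp42"],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the single decision recovery has to make: the commit flag alone tells it whether to throw the intent away or replay phase two. Phase two is written so that replaying it over a torn record is harmless, which is exactly the property the text requires when it says the activities of the second phase can be repeated as often as needed.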