Chapter 6: Security and Protection

Security refers to providing a protection system to computer system resources such as CPU, memory,
disk, software programs and most importantly data/information stored in the computer system. If a
computer program is run by unauthorized user then he/she may cause severe damage to computer or
data stored in it. So a computer system must be protected against unauthorized access, malicious access
to system memory, viruses, worms etc.

6.1. Threats, intruders, accidental data loss, encryption, user authentication

Operating system's processes and kernel do the designated task as instructed. If a user program made
these process do malicious tasks then it is known as Program Threats.

Attacker or Intruder: An entity which tries to find a way to gain unauthorized access to information,
cause harm or engage in other malicious activities.

In addition to threats caused by malicious intruders, data can also be lost by accident. Common Causes:

1. Acts of God

- fires, floods, wars

2. Hardware or software errors

- CPU malfunction, bad disk, program bugs

3. Human errors

- data entry…

The basic idea of encryption is to encode a message so that only the desired recipient can decode and
read it. Encryption has been around since before the days of Caesar, and is an entire field of study in
itself.

Authentication is a method for identifying an individual user with credentials supplied by the operating
system of the user's computer. These credentials can be the OS password.

6.2. Other security issues: Trojan horses, viruses, worms, logic bombs

A Trojan horse is a program that secretly performs some maliciousness in addition to its visible actions.

Some Trojan horses are deliberately written as such, and others are the result of legitimate programs
that have become infected with viruses.

A virus is a fragment of code embedded in an otherwise legitimate program, designed to replicate itself
(by infecting other programs), and (eventually) wreaking havoc.

Viruses are more likely to infect PCs than UNIX or other multi-user systems, because programs in the
latter systems have limited authority to modify other programs or to access critical system structures

1
A worm is a process that uses the fork / spawn process to make copies of itself in order to wreak havoc
on a system. Worms consume system resources, often blocking out other, legitimate processes. Worms
that propagate over networks can be especially problematic, as they can tie up vast amounts of network
resources and bring down large-scale systems.

A Logic Bomb is code that is not designed to cause destruction all the time, but only when a certain set
of circumstances occurs, such as when a particular date or time is reached or some other noticeable
event.

6.3. Protection mechanisms

The purpose of a protection system is to prevent accidental or intentional misuse of a system.

• Accidents: Problems of this kind are easy to solve (can do things to make the likelihood small).

• Malicious abuse: Problems of this kind are very hard to completely eliminate (cannot leave any
loopholes, cannot play on probabilities).

There are three aspects to a protection mechanism:

• User identification (authentication): make sure we know who is doing what.

• Authorization determination: must figure out what the user is and is not allowed to do. Need a
simple database for this.

• Access enforcement: must make sure there are no loopholes in the system.

Even the slightest flaw in any of these areas may ruin the whole protection mechanism.

Authentication

Modern authentication is based on a three factor model: (1) what you have, (2) what you are, and (3)
what you know.

What you know: This means some sort of password or PIN number. Passwords are commonly used by
themselves and so are a relatively week form of authentication.

• Passwords should not be stored in a readable form. One-way transformations should be used.

• Passwords should be relatively long and obscure. Paradox: short passwords are easy to guess or
crack; long passwords are easily forgotten and usually written down.

What you have: This means some sort physical device that you hold. It should be something that is
difficult for forge or copy and, if stolen, is hard to use. Some examples:

• A physical key: often easy to copy, and easy to use if stolen.

• An identification badge: moderate to difficult to copy and easy to use if stolen.

2
 • Crypto card or app: generates one-time use keys. Difficult (not impossible) to copy of the chips
are designed to be tamper resistant. The addition of a PIN number for the device makes it hard
to use if stolen (this is effectively adding a second factor).

What you are: this means using physical data about your body, called biometrics. It might be a finger or
hand print, retinal scan, facial recognition, or even weight (or some combination of these).

• Fingerprint readers are now common, found on lots of smart phones and laptop computers.
Finger or hand print readers are common in secure environments. For example, U.S. Customs
and Border Protection uses finger prints for both frequent travelers (the Global Entry system)
and foreign visitors.

• CERN uses retinal scans to restrict access to their underground accelerator beam tunnel.

• Some secure environments will weigh you as you enter or exit to see if that is consistent with
your records. (Lots of false alarms after the holidays!)

You use two or three factor authentication for stronger security. Just using one factor alone has
significant weakness. The most secure environments use all three factors, which means that the tricks
that you have seen in the James Bond movies would not work that well in the real world.

Once identification is complete, the system must be sure to protect the identity since other parts of the
system will rely on it.

Authorization Determination

Must indicate who is allowed to do what with what. Draw the general form as an access matrix with one
row per user, one column per file. Each entry indicates the privileges of that user on that object. There
are two general ways of storing this information: access lists and capabilities.

Access Lists: with each file, indicate which users are allowed to perform which operations.

• In the most general form, each file has a list of pairs.

• It would be tedious to have a separate listing for every user, so they are usually grouped into
classes. For example, in Unix there are three classes: self, group, anybody else (nine bits per
file).

• Access lists are simple, and are used in almost all file systems.

Capabilities: with each user, indicate which files may be accessed, and in what ways.

• Store a list of pairs with each user. This is called a capability list.

• Typically, capability systems use a different naming arrangement, where the capabilities are the
only names of objects. You cannot even name objects not referred to in your capability list.

3
 • In access-list systems, the default is usually for everyone to be able to access a file. In capability-
based systems, the default is for no-one to be able to access a file unless they have been given a
capability. There is no way of even naming an object without a capability.

• Capabilities are usually used in systems that need to be very secure. However, capabilities can
make it difficult to share information: nobody can get access to your stuff unless you explicitly
give it to them.

Are the following things access-based or capability-based protection schemes?

• Protection Keys

• Page tables

Access Enforcement

Some part of the system must be responsible for enforcing access controls and protecting the
authorization and identification information.

• Obviously, this portion of the system must run unprotected. Thus it should be as small and
simple as possible. Example: the portion of the system that sets up memory mapping tables.

• The portion of the system that provides and enforces protection is called the security kernel.
Most systems, like Unix, do not have a security kernel. As a consequence, the systems are not
very secure.

• What is needed is a hierarchy of levels of protection, with each level getting the minimum
privilege necessary to do its job. However, this is likely to be slow (crossing levels takes time).