BCA OS Unit5

The document discusses the concepts of protection and security in operating systems, emphasizing the importance of access control, the access matrix, and user authentication. It outlines the goals and principles of protection, types of threats, and security measures, including cryptography and user authentication methods. The document also differentiates between program and system threats, detailing various malicious attacks and the importance of maintaining system integrity, confidentiality, and availability.

Protection: Goals of Protection, Principles of Protection, Domain of Protection, Access Matrix,
Implementation of the Access Matrix, Access Control, Revocation of Access Rights, Capability-Based
Systems. Security: The Security Problem, Program Threats, System and Network Threats, Cryptography as a
Security Tool, User Authentication.

Protection
The processes in an operating system must be protected from one another’s activities. To provide
such protection, we can use various mechanisms to ensure that only processes that have gained
proper authorization from the operating system can operate on the files, memory segments, CPU,
and other resources of a system.

Protection refers to a mechanism for controlling the access of programs, processes, or users to the
resources defined by a computer system. Protection can improve reliability by detecting latent
errors at the interfaces between component subsystems. The role of protection in a computer system
is to provide a mechanism for the enforcement of the policies governing resource use.

Goals of protection:
• To ensure the safety of data, processes and programs against illegal access by users, or even by
other programs.
• To ensure that programs, resources and data are accessed only according to the system's
policies.
• To ensure that there is no breach of access rights, no unauthorized access to existing data, and no
viruses or worms.
• To make the system work properly for its authorized users.

Principles of Protection
A time-tested guiding principle that can be used for protection is the principle of least privilege. It
dictates that programs, users, and even systems be given just enough privileges to perform their
tasks.

Consider the analogy of a security guard with a passkey. If this key allows the guard into just the
public areas that she guards, then misuse of the key will result in minimal damage. If, however, the
passkey allows access to all areas, then damage from its being lost, stolen, misused, copied, or
otherwise compromised will be much greater.
An operating system following the principle of least privilege implements its features, programs,
system calls, and data structures so that failure or compromise of a component does the minimum
damage and allows the minimum damage to be done.

Such an operating system also provides system calls and services that allow applications to be
written with fine-grained access controls. It provides mechanisms to enable privileges when they
are needed and to disable them when they are not needed. Also beneficial is the creation of audit
trails for all privileged function access. The audit trail allows the programmer, system
administrator, or law-enforcement officer to trace all protection and security activities on the
system.

The principle of least privilege can help produce a more secure computing environment.

Domain of Protection
A computer system is a collection of processes and objects. By objects, we mean both hardware
objects (such as the CPU, memory segments, printers, disks, and tape drives) and software objects
(such as files, programs, and semaphores).

A process operates within a protection domain, which specifies the resources that the process may
access. Each domain defines a set of objects and the types of operations that may be invoked on
each object. The ability to execute an operation on an object is an access right.

A domain is a collection of access rights, each of which is an ordered pair <object-name,
rights-set>. For example, if domain D has the access right <file F, {read, write}>, then a process executing
in domain D can both read and write file F. It cannot, however, perform any other operation on that
object. Domains may share access rights. For example, in Figure 14.1, we have three domains: D1,
D2, and D3. The access right <O4, {print}> is shared by D2 and D3, implying that a process
executing in either of these two domains can print object O4. Note that a process must be executing
in domain D1 to read and write object O1, while only processes in domain D3 may execute object
O1.

The association between a process and a domain may be either static, if the set of resources
available to the process is fixed throughout the process’s lifetime, or dynamic.

A domain can be realized in a variety of ways: a domain can be a user, a process, or a procedure.

Each user may be a domain. In this case, the set of objects that can be accessed depends on the
identity of the user. Domain switching occurs when the user is changed — generally when one user
logs out and another user logs in.
Each process may be a domain. In this case, the set of objects that can be accessed depends on the
identity of the process. Domain switching occurs when one process sends a message to another
process and then waits for a response.

Each procedure may be a domain. In this case, the set of objects that can be accessed corresponds
to the local variables defined within the procedure. Domain switching occurs when a procedure call
is made.

Access Matrix and Implementation

Our general model of protection can be viewed abstractly as a matrix, called an access matrix. The
rows of the access matrix represent domains, and the columns represent objects. Each entry in the
matrix consists of a set of access rights. Because the column defines objects explicitly, we can omit
the object name from the access right. The entry access(i, j) defines the set of operations that a
process executing in domain Di can invoke on object Oj.
To illustrate these concepts, we consider the access matrix shown in Figure 14.3. There are four
domains and four objects: three files (F1, F2, F3) and one laser printer. A process executing in
domain D1 can read files F1 and F3. A process executing in domain D4 has the same privileges as
one executing in domain D1; but in addition, it can also write onto files F1 and F3. The laser printer
can be accessed only by a process executing in domain D2.

Figure 14.3 Access matrix.

The access matrix provides an appropriate mechanism for defining and implementing strict control
for both static and dynamic association between processes and domains. When we switch a process
from one domain to another, we are executing an operation (switch) on an object (the domain).

Processes should be able to switch from one domain to another. Switching from domain Di to
domain Dj is allowed if and only if the access right switch ∈ access(i, j). Thus, in Figure 14.4, a
process executing in domain D2 can switch to domain D3 or to domain D4. A process in domain D4
can switch to D1, and one in domain D1 can switch to D2.
Figure 14.4 Access matrix of Figure 14.3 with domains as objects.

Implementation of the Access Matrix

1. Global Table

The simplest implementation of the access matrix is a global table consisting of a set of ordered
triples <domain, object, rights-set>. Whenever an operation M is executed on an object Oj
within domain Di , the global table is searched for a triple < Di , Oj , Rk >, with M ∈ Rk . If this
triple is found, the operation is allowed to continue; otherwise, an exception (or error) condition
is raised.

2. Access Lists for Objects

Each column in the access matrix can be implemented as an access list for one object.
Obviously, the empty entries can be discarded. The resulting list for each object consists of
ordered pairs <domain, rights-set>, which define all domains with a nonempty set of access
rights for that object.
3. Capability Lists for Domains

Rather than associating the columns of the access matrix with the objects as access lists, we can
associate each row with its domain. A capability list for a domain is a list of objects together
with the operations allowed on those objects. An object is often represented by its physical
name or address, called a capability. To execute operation M on object Oj , the process executes
the operation M by specifying the capability (or pointer) for object Oj as a parameter. Simple
possession of the capability means that access is allowed.

4. A Lock-Key Mechanism

The lock-key scheme is a compromise between access lists and capability lists. Each object
has a list of unique bit patterns, called locks. Similarly, each domain has a list of unique bit
patterns, called keys. A process executing in a domain can access an object only if that domain
has a key that matches one of the locks of the object.
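The following is an added example, not code from the notes or from the textbook they follow. It encodes the access matrix of Figure 14.4 (domains as objects with a "switch" right) and then answers the same access request under each of the four implementations above: the global table of triples, per-object access lists, per-domain capability lists, and the lock-key scheme. The D3 row is not listed in the text and is an assumption; the object names, the random lock/key bit patterns and the `check_all` helper are likewise constructed for the example.

```python
import secrets
from collections import defaultdict

# Access matrix modelled on the page's Figure 14.4: domains as objects carry
# "switch" rights. The D3 row is an assumption; the page does not list it.
ACCESS_MATRIX = {
    "D1": {"F1": {"read"}, "F3": {"read"}, "D2": {"switch"}},
    "D2": {"printer": {"print"}, "D3": {"switch"}, "D4": {"switch"}},
    "D3": {"F2": {"read"}, "F3": {"execute"}},                     # assumed row
    "D4": {"F1": {"read", "write"}, "F3": {"read", "write"}, "D1": {"switch"}},
}


def access(domain, obj):
    """access(i, j): the set of operations domain i may invoke on object j."""
    return ACCESS_MATRIX.get(domain, {}).get(obj, set())


def can_switch(src, dst):
    """Domain switching is itself an operation (switch) on the target domain."""
    return "switch" in access(src, dst)


# 1. Global table: a set of <domain, object, rights-set> triples, searched linearly.
class GlobalTable:
    def __init__(self, matrix):
        self.triples = [(d, o, frozenset(r)) for d, row in matrix.items()
                        for o, r in row.items() if r]

    def allows(self, domain, obj, op):
        return any(d == domain and o == obj and op in r for d, o, r in self.triples)


# 2. Access list per object: one matrix column with the empty entries discarded.
class AccessLists:
    def __init__(self, matrix):
        self.by_object = defaultdict(list)
        for d, row in matrix.items():
            for o, r in row.items():
                if r:
                    self.by_object[o].append((d, frozenset(r)))

    def allows(self, domain, obj, op):
        return any(d == domain and op in r for d, r in self.by_object[obj])


# 3. Capability list per domain: one matrix row. A process presents the
# capability as a parameter; simply possessing it is what grants access.
class CapabilityLists:
    def __init__(self, matrix):
        self.by_domain = {d: {o: frozenset(r) for o, r in row.items() if r}
                          for d, row in matrix.items()}

    def capability(self, domain, obj):
        """Hand out the capability (object name + rights) held by the domain, or None."""
        rights = self.by_domain.get(domain, {}).get(obj)
        return (obj, rights) if rights else None

    def allows(self, capability, op):
        return capability is not None and op in capability[1]


# 4. Lock-key: every nonempty entry becomes a random bit pattern stored as a
# lock (with its rights) on the object and as a key in the domain.
class LockKey:
    def __init__(self, matrix):
        self.locks = defaultdict(dict)   # object -> {pattern: rights}
        self.keys = defaultdict(set)     # domain -> {pattern}
        for d, row in matrix.items():
            for o, r in row.items():
                if r:
                    pattern = secrets.randbits(64)
                    self.locks[o][pattern] = frozenset(r)
                    self.keys[d].add(pattern)

    def allows(self, domain, obj, op):
        return any(op in self.locks[obj].get(k, ()) for k in self.keys[domain])


def check_all(domain, obj, op):
    """Evaluate one request under every implementation; they must all agree."""
    gt, al = GlobalTable(ACCESS_MATRIX), AccessLists(ACCESS_MATRIX)
    cl, lk = CapabilityLists(ACCESS_MATRIX), LockKey(ACCESS_MATRIX)
    results = {
        "matrix": op in access(domain, obj),
        "global_table": gt.allows(domain, obj, op),
        "access_list": al.allows(domain, obj, op),
        "capability": cl.allows(cl.capability(domain, obj), op),
        "lock_key": lk.allows(domain, obj, op),
    }
    assert len(set(results.values())) == 1, results   # implementations disagree
    return results["matrix"]


if __name__ == "__main__":
    print("D1 read F1:", check_all("D1", "F1", "read"))       # True
    print("D1 write F1:", check_all("D1", "F1", "write"))     # False
    print("D2 switch to D3:", can_switch("D2", "D3"))         # True
```

Note how the four structures differ in where a lookup starts: the global table and the access list are searched by object, the capability list by domain, and the lock-key scheme by matching patterns, which is what makes later revocation easier for access lists (edit one column) than for capabilities (find every copy).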
System Security
The security of a computer system is a crucial task. It is the process of ensuring the confidentiality
and integrity of the OS. Security is one of the most important tasks, since it keeps threats, other
malicious programs and attacks away from the computer's software system.
A system is said to be secure if its resources are used and accessed as intended under all
circumstances, but no system can guarantee absolute security against the many malicious threats
and unauthorized accesses that exist.
The security of a system can be threatened via two kinds of violation:
• Threat: A program that has the potential to cause serious damage to the system.
• Attack: An attempt to break security and make unauthorized use of an asset.

Security violations affecting the system can be categorized as malicious and accidental threats.

Malicious threats, as the name suggests, are a kind of harmful computer code or web script
designed to create system vulnerabilities leading to back doors and security breaches.

Accidental threats, on the other hand, are comparatively easier to protect against.
Example: a Denial of Service (DDoS) attack.
Security can be compromised via any of the following breaches:
• Breach of confidentiality: This type of violation involves the unauthorized reading of data.
• Breach of integrity: This violation involves unauthorized modification of data.
• Breach of availability: It involves unauthorized destruction of data.
• Theft of service: It involves the unauthorized use of resources.
• Denial of service: It involves preventing legitimate use of the system. As mentioned before,
such attacks can be accidental in nature.

Security System Goals:

Based on the above breaches, the following security goals are aimed at:
1. Integrity:
The objects in the system must not be accessed by any unauthorized user, and any user not having
sufficient rights should not be allowed to modify important system files and resources.
2. Secrecy:
The objects of the system must be accessible only to a limited number of authorized users. Not
everyone should be able to view the system files.
3. Availability:
All the resources of the system must be accessible to all the authorized users.

Threats can be classified into the following two categories:

1. Program Threats:
A program written by a cracker to hijack the security or to change the behavior of a normal
process. In other words, if a user program is altered and made to perform some
malicious, unwanted task, it is known as a program threat.
2. System Threats:
These threats involve the abuse of system services. They strive to create a situation in which
operating-system resources and user files are misused. They are also used as a medium to
launch program threats.

Types of Program Threats:

1. Virus:
An infamous and most widely known threat. It is a self-replicating, malicious program that
attaches itself to a system file and then rapidly replicates itself, modifying and destroying
essential files and leading to a system breakdown.
The types of computer viruses can be briefly described as follows:
– file/parasitic: appends itself to a file
– boot/memory: infects the boot sector
– macro: written in a high-level language like VB and affects MS Office files
– source code: searches for and modifies source code
– polymorphic: changes itself each time it is copied
2. Trojan Horse:
A code segment that misuses its environment is called a Trojan horse.

3. Trap Door:
A trap door is a kind of secret entry point into a running or static program that
allows anyone to gain access to the system without going through the usual security
access procedures.

4. Logic Bomb:
A program that initiates a security attack only under a specific situation.
5. Worm:
A computer worm is a type of malware that replicates itself and infects other computers while
remaining active on the affected systems.

Types of System Threats:

Aside from the program threats, various system threats also endanger the security of our system:
1. Worm: (defined above under program threats)

2. Port Scanning:
It is a means by which the cracker identifies the vulnerabilities of the system to attack. It is an
automated process that involves creating a TCP/IP connection to a specific port. To protect the
identity of the attacker, port scanning attacks are launched from zombie systems: previously
independent systems that are still serving their owners while being used for such notorious
purposes.

3. Denial of Service:
Such attacks are not aimed at collecting information or destroying system files.
Rather, they are used to disrupt the legitimate use of a system or facility.
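From the defender's side, a port scan leaves a recognisable footprint in connection logs: one source touching many distinct ports in a short time. The following detector is an added example, not code from the notes. The log format (`timestamp src dst dport flags`), the threshold, the window and the sample log lines are all constructed for the example; the benign host repeatedly contacts one port, the other host sweeps twelve.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (one SYN per line): "timestamp src dst dport flags".
# 10.0.0.7 opens port 443 repeatedly (normal); 10.0.0.5 sweeps many ports in 12 s.
BENIGN_LINES = [f"2024-05-01T10:00:{i * 5:02d} 10.0.0.7 192.168.1.10 443 SYN"
                for i in range(12)]
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
SCAN_LINES = [f"2024-05-01T10:00:{i:02d} 10.0.0.5 192.168.1.10 {port} SYN"
              for i, port in enumerate(SCAN_PORTS)]
SAMPLE_LOG = "\n".join(BENIGN_LINES + SCAN_LINES)


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst, dport, flags)."""
    ts, src, dst, dport, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), flags


def detect_port_scans(log_text, threshold=10, window=timedelta(seconds=60)):
    """Flag sources that touch >= threshold distinct (dst, port) pairs within a window.

    Returns {src: max distinct targets seen in any window}. Only connection
    attempts (SYN) are counted, so established traffic does not inflate the count.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ts, src, dst, dport, flags in events:
        if flags == "SYN":
            by_src[src].append((ts, dst, dport))

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):            # sliding window over time-sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {(dst, port) for _, dst, port in evs[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


if __name__ == "__main__":
    for src, count in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {count} distinct ports in 60 s")
```

The alert names the source address only. As the text notes, that address is often a zombie system rather than the attacker, so the response is to block or rate-limit the source and investigate the host, not to treat the address as the attacker's identity.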

Security Measures Taken:

To protect the system, security measures can be taken at the following levels:
• Physical:
The sites containing computer systems must be physically secured against armed and malicious
intruders. The workstations must be carefully protected.
• Human:
Only appropriate users must have the authorization to access the system. Phishing (collecting
confidential information) and dumpster diving (collecting basic information so as to gain
unauthorized access) must be guarded against.
• Operating system:
The system must protect itself from accidental or purposeful security breaches.
• Networking system:
Almost all information is shared between different systems via a network. Usually, anti-malware
programs are used to periodically detect and remove viruses and other threats.
Additionally, to protect the system from network threats, a firewall can also be used.

Cryptography
Cryptography is a technique of securing communication by converting plain text into ciphertext.
It involves various algorithms and protocols to ensure data confidentiality, integrity,
authentication, and non-repudiation.
Features of Cryptography
• Confidentiality: Information can only be accessed by the person for whom it is intended; no
other person can access it.
• Integrity: Information cannot be modified, in storage or in transit between sender and intended
receiver, without the modification being detected.
• Non-repudiation: The creator/sender of information cannot later deny having sent the
information.
• Authentication: The identities of the sender and receiver are confirmed, as well as the
origin/destination of the information.
• Interoperability: Cryptography allows for secure communication between different systems
and platforms.
• Adaptability: Cryptography continuously evolves to stay ahead of security threats and
technological advancements.
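The integrity and authentication properties above are easy to confuse with a plain checksum, so here is an added example (not from the notes) contrasting the two with Python's standard library. An unkeyed SHA-256 digest lets anyone who changes the message recompute a matching digest, while an HMAC-SHA256 tag can only be produced by someone holding the shared key. The message, the `tamper_in_transit` attacker model and the `demo` driver are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample message protected first by a checksum, then by a MAC.
MESSAGE = b"transfer 100 to account 42"


def sha256_digest(message):
    """Unkeyed hash: detects accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(message).digest()


def verify_digest(message, digest):
    return hmac.compare_digest(sha256_digest(message), digest)


def make_tag(key, message):
    """HMAC-SHA256 tag: only holders of the shared key can produce a valid one."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key, message, tag):
    # compare_digest is constant-time, so the comparison itself leaks nothing
    return hmac.compare_digest(make_tag(key, message), tag)


def tamper_in_transit(message, protector, recompute=None):
    """Model an attacker who changes the amount in transit and, when it can
    (no key needed), recomputes the protector so the message looks consistent."""
    modified = message.replace(b"100", b"900")
    if recompute is not None:
        protector = recompute(modified)
    return modified, protector


def demo():
    key = secrets.token_bytes(32)   # shared by sender and receiver only

    # 1. Checksum only: the attacker recomputes it, so the receiver is fooled.
    msg, digest = tamper_in_transit(MESSAGE, sha256_digest(MESSAGE), sha256_digest)
    checksum_fooled = verify_digest(msg, digest)        # True: integrity not protected

    # 2. MAC: without the key the attacker cannot forge a tag for the new message.
    msg, tag = tamper_in_transit(MESSAGE, make_tag(key, MESSAGE))
    mac_caught = not verify_tag(key, msg, tag)          # True: tampering detected

    # 3. The genuine message with its genuine tag still verifies.
    genuine_ok = verify_tag(key, MESSAGE, make_tag(key, MESSAGE))

    # 4. A tag made under a different key is rejected (sender authentication).
    other_key_rejected = not verify_tag(secrets.token_bytes(32), MESSAGE,
                                        make_tag(key, MESSAGE))

    return {"checksum_fooled": checksum_fooled, "mac_caught": mac_caught,
            "genuine_ok": genuine_ok, "other_key_rejected": other_key_rejected}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

A MAC gives integrity and authentication but not non-repudiation: because sender and receiver share the same key, either of them could have produced the tag. Non-repudiation needs a digital signature, where only the signer holds the private key.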

What is user authentication?


User authentication verifies the identity of a user attempting to gain access to a network or
computing resource by authorizing a human-to-machine transfer of credentials during interactions
on a network to confirm a user's authenticity. The term contrasts with machine authentication,
which is an automated authentication method that does not require user input.

Authentication helps ensure only authorized users can gain access to a system by preventing
unauthorized users from gaining access and potentially damaging systems, stealing information or
causing other problems. Almost all human-to-computer interactions, other than guest and
automatically logged-in accounts, perform a user authentication. It authorizes access on both wired
and wireless networks to enable access to networked and internet-connected systems and resources.

A straightforward process, user authentication consists of three tasks:


Identification. Users have to prove who they are.
Authentication. Users have to prove they are who they say they are.
Authorization. Users have to prove they're allowed to do what they are trying to do.

User authentication can be as simple as requiring a user to type a unique identifier, such as a user
ID, along with a password to access a system. It can also be more complex, however; for example,
requiring a user to provide information about physical objects or the environment, or even to take
actions, such as placing a finger on a fingerprint reader.
User authentication methods

The main factors used in user authentication include the following:

Knowledge factors include all things users must know in order to log in to gain access to a system.
Usernames, IDs, passwords and personal identification numbers (PINs) all fall under this category.
Possession factors consist of anything users must have in their possession in order to log in. This
category includes one-time password tokens, key fobs, smartphone apps, and employee ID cards.
Inherence factors include characteristics inherent to individuals that confirm their identity. This
category includes the scope of biometrics, such as retina scans, fingerprint scans, facial
recognition and voice authentication.

Single-factor authentication vs. multifactor authentication


Single-factor authentication (SFA) requires verification of one piece of information from a user,
such as a password. Because SFA commonly employs knowledge factors, which require only a
single piece of information, it can't stop an attacker who has stolen a user's password from
accessing a user's system.
Multifactor authentication (MFA) uses more than one method of authentication to verify the
identity of a user. For example, a user may be required to provide a password in combination with a
security question. Two-factor authentication (2FA) uses factors from two of the authentication
categories, while four-factor authentication (4FA) uses at least one factor from four categories of
factors. The latter is considered far more secure due to the additional layers of security that come
with more factors.
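To make the knowledge-plus-possession combination concrete, here is an added example (not code from the notes) of a two-factor login: a salted, iterated password hash for the knowledge factor and a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226) for the possession factor, which is what authenticator apps on a smartphone generate. The user store, the `enroll`/`login` helpers and the sample credentials are constructed for the example; the TOTP secret used in the test is the published RFC 6238 test vector.

```python
import hashlib
import hmac
import secrets
import struct
import time

# ---- knowledge factor: PBKDF2-HMAC-SHA256 password hashing ----------------
def hash_password(password, salt=None, iterations=100_000):
    """Return (salt, iterations, digest); a fresh random salt per user."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, record):
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# ---- possession factor: HOTP (RFC 4226) and TOTP (RFC 6238) ---------------
def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, for_time=None, step=30, digits=6, skew=1):
    """Accept the current code and one step either side (clock drift)."""
    t = int(time.time() if for_time is None else for_time)
    return any(hmac.compare_digest(totp(secret, t + k * step, step, digits), code)
               for k in range(-skew, skew + 1))


# ---- putting both factors together ----------------------------------------
USERS = {}   # constructed in-memory store: username -> {"pw": record, "totp": secret}


def enroll(username, password, totp_secret):
    USERS[username] = {"pw": hash_password(password), "totp": totp_secret}


def login(username, password, code, now=None):
    user = USERS.get(username)
    if user is None:
        hash_password(password)    # same cost path, so timing does not reveal valid usernames
        return False
    pw_ok = verify_password(password, user["pw"])
    code_ok = verify_totp(user["totp"], code, now)
    return pw_ok and code_ok       # both factors are always evaluated, both are required


if __name__ == "__main__":
    secret = secrets.token_bytes(20)          # would be shown as a QR code at enrolment
    enroll("alice", "correct horse battery staple", secret)
    print("login ok:", login("alice", "correct horse battery staple", totp(secret)))
    print("stolen password only:", login("alice", "correct horse battery staple", "000000"))
```

A stolen password alone fails here, which is exactly the gap between single-factor and multifactor authentication described above. Note that the one-time code is only as secret as the enrolment secret: it must be stored as carefully as the password hashes.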

Implementing security defenses

OS security encompasses many different techniques and methods which ensure safety from threats
and attacks. OS security allows different applications and programs to perform required tasks and
stops unauthorized interference.
OS security may be approached in many ways, including:
• Performing regular OS patch updates
• Installing updated antivirus engines and software
• Scrutinizing all incoming and outgoing network traffic through a firewall
• Creating secure accounts with required privileges only (i.e., user management)

Firewalls

A firewall is a network security device that prevents unauthorized access to a network. It
monitors both incoming and outgoing traffic using a predefined set of security rules to detect and
prevent threats.

What is a Firewall?

A firewall is a network security device, either hardware- or software-based, which monitors all
incoming and outgoing traffic and, based on a defined set of security rules, accepts, rejects, or
drops that specific traffic.

• Accept: allow the traffic
• Reject: block the traffic but reply with an "unreachable" error
• Drop: block the traffic with no reply

A firewall is a type of network security device that filters incoming and outgoing network
traffic according to security policies that have previously been set up inside an organization. At
its most basic level, a firewall is essentially the wall that separates a private internal network
from the open Internet.

Functions of a Firewall

• Every piece of data that enters or leaves a computer network must go via the firewall.
• If the data packets are safely routed via the firewall, all of the important data remains intact.
• A firewall logs each data packet that passes through it, enabling the user to keep track of all
network activities.
• Since the data is stored safely inside the data packets, it cannot be altered.
• Every attempt to access our operating system is examined by our firewall, which also
blocks traffic from unidentified or undesired sources.
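The accept/reject/drop actions and the per-packet log described above can be shown with a small first-match packet filter. This is an added example, not code from the notes or from any real firewall product; the `Packet` and `Rule` types, the rule set (allow HTTPS to a web server, reject Telnet from the internal LAN with an unreachable reply, drop everything else) and the addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept", "reject" or "drop"
    src: str = "0.0.0.0/0"       # CIDR; default matches any source
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any port
    proto: Optional[str] = None  # None matches any protocol

    def matches(self, p):
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.proto is None or self.proto == p.proto))


class Firewall:
    """First matching rule decides; unmatched traffic gets the default action."""

    def __init__(self, rules, default="drop"):
        self.rules = rules
        self.default = default
        self.log = []            # every packet is recorded with its verdict

    def filter(self, packet):
        verdict = self.default
        for rule in self.rules:
            if rule.matches(packet):
                verdict = rule.action
                break
        # reject tells the sender it was blocked; drop is silent
        reply = "icmp-unreachable" if verdict == "reject" else None
        self.log.append((packet, verdict))
        return verdict, reply


# Constructed policy: a web server on 192.168.1.10 behind the firewall.
RULES = [
    Rule("accept", dst="192.168.1.10/32", dport=443, proto="tcp"),
    Rule("reject", src="192.168.1.0/24", dport=23, proto="tcp"),   # no Telnet from the LAN
]


def run_sample():
    fw = Firewall(RULES)              # default: drop everything not explicitly allowed
    verdicts = [
        fw.filter(Packet("203.0.113.7", "192.168.1.10", 443)),   # public HTTPS -> accept
        fw.filter(Packet("192.168.1.25", "192.168.1.10", 23)),   # LAN Telnet -> reject
        fw.filter(Packet("203.0.113.7", "192.168.1.10", 22)),    # public SSH -> drop
    ]
    return verdicts, fw.log


if __name__ == "__main__":
    verdicts, log = run_sample()
    for (packet, verdict) in log:
        print(f"{packet.src} -> {packet.dst}:{packet.dport} {verdict}")
```

The default-drop at the end of the rule list is the part that matters most: everything the policy does not explicitly allow is blocked, which is the least-privilege principle from the start of the unit applied to network traffic.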

Computer Security Classifications

As per the U.S. Department of Defense Trusted Computer System Evaluation Criteria, there are
four security classifications in computer systems: A, B, C, and D. These are widely used
specifications to determine and model the security of systems and of security solutions. Following
is a brief description of each classification.

S.N. | Classification Type & Description

1. Type A
Highest level. Uses formal design specifications and verification techniques. Grants a high
degree of assurance of process security.

2. Type B
Provides a mandatory protection system. Has all the properties of a class C2 system. Attaches a
sensitivity label to each object. It is of three types:
• B1 − Maintains the security label of each object in the system. The label is used for making
access-control decisions.
• B2 − Extends the sensitivity labels to each system resource, such as storage objects;
supports covert channels and auditing of events.
• B3 − Allows creating lists or user groups for access control, to grant or revoke
access to a given named object.

3. Type C
Provides protection and user accountability using audit capabilities. It is of two types:
• C1 − Incorporates controls so that users can protect their private information and keep
other users from accidentally reading or deleting their data. UNIX versions are mostly C1
class.
• C2 − Adds individual-level access control to the capabilities of a C1 level system.

4. Type D
Lowest level. Minimum protection. MS-DOS and Windows 3.1 fall in this category.
