Module 4

The document discusses file directories in file management systems, detailing their structure, contents, and operations. It outlines various directory types, including single-level, two-level, tree-structured, and acyclic-graph directories, as well as operations on files and directories such as creating, opening, and deleting files. Additionally, it addresses file system security, intrusion detection, and user authentication, emphasizing the importance of protecting valuable information from unauthorized access and data loss.

MODULE 4

FILE DIRECTORIES
Associated with any file management system and collection of files is a file directory. The directory contains information about the files, including attributes, location, and ownership. Much of this information, especially that concerning storage, is managed by the operating system. The directory is itself a file, accessible by various file management routines. Although some of the information in directories is available to users and applications, this is generally provided indirectly by system routines.
Concept of File Directory
To keep track of files, the file system normally provides directories, which, in many systems, are themselves files. The structure of the directories and the relationships among them are the main areas where file systems tend to differ, and this is also the area that has the most significant effect on the user interface provided by the file system.
Contents of File Directory
From the user’s point of view, the directory provides a mapping between file names, known to
users and applications, and the files themselves. Thus, each file entry includes the name of the
file. Virtually all systems deal with different types of files and different file organisations, and
this information is also provided.
An important category of information about each file concerns its storage, including its location
and size. In shared systems, it is also important to provide information that is used to control
access to the file.
Typically, one user is the owner of the file and may grant certain access privileges to other users.
Finally, usage information is needed to manage the current use of the file and to record the
history of its usage.
File Directory Structure
The number of directories varies from one operating system to another.
In this section, we describe the most common schemes for defining the logical structure of a
directory. These are:
1. Single-Level Directory
2. Two-Level Directory
3. Tree-Structured Directory
4. Acyclic Graph Directory

1. Single-Level Directory
In a single-level directory system, all the files are placed in one directory. This is very common
on single-user operating systems. A single-level directory has significant limitations when the
number of files increases or when there is more than one user. Since all files are in the same
directory, they must have unique names. If there are two users who call their data file
“cit381note.doc”, then the unique-name rule is violated. Even with a single user, as the number
of files increases, it becomes difficult to remember the names of all the files in order to create
only files with unique names.
Figure 5 below shows the structure of a single-level directory system.
Fig 5: Single Level Directory
Source: Operating System Concepts with Java, 6th ed., by Abraham Silberschatz and others (2004)
2. Two-Level Directory
In the two-level directory system, the system maintains a master block that has one entry for each user. This master block contains the addresses of the directories of the users. This structure effectively isolates one user from another and so eliminates name conflicts among users. That is an advantage when users are completely independent, but a disadvantage when users want to cooperate on some task and access each other's files; some systems simply do not allow local files to be accessed by other users. The two-level structure is also unsatisfactory for users with many files, because it is quite common for users to want to group their files together in a logical way.

3. Tree-Structured Directories

In the tree-structured directory, directories themselves are treated as files. This leads to the possibility of sub-directories that can contain files and further sub-directories. An interesting policy decision in a tree-structured directory is how to handle the deletion of a directory. If a directory is empty, its entry in its containing directory can simply be deleted. However, if the directory to be deleted is not empty but contains several files or sub-directories, deletion becomes more problematic. Some systems will not delete a directory unless it is empty; thus, to delete a directory, someone must first delete all the files in that directory, and if there are any sub-directories, this procedure must be applied recursively to them so that they can be deleted too. This approach may result in a substantial amount of work. An alternative approach is simply to assume that when a request is made to delete a directory, all of that directory's files and sub-directories are also to be deleted. The tree-structured directory is the most common directory structure.
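The two deletion policies described above (refuse a non-empty directory, or delete everything beneath it) and the per-directory unique-name rule, as an added example that is not part of the module; the tree, the user names and the file names are constructed for illustration.

```python
class Directory:
    """A directory is itself a file: it maps names to plain files or sub-directories."""

    def __init__(self, name):
        self.name = name
        self.entries = {}  # name -> Directory, or int (size) for a plain file

    def _check_unique(self, name):
        # The unique-name rule applies within one directory, not system-wide,
        # which is what lets two users each own a "cit381note.doc".
        if name in self.entries:
            raise FileExistsError(f"{name!r} already exists in directory {self.name!r}")

    def create_file(self, name, size=0):
        self._check_unique(name)
        self.entries[name] = size

    def mkdir(self, name):
        self._check_unique(name)
        sub = Directory(name)
        self.entries[name] = sub
        return sub

    def lookup(self, path):
        """Resolve a '/'-separated path relative to this directory."""
        node = self
        for part in (p for p in path.split("/") if p):
            if not isinstance(node, Directory) or part not in node.entries:
                raise FileNotFoundError(path)
            node = node.entries[part]
        return node

    def count_entries(self):
        """Number of files and directories beneath this directory (recursive)."""
        total = 0
        for entry in self.entries.values():
            total += 1
            if isinstance(entry, Directory):
                total += entry.count_entries()
        return total

    def rmdir(self, path, recursive=False):
        """Delete the sub-directory at path; return how many entries went away.

        recursive=False is the strict policy: refuse unless the directory is empty.
        recursive=True is the permissive policy: everything beneath it goes too.
        """
        parent_path, _, name = path.strip("/").rpartition("/")
        parent = self.lookup(parent_path)
        target = parent.entries.get(name) if isinstance(parent, Directory) else None
        if not isinstance(target, Directory):
            raise NotADirectoryError(path)
        if target.entries and not recursive:
            raise OSError(f"directory {path!r} is not empty")
        removed = target.count_entries() + 1
        del parent.entries[name]
        return removed


def demo():
    """Constructed example tree; returns (strict_result, entries_removed, entries_left)."""
    root = Directory("/")
    home = root.mkdir("home")
    alice = home.mkdir("alice")
    bob = home.mkdir("bob")
    alice.create_file("cit381note.doc", 2048)
    bob.create_file("cit381note.doc", 1024)        # same name, different directory: allowed
    alice.mkdir("drafts").create_file("notes.txt", 10)
    try:
        root.rmdir("home/alice")                     # strict policy: refused, not empty
        strict_result = "deleted"
    except OSError as exc:
        strict_result = f"refused: {exc}"
    removed = root.rmdir("home", recursive=True)     # permissive policy: whole subtree goes
    return strict_result, removed, len(root.entries)


if __name__ == "__main__":
    print(demo())
```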
4. Acyclic-Graph Directories
The acyclic-graph directory structure is an extension of the tree-structured directory structure. In the tree-structured directory, the files and directories below some fixed directory are owned by one particular user. In the acyclic-graph structure, this restriction is removed, and thus a directory or a file under a directory can be owned by several users.

Operations on Files Versus Directories


The operating system provides system calls to create, write, read, reposition, truncate and delete files. The following sub-units discuss the specific duties a file system must perform for each of the basic file operations.
File Operations
The following are the various operations that can take place on a file:
a. Creating a File
When creating a file, a space in the file system must be found for the file and then an entry for
the new file must be made in the directory. The directory entry records the name of the file and
the location in the file system.
b. Opening a File
Before using a file, a process must open it. The purpose of the OPEN call is to allow the system
to fetch the attributes and list of secondary storage disk addresses into main memory for rapid
access on subsequent calls.
c. Closing a File
When all the accesses are finished, the attributes and secondary storage addresses are no longer
needed, so the file should be closed to free up internal table space. Many systems encourage this
by imposing a maximum number of open files on processes.
d. Writing a File
To write a file, a system call is made specifying both the name of the file and the information to be written to the file. Given the name of the file, the system searches the directory to find the location of the file. The directory entry will need to store a pointer to the current block of the file (usually the beginning of the file). Using this pointer, the address of the next block can be computed, and the information is written there. The write pointer must be updated after each write, so that successive writes can be used to write a sequence of blocks to the file. It is also important to make sure that existing data is not overwritten in the case of an append operation, i.e. when we are adding a block of data at the end of an already existing file.
e. Reading a File
To read a file, a system call is made that specifies the name of the file and where (in memory) the
next block of the file should be put. Again, the directory is searched for the associated directory
entry, and the directory will need a pointer to the next block to be read. Once the block is read,
the pointer is updated.
Directory Operations
When considering a particular directory structure, we need to keep in mind the operations that
are to be performed on a directory.
a. Create a File
New files need to be created and added to the directory.
b. Delete a File
When a file is no longer needed, we want to remove it from the directory. Only an empty
directory can be deleted.
c. Open a File
Directories can be read. For example, to list all files in a directory, a listing program opens the
directory to read out the names of all the files it contains. Before a directory can be read, it must
be opened.
d. Close a File
When a directory has been read, it should be closed to free up internal table space.
e. Read a File
This call returns the next entry in an open directory. Formerly, it was possible to read directories using the usual READ system call, but that approach has the disadvantage of forcing the programmer to know and deal with the internal structure of directories. In contrast, READDIR always returns one entry in a standard format, no matter which of the possible directory structures is being used.
f. Rename a File
Because the name of a file represents its contents to its users, the name must be changeable when the contents or use of the file changes. Renaming a file may also allow its position within the directory structure to be changed.
g. Search for a File
We need to be able to search a directory structure to find the entry for a particular file.
h. List a Directory
We need to list the files in a directory and the contents of the directory entry for each file in the
list.
Note that the above list gives the most important operations, but there are a few others as well,
for example, for managing the protection information associated with a directory.

FILE SYSTEM SECURITY


File systems often contain information that is highly valuable to their users. Therefore, prevention of or protection against (a) unauthorised access to information or (b) intentional but unauthorised destruction or alteration of that information is a major concern. In this unit we will look at a variety of issues concerned with security and integrity.
3.1 The Security Environment
Security has many facets. Two of the more important ones relate to data loss and intrusion.
Some of the common causes of data loss are:
• Natural phenomena such as fire, flood, earthquakes, wars, riots or attacks by rodents.
• Hardware or software errors: CPU malfunctions, unreadable disks or tapes, telecommunication errors, program bugs.
• Human errors: incorrect data entry, wrong tape or disk mounted, wrong program run, lost disk or tape.
Most of these can be dealt with by maintaining adequate backups, preferably far away from the original data.
3.1.1 System Protection
To protect the system, we must take security measures at four levels:
• Physical: The site or sites containing the computer systems must be physically secured against armed or surreptitious entry by intruders.
• Human: Users must be screened carefully to reduce the chances of authorising a user who then gives access to an intruder (in exchange for a bribe, for example).
• Network: Much computer data in modern systems travels over private leased lines, shared lines such as the Internet, or dial-up lines. Intercepting these data could be just as harmful as breaking into a computer, and interruption of communications could constitute a remote denial-of-service attack, diminishing users' use of and trust in the system.
• Operating system: The system must protect itself from accidental or purposeful security breaches.
Security at the first two levels must be maintained if operating-system security is to be ensured. A weakness at a high level of security (physical or human) allows circumvention of strict low-level (operating-system) security measures. Furthermore, the system hardware must provide protection to allow the implementation of security features. Most contemporary operating systems are now designed to provide security features.
3.2 Intrusion/Categories of Intruders
Intrusion is a set of actions that attempt to compromise the integrity, confidentiality, or
availability of any resource on a computing platform.
Categories of Intruders
• Casual prying by nontechnical users. Many people have terminals to timesharing systems on their desks, and, human nature being what it is, some of them will read other people's electronic mail and other files if no barriers are placed in the way.
• Snooping by insiders. Students, system programmers, operators, and other technical personnel often consider it a personal challenge to break the security of a local computer system. They are often highly skilled and are willing to devote a substantial amount of time to the effort.
• Determined attempts to make money. Some bank programmers have attempted to manipulate the banking system in order to steal from the bank. Schemes vary from changing software to truncate rather than round off interest, keeping the fraction for themselves, to siphoning off accounts not used for years, to blackmail ("pay me or I will destroy all the bank's records").
• Commercial or military espionage. Espionage refers to a serious and well-funded effort by a competitor or a foreign country to steal programs, trade secrets, patents, technology, circuit designs, marketing plans, and so forth. Often this attempt will involve wiretapping or even erecting antennas near the computer to pick up its electromagnetic radiation.
The amount of effort that one puts into security and protection clearly depends on who the enemy is thought to be. Absolute protection of the system from malicious abuse is not possible, but the cost to the perpetrator can be made sufficiently high to deter most, if not all, unauthorised attempts to access the information residing in the system.
3.2.1 Intrusion Detection
Intrusion detection strives to detect attempted or successful intrusions into computer systems and to initiate appropriate responses to the intrusions. Intrusion detection encompasses a wide array of techniques that vary on a number of axes. These axes include:
• The time that detection occurs. Detection can occur in real time (while the intrusion is occurring) or after the fact.
• The types of inputs examined to detect intrusive activity.
• The range of response capabilities. Simple forms of response include alerting an administrator to the potential intrusion or somehow halting the potentially intrusive activity—for example, killing a process engaged in apparently intrusive activity.
Intrusion can be detected through:
• Auditing and logging. A common method of intrusion detection is audit-trail processing, in which security-relevant events are logged to an audit trail and then matched against attack signatures (in signature-based detection) or analyzed for anomalous behavior (in anomaly detection).
• Tripwire. Tripwire operates on the premise that many intrusions result in anomalous modification of system directories and files.
• System-call monitoring. This is a more recent and speculative form of anomaly detection. It monitors process system calls to detect in real time when a process is deviating from its expected system-call behavior.
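A Tripwire-style integrity check in the sense described above, as an added example (not the Tripwire tool's own code and not part of the module): it baselines the size, permission bits and SHA-256 digest of every regular file under a directory, and then reports what was added, removed or modified. The directory tree and the tampering steps in `demo()` are constructed in a temporary directory purely to exercise the check; the permission-bit comparison assumes a POSIX file system.

```python
import hashlib
import os
import stat
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Baseline every regular file under root: size, permission bits, SHA-256."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                        # deterministic traversal order
        for fname in sorted(filenames):
            path = os.path.join(dirpath, fname)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):   # ignore symlinks, sockets, devices
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"size": st.st_size,
                             "mode": stat.S_IMODE(st.st_mode),
                             "sha256": file_digest(path)}
    return baseline


def compare(baseline, current):
    """Report files added, removed, or modified since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = []
    for rel in sorted(set(baseline) & set(current)):
        changed = [key for key in ("size", "mode", "sha256")
                   if baseline[rel][key] != current[rel][key]]
        if changed:
            modified.append((rel, changed))
    return {"added": added, "removed": removed, "modified": modified}


def _write(path, data, mode=0o644):
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo():
    """Constructed 'system' tree: take a baseline, alter it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        _write(os.path.join(root, "bin", "login"), b"#!/bin/sh\nexec real_login\n", 0o755)
        _write(os.path.join(root, "etc", "passwd"), b"root:x:0:0:root:/root:/bin/sh\n")
        _write(os.path.join(root, "etc", "motd"), b"Authorised users only\n")
        baseline = snapshot(root)

        # Constructed changes of the kind Tripwire is meant to catch: a replaced
        # binary, a loosened permission, an unexpected new file, a deleted file.
        _write(os.path.join(root, "bin", "login"), b"#!/bin/sh\nexec other_login\n", 0o755)
        os.chmod(os.path.join(root, "etc", "passwd"), 0o666)
        _write(os.path.join(root, "bin", "extra"), b"unexpected\n", 0o755)
        os.remove(os.path.join(root, "etc", "motd"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

In practice the baseline would be stored off-host or on read-only media, since an intruder who can alter system files can also alter a baseline kept beside them.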
3.3 Design Principles for Security
Some researchers have identified several general principles that can be used as a guide to designing secure systems. A brief summary of their ideas is given below:
• System design should be public.
• The default should be no access. Errors in which legitimate access is refused will be reported much faster than errors in which unauthorised access is allowed.
• Check for current authority. The system should not check permission once, determine that access is permitted, and then rely on that decision for later accesses. Many systems check for permission when a file is opened and not afterwards. This means that a user who opens a file and keeps it open for weeks will continue to have access, even if the owner has long since changed the file protection.
• Give each process the least privilege possible.
• The protection mechanism should be simple, uniform, and built into the lowest layers of the system.
• The scheme chosen must be psychologically acceptable. If users feel that protecting their files is too much work, they just will not do it.
3.4 User Authentication
A major security problem for operating systems is authentication. The protection system depends
on the ability to identify the programs and processes currently executing, which in turn depends
on the ability to identify each user of the system. The process of identifying users when they log
on is called user authentication. How do we determine whether a user's identity is authentic?
Generally, authentication is based on one or more of three items:
• User possession (a key or card)
• User knowledge (a user identifier and password)
• User attributes (fingerprint, retina pattern, or signature).
3.4.1 Passwords
The most common approach to authenticating a user identity is the use of passwords. When a
user identifies herself by user ID or account name, she is asked for a password. If the user-
supplied password matches the password stored in the system, the system assumes that the user
is legitimate. Passwords are often used to protect objects in the
computer system, in the absence of more complete protection schemes.
Different passwords may be associated with different access rights. For example, different
passwords may be used for reading files, appending files, and updating files.
Password Vulnerabilities
Passwords are extremely common because they are easy to understand and use. Unfortunately,
passwords can often be guessed, accidentally exposed, sniffed, or illegally transferred from an
authorized user to an unauthorised one.
There are two common ways to guess a password.
• One way is for the intruder (either human or program) to know the user or to have information about the user.
• The other is the use of brute force: enumerating all possible combinations of letters, numbers, and punctuation until the password is found.
Short passwords are especially vulnerable to the last method. For example, a four-digit password
provides only 10,000 variations. On average, guessing 5,000 times would produce a correct hit.
A program that could try a password every 1 millisecond would take only about 5 seconds to
guess a four-digit password. Enumeration is not as successful at finding passwords in systems
that allow longer passwords, that differentiate between uppercase and lowercase letters, and that
allow use of numbers and all punctuation characters in passwords.
In addition to being guessed, passwords can be exposed as a result of visual or electronic
monitoring. An intruder can look over the shoulder of a user (shoulder surfing) when the user is
logging in and can learn the password easily by watching the keystrokes. Alternatively, anyone
with access to the network on which a computer resides could
seamlessly add a network monitor, allowing her to watch all data being transferred on the
network (sniffing), including user IDs and passwords.
Encrypting the data stream containing the password solves this problem.
Exposure is a particularly severe problem if the password is written down where it can be read or
lost. Some systems force users to select hard-to-remember or long passwords, which may cause a
user to record the password. As a result, such systems provide much less security than systems
that allow easy passwords!
The final method of password compromise/illegal transfer is the result of human nature. Most
computer installations have a rule that forbids users to share accounts. This rule is sometimes
implemented for accounting reasons but is often aimed at improving security.
3.4.2 Biometrics
There are many other variations to the use of passwords for authentication. Palm- or hand-readers are commonly used to secure physical access—for example, access to a data center. These readers match stored parameters against what is being read from hand-reader pads. The parameters can include a temperature map, as well as finger length, finger width, and line patterns. These devices are currently too large and expensive to be used for normal computer authentication.
Fingerprint readers have become accurate and cost-effective and should become more common
in the future. These devices read your finger's ridge patterns and convert them into a sequence of
numbers. Over time, they can store a set of sequences to adjust for the location of the finger on
the reading pad and other factors. Software can then scan a finger on the pad and compare its
features with these stored sequences to determine if the finger on the pad is the same as the
stored one. Of course, multiple users can have profiles stored, and the scanner can differentiate
among them. A very accurate two-factor authentication scheme can result from requiring a
password as well as a user name and
fingerprint scan. If this information is encrypted in transit, the system can be very resistant to
spoofing or replay attack.
3.5 Programme Threats
When a program written by one user may be used by another, misuse and unexpected behavior may result. Some common methods by which users gain access to the programs of others are:
• Trojan horses
• Trap doors
• Stack and buffer overflow.
3.5.1 Trojan Horse
Many systems have mechanisms for allowing programs written by users to be executed by other
users. If these programs are executed in a domain that provides the access rights of the executing
user, the other users may misuse these rights. A text-editor program, for example, may include
code to search the file to be edited for certain keywords. If any
are found, the entire file may be copied to a special area accessible to the creator of the text
editor. A code segment that misuses its environment is called a Trojan horse.
A variation of the Trojan horse is a program that emulates a login program. An unsuspecting user starts to log in at a terminal and notices that he has apparently mistyped his password. He tries again and is successful. What has happened is that his authentication key and password have been stolen by the login emulator, which was left running on the terminal by the thief. The emulator stored away the password, printed out a login error message, and exited; the user was then provided with a genuine login prompt.
3.5.2 Trap Door
The designer of a program or system might leave a hole in the software that only he/she is capable of using. This type of security breach is called a trap door. Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half-cent credited to their accounts. This account crediting can add up to a large amount of money, considering the number of transactions that a large bank executes. Trap doors pose a difficult problem because, to detect them, we have to analyze all the source code for all components of a system. Given that software systems may consist of millions of lines of code, this analysis is not done frequently, and frequently it is not done at all!
3.5.3 Stack and Buffer Overflow
This is the most common way for an attacker outside of the system, on a network or dial-up
connection, to gain unauthorized access to the target system. An authorized user of the system
may also use this exploit for privilege escalation, to gain privileges beyond those allowed for
that user. Essentially, the attack exploits a bug in a program. The bug can be
a simple case of poor programming, in which the programmer neglected to code bounds
checking on an input field. The buffer-overflow attack is especially pernicious, as it can be run
within a system and can travel over allowed communications channels. Such attacks can occur
within protocols that are expected to be used to communicate with the machine, and they can
therefore be hard to detect and prevent. They can even bypass the security added by firewalls.
One solution to this problem is for the CPU to have a feature that disallows execution of code in
a stack section of memory.
3.6 System Threats
Most operating systems provide a means by which processes can spawn other processes. In such
an environment, it is possible to create a situation where operating system resources and user
files are misused.
The two most common methods for achieving this misuse are worms and viruses. We discuss
each below, along with a somewhat different form of system threat: denial of service.
3.6.1 Worms
A worm is a process that uses the spawn mechanism to ravage system performance. The worm
spawns copies of itself, using up system resources and perhaps locking out all other processes.
On computer networks, worms are particularly potent, since they may reproduce themselves
among systems and thus shut down the entire network.
3.6.2 Viruses
Like worms, viruses are designed to spread into other programmes and can wreak havoc in a system by modifying or destroying files and causing system crashes and programme malfunctions. Whereas a worm is structured as a complete, standalone programme, a virus is a fragment of code embedded in a legitimate programme. Viruses are a major problem for computer users, especially users of microcomputer systems.
Multiuser computers generally are not susceptible to viruses because the executable programs are
protected from writing by the operating system.
Even if a virus does infect a programme, its powers are limited because other aspects of the
system are protected. Single-user systems have no such protections and, as a result, a virus has
free run. Viruses are usually spread when users download viral programmes from public bulletin
boards or exchange disks containing an infection.
In recent years, a common form of virus transmission has been via the exchange of Microsoft
Office files, such as Microsoft Word documents.
These documents can contain so-called macros (or Visual Basic Programmes) that programmes
in the Office suite (Word, PowerPoint, or Excel) will execute automatically.
Most commercial antivirus packages are effective against only particular known viruses. They
work by searching all the programmes on a system for the specific pattern of instructions known
to make up the virus.
When they find a known pattern, they remove the instructions, disinfecting the programme.
These commercial packages have catalogs of thousands of viruses for which they search. Viruses
and the antivirus software continue to become more sophisticated. Some viruses modify
themselves as they infect other software to avoid the basic pattern-match approach of antivirus
software. The antivirus software in turn now looks for families of patterns rather than a single
pattern to identify a virus.
The best protection against computer viruses is prevention, or the practice of safe computing.
Purchasing unopened software from vendors and avoiding free or pirated copies from public
sources or disk exchange is the safest route to preventing infection. For macro viruses, one
defense is to exchange Word documents in an alternative file format called rich text format
(RTF). Unlike the native Word format, RTF does not include the capability to attach macros.
Another defense is to avoid opening any e-mail attachments from unknown users.
3.6.3 Denial of Service
The last attack category, denial of service, is aimed not at gaining information or stealing
resources but rather at disrupting legitimate use of a system or facility. An intruder could delete
all the files on a system, for example. Most denial-of-service attacks involve systems that the
attacker has not penetrated. Indeed, launching an attack that prevents
legitimate use is frequently easier than breaking into a machine or facility.
3.7 File Protection
The three most popular implementations of file protection are:
• File Naming
This depends upon the inability of a user to access a file he cannot name. It can be implemented by allowing users to see only the files they have created. But since most file systems allow only a limited number of characters for filenames, there is no guarantee that two users will not use the same filenames.
• Password Protection
This scheme associates a password with each file. If a user does not know the password associated with a file, then he cannot access it. This is a very effective way of protecting files, but a user who owns many files and constantly changes their passwords to make sure that nobody else accesses them will need some systematic way of keeping track of those passwords.
• Access Control
An access list is associated with each file or directory. The access list contains information on the types of users and the accesses that they can perform on a directory or file. An example is the following access list associated with a UNIX file or directory:
drwxrwxrwx
The d indicates that this is an access list for a directory; the first rwx indicates that it can be read, written, and executed by the owner of the file; the second rwx is the access information for users belonging to the same group as the owner (somewhere on the system is a list of users belonging to the same group as the owner); and the last rwx is for all other users. Each rwx can be changed to just r-- indicating that it can only be read, -w- for write-only, or --x for execute-only.
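An added example (not part of the module) that serves two passages: it evaluates a UNIX-style access list such as `drwxr-x---` for a given user, and it shows the "check for current authority" principle from section 3.3 by contrasting a handle that checks permission only at open time with one that re-checks the access list on every operation. The users, group and file names are constructed; the class-selection rule (owner, then group, then other, with only the first matching class applying) is the UNIX one.

```python
class User:
    def __init__(self, name, groups):
        self.name = name
        self.groups = set(groups)


def parse_mode(mode_string):
    """Parse a ten-character access list such as 'drwxr-x---'.

    Returns (is_directory, {"owner": ops, "group": ops, "other": ops}) where
    ops is the set of permitted operations among 'r', 'w' and 'x'.
    """
    if len(mode_string) != 10 or mode_string[0] not in "-d":
        raise ValueError(f"bad access list {mode_string!r}")
    classes = {}
    for cls, start in (("owner", 1), ("group", 4), ("other", 7)):
        allowed = set()
        for ch, expected in zip(mode_string[start:start + 3], "rwx"):
            if ch == expected:
                allowed.add(ch)
            elif ch != "-":
                raise ValueError(f"bad access list {mode_string!r}")
        classes[cls] = frozenset(allowed)
    return mode_string[0] == "d", classes


class ProtectedFile:
    def __init__(self, owner, group, mode_string):
        self.owner, self.group = owner, group
        self.chmod(mode_string)

    def chmod(self, mode_string):
        self.is_directory, self.classes = parse_mode(mode_string)

    def check(self, user, op):
        """Exactly one class applies: owner if the user owns the file, else group
        if the user is in the file's group, else other (even if 'other' is wider)."""
        if user.name == self.owner:
            cls = "owner"
        elif self.group in user.groups:
            cls = "group"
        else:
            cls = "other"
        return op in self.classes[cls]


class OpenTimeHandle:
    """Weak design: authority checked once at open() and then assumed forever."""

    def __init__(self, f, user, op):
        if not f.check(user, op):
            raise PermissionError(op)
        self.f, self.op = f, op

    def access(self):
        return True                      # never looks at the access list again


class CurrentAuthorityHandle:
    """Check for current authority: consult the access list on every operation."""

    def __init__(self, f, user, op):
        if not f.check(user, op):
            raise PermissionError(op)
        self.f, self.user, self.op = f, user, op

    def access(self):
        return self.f.check(self.user, self.op)


def demo():
    """Constructed scenario: bob opens alice's file for writing, then alice
    tightens the mode while bob's handles are still open."""
    bob = User("bob", {"staff"})
    notes = ProtectedFile("alice", "staff", "-rw-rw-r--")
    weak = OpenTimeHandle(notes, bob, "w")
    strict = CurrentAuthorityHandle(notes, bob, "w")
    notes.chmod("-rw-r--r--")            # group write revoked after the open
    return {"weak_write_after_chmod": weak.access(),
            "strict_write_after_chmod": strict.access()}


if __name__ == "__main__":
    print(demo())
```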
