Chapter: Protection and Security

Objectives

 Discuss the goals and principles of protection in a modern

computer system
 Explain how protection domains combined with an access matrix
are used to specify the resources a process may access
 Examine capability and language-based protection systems
 Goals of Protection

 Process in OS must be protected from the one another.

 Protection refers to a mechanism for controlling the access of the
programs, processes or users to the resources defined by the computer
system.
 Protection improves reliability.
 Protection Mechanism determine: how some thing will be done
 Policy determine: what is to be done.
 Protection refers to a mechanism for controlling the access of
programs, processes, or users to the resources defined by a computer
system.
 This mechanism must provide a means for specifying the controls to be
imposed, together with a means of enforcement.
 Protection in Computer System

 System with Contiguous memory allocation:

 Protection is achieved by Use of Limit Registers
 In Paging System:
 Protection is achieved by use of Page Table. Each
process has its own page table.
 In System with Segmentation:
 Protection is achieved by Use of Segment Table –
Each table is protected by base address and limit
register
 In System with files stored on Secondary Storage:
 Protection is achieved by Access Rights
 Access Control

Method that determines:

 What types of access are permitted on different resources
 Under what circumstances
 By Whom
 Access Control

Access Control Model has 3 basic components:

 Subjects (S) or Domain: Represents a finite set of entities that
have access to current object.
 Subject may be: User , Process or Procedure
 Objects (O): Represents a finite set of resources that need
access.
 Object may be: H/w device ( processor, memory) Or S/W
resources ( page table, files etc)
 Rights ( R): Represents a finite set of Operations that a Subject
can perform on Object.
 Access Control Policies

Protection Domain: is a collection of objects and access rights

(Permissions –rwx-)

1. Discretionary Access Control

 In this model, Each object is owned by some
subject/domain and Owner of the object decides
which what kind of access rights are there.
2. Mandatory Access Control
 System Administrator enforce a policy for all users.
3. Role-Based Access Control
 Access control is based on roles that users have within
the system
Discretionary Access Control/ Access Matrix

 Discretionary Access Control Model is represented by Access

Matrix.
 It is used to describe which users have access to what
objects or resources.
 Access Matrix consists of Rows and Columns
 Rows represent : Current Subject / Domain
 Column represent: Current Object
Discretionary Access Control/ Access Matrix

 View protection as a matrix (access matrix)

 Rows represent domains

 Columns represent objects

 Access(i, j) is the set of operations that a process

executing in Domaini can invoke on Objectj
Access Matrix
 Use of Access Matrix

 If a process in Domain Di tries to do “op” on object Oj, then

“op” must be written in the access matrix

 Can be expanded to dynamic protection

 Operations to add, delete access rights
 Special access rights:
 owner of Oi
 copy op from Oi to Oj
 control – Di can modify Dj access rights
 transfer – switch from domain Di to Dj
 Use of Access Matrix (Cont)

 Access matrix design separates mechanism from policy

 Mechanism (Method)
 Operating system provides access-matrix + rules
 Ifensures that the matrix is only manipulated by
authorized agents and that rules are strictly enforced

 Policy (Rules)
 User dictates policy
 Who can access what object and in what mode
 Implementation of Access Matrix
 There are 2 methods:
 1. Access Control Lists
 ACL can be created by dividing Access Matrix Column
Wise.
 Separate list is maintained for each domain and each object.
 It skips blank row entries in each domain.

 2. Capability List
 Can be created by dividing Access Matrix Row Wise.
 It is list of access rights that a user / domain or a process has
for a object.
 It is divided into 2 fields:
 Object Descriptor
 Access Rights
Access Matrix With Domains as Objects

Figure B
 Operation on Access Matrix Entries
 1. Copy
 It allows the access right to
be copied only within the
column (for an object)
 Ability to copy an access
right from one domain (row)
to another is denoted by
asterisk ( * )
 A process executing in
domain D2 can copy read
operation into any entry
associated with file F2
 The ability to copy rights is
denoted by an asterisk,
indicating that processes
in that domain have the
right to copy that access
within the same column
Access Matrix with Copy Rights
For example, in Figure
(a), a process executing in
domain D2 can copy the
read operation into any
entry associated with file
F2.

Hence, the access matrix

of Figure (a) can be
modified to the access
matrix shown in Figure(b).
 Operation on Access Matrix Entries
 2. Owner
 It allows addition or removal of access rights.
 If any access includes owner right then a process executing
in domain Di can add or remove any access right in entry
of that column.

 Copy and Owner allow a process to change the entry in

column.
 If access(i, j) includes the owner’s right, then a process
executing in domain Di can add and remove any right in
any entry in column j.
Access Matrix With Owner Rights
For example, in Figure (a),
domain D1 is the owner of F1
and thus can add and delete
any valid right in column F1.

Similarly, domain D2 owns F2

and F3 and thus can add and
remove
any valid right within these two
columns. Thus, the access
matrix of Figure
(a) can be modified to the
access matrix shown in Figure
(b).
 Operation on Access Matrix Entries
 3. Control Right
 Control right mechanism used to change entries in a row.
 Control right is applicable only to domain objects.
 If access( i , j ) includes control right, then a process executing in domain
Di can remove any access right from row j.
 Switch operation works for column only
 For example, suppose that, we include the control right in access(D2, D4).
Then, a process executing in domain D2 could modify domain D4, as shown.
 Operation on Access Matrix Entries
 3. Control Right

For example, suppose we include the control right in access(D2, D4). Then, a
process executing in domain D2 could modify domain D4, as shown.
 Implementation of Access Matrix
1. GLOBAL TABLE:
 Global Table consisting of a ordered set of triples <domain,
object, right set>
 Before every operation on any object in any domain, the global table is
searched for triple.
 If a triple is found, the operation is allowed to continue, otherwise,
an exception or error condition is raised.
 Drawbacks:
 Table is large. Can not be kept in the main memory. So additional I/O
is needed.

2. ACCESS LISTS FOR OBJECTS:

Each column can be implemented as an access list.
Resultant list consists of: <domain, right sets>an
 Security

 Method of protecting information stored in the system from

un-authorized access.
 Security must consider external environment of the system, and
protect it from:
 unauthorized access.
 malicious modification or destruction
 accidental introduction of inconsistency.

 Security violation can be categorized as intentional or accidental.

 Security is a measure of confidence that the integrity of a
system and its data will be preserved.
 Some Security Violations

 Breach of Confidentiality: Unauthorized reading of data. Theft of

information
 Breach of integrity: Unauthorized modification of data.
 Breach of availability: Unauthorized destruction of data/ website
defacement:
A website defacement is an attack on a website that changes the
visual appearance of the site or a webpage.
 Theft of service: Unauthorized use of resources.
 Denial of service: Send invalid data to applications or network
services, which cause abnormal termination.

Flood a computer or the entire network with traffic until a shutdown

occurs because of the overload.
 Security Measure Levels

To protect our system, we must take security measures at 4

levels:

 Physical - Secure Hardware Components

 Human – Use Passwords for protection

 Operating system – Use Valid Login and Password

 Network – Use authentication and anti-virus to protect data/

resources over the network.
 Program Threats

 Writing a program that creates a breach of security or causing a

normal process to change its behavior and create a breach is the
common goal of crackers

 Malware: A destructive program that pretend to be a gentle

application.

 A back door is a means of access to a computer program that

bypasses security mechanisms.
 Program Threats

1. Trojan horse
 A Trojan horse, or Trojan, is software that
appears to perform a desirable function for the
user, but steals information or harms the
system.

 Trojan horse is a program in which harmful code is

contained in such a way that it can get control and
do its chosen form of damage
 1. Trojan horse

 Many systems have mechanisms for allowing programs written

by some users to be executed by other users.
 If these programs are executed in a domain that provides
the access rights of the executing user, the other users
may misuse these rights.

 For example: A text-editor program, may include code to

search the file to be edited for certain keywords. If any are
found, the entire file may be copied to a special area accessible
to the creator of the text editor.

 A code segment that misuses its environment is called a Trojan

horse.
 1. Trojan horse

 A variation of the Trojan horse is a program that emulates

(copy) a login program.
 An unsuspecting user starts to log in at a terminal and notices
that he has apparently mistyped his password. He tries again
and is successful.
 What has happened is that his authentication key and password
have been stolen by the login emulator, which was left running
on the terminal by the thief.
 The emulator stored away the password, printed out a login
error message, and exited; the user was then provided with a
genuine login prompt.
 2. Spyware

 A software that secretly monitors the user's computing.

 Spyware is a type of malware that can be installed on computers,

and which collects small pieces of information about users without
their knowledge.

 The presence of spyware is typically hidden from the user, and

can be difficult to detect.

 Sometimes, Spywares are installed by the owner of a shared,

corporate, or public computer in order to secretly monitor other
users.
 2. Spyware

 Spyware sometimes accompanies a program that the

user has chosen to install.

 The goal of spyware is to download ads to display on

the user’s system, create pop-up browser windows
when certain sites are visited, or capture information
from the user’s system and return it to a central site.
 3. Trap Door

 The designer of a program or system might leave a

hole in the software that only designer is capable of
using. This type of security breach is called trap
door.
 For instance, the code might check for a specific user
ID or password, and it might circumvent normal
security procedures
 A clever trap door could be included in a compiler.
The compiler could generate standard object code as
well as a trap door, regardless of the source code
being compiled.
 3. Trap Door

 Trap doors pose a difficult problem because, to detect

them we have to analyze all the source code for all
components of a system.
 4. Logic Bomb

 Consider a program that initiates a security incident only

under certain circumstances.
 Under normal operations, there would be no security hole.
However, when a predefined set of parameters was met,
the security hole would be created. This scenario is known
as a logic bomb.
 for example, A programmer, might write code to detect
whether he is still logged in if that check failed, a daemon
could be generated to allow remote access, or code could
be launched to cause damage to the site.
 5. Stack and Buffer Overflow

 The stack- or buffer-overflow attack is the most common

way for an attacker outside the system, on a network or
dial-up connection, to gain unauthorized access to the
target system.

 the attacker exploits a bug in a program. The bug can be a

simple case of poor programming, in which the programmer
neglected to code bounds checking on an input field. In this
case, the attacker sends more data than the program was
expecting.
 6. VIRUS
 VIRUS: Vital Information Resource Under Seize or Very
Important Resource Under Seize

 Fragment of malicious code embedded in a genuine

program.
 designed to “infect” other programs.
 Specific to architecture, operating systems and applications.
 Needs human intervention to move from host to host.
 Needs some one to actually take that program from one
device and run it onto other device
 Does not self replicate itself
Main categories:
A VIRUS:
 FILE: infects system by appending itself to a file.
Changes start. Execution jumps to its code, returns control,
executes unnoticed.
 BOOT: infects boot sector, executing every time system is
booted. Infects other bootable media(Floppy disks).
 MACRO: these viruses are triggered when a program
capable of executing the macro is run.
 Source Code: looks for source code and modifies it to
include the virus and to help spread the virus.
 Polymorphic: this virus changes every time it is installed to
avoid detection by antivirus software. Changes don’t
change its functionality but change virus functionality.
Main categories:
A VIRUS:
 Encrypted. An encrypted virus includes decryption code
along with the encrypted virus, again to avoid detection. The
virus first decrypts and then executes.
 Stealth. This tricky virus attempts to avoid detection by
modifying parts of the system that could be used to detect it.
For example, it could modify the read system call so that if
the file it has modified is read, the original form of the code
is returned rather than the infected code.
 Tunneling. This virus attempts to bypass detection by an
antivirus scanner by installing itself in the interrupt-handler
chain. Similar viruses install themselves in device drivers.
Main categories:
 Multipartite Avirus of this type is able to infect multiple parts
of a system,including boot sectors, memory, and files. This
makes it difficult to detect and contain.
 Armored. An armored virus is coded to make it hard for
antivirus researchers to unravel and understand. It can also
be compressed to avoid detection and disinfection. In
addition, virus droppers and other full files that are part of a
virus infestation are frequently hidden via file attributes or
unviewable file names.
 System and Network Threats

 Program threats typically use a breakdown in the protection

mechanisms of a system to attack programs.

 System and network threats involve the abuse of services

and network connections.
 System and network threats create a situation in which
operating-system resources and user files are misused.
 1. Worms
 Self propagating.
 A worm is a process that uses the spawn mechanism to duplicate
itself. The worm spawns copies of itself, using up system resources
and perhaps locking out all other processes.

 If a device gets infected, it sends the copies of itself onto the network
to other devices.

 Sometimes more disturbing, it might go into your email, find your

contacts, sends copies of itself to all the contacts.
 2. Port Scanning
 Port scanning is not an attack but rather a means for a cracker to
detect a system’s vulnerabilities (bug) to attack.
 3. Denial of Service
 denial-of-service attacks are aimed not at gaining information or
stealing resources but rather at disrupting genuine use of a system
or facility.
 Denial-of-service attacks are generally network based.
 They fall into two categories:

1. Attacks in the first category use so many facility resources that, in

essence no useful work can be done.
2. The second category involves disrupting the network of the facility.
 Authentication

 Process of verifying the identity of user or information

 1. User Authentication
 Process of verifying the identity of user when user logs
into a computer system.

Main Objective: Allow authorized users to access the

computer.

Authentication Process consists of 2 steps:

1. Identification Step
2. Verification Step
 Measures of Authentication

 False Acceptance Ratio: % of unauthorized users

incorrectly entered the system

 False Rejection Ratio: % of authorized users that fails to

access the system due to failure of authentication.
 General Methods of Authentication

 Include a Password

 Include electronic key or smart cards

 Static Biometric – Recognition by finger print, retina or face.

 Dynamic Biometric – Recognition by Voice, Handwriting or

Typing Pattern.
 Password Verification

 Password Verification – Authentication Mechanism

 Password- a secret text that is supposed to be known only to

users.

 System allows authorized users who have valid user name and
password to access the system.
 Threat Monitoring

 Check for suspicious patterns of activity – several incorrect password

attempts may signal password guessing.

 Audit log – Check audit logs to see the time a user is trying to accesses
an object
 Useful for recovery from a violation and developing better security
measures.

 Scan the system periodically for security holes; done when the
computer is relatively unused.
 Threat Monitoring (Cont.)

 Check for:
 Short or easy-to-guess passwords
 Unauthorized set, user id’s
 Unauthorized programs in system directories
 Unexpected long-running processes
 Improper directory protections
 Improper protections on system data files
 Changes to system programs
 FireWall

 A firewall is a device or set of devices designed to allow or deny

network transmissions based upon a set of rules.

 Firewall is frequently used to protect networks from unauthorized

access.

 A firewall is placed between trusted and untrusted hosts.

 Encryption

Encryption is the process of encoding messages or information in such a

way that only authorized parties can read it

 Plaintext: The original intelligible message

 Cipher text: The transformed message

 Encryption

 Key: Information used by the cipher, known only to the

sender& receiver

 Encipher (encode) The process of converting plaintext to

cipher text using a cipher and a key

 Decipher (decode) the process of converting cipher text

back into plaintext using a cipher and a key
 Encryption/ Decryption Method
Encryption/Decryption methods fall into two categories:
 Symmetric key
 Public key
1. Symmetric key algorithms: the encryption and decryption keys are known
both to sender and receiver.
2. Public key algorithms: Encryption key is made public
 Encryption

 Properties of good encryption technique:

 Should be simple for authorized users to encrypt and decrypt data.
 Encryption technique should be able to encrypt the data by generating a
the encryption key.
 Should be extremely difficult for an intruder to determine the
encryption key.

 Data Encryption:
 Convert the data into a secret message on the basis of an encryption key
provided to authorized users.
 Public-key Technique

 Invented in 1976 by Whitfield Diffie and Martin Hellman. So also

called Diffie-Hellman encryption.

 Also called asymmetric encryption because it uses two keys

instead of one key

 Require two separate keys:

 One to encrypt the plaintext
 Other to decrypt the cipher text.
 Neither key will do both functions.
 One of these keys is published or public and the other is kept
private.
 Private key encryption

 Symmetric encryption (also called private-key

encryption or secret-key encryption) involves using the
same key for encryption and decryption.

 Encryption involves applying an operation (an algorithm) to

the data to be encrypted using the private key to make them
unintelligible.
Communication
Encryption and Decryption using Keys