OS, DB & Program security

Uploaded by

danigetahun05

Debre Tabor University
OS, DB & Program security
Seminar Prepared By……………...Id No.
1. Sewlesew Tilahun ……1422
2. Yeabsira Haile………....1483
3. Surafel Abedela……….0495
4. Daniel Gethaun …….…0649
5. Mamaru Anemaw …....0539
6. Temsgen Yilma………..1267
Outline
 Introduction

 OS security
 Database security
 Program security

12/30/2022 Prepared by group 5 students 2


Introduction


 Every computer system and software design must handle all security risks and implement the necessary measures to enforce security policies.
 Much money has been lost and many people’s lives have been harmed when computer security has failed.
 Attacks on computer systems are so common as to be inevitable in almost any scenario where you perform computing.

OS security
 The process of ensuring OS availability, confidentiality, and integrity is known as operating system security.
 OS security refers to the processes or measures taken to protect the operating system from dangers, including viruses, worms, malware, and remote hacker intrusions.


Cont’d


 System security may be threatened through two violations, and these are as follows:
1. Threat: A program that has the potential to harm the system seriously.
2. Attack: A breach of security that allows unauthorized access to a resource.
 Breach of integrity: This violation involves unauthorized modification of data.
 Theft of service: It involves the unauthorized use of resources.
 Breach of confidentiality: The unauthorized reading of data.
 Breach of availability: The unauthorized destruction of data.
 Denial of service: It includes preventing legitimate use of the system. Some attacks may be accidental.
Goals of security system

 Integrity: Unauthorized users must not be allowed to access the system's objects, and users with insufficient rights should not modify the system's critical files and resources.
 Secrecy: The system's objects must only be available to a small number of authorized users.
 Availability: All system resources must be accessible to all authorized users.


Threats to OS


 There are various threats to the operating system. Some of them are as follows:
 Malware: It includes viruses, worms, Trojan horses, and other dangerous software.
 Network Intrusion: Network intruders are classified as masqueraders, misfeasors, and unauthorized users.
 Buffer Overflow: It is also known as buffer overrun. It is the most common and dangerous security issue of the operating system. It occurs when the volume of data exceeds the storage capacity of the memory buffer.


How to ensure OS security

 Authentication: matching an identified user with the programs or data that they are allowed to access. Operating systems identify and authenticate users in three ways.
1. Username/Password: Every user has a unique username and password that should be input correctly before accessing a system.
2. User Attribution: These techniques usually include biometric verification, such as fingerprints, retina scans, etc.
3. User card and Key: To log in to the system, the user must punch a card into a card slot or enter a key produced by a key generator into an option provided by the operating system.
Cont’d


 One Time passwords: A one-time password is a unique password that is generated each time a user logs into a system. These passwords cannot be reused.
1. Network passwords: Applications issue one-time passwords to registered mobile/email addresses, which must be input before logging in.
2. Random numbers: The user receives a card listing numbers that correspond to machine letters.
3. Secret keys: The user receives a device that generates secret keys. The user then enters the secret key into the operating system.
Cont’d


 Firewalls: Firewalls are essential for monitoring all incoming and outgoing traffic.
 Physical Security: The most important method of maintaining operating system security is physical security.
 An attacker with physical access to a system may edit, remove, or steal important files since operating system code and configuration files are stored on the hard drive.
OS security policies and Procedures

 Various operating system security policies may be implemented based on the organization.
 An OS security policy is a document that specifies the procedures for ensuring that the operating system maintains a specific level of integrity, confidentiality, and availability.
 Installing and updating anti-virus software
 Ensuring the systems are patched or updated regularly
 Implementing user management policies to protect user accounts and privileges.
 Installing a firewall and ensuring that it is properly set to monitor all incoming and outgoing traffic.
Question


Database security
What is Database security
 Database:
 It is a collection of information stored in a computer
 Security:
 It is being free from danger
 Database security:
 It is the set of mechanisms that protect the database against intentional or accidental threats.


Cont’d

 Database security refers to the collective measures
used to protect and secure a database or database
management software from illegitimate use and
malicious cyber threats and attacks.



Database security concepts
 Three main aspects:
 Confidentiality
 Integrity
 Availability

 Threats to database
 Loss of integrity
 Loss of availability
 Loss of confidentiality
Confidentiality

 No one can read our data/communication unless we want them to
 It is protecting the database from unauthorized users
 Ensures that users are allowed to do the things they are trying to do
 For example:
 The employees should not see the salaries of their managers.


Integrity

 No one can manipulate our data/processing/communication unless we want them to
 Protecting the database from authorized users
 Ensures that what users are trying to do is correct
 For example:
 An employee should be able to modify his own information.


Availability

 We can access our data/conduct our processing/use our communication capabilities when we want to
 Authorized users should be able to access data for legal purposes as necessary
 For example:
 Payment orders regarding taxes should be made on time by tax law
Factors that amplify the threats

 Data volumes are growing: Data capture, storage, and processing continue to increase exponentially in almost all organizations. Any tools or methods must be highly flexible to meet current as well as far-off needs.
 The infrastructure is sprawling: Network environments are becoming more complicated, especially as companies shift their workloads into multiple clouds and hybrid cloud architectures and make the selection, deployment, management, and administration of security solutions more difficult.
 More stringent requirements for regulatory compliance: The worldwide regulatory compliance landscape continues to increase in complexity. This makes the compliance of every mandate more
Methods of securing the database

 Logical – firewalls, net proxies
 Encryption – public key/private key, secure sockets
 Authorization – privileges, views
 Authentication – passwords


Securing the database through firewalls

 A FIREWALL is dedicated software on another computer which inspects network traffic passing through it and denies or permits passage based on a set of rules.
 Basically, it is a piece of software that monitors all traffic that goes from your system to another via the internet or network and vice versa.
 Database FIREWALLS are a type of web application firewall that monitor databases to identify and protect against database-specific attacks that mostly seek to access sensitive information
How database FIREWALL works

 The database firewall includes a set of pre-defined, customizable security audit policies, and it can identify database attackers based on threat patterns called signatures.
 The SQL input statements (or queries) are compared to these signatures, which are updated frequently by the vendor, to identify known attacks on the databases.
 Database firewalls build (or come with) a white list of approved SQL commands (or statements) that are safe.
 All the input commands are compared with the white list, and only those that are already present in the white list are sent to the database.
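
The white-list comparison described on this slide can be sketched as follows. This is an added example, not part of the seminar slides or of any firewall product: each statement is reduced to its shape (literals replaced by `?`) and forwarded only if that shape is on the list. The table names, the list contents and the functions `normalize_sql` and `firewall_allows` are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed white list of statement shapes; table and column names are hypothetical. */
static const char *const WHITE_LIST[] = {
    "select name from employees where id = ?",
    "update employees set phone = ? where id = ?",
};

/* Reduce a statement to its shape: lower case, single spaces, literals become '?'.
 * Returns 0 on success, -1 on an unterminated string literal or a full buffer. */
int normalize_sql(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    int gap = 0;                          /* whitespace seen since the last output char */
    if (cap == 0) return -1;
    while (*in) {
        unsigned char c = (unsigned char)*in;
        char emit;
        if (isspace(c)) { gap = 1; in++; continue; }
        int token_start = gap || n == 0 ||
            !(isalnum((unsigned char)out[n - 1]) || out[n - 1] == '_');
        if (c == '\'') {                  /* string literal; '' is an escaped quote */
            for (in++; ; in++) {
                if (*in == '\0') return -1;
                if (*in != '\'') continue;
                if (in[1] != '\'') { in++; break; }
                in++;                     /* skip the first quote of the '' pair */
            }
            emit = '?';
        } else if (isdigit(c) && token_start) {   /* numeric literal */
            while (isdigit((unsigned char)*in)) in++;
            emit = '?';
        } else {
            emit = (char)tolower(c);
            in++;
        }
        if (n + 3 > cap) return -1;       /* room for space, char and NUL */
        if (gap && n > 0) out[n++] = ' ';
        gap = 0;
        out[n++] = emit;
    }
    out[n] = '\0';
    return 0;
}

/* Returns 1 if the statement's shape is on the white list (forward it), else 0 (block it). */
int firewall_allows(const char *stmt)
{
    char shape[256];
    if (normalize_sql(stmt, shape, sizeof shape) != 0) return 0;
    for (size_t i = 0; i < sizeof WHITE_LIST / sizeof WHITE_LIST[0]; i++)
        if (strcmp(shape, WHITE_LIST[i]) == 0) return 1;
    return 0;
}
```

A statement with an appended condition has a different shape from every approved entry, so it is blocked without needing a signature for that particular input.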
Advantage of using FIREWALLS

 Database firewalls maintain a black list of certain specific and potentially harmful commands (or SQL statements) and do not allow this type of input.
 Database firewalls identify database, operating system, and protocol vulnerabilities in the database and notify the administrator, who can take steps to patch them.
 Database firewalls monitor database responses (from the db server) to block potential data leakage.
 Database firewalls notify about suspicious activity instead of blocking it right away.
How data encryption works

 Data encryption is a key-based access control system. Even if the encrypted data is received, it cannot be understood until authorized decryption occurs, which is automatic for users authorized to access the tables.
 When a table contains encrypted columns, a single key is used regardless of the number of encrypted columns. This key is called the column encryption key.
 The column encryption keys for all tables containing encrypted columns are encrypted with the database server master encryption key and stored in a dictionary table in the database.
 The master encryption key is stored in an external security module
Advantage of data encryption

 As a security administrator, one can be sure that sensitive data is safe in case the storage media or data file gets stolen.
 You do not need to create triggers or views to decrypt data. Data from tables is decrypted for the database user.
 Database users need not be aware of the fact that the data they are accessing is stored in encrypted form. Data is transparently decrypted for the database users and does not require an action on their part.
 Applications need not be modified to handle encrypted data. Data encryption/decryption is managed by the database.
Authorization

 Authorization gives a user permission to access the database:
 Read Authorization —allows reading, but not modification of data
 Insert authorization —allows insertion of new data, but not modification of
existing data
 Update authorization —allows modification, but not deletion of data
 Delete authorization - allows deletion of data.



Authentication

 Database authentication is the process or act of confirming that a
user who is attempting to log in to a database is authorized to do so,
and is only accorded the rights to perform activities that he or she
has been authorized to do.



Program Security
Secure programming

 Security implies some degree of trust that the program enforces expected
 Confidentiality
 Integrity
 Availability.

 Security and safety are two important aspects of the quality of software.
 Security is the ability of a system to protect itself against accidental or intentional attacks.
 Safety is the ability of a system to operate without risk, performing normal functions as well as handling exceptional conditions.
Non-Malicious Code and Malicious Code


A. Non-malicious code
 Unintentional
 Caused by a mistake made by a human, such as a programmer or developer
 Many such errors cause program malfunction but do not lead to more serious security vulnerabilities


Cont’d
B. Malicious code

 Rogue program
 General name for unanticipated or undesired effects in programs or
program parts, caused by an agent intent on damage
 Behaves in unexpected ways
 It can do anything any other program can, such as writing a message on a computer screen, stopping a running program, generating a sound or erasing a stored file
 Malicious code runs under the user’s authority but without the user's permission or even knowledge


A: Non-Malicious Program Errors
 Three classic error types:

 Buffer overflow
 Incomplete mediation
 Time-of-check to time-of-use (TOCTTOU)


• Buffer Overflows


 A buffer: space in which data can be held
 Resides in memory; because memory is finite, a buffer’s capacity is finite
 For this reason, the programmer must declare the buffer’s maximum size so that the compiler can set aside that amount of space

Example:
char sample[10];
-> the compiler sets aside 10 bytes to store this buffer
sample[10] = 'A';
-> the subscript is out of bounds, so we have a problem


Cont’d


 Damage done by buffer overflow
 Affects user data (overwrites user data)
 Affects user code (changes user instructions)
 Affects system data (overwrites OS data)
 Affects system code (changes OS instructions)

 An attacker can insert malicious data values/instructions/code into the overflow space
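
The out-of-bounds subscript from the previous slide and the damage listed here are both prevented by checking every index and every sender-supplied length before writing. The following is an added example, not code from the seminar; the `record` layout, the one-byte length format and the function names are assumptions chosen to mirror `char sample[10]`.

```c
#include <stddef.h>
#include <string.h>

#define SAMPLE_SIZE 10

/* Hypothetical record: whatever follows the buffer is what an overflow damages first. */
struct record {
    char sample[SAMPLE_SIZE];   /* valid subscripts are 0..9 */
    int privileged;
};

/* Store one byte only when the subscript lies inside the buffer. */
int store_at(char *buf, size_t cap, size_t idx, char value)
{
    if (idx >= cap) return -1;  /* sample[10] = 'A' is refused here */
    buf[idx] = value;
    return 0;
}

/* Constructed wire format: one length byte followed by that many data bytes.
 * The length byte comes from the sender, so it is checked against the bytes
 * actually received and against the destination capacity before any copy.
 * Returns the number of bytes stored, or -1 with dst left untouched. */
int read_field(const unsigned char *msg, size_t msg_len, char *dst, size_t cap)
{
    size_t declared;
    if (msg_len < 1 || cap < 1) return -1;
    declared = msg[0];
    if (declared > msg_len - 1) return -1;   /* would read past the input */
    if (declared >= cap) return -1;          /* would write past dst (NUL needs a byte) */
    memcpy(dst, msg + 1, declared);
    dst[declared] = '\0';
    return (int)declared;
}
```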



• Incomplete Mediation


 Consider the example from the previous slide:
 http://www.somesite.com/subpage/userinput.asp?parm1=(808)555-1212&parm2=2009Jan17
 The two parameters look like a telephone number and a date
 The question now:
 What would happen if parm2 were submitted as 1800Jan01? Or 1800Feb30? Or 2048Min32? Or Ardvark2Many?
 One way to address the problems is to try to anticipate them
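
Anticipating those inputs means the server checks both parameters itself, whatever the client form allowed. The following is an added example, not code from the seminar; the function names are hypothetical and the accepted year window of 1900 to 2100 is an assumed policy.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed policy, not from the slides: years 1900..2100 are acceptable. */
enum { MIN_YEAR = 1900, MAX_YEAR = 2100 };

static const char *const MONTHS[12] = {
    "Jan", "Feb", "Mar", "Apr", "May", "Jun",
    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
};

/* Match s against a template: 'd' means one digit, any other char is literal. */
static int matches(const char *s, const char *tmpl)
{
    for (; *tmpl; s++, tmpl++) {
        if (*s == '\0') return 0;
        if (*tmpl == 'd' ? !isdigit((unsigned char)*s) : *s != *tmpl) return 0;
    }
    return *s == '\0';
}

/* parm1: telephone number in the form (ddd)ddd-dddd. */
int valid_parm1(const char *s)
{
    return s != NULL && matches(s, "(ddd)ddd-dddd");
}

/* parm2: date in the form YYYYMonDD; every field is range-checked on the server. */
int valid_parm2(const char *s)
{
    static const int days[12] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    int year, month = 0, day, limit, m;

    if (s == NULL || strlen(s) != 9) return 0;
    for (m = 0; m < 9; m++)                 /* digits everywhere except the month */
        if ((m < 4 || m > 6) && !isdigit((unsigned char)s[m])) return 0;
    year = (s[0] - '0') * 1000 + (s[1] - '0') * 100 + (s[2] - '0') * 10 + (s[3] - '0');
    day = (s[7] - '0') * 10 + (s[8] - '0');
    for (m = 0; m < 12; m++)
        if (strncmp(s + 4, MONTHS[m], 3) == 0) month = m + 1;
    if (month == 0 || year < MIN_YEAR || year > MAX_YEAR) return 0;
    limit = days[month - 1];
    if (month == 2 && ((year % 4 == 0 && year % 100 != 0) || year % 400 == 0))
        limit = 29;                         /* leap-year February */
    return day >= 1 && day <= limit;
}
```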



• Time-of-Check to Time-of-Use (TOCTTOU)
 Involves synchronization

 Access control is a fundamental part of computer security
 Every requested access must be governed by an access policy stating who is allowed access to what; then the request must be mediated by an access-policy-enforcement agent
 But an incomplete mediation problem occurs when access is not checked universally
 A TOCTTOU flaw concerns mediation that is performed with a “bait and switch” in the middle
 Also known as a serialization or synchronization flaw
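
A common concrete instance of this flaw is file access on a POSIX system, where a file name is checked and then opened in a separate step. The following is an added example, not code from the seminar, and the file-access setting is an assumption beyond what the slide states; `open_checked` and `selfcheck` are hypothetical names, and the temporary files are constructed test data.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, O_CLOEXEC, mkstemp, symlink */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Racy pattern, shown for contrast and never called here: the name is checked,
 * then resolved a second time by open(), so the object can be switched between
 * the check and the use.
 *     if (access(path, R_OK) == 0) fd = open(path, O_RDONLY);
 */

/* Open first, then check the descriptor: check and use refer to the same object. */
int open_checked(const char *path, uid_t expected_owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;               /* a symlink as the last component fails here */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);
        return -1;
    }
    return fd;                           /* caller reads from fd, never re-opens path */
}

/* Exercise the check on constructed temporary files; returns 0 when all cases behave. */
int selfcheck(void)
{
    char file[] = "/tmp/toctouXXXXXX";
    char lnk[sizeof file + 4];
    int tmp = mkstemp(file), direct, via_link, wrong_owner, ok;

    if (tmp < 0) return -1;
    close(tmp);
    snprintf(lnk, sizeof lnk, "%s.lnk", file);
    if (symlink(file, lnk) != 0) { unlink(file); return -1; }

    direct = open_checked(file, geteuid());          /* regular file, right owner */
    via_link = open_checked(lnk, geteuid());         /* name swapped for a symlink */
    wrong_owner = open_checked(file, geteuid() + 1); /* owner differs from policy */
    ok = direct >= 0 && via_link == -1 && wrong_owner == -1;
    if (direct >= 0) close(direct);
    unlink(lnk);
    unlink(file);
    return ok ? 0 : 1;
}
```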



Combinations of Non-malicious Program Flaws

 An attacker may begin a three-pronged attack by using a buffer overflow to disrupt all execution of arbitrary code on a machine
 The attacker then logs in as the new user and exploits incomplete mediation flaws as common building blocks
 A clever attacker uses flaws as common building blocks to build a complex attack


B: Virus and Other Malicious Code
Why worry about Malicious Code?

 Malicious code can do much (harm)
 It can do anything any other program can, such as writing a message on a computer screen, stopping a running program, generating a sound or erasing a stored file
 Or it can do nothing at all right now; it can be planted to lie dormant, undetected, until some event triggers the code to act
 Malicious code runs under the user’s authority but without the user's permission or even knowledge
Kinds of Malicious Code

 Malicious code/rogue program is the general name for unanticipated or undesired effects in programs or program parts, caused by an agent intent on damage
 The agent is the writer of the program or the person who causes its distribution
 A virus is a program that can pass on malicious code to other non-malicious programs by modifying them
 A virus can be either transient or resident

Cont’d
 Transient virus

 Has a life that depends on the life of its host;
 the virus runs when its attached program executes and
terminates when its attached program ends

 Resident virus
 Locates itself in memory;
 Then it can remain active or be activated as a stand-alone program, even after its attached program ends

Prevention of Virus Infection
 There are six techniques:

1. Use only commercial software acquired from reliable, well-established vendors.
2. Test all new software on an isolated computer.
3. Open attachments only when you know them to be safe.
4. Make a recoverable system image and store it safely.
5. Make and retain backup copies of executable system files.
6. Use virus detectors regularly and update them daily.


Truth and Misconceptions about viruses

 Viruses can infect only Microsoft Windows systems (False)
 Viruses can modify “hidden” or “read-only” files (True)
 Viruses can appear only in data files, or only in Word documents, or only in programs (False)
 Viruses spread only on disks or through e-mail (False)
 Viruses cannot remain in memory after a complete power off/power on reboot (True)
 Viruses cannot infect hardware (True)
 Viruses can be malevolent, benign, or benevolent (True)


Controls Against Program
Threats
A. Development Controls

 It requires people to:
 Specify the system
 Design the system
 Implement the system
 Test the system
 Review the system
 Document the system
 Manage the system
 Maintain the system



Cont’d
B. Operating System Controls on Use of Programs
 Trusted software is software whose code we know has been rigorously developed and analyzed
 To trust any program, we should look for:
 Functional correctness
 Enforcement of integrity
 Limited privilege
 Appropriate confidence level
Others include:
 Mutual suspicion
 Confinement
 Access log
Cont’d
C. Administrative Controls

 Standards of Program Development
 Administrative controls can be exercised by considering the
following standards of:
 Design
 Documentation, language and coding style
 Programming
 Testing
 Configuration management



End of Seminar

Thank you !!!
