Os Unit - 5

The document outlines the principles and mechanisms of system protection and security within operating systems, focusing on access control, protection goals, and the access matrix model. It discusses the importance of the principle of least privilege, the domain of protection, and various methods of implementing access control, including global tables and access lists. Additionally, it highlights the role of cryptography, user authentication, and security defenses in safeguarding systems and networks.

Uploaded by

ishowspeed0918
DEPT & SEM : CSE & II SEM

SUBJECT NAME : Operating System

COURSE CODE : OS

UNIT : V

PREPARED BY : P BHAVYA

COURSE:OS UNIT: 5 Pg. 1


CONTENT :

• System Protection: Goals of protection
• Principles and domain of protection
• Access matrix, Access control
• Revocation of access rights.
• System Security: Introduction
• Program threats
• System and network threats
• Cryptography as a security
• User authentication
• Implementing security defenses
• Firewalling to protect systems and networks
• Computer security classification.

GOALS OF PROTECTION :

Protection refers to a mechanism that controls the access of programs,
processes, or users to the resources defined by a computer system.

Protection can be seen as a helper to a multiprogramming operating system, so
that many users can safely share a common logical name space such as a
directory or files.
• Modern protection concepts have evolved to increase the reliability of any
complex system that makes use of shared resources.
Goal of Protection:

To prevent the mischievous, intentional violation of an access restriction by a
user.

To ensure that each active program or process in the system uses resources
such as the CPU, memory, software and even the OS only in accordance with the
stated policy.


A protection-oriented system provides means to distinguish between authorized
and unauthorized usage.

Protection can improve reliability by detecting latent errors at the interfaces
between component subsystems.

Early detection of interface errors can often prevent contamination of a
healthy subsystem by a malfunctioning subsystem.

The role of protection in a computer system is to provide a mechanism for the
enforcement of the policies governing resource use.

Some policies are defined at the time of design of the system, some are
designed by the management of the system and some are defined by the users of
the system to protect their own files and programs.

Policy is different from mechanism. Mechanisms determine how something will be
done and policies determine what will be done. Policies change over time and
from place to place. Separation of mechanism and policy is important for the
flexibility of the system.

PRINCIPLES OF PROTECTION:

• Guiding principle – it can be used throughout the design of a project, making
the resulting system consistent and easy to understand.
• The guiding principle used by an OS for protection is called the principle of
least privilege.
• Principle of least privilege - It dictates that programs, users, and even
systems be given just enough privileges to perform their tasks.
• EX: Security guard with a passkey - If this key allows the guard into just the
public areas, the damage is minimal. If the passkey allows access to all areas,
then the damage from its being lost, stolen, misused, copied, or otherwise
compromised will be maximal.
• An operating system following the principle of least privilege implements its
features, programs, system calls, and data structures so that failure or
compromise of a component does the minimum damage and allows the
minimum damage to be done.


Ex: Daemon process - The overflow of a buffer in a system daemon might cause
the daemon process to fail, but it should not allow a remote user to gain
maximum privileges and access to the entire system.

An operating system also provides system calls and services that allow
applications to be written with fine-grained access controls.

It provides mechanisms to enable privileges when they are needed and to
disable them when they are not needed.

Managing users with the principle of least privilege entails creating a separate
account for each user, with just the privileges that the user needs.

An operator who needs to mount tapes and back up files on the system has
access to just those commands and files needed to accomplish the job. Some
systems implement role-based access control (RBAC) to provide this
functionality.

The principle of least privilege can help produce a more secure computing
environment.
Domain of Protection :

A computer system is a collection of processes and objects.

Objects are either hardware objects (resources such as the CPU, memory segments,
printers, disks, and tape drives) or software objects (such as files, programs,
and semaphores).

Each object has a unique name that differentiates it from all other objects in the
system, and each can be accessed only through well-defined and meaningful
operations.

The operations that are possible may depend on the object. (Ex: Data files can be
created, opened, read, written, closed, and deleted.)
Two things must be taken care of when a process requests resources:
1. A process should be allowed to access only those resources for which it has
proper authorization.
2. A process should be able to access only those resources that it currently requires
to complete its task. This is commonly referred to as the need-to-know principle.

Domain Structure :

A process operates within a protection domain, which specifies the set of
resources that the process may access.

Each domain defines a set of objects and the types of operations that may be
invoked on each object.

Access right - The ability to execute an operation on an object.

A domain is a collection of access rights, each of which is an ordered pair
<object-name, rights-set>.

For example, if domain has the access right <file F, {read, write}>

Domains need not be disjoint; domains may share access rights.


The association between a process and a domain may be either static - if the set of
resources available to the process is fixed throughout the process’s lifetime, or
dynamic - if the set of resources available to the process can change throughout the
process’s lifetime.

If a domain is static, we must define the domain to include both read and write
access.

If the association is dynamic, a mechanism is available to allow domain switching,
enabling the process to switch from one domain to another.
A domain can be realized in a variety of ways:

Each user may be a domain:
Domain switching occurs when the user is changed — generally when one
user logs out and another user logs in. In this case, the set of objects that can be
accessed depends on the identity of the user.


Each process may be a domain:
Domain switching occurs when one process sends a message to another
process and then waits for a response. In this case, the set of objects that can be
accessed depends on the identity of the process.

Each procedure may be a domain:
Domain switching occurs when a procedure call is made. In this case, the set
of objects that can be accessed corresponds to the local variables defined within the
procedure.
Domain Implementation (UNIX):

In the UNIX operating system, a domain is associated with the user (userID).

Switching the domain corresponds to changing the user identification temporarily.
This change is accomplished through the file system.

Each file has associated with it an owner identification and a domain bit (known as
the setuid bit).

When the setuid bit is on, and a user executes that file, the userID is set to that of
the owner of the file.

When the bit is off, however, the userID does not change.

Ex: When a user A (that is, a user with userID = A) starts executing a file owned by B,
whose associated domain bit is off, the userID of the process is set to A.

When the setuid bit is on, the userID is set to that of the owner of the file: B.
When the process exits, this temporary userID change ends.
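The setuid rule described above, together with a check a defender can run to list every file that acts as a domain switch. This is an added example, not part of the original slides; the function names, the userIDs 1000 and 2000, and the two sample files are constructed for illustration.

```python
import os
import stat
import tempfile


def effective_uid_after_exec(caller_uid, owner_uid, mode):
    """Rule from the text: setuid bit on -> userID becomes the file owner's;
    bit off -> the userID of the executing user is kept."""
    return owner_uid if mode & stat.S_ISUID else caller_uid


def audit_setuid(root):
    """List (path, owner_uid) for regular files under root with setuid set.

    Each hit is a domain switch: whoever may execute the file runs it in the
    owner's domain, so the owner is what a reviewer looks at first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: inspect a link itself, not its target
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                findings.append((path, st.st_uid))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: two files owned by the current user, one setuid."""
    root = tempfile.mkdtemp(prefix="setuid-demo-")
    for name, mode in (("plain_tool", 0o755), ("domain_switch_tool", 0o4755)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)  # chmod after writing: a write can clear setuid
    return root


if __name__ == "__main__":
    A, B = 1000, 2000  # hypothetical userIDs for users A and B
    print("bit off:", effective_uid_after_exec(A, B, 0o755))
    print("bit on :", effective_uid_after_exec(A, B, 0o4755))
    for path, owner in audit_setuid(build_sample_tree()):
        print("setuid file:", path, "owner uid:", owner)
```

On Linux the kernel ignores the setuid bit on interpreted scripts, so the sample files only exercise the mode-bit check.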

Domain Switch accomplished Via Passwords:
The su command temporarily switches to another user’s domain when the other
domain’s password is provided.

Domain Switching Via commands:
The sudo command prefix executes a specified command in another domain (if the
original domain has the privilege or the password is given).

Access Matrix :


The general model of protection can be viewed abstractly as a matrix, called an
access matrix.

The rows (i) of the access matrix represent domains, and

The columns ( j ) represent objects.

Each entry in the matrix consists of a set of access rights.

The entry access (i , j) defines the set of operations that a process executing in
domain Di can invoke on object Oj.


If a process in domain Di tries to do “op” (operation) on object Oj, then “op”
must be in the access matrix.

The access matrix needs to implement two policy decisions:

1. Which rights to include? (by the user)

2. In which domain does the process execute? (by the operating system)

A user who creates an object can define the access column for that object.

The access matrix provides an appropriate mechanism for defining and
implementing strict control for both static and dynamic association between
processes and domains.

When we switch a process from one domain to another, we are executing an
operation (switch) on an object (the domain).


We can control domain switching by including domains among the objects of
the access matrix.

Processes should be able to switch from one domain to another.

Switching from domain Di to domain Dj is allowed if and only if the access
right switch ∈ access(i,j).

A process executing in domain D2 can switch to domain D3 or to domain D4. A
process in domain D4 can switch to D1,and one in domain D1 can switch to D2.

Can be expanded to dynamic protection
• Operations to add, delete access rights
• Special access rights:
   • owner of Oi
   • copy op from Oi to Oj (denoted by “*”)
   • control – Di can modify Dj access rights
   • transfer – switch from domain Di to Dj
• Copy and Owner applicable to an object
• Control applicable to domain object

Access Matrix of Figure A with Domains as Objects :


The ability to copy an access right from one domain (or row) of the access
matrix to another is denoted by an asterisk (*) appended to the access right.

The copy right allows the access right to be copied only within the column (that
is, for the object) for which the right is defined.

For example, in Figure 14.5(a), a process executing in domain D2 can copy the
read operation into any entry associated with file F2. Hence, the access matrix
of Figure 14.5(a) can be modified to the access matrix shown in Figure 14.5(b).

The owner right controls addition of new rights and removal of some rights.

If access(i,j) includes the owner right, then a process executing in domain Di
can add and remove any right in any entry in column j.

For example, in Figure 14.6(a), domain D1 is the owner of F1 and thus can add
and delete any valid right in column F1. Similarly, domain D2 is the owner of F2
and F3 and thus can add and remove any valid right within these two columns.

Access Matrix with Copy Rights and Access Matrix With Owner Rights

Mechanism for removing the access right in a Domain :

• The copy and owner rights allow a process to change the entries in a column.

• A mechanism is also needed to change the entries in a row. The control right is
applicable only to domain objects.

• If access(i,j) includes the control right, then a process executing in domain Di can
remove any access right from row j.

• For example, suppose the control right is included in access(D2,D4). Then, a process
executing in domain D2 could modify domain D4.
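The access matrix with domains as objects, and the switch, copy (*), owner and control rights enforced as described above, can be modelled as follows. This is an added example, not part of the original slides. The class and method names are hypothetical, the matrix entries not stated in the text are constructed, and it assumes a copied right lands without its asterisk so the receiving domain cannot copy it further.

```python
class AccessDenied(Exception):
    """The matrix does not authorise the requested operation."""


class AccessMatrix:
    def __init__(self):
        self.entries = {}  # (domain, object) -> set of rights; absent = empty

    def rights(self, domain, obj):
        return self.entries.get((domain, obj), set())

    def grant(self, domain, obj, *rights):
        """Unchecked helper, used only to build the initial matrix."""
        self.entries.setdefault((domain, obj), set()).update(rights)

    def _require(self, right, domain, obj):
        if right not in self.rights(domain, obj):
            raise AccessDenied(f"{right} not in access({domain},{obj})")

    def allowed(self, domain, obj, op):
        """op may be invoked if access(domain, obj) holds op or op*."""
        held = self.rights(domain, obj)
        return op in held or op + "*" in held

    def switch(self, current, target):
        """Domain switch: allowed iff switch is in access(current, target)."""
        self._require("switch", current, target)
        return target

    def copy_right(self, actor, obj, right, target):
        """Copy stays inside the column of obj; actor must hold right*.
        Assumption: the copy is stored without the asterisk."""
        self._require(right + "*", actor, obj)
        self.grant(target, obj, right)

    def owner_add(self, actor, obj, target, right):
        """Owner of obj may add any right in that object's column."""
        self._require("owner", actor, obj)
        self.grant(target, obj, right)

    def owner_remove(self, actor, obj, target, right):
        self._require("owner", actor, obj)
        self.rights(target, obj).discard(right)

    def control_remove(self, actor, target_domain, obj, right):
        """control in access(actor, target_domain) lets actor remove rights
        from the row of target_domain."""
        self._require("control", actor, target_domain)
        self.rights(target_domain, obj).discard(right)


def denied(operation, *args):
    """True if the operation is refused by the matrix."""
    try:
        operation(*args)
    except AccessDenied:
        return True
    return False


def build_sample():
    m = AccessMatrix()
    # Stated in the text: D2 -> D3/D4, D4 -> D1, D1 -> D2 switches; D1 owns F1;
    # D2 owns F2 and F3; D2 can copy read on F2; control in access(D2, D4).
    m.grant("D2", "D3", "switch")
    m.grant("D2", "D4", "switch", "control")
    m.grant("D4", "D1", "switch")
    m.grant("D1", "D2", "switch")
    m.grant("D1", "F1", "owner", "execute")
    m.grant("D2", "F2", "owner", "read*")
    m.grant("D2", "F3", "owner")
    # Constructed entry so the control right has something to remove.
    m.grant("D4", "F1", "read", "write")
    return m


if __name__ == "__main__":
    m = build_sample()
    m.copy_right("D2", "F2", "read", "D3")
    print("D3 reads F2 after copy:", m.allowed("D3", "F2", "read"))
    print("D3 may copy further:", not denied(m.copy_right, "D3", "F2", "read", "D4"))
    m.control_remove("D2", "D4", "F1", "write")
    print("D4 writes F1 after control removal:", m.allowed("D4", "F1", "write"))
```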

Modified Access Matrix of Figure B :

Implementation of the Access Matrix :

The access matrix will generally be a sparse matrix: most of its entries will be
empty. Although data-structure techniques are available for representing sparse
matrices, they are not particularly useful for the access matrix, because of the
way in which the protection facility is used.

There are several methods of implementing the access matrix:
1. Global table
2. Access lists for objects
3. Capability Lists for Domains
4. A Lock–Key Mechanism


1. Global table:

The simplest implementation of the access matrix is a global table consisting of
a set of ordered triples <domain, object, rights-set>.

Whenever an operation M is executed on an object Oj within domain Di, the
global table is searched for a triple <Di, Oj, Rk>, with M ∈ Rk.

If this triple is found, the operation is allowed to continue; otherwise, an
exception (or error) condition is raised.

Drawbacks:

1. The table is usually large and thus cannot be kept in main memory, so additional
I/O is needed. Virtual memory techniques are often used for managing this table.

2. In addition, it is difficult to take advantage of special groupings of objects or
domains. For example, if everyone can read a particular object, this object must
have a separate entry in every domain.

2. Access Lists for Objects :

Each column in the access matrix can be implemented as an access list for one
object:
Domain 1 = Read, Write
Domain 2 = Read
Domain 3 = Read

The resulting list for each object consists of ordered pairs <domain, rights-set>,
which define all domains with a nonempty set of access rights for that object.

This approach can be extended easily to define a list plus a default set of access
rights for every object.

When an operation M on an object Oj is attempted in domain Di, we search the
access list for object Oj, looking for an entry <Di , Rk> with M ∈ Rk.

If the entry is found, we allow the operation; if it is not, we check the default set.


If M is in the default set, we allow the access. Otherwise, access is denied, and an
exception condition occurs.

For efficiency, we may check the default set first and then search the access list.
3. Capability Lists for Domains :

A capability list for a domain is a list of objects together with the operations
allowed on those objects.
Object F1 – Read
Object F4 – Read, Write, Execute
Object F5 – Read, Write, Delete, Copy

An object is often represented, in a particular domain, by its physical name or
unique address, called a capability.

To execute operation M on object Oj, the process executes the operation M,
specifying the capability (or pointer) for object Oj as a parameter. Simple
possession of the capability means that access is allowed.


The capability list is associated with a domain, but it is never directly accessible
to a process executing in that domain.

The capability list is itself a protected object, maintained by the operating
system and accessed by the user only indirectly.

Capabilities are usually distinguished from other data in one of two ways:

1. Each object has a tag to denote whether it is a capability or accessible data. The
tags themselves must not be directly accessible by an application program.

Hardware or firmware support may be used to enforce this restriction.

2. The address space associated with a program can be split into two parts.

One part is accessible to the program and contains the program’s normal data
and instructions.

The other part, containing the capability list, is accessible only by the operating
system.

4. A Lock–Key Mechanism :

The lock – key scheme is a compromise between access lists and capability
lists.

Each object has a list of unique bit patterns called locks.

Each domain has a list of unique bit patterns called keys.

A process executing in a domain can access an object only if that domain has a
key that matches one of the locks of the object.

As with capability lists, the list of keys for a domain must be managed by the
operating system on behalf of the domain.

Users are not allowed to examine or modify the list of keys (or locks) directly.

Comparison :

Using a global table is simple; however, the table can be quite large and often
cannot take advantage of special groupings of objects or domains.

Access lists correspond directly to the needs of users.

→ Determining the set of access rights for each domain is difficult.

→ Every access to the object must be checked, requiring a search of the
access list.

→ In a large system with long access lists, this search can be time consuming.


Capability lists do not correspond directly to the needs of users, but they are
useful for localizing information for a given process.

→ The process attempting access must present a capability for that access. Then,
the protection system needs only to verify that the capability is valid.

→ Revocation of capabilities can be inefficient.

The lock–key mechanism is effective and flexible, depending on the length of the
keys. The keys can be passed freely from domain to domain.

→ In addition, access privileges can be effectively revoked by the simple
technique of changing some of the locks associated with the object.
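The three table-based implementations compared above can be derived from one set of triples: the access lists are the columns, the capability lists are the rows, and a default set removes the "everyone can read" duplication named as a drawback of the global table. This is an added example, not part of the original slides. The function names are hypothetical, and the sample triples are constructed so that F1's access list and D2's capability list match the two small listings in the text.

```python
DOMAINS = ["D1", "D2", "D3"]
OPS = ["read", "write", "execute", "delete", "copy"]

# Global table: ordered triples <domain, object, rights-set> (constructed).
GLOBAL_TABLE = [
    ("D1", "F1", {"read", "write"}),
    ("D2", "F1", {"read"}),
    ("D3", "F1", {"read"}),
    ("D2", "F4", {"read", "write", "execute"}),
    ("D2", "F5", {"read", "write", "delete", "copy"}),
]


def check_global(table, domain, obj, op):
    """Search the whole table for a triple <Di, Oj, Rk> with op in Rk."""
    return any(d == domain and o == obj and op in r for d, o, r in table)


def access_lists(table):
    """Column view: object -> {domain: rights-set}, non-empty entries only."""
    acls = {}
    for d, o, r in table:
        if r:
            acls.setdefault(o, {})[d] = set(r)
    return acls


def capability_lists(table):
    """Row view: domain -> {object: rights-set}."""
    caps = {}
    for d, o, r in table:
        if r:
            caps.setdefault(d, {})[o] = set(r)
    return caps


def compress_with_default(acls, domains):
    """Move rights held by every domain into a per-object default set."""
    slim, defaults = {}, {}
    for obj, entries in acls.items():
        if all(d in entries for d in domains):
            common = set.intersection(*(entries[d] for d in domains))
        else:
            common = set()
        defaults[obj] = common
        slim[obj] = {d: r - common for d, r in entries.items() if r - common}
    return slim, defaults


def check_acl(acls, defaults, domain, obj, op):
    """Look for <Di, Rk> in the object's list, then fall back to the default."""
    if op in acls.get(obj, {}).get(domain, set()):
        return True
    return op in defaults.get(obj, set())


def check_capability(caps, domain, obj, op):
    """Possession of a capability naming op on obj means access is allowed."""
    return op in caps.get(domain, {}).get(obj, set())


def lookups_agree(table, domains):
    """All three implementations must give the same answer for every query."""
    acls = access_lists(table)
    slim, defaults = compress_with_default(acls, domains)
    caps = capability_lists(table)
    objects = sorted(acls)
    return all(
        check_global(table, d, o, op)
        == check_acl(slim, defaults, d, o, op)
        == check_capability(caps, d, o, op)
        for d in domains for o in objects for op in OPS
    )


if __name__ == "__main__":
    acls = access_lists(GLOBAL_TABLE)
    slim, defaults = compress_with_default(acls, DOMAINS)
    print("F1 access list:", acls["F1"])
    print("F1 with default:", slim["F1"], "default =", defaults["F1"])
    print("D2 capability list:", capability_lists(GLOBAL_TABLE)["D2"])
    print("implementations agree:", lookups_agree(GLOBAL_TABLE, DOMAINS))
```

A default set also applies to any domain created later, which the per-domain entries of the global table do not; that is a policy change as well as a space saving.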

Access Control :

Access controls can be used on files within a file system. Each file and
directory is assigned an owner, a group, or possibly a list of users, and for
each of those entities, access-control information is assigned (read, write,
execute).

Ex: Solaris 10 (Sun Microsystems) advances the protection available in the
operating system by explicitly adding the principle of least privilege via
role-based access control (RBAC).

This facility revolves around privileges.


A privilege is the right to execute a system call or to use an option within that
system call (such as opening a file with write access).

Here privileges can be assigned to processes and roles.

Privileges can be assigned to processes, limiting them to exactly the access
they need to perform their work.

Privileges and programs can also be assigned to roles.

Users are assigned roles or can take roles based on passwords to the roles.

In this way, a user can take a role that enables a privilege, allowing the user to
run a program to accomplish a specific task.

This implementation of privileges decreases the security risk associated with
superusers and setuid programs.

Revocation of Access Rights :

In a dynamic protection system, we may sometimes need to revoke access
rights to objects shared by different users.

Various questions about revocation may arise:



Immediate versus delayed: Does revocation occur immediately, or is it delayed? If
revocation is delayed, can we find out when it will take place?

Selective versus general: When an access right to an object is revoked, does it affect
all the users who have an access right to that object, or can we specify a select group
of users whose access rights should be revoked?

Partial versus total: Can a subset of the rights associated with an object be revoked,
or must we revoke all access rights for this object?

Temporary versus permanent: Can access be revoked permanently (that is, the
revoked access right will never again be available), or can access be revoked and later
be obtained again?

Revocation means to take back, withdraw, or cancel.

Revocation of Access Rights : Access List

Access Lists for Objects : Each column = access-control list for one object.
It defines who can perform what operation, as <domain, rights-set> pairs.

With an access-list scheme, revocation is easy to implement.

Simple - The access list is searched for any access rights to be revoked, and they
are deleted from the access list.

Revocation is immediate and can be general or selective, total or partial, and
permanent or temporary.

Revocation of Access Rights : capabilities

A capability list for a domain is a list of objects together with the operations
allowed on those objects.

An object is often represented, in a particular domain, by its physical name or
unique address, called a capability.

Capabilities are maintained by the operating system. They are not visible to
users, programs or processes.

Revocation is harder to implement with a capability list.


Capability List – Because the capabilities are distributed throughout the system,
we must find them before we can revoke them.

Schemes that implement revocation for capabilities include the following:
1. Reacquisition
2. Back-pointers
3. Indirection
4. Keys
1. Reacquisition:

Periodically, capabilities are deleted from each domain. If a process wants to
use a capability, it may find that that capability has been deleted.

The process may then try to reacquire the capability. If access has been
revoked, the process will not be able to reacquire the capability.

2. Back-pointers :

A list of pointers is maintained with each object, pointing to all capabilities
associated with that object.

When revocation is required, we can follow these pointers, changing the
capabilities as necessary.

This scheme was adopted in the MULTICS system. It is quite general, but its
implementation is costly.

3. Indirection: (The capabilities point indirectly, not directly, to the objects)



Each capability points to a unique entry in a global table, which in turn points to
the object.

We implement revocation by searching the global table for the desired entry and
deleting it.

This scheme was adopted in the CAL system. Disadvantage: it does not allow
selective revocation.
4. Keys :

A key is a unique bit pattern that can be associated with a capability.

This key is defined when the capability is created, and it can be neither
modified nor inspected by the process that owns the capability.

A master key is associated with each object.

When a capability is created, the current value of the master key is associated
with the capability.

When the capability is exercised, its key is compared with the master key. If the
keys match, the operation is allowed to continue; otherwise, an exception
condition is raised.

Revocation replaces the master key with a new value via the set-key operation,
invalidating all previous capabilities for this object.
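The indirection and keys schemes described above both revoke every outstanding capability for an object at once, which the following model makes visible. This is an added example, not part of the original slides. The class and method names are hypothetical, and the leading underscore only stands in for the rule that a process can neither inspect nor modify the key, which a real system enforces in the kernel or in hardware.

```python
import secrets


class Revoked(Exception):
    """The capability no longer grants access to the object."""


class Capability:
    def __init__(self, obj, rights, key):
        self.obj = obj
        self.rights = frozenset(rights)
        self._key = key  # fixed at creation; hidden from the holder


class KeyedObject:
    """Keys scheme: one master key per object."""

    def __init__(self, name):
        self.name = name
        self._master_key = secrets.token_bytes(16)

    def create_capability(self, rights):
        # The current master key value is associated with the new capability.
        return Capability(self, rights, self._master_key)

    def exercise(self, cap, op):
        # Compare the capability's key with the master key on every use.
        same = secrets.compare_digest(cap._key, self._master_key)
        if cap.obj is not self or not same:
            raise Revoked(f"stale capability for {self.name}")
        if op not in cap.rights:
            raise PermissionError(f"{op} not granted by this capability")
        return f"{op} on {self.name}"

    def set_key(self):
        """Revocation: replace the master key with a new value."""
        self._master_key = secrets.token_bytes(16)


class IndirectionTable:
    """Indirection: capabilities name a table entry, the entry names the object."""

    def __init__(self):
        self._entries = {}
        self._next_id = 0

    def register(self, obj_name):
        entry_id = self._next_id
        self._next_id += 1
        self._entries[entry_id] = obj_name
        return entry_id

    def exercise(self, cap, op):
        entry_id, rights = cap  # capability modelled as (entry id, rights)
        if entry_id not in self._entries:
            raise Revoked("table entry deleted")
        if op not in rights:
            raise PermissionError(f"{op} not granted by this capability")
        return f"{op} on {self._entries[entry_id]}"

    def revoke(self, entry_id):
        """Delete the entry; every capability that points at it goes stale."""
        self._entries.pop(entry_id, None)


def usable(exercise, cap, op):
    """True if the capability still permits op."""
    try:
        exercise(cap, op)
        return True
    except (Revoked, PermissionError):
        return False


if __name__ == "__main__":
    f1 = KeyedObject("F1")
    reader = f1.create_capability({"read"})
    writer = f1.create_capability({"read", "write"})
    f1.set_key()
    print("old capabilities usable:", usable(f1.exercise, reader, "read"),
          usable(f1.exercise, writer, "write"))
    print("new capability usable:",
          usable(f1.exercise, f1.create_capability({"read"}), "read"))
```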

The Security Problem :

A system is said to be secure if its resources are used and accessed as intended
under all circumstances, but no system can guarantee absolute security against
the various malicious threats and unauthorized access.

Security of a computer system is a crucial task. It is a process of ensuring
confidentiality and integrity of the OS.

Security must consider the external environment of the system, and protect it from:

✦ unauthorized access

✦ malicious modification or destruction

✦ accidental introduction of inconsistency

Intruders (crackers) attempt to breach (break) security.



Security of a system can be threatened via two violations:

Threat: A program which has the potential to cause serious damage to the system
(a potential security violation).

Attack: An attempt to break security and make unauthorized use of an asset
(an attempt to breach security).

Security violations affecting the system can be categorized as malicious and
accidental.

Malicious threats, as the name suggests, are a kind of harmful computer code or
web script designed to create system vulnerabilities leading to back doors and
security breaches.

Accidental threats, on the other hand, are comparatively easier to protect
against. Example: Denial of Service (DDoS) attack.

It is easier to protect against accidental than malicious misuse.

COURSE:OS UNIT: 5 Pg. 38


Security Violations :
Some of the most common types of violations include:
• Breach of Confidentiality - Theft of private or confidential information,
such as credit-card numbers, trade secrets, patents, secret formulas,
manufacturing procedures, medical information, financial information, etc.
• Breach of Integrity - Unauthorized modification of data, which may have
serious indirect consequences. For example, the source code of a popular game
or other program could be modified to open up security holes on users'
systems before being released to the public.
• Breach of Availability - Unauthorized destruction of data, often just for
the "fun"; some crackers would rather wreak havoc and gain status or
bragging rights than gain financially. Website defacement is a common
example of this type of security breach.
(Web defacement is an attack in which malicious parties penetrate a
website and replace content on the site with their own messages.)

• Theft of Service - Unauthorized use of resources, such as theft of CPU
cycles, installation of daemons running an unauthorized file server, or
tapping into the target's telephone or networking services.

• Denial of Service, DOS - This violation involves preventing legitimate
use of the system. Denial-of-service (DOS) attacks are sometimes
accidental. The original Internet worm turned into a DOS attack when a
bug failed to delay its rapid spread.

Security Methods :
Attackers use several standard methods in their attempts to breach security.

Masquerading, in which one participant in a communication pretends to be
someone else (another host or another person). By masquerading, attackers
breach authentication, the correctness of identification.

A replay attack consists of the malicious or fraudulent repeat of a valid data
transmission. Sometimes the replay comprises the entire attack (for example, in
a repeat of a request to transfer money), but frequently it is done along with
message modification, again to escalate privileges.

The man-in-the-middle attack, in which an attacker sits in the data flow of a
communication, masquerading as the sender to the receiver, and vice versa.

In a network communication, a man-in-the-middle attack may be preceded by a
session hijacking, in which an active communication session is intercepted.

Standard Security Attacks :

Security Measure Levels :

Absolute protection of the system from malicious abuse is not possible, but the
cost to the perpetrator can be made sufficiently high to deter most intruders.
To protect a system, we must take security measures at four levels:
1. Physical - The site or sites containing the computer systems must be
physically secured against armed or surreptitious entry by intruders. The machine
rooms, Data centres, servers, connected terminals or workstations that have
access to the machines must be secured.
2. Human - Authorization must be done carefully to assure that only
appropriate users have access to the system.

However more and more attacks today are made via social engineering, which
basically means fooling trustworthy people into accidentally breaching security.

Phishing involves sending an innocent-looking e-mail or web site designed to
fool people into revealing confidential information, e.g. spam e-mails
pretending to be from eBay, PayPal, or any of a number of banks or credit-card
companies.


Dumpster Diving : It means searching trash to find useful information that
can be used to attack a computer network, for example by looking through
trash, finding phone books, or finding notes containing passwords.

Password Cracking involves divining users' passwords, either by watching
them type in their passwords, knowing something about them like their pets'
names, or simply trying all words in common dictionaries.
3. Operating System - The OS must protect itself from security breaches, such as
runaway processes (denial of service), memory-access violations, stack overflow
violations, the launching of programs with excessive privileges, and many others.
4. Network - Much computer data in modern systems travels over private
leased lines, shared lines like the Internet, wireless connections, or dial-up
lines. Intercepting these data could be just as harmful as breaking into a
computer, and interruption of communications could constitute a remote
denial-of-service attack, diminishing users’ use of and trust in the system.

Program Threats :

Processes, along with the kernel, are the only means of accomplishing work on
a computer. Therefore, writing a program that creates a breach of security, or
causing a normal process to change its behavior and create a breach, is a
common goal of crackers.

Trojan Horse:

A code segment that misuses its environment is called a Trojan horse.
Ex: text editor, bootstrap program, etc.

Exploits are programs that contain data or code that takes advantage of a
vulnerability within application software that is running on a computer.
(A vulnerability is a weakness or some area where a system is exposed or at risk.)
Ex: Trojan-Banker programs are designed to steal account data for online
banking systems, e-payment systems, and credit or debit cards.


A Trojan must be executed by its victim to do its work. Trojan malware can infect
devices in several ways.
(Malware: software that is specifically designed to disrupt, damage, or gain
unauthorized access to a computer system.)
For example:

A user sees a pop-up for a fake antivirus program that claims the computer is
infected and invites the user to run a program to clean it up. This is known as
“scareware”. In reality, the user is downloading a Trojan onto the device.

A user downloads a program whose publisher is unknown from an untrustworthy
website.

Attackers install a Trojan by exploiting a software vulnerability or through
unauthorized access.

Hackers create a fake Wi-Fi hotspot network that looks like one a user is trying to
connect to. When the user connects to this network, they can be redirected to fake
websites containing browser exploits that redirect any file they try to download.
Trojan Horse:

One dangerous opening for Trojan horses is long search paths, and in particular
paths which include the current directory ( "." ) as part of the path. If a
dangerous program having the same name as a legitimate program ( or a
common mis-spelling, such as "sl" instead of "ls" ) is placed anywhere on the
path, then an unsuspecting user may be fooled into running the wrong program
by mistake.
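A defensive check for the search-path problem described above, as an added example that is not part of the original slides. It assumes a Unix-style colon-separated path in which an empty entry also means the current directory; the function names and the sample paths are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Classification of one search-path entry. */
enum path_risk { PATH_OK = 0, PATH_EMPTY, PATH_DOT, PATH_RELATIVE };

/* Classify a single entry of length len (not NUL-terminated). */
static enum path_risk classify_entry(const char *entry, size_t len)
{
    if (len == 0)
        return PATH_EMPTY;        /* "" is treated as the current directory */
    if (len == 1 && entry[0] == '.')
        return PATH_DOT;          /* explicit current directory */
    if (entry[0] != '/')
        return PATH_RELATIVE;     /* resolved against the current directory */
    return PATH_OK;
}

/*
 * Walk a colon-separated search path and count the entries that resolve
 * relative to the current directory. If report is non-NULL, one line per
 * risky entry is written to it.
 */
int audit_search_path(const char *path, FILE *report)
{
    static const char *const why[] = {
        "ok",
        "empty entry (current directory)",
        "\".\" (current directory)",
        "relative directory"
    };
    int risky = 0;
    int index = 0;
    const char *start = path;

    for (;;) {
        const char *end = strchr(start, ':');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        enum path_risk r = classify_entry(start, len);

        if (r != PATH_OK) {
            risky++;
            if (report)
                fprintf(report, "  entry %d \"%.*s\": %s\n",
                        index, (int)len, start, why[r]);
        }
        if (!end)
            break;
        start = end + 1;          /* a trailing ':' yields one last empty entry */
        index++;
    }
    return risky;
}

int main(void)
{
    /* Constructed sample values, not taken from any real system. */
    const char *samples[] = {
        "/usr/local/bin:/usr/bin:/bin",
        ".:/usr/bin:/bin",
        "/usr/bin::/bin",
        "/usr/bin:/bin:",
        "bin:/usr/bin:./tools",
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("PATH=%s\n", samples[i]);
        printf("  risky entries: %d\n", audit_search_path(samples[i], stdout));
    }
    return 0;
}
```

The empty-entry cases (a doubled or trailing colon) are the ones most easily missed when a path is inspected by eye.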

Another classic Trojan Horse is a login emulator, which records a user's account
name and password, issues a "password incorrect" message, and then logs off
the system. The user then tries again ( with a proper login prompt ), logs in
successfully, and doesn't realize that their information has been stolen.

This type of attack can be defeated by having the operating system print a usage
message at the end of an interactive session or by a non-trappable key
sequence, such as the control-alt-delete combination used by all modern
Windows operating systems.



Trojan Horse:
Backdoor :

A backdoor Trojan gives malicious users remote control over the infected computer.

They enable the author to do anything they wish on the infected computer – including
sending, receiving, launching, and deleting files, displaying data, and rebooting the
computer.

Backdoor Trojans are often used to unite a group of victim computers to form a botnet
or zombie network that can be used for criminal purposes.
Dropper Trojan :

These programs are used by hackers to install Trojans or viruses – or to prevent the
detection of malicious programs.

Not all antivirus programs are capable of scanning all of the components inside this
type of Trojan.
Spyware :

Spyware is a version of a Trojan Horse and sometimes accompanies a program that the
user has chosen to install.



Trojan Horse:

The goal of spyware is to download ads to display on the user's system, create
pop-up browser windows when certain sites are visited, or capture information from
the user's system and return it to a central site.

This latter practice is an example of a general category of attacks known as covert
channels, in which surreptitious communication occurs.

Another common task of spyware is to send out spam e-mail messages, which
then purportedly come from the infected user.

The spyware could contact a central site, be given a message and a list of recipient
addresses, and deliver a spam message to those users from the Windows machine.

In 2010, it was estimated that 90 percent of spam was being delivered by this
method.



Trap Door:

The designer of a program or system might leave a hole in the software that only
she is capable of using.

This type of security breach (or trap door) was shown in the movie War Games.
Ex: Banking website application

Because of the possibility of trap doors, once a system has been in an untrustworthy
state, that system can never be trusted again. Even the backup tapes may contain a
copy of some cleverly hidden back door.

A clever trap door could be inserted into a compiler, so that any programs compiled
with that compiler would contain a security hole. This is especially dangerous,
because inspection of the code being compiled would not reveal any problems.

Trap doors pose a difficult problem because, to detect them, we have to
analyze all the source code for all components of a system.

Only the designer knows where the loophole is. The code may be checked only once
every 2 or 3 years.



Logic Bomb & Stack and Buffer Overflow :
Logic Bomb :

Consider a program that initiates a security incident only under certain
circumstances.

It would be hard to detect because under normal operations, there would be no
security hole.

However, when a predefined set of parameters was met, the security hole would
be created. This scenario is known as a logic bomb.

A Logic Bomb is code that is not designed to cause havoc (Damage) all the
time, but only when a certain set of circumstances occurs, such as when a
particular date or time is reached or some other noticeable event.



Stack and Buffer Overflow:



Exploits a bug (malicious user creates bug) in a program (overflow either the
stack or memory buffers)

Failure to check bounds on inputs, arguments

Write past arguments on the stack into the return address on stack

When routine returns from call, returns to hacked address

→ Pointed to code loaded onto stack that executes malicious code



Consider what happens in the following code, for example, if argv[ 1 ] exceeds
256 characters: The strcpy command will overflow the buffer, overwriting
adjacent areas of memory.

The problem could be avoided using strncpy, with a limit of 255 characters
copied plus room for the null byte



C Program with Buffer-overflow Condition :
• Note that a careful programmer could have performed bounds checking
on the size of argv[1] by using the strncpy() function rather than strcpy(),
replacing the line “strcpy(buffer, argv[1]);” with “strncpy(buffer,
argv[1], sizeof(buffer)-1);”.

• A buffer overflow is the result of stuffing more data into a buffer than it can
handle.
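The slide's program is not reproduced in this copy, so the following is an added example rather than the original code: the unchecked strcpy() pattern beside the strncpy() fix the text names, plus a stricter variant that rejects over-long input. The function names are assumptions, and BUFFER_SIZE is set to 256 to match the length mentioned in the text.

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 256

/*
 * The unchecked pattern the text describes: strcpy() copies until it finds
 * the terminating NUL in arg, however long arg is. Shown for comparison
 * only; main() below never calls it.
 */
size_t copy_unchecked(char *buffer, const char *arg)
{
    strcpy(buffer, arg);          /* no bound: overflows if arg is too long */
    return strlen(buffer);
}

/*
 * The fix named in the text: copy at most size-1 bytes. strncpy() does not
 * write a terminating NUL when arg has size-1 or more characters, so the
 * last byte is set explicitly. Returns 1 if the input was truncated.
 */
int copy_truncating(char *buffer, size_t size, const char *arg)
{
    if (size == 0)
        return 1;
    strncpy(buffer, arg, size - 1);
    buffer[size - 1] = '\0';
    return strlen(arg) > size - 1;
}

/*
 * Stricter alternative: refuse over-long input instead of silently
 * truncating it. Returns 0 on success, -1 if arg does not fit.
 */
int copy_or_reject(char *buffer, size_t size, const char *arg)
{
    size_t len = strlen(arg);

    if (len >= size)
        return -1;
    memcpy(buffer, arg, len + 1); /* len + 1 includes the terminating NUL */
    return 0;
}

int main(int argc, char *argv[])
{
    char buffer[BUFFER_SIZE];
    char longarg[2 * BUFFER_SIZE];
    const char *arg;
    int truncated;

    /* Constructed over-long input, used when no argument is given. */
    memset(longarg, 'A', sizeof longarg - 1);
    longarg[sizeof longarg - 1] = '\0';
    arg = argc > 1 ? argv[1] : longarg;

    truncated = copy_truncating(buffer, sizeof buffer, arg);
    printf("truncating copy: kept %zu of %zu bytes, truncated=%d\n",
           strlen(buffer), strlen(arg), truncated);

    if (copy_or_reject(buffer, sizeof buffer, arg) != 0)
        printf("rejecting copy: input of %zu bytes refused\n", strlen(arg));
    else
        printf("rejecting copy: accepted \"%s\"\n", buffer);
    return 0;
}
```

Truncation keeps the program memory-safe but can change the meaning of the input, which is why the rejecting variant is often the better choice for file names and commands.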



Layout of Typical Stack Frame :
• When a function is invoked in a typical computer architecture, the variables
defined locally to the function (sometimes known as automatic variables), the
parameters passed to the function, and the address to which control returns
once the function exits are stored in a stack frame.
• Reading the stack frame from top to bottom, we first see the parameters
passed to the function, followed by any automatic variables declared in the
function.
• Next comes the frame pointer, which is the address of the beginning of the
stack frame.
• Finally, we have the return address, which specifies where to return control
once the function exits.
• The frame pointer must be saved on the stack, as the value of the stack
pointer can vary during the function call.
• The saved frame pointer allows relative access to parameters and automatic
variables.
Modified Shell Code :
• One of the simplest and most obvious approaches is to insert the code for
"exec( /bin/sh )". To do this requires compiling a program that contains this
instruction, and then using an assembler or debugging tool to extract the minimum
extent that includes the necessary instructions.
• The bad code is then padded with as many extra bytes as are needed to overflow
the buffer to the correct extent, and the address of the buffer inserted into the return
address location.
• The resulting block of information is provided as "input", copied into the buffer by
the original program, and then the return statement causes control to jump to the
location of the buffer and start executing the code to launch a shell.



Hypothetical Stack Frame :



Great Programming Required? :

For the first step of determining the bug, and second step of writing exploit code, yes

Script kiddies can run pre-written exploit code to attack a given system

Attack code can get a shell with the process owner's permissions

→ Or open a network port, delete files, download a program, etc



Depending on bug, attack can be executed across a network using allowed
connections, bypassing firewalls

Fortunately modern hardware now includes a bit in the page tables to mark
certain pages as non-executable.

In this case the buffer-overflow attack would work up to a point, but as soon as
it "returns" to an address in the data space and tries executing statements there,
an exception would be thrown crashing the program.

Available in SPARC and x86

But still have security exploits



Program Threats : Viruses


Code fragment (small piece of code) embedded in a legitimate program.

Self-replicating (Duplication), designed to infect other computers.

Ex: With a memory size of 1 TB, the virus keeps duplicating a file until the memory
is used up. The remedy is then to replace or update the OS. To protect the system,
install antivirus software.

Viruses are more likely to infect PCs than UNIX or other multi-user systems,
because programs in the latter systems have limited authority to modify other
programs or to access critical system structures

Viruses are delivered to systems in a virus dropper, usually some form of a Trojan
Horse, and usually via e-mail or unsafe downloads.

Usually borne via email or as a macro.

Visual Basic Macro to reformat hard drive
Sub AutoOpen()
Dim oFS
Set oFS = CreateObject("Scripting.FileSystemObject")
vs = Shell("c:command.com /k format c:",vbHide)
End Sub
Program Threats :

Virus dropper inserts virus onto the system
Many categories of viruses, literally many thousands of viruses

File : A standard file virus infects a system by appending itself to a file. File viruses
are sometimes known as parasitic viruses, as they leave no full files behind and
leave the host program still functional.

Boot/Memory : A boot virus infects the boot sector of the system, executing every
time the system is booted and before the operating system is loaded.

Macro : Macro viruses are written in a high-level language, such as Visual
Basic. These viruses are triggered when a program capable of executing
the macro is run, for example Microsoft Office (Microsoft Word, Excel, PowerPoint).
Depending on the virus, it may destroy or steal data.

Source code: A source code virus looks for source code and modifies it to
include the virus and to help spread the virus.

Polymorphic : A polymorphic virus changes each time it is installed to avoid
detection by antivirus software.



Program Threats :

The changes do not affect the virus’s functionality but rather change the virus’s
signature.

A virus signature is a pattern that can be used to identify a virus, typically a series of
bytes that make up the virus code.

Encrypted : An encrypted virus includes decryption code along with the encrypted
virus, again to avoid detection. The virus first decrypts and then executes.

Stealth: This tricky virus attempts to avoid detection by modifying parts of the
system that could be used to detect it.

Tunneling: This virus attempts to bypass detection by an antivirus scanner by
installing itself in the interrupt-handler chain. Similar viruses install themselves in
device drivers.

Multipartite: A virus of this type is able to infect multiple parts of a system,
including boot sectors, memory, and files. This makes it difficult to detect and
contain.

Armored: An armored virus is coded to make it hard for antivirus researchers to
unravel and understand.



A Boot-sector Computer Virus :



The Threat Continues :

Attacks still common, still occurring

Attacks moved over time from science experiments to tools of organized crime

→ Targeting specific companies

→ Creating botnets to use as tool for spam and DDOS delivery

→ Keystroke logger to grab passwords, credit card numbers



Why is Windows the target for most attacks?

→ Most common

→ Everyone is an administrator

→ Licensing required?

→ Monoculture considered harmful



System and Network Threats :

Program threats typically use a breakdown in the protection mechanisms of a system to
attack programs. In contrast, system and network threats involve the abuse of services
and network connections. System and network threats create a situation in which
operating-system resources and user files are misused. Sometimes, a system and
network attack is used to launch a program attack, and vice versa.

Some systems “open” rather than secure by default
a. Reduce attack surface
b. But harder to use, more knowledge needed to administer

Network threats harder to detect, prevent
a. Protection systems weaker
b. More difficult to have a shared secret on which to base access
c. No physical limits once system attached to internet
--- Or on network with system attached to internet
d. Even determining location of connecting system difficult
--- IP address is only knowledge
System and Network Threats :
Worm :

A worm is a process that uses the spawn mechanism to duplicate itself.

The worm spawns copies of itself, using up system resources and perhaps
locking out all other processes; it is a standalone program.
Internet worm :

Exploited UNIX networking features (remote access) and bugs in the finger and
sendmail programs

Exploited trust-relationship mechanism used by rsh to access friendly systems
without use of password

The worm was made up of two programs, a grappling hook (also called
a bootstrap or vector) program and the main program.

The grappling hook consisted of 99 lines of C code compiled and run on each
machine it accessed.



System and Network Threats :

Once established on the computer system under attack, the grappling hook
connected to the machine where it originated and uploaded a copy of the main
worm onto the hooked system.

The main program proceeded to search for other machines to which the newly
infected system could connect easily.

In these actions, Morris exploited the UNIX networking utility rsh for easy
remote task execution.

The worm searched these special files for site names that would allow remote
execution without a password.

Where remote shells were established, the worm program was uploaded and
began executing anew.

The attack via remote access was one of three infection methods built into
the worm.



System and Network Threats :

The other two methods involved operating-system bugs in the UNIX
finger and sendmail programs.

The finger utility functions as an electronic telephone directory. The command
finger user-name@hostname returns a person’s real and login names along
with other information that the user may have provided, such as office and
home address and telephone number, research plan, or clever quotation.

The bug exploited in sendmail also involved using a daemon process
for malicious entry. Sendmail sends, receives, and routes electronic mail.



The Morris Internet worm :



System and Network Threats :
Port scanning :

Port Scanning is technically not an attack, but rather a search for
vulnerabilities to attack.

The basic idea is to systematically attempt to connect to every known ( or
common or possible ) network port on some remote machine, and to attempt to
make contact.

Once it is determined that a particular computer is listening to a particular port,
then the next step is to determine what daemon is listening, and whether or not
it is a version containing a known security flaw that can be exploited.

Because port scanning is easily detected and traced, it is usually launched
from zombie systems, i.e. previously hacked systems that are being used
without the knowledge or permission of their rightful owner.

For this reason it is important to protect "innocuous" systems and accounts as
well as those that contain sensitive information or special privileges.



System and Network Threats :

There are also port scanners available that administrators can use to check their own
systems, which report any weaknesses found but which do not exploit the
weaknesses or cause any problems.

Two such systems are nmap and nessus. (Nmap ("Network Mapper") is a free and
open source utility for network discovery and security auditing.)

The former identifies what OS is found, what firewalls are in place, and what
services are listening to what ports. The latter also contains a database of known
security holes, and identifies any that it finds.

Denial of Service :

Overload the targeted computer preventing it from doing any useful work

Distributed denial-of-service (DDOS) attacks come from multiple sites at once.



System and Network Threats :

Consider the start of the IP-connection handshake (SYN)

How many started-connections can the OS handle?

Consider traffic to a web site

How can you tell the difference between being a target and being really popular?
Accidental – CS students writing bad fork() code

Purposeful – extortion, punishment

A zombie is a computer connected to the Internet that has been compromised by a
hacker, computer virus, computer worm, or trojan horse program.

A zombie virus gains access to a computer or smartphone system through the
Internet and takes control of its resources.



Cryptography as a Security Tool :

Cryptography is the study of secure communications techniques that allow
only the sender and intended recipient of a message to view its contents.

When transmitting electronic data, the most common use of cryptography is to
encrypt and decrypt email and other plain-text messages.


Cryptography enables a recipient of a message to verify that the message was
created by some computer possessing a certain key. Similarly, a sender can
encode its message so that only a computer with a certain key can decode the
message.



Cryptography as a Security Tool :
1. Broadest security tool available

Internal to a given computer, source and destination of messages can be known
and protected
→ OS creates, manages, protects process IDs, communication ports

Source and destination of messages on network cannot be trusted without
cryptography
→ Local network – IP address?
– Consider unauthorized host added
→ WAN / Internet – how to establish authenticity
– Not via IP address



Cryptography as a Security Tool :
2. Means to constrain potential senders (sources) and / or receivers (destinations)
of messages.

Modern cryptography is based on secrets called keys that are selectively
distributed to computers in a network and used to process messages.

Based on secret keys (the key plays a vital role) – with the help of keys, both
encoding (sender side) and decoding (receiver side) are done.

Enables :

→ Confirmation of source

→ Receipt only by certain destination

→ Trust relationship between sender and receiver



Encryption :

Encryption is used frequently in many aspects of modern computing.

It is used to send messages securely across a network, as well as to protect database
data, files, and even entire disks from having their contents read by unauthorized
entities.

An encryption algorithm consists of the following components:
• A set K of keys.
• A set M of messages.
• A set C of ciphertexts (encrypted messages).

A function E : K → (M → C). That is, for each k ∈ K, $E_k$ is a function for
generating ciphertexts from messages
→ Both E and $E_k$ for any k should be efficiently computable functions

A function D : K → (C → M). That is, for each k ∈ K, $D_k$ is a function for
generating messages from ciphertexts
→ Both D and $D_k$ for any k should be efficiently computable functions



Encryption :

An encryption algorithm must provide this essential property: Given a ciphertext c
∈ C, a computer can compute m such that $E_k(m) = c$ only if it possesses k

Thus, a computer holding k can decrypt ciphertexts to the plaintexts used to produce
them, but a computer not holding k cannot decrypt ciphertexts

Since ciphertexts are generally exposed (for example, sent on the network), it is
important that it be infeasible to derive k from the ciphertexts

Symmetric encryption uses a private key to encrypt and decrypt an encrypted email
(symmetric encryption uses one secret key for both encryption and decryption).

Asymmetric encryption uses the public key of the recipient to encrypt the message.
Then, if the recipient wants to decrypt the message, the recipient will have to use
his/her private key to decrypt (asymmetric encryption uses a public key for
encryption and a private key for decryption).



Symmetric Encryption :

In a symmetric encryption algorithm, the same key is used to encrypt and to
decrypt.

Note that the key exchange can take place directly between the two parties or via a
trusted third party.

Data-encryption standard (DES) cipher adopted by the National Institute of
Standards and Technology (NIST).

DES works by taking a 64-bit value and a 56-bit key and performing a series of
transformations that are based on substitution and permutation operations.

DES works on a block of bits at a time and is known as a block cipher. With block
ciphers, if the same key is used for encrypting an extended amount of data, it
becomes vulnerable to attack.

DES is now considered insecure for many applications. Rather than giving up on
DES, NIST created a modification called triple DES, in which the DES algorithm is
repeated three times (two encryptions and one decryption) on the same plaintext
using two or three keys.
Symmetric Encryption :

For example, $c = E_{k_3}(D_{k_2}(E_{k_1}(m)))$. When three keys are used, the effective
key length is 168 bits. Triple DES is in widespread use today.

In 2001, NIST adopted a new block cipher, called the advanced encryption
standard (AES), to replace DES.

AES is another block cipher. It can use key lengths of 128, 192, or 256 bits
and works on 128-bit blocks. Generally, the algorithm is compact and efficient.

RC4 is the most common symmetric stream cipher, but is known to have
vulnerabilities
→ A stream cipher is designed to encrypt and decrypt a stream of bytes or bits
rather than a block (i.e., wireless transmission)
→ A keystream is an infinite set of bits that can be used to encrypt a plaintext
stream by simply XORing it with the plaintext.



A secure communication over an insecure medium :



Asymmetric Encryption :

Public-key encryption based on each user having two keys:

→ Public key – published key used to encrypt data

→ Private key – key known only to individual user used to decrypt data

Must be an encryption scheme that can be made public without making it easy to
figure out the decryption scheme

→ Most common is RSA block cipher

→ Efficient algorithm for testing whether or not a number is prime

→ No efficient algorithm is known for finding the prime factors of a number



Asymmetric Encryption :

Formally, it is computationally infeasible to derive $k_{d,N}$ from $k_{e,N}$, and so $k_e$
need not be kept secret and can be widely disseminated

→ $k_e$ is the public key

→ $k_d$ is the private key

→ N is the product of two large, randomly chosen prime numbers p and q

(for example, p and q are 512 bits each)

→ Encryption algorithm is $E_{k_e,N}(m) = m^{k_e} \bmod N$, where $k_e$ satisfies

$k_e k_d \bmod (p-1)(q-1) = 1$

→ The decryption algorithm is then $D_{k_d,N}(c) = c^{k_d} \bmod N$



Asymmetric Encryption Example :

For example, make p = 7 and q = 13

We then calculate N = 7∗13 = 91 (N is the product of two large, randomly chosen
prime numbers p and q) and (p−1)(q−1) = 72

We next select $k_e$ relatively prime to 72 and < 72, yielding 5

Finally, we calculate $k_d$ such that $k_e k_d \bmod 72 = 1$, yielding 29

We now have our keys
→ Public key, $k_{e,N}$ = 5, 91
→ Private key, $k_{d,N}$ = 29, 91

Encrypting the message 69 with the public key results in the ciphertext 62

Ciphertext can be decoded with the private key
→ Public key can be distributed in cleartext to anyone who wants to
communicate with holder of public key
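The worked numbers above, carried through in code as an added example that is not part of the original slides. It uses the slide's toy primes p = 7 and q = 13, derives the private exponent with the extended Euclidean algorithm, and picks the smallest valid public exponent (an assumption that reproduces the slide's 5); the function names are illustrative, and numbers this small only demonstrate the arithmetic.

```c
#include <stdint.h>
#include <stdio.h>

struct rsa_key { uint64_t ke, kd, n; };

/* Modular exponentiation by repeated squaring: base^exp mod n.
 * Intermediate products fit in 64 bits only while n < 2^32. */
uint64_t mod_pow(uint64_t base, uint64_t exp, uint64_t n)
{
    uint64_t result = 1 % n;

    base %= n;
    while (exp > 0) {
        if (exp & 1)
            result = (result * base) % n;
        base = (base * base) % n;
        exp >>= 1;
    }
    return result;
}

/* Extended Euclid: returns d in [1, phi) with (e * d) mod phi == 1,
 * or 0 if e and phi are not relatively prime (no inverse exists). */
uint64_t mod_inverse(uint64_t e, uint64_t phi)
{
    int64_t r0 = (int64_t)phi, r1 = (int64_t)(e % phi);
    int64_t t0 = 0, t1 = 1;

    while (r1 != 0) {
        int64_t q = r0 / r1;
        int64_t r2 = r0 - q * r1;
        int64_t t2 = t0 - q * t1;
        r0 = r1; r1 = r2;
        t0 = t1; t1 = t2;
    }
    if (r0 != 1)
        return 0;
    return (uint64_t)(t0 < 0 ? t0 + (int64_t)phi : t0);
}

/* Build a toy key pair from primes p and q using the smallest ke that is
 * relatively prime to (p-1)(q-1). Returns 0 on success, -1 otherwise. */
int rsa_toy_keygen(uint64_t p, uint64_t q, struct rsa_key *key)
{
    uint64_t phi = (p - 1) * (q - 1);

    for (uint64_t e = 2; e < phi; e++) {
        uint64_t d = mod_inverse(e, phi);
        if (d != 0) {
            key->ke = e;
            key->kd = d;
            key->n = p * q;
            return 0;
        }
    }
    return -1;
}

/* Check that decrypting the encryption of every m in [0, N) returns m. */
int rsa_roundtrip_ok(const struct rsa_key *key)
{
    for (uint64_t m = 0; m < key->n; m++) {
        uint64_t c = mod_pow(m, key->ke, key->n);
        if (mod_pow(c, key->kd, key->n) != m)
            return 0;
    }
    return 1;
}

int main(void)
{
    struct rsa_key key;
    uint64_t c, m;

    if (rsa_toy_keygen(7, 13, &key) != 0)
        return 1;
    c = mod_pow(69, key.ke, key.n);   /* encrypt with the public key */
    m = mod_pow(c, key.kd, key.n);    /* decrypt with the private key */

    printf("public key  (ke, N) = (%llu, %llu)\n",
           (unsigned long long)key.ke, (unsigned long long)key.n);
    printf("private key (kd, N) = (%llu, %llu)\n",
           (unsigned long long)key.kd, (unsigned long long)key.n);
    printf("E(69) = %llu, D(%llu) = %llu\n", (unsigned long long)c,
           (unsigned long long)c, (unsigned long long)m);
    printf("all messages round-trip: %d\n", rsa_roundtrip_ok(&key));
    return 0;
}
```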



Encryption and decryption using RSA asymmetric cryptography :



Cryptography :
Note :

Symmetric cryptography based on transformations

Asymmetric based on mathematical functions

→ Asymmetric much more compute intensive

→ Typically not used for bulk data encryption



Authentication :

Authentication involves verifying the identity of the entity who transmitted a
message.

Constraining set of potential senders of a message
→ Complementary to encryption
→ Also can prove message unmodified

Algorithm components
→ A set K of keys
→ A set M of messages
→ A set A of authenticators
→ A function S : K → (M→ A)

That is, for each k ∈ K, $S_k$ is a function for generating authenticators from
messages

Both S and $S_k$ for any k should be efficiently computable functions



Authentication :

A function V : K → (M × A → {true, false}). That is, for each k ∈ K, $V_k$ is a
function for verifying authenticators on messages

→ Both V and $V_k$ for any k should be efficiently computable functions



For a message m, a computer can generate an authenticator a ∈ A such that
$V_k(m, a)$ = true only if it possesses k

Thus, computer holding k can generate authenticators on messages so that any other
computer possessing k can verify them.

Computer not holding k cannot generate authenticators on messages that can be
verified using $V_k$

Since authenticators are generally exposed (for example, they are sent on the
network with the messages themselves), it must not be feasible to derive k from the
authenticators



Authentication :

Practically, if $V_k(m, a)$ = true then we know m has not been modified and that the
sender of the message has k.

→ If we share k with only one entity, know where the message originated

Authentication – Hash Functions :



Basis of authentication

Creates small, fixed-size block of data, the message digest (hash value), from m

Hash Function H must be collision resistant on m

→ Must be infeasible to find an m’ ≠ m such that H(m) = H(m’)



If H(m) = H(m’), then m = m’

→ The message has not been modified



Authentication :

Common message-digest functions include MD5, which produces a 128-bit hash,
and SHA-1, which outputs a 160-bit hash

Not useful as authenticators

→ For example H(m) can be sent with a message

→ But if H is known someone could modify m to m’ and recompute H(m’), and the
modification would not be detected

→ So must authenticate H(m)

Why authentication if it is a subset of encryption?



Fewer computations (except for RSA digital signatures)

Authenticator usually shorter than message

Sometimes want authentication but not confidentiality

Can be basis for non-repudiation



Authentication :
Key Distribution:

Delivery of symmetric key is huge challenge
→ Sometimes done out-of-band

Asymmetric keys can proliferate – stored on key ring
→ Even asymmetric key distribution needs care – man-in-the-middle attack
Digital Certificates :

Proof of who or what owns a public key

Public key digitally signed by a trusted party

Trusted party receives proof of identification from entity and certifies that public
key belongs to entity

Certificate authorities are trusted parties – their public keys are included with web
browser distributions
→ They vouch for other authorities via digitally signing their keys, and so on



A man-in-the-middle attack on asymmetric cryptography:



Implementation of Cryptography :

Can be done at various layers of ISO Reference Model

At the network layer the most common standard is IPsec, a secure form of the IP
layer, which is used to set up Virtual Private Networks, VPNs.

At the transport layer the most common implementation is SSL, described below.



Encryption and security can be implemented at any
layer in the stack, with pros and cons to each choice:
• Because packets at lower levels contain the
contents of higher layers, encryption at lower
layers automatically encrypts higher layer
information at the same time.
• However security and authorization may be
important to higher levels independent of the
underlying transport mechanism or route taken.



User Authentication :

A major security problem for operating systems is user authentication.
The protection system depends on the ability to identify the programs and
processes currently executing, which in turn depends on the ability to
identify each user of the system.
Password:

User identity most often established through passwords, can be considered a
special case of either keys or capabilities
Password Vulnerabilities:

Passwords can be guessed.

"Shoulder surfing" involves looking over people's shoulders while they are
typing in their password.

"Packet sniffing" involves putting a monitor on a network connection and
reading data contained in those packets.

Passwords can be given away to friends or co-workers, destroying the
integrity of the entire user-identification system.
User Authentication :

Passwords must be kept secret
→ Frequent change of passwords
→ History to avoid repeats
→ Use of “non-guessable” passwords

Passwords may also either be encrypted or allowed to be used only once

→ Does encrypting passwords solve the exposure problem?

→ Might solve sniffing

→ Consider shoulder surfing

→ Consider Trojan horse keystroke logger

→ How are passwords stored at authenticating site?



User Authentication :

Encrypt to avoid having to keep secret
→ But keep secret anyway (i.e. Unix uses superuser-only readable file
/etc/shadow)
→ Use algorithm easy to compute but difficult to invert
→ Only encrypted password stored, never decrypted
→ Add “salt” to avoid the same password being encrypted to the same value

One-time passwords: one-time password (OTP), also known as a one-time PIN,
one-time authorization code (OTAC) or dynamic password, is a password that is
valid for only one login session or transaction, on a computer system or other
digital device.
→ Use a function based on a seed to compute a password, both user and computer
→ Hardware device / calculator / key fob to generate the password
→ Changes very frequently



User Authentication :

Biometrics involve a physical characteristic of the user that is not easily forged
or duplicated and not likely to be identical between multiple users.

• Fingerprint scanners are getting faster, more accurate, and more economical.

• Palm readers can check thermal properties, finger length, etc.

• Retinal scanners examine the back of the users' eyes.

• Voiceprint analyzers distinguish particular voices.

• Difficulties may arise in the event of colds, injuries, or other physiological
changes.



Implementing Security Defences :

Defense in depth is most common security theory – multiple layers of security

Security policy describes what is being secured

Vulnerability assessment compares real state of system / network to security
policy

Intrusion detection endeavors to detect attempted or successful intrusions
→ Signature-based detection spots known bad patterns
→ Anomaly detection spots differences from normal behavior; can detect zero-day attacks
→ False-positives and false-negatives a problem

Virus protection
→ Searching all programs or programs at execution for known virus patterns
→ Or run in sandbox so can’t damage system

Auditing, accounting, and logging of all or specific system or network activities

Practice safe computing – avoid sources of infection, download from only “good”
sites, etc



Firewalling to Protect Systems and Networks:

A firewall is a computer, appliance, or router that sits between the trusted and the
untrusted.

A network firewall limits network access between the two security domains and
monitors and logs all connections.

It can also limit connections based on source or destination address, source or
destination port, or direction of the connection.

A firewall may allow only HTTP to pass from all hosts outside the firewall to the
web server within the firewall.

A common implementation has the Internet as the untrusted domain, a semi-trusted
and semi-secure network, called the demilitarized zone (DMZ), as a second domain,
and the company computers as the trusted domain.

Connections are allowed from the Internet to the DMZ computers and from the
company computers to the Internet but are not allowed from the Internet or DMZ
computers to the company computers.



Firewalling to Protect Systems and Networks:

Optionally, controlled communications may be allowed between the DMZ and one
company computer or more.

For instance, a web server on the DMZ may need to query a database server on the
corporate network.

With a firewall, however, access is contained, and any DMZ systems that are broken
into still are unable to access the company computers.

Firewalls themselves need to be resistant to attacks, and unfortunately have several
vulnerabilities:
• Tunneling, which involves encapsulating forbidden traffic inside of packets
that are allowed.
• Denial of service attacks addressed at the firewall itself.
• Spoofing, in which an unauthorized host sends packets to the firewall with the
return address of an authorized host.
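
An added example, not part of the original slides: a default-deny evaluator for the three-domain policy described above, with the single web-server-to-database exception and a check that rejects packets whose source address does not match the domain they arrived from (the spoofing case). The interface names, addresses, database port and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed address plan and hosts (assumptions, not from the slides).
NETS = {"company": ipaddress.ip_network("10.0.0.0/16"),
        "dmz": ipaddress.ip_network("192.0.2.0/24")}
IFACE_ZONE = {"eth0": "internet", "eth1": "dmz", "eth2": "company"}
WEB = ipaddress.ip_address("192.0.2.10")   # hypothetical DMZ web server
DB = ipaddress.ip_address("10.0.5.20")     # hypothetical company database server
DB_PORT = 5432                             # assumed database port

LOG = []  # the firewall logs every connection decision


def zone_of(ip):
    """Security domain an address belongs to; unknown addresses are the Internet."""
    for name, net in NETS.items():
        if ip in net:
            return name
    return "internet"


def decide(in_iface, src, dst, dport):
    """Verdict for a new connection arriving on in_iface from src to dst:dport."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_zone, dst_zone = IFACE_ZONE[in_iface], zone_of(dst_ip)
    if zone_of(src_ip) != src_zone:
        # Source address claims a domain other than the one it arrived from.
        verdict = "deny: spoofed source"
    elif (src_ip, dst_ip, dport) == (WEB, DB, DB_PORT):
        verdict = "allow: dmz web server to database"  # the one controlled exception
    elif src_zone == "internet" and dst_ip == WEB and dport == 80:
        verdict = "allow: http to web server"
    elif src_zone == "company" and dst_zone == "internet":
        verdict = "allow: outbound"
    else:
        verdict = "deny: default"  # Internet or DMZ to company lands here
    LOG.append((in_iface, src, dst, dport, verdict))
    return verdict
```

Because the source domain is taken from the arrival interface rather than from the packet's own source address, a packet from the Internet that carries the web server's address does not inherit the database exception.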



Firewalling to Protect Systems and Networks:

A personal firewall is a software layer either included with the operating system or
added as an application.

Rather than limiting communication between security domains, it limits
communication to (and possibly from) a given host.

For example, a user could add a personal firewall to her PC so that a Trojan horse
would be denied access to the network to which the PC is connected.

An application proxy firewall understands the protocols that applications speak
across the network.

For example, SMTP is used for mail transfer. An application proxy can monitor the
traffic as it forwards the message, watching for and disabling illegal commands,
attempts to exploit bugs, and so on.

System-call firewalls sit between applications and the kernel, monitoring system-
call execution.



Network Security Through Domain Separation Via Firewall:



Computer-Security Classifications :

The U.S. Department of Defense Trusted Computer System Evaluation Criteria
specify four security classifications in systems: A, B, C, and D.

The lowest-level classification is division D, or minimal protection.

Division D includes only one class and is used for systems that have failed to meet
the requirements of any of the other security classes.

C – Provides discretionary protection through auditing

→ Divided into C1 and C2

→ C1 identifies cooperating users with the same level of protection

→ C2 allows user-level access control



B – All the properties of C; however, each object may have unique sensitivity labels

→ Divided into B1, B2, and B3



A – Uses formal design and verification techniques to ensure security