Unit -3

Security and Protection in Operating System

3.1 Goals of Protection

• Obviously to prevent malicious misuse of the system by users or programs.

• To ensure that each shared resource is used only in accordance with
system policies, which may be set either by system designers or by system
administrators.
• To ensure that errant programs cause the minimal amount of damage possible.
• Note that protection systems only provide the mechanisms for enforcing
policies and ensuring reliable systems. It is up to administrators and users to
implement those mechanisms effectively.

3.2 Principles of Protection

• The principle of least privilege dictates that programs, users, and systems be
given just enough privileges to perform their tasks.
• This ensures that failures do the least amount of harm and allow the least of
harm to be done.
• For example, if a program needs special privileges to perform a task, it is better
to make it a SGID program with group ownership of "network" or "backup" or
some other pseudo group, rather than SUID with root ownership. This limits
the amount of damage that can occur if something goes wrong.
• Typically each user is given their own account, and has only enough privilege
to modify their own files.
• The root account should not be used for normal day to day activities - The
System Administrator should also have an ordinary account, and reserve use of
the root account for only those tasks which need the root privileges

3.3 Domain of Protection

• A computer can be viewed as a collection of processes and objects ( both HW

& SW ).
• The need to know principle states that a process should only have access to
those objects it needs to accomplish its task, and furthermore only in the modes
for which it needs access and only during the time frame when it needs access.
• The modes available for a particular object may depend upon its type.
3.3.1 Domain Structure

• A protection domain specifies the resources that a process may access.

• Each domain defines a set of objects and the types of operations that
may be invoked on each object.
• An access right is the ability to execute an operation on an object.
• A domain is defined as a set of < object, { access right set } > pairs, as
shown below. Note that some domains may be disjoint while others
overlap.

Figure 3.1 - System with three protection domains.

• The association between a process and a domain may

be static or dynamic.
o If the association is static, then the need-to-know principle
requires a way of changing the contents of the domain
dynamically.
o If the association is dynamic, then there needs to be a mechanism
for domain switching.
• Domains may be realized in different fashions - as users, or as processes,
or as procedures. E.g. if each user corresponds to a domain, then that
domain defines the access of that user, and changing domains involves
changing user ID.

3.4 Access Control

• A crucial element of operating systems is protection, controlling who is

permitted to access various system resources.
• An operating system is responsible for giving programs access to the resources
they need when they run. Different users will have different access privileges to
files, devices, and other system resources. The operating system must enforce
these access privileges.
• Access control works at a number of levels (Figure 3.1).
• Application
• Middleware
• Operating system
• Hardware

ApplicationMiddlew

areOperating

systemHardware

Figure 3.2: Access controls at different levels in a system

1. The access control mechanisms the user sees at the application level may
express a very rich and complex security policy. A modern online busi-
ness could assign staff to one of dozens of different roles, each of which
could initiate some subset of several hundred possible transactions in the
system. Some of these (such as refunds) might require dual control or
approval from a supervisor. And that’s nothing compared with the com-
plexity of the access controls on a modern social networking site, which
will have a thicket of rules and options about who can see, copy, and
search what data from whom.
2. The applications may be written on top of middleware, such as a
database management system or bookkeeping package, which enforces a
number of protection properties. For example, bookkeeping soft- ware
may ensure that a transaction which debits one ledger for a certain
amount must credit another ledger for the same amount, while database
software typically has access controls specifying which dictio- naries a
given user can select, and which procedures they can run.
3. The middleware will use facilities provided by the underlying operating
system. As this constructs resources such as files and communications
ports from lower level components, it acquires the responsibility for pro-
viding ways to control access to them.
 4. Finally, the operating system access controls will usually rely on hard-
ware features provided by the processor or by associated memory
management hardware. These control which memory addresses a given
process can access.

3.4.1 Subjects and objects

In order to determine who gets to do what, the first thing that the operating
system needs is the user’s identity. Typically, the login program establishes that
by getting the user’s credentials, which usually comprise a login name to
identify the user and password to authenticate the user. The system then
associates a unique user ID number with that user and grants access to
resources based on that ID.

When we look at access control, we talk in terms of subjects and objects.

A subject is the thing that needs to access the resources, or objects. Often, the
subject is the user. However, the subject can also be a logical entity. For
example, you might run the postfix mail server and create a user ID of postfix
for that server even if it does not correspond to a human user. Having this
distinct ID will enable you to configure access rights for the postfix server that
are distinct from other users. You will also likely do this for certain other
servers, such as a web server.

Processes run with the identity & authority of some user identifier. This
identifies the subject or principal (or security principal). The terms are often
used interchangeably but there are slight differences. A subject is any entity
that requests access to an object, often a user. A principal is a unique identity
for a user. The subject resolves to a principal when you log in; your user ID is
the principal. A subject might have multiple identities and be associated with a
set of principals. Principals don’t need to be humans. The identity of a program
or process may be a principal. We will not worry about the distinction in our
discussions and will casually talk about users or subjects – just keep in mind
that we really refer to the user ID that the operating system assigned to that
subject.
 An object is the resource that the subject may access. The resource is often a
file but may also be a device, communication link, or even another subject. In
most modern operating systems, devices are treated with the same abstraction
as files. In POSIX6 systems, the file system namespace contains names and
permissions for devices; an attribute tells the system it’s not a data file.

Access control defines allowable operations of subjects on objects: it defines

what different subjects are allowed to do or defines what can be done to
different objects.

As we will soon see, most operating systems define what can be done with
different objects, meaning that permissions are associated with each object.

3.4.2 The access control matrix

The access controls provided with an operating system typically
authenticateprincipals using a mechanism such as passwords or
Kerberos, then mediate their access to files, communications ports and
other system resources.
Their effect can often be modelled by a matrix of access
permissions, with columns for files and rows for users.

Figure3.3:Accesscontrolmatrix

• Domain switching can be easily supported under this model, simply by

providing "switch" access to other domains:
 Figure 3.4 - Access matrix of Figure 14.3 with domains as objects.

• The ability to copy rights is denoted by an asterisk, indicating that

processes in that domain have the right to copy that access within the same
column, i.e. for the same object. There are two important variations:
o If the asterisk is removed from the original access right, then the right
is transferred, rather than being copied. This may be termed
a transfer right as opposed to a copy right.
o If only the right and not the asterisk is copied, then the access right is
added to the new domain, but it may not be propagated further. That is
the new domain does not also receive the right to copy the access. This
may be termed a limited copy right, as shown in Figure 3.4 below:

Figure 3.5 - Access matrix with copy rights.

• The owner right adds the privilege of adding new rights or removing existing
ones:

Figure 3.6 - Access matrix with owner rights.

• Copy and owner rights only allow the modification of rights within a column.
The addition of control rights, which only apply to domain objects, allow a
process operating in one domain to affect the rights available in other domains.
For example in the table below, a process operating in domain D2 has the right
to control any of the rights in domain D4.
 Figure 3.7. - Modified access matrix of Figure 3.3

3.5 Implementation of Access Matrix

3.5.1 Global Table

• The simplest approach is one big global table with < domain, object,
rights > entries.
• Unfortunately this table is very large ( even if sparse ) and so cannot be
kept in memory ( without invoking virtual memory techniques. )
• There is also no good way to specify groupings - If everyone has access
to some resource, then it still needs a separate entry for every domain.

3.5.2 Access Control Lists

Another way of simplifying the management of access rights is to store the

access control matrix a column at a time, along with the resource to which the
column refers. This is called an access control list or ACL (pronounced
‘ackle’).
Figure3.8 Access Control List

• Even when a basic access matrix works satisfies most of our needs,
implementing it becomes unwieldy. It will lead to a huge table with
dynamically changing rows (each time users or groups are added or
removed) and objects (whenever files or devices are added or deleted).
Even on personal computers, this table can easily contain several billion
entries, making it impractical to store and access efficiently.

• The access control matrix can easily become far too large to store in
memory but we want lookups in to be efficient. We’d like to avoid extra
block reads from the disk just to get access permission information for a
user on a file. In practice, implementing an access control matrix in a
system is not practical.

• Instead, we can break apart the access control matrix by columns. Each
column represents an object and we can store the permissions of each
subject with each object.

• When the operating system accesses the object, it also accesses the list of
access permissions for that object. Adding new permissions is done on
an object-by-object basis.
 • When we open file F0, we can at that time get the access control list for
that file, telling us what each subject is allowed to do to that file. This is
called an access control list (ACL). All current operating systems use
access control lists.

3.5.3 Capability lists

The next way to manage the access control matrix is to store it by rows. These
are called capabilities

Figure 3.9 Acapability

An access control list associates column with each object. That is, each object
stores a list of access permissions for all the domains (subjects). Another way
of breaking up the access control matrix is by rows. We can associate a row of
the table with each domain (subject). This is called a capability list. A
capability** is the set of operations that the subject is allowed to perform on a
specific object. Each subject now has a complete list of capabilities.

Before the operating system performs a request on an object, it will check the
subjects capability list and see if the requested access is allowed for that object.
A process, of course, cannot freely modify its capability list unless it has a
control attribute for all objects in the domain or is the owned of a specific
object.
Capability lists have the advantage that, because they are associated with a
subject, the system does not have to read any additional data to check access
rights each time an object is accessed, as it has to do to read an access control
list. It is also very easy to delegate rights from one user to another user: simply
copy the capability list. If a user must be deleted, it is also easy to handle that:
simply delete the capability associated with that user; there is no need to go
through the access control list of every file in the file system.

In practical use, the disadvantages of capability lists outweigh its advantages. It

is incredibly difficult to change a file’s access permissions on a global level:
you have to go through ever user’s capability list and modify it. There is no
easy way to find all users that have access to a resource short of checking every
user’s capability list. Capability lists have generally failed to attain mainstream
use. They were deployed in IBM’s AS/400 system and in a research system
from Cambridge University called CAP. Beyond that, access control lists
(either full ones or the truncated Unix versions) won out.

However, the idea of a capability list is useful with networked services. You
often connect to servers that do not know you and where you do not have an
account. In such cases, authorization and single sign-on services such as OAuth
and Kerberos can provide an unmodifiable message stating who a user is and
what operations they are allowed to perform.

Microsoft incorporated a form of capabilities into Windows (since Windows

2000). The primary access control mechanism on Windows is Access Control
Lists (referred to as Discretionary Access Control Lists, or DACL). However,
systems need to be able to support centralized account management and and
authentication via Active Directory servers. Authentication is a sign-in process
that returns a Security Identifier (SID) for a user along with a list of SIDs for
the groups of which the User is a member. This information is then used to
create a single access token, which is attached to every thread and process that
executes on the user’s behalf. Whenever the thread needs to access an object or
perform any system task that requires user rights, the operating system checks
that access token.
 3.6 Trusted Computing

3.6.1. Introduction to Trusted Computing

• Definition:
Trusted Computing (TC) refers to technologies and standards developed to
enhance computer security and trustworthiness.
o Key Objective: Ensure that a computing environment behaves as
expected by its owner or controller.

3.6.2Trusted Computing Framework

The framework consists of:

• Trusted Hardware: Components like the TPM chip, which act as a foundation
for security.
• Secure Boot Mechanisms: Verifies the integrity of the system during startup.
• Attestation Protocols: Enables remote verification of system trustworthiness.

3.6.3 Why Trusted Computing is Important

• Increasing Complexity: Modern computing systems are complex, making

them susceptible to advanced persistent threats (APTs).
• Critical Systems: Trusted Computing is crucial in areas like finance,
healthcare, and defense, where breaches can have catastrophic consequences.
• Emerging Threats: With the rise of IoT, cloud computing, and AI, ensuring
trust at all levels (hardware, software, and network) is more important than
ever.

3.6.4 Key Concepts of Trusted Computing

Trust

• Definition:
Trust is the confidence that a system will behave as intended under specific
conditions. In computing, this means ensuring that hardware, software, and
firmware remain uncompromised.
• Trust Requirements:
 o Systems must be verifiable.
o Mechanisms for integrity checking must be robust and reliable.

Root of Trust

• Definition:
The foundation upon which all other trust in the system is built. It is typically
hardware-based to ensure tamper resistance.
• Types of Roots of Trust:
1. Root of Trust for Measurement (RTM): Ensures the accuracy of
integrity measurements.
2. Root of Trust for Storage (RTS): Protects sensitive data like
cryptographic keys.
3. Root of Trust for Reporting (RTR): Enables secure and verifiable
reporting of the system state.

Trusted Platform Module (TPM)

• Overview:
A TPM is a hardware chip that provides a secure environment for
cryptographic operations and storing sensitive information.
• Key Functions:
o Platform Configuration Registers (PCRs): Store integrity metrics.
o Cryptographic Key Management: Securely generate, store, and
manage encryption keys.
o Random Number Generation: Provides a source of high-quality
random numbers for secure operations.
o Sealing: Binds data to a specific system state, ensuring its
confidentiality.

Integrity

• Definition:
Integrity ensures that data and system states are not altered without detection.
• Measurement and Reporting:
 o Measurements are taken during boot or runtime to ensure the system
matches a known good state.
o Reporting involves creating a verifiable log of these measurements.

Secure Boot and Measured Boot

• Secure Boot:
Ensures that only trusted software components are loaded during system
startup. If an untrusted component is detected, the boot process halts.
• Measured Boot:
Logs the integrity of each component loaded during boot, allowing for
verification without halting the system.

Remote Attestation

• Definition:
Remote attestation allows a third party to verify the integrity and
trustworthiness of a system remotely.
• How It Works:
1. The system takes measurements (hashes) of its current state using TPM.
2. The TPM signs these measurements using a secure key.
3. The signed measurements are sent to the verifier.
4. The verifier checks the measurements against a known good state.

Data Confidentiality and Sealing

• Data Confidentiality:
Ensures sensitive data is encrypted and inaccessible to unauthorized parties.
• Sealing:
o Data is encrypted and bound to a specific system state.
o If the system deviates from the expected state, access to the data is
denied.

Trust Chains
 • Definition:
A trust chain links multiple components (hardware, firmware, software) to
ensure that the trust established at the root propagates throughout the system.
• How It Works:
o Each layer verifies the integrity of the next layer before passing control.
o Any deviation from expected behavior breaks the trust chain.

3.6.2. Goals of Trusted Computing

• Establish hardware-based roots of trust.

• Ensure data confidentiality and integrity.
• Protect against unauthorized modifications to hardware, software, and
firmware.
• Provide mechanisms for secure boot and reliable attestation.

3.6.3. Components of Trusted Computing

a. Trusted Platform Module (TPM)

b. Root of Trust

c. Secure Boot

d. Remote Attestation

a. Trusted Platform Module (TPM)

• What is TPM?
o The Trusted Platform Module (TPM) is a hardware-based security
solution designed to protect sensitive data and enhance the security of
computing devices.
o It is a tamper-resistant chip embedded in modern computing devices,
acting as a root of trust for security operations.
• Purpose of TPM
o To safeguard sensitive information such as cryptographic keys,
passwords, and certificates.
 o To ensure the integrity of the platform by securely verifying the system
state during boot-up and runtime.
• Functions:
o Cryptographic Operations: Key generation, encryption, and
decryption.
o Secure Storage: Protect sensitive information such as encryption keys.

Platform Integrity Measurement: Ensures that the system is in a known good state.

2. Historical Background

• Development and Standards

o The TPM concept was first introduced by the Trusted Computing
Group (TCG), an industry consortium.
o Initial specifications: TPM 1.2 (released in 2003).
o Current specifications: TPM 2.0 (introduced in 2014), which provides
more flexibility, algorithms, and enhanced security features.
• Integration in Technology
o TPM is now a standard feature in many devices, including PCs, laptops,
servers, and IoT devices.
o Microsoft mandates TPM 2.0 as a hardware requirement for Windows
11.

3. Core Components of TPM

1. Platform Configuration Registers (PCRs):

o Special memory locations inside the TPM used to store cryptographic
measurements.
o Measure the state of the system (e.g., firmware, bootloader) to ensure
integrity.
2. Endorsement Key (EK):
o A unique, permanent key generated during the TPM manufacturing
process.
o Used to authenticate the TPM and ensure its trustworthiness.
3. Storage Root Key (SRK):
o A master key stored within the TPM to protect other keys and sensitive
data.
4. Cryptographic Co-Processor:
o Performs cryptographic operations like encryption, decryption, signing,
and hashing in a secure environment.
5. Random Number Generator (RNG):
 o Generates high-quality random numbers required for cryptographic
operations.

4. Key Features of TPM

1. Hardware-Based Security:
o Tamper-resistant design ensures physical and logical security.
2. Cryptographic Operations:
o TPM can generate and securely store cryptographic keys, perform digital
signing, and verify signatures.
3. Secure Boot and Measured Boot:
o Secure Boot: Prevents unauthorized software from loading during
startup.
o Measured Boot: Logs measurements of boot components and verifies
their integrity.
4. Remote Attestation:
o Provides verifiable proof of a system's integrity to a remote party.
5. Sealing and Binding:
o Sealing: Encrypts data in a way that it can only be decrypted if the
platform is in a specific state.
o Binding: Encrypts data using a TPM-protected key.
6. Platform Integrity Measurement:
o Measures and records the state of the system during boot and runtime,
ensuring no unauthorized changes occur.

5. Use Cases of TPM

1. Secure Key Management:

o Used in software like Microsoft BitLocker to store encryption keys
securely.
2. Device Authentication:
o TPM ensures secure device authentication in enterprise networks.
3. Disk Encryption:
o Enhances the security of disk encryption solutions by securely storing
encryption keys.
4. Digital Rights Management (DRM):
o Protects copyrighted content by ensuring compliance with usage
policies.
5. IoT Security:
 o Provides a root of trust for securing IoT devices against unauthorized
access.
6. Cloud Computing:
o Ensures virtual machine isolation and protects sensitive data in cloud
environments.

6. Types of TPM

1. Discrete TPM:
o A dedicated chip embedded in the device hardware.
o Provides the highest level of security as it is physically separated from
other components.
2. Integrated TPM:
o Implemented within other components, such as a chipset or CPU.
o Slightly less secure than discrete TPMs.
3. Firmware TPM (fTPM):
o Emulates TPM functionalities in firmware.
o Provides cost-effective solutions but may be less secure than hardware-
based TPMs.
4. Software TPM (sTPM):
o Fully implemented in software and used for development and testing.
o Does not provide hardware-level security.

7. TPM 1.2 vs. TPM 2.0

Feature TPM 1.2 TPM 2.0

Cryptographic Algorithms SHA-1, RSA SHA-1, SHA-256, RSA, ECC
Authorization Methods Simple password-based Role-based hierarchical auth
Flexibility Limited algorithm options Algorithm agility
Applications Older systems Modern systems (Windows 11)

b. Root of Trust
 • The Root of Trust (RoT) is a set of hardware, firmware, or software
components that form the foundation of a trusted computing
environment.
o It serves as the baseline for all secure operations, ensuring that the
system starts in a known good state and continues to operate securely.
• Purpose:
o To establish and maintain the integrity, confidentiality, and authenticity
of a computing platform.
o Acts as a reliable anchor for cryptographic processes, authentication, and
verification of system components.

2. Characteristics of a Root of Trust

• Immutable: The RoT is unmodifiable during runtime to prevent tampering.

• Reliable: It is designed to be highly trustworthy and resistant to attacks.
• Self-Contained: Operates independently from the rest of the system to avoid
dependencies that could compromise security.
• Isolated: Physically or logically separated from the main computing
components to minimize attack surfaces.

3. Types of Root of Trust

1. Root of Trust for Measurement (RTM):

o Measures the integrity of system components during the boot process.
o Captures cryptographic measurements (e.g., hashes of BIOS, firmware,
and OS loaders) and stores them in Platform Configuration Registers
(PCRs) within the Trusted Platform Module (TPM).
o Example: Secure/Measured Boot processes.
2. Root of Trust for Storage (RTS):
o Secures sensitive data such as cryptographic keys, passwords, and
certificates.
o Protects against unauthorized access or modification by encrypting the
data and storing it within the TPM or similar hardware.
3. Root of Trust for Reporting (RTR):
o Provides verifiable evidence about the system's integrity and state to
external entities.
o Enables remote attestation, where a remote party can verify the
platform's integrity without direct access to the device.
4. Components of a Root of Trust

1. Hardware-Based Root of Trust:

o Implemented in dedicated hardware components like the Trusted
Platform Module (TPM) or hardware security modules (HSMs).
o Provides a high level of security due to its resistance to tampering and
physical attacks.
2. Firmware-Based Root of Trust:
o Implemented in the firmware of a device, such as UEFI Secure Boot.
o Measures the integrity of the system and passes control only to verified
components.
3. Software-Based Root of Trust:
o Fully implemented in software, often used in virtualized environments.
o Less secure compared to hardware-based solutions due to higher
vulnerability to attacks.

5. Functionality of the Root of Trust

1. System Integrity Verification:

o Ensures that the system boot process starts with trusted firmware and
software components.
o Detects and prevents unauthorized changes or malicious software from
executing.
2. Cryptographic Operations:
o Performs secure cryptographic functions, such as key generation,
signing, and encryption.
o Protects sensitive cryptographic keys within a secure environment.
3. Secure Storage:
o Safeguards confidential data and prevents unauthorized access or
tampering.
o Used by disk encryption solutions like BitLocker.
4. Authentication and Identity Verification:
o Provides a trusted identity for the platform, enabling secure
communication with external systems.

• Examples: Secure Boot Process.

c. Secure Boot
 • Secure Boot is a security standard that ensures that a device boots using only
software that is trusted by the Original Equipment Manufacturer (OEM).

• Purpose:

• Prevent unauthorized software and malware from loading during the

boot process.

• Ensure the integrity of the operating system and firmware.

3. How Secure Boot Works

• Boot Process Overview:

1. Power On: The device is powered on, and the firmware (BIOS/UEFI)
initializes.

2. Firmware Verification: The firmware checks the digital signatures of

the bootloader and other critical components.

3. Chain of Trust: Each component in the boot process verifies the next
component in the chain, starting from the firmware to the operating
system.

4. Loading the OS: If all components are verified, the operating system is
loaded; otherwise, the boot process is halted.

• Key Concepts:

• Digital Signatures: Used to verify the authenticity and integrity of

software components.

• Public Key Infrastructure (PKI): A system that manages digital

certificates and public-key encryption to establish trust.

4. Components of Secure Boot

• Firmware (BIOS/UEFI):
 • Responsible for the initial hardware checks and loading the bootloader.

• UEFI (Unified Extensible Firmware Interface) is the modern

replacement for BIOS and supports Secure Boot.

• Bootloader:

• A small program that loads the operating system.

• Must be signed by a trusted key to be executed.

• Operating System:

• The OS kernel and drivers must also be signed to ensure they are trusted.

• Trusted Platform Module (TPM):

• Stores cryptographic keys and can be used to store measurements of the

boot process.

• Provides hardware-based security features.

d. Remote Attestation
• Remote attestation is a mechanism that enables a device (the "attester") to
prove to a remote party (the "verifier") that it is in a known and trusted state.
• Purpose:
• To provide assurance that the software and configuration of a device
have not been tampered with.
• To establish trust in a remote device before allowing it to participate in
secure communications or transactions.

How Remote Attestation Works

• Process Overview:
1. Measurement: During the boot process, the device measures the integrity
of its software components (e.g., BIOS, bootloader, OS) and stores these
measurements in the TPM.
 2. Quote Generation: The TPM generates a cryptographic "quote" that
includes the measurements and a signature, proving that the
measurements were taken by a trusted hardware component.
3. Communication: The attester sends the quote to the verifier along with
its public key and other relevant information.
4. Verification: The verifier checks the quote against expected values
(known good measurements) to determine if the attester is in a trusted
state.

Key Concepts:

• TPM: Provides secure storage for cryptographic keys and measurements.

• PCR (Platform Configuration Register): A register in the TPM that
stores integrity measurements. Each PCR can be extended with new
measurements, creating a chain of trust.
• Quote: A signed statement from the TPM that includes the current state
of the PCRs.

4. Benefits of Remote Attestation

• Integrity Verification: Ensures that the software running on a device is genuine
and has not been altered.
• Trust Establishment: Allows remote parties to establish trust in devices before
engaging in sensitive operations.
• Enhanced Security: Provides a foundation for secure communications, access
control, and policy enforcement.

Challenges and Considerations

• Privacy Concerns: Remote attestation can expose information about the

device's configuration and software, raising privacy issues.
• Complexity: Implementing remote attestation can be complex, requiring careful
management of keys, certificates, and policies.
• Interoperability: Different implementations of TPM and remote attestation
protocols may lead to compatibility issues.

Use Cases for Remote Attestation

 • Cloud Computing: Ensuring that virtual machines running in the cloud are in
a trusted state before allowing them to access sensitive data.
• IoT Devices: Verifying the integrity of IoT devices before they connect to a
network or communicate with other devices.
• Enterprise Security: Establishing trust in endpoints within an enterprise
network to enforce security policies.

Remote Attestation Protocols

• TPM-based Protocols: Utilize the TPM for secure measurement and quoting.
• DICE (Device Identifier Composition Engine): A framework for attesting
IoT devices, focusing on lightweight and efficient attestation methods.
• Trusted Computing Group (TCG) Standards: Various standards and
specifications for implementing remote attestation in trusted computing
environments.

3.6.4. Key Features of Trusted Computing

• Measured Boot: Sequential integrity checking of all boot processes.
• Data Encryption: Ensures data confidentiality and protects against tampering.
• Platform Configuration Registers (PCRs): Used in TPM to store integrity
metrics securely.

3.6.5. Challenges and Criticisms

• Privacy Concerns: Potential for misuse in monitoring and data collection.
• Vendor Lock-In: Trusted computing platforms might restrict users to specific
vendors or software.
• Complexity: Implementation and maintenance can be resource-intensive.
• Trust Dilemma: Reliance on a manufacturer for the integrity of TPM
hardware.

3.6.6. Applications of Trusted Computing

• Corporate Security: Protect sensitive corporate data on devices.
• Digital Rights Management (DRM): Enforce licensing and prevent piracy.
• Cloud Computing: Secure virtual machines and isolate workloads.
• IoT Security: Protect connected devices from unauthorized access.
3.4 MULTICS

• The MULTICS system uses a complex system of rings, each

corresponding to a different protection domain, as shown below:

Figure 3.10 - MULTICS ring structure.

• Rings are numbered from 0 to 7, with outer rings having a subset of the
privileges of the inner rings.
• Each file is a memory segment, and each segment description includes
an entry that indicates the ring number associated with that segment, as
well as read, write, and execute privileges.
• Each process runs in a ring, according to the current-ring-number, a
counter associated with each process.
• A process operating in one ring can only access segments associated
with higher ( farther out ) rings, and then only according to the access
bits. Processes cannot access segments associated with lower rings.
• Domain switching is achieved by a process in one ring calling upon a
process operating in a lower ring, which is controlled by several factors
stored with each segment descriptor:
o An access bracket, defined by integers b1 <= b2.
o A limit b3 > b2
o A list of gates, identifying the entry points at which the segments
may be called.
 • If a process operating in ring i calls a segment whose bracket is such that
b1 <= i<= b2, then the call succeeds and the process remains in ring i.
• Otherwise a trap to the OS occurs, and is handled as follows:
o If i< b1, then the call is allowed, because we are transferring to a
procedure with fewer privileges. However if any of the parameters
being passed are of segments below b1, then they must be copied
to an area accessible by the called procedure.
o If i> b2, then the call is allowed only if i<= b3 and the call is
directed to one of the entries on the list of gates.
• Overall this approach is more complex and less efficient than other
protection schemes.

3.6 Trojan Horse

• A Trojan Horse is a program that secretly performs some maliciousness in

addition to its visible actions.
• Some Trojan horses are deliberately written as such, and others are the result of
legitimate programs that have become infected with viruses, ( see below. )
• One dangerous opening for Trojan horses is long search paths, and in particular
paths which include the current directory ( "." ) as part of the path. If a
dangerous program having the same name as a legitimate program ( or a
common mis-spelling, such as "sl" instead of "ls" ) is placed anywhere on the
path, then an unsuspecting user may be fooled into running the wrong program
by mistake.
• Another classic Trojan Horse is a login emulator, which records a users account
name and password, issues a "password incorrect" message, and then logs off
the system. The user then tries again ( with a proper login prompt ), logs in
successfully, and doesn't realize that their information has been stolen.
• ( Special Note to UIC students: Beware that someone has registered the
domain name of uic.EU ( without the "D" ), and is running an ssh server
which will accept requests to any machine in the domain, and gladly accept
your login and password information, without, of course, actually logging
you in. Access to this site is blocked from campus, but you are on your own
off campus. )
• Two solutions to Trojan Horses are to have the system print usage statistics on
logouts, and to require the typing of non-trappable key sequences such as
Control-Alt-Delete in order to log in. ( This is why modern Windows systems
require the Control-Alt-Delete sequence to commence logging in, which cannot
 be emulated or caught by ordinary programs. I.e. that key sequence always
transfers control over to the operating system. )
• Spyware is a version of a Trojan Horse that is often included in "free" software
downloaded off the Internet. Spyware programs generate pop-up browser
windows, and may also accumulate information about the user and deliver it to
some central site. ( This is an example of covert channels, in which
surreptitious communications occur. ) Another common task of spyware is to
send out spam e-mail messages, which then purportedly come from the infected
user.

3.7 Viruses

• A virus is a fragment of code embedded in an otherwise legitimate program,

designed to replicate itself ( by infecting other programs ), and ( eventually )
wreaking havoc.
• Viruses are more likely to infect PCs than UNIX or other multi-user systems,
because programs in the latter systems have limited authority to modify other
programs or to access critical system structures ( such as the boot block. )
• Viruses are delivered to systems in a virus dropper, usually some form of a
Trojan Horse, and usually via e-mail or unsafe downloads.
• Viruses take many forms ( see below. ) Figure 15.5 shows typical operation of
a boot sector virus:
 Figure 3.11 A boot-sector computer virus.
• Some of the forms of viruses include:
o File - A file virus attaches itself to an executable file, causing it to run
the virus code first and then jump to the start of the original program.
These viruses are termed parasitic, because they do not leave any new
files on the system, and the original program is still fully functional.
o Boot - A boot virus occupies the boot sector, and runs before the OS is
loaded. These are also known as memory viruses, because in operation
they reside in memory, and do not appear in the file system.
o Macro - These viruses exist as a macro ( script ) that are run
automatically by certain macro-capable programs such as MS Word or
 Excel. These viruses can exist in word processing documents or
spreadsheet files.
o Source code viruses look for source code and infect it in order to spread.
o Polymorphic viruses change every time they spread - Not their
underlying functionality, but just their signature, by which virus
checkers recognize them.
o Encrypted viruses travel in encrypted form to escape detection. In
practice they are self-decrypting, which then allows them to infect other
files.
o Stealth viruses try to avoid detection by modifying parts of the system
that could be used to detect it. For example the read( ) system call could
be modified so that if an infected file is read the infected part gets
skipped and the reader would see the original unadulterated file.
o Tunneling viruses attempt to avoid detection by inserting themselves
into the interrupt handler chain, or into device drivers.
o Multipartite viruses attack multiple parts of the system, such as files,
boot sector, and memory.
o Armored viruses are coded to make them hard for anti-virus researchers
to decode and understand. In addition many files associated with viruses
are hidden, protected, or given innocuous looking names such as "...".
• In 2004 a virus exploited three bugs in Microsoft products to infect hundreds of
Windows servers ( including many trusted sites ) running Microsoft Internet
Information Server, which in turn infected any Microsoft Internet Explorer web
browser that visited any of the infected server sites. One of the back-door
programs it installed was a keystroke logger, which records users keystrokes,
including passwords and other sensitive information.
• There is some debate in the computing community as to whether
a monoculture, in which nearly all systems run the same hardware, operating
system, and applications, increases the threat of viruses and the potential for
harm caused by them.

3.7 Worms

• A worm is a process that uses the fork / spawn process to make copies of itself
in order to wreak havoc on a system. Worms consume system resources, often
blocking out other, legitimate processes. Worms that propagate over networks
 can be especially problematic, as they can tie up vast amounts of network
resources and bring down large-scale systems.
• One of the most well-known worms was launched by Robert Morris, a graduate
student at Cornell, in November 1988. Targeting Sun and VAX computers
running BSD UNIX version 4, the worm spanned the Internet in a matter of a
few hours, and consumed enough resources to bring down many systems.
• This worm consisted of two parts:
1. A small program called a grappling hook, which was deposited on the
target system through one of three vulnerabilities, and
2. The main worm program, which was transferred onto the target system
and launched by the grappling hook program.

Figure 3.12 The Morris Internet worm.

• The three vulnerabilities exploited by the Morris Internet worm were as
follows:
1. rsh ( remote shell ) is a utility that was in common use at that time for
accessing remote systems without having to provide a password. If a
user had an account on two different computers ( with the same account
name on both systems ), then the system could be configured to allow
that user to remotely connect from one system to the other without
having to provide a password. Many systems were configured so
that any user ( except root ) on system A could access the same account
on system B without providing a password.
 2. finger is a utility that allows one to remotely query a user database, to
find the true name and other information for a given account name on a
given system. For example "finger [email protected]" would
access the finger daemon at somemachine.edu and return information
regarding joeUser. Unfortunately the finger daemon ( which ran with
system privileges ) had the buffer overflow problem, so by sending a
special 536-character user name the worm was able to fork a shell on the
remote system running with root privileges.
3. sendmail is a routine for sending and forwarding mail that also included
a debugging option for verifying and testing the system. The debug
feature was convenient for administrators, and was often left turned on.
The Morris worm exploited the debugger to mail and execute a copy of
the grappling hook program on the remote system.
• Once in place, the worm undertook systematic attacks to discover user
passwords:
1. First it would check for accounts for which the account name and the
password were the same, such as "guest", "guest".
2. Then it would try an internal dictionary of 432 favorite password
choices. ( I'm sure "password", "pass", and blank passwords were all on
the list. )
3. Finally it would try every word in the standard UNIX on-line dictionary
to try and break into user accounts.
• Once it had gotten access to one or more user accounts, then it would attempt to
use those accounts to rsh to other systems, and continue the process.
• With each new access the worm would check for already running copies of
itself, and 6 out of 7 times if it found one it would stop. ( The seventh was to
prevent the worm from being stopped by fake copies. )
• Fortunately the same rapid network connectivity that allowed the worm to
propagate so quickly also quickly led to its demise - Within 24 hours remedies
for stopping the worm propagated through the Internet from administrator to
administrator, and the worm was quickly shut down.
• There is some debate about whether Mr. Morris's actions were a harmless prank
or research project that got out of hand or a deliberate and malicious attack on
the Internet. However the court system convicted him, and penalized him heavy
fines and court costs.
• There have since been many other worm attacks, including the
W32.Sobig.F@mm attack which infected hundreds of thousands of computers
and an estimated 1 in 17 e-mails in August 2003. This worm made detection
difficult by varying the subject line of the infection-carrying mail message,
including "Thank You!", "Your details", and "Re: Approved".

3.8 ROOTKIT
A rootkit is a collection of software that is used by the hacker and specially
designed for doing malicious attacks like malware attacks to gain control by
infecting its target user or network. There are different types of Methods by
which hackers install rootkits on the target user’s computer.
Methods:
Description
Methods

The primary goal of social engineering is to exploit

human weaknesses and psychology to gain access to
Social malware, systems for stealing data, personal
Engineering information, and more of the user because it is easy
to exploit the natural trustworthiness of their victims.

A phishing attack is an attack in which a hacker

sends a fraud or malicious message specifically
Phishing designed to trick a target. Through phishing attacks,
Attacks hackers spread ransomware into systems, bypassing
firewalls and taking out sensitive information or
taking control of systems.

Hackers hide malware in various unknown files such

Downloadable as archive files (.zip, .rar), etc. When a target user
software opens this malicious file, malwares automatically
enters the system and takes control of the system.
 Description
Methods

vulnerabilities in an application that compromise the

Software security of the application are called application
vulnerability vulnerabilities. Hackers exploit this vulnerability by
bypassing firewalls.

Types of Rootkits
Different Types of Rootkits are Explained Below:
Different Types
of Rootkits in
Description
cyber security

Firmware is software that provides instructions and

commands to allow hardware to work and
communicate with the software running on the
Firmware system. Firmware rootkits allow hackers to easily
Rootkits install malware on a memory chip on a target
computer’s motherboard, infect the target
computer’s hard drive or system BIOS, and
intercept data written to the hard drive.

Hackers use application rootkits to replace the target

user’s computer’s default files with rootkit files that
disrupt the working of default applications. The
Application hacker can gain access to the computer system
Rootkits whenever the target user opens the infected
application. It is difficult to detect a rootkit in an
application because the infected application looks
and works fine.

Memory Memory is the most important element in a

Different Types
of Rootkits in
Description
cyber security

Rootkits computer system because without it, the computer

cannot perform simple tasks. In a memory rootkit,
the hacker hides the rootkit in the RAM of the target
user’s computer, which makes it easy for the hacker
to perform malicious activities in the background,
but this rootkit has a short lifespan because the
RAM is a volatile memory due to which it lost all
its data when the power is turned off but sometimes
additional actions are required to get rid of memory
rootkit.

A bootloader control is a program that runs before

the operating system runs. The job of the boot-
loader is to start the operating system by putting it
Boot-loader into memory. Hackers use boot-loader rootkits to
Rootkits replace the legitimate boot-loader of the target
user’s computer with the hacked boot-loader. This
means that the rootkit is activated even before your
computer’s operating system starts.

The kernel is the core component of the operating

system, which facilitates the interaction between
hardware and software components using inter-
process communication and system calls. In simple
Kernel mode
word, it control everything in the system and
Rootkits
manages memory and CPU time operations. The
kernel is first loaded into memory when the OS is
loaded and remains there until the OS is shut down
again. Using a kernel-mode rootkit, hackers attack
 Different Types
of Rootkits in
Description
cyber security

the core of the target user’s computer’s operating

system, the kernel. In rootkit kernel mode, hackers
can change the functionality of the operating system
simply by adding their own programs, making it
easy for hackers to steal the personal information of
targeted users.

Preventive Measures:
Below are some preventive measures which we can follow for preventing
rootkit attacks.
1. A phishing attack is an attack in which hackers send malicious messages
designed to trick the targeted user. Using phishing attacks, hackers
spread ransomware on a target user’s computer by bypassing firewalls to
extract the target user’s sensitive or personal information. Therefore, never
click on attachments from unknown senders in emails. Avoid clicking on links
in unfamiliar emails. Also, avoid unfamiliar social media activity.
2. Hackers hide malware in various unknown files such as archive files (.zip, .rar),
etc. When a target user opens this malicious file, the malware automatically
enters the system and takes control of the system. So avoid downloading
various types of unknown files, such as archive files (.zip, .rar), etc., because
hackers hide malicious programs in these types of files.
3. Use up-to-date anti-spyware and firewall programs to prevent unwanted access
to your computer.
4. Protect your device or computer from known and unknown viruses, malware,
etc. with a strong, up-to-date security suite and antivirus software.
5. Keep your software and operating system updated.

3.9 Polymorphic Malware

Polymorphic malware refers to malicious software that can change or morph its
code, making it difficult for traditional antivirus solutions to detect. This ability
 to evolve allows polymorphic malware to evade signature-based detection
methods, which rely on static patterns or signatures to identify known threats.
Types of Polymorphic Malware
Polymorphic malware can take various forms, including:
• Polymorphic Viruses – These viruses can change their code or appearance with
each infection, making it difficult for antivirus software to recognize them
based on a static signature.
• Polymorphic Worms – Similar to viruses, polymorphic worms can also alter
their code or structure to evade detection. However, worms can propagate
independently without user intervention or attaching themselves to a host file.
• Polymorphic Trojans – These Trojans can change their code or behavior to
avoid being detected by security software. They often disguise themselves as
legitimate applications to trick users into downloading and installing them.
• Polymorphic Ransomware – This type of ransomware can modify its
encryption algorithms, communication methods, or other characteristics to
bypass security measures and successfully encrypt a victim’s data.
The Mechanics of Polymorphic Malware
Polymorphic malware employs several techniques to evade detection, such as:
• Code Obfuscation – By using encryption, compression, or other obfuscation
methods, polymorphic malware can conceal its true nature from security
software.
• Dynamic Encryption Keys – Polymorphic malware can use different encryption
keys for each new instance, making it challenging for signature-based detection
tools to identify the malware based on a fixed pattern.
• Variable Code Structure – By changing its code structure, polymorphic
malware can confuse security tools that rely on static signatures for detection.
• Behavioral Adaptation – Polymorphic malware can alter its behavior or
execution patterns to blend in with normal system processes, making it harder
for behavioral-based detection methods to identify the threat.
Examples of Polymorphic Malware Techniques
To better understand how malware can become polymorphic, let’s explore
some examples:
• Subroutine Permutation – Polymorphic malware can rearrange its subroutines
or functions in different orders to change its code structure. For example:
• Original Code:
function A() {...}
 function B() {...}
function C() {...}
• Polymorphic Code:
function B() {...}
function C() {...}
function A() {...}
• Register Swapping – By changing the registers used to store values,
polymorphic malware can alter its appearance without affecting its
functionality:
• Original Code:
MOV EAX, 1
ADD EBX, EAX
• Polymorphic Code:
MOV ECX, 1
ADD EBX, ECX
• Instruction Substitution – Polymorphic malware can replace instructions with
equivalent ones to change its code while retaining its functionality:
• Original Code:
SUB EAX, 5
• Polymorphic Code:
ADD EAX, -5

3.10 Protection against Malwares

Virus Protection
• Implementing protection against computer viruses involves a combination of
technical measures, user practices, and organizational policies. Here’s a
detailed approach to protect against viruses:

1. Use Antivirus Software

• Install Antivirus Programs: Use reputable antivirus software that provides
real-time scanning, malware detection, and removal.
• Regular Updates: Keep the antivirus definitions and software up-to-date to
recognize and block new threats.

2. System Updates
• Update the Operating System: Regularly update your OS to fix
vulnerabilities that viruses exploit.
• Patch Applications: Ensure all installed applications, especially commonly
targeted ones like browsers and productivity software, are updated.

3. Network Protection
• Enable Firewalls: Use a firewall to block unauthorized access to your system.
• Secure Wi-Fi Networks: Use strong encryption (WPA3 or WPA2) and change
default passwords on routers.

4. Email Security
• Avoid Phishing Emails: Be cautious with unexpected email attachments or
links.
• Spam Filters: Use email services with strong spam filtering capabilities to
block potentially malicious messages.

5. Safe Browsing Practices

• Avoid Suspicious Websites: Only visit trusted websites and avoid clicking on
unknown links.
• Use Secure Protocols: Ensure sites use HTTPS before entering sensitive
information.

6. User Access Management

• Restrict User Permissions: Use non-administrator accounts for daily
activities.
• Enable User Account Control (UAC): On Windows, UAC helps prevent
unauthorized changes to the system.

7. Backup Strategy
• Regular Backups: Regularly back up important files to external drives or
cloud storage.
• Isolated Backups: Keep backups disconnected from the network to prevent
them from being infected.

8. Educate Users
• Training: Provide training on recognizing phishing attacks, avoiding
suspicious downloads, and safe internet practices.
• Awareness Campaigns: Regularly update users about new types of threats and
best practices.

9. Additional Security Measures

• Application Whitelisting: Allow only approved software to run.
 • Browser Extensions: Use ad blockers and script blockers to reduce exposure
to malicious ads and scripts.
• Disable Autorun: Prevent autorun of external drives to stop spreading viruses.

10. Incident Response

• Quarantine Infections: Use antivirus tools to isolate infected files.
• System Restore Points: Create restore points to revert to a clean state if
necessary.
• Professional Support: For severe infections, seek help from IT professionals
or security experts.
• By integrating these methods, you can create a robust defense against viruses,
ensuring your system's security and integrity.

Protection from Trojan

• Protecting a system from Trojan malware requires a proactive and layered

approach. Trojans disguise themselves as legitimate software, so detection and
prevention are critical. Here’s how to implement protection against Trojans:

1. Install and Maintain Security Software

• Antivirus Software: Use reliable antivirus software that offers Trojan
detection and removal features.
• Anti-Malware Tools: Supplement with anti-malware solutions for broader
protection.
• Real-Time Protection: Enable real-time scanning to detect and block Trojans
before they execute.

2. Keep Systems Updated

• Operating System Updates: Regularly update your OS to patch
vulnerabilities.
• Application Updates: Ensure all software, particularly web browsers, email
clients, and plugins, is updated.
• Firmware Updates: Keep hardware firmware up to date to close potential
security gaps.

3. Practice Safe Downloading

• Download from Trusted Sources: Only download software and files from
reputable websites.
• Verify Authenticity: Check digital signatures or hashes provided by
developers to verify file integrity.
• Avoid Pirated Software: Stay away from cracked software, which often hides
Trojans.

4. Secure Email and Communication

• Beware of Attachments: Do not open unexpected email attachments,
especially from unknown senders.
• Spam Filters: Use email services with robust spam filtering to reduce phishing
and Trojan-laden emails.
• Check Links: Hover over links to verify their destination before clicking.

5. Strengthen Network Security

• Firewalls: Enable firewalls to block unauthorized access.
• VPN: Use Virtual Private Networks on unsecured public Wi-Fi to protect data
and connections.
• Monitor Traffic: Use intrusion detection/prevention systems (IDS/IPS) to
detect suspicious activity.

6. Educate Users
• Recognize Fake Software: Train users to identify and avoid installing fake or
suspicious applications.
• Phishing Awareness: Teach users to recognize phishing attempts that may
lead to Trojan infections.
• Safe Practices: Emphasize the importance of avoiding unknown USB drives or
external media.

7. Limit User Privileges

• Use Non-Admin Accounts: Perform daily activities using accounts with
limited privileges.
• Application Whitelisting: Allow only pre-approved applications to run on the
system.
• Access Control: Restrict user access to sensitive files and directories.

8. Backup Strategy
• Regular Backups: Create regular backups of critical files to protect against
data loss from Trojan infections.
• Isolated Backups: Store backups offline or in secure cloud storage to prevent
them from being compromised.

9. Advanced Protections
• Sandboxing: Test unknown software or files in a virtual sandbox environment
before running them on the main system.
 • Behavioral Monitoring: Use security software that monitors application
behavior to detect Trojan-like activities.
• File Integrity Monitoring: Monitor changes in critical files to detect
unauthorized modifications.

10. Respond Quickly to Infections

• Disconnect: Isolate infected systems from the network to prevent the spread.
• Run Scans: Use antivirus and anti-malware tools to detect and remove the
Trojan.
• System Restore: Revert the system to a previous state if the Trojan has caused
damage.
• Reinstall: In severe cases, reinstall the operating system from a clean source.
• By implementing these measures, you can effectively reduce the risk of Trojan
infections and minimize their impact on your systems.
•
Protection Root Kit

• What is a Rootkit?
• A rootkit is a type of malicious software designed to gain unauthorized access
to a computer system while concealing its presence. Rootkits often allow
attackers to control the system as an administrator, modify system files, and
evade detection by antivirus programs. They can be installed through phishing
attacks, software vulnerabilities, or physical access to the system.

Types of Rootkits
• Kernel-Level Rootkits: Operate at the OS kernel level, giving attackers deep
access and control over the system.
• User-Mode Rootkits: Operate at the application layer, affecting software and
user-level processes.
• Firmware Rootkits: Reside in firmware such as BIOS or UEFI, making them
highly persistent and difficult to remove.
• Hypervisor Rootkits: Target virtual machines by acting as a hypervisor
beneath the OS.
• Bootkits: Infect the master boot record (MBR) or EFI system partition to
execute before the OS loads.

• How to Protect Against Rootkits

• Protection against rootkits involves a multi-layered defense strategy, as rootkits
are often hard to detect and remove once installed.

1. Install and Use Security Software

• Rootkit Detection Tools: Use specialized tools like GMER, Malwarebytes
Anti-Rootkit, or built-in capabilities of antivirus software.
• Antivirus Software: Keep antivirus software up-to-date to detect known
rootkits.
• Real-Time Protection: Enable real-time monitoring to prevent rootkit
installation.

2. Keep the System Updated

• OS and Software Patching: Regularly update the operating system and
applications to fix vulnerabilities that rootkits may exploit.
• Firmware Updates: Ensure BIOS, UEFI, and other firmware are updated with
the latest security patches.

3. Secure the Boot Process

• Enable Secure Boot: Use Secure Boot to ensure only trusted software runs
during system startup.
• Trusted Platform Module (TPM): Leverage TPM for cryptographic security
during the boot process.
• Boot-Level Scanning: Use tools like Windows Defender Offline or Rescue
Disk to scan for rootkits before the OS loads.

4. Monitor System Integrity

• File Integrity Monitoring (FIM): Continuously monitor critical system files
for unauthorized changes.
• Event Logs: Regularly check logs for signs of unusual activity or unauthorized
access.

5. Strengthen Network Security

• Firewalls: Use firewalls to monitor and control network traffic.
• Intrusion Detection and Prevention Systems (IDS/IPS): Deploy these
systems to detect and block rootkit-like behavior on the network.

6. Practice Safe Computing

• Avoid Phishing Attacks: Be cautious with email attachments and links from
unknown sources.
• Secure Downloads: Only download software from trusted and verified
sources.
• USB Drive Protection: Avoid using untrusted USB drives and enable autorun
protection.

7. Backup Data Regularly

 • Offline Backups: Store backups in an offline or secure cloud environment to
prevent rootkit interference.
• Recovery Points: Create system restore points to facilitate recovery if a rootkit
infects the system.

8. Use Advanced Techniques

• Virtualization-Based Security (VBS): Use virtualization technologies to
isolate critical OS components from rootkits.
• Kernel Patch Protection: On Windows, enable Kernel Patch Protection
(PatchGuard) to protect against kernel-level attacks.

9. Incident Response and Removal

• Identify the Rootkit: Use rootkit detection tools to confirm its presence.
• Boot in Safe Mode or Recovery Mode: Access the system in a limited mode
to minimize rootkit activity.
• Offline Scanning: Use live operating systems or bootable antivirus tools to
scan and remove rootkits.
• Reinstall OS if Necessary: For persistent infections, wipe the system and
reinstall the operating system from trusted media.
• By implementing these measures, you can significantly reduce the risk of
rootkits and improve your system’s resilience against such threats.
Protection Ransomware

• What is Ransomware?
• Ransomware is a type of malicious software that encrypts the victim's files or
locks them out of their system. The attacker demands a ransom payment in
exchange for providing a decryption key or restoring access. Some ransomware
also threatens to leak stolen data if the ransom isn't paid (known as double
extortion).

• How Ransomware Works

• Infection: Often spreads through phishing emails, malicious downloads,
exploit kits, or unsecured remote desktop services.
• Encryption: Encrypts files or locks the system, making data inaccessible.
• Ransom Demand: Displays a ransom note demanding payment in
cryptocurrency to decrypt files or restore access.

• How to Implement Protection Against Ransomware

• Protecting against ransomware requires preventive measures, detection, and a
robust recovery plan.
1. Use Security Software
• Antivirus and Anti-Malware: Install reputable security software capable of
detecting and blocking ransomware.
• Ransomware-Specific Tools: Use dedicated anti-ransomware tools from
vendors like Malwarebytes, Bitdefender, or Kaspersky.
• Behavioral Monitoring: Deploy security solutions that monitor suspicious
activities, such as mass file encryption.

2. Regular System Updates

• Update OS and Applications: Regularly patch the operating system,
applications, and plugins to fix vulnerabilities.
• Firmware Updates: Keep firmware, such as BIOS or network device
firmware, up-to-date.

3. Backups
• Regular Backups: Regularly back up important files to external drives or
cloud services.
• Offline Backups: Store backups offline or in a separate, air-gapped network to
protect against ransomware targeting backups.
• Test Restores: Periodically test restoring files from backups to ensure
reliability.

4. Email Security
• Beware of Phishing Emails: Do not open suspicious email attachments or
click on links from unknown senders.
• Spam Filters: Use email services with strong spam filtering to block phishing
attempts.
• Email Authentication: Implement protocols like DMARC, SPF, and DKIM to
reduce email spoofing risks.

5. Network Security
• Firewalls: Enable firewalls to block unauthorized access.
• Intrusion Detection/Prevention Systems (IDS/IPS): Monitor and block
suspicious network activity.
• Secure Remote Access: Use Virtual Private Networks (VPNs) and multi-factor
authentication (MFA) for remote connections.

6. Restrict User Access

• Principle of Least Privilege: Limit user permissions to the minimum required
for their role.
 • Application Whitelisting: Allow only approved applications to run on the
system.
• Restrict RDP (Remote Desktop Protocol): Disable RDP unless absolutely
necessary, and secure it with strong passwords and MFA.

7. Educate and Train Users

• Phishing Awareness: Train users to recognize phishing emails and suspicious
links.
• Safe Practices: Promote safe browsing habits and caution when downloading
files.
• Incident Awareness: Ensure employees know how to report suspicious
activity promptly.

8. Advanced Protections
• Endpoint Detection and Response (EDR): Deploy EDR solutions to monitor,
detect, and respond to ransomware threats.
• Zero Trust Architecture: Implement zero trust principles to verify all access
requests continuously.
• Micro-Segmentation: Segment the network to prevent lateral movement of
ransomware.

9. Incident Response Planning

• Response Plan: Develop a ransomware-specific incident response plan.
• Isolation: If ransomware is detected, immediately disconnect the infected
system from the network to prevent further spread.
• Forensics: Engage cybersecurity experts to analyze the incident and
understand the scope of the attack.

10. Recovery and Prevention Post-Incident

• Restore Data: Recover encrypted files from backups.
• Do Not Pay the Ransom: Paying doesn’t guarantee decryption and may
encourage further attacks.
• Review Security Measures: After recovery, review and enhance security
controls to prevent recurrence.
•
• By implementing these measures, organizations and individuals can
significantly reduce the risk of ransomware attacks and minimize their impact
if they occur.
•
Protection Polymorphic Malware
• What is Polymorphic Malware?
• Polymorphic malware is a type of malicious software that changes its code,
appearance, or behavior to evade detection by security systems, such as
antivirus programs. This adaptability makes it particularly challenging to
identify using traditional signature-based methods.

• Characteristics of Polymorphic Malware

• Dynamic Code: Modifies its code with each iteration while retaining its
original functionality.
• Evasive Techniques: Evades detection by creating unique variants that
antivirus programs cannot easily recognize.
• Rapid Mutation: Can generate thousands of different variants in a short
period.
• Delivery Methods: Often spreads through phishing emails, malicious
attachments, or compromised websites.
•
• How to Protect Against Polymorphic Malware
• Protection against polymorphic malware requires advanced, behavior-based
detection methods and robust preventive measures.
•
• 1. Use Advanced Security Software
• Next-Generation Antivirus (NGAV): Use antivirus software that includes
machine learning and behavioral analysis to detect suspicious activities, even
from unknown variants.
• Endpoint Detection and Response (EDR): Deploy EDR solutions to monitor,
detect, and respond to anomalous activities in real time.
• Intrusion Detection and Prevention Systems (IDS/IPS): Use IDS/IPS to
detect and block malware at the network level.
•
• 2. Regular System Updates
• OS and Software Patches: Regularly update the operating system, browsers,
and software to fix vulnerabilities.
• Firmware Updates: Keep all firmware updated to prevent exploitation.
•
• 3. Monitor and Analyze Behavior
• Behavioral Analysis Tools: Use tools that monitor and analyze application and
system behavior for signs of malware, such as unusual file encryption or
communication with known malicious servers.
• Sandboxing: Execute suspicious files in an isolated environment (sandbox) to
observe their behavior before allowing them to run on the main system.
•
• 4. Network Security
• Firewalls: Use firewalls to monitor and block unauthorized traffic.
• Secure DNS Services: Employ secure DNS solutions to block access to known
malicious domains.
• Network Segmentation: Segment networks to limit the spread of malware if a
device is compromised.
•
• 5. Secure Email and Web Browsing
• Email Security: Use email filtering solutions to block phishing emails and
malicious attachments.
• Browser Security: Install browser extensions to block ads, pop-ups, and
malicious scripts.
• URL Scanning: Scan URLs for threats before visiting them.
•
• 6. Use Strong Authentication and Access Controls
• Least Privilege Principle: Limit user permissions to reduce the impact of an
attack.
• Multi-Factor Authentication (MFA): Add an extra layer of security to user
accounts to prevent unauthorized access.
• Application Whitelisting: Allow only pre-approved applications to run.
•
• 7. Backup Data Regularly
• Frequent Backups: Regularly back up important files to external or cloud
storage.
• Isolated Backups: Keep backups offline or in a secure network segment to
protect them from corruption.
•
• 8. User Education and Awareness
• Training Programs: Educate users on recognizing phishing attempts and
avoiding suspicious downloads.
• Secure Practices: Teach users safe browsing habits and the importance of
verifying email sources.
•
• 9. Implement Threat Intelligence
• Threat Feeds: Use real-time threat intelligence feeds to stay updated on
emerging polymorphic malware trends.
• Collaboration: Share and receive threat intelligence with cybersecurity
communities.
•
• 10. Incident Response Plan
• Preparedness: Develop and regularly update an incident response plan.
 • Quarantine Infections: Immediately isolate affected systems to prevent the
spread.
• Recovery Procedures: Use clean backups and forensics to restore systems and
identify the attack vector.

3.11 Malware Analysis using Honeypot

Honeypots are a type of Internet security resource which is used to entice

cybercriminals to deceive them when they try to intrude inside the network for
any illegal use. These honeypots are generally set up to understand the activity
of the attacker in the network so that the organization can come up with
stronger prevention methods against these intrusions. The honeypots do not
carry any valuable data as it a fake proxy that helps in logging the network
traffic.
A honeypot is a security mechanism designed to detect, deflect, or study
attempts to access a computer system for malicious purposes. It acts as a decoy,
simulating a vulnerable system or service to attract attackers. By monitoring
interactions with the honeypot, security professionals can gather valuable
information about attack methods, tools, and motivations.

Architecture of a Honeypot

The architecture of a honeypot can vary based on its purpose, but it generally
consists of the following components:
1. Honeypot System:
• Physical or Virtual Machine: The honeypot can be deployed on a
physical server or as a virtual machine. Virtual honeypots are often
easier to manage and can be quickly deployed or destroyed.
• Operating System: The honeypot can run a standard OS (like Linux or
Windows) or a custom OS designed to appear vulnerable.
• Services: The honeypot may run services that are commonly targeted by
attackers (e.g., SSH, FTP, HTTP) to simulate a real environment.
2. Data Collection:
• Logging: All interactions with the honeypot are logged. This includes
connection attempts, commands executed, and any data sent or received.
 • Monitoring Tools: Tools like Snort, Suricata, or custom scripts can be
used to monitor network traffic and system calls.
3. Analysis Tools:
• Data Analysis: Collected data is analyzed to identify patterns, attack
vectors, and the tools used by attackers.
• Alerting Mechanisms: Alerts can be configured to notify administrators
of suspicious activity.
4. Isolation:
• Network Segmentation: The honeypot should be isolated from the
production network to prevent attackers from moving laterally to other
systems.
• Firewall Rules: Specific firewall rules can be implemented to control
traffic to and from the honeypot.
5. Management Interface:
• Dashboard: A management interface can be created to visualize data,
monitor activity, and manage the honeypot's configuration.

Figure 3.13 HoneyPotArchitechture

Types of Honeypots

1. Production Honeypots: These are used in real environments to protect

production systems. They are less complex and provide limited interaction.
2. Research Honeypots: These are used primarily for research purposes to gather
extensive data on attack methods and trends. They are more complex and allow
for greater interaction.

Implementing a Honeypot

Here’s a step-by-step guide to implementing a basic honeypot:

1. Define Objectives:
• Determine what you want to achieve with the honeypot (e.g., data
collection, threat intelligence, etc.).
2. Choose the Type of Honeypot:
• Decide whether you need a production or research honeypot based on
your objectives.
3. Select the Software:
• Choose a honeypot software solution. Some popular options include:
• Honeyd: A versatile honeypot that can simulate multiple virtual
hosts.
• Dionaea: Designed to capture malware by emulating vulnerable
services.
• Cowrie: A medium-interaction SSH and Telnet honeypot.
4. Set Up the Environment:
• Deploy the honeypot on a dedicated physical or virtual machine.
• Ensure it is isolated from your production network.
5. Configure Services:
• Set up the services you want to simulate (e.g., SSH, FTP, web server).
• Make sure these services are configured to appear vulnerable.
6. Implement Logging and Monitoring:
• Set up logging to capture all interactions.
• Use monitoring tools to analyze traffic and detect anomalies.
7. Establish Alerting Mechanisms:
• Configure alerts to notify you of suspicious activity.
8. Regularly Update and Maintain:
• Keep the honeypot software and services updated.
 • Regularly review logs and analyze data to improve your security posture.
9. Analyze Data:
• Use the collected data to understand attack patterns and improve your
overall security strategy.
10. Document Findings:
• Document your findings and share them with your security team to
enhance awareness and response strategies.