Unit-5 Notes

The document outlines key concepts in operating systems related to protection and security, including principles of protection, access control mechanisms, and various types of threats such as program and network threats. It discusses implementation strategies for access matrices and capability-based systems, as well as the role of cryptography and user authentication in securing systems. Additionally, it covers security defenses, firewalls, and classifications of computer security as defined by the U.S. Department of Defense.


Operating Systems

21CSC202J

Nishant Kr. Singh
Asst. Professor
Dept. of CSE, SRMIST, Delhi-NCR
Unit-5
Topics to be covered
PROTECTION AND SECURITY:
• Goals of Protection
• Principles of Protection
• Domain of Protection
• Access Matrix
• Implementation of the Access Matrix
• Access Control
• Capability-Based Systems
• Language-Based Protection
• The Security Problem
• Program Threats
• System and Network Threats
• Cryptography as a Security Tool
• User Authentication
• Implementing Security Defenses
• Firewalling to Protect Systems and Networks
• Computer-Security Classifications
Outcome
• Demonstrate different device and resource management techniques for memory utilization with security mechanisms
Goals of Protection
• Computer consists of a collection of objects, hardware or software
• Each object has a unique name and can be accessed through a well-defined set of operations.
• Protection problem - ensure that each object is accessed correctly and only by those processes that are allowed to do so
Principles of Protection
• Guiding principle – principle of least privilege
  • Programs, users and systems should be given just enough privileges to perform their tasks
  • Properly set permissions can limit damage if an entity has a bug or gets abused
  • Can be static (during life of system, during life of process)
  • Or dynamic (changed by process as needed) – domain switching, privilege escalation
Domain of Protection
• Computer can be treated as processes and objects
  • Hardware objects (such as devices) and software objects (such as files, programs, semaphores)
• A process, for example, should only have access to objects it currently requires to complete its task – the need-to-know principle
• Implementation can be via process operating in a protection domain
  • Specifies resources process may access
  • Each domain specifies set of objects and types of operations on them
  • Ability to execute an operation on an object is an access right
  • <object-name, rights-set>
• Domains may share access rights
• Associations can be static or dynamic
  • If dynamic, processes can domain switch
Access Matrix
• View protection as a matrix (access matrix)
• Rows represent domains
• Columns represent objects
• Access(i, j) is the set of operations that a process executing in Domain Di can invoke on Object Oj
• If a process in Domain Di tries to do “op” on object Oj, then “op” must be in the access matrix
• User who creates object can define access column for that object
Implementation of the Access Matrix
• Generally, a sparse matrix
• Option 1 – Global table
  • Store ordered triples <domain, object, rights-set> in table
  • A requested operation M on object Oj within domain Di -> search table for <Di, Oj, Rk> with M ∈ Rk
  • But table could be large -> won’t fit in main memory
  • Difficult to group objects (consider an object that all domains can read)
Implementation of the Access Matrix
• Option 2 – Access lists for objects
  • Each column implemented as an access list for one object
  • Resulting per-object list consists of ordered pairs <domain, rights-set> defining all domains with non-empty set of access rights for the object
  • Easily extended to contain default set -> If M ∈ default set, also allow access
Implementation of the Access Matrix
• Option 3 – Capability list for domains
  • Instead of object-based, list is domain based
  • Capability list for domain is list of objects together with operations allowed on them
  • Object represented by its name or address, called a capability
  • Capability list associated with domain but never directly accessible by domain
Implementation of the Access Matrix
• Option 4 – Lock-key
  • Compromise between access lists and capability lists
  • Each object has list of unique bit patterns, called locks
  • Each domain has list of unique bit patterns, called keys
  • Process in a domain can only access object if domain has key that matches one of the locks
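The four implementation options above, worked through on one small access matrix. This is an added illustration, not code from the slides; the domains D1..D3, the objects F1..F3 and printer, and the lock/key bit patterns are constructed sample data.

```python
from collections import defaultdict

# Constructed sample access matrix (not the slides' figure): rows are domains,
# columns are objects, each cell is the rights-set Access(i, j).
MATRIX = {
    ("D1", "F1"): {"read"},
    ("D1", "F3"): {"read"},
    ("D2", "printer"): {"print"},
    ("D3", "F2"): {"read", "execute"},
    ("D3", "F3"): {"read", "write"},
}

# Option 1 - global table of <domain, object, rights-set> triples: a request
# (Di, Oj, M) succeeds only if some triple <Di, Oj, Rk> has M in Rk.
def global_table_check(table, domain, obj, op):
    return any(d == domain and o == obj and op in rights
               for (d, o), rights in table.items())

# Option 2 - access list per object: one column of the matrix, stored as
# <domain, rights-set> pairs, optionally with a default set open to every domain.
def access_lists(table):
    lists = defaultdict(dict)
    for (d, o), rights in table.items():
        lists[o][d] = set(rights)
    return lists

def access_list_check(lists, domain, obj, op, default=frozenset()):
    return op in lists.get(obj, {}).get(domain, set()) or op in default

# Option 3 - capability list per domain: one row of the matrix, listing the
# objects the domain may touch and the operations allowed on each.
def capability_lists(table):
    caps = defaultdict(dict)
    for (d, o), rights in table.items():
        caps[d][o] = set(rights)
    return caps

def capability_check(caps, domain, obj, op):
    return op in caps.get(domain, {}).get(obj, set())

# Option 4 - lock-key: objects carry locks, domains carry keys (both bit
# patterns, constructed here); access needs one key that matches one lock.
LOCKS = {"F1": {0b0001, 0b0100}, "printer": {0b0010}}
KEYS = {"D1": {0b0001}, "D2": {0b0010}, "D3": {0b1000}}

def lock_key_check(domain, obj):
    return bool(KEYS.get(domain, set()) & LOCKS.get(obj, set()))
```

Note that the sparse dictionary in `MATRIX` is exactly the global table of Option 1; Options 2 and 3 are its column and row projections, and the default set shows why grouping objects is easy for access lists but awkward for the global table.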
Access Control
• Protection can be applied to non-file resources
• Oracle Solaris 10 provides role-based access control (RBAC) to implement least privilege
  • Privilege is right to execute system call or use an option within a system call
  • Can be assigned to processes
  • Users assigned roles granting access to privileges and programs
    • Enable role via password to gain its privileges
  • Similar to access matrix
Capability-Based Systems
• Hydra and CAP were first capability-based systems
• Now included in Linux, Android and others, based on POSIX.1e (that never became a standard)
  • Essentially slices up root powers into distinct areas, each represented by a bitmap bit
  • Fine grain control over privileged operations can be achieved by setting or masking the bitmap
  • Three sets of bitmaps – permitted, effective, and inheritable
  • Can apply per process or per thread
  • Once revoked, cannot be reacquired
  • Process or thread starts with all privs, voluntarily decreases set during execution
  • Essentially a direct implementation of the principle of least privilege
• An improvement over root having all privileges but inflexible (adding new privilege difficult, etc.)
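A simplified model of the three POSIX.1e-style bitmaps (permitted, effective, inheritable) and the "once revoked, cannot be reacquired" rule, added here as an illustration rather than kernel or libcap code. The bit positions are the Linux ones for CAP_CHOWN, CAP_NET_BIND_SERVICE and CAP_SYS_ADMIN; the bounding set and file capabilities are deliberately left out.

```python
# Linux capability bit positions (CAP_CHOWN=0, CAP_NET_BIND_SERVICE=10,
# CAP_SYS_ADMIN=21), used here as bitmap bits in a simplified model.
CAP_CHOWN = 1 << 0
CAP_NET_BIND_SERVICE = 1 << 10
CAP_SYS_ADMIN = 1 << 21


class CapabilitySets:
    """Per-thread bitmaps: effective is what is checked on a privileged
    operation, permitted is the upper bound effective may ever reach,
    inheritable is what may be passed across exec()."""

    def __init__(self, permitted):
        self.permitted = permitted
        self.effective = permitted
        self.inheritable = permitted

    def has(self, cap):
        return bool(self.effective & cap)

    def lower_effective(self, cap):
        """Stop using a privilege for now; it stays permitted, so it can
        be raised again later (masking the bitmap)."""
        self.effective &= ~cap

    def raise_effective(self, cap):
        """Re-enable a privilege, allowed only while it is still permitted."""
        if self.permitted & cap != cap:
            raise PermissionError("not in permitted set; cannot be reacquired")
        self.effective |= cap

    def drop_permitted(self, cap):
        """Irreversible: removing a bit from permitted also clears it from
        effective and inheritable, so no later raise can succeed."""
        self.permitted &= ~cap
        self.effective &= ~cap
        self.inheritable &= ~cap


def bind_then_drop(caps):
    """Least-privilege pattern: use a privilege for one early step (binding a
    low port), then permanently give it and everything else not needed up."""
    could_bind = caps.has(CAP_NET_BIND_SERVICE)
    caps.drop_permitted(CAP_NET_BIND_SERVICE | CAP_SYS_ADMIN)
    return could_bind
```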
Language-Based Protection
• Specification of protection in a programming language allows the high-level description of policies for the allocation and use of resources
• Language implementation can provide software for protection enforcement when automatic hardware-supported checking is unavailable
• Interpret protection specifications to generate calls on whatever protection system is provided by the hardware and the operating system
• Compiler based, run time environment based
The Security Problem
• System secure if resources used and accessed as intended under all circumstances
  • Unachievable
• Intruders (crackers) attempt to breach security
• Threat is potential security violation
• Attack is attempt to breach security
• Attack can be accidental or malicious
• Easier to protect against accidental than malicious misuse
Program Threats
• Many variations, many names
• Trojan Horse
  • Code segment that misuses its environment
  • Exploits mechanisms for allowing programs written by users to be executed by other users
  • Spyware, pop-up browser windows, covert channels
  • Up to 80% of spam delivered by spyware-infected systems
  • Ransomware – locks up data via encryption, demanding payment to unlock it
• Trap Door
  • Specific user identifier or password that circumvents normal security procedures
  • Could be included in a compiler
  • How to detect them?
Program Threats
• Malware - Software designed to exploit, disable, or damage computer
• Others include trap doors, logic bombs
• All try to violate the Principle of Least Privilege
System and Network Threats
• Network threats harder to detect, prevent
• Worms – use spawn mechanism; standalone program
• Port scanning
  • Automated attempt to connect to a range of ports on one or a range of IP addresses
• Denial of Service
  • Overload the targeted computer preventing it from doing any useful work
  • Distributed Denial-of-Service (DDoS) come from multiple sites at once
Cryptography as a Security Tool
• Broadest security tool available
  • Internal to a given computer, source and destination of messages can be known and protected
    • OS creates, manages, protects process IDs, communication ports
  • Source and destination of messages on network cannot be trusted without cryptography
• Cryptography - Means to constrain potential senders (sources) and / or receivers (destinations) of messages
  • Based on secrets (keys)
  • Enables
    • Confirmation of source
    • Receipt only by certain destination
    • Trust relationship between sender and receiver
Cryptography as a Security Tool
• Encryption - Constrains the set of possible receivers of a message
  • Encryption algorithm consists of
    • Set K of keys
    • Set M of Messages
    • Set C of ciphertexts (encrypted messages)
User Authentication
• Crucial to identify user correctly, as protection systems depend on user ID
• User identity most often established through passwords, can be considered a special case of either keys or capabilities
• Passwords must be kept secret
  • Frequent change of passwords
  • History to avoid repeats
  • Use of “non-guessable” passwords
  • Log all invalid access attempts (but not the passwords themselves)
  • Unauthorized transfer
• Passwords may also either be encrypted or allowed to be used only once
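The password controls listed on this slide (secret storage, a history to avoid repeats, logging invalid attempts without the password itself) put together in one small account model. This is an added example, not code from the slides; the salted PBKDF2-HMAC scheme, the iteration count, the history depth and the `Account` class are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000      # PBKDF2 work factor; assumption, tune to the hardware
HISTORY_DEPTH = 3         # how many previous passwords a user may not reuse


def hash_password(password, salt=None):
    """Keep the password secret: store only a random salt and a slow hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Recompute under the stored salt; constant-time compare avoids leaking
    how many leading bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class Account:
    def __init__(self, username, password):
        self.username = username
        self.history = []        # (salt, digest) pairs; newest is current
        self.audit = []          # log lines; they never contain the password
        self._store(password)

    def _store(self, password):
        self.history.append(hash_password(password))
        self.history = self.history[-HISTORY_DEPTH:]

    def change_password(self, new_password):
        """History check: refuse a password equal to any recent one."""
        if any(verify(new_password, s, d) for s, d in self.history):
            return False
        self._store(new_password)
        return True

    def login(self, password, source="constructed-host"):
        """Log every invalid attempt (user and source) but not the password."""
        salt, digest = self.history[-1]
        ok = verify(password, salt, digest)
        if not ok:
            self.audit.append(f"invalid login user={self.username} from={source}")
        return ok
```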


Implementing Security Defenses
• Defense in depth is most common security theory – multiple layers of security
• Security policy describes what is being secured
• Vulnerability assessment compares real state of system / network against security policy
• Intrusion detection endeavors to detect attempted or successful intrusions
  • Signature-based detection spots known bad patterns
  • Anomaly detection spots differences from normal behavior
    • Can detect zero-day attacks
    • False-positives and false-negatives a problem
• Virus protection
  • Searching all programs at execution for known virus patterns
  • Or run in sandbox so can’t damage system
• Auditing, accounting, and logging of all or specific system or network activities
• Practice safe computing – avoid sources of infection, download from only “good” sites, etc.
Firewalling to Protect Systems and Networks
• A network firewall is placed between trusted and untrusted hosts
  • The firewall limits network access between these two security domains
• Can be tunneled or spoofed
  • Tunneling allows disallowed protocol to travel within allowed protocol (e.g., telnet inside of HTTP)
  • Firewall rules typically based on host name or IP address which can be spoofed
• Personal firewall is software layer on given host
  • Can monitor / limit traffic to and from the host
• Application proxy firewall understands application protocol and can control them (e.g., SMTP)
• System-call firewall monitors all important system calls and applies rules to them (e.g., this program can execute that system call)
Computer-Security Classifications
• U.S. Department of Defense outlines four divisions of computer security: A, B, C, and D
  • D – Minimal security
  • C – Provides discretionary protection through auditing
    • Divided into C1 and C2
      • C1 identifies cooperating users with the same level of protection
      • C2 allows user-level access control
  • B – All the properties of C, however each object may have unique sensitivity labels
    • Divided into B1, B2, and B3
  • A – Uses formal design and verification techniques to ensure security
THANK YOU!!!
