1

UNIT IVSECURE AND PROTECTION

File System Interface – File Protection, File Sharing; Security - The Security
Problem, Program Threats, System and Network Threats, Cryptography, User
Authentication, Implementing Security Defenses; Protection – Goals, Principles,
Protection Rings, Domain Protection, Access Matrix, Implementation of Access
Matrix, Revocation of Access Rights, Role-Based Access Control, Mandatory Access
Control, Capability-Based Systems, Protection Improvement Methods, Language-
Based Protection.

4 .FILE SYSTEM INTERFACE:

 The file system is the most visible aspect of an operating system. It provides the
mechanism for on-line storage of and access to both data and programs of the
operating system and all the users of the computer system.
 The file system consists of two distinct parts: a collection of files, each storing related
data, and a directory structure, which organizes and provides information about all
the files in the system

4.1 FILE CONCEPTS:

❖ A file is defined as a named collection of related information that is stored on
secondary storage device.
❖ Many different types of information may be stored in a file such as source or
executable programs, numeric or text data, photos, music, video, and so on.
❖ A file has a certain defined structure, which depends on its type.
❖ Types of Files: A text file is a sequence of characters organized into lines.
❖ A source file is a sequence of functions, each of which is further
organized as declarations followed by executable statements.
❖ An executable file is a series of code sections that the loader can bring into memory
and execute.

4.1.1 FILE ATTRIBUTES:

A file’s attributes vary from one operating system to another but typically consist of
these:
• Name. The file name is the information kept in human readable form.
• Identifier. This unique tag, usually a number, identifies the file within the file
system
• Type. This information is needed for systems that support different types of files.
• Location. This information is a pointer to a device and to the location of the file on
that device.
• Size. The current size of the file (in bytes, words, or blocks)
• Protection. Access-control information determines who can do reading, writing,
executing
 2

• Time, date, and user identification. This information may be kept for creation,
last modification, and last use.
4.1.2 FILE OPERATIONS:
❖ A file is an abstract data type.
❖ The operating system can provide system calls to create, write, read,
reposition, delete, and truncate files. The Basic Operations on a file includes
▪ Creating a File
▪ Writing a File
▪ Reading a File
▪ Repositioning within a File
▪ Deleting a file

▪ Truncating a file
1) Creating a file: OS first finds space in the file system for the file. Second, an
entry for the new file must be made in the directory.
2) Writing a file. To write a file, we make a system specifying both the name of the
file and the information to be written to the file. The system must keep a write
pointer to the location in the file where the next write is to take place.
3) Reading a file. To read from a file, we use a system call that specifies the name
of the file. The system needs to keep a read pointer to the location in the file
where the next read is to take place.
❖ Current File Position Pointer: Because a process is usually either reading
from or writing to a file, the current operation location can be kept as a per-
process current file- position pointer.
4) Repositioning within a file. The directory is searched for the appropriate
entry, and the current-file-position pointer is repositioned to a given value.
This file operation is also known as files seek.
5) Deleting a file. To delete a file, we search the directory for the named file.
6) Truncating a file. The user may want to erase the contents of a file but keep its
attributes.

FILE LOCKS:
❖ File locks allow one process to lock a file and prevent other processes from gaining
access to it. File locks are useful for files that are shared by several processes.
❖ There are two types of file locks
▪ Shared Lock
▪ Exclusive Lock
❖ A shared lock is similar to a reader lock in that several processes can acquire the lock
concurrently.
❖ An exclusive lock behaves like a writer lock; only one process at a time can acquire
such a lock.
❖ Operating systems may provide either mandatory or advisory file-locking
mechanisms.
❖ If a lock is mandatory, then once a process acquires an exclusive lock, the
operating system will prevent any other process from accessing the locked file.
 3

❖ If a lock is advisory then the Operating System will allow the process to access the
locked file.

4.1.3 FILE TYPES:

❖ A common technique for implementing file types is to include the type as part of the file
name.
❖ The name is split into two parts—a name and an extension, usually separated by a period
or a dot.
❖ The system uses the extension to indicate the type of the file and the type of operations
that can be done on that file.
❖ Example: Java compilers expect source files to have a .java extension, and the
Microsoft Word word processor expects its files to end with a .doc or .docx extension.

4.1.4 FILE ACCESS METHODS:

❖ Files store information. When it is used, this information must be accessed
and read into computer memory. The information in the file can be accessed in
several ways.
 Sequential access Method
 Direct Access method
 Indexed access method
 Sequential access Method:
 The simplest access method is sequential access. Information in the file is
processed in order, one record after the other.
 Example: Editors and compilers usually access files in Sequential manner.
 4

 A read operation—read next ()—reads the next portion of the file and
automatically advances a file pointer, which tracks the I/O location.
 Similarly, the write operation—write next ()—appends to the end of the file and
advances to the end of the newly written material (the new end of file).

 Direct Access Method:

 A file is made up of fixed-length logical records that allow programs to read
and write records rapidly in no particular order.
 The file is viewed as a numbered sequence of blocks or records.
 Direct-access files are of great use for immediate access to large amounts of
information.
 EXAMPLE: Databases are often of this type. When a query concerning a
particular subject arrives, we compute which block contains the answer and
then read that block directly to provide the desired information.
 For the direct-access method, the file operations must be modified to
include the block number as a parameter. Thus, we have read (n), where n
is the block number, write (n) rather than write next ().
 RELATIVE BLOCK NUMBER: The block number provided by the user to
the operating system is normally a relative block number

 Indexed Access Methods:

 These methods generally involve the construction of an index for the file.
 The index, like an index in the back of a book, contains pointers to the various
blocks.
 To find a record in the file, we first search the index and then use the
pointer to access the file directly and to find the desired record.
 5

 With large files, the index file itself may become too large to be kept in
memory.
 One solution is to create an index for the index file. The primary index file
contains pointers to secondary index files, which point to the actual data
items.
 6

4.2 FILE SHARING

4.2.File Sharing:
❖ File sharing is very important for users who want to cooperate their files
with each other and to reduce the effort required to achieve a computing
goal.
❖ Multiple users share files. When multiple users are allowed to share files, then
there is a need to extend sharing to multiple file systems, including remote file
systems.
❖ File sharing includes

▪ Multiple users
▪ Remote File Systems
● Client server model
● Distributed Information systems
● Failure Modes
▪ Consistency semantics
● Unix Semantics
● Session Semantics
● Immutable Shared File Semantics
4.2.1 Multiple Users:
❖ The system with multiple users can either allow a user to access the files of
other users by default or require that a user specifically grant access to the
files.
❖ To implement sharing and protection, the system must maintain more file
and directory attributes than are needed on a single-user system.
❖ The systems uses the concepts of file owner (or user) and group for File
sharing.
❖ The owner is the user who can change attributes and grant access and who has
the most control over the file.
❖ The group attribute defines a subset of users who can share access to the file.
❖ The owner and group IDs of a given file are stored with the other file attributes.
❖ When a user requests an operation on a file, the user ID can be
compared with the owner attribute to determine if the requesting user is
the owner of the file.
❖ If he is not the owner of the file, the group IDs can be compared. The result
indicates which permissions are applicable.
❖ The system then applies those permissions to the requested operation and allows
or denies it.

4.2.2 Remote File Systems:

 7

❖ Networking allows the sharing of resources across a campus or even around the
world.
❖ The first implemented method for remote file systems involves manually
transferring files between machines via programs like FTP.
❖ The second major method uses a distributed file system (DFS) in which
remote directories is visible from a local machine.
❖ The third method is the World Wide Web where the browser is needed to
gain access to the
remote files.
4.2.2.1 Client Server Model:
❖ Remote file systems allow a computer to mount one or more file systems from one or
more remote machines.
❖ The machine containing the files is the server, and the machine seeking access to
the files is the client.
❖ The server declares that a resource is available to clients and specifies exactly
which resource is shared by which clients.
❖ A server can serve multiple clients, and a client can use multiple servers.
❖ A client can be specified by a network name or other identifier, such as an IP
address but these can be spoofed, or imitated.
❖ As a result of spoofing, an unauthorized client could be allowed access to the server.

❖ In the case of UNIX and its network file system (NFS), authentication takes
place via the client networking information.
❖ The user’s IDs on the client and server must match. If they do not, the server will
be unable to determine access rights to files.

4.2.2.2 Distributed Information Systems

❖ Distributed information systems, also known as distributed naming
services, provide unified access to the information needed for remote
computing.
❖ The domain name system (DNS) provides host-name-to-network-address
translations for the entire Internet.
❖ Distributed information systems provide user name/password/user ID/group ID
space for a distributed facility.
❖ In the case of Microsoft’s common Internet file system (CIFS), network
information is used in conjunction with user authentication to create a network
login that the server uses to decide whether
to allow or deny access to a requested file system.
❖ Microsoft uses active directory as a distributed naming structure to provide a
single name space for users. Once established, the distributed naming facility is
used by all clients and servers to authenticate users.
❖ LDAP: lightweight directory-access protocol (LDAP) is a secure distributed
naming mechanism.

4.2.2.3 Failure Modes:

 8

Local file systems can fail for a variety of reasons that

includes
Failure of the disk containing the file system,

 Corruption of the directory structure or other disk-management

information
 Disk-controller failure,
 Cable failure,
 Host-adapter failure
 User or system-administrator failure
Remote file systems have more failure modes because of the complexity of
network systems and the required interactions between remote machines.
 The failure semantics are defined and implemented as part of the remote-file-
system protocol.
 Termination of all operations can result in users’ losing data.
To implement the recovery from failure, some kind of state information may be
maintained on both the client and the server.
If both server and client maintain knowledge of their current activities and open files,
then they can recover from a failure.
4.2.3 Consistency Semantics:
 Consistency semantics represent a criterion for evaluating any file system
that supports file sharing.
 The semantics specify how multiple users of a system are to access a shared
file simultaneously.
 They specify when modifications of data by one user will be observable
by other users.
 These semantics are typically implemented as code with the file system.
 Consistency semantics are directly related to the process synchronization
algorithms.
 A series of file accesses attempted by a user to the same file is always
enclosed between the open() and close() operations.
The series of accesses between the open() and close() operations makes up a file
session
The Examples of Consistency semantics includes
 Unix Semantics
 Session Semantics
 Immutable shared File Semantics

i) Unix Semantics:
❖ The UNIX file system uses the following consistency semantics.
o Writes to an open file by a user are visible immediately to other users who have
this file open.
 9
o One mode of sharing allows users to share the pointer of current
location into the file. Thus, the advancing of the pointer by one user
affects all sharing users
ii) Session Semantics:
❖ The Andrew file system uses the following consistency semantics:
o Writes to an open file by a user are not visible immediately to other users that
have the same file open.
o Once a file is closed, the changes made to it are visible only in sessions
starting later. Already open instances of the file do not reflect these
changes.
iii) Immutable Shared File Semantics:
❖ The Immutable Shared file system uses the following consistency semantics
o Once a file is declared as shared by its creator, it cannot be modified.
o An immutable file has two key properties: its name may not be reused, and its
contents may not be altered
o An immutable file signifies that the contents of the file are fixed.

4.3 FILE PROTECTION:

❖ Protection mechanisms provide controlled access by limiting the types of file
access that can be made. Access is permitted or denied depending on several
factors, one of which is the type of access requested.
❖ File Protection is also defined as the process of protecting the file of a user from
unauthorized access or any other physical damage.
Goals of Protection:
i) To prevent malicious misuse of the system by users or programs. See chapter 15 for
a more thorough coverage of this goal.
ii) To ensure that each shared resource is used only in accordance with system policies,
which may be set either by system designers or by system administrators.
iii) To ensure that errant programs cause the minimal amount of damage possible.
4.3.1 Types of Access:
❖ The need to protect files is a direct result of the ability to access files.
❖ Systems that do not permit access to the files of other users do not need protection
❖ Several different types of operations may be controlled:
• Read. Read from the file.
• Write. Write or rewrite the file.
• Execute. Load the file into memory and execute it.
• Append. Write new information at the end of the file.
• Delete. Delete the file and free its space for possible reuse.
• List. List the name and attributes of the file.

❖ These higher-level functions may be implemented by a system program that makes

lower-level system calls.
4.3.2 Access control:
❖ The most common approach to the protection problem is to make access dependent
on the identity of the user.
❖ Different users may need different types of access to a file or directory.
 10

❖ The general scheme to implement identity dependent access is to associate with

each file and directory an access- control list (ACL) specifying user names and
the types of access allowed for each user.
❖ When a user requests access to a particular file, the operating system checks
the access list associated with that file.
❖ If that user is listed for the requested access, the access is allowed. Otherwise, a
protection violation occurs, and the user job is denied access to the file.
❖ The main problem with access lists is their length.
❖ This technique has two undesirable consequences:
• Constructing such a list may be a tedious and unrewarding task, especially
if we do not know in advance the list of users in the system.
• The directory entry, previously of fixed size, now must be of
variable size, resulting in more complicated space management
❖ To reduce the length of the access-control list, many systems recognize three
classifications of users in connection with each file:
▪ Owner. The user who created the file is the owner.
▪ Group. A set of users who are sharing the file and need similar access
▪ Universe. All other users in the system constitute the universe
❖ EXAMPLE: consider a person, Sara, who is writing a new book. She has hired
three graduate students (Jim, Dawn, and Jill) to help with the project. The text
of the book is kept in a file named book.tex
❖ The protection associated with this file is as follows:
• Sara should be able to invoke all operations on the file.
• Jim, Dawn, and Jill should be able only to read and write the file; they
should not be allowed to delete the file.
• All other users should be able to read, but not write, the file.
❖ In the UNIX system, groups can be created and modified only by the manager of the
facility
❖ Three fields are needed to define protection. Each field is a collection of bits,
and each bit either allows or prevents the access associated with it.
❖ The UNIX system defines three fields of 3 bits each—rwx where r controls read
access, w controls write access, and x controls execution.
❖ A separate field is kept for the file owner, for the file’s group, and for all other users.
❖ In this scheme, 9 bits per file are needed to record protection information.
❖ Thus, for our example, the protection fields for the file book.tex are as follows
▪ For the owner Sara, all bits are set;
▪ For the group text, the r and w bits are set;
▪ For the universe, only the r bit is set.
 11

❖ Windows users typically manage access-control lists via the Graphical User
Interface.

4.3.3 Password Protection:

❖ Another approach to the protection problem is to associate a password with each
file.
❖ Access to each file can be controlled with the help of passwords.
❖ If the passwords are chosen randomly and changed often, this scheme may be
effective in limiting access to a file.
❖ Disadvantages: The number of passwords that a user needs to remember may
become large.
❖ If only one password is used for all the files, then once it is discovered,
all files are accessible; protection is on an all-or-none basis.
❖ In a multilevel directory structure, we need to protect not only individual
files but also collections of files in subdirectories;
❖ We need to provide a mechanism for directory protection. The directory
operations that must be protected are somewhat different from the file
operations. We want to control the creation and deletion of files in a
directory.

4.4. Security
Security, requires not only an adequate protection system but also
consideration of the external environment within which the system
operates. A protection system is ineffective if user authentication is
compromised or a program is run by an unauthorized user.
Computer resources must be guarded against unauthorized access,
malicious destruction or alteration, and accidental introduction of
inconsistency. These resources include information stored in the system
(both data and code), as well as the CPU, memory, disks, tapes, and
networking that are the computer.
 12

4.4.1 The Security Problem

It is a process of ensuring the confidentiality and integrity of the OS. Security is

one of most important as well as the major task in order to keep all the threats
or other malicious tasks or attacks or program away from the computer’s
software system.
A system is said to be secure if its resources are used and accessed as intended
under all the circumstances, but no system can guarantee absolute security
from several of various malicious threats and unauthorized access.
The security of a system can be threatened via two violations:
Threat: A program that has the potential to cause serious damage to the
system.
Attack: An attempt to break security and make unauthorized use of an asset.

Security violations affecting the system can be categorized as malicious and

accidental threats. Malicious threats, as the name suggests are a kind of harmful
computer code or web script designed to create system vulnerabilities leading to
back doors and security breaches.
Accidental Threats, on the other hand, are comparatively easier to be
protected against. Example: Denial of Service DDoS attack.
Security can be compromised via any of the breaches mentioned:
 Breach of confidentiality: This type of violation involves the unauthorized
reading of data.
 Breach of integrity: This violation involves unauthorized modification of
data.
 Breach of availability: It involves unauthorized destruction of data.
 Theft of service: It involves the unauthorized use of resources.
 Denial of service: It involves preventing legitimate use of the system. As
mentioned before, such attacks can be accidental in nature.
To protect the system, Security measures can be taken at the following levels:
1.Physical:
The sites containing computer systems must be physically secured against armed and
malicious intruders. The workstations must be carefully protected.
2.Human:
Only appropriate users must have the authorization to access the system.
Phishing(collecting confidential information) and Dumpster Diving(collecting basic
information so as to gain unauthorized access) must be avoided.
3.Operating system:
The system must protect itself from accidental or purposeful security breaches.
4.Networking System:
Almost all of the information is shared between different systems via a network.
Intercepting these data could be just as harmful as breaking into a computer.
Henceforth, Network should be properly secured against such attacks.
 13

4.5 Program Threats

4.5.1 Trojan Horse
 A code segment that misuses its environment is called a Trojan Horse. It seem
to be attractive and harmless cover programs but are really harmful hidden
programs that can be used as the virus carrier.
 the User is fooled to enter confidential login details on an application. Those
details are stolen by a login emulator and can be further used as a way of
information breaches. One of the major as well as a serious threat or
consequences of the Trojan horse is that it will actually perform proper damage
once installed or run on the computer’s system but at first, a glance will appear
to be useful software and later turns out to be maliciously unwanted one.
 Another variance is Spyware, Spyware accompanies a program that the user
has chosen to install and download ads to display on the user’s system, thereby
creating pop-up browser windows and when certain sites are visited by the user,
it captures essential information and sends it over to the remote server. Such
attacks are also known as Convert Channels.

4.5.2 Trap Door:

 The designer of a program or system might leave a hole in the software
that only he is capable of using, the Trap Door works on similar
principles.
 Trap Doors are quite difficult to detect as to analyze them, one needs to
go through the source code of all the components of the system. In other
words, if we may have to define a trap door then it would be like, a trap
door is actually a kind of a secret entry point into a running or static
program that actually allows anyone to gain access to any system
without going through the usual security access procedures.
4.5.3 Logic Bomb :
A program that initiates a security attack only under a specific situation. To
be very precise, a logic bomb is actually the most malicious program which
is inserted intentionally into the computer system and that is triggered or
functions when specific conditions have been met for it to work.
4.5.4 Virus:
An infamous threat, known most widely. It is a self-replicating and malicious
thread that attaches itself to a system file and then rapidly replicates itself,
modifying and destroying essential files leading to a system breakdown.
Further, Types of computer viruses can be described briefly as follows:
 file/parasitic – appends itself to a file
 boot/memory – infects the boot sector
 macro – written in a high-level language like VB and affects MS Office
files
 source code – searches and modifies source codes
 14

 polymorphic – changes in copying each time

 encrypted – encrypted virus and decrypting code
 stealth – avoids detection by modifying parts of the system that can be
used to detect it, like the read system call
 tunneling – installs itself in the interrupt service routines and device
drivers
 multipartite – infects multiple parts of the system
4.6 System and Network Threats
 Program threats typically use a breakdown in the protection mechanisms
of a system to attack programs. In contrast, system and network threats
involve the abuse of services and network connections. System and
network threats create a situation in which operating-system resources
and user files are misused. Sometimes, a system and network attack is
used to launch a program attack, and vice versa.
 The more open an operating system is—the more services it has enabled
and the more functions it allows—the more likely it is that a bug is
available to exploit. Increasingly, operating systems strive to be secure
by default. For example, Solaris 10 moved from a model in which many
services (FTP, telnet, and others) were enabled by default when the
system was installed to a model in which almost all services are disabled
at installation time and must specifically be enabled by system
administrators. Such changes reduce the system’s attack surface—the
set of ways in which an attacker can try to break into the system
 It is important to note that masquerading and replay attacks are also
commonly launched over networks between systems. In fact, these
attacks are more effective and harder to counter when multiple systems
are involved. For example, within a computer, the operating system
usually can determine the sender and receiver of a message. Even if the
sender changes to the ID of someone else, there may be a record of that
ID change. When multiple systems are involved, especially systems
controlled by attackers, then such tracing is much more difficult
 In general, we can say that sharing secrets (to prove identity and as
keys to encryption) is required for authentication and encryption, and
sharing secrets is easier in environments (such as a single operating
system) in which secure sharing methods exist. These methods include
shared memory and interprocess communications.
4.6.1 Worms:
An infection program that spreads through networks. Unlike a virus, they target
mainly LANs. A computer affected by a worm attacks the target system and
writes a small program “hook” on it. This hook is further used to copy the
worm to the target computer. This process repeats recursively, and soon
enough all the systems of the LAN are affected. It uses the spawn
mechanism to duplicate itself. The worm spawns copies of itself, using up a
majority of system resources and also locking out all other processes.
 15

4.6.2 Port Scanning:

It is a means by which the cracker identifies the vulnerabilities of the
system to attack. It is an automated process that involves creating a
TCP/IP connection to a specific port.
To protect the identity of the attacker, port scanning attacks are launched
from Zombie Systems, that is systems that were previously independent
systems that are also serving their owners while being used for such
notorious purposes.

4.6.3 Denial of Service:

 Attacks aren’t aimed for the purpose of collecting information or destroying
system files. Rather, they are used for disrupting the legitimate use of a system
or facility.

 These attacks are generally network-based. They fall into two categories:
Attacks in this first category use so many system resources that no useful work
can be performed.
 For example, downloading a file from a website that proceeds to use all
available CPU time.
 Attacks in the second category involve disrupting the network of the facility.
These attacks are a result of the abuse of some fundamental TCP/IP principles.
the fundamental functionality of TCP/IP.
4.7 Cryptography
 cryptography is used to constrain the potential senders and/or
receivers of a message. Modern cryptography is based on secrets
called keys that are selectively distributed to computers in a network
and used to process messages.
 Cryptography enables a recipient of a message to verify that the
message was created by some computer possessing a certain key.
Similarly, a sender can encode its message so that only a computer
with a certain key can decode the message. Unlike network
 16
addresses, however, keys are designed so that it is not
computationally feasible to derive them from the messages they were
used to generate or from any other public information. Thus, they
provide a much more trustworthy means of constraining senders and
receivers of messages.
 cryptography is a field of study unto itself, with large and small
complexities and subtleties. Here, we explore the most important
aspects of the parts of cryptography that pertain to operating
systems
4.7.1 Encryption
encryption is used frequently in many aspects of modern computing. It
is used to send messages securely across across a network, as well
as to protect database data, files, and even entire disks from having
their contents read by unauthorized entities. An encryption algorithm
enables the sender of a message to ensure that only a computer
possessing a certain key can read the message, or ensure that the
writer of data is the only reader of that data. Encryption of messages
is an ancient practice, of course, and there have been many
encryption algorithms, dating back to ancient times
An encryption algorithm consists of the following components:

• A set K of keys.
• A set M of messages.
• A set C of ciphertexts.
• An encrypting function E : K → (M → C). That is, for each k ∈ K, Ek is a
function for generating ciphertexts from messages. Both E and Ek for
any k should be efficiently computable functions. Generally, Ek is a
randomized mapping from messages to ciphertexts.
• A decrypting function D : K → (C → M). That is, for each k ∈ K, Dk is a
function for generating messages from ciphertexts. Both D and Dk for
any k should be efficiently computable functions.

ciphertext c ∈ C, a computer can compute m such that Ek (m) = c

An encryption algorithm must provide this essential property: given a

only if it possesses k. Thus, a computer holding k can decrypt

ciphertexts to the plaintexts used to produce them, but a computer
not holding k cannot decrypt ciphertexts. Since ciphertexts are
generally exposed (for example, sent on a network), it is important
that it be infeasible to derive k from the ciphertexts. There are two
main types of encryption algorithms: symmetric and asymmetric.
4.7.1.1 Symmetric Encryption
 In a symmetric encryption algorithm, the same key is used to
encrypt and to decrypt. Therefore, the secrecy of k must be
protected. Following figure shows an example of two users
communicating securely via symmetric encryption over an insecure
channel. Note that the key exchange can take place directly
between the two parties or via a trusted third party (that is, a
certificate authority),
 For the past several decades, the most commonly used symmetric
 17
encryption algorithm in the United States for civilian applications has
been the data-encryption standard (DES) cipher adopted by the
National Institute of Standards and Technology (NIST). DES works by
taking a 64-bit value and a 56-bit key and performing a series of
transformations that are based on substitution and permutation
operations. Because DES works on a block of bits at a time, is known
as a block cipher, and its transformations are typical of block
ciphers. With block ciphers, if the same key is used for encrypting an
extended amount of data, it becomes vulnerable to attack.
 DES is now considered insecure for many applications because its
keys can be exhaustively searched with moderate computing
resources. (Note, though, that it is still frequently used.) Rather than
giving up on DES, NIST created a modification called triple DES, in
which the DES algorithm is repeated three times (two encryptions
and one decryption) on the same plaintext using two or three keys—
for example, c = Ek3(Dk2(Ek1(m))). When three keys are used, the
effective key length is 168 bits. Triple DES is in widespread use
today.

 In 2001, NIST adopted a new block cipher, called the advanced

encryption standard (AES), to replace DES. AES is another block
cipher. It can use key lengths of 128, 192, or 256 bits and works on
128-bit blocks. Generally, the algorithm is compact and efficient.
Block ciphers are not in themselves secure encryption schemes. In
particular, they do not directly handle messages longer than their
required block sizes. However, there are many modes of encryption
that are based on stream ciphers, which can be used to securely
encrypt longer messages.
 RC4 is perhaps the most common stream cipher. A stream cipher is
designed to encrypt and decrypt a stream of bytes or bits rather
than a block. This is useful when the length of a communication
would make a block cipher too slow. The key is input into a pseudo–
random-bit generator, which is an algorithm that attempts to
produce random bits. The output of the generator when fed a key is
 18
a keystream. A keystream is an infinite set of bits that can be used
to encrypt a plaintext stream by simply XORing it with the plaintext.
(XOR, for “eXclusive OR” is an operation that compares two input
bits and generates one output bit. If the bits are the same, the result
is 0. If the bits are different, the result is 1.) RC4 is used in
encrypting steams of data, such as in WEP, the wireless LAN
protocol. Unfortunately, RC4 as used in WEP (IEEE standard 802.11)
has been found to be breakable in a reasonable amount of computer
time. In fact, RC4 itself has vulnerabilities.
4.7.1.2 Asymmetric Encryption
 In an asymmetric encryption algorithm, there are different encryption
and decryption keys. An entity preparing to receive encrypted
communication creates two keys and makes one of them (called the
public key) available to anyone who wants it. Any sender can use that
key to encrypt a communication, but only the key creator can decrypt
the communication. This scheme, known as public-key encryption,
was a breakthrough in cryptography. No longer must a key be kept
secret and delivered securely. Instead, anyone can encrypt a message
to the receiving entity, and no matter who else is listening, only that
entity can decrypt the message.
 As an example of how public-key encryption works, we describe an
algorithm known as RSA, after its inventors, Rivest, Shamir, and
Adleman. RSA is the most widely used asymmetric encryption
algorithm. (Asymmetric algorithms based on elliptic curves are
gaining ground, however, because the key length of such an algorithm
can be shorter for the same amount of cryptographic strength.)
 In RSA, ke is the public key, and kd is the private key. N is the
product of two large, randomly chosen prime numbers p and q (for
example, p and q are 512 bits each). It must be computationally
infeasible to derive kd,N from ke,N, so that ke need not be kept secret
and can be widely disseminated. The encryption algorithm is Eke,N(m)
= mke mod N, where ke satisfies kekd mod (p−1)(q −1) = 1. The
decryption algorithm is then Dkd ,N(c) = ckd mod N. An example
using small values is shown in Figure 15.8. In this example, we make
p = 7 andq = 13. We then calculate N = 7∗13 = 91 and (p−1)(q−1) =
72. We next select ke relatively prime to 72 and < 72, yielding 5.
Finally, we calculate kd such that kekd mod 72 = 1, yielding 29. We
now have our keys: the public key, ke,N = 5, 91, and the private key,
kd,N = 29, 91. Encrypting the message 69 with the public key results
in the message 62, which is then decoded by the receiver via the
private key.
 The use of asymmetric encryption begins with the publication of the
public key of the destination. For bidirectional communication, the
source also must publish its public key. “Publication” can be as simple
as handing over an electronic copy of the key, or it can be more
complex. The private key (or “secret key”) must be zealously
guarded, as anyone holding that key can decrypt any message
created by the matching public key.
 We should note that the seemingly small difference in key use
between asymmetric and symmetric cryptography is quite large in
practice. Asymmetric cryptography is much more computationally
 19
expensive to execute. It is much faster for a computer to encode and
decode ciphertext by using the usual symmetric algorithms than by
using asymmetric algorithms. Why, then, use an asymmetric
algorithm? In truth, these algorithms are not used for general purpose
encryption of large amounts of data. However, they are used not only
for encryption of small amounts of data but also for authentication,
confidentiality, and key distribution, as we show in the following
sections

4.7.1.3 Authentication
Constraining the set of potential senders of a message is called
authentication. Authentication is thus complementary to encryption.

Encryption and decryption using RSA asymmetric cryptography.

Authentication is also useful for proving that a message has not been modified. In
this section, we discuss authentication as a constraint on possible senders of a
message. Note that this sort of authentication is similar to but distinct from user
authentication
An authentication algorithm using symmetric keys consists of the following
components: • A set K of keys. • A set M of messages.
• A set A of authenticators.
• A function S : K → (M → A). That is, for each k ∈ K, Sk is a function for generating
authenticators from messages. Both S and Sk for any k should be efficiently
computable functions.
• A function V : K → (M × A → {true, false}). That is, for each k ∈ K, Vk is a function
for verifying authenticators on messages. Both V and Vk for any k should be
efficiently computable functions.

message m, a computer can generate an authenticator a ∈ A such that Vk (m, a)

The critical property that an authentication algorithm must possess is this: for a

= true only if it possesses k. Thus, a computer holding k can generate

authenticators on messages so that any computer possessing k can verify them.
However, a computer not holding k cannot generate authenticators on messages
that can be verified using Vk . Since authenticators are generally exposed (for
example, sent on a network with the messages themselves), it must not be
 20
feasible to derive k from the authenticators. Practically, if Vk (m, a) = true, then
we know that m has not been modified, and that the sender of the message has k.
If we share k with only one entity, then we know that the message originated from
k.
4.7.1.4 Key Distribution
 A good part of the battle between cryptographers (those inventing ciphers)
and cryptanalysts (those trying to break them) involves keys. With
symmetric algorithms, both parties need the key, and no one else should
have it.
 The delivery of the symmetric key is a huge challenge. Sometimes it is
performed out-of-band—say, via a paper document or a conversation. These
methods do not scale well, however. Also consider the key-management
challenge. Suppose a user wanted to communicate with N other users
privately. That user would need N keys and, for more security, would need
to change those keys frequently.
 These are the very reasons for efforts to create asymmetric key algorithms.
Not only can the keys be exchanged in public, but a given user needs only
one private key, no matter how many other people she wants to
communicate with.
 There is still the matter of managing a public key for each recipient of the
communication, but since public keys need not be secured, simple storage
can be used for that key ring.
4.7.2 Implementation of Cryptography
 Network protocols are typically organized in layers, like an onion or a parfait,
with each layer acting as a client of the one below it. That is, when one
protocol generates a message to send to its protocol peer on another machine,
it hands its message to the protocol below it in the network-protocol stack for
delivery to its peer on that machine.
 For example, in an IP network, TCP (a transportlayer protocol) acts as a client
of IP (a network-layer protocol): TCP packets are passed down to IP for delivery
to the IP peer at the other end of the connection. IP encapsulates the TCP
packet in an IP packet, which it similarly passes down to the data-link layer to
be transmitted across the network to its peer on the destination computer. This
IP peer then delivers the TCP packet up to the TCP peer on that machine.
 21

4.8 User Authentication

If a system cannot authenticate a user, then authenticating that a message
came from that user is pointless. Thus, a major security problem for
operating systems is user authentication. The protection system depends
on the ability to identify the programs and processes currently executing,
which in turn depends on the ability to identify each user of the system.
Users normally identify themselves. How do we determine whether a user’s
identity is authentic? Generally, user authentication is based on one or
more of three things: the user’s possession of something (a key or card),
the user’s knowledge of something (a user identifier and password), or an
attribute of the user (fingerprint, retina pattern, or signature).
4.8.1 Passwords
The most common approach to authenticating a user identity is the use of
passwords. When the user identifies herself by user ID or account name, she is
asked for a password. If the user-supplied password matches the password
stored in the system, the system assumes that the account is being accessed
by the owner of that account. Passwords are often used to protect objects in the
computer system, in the absence of more complete protection schemes. They
can be considered a special case of either keys or capabilities. For instance, a
password may be associated with each resource (such as a file). Whenever a
request is made to use the resource, the password must be given. If the
password is correct, access is granted. Different passwords may be associated
with different access rights. For example, different passwords may be used for
reading files, appending files, and updating files.
4.8.2 Password Vulnerabilities
Passwords are extremely common because they are easy to understand and use.
Unfortunately, passwords can often be guessed, accidentally exposed, sniffed
(read by an eavesdropper), or illegally transferred from an authorized user to an
unauthorized one,
There are two common ways to guess a password. One way is for the intruder
(either human or program) to know the user or to have information about the
user. All too frequently, people use obvious information (such as the names of
their cats or spouses) as their passwords. The other way is to use brute force,
 22
trying enumeration—or all possible combinations of valid password characters
(letters, numbers, and punctuation on some systems)—until the password is
found. Short passwords are especially vulnerable to this method. For example, a
four-character password provides only 10,000 variations.
On average, guessing 5,000 times would produce a correct hit. A program that
could try a password every millisecond would take only about 5 seconds to
guess a four-character password. Enumeration is less successful where systems
allow longer passwords that include both uppercase and lowercase letters,
along with numbers and all punctuation characters. Of course, users must take
advantage of the large password space and must not, for example, use only
lowercase letters.
4.8.3 Securing Passwords
 weakness in the UNIX password methods is that many UNIX systems treat
only the first eight characters as significant. It is therefore extremely
important for users to take advantage of the available password space.
Complicating the issue further is the fact that some systems do not allow
the use of dictionary words as passwords.
 A good technique is to generate your password by using the first letter of
each word of an easily remembered phrase using both upper and lower
characters with a number or punctuation mark thrown in for good measure.
For example, the phrase “My mother’s name is Katherine” might yield the
password “Mmn.isK!”. The password is hard to crack but easy for the user to
remember. A more secure system would allow more characters in its
passwords. Indeed, a system might also allow passwords to include the
space character, so that a user could create a passphrase.
4.8.4 One-Time Passwords
 To avoid the problems of password sniffing and shoulder surfing, a system
can use a set of paired passwords. When a session begins, the system
randomly selects and presents one part of a password pair; the user must
supply the other part.
 In this system, the user is challenged and must respond with the correct
answer to that challenge. This approach can be generalized to the use of an
algorithm as a password. Such algorithmic passwords are not susceptible to
reuse. That is, a user can type in a password, and no entity intercepting that
password will be able to reuse it. In this scheme, the system and the user
share a symmetric password.
 The password pw is never transmitted over a medium that allows exposure.
Rather, the password is used as input to the function, along with a challenge
ch presented by the system. The user then computes the function H(pw,
ch). The result of this function is transmitted as the authenticator to the
computer. Because the computer also knows pw and ch, it can perform the
same computation.
 If the results match, the user is authenticated. The next time the user needs
to be authenticated, another ch is generated, and the same steps ensue.
This time, the authenticator is different. This one-time password system is
one of only a few ways to prevent improper authentication due to password
exposure.
4.8.5 Biometrics
 Palm- or hand-readers are commonly used to secure physical access—for
 23
example, access to a data center. These readers match stored parameters
against what is being read from hand-reader pads. The parameters can
include a temperature map, as well as finger length, finger width, and line
patterns. These devices are currently too large and expensive to be used
for normal computer authentication.
 Fingerprint readers have become accurate and cost-effective and should
become more common in the future. These devices read finger ridge
patterns and convert them into a sequence of numbers. Over time, they
can store a set of sequences to adjust for the location of the finger on the
reading pad and other factors. Software can then scan a finger on the pad
and compare its features with these stored sequences to determine if they
match. Of course, multiple users can have profiles stored, and the scanner
can differentiate among them. A very accurate two-factor authentication
scheme can result from requiring a password as well as a user name and
fingerprint scan. If this information is encrypted in transit, the system can
be very resistant to spoofing or replay attack.
 Multifactor authentication is better still. Consider how strong authentication
can be with a USB device that must be plugged into the system, a PIN, and
a fingerprint scan. Except for having to place ones finger on a pad and plug
the USB into the system, this authentication method is no less convenient
than that using normal passwords. Recall, though, that strong
authentication by itself is not sufficient to guarantee the ID of the user. An
authenticated session can still be hijacked if it is not encrypted.
4.9 Implementing Security Defenses
The solutions range from improved user education, through technology, to
writing bug-free software. Most security professionals subscribe to the theory of
defense in depth, which states that more layers of defense are better than
fewer layers. Of course, this theory applies to any kind of security. Consider the
security of a house without a door lock, with a door lock, and with a lock and an
alarm.
4.9.1 Security Policy
 The first step toward improving the security of any aspect of computing is to
have a security policy.
 Policies vary widely but generally include a statement of what is being
secured. For example, a policy might state that all outside accessible
applications must have a code review before being deployed, or that users
should not share their passwords, or that all connection points between a
company and the outside must have port scans run every six months.
Without a policy in place, it is impossible for users and administrators to
know what is permissible, what is required, and what is not allowed. The
policy is a road map to security, and if a site is trying to move from less
secure to more secure, it needs a map to know how to get there.
 Once the security policy is in place, the people it affects should know it well.
It should be their guide. The policy should also be a living document that is
reviewed and updated periodically to ensure that it is still pertinent and
still followed
4.9.2 Vulnerability Assessment
Vulnerability scans typically are done at times when computer use is
relatively low, to minimize their impact. When appropriate, they are done
on test systems rather than production systems, because they can induce
 24
unhappy behavior from the target systems or network devices.
A scan within an individual system can check a variety of aspects of the
system:
• Short or easy-to-guess passwords
• Unauthorized privileged programs, such as setuid programs
• Unauthorized programs in system directories
• Unexpectedly long-running processes
• Improper directory protections on user and system directories
• Improper protections on system data files, such as the password
file, device drivers, or the operating-system kernel itself
• Dangerous entries in the program search path
• Changes to system programs detected with checksum values
• Unexpected or hidden network daemons
4.9.3 Intrusion Detection
Securing systems and facilities is intimately linked to intrusion detection.Intrusion
detection, as its name suggests, strives to detect attempted or successful
intrusions into computer systems and to initiate appropriate responses to the
intrusions. Intrusion detection encompasses a wide array of techniques that vary
on a number of axes, including the following:
• The time at which detection occurs. Detection can occur in real time (while
the intrusion is occurring) or after the fact.
• The types of inputs examined to detect intrusive activity. These may include
user-shell commands, process system calls, and network packet headers or
contents. Some forms of intrusion might be detected only by correlating
information from several such sources.
• The range of response capabilities. Simple forms of response include alerting an
administrator to the potential intrusion or somehow halting the potentially
intrusive activity—for example, killing a process engaged in such activity. In a
sophisticated form of response, a system might transparently divert an intruder’s
activity to a honeypot—a false resource exposed to the attacker. The resource
appears real to the attacker and enables the system to monitor and gain
information about the attack.
4.9.4 Virus Protection
 Protection from viruses thus is an important security concern. Antivirus
programs are often used to provide this protection. Some of these programs
are effective against only particular known viruses. They work by searching
all the programs on a system for the specific pattern of instructions known
to make up the virus. When they find a known pattern, they remove the
instructions, disinfecting the program. Antivirus programs may have
catalogs of thousands of viruses for which they search.
 Both viruses and antivirus software continue to become more sophisticated.
Some viruses modify themselves as they infect other software to avoid the
basic pattern-match approach of antivirus programs. Antivirus programs in
turn now look for families of patterns rather than a single pattern to identify
a virus. In fact, some antivirus programs implement a variety of detection
algorithms. They can decompress compressed viruses before checking for a
signature. Some also look for process anomalies. A process opening an
 25
executable file for writing is suspicious, for example, unless it is a compiler.
Another popular technique is to run a program in a sandbox, which is a
controlled or emulated section of the system. The antivirus software
analyzes the behavior of the code in the sandbox before letting it run
unmonitored. Some antivirus programs also put up a complete shield rather
than just scanning files within a file system. They search boot sectors,
memory, inbound and outbound e-mail, files as they are downloaded, files
on removable devices or media, and so on
 The best protection against computer viruses is prevention, or the practice
of safe computing. Purchasing unopened software from vendors and
avoiding free or pirated copies from public sources or disk exchange offer
the safest route to preventing infection. However, even new copies of
legitimate software applications are not immune to virus infection: in a few
cases, disgruntled employees of a software company have infected the
master copies of software programs to do economic harm to the company.
For macro viruses, one defense is to exchange Microsoft Word documents in
an alternative file format called rich text format (RTF).
4.9.5 Auditing, Accounting, and Logging
 Auditing, accounting, and logging can decrease system performance,
but they are useful in several areas, including security. Logging can
be general or specific. All system-call executions can be logged for
analysis of program behavior (or misbehavior).
 More typically, suspicious events are logged. Authentication failures
and authorization failures can tell us quite a lot about break-in
attempts. Accounting is another potential tool in a security
administrator’s kit.
 It can be used to find performance changes, which in turn can reveal
security problems. One of the early UNIX computer break-ins was
detected by Cliff Stoll when he was examining accounting logs and
spotted an anomaly

Protection
Protection refers to a mechanism for controlling the access of
programs, processes, or users to the resources defined by a
computer system. This mechanism must provide a means for
specifying the controls to be imposed, together with a means of
enforcement. We distinguish between protection and security,
which is a measure of confidence that the integrity of a system and
its data will be preserved.

4.10 Goals of Protection

 Protection can improve reliability by detecting latent errors at the interfaces between
component subsystems. Early detection of interface errors can often prevent
contamination of a healthy subsystem by a malfunctioning subsystem. Also, an
unprotected resource cannot defend against use (or misuse) by an unauthorized or
incompetent user.
 26

 A protection-oriented system provides means to distinguish between authorized and

unauthorized usage. The role of protection in a computer system is to provide a
mechanism for the enforcement of the policies governing resource use. These
policies can be established in a variety of ways. Some are fixed in the design of the
system, while others are formulated by the management of a system. Still others are
defined by the individual users to protect their own files and programs.
 A protection system must have the flexibility to enforce a variety of policies.
Policies for resource use may vary by application, and they may change over time.
 For these reasons, protection is no longer the concern solely of the designer of an
operating system. The application programmer needs to use protection mechanisms
as well, to guard resources created and supported by an application subsystem
against misuse.

4.11 Principles of Protection

• A key, time-tested guiding principle for protection is the principle of least
privilege. It dictates that programs, users, and even systems be given just
enough privileges to perform their tasks.
• Consider the analogy of a security guard with a passkey. If this key allows
the guard into just the public areas that she guards, then misuse of the key
will result in minimal damage. If, however, the passkey allows access to all
areas, then damage from its being lost, stolen, misused, copied, or
otherwise compromised will be much greater.
• An operating system following the principle of least privilege implements
its features, programs, system calls, and data structures so that failure or
compromise of a component does the minimum damage and allows the
minimum damage to be done. The overflow of a buffer in a system daemon
might cause the daemon process to fail, for example, but should not allow
the execution of code from the daemon process’s stack that would enable
a remote user to gain maximum privileges and access to the entire system
(as happens too often today).
• Such an operating system also provides system calls and services that
allow applications to be written with fine-grained access controls. It
provides mechanisms to enable privileges when they are needed and to
disable them when they are not needed. Also beneficial is the creation of
audit trails for all privileged function access. The audit trail allows the
programmer, system administrator, or law-enforcement officer to trace all
protection and security activities on the system.
• Managing users with the principle of least privilege entails creating a
separate account for each user, with just the privileges that the user needs.
An operator who needs to mount tapes and back up files on the system has
access to just those commands and files needed to accomplish the job.
Some systems implement role-based access control (RBAC) to provide this
functionality.
 27

• Computers implemented in a computing facility under the principle of least

privilege can be limited to running specific services, accessing specific
remote hosts via specific services, and doing so during specific times.
• The principle of least privilege can help produce a more secure computing
environment. Unfortunately, it frequently does not. For example, Windows
2000 has a complex protection scheme at its core and yet has many
security holes. By comparison, Solaris is considered relatively secure, even
though it is a variant of UNIX, which historically was designed with little
protection in mind. One reason for the difference may be that Windows
2000 has more lines of code and more services than Solaris and thus has
more to secure and protect. Another reason could be that the protection
scheme in Windows 2000 is incomplete or protects the wrong aspects of
the operating system, leaving other areas vulnerable.
4.12 Protection Rings,
The ordered protection domains are referred to as Protection Rings. These
mechanisms help in improving fault tolerance and provide Computer Security.
Operating Systems provide different levels to access resources. Rings are
hierarchically arranged from most privileged to least privileged. Use of
Protection Ring : Use of Protection Rings provides logical space for the levels of
permissions and execution. Two important uses of Protection Rings are :
1. Improving Fault Tolerance
2. Provide Computer Security
Levels of Protection Ring : There are basically 4 levels ranging from 0 which is the
most privileged to 3 which is least privileged. Most Operating Systems use level 0
as the kernel or executive and use level 3 for application programs. A resource
that is accessible to level n is also accessible to levels 0 to n and the privilege
levels are rings.
Modes of Protection Ring : There are basically two modes : Supervisor Mode, and
Hypervisor
Mode. These are explained as following below in brief.
1. Supervisor Mode : Supervisor Mode is an execution mode in some of processors
which allows execution of all instructions including privileged instructions. It also
gives access to different address space, to memory management hardware, and to
other peripherals. Usually, Operating System runs in this mode.
2. Hypervisor Mode : Modern CPUs offer x86 virtualization instructions for
hypervisor to control “Ring 0” hardware access. In order to help virtualization, VT
and Pacifica insert new privilege level below “Ring 0” and Both these add nine new
“machine code” instructions that only work on Ring −1 and intended to be used by
hypervisor.
Implementation : Protection Rings are combined with processor modes against rule of
slave in some systems. Operating system running on hardware that supports such
rules can use both methods of protecting or only one of them. Efficient use of
architecture of Protection Rings requires close interaction between hardware and
operating system. The operating system is designed such that they have worked on a
lot of platforms and may have different implementation mechanism rings on each
platform. The security model is generally simplified

4.13 Domain Protection

Need of protection OS :
 28

 To ensure data safety, process and program safety against illegal user access,
or even program access, we need protection.

 It is to ensure that programs, resources and data are accessed only according
to the systems’ policies.
 It is also to ensure that there are no access rights’ breach, no unauthorized
access to the existing data, no virus or worms.
 There can be security threats such as unauthorized reading, writing,
modification or preventing the system to work properly for the authorized users
themselves.
Goals of Protection :
 Therefore, protection is a method of safeguarding data and processes against
malicious and intentional intrusion. For that purpose, we have protection
policies that are either designed by the system itself or specified by the
management itself or are imposed by the programmers individually to protect
their programs with extra safety.
 It also gives a multiprogramming OS the sense of safety that is required by its
users to share common space like files or directories.
 The policies bind how the processes are to access the resources present in the
computer system, resources like CPU, memory, software and even the OS. Both
the OS designer and the application programmer are responsible for this.
However, these policies always change from time to time.
Domain of Protection :
 The protection policies limit the access of each process with respect to their
resource handling. A process is bound to use only those resources which it
requires to complete its task, in the time limit that it requires and also the mode
in which it is required. That is the protected domain of a process.
 A computer system has processes and objects, which are treated as abstract
data types, and these objects have operations specific to them. A domain
element is described as <object, {set of operations on object}>.
 Each domain consists of a set of objects and the operations that can be
performed on them. A domain can consist of either only a process or a
procedure or a user. Then, if a domain corresponds to a procedure, then
changing domain would mean changing procedure ID. Objects may share a
common operation or two. Then the domains overlap.

Association between process and domain :

 29

Processes switch from one domain to other when they have the access right to do
so. It can be of two types as follows.
1. Fixed or static –

In fixed association, all the access rights can be given to the processes at the
very beginning but that give rise to a lot of access rights for domain switching.

2. Changing or dynamic –

In dynamic association where a process can switch dynamically, creating a new

domain in the process, if need be.
Security Measures :
 Security measures at different levels are taken against malpractices, such as no
person should be allowed on the premises or allowed access to the systems.
 The network that is used for the transfer of files must be secure at all times. No
alien software must be able to extract information from the network while the
transfer. This is known as Network Sniffing, and it can be prevented by
introducing encrypted channels of data transfer. Also, the OS must be able to
resist against forceful or even accidental violations.
 The best ways of authentication are using a username password combination,
using fingerprint, eye retina scan or even user cards to access the system.
 Passwords are a good method to authenticate, but it is also one of the most
common as well as vulnerable methods. To crack passwords is not too hard.
While there are weak passwords, but even hard passwords can be cracked by
either sniffing around or giving access to multiple users or even network
sniffing as mentioned above.
Security Authentication :
To make passwords strong and a formidable authentication source, one time
passwords, encrypted passwords and Cryptography are used as follows.
1. One Time Passwords :

It is used in such a way that it is unique at every instance of login by the user. It
is a pair of passwords combined to give the user access. The system generates
a random number and the user provides a complementary one or the system
and the user are provided a random number by an algorithm and through a
common function that the two share they match the output and thus get
access.

2. Encrypted Passwords :

It is also a very way to authenticate access. Encrypted data is passed over the
network which does the transfer and checking of the passwords that helps in
the data passage Without interruption or interception.
 30

3. Cryptography :

It is another method of ensuring that data transfer over a network is not

available to the unauthorized users. This helps in transfer of data with full
protection. It protects the data by introducing the concept of a key. The key is
very important here. When a user sends the data, he encodes it using a
computer possessing the key and the receiver also has to decode the data
using the very same key. Thus, even if the data is stolen mid-way, there’s still a
big possibility that the unauthorized user cannot access it.
Protection is an essential aspect of an operating system, which ensures the safety
and security of system resources and data. It provides a way to control access to
resources and ensure that unauthorized access is prevented.
There are three main components of protection in an operating system:
domain of protection, association, and authentication.
1. Domain of Protection: The domain of protection is the set of resources that are
controlled by a particular protection mechanism. In an operating system, a
domain can be defined as a set of objects that are accessed by a set of
subjects. Objects are resources, such as files, memory, and I/O devices, while
subjects are entities that access these resources, such as processes, users, and
groups. Each domain has a specific set of rules that govern the access to its
objects by its subjects.
2. Association: Association is the mapping of a subject to a domain of protection.
In other words, it is the relationship between a subject and the set of resources
that it is authorized to access. In an operating system, association can be
defined as the process of assigning a subject to a domain of protection based
on its authentication credentials. Authentication credentials can be a password,
a digital certificate, or a biometric identifier.
3. Authentication: Authentication is the process of verifying the identity of a
subject before granting access to protected resources. Authentication is an
essential component of protection because it ensures that only authorized
subjects can access protected resources. In an operating system,
authentication can be implemented using various methods, such as passwords,
digital certificates, smart cards, and biometric identifiers.
4. In summary, protection in an operating system is achieved through the
combination of domain of protection, association, and authentication. The
domain of protection defines the set of resources that are controlled by the
protection mechanism, association maps subjects to domains of protection, and
authentication ensures that only authorized subjects can access protected
resources.

4.14 Access Matrix

An Access Matrix is a digital model utilized to control and manage permissions.
This model defines the rights each user has for different resources. In simple
terms, it’s a table that shows what actions an individual or a group of users can
perform on specific objects within a system.
It represents the access control mechanism that specifies which actions (e.g.,
read, write, execute) are allowed or denied for each subject on each object.
 31

Different Types of Rights

There are different types of rights the files can have. The most
common ones are:
1. Read- This is a right given to a process in a domain that allows it to read
the file.
2. Write- Process in the domain can be written into the file.
3. Execute- The process in the domain can execute the file.
4. Print- Process in the domain only has access to a printer.

Observations of Above Matrix

 There are four domains and four objects– three files(F1, F2, F3) and one
printer.
 A process executing in D1 can read files F1 and F3.
 A process executing in domain D4 has same rights as D1 but it can also write on
files.
 Printer can be accessed by only one process executing in domain D2.
 A process executing in domain D3 has the right to read file F2 and execute file F3.

Mechanism of Access Matrix

The mechanism of access matrix consists of many policies and semantic
properties. Specifically, we must ensure that a process executing in domain Di can
access only those objects that are specified in row i. Policies of access matrix
concerning protection involve which rights should be included in the (i, j)th entry.
We must also decide the domain in which each process executes. This policy is
usually decided by the operating system. The users decide the contents of the access-
matrix entries. Association between the domain and processes can be either static or
dynamic. Access matrix provides a mechanism for defining the control for this
association between domain and processes.
Switch operation: When we switch a process from one domain to another, we execute
a switch operation on an object(the domain). We can control domain switching by
 32

including domains among the objects of the access matrix. Processes should be able
to switch from one domain (Di) to another domain (Dj) if and only if a switch right is
given to access(i, j). This is explained using an example below:

Access matrix with domains as objects

The ability to copy an access right from one domain (or row) of the access matrix to
another is denoted by an asterisk (*) appended to the access right. The copy right
allows the access right to be copied only within the column (that is, for the object)
for which the right is defined. a process executing in domain D2 can copy the read
operation into any entry associated with file F2. Hence, the access matrix of can be
modified to the access matrix
This scheme has two additional variants:
1. A right is copied from access(i, j) to access(k, j); it is then removed from access(i, j).
This action is a of a right, rather than a copy.
2. Propagation of the copy right may be limited. That is, when the right R∗ is copied
from access(i, j) to access(k, j), only the right R (not R∗) is created. A process
executing in domain Dk cannot further copy the right R.
A system may select only one of these three copy rights, or it may provide all three by
identifying them as separate rights: copy, transfer, and limited copy. We also need a
mechanism to allow addition of new rights and removal of some rights. The owner
right controls these operations. If access(i, j) includes the owner right, then a process
executing in domain Di can add and remove
 33

Access matrix with copy rights.

 34

Access matrix with owner rights.

Modified access matrix

4.15 Implementation of Access Matrix

 35

The Access Matrix is a security model for a computer system's protection state. It
is described as a matrix. An access matrix is used to specify the permissions of
each process running in the domain for each object. The rows of the matrix
represent domains, whereas the columns represent objects. Every matrix cell
reflects a set of access rights granted to domain processes, i.e., each entry (i,
j) describes the set of operations that a domain Di process may invoke on
object Oj.
There are various methods of implementing the access matrix in the operating system.

These methods are as follows:

1. Global Table
2. Access Lists for Objects
3. Capability Lists for Domains
4. Lock-Key Mechanism

Global Table
It is the most basic access matrix implementation. A set of ordered triples <domain,
object, rights-set> is maintained in a file. When an operation M has been
performed on an object Oj within domain Di, the table is searched for a triple <Di,
Oj, Rk>. The operation can proceed if this triple is located; otherwise, an
exception (or error) condition has arrived. This implementation has various
drawbacks. The table is generally large and cannot be stored in the main
memory, so additional input and output are required.

Access Lists for Objects

Every access matrix column may be used as a single object's access list. It is
possible to delete the blank entries. For each object, the resulting list contains
ordered pairs <domain, rights-set> that define all domains for that object and
a nonempty set of access rights.

We may start by checking the default set and then find the access list. If the item is
found, we enable the action; if it isn't, we verify the default set. If M is in the
default set, we grant access. Access is denied if this is not the case, and an
extraordinary scenario arises.

Capability Lists for Domains

A domain's capability list is a collection of objects and the actions that can be done
on them. A capacity is a name or address that is used to define an object. If you
want to perform operation M on object Oj, the process runs operation M,
specifying the capability for object Oj. The simple possession of the capability
implies that access is allowed.

In most cases, capabilities are separated from other data in one of two ways. Every
object has a tag to indicate its type as capability data. Alternatively, a program's
address space can be divided into two portions. The programs may access one
portion, including the program's normal instructions and data. The other portion is
a capability list that is only accessed by the operating system.
 36

Lock-Key Mechanism
It is a compromise between the access lists and the capability lists. Each object has
a list of locks, which are special bit patterns. On the other hand, each domain has
a set of keys that are special bit patterns. A domain-based process could only
access an object if a domain has a key that satisfies one of the locks on the
object. The process is not allowed to modify its keys.

Now, let's take an example to understand the implementation of an access matrix in

the operating system.

4.16 Revocation of Access Rights

In a dynamic protection system, we may sometimes need to revoke access
rights to objects shared by different users. Various questions about
revocation may arise:
• Immediate versus delayed. Does revocation occur immediately, or is it
delayed? If revocation is delayed, can we find out when it will take place?
• Selective versus general. When an access right to an object is revoked, does
it affect all the users who have an access right to that object, or can we
specify a select group of users whose access rights should be revoked?
• Partial versus total. Can a subset of the rights associated with an object be
revoked, or must we revoke all access rights for this object?
• Temporary versus permanent. Can access be revoked permanently (that is,
the revoked access right will never again be available), or can access be
revoked and later be obtained again? With an access-list scheme,
revocation is easy. The access list is searched for any access rights to be
revoked, and they are deleted from the list. Revocation is immediate and
can be general or selective, total or partial, and permanent or temporary.
Capabilities, however, present a much more difficult revocation problem, as
mentioned earlier. Since the capabilities are distributed throughout the
system, we must find them before we can revoke them. Schemes that
implement revocation for capabilities include the following:
• Reacquisition. Periodically, capabilities are deleted from each domain. If a
process wants to use a capability, it may find that that capability has been
deleted. The process may then try to reacquire the capability. If access has
been revoked, the process will not be able to reacquire the capability. •
Back-pointers. A list of pointers is maintained with each object, pointing to
all capabilities associated with that object. When revocation is required, we
can follow these pointers, changing the capabilities as necessary. This
scheme was adopted in the MULTICS system. It is quite general, but its
implementation is costly.
• Indirection. The capabilities point indirectly, not directly, to the objects. Each
capability points to a unique entry in a global table, which in turn points to
the object. We implement revocation by searching the global table for the
desired entry and deleting it. Then, when an access is attempted, the
capability is found to point to an illegal table entry. Table entries can be
reused for other capabilities without difficulty, since both the capability and
the table entry contain the unique name of the object.
 Keys. A key is a unique bit pattern that can be associated with a
capability. This key is defined when the capability is created, and it can
be neither modified nor inspected by the process that owns the
capability.
 37

 A master key is associated with each object; it can be defined or

replaced with the set-key operation. When a capability is created, the
current value of the master key is associated with the capability. When
the capability is exercised, its key is compared with the master key.
 If the keys match, the operation is allowed to continue; otherwise, an
exception condition is raised. Revocation replaces the master key with a
new value via the set-key operation, invalidating all previous capabilities
for this object.

4.17 Role-Based Access Control

Role-based Access Control – The concept of Role-based Access Control

is to create a set of permissions and assign these permissions to a user
or group. With the help of these permissions, only limited access to
users can be provided therefore level of security is increased. There are
different ways to perform RBAC such as creating custom privilege levels
or creating views.
Custom level privilege – When we take a console of the router, we
enter into the user-level mode. The user-level mode has privilege level
1. By typing enable, we enter into a privileged mode where the privilege
level is 15. A user with privilege level 15 can access all the commands
that are at level 15 or below. By creating a custom privilege level
(between 2 and 14) and assigning commands to it, the administrator
can provide subset of commands to the user.
Configuration – First we will add a command to our privilege level say 8
and assign a password to it.
R1(config)#privilege exec level 8 configure terminal
R1(config)#enable secret level 8 0 saurabh
Also note that 0 here means the password followed is clear text (non-hashed) . Now,
we will create a local user name saurabh and associated this user with configured
level. Enable aaa model and assign default list to various lines.
R1(config)#username saurabh privilege 8 secret cisco123
R1(config)#aaa new-model
R1(config)#line vty 0 4
R1(config)#login local

Advantages of Role-based Access Control

There are different advantages to utilizing RBAC, including:

1.Working on functional proficiency:-
With RBAC, organizations can diminish the requirement for administrative work and
secret word changes when they recruit new representatives or switch the jobs of
existing representatives. RBAC allows associations rapidly to add and change jobs, as
well as carry out them across stages, working frameworks (OSes) and applications. It
 38

likewise eliminates the potential for blunder while allocating client consents. Also,
with RBAC, organizations can all the more effectively incorporate outsider clients into
their organizations by giving them predefined jobs.
2.Upgrading consistence:- Each association should conform to nearby, state and
government guidelines. Organizations for the most part really like to carry out RBAC
frameworks to meet the administrative and legal necessities for secrecy and
protection since leaders and IT offices can all the more actually oversee how the
information is gotten to and utilized. This is especially significant for monetary
establishments and medical organizations that oversee delicate information.
3.Giving chairmen expanded perceivability:-
RBAC gives network overseers and administrators greater perceivability and oversight
into the business, while likewise ensuring approved clients and visitors on the
framework are just given admittance to what they need to take care of their
responsibilities.
Lessening costs:- By not permitting client admittance to specific cycles and
applications, organizations might ration or more expense successfully use assets, like
organization data transmission, memory and capacity.
4.Diminishing gamble of breaks and information spillage:-
Executing RBAC implies confining admittance to delicate data, consequently lessening
the potential for information breaks or information spillage.

Disadvantages of Role-based Access Control :

1. Lack of Flexibility: RBAC can be inflexible, as roles and permissions are typically
assigned based on a predetermined set of rules. This can make it difficult to
accommodate exceptions or unique situations where an individual needs access to
resources that are outside of their assigned role.
2. Complexity: Implementing RBAC can be complex, requiring significant planning
and resources. Setting up roles and permissions for each user can be time-
consuming and may require ongoing maintenance to ensure that access levels
remain appropriate.
3. Lack of Granularity: RBAC can lack granularity in terms of the level of access
granted to users. This can result in situations where users have access to more
resources than they need to perform their job, which can increase the risk of data
breaches and other security incidents.
4. Overreliance on Roles: RBAC can result in overreliance on roles, which can limit
the ability to make granular access decisions based on specific user attributes,
such as their level of trust or the sensitivity of the data they are accessing.
5. Difficulty in Delegation: Delegating roles and permissions can be difficult,
particularly in larger organizations where there are many different roles and levels
of access. This can result in delays in granting access to resources, which can
impact productivity and business operations.

4.18 Mandatory Access Control

 Mandatory access control is access control policies that are
decided by the system and not the application or data owner.
Mandatory Access Control (MAC) is a group of security policies
constrained according to system classification, configuration and
authentication. MAC policy management and settings are created
in one secure network and defined to system administrators.
 39

 MAC defines and provides a centralized enforcement of confidential

security policy parameters. Mandatory access control creates strict
security policies for single users and the resources, systems, or
data they are enabled to access. These policies are controlled by a
management; single users are not given the authority to set, alter,
or revoke permissions in a method that contradicts current policies.
 Under this system, both the subject (user) and the object (data,
system, or other resource) should be assigned similar security
attributes to connect with each other. The bank’s president would
not only need the proper security clearance to access user data
files, but the system administrator would require to define that
those files can be considered and altered by the president. While
that process can seem redundant, it provides that users cannot
implement unauthorized actions simply by gaining access to
specific data or resources.
Modern access control systems based upon
 It can be integrated enterprise user and identity databases and
Lightweight Directory Access Protocol (LDAP) directories.
 It can be powerful business procedure pertaining to the
provisioning and deprovisioning of a user.
 It can be provisioning application integrated with the business
provisioning and de-provisioning process.
 A global enterprise id for each user to integrate the user’s identity
among some applications and systems.
 A strong end to end audit of everywhere the physical person went
and the systems, software and information systems they accessed.
 The types of access control structure available for information
technology initiatives today continues to enhance at a breakneck
pace. Most access control approaches are based on the same basic
principles. If it can understand the basic concepts and principles, it
can use this understanding to new products and technologies and
shorten the learning curve so it can maintain pace with new
technology initiatives.
 Access control devices properly recognize people, and test their
identity through an authentication procedure so they can be held
accountable for their actions. Best access control systems data and
timestamp all connection and transactions so that access to
systems and information can be audited at current dates.

4.19 Capability-Based Systems

4.19.1 An Example: Hydra
 Hydra is a capability-based protection system that provides
considerable flexibility. The system implements a fixed set of
possible access rights, including such basic forms of access as the
right to read, write, or execute a memory segment. In addition, a
user (of the protection system) can declare other rights. The
interpretation of user-defined rights is performed solely by the
user’s program, but the system provides access protection for the
use of these rights, as well as for the use of system-defined rights.
These facilities constitute a significant development in protection
technology.
 40

 Hydra also provides rights amplification. This scheme allows a

procedure to be certified as trustworthy to act on a formal
parameter of a specified type on behalf of any process that holds a
right to execute the procedure. The rights held by a trustworthy
procedure are independent of, and may exceed, the rights held by
the calling process. However, such a procedure must not be
regarded as universally trustworthy (the procedure is not allowed
to act on other types, for instance), and the trustworthiness must
not be extended to any other procedures or program segments
that might be executed by a process.
 Programmers can make direct use of the protection system after
acquainting themselves with its features in the appropriate
reference manual. Hydra provides a large library of system-defined
procedures that can be called by user programs. Programmers can
explicitly incorporate calls on these system procedures into their
program code or can use a program translator that has been
interfaced to Hydra.

4.20 Protection Improvement Methods

• As operating systems have become more complex, and particularly

as they have attempted to provide higher-level user interfaces, the
goals of protection have become much more refined. The designers
of protection systems have drawn heavily on ideas that originated
in programming languages and especially on the concepts of
abstract data types and objects.
• Protection systems are now concerned not only with the identity of
a resource to which access is attempted but also with the
functional nature of that access. In the newest protection systems,
concern for the function to be invoked extends beyond a set of
system-defined functions, such as standard file-access methods, to
include functions that may be user-defined as well. Policies for
resource use may also vary, depending on the application, and
they may be subject to change over time. For these reasons,
protection can no longer be considered a matter of concern only to
the designer of an operating system. It should also be available as
a tool for use by the application designer, so that resources of an
application subsystem can be guarded against tampering or the
influence of an error

4.21 Language-Based Protection.

• As operating systems have become more complex, and particularly

as they have attempted to provide higher-level user interfaces, the
goals of protection have become much more refined.
• The designers of protection systems have drawn heavily on ideas
that originated in programming languages and especially on the
concepts of abstract data types and objects. Protection systems
are now concerned not only with the identity of a resource to which
 41

access is attempted but also with the functional nature of that

access.
• In the newest protection systems, concern for the function to be
invoked extends beyond a set of system-defined functions, such as
standard file-access methods, to include functions that may be
user-defined as well.
• Policies for resource use may also vary, depending on the
application, and they may be subject to change over time. For
these reasons, protection can no longer be considered a matter of
concern only to the designer of an operating system.
• It should also be available as a tool for use by the application
designer, so that resources of an application subsystem can be
guarded against tampering or the influence of an error

4.22.1 Compiler-Based Enforcement

• 1.Protection needs are simply declared, rather than programmed as a

sequence of calls on procedures of an operating system.
• 2. Protection requirements can be stated independently of the
facilities provided by a particular operating system.
• 3. The means for enforcement need not be provided by the designer
of a subsystem.
• 4. A declarative notation is natural because access privileges are
closely related to the linguistic concept of data type.
 A variety of techniques can be provided by a programming-language
implementation to enforce protection, but any of these must depend on some
degree of support from an underlying machine and its operating system. For
example, suppose a language is used to generate code to run on the Cambridge
CAP system. On this system, every storage reference made on the underlying
hardware occurs indirectly through a capability. This restriction prevents any
process from accessing a resource outside of its protection environment at any
time. However, a program may impose arbitrary restrictions on how a resource
can be used during execution of a particular code segment.
 We can implement such restrictions most readily by using the software
capabilities provided by CAP. A language implementation might provide standard
protected procedures to interpret software capabilities that would realize the
protection policies that could be specified in the language. This scheme puts
policy specification at the disposal of the programmers, while freeing them from
implementing its enforcement.
 Security. Enforcement by a kernel provides a greater degree of security of the
protection system itself than does the generation of protectionchecking code by a
compiler. In a compiler-supported scheme, security rests on correctness of the
translator, on some underlying mechanism of storage management that protects
the segments from which compiled code is executed, and, ultimately, on the
security of files from which a program is loaded.
 Some of these considerations also apply to a softwaresupported protection
kernel, but to a lesser degree, since the kernel may reside in fixed physical
storage segments and may be loaded only from a designated file. With a tagged-
capability system, in which all address computation is performed either by
hardware or by a fixed microprogram, even greater security is possible.
 42

Hardware-supported protection is also relatively immune to protection violations

that might occur as a result of either hardware or system software malfunction.
 Flexibility. There are limits to the flexibility of a protection kernel in
implementing a user-defined policy, although it may supply adequate facilities for
the system to provide enforcement of its own policies. With a programming
language, protection policy can be declared and enforcement provided as needed
by an implementation. If a language does not provide sufficient flexibility, it can
be extended or replaced with less disturbance than would be caused by the
modification of an operating-system kernel
 Efficiency. The greatest efficiency is obtained when enforcement of protection is
supported directly by hardware (or microcode). Insofar as software support is
required, language-based enforcement has the advantage that static access
enforcement can be verified off-line at compile time. Also, since an intelligent
compiler can tailor the enforcement mechanism to meet the specified need, the
fixed overhead of kernel calls can often be avoided.

4.22.2 Protection in Java

• The Java virtual machine—or JVM—has many built-in protection mechanisms.

Java programs are composed of classes, each of which is a collection of data
fields and functions (called methods) that operate on those fields. The JVM
loads a class in response to a request to create instances (or objects) of that
class. One of the most novel and useful features of Java is its support for
dynamically loading untrusted classes over a network and for executing
mutually distrusting classes within the same JVM.
• Because of these capabilities, protection is a paramount concern. Classes
running in the same JVM may be from different sources and may not be
equally trusted.
• As a result, enforcing protection at the granularity of the JVM process is
insufficient. Intuitively, whether a request to open a file should be allowed
will generally depend on which class has requested the open. The operating
system lacks this knowledge.
 This implementation approach is called stack inspection. Every thread in
the JVM has an associated stack of its ongoing method invocations.
 When a caller may not be trusted, a method executes an access request
within a doPrivileged block to perform the access to a protected resource
directly or indirectly. doPrivileged() is a static method in the
AccessController class that is passed a class with a run() method to invoke.
 When the doPrivileged block is entered, the stack frame for this method is
annotated to indicate this fact. Then, the contents of the block are
executed. When an access to a protected resource is subsequently
requested, either by this method or a method it calls,
 a call to checkPermissions() is used to invoke stack inspection to
determine if the request should be allowed. The inspection examines stack
frames on the calling thread’s stack, starting from the most recently added
frame and working toward the oldest.
 If a stack frame is first found that has the doPrivileged() annotation, then
checkPermissions() returns immediately and silently, allowing the access. If
a stack frame is first found for which access is disallowed based on the
protection domain of the method’s class, then checkPermissions() throws
an AccessControlException.
 43

 If the stack inspection exhausts the stack without finding either type of
frame, then whether access is allowed depends on the implementation (for
example, some implementations of the JVM may allow access, while other
implementations may not).