Lecture Protection and Security

The document discusses computer system protection and security. It describes the goals of protection as preventing unauthorized access between processes and controlling access to system resources. It then explains how access control works using protection domains, access matrices, and access control lists to specify which subjects can access which objects and in what way. The document also covers discretionary access control policies, capability lists, and how access matrices are implemented and operated on to enforce security.

Uploaded by Abhinay Yadav

Chapter: Protection and Security

Objectives

- Discuss the goals and principles of protection in a modern computer system.
- Explain how protection domains combined with an access matrix are used to specify the resources a process may access.
- Examine capability and language-based protection systems.
Goals of Protection

- Processes in an OS must be protected from one another.
- Protection refers to a mechanism for controlling the access of programs, processes or users to the resources defined by the computer system.
- Protection improves reliability.
- The protection mechanism determines how something will be done.
- The policy determines what is to be done.
- This mechanism must provide a means for specifying the controls to be imposed, together with a means of enforcement.
Protection in Computer System

- System with contiguous memory allocation: protection is achieved by use of limit registers.
- Paging system: protection is achieved by use of the page table; each process has its own page table.
- System with segmentation: protection is achieved by use of the segment table; each table is protected by a base address and a limit register.
- System with files stored on secondary storage: protection is achieved by access rights.
Access Control

A method that determines:

- What types of access are permitted on different resources
- Under what circumstances
- By whom

Access Control

The access control model has 3 basic components:

- Subjects (S) or domains: a finite set of entities that have access to the current object. A subject may be a user, a process or a procedure.
- Objects (O): a finite set of resources to which access is needed. An object may be a hardware device (processor, memory) or a software resource (page table, files etc.).
- Rights (R): a finite set of operations that a subject can perform on an object.
Access Control Policies

Protection domain: a collection of objects and access rights (permissions -rwx-).

1. Discretionary Access Control
   - Each object is owned by some subject/domain, and the owner of the object decides what kind of access rights exist on it.
2. Mandatory Access Control
   - The system administrator enforces a policy for all users.
3. Role-Based Access Control
   - Access control is based on the roles that users have within the system.
Discretionary Access Control / Access Matrix

- The discretionary access control model is represented by an access matrix.
- It is used to describe which users have access to what objects or resources.
- The access matrix consists of rows and columns:
  - Rows represent the current subject / domain.
  - Columns represent the current object.

Discretionary Access Control / Access Matrix

- View protection as a matrix (access matrix).
- Rows represent domains.
- Columns represent objects.
- Access(i, j) is the set of operations that a process executing in Domain i can invoke on Object j.
Access Matrix

Use of Access Matrix

- If a process in domain Di tries to do "op" on object Oj, then "op" must be written in the access matrix.
- Can be expanded to dynamic protection:
  - Operations to add and delete access rights.
  - Special access rights:
    - owner of Oi
    - copy op from Oi to Oj
    - control: Di can modify Dj access rights
    - transfer: switch from domain Di to Dj
Use of Access Matrix (Cont.)

- The access matrix design separates mechanism from policy.
  - Mechanism (method): the operating system provides the access matrix plus rules. It ensures that the matrix is only manipulated by authorized agents and that the rules are strictly enforced.
  - Policy (rules): the user dictates policy, i.e. who can access what object and in what mode.
Implementation of Access Matrix

There are 2 methods:

1. Access Control Lists
   - An ACL can be created by dividing the access matrix column-wise.
   - A separate list is maintained for each domain and each object.
   - It skips blank row entries in each domain.
2. Capability List
   - Can be created by dividing the access matrix row-wise.
   - It is the list of access rights that a user, domain or process has for an object.
   - Each entry is divided into 2 fields:
     - Object descriptor
     - Access rights

Implementation of Access Matrix

- Each column = access-control list for one object. It defines who can perform what operation, e.g.:
  - Domain 1 = Read, Write
  - Domain 2 = Read
  - Domain 3 = Read
- Each row = capability list (like a key). For each domain, it lists what operations are allowed on what objects, e.g.:
  - Object 1 - Read
  - Object 4 - Read, Write, Execute
  - Object 5 - Read, Write, Delete, Copy
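The following is an added example, not code from the lecture: one access matrix held as a dict of dicts of right sets, with the check the operating system performs before an operation, and the three representations this lecture names derived from the same matrix: the global table of <domain, object, right set> triples, the access-control list of one object (a column with blank rows skipped) and the capability list of one domain (a row with blank columns skipped). The domains D1..D4, the objects and the rights are constructed.

```python
# Added example (not code from the lecture): an access matrix stored as a
# dict of dicts of right sets, plus the views the lecture derives from it.
# Domains D1..D4, objects F1..F3/printer and the rights are constructed.
from typing import Dict, FrozenSet, List, Set, Tuple

AccessMatrix = Dict[str, Dict[str, Set[str]]]   # matrix[domain][object] = rights

# Constructed matrix. Empty entries are simply absent, which is exactly what
# the ACL and capability-list views rely on: blank entries are never stored.
MATRIX: AccessMatrix = {
    "D1": {"F1": {"read"}, "F3": {"read"}},
    "D2": {"printer": {"print"}},
    "D3": {"F2": {"read"}, "F3": {"execute"}},
    "D4": {"F1": {"read", "write"}, "F3": {"read", "write"}},
}


def access(matrix: AccessMatrix, domain: str, obj: str) -> Set[str]:
    """Access(i, j): the operations a process in `domain` may invoke on `obj`."""
    return set(matrix.get(domain, {}).get(obj, set()))


def check(matrix: AccessMatrix, domain: str, obj: str, op: str) -> bool:
    """The enforcement rule: `op` is allowed only if it is written in the
    matrix entry for (domain, obj)."""
    return op in access(matrix, domain, obj)


def request(matrix: AccessMatrix, domain: str, obj: str, op: str) -> str:
    """What the operating system does around every operation: look the entry
    up and raise if the right is missing, otherwise let the operation run."""
    if not check(matrix, domain, obj, op):
        raise PermissionError(f"{domain} may not {op} {obj}")
    return f"{domain} performed {op} on {obj}"


def global_table(matrix: AccessMatrix) -> List[Tuple[str, str, FrozenSet[str]]]:
    """Global-table representation: one <domain, object, right set> triple
    per non-empty entry, kept in sorted order for searching."""
    return sorted(
        (domain, obj, frozenset(rights))
        for domain, objs in matrix.items()
        for obj, rights in objs.items()
        if rights
    )


def acl(matrix: AccessMatrix, obj: str) -> Dict[str, Set[str]]:
    """Access-control list of one object: the matrix column, blank rows
    skipped. Stored with the object, it answers 'who may do what to me'."""
    return {domain: set(objs[obj]) for domain, objs in matrix.items() if objs.get(obj)}


def capability_list(matrix: AccessMatrix, domain: str) -> Dict[str, Set[str]]:
    """Capability list of one domain: the matrix row, blank columns skipped.
    Each entry pairs an object descriptor with the rights held on it; the
    domain presents it like a key."""
    return {obj: set(rights) for obj, rights in matrix.get(domain, {}).items() if rights}


if __name__ == "__main__":
    print(request(MATRIX, "D4", "F1", "write"))
    print("ACL of F1:", acl(MATRIX, "F1"))
    print("Capabilities of D3:", capability_list(MATRIX, "D3"))
    print("Global table:", global_table(MATRIX))
    try:
        request(MATRIX, "D1", "F1", "write")
    except PermissionError as err:
        print("refused:", err)
```

The point to notice is that all three representations answer the same question from the same data; they differ only in which lookup is cheap. An ACL answers "who may touch this object" in one step, a capability list answers "what may this domain touch" in one step, and the global table answers neither without a search, which is the drawback the lecture raises for it.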
Access Matrix With Domains as Objects

(Figure B: access matrix with domains as objects)
Operation on Access Matrix Entries

1. Copy
   - It allows the access right to be copied only within the column (for an object).
   - The ability to copy an access right from one domain (row) to another is denoted by an asterisk (*).
   - A process executing in domain D2 can copy the read operation into any entry associated with file F2.
   - The asterisk indicates that processes in that domain have the right to copy that access within the same column.

Access Matrix with Copy Rights

For example, in Figure (a), a process executing in domain D2 can copy the read operation into any entry associated with file F2. Hence, the access matrix of Figure (a) can be modified to the access matrix shown in Figure (b).
Operation on Access Matrix Entries

2. Owner
   - It allows addition or removal of access rights.
   - If access(i, j) includes the owner right, then a process executing in domain Di can add or remove any access right in any entry of column j.
   - Copy and owner allow a process to change the entries in a column.

Access Matrix With Owner Rights

For example, in Figure (a), domain D1 is the owner of F1 and thus can add and delete any valid right in column F1. Similarly, domain D2 owns F2 and F3 and thus can add and remove any valid right within these two columns. Thus, the access matrix of Figure (a) can be modified to the access matrix shown in
Operation on Access Matrix Entries

3. Control Right
   - The control right mechanism is used to change entries in a row.
   - The control right is applicable only to domain objects.
   - If access(i, j) includes the control right, then a process executing in domain Di can remove any access right from row j.
   - The switch operation works for columns only.
   - For example, suppose that we include the control right in access(D2, D4). Then a process executing in domain D2 could modify domain D4, as shown.
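The following is an added example, not code from the lecture, covering the three operations just described (copy, owner and control) on a small constructed matrix modelled on the lecture's Figure (a): D2 holds read with the copy flag on F2, D1 owns F1, D2 owns F2 and F3, and D2 holds control over domain D4. Each operation first checks that the requesting domain holds the special right and refuses otherwise; a right spelled "read*" carries the asterisk. The domain and file names are constructed, not taken from the lecture's figure.

```python
# Added example (not code from the lecture): the copy, owner and control
# rights applied to a small constructed matrix modelled on the lecture's
# Figure (a). A right spelled "read*" carries the copy flag (the asterisk);
# domains appear as objects too, so a control right sits in a domain column.
from copy import deepcopy
from typing import Callable, Dict, Set

Matrix = Dict[str, Dict[str, Set[str]]]

FIGURE_A: Matrix = {
    "D1": {"F1": {"owner", "execute"}, "F2": {"write*"}},
    "D2": {"F1": {"execute"}, "F2": {"owner", "read*"}, "F3": {"owner", "execute"},
           "D4": {"control"}},
    "D3": {"F1": {"execute"}, "F3": {"read"}},
    "D4": {"F1": {"read"}, "F3": {"write"}},
}


def entry(matrix: Matrix, domain: str, obj: str) -> Set[str]:
    """The mutable right set at access(domain, obj), created empty if absent."""
    return matrix.setdefault(domain, {}).setdefault(obj, set())


def copy_right(matrix: Matrix, actor: str, obj: str, right: str, target: str) -> None:
    """Copy: `actor` copies `right` on `obj` into `target`'s entry of the SAME
    column. Allowed only if actor holds the right with the copy flag. The copy
    is made without the asterisk, so the target cannot propagate it further."""
    if right + "*" not in entry(matrix, actor, obj):
        raise PermissionError(f"{actor} holds no copyable {right} on {obj}")
    entry(matrix, target, obj).add(right)


def owner_change(matrix: Matrix, actor: str, obj: str, right: str, target: str,
                 add: bool = True) -> None:
    """Owner: if access(actor, obj) includes 'owner', actor may add or remove
    any right in any entry of column obj."""
    if "owner" not in entry(matrix, actor, obj):
        raise PermissionError(f"{actor} does not own {obj}")
    cell = entry(matrix, target, obj)
    if add:
        cell.add(right)
    else:
        cell.discard(right)


def control_remove(matrix: Matrix, actor: str, domain: str, obj: str, right: str) -> None:
    """Control: if access(actor, domain) includes 'control', actor may remove
    any right from the ROW of `domain` (the controlled domain)."""
    if "control" not in entry(matrix, actor, domain):
        raise PermissionError(f"{actor} has no control over {domain}")
    entry(matrix, domain, obj).discard(right)


def refused(op: Callable, *args) -> bool:
    """True if the operation is rejected by its right check."""
    try:
        op(*args)
    except PermissionError:
        return True
    return False


def figure_b() -> Matrix:
    """Apply the lecture's three kinds of edit to a copy of Figure (a)."""
    m = deepcopy(FIGURE_A)
    copy_right(m, "D2", "F2", "read", "D3")               # D2 copies read on F2 to D3
    owner_change(m, "D1", "F1", "write", "D3")            # D1 owns F1: grant write to D3
    owner_change(m, "D2", "F3", "read", "D3", add=False)  # D2 owns F3: revoke D3's read
    control_remove(m, "D2", "D4", "F3", "write")          # D2 controls D4: strip write on F3
    return m


if __name__ == "__main__":
    for domain, row in figure_b().items():
        print(domain, row)
```

The design choice worth noting is that the copied right loses its asterisk: D3 ends up with plain read on F2 and cannot copy it onward, which is the "limited copy" that keeps a copy right from propagating without bound. Owner edits stay inside one column and control edits stay inside one row, matching the two directions the lecture distinguishes.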
Implementation of Access Matrix

1. Global Table
   - A global table consisting of an ordered set of triples <domain, object, right set>.
   - Before every operation on any object in any domain, the global table is searched for the triple.
   - If the triple is found, the operation is allowed to continue; otherwise, an exception or error condition is raised.
   - Drawbacks: the table is large and cannot be kept in main memory, so additional I/O is needed.
2. Access Lists for Objects
   - Each column can be implemented as an access list.
   - The resultant list consists of: <domain, right sets> an
Security

- Method of protecting information stored in the system from unauthorized access.
- Security must consider the external environment of the system, and protect it from:
  - unauthorized access
  - malicious modification or destruction
  - accidental introduction of inconsistency
- Security violations can be categorized as intentional or accidental.
- Security is a measure of confidence that the integrity of a system and its data will be preserved.
Some Security Violations

- Breach of confidentiality: unauthorized reading of data; theft of information.
- Breach of integrity: unauthorized modification of data.
- Breach of availability: unauthorized destruction of data / website defacement. A website defacement is an attack on a website that changes the visual appearance of the site or a webpage.
- Theft of service: unauthorized use of resources.
- Denial of service: sending invalid data to applications or network services, which causes abnormal termination; or flooding a computer or the entire network with traffic until a shutdown occurs because of the overload.
Security Measure Levels

To protect our system, we must take security measures at 4 levels:

- Physical: secure hardware components.
- Human: use passwords for protection.
- Operating system: use a valid login and password.
- Network: use authentication and anti-virus to protect data/resources over the network.
Program Threats

- Writing a program that creates a breach of security, or causing a normal process to change its behavior and create a breach, is the common goal of crackers.
- Malware: a destructive program that pretends to be a harmless application.
- A back door is a means of access to a computer program that bypasses security mechanisms.
Program Threats

1. Trojan horse

- A Trojan horse, or Trojan, is software that appears to perform a desirable function for the user, but steals information or harms the system.
- A Trojan horse is a program in which harmful code is contained in such a way that it can get control and do its chosen form of damage.
- Many systems have mechanisms for allowing programs written by some users to be executed by other users. If these programs are executed in a domain that provides the access rights of the executing user, the other users may misuse these rights.
- For example: a text-editor program may include code to search the file to be edited for certain keywords. If any are found, the entire file may be copied to a special area accessible to the creator of the text editor.
- A code segment that misuses its environment is called a Trojan horse.
- A variation of the Trojan horse is a program that emulates (copies) a login program. An unsuspecting user starts to log in at a terminal and notices that he has apparently mistyped his password. He tries again and is successful. What has happened is that his authentication key and password have been stolen by the login emulator, which was left running on the terminal by the thief. The emulator stored away the password, printed out a login error message, and exited; the user was then provided with a genuine login prompt.
2. Spyware

- Software that secretly monitors the user's computing.
- Spyware is a type of malware that can be installed on computers, and which collects small pieces of information about users without their knowledge.
- The presence of spyware is typically hidden from the user, and can be difficult to detect.
- Sometimes spyware is installed by the owner of a shared, corporate, or public computer in order to secretly monitor other users.
- Spyware sometimes accompanies a program that the user has chosen to install.
- The goal of spyware is to download ads to display on the user's system, create pop-up browser windows when certain sites are visited, or capture information from the user's system and return it to a central site.
3. Trap Door

- The designer of a program or system might leave a hole in the software that only the designer is capable of using. This type of security breach is called a trap door.
- For instance, the code might check for a specific user ID or password, and it might circumvent normal security procedures.
- A clever trap door could be included in a compiler. The compiler could generate standard object code as well as a trap door, regardless of the source code being compiled.
- Trap doors pose a difficult problem because, to detect them, we have to analyze all the source code for all components of a system.
4. Logic Bomb

- Consider a program that initiates a security incident only under certain circumstances. Under normal operation there would be no security hole; however, when a predefined set of parameters was met, the security hole would be created. This scenario is known as a logic bomb.
- For example, a programmer might write code to detect whether he is still logged in; if that check failed, a daemon could be generated to allow remote access, or code could be launched to cause damage to the site.
5. Stack and Buffer Overflow

- The stack- or buffer-overflow attack is the most common way for an attacker outside the system, on a network or dial-up connection, to gain unauthorized access to the target system.
- The attacker exploits a bug in a program. The bug can be a simple case of poor programming, in which the programmer neglected to code bounds checking on an input field. In this case, the attacker sends more data than the program was expecting.
6. Virus

- VIRUS: Vital Information Resource Under Seize, or Very Important Resource Under Seize.
- A fragment of malicious code embedded in a genuine program.
- Designed to "infect" other programs.
- Specific to architecture, operating systems and applications.
- Needs human intervention to move from host to host: someone has to actually take that program from one device and run it on another device.
- Does not self-replicate.

Main categories of virus:

- File: infects the system by appending itself to a file. It changes the start of the file so that execution jumps to its code, which then returns control, executing unnoticed.
- Boot: infects the boot sector, executing every time the system is booted. It infects other bootable media (floppy disks).
- Macro: these viruses are triggered when a program capable of executing the macro is run.
- Source code: looks for source code and modifies it to include the virus and to help spread the virus.
- Polymorphic: this virus changes every time it is installed to avoid detection by antivirus software. The changes do not alter its functionality but change the virus itself.
- Encrypted: an encrypted virus includes decryption code along with the encrypted virus, again to avoid detection. The virus first decrypts and then executes.
- Stealth: this tricky virus attempts to avoid detection by modifying parts of the system that could be used to detect it. For example, it could modify the read system call so that if the file it has modified is read, the original form of the code is returned rather than the infected code.
- Tunneling: this virus attempts to bypass detection by an antivirus scanner by installing itself in the interrupt-handler chain. Similar viruses install themselves in device drivers.
- Multipartite: a virus of this type is able to infect multiple parts of a system, including boot sectors, memory, and files. This makes it difficult to detect and contain.
- Armored: an armored virus is coded to make it hard for antivirus researchers to unravel and understand. It can also be compressed to avoid detection and disinfection. In addition, virus droppers and other full files that are part of a virus infestation are frequently hidden via file attributes or unviewable file names.
System and Network Threats

- Program threats typically use a breakdown in the protection mechanisms of a system to attack programs.
- System and network threats involve the abuse of services and network connections.
- System and network threats create a situation in which operating-system resources and user files are misused.

1. Worms

- Self-propagating.
- A worm is a process that uses the spawn mechanism to duplicate itself. The worm spawns copies of itself, using up system resources and perhaps locking out all other processes.
- If a device gets infected, it sends copies of itself onto the network to other devices.
- Sometimes, more disturbingly, it might go into your email, find your contacts, and send copies of itself to all the contacts.
2. Port Scanning

- Port scanning is not an attack but rather a means for a cracker to detect a system's vulnerabilities (bugs) to attack.

3. Denial of Service

- Denial-of-service attacks are aimed not at gaining information or stealing resources but rather at disrupting genuine use of a system or facility.
- Denial-of-service attacks are generally network based.
- They fall into two categories:
  1. Attacks in the first category use so many facility resources that, in essence, no useful work can be done.
  2. The second category involves disrupting the network of the facility.
Authentication

- Process of verifying the identity of a user or of information.

1. User Authentication

- Process of verifying the identity of a user when the user logs into a computer system.
- Main objective: allow authorized users to access the computer.
- The authentication process consists of 2 steps:
  1. Identification step
  2. Verification step
Measures of Authentication

- False acceptance ratio: % of unauthorized users who incorrectly entered the system.
- False rejection ratio: % of authorized users who fail to access the system due to failure of authentication.

General Methods of Authentication

- Include a password.
- Include an electronic key or smart card.
- Static biometric: recognition by fingerprint, retina or face.
- Dynamic biometric: recognition by voice, handwriting or typing pattern.
Password Verification

- Password verification: an authentication mechanism.
- Password: a secret text that is supposed to be known only to the user.
- The system allows authorized users who have a valid user name and password to access the system.
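The following is an added example, not code from the lecture, showing how the system side of password verification is done so that the secret text stays known only to the user: the system stores a random per-user salt and a slow PBKDF2 hash rather than the password, looks the user name up (the identification step), recomputes the hash with the stored salt and compares in constant time (the verification step). The user names, passwords and iteration count are constructed assumptions.

```python
# Added example (not code from the lecture): how a login program should check
# a password. The system never stores the secret text; it keeps a random
# per-user salt and a slow PBKDF2 hash, and compares in constant time. The
# identification step is the user-name lookup, the verification step is the
# hash comparison. User names and passwords below are constructed.
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000          # assumption: a cost chosen so guessing is slow
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given,
    so two users with the same password still get different digests."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class PasswordStore:
    """The system's side: user name -> (salt, digest); the password itself is
    never kept."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> None:
        self._records[user] = hash_password(password)

    def verify(self, user: str, password: str) -> bool:
        # Identification step: find the claimed identity.
        record = self._records.get(user)
        if record is None:
            # Do the same amount of work for an unknown name so timing does
            # not reveal which user names exist.
            hash_password(password, b"\x00" * SALT_BYTES)
            return False
        # Verification step: recompute with the stored salt and compare in
        # constant time so the position of a mismatch does not leak.
        salt, stored = record
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, stored)


def demo() -> Dict[str, bool]:
    """Constructed users and login attempts; returns attempt -> accepted."""
    store = PasswordStore()
    store.register("alice", "correct horse battery staple")
    store.register("bob", "correct horse battery staple")   # same password, different digest
    return {
        "alice/right": store.verify("alice", "correct horse battery staple"),
        "alice/wrong": store.verify("alice", "Correct horse battery staple"),
        "unknown/right": store.verify("carol", "correct horse battery staple"),
        "bob/right": store.verify("bob", "correct horse battery staple"),
    }


if __name__ == "__main__":
    for attempt, accepted in demo().items():
        print(f"{attempt}: {'accepted' if accepted else 'rejected'}")
```

The salt is what makes the stored records safe to compare across users: alice and bob share a password above, yet their digests differ, so a copy of the store does not reveal that fact, and a precomputed table of hashes does not help a thief who obtains it.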
Threat Monitoring

- Check for suspicious patterns of activity: several incorrect password attempts may signal password guessing.
- Audit log: check audit logs to see the time at which a user is trying to access an object. Useful for recovery from a violation and for developing better security measures.
- Scan the system periodically for security holes; done when the computer is relatively unused.

Threat Monitoring (Cont.)

- Check for:
  - Short or easy-to-guess passwords
  - Unauthorized set-uid programs
  - Unauthorized programs in system directories
  - Unexpected long-running processes
  - Improper directory protections
  - Improper protections on system data files
  - Changes to system programs
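The following is an added example, not code from the lecture, of the first threat-monitoring check above run over an audit log: it reads login records with their timestamps, flags a user who accumulates several failed attempts inside a time window (the password-guessing pattern), and also flags a success that arrives while such a burst is still in the window, since the guessing may have worked. The log format, the sample lines, the threshold of four failures and the five-minute window are constructed assumptions.

```python
# Added example (not code from the lecture): a threat-monitoring check run
# over constructed audit-log lines. It flags a burst of failed logins for one
# user inside a time window (password guessing) and a success that follows
# such a burst. The log format, the threshold and the window are assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed audit log; the cron line shows that unrelated records are skipped.
AUDIT_LOG = """
2024-03-01T09:00:01 login user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:05 login user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:09 login user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:12 login user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:20 login user=alice src=10.0.0.5 result=OK
2024-03-01T09:01:00 login user=bob src=10.0.0.7 result=FAIL
2024-03-01T09:02:00 cron job=backup result=OK
2024-03-01T09:10:00 login user=bob src=10.0.0.7 result=FAIL
2024-03-01T09:10:30 login user=bob src=10.0.0.7 result=OK
""".strip().splitlines()

Event = Tuple[datetime, str, str, str]   # (time, user, source, result)


def parse(line: str) -> Optional[Event]:
    """Parse one audit line; None for records that are not login attempts."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"]


def detect_guessing(lines: List[str], threshold: int = 4,
                    window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, str]]:
    """Return (time, user, reason) alerts. A user who fails `threshold` times
    within `window` is reported once; a success while that burst is still in
    the window is reported as well, since the guess may have worked."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, str, str]] = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, user, _src, result = event
        fails = recent[user]
        while fails and ts - fails[0] > window:      # drop failures outside the window
            fails.popleft()
        if result == "FAIL":
            fails.append(ts)
            if len(fails) == threshold:
                alerts.append((ts.isoformat(), user, f"{threshold} failed logins within {window}"))
        else:
            if len(fails) >= threshold:
                alerts.append((ts.isoformat(), user, "successful login after a burst of failures"))
            fails.clear()
    return alerts


if __name__ == "__main__":
    for when, who, why in detect_guessing(AUDIT_LOG):
        print(f"{when} {who}: {why}")
```

On the sample log, alice trips the threshold at 09:00:12 and her success at 09:00:20 is reported as a second alert, while bob's two failures nine minutes apart fall outside the window and are ignored. The window is what keeps an ordinary user who mistypes a password now and then from being reported.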
Firewall

- A firewall is a device or set of devices designed to allow or deny network transmissions based upon a set of rules.
- A firewall is frequently used to protect networks from unauthorized access.
- A firewall is placed between trusted and untrusted hosts.
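The following is an added example, not code from the lecture, of the "allow or deny based upon a set of rules" decision a packet filter makes: rules are evaluated in order, the first match decides, and anything no rule matches falls to a default of deny. The trusted network 10.0.0.0/8, the two hosts and the three rules are constructed.

```python
# Added example (not code from the lecture): a packet filter that evaluates
# a rule list in order and applies the first match, with default deny. The
# trusted network 10.0.0.0/8, the hosts and the rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # any source unless narrowed
    dst: str = "0.0.0.0/0"        # any destination unless narrowed
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# Constructed rule set for a firewall between the untrusted Internet and the
# trusted 10.0.0.0/8 network: the web server is public, ssh is internal only.
RULES: List[Rule] = [
    Rule("allow", dst="10.0.0.10/32", proto="tcp", dport=443),
    Rule("allow", src="10.0.0.0/8", dst="10.0.0.20/32", proto="tcp", dport=22),
    Rule("deny", dst="10.0.0.0/8", proto="tcp", dport=22),
]


def evaluate(rules: List[Rule], packet: Packet, default: str = "deny") -> Tuple[str, Optional[int]]:
    """First-match evaluation: returns (action, index of the matching rule),
    or (default, None) when no rule matches. Default deny means anything the
    rule set does not explicitly allow is dropped."""
    for index, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.action, index
    return default, None


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.7", "10.0.0.10", "tcp", 443),   # Internet -> web server
        Packet("203.0.113.7", "10.0.0.20", "tcp", 22),    # Internet -> ssh: denied by rule 2
        Packet("10.1.2.3", "10.0.0.20", "tcp", 22),       # inside -> ssh: allowed
        Packet("203.0.113.7", "10.0.0.10", "udp", 53),    # nothing matches: default deny
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(RULES, pkt))
```

Rule order matters: the internal ssh allow sits before the general ssh deny, so swapping the two would lock out the trusted network as well. The explicit deny is redundant with the default but is what a practitioner keeps so the intent is visible in the rule set rather than implied by its end.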
Encryption

Encryption is the process of encoding messages or information in such a way that only authorized parties can read it.

- Plaintext: the original intelligible message.
- Cipher text: the transformed message.
- Key: information used by the cipher, known only to the sender and receiver.
- Encipher (encode): the process of converting plaintext to cipher text using a cipher and a key.
- Decipher (decode): the process of converting cipher text back into plaintext using a cipher and a key.

Encryption/Decryption Methods

Encryption/decryption methods fall into two categories:

- Symmetric key
- Public key

1. Symmetric key algorithms: the encryption and decryption keys are known to both sender and receiver.
2. Public key algorithms: the encryption key is made public.
Encryption

- Properties of a good encryption technique:
  - Should be simple for authorized users to encrypt and decrypt data.
  - The encryption technique should be able to encrypt the data by generating the encryption key.
  - Should be extremely difficult for an intruder to determine the encryption key.
- Data encryption: convert the data into a secret message on the basis of an encryption key provided to authorized users.
Public-key Technique

- Invented in 1976 by Whitfield Diffie and Martin Hellman, so also called Diffie-Hellman encryption.
- Also called asymmetric encryption because it uses two keys instead of one key.
- Requires two separate keys:
  - One to encrypt the plaintext.
  - The other to decrypt the cipher text.
  - Neither key will do both functions.
  - One of these keys is published (public) and the other is kept private.

Private key encryption

- Symmetric encryption (also called private-key encryption or secret-key encryption) involves using the same key for encryption and decryption.
- Encryption involves applying an operation (an algorithm) to the data to be encrypted using the private key to make them unintelligible.
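The following is an added example, not code from the lecture, putting the two categories side by side. The symmetric half is a stream cipher whose keystream is derived with HMAC-SHA256 from the shared key, a per-message nonce and a counter: the same key enciphers and deciphers, and a different key yields garbage. The public-key half is textbook RSA with the small constructed primes 61 and 53 so the numbers can be followed by hand: the published key encrypts, only the private key decrypts, and applying the public key again does not recover the message. Both constructions are teaching aids; the toy modulus and the absence of padding and of an integrity check are deliberate simplifications.

```python
# Added example (not code from the lecture): the two categories side by side.
# Symmetric: one shared key both enciphers and deciphers (a stream cipher
# whose keystream is derived with HMAC-SHA256 from key, nonce and counter).
# Public key: textbook RSA with the small constructed primes 61 and 53, so the
# numbers can be followed by hand; real keys are thousands of bits long and
# real RSA adds padding. Neither construction is meant for production use.
import hashlib
import hmac
import os
from typing import Tuple

NONCE_BYTES = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudorandom bytes that depend on key, nonce and a block counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Cipher text = nonce || plaintext XOR keystream. A fresh nonce per
    message keeps the keystream from repeating under the same key."""
    nonce = os.urandom(NONCE_BYTES)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def symmetric_decrypt(key: bytes, blob: bytes) -> bytes:
    """Same key, same keystream, XOR again. (No integrity check here: a real
    design would also add a MAC so that tampering is detected.)"""
    nonce, ciphertext = blob[:NONCE_BYTES], blob[NONCE_BYTES:]
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def symmetric_demo(message: bytes) -> Tuple[bool, bool]:
    """(recovered with the right key?, recovered with a different key?)"""
    key, other = os.urandom(32), os.urandom(32)
    blob = symmetric_encrypt(key, message)
    return symmetric_decrypt(key, blob) == message, symmetric_decrypt(other, blob) == message


Key = Tuple[int, int]   # (exponent, modulus)


def rsa_keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Textbook RSA: n = p*q, d = e^-1 mod (p-1)(q-1). Returns (public, private).
    The public key is published; only the private key is kept secret."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(key: Key, x: int) -> int:
    """Modular exponentiation with whichever key is supplied; x must be < n."""
    exponent, modulus = key
    return pow(x, exponent, modulus)


PUBLIC, PRIVATE = rsa_keypair(61, 53)   # constructed toy primes -> n = 3233


if __name__ == "__main__":
    print("symmetric (right key, wrong key):", symmetric_demo(b"attack at dawn"))
    c = rsa_apply(PUBLIC, 65)
    print("public key:", PUBLIC, "private key:", PRIVATE)
    print("65 enciphered with the public key:", c)
    print("deciphered with the private key:", rsa_apply(PRIVATE, c))
    print("applying the public key again:", rsa_apply(PUBLIC, c))
```

The symmetric half needs the key delivered to the receiver over some channel the intruder cannot read, which is the key-distribution problem the public-key technique was invented to remove: the encrypting exponent can be handed to anyone, and knowing it does not undo the encryption.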
Communication

Encryption and Decryption using Keys
