Os Unit - 5


UNIT -V

System Protection: Goals of protection, Principles and domain of
protection, Access matrix, Access control, Revocation of access rights.
System Security: Introduction, Program threats, System and network
threats, Cryptography for security, User authentication, Implementing
security defenses, Firewalling to protect systems and networks,
Computer security classification.
Case Studies: Linux, Microsoft Windows.
System Protection
Protection refers to a mechanism which controls the access of
programs, processes, or users to the resources defined by a
computer system.
Need of Protection:
⚫ To prevent the access of unauthorized users
⚫ To ensure that each active programs or processes in the system.
⚫ To improve reliability by detecting errors.
Goals of Protection
⚫ To prevent malicious misuse of the system by users or programs.
⚫ To ensure that each shared resource is used only in accordance
with system policies.
⚫ To ensure that errant programs cause the minimal amount
of damage possible.
⚫ Protection systems only provide the mechanisms for enforcing
policies and ensuring reliable systems.
Principles of Protection
⚫ The principle of least privilege dictates that programs, users,
and systems be given just enough privileges to perform their
tasks.
⚫ This ensures that failures do the least amount of harm and
allow the least amount of harm to be done.
⚫ For example, if a program needs special privileges to
perform a task, it is better to make it an SGID program
with group ownership of "network" or "backup".
⚫ Typically each user is given their own account, and has only
enough privilege to modify their own files.
⚫ The root account should not be used for normal day-to-day
activities.
Domain of Protection
⚫ A computer can be viewed as a collection of processes and objects
(both hardware and software).
Domain Structure
A domain is defined as a set of < object, { access right set } > pairs,
as shown below. Note that some domains may be disjoint while
others overlap.
Access Matrix
⚫ The model of protection can be viewed as an access
matrix, in which columns represent different system resources
and rows represent different protection domains.
⚫ Entries within the matrix indicate what access that domain
has to that resource.
⚫ Domain switching can be easily supported under this
model, simply by providing "switch" access to other
domains.
Implementation of Access Matrix
⚫ Global Table
⚫ Access Lists for Objects
⚫ Capability Lists for Domains
⚫ A Lock-Key Mechanism
⚫ Comparison
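A small worked model of the access matrix described above, added here as an illustration and not taken from the original notes. It stores the matrix as a global table and derives the access list (column) and capability list (row) views from it; the domain names, object names and rights are constructed for the example.

```python
# Added illustration: an access matrix stored as a global table of
# (domain, object) -> rights. All domain and object names are constructed.
from collections import defaultdict

class AccessMatrix:
    def __init__(self):
        self.table = defaultdict(set)   # global table: sparse matrix entries

    def grant(self, domain, obj, *rights):
        self.table[(domain, obj)].update(rights)

    def allowed(self, domain, obj, right):
        # Default deny: a missing entry means an empty access-right set.
        return right in self.table.get((domain, obj), set())

    def switch(self, current, target):
        # Domains also appear as columns; entering one needs the "switch" right.
        if not self.allowed(current, target, "switch"):
            raise PermissionError(f"{current} may not switch to {target}")
        return target

    def access_list(self, obj):
        # Column view: per-object list of <domain, rights> pairs.
        return {d: set(r) for (d, o), r in self.table.items() if o == obj and r}

    def capability_list(self, domain):
        # Row view: per-domain list of <object, rights> pairs.
        return {o: set(r) for (d, o), r in self.table.items() if d == domain and r}

def build_example():
    m = AccessMatrix()
    m.grant("D1", "F1", "read")
    m.grant("D1", "D2", "switch")
    m.grant("D2", "F1", "read", "write")
    m.grant("D2", "printer", "print")
    return m

if __name__ == "__main__":
    m = build_example()
    print(m.allowed("D1", "F1", "write"))   # D1 holds only "read" on F1
    domain = m.switch("D1", "D2")           # permitted by the switch right
    print(m.allowed(domain, "F1", "write"))
    print(m.access_list("F1"))
    print(m.capability_list("D2"))
```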
Access Control
⚫ Role-Based Access Control (RBAC) assigns privileges to users and
programs, where "privileges" refer to the right to call certain
system calls, or to use certain parameters with those calls.
Role-based access control in Solaris 10
Revocation of Access Rights
The need to revoke access rights dynamically raises several
questions:
⚫ Immediate versus delayed
⚫ Selective versus general
⚫ Partial versus total
⚫ Temporary versus permanent
System Security
Security refers to providing a protection system to computer system
resources such as CPU, memory, disk, software programs and, most
importantly, data/information stored in the computer system.
⚫ Authentication
⚫ One Time passwords
Program Threats
If a user program makes these processes perform malicious tasks, it
is known as a program threat.
An example of a program threat is a program installed on a computer
which can store and send user credentials via the network to some
hacker.
⚫ Trojan Horse: a program that traps user login credentials and
stores them to send to a malicious user.
⚫ Trap Door: performs illegal actions without the knowledge of the user.
⚫ Logic Bomb: a program that misbehaves only when certain
conditions are met; otherwise it works as a genuine program.
⚫ Virus: replicates itself on a computer system. Viruses are highly
dangerous and can modify or delete user files and crash systems.
System and Network Threats
System and network threats refer to the misuse of system services
and network connections to put the user in trouble.
System threats can be used to launch program threats on a
complete network, which is called a program attack.
⚫ Worm − A worm is a process that generates multiple copies of itself, where each
copy uses system resources and prevents all other processes from getting
the resources they require. Worm processes can even shut down an entire
network.
⚫ Port Scanning − Port scanning is a mechanism or means by which a
hacker can detect system vulnerabilities in order to attack the system.
⚫ Denial of Service − Denial of service attacks normally prevent the user
from making legitimate use of the system. For example, a user may not be able
to use the internet if a denial of service attacks the browser's content settings.
Computer Security Classifications
⚫ As per the U.S. Department of Defense Trusted Computer
System Evaluation Criteria, there are four security
classifications in computer systems: A, B, C, and D.
Cryptography for security
Cryptography is the technique of securing information and
communications through the use of codes, so that only the persons
for whom the information is intended can understand and
process it, thus preventing unauthorized access to information.
Features Of Cryptography are as follows:
⚫ Confidentiality:
Information can only be accessed by the person for whom it is
intended, and no other person can access it.
⚫ Integrity:
Information cannot be modified in storage or in transit between
the sender and the intended receiver.
⚫ Non-repudiation:
The sender of information cannot, at a later stage, deny his intention
to send the information.
⚫ Authentication:
The identities of the sender and receiver are confirmed, as well as
the destination/origin of the information.
Types of Cryptography:
In general there are three types of cryptography:
1. Symmetric Key Cryptography
2. Hash Functions
3. Asymmetric Key Cryptography
⚫ Symmetric Key Cryptography:
It is an encryption system where the sender and receiver of a message use
a single common key to encrypt and decrypt messages.
Symmetric key systems are faster and simpler.
⚫ Hash Functions:
No key is used in this algorithm.
A fixed-length hash value is calculated from the plain text, which
makes it impossible for the contents of the plain text to be recovered.
Many operating systems use hash functions to protect stored passwords.
⚫ Asymmetric Key Cryptography:
Under this system a pair of keys is used to encrypt and decrypt
information.
A public key is used for encryption and a private key is used for
decryption.
The public key and the private key are different.
User authentication
⚫ The user authentication process is used to identify who the
owner is or who the identified person is.
⚫ On a personal computer, user authentication is generally
performed using a password.
A user can be authenticated in one of the
following ways:
⚫ User authentication using password
⚫ User authentication using physical object
⚫ User authentication using biometric
⚫ User authentication using countermeasures
User authentication using password
⚫ Password should be a minimum of eight characters
⚫ Password should contain both uppercase and lowercase letters
⚫ Password should contain at least one digit and one special character
⚫ Don't use dictionary words and known names such as stick, mouth, sun,
albert etc.
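The password rules above, together with the earlier point that operating systems store passwords as hash values, worked through as an added example that is not part of the original notes. The choice of salted PBKDF2-HMAC-SHA256, the iteration count and the word list are assumptions made for the illustration.

```python
# Added illustration: enforce the password rules listed above, then store
# only a salted, slow hash. Word list and iteration count are assumptions.
import hashlib
import hmac
import os
import string

COMMON_WORDS = {"stick", "mouth", "sun", "albert"}   # examples named in the notes
ITERATIONS = 600_000                                 # assumed PBKDF2 work factor

def policy_violations(password):
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs uppercase and lowercase letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a special character")
    if any(word in password.lower() for word in COMMON_WORDS):
        problems.append("contains a dictionary word or known name")
    return problems

def make_record(password, iterations=ITERATIONS):
    problems = policy_violations(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)      # per-user salt: equal passwords get different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}

def verify(password, record):
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])

if __name__ == "__main__":
    rec = make_record("Tr4ck&Field#9")   # constructed sample password
    print(verify("Tr4ck&Field#9", rec), verify("tr4ck&field#9", rec))
    print(policy_violations("sunshine"))
```

The stored record never contains the password itself, so a login is checked by recomputing the hash with the stored salt.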
User authentication using physical object
Here, the physical object may be a bank's Automated Teller Machine (ATM) card
or any other plastic card that is used to authenticate.
User authentication using biometric
⚫ This method measures physical characteristics of the user that are very
hard to forge. These are called biometrics.
⚫ For example, a fingerprint, voiceprint, or retina scan reader in the
terminal could verify the identity of the user.
User authentication using countermeasures
⚫ For example, a company could have a policy that employees
working in the Computer Science (CS) department are only allowed to
log in from 10 A.M. to 4 P.M., Monday to Saturday, and then only
from a machine in the CS department connected to the company's Local
Area Network (LAN).
⚫ Now, any attempt to log in by a CS department employee at any
wrong time or from any wrong place would be treated or handled as
an attempted break-in and a login failure.
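The CS department policy above as an added example, not part of the original notes. The LAN subnet, user name and sample dates are assumptions constructed for the illustration; only the permitted hours and days come from the text.

```python
# Added illustration of the login policy described above. The subnet and the
# sample attempts are constructed; only the hours and days come from the notes.
import ipaddress
import logging
from datetime import datetime, time

CS_LAN = ipaddress.ip_network("10.20.30.0/24")   # assumed CS department subnet
START, END = time(10, 0), time(16, 0)            # 10 A.M. to 4 P.M.
ALLOWED_DAYS = range(0, 6)                       # Monday (0) to Saturday (5)

log = logging.getLogger("login-policy")

def from_cs_lan(source_ip):
    try:
        return ipaddress.ip_address(source_ip) in CS_LAN
    except ValueError:
        return False                             # unparsable source: fail closed

def check_login(user, source_ip, when):
    """Return (allowed, reason); meant to run in addition to the password check."""
    if when.weekday() not in ALLOWED_DAYS:
        reason = "outside permitted days"
    elif not (START <= when.time() <= END):
        reason = "outside permitted hours"
    elif not from_cs_lan(source_ip):
        reason = "source is not a CS department machine"
    else:
        return True, "ok"
    # A policy violation is recorded as an attempted break-in, then refused.
    log.warning("attempted break-in: user=%s ip=%s time=%s (%s)",
                user, source_ip, when.isoformat(), reason)
    return False, reason

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(check_login("alice", "10.20.30.15", datetime(2024, 3, 4, 11, 30)))   # Monday
    print(check_login("alice", "10.20.30.15", datetime(2024, 3, 10, 11, 30)))  # Sunday
```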
User Authentication
 Crucial to identify user correctly, as protection systems depend
on user ID
 User identity most often established through passwords, can be
considered a special case of either keys or capabilities
 Also can include something user has and/or a user attribute
 Passwords must be kept secret
 Frequent change of passwords
 Use of “non-guessable” passwords
 Log all invalid access attempts
 Passwords may also either be encrypted or allowed to be used
only once

Operating System Concepts – 8th Edition Silberschatz, Galvin and Gagne ©2009

Implementing Security Defenses
 Defense in depth is most common security theory – multiple
layers of security
 Security policy describes what is being secured
 Vulnerability assessment compares real state of system
/ network to security policy
 Intrusion detection endeavors to detect attempted or successful
intrusions
 Signature-based detection spots known bad patterns
 Anomaly detection spots differences from normal behavior
 Can detect zero-day attacks
 False-positives and false-negatives a problem
 Virus protection
 Auditing, accounting, and logging of all or specific system
or network activities
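Signature-based and anomaly-based detection from the list above, run over the same log, as an added example that is not part of the original slides. The log lines, the single signature, the baseline history and the threshold factor are all constructed for the illustration.

```python
# Added illustration: signature-based and anomaly-based detection over the
# same constructed log. Signature, baseline and threshold are assumptions.
import re
from collections import Counter
from statistics import mean, pstdev

SIGNATURES = [re.compile(r"\.\./\.\./")]             # one known bad pattern

BASELINE_FAILS_PER_HOUR = [2, 3, 1, 4, 2, 3, 2, 3]   # constructed "normal" history

LOG = [  # constructed lines: "<hour> <source> <event> <detail>"
    "09 10.0.0.5 GET /index.html",
    "09 10.0.0.8 GET /download?file=../../etc/passwd",
] + ["10 10.0.0.9 LOGIN_FAIL user=admin"] * 15

def signature_alerts(lines):
    # Flags only what matches a known pattern; anything new goes unnoticed.
    return [l for l in lines if any(s.search(l) for s in SIGNATURES)]

def anomaly_alerts(lines, baseline, k=3.0):
    # Flags any hour whose failed-login count exceeds mean + k * stddev.
    limit = mean(baseline) + k * pstdev(baseline)
    fails = Counter(l.split()[0] for l in lines if " LOGIN_FAIL " in l)
    return {hour: n for hour, n in fails.items() if n > limit}

if __name__ == "__main__":
    print(signature_alerts(LOG))                          # the traversal request
    print(anomaly_alerts(LOG, BASELINE_FAILS_PER_HOUR))   # the burst of failures
    # Six honest mistyped passwords in one hour also cross the limit:
    busy = ["11 10.0.0.7 LOGIN_FAIL user=bob"] * 6
    print(anomaly_alerts(busy, BASELINE_FAILS_PER_HOUR))  # a false positive
```

The burst of failed logins matches no signature, so only the anomaly detector reports it, while the last call shows how the same detector raises a false positive on unusual but legitimate activity.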
Firewalling to Protect Systems and Networks
 A network firewall is placed between trusted and untrusted hosts
 The firewall limits network access between these two security
domains
 Can be tunneled or spoofed
 Tunneling allows disallowed protocol to travel within
allowed protocol (e.g. telnet inside of HTTP)
 Firewall rules typically based on host name or IP address
which can be spoofed
 Personal firewall is software layer on given host
 Can monitor / limit traffic to and from the host
 Application proxy firewall understands application protocol
and can control them (e.g. SMTP)
 System-call firewall monitors all important system calls and applies
rules to them (e.g. this program can execute that system call)


Network Security Through Domain Separation Via Firewall



Computer Security
Computer security refers to protecting and securing computers and their related data,
networks, software and hardware from unauthorized access, misuse, theft, information loss,
and other security issues.
Types of computer security

Computer security can be classified into four types:

1. Cyber Security: Cyber security means securing our computers, electronic devices,
networks, programs and systems from cyber attacks. Cyber attacks are those attacks that
happen when our system is connected to the Internet.

2. Information Security: Information security means protecting our system's information
from theft, illegal use, piracy and unauthorized use. Information security has mainly
three objectives: confidentiality, integrity, and availability of information.

3. Application Security: Application security means securing our applications and data
so that they don't get hacked, and so that the databases of the applications remain safe and
private to the owner, keeping the user's data confidential.

4. Network Security: Network security means securing a network and protecting the
information of the users who are connected through that network. Over the network,
hackers steal packets of data through sniffing and spoofing attacks, man-in-the-middle
attacks, war driving, etc., and misuse the data for their benefit.
Case Studies Linux and Windows
Linux: Linux is a free and open source OS based on UNIX standards.
It provides a programming interface as well as a user interface compatible with
UNIX-based systems, and provides a large selection of applications. A Linux
system also contains many separately developed components, resulting in a UNIX
system that is fully compatible and free from proprietary code.

Windows: Windows is a licensed OS in which the source code is
inaccessible. It is designed for people with no programming
knowledge and for business and other commercial users. It is very simple
and easy to use. The difference between the Linux and Windows packages is that Linux is
completely free of cost, whereas Windows is a commercial package and is expensive.
An operating system is a program meant to control the computer
hardware and behave as an intermediary between user and hardware. Linux is an open
source package in which users can access the source code and can improve the
code using the system. On the other hand, in Windows, users can't access the
source code, and it is a licensed OS. Let's see the differences between Linux and
Windows:

| S.NO | Linux | Windows |
|------|-------|---------|
| 1. | Linux is an open source operating system. | While Windows is not an open source operating system. |
| 2. | Linux is free of cost. | While it is costly. |
| 3. | Its file names are case-sensitive. | While its file names are case-insensitive. |
| 4. | In Linux, a monolithic kernel is used. | While in this, a hybrid kernel is used. |
| 5. | Linux is more efficient in comparison to Windows. | While Windows is less efficient. |
| 6. | A forward slash is used for separating the directories. | While a back slash is used for separating the directories. |
| 7. | Linux provides more security than Windows. | While it provides less security than Linux. |
| 8. | Linux is widely used in hacking purpose based systems. | While Windows does not provide much efficiency in hacking. |
| 9. | There are 3 types of user account – (1) Regular, (2) Root, (3) Service account | There are 4 types of user account – (1) Administrator, (2) Standard, (3) Child, (4) Guest |
| 10. | Root user is the super user and has all administrative privileges. | Administrator user has all administrative privileges of computers. |
| 11. | Linux file naming convention is case sensitive. Thus, sample and SAMPLE are 2 different files in Linux/Unix operating system. | In Windows, you cannot have 2 files with the same name in the sam |