
UNIT II.

Controlling Files

Introduction
Data sharing poses a problem: If people can look at some information on a computer,
how do we prevent them from seeing all the information? This is the same problem as RAM
protection. If any user can read any information inside the computer, we can’t prevent users
from reaching any of its contents.

For most people, their most important assets reside in their files. Modern file systems
keep the hard drive organized and give us a way to reliably locate and save our data. All
modern systems use a hierarchical directory to organize files into groups. The directory forms
an inverted tree growing from the topmost directory, called a root directory. Many users think of
files as living in file folders instead of directories. In this chapter, we look at access control
mechanisms used to protect larger-scale resources like files and folders.

Learning Outcomes
At the end of this chapter, you should be able to:
1. Describe the file system and apply file access rights.
2. Examine the structure of executable files and viruses.
3. Identify the goals and basic policies for file protection and sharing.
4. Comprehend the file security control based on “permission flags”.

The File System


• Modern computers keep files in a hierarchy of names – a hierarchy of “folders” or “directories”
• Each file has a path name
– Identifies the directory entries to follow to find the file
– The file name selects the right file in the final directory in the path
• Files are owned by a user, usually the creator
– Access rights are tied to user identities
– Example: Bob can read the file, but Alice can’t.
Figure 3.1 Process Ownership and Access

File and Directory Access Rights


• “CRUD” – Create, Read, Update, Delete
– Many systems let us control those rights
– Different effects on files and directories
• “Update” to directory = “delete” to its files
• Protecting a newly-created file: two strategies
– Use “Defaults” – apply the same access rights to all new files
– Use “Inheritance” – apply the access rights based on the enclosing directories.

Figure 3.2 File and Directory Ownership


Executable Files
• Files that contain applications or other executable programs
– “Binary executables” are stored in a control section and executed by the CPU
– “Scripts” contain text interpreted by a programming language interpreter
• Execute Access Right
– Helps distinguish data files from programs
– Must have the “Execute” right to execute a file containing a program

Figure 3.3 Format of a Binary Executable File

Figure 3.4 Execute Access Rights


Computer Viruses
• A type of malware that enters computer systems.
– Malware = malicious software
• Viruses are carried by programs
– When the program executes, the virus spreads to other programs on the
computer
• Types of virus infection
– Application program infects when it is run
– Boot sector virus infects when bootstrapped
– USB virus infects when plugged in
– Email virus infects if attachment is run

Figure 3.5 An Infected Application Program


Examples of Modern Malware

• Waledac – spreads through email – creates a botnet that spreads spam and more malware.
• Conficker or Downadup – spread through the Internet via Windows vulnerabilities – created a botnet used for spam and malware distribution.
• Pushdo/Cutwail – a botnet and spam package that used to produce 7 million messages a day.
• ZeuS – creates a botnet focused on financial fraud.
• Stuxnet – attacks control logic in industrial plants; probable target was Iranian nuclear sites.

Sharing and Protecting Files


• Objectives for sharing files
– Provide computing for authorized users
– Preserve the Chain of Control
– Permit/prevent general sharing among users
• Risks – a generic set
1. Denial of service
2. Subversion
3. Masquerade
4. Disclosure
5. Forgery

Policy Alternatives
• Global Policies – applied to all users by default
– Isolation Policy – keep users separate
– Sharing Policy – let users share their files
• Tailored Policies
– Modify rights for specific sets of files
– Specific tailorings
• Privacy – block some files from sharing
• Shared reading – share some blocked files
• Shared updating – full rights for some users
Underlying Policy on Shared System
• Our policy must make it possible for users to share application programs.
– Three policy statements below allow this while defending against related risks.

Table 3.1 Underlying system policy for a shared computer


No. | Requirement | Risks
1 | All users shall be able to execute customary application programs and operating system service programs. | 1
2 | Each user shall have a separate login and, optionally, a password. | 3
3 | Programs shall be protected from damage or other modifications by regular users. | 1, 2

Figure 3.6 Executable Access Rights


A Global Isolation Policy
• By default, all personal files are kept private
• Specific shared files are available
– Addressed by the first 3 policy statements
• Global policy requires one added rule:
Table 3.2 Global Policy Rule
# | Policy Statement | Risks
4 | Files belonging to one user shall be protected from any access (read or write) by other users. | 1, 2, 5

Figure 3.7 Isolation Policy

Bob’s Policy
• Bob perceives another risk:
– 6. Unauthorized access to client data
• To address this, he adds this requirement:

Table 3.3 Additional requirements for Bob’s particular situation


# | Requirement | Risks
5 | The system shall have two regular users: Bob and Alice. | 4, 6
6 | Bob shall have a password to protect his login. | 2, 4, 5, 6
7 | Alice shall have a password to protect her login. | 1

Global Sharing Policy


• By default, all personal files are shared
– Readable by others but not writeable
• Application files are also shared
– Addressed by the first 3 policy statements
• Global policy requires two statements
– Replaces #4 in the global isolation policy

Table 3.4 Global Sharing Policy


# | Policy Statement | Risks
4 | Files belonging to one user shall be readable by others. | 1
5 | Files belonging to one user shall be protected from writing by others. | 1, 3, 5

Security Controls
• An operating system can protect files as long as:
1. The OS protections are always applied when we access our files, and
2. There is no way to bypass the OS protections
• Basic Principle: Deny by Default
1. We always start by granting no access
2. We add access rights
3. This makes it easier to assign the right permissions and achieve Least Privilege

Managing Access Rights


• Access Matrix contains two dimensions
– A full matrix is too large for practical use
– We can organize access rights by clustering in one dimension or the other
• Cluster by Column = Capability-Based Security
– We associate rights with users, processes, or other active entities
– A key-ring is a set of capabilities: ownership grants access to the locked items
– Tickets provide capabilities
Cluster by Row = File Permissions
• Currently the most popular strategy in OSes
– Access rights are associated with resources like files, devices, storage areas, etc.
– The list of rights tells which users/processes have which access rights.
• Implementations Today
– File Permission Flags – Unix
– Access Control Lists – Windows, OS X
– Detailed examples – Next Chapter
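The two clusterings of the access matrix (by row, giving a permission list per file; by column, giving a capability list or “key ring” per user) answer exactly the same question, but they differ in what is cheap to change. The following is an added example written for this handout, not code from the text; the matrix contents, file names and user names are constructed samples, and rows are files and columns are users so that the code’s “by row” and “by column” match the text’s usage.

```python
# Added example, not from the text: one access matrix clustered both ways.
# Rows are resources (files), columns are users, so "by row" yields a
# permission list per file and "by column" yields a key ring per user.
# Matrix contents and names are constructed samples.
from collections import defaultdict

# Constructed matrix: row = file, column = user, cell = rights (R, W, X).
# Empty cells are simply absent: that is what makes a full matrix wasteful.
MATRIX = {
    "/bin/editor":       {"system": {"R", "W", "X"}, "bob": {"R", "X"}, "alice": {"R", "X"}},
    "/home/bob/essay":   {"bob": {"R", "W"}},
    "/home/alice/notes": {"alice": {"R", "W"}, "bob": {"R"}},   # shared reading
}


def by_row(matrix):
    """Cluster by row: each file carries its own list of users and rights."""
    return {f: {u: set(r) for u, r in row.items()} for f, row in matrix.items()}


def by_column(matrix):
    """Cluster by column: each user carries tickets (file, rights), a key ring."""
    rings = defaultdict(list)
    for f, row in matrix.items():
        for u, rights in row.items():
            rings[u].append((f, set(rights)))
    return dict(rings)


def permitted_by_row(perms, user, path, right):
    # Deny by default: a file with no entry for this user grants nothing.
    return right in perms.get(path, {}).get(user, set())


def permitted_by_column(rings, user, path, right):
    # The process presents a ticket; holding a matching ticket is the access.
    return any(f == path and right in r for f, r in rings.get(user, ()))


def revoke_all_access(path, perms, rings):
    """Withdraw every right on one file in both forms. With permission lists it
    is one deletion; with key rings every ring must be searched. Returns the
    number of tickets pulled from the rings."""
    perms.pop(path, None)
    pulled = 0
    for user, tickets in rings.items():
        kept = [(f, r) for f, r in tickets if f != path]
        pulled += len(tickets) - len(kept)
        rings[user] = kept
    return pulled


def representations_agree(matrix):
    """Both clusterings must answer every (user, file, right) question alike."""
    perms, rings = by_row(matrix), by_column(matrix)
    users = {u for row in matrix.values() for u in row}
    return all(permitted_by_row(perms, u, f, r) == permitted_by_column(rings, u, f, r)
               for u in users for f in matrix for r in "RWX")


def matrix_size(matrix):
    """Cells a full users x files matrix would hold versus entries actually stored."""
    users = {u for row in matrix.values() for u in row}
    return len(users) * len(matrix), sum(len(row) for row in matrix.values())


if __name__ == "__main__":
    print("agree:", representations_agree(MATRIX), "full vs stored:", matrix_size(MATRIX))
    perms, rings = by_row(MATRIX), by_column(MATRIX)
    print("tickets pulled:", revoke_all_access("/bin/editor", perms, rings))
```

`revoke_all_access` is the practical difference between the two designs: removing every right on a file is one row deletion in the permission-list form, but a search of every user’s key ring in the capability form, which is one reason the text notes that clustering by row is the more common strategy in today’s operating systems.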
Permission Flags in General
• Sets of flags to specify access rights. Example:
– RWX = Read, Write, Execute access rights
• A set of flags for each type of process
– Processes belonging to the file’s owner
– Processes belonging to the system
– Processes belonging to others – the world
• Still too redundant: owner and system often have full access to the files anyway
• Compact access rules specify world rights only.
Compact access rules for Bob’s Files
• A simple way to list file security controls to enforce basic or global security policies
– Specify the files, their owners, and the access rights for the other users on the
system.

Table 3.5 Compact Access Rule for Bob’s Isolation Policy


# | File Type | File Owner | World Access | Requirement
6 | Executable programs | System | R-X | 3.4
7 | Bob’s data files | Bob | - | 5
8 | Bob’s directory | Bob | - | 5
9 | Alice’s data files | Alice | - | 5
10 | Alice’s directory | Alice | - | 5
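The compact rules in Table 3.5, and the “deny by default” principle and RWX permission flags of the two sections before it, can be turned directly into Unix-style mode bits and then checked against the isolation policy. The following is an added example written for this handout, not code from the text or the book; the octal layout and the `stat.filemode()` rendering are standard Unix and Python, while the file paths, the choice to mirror the world flags into the group class, and treating “system” as the owner of installed programs are assumptions.

```python
# Added example, not from the text: Table 3.5's compact access rules expressed
# as Unix-style permission flags (rwx for owner / group / world) and checked
# against processes with deny-by-default semantics. The octal layout and
# stat.filemode() rendering are standard Unix/Python; the file paths, the
# decision to mirror world flags into the group class, and the treatment of
# "system" as the owner of installed programs are assumptions.
import stat

RIGHT_BITS = {"r": 4, "w": 2, "x": 1}


def flags_to_bits(flags):
    """'r-x' -> 5. A '-' means the flag is absent, so nothing is granted for it."""
    return sum(RIGHT_BITS[c] for c in flags if c != "-")


def build_mode(world="---", owner="rwx", group=None, is_dir=False):
    """Owner keeps full rights; group mirrors world unless given; world is the
    only class a compact rule has to specify. Starts from zero: deny by default."""
    group = world if group is None else group
    bits = (flags_to_bits(owner) << 6) | (flags_to_bits(group) << 3) | flags_to_bits(world)
    return bits | (stat.S_IFDIR if is_dir else stat.S_IFREG)


def compact_rule(mode):
    """The world triple alone, e.g. 'r-x': what Table 3.5 lists per file."""
    return stat.filemode(mode)[7:10]


def chmod_value(mode):
    """The octal value an administrator would pass to chmod, e.g. '0o755'."""
    return oct(stat.S_IMODE(mode))


def may(mode, file_owner, user, right):
    """Select the class for the process (owner or world; group omitted here) and
    test the single flag. Nothing is granted unless its bit is set."""
    shift = 6 if user == file_owner else 0
    return bool((mode >> shift) & RIGHT_BITS[right])


# Table 3.5 as (owner, world flags, is_dir); the paths are constructed
TABLE_3_5 = {
    "/bin/editor":      ("system", "r-x", False),  # 6: executable programs
    "/home/bob/data":   ("bob",    "---", False),  # 7: Bob's data files
    "/home/bob":        ("bob",    "---", True),   # 8: Bob's directory
    "/home/alice/data": ("alice",  "---", False),  # 9: Alice's data files
    "/home/alice":      ("alice",  "---", True),   # 10: Alice's directory
}


def modes_for(rules=TABLE_3_5):
    return {p: (o, build_mode(world=w, is_dir=d)) for p, (o, w, d) in rules.items()}


def listing(rules=TABLE_3_5):
    """Each rule as 'ls -l' style text plus the chmod value that installs it."""
    return [f"{stat.filemode(m)} {o:6} {chmod_value(m)} {p}"
            for p, (o, m) in modes_for(rules).items()]


def isolation_policy_holds(rules=TABLE_3_5, users=("bob", "alice")):
    """Statement 1: every user may execute the application programs.
    Statement 4: no user may read or write another user's files."""
    for path, (owner, mode) in modes_for(rules).items():
        for user in users:
            if owner == "system":
                if not may(mode, owner, user, "x"):
                    return False
            elif user != owner and (may(mode, owner, user, "r") or may(mode, owner, user, "w")):
                return False
    return True


if __name__ == "__main__":
    print("\n".join(listing()))
    print("isolation policy holds:", isolation_policy_holds())
```

Because `build_mode` starts from zero bits and only adds what a flag string names, a typo such as `"r-"` grants less, never more, which is the practical payoff of deny by default. Passing a rule set in which one user’s data file has world flags `r--` makes `isolation_policy_holds` return False, which is exactly the difference between the isolation policy and the global sharing policy of Table 3.4.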

States and State Diagrams


• A technique to illustrate a system’s behavior
– Each state is a separate situation
– Arrows between states show transitions
• A transition indicates both cause and effect
• An event causes the transition
• An action may take place at the transition
• A door may be Open or Closed – two states
• The events Opening or Closing cause the transition between the states

Information States
• Data or information may be in these basic states
– Storage state
• Stored in a computer, not being processed
• “Data at rest”
– Processing state
• Being used by an active process
• Usually stored in RAM
– Transmission state
• Being moved from one place to another (“Data in motion”)

Figure 3.8 Example: Bob’s Essay

The Security Patch Race


• A race begins when a security problem arises
– The software developer races to develop a fix to eliminate the problem
– Attackers race to write software that exploits the problem and lets them attack
computers
• Attack software is called an exploit
• Any computer that doesn’t patch the problem may be vulnerable to the exploit
• Window of vulnerability = time during which an exploit exists but computers aren’t
patched
Patching Security Flaws
• The Patching Process
– Collect error reports
– Prioritize errors and assign to engineers
– Engineer develops software to fix the error
– Software fixes are chosen for a patch
– The patch is tested
– The patch is released
• This applies to all flaws including security flaws
– Security fixes may have higher priority
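The window of vulnerability defined above, and the state-and-transition technique introduced earlier in this chapter, combine naturally: each host sits in one state, and events (an exploit appearing, a patch being applied) move it between states. The following is an added example written for this handout, not code from the text; the state names, event names, host names and the “accelerated” 9am-to-3pm timestamps are constructed labels, and only the rule “vulnerable while an exploit exists and the host is not patched” comes from the text.

```python
# Added example, not from the text: a small state model of the security patch
# race, one state machine per host. State names, event names, hosts and the
# accelerated timestamps are constructed; the rule "exposed while an exploit
# exists and the host is not patched" is the text's window of vulnerability.
from datetime import datetime, timedelta

SAFE, EXPOSED, PATCHED = "safe", "exposed", "patched"


def clock(hour, minute=0):
    """Constructed timestamp on an arbitrary day, used for the accelerated timeline."""
    return datetime(2015, 4, 19, hour, minute)


class Host:
    def __init__(self, name):
        self.name = name
        self.state = SAFE
        self.exposed_since = None
        self.window = None          # timedelta once the window has closed

    def on_event(self, event, at):
        """Apply one event (the cause); return the new state (the effect)."""
        if event == "exploit_released" and self.state == SAFE:
            self.state, self.exposed_since = EXPOSED, at
        elif event == "patch_applied" and self.state != PATCHED:
            if self.state == EXPOSED:
                self.window = at - self.exposed_since   # the window closes now
            else:
                self.window = timedelta(0)              # patched before any exploit
            self.state = PATCHED
        # "patch_released" ends the developer's race but changes nothing on a
        # host until someone applies the patch, so it is deliberately ignored.
        return self.state

    def window_hours(self, now):
        """Hours exposed so far if still unpatched, else the closed window."""
        if self.state == EXPOSED:
            return (now - self.exposed_since).total_seconds() / 3600
        return None if self.window is None else self.window.total_seconds() / 3600


def replay(events, hosts):
    """Deliver time-ordered (time, event, target) records; target None = every host."""
    for at, event, target in sorted(events, key=lambda e: e[0]):
        for host in hosts.values():
            if target is None or target == host.name:
                host.on_event(event, at)
    return hosts


def simulate():
    """Accelerated timeline in the spirit of Figure 3.9: exploit at 10am, patch at 11am."""
    hosts = {n: Host(n) for n in ("A", "B", "C")}
    events = [
        (clock(10), "exploit_released", None),
        (clock(11), "patch_released", None),
        (clock(11, 30), "patch_applied", "A"),   # prompt administrator
        (clock(15), "patch_applied", "B"),       # delayed administrator
        # host C never applies the patch
    ]
    replay(events, hosts)
    return {n: (h.state, h.window_hours(clock(15))) for n, h in hosts.items()}


if __name__ == "__main__":
    for name, (state, hours) in simulate().items():
        print(f"host {name}: {state}, exposed {hours} h")
```

Host A’s window is the 90 minutes between the exploit and its patch; host B’s window is five hours, showing the cost of delayed patching; host C is still in the exposed state and its window is still growing. A host patched before any exploit appears records a zero-length window, the outcome the patching process is trying to reach.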

Figure 3.9 The Risks of Delayed Patching (timeline from 9am to 3pm, accelerated time frame)

Figure 3.10 A State Model of Patching


Assessment
Exercise

Instruction: Answer the following by discussing concisely. Please write your answers on a
separate sheet of short paper. (5 points each)

1. Explain the role of a file name and path in locating a file on a hard drive, and give
reasons why a user should protect a file from read or write access by other users.
2. Search the Internet for information on different malware packages, like those
discussed in the text. Find a description of a malware package not described in the text.
Provide the following information:
a. What is the malware called?
b. How does it propagate?
c. What does it do to the computer?
3. Identify the objectives and policies for file protection and sharing.
4. Bob would like to be able to look at files in the “Suitemates” folders without having to log
in as Suitemates. Take these steps to create a security plan to achieve this goal.
a. Create a revised policy to reflect this objective.
b. Draw a diagram illustrating access rights that implement this policy.
c. Create a table of compact access rules that implements the revised policy. Use
the format shown in Table 3.5.

Reference
Richard E. Smith. Elementary Information Security, 2nd Edition: Controlling Files. Jones &
Bartlett Publishers, Inc. (April 19, 2015).
