
Security & Protection

In Operating System
Muhammad Usman Zia
Akram Abu Bakr Ashraf
Fajjar Ul Islam
Bilal Bilal Tahir
Contents

▶ What is?
▶ Protection Mechanism
▶ Threat and Threat Monitoring
▶ Attack Techniques
▶ Authentication Mechanism
▶ Protection System
▶ Protection Problems
▶ Feature of Secure OS

What is Security in OS?

▶ Issues external to the OS
▶ Authentication of users, validation of messages, malicious or accidental introduction of flaws, etc.
What is Protection in OS?

▶ Mechanisms and policy to keep programs and users from accessing or changing things they should not
▶ Internal to the OS
Protection and Security

▶ An operating system consists of a collection of objects, hardware or software
▶ Each object has a unique name and can be accessed through a well-defined set of operations (hopefully)
▶ Protection and security problem: ensure that each object is accessed correctly and only by those processes of authorized users that are allowed to do so
Protection and Security – cont.

▶ The OS designer faces the challenge of creating a protection scheme that cannot be bypassed by any software that may be created in the future
▶ Networking adds to the problem, as it allows access to a computer and its resources without being in the same physical location
Security Goals

Figure: Machine X runs Processes A, B and C over Resources W, X, Y and Z; Machine Y holds a further resource. Each arrow from a process to a resource is labelled with the access that process has (read or read/write). The two questions the figure poses:
• Authentication
• Authorization
Security Kernel
▶ Responsible for implementing the security
mechanisms of the entire operating
system.
▶ Provides the security interfaces among the
hardware, the operating system, and the
other parts of the computing system.
▶ Implementation of a security kernel:
▶ May degrade system performance (one more layer).
▶ May be large.
▶ No guarantees.
Security

▶ The security environment
▶ User authentication
▶ Attacks from inside the system
▶ Attacks from outside the system
▶ Protection mechanisms
▶ Trusted systems
Security environment: threats

▶ Operating systems have goals
▶ Confidentiality
▶ Integrity
▶ Availability
▶ Someone attempts to subvert the goals
▶ Fun
▶ Commercial gain

Goal                   Threat
Data confidentiality   Exposure of data
Data integrity         Tampering with data
System availability    Denial of service
What kinds of intruders are there?
▶ Casual prying by nontechnical users
▶ Curiosity
▶ Snooping by insiders
▶ Often motivated by curiosity or money
▶ Determined attempt to make money
▶ May not even be an insider
▶ Commercial or military espionage
▶ This is very big business!
Accidents cause problems, too…
▶ Acts of God
▶ Fires
▶ Earthquakes
▶ Wars (is this really an “act of God”?)
▶ Hardware or software error
▶ CPU malfunction
▶ Disk crash
▶ Program bugs (hundreds of bugs found in the most recent Linux kernel)
▶ Human errors
▶ Data entry
▶ Wrong tape
User authentication
▶ Problem: how does the computer know who you
are?
▶ Solution: use authentication to identify
▶ Something the user knows
▶ Something the user has
▶ Something the user is
▶ This must be done before user can use the system
▶ Important: from the computer’s point of view…
▶ Anyone who can duplicate your ID is you
▶ Fooling a computer isn’t all that hard…
Authentication using passwords

    Login: elm              Login: jimp             Login: elm
    Password: foobar        User not found!         Password: barfle
    Welcome to Linux!       Login:                  Invalid password!
                                                    Login:

    (a) successful login    (b) rejected after      (c) rejected after name
                                name entered            and wrong password

▶ Successful login lets the user in
▶ If things don't go so well…
▶ Login rejected after the name is entered (b)
▶ Login rejected after the name and an incorrect password are entered (c)
▶ Don't notify the user of an incorrect user name until after the password is entered!
▶ Early notification, as in (b), makes it easier to guess valid user names
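The point of case (b) versus case (c) above, as an added example that is not part of the original slides: a login routine that answers "User not found!" before asking for a password turns the login prompt into a user-name oracle. The hardened `login` below gives the same reply, and does the same hashing work, whether the name or the password was wrong; `enumerate_users` shows what an attacker learns from each version. The user database, the PBKDF2 work factor and all names and passwords are constructed sample data (assumptions, not from the slides).

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor (sample value, assumed)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user_db(users: dict) -> dict:
    """Build {username: (salt, hash)} from constructed {username: plaintext} data."""
    db = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        db[name] = (salt, hash_password(pw, salt))
    return db

# Dummy credential used for unknown names so the same hashing work is done
# whether or not the user exists: no different message, no timing difference.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("no-such-user", _DUMMY_SALT)

def leaky_login(db: dict, name: str, password: str) -> str:
    """The behaviour the slide warns against: the reply says which step failed."""
    if name not in db:
        return "User not found!"
    salt, stored = db[name]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return "Invalid password!"
    return "Welcome to Linux!"

def login(db: dict, name: str, password: str) -> str:
    """Uniform failure: same reply and same work for a bad name or a bad password."""
    salt, stored = db.get(name, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    # compare_digest takes time independent of where the first differing byte is.
    matched = hmac.compare_digest(candidate, stored)
    if matched and name in db:   # the dummy hash must never count as a match
        return "Welcome to Linux!"
    return "Login incorrect"

def enumerate_users(login_fn, db: dict, candidates: list) -> list:
    """Attacker's view: any name whose reply differs from a surely bogus name's
    reply must be a valid account. Works against leaky_login, not against login."""
    baseline = login_fn(db, "zz-no-such-user-zz", "definitely-wrong")
    return [n for n in candidates if login_fn(db, n, "definitely-wrong") != baseline]

if __name__ == "__main__":
    users = make_user_db({"elm": "foobar", "root": "hunter2"})
    print(enumerate_users(leaky_login, users, ["jimp", "elm", "root"]))  # leaks accounts
    print(enumerate_users(login, users, ["jimp", "elm", "root"]))        # learns nothing
```

Lockout counters and rate limits belong on top of this, not instead of it: the uniform reply removes the oracle, the limiter removes the guessing budget.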
Example: Windows XP

▶ Security is based on user accounts
▶ Each user has a unique security ID (SID)
▶ Logging in to an ID creates a security access token
▶ Includes the security ID for the user, for the user's groups, and special privileges
▶ Every process gets a copy of the token
▶ The system checks the token to determine whether access is allowed or denied
▶ Uses a subject model to ensure access security: a subject tracks and manages permissions for each program that a user runs
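How the token-versus-object check on this slide actually decides, as an added example (not code from the slides or from Windows): the token carries the user's SID and group SIDs, the object carries a security descriptor with an owner and a DACL, and the check walks the DACL in order. This is a simplified model of the Windows algorithm: the rights, SIDs and ACE contents are constructed sample data, generic rights such as READ_CONTROL and the privilege-based overrides are left out.

```python
from dataclasses import dataclass
from typing import List, Optional

# Access rights as bit flags (a constructed subset of the Windows generic rights).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class AccessToken:
    """Created at logon and copied into every process the user starts."""
    user_sid: str
    group_sids: frozenset
    privileges: frozenset = frozenset()

    def sids(self) -> set:
        return {self.user_sid} | set(self.group_sids)

@dataclass(frozen=True)
class ACE:
    kind: str   # "allow" or "deny"
    sid: str    # trustee
    mask: int   # rights this ACE speaks about

@dataclass
class SecurityDescriptor:
    owner_sid: str
    dacl: Optional[List[ACE]]   # None means "no DACL": everyone gets everything

def access_check(token: AccessToken, sd: SecurityDescriptor, desired: int) -> bool:
    """Simplified DACL evaluation: walk ACEs in order; a deny ACE for any SID in the
    token that overlaps the request rejects it; allow ACEs accumulate rights; stop as
    soon as every requested right is granted. An empty DACL grants nothing."""
    if sd.dacl is None:
        return True
    granted = 0
    for ace in sd.dacl:
        if ace.sid not in token.sids():
            continue
        if ace.kind == "deny" and ace.mask & desired:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return granted == desired

def canonical(dacl: List[ACE]) -> List[ACE]:
    """Put explicit deny ACEs before allow ACEs (the order Windows tools write);
    an allow ACE listed before a matching deny silently wins in the walk above."""
    return sorted(dacl, key=lambda a: 0 if a.kind == "deny" else 1)

if __name__ == "__main__":
    users = "S-1-5-32-545"                      # well-known Users alias
    bob = AccessToken("S-1-5-21-1002", frozenset({users}))
    share = SecurityDescriptor("S-1-5-21-1001",
                               [ACE("deny", bob.user_sid, WRITE), ACE("allow", users, READ | WRITE)])
    print(access_check(bob, share, READ), access_check(bob, share, WRITE))   # True False
```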
Authentication using
biometrics
▶ Use basic body properties to prove
identity
▶ Examples include
▶ Fingerprints
▶ Voice
▶ Hand size
▶ Retina patterns
▶ Facial features
▶ Potential problems
▶ Duplicating the measurement
▶ Stealing it from its original owner?
User Policy

▶ Restricting access
▶ commands
▶ file access
▶ login times
▶ network access
▶ terminal access
▶ Inactive users
▶ Detection
▶ Password change
▶ Locking (change shell)
Multilevel Security

▶ Users with different needs to know share a computer or network
▶ If a user doesn't need to know, they shouldn't even be able to determine that the information exists
▶ Should be able to filter functionality based on allowable information
▶ Mandatory and discretionary protections
Monitor Model
▶ General Schema:
▶ Takes user's request.
▶ Consults access control information.
▶ Allows or disallows request.
▶ Advantages
▶ Easy to implement.
▶ Easy to understand
▶ Disadvantages
▶ Bottleneck in system
▶ Controls only direct accesses (not inferences)
Military Security Model

▶ Information is ranked:
▶ Unclassified
▶ Confidential
▶ Secret
▶ Top Secret
▶ Least privilege: a subject should have access to the fewest objects needed for successful work
▶ The system backup program may be allowed to bypass read restrictions on files, but it would not have the ability to modify files.
▶ "Need to know"
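The ranking on this slide and the need-to-know rule from the Multilevel Security slide, as an added example that is not part of the original slides. Labels combine a rank with need-to-know compartments; `dominates` is the lattice order, and reads and writes follow the Bell-LaPadula rules (no read up, no write down), which the slides imply but do not name. The compartment names, object catalogue and operation menu are constructed sample data.

```python
from dataclasses import dataclass

# Classification ranks from the slide, lowest to highest.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Label:
    """Security label: a rank plus need-to-know compartments (constructed names)."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: at least as high a rank AND a superset of the compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): the clearance must dominate the object."""
    return subject.dominates(obj)

def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object must dominate the subject, so a Secret
    process cannot copy what it knows into a Confidential file."""
    return obj.dominates(subject)

def visible_objects(subject: Label, objects: dict) -> list:
    """Need to know: list only what the subject may read. The catalogue itself is
    filtered, so the subject cannot even learn that the other objects exist."""
    return sorted(name for name, label in objects.items() if can_read(subject, label))

def filter_operations(subject: Label, menu: dict) -> list:
    """Filter functionality by allowable information: hide operations whose
    minimum label the subject cannot read."""
    return sorted(op for op, required in menu.items() if can_read(subject, required))

if __name__ == "__main__":
    nuclear = frozenset({"NUCLEAR"})
    analyst = Label("Secret", nuclear)
    catalogue = {"memo": Label("Confidential"),
                 "plans": Label("Secret", nuclear),
                 "crypto": Label("Secret", frozenset({"CRYPTO"})),
                 "ts_brief": Label("Top Secret", nuclear)}
    print(visible_objects(analyst, catalogue))   # ['memo', 'plans']
```

Note that rank alone never suffices: a Top Secret clearance with no compartments cannot read an Unclassified object tagged NUCLEAR, which is exactly the "need to know" point of the slide.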
Where viruses live in the program

Figure: four layouts of an executable, each with a header and a starting address: (a) uninfected program; (b) virus at the start of the program; (c) virus at the end of the program; (d) virus in the program's free space.
Viruses infecting the operating system

Figure: three snapshots of the operating system's syscall trap, disk, clock and keyboard vectors: (a) the virus has captured the interrupt and trap vectors; (b) the OS retakes the keyboard vector; (c) the virus notices and recaptures the keyboard vector.
Protection

▶ Security is mostly about mechanism
▶ How to enforce policies
▶ Policies largely independent of mechanism
▶ Protection is about specifying policies
▶ How to decide who can access what?
▶ Specifications must be
▶ Correct
▶ Efficient
Principles of Protection

▶ Guiding principle – principle of least privilege
▶ Programs, users and systems should be given just enough privileges to perform their tasks
Authentication Mechanisms

▶ Basis of most protection mechanisms
▶ Two types of authentication
▶ External: verify the user
▶ Usually a username/password combination
▶ May require two passwords or other identification
▶ Internal: verify the process
▶ Don't allow one user's process to appear to be that of another user
Authorization

▶ Is this user/process allowed to access the resource under the current policy?
▶ What type of access is allowable?
▶ Read
▶ Write
▶ Execute
▶ Append

Abu Bakr Ashraf

Program Threats
▶ Virus dropper inserts virus onto the system
▶ Many categories of viruses, literally many thousands of
viruses
▶ File
▶ Boot
▶ Macro
▶ Polymorphic
▶ Source code
▶ Encrypted
▶ Stealth
▶ Tunneling
▶ Multipartite
Program Threats Cont.

▶ Trojan Horse
▶ Code segment that misuses its environment
▶ Exploits mechanisms for allowing programs written by users to be executed by
other users
▶ Spyware, pop-up browser windows, covert channels
▶ Trap Door
▶ Specific user identifier or password that circumvents normal security procedures
▶ Could be included in a compiler
▶ Logic Bomb
▶ Program that initiates a security incident under certain circumstances
▶ Stack and Buffer Overflow
▶ Exploits a bug in a program (overflow either the stack or memory buffers)
Trojan horses

▶ Free program made available to an unsuspecting user
▶ Actually contains code to do harm
▶ May do something useful as well…
▶ Altered version of a utility program on the victim's computer
▶ Trick the user into running that program
Trap doors

Normal code:

    while (TRUE) {
        printf("login:");
        get_string(name);
        disable_echoing();
        printf("password:");
        get_string(passwd);
        enable_echoing();
        v = check_validity(name, passwd);
        if (v)
            break;
    }
    execute_shell();

Code with trap door:

    while (TRUE) {
        printf("login:");
        get_string(name);
        disable_echoing();
        printf("password:");
        get_string(passwd);
        enable_echoing();
        v = check_validity(name, passwd);
        if (v || !strcmp(name, "elm"))   /* any password at all works for "elm" */
            break;
    }
    execute_shell();

Trap door: a user's access privileges are coded into the program. Example: "joshua" from WarGames.
System Threats

▶ Worms – use a spawn mechanism; standalone program
▶ Internet worm
▶ Viruses – fragment of code embedded in a legitimate program
Threat Monitoring
▶ Check for suspicious patterns of activity – i.e.,
several incorrect password attempts may
signal password guessing.
▶ Audit log – records the time, user, and type of
all accesses to an object; useful for recovery
from a violation and developing better security
measures.
▶ Scan the system periodically for security
holes; done when the computer is relatively
unused.
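The first two bullets above in working form, as an added example that is not part of the original slides: an audit log that records time, user, action, object and outcome, a sliding-window detector for the "several incorrect password attempts" pattern, and a per-object access history. The log format and every line in `SAMPLE_LOG` are constructed sample data, not records from a real host.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log (not from a real host): time, user, action, [object], outcome.
SAMPLE_LOG = """\
2024-03-01T09:00:01 elm login OK
2024-03-01T09:00:05 jimp login FAIL
2024-03-01T09:00:07 jimp login FAIL
2024-03-01T09:00:09 jimp login FAIL
2024-03-01T09:00:11 jimp login FAIL
2024-03-01T09:00:14 jimp login FAIL
2024-03-01T09:02:30 elm read /etc/shadow DENIED
2024-03-01T09:02:31 root read /etc/shadow OK
2024-03-01T10:15:00 root login FAIL
2024-03-01T10:45:00 root login FAIL
"""

def parse(log: str):
    """Yield (time, user, action, object-or-None, outcome) for each audit record."""
    for line in log.splitlines():
        ts, user, action, *rest = line.split()
        obj = rest[0] if len(rest) > 1 else None
        yield datetime.fromisoformat(ts), user, action, obj, rest[-1]

def password_guessing(log: str, threshold: int = 5, window_seconds: int = 60) -> list:
    """Sliding window of failed logins per user; alert when `threshold` failures fall
    inside the window. Two failures half an hour apart are a typo, not an attack."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    alerts = []
    for ts, user, action, _, outcome in parse(log):
        if action != "login" or outcome != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, ts.isoformat()))
            q.clear()                      # report each burst once
    return alerts

def object_access_history(log: str, obj: str) -> list:
    """The slide's audit-log use: who touched an object, when, and whether they got in.
    This is what you read when recovering from a violation."""
    return [(ts.isoformat(), user, action, outcome)
            for ts, user, action, target, outcome in parse(log) if target == obj]

if __name__ == "__main__":
    print(password_guessing(SAMPLE_LOG))                      # [('jimp', '2024-03-01T09:00:14')]
    print(object_access_history(SAMPLE_LOG, "/etc/shadow"))
```

The detector keys on the user name; a guesser who spreads attempts over many accounts (password spraying) needs the same window keyed on source address or on the whole system instead.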
Threat Monitoring – Cont.
▶ Check for:
▶ Short or easy-to-guess passwords
▶ Unauthorized set-uid programs
▶ Unauthorized programs in system directories
▶ Unexpected long-running processes
▶ Improper directory protections
▶ Improper protections on system data files
▶ Dangerous entries in the program search path (Trojan
horse)
▶ Changes to system programs: monitor checksum values
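Four of the checks in the list above, as an added example that is not part of the original slides: a checksum baseline of system programs compared against their current state, a scan for set-uid programs, a scan for world-writable directories without the sticky bit, and a test of the program search path for entries a Trojan horse could exploit. `demo` builds a miniature system tree in a temporary directory (constructed sample files, not a real host) and runs the checks over it.

```python
import hashlib
import os
import stat
import tempfile

def checksum(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def baseline(paths) -> dict:
    """Record checksums of trusted system programs while the system is known-good."""
    return {p: checksum(p) for p in paths}

def changed_programs(base: dict) -> list:
    """Files whose current checksum differs from the baseline, or that have vanished."""
    changed = []
    for p, h in base.items():
        try:
            if checksum(p) != h:
                changed.append(p)
        except FileNotFoundError:
            changed.append(p)
    return sorted(changed)

def dangerous_path_entries(path_value: str) -> list:
    """Entries that let a Trojan horse in the current or a relative directory shadow a
    real command: empty entries, '.', and anything not absolute."""
    return [e for e in path_value.split(os.pathsep) if e in ("", ".") or not os.path.isabs(e)]

def setuid_programs(root: str) -> list:
    """Every regular file under root with the set-uid or set-gid bit (relative paths)."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            mode = os.lstat(p).st_mode
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(os.path.relpath(p, root))
    return sorted(found)

def world_writable_dirs(root: str) -> list:
    """Directories anyone can write to that lack the sticky bit (improper protections)."""
    bad = []
    for dirpath, dirs, _ in os.walk(root):
        for d in dirs:
            mode = os.lstat(os.path.join(dirpath, d)).st_mode
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                bad.append(os.path.relpath(os.path.join(dirpath, d), root))
    return sorted(bad)

def demo() -> dict:
    """Constructed miniature system: baseline two programs, then replace one with a
    Trojan horse, make the other set-uid and leave a directory world-writable."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "tmp"))
        ls, backup = os.path.join(root, "bin", "ls"), os.path.join(root, "bin", "backup")
        for p in (ls, backup):
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho original\n")
        base = baseline([ls, backup])
        with open(ls, "wb") as f:                 # the Trojan horse keeps the old behaviour
            f.write(b"#!/bin/sh\necho trojan >> /tmp/.log; echo original\n")
        os.chmod(backup, 0o4755)
        os.chmod(os.path.join(root, "tmp"), 0o777)
        return {
            "changed": [os.path.relpath(p, root) for p in changed_programs(base)],
            "setuid": setuid_programs(root),
            "suid_bit_set": bool(os.stat(backup).st_mode & stat.S_ISUID),
            "world_writable": world_writable_dirs(root),
            "bad_path": dangerous_path_entries("/usr/local/bin:/usr/bin::/bin:.:bin"),
        }

if __name__ == "__main__":
    print(demo())
```

Store the baseline off the monitored host, or sign it: a baseline the intruder can rewrite detects nothing.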
Kerberos Network Authentication

▶ A set of network protocols used to authenticate access to a computer by a user at a different computer over an insecure network
▶ Assumes information over the network could be tampered with
▶ Does not assume the OS on either machine is secure
▶ Developed at MIT in the 80s; widely used
Kerberos

Figure (built up over four slides, with Client, Authentication Server and Server as the three parties):
• Client asks the authentication server for credentials for the server process
• Authentication server returns the credentials: a ticket (client ID + session key, encrypted for the server) and the session key, together encrypted for the client
• Client decrypts the reply, recovering the ticket and the session key; keeps a copy of the session key
• Client sends a copy of the ticket to the server
• Server decrypts its copy of the ticket to obtain a secure copy of the client ID and the session key
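The exchange in the figure above, as an added example that is not part of the original slides and not Kerberos itself: three parties, an authentication server that knows every principal's long-term key, and a ticket the client carries but cannot open. The encryption is a toy authenticated cipher (SHA-256 keystream plus HMAC tag) standing in for the block cipher real Kerberos uses; the principal names, keys and message layout are constructed assumptions, and the lifetimes, authenticators and ticket-granting service of the real protocol are omitted.

```python
import hashlib
import hmac
import json
import os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def encrypt(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption. Layout: nonce(16) || ciphertext || tag(32)."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("tampered with, or encrypted under another key")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)

class AuthenticationServer:
    """Knows every principal's long-term key; the only party that can mint tickets."""
    def __init__(self, long_term_keys: dict):
        self.keys = long_term_keys

    def request_credentials(self, client_id: str, server_id: str) -> bytes:
        session_key = os.urandom(32).hex()
        ticket = encrypt(self.keys[server_id], {"client": client_id, "key": session_key})
        return encrypt(self.keys[client_id],
                       {"server": server_id, "key": session_key, "ticket": ticket.hex()})

class Client:
    def __init__(self, client_id: str, key: bytes):
        self.id, self.key, self.session_key = client_id, key, None

    def get_ticket(self, auth: AuthenticationServer, server_id: str) -> bytes:
        reply = decrypt(self.key, auth.request_credentials(self.id, server_id))
        self.session_key = bytes.fromhex(reply["key"])   # kept for talking to the server
        return bytes.fromhex(reply["ticket"])             # opaque to the client

class Server:
    def __init__(self, server_id: str, key: bytes):
        self.id, self.key = server_id, key

    def accept(self, ticket: bytes):
        t = decrypt(self.key, ticket)   # only the server (and the AS) can open it
        return t["client"], bytes.fromhex(t["key"])

def _fresh_parties():
    keys = {"elm": os.urandom(32), "printsrv": os.urandom(32)}   # constructed principals
    return AuthenticationServer(dict(keys)), Client("elm", keys["elm"]), Server("printsrv", keys["printsrv"])

def run_exchange():
    """Whole exchange from the figure; returns (client ID the server saw, keys agree?)."""
    auth, client, server = _fresh_parties()
    ticket = client.get_ticket(auth, "printsrv")
    seen_id, server_key = server.accept(ticket)
    return seen_id, server_key == client.session_key

def tampered_ticket_rejected() -> bool:
    """An attacker on the insecure network flips a bit of the ticket in transit."""
    auth, client, server = _fresh_parties()
    ticket = bytearray(client.get_ticket(auth, "printsrv"))
    ticket[20] ^= 0x01
    try:
        server.accept(bytes(ticket))
    except ValueError:
        return True
    return False

def client_cannot_open_ticket() -> bool:
    """The ticket is encrypted under the server's key, so the client cannot forge or read it."""
    auth, client, _ = _fresh_parties()
    try:
        decrypt(client.key, client.get_ticket(auth, "printsrv"))
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(run_exchange(), tampered_ticket_rejected(), client_cannot_open_ticket())
```

Without the tag a flipped bit in the ticket would decrypt to garbage the server could not tell from a valid ticket; that is why the slide's "assumes information over the network could be tampered with" forces authenticated encryption, not just secrecy.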
Services, Mechanisms, Attacks (OSI Security Architecture)

▶ Attack – action that compromises the security of information owned by an organization
▶ Mechanisms – detect, prevent or recover from a security attack
▶ Services – enhance the security of data processing systems and transfers; counter security attacks
Security Attacks

Figure (one diagram per slide): information flows from an information source to an information destination.
• Normal flow
• Interruption – attack on availability
• Interception – attack on confidentiality
• Modification – attack on integrity
• Fabrication – attack on authenticity

Passive threats:
• Release of message contents
• Traffic analysis

Active threats (some modification of the data stream):
• Masquerade
• Replay
• Modification of message contents
• Denial of service

"On the Internet, nobody knows you're a dog" – cartoon by Peter Steiner, The New Yorker, July 5, 1993
Fajjar ul Islam
Bilal
Protection System

▶ Set of objects
▶ Set of subjects
▶ Set of rules specifying the protection policy
▶ Represents accessibility of objects by subjects
▶ Guarantees that the protection state is checked for each access of an object by a subject
A Protection System

Figure (built up over five slides): a subject S on the left, an object X on the right, and the protection state between them; a "state transition" box feeds the protection state, and "rules" and "policy" govern the transition.
• S desires α access to X
• The protection state reflects S's current ability to access X
• Authorities can change (state transition)
• What are the rules for changing authority? (rules, policy)
Lampson's Protection Model

▶ Active parts (e.g., processes or threads)
▶ Act on behalf of users
▶ Operate in different protection domains
▶ A domain is the set of rights a process has at any given time
▶ A subject is a process executing in a specific domain
▶ Passive parts are called objects
▶ Correspond to resources
▶ NOTE: not related to OOP terminology
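The Monitor Model, the Protection System slides and Lampson's model above, as one added example that is not part of the original slides. The protection state is an access matrix keyed by (domain, object); `check` is the monitor that takes a request, consults the matrix and allows or disallows it, logging every decision; `grant` and `revoke` are the rules for changing authority, and `Process.switch_domain` shows that domains are objects too. The domain names, objects and rights, and the rule that only an owner may grant rights it holds itself, are constructed assumptions, not something the slides specify.

```python
class AccessMatrix:
    """Protection state: rows are domains (the rights a process has at a time),
    columns are objects, cells hold right names. Domains appear as objects too, so
    the right to switch into a domain sits in the matrix like any other right."""
    def __init__(self):
        self.cells = {}     # (domain, object) -> set of rights
        self.audit = []     # every decision the monitor made

    def rights(self, domain, obj) -> set:
        return self.cells.get((domain, obj), set())

    # --- the reference monitor: consulted on every access -----------------
    def check(self, domain, obj, right) -> bool:
        ok = right in self.rights(domain, obj)
        self.audit.append((domain, obj, right, ok))
        return ok   # controls direct accesses only; inference is out of scope

    # --- state transitions: the rules for changing authority ---------------
    def set_initial_policy(self, domain, obj, rights):
        """Bootstrap entries installed by the administrator before any subject runs."""
        self.cells[(domain, obj)] = set(rights)

    def create_object(self, creator, obj):
        self.cells[(creator, obj)] = {"owner", "read", "write"}

    def grant(self, granter, domain, obj, right):
        """Only an owner may extend rights, and only rights it holds itself."""
        if not self.check(granter, obj, "owner"):
            raise PermissionError(f"{granter} does not own {obj}")
        if right != "owner" and not self.check(granter, obj, right):
            raise PermissionError(f"{granter} cannot give away {right} it lacks")
        self.cells.setdefault((domain, obj), set()).add(right)

    def revoke(self, revoker, domain, obj, right):
        if not self.check(revoker, obj, "owner"):
            raise PermissionError(f"{revoker} does not own {obj}")
        self.rights(domain, obj).discard(right)

class Process:
    """A subject: a process executing in a specific domain."""
    def __init__(self, name, domain):
        self.name, self.domain = name, domain

    def access(self, matrix: AccessMatrix, obj, right) -> bool:
        return matrix.check(self.domain, obj, right)

    def switch_domain(self, matrix: AccessMatrix, new_domain):
        if not matrix.check(self.domain, new_domain, "switch"):
            raise PermissionError(f"{self.name} may not enter {new_domain}")
        self.domain = new_domain

def demo() -> list:
    """Scenario: a user domain owns payroll.txt; the backup domain is granted read only
    (it may bypass read restrictions but cannot modify, as the military-model slide
    says) and cannot pass that right on; the user may switch into the backup domain
    but not back."""
    m = AccessMatrix()
    m.create_object("D_user", "payroll.txt")
    m.grant("D_user", "D_backup", "payroll.txt", "read")
    m.set_initial_policy("D_user", "D_backup", {"switch"})
    p = Process("backup.sh", "D_user")
    events = [("user reads", p.access(m, "payroll.txt", "read"))]
    p.switch_domain(m, "D_backup")
    events.append(("backup reads", p.access(m, "payroll.txt", "read")))
    events.append(("backup writes", p.access(m, "payroll.txt", "write")))
    try:
        m.grant("D_backup", "D_other", "payroll.txt", "read")
        events.append(("backup re-grants", True))
    except PermissionError:
        events.append(("backup re-grants", False))
    m.revoke("D_user", "D_backup", "payroll.txt", "read")
    events.append(("backup reads after revoke", p.access(m, "payroll.txt", "read")))
    try:
        p.switch_domain(m, "D_user")
        events.append(("switch back", True))
    except PermissionError:
        events.append(("switch back", False))
    return events

if __name__ == "__main__":
    for e in demo():
        print(e)
```

The audit list is the "bottleneck" of the monitor model made visible: every decision passes through one place, which is what makes the checks complete and also what makes them a cost.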
Questions……..
