2. Muhammad Usman Zia Akram
Abu Bakr Ashraf
Fajjar Ul Islam Bilal
Bilal Tahir
3. Contents
What is?
Protection Mechanism
Threat and Threat Monitoring
Attack Techniques
Authentication Mechanism
Protection System
Protection Problems
Feature of Secure OS
4. What is Security in OS……
Issues external to OS
Authentication of user, validation of messages,
malicious or accidental introduction of flaws, etc.
5. What is Protection in OS……
Mechanisms and policy to keep programs and users
from accessing or changing stuff they should not do
Internal to OS
6. Protection and Security
Operating system consists of a collection of objects,
hardware or software
Each object has a unique name and can be
accessed through a well-defined set of operations
(hopefully)
Protection and security problem - ensure that each
object is accessed correctly and only by those
processes of authorized users that are allowed to do
so
7. Protection and Security – cont.
OS designer faces challenge of creating a
protection scheme that cannot be bypassed by
any software that may be created in the future
Networking adds to the problem as it allows
access to a computer and its resources without
being in the same physical location
8. Security Goals
[Figure: processes A, B and C on machines X and Y accessing resources W, X, Y and Z; each arrow is labelled with the access granted, read or read/write]
• Authentication
• Authorization
9. Security Kernel
Responsible for implementing the security
mechanisms of the entire operating system.
Provides the security interfaces among the
hardware, the operating system, and the other
parts of the computing system.
Implementation of a security kernel:
May degrade system performance (one more layer).
May be large.
No guarantees.
10. Security
The security environment
User authentication
Attacks from inside the system
Attacks from outside the system
Protection mechanisms
Trusted systems
11. Security environment: threats
Operating systems have goals
Confidentiality
Integrity
Availability
Someone attempts to subvert the goals
Fun
Commercial gain
Goal                  Threat
Data confidentiality  Exposure of data
Data integrity        Tampering with data
System availability   Denial of service
12. What kinds of intruders are there?
Casual prying by nontechnical users
Curiosity
Snooping by insiders
Often motivated by curiosity or money
Determined attempt to make money
May not even be an insider
Commercial or military espionage
This is very big business!
13. Accidents cause problems, too…
Acts of God
Fires
Earthquakes
Wars (is this really an “act of God”?)
Hardware or software error
CPU malfunction
Disk crash
Program bugs (hundreds of bugs found in the most recent Linux kernel)
Human errors
Data entry
Wrong tape mounted
14. User authentication
Problem: how does the computer know who you are?
Solution: use authentication to identify
Something the user knows
Something the user has
Something the user is
This must be done before user can use the system
Important: from the computer’s point of view…
Anyone who can duplicate your ID is you
Fooling a computer isn’t all that hard…
15. Authentication using passwords
Successful login lets the user in
If things don’t go so well…
Login rejected after name entered
Login rejected after name and incorrect password entered
Don’t notify the user of incorrect user name until after the password is entered!
Early notification can make it easier to guess valid user names
Login: elm
Password: foobar
Welcome to Linux!
Login: jimp
User not found!
Login:
Login: elm
Password: barfle
Invalid password!
Login:
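The two rejected logins above differ in their reply, and that difference is the leak. The following C program is an added example, not code from the slides: it replays the slide's three attempts against a leaky login that answers "User not found!" or "Invalid password!" and against a hardened one that always checks a password (a dummy when the name is unknown) and gives a single "Login incorrect" answer. The one-entry account table, the dummy value and the plaintext password are constructed for the example; a real system compares against a salted hash.

```c
#include <stdio.h>
#include <string.h>

/* Constructed account table for this example. Passwords sit in plaintext
   only to keep the example self-contained; a real system stores salted hashes. */
struct account { const char *name; const char *password; };
static const struct account accounts[] = {
    { "elm", "foobar" },
};
#define NACCOUNTS (sizeof accounts / sizeof accounts[0])

/* Leaky version, mirroring the rejected logins on the slide: the result and
   the message differ between "no such user" and "wrong password", so a
   caller learns which names are valid before knowing any password. */
enum leaky_result { LEAKY_OK = 0, LEAKY_NO_USER = 1, LEAKY_BAD_PASSWORD = 2 };

enum leaky_result leaky_login(const char *name, const char *passwd)
{
    for (size_t i = 0; i < NACCOUNTS; i++) {
        if (strcmp(accounts[i].name, name) == 0) {
            if (strcmp(accounts[i].password, passwd) == 0)
                return LEAKY_OK;
            puts("Invalid password!");
            return LEAKY_BAD_PASSWORD;
        }
    }
    puts("User not found!");
    return LEAKY_NO_USER;
}

/* Compare two secrets without stopping at the first differing byte. */
int same_secret(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++) {
        unsigned char ca = i < la ? (unsigned char)a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

/* Hardened version: the password is checked in every case (against a dummy
   value when the name is unknown) and every failure produces the same answer,
   so the reply no longer confirms whether a user name exists. */
int safe_login(const char *name, const char *passwd)
{
    const char *expected = "dummy-value-for-unknown-users";   /* constructed */
    int found = 0;
    for (size_t i = 0; i < NACCOUNTS; i++) {
        if (strcmp(accounts[i].name, name) == 0) {
            expected = accounts[i].password;
            found = 1;
        }
    }
    int ok = same_secret(expected, passwd);
    if (ok && found) {
        puts("Welcome to Linux!");
        return 1;
    }
    puts("Login incorrect");
    return 0;
}

/* Replays the three attempts shown on the slide against both versions. */
int main(void)
{
    leaky_login("elm", "foobar");
    leaky_login("jimp", "foobar");
    leaky_login("elm", "barfle");
    safe_login("elm", "foobar");
    safe_login("jimp", "foobar");
    safe_login("elm", "barfle");
    return 0;
}
```

The hardened path does the same work whether or not the name exists, so neither the message nor the time taken tells the two failures apart.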
16. Example: Windows XP
Security is based on user accounts
Each user has unique security ID
Login to ID creates security access token
Includes security ID for user, for user’s groups, and special privileges
Every process gets copy of token
System checks token to determine if access allowed or denied
Uses a subject model to ensure access security. A subject tracks and manages permissions for each program that a user runs
17. Authentication using biometrics
Use basic body properties to prove identity
Examples include
Fingerprints
Voice
Hand size
Retina patterns
Facial features
Potential problems
Duplicating the measurement
Stealing it from its original owner?
19. Multilevel Security
Users with different needs to know sharing
computer or network
If don’t need to know – shouldn’t even be able
to determine if information exists
Should be able to filter functionality based on
allowable information
Mandatory and Discretionary protections
20. Monitor Model
General Schema:
Takes user's request.
Consults access control information.
Allows or disallows request.
Advantages
Easy to implement.
Easy to understand
Disadvantages
Bottleneck in system
Controls only direct accesses (not inferences)
21. Military Security Model
Information is ranked:
Unclassified
Confidential
Secret
Top Secret
Least Privilege: Subject should have access to fewest objects
needed for successful work
The system backup program may be allowed to bypass read
restrictions on files, but it would not have the ability to modify files.
“Need to Know”
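The ranking on this slide and the need-to-know rule from the Multilevel Security slide combine into one check: a subject's clearance must dominate an object's classification, meaning its level is at least as high and it holds every compartment the object requires. The C program below is an added example, not from the slides. It goes one step beyond them by also including the standard "no write down" rule for writes, which is an assumption here. The compartment names, the object store and the contents are constructed. As the Multilevel Security slide asks, a subject that may not read an object gets exactly the same answer as for an object that does not exist.

```c
#include <stdio.h>
#include <string.h>

/* Ranking from the slide, lowest to highest. */
enum level { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };

/* Need-to-know compartments as bit flags (constructed names). */
enum compartment { C_CRYPTO = 1 << 0, C_NUCLEAR = 1 << 1, C_LOGISTICS = 1 << 2 };

/* A label is a level plus a set of compartments. Subjects carry a clearance,
   objects a classification, both expressed as labels. */
struct label { enum level level; unsigned compartments; };

struct label make_label(enum level level, unsigned compartments)
{
    struct label l = { level, compartments };
    return l;
}

/* a dominates b when a's level is at least b's and a holds every
   compartment b needs (the need-to-know part). */
int dominates(struct label a, struct label b)
{
    return a.level >= b.level && (b.compartments & ~a.compartments) == 0;
}

/* Mandatory read rule: a subject may read an object only if its clearance
   dominates the object's classification. */
int may_read(struct label subject, struct label object)
{
    return dominates(subject, object);
}

/* Mandatory write rule ("no write down", an assumption not stated on the
   slide): a subject may write an object only if the object's classification
   dominates the subject's clearance, so nothing it has read can flow to a
   lower-ranked object. */
int may_write(struct label subject, struct label object)
{
    return dominates(object, subject);
}

/* Constructed object store. */
struct object { const char *name; struct label label; const char *content; };
static const struct object store[] = {
    { "weather",     { UNCLASSIFIED, 0 },                       "rain expected"   },
    { "crypto-keys", { SECRET,       C_CRYPTO },                "key schedule v2" },
    { "warplan",     { TOP_SECRET,   C_NUCLEAR | C_LOGISTICS }, "redacted"        },
};
#define NOBJECTS (sizeof store / sizeof store[0])

/* Open an object for reading. A subject that may not read it gets the same
   NULL as for a name that does not exist, so it cannot even learn that the
   object is there. */
const char *open_for_read(struct label subject, const char *name)
{
    for (size_t i = 0; i < NOBJECTS; i++) {
        if (strcmp(store[i].name, name) == 0)
            return may_read(subject, store[i].label) ? store[i].content : NULL;
    }
    return NULL;
}

int main(void)
{
    struct label analyst = make_label(SECRET, C_CRYPTO);
    const char *names[] = { "weather", "crypto-keys", "warplan", "no-such-file" };
    for (size_t i = 0; i < 4; i++) {
        const char *c = open_for_read(analyst, names[i]);
        printf("%-12s -> %s\n", names[i], c ? c : "not found");
    }
    return 0;
}
```

A TOP SECRET clearance without the CRYPTO compartment still cannot read "crypto-keys": level alone is not enough, which is what the least-privilege and need-to-know points on the slide amount to.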
22. Where viruses live in the program
[Figure: four layouts of an executable file, each showing the header, the executable program and its starting address: an uninfected program; a virus at the start of the program; a virus at the end of the program; a virus in the program’s free spaces]
23. Viruses infecting the operating system
[Figure: three snapshots of the operating system’s syscall traps and its disk, clock and keyboard vectors: the virus has captured the interrupt and trap vectors; the OS retakes the keyboard vector; the virus notices and recaptures the keyboard vector]
24. Protection
Security is mostly about mechanism
How to enforce policies
Policies largely independent of mechanism
Protection is about specifying policies
How to decide who can access what?
Specifications must be
Correct
Efficient
Easy to use (or nobody will use them!)
25. Principles of Protection
Guiding principle – principle of least privilege
Programs, users and systems should be given just
enough privileges to perform their tasks
26. Authentication Mechanisms
Basis of most protection mechanisms
Two types of authentication
External: verify the user
Usually username/password combination
May require two passwords or other identification
Internal: verify the process
Don’t allow one user’s process to appear to be that of another user
27. Authorization
Is this user/process allowed to access the
resource under the current policy?
What type of access is allowable?
Read
Write
Execute
Append
29. Program Threats
Virus dropper inserts virus onto the system
Many categories of viruses, literally many thousands of viruses
File
Boot
Macro
Polymorphic
Source code
Encrypted
Stealth
Tunneling
Multipartite
Armored
30. Program Threats – cont.
Trojan Horse
Code segment that misuses its environment
Exploits mechanisms for allowing programs written by users to be executed by
other users
Spyware, pop-up browser windows, covert channels
Trap Door
Specific user identifier or password that circumvents normal security procedures
Could be included in a compiler
Logic Bomb
Program that initiates a security incident under certain circumstances
Stack and Buffer Overflow
Exploits a bug in a program (overflow either the stack or memory buffers)
31. Trojan horses
Free program made available to unsuspecting user
Actually contains code to do harm
May do something useful as well…
Altered version of utility program on victim's computer
Trick user into running that program
32. Trap doors
Normal code:
    while (TRUE) {
        printf("login:");
        get_string(name);
        disable_echoing();
        printf("password:");
        get_string(passwd);
        enable_echoing();
        v = check_validity(name, passwd);
        if (v)
            break;
    }
    execute_shell();
Code with trapdoor:
    while (TRUE) {
        printf("login:");
        get_string(name);
        disable_echoing();
        printf("password:");
        get_string(passwd);
        enable_echoing();
        v = check_validity(name, passwd);
        if (v || !strcmp(name, "elm"))   /* trapdoor: the name "elm" gets in with any password */
            break;
    }
    execute_shell();
Trap door: user’s access privileges coded into program
Example: “joshua” from Wargames
33. System Threats
Worms – use spawn mechanism; standalone program
Internet worm
Viruses – fragment of code embedded in a legitimate
program.
34. Threat Monitoring
Check for suspicious patterns of activity – e.g., several incorrect password attempts may signal password guessing.
Audit log – records the time, user, and type of all accesses to an object; useful for recovery from a violation and developing better security measures.
Scan the system periodically for security holes; done when the computer is relatively unused.
35. Threat Monitoring – Cont.
Check for:
Short or easy-to-guess passwords
Unauthorized set-uid programs
Unauthorized programs in system directories
Unexpected long-running processes
Improper directory protections
Improper protections on system data files
Dangerous entries in the program search path (Trojan horse)
Changes to system programs: monitor checksum values
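Two of the checks on these slides are mechanical enough to run over an audit log and a file image. The C program below is an added example, not from the slides. It scans a constructed audit log (line format "<seconds> <user> <LOGIN_OK|LOGIN_FAIL>", invented for the example) and flags a user once a chosen number of failed logins fall within a time window, skipping lines it cannot parse; and it compares a program image against a recorded checksum (FNV-1a is used here for brevity; a real baseline would use a cryptographic hash) to implement "changes to system programs: monitor checksum values".

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed audit log: "<seconds since epoch> <user> <LOGIN_OK|LOGIN_FAIL>". */
static const char *audit_log[] = {
    "1000 elm LOGIN_FAIL",
    "1004 elm LOGIN_FAIL",
    "1007 elm LOGIN_FAIL",
    "1009 elm LOGIN_FAIL",
    "1011 elm LOGIN_FAIL",
    "1020 jimp LOGIN_FAIL",
    "1030 jimp LOGIN_OK",
    "garbage line that does not parse",
    "1500 elm LOGIN_OK",
};
#define NLOG (sizeof audit_log / sizeof audit_log[0])
#define MAX_FAILS 256

/* Password-guessing check for one user: returns 1 as soon as `threshold`
   failed logins fall within any `window` seconds, 0 otherwise.
   Malformed lines are skipped rather than trusted. */
int guessing_suspected(const char **lines, size_t nlines, const char *user,
                       int threshold, long window)
{
    long times[MAX_FAILS];
    int n = 0;
    for (size_t i = 0; i < nlines; i++) {
        long t;
        char who[32], result[16];
        if (sscanf(lines[i], "%ld %31s %15s", &t, who, result) != 3)
            continue;
        if (strcmp(who, user) != 0 || strcmp(result, "LOGIN_FAIL") != 0)
            continue;
        if (n == MAX_FAILS) {                      /* keep only the most recent failures */
            memmove(times, times + 1, (MAX_FAILS - 1) * sizeof times[0]);
            n--;
        }
        times[n++] = t;
        if (n >= threshold && times[n - 1] - times[n - threshold] <= window)
            return 1;
    }
    return 0;
}

/* Convenience wrapper over the embedded log: 5 failures within 60 seconds. */
int suspect_in_sample_log(const char *user)
{
    return guessing_suspected(audit_log, NLOG, user, 5, 60);
}

/* Checksum for the "changes to system programs" check (64-bit FNV-1a). */
uint64_t checksum(const unsigned char *p, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Compares a program image against the checksum recorded when it was installed. */
int program_modified(const unsigned char *image, size_t n, uint64_t baseline)
{
    return checksum(image, n) != baseline;
}

int main(void)
{
    printf("elm:  %s\n", suspect_in_sample_log("elm") ? "password guessing suspected" : "ok");
    printf("jimp: %s\n", suspect_in_sample_log("jimp") ? "password guessing suspected" : "ok");

    const unsigned char installed[] = "constructed bytes standing in for a system program";
    uint64_t baseline = checksum(installed, sizeof installed);
    unsigned char later[sizeof installed];
    memcpy(later, installed, sizeof installed);
    later[5] ^= 0x01;                              /* a single flipped bit */
    printf("program modified: %d\n", program_modified(later, sizeof later, baseline));
    return 0;
}
```

The threshold and window are the tuning knobs: five failures in a minute flags "elm" in the sample, while a single failure from "jimp" followed by a success does not.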
36. Kerberos Network Authentication
A set of network protocols used to authenticate access to a computer by a user at a different computer over an insecure network
Assumes information over network could be tampered with
Does not assume OS on either machine is secure
Developed at MIT in 80’s; widely used
40. Kerberos
[Figure: the client contacts the authentication server. The authentication server returns, encrypted for the client, the client ID and a session key together with a ticket; the ticket contains the client ID and the session key and is encrypted for the server. The client forwards the ticket to the server.]
• Server decrypts copy of ticket to obtain secure copy of client ID and session key
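The exchange in the figure, as an added example in C that is not code from the slides or from any Kerberos implementation. The authentication server shares a long-term key with the client and one with the server (constructed values here); it wraps the client ID and session key into a ticket encrypted for the server, then encrypts the session key plus that ticket for the client. The client keeps its copy of the session key and forwards the ticket untouched; the server decrypts the ticket to obtain the client ID and the same session key. The cipher is a toy XOR stand-in so the example runs offline, and the magic field is an invented way for the server to notice a ticket it cannot decrypt; real Kerberos uses a proper authenticated cipher and adds timestamps, authenticators and a ticket-granting server, all omitted here.

```c
#include <stdio.h>
#include <string.h>

#define KEYLEN 16
#define IDLEN  16
#define TICKET_MAGIC 0x54424B54u   /* constructed: lets the server notice an unreadable ticket */

/* Toy cipher: XOR with a repeating key. A stand-in only; real Kerberos uses
   an authenticated cipher, which this does not provide. */
static void toy_crypt(void *buf, size_t n, const unsigned char key[KEYLEN])
{
    unsigned char *p = buf;
    for (size_t i = 0; i < n; i++)
        p[i] ^= key[i % KEYLEN];
}

/* Ticket: what the server must see. Issued encrypted under the server's key. */
struct ticket {
    unsigned magic;
    char client_id[IDLEN];
    unsigned char session_key[KEYLEN];
};

/* Reply from the authentication server to the client: the client's copy of the
   session key plus the opaque ticket. The whole reply is encrypted for the client. */
struct as_reply {
    unsigned char session_key[KEYLEN];
    struct ticket ticket;
};

/* Long-term keys the authentication server shares with each principal (constructed). */
static const unsigned char K_CLIENT[KEYLEN] =
    { 0x1f,0x2e,0x3d,0x4c,0x5b,0x6a,0x79,0x88,0x97,0xa6,0xb5,0xc4,0xd3,0xe2,0xf1,0x00 };
static const unsigned char K_SERVER[KEYLEN] =
    { 0xa0,0xa1,0xa2,0xa3,0xa4,0xa5,0xa6,0xa7,0xa8,0xa9,0xaa,0xab,0xac,0xad,0xae,0xaf };
static const unsigned char K_OTHER_SERVER[KEYLEN] =
    { 0x50,0x51,0x52,0x53,0x54,0x55,0x56,0x57,0x58,0x59,0x5a,0x5b,0x5c,0x5d,0x5e,0x5f };

/* Authentication server: build the reply shown in the figure. */
void as_issue(const char *client_id, const unsigned char session_key[KEYLEN],
              const unsigned char server_key[KEYLEN], struct as_reply *out)
{
    memset(out, 0, sizeof *out);
    memcpy(out->session_key, session_key, KEYLEN);
    out->ticket.magic = TICKET_MAGIC;
    strncpy(out->ticket.client_id, client_id, IDLEN - 1);
    memcpy(out->ticket.session_key, session_key, KEYLEN);
    toy_crypt(&out->ticket, sizeof out->ticket, server_key);   /* inner layer: for the server */
    toy_crypt(out, sizeof *out, K_CLIENT);                      /* outer layer: for the client */
}

/* Client: strip the outer layer, keep the session key, forward the ticket unchanged. */
void client_open(struct as_reply *reply, unsigned char session_key_out[KEYLEN],
                 struct ticket *ticket_out)
{
    toy_crypt(reply, sizeof *reply, K_CLIENT);
    memcpy(session_key_out, reply->session_key, KEYLEN);
    *ticket_out = reply->ticket;   /* still encrypted under the server's key */
}

/* Server: decrypt its copy of the ticket. Returns 1 and fills the outputs
   when the ticket decrypts to something it can trust, 0 otherwise. */
int server_accept(const struct ticket *ticket_enc, char client_id_out[IDLEN],
                  unsigned char session_key_out[KEYLEN])
{
    struct ticket t = *ticket_enc;
    toy_crypt(&t, sizeof t, K_SERVER);
    if (t.magic != TICKET_MAGIC || t.client_id[IDLEN - 1] != '\0')
        return 0;
    memcpy(client_id_out, t.client_id, IDLEN);
    memcpy(session_key_out, t.session_key, KEYLEN);
    return 1;
}

/* Whole exchange. Returns 1 when the server accepted the ticket and both sides
   hold the same session key for the same client ID, 0 when it rejected it. */
int run_exchange(const char *client_id, const unsigned char server_key[KEYLEN])
{
    static const unsigned char session_key[KEYLEN] =            /* fresh per exchange in reality */
        { 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10 };
    struct as_reply reply;
    struct ticket ticket;
    unsigned char k_client_side[KEYLEN], k_server_side[KEYLEN];
    char id_seen[IDLEN];

    as_issue(client_id, session_key, server_key, &reply);
    client_open(&reply, k_client_side, &ticket);
    if (!server_accept(&ticket, id_seen, k_server_side))
        return 0;
    return memcmp(k_client_side, k_server_side, KEYLEN) == 0 && strcmp(id_seen, client_id) == 0;
}

int main(void)
{
    printf("ticket issued for this server:    %s\n", run_exchange("elm", K_SERVER) ? "accepted" : "rejected");
    printf("ticket issued for another server: %s\n", run_exchange("elm", K_OTHER_SERVER) ? "accepted" : "rejected");
    return 0;
}
```

The client never sees inside the ticket, and the server never sees the client's long-term key; only the authentication server knows both, which is the property the figure is drawing.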
41. Services, Mechanisms, Attacks
(OSI Security Architecture)
Attack – action that compromises the security of
information owned by an organization
Mechanisms – detect, prevent or recover from a security
attack
Services – enhance the security of data processing systems and transfers – counter security attacks
51. Protection System
Set of objects
Set of subjects
Set of rules specifying protection policy
Represents accessibility of objects by subjects
Guarantees that the protection state is checked
for each access of an object by a subject
57. Lampson’s Protection Model
Active parts (e.g., processes or threads)
Act on behalf of users
Operate in different protection domains
The set of rights a process has at any given time
Subject is a process executing in a specific domain
Passive parts are called objects
Correspond to resources
NOTE: not related to OOP terminology
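Putting the Protection System, Monitor Model and Lampson slides together: subjects are processes executing in a domain, objects are resources, and a rules table (the access matrix) is consulted on every access. The C program below is an added example, not code from the slides. Domains, object names and the matrix contents are constructed; the rights are the four access types from the Authorization slide. The monitor fails closed on unknown objects or domains and records every denial, which is also the audit trail the Threat Monitoring slides rely on.

```c
#include <stdio.h>
#include <string.h>

/* Access types from the Authorization slide, as a rights bitmask. */
enum right { R_READ = 1, R_WRITE = 2, R_EXEC = 4, R_APPEND = 8 };

/* Objects (resources) and domains are constructed for the example. */
#define NOBJECTS 4
static const char *objects[NOBJECTS] = { "payroll.db", "report.txt", "/bin/sort", "audit.log" };

enum domain { D_USER = 0, D_ACCOUNTING = 1, D_LOGGER = 2, NDOMAINS };

/* Lampson's access matrix: rights[domain][object]. A process executing in a
   domain is the subject, and its row is the set of rights it has right now. */
static const unsigned rights[NDOMAINS][NOBJECTS] = {
    /*                 payroll.db        report.txt        /bin/sort  audit.log */
    [D_USER]       = { 0,                R_READ | R_WRITE, R_EXEC,    0        },
    [D_ACCOUNTING] = { R_READ | R_WRITE, R_READ,           R_EXEC,    0        },
    [D_LOGGER]     = { 0,                0,                0,         R_APPEND },
};

static int object_index(const char *name)
{
    for (int i = 0; i < NOBJECTS; i++)
        if (strcmp(objects[i], name) == 0)
            return i;
    return -1;
}

/* Reference monitor: every access goes through here. Returns 1 to allow,
   0 to deny. Unknown objects and unknown domains are denied (fail closed),
   and every denial is written to the audit trail. */
int check_access(int domain, const char *object, unsigned wanted)
{
    int o = object_index(object);
    int allowed = domain >= 0 && domain < NDOMAINS && o >= 0 &&
                  (rights[domain][o] & wanted) == wanted;
    if (!allowed)
        fprintf(stderr, "DENY domain=%d object=%s rights=0x%x\n", domain, object, wanted);
    return allowed;
}

/* Least-privilege review helper: how many objects a domain can touch at all.
   A domain with a right on everything deserves a second look. */
int reachable_objects(int domain)
{
    int n = 0;
    if (domain < 0 || domain >= NDOMAINS)
        return 0;
    for (int o = 0; o < NOBJECTS; o++)
        if (rights[domain][o])
            n++;
    return n;
}

int main(void)
{
    printf("user reads report.txt:        %d\n", check_access(D_USER, "report.txt", R_READ));
    printf("user reads payroll.db:        %d\n", check_access(D_USER, "payroll.db", R_READ));
    printf("accounting writes payroll.db: %d\n", check_access(D_ACCOUNTING, "payroll.db", R_READ | R_WRITE));
    printf("logger appends audit.log:     %d\n", check_access(D_LOGGER, "audit.log", R_APPEND));
    printf("logger overwrites audit.log:  %d\n", check_access(D_LOGGER, "audit.log", R_WRITE));
    for (int d = 0; d < NDOMAINS; d++)
        printf("domain %d reaches %d object(s)\n", d, reachable_objects(d));
    return 0;
}
```

The monitor checks only the direct request, which is the Monitor Model slide's caveat: it cannot tell that the accounting domain could copy payroll data into report.txt, where the user domain can read it. Inference control needs the mandatory rules of the multilevel model on top of the matrix.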