UNIT-2: 1. Protected Objects and Methods of Protection

The document discusses various methods operating systems use to provide security and access control, including:
- Separating users through physical, temporal, logical, and cryptographic means to protect shared resources like memory, devices, programs, and data
- Implementing access control through techniques like access limitation, capabilities, limiting object use, memory protection using registers, segmentation, paging, directories, access control lists, and the access control matrix
- Providing file protection through all-none, group, and role-based access control methods

Uploaded by Rani Murali

UNIT-2

• An operating system has two goals:
o controlling shared access
o implementing an interface to allow that access
• Underneath those goals are support activities, including
identification and authentication, naming, filing objects, scheduling,
communication among processes, and reclaiming and reusing objects.
• Operating system functions can be categorized as
o access control
o identity and credential management
o information flow
o audit and integrity protection
• Each of these activities has security implications.
1. Protected Objects and Methods of Protection
Protected Objects
• The rise of multiprogramming meant that several aspects of a
computing system required protection:
o memory
o sharable I/O devices, such as disks
o serially reusable I/O devices, such as printers and tape drives
o sharable programs and subprocedures
o networks
o sharable data
Security Methods of Operating Systems
• The basis of protection is separation: keeping one user's objects
separate from those of other users.
o physical separation, in which different processes use
different physical objects
o temporal separation, in which processes having different
security requirements are executed at different times
o logical separation, in which users operate under the
illusion that no other processes exist, as when an operating
system constrains a program's accesses so that the program
cannot access objects outside its permitted domain
o cryptographic separation, in which processes conceal
their data and computations in such a way that they are
unintelligible to outside processes
An operating system can support separation and sharing in several
ways, offering protection at any of several levels.
o Do not protect. Operating systems with no protection are
appropriate when sensitive procedures are being run at
separate times.
o Isolate. When an operating system provides isolation,
different processes running concurrently are unaware of
the presence of each other. Each process has its own
address space, files, and other objects. The operating
system must confine each process somehow so that the
objects of the other processes are completely concealed.
o Share all or share nothing. The owner of an object
declares it to be public or private. A public object is
available to all users, whereas a private object is
available only to its owner.
o Share via access limitation. With protection by access
limitation, the operating system checks the allowability
of each user's potential access to an object. That is,
access control is implemented for a specific user and a
specific object.
o Share by capabilities. An extension of limited access
sharing, this form of protection allows dynamic creation
of sharing rights for objects. The degree of sharing can
depend on the owner or the subject, on the context of the
computation, or on the object itself.
o Limit use of an object. This limits not just access to an object
but the use made of that object after it has been accessed. For
example, a user may be allowed to view a sensitive document, but not
to print a copy of it.
2. Memory and Address Protection

Fence - a method to confine users to one side of a boundary.


Fence register - uses a hardware register containing the address of the
end of the operating system. The fence cannot protect one user from
another user.
Relocation - the process of taking a program written as if it began at
address 0 and changing all addresses to reflect the actual address at
which the program is located in memory.
Base/Bounds Registers
o With two or more users, none can know in advance where a
program will be loaded for execution.
o The relocation register solves the problem by providing a base or
starting address.
o A variable fence register is generally known as a base register.
o A bounds register is an upper address limit.
Tagged Architecture
o In some cases you may want to protect some data values but not
all.
o Every word of machine memory has one or more extra bits to
identify the access rights to that word.
o These access bits can be set only by privileged (operating system)
instructions.
o The bits are tested every time an instruction accesses that location.
Segmentation
o Involves the simple notion of dividing a program into separate
pieces.
o Each piece has a logical unity, exhibiting a relationship among all
of its code or data values.
o Each segment has a unique name.
o A code or data item within a segment is addressed as the pair
<name, offset>, where name is the name of the segment
containing the data item and offset is its location within the
segment.
Translation of Segment Address
o The operating system can place any segment at any location or
move any segment to any location, even after the program begins
to execute.
o A segment can be removed from main memory (and stored on an
auxiliary device) if it is not being used currently.
o Every address reference passes through the operating system, so
there is an opportunity to check each one for protection.
Segmentation offers these security benefits:
o Each address reference is checked for protection.
o Many different classes of data items can be assigned different
levels of protection.
o Two or more users can share access to a segment, with potentially
different access rights.
o A user cannot generate an address or access to an unpermitted
segment.
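The address check that segmentation (and, as its single-segment special case, a base/bounds register pair) performs on every reference, written out as a small simulator. This is an added example, not code from the notes; the segment names, users and addresses are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Segment:
    base: int                     # physical address the segment currently occupies
    length: int                   # bounds: offsets 0 .. length-1 are valid
    rights: dict = field(default_factory=dict)  # user -> set of "R"/"W"/"X"

class ProtectionFault(Exception):
    pass

class SegmentTable:
    def __init__(self):
        self.segments = {}

    def add(self, name, base, length, rights):
        self.segments[name] = Segment(base, length, dict(rights))

    def relocate(self, name, new_base):
        # The OS may move a segment even while the program runs; only the
        # table entry changes, programs keep using <name, offset>.
        self.segments[name].base = new_base

    def translate(self, user, name, offset, access):
        # Every reference goes through here, so every one is checked:
        # unknown segment, user without any right, offset past the bounds,
        # or a right the user lacks all fault before an address is formed.
        seg = self.segments.get(name)
        if seg is None or user not in seg.rights:
            raise ProtectionFault(f"{user}: no access to segment {name!r}")
        if not 0 <= offset < seg.length:
            raise ProtectionFault(f"{user}: offset {offset:#x} outside {name!r}")
        if access not in seg.rights[user]:
            raise ProtectionFault(f"{user}: {access} not permitted on {name!r}")
        return seg.base + offset

def demo():
    # Constructed sample: alice and bob share CODE with different rights;
    # only alice may touch DATA.
    t = SegmentTable()
    t.add("CODE", 0x1000, 0x400, {"alice": {"R", "X"}, "bob": {"X"}})
    t.add("DATA", 0x8000, 0x100, {"alice": {"R", "W"}})
    out = {"alice_exec": t.translate("alice", "CODE", 0x10, "X")}
    t.relocate("CODE", 0x5000)                       # moved mid-execution
    out["alice_exec_after_move"] = t.translate("alice", "CODE", 0x10, "X")
    attempts = [("bob", "CODE", 0x10, "R"),           # bob may execute, not read
                ("bob", "DATA", 0x0, "R"),            # bob has no rights on DATA
                ("alice", "DATA", 0x100, "W")]        # one past the bounds
    for user, seg, off, acc in attempts:
        try:
            t.translate(user, seg, off, acc)
            out[(user, seg, acc)] = "allowed"
        except ProtectionFault:
            out[(user, seg, acc)] = "fault"
    return out
```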
Paging
o The program is divided into equal-sized pieces called pages.
o The memory is divided into equal-sized units called page frames.

Combined Paging with Segmentation


o Paging offers implementation efficiency, while segmentation
offers logical protection characteristics.
o The IBM 390 family of mainframe systems used a form of paged
segmentation.
3. Control of Access to General Objects
Directory

o Several difficulties can arise:
o The list becomes too large if there are many shared objects.
o Revocation of access - If owner A has passed to user B the right to
read file F, an entry for F is made in the directory for B. If A later
questions that trust, A may want to revoke the access right of B.
Then ….
o Pseudonyms. Owners A and B may have two different files named
F, and they may both want to allow access by S. The directory for
S cannot contain two entries under the same name for different
files.
Access Control List
o There is one such list for each object, and the list shows all
subjects who should have access to the object and what their
access is.
Access Control Matrix
o a table in which each row represents a subject, each column
represents an object, and each entry is the set of access rights for
that subject to that object.
Capability - an unforgeable token that gives the possessor certain rights
to an object.
o One possible access right to an object is transfer or propagate.
o A subject having this right can pass copies of capabilities to other
subjects.
o In turn, each of these capabilities also has a list of permitted types
of accesses, one of which might also be transfer.
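The three views of the same rights (access control matrix, per-object ACL, per-subject capability list) together with a transfer right and revocation, as an added example that is not from the notes. Subjects A, B, C and objects F, G are constructed; "T" is the name this example gives to the transfer right.

```python
from collections import defaultdict

class AccessMatrix:
    """Rows are subjects, columns are objects, cells are sets of rights."""
    def __init__(self):
        self.rights = defaultdict(lambda: defaultdict(set))

    def grant(self, subject, obj, *rights):
        self.rights[subject][obj].update(rights)

    def check(self, subject, obj, right):
        return right in self.rights[subject][obj]

    def acl(self, obj):
        # One column: the access control list kept with the object.
        return {s: set(row[obj]) for s, row in self.rights.items() if row.get(obj)}

    def capabilities(self, subject):
        # One row: the capability list carried by the subject.
        return {obj: set(r) for obj, r in self.rights[subject].items() if r}

    def transfer(self, giver, receiver, obj, *rights):
        # Propagation needs the transfer right "T" on that object, and a
        # subject can only pass on rights it actually holds.
        held = self.rights[giver][obj]
        if "T" not in held:
            raise PermissionError(f"{giver} may not propagate rights on {obj}")
        if not set(rights) <= held:
            raise PermissionError(f"{giver} lacks {set(rights) - held} on {obj}")
        self.rights[receiver][obj].update(rights)

    def revoke(self, subject, obj):
        # Revocation is one cell cleared; a directory-per-user scheme
        # would have to find and remove every copy of the entry.
        self.rights[subject].pop(obj, None)

def demo():
    # Constructed sample: A owns F (read, write, transfer); B reads G.
    m = AccessMatrix()
    m.grant("A", "F", "R", "W", "T")
    m.grant("B", "G", "R")
    m.transfer("A", "B", "F", "R")          # A lends B read access to F
    try:
        m.transfer("B", "C", "F", "R")      # B holds R on F but not T
        forwarded = True
    except PermissionError:
        forwarded = False
    acl_f, caps_b = m.acl("F"), m.capabilities("B")
    m.revoke("B", "F")
    return {"acl_F": acl_f, "caps_B": caps_b, "forwarded": forwarded,
            "B_reads_F_after_revoke": m.check("B", "F", "R")}
```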
Kerberos
o Kerberos implements both authentication and access authorization by
means of capabilities, called tickets, secured with symmetric
cryptography.
o Kerberos requires two systems, called the authentication server (AS)
and the ticket-granting server (TGS), which are both part of the key
distribution center (KDC).
o A user presents an authenticating credential (such as a password)
to the authentication server and receives a ticket showing that the
user has passed authentication.
o Suppose Joe wants to access a resource R (for example, a file,
printer, or network port).
o Joe sends the TGS his authenticated ticket and a request to use R.
o Assuming Joe is allowed access, the TGS returns to Joe two
tickets:
o One shows Joe that his access to R has been authorized
o The second is for Joe to present to R in order to access R.

Procedure-Oriented Access Control
o Ensure that accesses to an object are made through a trusted
interface.
Role-Based Access Control
o Associate privileges with groups
4. File Protection Mechanisms
Basic Forms of Protection
All-None Protection
o Unacceptable for several reasons:
o Lack of trust
o Too coarse
o Rise of sharing
o Complexity
o File listings
Group Protection
o Focused on identifying groups of users who had some common
relationship.
o All authorized users are separated into groups.
o A group may consist of several members working on a common
project, a department, a class, or a single user.
o The basis for group membership is need to share.
o A key advantage of the group protection approach is its ease of
implementation.
o Group affiliation. A single user cannot belong to two groups.
o Multiple personalities. To overcome the one-person one-group
restriction, certain people might obtain multiple accounts,
permitting them, in effect, to be multiple users.
o All groups. To avoid multiple personalities, the system
administrator may decide that Tom should have access to all his
files any time he is active.
o Limited sharing. Files can be shared only within groups or with
the world.
Individual Permissions
o Persistent Permission
o Temporary Acquired Permission
o Unix+ operating systems provide an interesting permission scheme
based on a three-level user-group-world hierarchy.
o The Unix designers added a permission called set userid (suid).
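How the user-group-world triple is evaluated (exactly one class is consulted, with no fall-through) and how suid turns into a temporary acquired permission at exec time, as an added example rather than code from the notes. The uids, gids and modes are constructed; a root-owned 0o4755 binary stands in for a passwd-style program.

```python
import stat

def classify(uid, groups, owner, group):
    # Unix picks exactly one class: owner first, then group, then world.
    if uid == owner:
        return "user"
    if group in groups:
        return "group"
    return "other"

def permitted(mode, uid, groups, owner, group):
    # mode is the numeric st_mode, e.g. 0o4755.  Only the triple for the
    # chosen class is consulted; a more permissive world triple does not
    # help a user who fell into the owner or group class.
    shift = {"user": 6, "group": 3, "other": 0}[classify(uid, groups, owner, group)]
    bits = (mode >> shift) & 0o7
    return {name for name, bit in (("r", 4), ("w", 2), ("x", 1)) if bits & bit}

def effective_uid_on_exec(mode, uid, groups, owner, group):
    # A process may only exec the file if it has "x"; with the suid bit
    # set it then runs with the owner's uid (a temporary acquired permission).
    if "x" not in permitted(mode, uid, groups, owner, group):
        raise PermissionError("not executable for this user")
    return owner if mode & stat.S_ISUID else uid

def demo():
    # Constructed sample: a root-owned suid binary (0o4755) and a
    # group-writable data file (0o660) owned by uid 100 / gid 50.
    root, staff = 0, 50
    return {
        "passwd_world": permitted(0o4755, 1000, {1000}, root, root),
        "data_group": permitted(0o660, 1000, {1000, staff}, 100, staff),
        "data_other": permitted(0o660, 2000, {2000}, 100, staff),
        "owner_denied": permitted(0o077, 100, {100, staff}, 100, staff),
        "exec_passwd_euid": effective_uid_on_exec(0o4755, 1000, {1000}, root, root),
        "exec_plain_euid": effective_uid_on_exec(0o755, 1000, {1000}, root, root),
    }
```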
Per-Object and Per-User Protection
o The primary limitation of these protection schemes is the ability to
create meaningful groups of related users who should have similar
access to related objects.
5. User Authentication
o Authentication mechanisms use any of three qualities to confirm a
user's identity.
o Something the user knows. Passwords, PIN numbers,
passphrases, a secret handshake, and mother's maiden name are
examples of what a user may know.
o Something the user has. Identity badges, physical keys, a driver's
license, or a uniform are common examples of things people have
that make them recognizable.
o Something the user is. These authenticators, called biometrics,
are based on a physical characteristic of the user.
Passwords as Authenticators
Use of Passwords
o Passwords are mutually agreed-upon code words, assumed to be
known only to the user and the system.
o Suffer from some difficulties of use:
o Loss. Depending on how the passwords are implemented, it is
possible that no one will be able to replace a lost or forgotten
password.
o Use. Supplying a password for each access to a file can be
inconvenient and time consuming.
o Disclosure. If a password is disclosed to an unauthorized
individual, the file becomes immediately accessible.
o Revocation. To revoke one user's access right to a file, someone
must change the password, thereby causing the same problems as
disclosure.
Additional Authentication Information
o Using additional authentication information is called multifactor
authentication.
o Two forms of authentication (known as two-factor authentication)
are better than one, assuming of course that the two forms are
strong.
o But as the number of forms increases, so also does the
inconvenience.
Attacks on Passwords
o Some ways an attacker might determine a user's password, in
decreasing order of difficulty:
o Try all possible passwords.
o Try frequently used passwords.
o Try passwords likely for the user.
o Search for the system list of passwords.
o Ask the user.
Loose-Lipped Systems
E.g.,
WELCOME TO THE XYZ COMPUTING SYSTEMS
ENTER USER NAME: adams
INVALID USER NAME / UNKNOWN USER
ENTER USER NAME:
An alternative arrangement of the login sequence is shown below.
WELCOME TO THE XYZ COMPUTING SYSTEMS
ENTER USER NAME: adams
ENTER PASSWORD: john
INVALID ACCESS
ENTER USER NAME:
ENTER USER NAME: adams
ENTER PASSWORD: john
INVALID ACCESS
ENTER USER NAME: adams
ENTER PASSWORD: johnq
WELCOME TO THE XYZ COMPUTING SYSTEMS
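The second login sequence above, implemented so that the system stays tight-lipped: the same reply for an unknown user name and for a wrong password, the same amount of work in both cases, and only salted hashes on disk (the "encrypted password file" discussed below). This is an added example, not from the notes; the user name adams and password johnq are taken from the transcript, and the iteration count is an assumption.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # PBKDF2 work factor; assumption, tune for a real system

def make_entry(password):
    # Store salt + slow hash, never the password itself.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

# Constructed password file: user name -> (salt, hash).
PASSWORD_FILE = {"adams": make_entry("johnq")}

# Dummy entry verified whenever the name is unknown, so the response time
# does not reveal whether a user name exists.
_DUMMY = make_entry("dummy")

def login(user, password):
    salt, stored = PASSWORD_FILE.get(user, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # "&" rather than "and": both checks always run, and the comparison is
    # constant-time.  The reply never says which part was wrong.
    ok = (user in PASSWORD_FILE) & hmac.compare_digest(candidate, stored)
    return "WELCOME TO THE XYZ COMPUTING SYSTEMS" if ok else "INVALID ACCESS"

def demo():
    # The three attempts from the transcript above, plus an unknown user.
    return [login("adams", "john"), login("nobody", "johnq"),
            login("adams", "johnq")]
```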
Exhaustive Attack
In an exhaustive or brute force attack, the attacker tries all possible
passwords, usually in some automated fashion
Probable Passwords
Passwords Likely for a User
Password guessing steps:
o no password
o the same as the user ID
o is, or is derived from, the user's name
o common word list (for example, "password," "secret," "private") plus
common names and patterns (for example, "asdfg," "aaaaaa")
o short college dictionary
o complete English word list
o short college dictionary with capitalizations (PaSsWorD) and
substitutions (0 for O, and so forth)
o complete English with capitalizations and substitutions
o common non-English dictionaries with capitalization and
substitutions
o brute force, lowercase alphabetic characters
o brute force, full character set
Plaintext System Password List
Encrypted Password File
Indiscreet Users - Get it directly from the user! People often tape a
password to the side of a terminal or write it on a card just inside the top
desk drawer.
Password Selection Criteria
o Use characters other than just A-Z.
o Choose long passwords.
o Avoid actual names or words.
o Choose an unlikely password
o Change the password regularly.
o Don't write it down.
o Don't tell anyone else. The easiest attack is social engineering, in
which the attacker contacts the system's administrator or a user to
elicit the password in some way.

One-Time Passwords
• Biometrics: Authentication Not Using Passwords
• Identification vs Authentication
• Much more reliable, but less effective
