IT3004 - Operating Systems and Computer Security 05 - General Purpose Operating Systems

The document discusses general purpose operating systems and computer security. It covers key concepts like access control, protected objects, separation, sharing, memory protection using techniques like segmentation and paging, access control to general objects using capabilities and access control lists, user authentication using passwords and biometrics, and attacks on password systems like brute force attacks and impersonation. It provides details on various memory protection and access control mechanisms used in operating systems to control access to resources and protect the system from unauthorized access.

Uploaded by

Mangala Semage
Copyright
© All Rights Reserved

Operating Systems and Computer Security
General Purpose Operating Systems

Operating System
• Multi user
• Multi tasking
• Access control
  ◦ Controlling shared access
  ◦ Interface to allow that access

Protected Objects
• Memory
• Files on auxiliary storage
• I/O devices
• Programs and sub procedures
• Networks
• Data

◦ Supported by hardware

Separation
• Keeping one user's objects separate from other users
  ◦ physical separation: different processes use different physical objects, such as separate printers for different levels of security
  ◦ temporal separation: processes having different security requirements are executed at different times
  ◦ logical separation: users operate under the illusion that no other processes exist
  ◦ cryptographic separation: processes conceal their data and computations

Sharing
• Do not protect
• Isolate
  ◦ Different processes are unaware of each other
  ◦ Different address space
  ◦ Files
• Share all or share nothing
  ◦ Declared public or private by user
• Share with access limitation
  ◦ Particular user's access to a particular object
• Share by capabilities
  ◦ Degree of sharing depends on the owner
• Limit use of an object
  ◦ Different users have different rights for different objects

Memory and Address Protection
• Fence
  ◦ single-user operating systems
  ◦ Protect system memory
  ◦ predefined memory address

• Drawback
  ◦ Space always reserved

Variable Fence Register
• Operating system can be protected
• Impossible to change the starting address

Relocation
• Application begins at address 0
• Relocate all addresses to reflect the actual location in memory
• Fence register

Base & Bounds Registers
• Base register (variable fence)
  ◦ starting address
• Bounds register
  ◦ upper address limit

• context switch
  ◦ Performed by the OS
  ◦ Change in execution
  ◦ Change register contents
    • base and bounds

• User's address space

• User is perfectly protected

Two Pairs of Base & Bounds
• Secure user's code & data
• Ability to split a program into two pieces

More pairs of registers
• Code
• Read-only data
• Modifiable data

• limit for practical computer design

• Drawbacks
  ◦ Shared subprogram from a common library

Tagged Architecture
• Each word of memory has extra bits
• Identify the access rights
• Set by privileged instructions
  ◦ (operating system)

Segmentation
• Dividing a program into separate pieces
• Fixed size segments
• Code or data within a segment is addressed as the pair <name, offset>

Segmentation
• OS maintains a table of
  ◦ Segment names
  ◦ Segment addresses

Segmentation
• Advantages
  ◦ Any segment at any location
  ◦ Move any segment to any location
  ◦ Segment can be removed
  ◦ Address reference passes through the OS
    • Perform security check

• Security benefits
  ◦ Each address reference is checked for protection.
  ◦ Different classes of data items can be assigned different levels of protection.
  ◦ Users can share access to a segment, with different access rights.
  ◦ A user cannot generate an address or access to an unpermitted segment

Segmentation
• Dynamic data structures
• Program can generate a reference to an invalid offset beyond the end of the segment

• No solution
  ◦ At compilation or even when a program is loaded
• Solution
  ◦ Translation table maintains segment length
  ◦ Check every generated address
  ◦ Efficiency issues

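Added example (not part of the original slides): a C sketch of the "Solution" above, in which the translation table stores each segment's length and every generated <segment, offset> reference is checked for bounds and access rights before a physical address is produced. The table layout, the rights bits, the sample addresses and names such as seg_translate are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Rights bits and status codes: hypothetical encoding for this example. */
enum { SEG_R = 1, SEG_W = 2, SEG_X = 4 };
typedef enum { XLATE_OK, XLATE_NO_SEGMENT, XLATE_OUT_OF_BOUNDS, XLATE_DENIED } xlate_status;

typedef struct {
    uint32_t base;    /* physical start address of the segment */
    uint32_t length;  /* size in bytes; valid offsets are 0..length-1 */
    uint8_t  rights;  /* SEG_R | SEG_W | SEG_X */
    uint8_t  present; /* 0 = slot unused or segment removed */
} seg_entry;

/* Constructed sample table for one process: code, read-only data, heap. */
static const seg_entry demo_table[] = {
    { 0x00400000u, 0x1000u, SEG_R | SEG_X, 1 },
    { 0x00800000u, 0x0200u, SEG_R,         1 },
    { 0x00A00000u, 0x4000u, SEG_R | SEG_W, 1 },
    { 0,           0,       0,             0 },  /* removed segment */
};
#define DEMO_SEGS (sizeof demo_table / sizeof demo_table[0])

/* Translate <seg, offset> for an access of `size` bytes needing `want` rights.
 * Assumes base + length does not wrap for any table entry. */
xlate_status seg_translate(const seg_entry *tab, size_t nsegs, uint32_t seg,
                           uint32_t offset, uint32_t size, uint8_t want,
                           uint32_t *phys)
{
    if (seg >= nsegs || !tab[seg].present)
        return XLATE_NO_SEGMENT;
    const seg_entry *e = &tab[seg];
    /* Subtraction form: offset + size could wrap around in 32 bits. */
    if (size == 0 || size > e->length || offset > e->length - size)
        return XLATE_OUT_OF_BOUNDS;
    if ((e->rights & want) != want)
        return XLATE_DENIED;
    *phys = e->base + offset;
    return XLATE_OK;
}

int main(void)
{
    uint32_t phys = 0;
    /* 4-byte read straddling the end of the 0x200-byte read-only segment. */
    xlate_status s = seg_translate(demo_table, DEMO_SEGS, 1, 0x1FE, 4, SEG_R, &phys);
    printf("status=%d\n", (int)s);
    return s == XLATE_OUT_OF_BOUNDS ? 0 : 1;
}
```

The per-reference check is the "efficiency issue" the slide mentions: it runs on every access, which is why real systems place it in address-translation hardware.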
Paging
 Program -Equal-sized pieces – Pages
 Memory -Equal-sized units -page frames.

◦ Page size = 512 - 4096 bytes


 OS maintain a table of
◦ Page numbers
◦ Page addresses
 Address
◦ <page, offset>
Paging with Segmentation
 Segments : logical units
 Fixed-size pages
 Additional hardware
Access Control to General Objects
• Goals in protecting objects
  ◦ Check every access
  ◦ Enforce least privilege
  ◦ Verify acceptable usage

◦ Objects
◦ Subjects
◦ Unique owner - possesses "control" access rights

Directory
• User wise
• Maintained by OS
• Rights
  ◦ Read
  ◦ Write
  ◦ Execute
  ◦ Owner

Directory
• Disadvantages
  ◦ Different directory for each user
  ◦ Large data structures
  ◦ Entry for unwanted objects
  ◦ Time consuming operations
  ◦ Two entries under the same name for different files

Directory
• A:F (or B:F)
• Rename by third user

Access Control List
• One list for each object
• One directory for each subject

Access Control Matrix
• <subject, object, rights>

Capability
• Keeps track of the access rights of subjects to objects during execution
• Ticket giving permissions
• Access to an object
• Unforgeable
  ◦ Don't give the ticket directly to the user
  ◦ OS holds
• Encrypted
  ◦ key available only to the access control mechanism

Domain
• Local name space
• Collection of objects to which process has access
• Collection of capabilities

Procedure Calls
• Calling sub procedure
• Different domain
• Passing rights
  ◦ R, RW
• OS creates new capabilities

Procedure based Access Control
• Procedure that controls access to objects
• Accesses to an object are made through a trusted interface
• Users or general operating system routines can't access
• No simple, fast access

Role Based Access Control
• Different users
  ◦ Administrators
  ◦ Users or guests
• Associate privileges
  ◦ Users
  ◦ Groups

• Control access rights by job

File Protection Mechanisms
• All-None Protection
  ◦ Trust combined with ignorance
  ◦ All files are public
  ◦ System files protected by system administrator
  ◦ Drawbacks
    • Lack of trust
    • Too coarse - not possible to configure selected users
    • Rise of sharing
    • Complexity
    • File listings

File Protection Mechanisms
• Group Protection
  ◦ User groups
  ◦ Common requirements
    • Common project
    • Department
    • Class
  ◦ Drawbacks
    • Group affiliation - single user in two groups
    • Multiple personalities - redundant, inconvenient
    • Limited sharing

File Protection Mechanisms
• Individual Permissions
  ◦ Persistent permissions
    • Number of access lists
    • Revocation is not easy
  ◦ Temporary Acquired Permission
    • Temporarily acquires access permission
    • Only for execution of the program

Per-Object & Per-User Protection

User Authentication
• Something the user knows
  ◦ Passwords, PIN numbers
• Something the user has
  ◦ Driver's license
• Something the user is - biometrics
  ◦ Fingerprint
  ◦ Voice pattern
  ◦ Retina and iris

Passwords
• Problems
  ◦ Loss
    • Forgotten password
  ◦ Use
    • Password for each access
    • Time consuming
  ◦ Disclosure
    • Unauthorized individual
  ◦ Revocation
    • Change password

Additional Authentication
• Multifactor authentication
  ◦ Department
  ◦ Branch
  ◦ Workstation
  ◦ Time period

Attacks on Passwords
• Try all possible passwords
  ◦ Exhaustive or brute force attack
• Try frequently used passwords
  ◦ Qwe, asd
• Try passwords likely for the user
  ◦ Meaningful to user
• Search for the system list of passwords
• Ask the users

Good Practice
• Good passwords
• Choose long passwords
• Avoid meaningful words
• Unlikely password
• Change the password regularly
• Don't write it down
• Don't tell anyone else

Loose-Lipped Systems

◦ UNKNOWN USER ENTER USER NAME:

adams is not the name


Exhaustive Attack
• Brute force attack

Impersonation of Login
• User trusts the system
• Programmer captures the entry parameters
• User should interrupt any running process
  ◦ Break key
  ◦ Ctrl+Alt+Del