Chapter 6. - OS Database Security) OL - Edited2

This document discusses operating system and database security. It begins by defining what an operating system is and describing the concept of multiprogramming. It then discusses various security methods operating systems use, including separation, access control lists, access control matrices, and capabilities. It also covers protecting memory and addressing through techniques like fences, relocation, base and bound registers, segmentation, and paging.

Uploaded by k Morningstar
CHAPTER 6

OPERATING SYSTEM & DATABASE SECURITY

Operating System Security

INTRODUCTION
What is an Operating System?
- In simple words, an OS is a computer program that manages all other programs on the machine.
- Every general-purpose computer must have an operating system to run other programs.
- The OS performs basic tasks, such as recognizing input from the keyboard, sending output to the display screen, keeping track of files and directories on the disk, and controlling peripheral devices such as disk drives and printers.

INTRODUCTION
What is Multiprogramming?
- The concurrent execution of multiple programs by a single processing unit.
- Concurrent execution of several different programs by sharing the same central processing unit (CPU).
- A form of processing in which a computer holds more than one program in memory and works on them in round-robin fashion, that is, by sharing out the processor's time so that each program receives some attention some of the time. This way of working is in contrast to using the processor to run one program at a time.

SECURITY METHODS OF OPERATING SYSTEMS
- The basis of protection is separation – keeping one user's objects separate from other users'.
- According to Rushby and Randell (1983), separation in an OS can occur in several ways:
  - Physical separation – processes use different physical objects, such as separate printers for output requiring different levels of security.
  - Temporal separation – processes with different security requirements are executed at different times.
  - Logical separation – users operate under the illusion that no other processes exist, as when an OS constrains a program's accesses so that it cannot access objects outside its permitted domain.
  - Cryptographic separation – processes conceal their data and computations in such a way that they are unintelligible to outside processes.
- But separation is only half of the answer – although we want to separate users and their objects, at the same time we want to be able to provide sharing for some of those objects.

SECURITY METHODS OF OPERATING SYSTEMS
- Besides separation, an OS may offer protection at any of several levels:
  - No protection – appropriate when sensitive procedures are being run at separate times.
  - Isolation – different processes running concurrently are unaware of the presence of each other. Each process has its own address space, files and other objects.
  - Share all or share nothing – with this form of protection the owner of an object declares it to be public (available to all users) or private (available only to its owner).
  - Share via access limitation – the OS checks the allowability of each potential access. Access control is implemented for a specific user and a specific object – the OS acts as a guard between users and objects, ensuring that only authorized accesses occur.
  - Share by capability – an extension of limited access sharing that allows dynamic creation of sharing rights for objects. The degree of sharing can depend on the owner or on the object itself.
  - Limit use of an object – limits not just the access to an object but the use made of that object after it has been accessed. For example, a user may have the right to view a sensitive document but not be allowed to print a copy of it.

Protecting Access to General Objects
- The terms object and subject will be used interchangeably, where subject refers to the user (a programmer, a program, etc.) who uses the computing system's objects.
- Here are some examples of the kinds of objects for which protection is desirable:
  - Memory
  - A file or data set on an auxiliary storage device
  - Directory files
  - Instructions
  - Passwords and the user authentication mechanisms
- There are several ways to protect access to general objects:
  - Directory
  - Access Control List
  - Access Control Matrix
  - Capability

Protecting Access to General Objects
Directory
- Each user has a file directory which lists all the files to which that user has access.
- No user can be allowed to write in the file directory, because that would be a way to forge access to a file.

Access Control List
- This differs from the directory list because there is one access control list per object, while a directory is created for each subject.
- Although this difference seems small, there are some significant advantages.
- For example, if subjects A and S both have access to object F, the OS will maintain just one access list for F showing the access rights for A and S.

Access Control List - ACL
An access list specifies, for each object, the list of valid subjects which can access it.
E.g. for objects X, Y and Z with subjects A, B and C:
  X : A (read), B (read, execute)
  Y : A (write)
  Z : A (read, execute), B (read), C (read, execute)

  X      Y      Z
  A: r   A: w   A: r
  B: r          A: x
  B: x          B: r
                C: r
                C: x

Each column is stored with the object corresponding to that column.

Protecting Access to General Objects
Access Control Matrix
- It is a table in which each row represents a subject, each column represents an object and each entry is the set of rights for that subject to that object.

          Data 1   Data 2   Prog 1   Prog 2
  Alice   RW       RW       E        X
  Bob     X        R        RWE      RW
  Carol   X        W        X        E

Protecting Access to General Objects
Capability
- A capability is analogous to a ticket to a movie or an ID card that cannot be duplicated.
- It is an unforgeable token giving the possessor certain rights to an object.
- One way to make an unforgeable ticket is not to give the ticket directly to the user – instead the OS holds all the tickets on behalf of the users.
- A capability can be created only by specific request from a user to the OS.

..Capabilities
E.g. for objects X, Y and Z with subjects A, B and C:
  A : X (read), Y (read), Z (write, execute)
  B : X (read, execute), Z (read)
  C : Z (read, execute)

  A   X/r, Y/r, Z/w, Z/x
  B   X/r, X/x, Z/r
  C   Z/r, Z/x

Each row is stored with the subject corresponding to that row.

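The ACL, access control matrix and capability slides above describe three views of one structure; this added example (not from the slides) builds the matrix from the ACL slide's X/Y/Z rights, derives the per-object ACL and per-subject capability list from it, and shows an OS-held capability table in which a subject only ever receives an opaque handle. The `CapabilityTable` class and its handle scheme are assumptions made for illustration.

```python
# Added example, not from the slides: one access-control matrix viewed as
# ACLs (one column per object) and as capability lists (one row per
# subject), plus an OS-held capability table. Subjects, objects and
# rights are the slide's ACL example (X, Y, Z with A, B, C).
from typing import Dict, FrozenSet, Tuple

Rights = FrozenSet[str]
Matrix = Dict[Tuple[str, str], Rights]  # (subject, object) -> rights

MATRIX: Matrix = {
    ("A", "X"): frozenset("r"), ("B", "X"): frozenset("rx"),
    ("A", "Y"): frozenset("w"),
    ("A", "Z"): frozenset("rx"), ("B", "Z"): frozenset("r"),
    ("C", "Z"): frozenset("rx"),
}

def acl(matrix: Matrix, obj: str) -> Dict[str, Rights]:
    """Column view: the access list stored with object `obj`."""
    return {s: r for (s, o), r in matrix.items() if o == obj}

def capability_list(matrix: Matrix, subject: str) -> Dict[str, Rights]:
    """Row view: the tickets held on behalf of `subject`."""
    return {o: r for (s, o), r in matrix.items() if s == subject}

def allowed(matrix: Matrix, subject: str, obj: str, right: str) -> bool:
    """Reference-monitor check; fails closed when no entry exists."""
    return right in matrix.get((subject, obj), frozenset())

class CapabilityTable:
    """The OS keeps every ticket; a subject only ever sees an opaque handle,
    so there is nothing in user space to forge or duplicate (assumed design)."""

    def __init__(self, matrix: Matrix) -> None:
        self._matrix = matrix
        self._caps: Dict[int, Tuple[str, str, Rights]] = {}

    def request(self, subject: str, obj: str) -> int:
        """Mint a capability only on request, and only if the matrix grants rights."""
        rights = self._matrix.get((subject, obj), frozenset())
        if not rights:
            raise PermissionError(f"{subject} has no rights on {obj}")
        handle = len(self._caps) + 1
        self._caps[handle] = (subject, obj, rights)
        return handle

    def use(self, subject: str, handle: int, right: str) -> bool:
        """A handle presented by a subject other than its owner is worthless."""
        owner, _obj, rights = self._caps.get(handle, ("", "", frozenset()))
        return owner == subject and right in rights
```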
PROTECTING MEMORY & ADDRESSING
- The most obvious problem of multiprogramming is preventing one program from affecting the memory of other programs.
- There are several ways to protect memory and addressing:
  - Fence
  - Relocation
  - Base and Bound Registers
  - Tagged Architecture
  - Segmentation
  - Paging

Fence
- A method to confine users to one side of a boundary.
- The fence is a predefined memory address, so that the OS resides on one side and the user on the other.
- The implementation is very restrictive because a predefined amount of space was reserved for the OS – if less than that amount of space was required, the excess space was wasted, and the OS could not grow beyond the fence boundary.
- Another alternative is to implement a fence register.

Fence Register
- Contained the address of the end of the OS.
- The location of this fence could be changed.
- Each time a user program generated an address for data modification, the address was automatically compared against the fence address – if the address was greater than the fence address (in the user area) the instruction was executed; if it was less than the fence address (in the OS area) an error condition was raised.

Relocation
- The process of taking a program written as if it began at address 0 and changing all addresses to reflect the actual address at which the program is located in memory.
- Conveniently, the fence register can be used in this situation to provide an important extra benefit.

Base and Bound Registers
- The concept is similar to the fence register but has additional value, since a fence register only acts as a base register (stating the starting address but not the upper address).
- Bound registers are often added to indicate the upper address limit.
- In this way, a program's addresses are neatly confined to the space between the base and the bound register.

Tagged Architecture
- Errors in coding are bound to happen, and these easily compromise security based on base/bound register techniques.
- Solved with tagged architecture – every word of machine memory has one or more extra bits to identify the access rights to that word.
- These access bits are tested every time an instruction accesses that location.

Segmentation
- The notion of dividing a program into separate pieces.
- Each segment has a unique name.
- A code or data item within a segment is addressed as a pair <name, offset>, where name is the name of the segment and offset is its location within the segment.

Paging
- An alternative to segmentation.
- Each address is a two-part object <page, offset>.
- The program is divided into equal-size pieces called pages, and memory is divided into same-sized units called page frames.

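The base/bound and paging slides above describe address checks done by hardware; this added example (not from the slides) simulates both in software: relocation plus an upper-limit trap for base/bound registers, and the <page, offset> split with per-page access bits for paging. The page size, frame numbers and the `AddressFault`/`faults` helpers are constructed for illustration.

```python
# Added example, not from the slides: two of the address-protection
# schemes above simulated in software. BaseBound relocates a program
# written as if it began at 0 and traps on any address outside
# [base, bound); PageTable splits an address into <page, offset> and
# also checks per-page access bits. Sizes and mappings are constructed.
from dataclasses import dataclass
from typing import Dict

PAGE_SIZE = 4096  # constructed; real page sizes are hardware-defined

class AddressFault(Exception):
    """Where real hardware would raise an error condition."""

@dataclass(frozen=True)
class BaseBound:
    base: int   # start of the program's region (a fence register alone gives only this)
    bound: int  # first physical address past the program's region

    def translate(self, logical: int) -> int:
        physical = self.base + logical
        if logical < 0 or physical >= self.bound:
            raise AddressFault(f"logical {logical} -> {physical} outside [{self.base}, {self.bound})")
        return physical

@dataclass(frozen=True)
class PageEntry:
    frame: int    # page frame holding this page
    rights: str   # subset of "rwx": access bits for the whole page

class PageTable:
    def __init__(self, entries: Dict[int, PageEntry]) -> None:
        self._entries = entries

    def translate(self, logical: int, access: str) -> int:
        page, offset = divmod(logical, PAGE_SIZE)   # the <page, offset> pair
        entry = self._entries.get(page)
        if entry is None:
            raise AddressFault(f"page {page} is not mapped")
        if access not in entry.rights:
            raise AddressFault(f"'{access}' not permitted on page {page}")
        return entry.frame * PAGE_SIZE + offset

def faults(fn, *args) -> bool:
    """True if the access traps; used to check the failure cases."""
    try:
        fn(*args)
    except AddressFault:
        return True
    return False
```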
Designing Trusted Operating System
What is a trusted system?
- Security professionals speak of trusted rather than secure OS – connoting the ones that meet their intended security requirements and justify confidence in their quality.

Designing Trusted Operating System
Secure versus Trusted

  Secure                                      Trusted
  Either-or concept                           Graded – there are degrees of "trustedness"
  Property of presenter                       Property of receiver
  Asserted: based on product characteristics  Judged: based on evidence and analysis
  Absolute: not qualified as to how, where,   Relative: viewed in context of use
    when or by whom used
  A goal                                      A characteristic

Designing Trusted Operating System
Among the components underpinning a trusted OS are:
- Security policy: a statement of the security we expect the system to enforce.
- Model: the representation of the policy that the OS will enforce.
- Design: covers both what the trusted OS is and how it is to be constructed.
- Trust: based on two aspects, features (the OS has all the functionality needed to enforce the expected security policy) and assurance (the OS has been implemented in such a way that we have confidence it will enforce the security policy).

Security Policies
- A security policy is a statement of the security we expect the system to enforce.

Military Security Policies (MSP)
- MSP is based on protecting classified information.
- Five levels:
  1. unclassified
  2. restricted
  3. confidential
  4. secret
  5. top secret
- Classified information may be associated with one or more projects called compartments.
- The combination of rank and compartment is called the class or classification of a piece of information.
- Clearance – a person is trusted to access certain information up to a level of sensitivity, called dominance.
- A subject can read an object only if:
  a) the clearance level of the subject is at least as high as that of the information, and
  b) the subject has a need to know about all compartments for which the information is classified.

Military Security Policy
Information classified <secret, {sweden}> can be accessed/read by:
- <top secret, {sweden, crypto}> or
- <secret, {sweden, crypto}>

But cannot be accessed/read by:
- <top secret, {crypto}> or
- <confidential, {sweden}>

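The dominance rule and the <secret, {sweden}> worked case above, as an added example that is not part of the slides: a label is <rank, compartments>, and a subject may read an object only when its clearance dominates the object's classification (rank at least as high and need-to-know covering every compartment). The `Label` type and helper names are assumptions.

```python
# Added example, not from the slides: the military security policy's
# dominance rule as code. A subject may read an object only if the
# subject's clearance dominates the object's classification: rank at
# least as high AND the clearance's compartments cover the object's.
from typing import FrozenSet, NamedTuple

# The slide's five ranks, lowest first; position gives the ordering.
RANKS = ["unclassified", "restricted", "confidential", "secret", "top secret"]

class Label(NamedTuple):
    """A class/classification <rank, compartments> (assumed representation)."""
    rank: str
    compartments: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        return (RANKS.index(self.rank) >= RANKS.index(other.rank)
                and other.compartments <= self.compartments)

def label(rank: str, *compartments: str) -> Label:
    if rank not in RANKS:
        raise ValueError(f"unknown rank {rank!r}")
    return Label(rank, frozenset(compartments))

def can_read(clearance: Label, classification: Label) -> bool:
    """Read is allowed only when the clearance dominates the classification."""
    return clearance.dominates(classification)

# The slide's worked case: an object classified <secret, {sweden}>.
OBJECT = label("secret", "sweden")
```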
Chinese Wall Security Policy
A conflict of interest exists when one person can obtain sensitive information on competing companies.

Three levels of abstraction:
i) Objects – the lowest level consists of elementary objects, for example files; each file contains information concerning only one company group.
ii) Company group – all objects concerning each company are grouped together.
iii) Conflict classes – at the highest level, all groups of objects for competing companies are clustered.

Each object thus belongs to a unique company group, and each company group is contained in a unique conflict class. A conflict class may contain one or more company groups.

The Chinese wall policy is a commercially inspired confidentiality policy, whereas commercial policies focus on integrity.

Conflict classes (example): someone has data on six company groups, clustered into three conflict classes:
  Conflict class 1: Air Asia, MAS
  Conflict class 2: Cadbury, Vochele, Hershey
  Conflict class 3: TNB
(each company is one company group)

ACCESS SCHEME – a person can access any information as long as that person has never accessed information from a different company in the same conflict class.

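The access scheme above depends on what a subject has already read, so a Chinese wall monitor has to keep per-subject history; this added example (not from the slides) implements it over the deck's six company groups. The conflict-class names and the `ChineseWall` class are assumptions made for illustration.

```python
# Added example, not from the slides: the Chinese wall access scheme with
# the deck's six company groups. Each object belongs to one company group
# and each company group to one conflict class; the decision depends on
# the subject's access history, so the monitor must record it.
from typing import Dict, Set

# Constructed from the slide's diagram; the class names are assumptions.
CONFLICT_CLASSES: Dict[str, Set[str]] = {
    "airlines": {"Air Asia", "MAS"},
    "confectionery": {"Cadbury", "Vochele", "Hershey"},
    "utilities": {"TNB"},
}
COMPANY_TO_CLASS = {c: k for k, cs in CONFLICT_CLASSES.items() for c in cs}

class ChineseWall:
    def __init__(self) -> None:
        # subject -> companies whose information the subject has accessed
        self._history: Dict[str, Set[str]] = {}

    def may_access(self, subject: str, company: str) -> bool:
        """Allowed unless the subject already touched a competitor of `company`."""
        cls = COMPANY_TO_CLASS[company]
        seen = self._history.get(subject, set())
        return all(c == company or COMPANY_TO_CLASS[c] != cls for c in seen)

    def access(self, subject: str, company: str) -> bool:
        """Perform the access if allowed, recording it so the wall moves."""
        if not self.may_access(subject, company):
            return False
        self._history.setdefault(subject, set()).add(company)
        return True
```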
Security Features of Trusted Operating Systems
- The features of trusted operating systems include:
  - User identification: a trusted OS requires identification of individuals, and each individual must be uniquely identified.
  - Mandatory access control: access control policy decisions are made beyond the control of the individual owner of an object – a central authority determines what information is to be accessible by whom, and the user cannot change the access rights.
  - Discretionary access control: the owner can determine who should have access rights to an object and what those rights should be.
  - Object reuse protection: to prevent object reuse leakage, the OS clears (overwrites) all space to be reassigned.
  - Complete mediation: all accesses are checked.
  - Trusted path: for critical operations such as setting a password or changing access permissions, users are required to communicate through a trusted path.
  - Accountability and audit: maintaining a log of security-relevant events that have occurred, listing each event and the person responsible.
  - Intrusion detection system: software builds usage patterns of the normal system and triggers an alarm any time the usage is abnormal.

Hardening Your OS
Operating System Hardening
- Hardening of operating systems is the first step towards safeguarding systems from intrusion. Workstations and servers typically arrive from the vendor installed with a multitude of development tools and utilities, which, although beneficial to the new user, also provide potential back-door access to an organisation's systems.
- Hardening of an operating system involves the removal of all non-essential tools, utilities and other systems administration options, any of which could be used to ease a hacker's path to your systems. Following this, the hardening process will ensure that all appropriate security features are activated and configured correctly. Again, 'out of the box' systems will likely be set up for ease of access, with access to the 'root' / Administrator account. Some vendors have now recognised that a market exists for pre-hardened systems.

Database Security

Introduction
- A database is a collection of data and a set of rules that organize the data by specifying certain relationships among the data.
- Through these rules, the user describes a logical format for the data.
- The user interacts with the database through a program called a database manager or database management system (DBMS), informally known as a front end.

Introduction
Advantages of Using Databases
- Shared access – so that many users can use one common, centralized set of data.
- Minimal redundancy – so that individual users do not have to collect and maintain their own sets of data.
- Data consistency – so that a change to a data value affects all users of the data value.
- Data integrity – so that data values are protected against accidental or malicious incorrect changes.
- Controlled access – so that only authorized users are allowed to view or modify data values.

Security Requirements
- Physical database integrity – so that the data of a database is immune to physical problems such as power failures, and so that someone can reconstruct the database if it is destroyed through a catastrophe.
- Logical database integrity – so that the structure of the database is preserved. With logical integrity of a database, a modification to the value of one field does not affect other fields.
- Element integrity – so that the data contained in each element is accurate.
- Auditability – to be able to track who has accessed (or modified) the elements in the database.
- Access control – so that a user is allowed to access only authorized data, and so that different users can be restricted to different modes of access (such as read or write).
- User authentication – to ensure that every user is positively identified, both for the audit trail and for permission to access certain data.
- Availability – meaning that users can access the database in general and all the data for which they are authorized.

Sensitive Data
- Sensitive data is data that should not be made public.
- Determining which data items are sensitive depends on the individual database and the underlying meaning of the data.
- Example: a library public catalog (no sensitive data), military and defense databases (all sensitive data), a university database (some but not all sensitive).

Types of Disclosure
- Exact data – the most serious disclosure is the exact value of the sensitive data itself.
- Bounds – indicating that a sensitive value (y) is between values L and H.
- Negative result – sometimes one can word a query to determine a negative result (z is not the value of y).
- Existence – the existence of data is itself a sensitive piece of data, regardless of the actual value.
- Probable value – it may be possible to determine the probability that a certain element has a certain value.

Proposals for Secure Multilevel Databases
Partitioning
- The database is divided into separate databases, each at its own level of sensitivity.
- This approach is similar to maintaining separate files in separate file cabinets.

Encryption
- If sensitive data is encrypted, a user who accidentally receives sensitive data cannot interpret the data.
