PROTECTION AND SECURITY

Protection and Security

Protection mechanisms are essential for preventing processes from
interfering with each other and ensuring that only authorized processes can
access specific resources. They involve concepts like authorization,
protection domains, and access control lists.
Chapter 14: System Protection
System protection is a mechanism to control access to resources in a
computer, and it also ensure the that only authorized processes can access
resources like files, memory, CPU, etc.
Objectives:
 To discuss goals and principles of protection in a modern computer
system.
 To explain how protection domains, combined with an access matrix, are
used to specify the resources a process may access.
 To examine capability- and language-based protection systems.
 Goals of Protection

 Protection mechanisms are important for

ensuring system integrity and preventing
unauthorized access to resources. It highlights
the need of flexible and adaptable protection
mechanisms that can apply policies and respond
to system problems.
 Protection focuses on controlling access.
 Security ensures data integrity preservation.
Principles of Protection

The principle of least privilege is a guiding principle

in system design that dictates giving programs,
users, and even systems only the necessary
privileges to perform their tasks. This principle
minimizes damage in case of security breaches, as a
compromised component will have limited access
and therefore cause minimal damage. It’s analogous
to a security guard with a passkey who only allows
access to specific areas, minimizing damage if the
passkey is lost or misused.
 Domain of Protection
A computer system is comprised of processes and objects.
Objects can hardware (like the CPU, memory, printers, disks) or
software (like files, programs, and semaphores). Each object has
a unique name and is accessed through well-defined operations.
A process can only access those resources it has authorization
for and only those resources it needs to complete its task. This
is known as “need-to-know” principle , which helps limit the
damage a faulty process can cause. The principle of least
privilege, also applies here, minimizing the risks of security
violations.
 Domain Structure
 A protection domain is a mechanism that defines the
resources a process can access within a system. It specifies
the objects and types of operations that a process can
perform on each object. Each domain has an access right set,
which is a collection of access rights, each of which is an
ordered pair <object-name, rights-set>. For example, if
domain D has access right <file F, (read, write), then a
process executing in domain D can both read and right file F,
but cannot perform any other operation that object.
 Domains do not need to be disjoint; they may share access
rights. For example in figure 14.1, domains D2 and D3 share
access right <01, (print)>, meaning a process executing in
either of these two domains can print object 01
Domain allows a process to switch from one domain to
another. This is necessary when the access rights inquired by
a process change. Domain switching can be implemented in
various way, including switching based on user identity,
process identity, or procedure calls. It then introduces the
standard dual mode (monitor-user mode) model of operating
system execution, highlighting the need for more elaborate
protection schemas in multi programmed systems to ensure
user security and prevent unauthorized access.
 An Example: UNIX
In the UNIX operating system, domain is
associated with the user. Switching domains is
accomplished by changing the user
identification temporarily. This is done
through the file system, where a “setuid bit”
is associated with each file. When the setuid
bit is on, and a user executes that file, the
user ID is set to that of the owner of the file;
when the bit is off, however, the user ID does
not.
 An example: MULTICS
The MULTICS operating system uses a ring structure to organize protection domains
hierarchically, with each ring representing a single domain. The rings are numbered
from 0-7, with higher numbers indicating less privileged domains. A process executing
in a higher numbered ring cannot access segments associated with a lower numbered
ring, ensuring system security. This scheme is equivalent to the monitor user mode of
execution, where monitor mode corresponds to the innermost ring (D0) and user
mode corresponds to the next ring (D1). Each segment in MULTICS is associated with a
ring and a current ring number counter tracks the ring in which a process is currently
executing. This system allows the controlled access to resources based on the
privilege level of the process.
The MULTICS operating system uses a ring structure to control domain switching,
where a process can only access segments associated with its current ring or a
higher-numbered ring cannot access segments associated with a lower-numbered
ring, preventing unauthorized access and maintaining system security. To allow
controlled domain switching, the ring field of the segment descriptor is modified to
include an access bracket, a limit, and a list of gates. However the ring structured has
a disadvantage: it does not allow us to enforce the need-to-know principle, meaning
that every segment accessible in a higher-numbered ring is also accessible in lower-
numbered ring.
An operating system using matrix. The rows of the matrix represents
domains, and the columns represent objects. Each entry in the matrix
consist of a set of access rights. The access matrix provides a
mechanism for specifying a variety of policies, allowing for controlled
access to resources based on domain and objects.

Domain/ F1 F2 F3 printer
object
D1 read read
D2 print
D3 read execute
D4 read read
write write

Figure 14.3 Access matrix.

Domain F1 F2 F3 Laser D1 D2 D3 D4
/object printer
D1 read read switc
h
D2 print switch switc
h
D3 read execute
D4 read read switch
write
Figure write
14.4 Access matrix of Figure 14.3 with domains and objects.
Domain/ F1 F2 F3
object
D1 execute write
D2 execute read execute
D3 execute
(a)
Domain/ F1 F2 F3
object
D1 execute write
D2 execute read execute
D3 execute read
(b)
Figure 14.5 Access matrix with copyrights
Domain/ F1 F2 F3
object
D1 owner write
execute
D2 read read
owner owner
write
D3 execute

(a)
Domain/ F1 F2 F3
object
D1 owner write
execute
D2 owner read
Read owner
write write
D3 write write
(b)
Figure 14.6 Access matrix with owner
right.
Domain F1 F2 F3 laser D1 D2 D3 D4
/ printer
object
D1 read read switch
D2 print switch switch
control
D3 read execut
e
D4 write write switc
Figure 14.7 Modified access matrix
h of figure 14.4.
Implementation of Access matrix
Global Table – the simplest implementation of the access matrix consisting of
a set of ordered triples < domain, object, rights-set >. Whenever an operation
M is executed on an object O within domain D, the global table is searched for
a triple < Di, Dj,Rk >, with M element of Rk. If triple is found, the operation is
allowed to continue; otherwise, an exception (or error) condition is raised.
Access lists for objects – the resulting list for each object consists of ordered
pairs
<domain, rights-set> , which define all domains with a non empty set of
access rights for the object. This approach can be extended easily to define a
list plus a default set of access rights.
Capability lists for domains – an alternative approach to access matrices for
implementing protection in operating systems. Instead of associating
columns with objects, capability lists associate each row with a domain,
representing the operations a process executing in that domain can perform
on objects. They are protected, never directly accessible to a process, and
can only be access indirectly by the user. Capability lists provide a foundation
for protection that can be extended up to the application level. Several
capability-based protection system was developed, including the Mach OS.
A Lock-key Mechanism – it is a compromise between
access lists and capability lists. Each object has a list of
unique bit patterns, called locks, similarly with domains.
Comparison of access lists and capabilities used in many
systems:
 Global table are simple but inefficient, requiring large
memory and potentially causing performance issues.
 Access lists are more efficient for localizing information
but can be time-consuming to search.
 Capability lists are efficient for searching but do not
directly corresponds to the needs of a given process.
 The lock-key mechanisms is a compromise between
access lists and capability lists, offering both
effectiveness and flexibility.
 Access Control
Role-based Access Control (RBAC) is a method for managing access rights to resources
based on the roles assigned to users. It works in the Solaris 10 OS, where users are
assigned roles and privileges based on their responsibilities. This allows users to
execute programs with specific privileges, reducing the security risk associated with
superusers and setuid programs. RBAC is a more granular and flexible approach to
access control than traditional methods, as it allows for finer-grained control over
access rights and makes it easier to manage permission for large numbers of users
and resources.

USER 1
role 1
privileges
Figure 14.8 role based access control in Solaris 10
1
privileges
2

executes with role 1

privileges

proces
s
Revocation of Access Rights
Various questions about revocation may arise:
 Immediate vs. delayed. Does revocation occur
immediately, or is it delayed? If revocation is delayed,
can we found out when it will take place?
 Selective vs. general. When an access right to an object
is revoked, does it affect all the users who have an
access right to that object, or can we specify a select
group of users whose access rights should be revoked?
 Partial vs. total. Can a subset of the rights associated
with an objects be revoked, or must we revoke all
access rights for this object?
 Temporary vs. permanent. Can access be revoked
permanently (that is, the revoke access right will never
again be available), or can access be revoked and later
be obtained again?
Schemas that implement revocation
for capabilities:
1. Reacquisition – capabilities are periodically deleted from each domain. If a process
wants to use a capability, it may find that capability has been deleted. The process
may then try to reacquire the capability. If access has been revoked, the process will
not be able to reacquire the capability.
2. Back pointers – are a list of pointers maintained with each object, pointing to all
capabilities associated with that object. When revocation is required, we can follow
these pointers, changing the capabilities as necessary. These scheme was adopted in
the MULTICS system. It is quite general, but its implementation is costly.
3. Indirection – is a technique for revoking capabilities in capability-based systems. It
involves pointing capabilities indirectly to objects through a global table. Each
capability points to a unique entry in the global table, which in turn points to the
objects. When revocation is required, the global table entry for the desired capability
is deleted.
 Capability-based Systems
An example: Hydra
Hydra is a capability-based protection system that offers flexible and secure
access control. Hydra implements a fixed set of basic access rights, but users can
also declare additional rights. The interpretation of these user-defined rights is
handled solely by user’s program. The system provides access protection for both
user-defined and system-defined rights, contributing to significant advancement
in security technology. Operations of objects are defined procedurally. To access
these procedures indirectly, the protection system needs to identify them based
on user-defined type. When the definition of an object is made known to Hydra,
the names of operations become “auxiliary rights”.
Hydra relies on the concept of “trustworthy processes”, which can adhere to a
formal parameter and execute procedures within their defined rights. This
ensures that a process will not exceed its authorized access.
Hydra uses mechanism called “amplification” to allow indirect access to data
through another process. This is necessary when a process needs to access data
that is not directly accessible to it. Amplification ensures that access is controlled
and limited to specific purposes defined by the capability
Hydra’s procedure-call mechanism ensures that a process cannot
modify data passed as arguments to another process without explicit
permission. This prevents unintended modifications and maintains
data integrity.
Hydra addresses the problem of “mutually suspicious subsystems”,
where different programs may need to share data but cannot be fully
trusted. Hydra’s solution involves careful design of access rights and
procedures to ensure that data is used correctly and securely.
Hydra’s approach to subsystem involves a layered security model
where subsystems are built on top of the protection kernel and
interact with it through kernel-defined primitives. The capability
system enforces access control, and programmers can use system-
defined procedures to access resources securely. This allows for a
flexible and secure way to manage complex systems with multiple
subsystems.
An example: Cambridge CAP System
This system is a simpler and less powerful capability-based protection
system compared to Hydra. It utilizes two types of capabilities:
1. Data capabilities – interpreted by the microcode.
2. software capabilities – interpreted by protection procedures.
Data capabilities grant standard access to objects, while software
capabilities grant specific rights to a particular subsystem. The
interpretation of software capabilities left to subsystem, allowing for a
variety of protection policies. The CAP system prioritizes the security of
the overall system, ensuring that a single unprotected procedure
cannot compromise the entire system by restricting access to storage
segments and capabilities.
 Language-based Protection
Language-based protection is a new approach in
operating system. It addresses the limitations of
traditional protection mechanism, which often rely on
OS kernels and acquire significant overhead for access
validation.
Language-based protection aims to integrate security
into the programming language itself, allowing for
more flexible and efficient protection. This approach
leverages concepts of abstract data types and objects
to define access rights and policies, ensuring that
resources are protected from unauthorized access and
tampering. It also enables the definition of user
defined functions and policies, making the system
more adaptable to different applications and needs.
 Compiler-based management
This argues that specifying protection needs declaratively in in a
programming language offers several advantages over traditional methods
based on OS kernels:
1. Protection needs are simply declared, rather than programmed as a
sequence of calls on procedures of an OS.
2. Protection requirements can be stated independently of the facilities
provided by particular OS.
3. The means for enforcement need not be provided by the designer of
subsystem.
4. A declarative notation is natural because access privileges are closely
related to the linguistic concept of data type.
Integrate protection requirements directly into the language’s typing
system, allowing the designer to specify access rights and resource usage
within the program itself. This approach eliminates the need for separate
protection specifications and simplifies the enforcement process. While
compiler-based enforcement might not be as powerful as kernel-based
enforcement, it offers a more flexible and efficient way to ensure security
by relying on assumptions about the operational state of the system and
treating different protection mechanism =s differently.
Security. Kernel-based enforcement provides a greater degree of
security for the protection system itself compared to compiler-based
enforcement. The reason is that kernel-based enforcement relies on the
correctness of the translator, the underlying mechanism of storage
management, and ultimately, the security of files from which a program
is loaded. While these considerations also apply to software-supported
protection kernels, their impact is less significant because the kernel
typically resides in fixed physical storage segments and is loaded only
from a designated file.
Flexibility. Compiler-based enforcement offers greater flexibility than a
protection kernel. While a kernel may provide facilities for enforcing
user-defined policies, using a programming language allows for a more
adaptable approach. Protection policies can be declared and enforce as
needed with minimal disruption to the system.
Efficiency. The greatest efficiency in protection enforcement is achieved
when it’s directly supported by a hardware or microcode. When software
support is required, language-based enforcement offers advantages like
off-line verification at compile time and the ability for an intelligent
compiler to tailor the enforcement mechanism to specific needs,
reducing the overhead of kernel calls.
 Protection in Java
Java’s protection mechanisms are designed to run in a distributed
environment. Java programs are composed of classes, each
containing data fields and functions. The JVM loads a class in
response to a request to create instances (or objects) of that class.
One of the most novel and useful features of Java is its support for
dynamically loading untrusted classes over a network and for
executing mutually distrusting classes within the name JVM.
Protection in Java is handled within the JVM. When the JVM loads a
class, it assigns the class to a protection domain that gives the
permissions of that class. The protection domain to which the class is
assigned depends on the URL from which the class was loaded and
any digital signatures on the class file. A configurable policy file
determines the permissions granted to the domain. Example: classes
loaded from a trusted server might be placed in a protection domain
that allows them to access files in the user’s home directory,
whereas classes loaded from an untrusted server might have no file
access permission at all.
It uses a stack inspection approach to determine if a
method is allowed to access a protected resource. This
inspection examines the stack frames of the calling thread,
starting from the most recently added frame and working
towards the oldest. If the stack frame is found that has the
doPrivileged() annotation, then the checkpermission()
method immediately and silently allows the access. If a
stack frame is found for which access is disallowed based
on the protection domain of the methods class, then
checkpermission() throws an AccessControlException. The
stack inspection exhausts the stack without finding either
type of frame, then whether access is allowed depends on
the implementation (for example some implementations of
the JVM may allow access, while other implementations may
disallow it).
protection
domain:
socket
permission:

Class:

Figure 14.9 Stack inspection.

 th e
o f
E n d r
p te
C h a
 Chapter 15

System security
Chapter objectives:
 To discuss security threats and attacks.
 To explain the fundamentals of encryption,
authentication, and hasting.
 To examine the uses of cryptography in
computing.
 To describe various countermeasures to
security attacks.
 The security problem

The security problem arises from the fact that

systems containing sensitive data, such as
payroll or financial information, are inviting
targets for thieves, competitors, and others who
may seek to exploit vulnerabilities for personal
gain or malicious intent. The loss of such data,
whether by accident or fraud, can severely
impair the ability of the corporation to function.
 Five types of security breaches:
 Breach of Confidentiality: unauthorized reading r theft of information,
often with the goal of capturing secret data from a system or data
stream. Exampes include credit card information theft or identity theft.
 Breach of integrity: unauthorized modification of data, which lead to
passing liability to an innocent party or modification of source code for
important commercial applications.
 Breach of availability: unauthorized destruction of data, often done to
wreak havoc and gain status or bragging rights rather than financial
gain. Web-site defacement is a common example.
 Theft of service: unauthorized use of resource. For example, an intruder
might install a daemon on a system that acts as a file server.
 Denial of service: preventing legitimate use of the system. Denial-of-
service, or DoS, attacks are sometimes accidental. The original internet
worm turned into a DoS attack when a bug failed to delay its rapid
spread.
 norma
l
sender communicati receiver
on

attacker
masquerading

sender receiver

cat i on
muni
co m
attacker

Man-in-the-middle

receiver
sender
comm i cat i on
unicat u n
ion comm
attacker
Figure 15.1 Standard security attack
 To protect system, we must take security measures at for
levels:
1. Physical. The site or sites containing the computer systems must be
physically secured against armed or surreptitious entry by intruders. Both the
machine rooms and the terminals or workstations that have access to the
machine must be secured.
2. Human. Authorization must be done carefully to assure that only appropriate
users have access to the system. Even authorized users may be tricked into
granting access to others, either through bribery or social engineering
techniques like phishing or dumpster diving.
3. Operating system. The system must protect itself from accidental or
purposeful security breaches. A runaway process could constitute an
accidental denial-of-service attack. A query to a service could reveal
password. A stack overflow could allow the launching of an unauthorized
process. The list of possible breaches is almost endless.
4. Network. Much computer data in modern systems travel over private leased
lines, shared lines like the Internet, wireless connection, or dial-up lines.
Intercepting these data could be just a harmful as breaking into a computer;
and interruption of communications could constitute a remote denial-of-
 Program Threats
Program threats arise from the fact that
processes, along with the kernel, are the only
means of accomplishing work on a computer.
Therefore, writing a program that creates a
breach of security or causing a normal process
to change its behavior and create a breach, is a
common goal of crackers. Even most
nonprogram security events have as their goal
causing a program threat. For example, while it
is useful to log in to a system without
authorization, it is quite a lot more useful to
leave behind a backdoor that provides
 Trojan horse
Trojan horse is a type of malware that is used to gain unauthorized access to a
system or steal sensitive information.
The trojan horse works by exploiting the trust that users place in programs. For
example, a user might download a program that they believed is a game or a utility,
but the program actually contains malicious code.
Once the trojan horse is installed, it has the ability to steal password and other
sensitive information, install other malware, and give the attacker remote access to
the system. One way to protect against trojan horses is to be careful about the
programs we download or install. Only download programs from trusted sources,
and be sure to read reviews before installing any net software. You should also keep
your OS and antivirus software up to date.
Another variation of trojan horse is the spyware. Spyware often accompanies other
programs, such as freeware or shareware, and its goal is to download adds, create
pop-up browser windows, or capture information from the user’s system and sent it
to a central site.
 Trap Door
A trap door is a hidden feature in a program or system that allows unauthorized
access or bypasses security measures. It’s a type of security breach often used
for malicious purposes, like stealing data or gaining control of a system. Trap
doors are designed to be hidden, making them difficult to detect. They can be
created by programmers who deliberately insert them or through unintentional
coding. Detecting trap doors requires thorough code auditing, security testing,
and monitoring system activity for unusual patterns.

Logic Bomb
It is a type of malicious code that is designed to trigger a security incident only
under certain circumstances. It’s difficult to detect because it appears harmless
under normal operations. However, when a predefined set of parameters are
met, the logic comb activates, creating a security hole that can be exploited for
malicious purposes. Example, a programmer might write code to check if they
are still employed, if not, a logic bomb could be triggered to allow remote
access or cause damage to the system.
 Stack and Buffer Overflow
A stack buffer overflow is a common way for attackers to gain
unauthorized access to a system. This attacks exploits a bug in a
program where the programmer neglected the code bunds checking
on an input field. This means the attacker can send more data than
the program was expecting, causing the program to crash or allow
the attacker to execute malicious code.
How it flow:
1. Overflow: the attacker sends more data than the program expects,
overflowing the allocated space in the buffer or stack.
2. Overwrite: the attacker overwrites the return address on the stack
with address of their malicious code.
3. Execute: when the program returns, it jumps to the attacker’s code
instead of the intended location, allowing the attacker to execute
their malicious code.
 This C code demonstrate a buffer overflow vulnerability

#include <stdio.h>
#define BUFFER_SIZE 246

int main(int arg, char *argv[])

{
char buffer [BUFFER_SIZE] ;

if (arg < 2)
return -1 ;
else {
strcp(buffer ,argv[1] ;
return 0;
}
}

Figure 15.2 C program with buffer-overflow condition

Stack Frame – is a data structure used to store
information related to a function call and it contains:
Parameters – values passed to the function.
Automatic Variables – variables declared within the
function.
Saved Frame Pointer – a pointer to the previous stack
frame.
Return address – the address where the program
should return after the function completes.
 bottom
return address frame pointer

saved frame pointer

grows

automatic variables

parameter/s

top

Figure 15.3 the layout for a typical stack frame

#include <stdio.h>

int main (int arg, char *argv[])

{
execvp(‘ ‘\bin\sh’ ’, ‘ ‘\bin \sh’ ’ , NULL) ;
return 0 ;
}
 return address address of modified
shell code

saved frame pointer

.
buffer(BUFFER_SIZE –
.
1)
.
copie NO_OP
…
d .
.
.
buffer(1)
modified shell code

buffer(0)

(a) (b)

Figure 15.4 hypothetical stack frame for figure 15.2, (a) before and (b) after
 Viruses
Virus is a fragment of code embedded in a legitimate program. Viruses
are self replicating and are designed to “infect” other program. They
wreak havoc in a system by modifying or destroying files and causing
system crashes and program malfunctions. As with most penetration
attacks viruses are very specific to architectures, OS, and applications.
Viruses are a particular problem for users of PC’s, UNIX and other
multiuser OS generally are not susceptible to viruses because the
executable programs are protected from writing by the operating
system. Viruses can be spread through email attachments, file-sharing
services, infected disks, or macros embedded in documents. A virus
dropper is a program that installs a virus onto a system, often
disguised as a legitimate program or file. There are many types of
viruses, each with its own unique characteristics and methods of
spreading. To protect your system from viruses, it is important to use
antivirus software, keep your software updated, be careful about
opening email attachments, and download software from trusted
sources.
 Types of viruses and how they infect system

1. File viruses: these virus attach themselves to executable files

and modify the code to include their own code. They often run
alongside the original program without being noticed.
2. Boot viruses: these virus infect the boot sector of a hard drive,
which is the area that loads the OS. They can spread to other
bootable media like floppy disks.
3. Macro viruses: these viruses are written in high-level languages
like Visual Basic and are triggered when a program capable of
executing macros is run. They can be found in spreadsheets
and other apps.
4. Source code viruses: these viruses target source code,
modifying it to include the virus code and help spread it further.
Figure 15.5 a boot-sector computer virus

Virus
replaces
original boot
block with
itself
The system boot, virus
decreases physical
memory, hides in memory
above new limit

Virus attaches to disk

read-write interrupt,
monitors all disk
activity

Whenever new It has a logic

removable R/W It blocks any bomb to wreak
disk is installed, attempts of other havoc at a certain
it infects that as programs to write the date
well
boot sector
Polymorphic – it is a virus that changes each time it is installed to
avoid direction by antivirus software. The changes do not affect the
virus functionality but rather change the virus signature. A virus
signature is a pattern that can be used to identify a virus, typically a
series of bytes that make up the virus code.
Encrypted – an encrypted virus includes decryption code along with
the encrypted virus, again to avoid detection. The virus first decrypts
and then executes.
Stealth – this tricky virus attempts to avoid detection by modifying
parts of the system that could be use to detect it. For example, it
could modify the read system call so that if the file it has modified is
read, the original form of the code is returned rather than the
infected code .
Tunneling – this virus attempts to bypass detection by an antivirus
scanner by installing itself in the interrupt-handler chain. Similar
viruses install themselves in device drivers.
Multipartite – a virus of this type is able to infect multiple parts of a
system, including boot sectors, memory, and files. This makes it
 System and network threats
System and network threats target the infrastructure of a system,
exploiting vulnerabilities in services, network connections, and OS
sources.
System and network threats can create situations where resources
are misused, user files are compromised, or even launch program
attacks.
The more services an OS has enabled, the more opportunities for
vulnerabilities and bugs to exist. Modern OS strive to be secure by
default, often disabling unnecessary services during installation
and requiring administrators to specifically enable them. This
minimizes the system’s attack surface, reducing the ways an
attacker can try to break into the system.
Attacks are more effective and difficult to counter when multiple
systems are involve. Example, within a single computer, the OS
can track the sender and receiver of messages, even if the sender
 Worms
A worm is a process that uses the spawn mechanism to ravage system
performance. The worm spawns copies of itself, using up system resources
and perhaps locking out all other processes. On computer networks, worms
are particularly potent, since they may reproduce themselves among
systems and thus shut down the entire network.
The Morris Worm – the Morris Worm created by Robert Tappan Morris Jr. in
1988, is a famous example of a worm that caused significant damage to UNIX
systems on the internet.
Worms was made up of two programs: a) grappling hook - also known as
“bootstrap vector” that uses various methods: rsh, finger, sendmail . b) main
worm program – it was uploaded to the target system after the “grappling
hook” established a connection. It then replicate itself and spread to other
systems.
Morris Worms impact:
 Caused significant damage to UNIX systems, resulting in the loss of
system resources and admin time.
 Exploited vulnerabilities in the UNIX OS and used the rsh utility for remote
The Morris Worm used three main infection methods to spread:
 Remote access: the worm exploited vulnerabilities in the rsh
utility to gain access to systems without a password. Once
access was established, the worm program was executed.
 Operating system bugs: the Worm also took advantage of
bugs in the UNIX finger and sendmail programs. These bugs
allowed the worm to inject itself into these programs and
spread to other systems.
 The finger utility: the finger utility functions as an electronic
telephone directory, allowing users to retrieve information
about other users on the system. The worm exploited
vulnerabilities in the finger utility to spread to other systems.
grappling
hook

worm
worm
 Port Scanning
Port scanning is a technique used by hackers (often called crackers) to identify
potential vulnerabilities in computer systems. I’s not an attack itself but rather a
way to gather info that can be used for future attacks. Port scanning works by
automated, using a tool that attempts to create a TCP/IP connection to a specific
port or range of ports. The tool tries to connect to known vulnerabilities, such as a
bug in a specific service or port that is open but shouldn’t be. If the connection is
successful, the tool can attempt to communicate with the service to determine if
it’s the intended service and, if so, what version it is. This can help identify
potential vulnerabilities in the software. The information gathered from port
scanning can then be used to exploit vulnerabilities and gain access to the system.
Tools and techniques:
1. Nmap – popular open source utility for network exploration and security
auditing.
2. Nessus – a tool that performs a similar function to Nmap, but also includes a
database of known bugs and explot.
Port scanning can be a concern because they are often launched
from compromised systems called “zombies”, which are
controlled by attackers. This makes it difficult to trace the source
of the attack. And port scanning can be used to launch denial-of-
service attacks, which overwhelm a system with requests,
making it unavailable to legitimate users.
Securing Systems
Firewall protection – implementing a firewall to block
unauthorized access to ports.
Regular updates – keeping software up-to-date to patch known
vulnerabilities.
Security monitoring – monitoring network traffic for suspicious
activity.
 Denial-of-service (DoS)
It is a type of cyberattack aimed at disrupting the legitimate use of a system or
service. Instead of trying to steal info. or gain unauthorized access, DoS attacks aim
to make the system unavailable to its intended users.
Types of DoS:
1. Resource exhaustion: these attacks overwhelm the system with a flood of
requests, consuming its resources and making it unable to respond to users. This
include flooding a website with traffic, sending excessive emails, or making a
numerous connection attempts.
2. Network disruption: these attacks target the network infrastructure that
connects the system to the internet, disrupting the flow of data and making the
system unreachable.
Characteristics of DoS:
• Intention: the goal is to disrupt service
• Impact: can cause temporary or permanent outages
• Difficulty of prevention: difficult due to complexity of network security and
constant evolution of attack mehtods
How to mitigate the risk of DoS:
1. Firewall
protection: use to block traffic and
prevent unauthorized access to the system.
2. Network monitoring: for suspicious activity and
identifying potential DoS attacks
3. Loadbalancing: distributing traffic across multiple
servers to prevent a single server from being
overwhelmed
4. Securityupdates: keeping systems and software
updated to patch vulnerabilities that could be
exploited by attackers
 Cryptography as a Security Tool
Cryptography is a fundamental security tool that is
important in protecting data and communications in
computer system. It involves using mathematical techniques
to transform data (plaintext) into an unreadable format
(ciphertext), making it secure from unauthorized access.
Cryptography works by ensuring that only authorized parties
can access sensitive information. It protects data during
transmission and storage, preventing eavesdropping or
unauthorized decryption. It also verify the authenticity and
integrity of data. They ensure that data hasn’t been
tampered. Cryptography also helps verify the identity of
users and systems. It allows parties to authenticate
themselves and establish trust in digital environments.
 Encryption
Encryption is a means for constraining the possible receivers of a
message. An encryption algorithm enables the sender of a message
to ensure that only a computer possessing a certain key can read
the message.
Encryption consist of the ff components:
• A set K of keys.
• A set M of message.
• A set C of ciphertexts.
• A function E : K (M C).
• A function D : K (C M).
 message m

Encryptio
n
algorithm
E
Key
exchang
e

Decryptio
n
algorithm
D

message
m
 Symmetric encryption
Symmetric encryption uses the same key for both encryption
and decryption. This means the key must be kept secret to
protect the security for both encrypted and decrypted data.
This algorithms work by performing a series of
transformations on the data, often using substitutions and
permutations. Some algorithm use “black-box”
transformations, where the specific steps are hidden to make
the algorithm more secure.
One popular example of a symmetric encryption algorithm is
the Data Encryption Standard. However, DES is now
considered insecure because its key can be easily crack with
modern computing power. A more secure alternative is the
Advanced Encryption Standard (AES), which uses longer keys
and more complex transformations.
 Asymmetric Encryption
It uses a private key to decrypt data that was encrypted using a
public key. The most common example of this is the RSA (Rivest,
Shamir, and Adleman). RSA is a block-cipher public-key algorithm
and is the most widely used asymmetrical algorithm.
Advantages of Asymmetric Encryption:
1. Secure key contribution: the public key can be shared publicly
without compromising the security of the private key.
2. Flexibility: asymmetric encryption can be used for various
purposes, including digital signatures, secure communication.
Disadvantages:
1. computational complexity: computationally more expensive
than symmetric
2. Key management: managing multiple public and private keys
can be challenging.
 Authentication
It is used to verify the identity of a sender or receiver of a message. It
ensures that the message originated form the claimed source and hasn’t
been tampered with during the transmission.
Components of authentication:
 Keys: authentication algorithm use a set of keys to generate unique
identifiers(authenticators) for messages.
 Authenticators: these are the values generated by the authentication
function, acting as digital signatures for the message.
 Verification: the receiver of the message uses the sender’s public key to
verify the authenticity of the message by comparing the receive
authenticator with a calculated one.
Types:
 Message authentication code (MAC)
 Digital Signature
 Key distribution
It is the process of securely sharing cryptographic keys
between parties who need to communicate securely. It’s a
critical challenge in cryptography, specially for symmetric
algorithms where both parties need the same secret key.
The challenges in key distribution are sharing keys
physically is inefficient and vulnerable to interception. And
managing a large number of keys for communication with
multiple users is complex. And also sharing keys over
insecure channels can lead to attackers intercepting and
exploiting them.
 Implementation of cryptography
Network protocols are structured in layers, each layer acting as a client to the one
below it. When a protocol generates a message to send to its peer on another
machine, it hands its message to the protocol below it in the network-protocol stack
for delivery to that machine. Example, in an IP network, TCP (transport layer protocol).
TCP packets are passed down to IP for delivery to the TCP peer at the other end of the
TCP connection. It encapsulates the TCP packet in an IP packet, which it similarly
passes down to the data-link layer to be transmitted across the network to its IP peer
on the destination computer. This IP peer then delivers the TCP packet up to the TCP
peer on that machine. All in all, the ISO reference Model, which has been almost
universally adopted as a model for data networking, defines seven such protocol
layers.
Common security protocols:
SSL/TLS Secure Sockets Layer)/ (Transport Layer Security) – provides security at the
transport layer, ensuring secure communication between web browsers and servers.
Ipsec (Internet Protocol Security) – standardizes security at the network layer,
providing authentication and encryption for IP packets.
Virtual Private Network (VPN) – use IPsec to create secure connections over public
networks, making communication private and secure.
 An example: SSL (Secure Sockets Layer)
SSL is a cryptographic protocol that enables secure communication
between two computers. It’s the most commonly used
cryptographic protocol on the internet today, used by web browsers
to communicate securely with web servers.
SSL works by:
Handshake – the client and server exchange messages to establish
a secure connection. This involves verifying each other’s identities
and generating a shared secret key.
Encryption – once the handshake is complete, the client and server
use the shared secret key to encrypt all subsequent
communication. This ensures that only the intended recipient can
read the messages.
Message authentication – SSL also uses MAC’s (Message
Authentication Codes) to verify integrity of messages. This prevents
attackers from tampering with the messages during transmission.
 Passwords

Passwords are the most common way to

authenticate a user’s identity in computer systems.
When a user identifies themselves with a user ID or
account name, they are typically asked for a
password. If the password matches the one stored in
the system, the system assumes that the account is
being accessed by the owner of that account.
 Password vulnerabilities
Password are vulnerable for reasons:
• Easy to guess – password that are easy to remember
or based on personal information can be easily guest
by attackers
• Exposure – passwords written down or stored in easily
accessible locations can be easily compromised.
• Sniffing – network traffic can be intercept to steal
passwords.
• Illegal transfer – passwords can be transferred from
authorized users to unauthorized ones.
 Encrypted passwords
The traditional approach of storing password in plain text is vulnerable security breaches.
To address this, the UNIX system uses encryption to protect password.
1. Encryption – passwords are encrypted a one-way function. This means that it’s easy to
compute the encrypted value from the original password but impossible to reverse the
process and get the original password from the encrypted one.
2. Storage – only the encrypted password are stored in the system.
3. Authentication – when a user enters their password, the system encrypts it using the
same function and compares the encrypted value with the stored encrypted password.
If they match, the user is authenticated.
This method provides a degree of security, as even if an attacker gains access to the
encrypted password, they cannot easily recover the original one. However, there are still
some vulnerabilities:
• Dictionary attacks – attackers can use dictionaries to try and guess passwords by
comparing the encrypted password with a list of known encrypted passwords.
• Brute force attackers – attackers can try different combinations of characters until they
find the correct password.
• Superuser access – in some systems, only the superuser can read the encrypted
password, making it vulnerable to attacks targeting the superuser account .
To further enhance security, it is better to used techniques like “salting” (adding
random characters to the password before encryption) an limiting the length of
passwords to make them less susceptible to dictionary attacks.
One-Time Password
One-time password are a security measure designed to prevent password sniffing
and shoulder surfing. They use a unique password for each login session, making it
impossible to reuse a password from a previous session.
One-time password works by:
Secret and seed – the system generates a unique password using a secret (a shared
value known to both the user and the system) and a seed (a random number or
alphanumeric sequence generated by the system)
Password calculation – the secret and sed are used as input to a function, and the
result of this function is the one-time password.
Authentication – the user enters the one-time password, and the system perfprms
the same calculation using the secret and seed. If the results match, the user is
authenticated.
New seed for each session – for each new session, a new seed is generated,
ensuring that the one-time password is different for each other.
 Biometrics
Biometrics is also a security measures that uses unique biological
characteristics to authenticate users. It’s an alternative to passwords,
which are often vulnerable to attacks.
It works by collecting unique biological data, such as fingerprints, facial,
features, or iris scans. The collected data is stored in a secure database,
often encrypted. When a user attempts access to a system, the
biometric system compares the user’s biometric data with the stored
data, this is called the authentication. And if the data matches, the user
is authenticated.
Biometric systems are becoming increasingly popular due to their
accuracy and convenience. They offer a higher level of security than
password, as they are difficult to forge or steal. However, it’s important
to note that biometric systems are not foolproof and can be vulnerable
to spoofing attacks.
Multi-factor authentication combines multiple authentication methods,
such as a PIN and a fingerprint scan, for even stronger security so that
 Implementing Security Defenses
Security Policy
Security policy is a measures and guidelines for any aspect of computing.
It defines what is being secured, what is permissible, what is required,
and what is not allowed. It acts as a roadmap to achieving a secure
environment, guiding users and admins on how to move from less secure
to more secure practices.
Aspects of security policy:
Clear statement of scope – it defines what is being secured, including
specific systems, data, or apps.
Detailed guidelines – it provides specific rules and procedure for various
security aspects, such as password management, access control, and
network security.
Living document – a security policy should be a dynamic document that
is reviewed and updated periodically to ensure it remains relevant and
effective.
 Vulnerability Assessment
Vulnerability assessment is a process of identifying and evaluating security
weakness in a system or network. It aims to determine if a security policy
is effectively implemented and to uncover potential vulnerabilities that
could be exploited by attackers.
Aspects of Vulnerability Assessment:
Purpose – to identify and address security weakness before they are
exploited by attackers.
Scope – covers a wide range of security aspects, from social engineering to
technical vulnerabilities.
Methods – involves various techniques, including penetration testing, risk
assessment, and vulnerability scanning.
Timing – vulnerability scans are typically conducted during periods of low
computer use to minimize impact on operations.
Target systems – assessments are often performed on test systems rather
than production systems to avoid disrupting critical operations
Intrusion Detection
 Prepared By:
Dupingay, Cris An
Guinyang, Nora
Omela, Anilyn