Os Security Mussab and Zeeshan Badshah

7/31/2019 Os Security Mussab and Zeeshan Badshah

1/42


2/42

SECURITY IN OPERATING SYSTEM

Security breaches

Security goals

Protected objects of the general purpose operating

system Protection of objects


3/42

BREACHES

Exposure

A form of possible loss or harm in a computing system

Vulnerability

Weakness that might be exploited to cause loss or harm

Threats

circumstances that have the potential to cause loss orharm


4/42

THREATS

Interruption

Interception

Modification

Fabrication


5/42

THREATS THROUGH SOFTWARES

Intruders

Malware,Trapdoor,Backdoor

Virus

Worm

Logic bomb

Trojan Horse

Downloaders

Spams

Flooders

Spywares

Adwares Bot


6/42

INTRUDERS


7/42

MALWARE, TRAPDOOR,BACKDOOR


8/42

VIRUS


9/42

WORM


10/42

LOGIC BOMB & TIME BOMB


11/42

TROJAN HORSE


12/42

DOWNLOADERS


13/42

SPAMS


14/42

FLOODERS


15/42

SPYWARES


16/42

ADWARES


17/42

BOT


18/42

SECURITY GOALS

Confidentiality

the assets of a computing system are accessible only byauthorized parties.

Integrity assets can be modified only by authorized parties or only in

authorized ways.

Availability

assets are accessible to authorized parties.


19/42

PROTECTION IN GENERAL-

PURPOSE OS

Protected Objects and Methods

Protecting Memory and Addressing

Protecting Access to General Objects

File Protection Mechanisms

User Authentication


20/42

PROTECTED OBJECTS AND METHODS

Protected Objects

Security Methods of Operating Systems


21/42

PROTECTED OBJECTS

Memory

Sharable I/O devices, such as disks

serially reusable I/O devices, such as

printers and tape drives

sharable programs and sub-procedures

sharable data


22/42

SECURITY METHODS OF

OPERATING SYSTEMS

Separation: keeping one users objects separatefrom other users

Physical Separation

Temporal Separation

Logical Separation

Cryptographic Separation

Granularity of Control

the larger the level of object controlled,

the easier it is to implement access control.


23/42

PROTECTING MEMORY AND

ADDRESSING

Fence

Relocation

Base/Bounds Registers

Tagged Architecture

Segmentation

Paging


24/42

FENCE

A fence is a method to confine users to one

side of a boundary.

Usually, fence is implemented via a hardware

register.


25/42

RELOCATION

Relocation is the process of taking a programwritten as if it began at address 0 and changingall addresses to reflect the actual address atwhich the program is located in memory.

Fence register can be used within relocationprocess. To each program address, thecontents of the fence register are added. Thisboth relocates the address and guaranteesthat no one can access a location lower than afence address.


26/42

BASE/BOUNDS REGISTERS

In a multiuser, multiprogrammingenvironment, fence register is variable. In thiscase fence register is called base register.Fence registers only provide a lower bound

(a starting address), but not an upper one. Asecond register, called a bounds register canbe used to provide a upper bound. In thisway, a programs addresses are neatlyconfined to the space between the base

and the bounds registers.This technique protects a programsaddresses from modification by another user.


27/42

TAGGED ARCHITECTURE

The disadvantage of Base/Bounds

technique

Tagged Architecture

Every word of machine memory has one or more extra bits

to identify the access rights to that word.


28/42

SEGMENTATION

Segmentation divides a program into separate pieces. Eachpiece has a logical unity, a relationship among all of its code ordata value.

Segmentation was developed as a feasible means to have theeffect of an unbounded number of base/bounds registers: aprogram could be divided into many pieces having differentaccess rights.

The operating system must maintain a table of segment names

and their true addresses in memory. The program address is in theform . OS can retrieve the real address via lookingfor the table then making a simple calculation:

address of the name + offset


29/42

PAGING

An alternative to segmentation is paging. The program isdivided into equal-sized pieces called pages, andmemory is divided into the same sized units, called pageframes. Each address is represented in a form .

Operating system maintains a table of user pagenumbers and their true addresses in memory. The pageportion of every reference is converted

to a page frame address by a table lookup; the offsetportion is added to the page frame address to producethe real memory address of the object referred to as.


30/42

PROTECTING ACCESS TO GENERAL

OBJECTS

Directory

Access Control List


31/42

GENERAL OBJECTS

Memory

a file or data set on an auxiliary storage device

an executing program in memory

a directory of files

a hardware device a data structure, such as a stack.

A table of the operating system

instructions, especially privileged instructions

passwords

the protection mechanism itself


32/42

DIRECTORY

This technique works like a file directory. Imagine theset of objects to be files and the set of subjects tobe users of a computing system. Every file has aunique owner who possesses control access

rights, including the right to declare who has whataccess and to revoke access to any person at anytime. Each user has a file directory, which lists all thefiles to which that user has access.

OS maintains all directories. Each user has a list(directory) that contains all the objects that user isallowed to access.


33/42

ACCESS CONTROL LIST

Each object has an access control list. This list shows allsubjects who should have access to the object and what theaccess is.

This technique is widely used in Distributed File Systems.


34/42

FILE PROTECTION MECHANISMS

Basic Forms of Protection

Single Permissions


35/42

BASIC FORMS OF PROTECTION

All-None ProtectionThe principal protection was trust, combined with ignorance.

Group Protection

Users in the same group have the same right for objects.


36/42

SINGLE PERMISSIONS

Password or other token

assign a password to a file


37/42

USER AUTHENTICATION

Use of Passwords

Attacks on Passwords

Password Selection Criteria

The Authentication Process

Flaws in the Authentication Process

Authentication Other Than Passwords


38/42

USE OF PASSWORDS

Passwords are mutually agreed-upon codewords, assumed to be known only to the userand the system.

The use of of passwords is fairly straightforward.A user enters some piece of identification, suchas a name or an assigned user ID, if theidentification matches that on file for the user,

the user is authenticated to the system. If theidentification match fails, the user is rejected bythe system.


39/42

ATTACKS ON PASSWORDS

Try all possible passwords exhaustive or brute force attack

Try many probable passwords

Users do not likely select a password uncommon, hardto spell or pronounce, very long

Try passwords likely for the user Password generally is meaningful to the user

Search for the system list of passwords Finding a plain text system password list

Ask the user Get the password directly from the user.


40/42

PASSWORD SELECTION CRITERIA

Use characters other than just A-Z

Choose long passwords

Avoid actual names or words

Choose an unlikely password

Change the password regularly

Dont write it down

Dont tell anyone else


41/42

THE AUTHENTICATION PROCESS

Intentionally slow

This makes exhaustive attack infeasible

identify intruder from the normal user

some who continuously fails to login may not bean authorized user.

System disconnect a user after three to five failedlogins


42/42

QUESTION AND QUERIES

Os Security Mussab and Zeeshan Badshah

Documents

Transcript of Os Security Mussab and Zeeshan Badshah