Software TypesSoftware TypesOperating Systems

◦Also called Systems Software◦Manage the computer resources◦Ex: Linux, Windows, MacOS

Applications Software◦Specific tasks◦Rely on OS◦Ex: MS Office, CAD/CAM, PhotoShop

OS TypesOS TypesMainframesWorkstationsServersPersonal

Computers Mobile DevicesReal TimeEmbedded

04/24/23 2

IBM 370SunOS, VAXWin Server 2008Windows, MacOSWindows CEpSOSEmbedded NT,

embedded Linux

Live Chat 7

Operating System Operating System FunctionsFunctionsAccess Control

◦Who can access resources.Identity and credential

management◦Account management and

verification.Information flow.Audit and Integrity protection.

◦Logs & permissions.

What needs Protection?What needs Protection?Memory.I/O devices: disksRe-useable I/O devices: printers.Programs and sub-processes.Networks.Data.

Security Methods of Operating Security Methods of Operating SystemsSystemsSeparation: basis of protection

◦Physical: different devices for different security levels.

◦Temporal: processes execute at different times.

◦Logical: illusion that a user is operating alone.

◦Cryptographic: conceal data and computations.

Only half the answer ◦must share some objects.

Protection LevelsProtection LevelsDo not protect.Isolate: processes unaware of each

other.Share all or share nothing. Owner

declares.Share via access limitation: OS checks.Share by capabilities: dynamic creation

of sharing rights for objects.Limit use of object: view but not print.

Protection Ring ModelProtection Ring Model

UNIX Operating System UNIX Operating System SecuritySecurityRoot Accounts

◦ Sudo an alternative.Permissions

◦ -rwxr--r-- /etc/passwd◦ Owner, group, world.

SUID◦ -rwSrwxrwx 1 root wheel 3412 Jan 1 2011

program.sh◦ Dangerous, anyone can edit and execute

as root.

UNIX Operating System UNIX Operating System SecuritySecurity Iptables: Host based firewall.OSSEC: Host based intrusion detection.AIDE: log monitoring.Only run required services

◦ Center for Internet Security Instructions to lock down and secure most operating systems.

Extra secure operating systems◦ SELinux: security enhanced Linux with security

modules.◦ OpenBSD: listed #1 in a top ten list.

Windows OS SecurityWindows OS SecurityFirewall: turn it on.Automatic updates: set a time.Anti-Virus: must have.Anti-Spyware: good to have.HIDS: 3rd party products.Event Monitoring: centralize

logging.User Permissions: audit

permissions.

Windows Security ToolsWindows Security ToolsSecunia: monitor for product patches.AVG: free Anti-virus.Malwarebytes: anti-malware.Spybot Search and Destroy: rm

spyware.JavaRA & PureRA: keep java up to

date.Parental/worker controls: block web

sites.Use at your own risk.

Memory ProtectionMemory ProtectionProtect the memory space of data &

programs.◦Fence: confine to one side of a boundary.◦Fence Register: address at the end of the

Operating System. Restrictive, too much memory could be reserved.

Variable fence register: location can change◦Protects in one direction. Users compete for

Memory.

Figure 4-1  Fixed Fence.

Figure 4-2  Variable Fence Register.

Figure 4-3  Pair of Base/Bounds Registers.Variable Register = Base Register

Figure 4-4  Two Pairs of Base/Bounds Registers.

Tagged ArchitectureTagged ArchitectureBase/bounds registers are all or

nothing.Tagged Architecture

◦Every word of memory is tagged with extra bits to identify access rights to the word.

◦Compatibility of code can be a problem.

Figure 4-5  Example of Tagged Architecture.

SegmentationSegmentationDivide a program into separate pieces

◦Code of a procedure, an array, data values.

◦Each piece can have its own access rights.◦A segment has a name and an offset

value.◦Usually one OS segment address table per

executing process.◦Segments can exist at any location, can be

moved and can be checked for protection.

Figure 4-6  Logical and Physical Representation of Segments.

Figure 4-7  Translation of Segment Address.

Paging a Segmentation Paging a Segmentation AlternativeAlternativeDivide program into equal-sized

pieces.Memory divided into equal-sized

page frames so no fragmentation concerns.

Operating System maintains a table of pages to true memory address.

Programmers do not have to worry about page boundaries unlike segmentation.

Figure 4-8  Page Address Translation.

Combine Paging & Combine Paging & SegmentationSegmentationPaging offers implementation

efficiency.Segmentation offers logical

protection.Combine them to form paged

segmentation.◦Program divided into logical segments◦Break each segment into fixed page sizes.◦Hardware improvement improved

efficiency for paged segmentation.

Figure 4-9  Paged Segmentation.

Directory AccessDirectory AccessEach user controls access to their files.Each user has their own directory.

◦ Also has copies of files they can access.Permissions: Read, Write, eXecute.Difficulty if there are many shared

objects.◦ Space consumption.

Revocation of access can be time consuming.◦ Given the number of copies.

Figure 4-10  Directory Access.

Alternative Access PathsAlternative Access PathsDirectory problems with

pseudonyms.◦Owners have files with same name.◦Want to grant access to these files to

another user.◦Multiple permissions may exist to

same object for a single user.◦The directory approach is considered

too simple for most object protection situations.

Figure 4-11  Alternative Access Paths.

Access Control ListsAccess Control ListsOne list maintained for each

object.List shows all subjects with

access.One access control list per

object.Each subject has a directory.ACLs use wild cards “*”.

Figure 4-12  Access Control List.

Domains and Name SpaceDomains and Name SpaceA capability is an unforgettable token

allowing certain rights to an object.Each capability identifies a single

object in a domain.A domain is a collection of objects

which a process has access too.A user may have access to a domain

which includes programs, files, data, I/O devices.

Figure 4-13  Process Execution Domain.

Domain Object PassingDomain Object PassingA collection of capabilities defines a

domain.Calling a sub-procedure can pass

objects.Capabilities are a straight forward way to

track of access rights during execution. capabilities backed up by control matrix

or an access control list.Capabilities must be stored in memory

inaccessible to users.

Figure 4-14  Passing Objects to a Subject.

AAA Authentication Authorization AAA Authentication Authorization and Accountabilityand Accountability

Identity is often left out. Should be IAAAIdentity is a claim. “I am So&So”Authentication is proving an identity

claim.◦Password, 2-factor, credentials.

Authorization defines what you can doAccountability hold users accountable for

their actions.◦Logging, auditing.

Triple A ModelTriple A Model

04/24/23 37

Authentication Authorization

AccountingSource: Jayaswal, K. (2006). Administering data centers: Servers, storage, and voice over IP. Indianapolis, IN: Wiley Publishing, Inc.

Live Chat 10

AAAAAAAuthentication

◦Who you areAuthorization

◦What you are permitted to doAccounting

◦What you actually did

04/24/23 38

Source: Jayaswal, K. (2006). Administering data centers: Servers, storage, and voice over IP. Indianapolis, IN: Wiley Publishing, Inc.

Live Chat 10

AuthenticationAuthenticationAuthentication is the process

used to identify who you are based on:◦User name/password combination◦Certificates◦Biometrics

Fingerprints Retina scan Other?

04/24/23 39

Source: Jayaswal, K. (2006). Administering data centers: Servers, storage, and voice over IP. Indianapolis, IN: Wiley Publishing, Inc.

Live Chat 10

AuthenticationAuthenticationPassword-based authentication

◦ User name/passwordToken-based authentication

◦ One-time password generated by encrypting a time stamp with secret key (SecurID)

Digital Certificate-based authentication◦ Electronic or digital certificate◦ Contains public key, user information,

issuer’s information, and valid period

04/24/23 40

Source: Jayaswal, K. (2006). Administering data centers: Servers, storage, and voice over IP. Indianapolis, IN: Wiley Publishing, Inc.

Live Chat 10

Authorization ProcessAuthorization ProcessAs users attempt to gain access

to network resources, credentials are presented

Request sent to an AAA serverServer authenticates user and

determines authorizationAccounting keeps track of

resource usage

04/24/23 41

Source: Jayaswal, K. (2006). Administering data centers: Servers, storage, and voice over IP. Indianapolis, IN: Wiley Publishing, Inc.

Live Chat 10

Authentication Authentication MechanismsMechanismsSomething the user knows

◦Password, pass phrase, PIN, a secret.Something the user has:

◦Badge, keys, identification, token.Something the user is

◦Biometrics2-Factor: require two of the

above.

Figure 4-15  Users’ Password Choices.

Password AttacksPassword AttacksPassword cracking: John-the-ripperBrute force attacks: take time, effective.Rainbow Table: a database of password hash

values.Hybrid attack: append or pre-pend

characters before hashing. ◦Attack against complex passwords.

Dictionary attacks: use word lists.Salt: a random value used when creating

password hashes.

BiometricsBiometricsEnrollment: registering with the system.Throughput: how long to authenticate. 6-10Accuracy

◦False Rejection Rate(FRR) Authorized subject rejected

◦False Accept Rate Unauthorized person accepted as valid

◦Crossover Error Rate: accuracy Where FRR =FAR

Biometric DevicesBiometric DevicesRetina Scan: laser scan of capillaries.Iris Scan: passive, high accuracy, each iris is

unique, no body fluids exchanged.Hand Geometry: specific points on hand.Keyboard dynamics: measure pressure and rhythm.Dynamic Signature: how a person signs their

name. Voice Print: tone of voice. Vulnerable to a replay

attack.Facial scan: high cost. Used at Super Bowl to

identify criminals.

Discussion QuestionsDiscussion QuestionsBiometric Objections.

◦What are some reasons people are reluctant to use biometrics?

◦How can you counter these objections?