Os CH6

Chapter 6 discusses security and protection mechanisms that control access to computer systems, ensuring only authorized users can access resources. It outlines the goals of protection, principles such as least privilege, and the structure of protection domains, emphasizing the importance of an access matrix. Additionally, it covers various security threats, including Trojan horses, viruses, and denial of service attacks, while highlighting the role of cryptography in maintaining trust and confidentiality in communications.

Uploaded by tadessegerema

Chapter 6

Security and Protection

6.1 Introduction
Protection mechanisms control access to a system by limiting the types of file access
permitted to users. In addition, protection must ensure that only processes that have gained
proper authorization from the operating system can operate on memory segments, the CPU,
and other resources.

Protection is provided by a mechanism that controls the access of programs, processes, or
users to the resources defined by a computer system. This mechanism must provide a means
for specifying the controls to be imposed, together with a means of enforcing them.

Security ensures the authentication of system users to protect the integrity of the information
stored in the system (both data and code), as well as the physical resources of the computer
system. The security system prevents unauthorized access, malicious destruction or alteration
of data, and accidental introduction of inconsistency.

6.3 Goals of Protection

Protection was originally conceived as an adjunct to multiprogramming operating systems, so
that untrustworthy users might safely share a common logical name space, such as a directory
of files, or share a common physical name space, such as memory. Modern protection
concepts have evolved to increase the reliability of any complex system that makes use of
shared resources. We need to provide protection for several reasons.

 The most obvious is the need to prevent mischievous, intentional violation of an
access restriction by a user.
 The need to ensure that each program component active in a system uses system
resources only in ways consistent with stated policies which may be set either by
system designers or by system administrators.
 Protection can improve reliability by detecting latent errors at the interfaces between
component subsystems. Early detection of interface errors can often prevent
contamination of a healthy subsystem by a malfunctioning subsystem.
 Protection systems only provide the mechanisms for enforcing policies and ensuring
reliable systems. It is up to administrators and users to implement those mechanisms
effectively.

6.3 Principles of Protection

 The principle of least privilege dictates that programs, users, and systems be given
just enough privileges to perform their tasks.
 Managing users with the principle of least privilege entails creating a separate account
for each user, with just the privileges that the user needs.
 This ensures that failures do the least amount of harm, and that the least possible harm
can be done.
 Typically each user is given their own account, and has only enough privilege to
modify their own files.
 The root account should not be used for normal day-to-day activities. The system
administrator should also have an ordinary account, and reserve use of the root
account for only those tasks which need the root privileges.
6.4 Domain of Protection
 A computer system is a collection of processes and objects. By objects, we mean both
hardware objects (such as the CPU, memory segments, printers, disks, and tape
drives) and software objects (such as files, programs, and semaphores). Each object
has a unique name that differentiates it from all other objects in the system, and each
can be accessed only through well-defined and meaningful operations. The operations
that are possible may depend on the object. For example, a CPU can only be executed
on.
 A process should be allowed to access only those resources for which it has
authorization. Furthermore, at any time, a process should be able to access only those
resources that it currently requires to complete its task. This second requirement,
commonly referred to as the need-to-know principle, is useful in limiting the amount
of damage a faulty process can cause in the system.

6.4.1 Domain Structure

 A protection domain specifies the resources that a process may access.
 Each domain defines a set of objects and the types of operations that may be invoked
on each object.
 Domains may be realized in different fashions - as users, or as processes, or as
procedures. E.g. if each user corresponds to a domain, then that domain defines the
access of that user, and changing domains involves changing user ID.
 An access right is the ability to execute an operation on an object.
 A domain is defined as a set of <object, {access right set}> pairs, as shown below.
Note that some domains may be disjoint while others overlap.
 Domains do not need to be disjoint; they may share access rights. For example, in
Figure 6.1, we have three domains: D1, D2, and D3. The access right <O4, {print}> is
shared by D2 and D3, implying that a process executing in either of these two
domains can print object O4.
 The association between a process and a domain may be either static, if the set of
resources available to the process is fixed throughout the process's lifetime, or
dynamic, if the set of resources available to the process can be changed throughout
the process's lifetime.

Figure 6.1: System with three protection domains.

6.5 Access Matrix

 Our model of protection can be viewed abstractly as a matrix, called an access
matrix. The rows of the access matrix represent domains, and the columns represent objects.
 Each entry in the matrix consists of a set of access rights.
 Because the column defines objects explicitly, we can omit the object name from the
access right. The entry access(i, j) defines the set of operations that a process
executing in domain Di can invoke on object Oj.

To illustrate these concepts, we consider the access matrix shown in Figure 6.2. There are
four domains and four objects: three files (F1, F2, F3) and one laser printer. A process
executing in domain D1 can read files F1 and F3. A process executing in domain D4 has the
same privileges as one executing in domain D1, but in addition it can also write onto files F1
and F3. Note that the laser printer can be accessed only by a process executing in domain D2.

Figure 6.2: Access matrix.
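The domains of Section 6.4.1 and the matrix of Figure 6.2, as an added worked example (not part of the chapter or its figures): the rights the text states for Figure 6.2 are encoded as data, access(i, j) is a lookup on that data, and a Process object may invoke an operation only if its domain's entry allows it. The text says nothing about domain D3's row, so this example leaves it empty; that, and the static/dynamic domain switch, are the example's own assumptions.

```python
# Added example (not from the chapter): the access matrix of Figure 6.2 and the
# protection domains of Section 6.4.1 as data, with the access(i, j) lookup and
# a process whose every operation is checked against the matrix. Only the
# rights the text states are filled in; the text does not describe D3's row,
# so it is left empty here (this example's assumption, not the figure's content).
from typing import Dict, FrozenSet, List, Set, Tuple

OBJECTS = ("F1", "F2", "F3", "printer")

# Rows are domains, columns are objects, entries are sets of access rights.
ACCESS_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "D1": {"F1": {"read"}, "F3": {"read"}},
    "D2": {"printer": {"print"}},
    "D3": {},  # not described in the text; left empty
    "D4": {"F1": {"read", "write"}, "F3": {"read", "write"}},
}


def access(domain: str, obj: str) -> FrozenSet[str]:
    """access(i, j): the operations a process in `domain` may invoke on `obj`."""
    if domain not in ACCESS_MATRIX or obj not in OBJECTS:
        raise KeyError(f"unknown domain or object: {domain}, {obj}")
    return frozenset(ACCESS_MATRIX[domain].get(obj, set()))


def may_invoke(domain: str, obj: str, op: str) -> bool:
    """True if `op` is in the matrix entry for (domain, obj)."""
    return op in access(domain, obj)


def domain_as_pairs(domain: str) -> Set[Tuple[str, FrozenSet[str]]]:
    """The row of the matrix written as the <object, {access right set}> pairs
    that Section 6.4.1 uses to define a domain (empty entries omitted)."""
    return {(obj, access(domain, obj)) for obj in OBJECTS if access(domain, obj)}


def domains_sharing(obj: str, op: str) -> List[str]:
    """Domains whose entries overlap on `op` for `obj`; domains need not be disjoint."""
    return sorted(d for d in ACCESS_MATRIX if may_invoke(d, obj, op))


class Process:
    """A process runs in one domain; `static` fixes that association for its lifetime."""

    def __init__(self, domain: str, static: bool = True):
        if domain not in ACCESS_MATRIX:
            raise KeyError(domain)
        self.domain, self.static = domain, static

    def invoke(self, obj: str, op: str) -> str:
        """Every operation is mediated by the matrix; denied operations raise."""
        if not may_invoke(self.domain, obj, op):
            raise PermissionError(f"{self.domain} may not {op} {obj}")
        return f"{self.domain}: {op} {obj}"

    def switch_domain(self, new_domain: str) -> None:
        """Dynamic association only; a static process keeps its domain."""
        if self.static:
            raise PermissionError("static association: domain fixed for the process lifetime")
        if new_domain not in ACCESS_MATRIX:
            raise KeyError(new_domain)
        self.domain = new_domain


def attempt(process: Process, obj: str, op: str) -> bool:
    """True if the operation was permitted and performed, False if it was denied."""
    try:
        process.invoke(obj, op)
        return True
    except PermissionError:
        return False
```

Note that omitting the object name from the right (storing "read" rather than "<F1, read>") works only because the column already names the object, exactly as the text says; domain_as_pairs rebuilds the pair form from the row.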

6.6 Security
Protection, as we discussed earlier, is strictly an internal problem: how do we provide
controlled access to programs and data stored in a computer system? Security, on the other
hand, requires not only an adequate protection system but also consideration of the external
environment within which the system operates. A protection system is ineffective if user
authentication is compromised or a program is run by an unauthorized user. Computer
resources must be guarded against unauthorized access, malicious destruction or alteration,
and accidental introduction of inconsistency. These resources include information stored in
the system (both data and code), as well as the CPU, memory, disks, tapes and networking
that are the computer.

6.6.1 The Security Problem

In many applications, ensuring the security of the computer system is worth considerable
effort. Systems that contain data pertaining to corporate operations may be of interest to
unscrupulous competitors. A system is secure if its resources are used and accessed as
intended under all circumstances. Unfortunately, total security cannot be achieved.
Nonetheless, we must have mechanisms to make security breaches a rare occurrence, rather
than the norm.

Security violations (or misuse) of the system can be categorized as intentional (malicious) or
accidental. It is easier to protect against accidental misuse than against malicious misuse. For
the most part, protection mechanisms are the core of protection from accidents. In our
discussion of security, we will use the terms intruder and cracker for those attempting to
breach security. In addition, a threat is the potential for a security violation, such as the
discovery of vulnerability, whereas an attack is the attempt to break security. The following
list includes forms of accidental and malicious security violations.
 Breach of confidentiality: This type of violation involves unauthorized reading of
data (or theft of information) such as credit-card numbers, trade secrets, patents,
secret formulas, manufacturing procedures, medical information, financial
information, etc.
 Breach of integrity: This violation involves unauthorized modification of data,
which may have serious indirect consequences. For example, a popular game or other
program's source code could be modified to open up security holes on users' systems
before being released to the public.
 Breach of availability: This violation involves unauthorized destruction of data,
often just for the “fun” of causing havoc and for bragging rights. Vandalism of web
sites is a common form of this violation.
 Theft of service: Unauthorized use of resources, such as theft of CPU cycles,
installation of daemons running an unauthorized file server, or tapping into the
target’s telephone or networking services.
 Denial of service (DOS): Preventing legitimate users from using the system, often by
overloading and overwhelming the system with an excess of requests for service.

To protect a system, we must take security measures at four levels:

1. Physical: The site or sites containing the computer systems must be physically
secured against armed or surreptitious entry by intruders.
2. Human: Authorizing users must be done carefully to assure that only appropriate
users have access to the system. Even authorized users, however, may be
"encouraged" to let others use their access (in exchange for a bribe, for example).
However, more and more attacks today are made via social engineering, which
basically means fooling trustworthy people into accidentally breaching security.
The following are types of social-engineering attack:
a. Phishing involves sending an innocent-looking e-mail or web site designed to
fool people into revealing confidential information. E.g. spam e-mails
pretending to be from eBay, PayPal, or any of a number of banks or credit-
card companies.
b. Dumpster Diving involves searching the trash or other locations for
passwords that are written down. (Note: Passwords that are too hard to
remember, or which must be changed frequently are more likely to be written
down somewhere close to the user’s station).
c. Password Cracking involves divining users’ passwords, either by watching
them type in their passwords, knowing something about them like their pet’s
names, or simply trying all words in common dictionaries.
3. Operating system: The system must protect itself from accidental or purposeful
security breaches.
4. Network: Much computer data in modern systems travels over private leased lines,
shared lines like the Internet, wireless connections, or dial-up lines. Intercepting these
data could be just as harmful as breaking into a computer; and interruption of
communications could constitute a remote denial-of-service attack, diminishing users’
use of and trust in the system.

6.7 Program Threats

There are many common threats to modern systems. Only a few are discussed here.

6.7.1 Trojan Horse

 A Trojan Horse is a program that secretly performs some maliciousness in addition to
its visible actions. Some Trojan horses are deliberately written as such, and others are
the result of legitimate programs that have become infected with viruses.

 A variation of the Trojan horse is a login emulator program that emulates a login
program. An unsuspecting user starts to log in at a terminal and notices that he has
apparently mistyped his password. He tries again and is successful. What has
happened is that his authentication key and password have been stolen by the login
emulator, which was left running on the terminal by the thief.

 Another variation on the Trojan horse is spyware. It is often included in free software
downloaded off the Internet. Spyware programs generate pop-up browser windows,
and may also accumulate information about the user and deliver it to some central
site. Another common task of spyware is to send out spam e-mail messages, which
then purportedly come from the infected user.

6.7.2 Trap Door

 A Trap Door is when a designer or a programmer deliberately inserts a security hole
that they can use later to access the system.
 Because of the possibility of trap doors, once a system has been in an untrustworthy
state, that system can never be trusted again. Even the backup tapes may contain a
copy of some cleverly hidden back door.
 A clever trap door could be inserted into a compiler, so that any programs compiled
with that compiler would contain a security hole. This is especially dangerous,
because inspection of the code being compiled would not reveal any problems.

6.7.3 Logic Bomb

 A Logic Bomb is code that is not designed to cause havoc all the time, but only when
a certain set of circumstances occurs, such as when a particular date or time is reached
or some other noticeable event.
 A classic example is the Dead-Man Switch, which is designed to check whether a
certain person (e.g. the author) is logging in every day, and if they don't log in for a
long time (presumably because they’ve been fired), then the logic bomb goes off and
either opens up security holes or causes other problems.

6.7.4 Viruses
 A virus is a fragment of code embedded in an otherwise legitimate program, designed
to replicate itself (by infecting other programs), and (eventually) wreaking havoc.
 Viruses are more likely to infect PCs than other multi-user systems, because programs
in the latter systems have limited authority to modify other programs or to access
critical system structures.
 Once a virus reaches a target machine, a program known as a virus dropper inserts the
virus onto the system. The virus dropper is usually a Trojan horse, executed for other
reasons but installing the virus as its core activity.

6.8 System and Network Threats

Most of the threats described above are termed program threats, because they attack specific
programs or are carried and distributed in programs. The threats in this section attack the
operating system or the network itself, or leverage those systems to launch their attacks.

 Worms: A worm is a process that makes copies of itself in order to wreak havoc on a
system. Worms consume system resources, often blocking out other, legitimate
processes. Worms that propagate over networks can be especially problematic, as they
can tie up vast amounts of network resources and bring down large-scale systems.
 Port Scanning: Port Scanning is technically not an attack, but rather a search for
vulnerabilities to attack. The basic idea is to systematically attempt to connect to
every known (or common or possible) network port on some remote machine, and to
attempt to make contact. Once it is determined that a particular computer is listening
to a particular port, then the next step is to determine what daemon is listening, and
whether or not it is a version containing a known security flaw that can be exploited.
There are also port scanners available that administrators can use to check their own
systems, which report any weaknesses found but which do not exploit the weaknesses
or cause any problems.
 Denial of Service: Denial of Service (DOS) attacks do not attempt to actually access
or damage systems, but merely to clog them up so badly that they cannot be used for
any useful work. Tight loops that repeatedly request system services are an obvious
form of this attack. DOS attacks can also involve social engineering, such as the
Internet chain letters that say “send this immediately to 10 of your friends, and then
go to a certain URL”, which clogs up not only the Internet mail system but also the
web server to which everyone is directed.

6.9 Cryptography as a Security Tool

Within a given computer the transmittal of messages is safe, reliable and secure, because the
OS knows exactly where each one is coming from and where it is going. On a network,
however, things aren’t so straightforward: a rogue computer (or e-mail sender) may spoof
their identity, and outgoing packets are delivered to a lot of other computers besides their
(intended) final destination, which brings up two big questions of security:
 Trust: How can the system be sure that the messages received are really from the
source that they say they are, and can that source be trusted?
 Confidentiality: How can one ensure that the messages one is sending are received
only by the intended recipient?

Cryptography can help with both of these problems, through a system of secrets and keys. In
the former case, the key is held by the sender, so that the recipient knows that only the
authentic author could have sent the message; in the latter, the key is held by the recipient, so
that only the intended recipient can receive the message accurately. Keys are designed so that
they cannot be divined from any public information, and must be guarded carefully.

6.9.1 Encryption
Because it solves a wide variety of communication security problems, encryption is used
frequently in many aspects of modern computing. The basic idea of encryption is to encode a
message so that only the desired recipient can decode and read it. Encryption has been around
since before the days of Caesar, and is an entire field of study in itself.

The steps in the procedure and some of the key terminology are as follows:
 The sender first creates a message, M in plaintext.
 The message is then entered into an encryption algorithm, E, along with the
encryption key, Ke.
 The encryption algorithm generates the ciphertext, C = E(Ke)(M). For any key K,
E(K) is an algorithm for generating ciphertext from a message, and both E and E(K)
should be efficiently computable functions.
 The ciphertext can then be sent over an insecure network, where it may be received
by attackers.
 The recipient enters the ciphertext into a decryption algorithm, D, along with the
decryption key, Kd.
 The decryption algorithm regenerates the plaintext message, M = D(Kd)(C). For any
key K, D(K) is an algorithm for generating a clear-text message from a ciphertext, and
both D and D(K) should be efficiently computable functions.
 The algorithms described here must have this important property: given a ciphertext
C, a computer can compute a message M such that C = E(K)(M) only if it possesses
D(K). In other words, the messages can't be decoded unless you have the decryption
algorithm and the decryption key.

6.9.1.1 Symmetric Encryption

With symmetric encryption the same key is used for both encryption and decryption, and
must be safely guarded. There are a number of well-known symmetric encryption algorithms
that have been used for computer security:

The Data Encryption Standard (DES), developed by the National Institute of Standards and
Technology (NIST), has been a standard civilian encryption algorithm for over 20 years.
Messages are broken down into 64-bit chunks, each of which is encrypted using a 56-bit key
through a series of substitutions and transformations. Some of the transformations are hidden
(black boxes), and are classified by the U.S. government.

DES is known as a block cipher, because it works on blocks of data at a time. Unfortunately,
there is a vulnerability if the same key is used for an extended amount of data. As modern
computers become faster and faster, the security of DES has decreased, to where it is now
considered insecure because its keys can be exhaustively searched within a reasonable
amount of computer time. An enhancement called triple DES encrypts the data three times
using three separate keys (actually two encryptions and one decryption) for an effective key
length of 168 bits. Triple DES is in widespread use today.

The Advanced Encryption Standard (AES), developed by NIST in 2001 to replace DES, uses
key lengths of 128, 192, or 256 bits, and encrypts in blocks of 128 bits using 10 to 14 rounds of
transformations on a matrix formed from the block.

6.9.1.2 Asymmetric Encryption

With asymmetric encryption, the decryption key, Kd, is not the same as the encryption key,
Ke, and more importantly cannot be derived from it, which means the encryption key can be
made publicly available, and only the decryption key needs to be kept secret.

One of the most widely used asymmetric encryption algorithms is RSA, named after its
developers - Rivest, Shamir, and Adleman.

Note that asymmetric encryption is much more computationally expensive than symmetric
encryption, and as such it is not normally used for large transmissions. Asymmetric
encryption is suitable for small messages, authentication, and key distribution.
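The encryption steps of 6.9.1, together with the symmetric and asymmetric schemes just described, as an added example that is not part of the chapter: E(K) and D(K) are written as functions that take a key and return the encrypt or decrypt mapping, so C = E(Ke)(M) and M = D(Kd)(C) read exactly as in the text. The symmetric scheme is a demonstration cipher built from the Python standard library (an HMAC-SHA256 keystream XORed with the message), not DES or AES; the asymmetric scheme is textbook RSA with tiny constructed primes and no padding. Neither is for real use. The point is that Ke equals Kd in the first case and can be published in the second.

```python
# Added example (not from the chapter): the E(K) / D(K) notation of Section
# 6.9.1 made concrete for both kinds of scheme in 6.9.1.1 and 6.9.1.2. The
# symmetric cipher is a demonstration cipher built from the standard library
# (an HMAC-SHA256 keystream in counter mode, XORed with the message); it is not
# DES or AES and is not meant for real use. The asymmetric part is textbook RSA
# with tiny constructed primes so every value is checkable by hand; it has no
# padding, which real RSA requires.
import hashlib
import hmac
import math
import secrets
from typing import Callable, Optional, Tuple

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key and nonce into `length` pseudorandom bytes, one HMAC block at a time."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def E_sym(Ke: bytes) -> Callable[..., bytes]:
    """E(Ke): the function M -> C for a symmetric key. A fresh nonce per message
    is what lets one key be used for more than one message."""
    def encrypt(M: bytes, nonce: Optional[bytes] = None) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN) if nonce is None else nonce
        ks = _keystream(Ke, nonce, len(M))
        return nonce + bytes(m ^ k for m, k in zip(M, ks))
    return encrypt


def D_sym(Kd: bytes) -> Callable[[bytes], bytes]:
    """D(Kd): the inverse mapping; with a symmetric scheme Kd == Ke."""
    def decrypt(C: bytes) -> bytes:
        nonce, body = C[:NONCE_LEN], C[NONCE_LEN:]
        ks = _keystream(Kd, nonce, len(body))
        return bytes(c ^ k for c, k in zip(body, ks))
    return decrypt


def rsa_keypair(p: int, q: int, e: int = 17) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Textbook RSA: Ke = (e, n) may be published; Kd = (d, n) stays secret.
    d is not derivable from (e, n) without factoring n back into p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def E_rsa(Ke: Tuple[int, int]) -> Callable[[int], int]:
    """E(Ke) for RSA: M -> M^e mod n, for integer messages below n."""
    e, n = Ke
    def encrypt(M: int) -> int:
        if not 0 <= M < n:
            raise ValueError("message must be an integer below n")
        return pow(M, e, n)
    return encrypt


def D_rsa(Kd: Tuple[int, int]) -> Callable[[int], int]:
    """D(Kd) for RSA: C -> C^d mod n."""
    d, n = Kd
    return lambda C: pow(C, d, n)


if __name__ == "__main__":
    K = b"constructed demo key"
    C = E_sym(K)(b"meet at noon")
    print(D_sym(K)(C))                       # b'meet at noon'
    Ke, Kd = rsa_keypair(61, 53)             # constructed tiny primes: n = 3233
    print(Ke, Kd, D_rsa(Kd)(E_rsa(Ke)(65)))  # (17, 3233) (2753, 3233) 65
```

The property stated at the end of 6.9.1 shows up directly: D_sym with the wrong key returns unrelated bytes, and for RSA a party holding only the public (e, n) has no way to compute d short of factoring n, which is trivial for n = 3233 and infeasible at real key sizes.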

6.10 User Authentication

If a system cannot authenticate a user, then authenticating that a message came from that user
is pointless. Thus, a major security problem for operating systems is user authentication. A
user normally identifies herself. How do we determine whether a user's identity is authentic?
Generally, user authentication is based on one or more of three things: the user’s possession
of something (a key or card), the user’s knowledge of something (a user identifier and
password), and/or an attribute of the user (fingerprint, retina pattern, or signature).

6.10.1 Passwords
 Passwords are the most common form of user authentication. If the user is in
possession of the correct password, then they are considered to have identified
themselves.
 In theory separate passwords could be implemented for separate activities, such as
reading this file, writing that file, etc. In practice most systems use one password to
confirm user identity, and then authorization is based upon that identification. This is
a result of the classic trade-off between security and convenience.

6.10.2 Password Vulnerabilities

 Passwords can be guessed.
o Intelligent guessing requires knowing something about the specific intended target,
or about people and commonly used passwords in general.
o Brute-force guessing involves trying every word in the dictionary, or every
valid combination of characters. For this reason good passwords should not be
in any dictionary (in any language), should be reasonably lengthy, and should
use the full range of allowable characters by including upper and lower case
characters, numbers, and special symbols.
 “Shoulder surfing” involves looking over people’s shoulders while they are typing in
their password.
o Even if the lurker does not get the entire password, they may get enough clues
to narrow it down, especially if they watch on repeated occasions.
o Common courtesy dictates that you look away from the keyboard while
someone is typing their password.
o Passwords echoed as stars or dots still give clues, because an observer can
determine how many characters are in the password.
 “Packet sniffing” involves putting a monitor on a network connection and reading
data contained in those packets.
 Long, hard-to-remember passwords are often written down, particularly if they are
used seldom or must be changed frequently.
 Passwords can be given away to friends or co-workers, destroying the integrity of the
entire user-identification system.
 Most systems have configurable parameters controlling password generation and what
constitutes acceptable passwords.
o They may be user chosen or machine generated.
o They may have minimum and/or maximum length requirements.
o They may need to be changed with a given frequency (in extreme cases, for
every session).
o A variable length history can prevent repeating passwords.
o More or less stringent checks can be made against password dictionaries.
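The configurable parameters listed above, as an added example that is not from the chapter: a policy object with length bounds, a required number of character classes, a dictionary check (plain, or strict enough to reject embedded dictionary words), and a reuse history, plus the size of the search space that length and a full character range impose on exhaustive guessing. The policy values and the three-word dictionary are constructed for the demonstration.

```python
# Added example (not from the chapter): a checker for the configurable
# password parameters listed in Section 6.10.2 (length bounds, character
# variety, dictionary check, history), plus the size of the search space an
# exhaustive guesser faces, which is why length and a full character range
# matter. Policy values and the tiny dictionary are constructed for the demo.
import math
import string
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    max_length: int = 128
    min_classes: int = 3             # of: lowercase, uppercase, digits, symbols
    history_depth: int = 5           # how many previous passwords may not be reused
    dictionary: FrozenSet[str] = frozenset()
    strict_dictionary: bool = False  # also reject dictionary words embedded in the password


CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}


def classes_used(password: str) -> List[str]:
    """Which of the four character classes appear in the password."""
    tests = {
        "lower": str.islower,
        "upper": str.isupper,
        "digit": str.isdigit,
        "symbol": lambda c: c in string.punctuation,
    }
    return [name for name, test in tests.items() if any(test(c) for c in password)]


def search_space_bits(password: str) -> float:
    """log2 of how many strings an exhaustive guesser must cover to try every
    password of this length drawn from the classes this one uses."""
    alphabet = sum(CLASS_SIZES[name] for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password: str, policy: PasswordPolicy,
                   history: Sequence[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if len(classes_used(password)) < policy.min_classes:
        problems.append(f"uses fewer than {policy.min_classes} character classes")
    lowered = password.lower()
    if lowered in policy.dictionary:
        problems.append("is a dictionary word")
    elif policy.strict_dictionary and any(
            word in lowered for word in policy.dictionary if len(word) >= 4):
        problems.append("contains a dictionary word")
    if policy.history_depth > 0 and password in list(history)[-policy.history_depth:]:
        problems.append(f"reuses one of the last {policy.history_depth} passwords")
    return problems
```

The strict_dictionary flag is the "more or less stringent checks" knob: the plain check only catches a password that is a dictionary word outright, the strict one also catches a word padded with digits and symbols.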

6.10.3 Encrypted Passwords

 Modern systems do not store passwords in clear-text form, and hence there is no
mechanism to look up an existing password.
 Rather they are encrypted and stored in that form. When a user enters their password,
that too is encrypted, and if the encrypted version matches, then user authentication
passes.
 The encryption scheme was once considered safe enough that the encrypted versions
were stored in the publicly readable file "/etc/passwd".
 They always encrypted to a 13-character string, so an account could be disabled by
putting a string of any other length into the password field.
 Modern computers can try every possible password combination in a reasonably short
time, so now the encrypted passwords are stored in files that are only readable by the
super user. Any password-related programs run as root to get access to these files.
 A random seed is included as part of the password generation process, and stored as
part of the encrypted password. This ensures that if two accounts have the same plaintext
password, they will not have the same encrypted password.
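Storing a password the way these bullets describe, as an added example not taken from the chapter or from any real login program: a random seed (today called a salt) is generated per account, a deliberately slow one-way function (PBKDF2-HMAC-SHA256 from Python's standard library) stands in for the old 13-character scheme, and verification re-derives the hash from the attempt and compares. The record format, iteration count and sample passwords are this example's own choices.

```python
# Added example (not from the chapter): storing passwords the way Section 6.10.3
# describes, with a random per-account seed (today called a salt) and a slow
# one-way function (PBKDF2-HMAC-SHA256 from the standard library). The record
# format and iteration count are this example's choices, not any system's.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # deliberately slow, so exhaustive guessing stays expensive


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return the string stored for an account; the plaintext is never kept."""
    if salt is None:
        salt = os.urandom(16)  # fresh random seed per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(record: str, attempt: str) -> bool:
    """Re-derive the hash of the attempt with the stored seed and compare it.
    Anything that does not parse as a record (for example a lone "!" or "*")
    fails closed, which is the modern form of disabling an account by putting
    an unusable string in the password field."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def same_password_different_records(password: str) -> bool:
    """Two accounts with the same plaintext get different stored strings."""
    return make_record(password) != make_record(password)
```

Because the seed is stored beside the hash, the system can always re-derive a candidate for comparison, but there is still no function from record to password, which is exactly the "no mechanism to look up an existing password" property the first bullet states.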

6.10.4 One-Time Passwords

 One-time passwords resist shoulder surfing and other attacks where an observer is
able to capture a password typed in by a user.
 These are often based on a challenge and a response. Because the challenge is
different each time, the old response will not be valid for future challenges.
 For example, the user may be in possession of a secret function f(x). The system
challenges with some given value for x, and the user responds with f(x), which the
system can then verify. Since the challenger gives a different (random) x each time,
the answer is constantly changing.
 Another option is to have some sort of electronic card with a series of constantly
changing numbers, based on the current time. The user enters the current number on
the card, which will only be valid for a few seconds. Two-factor authentication also
requires a traditional password in addition to the number on the card, so others may
not use it if it were ever lost or stolen.
 A third variation is a code book, or one-time pad. In this scheme a long list of
passwords are generated and each one is crossed off and cancelled as it is used.
 Obviously it is important to keep the pad secure.
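The challenge/response scheme and the time-based card above, as an added example not taken from the chapter: f(x) is an HMAC-SHA256 of the challenge under a secret the user and the system share, and the card's changing number is implemented as HOTP/TOTP (RFC 4226 and RFC 6238, which are the standardized form of the card the text describes, so the example generalizes slightly beyond the text). The shared secrets are constructed for the demonstration; the HOTP/TOTP code matches the RFC test vectors.

```python
# Added example (not part of the chapter): the challenge/response scheme of
# Section 6.10.4, with HMAC-SHA256 as the user's secret function f(x), plus the
# "card with a constantly changing number" generalized to the HOTP/TOTP
# algorithms of RFC 4226 and RFC 6238 (the RFCs are real; the secrets used
# below are constructed for the demonstration).
import hashlib
import hmac
import secrets


def respond(secret: bytes, challenge: bytes) -> str:
    """The user's secret function f(x): an HMAC over the challenge x."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


class ChallengeResponseServer:
    """Issues a fresh random x per login; a response is valid for that x only."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._pending = None  # the outstanding challenge, if any

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)  # a different (random) x each time
        return self._pending

    def verify(self, response: str) -> bool:
        if self._pending is None:
            return False
        x, self._pending = self._pending, None  # each challenge is answered at most once
        expected = respond(self._secret, x)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over a 64-bit counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the card's number is HOTP over the current time step."""
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, code: str, at_time: float,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or `window` steps either side, to
    tolerate clock drift; outside that, an old number is simply invalid."""
    counter = int(at_time // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + k, digits), code)
        for k in range(-window, window + 1)
    )
```

Both halves defeat the observer the text worries about: a captured response answers only the challenge it was computed for, and a captured card number stops working after the time window, so shoulder surfing or sniffing one login yields nothing reusable.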

6.10.5 Biometrics
 Biometrics involve a physical characteristic of the user that is not easily forged or
duplicated and not likely to be identical between multiple users.
 Fingerprint scanners are getting faster, more accurate, and more economical.
 Palm readers can check thermal properties, finger length, etc.
 Retinal scanners examine the back of the user’s eyes.
 Voiceprint analyzers distinguish particular voices.
 Difficulties may arise in the event of colds, injuries, or other physiological changes.
