30.1 Lecture 30: Security II
Based on Silberschatz & Galvin’s slides and Stallings’ slides
30.2 System Threats
Most operating systems provide a means for processes to spawn other processes. In such an environment, it is possible to create a situation where operating-system resources and user files are misused.
Methods for achieving this misuse:
–Worms
–Viruses
–Bacteria
30.3 System Threats
Worms
–Use network connections to spread from system to system
  –Electronic mail facility: a worm mails a copy of itself to other systems
  –Remote execution capability: a worm executes a copy of itself on another system
  –Remote log-in capability: a worm logs on to a remote system as a user and then uses commands to copy itself from one system to the other
30.4 System Threats
Viruses
–Program that can infect other programs by modifying them
  –the modification includes a copy of the virus program
  –the infected program can then infect other programs
30.5 Virus Stages
Dormant phase
–virus is idle
Propagation phase
–virus places an identical copy of itself into other programs or into certain system areas on the disk
30.6 Virus Stages
Triggering phase
–virus is activated to perform the function for which it was intended
–caused by a variety of system events
Execution phase
–function is performed
30.7 Types of Viruses
Parasitic
–attaches itself to executable files and replicates
–when the infected program is executed, it looks for other executables to infect
Memory-resident
–lodges in main memory as part of a resident system program
–once in memory, it infects every program that executes
30.8 Types of Viruses
Boot sector
–infects the boot record
–spreads when the system is booted from the disk containing the virus
Stealth
–designed to hide itself from detection by antivirus software
–may use compression
30.9 Types of Viruses
Polymorphic
–mutates with every infection, making detection by the signature of the virus impossible
–creates copies of itself that are functionally equivalent but have distinctly different bit patterns
30.10 Antivirus Approaches
First-generation
–scanner identifies a virus by its signature
  –virus has the same structure and bit pattern in all copies
–maintains a record of the length of programs and looks for changes in length
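The two first-generation techniques on this slide, written out as a toy scanner. This is an added example, not code from the lecture or from Stallings; every signature, file name and file body in it is constructed sample data, and the "signature database" is hypothetical. The last constructed file shows why slide 30.9 matters: a copy whose bit pattern matches no signature is only caught by the length record.

```python
# Added example (not from the lecture slides): a toy first-generation
# antivirus scanner combining the two techniques the slide lists:
# fixed-signature matching and detection of length changes in programs.
# All signatures, file names and file bodies below are constructed.

# Hypothetical signature database: virus name -> byte pattern that appears
# unchanged in every copy of that (non-polymorphic) virus.
SIGNATURES = {
    "Sample.A": b"\xeb\x1f\x5e\x89\x76\x08\x31\xc0",
    "Sample.B": b"SAMPLE-VIRUS-MARKER",
}


def scan_signatures(data: bytes, signatures=SIGNATURES) -> list:
    """Return the names of all signatures whose byte pattern occurs in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def record_lengths(programs: dict) -> dict:
    """Baseline for the length check: program path -> size in bytes.
    Must be taken while the system is known to be clean."""
    return {path: len(body) for path, body in programs.items()}


def length_changes(baseline: dict, programs: dict) -> list:
    """Return (path, old_len, new_len) for each program whose length changed.

    Programs absent from the baseline are skipped: the scanner can only notice
    growth in programs it has measured before."""
    changes = []
    for path, body in programs.items():
        old = baseline.get(path)
        if old is not None and old != len(body):
            changes.append((path, old, len(body)))
    return changes


def scan_system(programs: dict, baseline: dict, signatures=SIGNATURES) -> dict:
    """Run both checks; return {"signature": {path: [names]}, "length": [...]}.

    A file flagged by the length check but by no signature is the polymorphic
    case from slide 30.9: the bit pattern differs in every copy, so only the
    side effect (the host program grew) is visible to a first-generation tool."""
    hits = {}
    for path, body in programs.items():
        names = scan_signatures(body, signatures)
        if names:
            hits[path] = names
    return {"signature": hits, "length": length_changes(baseline, programs)}


# Constructed "disk": a clean system, then the same system after infection.
CLEAN_SYSTEM = {
    "/bin/ls": b"\x7fELF ls program body",
    "/bin/cp": b"\x7fELF cp program body",
    "/bin/sh": b"\x7fELF sh program body",
}
INFECTED_SYSTEM = {
    # parasitic infection: the virus body is appended to the host program
    "/bin/ls": CLEAN_SYSTEM["/bin/ls"] + SIGNATURES["Sample.A"] + b"payload",
    "/bin/cp": CLEAN_SYSTEM["/bin/cp"],
    # a copy whose bit pattern matches no known signature (polymorphic case)
    "/bin/sh": CLEAN_SYSTEM["/bin/sh"] + b"\x90\x90different-looking-body",
}


if __name__ == "__main__":
    baseline = record_lengths(CLEAN_SYSTEM)  # taken while the system is clean
    print(scan_system(INFECTED_SYSTEM, baseline))
```

Running it reports `/bin/ls` under both checks and `/bin/sh` under the length check only; `/bin/cp`, which is unchanged, is reported by neither.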
30.11 Antivirus Approaches
Second-generation
–uses heuristic rules to search for probable virus infection
–looks for fragments of code that are often associated with viruses
30.12 Antivirus Approaches
Third-generation
–memory-resident programs that identify a virus by its actions rather than its structure
–intervene when these actions take place
30.13 Antivirus Approaches
Fourth-generation
–consists of a variety of antivirus techniques used in conjunction
30.14 System Threats
Bacteria
–Purpose is to replicate themselves
–Reproduce exponentially
  –take up all the processor capacity
  –take up memory
  –take up disk space
  –deny users access to resources
30.15 Threat Monitoring
–Check for suspicious patterns of activity, e.g., several incorrect password attempts may signal password guessing.
–Audit log: records the time, user, and type of all accesses to an object; useful for recovery from a violation and for developing better security measures.
–Scan the system periodically for security holes; done when the computer is relatively unused.
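The "several incorrect password attempts" pattern, detected over an audit log that records time, user and type of access. This is an added example, not from the lecture; the log format, every log line, the hosts and user names are constructed for it, so only `parse_line()` would need changing for a real system's log format. The threshold and window are assumptions, chosen to show what a fixed window does and does not catch.

```python
# Added example (not from the lecture slides): detect password guessing as a
# burst of failed logins for the same (user, source) inside a sliding time
# window. The log format and every entry below are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log excerpt: time, user, type of access, outcome, source.
AUDIT_LOG = """\
2024-03-01 09:00:01 user=alice access=login result=fail src=10.0.0.7
2024-03-01 09:00:03 user=alice access=login result=fail src=10.0.0.7
2024-03-01 09:00:05 user=alice access=login result=fail src=10.0.0.7
2024-03-01 09:00:06 user=alice access=login result=fail src=10.0.0.7
2024-03-01 09:00:09 user=bob access=login result=ok src=10.0.0.9
2024-03-01 09:00:10 user=alice access=login result=ok src=10.0.0.7
2024-03-01 09:30:00 user=carol access=login result=fail src=10.0.0.12
2024-03-01 09:45:00 user=carol access=login result=fail src=10.0.0.12
2024-03-01 10:05:00 user=carol access=login result=fail src=10.0.0.12
2024-03-01 10:20:00 user=carol access=login result=fail src=10.0.0.12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) access=(?P<access>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def detect_password_guessing(log_text, threshold=3, window_seconds=300):
    """Return alerts as (kind, user, src, timestamp) tuples.

    "password-guessing": at least `threshold` failed logins for one
    (user, src) pair within `window_seconds` (raised once per pair).
    "success-after-failures": a later successful login by a pair that was
    already flagged, i.e. the guessing may have worked."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["access"] != "login":
            continue
        key = (rec["user"], rec["src"])
        if rec["result"] == "ok":
            if key in alerted:
                alerts.append(("success-after-failures", rec["user"], rec["src"], rec["ts"]))
            recent[key].clear()
            continue
        q = recent[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append(("password-guessing", rec["user"], rec["src"], rec["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(AUDIT_LOG):
        print(*alert)
```

With the 5-minute default, alice's burst is flagged at 09:00:05 and her later success is flagged as well, while carol's four failures spread over 50 minutes never fall inside one window; widening the window to an hour catches carol too. The window and threshold therefore decide what "several attempts" means, and a slow guesser is missed by a short window.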
30.16 Threat Monitoring (Cont.)
Check for:
–Short or easy-to-guess passwords
–Unauthorized set-uid programs
–Unauthorized programs in system directories
–Unexpected long-running processes
–Improper directory protections
–Improper protections on system data files
–Dangerous entries in the program search path (Trojan horse)
–Changes to system programs: monitor checksum values