OPERATING SYSTEMS CS 3502 Fall 2017
Chapter 11 Security Dr. Donghyun (David) Kim Department of Computer Science College of Computing and Software Engineering Kennesaw State University
Protection: mechanisms to control what an authenticated user can do.
- File Protection
- Memory Protection
- Web Protection
Protection: mechanisms to keep unauthorized users from accessing the system at all.
- Firewalls
- Virus Detection
- Spyware Detection
Encryption: scrambles data and messages so that eavesdroppers cannot read what is being transmitted. Also used as part of authentication, to help ensure that someone is not posing as somebody else.
People
- Lack of knowledge about security
- People will not keep information secure
- People can be conned into giving out information they shouldn't (social engineering)
- Poor system administration
Types of Attacks
- Trojan Horse
- Trap Door
- Stack & Buffer Overflow
- Worm
- Virus
- Denial of Service
Trojan Horse: a program that appears to be a legitimate agent or process but actually behaves differently, carrying a hidden function the user did not ask for. Viruses and spyware are often introduced as Trojan Horses.
Trap Door (back door): a hidden way to bypass the normal security protections of a program or system. Often deliberately left in applications and systems to help support staff, and just as usable by an attacker who discovers it.
Stack & Buffer Overflow
Send an incorrectly formatted (typically overlong) command or message to a system. If the system does not check the length before copying the data into a fixed-size buffer, the excess overwrites adjacent memory; on the stack that includes the saved return address, so the attacker can make the program execute actions it shouldn't.
Stack & Buffer Overflow (diagram slide; the figure is not reproduced in this text)
Stack & Buffer Overflow
How does this happen?
- A poorly programmed read. It should be read(file,buffer,100), which bounds the copy to the 100-byte buffer, instead of read(file,buffer), which copies as much data as the remote system sends. C's gets() and strcpy() have the same unbounded shape.
- Inadequate checking of the validity of the data that is received.
Stack & Buffer Overflow
Security Design Rule: assume any data you receive is incorrectly formatted (until proven otherwise).
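The unbounded read and the design rule above, as an added example in Python rather than the C the slide has in mind (this code is not from the lecture): a fixed 100-byte buffer receiving a length-prefixed message. The frame format, the constructed sample messages and the function names are assumptions for illustration. Python cannot corrupt memory the way C does, so the unchecked receiver reports how many bytes it wrote past the buffer's intended size instead of overwriting the stack.

```python
import struct

BUF_CAPACITY = 100  # the fixed-size buffer of the slide's read(file, buffer, 100)

# Constructed sample frames (not from the slides): a 2-byte big-endian length
# followed by that many payload bytes.
GOOD_MSG = struct.pack(">H", 5) + b"hello"
# The declared length (60000) is far larger than the bytes that follow; a
# receiver that trusts the header will over-read or over-copy.
LYING_MSG = struct.pack(">H", 60000) + b"A" * 20
# Honest header, but 300 real bytes aimed at a 100-byte buffer.
OVERSIZED_MSG = struct.pack(">H", 300) + b"A" * 300


def receive_unchecked(buf, wire):
    """The slide's read(file, buffer): copy however many bytes the peer sends.
    Returns how far the copy ran past BUF_CAPACITY (>0 is the overflow that
    in C would clobber whatever lies beyond the array)."""
    buf.clear()
    buf.extend(wire)
    return max(0, len(buf) - BUF_CAPACITY)


def check_message(wire):
    """Apply the design rule: treat the frame as malformed until every field is
    checked. Returns None if it is well-formed and fits, else the reason."""
    if len(wire) < 2:
        return "truncated header"
    (declared,) = struct.unpack(">H", wire[:2])
    body_len = len(wire) - 2
    if declared != body_len:
        return f"declared length {declared} != received {body_len}"
    if declared > BUF_CAPACITY:
        return f"payload {declared} exceeds buffer capacity {BUF_CAPACITY}"
    return None


def receive_checked(buf, wire):
    """The slide's read(file, buffer, 100): never copy past capacity, and
    reject a frame whose header lies about its size."""
    reason = check_message(wire)
    if reason is not None:
        raise ValueError(reason)
    buf.clear()
    buf.extend(wire[2:])
    return bytes(buf)


if __name__ == "__main__":
    print("unchecked overflow by", receive_unchecked(bytearray(), OVERSIZED_MSG), "bytes")
    print("checked:", receive_checked(bytearray(), GOOD_MSG))
    for frame in (LYING_MSG, OVERSIZED_MSG):
        print("rejected:", check_message(frame))
```

The checked receiver validates the declared length twice: once against the bytes actually present (the header is attacker-controlled) and once against the buffer's capacity (the destination is fixed). Dropping either check recreates one of the classic overflow patterns.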
SQL Injection: the application does inadequate validation of user input before putting it into an SQL statement.
Example: SELECT BALANCE FROM ACCTS WHERE ACCT_ID=xxxx
User input for xxxx: 104;UPDATE ACCTS SET BALANCE= WHERE ACCT_ID=104
The semicolon ends the intended query and the rest of the input runs as a second statement. The fix is to pass the value as a bound parameter (and check its type) rather than pasting it into the SQL text.
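The attack on this slide run against a real database engine, as an added example (not from the lecture) using Python's sqlite3 module. The table, the two accounts, the injected balance of 1000000 and the function names are constructed for illustration. The vulnerable path uses executescript() so the engine accepts stacked statements the way many database drivers do; the fixed path validates the type and binds the value as a parameter.

```python
import sqlite3

# Constructed sample input (not from the slides): the slide's stacked-query
# injection with a concrete balance filled in.
ATTACK = "104;UPDATE ACCTS SET BALANCE=1000000 WHERE ACCT_ID=104"


def make_db():
    """Constructed sample data (not from the slides): two accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ACCTS (ACCT_ID INTEGER PRIMARY KEY, BALANCE INTEGER)")
    con.executemany("INSERT INTO ACCTS VALUES (?, ?)", [(104, 50), (105, 9000)])
    con.commit()
    return con


def balance_vulnerable(con, acct_id_input):
    """The slide's bug: user input pasted straight into the SQL text.
    executescript() runs every statement in the string, mimicking drivers
    that allow stacked queries (sqlite3.execute() alone would refuse them).
    Returns the text the database actually ran."""
    sql = "SELECT BALANCE FROM ACCTS WHERE ACCT_ID=" + acct_id_input
    con.executescript(sql)
    return sql


def balance_safe(con, acct_id_input):
    """Fix: validate the type, then bind the value as a parameter so the
    driver never parses it as SQL. Returns None for an unknown or bad id."""
    try:
        acct_id = int(acct_id_input)  # an account id is an integer, nothing else
    except ValueError:
        return None
    row = con.execute("SELECT BALANCE FROM ACCTS WHERE ACCT_ID=?", (acct_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = make_db()
    print("before:", balance_safe(con, "104"))
    print("safe lookup with attack string:", balance_safe(con, ATTACK))
    print("ran:", balance_vulnerable(con, ATTACK))
    print("after:", balance_safe(con, "104"))
```

The safe version rejects the attack string before it reaches the database; even without the int() check, a bound parameter is compared as a value, never executed, so the UPDATE could not run.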
Worm: a self-contained program that automatically copies itself to other systems over the network, with no user action required.
Virus: a program that attaches itself to other programs or files on a system and carries out some action the computer user does not want; unlike a worm, it spreads when the infected host is run or copied.
Denial of Service: the typical attack sends so many messages to a system that it cannot do anything except respond to those messages, so legitimate users are locked out.
Goal of Protection: ensure that resources (data) are available only to users who are authorized to access them. A Protection Policy specifies the details of this goal for a particular system. The Protection Policy is implemented via Protection Mechanisms.
Example Protection Policies
- Access by password knowledge: Teresa can access the Personnel File if she knows a password.
- Access by User ID: Patty can modify the Personnel File; Jonathon can read the file; Brandon has no access to the file.
- Access by Group Membership: the HR dept can modify the Personnel File; the Payroll dept can read the file; other employees have no access to the file.
Protection Policies
A Protection Policy says:
- How a user can obtain access to a resource (data)
- What they can carry out with the resource / data (Access Rights)
Owner
Most Protection Policies have the concept of the Owner of the data. The Owner:
- Has all access rights to the data
- Can delegate Access Rights to other users / groups
Typical Access Rights: Read, Write, Execute, Delete
File Protection
R W E   Effect
0 0 0   No access allowed
0 0 1   Execute only: program can be executed
0 1 0   Write only: not really useful
0 1 1   Write-Execute: not used
1 0 0   Read only: file can be read / copied
1 0 1   Read-Execute: program can be executed / copied
1 1 0   Read-Write: normal data file
1 1 1   Read-Write-Execute: no protection
Protection Domains: a domain defines the set of objects that a process can access and how they can be accessed.
Object granularity: computer, file, record in a file, field in a record.
Two Protection Mechanisms
- File Attributes: each file specifies attributes for Owner, Group, Everyone.
- Access Control Lists: associated with each protected resource; specifies which individuals and/or groups have what access rights.
File Attributes
- Can specify whether Read, Write, Execute are allowed
- Can specify these separately for Owner, Group, Everyone
Access Control Lists
Each protected object has a list of:
- The users/groups that can access it
- What each user/group's access rights are
Access Control List Example
- HR dept: Read-Write
- Payroll dept: Read
- Others: None
MS Windows: the NTFS file system has support for Access Control Lists.
FAT file systems have no support for file protection.
Unix, Linux: use the attribute scheme (mode bits for owner, group, everyone).
With mode bits alone, protection can only be controlled to the group level; modern Linux and most Unix systems additionally support POSIX ACLs (getfacl/setfacl) for per-user entries.
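Both mechanisms from the slides above, the Owner/Group/Everyone attribute scheme and the Personnel File ACL, as one added Python example (not from the lecture). It implements the Unix rule that exactly one class of bits applies to a requester, renders the ls -l permission string, and checks a simplified ACL. The uids, gids, group names and ACL entry format are assumptions; root's bypass of the mode bits and the POSIX ACL mask are left out.

```python
# Access-right bits, matching the R/W/E (execute) names used in the slides.
R, W, X = 4, 2, 1


def unix_mode_allows(mode, owner_uid, owner_gid, uid, gids, want):
    """Unix attribute scheme: pick exactly one class for the requester
    (owner, then group, then other) and test the wanted bits against that
    class only. An owner who lacks a bit is denied even if 'other' has it.
    root's bypass of these checks is deliberately not modelled."""
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want


def mode_string(mode):
    """Render 0o640 as 'rw-r-----', the form ls -l prints."""
    out = []
    for shift in (6, 3, 0):
        bits = (mode >> shift) & 7
        out.append(("r" if bits & R else "-")
                   + ("w" if bits & W else "-")
                   + ("x" if bits & X else "-"))
    return "".join(out)


# The slide's Personnel File ACL: entries are (principal, rights); anyone
# not named gets nothing. Entry format is an assumption of this example.
PERSONNEL_ACL = [("group:HR", R | W), ("group:Payroll", R)]


def acl_allows(acl, user, groups, want):
    """Simplified ACL check: union the rights of every entry naming the user
    or one of the user's groups, then require all wanted bits."""
    granted = 0
    for principal, rights in acl:
        kind, name = principal.split(":", 1)
        if (kind == "user" and name == user) or (kind == "group" and name in groups):
            granted |= rights
    return (granted & want) == want


if __name__ == "__main__":
    # Constructed sample: personnel file owned by uid 1000, group 500 (HR), mode 0o640.
    print(mode_string(0o640))
    print("owner rw:", unix_mode_allows(0o640, 1000, 500, 1000, {500}, R | W))
    print("HR member w:", unix_mode_allows(0o640, 1000, 500, 2000, {500}, W))
    print("Payroll via ACL r:", acl_allows(PERSONNEL_ACL, "patty", {"Payroll"}, R))
```

The attribute scheme can express "HR reads and writes, everyone else nothing", but not "HR writes, Payroll reads, everyone else nothing" without an ACL, because a file has only one group field. That is the limitation the slide is pointing at.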
Web Browser Protection (diagram slide: applet running inside the browser; the figure is not reproduced in this text)
Web Browsers
Web browsers can execute programs (applets) that are received from another computer. Browsers could execute:
- Java Applets
- ActiveX Components (Internet Explorer)
Both technologies are now retired from mainstream browsers, but the sandboxing and code-signing ideas they raised carry over to today's browser extensions and downloaded executables.
Web Browsers
Potentially a very untrustworthy situation: code written by a stranger runs on your machine.
Some protection mechanism is required.
Java Applets: run in a "sandbox" enforced by the Java Virtual Machine (JVM). The JVM prevents the applet from performing "bad" actions. In general, applets cannot access files or other resources on the browser's machine, and may only open network connections back to the web server that provided the applet. A signed applet can be granted access to local files and resources, if the user accepts the signer.
ActiveX Components: execute native code.
- No sandbox: the code can carry out any action the user's account can.
- One should only allow signed ActiveX components to run, and even then a signature proves who published the code, not that the code is safe.
What is a Signed Component?
A signed component includes a digital signature by the author of the component, computed over a hash of the component's code. Browsers can verify that the digital signature is correct using the author's public key (delivered in a digital certificate), which also detects any modification of the code after it was signed.
Virus Protection: current virus protection programs detect malware by use of a "signature", a pattern of bytes taken from a known sample. Better technology is needed:
- Requires frequent updates, since a new sample must be seen before its signature exists
- Virus writers are starting to be able to trick the signature detection mechanisms (polymorphic and packed code)
Spyware: similar to viruses. Detection programs use similar signature-based technology to find it.
Firewalls: a firewall prevents undesirable messages from getting past it, based on rules about addresses, ports and protocols. A hardware firewall can make systems behind the firewall invisible to the outside world. A software (host) firewall can also detect programs unexpectedly accessing the internet from the machine it runs on.
Trusted Computing Initiative
Rather than trying to detect "bad" programs, allow the system to execute only "good" programs. Uses digital signature technology and cryptography embedded into hardware (a hardware root of trust that measures and attests what was loaded). The open question: what is a "good" program, and who decides?
Encryption: two primary functions
ciphertext = encrypt(plaintext, key1)
plaintext = decrypt(ciphertext, key2)
Symmetric Systems: key1 = key2
- Both sides must know the key
- Both sides MUST keep the key secret
- Requires a secure channel to distribute the key(s)
Symmetric Systems: examples
- DES (Data Encryption Standard): 56-bit keys; adopted in 1977 and now about 40 years old. A 56-bit key can be brute-forced, so DES is deprecated.
- AES (Advanced Encryption Standard): keys can be 128, 192, or 256 bits; adopted in 2001 and the current standard.
Asymmetric Systems: key1 ≠ key2
- One key is published (to the world): this is the "public key"
- The other key is kept private: this is the "private key"
Also known as Public Key encryption.
Asymmetric Systems: examples
- RSA (Rivest, Shamir, Adleman): based on the difficulty of factoring very large numbers.
- ECC (Elliptic Curve Cryptography): based on the difficulty of the discrete logarithm problem on an elliptic curve (an elliptic curve is not an ellipse; it is a curve of the form y² = x³ + ax + b over a finite field).
Asymmetric Systems
To send a message to Bob:
- Encrypt the message with Bob's public key
- Bob can decrypt the message with his private key and read the message
- Nobody else can read the message, because only Bob holds the private key
Asymmetric Systems
If Alice wants to "sign" a document:
- She computes a hash of the document (an irreversible computation)
- She encrypts the hash with her private key; that is the signature
- Anybody can verify that Alice signed the document by decrypting the signature with her public key and comparing the result to a freshly computed hash of the document
Symmetric vs Asymmetric
- Flexibility: asymmetric systems are much more flexible (no shared secret needed in advance)
- Speed: symmetric systems are much faster, so in practice an asymmetric system is used to exchange a symmetric key that encrypts the bulk data
Public Key Infrastructure (PKI): a business structure using
- Digital Certificates
- Certificate Authorities
Digital Certificates
A digital certificate identifies the author of a signed component. It contains:
- Name of the author
- Public key of the author
- The Certificate Authority (CA) that validated the author's public key
It is signed by the Certificate Authority.
Verifying a Digital Certificate
- Get the name of the Certificate Authority from the certificate
- Look up the CA's public key (a set of trusted CA keys comes with the OS)
- Use the CA's public key to decrypt the certificate's signature, recovering the hash the CA signed
- Recompute the hash over the certificate contents and verify that it matches
Verifying a Digital Certificate (diagram slide: OS trust store, certificate, CA name, CA public key, decrypt the encrypted hash; the figure is not reproduced in this text)
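The certificate-verification steps above, together with the public-key encryption and signing slides earlier, as one added Python example (not from the lecture). It uses textbook RSA on tiny primes so every number is visible; the primes, exponents, names, certificate fields and trust-store layout are assumptions of this example, and real systems use padding (OAEP, PSS), keys of thousands of bits and X.509 certificates instead.

```python
import hashlib
import json


def toy_keypair(p, q, e):
    """Textbook RSA on tiny primes: returns public (n, e) and private (n, d).
    Teaching toy only: no padding, and keys this small factor instantly."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (n, e), (n, d)


def rsa_apply(key, m):
    n, exp = key
    return pow(m, exp, n)


def encrypt_for(pub, m):
    """Anyone can encrypt with Bob's public key; m must be smaller than n."""
    assert 0 <= m < pub[0]
    return rsa_apply(pub, m)


def decrypt_with(priv, c):
    """Only the holder of the private key recovers m."""
    return rsa_apply(priv, c)


def digest(data, n):
    """Irreversible hash of the document, reduced mod n so the toy RSA can sign it."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    """Alice 'encrypts' the hash with her private key."""
    return rsa_apply(priv, digest(data, priv[0]))


def verify(pub, data, sig):
    """Anyone 'decrypts' the signature with the public key and compares hashes."""
    return rsa_apply(pub, sig) == digest(data, pub[0])


def issue_cert(ca_name, ca_priv, subject, subject_pub):
    """A certificate: (name, public key, issuing CA), signed by the CA."""
    body = {"subject": subject, "pubkey": list(subject_pub), "issuer": ca_name}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": sign(ca_priv, encoded)}


def verify_cert(cert, trust_store):
    """The slide's steps: read the CA name, look up its public key in the
    trust store, decrypt the signature and compare with a fresh hash."""
    ca_pub = trust_store.get(cert["body"]["issuer"])
    if ca_pub is None:
        return False                       # unknown CA: nothing to check against
    encoded = json.dumps(cert["body"], sort_keys=True).encode()
    return verify(ca_pub, encoded, cert["sig"])


def verify_signed_component(component, sig, cert, trust_store):
    """A signed component ships code + author's signature + author's certificate."""
    if not verify_cert(cert, trust_store):
        return False
    author_pub = tuple(cert["body"]["pubkey"])
    return verify(author_pub, component, sig)


# Constructed sample keys and data (assumptions of this example).
CA_PUB, CA_PRIV = toy_keypair(61, 53, 17)        # n = 3233
ALICE_PUB, ALICE_PRIV = toy_keypair(101, 103, 7)  # n = 10403
BOB_PUB, BOB_PRIV = toy_keypair(89, 97, 5)        # n = 8633
TRUST_STORE = {"Example Root CA": CA_PUB}         # stands in for the OS certificate store
ALICE_CERT = issue_cert("Example Root CA", CA_PRIV, "Alice", ALICE_PUB)
COMPONENT = b"print('hello from the applet')"      # constructed sample component
COMPONENT_SIG = sign(ALICE_PRIV, COMPONENT)

if __name__ == "__main__":
    print("CA keys:", CA_PUB, CA_PRIV)
    print("Bob decrypts:", decrypt_with(BOB_PRIV, encrypt_for(BOB_PUB, 1234)))
    print("component verifies:", verify_signed_component(COMPONENT, COMPONENT_SIG, ALICE_CERT, TRUST_STORE))
    print("with empty trust store:", verify_signed_component(COMPONENT, COMPONENT_SIG, ALICE_CERT, {}))
```

The verification chain has two links: the CA's signature binds Alice's name to her public key, and Alice's signature binds her key to the component. Remove the CA from the trust store and the first link fails, so the component is rejected even though Alice's own signature is still valid.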
Hackers & Encryption
The IT Director of a company is quoted in the press as saying: "Yes, a hacker did break into our system and get a copy of the files containing customers' credit card numbers. But those files are encrypted, so he can't use the information." Is he correct?
Security of Encryption
- At least one key must be kept secret, and the encrypted data is only as safe as that key.
- A break in the other security components (file protection, the OS, an administrator's account) can give unauthorized access to the secret key, so stolen ciphertext plus a stolen key from the same system is the same as stolen plaintext.
- On some systems the encryption is therefore done on a separate physically secure device (a hardware security module), so that a compromise of the host does not expose the key.