Published by Cameron Gardner. Modified over 9 years ago.
1
Operating Systems
Unit 11: Security
2
COP 5994 - Operating Systems
Security
prevent unauthorized access to resources and information maintained by computers
issues:
  – Guarantee the privacy and integrity of data
  – Restricting the use of computer resources
  – Providing resilience against malicious attempts to incapacitate the system
3
Security Mechanisms
Encryption:
  – Transform data into something that an attacker cannot understand (confidentiality)
  – check whether something has been modified (integrity)
Authentication:
  – verify the identity of a subject
Authorization:
  – determine if a subject is permitted to request service
Auditing:
  – trace subjects and requests
  – can help catch an attacker
4
Encryption
Goal: data readable only to intended reader
Cryptography:
  – encode and decode data
  – based on cypher: function to encode/decode data
      ex: substitution cypher, transposition cypher
  – modern cypher has key parameter to encoding/decoding function
5
Cryptography
issue: key length
  – 64-bit, 128-bit, …
symmetric
  – 1 key for encoding and decoding
  – problem: key needs to be known to both parties
asymmetric
  – 2 keys
6
Secret-Key Cryptography
symmetric cryptography
one secret key to encrypt / decrypt message
  – Sender
      Encrypts a message using the secret key
      Sends encrypted message to the intended recipient
  – Recipient
      Decrypts the message using the same secret key
7
Secret-Key Cryptography
8
Secret-Key Cryptography: Key distribution
Problem: parties must agree on secret key
9
Public-Key Cryptography
Asymmetric:
  – Employs two inversely related keys:
      Public key
        – Freely distributed
      Private key
        – Kept secret by its owner
  – If the public key encrypts a message, only the corresponding private key can decrypt it
10
Public-Key Cryptography
Scenarios:
  – sender encrypts message with receiver’s public key
  – receiver decrypts message with private key
  – result: sender has authorized receiver
11
Public-Key Cryptography
Scenarios:
  – sender encrypts message with private key
  – receiver decrypts message with sender’s public key
  – result: receiver has authenticated sender
12
Full Public-Key Cryptography
13
PK-Infrastructure: Certificates
Limitation of public-key cryptography
  – if users share the same set of keys, it is difficult to establish each party’s identity
Solution:
  – certify public key
  – public key is part of certificate
  – published by certificate authority
  – certificate authorization hierarchy rooted at Internet Policy Registration Authority
14
Authentication
goal: identify user
  – unique characteristic of the person
      signature
      fingerprint, voiceprint, retina scan
  – ownership of an item
      key, badge, id-card, smart card
  – user knowledge
      passwords
      personal identification numbers (PINs)
      lock combination
15
Digital Signatures
The electronic equivalents of written signatures
  – Authenticate senders’ identities
Idea:
  – run hash function on document to produce hash value
  – create signature as encrypted hash value
  – message is sent with document, signature, hash function
  – receiver decrypts signature, runs hash function, compares hash values
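The hash-then-sign steps listed under "Idea", as an added example that is not part of the original slides. It assumes a toy RSA key built from two known Mersenne primes and uses textbook RSA without padding, so it shows the mechanism only; production code uses a vetted library and a padding scheme such as RSASSA-PSS.

```python
import hashlib

# Toy RSA key built from two known Mersenne primes (constructed for this
# example; far too small and too structured for real use).
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def digest(document: bytes) -> int:
    """Step 1: hash the document; reduce mod N so it fits the toy key."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(document: bytes) -> int:
    """Step 2: the signature is the hash value transformed with the private key."""
    return pow(digest(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Step 4: recover the hash with the public key, re-hash, and compare."""
    return pow(signature, E, N) == digest(document)


def demo() -> dict:
    doc = b"Pay 100 USD to Alice"       # constructed sample message
    sig = sign(doc)                      # step 3: (doc, sig) is what gets sent
    return {
        "authentic": verify(doc, sig),
        "tampered_doc": verify(b"Pay 900 USD to Alice", sig),
        "tampered_sig": verify(doc, sig ^ 1),
    }


if __name__ == "__main__":
    print(demo())
```

Changing either the document or the signature makes the recovered hash and the recomputed hash disagree, which is the integrity and sender-authentication property the slide describes.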
16
Authorization Server: Kerberos
protection against internal security attacks
  – open-source protocol/server developed at MIT
employs secret-key cryptography
  – to authenticate users in a network
  – to maintain the integrity and privacy of network communications
components:
  – authentication server
  – Ticket Granting Service
17
Kerberos Scenario
1. Client submits username/password to authentication server
2. If valid, the authentication server issues a Ticket-Granting Ticket (TGT) encrypted with the client’s secret key
3. Client sends decrypted TGT to the TGS when requesting a resource. If valid, TGS issues a service ticket encrypted with client’s secret key.
4. Client decrypts service ticket, which it uses to access network resources
18
Authentication: Single Sign-On
Simplifies authentication process
  – one log in using a single password to access multiple applications across multiple computers
  – Important to secure single sign-on passwords
examples:
  – distributed file system
  – ACM digital library
19
Authorization
Discretionary Access Control (DAC)
  – File owner controls permissions
  – ex: read, write, execute, access control list
Mandatory Access Control (MAC)
  – Predefine a central permission scheme
20
Access Control Security Models
role based access control (RBAC)
model elements
  – subject has role has privilege to access object
  – subject can have multiple roles
  – role has multiple privileges
  – privilege defines object access
very flexible
21
Auditing
log all system and network activity
host protection
  – tripwire.org
Intrusion Detection Systems
  – commercial and open source systems
      snort.org, dshield.org, lids.org
  – detection strategies
      statistical anomaly
      pattern-matching
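The two detection strategies named above, run over the same audit log, as an added example that is not part of the original slides. The log format, the rule, the baseline counts and the threshold factor are all assumptions made for the illustration.

```python
import re
import statistics
from collections import Counter

# Constructed sample log: "<minute> <source> <event>" (format is an assumption).
LOG = """\
10:00 192.0.2.10 login_ok
10:00 192.0.2.11 login_failed
10:01 192.0.2.10 GET /index.html
10:01 198.51.100.5 GET /../../etc/passwd
10:02 192.0.2.12 login_failed
""" + "10:03 203.0.113.7 login_failed\n" * 12

# Pattern matching: rules that describe known-bad events.
RULES = {"path_traversal": re.compile(r"GET \S*\.\./")}

# Constructed history: failed logins per minute during normal operation.
BASELINE = [0, 1, 2, 1, 0, 1, 3, 1, 0, 1]


def pattern_alerts(log: str) -> list:
    """Return (rule name, source) for every line that matches a known pattern."""
    alerts = []
    for line in log.splitlines():
        _minute, src, event = line.split(" ", 2)
        alerts += [(name, src) for name, rx in RULES.items() if rx.search(event)]
    return alerts


def anomaly_alerts(log: str, baseline: list, k: float = 3.0) -> list:
    """Flag minutes whose failed-login count exceeds mean + k * stdev of baseline."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    per_minute = Counter(
        line.split(" ", 2)[0]
        for line in log.splitlines()
        if line.endswith("login_failed")
    )
    return sorted(minute for minute, n in per_minute.items() if n > threshold)


if __name__ == "__main__":
    print(pattern_alerts(LOG))            # single known-bad request
    print(anomaly_alerts(LOG, BASELINE))  # burst with no matching rule
```

The single traversal request is statistically unremarkable and is caught only by the rule, while the burst of failed logins matches no rule and is caught only by the deviation from the baseline.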
22
Security Attacks
Cryptanalytic attacks
Viruses and worms
Denial-of-service attacks
  – Domain name system (DNS) attack
Software exploitation
  – Buffer overflow
System penetration
  – Web defacing
23
Cryptanalytic Attack
Attempt to decrypt encrypted text
Goal is to determine the key
Encryption algorithm is analyzed to find relations between bits of the encryption key and bits of the encrypted text
Weak statistical trends between encrypted text and keys can be exploited to gain knowledge about the key
24
Viruses
executable code
  – attachment to an e-mail message
  – hidden within audio clips, video clips and games
if code is executed, mischief occurs:
  – file corruption
  – change application behavior
  – send emails
  – erase hard drive, …
replicates itself
  – by sending email
25
Virus Types
boot sector virus
  – controls OS
transient virus
  – runs with another program
resident virus
  – operates while OS is active
logic bomb
  – executes its payload at given time
26
Worms
Executable code that spreads by infecting files over a network
  – Rarely requires any user action to propagate
  – Does not need to be attached to another program or file to spread
Once a virus or worm is released, it can spread rapidly, often infecting millions of computers worldwide within minutes or hours
27
Denial-of-Service (DoS) Attacks
prevent system from servicing legitimate requests
unauthorized traffic saturates a network’s resources, restricting access for legitimate users
typical: flood servers with data packets
attack is carried out by network of computers
28
Buffer overflow attacks
  – occurs when an application sends more data to a buffer than it can hold
  – can push the additional data into adjacent buffers, corrupting or overwriting existing data
  – can replace executable code in an application’s stack to alter its behavior
      malicious code that will then be able to execute with the same access rights as the application it attacked
  – depending on the user and application, the attacker may gain access to the entire system
29
Attack Prevention and Security Solutions
Firewalls
Antivirus software
Security patches
Secure file systems
30
Firewall
Protect against intruders outside the network
  – Police inbound and outbound traffic for the LAN
Types of firewalls
  – Packet-filtering firewall
      allows only defined traffic
      Inspects packets for inconsistencies such as incorrect source address
  – Application-level gateways
      Inspect packets for malicious payloads
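The two packet-filtering behaviours listed above (allow only defined traffic, reject inconsistent source addresses), as an added example that is not part of the original slides. The LAN range, the interface names and the allow list are assumptions, and the filter is stateless.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")    # assumed internal network
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "wan" or "lan"
    src: str
    dst: str
    proto: str
    dport: int


# "Defined traffic": (arrival interface, protocol, destination network, port).
ALLOW = [
    ("wan", "tcp", ipaddress.ip_network("192.168.1.10/32"), 443),  # web server
    ("lan", "tcp", ANY, 443),                                      # outbound HTTPS
    ("lan", "udp", ANY, 53),                                       # outbound DNS
]


def decide(pkt: Packet) -> str:
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Inconsistency check: a LAN address cannot legitimately arrive from
    # outside, and a LAN host should not send with a non-LAN source.
    if (pkt.iface == "wan") == (src in LAN):
        return "drop: inconsistent source address"
    for iface, proto, net, port in ALLOW:
        if (pkt.iface, pkt.proto, pkt.dport) == (iface, proto, port) and dst in net:
            return "accept"
    return "drop: not in allow list"    # default deny


if __name__ == "__main__":
    # Constructed packets: a normal request and one with a spoofed LAN source.
    print(decide(Packet("wan", "203.0.113.9", "192.168.1.10", "tcp", 443)))
    print(decide(Packet("wan", "192.168.1.50", "192.168.1.10", "tcp", 443)))
```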
31
Antivirus Software
Attempts to protect against virus attack
  – monitor file access
  – identify and remove viruses
many commercial and open source packages
  – www.clamav.net
32
Detection techniques
Signature scanning
  – Uses a known virus list
      Relies on knowledge about the structure of the computer virus’s code
      Can be ineffective against variants and polymorphic viruses
Heuristic scanning
  – looks for virus-like behavior:
      Replication, residence in memory and/or destructive code
  – can detect viruses that have not yet been identified
33
Security Patches
Code releases that address security flaws
  – Simply releasing a patch for a security flaw is insufficient to improve security
Developers should address security flaws by:
  – Notifying their users quickly
  – Providing software that facilitates the process of applying security patches
Example: Hotfixes
  – Microsoft Automatic Updates
34
Secure File Systems
Protect sensitive data regardless of how the data is accessed
Encrypting File System (EFS)
  – Uses cryptography to protect files and folders in an NTFS file system
  – Uses secret-key and public-key encryption to secure files
35
Secure Communication Protocols
Developed to provide security in several layers of the traditional TCP/IP stack
Secure Sockets Layer (SSL)
  – common extension to http
Internet Protocol Security (IPSec)
  – needed for IPv4
Virtual Private Network (VPN)
  – uses IPSec channel to virtually extend LAN
36
Wireless Security
Wired Equivalent Privacy (WEP) protocol
  – encrypts transmitted data
  – prevents unauthorized access to the wireless network
  – shared single key
Wi-Fi Protected Access (WPA)
  – provides improved data encryption
  – uses authentication server
      enables user authentication
      session key for each user
37
Steganography
The practice of hiding information within other information
  – For example: a message or image, within another image, message or other form of multimedia
Digital watermarks
  – Used to protect intellectual property
  – Exploit unused portions of files to store hidden messages, while the digital files maintain their intended semantics
38
Agenda for next week:
  – Project Presentations
  – Final Exam