Chapter 6

The document provides a comprehensive overview of operating system security, detailing policies and mechanisms for user authentication, data confidentiality, integrity, and availability. It discusses various threats to system security, including program and system threats, and emphasizes the importance of implementing protection mechanisms and the principle of least privilege. Additionally, it outlines best practices for maintaining security, such as keeping the operating system updated and using firewalls.

Uploaded by

Abinet Arba

Prepared By: Jerusalem Y.

Security and Protection 5/25/2019 1


• Overview of system security
• Policy/mechanism separation
• Protection, access, and authentication
• Memory protection
• Encryption
• Recovery management



• Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability.
• OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms or remote hacker intrusions.
• OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised.



Security
• Policy: Whether a person can become a user of the system. The system administrator employs the policy while registering new users.
• Mechanisms: Add or delete users, verify whether a person is a registered user (i.e. perform authentication), perform encryption to ensure confidentiality of passwords.
Protection
• Policy: The file owner specifies the authorization policy for a file. It decides which user can access a file and in what manner.
• Mechanisms: Set or change authorization information for a file. Check whether a file processing request conforms to the user's privileges.



1. Confidentiality: This term covers two related concepts:
• Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals.
• Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
2. Integrity: This term covers two related concepts:
• Data integrity: Assures that information and programs are changed only in a specified and authorized manner.
• System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.



3. Availability: Assures that systems work properly and
service is not denied to authorized users.



• To prevent malicious misuse of the system by users or programs.
• To ensure that each shared resource is used only in accordance with system policies, which may be set either by system designers or by system administrators.
• To ensure that errant programs cause the minimal amount of damage possible.
Note
• Protection systems only provide the mechanisms for enforcing policies and ensuring reliable systems.
• It is up to administrators and users to implement those mechanisms effectively.



• Separation: the basis of protection is separation, that is, keeping one user's objects separate from other users.
• Methods of separation:
◦ Physical – nothing shared
◦ Temporal – operating things at different times
◦ Logical – running together but can't access each other
◦ Cryptographic – running together but hidden



• Do not Prevent – no protection when procedures are being run at different times
• Isolate – running concurrently but aware of each other; separate space, objects and files
• Share all or share nothing – the owner of an object declares it public or private (all or none)
• Share via access limitation – each user is checked for access availability of an object
• Share by compatibilities – dynamic creation of shared objects
• Limit use of an object – a user has varying access to an object

Each has a varying level of granularity; greater granularity creates greater access control.



• Security refers to providing a protection system for computer system resources such as CPU, memory, disk, software programs and, most importantly, the data/information stored in the computer system.
• If a computer program is run by an unauthorized user, then he/she may cause severe damage to the computer or the data stored in it.
• So a computer system must be protected against unauthorized access, malicious access to system memory, viruses, worms, etc.



• Authentication refers to identifying each user of the system and associating the executing programs with those users.
• It is the responsibility of the operating system to create a protection system which ensures that a user who is running a particular program is authentic.
• Operating systems generally identify/authenticate users in the following three ways:
1. Username / Password − The user needs to enter a username and password registered with the operating system to log in to the system.



2. User card/key − The user needs to punch a card into the card slot, or enter a key generated by a key generator in the option provided by the operating system, to log in to the system.
3. User attribute (fingerprint / eye retina pattern / signature) − The user needs to pass his/her attribute via the designated input device used by the operating system to log in to the system.



• One-time passwords provide additional security along with normal authentication.
• In a one-time password system, a unique password is required every time the user tries to log in to the system.
• Once a one-time password has been used, it cannot be used again.
• One-time passwords are implemented in various ways:
1. Random numbers − Users are provided with cards that have numbers printed alongside corresponding letters. The system asks for the numbers corresponding to a few randomly chosen letters.



2. Secret key − Users are provided with a hardware device which can create a secret id mapped to the user id. The system asks for this secret id, which has to be generated every time prior to login.
3. Network password − Some commercial applications send one-time passwords to the user's registered mobile/email, which must be entered prior to login.



• Operating system processes perform designated tasks as instructed.
• If a user program makes these processes perform malicious tasks, this is known as a program threat.
• A common example of a program threat is a program installed on a computer which can store user credentials and send them over the network to some hacker.
• The following is a list of some well-known program threats.
• Trojan Horse − Such a program traps user login credentials and stores them to send to a malicious user, who can later log in to the computer and access system resources.
• Trap Door − If a program which is designed to work as required has a security hole in its code and performs illegal actions without the knowledge of the user, it is said to have a trap door.
• Logic Bomb − A logic bomb is a situation in which a program misbehaves only when certain conditions are met; otherwise it works as a genuine program. It is harder to detect.
• Virus − A virus, as the name suggests, can replicate itself on a computer system.
• Viruses are highly dangerous and can modify/delete user files and crash systems.
• A virus is generally a small piece of code embedded in a program.
• As the user accesses the program, the virus starts getting embedded in other files/programs and can make the system unusable for the user.



• System threats refer to the misuse of system services and network connections to put the user in trouble.
• System threats can be used to launch program threats on a complete network; this is called a program attack.
• System threats create an environment in which operating system resources/user files are misused.
• The following is a list of some well-known system threats.
• Worm − A worm is a process which can choke system performance by using system resources to extreme levels.
• A worm process generates multiple copies of itself, where each copy uses system resources and prevents all other processes from getting the resources they require.
• Worm processes can even shut down an entire network.



• Port Scanning − Port scanning is a mechanism or means by which a hacker can detect system vulnerabilities in order to make an attack on the system.
• Denial of Service − Denial of service attacks normally prevent users from making legitimate use of the system.
• For example, a user may not be able to use the internet if a denial of service attacks the browser's content settings.



• Examples of security threats:
◦ Threats raised by data and programs downloaded from the Internet
• Examples of protection threats:
◦ Illegal access to a resource or a service by a process
◦ An attempt to tamper with messages
• Security threats can arise more easily in a distributed OS.



1. Keep the Operating System Updated
• The first step in protecting your computer from any malicious threat is to ensure that your operating system is up to date.
• This is essential if you are running a Microsoft Windows OS.
• Secondly, you need to have anti-virus software installed on your system and download updates frequently, so that your software has the latest fixes for new viruses, worms, and Trojan horses.
• Additionally, you want to make sure your anti-virus program has the capability to scan e-mail and files as they are downloaded from the internet, and you also need to run full disk scans periodically.
• This will help prevent malicious programs from even reaching your computer.



2. Use a Firewall
• You should also install a firewall.
• A firewall is a system that prevents unauthorized use of and access to your computer.
• A firewall can be either hardware or software.
• Hardware firewalls provide a strong degree of protection from most forms of attack coming from the outside world and can be purchased as a stand-alone product or in broadband routers.
• Unfortunately, when battling viruses, worms and Trojans, a hardware firewall may be less effective than a software firewall, as it could possibly ignore embedded worms in outgoing e-mails.



• For individual home users, the most popular firewall choice is a software firewall.
• A good software firewall will protect your computer from outside attempts to control or gain access to your computer, and usually provides additional protection against the most common Trojan programs or e-mail worms.
• The downside to software firewalls is that they will only protect the computer they are installed on, not a network.
• It is important to remember that on its own a firewall is not going to rid you of your computer virus problems, but when used in conjunction with regular operating system updates and good anti-virus scanning software, it will add some extra security and protection for your computer or network.



• Security and protection deal with the control of unauthorized use of and access to the resources of a computer system.
• Protection refers to mechanism while security refers to policy.
• A protection system consists of mechanisms to control user access to system hardware and software resources or to control information flow in the system.
• The protection domain of a process specifies the resources that it can access and the types of operations that the process can perform on those resources. This limits a process's access to only the resources it needs.



• Protected Objects and Methods
• Protecting Memory and Addressing
• Protecting Access to General Objects
• File Protection Mechanisms
• User Authentication



• Memory
• Sharable I/O devices, such as disks
• Serially reusable I/O devices, such as printers and tape drives
• Sharable programs and sub-procedures
• Sharable data



• Memory protection is a way to control memory access rights on a computer, and is a part of most modern instruction set architectures and operating systems.
• The main purpose of memory protection is to prevent a process from accessing memory that has not been allocated to it.
• This prevents a bug or malware within a process from affecting other processes, or the operating system itself.
• An attempt to access unowned memory results in a hardware fault, called a segmentation fault or storage violation exception, generally causing abnormal termination of the offending process.
• Memory protection for computer security includes additional techniques such as address space layout randomization and executable space protection.
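
The fault-and-terminate behaviour described above, as an added example that is not part of the original slides. It assumes a POSIX system running CPython; the two child programs are constructed for the demonstration.

```python
import signal
import subprocess
import sys

# Two constructed child programs. The first writes only to a buffer the process
# allocated itself; the second writes to address 0, which the OS does not map
# into an ordinary user process.
WRITE_OWN_BUFFER = (
    "import ctypes; buf = ctypes.create_string_buffer(16); "
    "ctypes.memset(buf, 0x41, 16)"
)
WRITE_UNMAPPED = "import ctypes; ctypes.memset(0, 0x41, 16)"


def run_child(code: str) -> str:
    """Run code in a separate process and report how that process ended."""
    proc = subprocess.run(
        [sys.executable, "-c", code],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    if proc.returncode < 0:  # POSIX: the child was killed by signal -returncode
        return signal.Signals(-proc.returncode).name
    return f"exit {proc.returncode}"


def demo() -> dict:
    parent_data = bytearray(b"parent state")  # lives in the parent's address space
    results = {
        "own buffer": run_child(WRITE_OWN_BUFFER),
        "unmapped address": run_child(WRITE_UNMAPPED),
    }
    # The faulting child was terminated by the kernel; the parent kept running
    # and its own memory was never reachable from the child.
    results["parent intact"] = bytes(parent_data) == b"parent state"
    return results


if __name__ == "__main__":
    for what, outcome in demo().items():
        print(f"{what}: {outcome}")
```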



• Some memory protection methods are:
1. Segmentation
2. Paged virtual memory
3. Protection keys
4. Simulated segmentation
5. Capability-based addressing
6. Dynamic tainting
Measures
• The protection level of a particular implementation may be measured by how closely it adheres to the principle of minimum privilege.



• The principle of least privilege is the idea that any user, program, or process should have only the bare minimum privileges necessary to perform its function.
• For example, a user account created for pulling records from a database doesn't need admin rights, while a programmer whose main function is updating lines of legacy code doesn't need access to financial records.
• The principle of least privilege can also be referred to as the principle of minimal privilege (POMP) or the principle of least authority (POLA).



• The principle of least privilege works by allowing only enough access to perform the required job.
• In an IT environment, adhering to the principle of least privilege reduces the risk of attackers gaining access to critical systems or sensitive data by compromising a low-level user account, device, or application.
• Implementing the POLP helps contain compromises to their area of origin, stopping them from spreading to the system at large.



• The principle of least privilege can be applied to every level of a system.
• It applies to end users, systems, processes, networks, databases, applications, and every other facet of an IT environment.
• Below are just a few examples of how the principle can work in practice.
1. User Account with Least Privilege
• With the principle of least privilege, an employee whose job is to enter info into a database only needs the ability to add records to that database.



2. MySQL Accounts with Least Privilege
• A MySQL setup follows the principle of least privilege when it employs several different accounts to perform unique tasks.
• Ideally, an online form that lets users sort data should use a MySQL account that only has sorting privileges.
• That way, an attacker who exploits the form has only gained the power to sort records.
• Conversely, if the account is given the power to delete records, the attacker can now wipe out the entire database.
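
The sort-only form described above, as an added example that is not part of the original slides. It swaps in SQLite's authorizer callback (Python standard library) for a restricted MySQL account so it runs offline; in MySQL the equivalent is an account granted only SELECT on the table. The table, rows and helper names are constructed for the example.

```python
import sqlite3

# Actions a sort-only form needs: run a SELECT and read columns. Nothing else.
ALLOWED_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ}
SORTABLE_COLUMNS = {"name", "amount"}  # hypothetical options offered by the form


def read_only_authorizer(action, arg1, arg2, db_name, source):
    """Deny every action outside the allow-list (INSERT, UPDATE, DELETE, DROP...)."""
    return sqlite3.SQLITE_OK if action in ALLOWED_ACTIONS else sqlite3.SQLITE_DENY


def open_form_handle():
    """Build a constructed sample table, then reduce the handle to read-only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (name TEXT, amount INTEGER)")
    conn.executemany(
        "INSERT INTO records VALUES (?, ?)",
        [("carol", 30), ("alice", 10), ("bob", 20)],
    )
    conn.commit()
    conn.set_authorizer(read_only_authorizer)  # privileges shrink from here on
    return conn


def sorted_records(conn, column):
    """The form's only job: list records ordered by an allow-listed column."""
    if column not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column")
    query = f"SELECT name, amount FROM records ORDER BY {column}"
    return conn.execute(query).fetchall()


def try_delete(conn):
    """Stand-in for misused form code; returns True only if the delete ran."""
    try:
        conn.execute("DELETE FROM records")
        return True
    except sqlite3.DatabaseError:  # SQLite reports "not authorized"
        return False


if __name__ == "__main__":
    handle = open_form_handle()
    print(sorted_records(handle, "amount"))
    print("delete succeeded:", try_delete(handle))
    print("rows remaining:", len(sorted_records(handle, "name")))
```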



There are many benefits of implementing the principle of least privilege:
• Better security
• Minimized attack surface
• Limited malware propagation
• Better stability
• Improved audit readiness



• The translation of data into a secret code.
• Encryption is the most effective way to achieve data security.
• To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it.
• Unencrypted data is called plain text.
• Encrypted data is referred to as cipher text.
• Encryption is widely used on the internet to protect user information being sent between a browser and a server, including passwords, payment information and other personal information that should be considered private.
• Organizations and individuals also commonly use encryption to protect sensitive data stored on computers, servers and mobile devices like phones or tablets.



• Unencrypted data, often referred to as plaintext, is encrypted using an encryption algorithm and an encryption key.
• This process generates cipher text that can only be viewed in its original form if decrypted with the correct key.
• Decryption is simply the inverse of encryption, following the same steps but reversing the order in which the keys are applied.
• Today's most widely used encryption algorithms fall into two categories: symmetric and asymmetric.

• The primary purpose of encryption is to protect the confidentiality of digital data stored on computer systems or transmitted via the internet or any other computer network.
• A number of organizations and standards bodies either recommend or require sensitive data to be encrypted in order to prevent unauthorized third parties or threat actors from accessing the data.
• For example, the Payment Card Industry Data Security Standard requires merchants to encrypt customers' payment card data when it is both stored at rest and transmitted across public networks.



• Backup and recovery refers to the process of backing up data in case of a loss and setting up systems that allow data recovery after data loss.
• Backing up data requires copying and archiving computer data, so that it is accessible in case of data deletion or corruption.
• Data from an earlier time may only be recovered if it has been backed up.



• Backup is the act of creating copies of information so that it may be recovered.
• Archiving is keeping these backups for a long period of time in order to meet certain legal requirements.
• Should the backup be kept online or offline?
◦ Online makes for easier access and faster recovery.
◦ Offline is more secure but harder to recover from.
◦ Why not both?
• Users should keep their own offline backups, in case the online backup gets removed.
• Data may be lost accidentally (hardware failures, human mistakes) or intentionally.
