Os Security Mussab and Zeeshan Badshah
7/31/2019 Os Security Mussab and Zeeshan Badshah
SECURITY IN OPERATING SYSTEM
Security breaches
Security goals
Protected objects of the general purpose operating system
Protection of objects
BREACHES
Exposure
A form of possible loss or harm in a computing system
Vulnerability
Weakness that might be exploited to cause loss or harm
Threats
Circumstances that have the potential to cause loss or harm
THREATS
Interruption
Interception
Modification
Fabrication
THREATS THROUGH SOFTWARES
Intruders
Malware, Trapdoor, Backdoor
Virus
Worm
Logic bomb
Trojan Horse
Downloaders
Spams
Flooders
Spywares
Adwares
Bot
INTRUDERS
MALWARE, TRAPDOOR, BACKDOOR
VIRUS
WORM
LOGIC BOMB & TIME BOMB
TROJAN HORSE
DOWNLOADERS
SPAMS
FLOODERS
SPYWARES
ADWARES
BOT
SECURITY GOALS
Confidentiality
The assets of a computing system are accessible only by authorized parties.
Integrity
Assets can be modified only by authorized parties or only in authorized ways.
Availability
Assets are accessible to authorized parties.
PROTECTION IN GENERAL-PURPOSE OS
Protected Objects and Methods
Protecting Memory and Addressing
Protecting Access to General Objects
File Protection Mechanisms
User Authentication
PROTECTED OBJECTS AND METHODS
Protected Objects
Security Methods of Operating Systems
PROTECTED OBJECTS
Memory
Sharable I/O devices, such as disks
Serially reusable I/O devices, such as printers and tape drives
Sharable programs and sub-procedures
Sharable data
SECURITY METHODS OF OPERATING SYSTEMS
Separation: keeping one user's objects separate from other users
Physical Separation
Temporal Separation
Logical Separation
Cryptographic Separation
Granularity of Control
The larger the level of object controlled, the easier it is to implement access control.
PROTECTING MEMORY AND ADDRESSING
Fence
Relocation
Base/Bounds Registers
Tagged Architecture
Segmentation
Paging
FENCE
A fence is a method to confine users to one side of a boundary.
Usually, a fence is implemented via a hardware register.
RELOCATION
Relocation is the process of taking a program written as if it began at address 0 and changing all addresses to reflect the actual address at which the program is located in memory.
A fence register can be used within the relocation process. To each program address, the contents of the fence register are added. This both relocates the address and guarantees that no one can access a location lower than the fence address.
BASE/BOUNDS REGISTERS
In a multiuser, multiprogramming environment, the fence register is variable. In this case the fence register is called a base register. Fence registers only provide a lower bound (a starting address), but not an upper one. A second register, called a bounds register, can be used to provide an upper bound. In this way, a program's addresses are neatly confined to the space between the base and the bounds registers.
This technique protects a program's addresses from modification by another user.
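The check described on the fence, relocation and base/bounds slides, written out as an added example (not part of the original slides). The register values and the names `struct mmu`, `translate` and `translate_fence_only` are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Per-program relocation state: the base register is the variable fence
   (start address), the bounds register is the upper limit. */
struct mmu { uint32_t base; uint32_t bounds; };

/* Translate a program address (written as if the program began at 0)
   to a real address. Returns 0 on success, -1 on a protection fault. */
int translate(const struct mmu *m, uint32_t logical, uint32_t *phys)
{
    uint32_t size = m->bounds - m->base;  /* bytes the program owns */
    /* Compare before adding, so a huge address cannot wrap around
       and slip back inside the permitted range. */
    if (logical >= size)
        return -1;
    *phys = m->base + logical;            /* relocation: add the base */
    return 0;
}

/* Fence-only variant: a lower bound is enforced, an upper one is not. */
uint32_t translate_fence_only(uint32_t fence, uint32_t logical)
{
    return fence + logical;
}

int main(void)
{
    struct mmu a = { 0x4000, 0x5000 };    /* program owns 0x4000..0x4FFF */
    uint32_t p = 0;
    printf("0x0010 -> %s\n", translate(&a, 0x0010, &p) == 0 ? "ok" : "fault");
    printf("0x1000 -> %s\n", translate(&a, 0x1000, &p) == 0 ? "ok" : "fault");
    /* With only a fence the same address reaches 0x5000, which is
       memory that belongs to the next program. */
    printf("fence only: 0x1000 -> 0x%X\n",
           (unsigned)translate_fence_only(0x4000, 0x1000));
    return 0;
}
```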
TAGGED ARCHITECTURE
The disadvantage of Base/Bounds technique
Tagged Architecture
Every word of machine memory has one or more extra bits to identify the access rights to that word.
SEGMENTATION
Segmentation divides a program into separate pieces. Each piece has a logical unity, a relationship among all of its code or data values.
Segmentation was developed as a feasible means to have the effect of an unbounded number of base/bounds registers: a program could be divided into many pieces having different access rights.
The operating system must maintain a table of segment names and their true addresses in memory. The program address is in the form . The OS can retrieve the real address by looking it up in the table and then making a simple calculation:
address of the name + offset
PAGING
An alternative to segmentation is paging. The program is divided into equal-sized pieces called pages, and memory is divided into the same sized units, called page frames. Each address is represented in a form .
The operating system maintains a table of user page numbers and their true addresses in memory. The page portion of every reference is converted to a page frame address by a table lookup; the offset portion is added to the page frame address to produce the real memory address of the object referred to as.
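The two table lookups from the segmentation and paging slides, as an added example that is not part of the original slides. The tables, the 4096-byte page size, the rights bits and the function names are assumptions made for illustration; a segment is identified by its index and a page address is split from one flat number.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u            /* assumed page size for this example */
enum { R = 1, W = 2, X = 4 };      /* access-right bits (illustrative) */

/* One row of the OS segment table: true address, length, rights. */
struct segment { uint32_t base, length; int rights; };

/* Segmentation: real address = address of the named segment + offset,
   allowed only if the offset is inside the segment and the requested
   access is among the segment's rights. */
int seg_translate(const struct segment *tab, int nseg, int seg,
                  uint32_t off, int want, uint32_t *real)
{
    if (seg < 0 || seg >= nseg) return -1;            /* unknown segment */
    if (off >= tab[seg].length) return -1;            /* past segment end */
    if ((tab[seg].rights & want) != want) return -1;  /* right not granted */
    *real = tab[seg].base + off;
    return 0;
}

/* Paging: the page portion indexes the page table to find a frame and
   the offset portion is added. A negative frame marks an unmapped page. */
int page_translate(const int *frames, int npages, uint32_t addr,
                   uint32_t *real)
{
    uint32_t page = addr / PAGE_SIZE, off = addr % PAGE_SIZE;
    if (page >= (uint32_t)npages || frames[page] < 0) return -1;
    *real = (uint32_t)frames[page] * PAGE_SIZE + off;
    return 0;
}

/* Constructed sample tables: code is read/execute, data is read/write. */
static const struct segment SEGS[] = {
    { 0x10000, 0x2000, R | X },    /* segment 0: code */
    { 0x48000, 0x0800, R | W },    /* segment 1: data */
};
static const int FRAMES[] = { 7, -1, 3 };  /* page 1 is not mapped */

int main(void)
{
    uint32_t a = 0;
    printf("write to code segment: %d\n",
           seg_translate(SEGS, 2, 0, 0x10, W, &a));
    if (page_translate(FRAMES, 3, 2 * PAGE_SIZE + 0x2A, &a) == 0)
        printf("page 2, offset 0x2A -> 0x%X\n", (unsigned)a);
    return 0;
}
```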
PROTECTING ACCESS TO GENERAL OBJECTS
Directory
Access Control List
GENERAL OBJECTS
Memory
a file or data set on an auxiliary storage device
an executing program in memory
a directory of files
a hardware device
a data structure, such as a stack
A table of the operating system
instructions, especially privileged instructions
passwords
the protection mechanism itself
DIRECTORY
This technique works like a file directory. Imagine the set of objects to be files and the set of subjects to be users of a computing system. Every file has a unique owner who possesses control access rights, including the right to declare who has what access and to revoke access to any person at any time. Each user has a file directory, which lists all the files to which that user has access.
The OS maintains all directories. Each user has a list (directory) that contains all the objects that user is allowed to access.
ACCESS CONTROL LIST
Each object has an access control list. This list shows all subjects who should have access to the object and what the access is.
This technique is widely used in Distributed File Systems.
FILE PROTECTION MECHANISMS
Basic Forms of Protection
Single Permissions
BASIC FORMS OF PROTECTION
All-None Protection
The principal protection was trust, combined with ignorance.
Group Protection
Users in the same group have the same right for objects.
SINGLE PERMISSIONS
Password or other token
assign a password to a file
USER AUTHENTICATION
Use of Passwords
Attacks on Passwords
Password Selection Criteria
The Authentication Process
Flaws in the Authentication Process
Authentication Other Than Passwords
USE OF PASSWORDS
Passwords are mutually agreed-upon code words, assumed to be known only to the user and the system.
The use of passwords is fairly straightforward. A user enters some piece of identification, such as a name or an assigned user ID. If the identification matches that on file for the user, the user is authenticated to the system. If the identification match fails, the user is rejected by the system.
ATTACKS ON PASSWORDS
Try all possible passwords
Exhaustive or brute force attack
Try many probable passwords
Users are unlikely to select a password that is uncommon, hard to spell or pronounce, or very long
Try passwords likely for the user
A password is generally meaningful to the user
Search for the system list of passwords
Finding a plain text system password list
Ask the user
Get the password directly from the user.
PASSWORD SELECTION CRITERIA
Use characters other than just A-Z
Choose long passwords
Avoid actual names or words
Choose an unlikely password
Change the password regularly
Don't write it down
Don't tell anyone else
THE AUTHENTICATION PROCESS
Intentionally slow
This makes an exhaustive attack infeasible
Identify the intruder from the normal user
Someone who continuously fails to log in may not be an authorized user.
The system disconnects a user after three to five failed logins
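One way to implement the slow-login and disconnect-after-failures policy from this slide, as an added example that is not part of the original slides. The password check itself is assumed to happen in the caller; the threshold of 3, the 1000 ms base delay, the doubling rule and all names are assumptions for illustration.

```c
#include <stdio.h>

#define MAX_FAILURES 3        /* slide says three to five; 3 chosen here */
#define BASE_DELAY_MS 1000u   /* assumed fixed cost of every attempt */

enum result { GRANTED, REJECTED, LOCKED };

struct account { int failures; int locked; };

/* Apply the policy to one login attempt. credential_ok is the outcome of
   the password check done by the (hypothetical) caller. *delay_ms is how
   long the caller must wait before answering the user. */
enum result login_attempt(struct account *acct, int credential_ok,
                          unsigned *delay_ms)
{
    /* Every attempt is slow; each earlier failure doubles the wait. */
    *delay_ms = BASE_DELAY_MS << acct->failures;

    if (acct->locked)
        return LOCKED;            /* no further guesses, right or wrong */
    if (credential_ok) {
        acct->failures = 0;       /* success clears the counter */
        return GRANTED;
    }
    if (++acct->failures >= MAX_FAILURES) {
        acct->locked = 1;         /* disconnect after repeated failures */
        return LOCKED;
    }
    return REJECTED;
}

/* Replay a constructed sequence of check outcomes; returns the last
   result and the total delay an attacker would have had to sit through. */
enum result replay(struct account *acct, const int *ok, int n,
                   unsigned *total_ms)
{
    enum result r = REJECTED;
    unsigned d = 0;
    *total_ms = 0;
    for (int i = 0; i < n; i++) {
        r = login_attempt(acct, ok[i], &d);
        *total_ms += d;
    }
    return r;
}

int main(void)
{
    struct account acct = { 0, 0 };
    int guesses[] = { 0, 0, 0, 1 };   /* three wrong, then the right one */
    unsigned ms = 0;
    enum result r = replay(&acct, guesses, 4, &ms);
    printf("result=%d total_delay_ms=%u\n", (int)r, ms);
    return 0;
}
```

A permanent lock lets anyone who knows a user name keep that user out, so deployments commonly let the lock expire after a timeout.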
QUESTION AND QUERIES