
Security and Protection | 1

UNIT 6: Security and Protection

Structure
6.0 Objective
6.1 Introduction
6.2 Security Threats and Goals
6.3 Penetration Attempts
6.4 Security Policies and Mechanisms
6.5 Authentication
6.6 Protection and Access Control
6.7 Worms and Viruses
6.8 Summary
6.9 Exercise
6.10 Suggested Readings

6.0 Objective

At the end of this chapter you will know:

What the different security threats and goals are
Types of penetration attempts by adversaries
Authentication types and their features
Different access control mechanisms and their characteristics
Malicious software like viruses and worms and the security threats they pose

6.1 Introduction

Nowadays computer systems have become more sophisticated and pervasive in their applications.
Therefore, the need to protect their integrity has also grown. As the system may contain confidential
data, we should be able to prevent unauthorized users from gaining access into the system. A set of
users who have access to a computer system may not all be assigned the same access rights. Some
users may be designated as superusers who will have more access rights as compared to others. Thus,
even if others are authorized to gain access to the system they may not be able to write into files or
make other modifications. Computer systems implement various access control mechanisms to
enforce such conditions. Authentication is a technique to ensure that the user who wants to gain
access to the system is indeed the person he or she claims to be. Computer systems use various
authentication techniques to check the authenticity of the user, and on that basis he or she is granted or
denied access to the system.

6.2 Security Threats and Goals

An operating system consists of a collection of objects, software or hardware. Each object has a well-
defined name and can be accessed through a set of operations. The security and protection mechanisms
of the OS ensure that an object is accessed correctly and only by the authorized user processes that have
been granted permission for it.

Security is about providing a protected environment for computer system resources such as the CPU,
disk, memory and software programs, and most essentially for the data or information kept in the
computer system. If a computer program is executed by an unapproved user, he or she may cause
irreversible damage to the system or to the data stored in it. So a computer system must be protected
against unauthorized access, malicious access to system memory, viruses, worms, etc.

Security deals with shielding systems from deliberate attacks, both internal and external, by persons
who intentionally try to damage information, steal information, or otherwise purposely wreak disorder
in some manner.

6.2.1 Security Threats

Interruption: An interruption threat is a situation in which a service of the system becomes
unavailable, lost or unusable. For example: removal of a data file or program, malicious damage to a
hardware device, or failure of an operating system file manager so that it cannot locate a specific disk
file.

Modification: In a modification threat the unauthorized party not only uses the asset but tampers
with it. For example, someone might modify a program so that it performs an additional calculation,
modify the data in a database, or alter the values being communicated electronically. It is even
possible to change the hardware. Some cases of modification can be detected with simple measures,
but other, more subtle, changes may be nearly impossible to notice.

Interception: If some unauthorized party gains access to a service, this is an interception threat.
The external party can be a program, a person, or a computing system. Examples of this type of
failure are illicit copying of data files or programs, or monitoring the network to obtain data. Even
though the damage may be discovered rapidly, a quiet interceptor may leave no trace by which the
interference can be readily perceived.

Fabrication: Finally, an unauthorized party might fabricate counterfeit objects on a computing
system. For example, the intruder may add bogus transactions to a network communication system
or add records to an existing database. At times these additions can be detected as forgeries, but if
competently done, they are almost indistinguishable from the real thing.

The most common types of damage include:

Confidentiality Breach: Theft of personal or confidential information, such as trade secrets, credit-
card numbers, secret formulas, patents, medical information, manufacturing procedures, financial
information, etc.
Integrity Breach: Unauthorized alteration of information, which may have severe unintended
consequences. For example, the source code of a popular game or other program could be changed to
open security holes on users' systems before being released to the public.
Availability Breach: Unauthorized destruction of data, often just for the "fun" of producing chaos
and for bragging rights. Defacement of web sites is a common form of this destruction.
Theft of Service: Unauthorized use of resources, such as stealing CPU cycles, installing daemons
that run an unauthorized file server, or tapping into the target's networking or telephone services.
Denial of Service (DoS): Preventing legitimate users from using the system, often by creating
congestion and overwhelming the system with a surplus of requests for a service.
Masquerading: Here the attacker pretends to be a trusted third party. A variation of this is the
man-in-the-middle, in which the attacker masquerades as both ends of the conversation to two targets.
Replay Attack: This involves repeating a valid transmission. Sometimes this is the complete attack
(such as repeating a request for a transfer of money); at other times the content of the original
message is replaced with malicious content.

6.2.2 Security Goals

Security goals describe what a system must guarantee while still preventing unauthorized access. A
security goal defines the requirements that a system must achieve and the correct way of
implementing them. Security goals define how a resource may be accessed in the system and must
satisfy the three conditions known as CIA: confidentiality, integrity and availability, as shown in
Figure 6.1. These are considered the pillars of security. A system defines access in terms of three
elements: subjects (who performs the access: a process or a user), operations (which action a subject
performs on an element: read or write) and objects (the element on which the subject performs the
operation: files or sockets).
Figure 6.1: Security Goals (Confidentiality, Integrity, Availability)



Confidentiality requires that there be a limit on an individual subject's read operations over objects,
since an object may contain confidential information that need not be shared among all subjects. It
helps to overcome the situation of interception.
Integrity requires that there be a limit on an individual subject's write operations over certain
objects, since objects may contain information on which other subjects depend for their correct
operation. The modification problem is avoided by enforcing the integrity requirement.
Availability requires that there be a limit on the consumption of system resources (CPU and
storage) by a subject, since an individual subject may alone exhaust the system resources. The
interruption situation does not arise if this requirement is met.
Fabrication may be avoided when authenticity is implemented, which means that the system is able
to verify the identity of a subject.
The main focus of OS security is on confidentiality and integrity, though availability may indirectly
affect these goals.

6.3 Penetration Attempts

Sharing and protection are both requirements of any modern computing system. As sharing increases
it may give rise to security threats or penetration, so a higher level of protection is required. When
the PC was designed, it was intended to be used by a single user, so little security or protection was
required in that OS environment: the possibility of penetration or misuse was absent, since no two
users would use the same data. For such a PC and its floppy disks, the security of the data could
only be achieved by physically locking the room. But today, as PCs are networked together and can
share data and programs, a need has arisen for better security and protection mechanisms.
The major threats to security in any computing environment can be categorized as follows:
i) Tapping: unauthorized use of service
ii) Disclosure: unauthorized disclosure of information
iii) Amendment: Unauthorized deletion and alteration of information
iv) Fabrication: Unauthorized fabrication of information
v) Denial: Denial of service to authorized user.

Figure 6.2: Types of Security Threats or Penetration



Tapping and disclosure are categorized as passive threats, and the remaining three, amendment,
fabrication and denial, are classified as active threats. In both tapping and disclosure the information
reaches a third party, but there is a slight difference between the two. In tapping, the third party
accesses the information without the knowledge of the sender (A) and the receiver (B), whereas in
disclosure the source (A) knowingly or willingly reveals the information to the third party.

Security threats may arise for deliberate or unintentional reasons, and penetration attempts may be
malicious or casual. Irrespective of motivation and origin, OS designers have to build a security
system to counter all probable penetration attempts.

The security system can be attacked and penetrated in the following ways:

i) Authentication: This means verifying access to the system resources. But an intruder may
steal the password of another user who has the right to access the resources, or may guess
the username and password and then access the resources of the system. An intruder may
also use a dummy program that imitates the login prompt to fool the user into entering a
username and password; the dummy code collects the information for later use.

ii) Browsing: In a system there are files that have been given permissive access control. An
intruder may browse the system to find such information and can later access the files and
databases that are unprotected. Confidential information may also be read or modified, which
is more dangerous for the system.

iii) Trap doors: Sometimes software may require updates even after it has gone into
production. For that case the programmer leaves a secret entry point in the code that does
not require authorization to access certain objects; that is, the programmer bypasses certain
validation checks, and only the software designer knows about it. These secret entry points
are known as trap doors. Trap doors are helpful in emergency situations, but unauthorized
users may also use them to penetrate the system.

iv) Invalid Parameters: A serious security breach may occur when certain invalid parameters
are passed to the system and the system is unable to validate them.

v) Line Tapping: A special terminal may be used to tap the information on communication
lines. This may allow confidential data to be read or modified. The threat may take the form
of tapping, amendment or fabrication once the intruder gains access to the line of
communication.

vi) Electronic Data Capture: An intruder may use passive or active wire taps, or a
mechanism that picks up screen radiation, to capture what is displayed on the screen.

vii) Lost Line: During communication the line may be lost. In that case the OS must log out
the respective user and require the connection to be re-established before further
communication. But some OSes are incapable of doing so, and in such a scenario the process
that existed before the connection was lost is still floating. An intruder may then gain
control of this floating process and access the system resources accessible to it.

viii) Improper Access Control: Some OSes do not allow a rigorous and fine-grained access
control mechanism to be set up. This may lead to a situation where one user is given far too
many privileges and another too few. Such a situation may lead to denial of service or to
unauthorized access to resources, which is also a violation of security.

ix) Waste Recovery: A penetrator may use techniques to recover deleted files, or parts of
them, that contain passwords. Consider a block of a file being deleted: it is deallocated from
the file and added to the pool of free blocks. However, the content of the block is still there
until it is allocated to some other file or some data is written over it. A penetrator may use
some mechanism to read these free blocks for the information they contain.

x) Rogue Software and Program Threats: These are intentionally written programs, or parts
of programs, designed to cause mischief. They vary in their complexity and in the damage
they create. Writing them requires deeper knowledge of the OS and the underlying hardware.

xi) Covert Channel: Conventionally, the protection mechanism imposes restrictions on the
various subjects accessing different objects. Despite this, unauthorized data transfer may
still happen, because the objects or signalling devices used by the protection mechanism are
not themselves covered by it. This undermines confidentiality and is hard to identify. The
problem is associated with the control of information flow and is known as the covert channel
problem or the confinement problem.

6.4 Security Policies and Mechanisms

The first and foremost step towards improving the security of any aspect of computing is to have
a security policy. Policies may vary, but they normally include a statement of what is being secured.
For instance, a policy may state that users in a system should not share their passwords, or that all
emails directed to the company's mail box should be filtered first. It is not possible for users and
administrators to know what is allowed, what is required and what is permissible if the security
policy is not stated. A security policy, in simple terms, is a road map to security. It can be used as a
guide to make the system more secure. From time to time the security policy should be reviewed and
modified if needed, to adapt to the growing needs of security.

A security mechanism is a method, tool, or procedure for enforcing a security policy. In the
following sections we will discuss various security mechanisms, such as authentication, which
requires the user who wants to gain access to a system to prove that he is indeed the person he claims
to be. Next we will discuss some access control mechanisms that determine whether a user requesting
access to a resource should be given permission or not, based on the access rights already specified
for that user.

6.5 Authentication

User authentication is very different from message authentication. Message authentication is a
procedure in which the communicating parties verify that the contents of the message have not been
altered during transit and that the source is authentic. In this section we will discuss user
authentication. Basically, there are three types of authentication methods, which we will see in turn.

Password-Based Authentication

Password-based authentication is a widely used procedure to check the authenticity of users.
Almost all network-based servers, multiuser systems and web-based e-commerce systems require
the user to give a password along with a user ID (identifier) to complete the authentication procedure.
The system compares the password to a previously stored password for that user ID which is
maintained in a system password file. The password authenticates the ID of the user who wishes to
log on to the system. The ID, in turn, provides security in the following ways:

The ID decides whether the user is authorized or not to gain access to a system. Some
systems only allow a person who has an ID filed on the system to gain access to the
system.

The ID determines what type of privileges the user has been given. In some systems, a few
users are given the status of superuser. This means that these users can read files and
perform functions that are especially protected by the OS. Such systems may also have guest
accounts for users who will have limited privileges.

The ID can be used for the purpose of discretionary access control. For instance, by listing
the IDs of other users, a user may grant them permission to read files owned by that
user.

(a) The use of Hashed Passwords

An extensively used password-based security technique is the use of hashed passwords and a salt
value. This scheme is found on almost all UNIX variants and also on a number of other operating
systems. The user is either allowed to choose a password or is assigned a password by the system.
The password is then combined with a fixed-length salt value. In older implementations, the salt
value was based on the time at which the user was assigned a password. Newer implementations,
however, use a pseudorandom or random number.

Figure 6.3: Loading a new password

The salt value and the password together serve as the input to a hashing algorithm that produces a fixed-
length hash code. The hash algorithm is deliberately designed to take a lot of time to execute, so that
each guess in a guessing attack is expensive. Next, the hashed password is stored along with a plaintext
copy of the salt in the password file for the corresponding user ID, as shown in Figure 6.3. The
hashed-password method has proved to be secure against a variety of cryptanalytic attacks.

When a user wishes to log on to a UNIX system, he provides the ID and the password. The OS uses
the ID to index into the password file. It then retrieves the hashed password and the plaintext salt.
The user-supplied password and the stored salt are used as input to the hashing routine, as shown in
Figure 6.4. If the result matches the stored value, the password is accepted.

The purposes the salt serves are:

It prevents duplicate passwords from being visible in the password file. Even if two users
pick the same password, those passwords are assigned different salt values. Therefore, the
hashed passwords of the two users will be different.

It greatly increases the difficulty of offline dictionary attacks. For a salt of length b bits, the
number of possible passwords is increased by a factor of 2^b. This increases the difficulty of
guessing a password in a dictionary attack.

Thirdly, it becomes almost impossible to determine whether a user with passwords on two or more
systems has used the same password on all of them.

Figure 6.4: Verifying a password

To understand the second point, let us consider the way an offline dictionary attack would work.
The attacker acquires a copy of the password file. Let us suppose that no salt is used. The
objective of the attacker is to guess a single password. To that end, the attacker feeds a large
number of probable passwords to the hashing function. If any of the guesses matches one of the
hashes in the file, then the attacker has found a password that is in the file. But in the UNIX scheme,
the attacker must take each guess and submit it to the hash function once for each salt value in the
password file, multiplying the number of guesses that must be checked.

However, there are two threats to the UNIX password scheme. The first threat is that a user can gain
access on a machine using a guest account or by some other means. He can then run a password
guessing program, called a password cracker, on that machine. The attacker should be able to check
many thousands of possible passwords with little resource consumption. The second threat is that if
an opponent is able to acquire a copy of the password file, a cracker program can be run on another
machine at leisure. This allows the opponent to run through millions of possible passwords in a
reasonable period.
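The loading and verification steps of Figures 6.3 and 6.4, written out as an added example (not code from the chapter). The password file is an in-memory dictionary, the slow hash is PBKDF2-HMAC-SHA256 with an assumed work factor, and the last function counts how many hash computations an offline dictionary attack would cost with and without per-user salt, which is the second point in the list above.

```python
import hashlib
import hmac
import os

# Constructed in-memory password file for the example: user ID -> (plaintext salt, hash).
PASSWORD_FILE = {}
ITERATIONS = 100_000   # assumed work factor: makes each hash deliberately slow
SALT_BYTES = 16        # b = 128 bits of salt, so 2^128 possible salts


def hash_password(password: str, salt: bytes) -> bytes:
    """Combine the salt and password and run a deliberately slow hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def load_new_password(user_id: str, password: str) -> None:
    """Figure 6.3: pick a random salt, hash salt+password, store salt and hash under the ID."""
    salt = os.urandom(SALT_BYTES)
    PASSWORD_FILE[user_id] = (salt, hash_password(password, salt))


def verify_password(user_id: str, password: str) -> bool:
    """Figure 6.4: index the file by ID, rehash the supplied password with the stored
    salt, and compare with the stored hash."""
    entry = PASSWORD_FILE.get(user_id)
    if entry is None:
        return False
    salt, stored_hash = entry
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(stored_hash, hash_password(password, salt))


def offline_guess_cost(dictionary_size: int, salted: bool) -> int:
    """Hash computations an offline dictionary attack needs against this file.
    Unsalted: one hash per dictionary word tests every user at once.
    Salted: every word must be rehashed once per distinct salt in the file."""
    distinct_salts = len({salt for salt, _ in PASSWORD_FILE.values()}) if salted else 1
    return dictionary_size * distinct_salts


def demo() -> dict:
    """Two users choose the same password; the salts make their stored hashes differ."""
    load_new_password("alice", "correct horse battery staple")
    load_new_password("bob", "correct horse battery staple")
    same_hash = PASSWORD_FILE["alice"][1] == PASSWORD_FILE["bob"][1]
    return {
        "alice_ok": verify_password("alice", "correct horse battery staple"),
        "alice_bad": verify_password("alice", "wrong password"),
        "unknown_user": verify_password("mallory", "anything"),
        "duplicates_visible": same_hash,
        "unsalted_cost": offline_guess_cost(10_000, salted=False),
        "salted_cost": offline_guess_cost(10_000, salted=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```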

Token-Based Authentication

Tokens are objects possessed by a user that are used in the authentication process of that user. We will
examine two types of tokens that are widely used: memory cards and smart cards. Both of these cards
resemble the bank cards that we use.

(a) Memory Cards

Memory cards can store data but cannot process data. For example, a bank card only stores a simple
security code in its magnetic stripe. This code can be read by an inexpensive card reader. There are
also memory cards that include an internal electronic memory.

In places like hotel rooms, memory cards alone can be used for the authentication process. But if you
go to the ATM (automatic teller machine) to withdraw some amount, you need to use the card along
with a password or a PIN (personal identification number). When the memory card is used with a
PIN the level of security is certainly increased.

This scheme also has some drawbacks, described below:

A special card reader is required. This increases the cost of using the token.
Additionally, the card reader's hardware and software must be protected.

If a token is lost, the user loses access to the system temporarily. There is also an
administrative cost in issuing a new token. If an adversary gets hold of the token, he
only needs the PIN to gain unauthorized access to the system.

Even though users may not face any difficulty in using a memory card for ATM access, its
use for computer access may be deemed inconvenient.

(b) Smart Cards

A wide range of devices can be used as smart tokens. These can be classified along three dimensions
that are not mutually exclusive:

Physical characteristics: Smart tokens have a microprocessor inside. A smart token that
resembles a bank card is called a smart card. Other smart tokens look like small portable
objects such as keys or calculators.

Interface: Manual interfaces contain a keypad and a display for human/token interaction.
Smart tokens with an electronic interface communicate with a compatible reader/writer.

Authentication protocol: The basic function of a smart token is to provide a means for
user authentication. The authentication protocols used with smart tokens fall into three
categories:

o Static: In this case, the user authenticates himself to the token first and then the token
authenticates the user to the computer. The latter half of this protocol is just like the
operation of a memory token.

o Dynamic password generator: Here the token generates a unique password from time to
time (for example once every minute). This password is then submitted to the system for
authentication, either electronically via the token or manually by the user. The token and
the computer system must be initialized and kept synchronized so that the computer is
always aware of the password that is current for this token.

o Challenge-response: With challenge-response, the computer system generates a
challenge, such as a random string of numbers. Based on the challenge, the smart token
generates a response.

Smart cards are widely used for user authentication to computers. A smart card looks like a credit
card. It has a microprocessor inside, with processor, memory, and I/O ports. Some versions
include a special co-processing circuit for cryptographic operations, which makes encryption and
decryption of messages faster and speeds up the generation of digital signatures used to validate the
information transferred. Some cards rely on an embedded antenna for wireless communication with
the reader, while in other cards the I/O ports are directly accessible to a compatible reader by means
of exposed electrical contacts.
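The two non-static protocols above, as an added example that is not part of the chapter: the token and the computer share a secret loaded at initialization (a constructed value here), the dynamic password generator derives a six-digit code from the current minute, and the challenge-response variant derives the code from a random challenge instead. The verifier side accepts a dynamic password one time step either side to tolerate clock drift, and rejects a response replayed against a fresh challenge.

```python
import hashlib
import hmac
import os
import struct

# Constructed shared secret, assumed to be loaded into both token and computer at initialization.
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
STEP_SECONDS = 60   # the dynamic password changes once every minute, as in the text


def _truncate(mac: bytes, digits: int = 6) -> str:
    """Reduce a MAC to a short decimal code a user could type (dynamic truncation)."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


# --- Dynamic password generator (time-synchronized token) ---
def dynamic_password(secret: bytes, now: int) -> str:
    """Token side: this minute's password is a MAC of the time-step counter."""
    counter = struct.pack(">Q", now // STEP_SECONDS)
    return _truncate(hmac.new(secret, counter, hashlib.sha256).digest())


def check_dynamic_password(secret: bytes, submitted: str, now: int, drift_steps: int = 1) -> bool:
    """Computer side: the computer knows the secret too, so it recomputes the current
    password (and its neighbours, for clock drift) and compares in constant time."""
    for d in range(-drift_steps, drift_steps + 1):
        candidate = dynamic_password(secret, now + d * STEP_SECONDS)
        if hmac.compare_digest(submitted, candidate):
            return True
    return False


# --- Challenge-response token ---
def make_challenge() -> bytes:
    """Computer side: a fresh random challenge, so a captured response is useless later."""
    return os.urandom(16)


def token_response(secret: bytes, challenge: bytes) -> str:
    """Token side: the response depends on both the shared secret and this challenge."""
    return _truncate(hmac.new(secret, challenge, hashlib.sha256).digest())


def verify_response(secret: bytes, challenge: bytes, response: str) -> bool:
    """Computer side: recompute the expected response for the challenge it issued."""
    return hmac.compare_digest(response, token_response(secret, challenge))


def run_exchange() -> dict:
    """Walk through both protocols with a fixed clock value (constructed)."""
    now = 1_700_000_000
    pw = dynamic_password(TOKEN_SECRET, now)        # token displays this code
    challenge = make_challenge()                    # computer issues a challenge
    response = token_response(TOKEN_SECRET, challenge)
    return {
        "sync_ok": check_dynamic_password(TOKEN_SECRET, pw, now + 30),
        "stale_rejected": check_dynamic_password(TOKEN_SECRET, pw, now + 5 * STEP_SECONDS),
        "response_ok": verify_response(TOKEN_SECRET, challenge, response),
        "replay_fails": verify_response(TOKEN_SECRET, make_challenge(), response),
    }


if __name__ == "__main__":
    print(run_exchange())
```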

Biometric Authentication

A biometric authentication system tries to authenticate a user on the basis of his or her physical
characteristics. These characteristics can be static, like hand geometry, facial characteristics, retinal
and iris patterns and fingerprints, or dynamic, like signature and voiceprint. In essence, biometrics
is based on pattern recognition. Biometric authentication is technically more expensive and complex
than passwords and tokens. Although it is used in a number of specific applications, biometrics has
yet to mature as a standard tool for user authentication to computer systems.

A number of physical characteristics are either in use or under study for user authentication. The
most common physical characteristics that are used for user authentication are:

Face recognition

Out of the numerous biometric identification methods, face recognition is one of the most
flexible. It works even when the subject is unaware that he or she is being scanned. It also
shows promise as a way to search through masses of people who spent only seconds in front
of a "scanner" - that is, an ordinary digital camera.

Face recognition systems work by systematically analyzing specific features that are
common to everyone's face - the distance between the eyes, width of the nose, position of
cheekbones, jaw line, chin and so forth. These numerical quantities are then combined in a
single code that uniquely identifies each person.

Fingerprint identification

Fingerprints remain constant throughout life. In over 140 years of fingerprint comparison
worldwide, no two fingerprints have ever been found to be alike, not even those of identical
twins. Good fingerprint scanners have been installed in PDAs like the iPaq Pocket PC, so
scanner technology is readily available. It might not work in industrial applications, since it
requires clean hands.

Fingerprint identification involves comparing the pattern of ridges and furrows on the
fingertips, as well as the minutiae points (ridge characteristics that occur when a ridge splits
into two, or ends) of a specimen print with a database of prints on file.

Hand geometry biometrics

Hand geometry readers work in harsh environments, do not require clean conditions, and
produce a very small dataset. It is not regarded as an intrusive kind of test. It is often the
authentication method of choice in industrial environments.

Retina scan

There is no known way to replicate a retina. As far as anyone knows, the pattern of the blood
vessels at the back of the eye is unique and stays the same for a lifetime. However, it requires
about 15 seconds of careful concentration to take a good scan. Retina scan remains a standard
in military and government installations.

Iris scan

Like a retina scan, an iris scan also provides unique biometric data that is very difficult to
duplicate and remains the same for a lifetime. The scan is similarly difficult to make (may be
difficult for children or the infirm). However, there are ways of encoding the iris scan
biometric data in a way that it can be carried around securely in a "barcode" format.

Signature

A signature is another example of biometric data that is easy to gather and is not physically
intrusive. Digitized signatures are sometimes used, but usually have insufficient resolution to
ensure authentication.

Voice analysis

Like face recognition, voice biometrics provide a way to authenticate identity without the
subject's knowledge. It is easier to fake (using a tape recording), but it is not possible to fool an
analyst by imitating another person's voice.

6.6 Protection and Access Control

In simple terms, protection in an operating system is the collection of mechanisms and policies that
keep programs and users from accessing or changing things they should not. Computer systems
implement various protection techniques to prevent adversaries from doing things that they are not
authorized to do. In this section we will discuss some of the protection techniques that are
implemented by computer systems.

1. Cryptography as a Security Tool

Cryptography is a technique of storing and transferring data in such a way that only those for
whom it is intended can read and process it. Let us understand some basic terms before we
proceed.

Plaintext: It is the message that we have to transmit. It is in a human-readable form.

Encryption algorithm: It is the mathematical process that produces the ciphertext, given the
plaintext and the encryption key.

Ciphertext: It is the encrypted message that is produced when the encryption process is over.

Decryption algorithm: It is the mathematical process that retrieves the plaintext, given
the ciphertext and the decryption key.

Encryption key: It is a value used by the sender as an input to the encryption algorithm,
besides the plaintext, to compute the ciphertext.

Decryption key: It is a value used by the receiver as an input to the decryption algorithm,
besides the ciphertext, to compute the plaintext.

Basically there are two types of encryption techniques: symmetric encryption and asymmetric
encryption.

(a) Symmetric Encryption

In symmetric encryption, the same key (secret key) is used for encryption as well as decryption. This
is the simplest encryption technique. The disadvantage however lies in the fact that all the
participants of the communication should be aware of the secret key. Therefore, the secret key should
be exchanged before the communication starts. Figure 6.5 shows how the symmetric encryption
works.

Figure 6.5: Symmetric Encryption



(b) Asymmetric Encryption

Asymmetric encryption is also known as public key cryptography. It uses two keys: a public key and
a private key. The public key of a person is accessible to everyone, whereas the private key of that
person is known only to him. If a person A wants to send a message to a person B, then A can
encrypt the message with the public key of B. On the other side, B can use his own private key to
decrypt the encrypted message. Similarly, if B wants to send something he can encrypt the message
using his own private key and A can decrypt the message with the public key of B; note that since
everyone holds B's public key, this second direction proves that the message came from B rather than
keeping it secret. Figure 6.6 shows the working of asymmetric encryption.

Figure 6.6: Asymmetric encryption

2. Intrusion Detection

Intrusion detection can be defined as the real-time monitoring and analysis of data and
network activity to check for potential vulnerabilities and attacks in progress. Intrusion detection
systems (IDS) can be classified in several ways: network-based and host-based, active and
passive, and knowledge-based and behavior-based. Let us see all these types of intrusion detection
systems in detail.

(a) Active and Passive IDS

An active IDS, also known as an intrusion prevention system (IPS), is a system that is specifically
designed to automatically block suspected attacks in progress. It does not require any human
intervention to do this. However, it has some disadvantages as well. We have to place the IPS at the
network boundary, so there is always a risk that the IPS itself may become the victim of an
attack. Secondly, an adversary may try to flood the IPS with alarms, causing it to block connections
until no connections or bandwidth are available. This type of attack is called a Denial of Service (DoS)
attack.

A passive IDS is a system that is designed only to monitor and analyze network traffic activity
and warn the operator if it finds any potential vulnerabilities or any attacks in progress. It cannot
perform any corrective or protective functions on its own. But the advantage is that passive IDSes
can be deployed easily and rapidly. Moreover, they are not usually susceptible to attack themselves.

(b) Network-based and Host-based IDS

A network-based IDS consists of a network interface card (NIC) and a network appliance or sensor.
The IDS is placed at the network boundary or on a network segment and monitors all traffic on that
segment.

A host-based IDS requires us to install small programs or agents on the systems that have to be
monitored. The agents monitor all the inbound and outbound packets of the systems on which they
are installed. If they detect any suspicious activity, they alert the user or the administrator.

(c) Knowledge-based and Behavior-based IDS

A knowledge-based or signature-based IDS refers to a database of previous attack profiles and known
system vulnerabilities to recognize active intrusion attempts. It is more widely used than
behavior-based IDS. Its advantage is a lower false alarm rate. Its disadvantages are that the signature
database must be continuously updated and that new types of attack are not detected, because no
corresponding signature exists in the database.

A behavior-based or statistical anomaly-based IDS refers to a baseline or learned pattern of normal
system activity to recognize active intrusion attempts. An alarm is triggered if a deviation from this
baseline or pattern is found. The advantages of behavior-based IDSes are that they can detect
previously unseen attacks and that they are less dependent on knowing specific OS vulnerabilities.
The disadvantage is that the rate of false alarms is higher than for a knowledge-based IDS; in
addition, an attacker who operates slowly enough to stay within the baseline, or who is already
present while the baseline is learned, is treated as normal.
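The two detection styles side by side, as an added example that is not part of the textbook: a handful of constructed web-server request lines are run through a small signature matcher (knowledge-based) and a per-source request-rate baseline (behavior-based). The signature patterns, the threshold of three standard deviations, the log format and the addresses are all illustrative choices made for this example.

```python
# Added example (not the textbook's code): the two detection styles of (c) run over constructed
# web-server request lines. The signatures, the statistical baseline and the log lines are all
# illustrative; a real IDS uses far richer rules and features.
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Knowledge-based detection: patterns of known attacks (constructed, not a real rule set).
SIGNATURES = [
    ("directory traversal", re.compile(r"\.\./")),
    ("sql injection", re.compile(r"(?i)'\s*or\s*'")),
    ("command injection", re.compile(r"[;|`]")),
]


def parse(line):
    """'src method path' -> (src, method, URL-decoded path)."""
    src, method, path = line.split(" ", 2)
    return src, method, unquote(path)


def signature_detect(lines):
    """Return (line_no, src, signature) for every line matching a known pattern."""
    hits = []
    for no, line in enumerate(lines, 1):
        src, _, path = parse(line)
        for name, pattern in SIGNATURES:
            if pattern.search(path):
                hits.append((no, src, name))
    return hits


def learn_baseline(lines):
    """Behavior-based detection, step 1: requests per source during a clean training window."""
    per_source = Counter(parse(line)[0] for line in lines)
    counts = list(per_source.values())
    return statistics.mean(counts), statistics.pstdev(counts)


def anomaly_detect(lines, baseline, k=3.0):
    """Step 2: flag any source whose request count exceeds mean + k standard deviations."""
    mean, sd = baseline
    threshold = mean + k * sd
    per_source = Counter(parse(line)[0] for line in lines)
    return {src: n for src, n in per_source.items() if n > threshold}


def _requests(src, paths):
    return [f"{src} GET {path}" for path in paths]


PAGES = ["/index.html", "/about.html", "/contact.html", "/products.html", "/news.html", "/faq.html"]

# Constructed training window: five ordinary visitors, four to six requests each.
TRAINING_LOG = (_requests("10.0.0.11", PAGES[:4]) + _requests("10.0.0.12", PAGES[:5])
                + _requests("10.0.0.13", PAGES[:6]) + _requests("10.0.0.14", PAGES[:5])
                + _requests("10.0.0.15", PAGES[:5]))

# Constructed monitored window: two ordinary visitors, one traversal probe, one SQL injection
# probe, and a scanner that fires 20 requests for paths no signature knows about.
MONITORED_LOG = (_requests("10.0.0.5", PAGES[:5])
                 + _requests("10.0.0.7", ["/search?q=../../../../etc/passwd"])
                 + ["10.0.0.9 GET /login.php?user=admin'%20OR%20'1'='1"]
                 + _requests("10.0.0.21", [f"/backup{i}.zip" for i in range(20)])
                 + _requests("10.0.0.6", PAGES[:6]))


def run_ids():
    """Signatures catch the two single-request probes; the baseline catches the scanner."""
    return {
        "signature_hits": sorted((src, name) for _, src, name in signature_detect(MONITORED_LOG)),
        "anomalies": anomaly_detect(MONITORED_LOG, learn_baseline(TRAINING_LOG)),
    }


if __name__ == "__main__":
    print(run_ids())
```

The traversal and SQL injection probes are one request each, well inside the baseline, so only the signatures see them; the scanner's twenty requests to unknown paths match no signature, so only the baseline sees it. That is the trade-off the text describes, and the reason the two approaches are usually combined.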

3. Access Control Mechanisms

An access control policy determines what types of accesses are allowed, under what conditions, and
by whom. Access control policies can be classified in the following way:

Discretionary access control (DAC)

Controls access on the basis of the identity of the requestor and on access rules
(authorizations) stating what each requestor is allowed or not allowed to do. This policy is
termed discretionary because an entity may hold access rights that permit it, at its own
discretion, to let another entity access some resource.

Mandatory access control (MAC)

Controls access on the basis of comparing security labels (which indicate how critical
or sensitive system resources are) with security clearances (which indicate which system entities
are qualified to access certain resources). This policy is termed mandatory because an entity that
has clearance to access a resource may not, at its own discretion, enable another entity to access
that resource.

Role-based access control (RBAC)

Controls access based on the roles that users have within the system and on rules stating what
accesses are allowed to users in given roles.

These three policies are not mutually exclusive. An access control mechanism can employ two or
even all three of these policies to cover different classes of system resources as shown in figure 6.7.

Figure 6.7: Access control policies

(a) Discretionary Access Control

The discretionary access control model considers a set of subjects, a set of objects, and a set of rules
that determine how the objects are accessed by the subjects. We define the protection state of a
system as the set of information, at a particular point in time, that states the access rights of each
subject with respect to each object. Three requirements can be identified: representation of the
protection state, enforcement of the access rights, and permission for subjects to alter the
protection state in certain ways. The model addresses all three requirements, giving a general, logical
description of a DAC system.

To characterize the protection state, the universe of objects is extended to include the following in the
access control matrix:

Processes: Access rights include the ability to delete a process, to stop (block) a process and
to wake up a process.

Devices: Access rights include the ability to control the operation of a device, read or write
the device and to block or unblock the device.

Memory locations or regions: Access rights include the ability to read or write certain
memory locations that are protected.

Subjects: Access rights include the ability to grant or delete the access rights of a subject to
other objects.

Figure 6.8 is an example of an access control matrix. For any access control matrix A, each entry
A[S, X] specifies the access rights of subject S to object X. For instance, read appears in A[ S1, F1],
which specifies that subject S1 is able to read file F1.

Figure 6.8: Access Control Matrix

From a functional point of view, a different access control module is linked with each type of object
as shown in figure 6.9. The module assesses each request that comes from a subject to access an
object, to determine if the access right exists. The following steps are executed when a subject tries to
access an object:

1. For an object X, a subject S0 issues a request of type .

2. The request causes the system to create a message which is in the form (S0, , X) and sends it
to the controller for object X.

3. The controller probes access matrix A to decide if is in A[S0, X].

4. If so, then access is allowed. If not, then access is not allowed and a protection violation
occurs. The violation triggers a warning and an appropriate action.

In figure 6.9, we can see that every access to an object by a subject has to go through the controller
for that object. The controller decides whether to grant access or not by looking into the contents of
the access matrix. Additionally, some subjects hold the right to make certain changes to the access
matrix. A request to change the contents of the access matrix is also treated as accessing the matrix.
In this case, individual entries are treated as the objects. These accesses have to pass through the
access matrix controller which controls modifications to the matrix.

Figure 6.9: An Organization of the Access Control Function



The model also contains rules that govern changes to the access matrix, as shown in table 6.1. For
this purpose the access rights owner and control are introduced along with the concept of a copy
flag. The first three rules in the table are concerned with transferring, granting and deleting
access rights. If S0 holds an access right to object X in A[S0, X] together with the copy flag, then
S0 can transfer that right to some other subject, with or without the copy flag, as expressed by
rule R1 in the table.

Rule R2 indicates that if S0 is the owner of object X, then S0 can grant any other subject access right
to that object. In specific terms we can say that if S0 has the owner access to object X, it can add any
access right to A[S, X] where S can be any subject.

Table 6.1: Access Control System Commands



Now let us try to understand what rule R3 states. R3 allows S0 to delete any access right from any
matrix entry in a row for which S0 controls the subject and from any matrix entry in a column for
which S0 owns the object. Rule R4 allows a subject to read the portion of the matrix that is owned
or controlled by the subject. Rule R5 says that a subject can create a new object; in this case the
subject owns the object and can grant and delete access to it. Rule R6 states that the owner of an
object can destroy the object, which deletes the corresponding column from the matrix. Rule R7 says
that any subject can create a new subject; the creator owns the newly created subject and the newly
created subject has control access to itself. Rule R8 states that the owner of a subject can delete
the row and the column of the access matrix that are designated by that subject.

Apart from the rules that we saw in table 6.1, there are some alternative or additional rules that can be
included. We can define a transfer-only right, so that the transferred right is added to the target
subject and deleted from the transferring subject. By not allowing the copy flag to accompany the
owner right, we can restrict the number of owners of a subject or an object.

The ability of one subject to create another subject and to hold the owner access right to that
subject can be used to define a hierarchy of subjects. For instance, in figure 6.8, S2 and S3 are
owned by S1, so S2 and S3 are subordinate to S1. According to the rules of table 6.1, S1 can grant
to S2, and later delete from S2, access rights that S1 already has. So a subject is able to create
another subject with a subset of its own access rights. This is useful, for instance, when a subject
invokes an application that it does not fully trust and does not want that application to be able to
transfer access rights to other subjects.
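An added example, not code from the textbook, that implements the access matrix and the commands described for rules R1 to R8 above in Python. The subject and object names, the spelling of a right with a trailing asterisk for the copy flag, and the small scenario in hierarchy_demo are assumptions made for this example; the model itself is the one the text describes.

```python
# Added example (not the textbook's code): an in-memory access matrix with a controller check
# and the commands described as rules R1-R8 above. A right with the copy flag is written
# with a trailing "*" (e.g. "read*"); subject and object names are constructed.


class ProtectionViolation(Exception):
    """Raised by the controller when a request is not backed by a matrix entry."""


class AccessMatrix:
    def __init__(self, root):
        self.A = {}                     # (subject, object) -> set of rights
        self.subjects = {root}
        self.objects = {root}           # subjects are objects too
        self.A[(root, root)] = {"control"}

    def rights(self, s, x):
        return self.A.get((s, x), set())

    def holds(self, s, right, x):
        """True if s holds `right` on x, with or without the copy flag."""
        return right in self.rights(s, x) or right + "*" in self.rights(s, x)

    def _require(self, cond, msg):
        if not cond:
            raise ProtectionViolation(msg)

    def _put(self, s, x, right):
        self.A.setdefault((s, x), set()).add(right)

    def _may_edit(self, s0, s, x):
        # Precondition shared by R3 and R4: S0 controls the row's subject or owns the column's object.
        return "control" in self.rights(s0, s) or "owner" in self.rights(s0, x)

    # Controller (figure 6.9): (S0, right, X) passes only if the right is in A[S0, X].
    def access(self, s0, right, x):
        self._require(self.holds(s0, right, x), f"{s0} may not {right} {x}")
        return True

    # R1: S0 holding right* on X may transfer the right, with or without the flag, to S.
    def transfer(self, s0, right, x, s, copy_flag=False):
        self._require(right + "*" in self.rights(s0, x), f"{s0} has no copy flag for {right} on {x}")
        self._put(s, x, right + "*" if copy_flag else right)

    # R2: the owner of X may grant any right on X to any subject.
    def grant(self, s0, right, x, s, copy_flag=False):
        self._require("owner" in self.rights(s0, x), f"{s0} does not own {x}")
        self._put(s, x, right + "*" if copy_flag else right)

    # R3: delete a right from A[S, X] if S0 controls S or owns X.
    def delete(self, s0, right, x, s):
        self._require(self._may_edit(s0, s, x), f"{s0} may not edit A[{s}, {x}]")
        self.rights(s, x).discard(right)
        self.rights(s, x).discard(right + "*")

    # R4: read A[S, X] under the same precondition.
    def read_cell(self, s0, s, x):
        self._require(self._may_edit(s0, s, x), f"{s0} may not read A[{s}, {x}]")
        return set(self.rights(s, x))

    # R5: any subject may create an object and becomes its owner.
    def create_object(self, s0, x):
        self.objects.add(x)
        self._put(s0, x, "owner")

    # R6: the owner destroys X, deleting its column.
    def destroy_object(self, s0, x):
        self._require("owner" in self.rights(s0, x), f"{s0} does not own {x}")
        self.objects.discard(x)
        self.A = {k: v for k, v in self.A.items() if k[1] != x}

    # R7: any subject may create a subject; the creator owns it and it controls itself.
    def create_subject(self, s0, s):
        self.subjects.add(s)
        self.objects.add(s)
        self._put(s0, s, "owner")
        self._put(s, s, "control")

    # R8: the owner of S destroys S, deleting both its row and its column.
    def destroy_subject(self, s0, s):
        self._require("owner" in self.rights(s0, s), f"{s0} does not own {s}")
        self.subjects.discard(s)
        self.objects.discard(s)
        self.A = {k: v for k, v in self.A.items() if s not in k}


def hierarchy_demo():
    """S1 creates F1 and subordinates S2, S3; rights flow down and are revoked from above."""
    m = AccessMatrix(root="S1")
    m.create_object("S1", "F1")                           # R5
    m.create_subject("S1", "S2")                          # R7
    m.create_subject("S1", "S3")
    m.grant("S1", "read", "F1", "S2", copy_flag=True)     # R2: S2 gets read*
    m.transfer("S2", "read", "F1", "S3")                  # R1: S3 gets read, no flag
    out = {"s3_reads_f1": m.access("S3", "read", "F1"),
           "s3_cell": sorted(m.read_cell("S1", "S3", "F1"))}     # R4
    for key, op in (("s3_passes_on", lambda: m.transfer("S3", "read", "F1", "S2")),
                    ("s2_grants_write", lambda: m.grant("S2", "write", "F1", "S3"))):
        try:
            op()
            out[key] = True
        except ProtectionViolation:
            out[key] = False
    m.delete("S1", "read", "F1", "S2")                    # R3: S1 owns F1
    out["s2_reads_after_delete"] = m.holds("S2", "read", "F1")
    m.destroy_subject("S1", "S2")                         # R8
    out["s2_gone"] = "S2" not in m.subjects and not any("S2" in k for k in m.A)
    return out
```

hierarchy_demo reproduces the subordinate-subject idea: S2 receives read with the copy flag from the owner S1 and passes read on to S3 without the flag, so S3 can read F1 but cannot pass the right any further, and S1 can later withdraw the right from S2 and destroy S2 from above.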

(b) Role-Based Access Control

Classical DAC systems define the access rights of individual users and of user groups. In contrast,
a role-based access control (RBAC) system is built around the roles that users assume in a system,
not around their identities. An RBAC model defines a role as a job function within an organization.
RBAC systems do not assign access rights to individual users but to roles, and users are assigned
roles, either statically or dynamically, according to their responsibilities. RBAC is widely used
commercially today.

As shown in figure 6.9, there is a many-to-many relationship from users to roles. Similarly, there is a
many-to-many relationship from roles to resources or system objects. In some environments, the set
of users may change frequently, thereby making the assignment of a user to one or more roles
dynamic. However, the set of roles is usually static in all kinds of environments. Occasionally, there
may be some additions and deletions. Each role has specific access rights to one or more resources.
The set of resources and the specific access rights associated with a particular role are also likely to
change infrequently.

Figure 6.9: Users, Roles, and Resources

As shown in figure 6.10, the key elements of an RBAC system can be depicted using an access
matrix. The upper matrix shows which user is assigned which role. Generally, the number of users
is larger than the number of roles. Each matrix entry is either blank or marked; a marked entry
indicates that the user is assigned to that role. A single user can be assigned several different
roles (more than one mark in a row), and a single role can be assigned to multiple users (more than
one mark in a column).

The lower matrix has the same structure as the DAC matrix, but roles are treated as subjects in
this matrix. Generally, the number of roles is smaller than the number of resources or objects. The
entries in this matrix are the specific access rights enjoyed by the roles. It should be noted that a
role can itself be treated as an object, which allows the definition of role hierarchies.
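The user-role and role-resource matrices of figure 6.10, as an added example that is not code from the textbook: each matrix is held as a set of marks, a small role hierarchy lets a senior role inherit the rights of the roles it contains, and access is decided by resolving the user's roles first. The users, roles, resources, rights and the hierarchy in demo are constructed for illustration.

```python
# Added example (not the textbook's code): the upper (user-role) and lower (role-resource)
# matrices of figure 6.10 held as sets, plus a simple role hierarchy in which a senior role
# inherits the rights of the roles it contains. All names and rights below are constructed.


class RBAC:
    def __init__(self):
        self.user_roles = {}     # upper matrix: user -> set of roles (one mark per assignment)
        self.role_rights = {}    # lower matrix: (role, resource) -> set of rights
        self.contains = {}       # hierarchy: senior role -> set of junior roles it inherits from

    # Administrative operations on the upper matrix: cheap to change as staff come and go.
    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    # Operations on the lower matrix: change rarely, together with the resource set.
    def permit(self, role, right, resource):
        self.role_rights.setdefault((role, resource), set()).add(right)

    def inherit(self, senior, junior):
        self.contains.setdefault(senior, set()).add(junior)

    def effective_roles(self, user):
        """Directly assigned roles plus everything reachable through the hierarchy."""
        seen, stack = set(), list(self.user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.contains.get(role, ()))
        return seen

    # The reference monitor: resolve the user's roles, then consult the lower matrix.
    def allowed(self, user, right, resource):
        return any(right in self.role_rights.get((role, resource), ())
                   for role in self.effective_roles(user))


def demo():
    r = RBAC()
    r.permit("clerk", "read", "ledger")
    r.permit("auditor", "read", "ledger")
    r.permit("auditor", "read", "audit_log")
    r.permit("manager", "write", "ledger")
    r.inherit("manager", "clerk")          # a manager may do everything a clerk may do
    r.assign("alice", "clerk")
    r.assign("bob", "clerk")
    r.assign("bob", "auditor")             # one user, several roles (several marks in a row)
    r.assign("carol", "manager")
    out = {
        "alice_read_ledger": r.allowed("alice", "read", "ledger"),
        "alice_write_ledger": r.allowed("alice", "write", "ledger"),
        "bob_read_audit_log": r.allowed("bob", "read", "audit_log"),
        "carol_read_ledger": r.allowed("carol", "read", "ledger"),   # via the hierarchy
        "carol_write_ledger": r.allowed("carol", "write", "ledger"),
        "carol_roles": sorted(r.effective_roles("carol")),
    }
    r.revoke("bob", "auditor")             # bob changes job: one edit, no per-object changes
    out["bob_read_audit_log_after"] = r.allowed("bob", "read", "audit_log")
    out["bob_read_ledger_after"] = r.allowed("bob", "read", "ledger")
    return out


if __name__ == "__main__":
    print(demo())
```

Note where the churn lands: moving bob off the auditor role is one edit to the upper matrix, and no entry of the lower matrix, which is tied to the resources, has to change.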

Figure 6.10: Users, Roles, and Resources



6.7 Worms and Viruses

Viruses

A computer virus is a piece of software that can infect other programs by modifying them. Here
modification means that the virus injects the victim program with a routine that makes copies of the
virus program. These copies then infect other programs. In biological terms, viruses are tiny scraps
of genetic code, DNA or RNA, that take over the machinery of a living cell and trick it into making
thousands of replicas of the original virus. In the same way a computer virus carries in its
instruction code the recipe for making perfect copies of itself. The virus infects a program on a
computer. When an uninfected piece of software comes into contact with the infected computer, a fresh
copy of the virus is passed into the new program. The infection can spread from one computer to
another without the users' knowledge when they exchange disks or send programs to one another over a
network.

A virus is capable of doing anything that a program can do. The basic difference however lies in the
fact that a virus attaches itself to the host program and secretly executes when the host program is
run. While executing, a virus can perform any function for which the privileges have been granted by
the current user. The privileges may even allow the virus to delete files and programs.

Basically a computer virus has three parts which have been described below:

Infection mechanism: The mechanism by which a virus spreads. Actually it enables the
virus to replicate.

Trigger: This is the condition or the event which decides when the payload is delivered or
activated.

Payload: Whatever the virus does apart from spreading, can be referred to as the payload.
The payload can involve damage or any noticeable activity.

Usually a virus goes through the following four phases during its lifetime.

Dormant phase: In this phase the virus is idle. It will eventually be activated by some event,
such as the presence of a program or file, a specific date, or the disk usage exceeding some
limit. Not all viruses go through this phase.

Propagation phase: The virus places one identical copy of itself into a program or into a
certain system area on the disk. The infected program now contains a copy of the virus which
will itself enter a propagation phase.

Triggering phase: In this phase the virus is activated to perform the task for which it was
intended.

Execution phase: In this phase the virus performs its function. The function may be
harmless, such as displaying a message on the screen, or it can be damaging, such as deleting
files and programs.

A majority of the viruses work in a manner that is specific to a particular OS. In some situations, the
working mechanism can also be specific to a particular hardware platform. Hence, viruses are
themselves designed to exploit the details and weaknesses of specific systems.

(a) Virus Structure

A virus can be appended to the beginning or to the end of an executable program. It can also be
inserted in some other way. The basic working mechanism is however the same. When the infected
program is invoked, it first executes the code of the virus and then executes its own code.

Figure 6.11 is the basic representation of the structure of a virus. The virus code V is appended to the
beginning of the infected program. The infected program starts with the virus code and it works in the
following way.

i) The first line of code is a jump to the main virus program.

ii) The second line is used by the virus as a special marker to determine whether or not the virus
has been injected into the program.

iii) As soon as the program is invoked, control is transferred to the main virus program.

iv) First the virus program may look for uninfected executable files to infect them.

v) The next step may be to perform some action so that some damage is done to the system.

vi) The action could be performed every time the program is invoked or every time a certain
condition holds.

vii) Lastly, control is transferred from the virus to the original program.

Figure 6.11: A simple virus

It is easy to detect the type of virus that we just saw. It is so because the length of the infected
program would be more as compared to the length of the corresponding uninfected one. But there is a
way to thwart this means of detection. The infected program can be compressed so that its length
matches with the length of the corresponding uninfected one. Figure 6.12 shows the logic for a
compression virus. The important lines in this virus have been numbered. It has been assumed that a
virus CV has infected a program P1.

Figure 6.12: Logic for a Compression Virus

With the invocation of the program, the control is passed to the virus. The virus then performs the
following steps:

i) The virus compresses every uninfected file P2 that it encounters. The size of the compressed
file P'2, when combined with the size of the virus, should be equal to the size of file P2.

ii) Next, a copy of the virus is appended to the beginning of the compressed program.

iii) The compressed version of the original infected program, P'1, is uncompressed.

iv) Finally, the uncompressed original program is executed.
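An added example, not from the textbook, of the detection point just made: a file-integrity baseline recorded while the system is known to be clean. A plain length comparison catches the virus of figure 6.11 but not the compression virus, because the compressed program plus the virus has the original length; a SHA-256 digest catches both. The "programs" are constructed byte strings, the "virus" is an inert marker, and the two infection functions do nothing but concatenate bytes.

```python
# Added example, not from the textbook: a file-integrity baseline that shows why a length check
# alone misses the compression virus above while a hash check does not. The "program files"
# and the "virus" are constructed byte strings; nothing here executes.
import hashlib
import zlib


def take_baseline(files):
    """Record (length, SHA-256) for every file while the system is known to be clean."""
    return {name: (len(data), hashlib.sha256(data).hexdigest()) for name, data in files.items()}


def changed_by_length(files, base):
    """Files whose length differs from the baseline (the naive check)."""
    return sorted(name for name, data in files.items() if len(data) != base[name][0])


def changed_by_hash(files, base):
    """Files whose digest differs from the baseline (the robust check)."""
    return sorted(name for name, data in files.items()
                  if hashlib.sha256(data).hexdigest() != base[name][1])


def simple_infection(program, virus):
    """Figure 6.11 style: the virus is prepended, so the file grows."""
    return virus + program


def compressing_infection(program, virus):
    """Figure 6.12 style: compress the host and pad so the total length is unchanged."""
    compressed = zlib.compress(program)
    padding = b"\0" * (len(program) - len(virus) - len(compressed))
    return virus + compressed + padding


# Constructed "clean" programs (repetitive so they compress well) and an inert marker "virus".
CLEAN = {"P1": b"NOP " * 200, "P2": b"MOV " * 250, "P3": b"RET " * 150}
VIRUS = b"V" * 64


def run_check():
    base = take_baseline(CLEAN)
    infected = dict(CLEAN)
    infected["P1"] = simple_infection(CLEAN["P1"], VIRUS)
    infected["P2"] = compressing_infection(CLEAN["P2"], VIRUS)
    return {
        "length_flags": changed_by_length(infected, base),   # only P1
        "hash_flags": changed_by_hash(infected, base),       # P1 and P2
        "p2_length_unchanged": len(infected["P2"]) == len(CLEAN["P2"]),
    }


if __name__ == "__main__":
    print(run_check())
```

The baseline itself must be kept where an intruder cannot rewrite it, on read-only media or a separate host, since an attacker who can change the programs could otherwise also change the recorded digests.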

(b) Initial Infection

After a virus has entered the system by infecting a single program, it can spread into other
programs whenever the infected program is executed. So, to prevent a viral infection, the virus
should be prevented from gaining entry in the first place. But prevention is extremely difficult, as
any program from outside the system may be infected. A common way of blocking the infection is not
allowing normal users to modify the programs on the system. Modern PC operating systems are
equipped with effective access control mechanisms, so the user who runs an infected program usually
cannot write to the system's executables. Traditional machine-code viruses have therefore become
less prevalent.

(c) Virus Classification

If viruses are classified based on the type of targets that they infect, then the classification will
include the following categories:

Boot sector infector: This type of virus infects the boot record and spreads into a system
when the infected disk is used to boot the system.

File infector: This type of virus infects executable files.

Macro virus: This type of virus infects files with macro code that is interpreted by an
application.

If viruses are classified on the basis of how they conceal themselves from users and antivirus
software, then the classification will include the following categories:

Encrypted virus: A portion of the virus creates a random encryption key to encrypt the other
portion. The key is stored with the virus. When an infected program is invoked, the virus
uses the key to decrypt the virus. When the virus is replicated, a different random key is
selected. As the bulk of the virus is encrypted with a different key for each instance, there is
no constant bit pattern to observe.

Stealth virus: This type of virus has been designed explicitly to conceal itself from antivirus
software.

Polymorphic virus: This type of virus mutates with every infection. Thus, detection through
observation of the signature becomes impossible.

Metamorphic virus: A metamorphic virus also mutates with every infection. But the
difference is that metamorphic virus completely rewrites itself at each iteration. Thus the
detection becomes even more difficult. This type of virus can change their appearance as
well as their behavior.

One example of a stealth virus is the compression virus of figure 6.12. The virus first compresses
the host file and then prepends itself to it, so the length of the infected file is the same as the
length of the uninfected file. More sophisticated techniques also exist. For instance, a virus can
place intercept logic in the disk I/O routines, so that when these routines are used to read the
suspected portions of the disk, the virus presents back the original uninfected program.

A polymorphic virus creates a different copy with every replication. The function of each copy is
the same, but the signature of each copy varies. The motive is the same as for a stealth virus, i.e.
to hide from programs that look for viruses. To achieve this variation, the virus may change the order
of independent instructions or randomly insert superfluous instructions. Encryption is a far more
effective technique. The portion of the virus that generates the random key and performs the
encryption and decryption is called the mutation engine. With each use, the mutation engine itself is
modified.

(d) Macro viruses

Macro viruses are considered threatening due to the following reasons.

Macro viruses are platform independent. A lot of macro viruses infect Microsoft office
documents or Microsoft word documents. Any OS or hardware platform that supports these
applications can also be infected.

Macro viruses do not infect executable codes. Rather they infect documents. Almost all the
information that we introduce onto a computer system is in the form of documents, and not
programs.

Macro viruses can spread very easily. Electronic mail, for example, is the most common
method.

As macro viruses infect documents rather than programs, traditional file system access controls
do little to prevent them from spreading.

Macro viruses take advantage of a feature called the macro, which is available in Microsoft
Office applications such as Excel and Word. A macro is basically an executable program embedded in
a word processing document or another type of file. It is used to automate repetitive tasks and thus
save keystrokes. The macro language is typically some form of the Basic programming language. For
convenience, a user may define a macro for a sequence of keystrokes and invoke it by pressing a
function key or a short combination of keys.

Recent versions of the MS office provide an increased protection against macro viruses. For instance,
Microsoft provides an optional Macro Virus Protection tool. This tool detects suspicious word files
and warns the user about the risks involved in opening a file with macros. Tools for detecting and
correcting macro viruses are also available through numerous product vendors.

(e) E-mail Viruses

An e-mail virus is a more recent development in malicious software. Melissa, for example, is a fast
spreading e-mail virus that makes use of a Microsoft Word macro embedded in an attachment. The Word
macro is activated as soon as the recipient opens the e-mail attachment. The virus then performs the
following actions.

The e-mail virus forwards itself to every person on the mailing list in the user's e-mail
package.

The virus does local damage on the user's system.

A more powerful form of the e-mail virus appeared in 1999. It can be activated just by opening the
e-mail that contains the virus; the user does not even have to open an attachment. The virus uses the
Visual Basic scripting language supported by the e-mail package. It is activated either by opening the
e-mail attachment or simply by opening the e-mail, and then rapidly spreads to all the e-mail
addresses known to the infected host. An e-mail virus can reach all its targets in a matter of hours.

Worms

A worm is a program that can create multiple copies of itself and send those copies from one
computer to another over the network. Once it has arrived on a system, it may be activated to
replicate and propagate again. Usually a worm performs some unwanted operations in addition to
propagating. A worm is similar to an e-mail virus in that it propagates from one system to another.
However, unlike e-mail viruses, worms are standalone software and do not require a host program or
human help to propagate. A worm keeps searching for machines that it can infect, and each infected
machine then serves as an automated launching pad for attacks on other machines.

Network worm programs take the help of network connections to propagate from one system to
another. After a network worm becomes active within a system, it can behave as a virus or bacteria,
or can even implant Trojan horse programs.

A network worm uses some kind of network vehicle to make duplicates of itself. The following are
some examples:

Electronic mail facility: A worm mails a copy of itself to other systems. When the e-mail or
the attachment is received or viewed, the code is automatically executed.

Remote execution capability: A worm executes a copy of itself on another machine. This
can be done either by exploiting a program flaw in a network service to disrupt its operations
or by using an explicit remote execution facility.

Remote login capability: A worm logs on to a remote machine as a user. Then it uses
commands to send copies of itself to other machines, where it then executes.

A network worm undergoes the same phases in its lifetime as a computer virus: a dormant phase, a
propagation phase, a triggering phase and an execution phase.

The propagation phase generally performs the following functions:

i) Search for other potential victims (systems) by exploring host tables or similar repositories to
find addresses of remote systems.

ii) Establish a connection with a remote system.

iii) Send a copy to the remote system and execute the copy.

The network worm may also try to learn if the potential victim has already been infected before
sending a copy to it. In a multiprogramming system, the network worm may mask its presence by
naming itself as a system process or using a name that does not make the system operator suspicious.
Network worms are difficult to deal with, just like viruses.

(a) State of Worm Technology

The state of the art in worm technology includes the following:

Multiplatform: Newer worms are not limited to Windows machines. They can attack a
variety of platforms, especially the popular varieties of UNIX.

Polymorphic: Worms adopt the polymorphic technique of virus to foil real time analysis,
skip past filters and evade detection. Each copy of the worm has new code generated on the
fly using functionally equivalent instructions and encryption techniques.

Multiexploit: There are many ways in which new worms penetrate a system. For instance,
browsers, file sharing, e-mail, web servers and other network-based applications.

Ultrafast spreading: To accelerate the spreading of a worm, a prior Internet scan can be
conducted so that the addresses of vulnerable machines are accumulated in advance.

Metamorphic: Metamorphic worms not only change their appearance but also their
behaviour at different stages of propagation.

Transport vehicles: As worms can compromise a large number of systems in a short span of
time, they are ideal for spreading other distributed attack tools, such as distributed denial of
service bots.

Zero-day exploit: In order to achieve maximum surprise and distribution, a worm must
exploit an unknown vulnerability that is only discovered by the general network community
when the worm is launched.

6.8 Summary

Security deals with shielding systems from deliberate attacks, internal or external, by persons
who are trying to damage or steal information or otherwise wreak disorder in some manner. There
are various types of security threats: interruption, modification, interception and fabrication.
Basically, there are three security goals: confidentiality, integrity and availability.
Confidentiality means protecting information from unauthorized access. Integrity means preventing
unauthorized modification of information. Availability means ensuring that information is always
available to authorized users. Computer systems employ various authentication mechanisms to prevent
unauthorized users from gaining access to the system. In a password based authentication system,
the user has to supply a password along with his/her identity to gain access. In a token based
authentication system, the user has to produce a memory card or a smart card in the authentication
process. In a biometric authentication system, physical characteristics of the user such as
fingerprints, hand geometry, signature or voice print are used in the authentication procedure.
Computer systems also employ various access control mechanisms to define the access rights of each
user of the system. These access rights determine what type of access the user can perform on a
particular resource or object.

6.9 Exercise

1. In computer security, ________ means that computer system assets can be modified
only by authorized parties.

A) Confidentiality B) Integrity C) Availability D) Authenticity

2. Which of the following is independent malicious program that need not any host program?

A) Trap doors B) Trojan horse C) Virus D) Worm

3. State whether true or false.

i) A worm mails a copy of itself to other systems.
ii) A worm executes a copy of itself on another system.

A) True, False B) False, True C) True, True D) False, False
4. What special feature makes the smartcard so flexible to use?

A) the ability to protect stored information


B) the use of a microprocessor and programmable memory
C) the high speeds at which it is able to operate
D) the capability of storing huge amounts of information per unit of area
5. What is the main purpose of access control?
A) to authorize full access to authorized users
B) to limit the actions or operations that a legitimate user can perform
C) to stop unauthorized users accessing resources
D) to protect computers from viral infections
6. Which of the following viruses takes over the computer system when it boots and destroys
information?

A) System infectors B) Trojan C) Boot infectors D) Stealth virus

7. Which of the following would most likely not be a symptom of a virus?

A) The web browser opens to an unusual home page


B) Odd message or images are displayed on the screen
C) Existing program files and icons disappear
D) The CDROM stops functioning
8. A virus that migrates freely within a large population of unauthorized email users is called a
-------------------------

A) flame war B) worm C) macro D) plagiarism


9. Which of the following is least secure method of authentication?
A) Key card B) fingerprint C) retina pattern D) Password
10. From the following, which is not a common file permission?
A) Write B) Execute C) Stop D) Read
11. What is a security threat? Explain the different types of security threats in detail.

12. What are the different ways in which the security system can be penetrated? Describe them.

13. What do you mean by smart cards? How are they used for user authentication to computers?

14. Consider an automated teller machine (ATM) in which users provide a personal identification
number (PIN) and a card for account access. Give examples of confidentiality, integrity, and
availability requirements associated with the system and, in each case, indicate the degree of
importance of the requirement.

15. Draw an access control matrix for a Discretionary Access Control System and explain how the
system ensures that unauthorized users are prevented from accessing any resource.

16. How does a compression virus work? Give an example to support your answer.

17. List and briefly describe the principal physical characteristics used for biometric identification.

18. Discuss a means by which managers of systems connected to the Internet could design their
systems to eliminate or limit the damage done by worms. What are the drawbacks of making
the change that you suggest?

19. In what ways is a computer worm different from a computer virus? Write down the distinctive
features of a worm that make it dangerous.

20. How are the access-matrix facility and the role-based access-control facility similar? How do
they differ?

21. What is the purpose of using a "salt" along with the user-provided password? Where should the
"salt" be stored, and how should it be used?

22. What is an Intrusion Detection System? Explain with the help of an example.

23. How does encryption help in protecting our data? Which one do you think is more secure-
symmetric encryption or asymmetric encryption. Justify your statement.

6.10 Suggested Readings

1. Operating System Concepts by Abraham Silberschatz, Peter B. Galvin, Greg Gagne, Wiley.

2. Operating Systems: Internals and Design Principles by William Stallings, Pearson.
