JIGJIGA UNIVERSITY
INSTITUTE OF TECHNOLOGY
SCHOOL OF COMPUTING
DEPARTMENT OF COMPUTER SCIENCE

Course Title: Computer Security

Presented by

Names                        IdNo
Mahamed Abdinasir Yusuf      R/5184/10
Mahamed Abdirisak Ahmed      R/5203/10
Nimo Tahir Mohamed           R/5240/10
Aneb Hussien Ahmed           R/5074/10
Abdiwahid Hassan Abdinor     R/5381/10

Guided by Instructor: Hashim Abdi

Contents

Chapter 4
4. Security in conventional operating systems
4.1 Memory, time, file, object protection requirements and techniques
4.1.1 How to protect memory of one process from another?
4.1.2 Memory Segmentation
4.1.3 Paged virtual memory
4.2 One Time passwords
4.3 Protection in contemporary operating systems
4.4 Identification and authentication
4.4.1 Identification goals
4.4.2 Authentication requirements
4.4.3 Human authentication
4.4.3.1 Something You Are
4.4.3.2 Something You Know
4.4.4 Machine authentication
5. References

SECURITY IN CONVENTIONAL Jun - 2021

Chapter 4

4. Security in conventional operating systems

OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised.

OS security encompasses many different techniques and methods which ensure safety from threats and attacks. OS security allows different applications and programs to perform required tasks and stops unauthorized interference.

Security refers to providing a protection system for computer system resources such as CPU, memory, disk, software programs and, most importantly, the data/information stored in the computer system. If a computer program is run by an unauthorized user, then he/she may cause severe damage to the computer or the data stored in it.
So a computer system must be protected against unauthorized access, malicious access to system memory, viruses, worms, etc.

Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability.

OS security may be approached in many ways, including adherence to the following:

- Performing regular OS patch updates
- Installing updated antivirus engines and software
- Scrutinizing all incoming and outgoing network traffic through a firewall
- Creating secure accounts with required privileges only (i.e., user management)

4.1 Memory, time, file, object protection requirements and techniques

Memory protection is a way to control memory access rights on a computer, and is a part of most modern instruction set architectures and operating systems. The main purpose of memory protection is to prevent a process from accessing memory that has not been allocated to it. This prevents a bug or malware within a process from affecting other processes, or the operating system itself. Protection may encompass all accesses to a specified area of memory, write accesses, or attempts to execute the contents of the area.

Memory Protection:

One of the important aspects of operating system security is memory protection. Memory provides a powerful indirect way for an attacker to circumvent security mechanisms, since every piece of information accessed by any program will need to reside in memory at some point in time, and hence may potentially be accessed in the absence of memory protection mechanisms.
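
The two properties described above (a process cannot reach memory that belongs to another process, and a protected area rejects write accesses) can be observed from user space. The following is an added example, not part of the original slides; it assumes Linux and CPython, and the function names are illustrative.

```python
import ctypes
import mmap
import os
import signal


def isolation_demo():
    """Parent and child hold different data at the same virtual address."""
    buf = ctypes.create_string_buffer(b"parent", 16)
    addr = ctypes.addressof(buf)
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                      # child: gets its own copy of the page
        buf.value = b"child"          # write lands only in the child's memory
        os.write(wfd, b"%d:%s" % (ctypes.addressof(buf), buf.value))
        os._exit(0)
    os.close(wfd)
    child_addr, child_val = os.read(rfd, 64).split(b":")
    os.close(rfd)
    os.waitpid(pid, 0)
    return int(child_addr) == addr, buf.value, child_val


def write_protect_demo():
    """Write to a page marked read-only; the hardware fault kills the writer."""
    libc = ctypes.CDLL(None, use_errno=True)
    libc.mprotect.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int]
    page = mmap.mmap(-1, mmap.PAGESIZE)               # anonymous, read/write
    view = (ctypes.c_char * mmap.PAGESIZE).from_buffer(page)
    addr = ctypes.addressof(view)
    if libc.mprotect(addr, mmap.PAGESIZE, mmap.PROT_READ) != 0:
        raise OSError(ctypes.get_errno(), "mprotect failed")
    pid = os.fork()
    if pid == 0:
        ctypes.memset(addr, 0x41, 1)  # faults: page is no longer writable
        os._exit(0)                   # only reached if protection failed
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return signal.Signals(os.WTERMSIG(status)).name
    return "no fault"


if __name__ == "__main__":
    print(isolation_demo())       # same address, different contents
    print(write_protect_demo())   # name of the signal that stopped the writer
```

The child's write never becomes visible to the parent even though both use the same virtual address, and the write to the read-only page ends the offending process instead of corrupting data.
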
Memory protection is a way of controlling memory usage on a computer, and is core to virtually every operating system. The main purpose of memory protection is to prevent a process running on an operating system from accessing the memory of other processes, or memory that is used by the OS kernel.

4.1.1 How to protect memory of one process from another?

The virtual memory mechanism supported on most OSes ensures that the memory of different processes is logically disjoint. The virtual addresses, which are logical addresses, are transformed into physical memory addresses using address translation hardware. To speed up translation, various caching mechanisms are utilized.

1. First, most L1 processor caches are based on virtual addresses, so cache accesses don't need address translation.
2. Next, the paging hardware uses cache-like mechanisms (TLBs) to avoid performing bounds checks on every virtual access.

In order to secure the virtual address translation mechanism, it is important to ensure that processes cannot tamper with the address translation mechanisms.

4.1.3 Paged virtual memory

In paging, the memory address space or segment is divided into equal-sized blocks called pages. Using virtual memory hardware, each page can reside in any location at a suitable boundary of the computer's physical memory, or be flagged as being protected. Virtual memory makes it possible to have a linear virtual memory address space and to use it to access blocks fragmented over the physical memory address space.

Most computer architectures which support paging also use pages as the basis for memory protection.

4.2 One Time passwords

One-time passwords provide additional security along with normal authentication. In a one-time password system, a unique password is required every time a user tries to log in to the system.
Once a one-time password is used, it cannot be used again.

Program Threats

An operating system's processes and kernel perform their designated tasks as instructed. If a user program makes these processes perform malicious tasks, this is known as a program threat.

System Threats

System threats refer to the misuse of system services and network connections to put the user in trouble. System threats can be used to launch program threats on a complete network, which is called a program attack. System threats create an environment in which operating system resources and user files are misused.

4.3 Protection in contemporary operating systems

Protection in contemporary operating systems refers to a mechanism which controls the access of programs, processes, or users to the resources defined by a computer system. We can take protection as a helper to a multiprogramming operating system, so that many users might safely share a common logical name space such as a directory or files.

Need of Protection:

- To prevent access by unauthorized users
- To ensure that each active program or process in the system uses resources only as the stated policy allows
- To improve reliability by detecting latent errors

Role of Protection:

The role of protection is to provide a mechanism that implements the policies which define the use of resources in the computer system. Some policies are defined at the time the system is designed, some are designed by the management of the system, and some are defined by the users of the system to protect their own files and programs.

Every application has different policies for the use of resources, and they may change over time, so protection of the system is not only the concern of the designer of the operating system. Application programmers should also design protection mechanisms to protect their systems against misuse.
Policy is different from mechanism. Mechanisms determine how something will be done and policies determine what will be done. Policies change over time and from place to place. Separation of mechanism and policy is important for the flexibility of the system.

4.4 Identification and authentication

Identification is the ability to identify uniquely a user of a system or an application that is running in the system.

"Who are you?" – Users supply information to identify themselves, such as name, username, and user ID. Supplying identification information does not prove that the user is who he says he is.

Authentication is the ability to prove that a user or application is genuinely who that person or what that application claims to be.

"Prove your identification" – The user verifies her identity. Some examples of authentication mechanisms are user-selected passwords, system-generated passwords, passphrases, question-and-answer passwords, tokens, and various biometric characteristics.

For most systems, identification and authentication are the first line of defense to prevent unauthorized users from entering the system.

4.4.1 Identification goals

Identification occurs when a user (or any subject) claims or professes an identity. This can be accomplished with a username, a process ID, a smart card, or anything else that can uniquely identify a subject. Security systems use this identity when determining if a subject can access an object.

Many information systems involve data about people. In order to associate data reliably with particular individuals, it is necessary that an effective and efficient identification scheme be established and maintained. There is remarkably little in the information technology literature concerning human identification. Seeks to overcome that deficiency by undertaking a survey of human identity and human identification.
4.4.2 Authentication requirements

In the context of communications across a network, the following attacks can be identified:

1. Disclosure: Release of message contents to any person or process not possessing the appropriate cryptographic key.
2. Traffic analysis: Discovery of the pattern of traffic between parties. In a connection-oriented application, the frequency and duration of connections could be determined. In either a connection-oriented or connectionless environment, the number and length of messages between parties could be determined.
3. Masquerade: Insertion of messages into the network from a fraudulent source. This includes the creation of messages by an opponent that are purported to come from an authorized entity. Also included are fraudulent acknowledgments of message receipt or non-receipt by someone other than the message recipient.
4. Content modification: Changes to the contents of a message, including insertion, deletion, transposition, and modification.
5. Sequence modification: Any modification to a sequence of messages between parties, including insertion, deletion, and reordering.
6. Timing modification: Delay or replay of messages. In a connection-oriented application, an entire session or sequence of messages could be a replay of some previous valid session, or individual messages in the sequence could be delayed or replayed. In a connectionless application, an individual message (e.g., datagram) could be delayed or replayed.
7. Source repudiation: Denial of transmission of message by source.
8. Destination repudiation: Denial of receipt of message by destination.

4.4.3 Human authentication

People aren't computers. They don't have the computational or storage capacity. So the mechanisms to authenticate humans are considerably different from the mechanisms to authenticate machines.
(Though they both have in common the notion of secrets.)

- Something you know: you demonstrate knowledge of a secret, e.g., password
- Something you have: you demonstrate possession of an object, e.g., prox card
- Something you are: you demonstrate some feature of yourself, e.g., fingerprint

4.4.3.1 Something You Are

"Something you are" is authentication based on biometrics. Biometrics are a measurement of your physical or behavioral traits, e.g., your fingerprint, face, iris, retina, hands, or DNA. To be usable for authentication, a biometric must be (i) an identifier within the population; (ii) invariant over time (N.B., kids' fingerprints change); (iii) difficult to spoof (proof of life?); and (iv) easy to measure.

Biometric measurement suffers from the problems of false positives and false negatives, so biometric authentication mechanisms can incorrectly accept or incorrectly reject an authentication request. Which is better depends on context. And both are bad: on commercial flights, a false negative or false positive rate of just 1% could have serious consequences.

4.4.3.2 Something You Know

"Something you know" is authentication based on a human's knowledge of a secret. The secret is usually a PIN (short numeric code), password (short string), or passphrase (longer string). I'll write "password" from now on, but everything we talk about is relevant to all three.

Passwords have a life cycle:

- Create: user chooses password
- Store: system stores password with user identifier
- Use: user supplies password to authenticate
- Change (Recover/Reset): user forgets; wants or needs to change

4.4.4 Machine authentication

Machine authentication is the authorization of an automated human-to-machine or machine-to-machine (M2M) communication through verification of a digital certificate or digital credentials.
Machine authentication is used to authorize machine interactions on both wired and wireless networks to enable computers and other machines to interact and exchange information autonomously. The processes of machine authentication can be performed by simple devices such as sensors and meters in infrastructure.