Security & Protection 1

1 Security & Protection

2 Protection
• The processes in an operating system must be protected from one another's activities. For that purpose, various mechanisms can be used to ensure that the files, memory segments, CPU, and other resources can be operated on only by those processes that have gained proper authorization from the operating system.
• Protection refers to a mechanism for controlling the access of programs, processes, or users to the resources defined by a computer system.

3 Goals of Protection
• Modern protection concepts have evolved to increase the reliability of any complex system that makes use of shared resources.
• We need to provide protection for several reasons. The first is the need to prevent mischievous, intentional violation of an access restriction by a user.
• Another is the need to ensure that each program component active in a system uses system resources only in ways consistent with stated policies.

4 An unprotected resource cannot defend against use by an unauthorized user.
A protection-oriented system provides means to distinguish between authorized and unauthorized usage. The role of protection in a computer system is to provide a mechanism for the enforcement of the policies governing resource use.

5 These policies can be established in a variety of ways: some are fixed in the design of the system and others are formulated by the management of a system. Policies for resource use may vary by application, and they may change over time.
Policy is distinct from mechanism. Mechanisms determine how something will be done; policies decide what will be done. The separation of policy and mechanism is important for flexibility, because policies are likely to change from place to place or from time to time.

6 Domain of Protection
• A computer system is a collection of processes and objects. By objects, we mean both hardware objects (such as the CPU, memory segments, printers, disks, and tape drives) and software objects (such as files, programs, and semaphores).
• Each object has a unique name that differentiates it from all other objects in the system, and each can be accessed only through well-defined and meaningful operations.
• A process should be allowed to access only those resources for which it has authorization. Furthermore, at any time, a process should be able to access only those resources that it currently requires to complete its task.

7 Domain Structure
• To facilitate this scheme, a process operates within a protection domain, which specifies the resources that the process may access. Each domain defines a set of objects and the types of operations that may be invoked on each object. The ability to execute an operation on an object is an access right. A domain is a collection of access rights, each of which is an ordered pair <object-name, rights-set>.
• For example, if domain D has the access right <file F, {read, write}>, then a process executing in domain D can both read and write file F; it cannot, however, perform any other operation on that object.

8 • Domains need not be disjoint; they may share access rights.
• For example, in the figure we have three domains: D1, D2, and D3. The access right <O4, {print}> is shared by both D2 and D3, implying that a process executing in either of these two domains can print object O4.
• Note that a process must be executing in domain D1 to read and write object O1. On the other hand, only processes in domain D3 may execute object O1.

9 • Each user may be a domain. In this case, the set of objects that can be accessed depends on the identity of the user. Domain switching occurs when the user is changed, generally when one user logs out and another user logs in.
• Each process may be a domain. In this case, the set of objects that can be accessed depends on the identity of the process. Domain switching corresponds to one process sending a message to another process and then waiting for a response.
• Each procedure may be a domain. In this case, the set of objects that can be accessed corresponds to the local variables defined within the procedure. Domain switching occurs when a procedure call is made.

10 Access Matrix (reference from I. A. Dhotre)
• The access matrix is used to implement protection, and it can be implemented in various ways. Domains are represented by the rows of the access matrix and objects by its columns. Each matrix entry consists of a set of access rights.

11 (figure: access matrix)

12 • The access matrix consists of four domains and four objects: three files and one printer. The access matrix is summarized as follows.
1) A process in domain D1 can read file F1 and file F3.
2) A process in domain D2 can only use the printer.
3) A process in domain D3 can read file F1 and execute file F3.
4) A process in domain D4 can read and write file F1 and file F3.
• The access matrix separates access mechanism from access policy: the mechanism consists of implementing the access matrix, while users normally decide the contents of the access matrix entries. Both hardware and software objects are included in the access matrix.

13 • When a user creates a new object Oj, the column Oj is added to the access matrix. Blank entries indicate no access rights.
• A process is switched from one domain to another by executing the switch operation on the object. Domain switching is controlled by the user or by the operating system. Each entry in the access matrix may be modified individually. A switch from domain Di to domain Dj is possible if and only if the access right switch is in access(i, j).
• The figure (on the next slide) shows the access matrix with domains as objects. A process executing in any domain can switch to any domain for which it holds the switch right. In the figure, processes change domain as follows.

14 A process in domain D2 can switch to domain D3 and domain D4.

15 • Access matrices are inefficient for storage of access rights in a computer system because they tend to be large and sparse.
• A column-oriented list is called an access control list (ACL). Unix uses access control lists for file protection. A row-oriented list is called a capability list; it is kept with the subject.
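As an added example (not from the slides), the access matrix of slides 12 to 14 in Python, with the switch right of slide 14 stored as an object column, plus the ACL (column) and capability-list (row) decompositions described on slide 15. The names MATRIX, allowed, switch_domain, access_lists, capability_list and revoke are my own.

```python
# Added example, not from the slides: the slide-12 access matrix with the
# slide-14 switch right stored as an object column, plus the ACL (column)
# and capability-list (row) decompositions of slide 15. Names are my own.
from collections import defaultdict

# Constructed matrix: rows are domains, columns are objects, entries are
# sets of rights. A missing cell is a blank entry and grants nothing.
MATRIX = {
    "D1": {"F1": {"read"}, "F3": {"read"}},
    "D2": {"printer": {"print"}, "D3": {"switch"}, "D4": {"switch"}},
    "D3": {"F1": {"read"}, "F3": {"execute"}},
    "D4": {"F1": {"read", "write"}, "F3": {"read", "write"}},
}

def allowed(matrix, domain, obj, op):
    """Mechanism, not policy: op on obj from domain is permitted only if
    op is in access(domain, obj); a blank entry denies everything."""
    return op in matrix.get(domain, {}).get(obj, set())

def switch_domain(matrix, current, target):
    """Domain switching is itself a right: the target domain is treated as
    an object and 'switch' must be in access(current, target)."""
    if not allowed(matrix, current, target, "switch"):
        raise PermissionError(f"{current} may not switch to {target}")
    return target

def access_lists(matrix):
    """Column decomposition: per object, which domains hold which rights."""
    acl = defaultdict(dict)
    for domain, row in matrix.items():
        for obj, rights in row.items():
            acl[obj][domain] = set(rights)
    return dict(acl)

def capability_list(matrix, domain):
    """Row decomposition: the objects (and rights) a domain holds tickets for."""
    return {obj: set(rights) for obj, rights in matrix.get(domain, {}).items()}

def revoke(matrix, domain, obj, op):
    """Owner revocation: one entry is edited in place. In the ACL view this
    is a single lookup; a pure capability design would have to scan the
    capability list of every domain to find the ticket to withdraw."""
    rights = matrix.get(domain, {}).get(obj)
    if rights is not None:
        rights.discard(op)
        if not rights:                     # empty set becomes a blank entry
            del matrix[domain][obj]
```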

16 Implementing Access Matrix
• The access matrix can be implemented in several ways. Methods for implementing the access matrix are:
1) Global table
2) Access list for objects
3) Capability list
4) A lock-key mechanism

17 Global Table
• One of the simplest methods of implementing the access matrix. The global table consists of triples of domain, object and right set, written in the order <domain, object, right-set>.
• If operation P is executed on an object Oj within domain Dj, the global table is searched for a triple <Dj, Oj, Rk> with P ∈ Rk.
• If the triple is found, the operation is allowed to continue. If the triple is not found, an exception (error condition) occurs.

18 Limitations of Global Table
1) The global table is large.
2) The global table cannot be kept in memory, so additional input/output is required.
3) Virtual memory is required.
4) Grouping of objects or domains is not easily possible.

19 Access List for Objects
• The matrix is decomposed by columns, yielding access control lists. For each object, list the users and their permitted access rights. An access control list may contain a default or public entry. Access lists are frequently used in file systems. In systems that employ access lists, a separate list is maintained for each object.
• Only the owner has the authority to define and modify the access list. The owner can withdraw what was granted to a particular subject or domain by deleting the related entry in the access list.

20 Drawbacks
1) Searching overhead for verification.
2) Weakens protection by opening the file.
3) In the Unix operating system, access lists are reduced to three entries per file, one each for the owner, the group, and all other users.

21 • A capability is a unique, global name for an access right to an object in a system. Decomposition of the access matrix by rows yields capability tickets. A capability is a token or ticket that gives permission to access a specific object in the specified manner.
• A capability list for a domain is a list of objects together with the operations allowed on those objects. Capabilities are used in today's operating systems to implement a protection mechanism and to span address spaces among subjects.
• A capability serves two purposes: it provides an address for a resource in a very large address space, and possession of the capability represents the authorization of the subject to the described object.

22 When a subject obtains a capability, authentication occurs.
Once the capability has been issued, it is not necessary for a runtime monitor and access matrix to check each access.

23 Properties
1) The values taken on by a capability must be derived from a large name space.
2) Capabilities must be very difficult to guess.
3) Capabilities must be distinguishable from randomly generated bit patterns.
4) Capabilities must be unique and not reused once they have been assigned.
5) Capabilities need to be distinguishable from spurious names.
Capabilities are implemented in one of two ways: either they are wholly implemented within the operating system address space, or the hardware incorporates specialized support for capabilities.

24 • Capabilities are usually distinguished from other data in one of two ways.
1. Each object has a tag to denote its type as either a capability or as accessible data.
2. The address space associated with a program can be split into two parts. A segmented memory space is useful to support this approach.
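An added example (not part of the slides) of a capability wholly implemented within the operating system's address space, the first of the two implementation routes on slide 23, built to satisfy the five properties listed there: the ticket is drawn from a large random name space, carries a keyed tag so forged, edited or random bit patterns are rejected as spurious, is never reused, and can be revoked without touching other holders' lists (slide 22 and slide 26). CapabilityStore and its methods are hypothetical names, and the object name is assumed not to contain ':'.

```python
# Added example, not from the slides: a software-implemented capability with
# the slide-23 properties. A ticket is tag(32) || id(16) || "object:rights";
# the tag is an HMAC under a key only the system holds, so a holder cannot
# alter the rights or forge a ticket. Names are my own.
import hashlib
import hmac
import secrets

class CapabilityStore:
    TAG_LEN, ID_LEN = 32, 16

    def __init__(self):
        self._key = secrets.token_bytes(32)   # lives only in the OS address space
        self._revoked = set()                 # ids withdrawn since issue

    def _tag(self, payload):
        return hmac.new(self._key, payload, hashlib.sha256).digest()

    def issue(self, obj, rights):
        """Fresh 128-bit random id per ticket: unique, hard to guess, never
        reused. Assumes obj contains no ':' (constructed format)."""
        body = f"{obj}:{','.join(sorted(rights))}".encode()
        payload = secrets.token_bytes(self.ID_LEN) + body
        return self._tag(payload) + payload

    def parse(self, cap):
        """Return (obj, rights) for a genuine live ticket, else None. Random
        bit patterns, truncated or edited tickets all fail the tag check."""
        if len(cap) <= self.TAG_LEN + self.ID_LEN:
            return None
        tag, payload = cap[:self.TAG_LEN], cap[self.TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(payload)):
            return None                       # spurious or forged name
        if payload[:self.ID_LEN] in self._revoked:
            return None
        obj, _, rights = payload[self.ID_LEN:].decode().partition(":")
        return obj, frozenset(rights.split(","))

    def check(self, cap, obj, op):
        """Possession of a valid ticket is the authorization: no access-matrix
        lookup at access time, only verification of the ticket itself."""
        parsed = self.parse(cap)
        return parsed is not None and parsed[0] == obj and op in parsed[1]

    def revoke(self, cap):
        """Withdraw one ticket by id; no other domain's list is scanned."""
        self._revoked.add(cap[self.TAG_LEN:self.TAG_LEN + self.ID_LEN])
```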

25 Lock-Key Mechanism
• The lock-and-key method associates a lock with each object in the system and a key that is held by a domain. This method is a compromise between access lists and capability lists. Locks and keys are unique bit patterns, with a specific key unlocking a single lock. When a process tries to access an object, the operating system checks whether the domain holds a key for that object.
• Keys can be copied from one domain to another, or from one object to a domain, in a variety of ways.

26 Comparison
• All of these have advantages and disadvantages. Access lists are good for the user and are easy to manage: it is easy for an owner to remove access rights to an object for a given domain. If there are many domains in the system, however, the access list can get very long, and there has to be a separate access list for every object. Capability lists, on the other hand, require far fewer lists in general.
• However, with capabilities it is much more difficult for an object owner to remove access rights, because it would have to check all of the capability lists to see whether that domain has access.
• Key lists are flexible, but again key lists can be very long. Revocation of capabilities may be inefficient. Most systems use a combination of access lists and capabilities.

27 User Authentication
• Passwords
• Password vulnerabilities
• Encrypted passwords
• One-time passwords
• Biometrics

28 Program Threats: Trojan Horse
• A Trojan horse is a malicious program that is disguised as legitimate software.
• Like the gift horse left outside the gates of Troy by the Greeks, Trojan horses appear to be useful or interesting to an unsuspecting user, but are actually harmful.

29 Types of Trojans
• erasing or overwriting data on a computer
• corrupting files in a subtle way
• spreading other malware, such as viruses (in this case the Trojan horse is called a 'dropper')
• setting up networks of zombie computers in order to launch DoS attacks or send spam
• logging keystrokes to steal information such as passwords and credit card numbers (known as a key logger)
• phishing for bank or other account details, which can be used for criminal activities
• installing a backdoor on a computer system

30 • A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user.
• "A program that replicates by 'infecting' other programs, so that they contain a copy of the virus."

31 • Worms are a subset of viruses. They differ in the method of attachment: rather than attaching to a file like a virus, a worm copies itself across the network without attachment.
• A worm infects the environment rather than specific objects.
• Examples: Morris Worm, WANK, CHRISTMA EXEC.

