OPERATING SYSTEMS CS 3502 Fall 2017


1 OPERATING SYSTEMS CS 3502 Fall 2017
Chapter 11 Security
Dr. Donghyun (David) Kim
Department of Computer Science
College of Computing and Software Engineering
Kennesaw State University

2 Protection
Mechanisms to control what an authenticated user can do.
File Protection
Memory Protection
Web Protection

3 Protection
Mechanism to keep unauthorized users from accessing the system
Firewalls
Virus Detection
Spyware Detection

4 Encryption
Scrambles data & messages so that eavesdroppers cannot read what is being transmitted
Also used as part of Authentication to help ensure that someone is not posing as somebody else

5 People
Lack of knowledge about security
People will not keep information secure
People can be conned into giving out information they shouldn’t
Poor System Administration

6 Types of Attacks
Trojan Horse
Trap Door
Stack & Buffer Overflow
Worm
Virus
Denial of Service

7 Trojan Horse
Program that appears to be a legitimate agent or process but really behaves in a different manner
Viruses and Spyware are often introduced as Trojan Horses

8 Trap Door
Program finds a way to bypass the normal security protections
Often left in applications / systems to help support staff

9 Stack & Buffer Overflow
Send an incorrectly formatted command / message to a system.
If system does not carry out adequate checking, it may execute some action it shouldn’t

10 Stack & Buffer Overflow

11 Stack & Buffer Overflow
How does this happen?
Poorly Programmed Read
  Should be read(file,buffer,100)
  Instead of read(file,buffer), which reads as much data as the remote system sends
Inadequate checking of the validity of the data that is received

12 Stack & Buffer Overflow
Security Design Rule
Assume any data you receive is incorrectly formatted (until proven otherwise)
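The bounded read and the design rule from slides 11 and 12, as an added example that is not part of the original slides. The wire format (2-byte length header, then a command) and the command names are hypothetical; in Python the cost of an unbounded read is memory exhaustion rather than a stack overwrite, but the checks are the same.

```python
import io
import struct

MAX_PAYLOAD = 100                       # same bound as the slide's read(file,buffer,100)
COMMANDS = {b"PING", b"STAT", b"QUIT"}  # hypothetical command set

class BadMessage(ValueError):
    """Raised for any input that fails validation."""

def read_exact(stream, n):
    """Return exactly n bytes; a stream that ends early is an error."""
    chunks, remaining = [], n
    while remaining:
        chunk = stream.read(remaining)  # never asks for more than is still expected
        if not chunk:
            raise BadMessage(f"stream ended {remaining} bytes early")
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)

def read_command(stream):
    # The length is declared by the untrusted sender, so it is checked before use.
    (declared,) = struct.unpack(">H", read_exact(stream, 2))
    if not 1 <= declared <= MAX_PAYLOAD:
        raise BadMessage(f"declared length {declared} not in 1..{MAX_PAYLOAD}")
    payload = read_exact(stream, declared)
    verb, _, arg = payload.partition(b" ")
    if verb not in COMMANDS:
        raise BadMessage("unknown command")
    if any(b < 0x20 or b > 0x7E for b in arg):
        raise BadMessage("argument contains non-printable bytes")
    return verb.decode("ascii"), arg.decode("ascii")

def frame(payload):
    """Build a wire message; used here only to construct sample input."""
    return struct.pack(">H", len(payload)) + payload

def classify(raw):
    """Parse one constructed message and report the outcome."""
    try:
        return read_command(io.BytesIO(raw))
    except BadMessage as exc:
        return f"rejected: {exc}"
```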

13 SQL Injection
Application does inadequate validation of user input before putting it into an SQL statement
Example
  SELECT BALANCE FROM ACCTS WHERE ACCT_ID=xxxx
User Input for xxxx
  104;UPDATE ACCTS SET BALANCE= WHERE ACCT_ID=104
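The slide's query built by string concatenation, next to a validated and parameterized version, as an added example that is not part of the original slides. It uses an in-memory SQLite database; the table contents and the balance value inside the input are constructed for the demonstration.

```python
import sqlite3

# Constructed input: the slide's input shape with a made-up balance value.
PAYLOAD = "104;UPDATE ACCTS SET BALANCE=1000000 WHERE ACCT_ID=104"

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ACCTS (ACCT_ID INTEGER PRIMARY KEY, BALANCE INTEGER)")
    db.executemany("INSERT INTO ACCTS VALUES (?, ?)", [(104, 250), (105, 900)])
    db.commit()
    return db

def stored_balance(db, acct_id):
    row = db.execute("SELECT BALANCE FROM ACCTS WHERE ACCT_ID = ?", (acct_id,)).fetchone()
    return row[0]

def lookup_vulnerable(db, user_input):
    # The user's text becomes part of the SQL text. executescript() stands in
    # for any driver that accepts several ';'-separated statements per call.
    db.executescript("SELECT BALANCE FROM ACCTS WHERE ACCT_ID=" + user_input)

def lookup_safe(db, user_input):
    # 1) Validate: an account id is ASCII digits and nothing else.
    if not (user_input.isascii() and user_input.isdigit()):
        raise ValueError("account id must be numeric")
    # 2) Bind: the value is passed separately and is never parsed as SQL.
    row = db.execute("SELECT BALANCE FROM ACCTS WHERE ACCT_ID = ?",
                     (int(user_input),)).fetchone()
    return row[0] if row else None

def run_demo():
    """Return (balance after vulnerable call, safe call rejected?,
    balance after safe call, normal safe lookup)."""
    db1, db2 = make_db(), make_db()
    lookup_vulnerable(db1, PAYLOAD)
    try:
        lookup_safe(db2, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return stored_balance(db1, 104), rejected, stored_balance(db2, 104), lookup_safe(db2, "104")
```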

14 Worm
A program that automatically sends itself to another system

15 Virus
Program that attacks a system to carry out some action the computer user does not want

16 Denial of Service
Typical attack sends so many messages to a system, that system cannot execute anything except respond to those messages

17 Goal of Protection
Ensure that resources (data) are available only to users that are authorized to access those resources
A Protection Policy specifies the details of this goal for a particular system
The Protection Policy is implemented via Protection Mechanisms

18 Example Protection Policies
Access by password knowledge
  Teresa can access the Personnel File if she knows a password
Access by User ID
  Patty can modify the Personnel File
  Jonathon can read the file
  Brandon has no access to the file
Access by Group Membership
  The HR dept can modify the Personnel File
  The Payroll dept can read the file
  Other employees have no access to the file

19 Protection Policies
A Protection Policy says:
  How a user can obtain access to a resource (data)
  What they can carry out with the resource / data (Access Rights)

20 Owner
Most Protection Policies have the concept of the Owner of the data
The Owner:
  Has all access rights to the data
  Can delegate Access Rights to other users / groups

21 Typical Access Rights
Read
Write
Execute
Delete

22 File Protection
R W E  Effect
0 0 0  No access allowed
0 0 1  Execute Only – Program can be executed
0 1 0  Write Only – not really useful
0 1 1  Write-Execute – Not used
1 0 0  Read Only – File can be read / copied
1 0 1  Read-Execute – Program can be executed / copied
1 1 0  Read-Write – Normal data file
1 1 1  Read-Write-Execute – no protection

23 Protection Domains
Defines the set of objects that a process can access and how they can be accessed
Object Granularity
  Computer
  File
  Record in a file
  Field in a record

24 Two Protection Mechanisms
File Attributes
  Each file specifies attributes for Owner, Group, Everyone
Access Control Lists
  Associated with each protected resource
  Specifies which individuals and/or groups have what access rights

25 File Attributes
Can specify Read, Write, Execute allowed
Can specify separately for Owner, Group, Everyone

26 Access Control Lists
Each protected object has a list
  The user/groups that can access it
  What each user/group’s access rights are

27 Access Control List Example
HR dept       Read-Write
Payroll Dept  Read
Others        None

28 MS Windows
NTFS File System has support for Access Control Lists
FAT file systems have no support for file protection

29 Unix, Linux
Uses Attribute Scheme
Protection can only be controlled to the group level
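The two mechanisms from slides 24 to 29 side by side, as an added example that is not part of the original slides: it models the Owner/Group/Everyone attribute bits and the slide 27 ACL, then searches every owner, group and mode combination to show that the attribute scheme cannot reproduce that ACL. Group membership and the user names not on the slides are constructed.

```python
from itertools import product

R, W, E = 4, 2, 1  # bit weights of the R W E columns in the File Protection table

# Constructed membership: two users per class; names beyond the slides are hypothetical.
GROUPS = {"patty": {"hr"}, "hana": {"hr"},
          "jonathon": {"payroll"}, "pablo": {"payroll"},
          "brandon": set(), "olga": set()}

# Slide 27 ACL for the Personnel File; anyone not listed gets no rights.
ACL = {"hr": R | W, "payroll": R}

def acl_rights(user):
    """ACL: union of the rights granted to each group the user belongs to."""
    rights = 0
    for group in GROUPS[user]:
        rights |= ACL.get(group, 0)
    return rights

def attr_rights(user, owner, group, mode):
    """Attribute scheme: exactly one of Owner, Group, Everyone applies."""
    if user == owner:
        return (mode >> 6) & 7
    if group in GROUPS[user]:
        return (mode >> 3) & 7
    return mode & 7

def modes_matching_acl():
    """Every (owner, group, mode) that gives all users the same rights as the ACL."""
    hits = []
    owners = list(GROUPS) + ["root"]
    for owner, group, mode in product(owners, ["hr", "payroll"], range(0o1000)):
        if all(attr_rights(u, owner, group, mode) == acl_rights(u) for u in GROUPS):
            hits.append((owner, group, oct(mode)))
    return hits

def closest_attempt():
    """Owner root, group hr, mode 664: Payroll can read, but so can everyone else."""
    return {u: attr_rights(u, "root", "hr", 0o664) for u in GROUPS}
```

`modes_matching_acl()` comes back empty because only one group can be named per file, so two departments with different rights plus a no-access remainder do not fit into three classes.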

30 Web Browser Protection
Applet

31 Web Browsers
Web Browsers can execute programs (Applets) that are received from another computer
Browsers can execute:
  Java Applets
  ActiveX Components (Internet Explorer)

32 Web Browsers
Potentially a very untrustworthy situation
Some protection mechanism is required

33 Java Applets
Run in a “sandbox” enforced by the Java Virtual Machine (JVM)
JVM prevents applet from performing “bad” actions
In general, Applets cannot access files or other resources on the browser’s machine – only on the web server that provided the applet
A Signed Applet can access files/resources

34 ActiveX Components
Execute native code
No sandbox
Code can carry out any action it wants
One should only allow Signed ActiveX components to run

35 What is a Signed component?
Signed Component includes a Digital Signature of the author of the component Browsers can verify that the Digital Signature is correct

36 Virus Protection
Current Virus protection programs detect malware by use of a “signature”
Better technology is needed
Requires frequent updates
Virus writers starting to be able to trick the signature detection mechanisms

37 Spyware
Similar to Viruses
Detection programs use similar technology to find

38 Firewalls
A Firewall prevents undesirable messages from getting past it
A Hardware firewall can make systems behind the firewall invisible to the outside world
Software firewall can also detect programs unexpectedly accessing internet

39 Trusted Computing Initiative
Rather than trying to detect “bad” programs
Allow system to execute only “good” programs
Uses Digital Signature technology and cryptography embedded into hardware
What is a “good” program?

40 Encryption
Two Primary Functions
  ciphertext = encrypt(plaintext,key1)
  plaintext = decrypt(ciphertext,key2)

41 Symmetric Systems
Key1 = key2
Both sides must know the key
Both sides MUST keep the key secret
Requires a secure channel to distribute the key(s)

42 Symmetric Systems
Examples
DES (Data Encryption Standard)
  56 bit keys
  30 years old
AES (Advanced Encryption Standard)
  Keys can be 128, 192, or 256 bits
  New standard

43 Asymmetric Systems
Key1 ≠ key2
One key is published (to the world)
  This is a “public key”
The other key is kept private
  This is a “private key”
Also known as Public Key encryption

44 Asymmetric Systems
Examples
RSA (Rabin, Shamir, Adleman)
  Based on the difficulty of factoring very large numbers
ECC (Elliptic Curve Cryptography)
  Based on the difficulty of calculating the coefficients of an ellipse

45 Asymmetric Systems
To send a message to Bob:
  Encrypt the message with Bob’s public key
  Bob can decrypt the message with his private key and read the message
  Nobody else can read the message

46 Asymmetric Systems
If Alice wants to “sign” a document:
  She computes hash of the document
    An irreversible computation
  Encrypts hash with her private key
Anybody can verify that Alice signed the document by decrypting the hash with her public key

47 Symmetric vs Asymmetric
Flexibility
  Asymmetric systems are much more flexible
Speed
  Symmetric systems are much faster

48 Public Key Infrastructure (PKI)
A business structure using
  Digital Certificates
  Certificate Authorities

49 Digital Certificates
A Digital Certificate identifies the author of a Signed Component
Contains
  name of the author
  Public key of the author
  The Certificate Authority (CA) that validated the author’s public key
Signed by Certificate Authority

50 Verifying a Digital Certificate
Get name of Certificate Authority
Lookup their public key (comes with OS)
Use CA’s public key to decrypt certificate hash
Verify Hash

51 Verifying Digital Certificate
[Diagram labels: OS, Certificate, CA Name, CA Public Key, Decrypt, Encrypted Hash]
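Signing as described on slide 46 and the certificate check from slides 49 to 51, as an added example that is not part of the original slides. It uses textbook RSA with keys built from published Mersenne primes and no padding, so it only illustrates the steps; the names, the certificate layout and the trust store are constructed, and real code uses a vetted library with a padded signature scheme.

```python
import hashlib

def make_key(p, q, e=65537):
    """Toy RSA key pair from two known primes: returns (public, private)."""
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, private):
    d, n = private
    return pow(digest(data), d, n)               # "encrypts hash with her private key"

def verify(data, signature, public):
    e, n = public
    return pow(signature, e, n) == digest(data)  # "decrypt" with public key, compare hashes

# Constructed keys from published Mersenne primes; nothing here is secret.
CA_PUB, CA_PRIV = make_key(2**521 - 1, 2**607 - 1)
ALICE_PUB, ALICE_PRIV = make_key(2**1279 - 1, 2**2203 - 1)
TRUST_STORE = {"Example CA": CA_PUB}             # the CA keys that "come with OS"

def cert_body(name, public, ca_name):
    return f"{name}|{public[0]}|{public[1]}|{ca_name}".encode()

def issue_cert(name, public, ca_name, ca_private):
    return {"name": name, "public": public, "ca": ca_name,
            "sig": sign(cert_body(name, public, ca_name), ca_private)}

def verify_component(component, component_sig, cert, trust_store):
    ca_pub = trust_store.get(cert["ca"])         # get CA name, look up its public key
    if ca_pub is None:
        return "unknown CA"
    body = cert_body(cert["name"], cert["public"], cert["ca"])
    if not verify(body, cert["sig"], ca_pub):    # decrypt certificate hash, verify hash
        return "bad certificate"
    if not verify(component, component_sig, cert["public"]):
        return "bad signature"                   # component is not what the author signed
    return "ok"
```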

52 Hackers & Encryption
The IT Director of a company is quoted in the press as saying:
“Yes, a hacker did break into our system and get a copy of the files containing customer’s credit card numbers. But, those files are encrypted, so he can’t use the information.”
Is he correct?

53 Security of Encryption
At least 1 key must be kept secret
A break in the other security components can allow unauthorized access to the secret key
On some systems, the encryption is done on a separate physically secure device

