Protection & Security
Lecture 6
Soumyabrata DEV
https://soumyabrata.dev/
Protection
• Protection: controlling the access of programs, processes, or users to
the resources defined by a computer system (files, memory
segments, CPU, ...)
• protection is a necessary condition (but not sufficient) to achieve
security in a computer system
• protection was originally conceived as an adjunct to
multiprogramming OSs:
• allow untrustworthy users to safely share a logical or physical name space (such as
a directory or memory, respectively)
Goals of Protection
• Modern protection concepts address two basic goals:
• to prevent intentional violation of access to a resource by a user
• e.g.: distinction between authorised and unauthorised use of a resource
• to ensure that each active process uses resources only in ways
consistent with OS policies -> reliability
• e.g.: error detection at the interfaces between subsystems
• early detection at the interface level can avoid malfunction propagation from
one subsystem to another, improving system reliability
OS Protection
• OS protection: mechanisms for the enforcement of the system
policies governing resource use
• policy: what will be done about resource use (dictated by administrators,
users, etc)
• mechanism: how a policy will be implemented and enforced
• General mechanisms are more desirable, as policies may change
from place to place or from time to time
Formal Model for Protection in Computer System
• Any computer system is a collection of:
1. Objects: entities to which access must be controlled
• hardware: CPU, memory segments, printers, ...
• software: files, semaphores, ...
2. Subjects: entities that access objects (processes, users)
3. Rules: manner in which subjects may access objects
• the operations depend on the object
• CPU can be made to execute instructions
• memory can be read or written
• files can be read, written or executed
Principles of Protection
• A process should only be allowed access to those resources
1. for which it has authorisation
• example: even if any file can be read per se, we allow certain files
to be read only by certain processes/users
2. and that are currently needed to complete its task: need-to-know
principle, also called least privilege principle
• it limits the amount of damage by a faulty process
• example: a kernel mode process should have its access rights limited
when doing everyday unimportant tasks
Domain of Protection
Definition
• A process operates within a protection domain, which specifies the
resources that the process may access
Formal Definition
• Protection domain is a set of ordered pairs <object-name, right-set>
• Example: D = <file F, {read, write}>. Any process operating in D can
both read and write file F
Domain example
D2 and D3 share <O4, {print}>, so domains do not need to
be disjoint
Association Between Processes & Domains
• Depending on whether it is fixed or not during the process lifetime,
the association between process and domain may be:
• Static: fixed association
• however, this can potentially violate the need-to-know principle
• example: if a process needs read and write access in two different phases and the
domain is static with both r/w access, the principle is violated unless we modify
the domain dynamically to reflect the minimum necessary rights
• Dynamic: variable association
• a mechanism to allow a process to switch from one domain to another must be
available
Realisation of a Domain
• Depending on the OS, a domain is realised in a number of ways:
1. Each user may be a domain: domain switching occurs when the
user identity is changed
2. Each process may be a domain: domain switching is implemented
by a process sending a message to a process in a different domain
and waiting for a response
3. Each procedure may be a domain: domain switching occurs when
a procedure call is made
Access Matrix
• Access matrix (AM): abstract view of protection model
• i-th row of AM: domain D_i
• j-th column of AM: object O_j
• Entry a_{i,j} in AM: set of operations that a process executing in D_i can invoke on O_j
• Example: three files F1, F2, F3 and a printer
F1 F2 F3 Printer
D1 read read
D2 print
D3 read exec
D4 Read write Read write
• The AM defines the OS protection policy
Enforcement of Access Constraints
• Protection mechanism: AM implementation ensuring that its
semantic properties hold
• In order to enforce the policy established in the AM, we need a
monitor that controls access to objects
• when a process executing in domain D_i attempts
to perform an operation M on an object O_j
• the triple (D_i, O_j, M) is formed by the system and passed to the
object monitor
• the object monitor returns the Boolean value {M ∈ a_{i,j}}
• if true, the operation is allowed to proceed
Problems with Access Control
• It must be enforced at every step
• e.g.: what happens if a process opens and begins reading
a file for which it has access rights, but then the access is
revoked?
• It does not dictate information propagation, only initial
access
• e.g.: what happens if a process A copies a file to a location
accessible by process B, which could not initially access it?
• this is the confinement problem, which is in general
unsolvable
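The monitor check on the triple (Di, Oj, M) and the revocation question above, as an added example that is not part of the lecture. The column placement of the rights in `SLIDE_MATRIX` is an assumption (the flattened table does not preserve columns), and the `Handle` class with its `recheck` flag is hypothetical.

```python
# Added example: access matrix, object monitor, and the revocation problem.
# Column placement of rights is assumed; Handle/recheck are hypothetical.
SLIDE_MATRIX = {
    ("D1", "F1"): {"read"}, ("D1", "F3"): {"read"},
    ("D2", "Printer"): {"print"},
    ("D3", "F2"): {"read"}, ("D3", "F3"): {"exec"},
    ("D4", "F1"): {"read", "write"}, ("D4", "F3"): {"read", "write"},
}

class AccessMatrix:
    def __init__(self, entries):
        # Copy the right-sets so revocation never mutates the caller's policy.
        self.a = {key: set(rights) for key, rights in entries.items()}

    def monitor(self, domain, obj, op):
        """Object monitor: the Boolean value (op in a_ij) for (Di, Oj, M)."""
        return op in self.a.get((domain, obj), set())

    def revoke(self, domain, obj, op):
        self.a.get((domain, obj), set()).discard(op)

class Handle:
    """An open object. recheck=False enforces the policy at open time only."""
    def __init__(self, am, domain, obj, recheck):
        if not am.monitor(domain, obj, "read"):
            raise PermissionError(f"{domain} may not read {obj}")
        self.am, self.domain, self.obj, self.recheck = am, domain, obj, recheck

    def read(self):
        if self.recheck and not self.am.monitor(self.domain, self.obj, "read"):
            raise PermissionError(f"read on {self.obj} revoked for {self.domain}")
        return f"<data from {self.obj}>"

def revocation_demo(recheck):
    """Open F1 in D1, revoke read, then try to read again."""
    am = AccessMatrix(SLIDE_MATRIX)
    handle = Handle(am, "D1", "F1", recheck)
    handle.read()                      # allowed: read is in a(D1, F1)
    am.revoke("D1", "F1", "read")
    try:
        handle.read()
        return "read still allowed after revocation"
    except PermissionError:
        return "read denied after revocation"

if __name__ == "__main__":
    print("check at open only :", revocation_demo(recheck=False))
    print("check at every step:", revocation_demo(recheck=True))
```

Re-checking on every operation closes the revocation gap but does nothing for the confinement problem: data already read can still be copied elsewhere.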
Dynamic Protection State
• The dynamic protection state of a process can also be represented by means
of a directed graph with labelled edges
Security
• A protection mechanism is useless if, for instance,
• an unauthorised person is able to log into the system
• vulnerabilities enable the protection system to be bypassed by
someone legally logged in
• An OS is secure if its resources are used and accessed as
intended under all circumstances
• total security cannot be achieved, but there are mechanisms that
make security breaches a rare occurrence
Classification of Security Threats
• Intentional (malicious)
• unauthorised reading of data, information theft, or traffic analysis
(passive threats, affecting data confidentiality)
• unauthorised destruction, tampering or fabrication of data (active
threats, affecting data integrity or authenticity)
• prevention of legitimate use of system (active threats, affecting
system availability)
• Accidental: human errors, hardware/software errors, natural
disasters, ...
Classification of Intentional Security Threats
• A (Alice) and B (Bob) and C (Carol)
• “A” and “B” are authorised parties, “C” is the intruder
• This classification model is commonly used to examine
security threats
• Additional characters can also exist
User Authentication
• Protection relies on users being who they say they are
• user authentication is the first line of security in any OS
• without being inside the system many attacks are not possible
• Determining a user’s identity uses one or more of
• user knowledge (user identifier and password); most common
• user possession (key or smart card)
• user attributes (biometrics)
Passwords
• Passwords can be considered as capabilities (keys)
• Password vulnerabilities:
• they can be guessed
• they can be exposed or sniffed
• they can be illegally transferred
• Secure passwords should
• be strong, which means
• being long, to avoid brute-force attacks
• not being frequent or obvious (i.e., unrelated to natural languages, etc), to avoid
the use of dictionaries by attackers
• change frequently, to decrease the likelihood of illegal use on
interception
Password Strength
• Length: with n bytes, there are 2^{8n} different passwords
• Frequency: a password is stronger if it is less frequent: an
attacker will have more uncertainty when trying to guess it
• Entropy: rigorous measure of uncertainty
• If common words are used, then an attacker can use a dictionary
attack, just checking a few thousand common passwords instead of
having to try all possible combinations.
Changeable Passwords
• To help aid security, changeable passwords can be used
• One-time passwords
• extreme form of changeable passwords; intercepting them won’t give any
advantage to an adversary in the future as they are only used once.
Password Protection Measures
1. Limit number/frequency of logins
2. Access control on password file (not enough if an intruder
accesses it through some exploit)
3. Encrypt password file: store f(p) instead of p to keep secret even
if password file can be accessed
• e.g.: p = "password" → f(p) = "%s73da*wr"
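Measure 3 above (store f(p) instead of p), as an added example that is not part of the lecture. It assumes f is a one-way hash and contrasts a fast unsalted choice with a salted, iterated one (PBKDF2-HMAC-SHA256 from Python's standard library); the salt, iteration count, function names and sample accounts are all constructed here.

```python
# Added example: two choices of f for the password file.
import hashlib
import hmac
import secrets

ITERATIONS = 100_000                         # assumed work factor
WORDLIST = ["123456", "password", "qwerty"]  # constructed common-password list

def weak_f(p):
    """Fast, unsalted hash: equal passwords give equal file entries."""
    return hashlib.sha256(p.encode()).hexdigest()

def weak_entries(password_file, wordlist=WORDLIST):
    """Audit: accounts whose weak_f entry matches a common password."""
    table = {weak_f(w): w for w in wordlist}
    return {user: table[h] for user, h in password_file.items() if h in table}

def make_record(p):
    """Salted, slow f: store (salt, PBKDF2 digest), never p itself."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, ITERATIONS)

def verify(p, record):
    """Recompute f with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    # Constructed accounts; two users picked the same common password.
    accounts = [("alice", "password"), ("bob", "password"),
                ("carol", "k7#vQz!m2Lp9")]
    exposed = {user: weak_f(p) for user, p in accounts}
    print("matched in unsalted file:", weak_entries(exposed))
    a, b = make_record("password"), make_record("password")
    print("salted entries equal?", a == b)
    print("verify good/bad:", verify("password", a), verify("Password", a))
```

With the unsalted f, one pass over a word list matches every account that shares a common password; with per-user salts the same password yields different entries, so each account has to be tested separately at the cost of the full iteration count.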
What Is Cryptography?
❑ Cryptography (making “secret codes”): the study of mathematical
techniques related to aspects of information security.
❑ Cryptanalysis (breaking “secret codes”): the study of mathematical
techniques for attempting to defeat information security services.
❑ Cryptology (the art & science of making + breaking “secret codes”):
the study of cryptography and cryptanalysis.
What is a Cryptosystem?
❑ A cipher or cryptosystem is used to encrypt (e) the
plaintext (p)
❑ The result of encryption is ciphertext (c)
❑ We decrypt (d) ciphertext to recover plaintext
❑ A key (k) is used to configure a cryptosystem
❑ d_k(e_k(p)) = p
[Figure: plaintext p → encryption e (key k) → ciphertext c → decryption d (key k) → plaintext p]
Cryptosystem
❑ Basic assumptions
o The system is completely known to the attacker
o Only the key is secret
o That is, crypto algorithms (ciphers) are not secret
❑ This is known as Kerckhoffs’ Principle
❑ Why do we make such an assumption?
o Experience has shown that secret algorithms tend to be
weak when exposed
o Secret algorithms never remain secret
o Better to find weaknesses beforehand
Characteristics of a Good Cipher
A cryptosystem should be secure even
if everything about the system, except the key, is
public knowledge
Simple Substitution
❑ Plaintext: fourscoreandsevenyearsago
❑ Key:
❑ Ciphertext:
IRXUVFRUHDQGVHYHQBHDUVDJR
❑ Shift by 3 is “Caesar’s cipher”
Caesar’s Cipher Decryption
❑ Suppose we know a Caesar’s cipher is
being used:
Plaintext:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
❑ Given ciphertext:
VSRQJHEREVTXDUHSDQWV
❑ Plaintext: spongebobsquarepants
Not-so-Simple Substitution
❑ Shift by n for some n ∈ {0,1,2,…,25}
❑ Then key is n
❑ Example: key n = 7
Cryptanalysis I: Try Them All
❑ A simple substitution (shift by n) is used
o But the key is unknown
❑ Given ciphertext: CSYEVIXIVQMREXIH
❑ How to find the key?
❑ Only 26 possible keys: try them all!
❑ Exhaustive key search
❑ Solution: key is n = 4
Simple Substitution: General Case
❑ In general, simple substitution key can be any
permutation of letters
o Not necessarily a shift of the alphabet
❑ For example
Plaintext:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext: J I C A X S E Y V D K W B Q T Z R H F M P N U L G O
❑ Then 26! > 2^{88} possible keys
Cryptanalysis II: Be Clever
❑ We know that a simple substitution is used
❑ But not necessarily a shift by n
❑ Find the key given the ciphertext:
PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVWLXTOX
BTFXQWAXBVCXQWAXFQJVWLEQNTOZQGGQLFXQWAKVWLXQ
WAEBIPBFXFQVXGTVJVWLBTPQWAEBFPBFHCVLXBQUFEVWLXGD
PEQVPQGVPPBFTIXPFHXZHVFAGFOTHFEFBQUFTDHZBQPOTHXTY
FTODXQHFTDPTOGHFQPBQWAQJJTODXQHFOQPWTBDHHIXQV
APBFZQHCFWPFHPBFIPBQWKFABVYYDZBOTHPBQPQJTQOTOGHF
QAPBFEQJHDXXQVAVXEBQPEFZBVFOJIWFFACFCCFHQWAUVWF
LQHGFXVAFXQHFUFHILTTAVWAFFAWTEVOITDHFHFQAITIXPFH
XAFQHEFZQWGFLVWPTOFFA
Cryptanalysis II
❑ Cannot try all 2^{88} simple substitution keys
❑ Can we be more clever?
❑ English letter frequency counts…
Cryptanalysis II
❑ The Caesar cipher can be easily broken even in a
ciphertext-only scenario. Two situations can be considered:
1) an attacker knows (or guesses) that some sort of simple
substitution cipher has been used, but not specifically
that it is a Caesar scheme;
Hint: frequency analysis; the attacker notices the regularity.
2) an attacker knows that a Caesar cipher is in use, but does
not know the shift value.
Hint: brute-force attack
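Both situations above, together with the exhaustive key search from “Cryptanalysis I”, as an added example that is not part of the lecture. The frequency table holds approximate English letter frequencies, and the function names and the scoring rule (sum of letter frequencies) are choices made for this illustration.

```python
# Added example: ciphertext-only attack on a shift cipher.
import string
from collections import Counter

# Approximate relative frequency (%) of a..z in English text.
ENGLISH_FREQ = dict(zip(string.ascii_lowercase, [
    8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03,
    2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15,
    1.97, 0.07]))

def letters_of(ciphertext):
    """Keep only A..Z, upper-cased."""
    return [c for c in ciphertext.upper() if c in string.ascii_uppercase]

def decrypt_shift(ciphertext, n):
    """Undo a shift by n; non-letters are dropped, output is lowercase."""
    return "".join(chr((ord(c) - ord("A") - n) % 26 + ord("a"))
                   for c in letters_of(ciphertext))

def english_score(text):
    """Sum of English letter frequencies: higher means more English-like."""
    return sum(ENGLISH_FREQ[c] for c in text)

def exhaustive_search(ciphertext):
    """Situation 2: try all 26 keys, return (key, plaintext) best first."""
    candidates = [(n, decrypt_shift(ciphertext, n)) for n in range(26)]
    return sorted(candidates, key=lambda kp: english_score(kp[1]), reverse=True)

def key_from_top_letter(ciphertext):
    """Situation 1: assume the most frequent ciphertext letter stands for 'e'."""
    top, _ = Counter(letters_of(ciphertext)).most_common(1)[0]
    return (ord(top) - ord("E")) % 26

if __name__ == "__main__":
    ct = "CSYEVIXIVQMREXIH"            # ciphertext from the slide
    for key, plaintext in exhaustive_search(ct)[:3]:
        print(f"n={key:2d}  score={english_score(plaintext):6.2f}  {plaintext}")
    print("top-letter guess:", key_from_top_letter(ct))
```

On the shorter slide ciphertext VSRQJHEREVTXDUHSDQWV the top-letter guess returns 17 rather than the true key 3, because 's' and not 'e' is the most common plaintext letter; single-letter guesses need longer texts, while scoring all 26 candidates uses every letter.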
Cryptanalysis: Terminology
❑ Cryptosystem is secure if best known
attack is to try all keys
o Exhaustive key search, that is
❑ Cryptosystem is insecure if any
shortcut attack is known
❑ But then an insecure cipher might be
harder to break than a secure cipher!
Double Transposition
❑ Plaintext: attackxatxdawn
Permute rows
and columns
❑ Ciphertext: xtawxnattxadakc
❑ Key is matrix size and permutations:
(3,5,1,4,2) and (1,3,2)
One-Time Pad: Encryption
e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111
Encryption: Plaintext ⊕ Key = Ciphertext
            h   e   i   l   h   i   t   l   e   r
Plaintext:  001 000 010 100 001 010 111 100 000 101
Key:        111 101 110 101 111 100 000 101 110 000
Ciphertext: 110 101 100 001 110 110 111 001 110 101
            s   r   l   h   s   s   t   h   s   r
One-Time Pad: Decryption
e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111
Decryption: Ciphertext ⊕ Key = Plaintext
            s   r   l   h   s   s   t   h   s   r
Ciphertext: 110 101 100 001 110 110 111 001 110 101
Key:        111 101 110 101 111 100 000 101 110 000
Plaintext:  001 000 010 100 001 010 111 100 000 101
            h   e   i   l   h   i   t   l   e   r
One-Time Pad
Double agent claims following “key” was used:
             s   r   l   h   s   s   t   h   s   r
Ciphertext:  110 101 100 001 110 110 111 001 110 101
“key”:       101 111 000 101 111 100 000 101 110 000
“Plaintext”: 011 010 100 100 001 010 111 100 000 101
             k   i   l   l   h   i   t   l   e   r
e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111
One-Time Pad
Or claims the key is…
             s   r   l   h   s   s   t   h   s   r
Ciphertext:  110 101 100 001 110 110 111 001 110 101
“key”:       111 101 000 011 101 110 001 011 101 101
“Plaintext”: 001 000 100 010 011 000 110 010 011 000
             h   e   l   i   k   e   s   i   k   e
e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111
One-Time Pad Summary
❑ Provably secure
o Ciphertext provides no info about plaintext
o All plaintexts are equally likely
❑ BUT, only when used correctly
o Pad must be random, used only once
o Pad is known only to sender and receiver
❑ Note: pad (key) is same size as message
Real-World One-Time Pad
❑ Project VENONA
o Encrypted spy messages from U.S. to Moscow in
30’s, 40’s, and 50’s
o Nuclear espionage, etc.
o Thousands of messages
❑ Spy carried one-time pad into U.S.
❑ Spy used pad to encrypt secret messages
❑ Repeats within the “one-time” pads made
cryptanalysis possible
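The one-time pad slides above (the two “claimed key” slides, the summary and the VENONA pad repeats), as an added example that is not part of the lecture. It uses the slides' 3-bit alphabet, key and ciphertext; the function names are chosen for this illustration.

```python
# Added example: one-time pad over the slides' 3-bit alphabet.
ALPHABET = "ehiklrst"   # e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111

def encode(text):
    return [ALPHABET.index(ch) for ch in text]

def decode(values):
    return "".join(ALPHABET[v] for v in values)

def parse_bits(groups):
    return [int(g, 2) for g in groups.split()]

def bits(values):
    return " ".join(format(v, "03b") for v in values)

def xor(a, b):
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return [x ^ y for x, y in zip(a, b)]

def encrypt(text, key):
    """Plaintext XOR Key = Ciphertext."""
    return decode(xor(encode(text), key))

decrypt = encrypt       # XOR is its own inverse: Ciphertext XOR Key = Plaintext

def key_explaining(ciphertext, claimed_plaintext):
    """The pad under which `ciphertext` decrypts to `claimed_plaintext`.
    One exists for every same-length plaintext, so the ciphertext alone
    cannot confirm or rule out any of them."""
    return xor(encode(ciphertext), encode(claimed_plaintext))

def reuse_leak(c1, c2):
    """Two messages under the same pad: the key cancels, leaving p1 XOR p2."""
    return xor(encode(c1), encode(c2))

SLIDE_KEY = parse_bits("111 101 110 101 111 100 000 101 110 000")
SLIDE_CIPHERTEXT = "srlhssthsr"

if __name__ == "__main__":
    claimed = "helikesike"
    print("claimed key :", bits(key_explaining(SLIDE_CIPHERTEXT, claimed)))
    second = encrypt(claimed, SLIDE_KEY)          # pad wrongly used twice
    print("c1 XOR c2   :", bits(reuse_leak(SLIDE_CIPHERTEXT, second)))
    print("p1 XOR p2   :", bits(xor(encode(decrypt(SLIDE_CIPHERTEXT, SLIDE_KEY)),
                                    encode(claimed))))
```

The last two printed lines are identical: once a pad repeats, the XOR of the two ciphertexts depends only on the two plaintexts, which is the kind of regularity that pad repeats give a cryptanalyst.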
A Taxonomy of Security Threats
• Threats can also be classified by their “modus operandi”
• Bacteria
• program that consumes system resources by replicating itself
• Logic bomb
• logic embedded in a program that checks for a certain set of conditions to be
present on the system; when conditions are met, it executes some unwanted
function
• Trapdoor
• secret undocumented entry point into a program, used to grant access
without normal methods of authentication
• Trojan horse
• secret undocumented routine embedded within a useful program; execution
of the program results in execution of the secret routine (example: login
spoofing)
• Virus
• code embedded within a program that causes itself to be inserted in one or
more other programs and which performs unwanted functions
• Worm
• program that can replicate itself and send copies across network connections
Preventative Security
• Install Anti-Virus programs
• Install Anti-Spyware programs
• In mission critical software systems, the design and verification of
programs should be done using a system such as Evaluation
Assurance Level
Evaluation Assurance Level
• International Standard for a Common Criteria security evaluation
• It does not guarantee security but suggests a system has been
rigorously tested and evaluated.
• Ranges from EAL1 (functionally tested) to EAL7 (formally verified design
and tested)
• Windows 8 is at EAL4; very few systems are higher, as getting to level
5 or 6 would be incredibly expensive.
• For an OS as complex as Windows 8 to get to EAL 7 would require an
inconceivable amount of work as every component would have to be
formally verified.
Thank you!
See you next class!
16 October, Monday, 8am to 9:35am, TB3-202