Week 9: Operating System Security
1. Types of Security Threats
• Malware: Malicious software designed to damage or disrupt systems.
  o Types:
    ▪ Virus: Attaches to files and spreads when the file is executed. Can corrupt or delete files.
    ▪ Worm: Self-replicates and spreads through networks. Does not require a host file.
    ▪ Trojan: Disguises itself as legitimate software to gain unauthorized access.
• Phishing: Fraudulent attempts to acquire sensitive information by pretending to be a trustworthy entity.
• Denial-of-Service (DoS) Attacks: Overload a system or network to make it unavailable to users. Often achieved through flooding the target with excessive traffic.
2. Basic OS Security Mechanisms
• Access Controls: Regulate who can access resources and at what level. Includes:
  o User Authentication: Verifies the identity of users (e.g., usernames and passwords).
  o Authorization: Determines what actions authenticated users can perform (e.g., read, write permissions).
• Encryption: Converts data into a secure format that can only be read or decrypted by authorized entities.
  o Types:
    ▪ Symmetric Encryption: Uses the same key for encryption and decryption (e.g., AES).
    ▪ Asymmetric Encryption: Uses a pair of keys (public and private) for encryption and decryption (e.g., RSA).
• Authentication: Verifies user identity through methods such as:
  o Passwords: A common but less secure method of authentication.
  o Biometrics: Uses physical characteristics (e.g., fingerprints, facial recognition) for authentication.
  o Two-Factor Authentication (2FA): Combines two or more methods for enhanced security.
3. User Authentication and Access Control
• Authentication: Methods for verifying user identities.
  o Password-Based Authentication: Users provide a password to gain access.
  o Biometric Authentication: Uses unique biological traits for verification (e.g., fingerprints).
  o Two-Factor Authentication (2FA): Requires two forms of verification (e.g., password and a mobile device code).
• Access Control: Manages permissions and access rights for users and processes.
  o Discretionary Access Control (DAC): Users have control over their own resources and permissions.
  o Mandatory Access Control (MAC): Access permissions are determined by the system based on classification levels (e.g., military security classifications).
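The difference between DAC and MAC shows most clearly when the two disagree. The sketch below is an added example, not part of the original notes: the level names, users, file name and the Bell-LaPadula-style read/write rule are assumptions chosen for illustration. It goes slightly beyond the notes by combining both checks, as a system that enforces MAC on top of DAC would.

```python
from dataclasses import dataclass, field
# Constructed classification levels, lowest to highest (assumption for this example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

@dataclass
class User:
    name: str
    clearance: str                              # assigned by the system, not the user

@dataclass
class Resource:
    name: str
    owner: str
    label: str                                  # MAC label, set by the system
    acl: dict = field(default_factory=dict)     # DAC: user name -> set of rights

def dac_grant(res, actor, grantee, rights):
    """DAC: only the owner may change permissions on their own resource."""
    if actor.name != res.owner:
        raise PermissionError(f"{actor.name} does not own {res.name}")
    res.acl.setdefault(grantee.name, set()).update(rights)

def dac_allows(res, user, right):
    return user.name == res.owner or right in res.acl.get(user.name, set())

def mac_allows(res, user, right):
    """MAC: label comparison (assumed rule: no read up, no write down)."""
    subj, obj = LEVELS[user.clearance], LEVELS[res.label]
    if right == "read":
        return subj >= obj
    return right == "write" and subj <= obj

def access(res, user, right):
    """Both must pass: an owner's grant cannot override the system label."""
    return mac_allows(res, user, right) and dac_allows(res, user, right)

def demo():
    alice = User("alice", "secret")             # constructed sample users
    bob = User("bob", "confidential")
    report = Resource("report.txt", owner="alice", label="secret")
    before = access(report, bob, "read")        # no ACL entry yet
    dac_grant(report, alice, bob, {"read"})     # owner shares at her discretion
    return {"bob_before_grant": before,
            "bob_dac_only": dac_allows(report, bob, "read"),
            "bob_final": access(report, bob, "read"),
            "alice_final": access(report, alice, "read")}

if __name__ == "__main__":
    print(demo())
```

Bob passes the DAC check once Alice grants him read access, but the MAC check still denies him because his clearance is below the file's label.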
4. Secure OS Design Principles
• Principles:
  o Least Privilege: Users and programs should operate with the minimum level of access necessary to perform their tasks.
  o Defense in Depth: Multiple layers of security should be implemented to protect against threats.
  o Secure Defaults: Systems should be configured securely out of the box to minimize vulnerabilities.