Protection and Security
❖ Four-layered model of security:
To protect a system, we must take security measures at four levels:
1. Physical. The site or sites containing the computer systems must be physically secured
against entry by intruders. Both the machine rooms and the terminals or computers that have
access to the target machines must be secured, for example by limiting access to the building
they reside in, or locking them to the desk on which they sit.
2. Network. Most contemporary computer systems—from servers to mobile devices to Internet
of Things (IoT) devices—are networked. Networking provides a means for the system to
access external resources but also provides a potential vector for unauthorized access to the
system itself.
Further, computer data in modern systems frequently travel over private leased lines, shared
lines like the Internet, wireless connections, and dial-up lines. Intercepting these data can be
just as harmful as breaking into a computer, and interruption of communications can constitute
a remote denial-of-service attack, diminishing users’ use of and trust in the system.
3. Operating system. The operating system and its built-in set of applications and services
comprise a huge code base that may harbor many vulnerabilities. Insecure default settings,
misconfigurations, and security bugs are only a few potential problems. Operating systems
must thus be kept up to date (via continuous patching) and “hardened”—configured and
modified to decrease the attack surface and avoid penetration. The attack surface is the set of
points at which an attacker can try to break into the system.
4. Application. Third-party applications may also pose risks, especially if they possess
significant privileges. Some applications are inherently malicious, but even benign
applications may contain security bugs. Due to the vast number of third-party applications and
their disparate code bases, it is virtually impossible to ensure that all such applications are
secure.
❖ Program Threats:
Processes, along with the kernel, are the only means of accomplishing work on a computer.
Therefore, writing a program that creates a breach of security, or causing a normal process to
change its behavior and create a breach, is a common goal of attackers.
Malware: Malware is software designed to exploit, disable or damage computer
systems. There are many ways to perform such activities, and we explore the major variations
in this section. Many systems have mechanisms for allowing programs written by a user to be
executed by other users. If these programs are executed in a domain that provides the access
rights of the executing user, the other users may misuse these rights. A program that acts in a
clandestine or malicious manner, rather than simply performing its stated function, is called a
Trojan horse. If the program is executed in another domain, it can escalate privileges. As an
example, consider a mobile app that purports to provide some benign functionality—say, a
flashlight app—but that meanwhile surreptitiously accesses the user’s contacts or messages
and smuggles them to some remote server.
A classic variation of the Trojan horse is a “Trojan mule” program that emulates a login
program.
Another variation on the Trojan horse is spyware. Spyware sometimes accompanies a program
that the user has chosen to install.
Ransomware encrypts some or all of the information on the target computer and renders it
inaccessible to the owner. The information itself has little value to the attacker but lots of value
to the owner. The idea is to force the owner to pay money (the ransom) to get the decryption
key needed to decrypt the data.
Code Injection:
Most software is not malicious, but it can nonetheless pose serious threats to security due to a
code-injection attack, in which executable code is added or modified. Even otherwise benign
software can harbor vulnerabilities that, if exploited, allow an attacker to take over the program
code, subverting its existing code flow or entirely reprogramming it by supplying new code.
Viruses and Worms:
Another form of program threat is a virus. A virus is a fragment of code embedded in a
legitimate program. Viruses are self-replicating and are designed to “infect” other programs.
They can wreak havoc in a system by modifying or destroying files and causing system crashes
and program malfunctions. As with most penetration attacks (direct attacks on a system),
viruses are very specific to architectures, operating systems, and applications. Viruses are a
particular problem for users of PCs. UNIX and other multiuser operating systems
generally are not susceptible to viruses because the executable programs are protected from
writing by the operating system. Even if a virus does infect such a program, its powers usually
are limited because other aspects of the system are protected. Viruses are usually borne via
spam e-mail and phishing attacks. They can also spread when users download viral programs
from Internet file-sharing services or exchange infected disks. A distinction can be made
between viruses, which require human activity, and worms, which use a network to replicate
without any help from humans.
❖ System and Network Threats:
Program threats, by themselves, pose serious security risks. But those risks are compounded
by orders of magnitude when a system is connected to a network. Worldwide connectivity
makes the system vulnerable to worldwide attacks.
Attacking Network Traffic:
Networks are common and attractive targets, and hackers have many options for mounting
network attacks. As shown in Figure 16.6, an attacker can opt to remain passive and intercept
network traffic (an attack commonly referred to as sniffing), often obtaining useful information
about the types of sessions conducted between systems or the sessions’ content. Alternatively,
an attacker can take a more active role, either masquerading as one of the parties (referred to
as spoofing), or becoming a fully active man-in-the-middle, intercepting and
possibly modifying transactions between two peers. Next, we describe a common type of
network attack, the denial-of-service (DoS) attack. Note that it is possible to guard against
attacks through such means as encryption and authentication, which are discussed later in the
chapter. Internet protocols do not, however, support either encryption or authentication by
default.
Denial of Service:
As mentioned earlier, denial-of-service attacks are aimed not at gaining information or stealing
resources but rather at disrupting legitimate use of a system or facility. Most such attacks
involve target systems or facilities that the attacker has not penetrated. Launching an attack
that prevents legitimate use is frequently easier than breaking into a system or facility. Denial-
of-service attacks are generally network based. They fall into two
categories. Attacks in the first category use so many facility resources that, in essence, no
useful work can be done. For example, a website click could download a Java applet that
proceeds to use all available CPU time or to pop up windows infinitely. The second category
involves disrupting the network of the facility. There have been several successful denial-of-
service attacks of this kind against major websites. Such attacks, which can last hours or days,
have caused partial or full failure of attempts to use the target facility. The attacks are usually
stopped at the network level until the operating systems can be updated to reduce their
vulnerability.
Generally, it is impossible to prevent denial-of-service attacks. The attacks use the same
mechanisms as normal operation. Even more difficult to prevent and resolve are Distributed
Denial-of-Service (DDoS) attacks. These attacks are launched from multiple sites at once,
toward a common target, typically by zombies. DDoS attacks have become more common and
are sometimes associated with blackmail attempts. A site comes under attack, and the attackers
offer to halt the attack in exchange for money. Sometimes a site does not even know it is under
attack. It can be difficult to determine whether a system slowdown is an attack or just a surge
in system use. Consider that a successful advertising campaign that greatly increases traffic
to a site could be considered a DDoS.
There are other interesting aspects of DoS attacks. For example, if an authentication algorithm
locks an account for a period of time after several incorrect attempts to access the account,
then an attacker could cause all authentication to be blocked by purposely making incorrect
attempts to access all accounts.
Similarly, a firewall that automatically blocks certain kinds of traffic could be induced to block
that traffic when it should not. These examples suggest that programmers and systems
managers need to fully understand the algorithms and technologies they are deploying. Finally,
computer science classes are notorious sources of accidental system DoS attacks. Consider the
first programming exercises in which students learn to create subprocesses or threads. A common
bug involves spawning subprocesses infinitely. The system’s free
memory and CPU resources don’t stand a chance.
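The account-lockout case described above, as an added example that is not from the source chapter: a per-account lockout is compared with a per-(account, source) throttle on the same constructed traffic. The class names, the threshold of 3 failures, the 300-second window and the documentation-range addresses are assumptions made for the illustration.

```python
from collections import defaultdict

MAX_FAILURES = 3   # assumed threshold, not from the text
WINDOW = 300       # assumed counting window in seconds

class AccountLockout:
    """Policy described in the text: repeated failures lock the account."""
    def __init__(self):
        self.failures = defaultdict(list)   # key -> failure timestamps

    def key(self, user, source):
        return user                         # every source shares one counter

    def allowed(self, user, source, now):
        recent = [t for t in self.failures[self.key(user, source)] if now - t < WINDOW]
        return len(recent) < MAX_FAILURES

    def record_failure(self, user, source, now):
        self.failures[self.key(user, source)].append(now)

class PerSourceThrottle(AccountLockout):
    """Variant: count failures per (user, source), so failures from one source
    do not block the owner arriving from a different source. Trade-off: the
    guess budget is now per source, so pair it with a global rate alarm."""
    def key(self, user, source):
        return (user, source)

def locked_out_owners(policy, users, noisy_source, owner_source):
    """Replay constructed traffic: noisy_source fails MAX_FAILURES times on each
    account, then each owner tries from owner_source. Returns refused owners."""
    now = 0
    for user in users:
        for _ in range(MAX_FAILURES):
            if policy.allowed(user, noisy_source, now):
                policy.record_failure(user, noisy_source, now)
            now += 1
    return [u for u in users if not policy.allowed(u, owner_source, now)]
```

With the per-account policy every owner in the replay is refused; with the per-source variant only the failing source is throttled.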
Port Scanning:
Port scanning is not itself an attack but is a means for a hacker to detect a system’s
vulnerabilities to attack. (Security personnel also use port scanning—for example, to detect
services that are not needed or are not supposed to be running.) Port scanning typically is
automated, involving a tool that attempts to create a TCP/IP connection or send a UDP packet
to a specific port or a range of ports. Port scanning is often part of a reconnaissance technique
known as fingerprinting, in which an attacker attempts to deduce the type of operating system
in use and its set of services in order to identify known vulnerabilities. Many servers and clients
make this easier by disclosing their exact version number as part of network protocol headers
(for example, HTTP’s “Server:” and “User-Agent:” headers). Detailed analyses of
idiosyncratic behaviors by protocol handlers can also help the attacker figure out what
operating system the target is using—a necessary step for successful exploitation. Network
vulnerability scanners are sold as commercial products. There are also tools that perform
subsets of the functionality of a full scanner. For example, nmap (from
http://www.insecure.org/nmap/) is a very versatile open source utility for network exploration
and security auditing. When pointed at a target, it will determine what services are running,
including application names and versions. It can identify the host operating system. It can also
provide information about defenses, such as what firewalls are defending the target. It does
not exploit known bugs. Other tools, however (such as Metasploit), pick up where the port
scanners leave off and provide payload construction facilities that can be used to test for
vulnerabilities—or exploit them by creating a specific payload that triggers the bug.
The seminal work on port-scanning techniques can be found in
http://phrack.org/issues/49/15.html. Techniques are constantly evolving, as are measures to
detect them (which form the basis for network intrusion detection systems, discussed later).
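One simple detection measure of the kind mentioned above, as an added example that is not from the source chapter: flag any source that touches many distinct ports within a short sliding window. The event format, the thresholds (10 ports in 60 seconds) and the sample records are constructed for the illustration.

```python
from collections import defaultdict

# Constructed connection records: (timestamp_seconds, source_ip, destination_port)
SAMPLE_EVENTS = (
    [(1000 + i, "203.0.113.50", 20 + i) for i in range(15)]       # 15 ports in 15 s
    + [(1000 + 5 * i, "198.51.100.20", 443) for i in range(40)]   # busy client, one port
    + [(1000 + 20 * i, "198.51.100.21", p)
       for i, p in enumerate([22, 80, 443, 80, 22])]              # ordinary mixed use
)

def detect_port_scans(events, window=60, min_ports=10):
    """Return {source: peak distinct ports} for every source that reached
    min_ports distinct destination ports inside any window-second span."""
    by_source = defaultdict(list)
    for ts, src, port in events:
        by_source[src].append((ts, port))

    flagged = {}
    for src, hits in by_source.items():
        hits.sort()
        counts = defaultdict(int)   # port -> hits inside the current window
        start = 0                   # index of the oldest hit still in the window
        best = 0
        for ts, port in hits:
            counts[port] += 1
            # Drop hits that have aged out of the (ts - window, ts] span.
            while hits[start][0] <= ts - window:
                old_port = hits[start][1]
                counts[old_port] -= 1
                if counts[old_port] == 0:
                    del counts[old_port]
                start += 1
            best = max(best, len(counts))
        if best >= min_ports:
            flagged[src] = best
    return flagged
```

Counting distinct ports rather than connections keeps a busy single-service client from being flagged.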
❖ Cryptography as a Security Tool
There are many defenses against computer attacks, running the gamut from methodology to
technology. The broadest tool available to system designers and users is cryptography. In this
section, we discuss cryptography and its use in computer security. Note that the cryptography
discussed here has been simplified for educational purposes; readers are cautioned against
using any of the schemes described here in the real world. Good cryptography libraries
are widely available and would make a good basis for production applications.
In an isolated computer, the operating system can reliably determine the sender and recipient
of all interprocess communication, since it controls all communication channels in the
computer. In a network of computers, the situation is quite different. A networked computer
receives bits “from the wire” with no
immediate and reliable way of determining what machine or application sent those bits.
Similarly, the computer sends bits onto the network with no way of knowing who might
eventually receive them. Additionally, when either sending or receiving, the system has no
way of knowing if an eavesdropper listened to the communication.
Commonly, network addresses are used to infer the potential senders and receivers of network
messages. Network packets arrive with a source address, such as an IP address. And when a
computer sends a message, it names the intended receiver by specifying a destination address.
However, for applications where security matters, we are asking for trouble if we assume that
the source or destination address of a packet reliably determines who sent or received that
packet. A rogue computer can send a message with a falsified source address, and numerous
computers other than the one specified by the destination
address can (and typically do) receive a packet. For example, all of the routers on the way to
the destination will receive the packet, too. How, then, is an operating system to decide
whether to grant a request when it cannot trust the named source of the request? And how is it
supposed to provide protection for a request or
data when it cannot determine who will receive the response or message contents it sends over
the network?
It is generally considered infeasible to build a network of any scale in which the source and
destination addresses of packets can be trusted in this sense. Therefore, the only alternative is
somehow to eliminate the need to trust the network. This is the job of cryptography. Abstractly,
cryptography is used to constrain the potential senders and/or receivers of a message. Modern
cryptography is based on secrets called keys that are selectively distributed to computers in a
network and used to process messages. Cryptography enables a recipient of a message to verify
that the message was created by some computer possessing a certain key. Similarly, a sender
can encode its message so that only a computer with a certain key can decode the message.
Unlike network addresses, however, keys are designed so that it is not computationally feasible
to derive them from the messages they were used to generate or from any other public
information. Thus, they provide a much more trustworthy means of constraining senders and
receivers of messages.
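The contrast drawn above between trusting a source address and verifying possession of a key, as an added example that is not from the source chapter. It uses HMAC-SHA256 from Python's standard library as one concrete keyed check (this passage names no algorithm); the packet layout, function names and addresses are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

def _tag(key, source, payload):
    # The tag covers the claimed source and the payload, so neither can change.
    return hmac.new(key, source.encode() + b"|" + payload, hashlib.sha256).digest()

def make_packet(source, payload, key):
    """Constructed 'packet': the source field is whatever the sender claims."""
    return {"source": source, "payload": payload, "tag": _tag(key, source, payload)}

def accept_by_address(packet, trusted_sources):
    """Address-based trust: believes the claimed source field."""
    return packet["source"] in trusted_sources

def accept_by_key(packet, key):
    """Key-based trust: accepts only if the sender held the shared key."""
    expected = _tag(key, packet["source"], packet["payload"])
    return hmac.compare_digest(expected, packet["tag"])   # constant-time compare

def compare_checks():
    """Return {case: (address_check, key_check)} for three constructed packets."""
    key = secrets.token_bytes(32)            # shared only with the real sender
    trusted = {"192.0.2.10"}
    genuine = make_packet("192.0.2.10", b"rotate-logs", key)
    # Sender without the key that claims the trusted address.
    falsified = make_packet("192.0.2.10", b"rotate-logs", secrets.token_bytes(32))
    # Genuine packet whose payload was altered by a host on the path.
    altered = dict(genuine, payload=b"rotate-logs --all")
    cases = {"genuine": genuine, "falsified": falsified, "altered": altered}
    return {name: (accept_by_address(p, trusted), accept_by_key(p, key))
            for name, p in cases.items()}
```

The address check accepts all three packets; the keyed check accepts only the genuine one. This shows authentication only and provides no confidentiality.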
Cryptography is a powerful tool, and the use of cryptography can cause contention. Some
countries ban its use in certain forms or limit how long the keys can be. Others have ongoing
debates about whether technology vendors (such as smartphone vendors) must provide a back
door to the included cryptography, allowing law enforcement to bypass the privacy it provides.
Many observers argue, however, that back doors are an intentional security weakness that
could be exploited by attackers or even misused by governments.
Finally, note that cryptography is a field of study unto itself, with large and small complexities
and subtleties. Here, we explore the most important aspects of the parts of cryptography that
pertain to operating systems.
Note:
Source: Chapter 16: A. Silberschatz, P.B. Galvin and G. Gagne, Operating System
Concepts, 10th ed. Wiley, 2018.