Operating Systems
UNIT - 5 PROTECTION & SECURITY
STRUCTURE
5.0 Learning Objectives
5.1 Introduction
5.2 Security and Protection - Overview
5.2.1 Protection
5.2.2 Goals of Protection
5.3 Protection Domain
5.4 Access Matrix
5.5 Implementation of Access Matrix
5.6 Revocation of Access Rights
5.7 Security
5.7.1 The Security Problem
5.8 Authentication
5.9 One-time Passwords
5.10 Threats
5.11 Let Us Sum Up
5.12 Keywords
5.13 Some Useful Books
5.14 Answer to Check Your Progress
5.15 Terminal Question
5.0 LEARNING OBJECTIVES
After studying this unit, you will be able to:
• Understand various security challenges.
• Explain the mechanism to counter the security challenges.
• Describe the various approaches for protection.
• Explain access rights, their management, and their revocation.
• Elaborate on the types of threats and the options for containing them.
5.1 INTRODUCTION
Both protection and security are vital to computer systems.
Security is a measure of confidence that the integrity of a system and its
data will be preserved.
Protection is the set of mechanisms that control the access of processes
and users to the resources defined by a computer system.
Operating systems employ security and protection measures to prevent a
person from illegally using resources in a computer system or interfering
with them in any manner. These measures ensure that data and programs
are used only by authorized users and only in a desired manner, and that
they are neither modified nor denied to authorized users. Security
measures deal with threats to resources that come from outside a computer
system, while protection measures deal with internal threats.
Passwords are the principal security tool. A password requirement
thwarts attempts by unauthorized persons to masquerade as legitimate
users of a system. The confidentiality of passwords is upheld by
encryption. Computer users need to share data and programs stored in files
with collaborators, and here is where an operating system’s protection
measures come in. The owner of a file informs the OS of the specific
access privileges other users are to have—whether and how others may
access the file. The operating system’s protection function then ensures
that all accesses to the file are strictly in accordance with the specified
access privileges.
5.2 SECURITY AND PROTECTION - OVERVIEW
Ensuring non-interference with the computations and resources of users is
one of the three fundamental goals of an OS.
A resource could be a hardware resource such as an I/O device, a software
resource such as a program or data stored in a file, or a service offered by
the OS. Several kinds of interference can arise during operation of a
computer system; we call each of them a threat. Some of the threats depend
on the nature of specific resources or services and the manner of their use,
while others are of a generic nature.
Unauthorized access to resources is an obvious threat in an OS. Persons
who are not registered users of a computer system may try to access its
resources, while registered users may try to access resources that they have
not been authorized to use. Such persons may maliciously try to corrupt or
destroy a resource. This is a potent threat for programs and data stored in
files. A less obvious threat is interference in legitimate access of resources
and services by users. It tends to disrupt computational activities of users
by preventing them from using resources and services of an OS. This threat
is called denial of service.
Operating systems use two categories of techniques to counter threats to
data and programs:
• Security measures guard a user’s data and programs against
interference from persons or programs outside the operating system;
we broadly refer to such persons and their programs as nonusers.
• Protection measures guard a user’s data and programs against
interference from other users of the system.
Two key methods used by operating systems for implementing security
and protection are Authentication and Authorization.
Authentication, which is aimed at security, consists of verifying the identity
of a person. Computer-based authentication rests on either of two kinds of
assumptions. One common assumption is that a person is the user he
claims to be if he knows something that only the OS and the user are
expected to know, e.g., a password. It is called authentication by
knowledge. The other authentication method relies on things that only the
user is assumed to possess. For example, biometric authentication is based
on some unique and inalterable biological feature such as fingerprints,
retina, or iris.
Authorization is the key method of implementing protection. It consists
of: (1) granting an access privilege for a resource to a user, which is a right
to access the resource in the specified manner, and (2) determining
whether a user possesses the right to access a resource in a specific manner.
Figure 5-1: Generic security and protection setups in an operating
system
Figure 5.1 above shows a generic scheme for implementing security and
protection in an operating system. The security setup is shown in the
dashed box in the upper part of the figure. It consists of the authentication
service and the authentication database. The authentication database
contains a pair of the form (login id, validating information) for every
registered user of the operating system, where the validating information
is typically an encrypted form of a user’s password. To log into the system,
a person submits his login id and password to the kernel.
The kernel passes this information to the authentication service, which
encrypts the password and compares it with the validating information for
the user stored in the authentication database. If the check succeeds, the
authentication service generates an authentication token for the user and
passes it back to the kernel. The authentication token is typically the user
id assigned to the user.
Whenever the user or a process initiated by the user makes a request to
access a resource, the kernel appends the user’s authentication token to the
request to facilitate making of protection checks.
5.2.1 Protection
The protection setup is shown in the dashed box in the lower part of the
Figure 5.1. It consists of the authorization service and the authorization
database. The authorization database contains triples of the form
(authentication token, resource id, privileges). When a user wishes to grant
access privileges for one of his files to some users or withdraw some
previously granted access privileges for the file, he makes a request to the
kernel. As shown in above Figure 5.1, the kernel passes on the request to
the authorization service along with the authentication token for the user.
The authorization service now makes appropriate changes in the
authorization database. To access a resource, a user or his process makes
a resource request to the service and resource manager. The request
contains the id of a resource, the kind of access desired to it, and the
authentication token of the user. The service and resource manager passes
the request to the authorization service, which determines whether the user
possesses the privilege to use the resource in the desired manner and sends
a yes/no reply to the service and resource manager. Depending on this
reply, the service and resource manager decides whether the user’s request
should be granted. Not all operating systems incorporate all the elements
shown in the above Figure in their security and protection setups.
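The following Python program is an added illustration of the setup in Figure 5.1; it is not code from this unit or from any real operating system. The authentication service stores a salted PBKDF2 digest as the validating information (the unit says "encrypted"; a one-way digest is the assumed concrete form), returns the user id as the authentication token, and the authorization service answers yes/no over (token, resource id, privileges) triples on behalf of the service and resource manager. The user "alice", the file "F1", the privileges and the iteration count are constructed sample values.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value, tune for the target machine


class AuthenticationService:
    """Authentication database: login id -> (user id, salt, password digest).

    The validating information is a salted PBKDF2 digest rather than the
    password itself, so a leaked copy of the database cannot be replayed as
    a password.
    """

    def __init__(self):
        self._db = {}
        self._next_uid = 1000

    def register(self, login_id, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        uid = self._next_uid
        self._next_uid += 1
        self._db[login_id] = (uid, salt, digest)
        return uid

    def authenticate(self, login_id, password):
        """Return the authentication token (here, the user id) or None."""
        entry = self._db.get(login_id)
        if entry is None:
            # Do the same work for an unknown login id so the response time
            # does not reveal which ids are registered.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
            return None
        uid, salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        # Constant-time comparison: a plain == would stop at the first differing byte.
        return uid if hmac.compare_digest(candidate, digest) else None


class AuthorizationService:
    """Authorization database: triples (authentication token, resource id, privileges)."""

    def __init__(self):
        self._db = set()

    def grant(self, token, resource_id, privileges):
        self._db.add((token, resource_id, frozenset(privileges)))

    def revoke(self, token, resource_id):
        self._db = {t for t in self._db if (t[0], t[1]) != (token, resource_id)}

    def check(self, token, resource_id, operation):
        """The yes/no reply returned to the service and resource manager."""
        return any(tok == token and res == resource_id and operation in privs
                   for tok, res, privs in self._db)


class ResourceManager:
    """Service and resource manager: grants a request only on a 'yes' from authorization."""

    def __init__(self, authz):
        self._authz = authz

    def request(self, token, resource_id, operation):
        if token is None:
            return "denied: not authenticated"
        if self._authz.check(token, resource_id, operation):
            return "granted"
        return "denied: no privilege"


def demo():
    auth = AuthenticationService()
    authz = AuthorizationService()
    mgr = ResourceManager(authz)
    alice = auth.register("alice", "correct horse battery staple")  # constructed user
    authz.grant(alice, "F1", {"read"})                              # constructed privilege
    token = auth.authenticate("alice", "correct horse battery staple")
    results = {
        "login_ok": token == alice,
        "bad_password_rejected": auth.authenticate("alice", "wrong") is None,
        "unknown_user_rejected": auth.authenticate("mallory", "x") is None,
        "read_F1": mgr.request(token, "F1", "read"),
        "write_F1": mgr.request(token, "F1", "write"),
    }
    authz.revoke(alice, "F1")
    results["read_F1_after_revoke"] = mgr.request(token, "F1", "read")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Note that the kernel, not the process, attaches the token to each request; a process that could choose its own token would bypass the whole protection setup, which is why the token is returned only to the kernel after a successful check.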
The distinction between security and protection provides a neat separation
of concerns for the OS. In a conventional operating system, the security
concern is limited to ensuring that only registered users can use the system.
A security check is performed when a person logs in. It decides whether
the person is a user of the OS and determines his user id. Following this
check, all threats to information stored in the system are protection
concerns; the OS uses the user id of a person to determine whether he can
access a specific file in the OS. In a distributed system, however, security
concerns are more complex because of the presence of the networking
component.
Mechanisms and Policies
Table 5.1 below describes mechanisms and policies in security and
protection. Security policies specify whether a person should be allowed
to use a system. Protection policies specify whether a user should be
allowed to access a specific file. Both these policies are applied outside
the OS domain—a system administrator decides if an individual should be
permitted to become a user of a system, and a user specifies which users
may access his files. Security and protection mechanisms implement these
policies by maintaining the authentication and authorization databases and
using their contents to make specific checks during system operation.
Security
• Policy: Whether a person can become a user of the system. The system
administrator applies the policy while registering new users.
• Mechanisms: Add or delete users; check whether a person is a registered
user (i.e., perform authentication); perform encryption to ensure
confidentiality of passwords.
Protection
• Policy: The file owner specifies the authorization policy for a file. It
decides which users can access the file and in what manner.
• Mechanisms: Set or change authorization information for a file. Check
whether a file processing request conforms to the user’s privileges.
Table 5-1: Policies and mechanisms in security and protection
5.2.2 Goals of Protection
Secrecy: Only authorized users should be able to access information. This
goal is also called confidentiality.
Privacy: Information should be used only for the purposes for which it was
intended and shared.
Authenticity: It should be possible to verify the source or sender of
information, and also verify that the information has been preserved in
the form in which it was created or sent.
Integrity: It should not be possible to destroy or corrupt information, for
example, by erasing a disk.
Table 5-2: Goals of computer security and protection
Table 5-2 describes the four goals of security and protection, namely,
secrecy, privacy, authenticity, and integrity of information. Of the four
goals, only privacy is exclusively a protection concern. An OS addresses
privacy through the authorization service and the service and resource
manager. The authorization service verifies whether a user possesses the
privilege to access a resource in a specific manner, and the service and
resource manager disallows requests that do not conform to a user’s
privileges.
It is up to users to ensure privacy of their information by using this setup.
A user who wishes to share his data and programs with a few other users
should set the authorization for his information according to the well-
known need-to-know principle: Only those persons who need to use some
information for a legitimate function should be authorized to access it.
Secrecy, authenticity, and integrity are both protection and security
concerns. As protection concerns, secrecy, authenticity, and integrity are
easy to satisfy because the identity of a user would have already been
verified and the service and resource manager would use the authorization
information, which is a part of the protection setup. However, elaborate
arrangements are needed to satisfy secrecy, authenticity, and integrity as
security concerns.
Check Your Progress-1
1. What is protection and security in the context of computer systems?
__________________________________________________________
__________________________________________________________
________________________________________________________
2. Why is protection and security important in computer systems?
__________________________________________________________
__________________________________________________________
________________________________________________________
3. What are the fundamental principles of protection and security?
__________________________________________________________
__________________________________________________________
________________________________________________________
5.3 PROTECTION DOMAIN
The access control matrix, access control list, or capability list is used to
confer access privileges on users. This arrangement serves the secrecy goal
of security and protection because only authorized users can access a file.
However, the privacy goal of security and protection requires that
information should be used only for intended purposes and this
requirement could be violated as follows: A user is granted an access
privilege for a file because some process initiated by the user requires it.
However, every other process initiated by the user also has the same access
privilege for the file; some of these processes may access the file in an
unintended manner, thus violating the privacy requirement.
Violation of privacy raises a major reliability concern, as the correctness
of data would depend not only on correct manipulation by processes that
are supposed to access it, but also on harmlessness of the accesses made
by processes that are not supposed to access it. The concept of a protection
domain is used to prevent privacy violations. We can think of a protection
domain as a conceptual “execution environment”: Access privileges are
granted to a protection domain rather than to a user or his process.
A process operates “within” a protection domain and can access those
files for which the protection domain has access privileges. This
arrangement facilitates implementation of the need-to-know principle with
a fine granularity—a process should be allowed to operate within a
protection domain only if it needs to access the files for which the
protection domain has access privileges. The following example illustrates
how this approach ensures privacy of information.
Privacy can be enhanced by permitting a process to access some resources
only during specific phases in its operation. It is facilitated by letting a
process change its protection domain during operation, subject to some
conditions. Using this domain change facility, user ui would have been
able to use a single process to perform some personal computing, make
some investment decisions using program invest owned by user uj , and
write some memos and notes using a standard package. The process would
be initiated in domain D1. After performing personal computing in this
domain, the process would change its domain to D2 and call program
invest, so that invest could only view ui’s financial details but not modify
either those details or any of ui’s personal information. The process would
later change to domain D3 for writing memos and notes, using the standard
package.
Classifications of Computer Security
A security policy specifies the roles of entities—whether individuals or
programs—in ensuring that resources of a computer system are used in a
legitimate manner. A security policy would specify roles of system
administrators and programs used by them to maintain the authentication
and authorization databases and the roles of OS programs that constitute
the authentication and authorization services.
5.4 ACCESS MATRIX
The general model of protection can be viewed abstractly as a matrix,
called an access matrix. The rows of the access matrix represent domains,
and the columns represent objects.
Each entry in the matrix consists of a set of access rights. Because the
column defines objects explicitly, we can omit the object name from the
access right. The entry access (i,j) defines the set of operations that a
process executing in domain Di can invoke on object Oj.
Figure 5.2 Access matrix
Take the access matrix described in Figure 5.2. There are four domains
and four objects—three files (F1, F2, F3) and one laser printer. A process
executing in domain D1 can read files F1 and F3. A process executing in
domain D4 has the same privileges as one executing in domain D1; but in
addition, it could also write onto files F1 and F3. The laser printer could
be retrieved only by a process executing in domain D2.
The access-matrix scheme provides us with a mechanism for specifying a
variety of policies. The mechanism consists of implementing the access
matrix and ensuring that the semantic properties we have outlined hold.
Specifically, we must ensure that a process executing in domain Di can
access only those objects specified in row i, and then only as allowed by
the access-matrix entries. The access matrix can implement policy
decisions concerning protection. The policy decisions involve which rights
should be included in the (i, j)th entry.
We must also decide the domain in which each process executes. This last
policy is usually decided by the operating system. The users normally
decide the contents of the access-matrix entries. When a user creates a new
object Oj, the column Oj is added to the access matrix with the appropriate
initialization entries, as dictated by the creator. The user may decide to
enter some rights in some entries in column j and other rights in other
entries, as needed.
The access matrix gives an apt mechanism for describing and applying
strict control for both static and dynamic association between processes
and domains. When we switch a process from one domain to another, we
are executing an operation (switch) on an object (the domain). We can
control domain shifting by including domains among the objects of the
access matrix. Similarly, when we change the content of the access matrix,
we are performing an operation on an object: the access matrix. Again, we
can control these changes by including the access matrix itself as an object.
Since each entry in the access matrix can be modified individually, we
must consider each entry in the access matrix as an object to be protected.
Now, we need to consider only the operations possible on these new
objects (domains and the access matrix) and decide how we want
processes to be able to execute these operations.
Processes should be able to switch from one domain to another. Switching
from domain Di to domain Dj is allowed if and only if the access right
switch ∈ access (i, j). Thus, in Figure 17.6, a process executing in domain
D2 can switch to domain D3 or to domain D4. A process in domain D4
can switch to D1, and one in domain D1 can switch to D2. Allowing
controlled change in the contents of the access-matrix entries requires
three additional operations: copy, owner, and control.
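As an added example (not code from this unit), the following Python class represents an access matrix with the domains entered as objects, so that a domain switch is itself a right stored in a cell and checked like any other operation. The file and printer rights are the ones the text states for Figure 5.2; the placement of the switch rights follows the text's description (D2 to D3 or D4, D4 to D1, D1 to D2) but is an assumption, and since the text states no file rights for D3 that row is left empty. The `printer` column is added after construction to show a creator initialising a new column.

```python
class AccessMatrix:
    """Rows are domains, columns are objects; each cell is a set of rights.

    Domains are also entered as objects, so the 'switch' right in cell
    (Di, Dj) controls whether a process in Di may move to Dj.
    """

    def __init__(self, domains, objects):
        self.domains = list(domains)
        self.objects = list(objects) + self.domains   # domains are objects too
        self._cells = {(d, o): set() for d in self.domains for o in self.objects}

    def add_object(self, obj, creator=None, rights=()):
        """A user creating object Oj adds column Oj, initialised as the creator directs."""
        self.objects.append(obj)
        for d in self.domains:
            self._cells[(d, obj)] = set()
        if creator is not None:
            self._cells[(creator, obj)].update(rights)

    def grant(self, domain, obj, *rights):
        self._cells[(domain, obj)].update(rights)

    def rights(self, domain, obj):
        return frozenset(self._cells.get((domain, obj), ()))

    def allowed(self, domain, obj, op):
        return op in self.rights(domain, obj)

    def can_switch(self, src, dst):
        return "switch" in self.rights(src, dst)


class Process:
    """A process executes within exactly one domain at a time."""

    def __init__(self, matrix, domain):
        self.matrix = matrix
        self.domain = domain

    def invoke(self, obj, op):
        if not self.matrix.allowed(self.domain, obj, op):
            raise PermissionError("%s may not %s %s" % (self.domain, op, obj))
        return "%s %s in %s" % (op, obj, self.domain)

    def switch(self, dst):
        if not self.matrix.can_switch(self.domain, dst):
            raise PermissionError("no switch right from %s to %s" % (self.domain, dst))
        self.domain = dst


def build_matrix():
    m = AccessMatrix(["D1", "D2", "D3", "D4"], ["F1", "F2", "F3"])
    # Rights stated in the text for Figure 5.2.
    m.grant("D1", "F1", "read")
    m.grant("D1", "F3", "read")
    m.grant("D4", "F1", "read", "write")
    m.grant("D4", "F3", "read", "write")
    m.add_object("printer", creator="D2", rights=("print",))   # new column, creator's entry set
    # Switch rights placed as the text describes (assumed placement).
    m.grant("D2", "D3", "switch")
    m.grant("D2", "D4", "switch")
    m.grant("D4", "D1", "switch")
    m.grant("D1", "D2", "switch")
    return m


def trace(start_domain, steps):
    """Run steps of the form ('invoke', object, op) or ('switch', domain, None)
    for one process and report each outcome as 'ok' or 'denied'."""
    p = Process(build_matrix(), start_domain)
    out = []
    for kind, target, op in steps:
        label = "switch to %s" % target if kind == "switch" else "%s %s" % (op, target)
        try:
            if kind == "switch":
                p.switch(target)
            else:
                p.invoke(target, op)
            out.append(label + ": ok")
        except PermissionError:
            out.append(label + ": denied")
    return out
```

A call such as `trace("D1", [("invoke", "F1", "read"), ("switch", "D2", None), ("invoke", "printer", "print")])` walks one process through the matrix; the denied steps show that a process can only reach the printer, or write F1, by first holding the switch right into the domain that owns those rights.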
Access Control Matrix
An access control matrix (ACM) is a protection structure that gives
efficient access to both the access privileges of users for numerous files
and the access control information of files. Each element of the ACM
contains the access privileges of one user for one file. Each user has a
row in the ACM, while each file has a column in it. Thus, a row in the ACM
describes one user’s access privileges for all files in the system, and each
column describes the access control information for a file.
The ACM provides medium-grained protection. However, it is large in
size because an OS has a huge number of users and contains a huge
number of files. Accordingly, a large area of memory must be committed
to hold the ACM, or parts of it, in memory during system operation.
Operating systems use two approaches to reduce the size of access
control information.
In the first approach, the number of rows is reduced by assigning access
privileges to groups of users rather than to individual users. This
approach retains the basic advantage of the ACM, namely efficient
access to both access privileges of users and access control information
of files. However, it leads to coarse-grained protection because all users
in a group have identical access privileges for a file.
The second approach to reducing size of the protection structure exploits
the fact that a typical user possesses access privileges for only a few
files. Thus, most elements in an ACM contain null entries, so space can
be conserved by organizing the protection information in the form of lists
containing only nonnull access privileges. This method does not affect
the granularity of protection; however, it compromises the access
efficiency of the protection structure. We present two list-organized
protection structures in the following sections.
Access Control Lists (ACLs)
The access control list (ACL) of a file is a representation of its access
control information; it contains the non-null entries that the file’s column
would have contained in the ACM. It is stored as a list of pairs of the
form (user_id, access privileges).
Even though use of an ACL eliminates the need to store null access
privileges, presence of a large number of users in a system leads to large
ACL sizes, and thereby to large disk and memory overhead in the file
system. The time overhead is also high because the ACL has to be
searched for validating a file access. Both memory and CPU time can be
conserved at the cost of using coarse-grained protection by specifying
protection information for groups of users rather than for individual
users. Such an ACL could be small enough to be stored in the directory
entry of a file.
5.5 IMPLEMENTATION OF ACCESS MATRIX
In general, the access matrix will be sparse; that is, most of the entries
will be empty.
Although data structure techniques are available for representing sparse
matrices, they are not particularly useful for this application, because of
the way in which the protection facility is used. Here, we first describe
several techniques for implementing the access matrix and then compare
the methods.
Global Table
The simplest implementation of the access matrix is a global table
consisting of a set of ordered triples <domain, object, rights-set>.
Whenever an operation M is executed on an object Oj within domain Di,
the global table is searched for a triple <Di, Oj, Rk>, with M ∈ Rk. If this
triple is found, the operation is allowed to continue; otherwise, an
exception (or error) condition is raised.
This implementation suffers from several drawbacks. The table is usually
large and therefore cannot be kept in main memory, so additional I/O is
needed. Virtual memory techniques are often used for managing this
table. In addition, it is difficult to take advantage of special groupings of
objects or domains. For example, if everyone can read a particular object,
this object must have a separate entry in every domain.
Access Lists for Objects
Each column in the access matrix can be implemented as an access list
for one object, and the empty entries can be discarded. The resulting list
for each object consists of ordered pairs <domain, rights-set>, which
define all domains with a nonempty set of access rights for that object.
This approach can be extended easily to define a list plus a default set of
access rights. When an operation M on an object Oj is attempted in
domain Di, we search the access list for object Oj, looking for an entry
<Di, Rk> with M ∈ Rk. If the entry is found, we allow the operation; if it
is not, we check the default set. If M is in the default set, we allow the
access. Otherwise, access is refused, and an exception condition occurs.
For efficiency, we may check the default set first and then search the
access list.
Capability Lists for Domains
Rather than associating the columns of the access matrix with the objects
as access lists, we can associate each row with its domain. A capability
list for a domain is a list of objects together with the operations allowed
on those objects. An object is often represented by its physical name or
address, called a capability. To execute operation M on object Oj, the
process executes the operation M, specifying the capability (or pointer)
for object Oj as a parameter. Simple possession of the capability means
that access is allowed.
The capability list is associated with a domain, but it is never directly
accessible to a process executing in that domain. Instead, it is itself a
protected object, maintained by the operating system and accessed by the
user only indirectly. Capability-based protection relies on the fact that the
capabilities are never allowed to migrate into any address space directly
accessible by a user process (where they could be modified). If all
capabilities are secure, the objects they protect are also secure against
unauthorized access.
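The three representations just described (global table, access lists with a default set, and capability lists) are built below from one small matrix and checked against each other. This is an added Python example, not code from this unit; the domains D1 to D3, the objects F1, F2 and printer, the rights in the cells and the default "everyone may read F2" are constructed. The expansion step makes the text's drawback concrete: a global table or a capability list has no default set, so a right everyone holds must be entered once per domain.

```python
# Constructed sample matrix shared by all three representations below.
DOMAINS = ["D1", "D2", "D3"]
OBJECTS = ["F1", "F2", "printer"]
MATRIX = {
    ("D1", "F1"): {"read"},
    ("D1", "F2"): {"read", "write"},
    ("D2", "printer"): {"print"},
    ("D3", "F1"): {"read", "write"},
}
# Default rights for the access-list variant: "everyone may read F2".
DEFAULTS = {"F2": {"read"}}
OPS = ["read", "write", "print"]


def expand_defaults(matrix, defaults, domains):
    """Global tables and capability lists have no default set, so a right that
    everyone holds must appear once per domain (the text's 'separate entry in
    every domain' drawback)."""
    full = {cell: set(rights) for cell, rights in matrix.items()}
    for obj, rights in defaults.items():
        for d in domains:
            full.setdefault((d, obj), set()).update(rights)
    return full


class GlobalTable:
    """Set of <domain, object, rights-set> triples, searched on every request."""

    def __init__(self, matrix):
        self.triples = {(d, o, frozenset(r)) for (d, o), r in matrix.items()}

    def allowed(self, domain, obj, op):
        return any(d == domain and o == obj and op in r for d, o, r in self.triples)


class AccessLists:
    """One list per object (a column of the matrix) plus an optional default set."""

    def __init__(self, matrix, defaults):
        self.lists = {}
        for (d, o), r in matrix.items():
            self.lists.setdefault(o, {})[d] = frozenset(r)
        self.defaults = {o: frozenset(r) for o, r in defaults.items()}

    def allowed(self, domain, obj, op):
        if op in self.defaults.get(obj, ()):      # cheap check first, as the text suggests
            return True
        return op in self.lists.get(obj, {}).get(domain, ())


class CapabilityLists:
    """One list per domain (a row of the matrix). The OS holds the lists; a
    process only names the object and the system checks the domain's capabilities."""

    def __init__(self, matrix):
        self.lists = {}
        for (d, o), r in matrix.items():
            self.lists.setdefault(d, []).append((o, frozenset(r)))

    def allowed(self, domain, obj, op):
        return any(o == obj and op in r for o, r in self.lists.get(domain, []))


def compare_schemes():
    """Build all three structures from the same matrix and check they decide alike."""
    full = expand_defaults(MATRIX, DEFAULTS, DOMAINS)
    schemes = {
        "global_table": GlobalTable(full),
        "access_lists": AccessLists(MATRIX, DEFAULTS),
        "capability_lists": CapabilityLists(full),
    }
    decisions = {
        name: {(d, o, op): s.allowed(d, o, op)
               for d in DOMAINS for o in OBJECTS for op in OPS}
        for name, s in schemes.items()
    }
    agree = all(v == decisions["global_table"] for v in decisions.values())
    sizes = {
        "global_table": len(schemes["global_table"].triples),
        "access_lists": sum(len(l) for l in schemes["access_lists"].lists.values())
                        + len(schemes["access_lists"].defaults),
        "capability_lists": sum(len(l) for l in schemes["capability_lists"].lists.values()),
    }
    return agree, sizes, decisions["global_table"]
```

`compare_schemes()` returns whether the three structures agree on every (domain, object, operation) query, and how many entries each needed: the access lists store five entries for this matrix while the other two need six, because the shared read right on F2 had to be repeated per domain.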
A Lock–Key Mechanism
The lock–key scheme is a compromise between access lists and
capability lists. Each object has a list of unique bit patterns, called
locks. Similarly, each domain has a list of unique bit patterns, called
keys. A process executing in a domain can access an object only if that
domain has a key that matches one of the locks of the object.
As with capability lists, the list of keys for a domain must be managed
by the operating system on behalf of the domain. Users are not allowed
to examine or modify the list of keys (or locks) directly.
Comparison
Selecting a technique for implementing an access matrix involves various
trade-offs. Using a global table is simple; however, the table can be
quite large and often cannot take advantage of special groupings of
objects or domains. Access lists correspond directly to the needs of
users. When a user creates an object, he can specify which domains can
access the object, as well as what operations are allowed.
However, because access-right information for a particular domain is not
localized, determining the set of access rights for each domain is
difficult. In addition, every access to the object must be checked,
requiring a search of the access list. In a large system with long access
lists, this search can be time-consuming.
Capability lists do not correspond directly to the needs of users, but
they are useful for localizing information for a given process. The
process attempting access must present a capability for that access.
Then, the protection system needs only to verify that the capability is
valid. Revocation of capabilities, however, may be inefficient.
The lock–key mechanism, as mentioned, is a compromise between access
lists and capability lists. The mechanism can be both effective and
flexible, depending on the length of the keys. The keys can be passed
freely from domain to domain. In addition, access privileges can be
effectively revoked by the simple technique of changing some of the
locks associated with the object.
Nearly all systems use a combination of access lists and capabilities.
When a process first tries to access an object, the access list is
searched. If access is denied, an exception condition occurs. Otherwise,
a capability is created and attached to the process. Additional references
use the capability to demonstrate swiftly that access is allowed. After
the last access, the capability is destroyed.
This approach was used in the MULTICS system and in the CAL system.
As an example of how such a strategy works, consider a file system in
which each file has an associated access list. When a process opens a file,
the directory structure is searched to find the file, access permission is
checked, and buffers are allocated. All this information is recorded in a
new entry in a file table associated with the process. The operation
returns an index into this table for the newly opened file. All operations
on the file are made by specification of the index into the file table. The
entry in the file table then points to the file, and its buffers. When the file
is closed, the file-table entry is deleted. Since the file table is maintained
by the operating system, the user cannot accidentally corrupt it.
Thus, the user can access only those files that have been opened. Since
access is checked when the file is opened, protection is ensured. This
strategy is used in the UNIX system.
The right to access must still be checked on each access, and the file-
table entry has a capability only for the allowed operations. If a file is
opened for reading, then a capability for read access is placed in the file-
table entry. If an attempt is made to write onto the file, the system
identifies this protection violation by comparing the requested operation
with the capability in the file table entry.
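The following Python simulation is an added illustration of the file-table strategy just described; it is not UNIX code or code from this unit. `SimpleFS` and `ProcessFiles` are constructed names, the file F1, the users alice and bob and the access list are sample data, and descriptor numbering from 3 mimics the usual convention. The access list is consulted once at `open`, the file-table entry carries a capability for only the operations requested then, and every `read` or `write` is compared against that capability, so writing through a descriptor opened for reading is caught as a protection violation. The last steps also show the consequence of checking at open time: changing the access list afterwards does not affect an already-open descriptor, only the next `open`.

```python
class SimpleFS:
    """Files with an access list {user_id: set of operations}; constructed for illustration."""

    def __init__(self):
        self.files = {}

    def create(self, name, acl, data=b""):
        self.files[name] = {"acl": {u: set(r) for u, r in acl.items()},
                            "data": bytearray(data)}

    def set_acl(self, name, user, rights):
        self.files[name]["acl"][user] = set(rights)


MODE_OPS = {"r": {"read"}, "w": {"write"}, "rw": {"read", "write"}}


class ProcessFiles:
    """Per-process file table, maintained on the process's behalf; the process
    only ever holds integer indices into it."""

    def __init__(self, fs, user_id):
        self.fs = fs
        self.user_id = user_id
        self._table = {}
        self._next_fd = 3          # 0-2 are conventionally stdin/stdout/stderr

    def open(self, name, mode):
        wanted = MODE_OPS[mode]
        f = self.fs.files[name]
        granted = f["acl"].get(self.user_id, set())
        if not wanted <= granted:                   # access list checked once, at open
            raise PermissionError("open %s for %s denied" % (name, mode))
        fd = self._next_fd
        self._next_fd += 1
        # The entry is a capability for exactly the operations granted at open time.
        self._table[fd] = {"file": f, "caps": frozenset(wanted), "pos": 0}
        return fd

    def _entry(self, fd, op):
        e = self._table.get(fd)
        if e is None:
            raise OSError("bad file descriptor %d" % fd)
        if op not in e["caps"]:                     # checked against the capability on every access
            raise PermissionError("%s not permitted on fd %d" % (op, fd))
        return e

    def read(self, fd, n):
        e = self._entry(fd, "read")
        chunk = bytes(e["file"]["data"][e["pos"]:e["pos"] + n])
        e["pos"] += len(chunk)
        return chunk

    def write(self, fd, data):
        e = self._entry(fd, "write")
        buf = e["file"]["data"]
        buf[e["pos"]:e["pos"] + len(data)] = data
        e["pos"] += len(data)

    def close(self, fd):
        if fd not in self._table:
            raise OSError("bad file descriptor %d" % fd)
        del self._table[fd]                         # the capability is destroyed


def scenario():
    fs = SimpleFS()
    fs.create("F1", {"alice": {"read", "write"}}, b"hello")   # constructed file and ACL
    alice, bob = ProcessFiles(fs, "alice"), ProcessFiles(fs, "bob")
    r = {}
    fd = alice.open("F1", "r")
    r["read"] = alice.read(fd, 2)
    try:
        alice.write(fd, b"x")
        r["write_on_read_fd"] = "allowed"
    except PermissionError:
        r["write_on_read_fd"] = "violation"
    try:
        bob.open("F1", "r")
        r["bob_open"] = "allowed"
    except PermissionError:
        r["bob_open"] = "denied"
    fs.set_acl("F1", "alice", set())        # revoke alice's rights after the open
    r["read_after_acl_change"] = alice.read(fd, 3)   # open descriptor still works
    try:
        alice.open("F1", "r")
        r["reopen_after_acl_change"] = "allowed"
    except PermissionError:
        r["reopen_after_acl_change"] = "denied"
    alice.close(fd)
    try:
        alice.read(fd, 1)
        r["read_after_close"] = "allowed"
    except OSError:
        r["read_after_close"] = "bad fd"
    return r
```

`scenario()` returns the outcome of each step; the `read_after_acl_change` result is the one to remember when auditing a system of this kind, since revoking a user's access list entry does not close descriptors that user already holds.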
5.6 REVOCATION OF ACCESS RIGHTS
In a dynamic protection system, we may sometimes need to revoke access
rights to objects shared by different users. Various questions about
revocation may arise:
• Immediate versus delayed. Does revocation occur immediately, or is it
delayed? If revocation is delayed, can we find out when it will take
place?
• Selective versus general. When an access right to an object is
revoked, does it affect all the users who have an access right to that
object, or can we specify a select group of users whose access rights
should be revoked?
• Partial versus total. Can a subset of the rights associated with an
object be revoked, or must we revoke all access rights for this object?
• Temporary versus permanent. Can access be revoked permanently
(that is, the revoked access right will never again be available), or can
access be revoked and later be obtained again?
With an access-list scheme, revocation is easy. The access list is searched
for any access rights to be revoked, and they are deleted from the list.
Revocation is immediate and can be general or selective, total or partial,
and permanent or temporary. Capabilities, however, present a much
more difficult revocation problem, as mentioned earlier.
Since the capabilities are distributed throughout the system, we must
find them before we can revoke them.
Schemes that apply revocation for capabilities comprise the following:
• Reacquisition. Periodically, capabilities are deleted from each domain.
If a process wants to use a capability, it may find that the capability
has been deleted. The process may then try to reacquire the capability.
If access has been revoked, the process will not be able to reacquire the
capability.
• Back-pointers. A list of pointers is maintained with each object,
pointing to all capabilities associated with that object. When revocation
is required, we can follow these pointers, changing the capabilities as
necessary. This scheme was adopted in the MULTICS system. It is
quite general, but its implementation is costly.
• Indirection. The capabilities point indirectly, not directly, to the
objects. Each capability points to a unique entry in a global table, which
in turn points to the object. We implement revocation by searching the
global table for the desired entry and deleting it. Then, when an access
is attempted, the capability is found to point to an invalid table entry.
Table entries can be reused for other capabilities without difficulty,
since both the capability and the table entry contain the unique name of
the object. The object for a capability and its table entry must match.
This scheme was adopted in the CAL system. It does not allow selective
revocation.
• Keys. A key is a unique bit pattern that can be associated with a
capability. It is defined when the capability is created, and it can be
neither modified nor inspected by the process that owns the capability.
A master key is associated with each object; it can be defined or
replaced with the set-key operation. When a capability is created, the
current value of the master key is associated with the capability. When
the capability is exercised, its key is compared with the master key. If
the keys match, the operation is allowed to continue; otherwise, an
exception condition is raised. Revocation replaces the master key with a
new value via the set-key operation, invalidating all previous
capabilities for this object.
Operating Systems
This scheme does not permit selective revocation, as only one master
key is linked with every object. If we link a list of keys with every
object, then selective revocation could be applied. Lastly, we could
group all keys into one global table of keys. A capability is effective
only if its key matches some key in the global table. We apply
revocation by eliminating the matching key from the table. With this
scheme, a key could be associated with several objects, and several
keys could be associated with every object, giving maximum
flexibility.
In key-based schemes, the operations of defining keys, inserting them
into lists, and deleting them from lists should not be available to all
users. In particular, it would be acceptable to permit only the owner
of an object to set the keys for that object. This choice, though, is a
policy decision that the protection system could apply but should not
describe.
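The global-key-table variant of the keys scheme, written out as an added example (it is not code from the text, MULTICS or CAL): every capability carries an opaque key, a capability is exercisable only while its key is still in the table, and because one key may be shared by several capabilities and objects, deleting a key revokes exactly the capabilities minted under it. The object names, the owner-only policy on key management and the use of os.urandom for keys are assumptions made for the illustration.

```python
import os
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Capability:
    obj: str
    key: bytes = field(repr=False)  # opaque to the holder: never inspected or changed


class KeyedCapabilitySystem:
    """Revocation through one global table of keys.

    A capability is valid only while its key is present in valid_keys.
    Several capabilities (possibly for different objects) may share a key,
    and one object may have several live keys, so removing a single key
    revokes precisely the capabilities issued under it and nothing else.
    """

    def __init__(self):
        self.objects = {}      # object name -> data
        self.owner = {}        # object name -> owner (policy: only the owner manages keys)
        self.valid_keys = set()
        self.key_objects = {}  # key -> set of object names it was issued for

    def create_object(self, name, data, owner):
        self.objects[name] = data
        self.owner[name] = owner

    def grant(self, name, by, key=None):
        """Mint a capability for `name`. Passing an existing `key` groups
        capabilities so that they can later be revoked together."""
        if self.owner[name] != by:
            raise PermissionError(f"{by} does not own {name}")
        if key is None:
            key = os.urandom(16)       # assumed key generator: a fresh random bit pattern
        self.valid_keys.add(key)
        self.key_objects.setdefault(key, set()).add(name)
        return Capability(name, key)

    def revoke(self, key, by):
        """Delete `key` from the table; every capability carrying it becomes invalid."""
        for name in self.key_objects.get(key, ()):
            if self.owner[name] != by:
                raise PermissionError(f"{by} does not own {name}")
        self.valid_keys.discard(key)
        self.key_objects.pop(key, None)

    def access(self, cap):
        """Exercise a capability: its key must still be in the table for this object."""
        if cap.key not in self.valid_keys or cap.obj not in self.key_objects.get(cap.key, ()):
            raise PermissionError(f"capability for {cap.obj} has been revoked")
        return self.objects[cap.obj]


def _attempt(system, cap):
    try:
        system.access(cap)
        return "ok"
    except PermissionError:
        return "revoked"


def demo():
    """Selective revocation of one user, then group revocation of a shared key."""
    ps = KeyedCapabilitySystem()
    ps.create_object("payroll.db", b"salary records", owner="alice")
    ps.create_object("report.txt", b"quarterly report", owner="alice")

    cap_bob = ps.grant("payroll.db", by="alice")
    cap_carol = ps.grant("payroll.db", by="alice")
    cap_dave_payroll = ps.grant("payroll.db", by="alice")
    # One key covering two objects: revoking it withdraws both capabilities at once.
    cap_dave_report = ps.grant("report.txt", by="alice", key=cap_dave_payroll.key)

    ps.revoke(cap_bob.key, by="alice")            # only Bob loses access
    results = {
        "bob": _attempt(ps, cap_bob),
        "carol": _attempt(ps, cap_carol),
        "dave_payroll": _attempt(ps, cap_dave_payroll),
    }
    ps.revoke(cap_dave_payroll.key, by="alice")   # both of Dave's capabilities die together
    results["dave_report_after"] = _attempt(ps, cap_dave_report)
    results["carol_after"] = _attempt(ps, cap_carol)
    return results


if __name__ == "__main__":
    print(demo())
```

With a single master key per object, the only revocation available would be ps.revoke on every key of that object, which is exactly the loss of selectivity the text describes; the per-key table is what lets Alice cut Bob off while Carol and Dave keep working.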
Check Your Progress-2
1. How does an access matrix enforce access control policies?
__________________________________________________________
__________________________________________________________
________________________________________________________
2. What are the limitations of an access matrix?
__________________________________________________________
__________________________________________________________
________________________________________________________
5.7 SECURITY
In a conventional OS, the authentication procedures ensure that only
registered users can log into the system and initiate processes. Hence, the
OS knows which user has initiated a specific process, and with that
knowledge it can readily check whether a process should be allowed to use
a specific resource.
When processes communicate with other processes, the OS actions
concerning communication are also confined to the same computer
system. Hence an illegal access to a resource or a service by a process and
an attempt to tamper with messages are both protection threats rather than
security threats.
The situation is different when a system has an Internet connection and a
user downloads data or programs from the Internet. Some person or
program external to the OS may be able to corrupt the data and programs
being downloaded. Threats raised by such data and programs are, by
definition, security threats.
Security threats arise more easily in a distributed OS. An interprocess
message may cross boundaries between nodes as it travels between a
sender and a receiver. Communication between nodes takes place over
open communication links, including public links. Hence it is possible for
an external entity to tamper with messages.
5.7.1 The Security Problem
In many applications, ensuring the security of the computer system is
worth considerable effort. Large commercial systems containing payroll
or other financial data are inviting targets to thieves. Systems that contain
data pertaining to corporate operations may be of interest to unscrupulous
competitors. Furthermore, loss of such data, whether by accident or fraud,
can seriously impair the ability of the corporation to function. Even raw
computing resources are attractive to attackers for bitcoin mining, for
sending spam, and as a source from which to anonymously attack other
systems.
The operating system (with appropriate aid from the hardware) can offer
mechanisms that allow users to protect their resources, including
programs and data. These mechanisms work well only as long as the users
conform to the intended use of and access to these resources. A system is
secure if its resources are used and accessed as intended under all
circumstances. Unfortunately, total security cannot be achieved.
Nonetheless, we must have mechanisms to make security breaches a rare
occurrence, rather than the norm.
Security violations (or misuse) of the system can be categorized as
intentional (malicious) or accidental. It is easier to protect against
accidental misuse than against malicious misuse. For the most part,
protection mechanisms are the core of protection from accidents. The
following list includes several forms of accidental and malicious security
violations. Note that in our discussion of security, we use the terms
intruder, hacker, and attacker for those attempting to breach security. In
addition, a threat is the potential for a security violation, such as the
discovery of a vulnerability, whereas an attack is an attempt to break
security.
• Breach of confidentiality. This type of violation involves unauthorized
reading of data (or theft of information). Typically, a breach of
confidentiality is the goal of an intruder. Capturing secret data from a
system or a data stream, such as credit-card information or identity
information for identity theft, or unreleased movies or scripts, can
result directly in money for the intruder and embarrassment for the
hacked institution.
• Breach of integrity. This violation involves unauthorized modification
of data. Such attacks can, for example, result in passing of liability to
an innocent party or modification of the source code of an important
commercial or open-source application.
• Breach of availability. This violation involves unauthorized destruction
of data. Some attackers would rather wreak havoc and gain status or
bragging rights than gain financially. Website defacement is a common
example of this type of security breach.
• Theft of service. This violation involves unauthorized use of resources.
For example, an intruder (or intrusion program) may install a daemon
on a system that acts as a file server.
• Denial of service. This violation involves preventing legitimate use of
the system. Denial-of-service (DoS) attacks are sometimes accidental.
The original Internet worm turned into a DoS attack when a bug failed
to delay its rapid spread.
Attackers use several standard methods in their attempts to breach
security.
The most common is masquerading, in which one participant in a
communication pretends to be someone else (another host or another
person). By masquerading, attackers breach authentication, the
correctness of identification; they can then gain access that they would
not normally be allowed. Another common attack is to replay a captured
exchange of data. A replay attack consists of the malicious or fraudulent
repeat of a valid data transmission.
Sometimes the replay comprises the entire attack, for example a
repetition of a request to transfer money. But frequently it is done along
with message modification, in which the attacker changes data in a
communication without the sender's knowledge. Consider the damage
that could be done if a request for authentication had a legitimate user's
information replaced with an unauthorized user's. Yet another kind of
attack is the man-in-the-middle attack, in which an attacker sits in the
data flow of a communication, masquerading as the sender to the receiver,
and vice versa. In a network communication, a man-in-the-middle attack
may be preceded by a session hijacking, in which an active communication
session is intercepted.
Another broad class of attacks is aimed at privilege escalation. Every
system assigns privileges to users, even if there is just one user and that
user is the administrator. Generally, the system includes several sets of
privileges, one for each user account and some for the system. Frequently,
privileges are also assigned to nonusers of the system (such as users from
across the Internet accessing a web page without logging in, or anonymous
users of services such as file transfer). Even a sender of email to a remote
system can be considered to have privileges: the privilege of sending an
email to a receiving user on that system. Privilege escalation gives
attackers more privileges than they are supposed to have. For example, an
email containing a script or macro that is executed exceeds the email
sender's privileges. Masquerading and message modification, mentioned
above, are often done to escalate privileges. There are many more
examples, as this is a very common type of attack. Indeed, it is difficult to
detect and prevent all of the various attacks in this category.
Absolute protection of the system from malicious abuse is not possible,
but the cost to the perpetrator can be made sufficiently high to deter most
intruders. In some cases, such as a denial-of-service attack, it is
preferable to prevent the attack but sufficient to detect it so that
countermeasures can be taken (such as upstream filtering or adding
resources so that the attack is not denying service to legitimate users).
To protect a system, we must take security measures at four levels:
1. Physical. The site or sites containing the computer systems must be
physically secured against entry by intruders. Both the machine rooms
and the terminals or computers that have access to the target machines
must be secured, for example by limiting access to the building they
reside in or locking them to the desk on which they sit.
2. Network. Most contemporary computer systems, from servers to mobile
devices to Internet of Things (IoT) devices, are networked. Networking
provides a means for the system to access external resources but also
provides a potential vector for unauthorized access to the system itself.
Further, computer data in modern systems often travel over private
leased lines, shared lines like the Internet, wireless connections, and
dial-up lines. Intercepting these data can be just as harmful as breaking
into a computer, and interruption of communications can constitute a
remote denial-of-service attack, diminishing users' use of and trust in
the system.
3. Operating system. The operating system and its built-in set of
applications and services comprise a huge code base that may harbor
many vulnerabilities. Insecure default settings, misconfigurations, and
security bugs are only a few potential problems. Operating systems must
thus be kept up to date (via continuous patching) and "hardened":
configured and modified to decrease the attack surface and avoid
penetration. The attack surface is the set of points at which an attacker
can try to break into the system.
4. Application. Third-party applications may also pose risks, especially
if they possess significant privileges. Some applications are inherently
malicious, but even benign applications may contain security bugs. Due
to the vast number of third-party applications and their disparate code
bases, it is virtually impossible to ensure that all such applications are
secure.
The four-layer model of security is like a chain made of links: a
vulnerability in any of its layers can lead to full system compromise. In
that respect, the old adage that security is only as strong as its weakest
link holds true. Another factor that cannot be overlooked is the human
one. Authorization must be performed carefully to ensure that only
appropriate, trusted users have access to the system. Even authorized
users, though, may be malicious or may be "encouraged" to let others use
their access, whether willingly or when duped through social
engineering, which uses deception to persuade people to give up
confidential information. One type of social-engineering attack is
phishing, in which a legitimate-looking e-mail or web page misleads a
user into entering confidential information. Sometimes, all it takes is a
click of a link on a browser page or in an email to inadvertently download
a malicious payload, compromising system security on the user's
computer. Usually that PC is not the end target, but rather some more
valuable resource. From that compromised system, attacks on other
systems on the LAN or other users ensue.
5.8 AUTHENTICATION
Authentication is typically performed through passwords, using a few
schemes. For every registered user, the system stores a pair of the form
(login id, <validating_info>) in a passwords table, where
<validating_info> = Ek(password). To authenticate a user, the system
applies Ek to the password he supplies and compares the result with his
validating information stored in the passwords table. The user is
considered to be authentic if the two match. Since Ek is only ever applied
in the forward direction, a one-way function is used for it: someone who
reads the passwords table should not be able to recover the passwords
from it.
If an intruder has access to the passwords table, he can launch one of the
attacks on Ek. Alternatively, the intruder may launch an attack to crack
the password of an individual user.
In the scheme described above, if two users use identical passwords, the
encrypted forms of their passwords would also be identical, which would
facilitate an intruder's attempts at cracking a password if the passwords
table is visible to him. Hence the encryption function E takes two
parameters. One parameter is the encryption key k, and the other is a
string derived from the user's login id (or, in most modern systems, a
random per-user value called a salt that is stored alongside the validating
information). Now, identical passwords yield distinct encrypted strings.
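The salted scheme just described, as an added example that is not code from the text: Ek is taken to be PBKDF2-HMAC-SHA256 (a one-way, deliberately slow function), the second parameter is a random per-user salt, and the comparison is done in constant time so that the check itself leaks nothing about how many bytes matched. The two users, their shared password and the iteration count are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Work factor: each guess against a stolen table costs this many HMAC rounds.
ITERATIONS = 600_000


def make_record(password, salt=None):
    """Build the (salt, validating_info) pair stored for one user.

    validating_info = PBKDF2-HMAC-SHA256(password, salt). The salt is random
    per user, so two users with the same password get different records.
    """
    salt = os.urandom(16) if salt is None else salt
    info = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "info": info}


def verify(record, attempt):
    """Recompute the transformation on the supplied password and compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    # compare_digest runs in time independent of where the digests first differ.
    return hmac.compare_digest(candidate, record["info"])


# Constructed passwords table: two users who happen to choose the same password.
TABLE = {
    "alice": make_record("correct horse battery"),
    "bob": make_record("correct horse battery"),
}


def same_password_distinct_records():
    """The property the text asks for: identical passwords, different stored strings."""
    return TABLE["alice"]["info"] != TABLE["bob"]["info"]


if __name__ == "__main__":
    print("distinct records:", same_password_distinct_records())
    print("alice login ok:", verify(TABLE["alice"], "correct horse battery"))
    print("alice wrong pw:", verify(TABLE["alice"], "correct horse batter"))
```

An intruder who copies TABLE still has to run 600,000 HMAC rounds per guess per user, and a cracked entry for alice tells him nothing about bob's, which is the whole point of salting.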
Intruders may use password cracking programs to discover passwords of
individual users. Their task is simplified by users’ tendency to use
passwords that are not difficult to guess, such as dictionary words and
vehicle numbers, or use simple keyboard sequences. For infrequently used
accounts, users often choose simple passwords that are easy to remember,
the common refrain being that they do not have many important files in
that account. However, a password is the proverbial weakest link in the
security chain. Any password that is cracked provides an intruder with
opportunities for launching further security attacks. Consequently, a large
number of security problems relate to use of poor passwords.
Operating systems use a set of techniques to defeat attacks on passwords.
Table 5-3 below summarizes these techniques. Password aging limits the
exposure of passwords to intruders, which is expected to make passwords
more secure; note, however, that current guidance such as NIST SP 800-63B
advises against forced periodic changes, since they push users toward
predictable variations of old passwords, and recommends changing a
password when there is evidence it has been compromised. System-chosen
passwords ensure use of strong passwords, which cannot be cracked by
simple techniques like looking for parts of names or dictionary words in
the passwords. Their use would force an intruder to use an exhaustive
attack to crack a password, which is impractical if the passwords are long
enough.
Technique                 Description
Password aging            Encourage or force users to change their passwords
                          frequently, at least once every 6 months. It limits
                          the exposure of a password to intruder attacks.
System-chosen passwords   A system administrator uses a methodology to
                          generate and assign strong passwords to users. Users
                          are not allowed to change these passwords. An
                          intruder would have to use an exhaustive attack to
                          break such passwords.
Encryption of passwords   The encrypted form of passwords is stored in a
                          system file; however, the ciphertext form of
                          passwords is visible to all users in the system. An
                          intruder can use one of the attacks to find Ek, or
                          launch an exhaustive attack to crack an individual
                          user's password.
Encrypt and hide          The encrypted form of passwords is not visible to
password information      any person within or outside the system. Hence an
                          intruder cannot use any of the attacks on the
                          passwords table.
Table 5-3: OS techniques for defeating attacks on passwords
Protection Structures
A protection structure is the classical name for the authorization database.
It contains information indicating which users can access which files in
what manner. An access privilege for a file is a right to make a specific
form of access to the file, e.g., a read access or a write access. A user may
hold one or more access privileges for a file, e.g., he may be permitted to
only read a file, or read and write a file but not execute it. An access
descriptor is a representation of a collection of access privileges for a file.
The access control information for a file is a collection of access
descriptors; it represents access privileges for the file held by all users in
the system.
Granularity of Protection
Granularity of protection signifies the degree of discrimination a file
owner can exercise concerning protection of files. Table 5-4 below defines
three levels of granularity:
Granularity                 Description
Coarse-grained protection   Access privileges for a file can be specified only
                            for groups of users. Each user in a group has
                            identical access privileges for the file.
Medium-grained protection   Access privileges for a file can be specified
                            individually for each user in the system.
Fine-grained protection     Access privileges for a file can be specified for a
                            process, or for a phase in operation of a process.
Table 5-4: Granularity of protection
Coarse-grained protection implies that users are clubbed into groups and
access privileges are specified for a group of users, whereas medium-
grained protection implies that the owner of a file can specify access
privileges individually for each user in the system. Fine-grained protection
permits access privileges to be specified for a process or for different
phases in operation of a process. This way, different processes created by
the same user may possess different access privileges for a file, or the same
process may possess different access privileges for the file at different
times. It helps in ensuring privacy of information. Users desire medium- or
fine-grained protection. However, such protection leads to a large
protection structure. This is why operating systems often resort to coarse-
grained protection.
5.9 ONE-TIME PASSWORDS
To avoid the problems of password sniffing and shoulder surfing, a system
can use a set of paired passwords. When a session begins, the system
randomly selects and presents one part of a password pair; the user must
supply the other part. In this system, the user is challenged and must
respond with the correct answer to that challenge.
This approach can be generalized to the use of an algorithm as a password.
In this scheme, the system and the user share a symmetric password. The
password pw is never transmitted over a medium that allows exposure.
Rather, the password is used as input to a function, along with a challenge
ch presented by the system. The user then computes the function H(pw,
ch). The result of this function is transmitted as the authenticator to the
computer. Because the computer also knows pw and ch, it can perform the
same computation. If the results match, the user is authenticated. The next
time the user needs to be authenticated, another ch is generated, and the
same steps ensue. This time, the authenticator is different. Such
algorithmic passwords are not susceptible to reuse: a user can type in the
authenticator, and no entity intercepting it will be able to use it again,
since the next session presents a different challenge. This one-time
password system is one of only a few ways to prevent improper
authentication due to password exposure.
One-time password systems are implemented in various ways.
Commercial implementations use hardware calculators with a display or a
display and numeric keypad. These calculators generally take the shape of
a credit card, a key-chain dongle, or a USB device. Software running on
computers or smartphones provides the user with H(pw, ch); pw can be
input by the user or generated by the calculator in synchronization with
the computer. Sometimes, pw is just a personal identification number
(PIN). The output of any of these systems shows the one-time password.
A one-time password generator that requires input by the user involves
two-factor authentication. Two different types of components are needed
in this case: for example, a one-time password generator that generates
the correct response only if the PIN is valid. Two-factor authentication
offers far better authentication protection than single-factor
authentication because it requires "something you have" as well as
"something you know."
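The challenge-response exchange above, with both sides' messages, as an added example (not code from the text or from any commercial token): H(pw, ch) is taken to be HMAC-SHA256, each challenge is a fresh random value that the server accepts exactly once, and the run also shows why the replay attack described earlier in this section fails, since the authenticator Eve captured was computed over a challenge that has already been consumed. The user name, shared secret and challenge size are assumptions for the illustration.

```python
import hashlib
import hmac
import os


def compute_response(pw, ch):
    """H(pw, ch): the authenticator sent over the wire. pw itself never leaves the client."""
    return hmac.new(pw, ch, hashlib.sha256).digest()


class Authenticator:
    """Server side: holds each user's shared secret and issues fresh challenges."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)  # login id -> pw (constructed for the example)
        self._pending = {}             # login id -> outstanding challenge

    def challenge(self, user):
        ch = os.urandom(16)            # fresh, unpredictable challenge per session
        self._pending[user] = ch
        return ch

    def verify(self, user, response):
        """Accept only an answer to the challenge currently outstanding for `user`."""
        ch = self._pending.pop(user, None)   # a challenge is usable exactly once
        pw = self._secrets.get(user)
        if ch is None or pw is None:
            return False
        return hmac.compare_digest(compute_response(pw, ch), response)


def run_protocol():
    """Returns (legitimate login, Eve's replay, legitimate login again)."""
    shared_pw = b"s3cret-pw"                        # known to Alice and the server only
    server = Authenticator({"alice": shared_pw})

    # Session 1: server -> Alice: ch1 ; Alice -> server: H(pw, ch1)
    ch1 = server.challenge("alice")
    r1 = compute_response(shared_pw, ch1)
    first_ok = server.verify("alice", r1)

    # Eve sniffed r1 and replays it in a new session. The server has issued
    # ch2 by now, so r1 no longer matches anything it will accept.
    server.challenge("alice")
    replay_ok = server.verify("alice", r1)

    # Session 3: Alice answers the new challenge and succeeds as before.
    ch3 = server.challenge("alice")
    again_ok = server.verify("alice", compute_response(shared_pw, ch3))
    return first_ok, replay_ok, again_ok


if __name__ == "__main__":
    print(run_protocol())   # expected (True, False, True)
```

Popping the pending challenge inside verify is the detail that matters: if the server kept ch1 around, Eve's replay of r1 would verify, and the scheme would degrade to an ordinary reusable password.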
Encryption
Encryption is the application of an algorithmic transformation to data.
When data is stored in its encrypted form, only a user or process that
knows how to recover the original form of the data can use it. This
feature helps in preserving confidentiality of data. Protection and security
mechanisms use encryption to guard information concerning users and
their resources, such as the passwords table; users can also employ it to
guard their own data. Cryptography is the branch of science dealing with
encryption techniques.
5.10 THREATS
Attempts to breach the security of a system are called security attacks, and
the person or the program making the attack is called an adversary or
intruder. Two common forms of security attacks are:
• Masquerading: Assuming the identity of a registered user of the
system through illegitimate means.
• Denial of service: Preventing registered users of the system from
accessing resources for which they possess access privileges.
In a successful masquerading attack, the intruder gains access to resources
that the impersonated user is authorized to access, hence he can corrupt or
destroy programs and data belonging to the impersonated user at will. The
obvious way to launch a masquerading attack is to crack a user’s password
and use this knowledge to pass the authentication test at log in time.
Another approach is to perform masquerading in a more subtle manner
through programs that are imported into a software environment.
A denial-of-service attack, also called a DoS attack, is launched by
exploiting some vulnerability in the design or operation of an OS. A DoS
attack can be launched through several means; some of these means can
be employed only by users of a system, while others may be employed by
intruders located in other systems. Many of these means are legitimate
operations, which makes it easy to launch DoS attacks and hard for an OS
to detect and prevent them. For example, a DoS attack can be launched by
overloading a resource through spurious requests to such an extent that
genuine users of the resource are denied its use. If the kernel of an OS
limits the total number of processes that can be created in order to control
pressure on kernel data structures, a user may create a large number of
processes so that no other user can create processes. Use of network
sockets may be similarly denied by opening a large number of sockets.
A DoS attack can also be launched by corrupting a program that offers
some service, or by destroying some configuration information within the
kernel, e.g., use of an I/O device can be denied by changing its entry in the
physical device table of the kernel.
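The process-table exhaustion just described, modelled as an added example (this is not kernel code from the text or any OS): a process table with only a global cap lets one user fill it and starve everyone else, while a per-user quota bounds the damage. The table sizes and user names are constructed for the illustration; real kernels enforce the same idea through a per-user process limit alongside the global one.

```python
class ProcessTable:
    """Kernel process table with a global cap and an optional per-user quota."""

    def __init__(self, max_total, max_per_user=None):
        self.max_total = max_total
        self.max_per_user = max_per_user
        self.live = {}  # user -> number of live processes

    def total(self):
        return sum(self.live.values())

    def create(self, user):
        """Admit a new process for `user`, or refuse it. Returns True on success."""
        if self.total() >= self.max_total:
            return False                      # global table is full
        if self.max_per_user is not None and self.live.get(user, 0) >= self.max_per_user:
            return False                      # this user has hit his quota
        self.live[user] = self.live.get(user, 0) + 1
        return True

    def exit(self, user):
        if self.live.get(user, 0) > 0:
            self.live[user] -= 1


def simulate(max_total=64, per_user=None, attacker_spawns=1000):
    """Mallory spawns as many processes as she can; can Alice still get one?

    Returns (processes Mallory obtained, whether Alice's single request succeeded).
    """
    table = ProcessTable(max_total, per_user)
    mallory = sum(table.create("mallory") for _ in range(attacker_spawns))
    alice_ok = table.create("alice")
    return mallory, alice_ok


if __name__ == "__main__":
    print("global cap only:  ", simulate())              # (64, False): Alice is denied
    print("with per-user cap:", simulate(per_user=32))   # (32, True): Alice gets in
```

The quota has to be strictly smaller than the global cap, and it only helps against a single account; an intruder holding several accounts, or the network flooding described below, needs other countermeasures.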
A network DoS attack may be launched by flooding the network with
messages intended for a particular server so that network bandwidth is
denied to genuine messages, and the server is so busy receiving messages
that it cannot get around to responding to any of them. A distributed DoS
(DDoS) attack is one that is launched from many hosts in the network,
typically machines the intruder has compromised earlier; it is even harder
to detect and prevent than a non-distributed one. Many other security
attacks are launched through the message communication system. Reading
of messages without authorization, which is also called eavesdropping, and
tampering with messages are two such attacks. These attacks primarily
occur in distributed operating systems.
Trojan Horses, Viruses, and Worms
Trojan horses, viruses, and worms are programs that contain some code
that can launch a security attack when activated. Table below summarizes
their characteristics. A Trojan horse or a virus enters a system when an
unsuspecting user downloads programs over the Internet or from a disk.
On the contrary, a worm existing in one computer system spreads to other
computer systems by itself.
A Trojan horse is a program that has a hidden component that is designed
to cause havoc in a computer system. For example, it can erase a hard disk
in the computer, which is a violation of integrity; collect information for
masquerading; or force a system to crash or slowdown, which amounts to
denial of service. A typical example of a Trojan horse is a spoof login
program, which provides a fake login prompt to trick a user into revealing
his password, which can be used later for masquerading. Since a Trojan
horse is loaded explicitly by an unsuspecting user, it is not difficult to track
its authorship or origin.
Threat        Description
Trojan horse  A program that performs a legitimate function that is known
              to an OS or its users, and also has a hidden component that
              can be used later for nefarious purposes like attacks on
              message security or masquerading.
Virus         A piece of code that can attach itself to other programs in
              the computer system and spread to other computer systems
              when programs are copied or transferred.
Worm          A program that spreads to other computer systems by
              exploiting security holes in an OS, such as weaknesses in
              facilities for creation of remote processes.
Table 5-5: Security threats through Trojan horses, viruses, and worms
A virus is a piece of code that infects other programs and spreads to other
systems when the infected programs are copied or transferred. A virus
called an executable virus or file virus causes infection as follows: The
virus inspects the disk, selects a program for infection, and adds its own
code, which we will call the viral code, to the program’s code. It also
modifies the program’s code such that the viral code is activated when the
program is executed. A simple way to achieve it is to modify the first
instruction in the program’s code, i.e., the instruction whose address is the
execution start address of the program, to transfer control to the viral code.
When the viral code gets activated, it inspects the disk looking for other
programs to infect. After infecting these programs, it passes control to the
genuine code of the program. Since the infection step does not consume
much CPU time and the infected program’s functioning is not affected, a
user has no way of knowing whether a program has been infected. The
way a virus attaches itself to another program makes it far more difficult
to track than a Trojan horse.
A virus typically sets up a back door that can be exploited for a destructive
purpose at a later date. For example, it may set up a daemon that remains
dormant until it is activated by a trigger, which could be a specific date,
time, or message, and performs some destructive acts when activated.
Different categories of viruses infect and replicate differently. Apart from
the file virus described above, a boot sector virus plants itself in the boot
sector of a hard or floppy disk. Such a virus gets an opportunity to execute
when the system is booted and gets an opportunity to replicate when a new
bootable disk is made.
Executable and boot-sector viruses thrived when programs were loaded
through floppies. Use of CDs that cannot be modified has curtailed their
menace. However, newer viruses have switched to more sophisticated
techniques to breach a computer’s defences. An e-mail virus enters a
computer system through an e-mail and sends spurious mails to users
whose e-mail ids can be found in an address book. The Melissa virus of
1999 used a viral code that was a Word document posted on an Internet
newsgroup. The virus was triggered when a user opened a downloaded
copy of the Word document, and it sent the document itself to 50 persons
whose e-mail id’s were found in the user’s address book.
The back door in this case was a tiny code fragment that was associated
with the Word document using the language called Visual Basic for
Applications (VBA). It was triggered by the auto-execute feature of
Microsoft Word, which automatically executes the macro associated
with a Word document when the document is opened. The I LOVE YOU
virus of year 2000 was an e-mail virus that attached viral code as an
attachment in an e-mail. This code executed when some user double-
clicked on the attachment. It sent e-mails containing its own copies to
several others and then corrupted files on the disk of the host where it
executed. Both Melissa and I LOVE YOU viruses were so powerful that
they forced large corporations to completely shut off their e-mail servers
until the viruses could be contained.
Viruses use various techniques to escape detection by antivirus software.
These techniques include changing their form, compressing or encrypting
their code and data, hiding themselves in parts of the OS, etc.
A worm is a program that replicates itself in other computer systems by
exploiting holes in their security setup. It is more difficult to track than a
virus because of its self-replicating nature. Worms are known to replicate
at unimaginably high rates, thus loading the network and consuming CPU
time during replication. The Code Red worm of 2001 spread to a quarter
of a million hosts in 9 hours, using a buffer overflow attack. The Morris
worm of 1988 spread to thousands of hosts through three weaknesses in
the Unix system.
The security attacks launched through Trojan horses, viruses, or worms
can be foiled through the following measures:
• Exercising caution while loading new programs into a computer.
• Using antivirus programs.
• Plugging security holes as they are discovered or reported.
Loading programs from original disks on which they are supplied by a
vendor can eliminate a primary source of Trojan horses or viruses. This
approach is particularly effective with the compact disk (CD) technology.
Since such disks cannot be modified, a genuine program cannot be
replaced by a Trojan horse, or a vendor-supplied disk cannot be infected
by a virus.
Antivirus programs analyze each program on a disk to see if it contains
any features analogous to any of the known viruses. The fundamental
feature it looks for is whether the execution start address of the program
has been modified or whether the first few bytes of a program perform
actions resembling replication, e.g., whether they attach code to any
programs on a disk.
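The two checks the paragraph above attributes to antivirus programs, worked as an added example (not code from the text or from any real scanner): a baseline is recorded from the vendor's original copy of a program, and a later scan flags an image whose contents, size or execution start address no longer match, in particular an entry point that now lands in code appended after the original image. The image format (a 4-byte big-endian entry offset followed by code) and both images are constructed for the illustration; a real scanner parses ELF or PE headers and matches signatures as well.

```python
import hashlib
import struct

HEADER = struct.Struct(">I")   # constructed image format: 4-byte entry offset, then code


def baseline_for(image):
    """Record what a known-good program looks like (from the vendor's original)."""
    (entry,) = HEADER.unpack_from(image)
    return {"sha256": hashlib.sha256(image).hexdigest(), "size": len(image), "entry": entry}


def scan(image, base):
    """Return the reasons an image looks infected; an empty list means clean."""
    findings = []
    if len(image) < HEADER.size:
        return ["image too short to hold a header"]
    if hashlib.sha256(image).hexdigest() != base["sha256"]:
        findings.append("contents differ from baseline")
    (entry,) = HEADER.unpack_from(image)
    if entry != base["entry"]:
        findings.append("execution start address modified")
    if entry >= base["size"]:
        findings.append("entry points into code appended after the original image")
    if len(image) > base["size"]:
        findings.append("image has grown")
    return findings


# Constructed clean program: entry at offset 4, i.e. the first code byte.
CLEAN = HEADER.pack(4) + b"\x90\x90\xc3"
# Constructed infected copy: extra bytes appended and the entry patched to run
# them first, which is exactly the file-virus infection step described above.
INFECTED = HEADER.pack(len(CLEAN)) + CLEAN[HEADER.size:] + b"VIRAL-CODE"


if __name__ == "__main__":
    base = baseline_for(CLEAN)
    print("clean:   ", scan(CLEAN, base))
    print("infected:", scan(INFECTED, base))
```

The hash comparison catches any change at all but needs a trusted baseline; the entry-point check needs no baseline beyond the original size and is the heuristic that the text describes, though a virus that overwrites code in place rather than appending to it would defeat it.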
OS vendors post information about security vulnerabilities of their
operating systems on their websites periodically and provide security
patches that seal these loopholes. A system administrator should check
such postings and apply security patches regularly. It would foil security
attacks launched through worms.
The Buffer Overflow Technique
The buffer overflow technique can be employed to force a server program
to execute intruder-supplied code and thereby breach the host computer
system's security. It has been used to devastating effect against mail
servers and Web servers. The basic idea of the technique is simple: most
systems contain a fundamental vulnerability in that some programs do not
validate the lengths of inputs they receive from users or other programs.
Because of this vulnerability, a buffer area in which such input is received
may overflow and overwrite the contents of adjoining areas of memory,
including control data such as a function's return address, which the
intruder can then redirect to the code he supplied.
5.11 LET US SUM UP
• Security is a measure of confidence that the integrity of a system and
its data will be preserved.
• Protection is the set of mechanisms that control the access of
processes and users to the resources defined by a computer system.
• Passwords are the principal security tool.
• Two key methods used by operating systems for implementing
security and protection are Authentication and Authorization.
• Security policies specify whether a person should be allowed to use
a system.
• Secrecy, authenticity, and integrity are both protection and security
concerns.
• The access matrix provides an appropriate mechanism for defining
and implementing strict control for both static and dynamic
association between processes and domains.
• Security threats can arise more easily in a distributed OS.
• Authentication is typically performed through passwords, using few
schemes.
• Granularity of protection signifies the degree of discrimination a file
owner can exercise concerning protection of files.
• To avoid the problems of password sniffing and shoulder surfing, a
system can use a set of paired passwords.
• Encryption is application of an algorithmic transformation to data.
• Trojan horses, viruses, and worms are programs that contain some
code that can launch a security attack when activated.
• A virus is a piece of code that infects other programs and spreads to
other systems when the infected programs are copied or transferred.
• A worm is a program that replicates itself in other computer systems
by exploiting holes in their security setup.
5.12 KEYWORDS
• Access Control: The process of regulating access to resources or
data in a computer system, typically based on the identity and
privileges of users or processes.
• Authentication: The process of verifying the identity of a user,
device, or entity attempting to access a system or resource, often
through the presentation of credentials such as passwords, biometric
data, or digital certificates.
• Authorization: The process of determining what actions or
operations a user or entity is allowed to perform within a system or
on specific resources, based on their authenticated identity and
assigned privileges or permissions.
• Encryption: The process of encoding data in such a way that only
authorized parties can access and understand it, typically using
cryptographic algorithms and keys to transform plaintext data into
ciphertext.
• Firewall: A network security device or software application that
monitors and controls incoming and outgoing network traffic based
on predetermined security rules, acting as a barrier between internal
and external networks to prevent unauthorized access and protect
against network-based threats.
5.13 SOME USEFUL BOOKS
Reference Books
• Silberschatz, Abraham, Galvin, Peter and Gagne, Greg (2008).
Operating System Concepts 8th Edition, United States: Wiley
Publications.
• Crowley, Charles (1996). Operating System: A Design-oriented
Approach, United States: Richard D Irwin Publications.
• Nutt, Gary J (1997). Operating Systems: A Modern Perspective,
New Delhi: Pearson Publications.
• Bach, Maurice (1988). Design of the Unix Operating Systems,
New Delhi: Prentice Hall India Learning Private Limited.
Textbook References
• Silberschatz, Abraham, Galvin, Peter B. and Gagne, Greg (2018).
Operating System Concepts (10th edition), Hoboken, NJ: John Wiley &
Sons, Inc.
• Stallings, William (2017). Operating Systems: Internals and Design
Principles (Ninth edition), New Jersey: Pearson Education, Inc.
• Dhamdhere, Dhananjay M. (2009). Operating Systems: A Concept-Based
Approach (First edition), New York: McGraw-Hill.
Websites:
• https://www.javatpoint.com/os-indexed-allocation
• https://padakuu.com/article/149-what-is-the-security-problem
• https://padakuu.com/article/163-access-matrix
• System protection in Operating System:
https://www.slideshare.net/sohaildanish/system-protection
5.14 ANSWER TO CHECK YOUR PROGRESS
Answer to Check Your Progress - 1, Q. 1
Protection and security refer to measures and mechanisms implemented in
computer systems to safeguard against unauthorized access, modification,
disclosure, or destruction of data and resources.
Answer to Check Your Progress - 1, Q. 2
Protection and security are important to ensure the confidentiality,
integrity, and availability of data and resources, prevent unauthorized
access or misuse, comply with regulations and standards, and maintain
trust in the system.
Answer to Check Your Progress - 1, Q. 3
The fundamental principles of protection and security include
confidentiality (ensuring that data is accessible only to authorized users),
integrity (ensuring that data is accurate and has not been tampered with),
and availability (ensuring that data and resources are accessible when
needed).
Answer to Check Your Progress - 2, Q. 1
An access matrix enforces access control policies by defining the
permissible interactions between subjects and objects based on their access
rights. Access requests are evaluated against the access matrix, and access
is granted or denied based on the entries in the matrix.
Answer to Check Your Progress - 2, Q. 2
The limitations of an access matrix include its potential for scalability
issues in large systems with many subjects and objects, the challenge of
managing and updating the matrix as the system evolves, and the difficulty
of defining precise access control policies that balance security and
usability.
5.15 TERMINAL QUESTION
1. What are the goals of protection in operating systems? Explain the
concept of the domain of protection and its significance in ensuring
system security.
2. Describe the access matrix model for protection in operating
systems. How is the access matrix implemented, and what are its
advantages and limitations?
3. Discuss the concept of access rights revocation in operating
systems. Why is it important, and what mechanisms are commonly
used to revoke access rights?
4. Define the security problem in computing systems. Explain the
importance of authentication in ensuring system security.
5. What are one-time passwords, and how do they enhance security
in authentication systems? Discuss common threats to system
security and strategies to mitigate them.