1

CHAPTER 3
OPERATING SYSTEMS CONCEPTS
 A COMPUTER MODEL

• An operating system has to deal with the fact

that a computer is made up of a CPU, random
access memory (RAM), input/output (I/O)
devices, and long-term storage.

2
 3 OS CONCEPTS

• An operating system (OS) provides the interface between the users of a

computer and that computer’s hardware.
• An operating system manages the ways applications access the resources in a
computer, including its disk drives, CPU, main memory, input devices,
output devices, and network interfaces.
• An operating system manages multiple users.
• Unique needs and rights of users/groups should be respected
/malicious activities avoided
• An operating system manages multiple programs.
• Protecting each running app from interfering with each other/ avoid
damaging of resources by malicious apps
THE KERNEL

• The kernel is the core component of the operating

system.
• It handles the management of low-level hardware
resources, including memory, processors, and input/output
(I/O) devices, such as a keyboard, mouse, or video display.
• Most operating systems define the tasks associated
with the kernel in terms of a layer metaphor, with the
hardware components, such as the CPU, memory, and
input/output devices being on the bottom, and
users and applications being on the top.

4
5 INPUT/OUTPUT

The input/output devices of a computer include things like its keyboard,

mouse, video display, and network card, as well as other more optional devices,
like a scanner, Wi-Fi interface, video camera, USB ports, etc.

Each such device is represented in an operating system using a device driver,

which encapsulates the details of how interaction with that device should
be done.
 6 SYSTEM CALLS

System calls are usually contained in a

User applications don’t collection of programs, that is, a library such
as the C library (libc), and they provide an
communicate directly with interface that allows applications to use a
low-level hardware components, predefined series of APIs that define the
and instead delegate such tasks to functions for communicating with the
kernel.
the kernel via system calls.
• Examples of system calls include those for
performing file I/O (open, close, read, write)
and running application programs (exec).
PROCESSES

• A process is an instance of a program that is currently

executing.
• The actual contents of all programs are initially stored in
persistent storage, such as a hard drive.
• In order to be executed, a program must be loaded into random-
access memory (RAM) and uniquely identified as a process.
• In this way, multiple copies of the same program can be run as
different processes.
• For example, we can have multiple copies of MS Powerpoint
open at the same time.
PROCESS IDS

• Each process running on a given computer is identified by a

unique nonnegative integer, called the process ID (PID).
• Given the PID for a process, we can then associate its CPU
time, memory usage, user ID (UID), program name, etc.
 USERS AND THE PROCESS TREE

• If a user creates a new process by making a request to run some program,

• The kernel sees this as an existing process asking to create a new process.
• The process is called forking.
• The existing process is the parent process and the one being forked is known as the child process.
10 INTER-PROCESS COMMUNICATION

Pass messages by reading and writing files

Share the same region of physical memory

Pipes and sockets: the sending and receiving processes to share

the pipe or socket as an in-memory object.
11 INTER-PROCESS COMMUNICATION

Signals: in Unix-based system, processes can send direct messages to

each other asynchronously.

Remote Procedure Calls: Windows rely on remote procedure calls (RPC) which
allows a process to call a subroutine from another process’s program.
FILE SYSTEMS

A filesystem is an abstraction of how the external, nonvolatile memory of the computer is organized.

Operating systems typically organize files hierarchically into folders, also called directories.

Each folder may contain files and/or subfolders.

Thus, a volume, or drive, consists of a collection of nested folders that form a tree.

The topmost folder is the root of this tree and is also called the root folder.

12
13

FILE SYSTEM
EXAMPLE
 FILE PERMISSIONS

• File permissions are checked by the operating system to determine if a file is readable,
writable, or executable by a user or group of users.
• In Unix-like OS’s, a file permission matrix shows who is allowed to do what to the file.
• there is the owner class, which determines permissions for the creator of the
file.
• Next is the group class, which determines permissions for users in the same group
as the file.
• Finally, the others class determines permissions for users who are neither the
owner of the file nor in the same group as the file.
15 MEMORY MANAGEMENT

The RAM memory of a computer is its address space.

It contains both the code for the running program, its input data, and its
working memory.

For any running process, it is organized into different segments, which keep the
different parts of the address space separate.

Security concerns require that we never mix up these different segments.

16 MEMORY ORGANIZATION

Text. This segment contains the actual (binary) machine code of the program.

Data. This segment contains static program variables that have been initialized in the program code.

BSS. This segment, which is named for an antiquated acronym for block started by symbol, contains static
variables that are uninitialized.

Heap. This segment, which is also known as the dynamic segment, stores data generated during the
execution of a process.

Stack. This segment houses a stack data structure that grows downwards and is used for keeping track of
the call structure of subroutines (e.g., methods in Java and functions in C) and their arguments.
17

MEMORY
LAYOUT
 18 Each of the five memory segments has its own set of access
permissions (readable, writable, executable), and these permissions are
MEMORY enforced by the operating system.

ACCESS
PERMISSIONS
The text region is usually read only,

It is generally not desirable to allow the alteration of a

program’s code during its execution.
All other regions are writable, because their contents
may be altered during a program’s execution. ,
19 MEMORY ACCESS PERMISSIONS

An essential rule of operating systems security is that processes are not allowed
to access the address space of other processes, unless they have explicitly
requested to share some of that address space with each other.

Enforcing address space boundaries avoids many serious security problems

by protecting processes from changes by other processes.
 20 MEMORY ACCESS PERMISSIONS

Operating systems divide the address space into two

broad regions:
• user space, where all user-level applications run, and
• kernel space, which is a special area reserved for core operating
system functionality.

Typically, the operating system reserves a set amount

of space at the bottom of each process’s address space.
 21 VIRTUAL MEMORY

• There is generally not enough computer memory for the

address spaces of all running processes.
• Nevertheless, the OS gives each running process the
illusion that it has access to its complete (contiguous)
address space.
• In reality, this view is virtual, in that the OS supports this
view, but it is not really how the memory is organized.
• Instead, memory is divided into pages, and the OS keeps track
of which ones are in memory and which ones are stored
out to disk.
• It allows for a computer to execute a set of processes that
could not be multitasked if they all had to keep their entire
address spaces in main memory all the time.
 22 PAGE FAULTS
1. Process requests virtual address not in memory, causing a page
fault.
2. Paging supervisor pages out
an old block of RAM memory.
“read 0110101”
“Page fault,
Process let me fix that.”
Paging supervisor
old
Blocks in
RAM memory:
new External disk
3. Paging supervisor locates requested block
on the disk and brings it into RAM memory.
 23 VIRTUAL MACHINES

• Virtual machine: A view that an OS presents that a

process is running on a specific architecture and
OS, when really it is something else. E.g., a windows
emulator on a Mac.
• Virtual machine technology allows an operating system to
run without direct contact with its underlying
hardware
• Benefits:
• Hardware Efficiency
• Portability
• Security
• Management
 OPERATING
SYSTEMS SECURITY

24
 25

• To protect a computer, it is essential to

monitor and protect the processes that are
running on that computer
PROCESS • The protection of a computer and its
SECURITY processes should be maintained all the time,
during booting, loading, running ,
sleeping/hibernating state etc.
THE BOOT
SEQUENCE
• The action of loading an operating system into
memory from a powered-off state is known as
booting or bootstrapping.
• When a computer is turned on, it first executes code
stored in a firmware component known as the
BIOS (basic input/output system).
• On modern systems, the BIOS identifies the system
disk and loads into memory the second-stage boot
loader (\bootmgr), which handles loading the rest of
the operating system into memory and then passes
control of execution to the operating system.
BIOS PASSWORDS

• A malicious user could potentially seize execution of a computer at several

points in the boot process.
• To prevent an attacker from initiating the first stages of booting, many
computers feature a BIOS password that does not allow a second-stage
boot loader to be executed without proper authentication.
BOOT DEVICE HIERARCHY

• There are some other security issues related to the boot sequence.
• Most second-stage boot loaders allow the user to specify which device
should be used to load the rest of the operating system.
• In most cases, this option defaults to booting from the hard drive, or in the event of a new
installation, from external media such as a DVD drive
• one should make sure that the operating system is always booted from trusted media
 BOOT DEVICE
HIERARCHY
• There is a customizable hierarchy that determines the order of precedence
of booting devices: the first available device in the list is used for booting.
• This flexibility is important for installation and troubleshooting purposes, but
it could allow an attacker with physical access to boot another OS from an
external media- bypassing the security mechanisms built into the OS intended to
run on the computer.
• To prevent these attacks: second- stage boot loader password protection that only allow authorized
users to boot from external storage media
 HIBERNATION

Modern machines have the ability to go into a powered-off state known as hibernation.

While going into hibernation, the OS stores the contents of machine’s memory into a hibernation file (such as hiberfil.sys) on disk so that
the state of the computer can be quickly restored when the system is powered back on.

But… without additional security precautions, hibernation exposes a machine to potentially invasive forensic investigation.

Since the entire contents of memory are stored into the hibernation file, any passwords or sensitive information that were stored in
memory at the time of hibernation are preserved.

A live CD attack can be performed to gain access to the hibernation file.

• Windows stores as C:\hiberfil.sys.
• To defend against these attacks, hard disk encryption should be applied.
• Can this also happen when in a Sleep mode?

30
 MONITORING, MANAGEMENT, AND LOGGING

• One of the most important aspects of operating systems security is something military people call
“situational awareness.”
• Keeping track of what processes are running, what other machines have interacted with the system
via the Internet etc
• For example, noticing log entries of repeated failed attempts to log in may warn of a brute-force
attack, and prompt a system administrator to change passwords to ensure safety.
 32 EVENT LOGGING

• Operating systems therefore feature built-in systems for

managing event logging.
• Windows defines three possible sources of logs, “System,”
“Application,” and “Security.”
• The System log can only be written to by the operating
system itself, while the Application log may be written to by
ordinary applications.
• Finally, the Security log can only be written to by a special
Windows service known as the Local Security Authority
Subsystem Service.
 33 PROCESS MONITORING

There are several scenarios where we would like to find out exactly
which processes are currently running on our computer.
• For example, our computer might be sluggish and we want to identify an
application using up lots of CPU cycles or memory.
• Or we may suspect that our computer has been compromised by a virus and we
want to check for suspicious processes.

Every operating system therefore provides tools that allow users to

monitor and manage currently running processes.
• Examples include the task manager application in Windows and the ps, top, pstree,
and kill commands in Linux.
34

PROCESS
EXPLORER
35 MEMORY AND FILESYSTEM SECURITY

The contents of a computer are encapsulated in its

memory and filesystem.

Thus, protection of a computer’s content has to start

with the protection of its memory and its filesystem.
 36 VIRTUAL MEMORY SECURITY

virtual memory is a useful tool for operating systems.

It allows for multiple

It supports these multiple
processes with a total
processes to each view its
address space larger than
address spaces as being
our RAM memory to run
contiguous.
effectively,
 37 VIRTUAL MEMORY SECURITY

On Windows, virtual memory pages that have been written

to the hard disk are actually contained in what is known as the
page file, located at C:\pagefile.sys.

OSes enforce rules preventing users from viewing the

contents of virtual memory files while the OS is running,
and it may be configured such that they are deleted when the
machine is shut down.
 ATTACKS ON
VIRTUAL MEMORY

However, if an attacker suddenly powered off the machine without

properly shutting down and booted to another operating system
via external media:
• it may be possible to view these files and reconstruct portions of memory,
potentially exposing sensitive information

Solution: hard disk encryption should be used in all cases where

potentially untrusted parties have physical access to a machine

38
 SECURING USERS

How does the operating system securely identify its users?

A standard authentication mechanism used by most operating

systems is:
 for users to log in by entering a username and password

39
40 PASSWORD SECURITY

The basic approach to guessing passwords from the password file

is to conduct a dictionary attack, a method of breaking into a
password-protected computer or server by systematically
entering every word in a dictionary as a password.

A dictionary of 500,000 “words” is often enough to discover most

passwords.
 41 PASSWORD SALT

• One way to make the dictionary attack more

difficult to launch is to use salt.
• Associate a random number with each userid.
• Rather than comparing the hash of an entered
password with a stored hash of a password,
the system compares the hash of an entered
password and the salt for the associated
userid with a stored hash of the password and
salt.
 HOW PASSWORD SALT WORKS
42 Without salt:

1. User types userid, X, and password, P. Password file:

2. System looks up H, the stored hash of X’s …

password. X: H
…
3. System tests whether h(P) = H.

With salt:

1. User types userid, X, and password, P.

Password file:
2. System looks up S and H, where S is
the random salt for userid X and H is stored …
hash of S and X’s password. X: S, H
…
3. System tests whether h(S||P) = H.
 HOW SALT INCREASES SEARCH SPACE SIZE

• Assuming that an attacker cannot find the salt associated with a userid he is trying to compromise, then the
search space for a dictionary attack on a salted password is of size
2B*D,
where B is the number of bits of the random salt and D is the size of the list of words for the dictionary attack.
• For example, if a system uses a 32-bit salt for each userid and its users pick passwords in a 500,000 word dictionary,
then the search space for attacking salted passwords would be
232 * 500,000 = 2,147,483,648,000,000,
which is over 2 quadrillion.
• Also, even if an attacker can find a salt password for a userid, he only learns one password.
 ASSIGNMENT – PHYSICAL SECURITY AND FILE
SYSTEM SECURITY
• Authentication Technologies
• Physical Protections and Attacks • Barcodes
• Magnetic Stripe Cards
• Locks and Safes
• Smart Cards
• Lock Technology • SIM Cards
• Pin Tumbler Locks • RFIDs
• Tubular and Radial Locks • Biometrics
• Wafer Tumbler Locks • Direct Attacks Against Computers
• Combination Locks • Environmental Attacks and Accidents

• Master and Control Keys • Eavesdropping

• TEMPEST
• Attacks on Locks and Safes
• Live CDs
• Lockpicking • Computer Forensics
• Lock Bumping • Cold Boot Attacks
• Key Duplication and Impressioning • Special-Purpose Machines
• Safe Cracking • Physical Intrusion Detection
• Side Channel Attacks
FILESYSTEM SECURITY

• Access Control
• Advanced File Permissions
• File Descriptors
• Symbolic Links
• Shortcuts