Protection and Security

Contents
 Protection and Security
 Mechanisms and Policies,
 Threats
o Types of threats
 Intruders
 Accidental data lose
 Attacks from inside the system
o Trojan Horse
o Logic Bomb
o Trap doors
o Worms
 Virus
o Difference between Worm and Virus
o Types of Virus
 Boot sector virus,
 Device driver viruses
 Macro viruses
 Polymorphic virus
 Memory resident virus
 Antivirus approaches.
 Protection mechanisms
o Cryptography
o Digital signature
o Trusted system
 User Authentication
o Passwords
o physical identification
o authentication using biometrics
PROTECTION AND SECURITY
Protection refers to a mechanism for controlling the access of program, processes or users to
the resources defined by a computer system
Security refers to providing a protection system to computer resources such as CPU,
memory, disk, software programs and most importantly data/information stored in the
computer system.
If a computer program is run by unauthorized user then he/she may cause severe damage to
computer or data stored in it. So a computer system must be protected against unauthorized
access, malicious access to system memory, viruses, worms etc.
Mechanisms and policies are to keep programs and users from accessing or changing stuff
they should not do.
Mechanism determine how to do something and Policies decide what will be done. The role
of protection in a computer system is to provide a mechanism for the enforcement of
policies.

OPERATING SYSTEMS SECURITY GOALS

Any computer system has four general goals with respect to security.
Computer protection and security mechanisms provided by an operating system must
address the following four requirements:
1) Confidentiality: It means that information maintained by a computer system should be
kept secret (privacy) and be accessible only by authorized parties. Interception occurs
when an unauthorized party gains access to a resource, illegal file copying and the
invocation of programs.
Threat to this goal is ‘exposure of data’.

2) Data Integrity: It means that unauthorized persons should not modify the data without
the owner’s permission. Computer system’s resources can be modified only by
authorized parties. Modification occurs when an unauthorized party not only gains
access to but changes a resource such as data or the execution of a running process.
Threat to this goal is ‘tampering with data’

3) Availability: It means that the system must be made available to the authorized persons
and not to make it unusable or not accessible. Interception occurs when an unauthorized
party reduces the availability of a resource.
Threat for this goal is ‘denial of service’.

4) Authenticity: This means that the computer system must be able to verify the identity
of a user.
 Treat to this goal is ‘fabrication’ which occurs when an unauthorized party inserts forged
data amongst valid data.

THREATS

Threat is an event to cause harm to a system in the form of destruction, disclosure,

modification of data or denial of service.

Generally there are four types of treat they are

1) Interruption: It means physically destroying the hardware resources. For example the
cutting of communication line, destruction of a hard disk, disabling the file management
system, physically damaging the power cables etc..

2) Interception: It means a person access the data without any proper permission from the
owner, this is an attack on the confidentiality. Example include accessing mailbox of
others, trace the passwords and enter into others login, illicit copying of data and files
etc..

3) Data modification: This treat is more dangerous than the other two. In this method
unauthorized persons gains the data and then modify the original data and send as it is to
destination. This is an attack of integrity.

4) Fabrication: It is also a dangerous type where unauthorized people inserts additional

unwanted data in to the original information and send it in the name of an authorized
person. This is an attack on availability and authenticity.

INTRUDERS

Intruders are those who violate the security restriction with the intension of harming the
system.

Intruders are two types

1. Passive intruders are those who just want to read or copy data or files without the
permission from the owner.
2. Active intruders are those who modify the data without any permission. They are more
dangerous. We lose original data permanently from active intruders.

Program Threats or Threats From Inside the System

If a user program made this process to do malicious tasks then it is known as Program
Threats.
One of the common examples of program threat is a program installed in a computer which
can store and send user identification via network to some hacker. Such programs are
commonly known as Malicious Software or Malware.

Malware attempts to cause damage or consume the resources of a target system.

It is software that is specially designed to gain access or damage a computer system or data
stored in that system without the knowledge of the owner. It sometimes prevents the
computer system to perform its regular function in the normal manner.
Malware can be divided into programs that can operate independently; or those that need a
host program to run; and also programs that can replicate (reproduce) themselves.

Following is the list of some well known program threats

 Trojan Horse

A Trojan Horse is a trickery malware. At first glance it will appear to be useful software
but will actually do damage once installed or run on any computer. It is a program or
command procedure containing hidden code, when invoked performs some harmful
function. Some dangerous functions of Trojan horse might be modifying or deleting user’s
file and destroying information on your system. Trojans are also known to create a
backdoor on your computer that gives malicious users access to your system, allowing
confidential or personal information to be compromised. Trojans are not independent they
spread through user interaction such as opening an e-mail attachment or downloading and
running a file from the Internet.

 Trap Door

It is a secret entry point into a user program where it is designed to work as required, and
perform illegal action without the knowledge of the user, almost like a trap. Some functions
of Trap Door malware are simply to bypass the usual authentication process without doing
the normal check. So anyone can enter without the login authentication. It is also not an
independent malware but need some host program to run.

 Logic Bomb

It is a code embedded in a program that misbehaves only when certain conditions are met,
e.g. a certain date or the presence of certain files or users. Otherwise it works as a genuine
program. It is harder to detect. It is also a malware that need some host program to run.

 Virus
 Virus is the most common type malware. A virus is generally a piece of code that attaches
itself into another host program and becomes a part it. When the host code is executed, the
viral code is executed as well. Almost all viruses are attached to an executable file, which
means the virus may exist on a system but will not be active or able to spread until a user
runs or opens the malicious host file or program. A copy of the virus can spread from one
computer to another infecting other programs or files as it travels. They are highly
dangerous and can modify, delete user files, crash systems. Human interference is required
for virus to be active.

 Worms
Worm is considered to be a sub-class of a virus .The biggest danger with a worm is its
capability to replicate itself on the infected system. It could send out hundreds or thousands
of copies of itself. Consumes too much system memory and causes web server, network
server and individual computer to stop responding. A worm enters a computer through
vulnerability in the system and takes advantage of file-transport or information-transport
features on the system, allowing it to travel independently. Worms are standalone software
and do not require a host program or human help to propagate. Worms spread from
computer to computer without any human action.
Eg: a worm could send a copy of itself to everyone listed in your e-mail address book.
Difference between worm and virus

 Worm is considered to be a sub-class of a virus.

 Viruses require the spreading of an infected host file to propagate, where as the worms
are standalone software and do not require a host program or human help to propagate.
Worms spread from computer to computer without any human action.
 Virus require human interference to be active where as worms get active by itself once it
enters the system

can infect other file whereas worm does not infect other file but it occupies memory space

whereas the aim worm is to mac computer and network unusable.

TYPES OF VIRUS

Viruses are designed to be attached to files that have some programming capability. Such
files are usually the executable files.
Viruses can be classified according to their origin, techniques used, damage caused,
platforms they use for attack and the types of files they mainly select for damage.
The types of viruses are:
1) Boot Sector Virus:
As the name suggests a boot sector virus affects the boot section of a computer. Boot
sector is the section which is accessed at the very first when the computer is turned on. It
is used to boot the information used by the operating system. This kind of virus infects
the boot sector and spreads when a system is booted and could also overwrite the boot
sector program
Examples of boot viruses include: Polyboot.B, Michelangelo, Stone virus

2) Memory-Resident Virus:
This type of virus reside in the main memory all the time . From that point on, the virus
infects every program that executes. Whenever a program is loaded into memory for
execution, it attaches itself to that program and can manipulate any file that is executed,
copied or moved.
Examples of Memory-Resident Virus are: Randex, CMJ, Meve

3) Polymorphic Virus:
This type of viruses changes itself with each infection and it creates multiple copies but
have different bit pattern. These viruses are more difficult to detect by scanning by the
antivirus software because each copy of the virus looks different than the other copies.
Examples of Polymorphic Virus are: Phoenix, Evil Satan, Bug Proud, virus 101

4) Macro Virus:
This type of virus infects the files that are created using some applications which contain
macros. A macro is a collection of several commands grouped together. These
commands are executed with a single keystroke whenever we want. Many applications
use macros such as MSWord, Excel Assembly language developers etc. Macro viruses
infect the documents, not the executable portions of the code. These viruses exploit
certain features found in the Applications such as MS Word or MS Excel. Macro viruses
are easily spread. A very common method is by electronic mail.
Examples of Macro Virus are :Melissa A, Relax, Nuclear, Word concept.

5) Stealth Virus:
A form of virus explicitly designed to hide itself from detection by antivirus software.
This type of virus hides its path after it infects the computer system. It is the virus who
hides the modification it has made in the file or boot record
Examples Stealth virus are: Frodo, Joshi, Whale

6) E-Mail Viruses:
This is a new kind of virus that arrives via email and it uses the email features to
propagate itself. Virus gets executed when email attachment is open by recipient. Virus
sends itself to everyone on the mailing list of sender.
Examples of email virus are : Melissa A, ILOVEYOU, Klez.
How a Virus Works

During the life time of a typical virus it goes through the following four phases:
1. Dormant Phase: In this state the virus is idle waiting for some event to happen before
it gets activated. Some examples of these events are: A date, the presence of another
program or file, the capacity of the disk exceeding some limit etc... Not all viruses have
this stage
2. Propagation Phase: In this stage the virus makes an identical copy of it and attaches
itself to another program. This infected program contains the virus and will in turn enter
into a propagation phase to transmit the virus to other programs
3. Triggering Phase: In this phase the virus is activated to perform the function for which
it was intended. The triggering phase can also be caused by a set of system events
4. Execution Phase: In this phase the virus performs its function such as damaging
programs and data files. This is the running phase of virus.

Antivirus Software
It is a program which is used to scan files and directory and identify and eliminate the
viruses and other malicious softwares.
The recovery by antivirus software includes 3 phases, these are
1. Detection: Using scanners we can detect the virus and can identify the location of the
virus
2. Identification: Once detected the virus then we can identify what type of virus it is.
Decision of antivirus software depends on the identification of the virus
3. Removal: Once virus is identified remove it from all infected systems and programs
Antivirus software also needs to be regularly updated in order to recognize the latest threats.

Protection Mechanism
Various mechanisms to safe guard the system from intruders and threats are as follows:

1. Cryptography

It is a mechanism of providing security to the information from unauthorized persons.

Cryptography is a method of transforming an intelligible message known as ‘plain text’ into
an unintelligible form called ‘cipher text’ and then sends the data to the destination. Only
the destination person knows how to convert it back to the plain text which is the original
message. The term cryptography is a Greek word which means "secret writing".
Cryptography involves the process of ‘Encryption’ and ‘Decryption’.
Encryption is the process of changing a plaintext into cipher text using an Encryption
algorithm and a key
Decryption is the process of changing the Cipher text back to its plain text .A decryption
algorithm is used to take the Cipher text and the key to produces the original plaintext.

Suppose ‘P’ is the plain text file ,’KE’ is the encryption key, ’KD’ is the decryption key,
’C’ is the cipher text and ‘E’ and ‘D’ are encryption and decryption algorithm, then
C=E (P, KE) at sender side
P=D(C, KD) at receiver side

There are two types of cryptographic techniques

a) Symmetric-key Cryptography (Secret key): Both the sender and receiver share a
single key. The sender uses this key to encrypt plaintext and send the cipher text to
the receiver. On the other side the receiver applies the same key to decrypt the
message and recover the plain text.

b) Public-Key Cryptography(asymmetric): In Public-Key Cryptography two related

keys (public and private key) are used. Public key may be freely distributed; it means
it can be made public, while its paired private key remains a secret. The public key is
used for encryption and for decryption private key is used or vice versa.

2. Digital Signature

A digital signature is a mathematical technique used to validate the authenticity and

integrity of a message, software or digital document.
Digital signatures are based on public key cryptography, also known as asymmetric
cryptography.

How a digital signatures work

Step1: To create a digital signature, signing software (such as an email program) creates a one-way
hash of the electronic data to be signed. A hash function is used to transform the electronic data
into a 128-bit value which is smaller than the text itself, known as hash value(H) or message digest
.
Step 2: Using the sender’s private key encrypt the hash value. The encrypted hash along with
hashing algorithm is the digital signature
The reason for encrypting the hash instead of the entire message or document is that the hash is
smaller than the text itself; this saves time since hashing is much faster than signing.
The value of the hash is unique to the hashed data. Any change in the data, even changing or
deleting a single character, results in a different value.
Step 3: The encrypted hash value so formed known as the digital signature is appended to the
original document and sent to the receiver.
Step 4: At the receiver end the receiver’s public key is used to decrypt the hash value send as
signature(H). Then the recipient uses the same hash function on the document to recalculate the
hash code (H’) and check to see if the recalculated hash code is equal to the decrypted hash code.
I.e H’=H
Step 5: If the decrypted hash matches a second computed hash of the same data, it proves that the
data hasn't changed since it was signed. If the two hashes don't match, the data has been tampered.

3. Trusted System
Trusted Systems used to enhance the ability to defend against intruders and malicious
programs.
Another approach to protect data and resources is based on levels of security. This is
commonly found in military and equally applicable in other areas as well , where
information is categorized as unclassified (U), confidential (C), secret (S), top secret (TS),
or beyond. If a person wants to open a file he must have a right to operate prescribed
category only. When multiple categories or levels of data are defined, the requirement is
referred to as ‘multilevel security’.
Another type of security mechanism of trusted system is reference monitor concept. The
reference monitor is a controlling element in the hardware and operating system of a
computer that regulates the access of subjects to objects on the basis of security parameters
of the subject and object. The reference monitor has a file, known as the ‘security kernel
database’ that lists the access privilege of each subject and the protection attributes of each
object. The reference monitor enforces the security rules.
A system that can provide such verification is referred as trusted systems
User Authentication Methods
The problem of identifying the users when they login is called user authentication.
Authentication can be categorized into three main types: Passwords (secret-what you
know), Tokens (what you have) and Biometrics (who you are)
a) Passwords
Password is a secret word or phrase or personal identification number. It is a very simple
efficient method and also easy to implement. A password mechanism works like this, when
a user is asked to login using his name and password then the password entered is encrypted
and verified by a login program with a help of a password file. If a mach is found then login
is permitted, otherwise denied.
b) Physical Identification (Tokens)
It is another type of authentication mechanism. A token is a physical device used to aid
authentication. Each user is identified by a card .Example Bank cards, smart cards etc.
Whenever user want to login to the system the card is inserted which then checks to see the
validity by using a PIN as a password..
Another approach is ‘signature analysis’. The user signs his name with a special pen
connected to the terminal and the computer compares it to a known specimen stored online.
c) Biometrics system
A biometric ID is a distinguishing feature of the human body that can be verified as unique
to be used for authentication. Examples fingerprints, iris, face, voice etc. Physical
characteristics of the user are hard to forge.
Biometric system consists of two parts; one is called ‘enrollment’ and other called
verification or ‘identification’ part. In the first part the user’s physical characteristics are
measured and converted into digitalized and then stored in a database. The second part is
identification which asks the user for login using the physical part, if the parts are matched
then the login is allowed otherwise rejected.