Operating Systems
ECEG-5202
INTRODUCTION TO SECURITY
Outline
▪ Introduction
▪ Threats and attacks
▪ Defenses
January 16, 2023 INTRODUCTION TO SECURITY 2
Introduction
Computer security
The protection afforded to an automated information system in order to
attain the applicable objectives of preserving the integrity, availability, and
confidentiality of information system resources (includes hardware, software,
firmware, information/data, and telecommunications).
NIST Computer Security Handbook
Three key objectives
◦ Confidentiality
◦ Integrity
◦ Availability
Introduction…
Confidentiality
◦ Data confidentiality
◦ Assures that private or confidential information is not made available or disclosed to
unauthorized individuals
◦ Privacy
◦ Assures that individuals control or influence what information related to them may be collected
and stored and by whom and to whom that information may be disclosed
◦ A loss of confidentiality is the unauthorized disclosure of information
Introduction…
Integrity
◦ Data integrity
◦ Assures that information and programs are changed only in a specified and authorized manner
◦ System integrity
◦ Assures that a system performs its intended function in an unimpaired manner, free from deliberate or
inadvertent unauthorized manipulation of the system
◦ A loss of integrity is the unauthorized modification or destruction of information
Introduction…
Availability
◦ Assures that systems work promptly and service is not denied to authorized users
◦ A loss of availability is the disruption of access to or use of information or an
information system
CIA triad
◦ Security requirements
◦ Fundamental security objective
Introduction…
CIA attacks on assets
Introduction…
Additional concepts
◦ Authenticity
◦ The property of being genuine and being able to be verified and trusted; confidence in the
validity of a transmission, a message, or message originator
◦ Verifying that users are who they say they are and that each input arriving at the system came
from a trusted source
◦ Accountability
◦ Refers to the requirement for actions of an entity to be traced uniquely to that entity
◦ This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention,
and after-action recovery and legal action
◦ Systems must keep records of their activities to permit later forensic analysis to trace security
breaches or to aid in transaction disputes
Introduction
Security is about
◦ Honest user (e.g., Alice, Bob, …)
◦ Dishonest attacker
◦ How the attacker
◦ Disrupts honest user’s use of the system (Integrity, Availability)
◦ Learns information intended for Alice only (Confidentiality)
Introduction…
Network security
Introduction…
Web security
Introduction…
Operating system security
Threats and attacks
Threats and attacks…
Communication lines and networks
◦ Passive attacks
◦ Attempts to learn or make use of information from the system but does not affect system
resources
◦ Goal
◦ Obtain information that is being transmitted
Threats and attacks…
Communication lines and networks ….
◦ Passive attacks…
◦ A telephone conversation, an electronic mail message, and a transferred file are subject to these
threats
◦ Release of message content
◦ Difficult to detect
◦ Do not involve any alteration of the data
◦ Solution
◦ Prevent the success of these attacks by means of encryption
◦ Encryption masks the contents of what is transferred; even if someone obtains the data, they
would be unable to extract information
◦ Traffic analysis
◦ Focus is on prevention rather than detection
Threats and attacks…
Communication Lines and Networks…
◦ Active attacks
◦ Attempts to alter system resources or affect their operation
◦ Replay
◦ Involves the passive capture of a data unit and its subsequent retransmission to produce an
unauthorized effect
◦ Masquerade
◦ Takes place when one entity pretends to be a different entity
◦ Modification of messages
◦ Some portion of a legitimate message is altered, or messages are delayed or reordered, to produce
an unauthorized effect
◦ Example
◦ A message stating, “Allow John Smith to read confidential file accounts” is modified to say, “Allow
Fred Brown to read confidential file accounts”
Threats and attacks…
Communication Lines and Networks…
◦ Active attacks…
◦ Denial of service
◦ Prevents or inhibits the normal use or management of communications facilities
◦ Disable network or overload it with messages
◦ Difficult to prevent active attacks
◦ Require physical protection of all communications facilities and paths at all times
◦ Goal
◦ To detect them and recover from any disruption or delays caused by them
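The goal of detecting active attacks can be illustrated with the "Allow John Smith" message from the modification example. This is an added example, not part of the original slides: it assumes a key shared only by sender and receiver, and the names `seal`, `Receiver` and `KEY` are hypothetical. An HMAC tag exposes modification and masquerade, and a sequence number exposes replayed or reordered messages.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"   # assumption: shared only by sender and receiver

def seal(seq, text, key=KEY):
    """Sender: bind the text to a sequence number and tag both with HMAC-SHA256."""
    body = json.dumps({"seq": seq, "text": text}, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

class Receiver:
    def __init__(self, key=KEY):
        self.key = key
        self.last_seq = 0       # highest sequence number accepted so far

    def accept(self, packet):
        # Recompute the tag over the received bytes; compare in constant time.
        expected = hmac.new(self.key, packet["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, packet["tag"]):
            return "rejected: bad tag"          # modified, or sent without the key
        msg = json.loads(packet["body"])
        if msg["seq"] <= self.last_seq:
            return "rejected: replayed or reordered"
        self.last_seq = msg["seq"]
        return "accepted: " + msg["text"]

def demo():
    """Constructed traffic: one altered, one unkeyed, one genuine, one repeated."""
    rx = Receiver()
    text = "Allow John Smith to read confidential file accounts"
    original = seal(1, text)
    altered = dict(original,
                   body=original["body"].replace(b"John Smith", b"Fred Brown"))
    unkeyed = seal(2, text.replace("John Smith", "Fred Brown"),
                   key=b"not-the-shared-key")
    return [rx.accept(altered), rx.accept(unkeyed),
            rx.accept(original), rx.accept(original)]
```

The tag only detects tampering; it does not hide the message, so protection against passive attacks still needs encryption.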
Threats and attacks…
Malicious software
◦ Backdoor (trapdoor)
◦ Is a secret entry point into a program that allows someone who is aware of the backdoor to gain
access
◦ Previously used to debug a program by programmers
◦ Used to gain special privileges
◦ Known as a maintenance hook
◦ Is code that recognizes some special sequence of input or is triggered by being run from a
certain user ID or by an unlikely sequence of events
◦ Becomes threat when used to gain unauthorized access
◦ Difficult to implement OS controls for backdoors
Threats and attacks…
Malicious software…
◦ Logic bomb
◦ Is code embedded in some legitimate program that is set to “explode” when certain conditions
are met
◦ Examples of triggers
◦ Presence or absence of certain files
◦ A particular day of the week or date
◦ A particular user running the application
◦ Once triggered, a bomb may alter or delete data or entire files, cause a machine halt, or do
some other damage
Threats and attacks…
Malicious software…
◦ Trojan horse
◦ Claims to do one thing (it may claim to be a game) but instead does damage when you run it (it may erase
your hard disk)
◦ Fits into one of the following three models
1. Continuing to perform the function of the original program and additionally performing
a separate malicious activity
2. Continuing to perform the function of the original program but modifying the function
to perform malicious activity or to disguise other malicious activity
◦ Example:
◦ A Trojan horse version of a login program that collects passwords
◦ A Trojan horse version of a process listing program that does not display certain processes that are
malicious
3. Performing a malicious function that completely replaces the function of the original
program
Threats and attacks…
Malicious software…
◦ Mobile code
◦ Refers to programs (e.g., script, macro, or other portable instruction) that can be shipped
unchanged to a heterogeneous collection of platforms and execute with identical semantics
◦ Transmitted from a remote system to a local system and then executed on the local system
without the user’s explicit instruction
◦ Often acts as a mechanism for a virus, worm, or Trojan horse to be transmitted to the user’s
workstation
◦ Mediums
◦ Java applets, ActiveX, JavaScript, VBScript
Threats and attacks…
Viruses
◦ Same as other programs, but attaches itself to another program and executes secretly when the
host program is run
◦ Piece of code that automatically reproduces itself
◦ Infects other programs by modifying them
◦ Injecting the original program with a routine to make copies of the virus program
◦ A computer virus has three parts (infection, trigger and payload)
◦ Phases of a typical virus during its lifetime
◦ Dormant phase
◦ Propagation phase
◦ Triggering phase
◦ Execution phase
Threats and attacks…
Worms
◦ Piece of code that automatically reproduces itself over the network
◦ It doesn’t need the user intervention to propagate (autonomous)
◦ Scanning
◦ Examine host tables
◦ Target selection algorithm
◦ Email addresses, DNS, IP, network neighborhood
◦ To replicate itself, a network worm uses some sort of network vehicle
◦ Electronic email facility
◦ Emails itself to other systems
◦ Remote execution capability
◦ Executes a copy of itself using an explicit remote execution facility or by exploiting a program flaw
◦ Remote login capability
◦ Payload
◦ Malicious programs, virus, Trojan horse
◦ Backdoor, DDoS agent, etc.
[Figure: worm components (infection, trigger, target selection algorithm, scanning engine, payload)]
Threats and attacks…
Bots (Robots)
◦ Is a program that secretly takes over another Internet-attached computer and then
uses that computer to launch attacks that are difficult to trace to the bot’s creator
◦ Botnet
◦ A collection of bots, often capable of acting in a coordinated manner
◦ Characteristics
◦ Bot functionality
◦ Remote control facility
◦ Spreading mechanism to propagate the bots and construct botnet
◦ Could be used for (examples)
◦ Distributed denial-of-service (DDoS) attacks
◦ Is an attack on a computer system or network that causes a loss of service to users
◦ Spamming
◦ To send massive amounts of bulk e-mail (spam)
◦ Sniffing traffic
◦ To watch for interesting clear text data passing by a compromised machine
◦ Mostly used to retrieve sensitive information like usernames and passwords
Threats and attacks…
Rootkits
◦ Is a set of programs installed on a system to maintain administrator (or root)
access to that system
◦ Can make many changes to a system to hide its existence
◦ Alters the host’s standard functionality in a malicious and stealthy way
◦ With root access, an attacker can
◦ Have complete control of the system
◦ Add or change programs and files
◦ Monitor processes
◦ Send and receive network traffic
Threats and attacks…
Rootkit…
◦ Could be classified based on whether they can survive a reboot and execution mode
◦ Persistent
◦ Activates each time the system boots
◦ Must store code in a persistent store, such as the registry or file system, and configure a method by
which the code executes without user intervention
◦ Memory based
◦ Has no persistent code and therefore cannot survive a reboot
◦ User mode
◦ Intercepts calls to APIs (Application Program Interfaces) and modifies returned results
◦ Example: when an application performs a directory listing, the returned results don’t include entries
identifying the files associated with the rootkit
◦ Kernel mode
◦ Can intercept calls to native APIs in kernel mode
◦ Example: the rootkit can hide the presence of a malware process by removing it from the kernel’s list of
active processes
Threats and attacks…
Rootkits…
◦ System-level call attacks (Kernel-level rootkits)
◦ Programs operating at the user level interact with the kernel through system calls
◦ System calls are a primary target of kernel-level rootkits to achieve concealment
◦ System call implementation (in Linux)
◦ Each system call is assigned a unique syscall number which is used by user-mode processes
◦ Kernel maintains a system call table with one entry per system call routine
◦ Each entry contains a pointer to the corresponding routine
◦ Syscall number serves as an index into the system call table
Threats and attacks…
Rootkits…
◦ System-level call attacks…
◦ Techniques that can be used to change
system calls
◦ Modify the system call table
◦ The attacker modifies selected syscall addresses stored in the system call table
◦ Modify system call table targets
◦ The attacker overwrites selected legitimate system call routines with malicious code
◦ The system call table is not changed
◦ Redirect the system call table
◦ The attacker redirects references to the entire system call table to a new table in a new kernel memory
location
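The table-indexed dispatch and the three changes listed above can be modelled in user space to show what an integrity check has to compare for each one. This is an added example, not part of the original slides and not kernel code: `Kernel`, `snapshot`, `check` and the toy routines are hypothetical names, and Python function objects stand in for kernel routines.

```python
import hashlib

# Constructed stand-ins for kernel system call routines (hypothetical names).
def sys_read(fd): return f"read({fd})"
def sys_getdents(fd): return ["notes.txt", "hidden.bin"]

class Kernel:
    """User-space model: the syscall number indexes a table of routine references."""
    def __init__(self):
        self.table = [sys_read, sys_getdents]
    def syscall(self, nr, *args):
        return self.table[nr](*args)

def digest(fn):  # fingerprint of a routine's code and constants
    code = fn.__code__
    return hashlib.sha256(code.co_code + repr(code.co_consts).encode()).hexdigest()

def snapshot(kernel):  # known-good state, recorded while the system is trusted
    return {"table": kernel.table, "entries": list(kernel.table),
            "digests": [digest(f) for f in kernel.table]}

def check(kernel, base):
    """Compare live state with the baseline; return a list of findings."""
    findings = []
    if kernel.table is not base["table"]:
        findings.append("table redirected")
    for nr, good in enumerate(base["entries"]):
        live = kernel.table[nr] if nr < len(kernel.table) else None
        if live is not good:
            findings.append(f"entry {nr} modified")
        elif digest(good) != base["digests"][nr]:
            findings.append(f"routine {nr} overwritten")
    return findings

def demo():
    """Apply each of the three changes to the model and collect the findings."""
    def filtered(fd): return ["notes.txt"]
    k = Kernel()
    base = snapshot(k)
    out = {"clean": check(k, base)}
    k.table[1] = filtered                       # 1: table entry changed
    out["modify_table"] = check(k, base)
    k.table[1] = sys_getdents
    # 2: routine body changed in place, table untouched
    saved, sys_getdents.__code__ = sys_getdents.__code__, filtered.__code__
    out["modify_targets"] = check(k, base)
    sys_getdents.__code__ = saved
    k.table = list(base["entries"])             # 3: another table is referenced
    out["redirect_table"] = check(k, base)
    return out
```

Comparing table entries alone misses the second and third changes, which is why the check also fingerprints routine contents and the identity of the table itself.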
Defenses
Many techniques exist for ensuring computer and network security
◦ Cryptography
◦ Secure networks
◦ Antivirus software
◦ Firewalls
◦ Access control
In addition, users have to practice “safe computing” by
◦ Not downloading from unsafe websites
◦ Not opening unknown attachments
◦ Not always trusting what you see on websites
◦ Avoiding scams
◦ …
Acknowledgment
These slides are adopted from the slides of
Surafel Lemma Abebe (Ph. D.)
Here, I would like to acknowledge and thank him for allowing me to
customize and use the slides for this course.