Security and Protection
• The security Environment
• Basics of Cryptography
• User authentication
• Attacks from inside the system
• Attacks from outside the system
• Protection mechanisms
• Trusted systems
• Summary
The Security Environment
• Security and protection are often used as interchangeable terms.
• To avoid confusion we will use the term security to refer to the
overall problem, and the term protection mechanism to refer to
the specific operating system mechanism used to safeguard
information in the computer.
• First we will look at security to see what the nature of the
problem is.
• Later on in the chapter we will look at the protection
mechanisms and models available to help achieve security.
Threats
• The sources of threats are listed in figure 9.1.
• Security goals and threats
• The first goal, data confidentiality, is concerned with
having secret data remain secret.
• The second goal, data integrity, means that unauthorized
users should not be able to modify any data without the
owner's permission.
• The third goal, system availability, means that nobody can
disturb the system to make it unusable.
• Such denial of service attacks are increasingly common
(typically they work by flooding the system with requests).
• Another aspect of security is privacy: protecting
individuals from misuse of information about them.
Intruders
• In the security literature, people who are nosing around places
where they have no business being are called intruders or,
sometimes, adversaries.
• Intruders act in two ways.
– Passive intruders just want to read files they are not
authorized to read.
– Active intruders are more malicious; they want to make
unauthorized changes to data.
• When designing a system to be secure against intruders, it helps
to know the common categories of intruder:
– Casual prying by nontechnical users; reading other people's
files and mail.
– Snooping by insiders; breaking security is taken as a personal
challenge.
– Determined attempts to make money; e.g., stealing from the
bank they work for.
– Commercial or military espionage; stealing programs,
trade secrets, patentable ideas, technology, circuit
designs, business plans and so forth.
• A virus may be an intruder itself.
• Intruders try to break into a specific system to steal or
destroy particular data, whereas a virus usually causes more
general damage.
Accidental data loss
• In addition to threats caused by malicious intruders,
valuable data can be lost by accident.
• Some common causes of accidental data loss are:
– Acts of God; fires, floods, earthquakes, wars, riots, or
rats gnawing tapes or floppy disks.
– Hardware or software errors; CPU malfunctions,
unreadable disks or tapes, telecommunication errors,
program bugs.
– Human errors; incorrect data entry, wrong tape or disk
mounted, wrong program run, lost disk or tape, or
some other mistake.
• Maintaining adequate backups, preferably far from the
original data, is the defense against all of these.
Basics of Cryptography
• A little knowledge of cryptography may be useful for
understanding parts of this chapter.
• The purpose of cryptography is to take a message or file,
called the plaintext, and encrypt it into ciphertext in such a
way that only authorized people know how to convert it back to
the plaintext.
• Should the encryption and decryption algorithms be
public?
• They cannot be kept secret in practice.
• In the trade, relying on keeping them secret is called security
by obscurity.
• Instead, the secrecy depends on parameters to the
algorithms called keys.
• If P is the plaintext, KE is the encryption key, C is the
ciphertext, and E is the encryption algorithm (function), then
C = E(P, KE).
• This is the definition of encryption.
• Similarly, P = D(C, KD), where D is the decryption
algorithm, KD is the decryption key and P is the plaintext.
• This relation is shown in figure 9.2.
• Figure 9.2. Relationship between the plaintext and the ciphertext
Secret-key Cryptography
• Mono-alphabetic substitution
– each letter is replaced by a different letter
• Given the encryption key,
– it is easy to find the decryption key
• Secret-key crypto is also called symmetric-key crypto
• To make this clearer, consider an encryption algorithm in
which each letter is replaced by a different letter, for
example, all As are replaced by Qs, all Bs are replaced
by Ws, all Cs are replaced by Es and so on. Like this:
• Plaintext: ABCDEFGHIJKLMNOPQRSTUVWXYZ
• Ciphertext: QWERTYUIOPASDFGHJKLZXCVBNM
• This general system is called a mono-alphabetic
substitution; for example, the plaintext ATTACK would
be transformed into the ciphertext QZZQEA.
• At first glance this might appear to be a safe system
because, although the intruder knows the general system, he
does not know which of the 26! ≈ 4 × 10^26 possible keys
is in use.
• However, in English e is the most common letter, followed
by t, o, a, n, i, and the most common digrams are th,
in, er, re, etc.
• Many cryptographic systems, like this one, have the property
that given the encryption key it is easy to find the decryption
key, and vice versa.
• Such systems are called secret-key cryptography or
symmetric-key cryptography.
• For security, 1024-bit keys should be used, giving a search
space of 2^1024 ≈ 2 × 10^308 keys.
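The substitution cipher of the previous slides in Python, as an added example that is not part of the original slides or of Tanenbaum's text. The key is the QWERTY mapping shown above; the sample sentence and the function names are constructed for this illustration. The frequency count at the end is the statistical leak the slides describe: the most common ciphertext letter is almost always the image of e.

```python
import string
from collections import Counter

# The key from the slides: plaintext alphabet mapped onto keyboard order.
PLAIN = string.ascii_uppercase
CIPHER = "QWERTYUIOPASDFGHJKLZXCVBNM"
ENC_TABLE = str.maketrans(PLAIN, CIPHER)
DEC_TABLE = str.maketrans(CIPHER, PLAIN)  # decryption key = inverse of the encryption key

# Constructed sample plaintext for the frequency-analysis demonstration.
SAMPLE = "THE BEST DEFENSE IS TO KEEP THE KEY SECRET AND THE SYSTEM OPEN"


def encrypt(plaintext: str) -> str:
    """Mono-alphabetic substitution: every occurrence of a letter gets the same partner."""
    return plaintext.upper().translate(ENC_TABLE)


def decrypt(ciphertext: str) -> str:
    return ciphertext.upper().translate(DEC_TABLE)


def most_common_letters(text: str, top: int = 3) -> list:
    """Letter frequencies survive substitution unchanged; that is the weakness."""
    letters = [ch for ch in text.upper() if ch in PLAIN]
    return [ch for ch, _ in Counter(letters).most_common(top)]


def guess_cipher_letter_for_e(ciphertext: str) -> str:
    """First step of a frequency attack: assume the most common ciphertext letter is E."""
    return most_common_letters(ciphertext, top=1)[0]


if __name__ == "__main__":
    c = encrypt(SAMPLE)
    print(encrypt("ATTACK"))                         # QZZQEA, as on the slides
    print(guess_cipher_letter_for_e(c), "stands for E")
```

Note that the 26! key space never has to be searched: a few hundred characters of ciphertext and a table of English letter frequencies recover most of the key directly.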
Public-key Cryptography
• All users pick a public key/private key pair
– publish the public key
– the private key is not published
• The public key is the encryption key
– the private key is the decryption key
• Secret-key mechanisms are efficient, but both parties must be in
possession of the shared secret key.
• To get around this problem, public-key cryptography is
used.
• To see the idea behind public-key cryptography, consider the
following two questions:
• Question 1: how much is
314159265358979 × 314159265358979?
• Question 2: what is the square root of
3912571506419387090594828508241?
• Encryption makes use of the easy operation, but
decryption without the key requires you to perform the hard
operation.
• A public-key system called RSA exploits the fact that
multiplying big numbers is much easier for a computer to
do than factoring big numbers, especially when all
arithmetic is done using modulo arithmetic and all the
numbers involved have hundreds of digits.
• Public-key cryptography is about a thousand times slower than
symmetric cryptography.
• Everyone picks a (public key, private key) pair.
• The public key is the encryption key and the private key is
the decryption key.
• To send a secret message to a user, a correspondent
encrypts the message with the receiver's public key.
• Since only the receiver has the private key, only the receiver
can decrypt the message.
One-way functions
• A function such that, given the formula for f(x),
– it is easy to evaluate y = f(x)
• but given y,
– it is computationally infeasible to find x
• There are various situations, which we will see later, in which it
is desirable to have a function f with the property that,
given f and its parameter x, computing y = f(x) is easy
to do, but given only f(x), finding x is computationally
infeasible.
• For example, such a function could start by initializing y to x.
• Then it could have a loop that iterates as many times as
there are 1 bits in x, with each iteration permuting the bits of y
in an iteration-dependent way, adding in a different constant
on each iteration, and generally mixing the bits up very
thoroughly.
Digital signatures
• Digital signatures make it possible to sign email messages
and other digital documents in such a way that they cannot
be repudiated by the sender later (this requires a hashing
operation).
• The most popular hashing functions used are MD5 (Message
Digest), which produces a 16-byte result, and SHA (Secure
Hash Algorithm), which produces a 20-byte result.
• The next step assumes the use of public-key cryptography as
described above.
• The document owner then applies his private key to the
hash to get D(hash).
• This value, called the signature block, is appended to the
document and sent to the receiver, as shown in figure 9.3.
• Figure 9.3. Computing a signature block; what the receiver gets
• The receiver computes the hash of the document using MD5
or SHA, as agreed upon in advance.
• The receiver then applies the sender's public key to the
signature block to get E(D(hash)).
• This relies on E(D(x)) = x.
• What we originally asked for was that
D(E(x)) = x,
where E is the encryption function and D is the decryption
function.
• So the order of application must not matter, and the RSA
algorithm has this property.
• One common method is for message senders to attach a
certificate to the message, which contains the user's name and
public key and is digitally signed by a trusted third party.
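The RSA mechanism of the public-key slides and the signature procedure of the last two slides, worked through in one added Python example that is not part of the original slides or of Tanenbaum's text. The primes 61 and 53 (modulus 3233) are toy values chosen so the arithmetic is visible; real keys use primes of hundreds of digits. SHA-1 is the 20-byte hash named on the slides, reduced mod n only so that it fits the toy modulus; the function names are assumptions of this example.

```python
import hashlib
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Toy RSA key generation from two primes. Public key (e, n), private key (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse, so e*d == 1 (mod phi); Python 3.8+
    return (e, n), (d, n)


def encrypt(message: int, public_key) -> int:
    """C = E(P, KE): the easy operation (modular exponentiation with the public key)."""
    e, n = public_key
    if not 0 <= message < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(message, e, n)


def decrypt(ciphertext: int, private_key) -> int:
    """P = D(C, KD): only the holder of d can do this without factoring n."""
    d, n = private_key
    return pow(ciphertext, d, n)


def document_hash(document: bytes, n: int) -> int:
    """SHA-1 (the 20-byte result named on the slides), reduced mod n for the toy modulus."""
    return int.from_bytes(hashlib.sha1(document).digest(), "big") % n


def sign(document: bytes, private_key) -> int:
    """Signature block = D(hash): the owner applies the private key to the hash."""
    d, n = private_key
    return pow(document_hash(document, n), d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """Receiver recomputes the hash and checks E(D(hash)) == hash with the public key."""
    e, n = public_key
    return pow(signature, e, n) == document_hash(document, n)


if __name__ == "__main__":
    public, private = make_keypair(61, 53)
    c = encrypt(65, public)
    print(c, decrypt(c, private))                        # 2790 65
    doc = b"Pay Bobbie 100 euros"                        # constructed document
    s = sign(doc, private)
    print(verify(doc, s, public), verify(doc, (s + 1) % public[1], public))   # True False
```

Because x -> x^e mod n is a permutation of the residues, any signature value other than the genuine one fails verification deterministically; this is the E(D(x)) = D(E(x)) = x property the slides rely on.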
User Authentication
• Security issues in operating systems.
• When a user logs into a computer, the OS normally wishes
to determine who the user is, a process called user
authentication.
• Three general principles of user authentication are given
below.
– Something the user knows.
– Something the user has.
– Something the user is.
• These principles lead to different authentication schemes
with different complexity and security properties.
• People who want to cause trouble on a particular system
have to first log into that system, which means getting past
whichever authentication procedure is used.
• These people are commonly called hackers, although that term
was originally used for programmers, as a term of honor
reserved for great programmers.
• In the true sense of the word, we will call people who try to
break into computer systems where they do not belong crackers.
Authentication using passwords
• The most widely used form of authentication is to require
the user to type a login name and a password (echoed as
asterisks).
• If they match, login is allowed; if not, it is refused.
• Another area in which not quite getting it right has serious
security implications is illustrated in figure 9.4:
– (a) A successful login.
– (b) A failed attempt by a cracker to log into system A.
– (c) A failed attempt by a cracker to log into system B.
• In figure 9.4(b), the system complains as soon as it sees an
invalid login name.
• This is a mistake, as it allows the cracker to keep trying login
names until she finds a valid one.
• The last option, (c), is the right one.
(a) A successful login
(b) Login rejected after name entered
(c) Login rejected after name and password typed
How hackers break in
• Most crackers break in by just calling up the target
computer and trying many (login name, password)
combinations until they find one that works (names, birth
dates, etc.).
• One cracker used a war dialer, which dials up 10,000 telephone
numbers in random order; after 2.6 million calls he located
20,000 computers in an area, 200 of which had no security at
all.
• The combination of a war dialer and password guessing
can be deadly.
• An alternative to using a war dialer is to attack computers
over the Internet. Every computer on the Internet has a 32-bit
IP address used to identify it.
• People usually write these addresses in dotted decimal
notation as w.x.y.z, where each of the four components of the
IP address is an integer from 0 to 255 in decimal.
• ping w.x.y.z
• telnet w.x.y.z
• Many telnet daemons break the underlying TCP connection
after some number of unsuccessful login attempts in order to
slow down crackers (so crackers start many threads).
• To find the IP addresses they use, all he has to do is type
• dnsquery foobar.edu
• and he will get some of their IP addresses.
• One hopes their security is better, but there is little reason to
believe that, since another nuclear weapons lab, Los Alamos,
lost a hard disk full of classified information in 2000.
• LBL > telnet elxsi
• ELXSI AT LBL
• LOGIN: root
• PASSWORD: root
• INCORRECT PASSWORD, TRY AGAIN
• LOGIN: guest
• PASSWORD: guest
• INCORRECT PASSWORD, TRY AGAIN
• LOGIN: uucp
• PASSWORD: uucp
• WELCOME TO THE ELXSI COMPUTER AT LBL
• Once a cracker has broken into a system and become superuser,
it may be possible to install a packet sniffer, software that
examines all incoming and outgoing network packets looking
for certain patterns.
• Increasingly, many break-ins are being done by technically naive
users who are just running scripts they found on the Internet. These
scripts either use brute-force attacks of the type described
above, or try to exploit known bugs in specific programs. Real
hackers refer to them as script kiddies.
UNIX password security
• Some older OSes keep the password file on the disk in
unencrypted form, protected only by the usual system
protection mechanisms.
• This is just asking for trouble.
• A better solution, used in UNIX, works like this.
• The login program asks the user to type his name and password.
• The password is immediately encrypted by using it as a key
to encrypt a fixed block of data.
• In effect, a one-way function is applied to the password.
• The login program then reads the password file, which is
just a series of ASCII lines, one per user, until it finds the line
containing the user's login name.
• Read the chapter.
• One way to prevent the precomputation attack is to associate
an n-bit random number, called the salt, with each password.
• The random number is changed whenever the password is
changed.
• Figure 9.6 shows the use of salt to defeat precomputation of the
encrypted passwords.
• The notation e(Dog4238) represents the result of
concatenating Bobbie's password, Dog, with her
randomly assigned salt, 4238, and running it through the
encryption function e.
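Salted password storage as described on the last two slides, in an added Python example that is not from the original slides or from UNIX itself. PBKDF2-HMAC-SHA256 stands in for the crypt() one-way function e; the user names, the dictionary words and the salt 4238 from the slides' e(Dog4238) notation are constructed test data. The last two functions show why salt matters: one precomputed table cracks every unsalted account that uses a dictionary word, but matches nothing once each account has its own salt.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # slow hash, so a dictionary table is expensive to build


def hash_password(password: str, salt: bytes) -> bytes:
    """e(salt || password): the one-way function. Old UNIX used crypt(); PBKDF2 here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def add_user(db: dict, name: str, password: str, salt: bytes = None) -> None:
    """Store (salt, e(salt+password)); a fresh random salt unless one is given."""
    if salt is None:
        salt = os.urandom(8)
    db[name] = (salt, hash_password(password, salt))


def check_login(db: dict, name: str, password: str) -> bool:
    """Re-run the one-way function with the stored salt and compare in constant time."""
    if name not in db:
        return False
    salt, stored = db[name]
    return hmac.compare_digest(stored, hash_password(password, salt))


def precompute_table(dictionary, salt: bytes = b"") -> dict:
    """The attacker's precomputed hash -> word table (what figure 9.6's salt defeats)."""
    return {hash_password(word, salt): word for word in dictionary}


def recovered_accounts(db: dict, table: dict) -> set:
    """Accounts whose stored hash appears in the precomputed table."""
    return {name for name, (salt, stored) in db.items() if stored in table}


if __name__ == "__main__":
    unsalted, salted = {}, {}
    add_user(unsalted, "bobbie", "Dog", b"")      # no salt: same word, same hash
    add_user(unsalted, "alice", "Dog", b"")
    add_user(salted, "bobbie", "Dog", b"4238")    # the slides' e(Dog4238)
    add_user(salted, "alice", "Dog")              # random salt
    table = precompute_table(["Cat", "Dog", "Fish"])
    print(recovered_accounts(unsalted, table))    # {'bobbie', 'alice'}
    print(recovered_accounts(salted, table))      # set()
    print(check_login(salted, "bobbie", "Dog"))   # True
```

With an n-bit salt the attacker must build 2^n tables, one per salt value, which is the cost figure 9.6 is about.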
Improving password security
• The program that users call to install or change their
password can also give a warning when a poor password is
chosen.
• Among other things, it might complain about these:
– Passwords should be a minimum of seven characters.
– Passwords should contain both upper and lower case
letters.
– Passwords should contain at least one digit or special
character.
– Passwords should not be dictionary words, people's
names, etc.
One-time passwords
• The most extreme form of changing the password all the
time is the one-time password.
• Each login uses the next password in a list.
• If an intruder discovers a password, it will not do him
any good, since next time a different password must be
used.
• If the secret password is s, the first password is given by
running the one-way function n times (here n = 4):
• P1 = f(f(f(f(s))))
• The second password is given by running the one-way
function n-1 times:
• P2 = f(f(f(s)))
Challenge-response authentication
• A variation on the password idea is to have each new user
provide a long list of questions and answers that are then
stored on the server securely (encrypted).
• The questions should be chosen so that the user does not
need to write them down.
• Possible questions are:
– Who is Majolein's sister?
– On what street was your elementary school?
– What did Mrs Worobooff teach?
• At login, the server asks one of them at random and checks
the answer.
• Another variation is challenge-response: the user agrees on a
function with the server in advance, the server sends an argument
and the user types back the result; e.g., the server sends 7 and the
user types 49 (the function is x^2).
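The one-time password list of the previous slide and the challenge-response idea of this one, in one added Python example that is not from the original slides or from any named product. SHA-256 plays the one-way function f, so P1 = f(f(f(f(s)))) for n = 4 exactly as written above; the server keeps only f(P1), so a stolen server record yields no usable password. For challenge-response, an HMAC with a shared key replaces the slides' toy x^2, because a fixed public function lets anyone who sees one exchange answer the next; the secret, key and class names are constructed.

```python
import hashlib
import hmac
import secrets


def f(x: bytes) -> bytes:
    """The one-way function of the slides; SHA-256 stands in for it."""
    return hashlib.sha256(x).digest()


def f_iterated(secret: bytes, times: int) -> bytes:
    """f applied `times` times: f_iterated(s, 4) == f(f(f(f(s))))."""
    y = secret
    for _ in range(times):
        y = f(y)
    return y


class OtpClient:
    """Holds s and n; hands out P1 = f^n(s), P2 = f^(n-1)(s), ... in turn."""

    def __init__(self, secret: bytes, n: int):
        self.secret, self.n, self.used = secret, n, 0

    def next_password(self) -> bytes:
        self.used += 1
        return f_iterated(self.secret, self.n - self.used + 1)


class OtpServer:
    """Stores only P0 = f(P1) = f^(n+1)(s); never s and never the next password."""

    def __init__(self, secret: bytes, n: int):
        self.expected = f_iterated(secret, n + 1)
        self.remaining = n

    def login(self, password: bytes) -> bool:
        if self.remaining == 0 or not hmac.compare_digest(f(password), self.expected):
            return False            # wrong, replayed, or list exhausted
        self.expected = password    # the password just used becomes the next check value
        self.remaining -= 1
        return True


def new_challenge() -> bytes:
    """Fresh random challenge per login, so a recorded response cannot be replayed."""
    return secrets.token_bytes(16)


def answer_challenge(shared_key: bytes, challenge: bytes) -> bytes:
    """The user's side: a keyed function of the challenge (HMAC instead of x**2)."""
    return hmac.new(shared_key, challenge, "sha256").digest()


def challenge_response_ok(shared_key: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(answer_challenge(shared_key, challenge), response)


if __name__ == "__main__":
    s = b"constructed secret"
    client, server = OtpClient(s, 4), OtpServer(s, 4)
    p1 = client.next_password()
    print(server.login(p1), server.login(p1))        # True False (replay rejected)
    key, chal = b"constructed shared key", new_challenge()
    print(challenge_response_ok(key, chal, answer_challenge(key, chal)))   # True
```

The OTP server must update its stored value atomically with the accepted login; if two logins race on the same stored P0, one of them is a replay.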
Authentication using a physical object
• The second method for authenticating a user is to check for
some physical object they have rather than something they
know (like door keys).
• Chip cards contain an integrated circuit (chip) on them.
• These cards can be subdivided into two categories: stored
value cards and smart cards.
• Stored value cards contain a small amount of memory
(usually less than 1 KB) using EEPROM technology to
allow the value to be remembered when the card is removed
from the reader and thus the power is turned off.
• However, nowadays much security work is being focused on smart
cards, which currently have something like a 4-MHz 8-bit CPU, 16 KB
of ROM, 4 KB of EEPROM, 512 bytes of scratch RAM and a 9600-bps
communication channel to the reader.
• Smart cards can be used to hold money, as stored value
cards do, but with much better security and universality.
• Various authentication schemes can be used with a smart
card. A simple challenge-response works like this.
• Figure 9.7: use of a smart card for authentication
• Magnetic cards
– magnetic stripe cards
– chip cards: stored value cards, smart cards.
Authentication using biometrics
• The third authentication method measures physical
characteristics of the user that are hard to forge.
• These are called biometrics.
• For example, a fingerprint or a voiceprint reader in the
terminal could verify the user's identity.
• A typical biometrics system has two parts:
– Enrollment (the characteristics are measured and stored in a
record; significant features are extracted) and
– Identification (the user shows up and provides a login
name; then the system makes the measurements
again).
• Finger length measurement is surprisingly practical, as
illustrated in figure 9.8, but not perfect. The system can be
attacked with hand molds made of plaster of Paris or some
other material.
• Figure 9.8: a device for measuring finger length.
Countermeasures
• An intruder may break into a system and do major damage.
• Extra measures can be taken.
• Restricting login times to 8 A.M. to 5 P.M.
• Dial-up lines may be made more secure.
• In any event, with or without callback, the system should
take at least 5 seconds to check any password typed in on a
dial-up line, and should increase this time after several
consecutive unsuccessful login attempts.
• All logins should be recorded and reported.
• The next step is laying baited traps to catch intruders (a
simple scheme is to have one special login name with an
easy password; then the security manager can see who
the intruder is).
• Other traps can be easy-to-find bugs in the OS and similar things,
designed for the purpose of catching intruders in the act.
• Limiting the times when someone can log in
• Automatic callback at a pre-specified number
• Limited number of login tries
• A database of all logins
• Simple login name/password as a trap
– security personnel notified when the attacker bites
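The countermeasures listed above, plus the figure 9.4 lesson that a rejected login must not reveal whether the name or the password was wrong, combined into one added Python example that is not from the original slides. It returns the delay the caller must impose rather than sleeping, so the policy can be tested: at least 5 seconds per check, doubling after every three consecutive failures (the doubling step is an assumption of this example, the slides only say "increase"). The login hours, the bait name "guest", the user table and the toy unsalted hash are constructed; the bait login is logged and rejected here, which is one possible way to "see who the intruder is".

```python
import hashlib
import hmac

MIN_CHECK_SECONDS = 5.0              # slides: at least 5 s to check a password
LOGIN_HOURS = range(8, 17)           # slides: 8 A.M. to 5 P.M.
TRAP_LOGIN = "guest"                 # bait login name (constructed)
FAILURE_MESSAGE = "Login incorrect"  # identical whether the name or the password was wrong


def digest(password: str) -> str:
    """Toy unsalted hash for the user table; see the salting slides for the real thing."""
    return hashlib.sha256(password.encode()).hexdigest()


def delay_for(consecutive_failures: int) -> float:
    """At least 5 s, doubling after every three consecutive failures (assumed policy)."""
    return MIN_CHECK_SECONDS * 2 ** (consecutive_failures // 3)


class LoginGuard:
    def __init__(self, users: dict):
        self.users = users        # login name -> digest(password)
        self.failures = {}        # login name -> consecutive failures so far
        self.audit = []           # every attempt, successful or not, is recorded

    def attempt(self, name: str, password: str, hour: int):
        """Returns (message, seconds the caller must wait before answering)."""
        fails = self.failures.get(name, 0)
        delay = delay_for(fails)
        if hour not in LOGIN_HOURS:
            outcome = "outside-hours"
        elif name == TRAP_LOGIN:
            outcome = "TRAP"      # security manager is notified; the bait never logs in
        elif name in self.users and hmac.compare_digest(self.users[name], digest(password)):
            outcome = "ok"
        else:
            outcome = "fail"      # unknown name and wrong password look the same outside
        self.audit.append((hour, name, outcome))
        if outcome == "ok":
            self.failures[name] = 0
            return "Welcome", delay
        self.failures[name] = fails + 1
        return FAILURE_MESSAGE, delay

    def trap_hits(self) -> list:
        """Audit entries the security manager should look at first."""
        return [entry for entry in self.audit if entry[2] == "TRAP"]


if __name__ == "__main__":
    guard = LoginGuard({"susan": digest("s3cret")})      # constructed user table
    print(guard.attempt("susan", "s3cret", 10))           # ('Welcome', 5.0)
    print(guard.attempt("nosuchuser", "x", 10))           # ('Login incorrect', 5.0)
    print(guard.attempt("guest", "guest", 10))            # ('Login incorrect', 5.0)
    print(guard.trap_hits())                              # [(10, 'guest', 'TRAP')]
```

Keying the failure counter by login name throttles guessing against one account; a production system would also count by source line or address so that guessing across many names is slowed as well.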
Operating System Security
Attacks from Inside the System
• Free program made available to unsuspecting user
– Actually contains code to do harm
• Place altered version of utility program on victim's
computer
– trick user into running that program
Trojan horses
• One insider attack is the Trojan horse, in which a
seemingly innocent program contains code to perform an
unexpected and undesirable function.
• This function might be modifying, deleting or encrypting
the user's files, copying them to a place where the cracker
can retrieve them later, or even sending them to the cracker
or a temporary safe hiding place via email or FTP.
Login spoofing
(a) Correct login screen
(b) Phony login screen
• Somewhat related to the Trojan horse is login spoofing.
• Normally the login screen of figure (a) is displayed.
• A cracker or cheater writes a program to display the screen
of figure (b); the user enters the login name and then, when
asked, the password.
• The login name and password are collected.
Logic bombs
• Company programmer writes a program
– with the potential to do harm
– OK as long as he/she enters a password daily
– if the programmer is fired, no password and the bomb explodes.
• Another insider attack, made possible by high employee
mobility, is the logic bomb.
• The programmer secretly inserts it into a production OS.
• As long as the programmer feeds it its daily password, it
does nothing.
• If the programmer is fired and removed from the premises without
warning, the next day the logic bomb does not get fed its daily
password, so it goes off.
Trap doors
(a) Normal code.
(b) Code with a trapdoor inserted
Buffer overflows (1)
• Most system programs are written in the C programming
language.
• Unfortunately, no C compiler does array bounds checking, so
code like the following compiles and runs:
– int i;
– char c[1024];
– i = 12000;
– c[i] = 0;   /* writes far past the end of c; nothing stops it */
• This property of C leads to attacks of the following kind.
• The out-of-bounds write may change memory areas where other
programs' code resides.
• Then the running code of the other program is changed to
random junk and the program will probably crash within
seconds.
• But what if the changed program parts were a correct program
instead of junk?
Buffer overflows (2)
• (a) Situation when main program is running
• (b) After program A called
• (c) Buffer overflow shown in gray
Generic security attacks
Typical attacks
• Request memory, disk space or tapes and just read them; they may not be
erased and may be full of interesting information.
• Try illegal system calls; many systems can easily be confused.
• Start a login and hit DEL, RUBOUT, or BREAK; the password
checking program may be killed and the login is successful.
• Try modifying complex OS structures kept in user
space. Changing them can wreak havoc with the
security.
• Try to do the specified DO NOTs; the manual says do not do X,
so try as many variations of X as possible.
• Convince a system programmer to add a trap door that skips
certain vital security checks for any user with your login
name.
• Beg the administrator's secretary to help a poor user who
forgot his password; bribing a secretary may give access to wonderful
information.
Famous security flaws
• The TENEX password problem.
• The password was checked one character at a time.
• The check stopped as soon as it saw that a character was wrong.
• When the first character of the password was correct, a page fault occurred.
• So the intruder was informed that the first character of the password was correct.
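The TENEX flaw is an early-exit comparison whose running time (here: how many characters it examined, which the page fault revealed) depends on how much of the guess is right. As an added Python example that is not from the original slides, the first function reproduces that behaviour and reports the count, and the second shows the modern fix: a comparison that touches every byte regardless of where the first mismatch is. The secret and the guesses are constructed.

```python
import hmac


def compare_early_exit(guess: str, secret: str):
    """TENEX-style check: stop at the first wrong character.
    Returns (match, characters examined); the second value is what leaked."""
    examined = 0
    for g, s in zip(guess, secret):
        examined += 1
        if g != s:
            return False, examined
    return len(guess) == len(secret), examined


def compare_constant_time(guess: str, secret: str) -> bool:
    """Same answer, but the work done does not depend on where the mismatch is."""
    return hmac.compare_digest(guess.encode(), secret.encode())


def examined_per_guess(secret: str, guesses) -> dict:
    """How far each guess gets: the count grows by one for each correct prefix letter,
    which is exactly the per-character oracle the TENEX page fault provided."""
    return {g: compare_early_exit(g, secret)[1] for g in guesses}


if __name__ == "__main__":
    secret = "SECRET"                                        # constructed
    print(examined_per_guess(secret, ["AAAAAA", "SAAAAA", "SEAAAA"]))   # {1, 2, 3}
    print(compare_constant_time("SEAAAA", secret))           # False, no count to observe
```

With the early-exit check a password of length L and alphabet A falls in about L * A guesses instead of A ** L; the constant-time comparison removes the per-character signal entirely.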
Design principles for security
• The system design should be public; otherwise the intruder will find it
out sooner or later and the system is sunk.
• The default should be no access; errors in which legitimate access is
refused will be reported much faster than unauthorized accesses.
• Check for current authority; check the permission when a file is
opened.
• Give each process the least privilege possible; then a Trojan horse
cannot do much damage.
• The protection mechanism should be
– simple
– uniform
– in the lowest layers of the system
• The scheme should be psychologically acceptable. A scheme that
demands much extra work of the user is not acceptable.
And ... keep it simple
Network Security
• External threat
– code transmitted to target machine
– code executed there, doing damage
• Goals of virus writer
– quickly spreading virus
– difficult to detect
– hard to get rid of
• Virus = program can reproduce itself
– attach its code to another program
– additionally, do harm
Attacks from outside the System
• Since a virus is just a program, it can do anything a
program can do.
• Blackmail: a virus can encrypt all files on the victim's hard
disk, and the intruder then tries to get money.
• Another thing a virus can do is render the computer
unusable as long as the virus is running.
• This is called a denial of service attack.
• The BIOS is kept in flash ROM.
• A virus can write random junk into the flash ROM.
• A virus can also be released with a specific target.
• Another example of a targeted virus is one that could be
written by an ambitious corporate vice president and released
onto the local LAN.
Virus Damage Scenarios
• Blackmail
• Denial of service as long as virus runs
• Permanently damage hardware
• Target a competitor's computer
– do harm
– espionage
• Intra-corporate dirty tricks
– sabotage another corporate officer's files
• Parasitic viruses.
• Cavity viruses.
• Memory-resident viruses.
• Boot sector viruses.
• Device driver viruses.
• Macro viruses; a Word document contains a macro and the
macro contains the virus.
• Source code viruses.
How Viruses Work (1)
• Virus written in assembly language
• Inserted into another program
– using a tool called a "dropper"
• Virus dormant until the program is executed
– then infects other programs
– eventually executes its "payload"
How Viruses Work (2)
• A recursive procedure that finds executable files on a UNIX
system; a virus could infect them all.
How Viruses Work (3)
• Parasitic viruses can attach themselves to the front, the
back, or the middle of the executable program
• (a) An executable program
• (b) With a virus at the front
• (c) With the virus at the end
• (d) With a virus spread over free space within the program
How Viruses Work (4)
• Boot sector viruses:
• (a) After the virus has captured the interrupt and trap vectors
• (b) After the OS has retaken the printer interrupt vector
• (c) After the virus has noticed the loss of the printer interrupt vector and recaptured it.
How Viruses Spread
• Virus placed where likely to be copied
• When copied
– infects programs on hard drive, floppy
– may try to spread over LAN
• Attach to innocent looking email
– when it runs, use mailing list to replicate
Antivirus and Anti-Antivirus Techniques
(a) A program
(b) Infected program
(c) Compressed infected program
(d) Encrypted virus
(e) Compressed virus with encrypted compression code
Antivirus and Anti-Antivirus Techniques
Examples of a polymorphic virus. All of these examples do the same
thing:
(a) Calculation code for X = A + B + C - 4.
(b) The same thing, but with NOPs inserted.
(c) A virus that uses (c) instead of (a) still works; a virus that mutates on
each copy is called a polymorphic virus. (d) and (e) do the same.
(A mutation engine changes code without changing its function.)
Antivirus and Anti-Antivirus Techniques
• Integrity checkers
• Behavioral checkers
• Virus avoidance
– good OS
– install only shrink-wrapped software
– use antivirus software
– do not click on attachments to email
– frequent backups
• Recovery from virus attack
– halt computer, reboot from safe disk, run antivirus
The Internet worm
• Consisted of two programs
– a bootstrap to upload the worm
– the worm itself
• The worm first hid its existence
• Next it replicated itself on new machines
Mobile Code (1) Sandboxing
(a) Memory divided into 1-MB sandboxes
(b) One way of checking an instruction for validity.
When the program jumps to an unauthorized area, a trap occurs.
Mobile Code (2)
• Applets can be interpreted by a Web browser
Mobile Code (3)
• How code signing works
Java security (1)
• A type-safe language
– the compiler rejects attempts to misuse a variable
• Checks include ...
1. Attempts to forge pointers
2. Violation of access restrictions on private class
members
3. Misuse of variables by type
4. Generation of stack over/underflows
5. Illegal conversion of variables to another type
Java security (2)
Examples of specified protection with JDK 1.2.
In the first line, the user Susan has set up her permission file so that
applets from www.taxre.com have read access to 1040.xls.
In addition, applets from all sources, whether signed or not, can
read and write files in /usr/tmp.
Furthermore, Susan also trusts Microsoft enough to allow
applets originating at its site to read and write files in order to install
updates or fix bugs.
Trusted companies must sign their certificates, and the necessary public
key must be on her disk.
Files are not the only resources that can be protected (other
resources as well).
Protection Mechanisms
Protection Domains (1)
Examples of three protection domains
A domain is a set of (object, rights) pairs. Each pair specifies an
object and some subset of the operations that can be performed
on it.
A right in this context means permission to perform one of the
operations.
Protection Domains (2)
• A protection matrix
• In UNIX, the domain of a process is defined by its UID and
GID; each (UID, GID) combination is a different domain.
Protection Domains (3)
• A protection matrix with domains as objects
• A process in domain 1 can switch to domain 2, but once there
it cannot go back.
Access control lists (1)
• Use of access control lists to manage file access
• A list containing all domains that may access the object. This list is
called an Access Control List or ACL.
• Often in the security literature, the users are called subjects or principals,
to contrast them with the things owned, the objects, such as files.
Access control lists (2)
• Two access control lists
• A portion of an ACL might be as shown in figure 9-26.
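The protection matrix, its ACL and capability-list views, and domain switching from the last four slides, in one added Python example that is not from the original slides. An ACL is one column of the matrix stored with the object; a C-list is one row stored with the domain; switching domains is modelled, as on the "domains as objects" slide, by an "enter" right on the target domain. The file names, domains and rights are a constructed matrix in the style of the figures.

```python
# Constructed protection matrix: rows are domains, columns are objects.
# Domains appear as objects too, so that "enter" can be a right (domain switching).
MATRIX = {
    "domain1": {"file1": {"read"}, "file2": {"read", "write"}, "domain2": {"enter"}},
    "domain2": {"file3": {"read"}, "file4": {"read", "write", "execute"},
                "printer1": {"write"}},
    "domain3": {"file5": {"read", "write"}, "file6": {"read", "write", "execute"},
                "printer1": {"write"}},
}


def rights(matrix, domain, obj) -> set:
    """The (object, rights) pair for this domain; empty set if the cell is blank."""
    return matrix.get(domain, {}).get(obj, set())


def acl(matrix, obj) -> dict:
    """One column of the matrix, stored with the object: domain -> rights."""
    return {d: set(row[obj]) for d, row in matrix.items() if obj in row}


def capability_list(matrix, domain) -> dict:
    """One row of the matrix, stored with the domain: object -> rights (the C-list)."""
    return {o: set(r) for o, r in matrix.get(domain, {}).items()}


class Process:
    def __init__(self, matrix, domain):
        self.matrix, self.domain = matrix, domain

    def may(self, obj, right) -> bool:
        """Check current authority on every access."""
        return right in rights(self.matrix, self.domain, obj)

    def switch_to(self, new_domain) -> bool:
        """Allowed only if the current domain holds 'enter' on the target domain."""
        if self.may(new_domain, "enter"):
            self.domain = new_domain
            return True
        return False


if __name__ == "__main__":
    print(acl(MATRIX, "printer1"))              # who may use the printer
    print(capability_list(MATRIX, "domain1"))   # what domain 1 holds
    p = Process(MATRIX, "domain1")
    print(p.switch_to("domain2"), p.switch_to("domain1"))   # True False: no way back
```

Both views carry the same information; the difference is where it lives, which is why revoking access is easy with ACLs (edit one column) and hard with capabilities (find every copy of a row entry).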
Capabilities (1)
• Each process has a capability list
Capabilities (2)
• Cryptographically-protected capability:
Server Object Rights f(Object, Rights, Check)
• The server generates and returns a capability to the user of the
form shown in figure 9-28.
• Generic rights
1. Copy capability; create a new capability for the same
object.
2. Copy object; create a duplicate object with a new capability.
3. Remove capability; delete an entry from the C-list; the object is
unaffected.
4. Destroy object; permanently remove an object and its capability.
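A cryptographically protected capability of the form on this slide, as an added Python example that is not from the original slides or from any real capability system. The check field is an HMAC over (Object, Rights) under a secret only the server knows, so a user who edits the Rights field of a capability they hold produces one the server rejects. Generic rights 1, 2 and 4 are server operations here; right 3 (remove capability) is just the holder dropping the tuple from its own C-list. Names of classes, objects and contents are constructed.

```python
import hmac
import secrets
from typing import FrozenSet, NamedTuple

ALL_RIGHTS = frozenset({"read", "write", "execute"})


class Capability(NamedTuple):
    server: str
    obj: str
    rights: FrozenSet[str]
    check: bytes              # f(Object, Rights, Check): only the server can compute it


class ObjectServer:
    def __init__(self, name: str):
        self.name = name
        self.secret = secrets.token_bytes(32)    # the Check secret never leaves the server
        self.objects = {}

    def _check(self, obj: str, rights) -> bytes:
        msg = f"{obj}|{','.join(sorted(rights))}".encode()
        return hmac.new(self.secret, msg, "sha256").digest()

    def valid(self, cap: Capability) -> bool:
        """A capability is genuine only if its check field matches what we would compute."""
        return cap.server == self.name and hmac.compare_digest(
            cap.check, self._check(cap.obj, cap.rights))

    def _require(self, cap: Capability, right: str) -> None:
        if not self.valid(cap) or right not in cap.rights or cap.obj not in self.objects:
            raise PermissionError(f"no usable {right} right on {cap.obj}")

    def create(self, obj: str, data: str) -> Capability:
        self.objects[obj] = data
        return Capability(self.name, obj, ALL_RIGHTS, self._check(obj, ALL_RIGHTS))

    def copy_capability(self, cap: Capability, rights) -> Capability:
        """Generic right 1: a new capability for the same object, never with more rights."""
        wanted = frozenset(rights)
        if not self.valid(cap) or not wanted <= cap.rights:
            raise PermissionError("cannot amplify rights")
        return Capability(self.name, cap.obj, wanted, self._check(cap.obj, wanted))

    def copy_object(self, cap: Capability, new_name: str) -> Capability:
        """Generic right 2: duplicate the object under a fresh capability."""
        self._require(cap, "read")
        return self.create(new_name, self.objects[cap.obj])

    def destroy_object(self, cap: Capability) -> None:
        """Generic right 4: the object goes away; every capability for it is now useless."""
        self._require(cap, "write")
        del self.objects[cap.obj]

    def read(self, cap: Capability) -> str:
        self._require(cap, "read")
        return self.objects[cap.obj]

    def write(self, cap: Capability, data: str) -> None:
        self._require(cap, "write")
        self.objects[cap.obj] = data


if __name__ == "__main__":
    srv = ObjectServer("fileserver")
    full = srv.create("report.txt", "draft 1")           # constructed object
    ro = srv.copy_capability(full, {"read"})
    forged = ro._replace(rights=ALL_RIGHTS)              # holder edits the Rights field
    print(srv.read(ro), srv.valid(ro), srv.valid(forged))   # draft 1 True False
```

Because the check is keyed, the capability can be handed to users in the clear; what must stay secret is the server's key, not the capability bytes.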
Trusted Systems
Trusted Computing Base
A reference monitor
Is it possible to build a secure computer system?
If so, why is it not done?
Formal model of security systems
(a) An authorized state
(b) An unauthorized state
• Robert has found a way to issue a command to have the matrix changed to
fig 9-30(b) and has gained access to mailbox7.
• The OS carries out his request because it does not know that the state
is unauthorized.
Multilevel security (1)
• The Bell-La Padula multilevel security model was designed
for handling military security but is also applicable to other
organizations.
• The simple security property: a process running at
security level k can read only objects at its level or lower.
• The * property: a process running at security level k can
write only objects at its level or higher.
Multilevel security (2)
• The Bell-La Padula multilevel security model
Multilevel security (3)
The Biba Model
• Principles to guarantee the integrity of data
1. Simple integrity principle
• a process can write only objects at its security level or
lower
2. The integrity * property
• a process can read only objects at its security level or
higher
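The four rules of the Bell-La Padula and Biba slides as checks a reference monitor could run, in an added Python example that is not from the original slides. The level names are a constructed four-step scale; the last two functions go one step beyond the slides and show why BLP works: no sequence of read-then-write by any process can carry data from an object to one at a lower level.

```python
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def level(name: str) -> int:
    return LEVELS[name]


# Bell-La Padula: confidentiality, information may flow only upward.
def blp_can_read(process_level: str, object_level: str) -> bool:
    """Simple security property: read only at your level or lower (no read up)."""
    return level(process_level) >= level(object_level)


def blp_can_write(process_level: str, object_level: str) -> bool:
    """* property: write only at your level or higher (no write down)."""
    return level(process_level) <= level(object_level)


# Biba: integrity, information may flow only downward (the mirror image).
def biba_can_write(process_level: str, object_level: str) -> bool:
    """Simple integrity principle: write only at your level or lower."""
    return level(process_level) >= level(object_level)


def biba_can_read(process_level: str, object_level: str) -> bool:
    """Integrity * property: read only at your level or higher."""
    return level(process_level) <= level(object_level)


def blp_copy_allowed(process_level: str, source_level: str, dest_level: str) -> bool:
    """Could a process read `source` and then write what it saw into `dest`?
    Both rules together force dest >= process >= source, so data never moves down."""
    return blp_can_read(process_level, source_level) and blp_can_write(process_level, dest_level)


def lowest_reachable_level(source_level: str) -> str:
    """Lowest object level any process could copy data from `source` into under BLP."""
    reachable = [dest for dest in LEVELS for proc in LEVELS
                 if blp_copy_allowed(proc, source_level, dest)]
    return min(reachable, key=level)


if __name__ == "__main__":
    print(blp_can_read("secret", "top secret"), blp_can_write("secret", "unclassified"))  # False False
    print(lowest_reachable_level("secret"))      # secret: it cannot be copied any lower
```

Note the symmetry: every Biba rule is a BLP rule with the inequality reversed, which is why a system that enforces both confines each process to reading and writing exactly its own level.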
Orange Book Security (1)
• The Orange Book divides OSes into seven categories based on
their security properties.
• Level C is intended for environments with cooperating users.
• C1 requires a protected-mode operating system. The UNIX rwx
scheme meets C1 but does not meet C2.
• C2 adds the requirement that discretionary access control is down to
the level of the individual user.
• The B and A levels require all controlled users and objects to be
assigned a security level label such as unclassified, secret or top
secret.
• B2 adds to this the requirement that the system has been designed top-
down in a modular way.
• B3 contains all of B2's features plus must have ACLs with users and
groups.
• A1 requires a formal model of the protection system and a
proof that the model is correct. Read from the book.
Orange Book Security (2)
• Symbol X means new requirements
• Symbol -> means the requirements from the next lower category apply here
also.
Orange Book Security (3)
Covert channels (1)
• Client, server and collaborator processes; the encapsulated
server can still leak to the collaborator via covert channels.
• The collaborator can try to detect the bit stream by carefully
monitoring its response time.
• In general, it will get better response when the server is sending a 0
than when the server is sending a 1.
Covert channels (2)
• A covert channel using file locking
• Locking and unlocking to transmit the secret bit stream
11010100.
• Acquiring and releasing dedicated resources can also be used
for signaling.
Covert channels (3)
• The pictures appear the same
• The picture on the right has the text of 5 Shakespeare plays
– encrypted, inserted into the low-order bits of the color values:
Hamlet, Macbeth, Julius Caesar, Merchant of Venice, King Lear
• (Figure: Zebras)
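The low-order-bit hiding technique of this slide, as an added Python example that is not from the original slides. The "picture" is a constructed list of 8-bit color values (a synthetic gradient), not a real image file, and the encryption step the slide mentions is left out so the embedding itself is visible; a four-byte length prefix, an assumption of this example, tells the extractor where the payload ends. The last function is the reason the two zebra pictures look identical: no color value moves by more than one step out of 255.

```python
def to_bits(payload: bytes) -> list:
    """Big-endian bit list of a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]


def embed(color_values, payload: bytes) -> list:
    """Replace the low-order bit of successive color values with the payload's bits."""
    data = len(payload).to_bytes(4, "big") + payload     # length prefix, then payload
    bits = to_bits(data)
    if len(bits) > len(color_values):
        raise ValueError("picture too small for this payload")
    out = list(color_values)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit     # clear the LSB, then set it to the payload bit
    return out


def extract(color_values) -> bytes:
    """Read the LSBs back, starting with the length prefix."""
    def take_bytes(offset: int, n: int) -> bytes:
        bits = [v & 1 for v in color_values[offset * 8:(offset + n) * 8]]
        return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                     for i in range(0, len(bits), 8))
    length = int.from_bytes(take_bytes(0, 4), "big")
    return take_bytes(4, length)


def max_color_change(before, after) -> int:
    """Largest change to any color value caused by the embedding."""
    return max(abs(a - b) for a, b in zip(before, after))


# Constructed "picture": 2000 color values of a synthetic gradient, no real image needed.
PICTURE = [(37 * i) % 256 for i in range(2000)]


if __name__ == "__main__":
    stego = embed(PICTURE, b"To be, or not to be")      # constructed payload
    print(extract(stego))                               # b'To be, or not to be'
    print(max_color_change(PICTURE, stego))             # 1
```

A defender cannot see the payload, but can see its statistics: embedding flattens the distribution of low-order bits, which is what LSB steganalysis tools measure, and re-encoding the image (lossy compression, resizing) destroys the channel.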
Summary
• The security environment; threats, intruders and accidental
losses.
• Basics of cryptography; secret and public keys, digital
signatures.
• User authentication; using passwords, physical objects,
biometrics.
• Attacks from inside the system; Trojan horses, login spoofing,
logic bombs, trap doors, buffer overflows, generic security attacks and
famous flaws.
• Attacks from outside the system; viruses and antivirus
techniques, worms and mobile code.
• Protection mechanisms; domains, access control lists and capabilities.
• Trusted systems; trusted computing base, multilevel and
Orange Book security.