Week 7 - Operating Systems Security

Last updated 12:18 PM on 5/24/26

73 Terms

1. What is memory protection?
Protects system memory from unauthorised access - Prevents a process from accessing memory belonging to other processes or to the OS - Preserves system integrity

2. Why is memory protection needed?
Prevents resource conflicts - Stops processes corrupting each other's memory, by accident or on purpose - Protects operating system code and data from user processes

3. What is process isolation?
Mechanism preventing one process from reading or writing another process's memory - Fundamental memory protection technique

4. What is kernel mode (supervisor mode)?
Special processor mode for trusted operating system code - Allows privileged instructions - Has access to protected resources (all of memory, I/O devices, control registers)

5. What is user mode?
Restricted execution mode for applications - Limits what programs can do directly - Privileged operations must be requested from the OS through system calls

6. Kernel mode vs user mode
Kernel mode has privileged access to system resources - User mode is restricted - The separation improves system security and stability

7. What triggers a switch to kernel mode?
System calls (traps), interrupts and exceptions - The processor automatically transfers control to an operating system handler at a fixed entry point

8. What is a privilege level?
Amount of permissions granted to a task - Determines the instructions, memory areas, functions and devices it may use

9. What does privilege level affect?
  • Instructions a task may use
  • Memory areas it may access
  • Functions it may call
  • I/O devices it may use

10. What is a descriptor register?
Stores the address ranges accessible to a process - Loaded only by supervisor code - Used by the hardware to enforce memory protection

11. What is the privileged bit?
Processor control bit that must be set for privileged operations - Can only be changed by supervisor code

12. What is segmentation in memory protection?
Memory organised into segments - Each segment has a descriptor and permissions - Supports isolation and protection

13. What is a segment descriptor?
Data structure containing a segment's base address, size (limit) and access permissions

14. What are memory access control indicators?
R = Read - W = Write - X = Execute - M = Supervisor mode execution - F = Fault to supervisor

15. What is accountability?
Ability to associate actions with a specific user or process - Supports auditing and responsibility

16. What is a principal?
Entity responsible for actions in a system - Typically a user or process

17. Authentication vs authorisation
Authentication verifies identity - Authorisation determines which actions and resource accesses are permitted

18. What is access control?
Mechanism controlling access to system resources - Protects data and system resources from unauthorised use

19. What are the main access control models?
DAC (Discretionary Access Control) - RBAC (Role-Based Access Control) - MAC (Mandatory Access Control)

20. What is Discretionary Access Control (DAC)?
Resource owner controls access permissions - Owner may grant permissions to other users - Flexible and easy to use

21. Benefits of DAC
Gives users control over their own resources - Flexible - Easy to use at small scale

22. Limitations of DAC with ACLs
ACLs can become large - May require frequent updates - Listing all authorised users can be tedious

23. What is Role-Based Access Control (RBAC)?
Permissions assigned to roles - Users assigned to roles - Users inherit the permissions of their roles

24. Benefits of RBAC
Simplifies access management (change a role, not every user) - Reduces errors - Scales to large organisations

25. What is Mandatory Access Control (MAC)?
Central authority controls access according to predefined policies - Users, even resource owners, cannot change permissions

26. How does MAC work?
Users and resources receive security classifications (labels) - Access granted according to rules that compare the classifications - Permissions controlled centrally

27. Benefits of MAC
High security - Prevents unauthorised sharing (an owner cannot pass data to a lower classification) - Centralised control

28. What is an access matrix?
Conceptual table with one row per subject and one column per object - Each entry specifies the access rights that subject has on that object

29. What is an Access Control Entry (ACE)?
One entry of the access matrix, in practice stored as an element of an ACL: the permissions a particular subject has for an object

30. What is an Access Control List (ACL)?
Object-centred representation of permissions (one column of the access matrix) - Lists subjects and their rights for a particular object

31. What is a Capability List (C-List)?
Subject-centred representation of permissions (one row of the access matrix) - Lists objects and the rights a subject holds on each

32. ACLs vs capability lists
ACLs are organised by object: easy to see who can access an object, hard to find everything one subject can access - Capability lists are organised by subject: the reverse

33. What is a Reference Validation Mechanism?
Practical implementation of the reference monitor concept - Mediates every access request and checks whether it is authorised

34. Properties of a Reference Validation Mechanism
Tamper-proof (cannot be modified by the subjects it controls) - Always invoked (cannot be bypassed) - Verifiable (small and simple enough to be analysed and tested)

35. Why is a Reference Validation Mechanism important?
Ensures every access request is checked against the policy before access is granted - If it can be bypassed, the rest of the policy is meaningless
36
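The access matrix, its two concrete representations (ACLs and capability lists), an RBAC-derived matrix and a reference validation mechanism from cards 23 to 35, worked through in Python. This is an added example and not part of the original card set; the subjects, objects, rights and role assignments are constructed sample data, and the `ReferenceValidationMechanism` class is a model of the concept rather than any real operating system's monitor.

```python
"""Access matrix, ACLs, capability lists, RBAC and a reference validation mechanism.

Added worked example; not part of the original card set. Subjects, objects,
rights and role assignments are constructed sample data.
"""
from typing import Dict, FrozenSet, Set, Tuple

Subject = str
Obj = str
Rights = FrozenSet[str]

# Access matrix: one entry (an access control entry) per subject/object pair.
ACCESS_MATRIX: Dict[Tuple[Subject, Obj], Rights] = {
    ("alice", "payroll.db"): frozenset({"read", "write"}),
    ("bob",   "payroll.db"): frozenset({"read"}),
    ("alice", "report.txt"): frozenset({"read"}),
    ("bob",   "report.txt"): frozenset({"read", "write", "execute"}),
}

def to_acls(matrix: Dict[Tuple[Subject, Obj], Rights]) -> Dict[Obj, Dict[Subject, Rights]]:
    """Object-centred view (one column per object): which subjects hold which rights."""
    acls: Dict[Obj, Dict[Subject, Rights]] = {}
    for (subj, obj), rights in matrix.items():
        acls.setdefault(obj, {})[subj] = rights
    return acls

def to_clists(matrix: Dict[Tuple[Subject, Obj], Rights]) -> Dict[Subject, Dict[Obj, Rights]]:
    """Subject-centred view (one row per subject): which objects a subject may use, and how."""
    clists: Dict[Subject, Dict[Obj, Rights]] = {}
    for (subj, obj), rights in matrix.items():
        clists.setdefault(subj, {})[obj] = rights
    return clists

# RBAC: rights go to roles and users to roles; the matrix is derived, not edited per user.
ROLE_RIGHTS: Dict[str, Dict[Obj, Rights]] = {
    "payroll_clerk": {"payroll.db": frozenset({"read", "write"})},
    "auditor":       {"payroll.db": frozenset({"read"}), "report.txt": frozenset({"read"})},
}
USER_ROLES: Dict[Subject, Set[str]] = {"alice": {"payroll_clerk"}, "bob": {"auditor"}}

def expand_roles(user_roles, role_rights) -> Dict[Tuple[Subject, Obj], Rights]:
    """Users inherit the union of the rights of every role they hold."""
    matrix: Dict[Tuple[Subject, Obj], Rights] = {}
    for user, roles in user_roles.items():
        for role in roles:
            for obj, rights in role_rights[role].items():
                matrix[(user, obj)] = matrix.get((user, obj), frozenset()) | rights
    return matrix

class ReferenceValidationMechanism:
    """The single point every access request passes through.

    'Always invoked' is modelled by giving objects no entry point other than
    access(); 'tamper-proof' and 'verifiable' are properties of where the code
    lives and how small it is, which a model cannot enforce. Every decision is
    written to an audit trail for accountability.
    """
    def __init__(self, acls: Dict[Obj, Dict[Subject, Rights]]):
        self._acls = acls
        self.audit_trail = []

    def access(self, subject: Subject, obj: Obj, right: str) -> bool:
        entry = self._acls.get(obj, {}).get(subject, frozenset())
        allowed = right in entry                   # no entry at all: default deny
        self.audit_trail.append((subject, obj, right, "GRANT" if allowed else "DENY"))
        return allowed

def demo() -> dict:
    rvm = ReferenceValidationMechanism(to_acls(ACCESS_MATRIX))
    return {
        "alice_write_payroll": rvm.access("alice", "payroll.db", "write"),
        "bob_write_payroll":   rvm.access("bob", "payroll.db", "write"),
        "eve_read_report":     rvm.access("eve", "report.txt", "read"),   # unknown subject
        "audit": list(rvm.audit_trail),
    }

if __name__ == "__main__":
    print("ACLs:", to_acls(ACCESS_MATRIX))
    print("C-lists:", to_clists(ACCESS_MATRIX))
    print("RBAC-derived matrix:", expand_roles(USER_ROLES, ROLE_RIGHTS))
    for k, v in demo().items():
        print(k, v)
```

Note that `to_acls` and `to_clists` hold exactly the same information in different shapes: the ACL answers "who may touch payroll.db?" in one lookup, the C-list answers "what may bob touch?" in one lookup, and revoking all of bob's rights means editing one C-list but scanning every ACL.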
New cards
What are audit trails?
Logs recording access and system activity - Support accountability debugging and investigations
37
New cards
What is a UID?
Numeric User Identifier used by the operating system for access control
38
New cards
What is a GID?
Numeric Group Identifier representing a protection group
39
New cards

What is a file owner?

  • User associated with a file

  • Identified by UID

  • Controls permissions in DAC systems

40
New cards

What is a protection group?

Group associated with a file

- Identified by GID

- Used for shared access control

41
New cards
What is the superuser?
Process running with UID 0 - Granted access to all file resources regardless of protection settings
42
New cards
Root vs superuser
Root is the conventional username associated with UID 0 - Superuser refers to processes running with UID 0 privileges
43
New cards
What is file-based access control?
Access control applied to files and file metadata - Permissions determine allowed operations on files
44
New cards
What is the User-Group-Others (UGO) model?
Unix/Linux permission model based on owner group and others categories
45
New cards
What permissions exist in the UGO model?
Read (r) - Write (w) - Execute (x)
46
New cards
How do Linux file permissions work?
Permissions are specified separately for user group and others - Each category has read write and execute bits
47
New cards
How do you interpret -rw-r--r--?
Regular file - Owner has read and write - Group has read - Others have read
48
New cards
What does r permission mean?
Read access to file contents
49
New cards
What does w permission mean?
Write access allowing modification of file contents
50
New cards
What does x permission mean?
Execute permission allowing a file to run as a program
51
New cards
What does x mean for directories?
Allows traversal or entry into the directory
52
New cards

How are file permissions checked?

System checks user category first then group then others

- First matching category determines permissions

53. What is SetUID?
Special permission bit (octal 4000, shown as "s" in the owner's x position) causing an executable to run with the effective UID of the file owner rather than that of the user who ran it

54. What is SetGID?
Special permission bit (octal 2000, shown as "s" in the group's x position) causing an executable to run with the effective GID of the file group - On directories, new files inherit the directory's group

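The permission check of cards 44 to 54, as an added Python model that is not part of the original cards: it parses symbolic mode strings such as `-rw-r--r--`, applies the first-matching-category rule, the superuser exception, the SetUID/SetGID credential change on exec and the sticky-bit rule for unlinking (card 55). The `Process` and `File` records are constructed sample data and the model covers classical UNIX DAC only, not POSIX ACLs, capabilities or security modules.

```python
"""Unix permission check: user/group/others, first matching category wins;
plus what SetUID/SetGID do to a process's credentials on exec and how the
sticky bit restricts unlink.

Added worked example, not part of the original card set. Processes and files
are constructed records modelling classical UNIX DAC semantics only (no POSIX
ACLs, capabilities or LSMs). Supplementary groups count as group membership,
as on real systems.
"""
import stat
from dataclasses import dataclass
from typing import FrozenSet

@dataclass(frozen=True)
class Process:
    euid: int
    egid: int
    groups: FrozenSet[int] = frozenset()      # supplementary group IDs

@dataclass(frozen=True)
class File:
    owner: int                                 # UID of the owner
    group: int                                 # GID of the protection group
    mode: int                                  # e.g. 0o4755: setuid + rwxr-xr-x
    is_dir: bool = False

def parse_symbolic(s: str) -> int:
    """'-rw-r--r--' -> 0o644, '-rwsr-xr-x' -> 0o4755, 'drwxrwxrwt' -> 0o1777."""
    if len(s) != 10:
        raise ValueError("expected a type character followed by nine permission characters")
    mode = 0
    for i, ch in enumerate(s[1:]):
        bit = 1 << (8 - i)                     # owner r = 0o400 ... others' x = 0o1
        if ch in "rwx":
            mode |= bit
        elif ch in "sS" and i in (2, 5):       # setuid / setgid sit in the x positions
            mode |= stat.S_ISUID if i == 2 else stat.S_ISGID
            if ch == "s":                      # lower case: the x bit is set as well
                mode |= bit
        elif ch in "tT" and i == 8:            # sticky bit in the others' x position
            mode |= stat.S_ISVTX
            if ch == "t":
                mode |= bit
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i + 1}")
    return mode

def permitted(proc: Process, f: File, want: str) -> bool:
    """want is a string over 'rwx'. True only if every requested bit is granted."""
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    if proc.euid == 0:
        # Superuser bypasses r/w checks. Executing a regular file still needs
        # at least one execute bit; directories are always searchable for root.
        if "x" in want and not f.is_dir and not (f.mode & 0o111):
            return False
        return True
    # Exactly one category is consulted: owner, else group, else others.
    # A later category that grants more does NOT help.
    if proc.euid == f.owner:
        bits = (f.mode >> 6) & 7
    elif proc.egid == f.group or f.group in proc.groups:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return (bits & need) == need

def exec_credentials(proc: Process, f: File) -> tuple:
    """Effective (uid, gid) the new program image runs with when proc execs f."""
    euid = f.owner if f.mode & stat.S_ISUID else proc.euid
    egid = f.group if f.mode & stat.S_ISGID else proc.egid
    return euid, egid

def may_unlink(proc: Process, directory: File, target: File) -> bool:
    """Delete or rename `target` inside `directory`: needs w and x on the
    directory; with the sticky bit set, also ownership of the file or of the
    directory (or superuser)."""
    if not permitted(proc, directory, "wx"):
        return False
    if directory.mode & stat.S_ISVTX and proc.euid not in (0, target.owner, directory.owner):
        return False
    return True

if __name__ == "__main__":
    alice, bob = Process(1000, 100), Process(1001, 100)
    odd = File(owner=1000, group=100, mode=0o070)          # owner gets nothing, group rwx
    print("alice (owner) read:", permitted(alice, odd, "r"))   # False: owner bits decide
    print("bob (group) read:  ", permitted(bob, odd, "r"))     # True
    passwd = File(owner=0, group=0, mode=parse_symbolic("-rwsr-xr-x"))
    print("alice execs setuid-root binary ->", exec_credentials(alice, passwd))
    tmp = File(owner=0, group=0, mode=parse_symbolic("drwxrwxrwt"), is_dir=True)
    bobs = File(owner=1001, group=100, mode=0o644)
    print("alice unlinks bob's file in sticky /tmp:", may_unlink(alice, tmp, bobs))
```

The `odd` file (mode 070) is the case the first-match rule is about: the owner is locked out while every other group member has full access, because the check stops at the owner category. Compare with `ls -l` and `stat` on a real system if the result surprises you.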
55. What is the Sticky Bit?
Special directory permission (octal 1000, shown as "t" in the others' x position) preventing users from deleting or renaming files they do not own, even in a world-writable directory such as /tmp - The file owner, the directory owner and the superuser are still allowed

56. What is umask?
Default permission mask applied to newly created files and directories - Each bit set in the umask is removed from the mode the creating program requests

57. Common umask (user mask) value 022

1. For files
  • Requested mode (base): 666 (read and write for owner, group and others; programs that create ordinary files request 666 rather than 777, so execute is never granted by default)
  • Umask: 022
  • Calculation: 666 AND NOT 022 = 644
  • Final permissions: 644 (owner: read/write; group: read; others: read)

2. For directories
  • Requested mode (base): 777 (read, write and execute for everyone; directories need execute so users can enter them)
  • Umask: 022
  • Calculation: 777 AND NOT 022 = 755
  • Final permissions: 755 (owner: read/write/execute; group: read/execute; others: read/execute)

The operation is a bitwise clear of the umask bits, not octal subtraction. Subtraction happens to give the same answer for 022 because no digit has to borrow; with umask 033 a new file gets 666 AND NOT 033 = 644, whereas 666 - 033 = 633 is wrong.

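The umask arithmetic above, as an added example that is not part of the original cards. It applies the mask the way the kernel does (bitwise clear), contrasts that with the octal-subtraction shortcut, and creates a real file and directory under a temporary directory to confirm the result. It assumes a POSIX system such as Linux and that the creating program requests 0666 for files and 0777 for directories, as `touch` and `mkdir` do.

```python
"""umask as the kernel applies it: requested mode AND NOT umask.

Added worked example, not part of the original card set. Assumes a POSIX
system (Linux) and that the creating program requests 0666 for files and
0777 for directories, as touch(1) and mkdir(1) do.
"""
import os
import stat
import tempfile

def apply_umask(requested: int, umask: int) -> int:
    """Clear every permission bit that is set in the umask (what the kernel does)."""
    return requested & ~umask & 0o777

def octal_subtraction(requested: int, umask: int) -> int:
    """The 'subtract the octal numbers' shortcut, done digit by digit. It agrees
    with apply_umask only while no umask digit exceeds the matching requested
    digit; a digit that would go negative is where the shortcut breaks down."""
    digits = []
    for shift in (6, 3, 0):
        d = ((requested >> shift) & 7) - ((umask >> shift) & 7)
        if d < 0:
            raise ValueError("subtraction shortcut breaks down: digit would go negative")
        digits.append(d)
    return (digits[0] << 6) | (digits[1] << 3) | digits[2]

def observe_umask(umask: int) -> tuple:
    """Create a file and a directory with the given umask in force and return the
    permission bits the kernel actually assigned, as (file_mode, dir_mode)."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            fpath = os.path.join(tmp, "newfile")
            fd = os.open(fpath, os.O_CREAT | os.O_WRONLY, 0o666)   # what touch requests
            os.close(fd)
            dpath = os.path.join(tmp, "newdir")
            os.mkdir(dpath, 0o777)                                   # what mkdir requests
            return (stat.S_IMODE(os.stat(fpath).st_mode),
                    stat.S_IMODE(os.stat(dpath).st_mode))
    finally:
        os.umask(old)                                                # restore process umask

if __name__ == "__main__":
    for mask in (0o022, 0o033):
        print(f"umask {mask:03o}: file {apply_umask(0o666, mask):03o}, "
              f"dir {apply_umask(0o777, mask):03o}, "
              f"subtraction shortcut for file gives {octal_subtraction(0o666, mask):03o}")
    f_mode, d_mode = observe_umask(0o022)
    print(f"kernel with umask 022: file {f_mode:03o}, dir {d_mode:03o}")
```

`observe_umask` changes the process-wide umask, so it restores the previous value in `finally`; in a multithreaded program that change would be visible to every thread for its duration.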
58. Difference between memory protection and object protection
Memory protection controls access to process memory and is enforced by the hardware on every access - Object protection controls access to files and other OS-managed resources and is enforced by the OS on each request

59. What is a VPN?
Virtual Private Network: encrypted tunnels built with specialised protocols that connect trusted networks or hosts across a public network

60. Why are VPNs needed?
Normal network traffic is visible to anyone on the path - VPNs provide confidentiality (and integrity) through encrypted tunnels

61. What is VPN tunnelling?
One data stream carried inside another - The original packets are encapsulated, headers included, and transmitted inside the encrypted tunnel

62. What is a private network?
Network intended only for trusted users - Security may rely on isolation, authentication, firewalls and gateways

63. What are the two primary VPN use cases?
Site-to-site VPN - Remote access VPN

64. What is a site-to-site VPN?
Connects two private networks across a public network - Typically transparent to end users, since the gateways do the work

65. What is a remote access VPN?
Allows authorised users to access a private network remotely from outside it

66. What is transport mode VPN?
Host-to-host VPN architecture - Provides end-to-end security between the communicating hosts; only the payload is protected, the original IP header travels in the clear

67. What is tunnel mode VPN?
VPN architecture where gateways or endpoints add and remove the VPN protection - The whole original packet, header included, is encapsulated in a new packet between the gateways

68. What is a network-to-network VPN?
Tunnel-mode VPN connecting two networks through their gateways

69. What is a network-to-host VPN?
Tunnel-mode VPN connecting a remote user to an organisation's network
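Transport mode versus tunnel mode (cards 61 and 66 to 69) from the point of view of an observer on the public network, as an added example that is not part of the original cards. The addresses and payload are constructed, the 8-byte header is a simplified stand-in for an IP header, and `toy_keystream_xor` is a deliberately insecure placeholder for the VPN protocol's cipher so that the framing can be shown with the standard library alone; it must not be used to protect real traffic.

```python
"""Transport mode vs tunnel mode: what a passive observer on the public
network sees, and where the traffic becomes visible again.

Added worked example, not part of the original card set. Addresses and the
payload are constructed; the 8-byte header is a simplified stand-in for an IP
header; toy_keystream_xor is an INSECURE placeholder for the VPN cipher, used
only so the framing can be shown with the standard library.
"""
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str            # dotted IPv4 addresses, illustrative only
    dst: str
    payload: bytes

def toy_keystream_xor(key: bytes, nonce: int, data: bytes) -> bytes:
    """XOR with SHA-256-derived blocks. Symmetric: call again to decrypt.
    NOT a secure cipher; it stands in for the tunnel's real encryption."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def pack_header(src: str, dst: str) -> bytes:
    """Simplified header: 4-byte source address, 4-byte destination address."""
    return bytes(int(o) for o in src.split(".")) + bytes(int(o) for o in dst.split("."))

def unpack_header(hdr: bytes):
    return ".".join(map(str, hdr[:4])), ".".join(map(str, hdr[4:8]))

def transport_mode(pkt: Packet, key: bytes, nonce: int) -> bytes:
    """Host-to-host: the original header is sent in the clear; only the payload
    is encrypted, so the endpoints (but not the data) are visible on the path."""
    return pack_header(pkt.src, pkt.dst) + toy_keystream_xor(key, nonce, pkt.payload)

def tunnel_mode(pkt: Packet, gw_src: str, gw_dst: str, key: bytes, nonce: int) -> bytes:
    """Gateway-to-gateway: the whole original packet, header included, is
    encrypted and carried inside a new packet addressed between the gateways."""
    inner = pack_header(pkt.src, pkt.dst) + pkt.payload
    return pack_header(gw_src, gw_dst) + toy_keystream_xor(key, nonce, inner)

def observer_view(datagram: bytes) -> dict:
    """Everything an eavesdropper without the key can read: the outer header
    and the size of the encrypted body."""
    src, dst = unpack_header(datagram[:8])
    return {"src": src, "dst": dst, "encrypted_bytes": len(datagram) - 8}

def gateway_decapsulate(datagram: bytes, key: bytes, nonce: int) -> Packet:
    """The far gateway strips the outer header and decrypts. From here the
    packet travels in the clear on the private network: whoever runs that
    gateway (the VPN provider, in the remote-access case) can read it."""
    inner = toy_keystream_xor(key, nonce, datagram[8:])
    src, dst = unpack_header(inner[:8])
    return Packet(src, dst, inner[8:])

if __name__ == "__main__":
    key, nonce = b"constructed-demo-key", 1
    pkt = Packet("10.0.1.5", "10.0.2.9", b"GET /payroll HTTP/1.1\r\n")
    print("transport mode, observer sees:", observer_view(transport_mode(pkt, key, nonce)))
    wire = tunnel_mode(pkt, "203.0.113.1", "198.51.100.7", key, nonce)
    print("tunnel mode, observer sees:   ", observer_view(wire))
    print("after the gateway decapsulates:", gateway_decapsulate(wire, key, nonce))
```

In transport mode the observer learns which two hosts are talking and how much; in tunnel mode only the two gateways and the packet size are visible, and the inner addresses reappear only after `gateway_decapsulate`, which is exactly the point at which the gateway operator (or VPN provider) can see everything.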
70. What are limitations of VPNs?
VPN provider (or gateway operator) can observe traffic once it leaves the tunnel - Browser tracking remains possible - VPNs can be abused for insider attacks

71. Why must users trust a VPN provider?
Traffic is in the clear after leaving the VPN tunnel - The provider's handling of logs determines the user's privacy

72. Why does a VPN not prevent browser tracking?
A VPN only hides the network path; websites can still track users with cookies, logins and similar mechanisms

73. How can VPNs enable insider attacks?
Encrypted traffic may bypass normal network monitoring - Data exfiltration through the tunnel can become harder to detect