
Lecture 30 - Security 1 - Security, Protection, Cryptography

Memory Allocation Algorithms

1. Buddy Allocator

Definition: A method of allocating memory in blocks whose sizes are powers of 2, which keeps block management simple and lets freed neighbours ("buddies") be merged back together.

Example Process:

  • Start with an initial block of 64 bytes, which is to be used as the base for allocations.

  • When allocating 8 bytes:

    • Round the request up to the nearest power of 2 that fits it, which is 8 bytes in this case.

    • Hand out the 8-byte block; the 1 byte the request does not use is internal fragmentation, since memory is only handed out in fixed power-of-2 blocks.

  • Splitting Blocks:

    • If no free block of the required size is available, the allocator splits a larger free block into two equal halves (buddies), repeating until a block of the right size is produced.

    • For example, a block of 32 bytes can be split into two blocks of 16 bytes each to fulfill different allocation requests.

  • This method keeps block sizes close to the request sizes, reducing waste, but it can still leave unusable space as the system adapts to varied request sizes.
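The walk-through above, as an added example that is not part of the lecture notes: a small buddy allocator simulation over a single 64-byte arena with an assumed 8-byte minimum block. A request is rounded up to a power of 2, larger blocks are split in halves until one of that size exists, and on free a block is merged with its buddy while the buddy is also free. The 7-byte request (which the allocator rounds up to an 8-byte block, wasting 1 byte) and the 20-byte request are constructed for the demo.

```python
# Added example (not from the notes): a minimal buddy allocator over a
# 64-byte arena. Block sizes are powers of two; each free list is keyed by
# block size. The arena size and 8-byte minimum block are assumptions.

ARENA_SIZE = 64
MIN_BLOCK = 8


def round_up_pow2(n):
    """Smallest power of two >= n (and >= MIN_BLOCK)."""
    size = MIN_BLOCK
    while size < n:
        size *= 2
    return size


class BuddyAllocator:
    def __init__(self, arena_size=ARENA_SIZE):
        self.arena_size = arena_size
        # free_lists[size] -> sorted offsets of free blocks of that size
        self.free_lists = {}
        size = MIN_BLOCK
        while size <= arena_size:
            self.free_lists[size] = []
            size *= 2
        self.free_lists[arena_size].append(0)
        # allocated[offset] = (block_size, requested_size)
        self.allocated = {}

    def alloc(self, requested):
        size = round_up_pow2(requested)
        if size > self.arena_size:
            return None
        # find the smallest free block able to satisfy the request
        cur = size
        while cur <= self.arena_size and not self.free_lists[cur]:
            cur *= 2
        if cur > self.arena_size:
            return None  # no free block large enough
        offset = self.free_lists[cur].pop(0)
        # split down to the requested size; the upper half of every split
        # becomes a free block (the "buddy" of the lower half)
        while cur > size:
            cur //= 2
            self.free_lists[cur].append(offset + cur)
            self.free_lists[cur].sort()
        self.allocated[offset] = (size, requested)
        return offset

    def free(self, offset):
        size, _ = self.allocated.pop(offset)
        # coalesce with the buddy while the buddy is also free
        while size < self.arena_size:
            buddy = offset ^ size   # buddy address differs in exactly one bit
            if buddy in self.free_lists[size]:
                self.free_lists[size].remove(buddy)
                offset = min(offset, buddy)
                size *= 2
            else:
                break
        self.free_lists[size].append(offset)
        self.free_lists[size].sort()

    def internal_fragmentation(self):
        """Bytes allocated but never requested, summed over live blocks."""
        return sum(b - r for b, r in self.allocated.values())

    def free_bytes(self):
        return sum(s * len(lst) for s, lst in self.free_lists.items())


def buddy_demo():
    a = BuddyAllocator()
    p = a.alloc(7)    # rounds up to an 8-byte block -> 1 byte wasted
    q = a.alloc(20)   # rounds up to a 32-byte block -> 12 bytes wasted
    snapshot = (p, q, a.internal_fragmentation(), a.free_bytes(),
                {s: list(l) for s, l in a.free_lists.items() if l})
    a.free(p)
    a.free(q)
    # after both frees the buddies coalesce back into one 64-byte block
    return snapshot, a.free_lists[ARENA_SIZE]
```

Allocating 7 bytes first splits the 64-byte block into 32, 16 and 8-byte pieces, and the 20-byte request then takes the free 32-byte buddy without any further split; freeing both in either order merges everything back into the original block.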

2. Slab Allocator

Definition: An allocator design that carves memory into fixed-size slots grouped into chunks known as slabs, using memory efficiently by managing many objects of identical size.

Use Case: Particularly beneficial for environments that repeatedly allocate and deallocate numerous instances of the same sized object, such as structures in systems programming.

Example: In a web server handling user sessions, each session can be represented as a struct requiring 128 bytes. A slab can be allocated that holds multiple session structs of 128 bytes, allowing quick retrieval and storage. This reduces memory overhead as the slab structure manages these allocations internally.

Bitmap Usage: Instead of managing each slot individually, the availability of each slot can be represented in a bitmap, reducing the complexity and overhead of tracking free slots.
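The session-struct example above, as an added example that is not code from the notes: a slab of fixed-size slots whose occupancy is tracked in one integer used as a bitmap, and a cache that adds a new slab only when every existing slab is full. The 128-byte object size and 8 slots per slab are assumptions chosen for the demo.

```python
# Added example (not from the notes): slab allocation with a bitmap of free
# slots. Object size (128 bytes) and slots per slab (8) are assumptions.

class Slab:
    def __init__(self, object_size=128, slots=8):
        self.object_size = object_size
        self.slots = slots
        self.bitmap = 0              # bit i set => slot i is in use
        self.storage = [None] * slots

    def alloc(self, obj):
        """Return the slot index now holding obj, or None if the slab is full."""
        for i in range(self.slots):
            if not (self.bitmap >> i) & 1:
                self.bitmap |= 1 << i
                self.storage[i] = obj
                return i
        return None

    def free(self, index):
        # a clear bit means the slot is already free: refuse the double free
        if not (self.bitmap >> index) & 1:
            raise ValueError("double free of slot %d" % index)
        self.bitmap &= ~(1 << index)
        self.storage[index] = None

    def used(self):
        return bin(self.bitmap).count("1")

    def is_full(self):
        return self.bitmap == (1 << self.slots) - 1


class SlabCache:
    """Grows by whole slabs; objects are addressed as (slab index, slot)."""

    def __init__(self, object_size=128, slots_per_slab=8):
        self.object_size = object_size
        self.slots_per_slab = slots_per_slab
        self.slabs = []

    def alloc(self, obj):
        for si, slab in enumerate(self.slabs):
            idx = slab.alloc(obj)
            if idx is not None:
                return (si, idx)
        # every slab is full: add one more and place the object there
        self.slabs.append(Slab(self.object_size, self.slots_per_slab))
        return (len(self.slabs) - 1, self.slabs[-1].alloc(obj))

    def free(self, handle):
        si, idx = handle
        self.slabs[si].free(idx)

    def memory_reserved(self):
        return len(self.slabs) * self.slots_per_slab * self.object_size

    def objects_live(self):
        return sum(s.used() for s in self.slabs)


def slab_demo():
    cache = SlabCache(object_size=128, slots_per_slab=8)
    # ten sessions: the first slab fills, the next two spill into a second slab
    handles = [cache.alloc({"session": n}) for n in range(10)]
    cache.free(handles[3])
    reused = cache.alloc({"session": "new"})   # reuses the freed slot
    return (len(cache.slabs), cache.objects_live(), cache.memory_reserved(),
            reused, cache.slabs[0].bitmap)
```

The bitmap makes "is this slot free?" a single shift-and-mask, and the double-free check in `free` is the same cheap test; a real kernel slab allocator keeps the same idea but stores the bitmap (or a free-list index) next to the slab's memory.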

3. Internal vs. External Fragmentation

  • Internal Fragmentation: This occurs when there is unused space within an allocated block. For example, if a user allocates 30 bytes from a 64-byte block, the remaining 34 bytes in that block constitute internal fragmentation.

  • External Fragmentation: This refers to the unused space that arises in the memory as a result of the allocation and deallocation process. Over time, as blocks of different sizes are allocated and freed, gaps can form between allocated blocks. For instance, if a 64-byte block is split to create several allocations of 10 bytes and one 20-byte allocation, the remaining unallocated memory may not be enough to accommodate another 10-byte request, leading to external fragmentation.
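To make the two kinds of fragmentation measurable, here is an added example (not from the notes): a first-fit allocator over a 64-byte arena that keeps each live allocation as a (start, size) pair. The allocation and free sequence is constructed so that 24 bytes are free in total, yet no single hole can satisfy a 20-byte request, which is exactly the external fragmentation the notes describe.

```python
# Added example (not from the notes): first-fit allocation over a 64-byte
# arena, used to show external fragmentation. Sizes are constructed.

ARENA = 64


class FirstFit:
    def __init__(self, arena=ARENA):
        self.arena = arena
        self.live = {}   # name -> (start, size)

    def holes(self):
        """Contiguous free ranges as (start, length), in address order."""
        out = []
        pos = 0
        for start, size in sorted(self.live.values()):
            if start > pos:
                out.append((pos, start - pos))
            pos = start + size
        if pos < self.arena:
            out.append((pos, self.arena - pos))
        return out

    def alloc(self, name, size):
        """Place the request in the first hole large enough, else None."""
        for start, length in self.holes():
            if length >= size:
                self.live[name] = (start, size)
                return start
        return None

    def free(self, name):
        del self.live[name]

    def total_free(self):
        return sum(length for _, length in self.holes())

    def largest_hole(self):
        return max((length for _, length in self.holes()), default=0)


def fragmentation_demo():
    ff = FirstFit()
    for name in "ABC":
        ff.alloc(name, 10)      # A@0, B@10, C@20
    ff.alloc("D", 20)           # D@30
    ff.alloc("E", 10)           # E@50, leaving 4 bytes at the end
    ff.free("A")
    ff.free("C")
    # 24 bytes are free in total, but the largest hole is only 10 bytes:
    # a 20-byte request fails while a 10-byte one still succeeds
    return (ff.total_free(), ff.largest_hole(), ff.holes(),
            ff.alloc("F", 20), ff.alloc("G", 10))
```

The gap between `total_free()` and `largest_hole()` is the usual way to quantify external fragmentation; internal fragmentation, by contrast, is invisible to this allocator because it hands out exactly the requested size.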

Security Concepts

1. Definitions of Security

  • Security: The discipline that focuses on preventing unauthorized access to information systems. It encompasses measures taken to protect digital and physical assets. Example: Firewalls, encryption protocols, and security policies are all part of a broader security strategy to safeguard sensitive data.

  • Protection: Mechanisms and policies that control access, helping to safeguard resources from unauthorized use or modification. Example: Using multi-factor authentication (MFA) to control access to sensitive systems, ensuring that only authorized users can log in.

  • Principle of Least Privilege: A foundational security principle stating that users and programs should be granted the minimum levels of access necessary for their functions, eliminating unnecessary exposure to sensitive data. Example: A user in a sales department may only have access to customer data relevant to their job role, but not to financial records.

2. Privilege Separation

Definition: A practice aimed at increasing security by dividing a program into distinct parts, each operating under a different privilege level. This limits overall exposure and damage potential if one part is compromised.

Implementation: In UNIX systems, every process has real and effective user IDs that regulate its permissions and access control. For instance, running a web server as a less privileged user minimizes the risk of exposing critical system resources.

3. Goals of Security

  • Confidentiality: Protecting information from unauthorized access and disclosure. Example: Encryption is used in emails to ensure that only the intended recipient can read the content.

  • Authentication: The process of verifying the identity of users or systems to ensure trusted interactions. Example: Username and password combinations alongside biometric verification such as fingerprint scans to access secure systems.

  • Integrity: Ensuring that data remains unaltered and reliable over time, providing assurance against unauthorized modification. Example: Use of hash functions to verify that a downloaded file has not been tampered with by comparing its hash value against a known good value.

  • Availability: Ensuring that computing systems, data, and resources are accessible and functional for authorized users as needed. Example: Regular backups and system redundancy ensure that data is always accessible, even in the event of hardware failure.

4. Domain of Protection

Definition: Refers to specifying the objects a process can access and the operations that are permitted on them.

Implementation: This can be mapped using an Access Matrix, which defines the relationship between processes (domains) and their permissible operations on various objects. For instance, a process for logging system errors may only have access to write to log files, not to modify user data.

5. Access Control Components

  • Access Control List (ACL): A per-object list of the permissions assigned to various users or groups, critical for managing file permissions in UNIX. Example: An ACL for a directory may specify read, write, and execute permissions for different user groups, allowing only admins full access while restricting others to read-only.

  • Capability List: A per-domain list of the resources that domain may access and the operations it may perform on them, used to enforce access control based on process permissions. Example: A capability list for a process may show it can read files in a designated directory but has no permissions to modify or delete them.
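The access matrix of section 4 and the two lists above, as an added example that is not part of the notes: the matrix is stored as a dictionary of domains to objects to rights, an ACL is read off as a column (one object, every domain) and a capability list as a row (one domain, every object). The domains, object paths and rights are constructed for the demo; the `least_privilege_check` helper is an added illustration of the principle from section 1, not a standard API.

```python
# Added example (not from the notes): an access matrix and its two classic
# decompositions. Domains, objects and rights are constructed.

ACCESS_MATRIX = {
    # domain     : { object : set of rights }
    "logger":    {"/var/log/app.log": {"write"}},
    "webserver": {"/var/www/index.html": {"read"},
                  "/var/log/app.log": {"write"}},
    "admin":     {"/var/www/index.html": {"read", "write"},
                  "/var/log/app.log": {"read", "write"},
                  "/etc/users.db": {"read", "write"}},
}


def acl(matrix, obj):
    """Column of the matrix: the rights each domain holds on one object."""
    return {dom: set(rights[obj]) for dom, rights in matrix.items()
            if obj in rights}


def capability_list(matrix, domain):
    """Row of the matrix: the objects one domain can reach, and how."""
    return {obj: set(r) for obj, r in matrix.get(domain, {}).items()}


def is_allowed(matrix, domain, obj, op):
    """Default deny: anything not explicitly granted is refused,
    including unknown domains and unknown objects."""
    return op in matrix.get(domain, {}).get(obj, set())


def least_privilege_check(matrix, domain, needed):
    """Rights the domain holds beyond what its job needs (ideally empty).
    `needed` maps object -> set of rights the domain actually requires."""
    excess = {}
    for obj, rights in matrix.get(domain, {}).items():
        extra = rights - needed.get(obj, set())
        if extra:
            excess[obj] = extra
    return excess
```

Both views answer the same question, but they are cheap in different directions: revoking everyone's access to one file is a single ACL edit, while listing everything one process can touch (for example, when auditing a compromised service) is a single capability-list lookup.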

Cryptography Overview

1. Purpose of Cryptography

  • Authentication: Lets the receiver verify the origin of a message. Example: Digital signatures are used to confirm the identity of the sender of an email.

  • Integrity: Ensures data remains unchanged during transit or storage. Example: Checksums are computed and sent alongside files to verify they were not altered during transmission.

  • Non-repudiation: Guarantees senders cannot deny having sent their messages, enhancing accountability in communications. Example: Contracts signed electronically serve as proof that the sender cannot deny sending them.

  • Confidentiality: Methods that conceal message content from unauthorized viewers, using encryption to prevent access. Example: HTTPS secures web traffic by encrypting data between the user's browser and the server.
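The integrity check from the security goals (comparing a downloaded file's hash against a known good value) and the distinction between integrity and authentication above, as an added example that is not from the notes. It uses only the Python standard library: a bare SHA-256 digest detects modification but can be recomputed by anyone, so it only proves integrity if the published digest is itself trusted; an HMAC with a shared key also proves origin, since a tag cannot be recomputed without the key. The file contents, the published digest and the key are constructed for the demo.

```python
# Added example (not from the notes): integrity via a plain hash versus
# integrity plus origin authentication via an HMAC. The file bytes, the
# "published" digest and the shared key are constructed.
import hashlib
import hmac

# "Downloaded" file contents and the digest the distributor published
ORIGINAL = b"release-1.0.tar.gz contents (constructed sample)\n"
KNOWN_GOOD_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()


def verify_hash(data, expected_hex):
    """Integrity only. Anyone can recompute a hash, so this detects
    corruption or tampering only if expected_hex came from a trusted,
    separately authenticated source."""
    actual = hashlib.sha256(data).hexdigest()
    # constant-time comparison: do not leak how many bytes matched
    return hmac.compare_digest(actual, expected_hex)


def tag(data, key):
    """HMAC-SHA256 tag over data under a shared secret key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(data, key, mac_hex):
    """Integrity plus authentication: modifying the data, or not holding
    the key, both produce a mismatching tag."""
    return hmac.compare_digest(tag(data, key), mac_hex)


def integrity_demo():
    key = b"shared-secret-key (constructed)"
    tampered = ORIGINAL.replace(b"1.0", b"1.1")
    return {
        "hash_ok": verify_hash(ORIGINAL, KNOWN_GOOD_SHA256),
        "hash_detects_tamper": not verify_hash(tampered, KNOWN_GOOD_SHA256),
        # the limit of a bare hash: whoever can replace the published digest
        # can make a modified file verify, which is why the digest must be
        # fetched over an authenticated channel or signed
        "hash_alone_does_not_authenticate":
            verify_hash(tampered, hashlib.sha256(tampered).hexdigest()),
        "mac_ok": verify_mac(ORIGINAL, key, tag(ORIGINAL, key)),
        "mac_detects_tamper": not verify_mac(tampered, key, tag(ORIGINAL, key)),
        # without the key a fresh tag over the modified data does not verify
        "mac_needs_key": not verify_mac(tampered, key, tag(tampered, b"guess")),
    }
```

`hmac.compare_digest` is used in both checks so that the comparison takes the same time whether the first or the last byte differs; a plain `==` on digests is a common source of timing side channels in verification code.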

2. Key Cryptography Terms

  • Plaintext: The original, readable content before encryption. Example: The text "Hello World" is plaintext before being encrypted.

  • Ciphertext: The encoded output generated after encryption that obscures the original message. Example: The encrypted version of "Hello World" might appear as "U2FsdGVkX1+jP6L2ToUsA==" after encryption with an algorithm.

  • Symmetric Key Algorithm: Uses the same key for both encryption and decryption, providing quick and straightforward encryption (e.g., DES). Example: A user and their friend share a common key to encrypt messages between them, ensuring only they can read each other's messages.

  • Public Key Algorithm: A two-key system involving a public and a private key to secure communications, facilitating secure exchanges without prior key sharing. Example: The RSA algorithm allows users to share their public key openly while keeping their private key secret, so that others can encrypt messages only they can read.

3. Challenges in Symmetric Key Cryptography

  • Key Distribution: Insecure environments make it difficult to share encryption keys safely, leading to potential security vulnerabilities. Example: A company struggling to distribute encryption keys to its sales team securely, risking interception by competitors.

  • Key Explosion: The need for a unique key for every pair of users creates extensive key management challenges: n users require n(n-1)/2 keys, making scalable and efficient key management crucial. Example: In a chat application with 100 users, the number of keys required would total 4,950 if each user needs a unique key for private conversations with every other user.