software types
DESCRIPTION
Software Types. Operating Systems Also called Systems Software Manage the computer resources Ex: Linux, Windows, MacOS Applications Software Specific tasks Rely on OS Ex: MS Office, CAD/CAM, PhotoShop. OS Types. IBM 370 SunOS, VAX Win Server 2008 Windows, MacOS Windows CE pSOS - PowerPoint PPT PresentationTRANSCRIPT
Software TypesSoftware TypesOperating Systems
◦Also called Systems Software◦Manage the computer resources◦Ex: Linux, Windows, MacOS
Applications Software◦Specific tasks◦Rely on OS◦Ex: MS Office, CAD/CAM, PhotoShop
OS TypesOS TypesMainframesWorkstationsServersPersonal
Computers Mobile DevicesReal TimeEmbedded
04/24/23 2
IBM 370SunOS, VAXWin Server 2008Windows, MacOSWindows CEpSOSEmbedded NT,
embedded Linux
Live Chat 7
Operating System Operating System FunctionsFunctionsAccess Control
◦Who can access resources.Identity and credential
management◦Account management and
verification.Information flow.Audit and Integrity protection.
◦Logs & permissions.
What needs Protection?What needs Protection?Memory.I/O devices: disksRe-useable I/O devices: printers.Programs and sub-processes.Networks.Data.
Security Methods of Operating Security Methods of Operating SystemsSystemsSeparation: basis of protection
◦Physical: different devices for different security levels.
◦Temporal: processes execute at different times.
◦Logical: illusion that a user is operating alone.
◦Cryptographic: conceal data and computations.
Only half the answer ◦must share some objects.
Protection LevelsProtection LevelsDo not protect.Isolate: processes unaware of each
other.Share all or share nothing. Owner
declares.Share via access limitation: OS checks.Share by capabilities: dynamic creation
of sharing rights for objects.Limit use of object: view but not print.
Protection Ring ModelProtection Ring Model
UNIX Operating System UNIX Operating System SecuritySecurityRoot Accounts
◦ Sudo an alternative.Permissions
◦ -rwxr--r-- /etc/passwd◦ Owner, group, world.
SUID◦ -rwSrwxrwx 1 root wheel 3412 Jan 1 2011
program.sh◦ Dangerous, anyone can edit and execute
as root.
UNIX Operating System UNIX Operating System SecuritySecurity Iptables: Host based firewall.OSSEC: Host based intrusion detection.AIDE: log monitoring.Only run required services
◦ Center for Internet Security Instructions to lock down and secure most operating systems.
Extra secure operating systems◦ SELinux: security enhanced Linux with security
modules.◦ OpenBSD: listed #1 in a top ten list.
Windows OS SecurityWindows OS SecurityFirewall: turn it on.Automatic updates: set a time.Anti-Virus: must have.Anti-Spyware: good to have.HIDS: 3rd party products.Event Monitoring: centralize
logging.User Permissions: audit
permissions.
Windows Security ToolsWindows Security ToolsSecunia: monitor for product patches.AVG: free Anti-virus.Malwarebytes: anti-malware.Spybot Search and Destroy: rm
spyware.JavaRA & PureRA: keep java up to
date.Parental/worker controls: block web
sites.Use at your own risk.
Memory ProtectionMemory ProtectionProtect the memory space of data &
programs.◦Fence: confine to one side of a boundary.◦Fence Register: address at the end of the
Operating System. Restrictive, too much memory could be reserved.
Variable fence register: location can change◦Protects in one direction. Users compete for
Memory.
Figure 4-1 Fixed Fence.
Figure 4-2 Variable Fence Register.
Figure 4-3 Pair of Base/Bounds Registers.Variable Register = Base Register
Figure 4-4 Two Pairs of Base/Bounds Registers.
Tagged ArchitectureTagged ArchitectureBase/bounds registers are all or
nothing.Tagged Architecture
◦Every word of memory is tagged with extra bits to identify access rights to the word.
◦Compatibility of code can be a problem.
Figure 4-5 Example of Tagged Architecture.
SegmentationSegmentationDivide a program into separate pieces
◦Code of a procedure, an array, data values.
◦Each piece can have its own access rights.◦A segment has a name and an offset
value.◦Usually one OS segment address table per
executing process.◦Segments can exist at any location, can be
moved and can be checked for protection.
Figure 4-6 Logical and Physical Representation of Segments.
Figure 4-7 Translation of Segment Address.
Paging a Segmentation Paging a Segmentation AlternativeAlternativeDivide program into equal-sized
pieces.Memory divided into equal-sized
page frames so no fragmentation concerns.
Operating System maintains a table of pages to true memory address.
Programmers do not have to worry about page boundaries unlike segmentation.
Figure 4-8 Page Address Translation.
Combine Paging & Combine Paging & SegmentationSegmentationPaging offers implementation
efficiency.Segmentation offers logical
protection.Combine them to form paged
segmentation.◦Program divided into logical segments◦Break each segment into fixed page sizes.◦Hardware improvement improved
efficiency for paged segmentation.
Figure 4-9 Paged Segmentation.
Directory AccessDirectory AccessEach user controls access to their files.Each user has their own directory.
◦ Also has copies of files they can access.Permissions: Read, Write, eXecute.Difficulty if there are many shared
objects.◦ Space consumption.
Revocation of access can be time consuming.◦ Given the number of copies.
Figure 4-10 Directory Access.
Alternative Access PathsAlternative Access PathsDirectory problems with
pseudonyms.◦Owners have files with same name.◦Want to grant access to these files to
another user.◦Multiple permissions may exist to
same object for a single user.◦The directory approach is considered
too simple for most object protection situations.
Figure 4-11 Alternative Access Paths.
Access Control ListsAccess Control ListsOne list maintained for each
object.List shows all subjects with
access.One access control list per
object.Each subject has a directory.ACLs use wild cards “*”.
Figure 4-12 Access Control List.
Domains and Name SpaceDomains and Name SpaceA capability is an unforgettable token
allowing certain rights to an object.Each capability identifies a single
object in a domain.A domain is a collection of objects
which a process has access too.A user may have access to a domain
which includes programs, files, data, I/O devices.
Figure 4-13 Process Execution Domain.
Domain Object PassingDomain Object PassingA collection of capabilities defines a
domain.Calling a sub-procedure can pass
objects.Capabilities are a straight forward way to
track of access rights during execution. capabilities backed up by control matrix
or an access control list.Capabilities must be stored in memory
inaccessible to users.
Figure 4-14 Passing Objects to a Subject.
AAA Authentication Authorization AAA Authentication Authorization and Accountabilityand Accountability
Identity is often left out. Should be IAAAIdentity is a claim. “I am So&So”Authentication is proving an identity
claim.◦Password, 2-factor, credentials.
Authorization defines what you can doAccountability hold users accountable for
their actions.◦Logging, auditing.
Triple A ModelTriple A Model
04/24/23 37
Authentication Authorization
AccountingSource: Jayaswal, K. (2006). Administering data centers: Servers, storage, and voice over IP. Indianapolis, IN: Wiley Publishing, Inc.
Live Chat 10
AAAAAAAuthentication
◦Who you areAuthorization
◦What you are permitted to doAccounting
◦What you actually did
04/24/23 38
Source: Jayaswal, K. (2006). Administering data centers: Servers, storage, and voice over IP. Indianapolis, IN: Wiley Publishing, Inc.
Live Chat 10
AuthenticationAuthenticationAuthentication is the process
used to identify who you are based on:◦User name/password combination◦Certificates◦Biometrics
Fingerprints Retina scan Other?
04/24/23 39
Source: Jayaswal, K. (2006). Administering data centers: Servers, storage, and voice over IP. Indianapolis, IN: Wiley Publishing, Inc.
Live Chat 10
AuthenticationAuthenticationPassword-based authentication
◦ User name/passwordToken-based authentication
◦ One-time password generated by encrypting a time stamp with secret key (SecurID)
Digital Certificate-based authentication◦ Electronic or digital certificate◦ Contains public key, user information,
issuer’s information, and valid period
04/24/23 40
Source: Jayaswal, K. (2006). Administering data centers: Servers, storage, and voice over IP. Indianapolis, IN: Wiley Publishing, Inc.
Live Chat 10
Authorization ProcessAuthorization ProcessAs users attempt to gain access
to network resources, credentials are presented
Request sent to an AAA serverServer authenticates user and
determines authorizationAccounting keeps track of
resource usage
04/24/23 41
Source: Jayaswal, K. (2006). Administering data centers: Servers, storage, and voice over IP. Indianapolis, IN: Wiley Publishing, Inc.
Live Chat 10
Authentication Authentication MechanismsMechanismsSomething the user knows
◦Password, pass phrase, PIN, a secret.Something the user has:
◦Badge, keys, identification, token.Something the user is
◦Biometrics2-Factor: require two of the
above.
Figure 4-15 Users’ Password Choices.
Password AttacksPassword AttacksPassword cracking: John-the-ripperBrute force attacks: take time, effective.Rainbow Table: a database of password hash
values.Hybrid attack: append or pre-pend
characters before hashing. ◦Attack against complex passwords.
Dictionary attacks: use word lists.Salt: a random value used when creating
password hashes.
BiometricsBiometricsEnrollment: registering with the system.Throughput: how long to authenticate. 6-10Accuracy
◦False Rejection Rate(FRR) Authorized subject rejected
◦False Accept Rate Unauthorized person accepted as valid
◦Crossover Error Rate: accuracy Where FRR =FAR
Biometric DevicesBiometric DevicesRetina Scan: laser scan of capillaries.Iris Scan: passive, high accuracy, each iris is
unique, no body fluids exchanged.Hand Geometry: specific points on hand.Keyboard dynamics: measure pressure and rhythm.Dynamic Signature: how a person signs their
name. Voice Print: tone of voice. Vulnerable to a replay
attack.Facial scan: high cost. Used at Super Bowl to
identify criminals.
Discussion QuestionsDiscussion QuestionsBiometric Objections.
◦What are some reasons people are reluctant to use biometrics?
◦How can you counter these objections?