UNIT_8 (1)

The document provides an overview of operating systems, their types, and the importance of security and protection mechanisms. It discusses key concepts such as user authentication, access control lists, and design principles of security, emphasizing the need for confidentiality, integrity, and availability. Additionally, it outlines various types of attacks and the role of protection mechanisms in safeguarding resources against unauthorized access.

Uploaded by

kachayash155

Prof. Amit Vyas
Department of Computer Engineering
V.V.P. Engineering College

Unit-8: Security and Protection

What is an Operating System?
• An operating system is a type of system software. It manages all the resources of the computer and is an interface between the different parts of software or hardware.
• An operating system (OS) is software that manages a computer's resources and controls how information flows into the system and out of the processor.

General-Purpose Operating Systems
1. Windows Family: Windows 10, Windows 11
2. macOS
3. Linux Distributions: Ubuntu
4. Unix: family of multitasking, multi-user computer operating systems

Mobile Operating Systems
• Android: Developed by Google
• iOS: Used in Apple devices (iPhone, iPad)
• KaiOS: For feature phones (KaiOS is a mobile Linux distribution for keypad feature phones based on the Firefox OS open-source project)
• HarmonyOS: Developed by Huawei

What is Security?
• Security refers to the processes that protect the operating system from dangers, including viruses, malware, and remote hackers.
• An Intrusion Detection System (IDS) is a security tool that monitors a computer network or systems for malicious activities or policy violations.

Security Environment
• Confidentiality: Keeping information private and secure from unauthorized access, by restricting access to information so that only authorized people can view or use it. It protects personal and e information.
• If confidentiality is lost, it means unauthorized people have accessed the information.
• Integrity: Integrity means making sure information is correct, reliable, and not changed without permission.
• Data integrity also refers to the accuracy and validity of data over its entire lifecycle. After all, compromised data is of little or no interest to organizations of any size, not to mention the added risks that come with sensitive data loss.

• Availability: Ensuring that information and systems are accessible when needed and work reliably.
• A loss of availability is the disruption of access to or use of an information system. Unauthorized disclosure is a threat to confidentiality in any operating system.

The different types of attacks can affect…
• Exposure: A weakness in an organization's IT environment that could allow an attacker to gain unauthorized access to a system or network, such as unpatched software, misconfigurations, weak passwords, and outdated systems.

• Deception: The act of intentionally providing false information to convince someone to believe something that is not true.
• Interception: It is a universal attack in communications. On a shared Local Area Network (LAN) such as a wireless LAN or a broadcast Ethernet, any device attached to the LAN is able to receive a copy of packets intended for another device.

Design Principles of Security
• High-quality application development frameworks have been a boon to the world's software.
• It's easier than ever to put together an application and start delivering value for customers, who can come from anywhere in the world.
• Unfortunately, the same is true for hackers coming to attack your application.
• As the world's software grows more connected and contains more valuable data, hackers have grown more sophisticated.
• Today's hackers command massive botnets and receive sponsorship from hostile nation-states.

These principles are critical to ensuring that the software you ship is safe and secure for your customers.
1. Principle of Least Privilege
2. Principle of Separation of Duties
3. Principle of Defense in Depth
4. Principle of Failing Securely
5. Principle of Open Design
6. Principle of Avoiding Security by Obscurity (clarity)
7. Principle of Minimizing Attack Surface Area
8. How to Dive Deeper

Design Principles of Security (Cont…)
1. Least Privilege Principle
• Definition: Each user or process is given only the permissions necessary to perform its tasks.
• Example: A web browser should not have permission to modify system files.

2. Separation of Duties Principle
• Definition: Divide responsibilities and permissions among multiple entities to prevent a single point of failure.
• Example: In an operating system, an admin account cannot create backups and approve them without an additional approval process.

3. Defense in Depth Principle
• Definition: Use multiple, independent layers of security to protect the system.
• Example: An OS might use firewalls, user authentication, encryption, and intrusion detection systems together.

4. Failing Securely Principle
• Definition: When a system encounters a failure, it should default to a secure state.
• Example: If an authentication service crashes, it should block access instead of allowing unrestricted entry.

5. Open Design Principle
• Definition: The security of a system should not depend on secrecy of its design or implementation.
• Example: Open-source operating systems allow experts to find and fix vulnerabilities rather than hiding flaws.

6. Avoiding Security by Obscurity Principle
• Definition: Security should not depend on hiding details like algorithms, configurations, or code.
• Example: Instead of hiding port numbers, an OS should rely on strong encryption and authentication.

7. Minimizing Attack Surface Area Principle
• Definition: Reduce the number of ways an attacker can exploit the system.
• Example: Disable unused services and ports in the OS to limit entry points for attacks.

How to Dive Deeper
You can dive deeper into operating systems by learning about their architecture, security, and how they manage processes, memory, and devices. You can also learn how to use external tools to analyze operating systems.
• Kernel, base and limit registers, process management, security

User Authentication
• Authentication helps ensure only authorized users can gain access to a system by preventing unauthorized users from gaining access and potentially damaging systems, stealing information or causing other problems.

What is User Authentication?
• It is the process of verifying the identity of a user before granting access to the system or specific resources.
• This typically involves validating credentials like a username and password, but modern methods often include additional factors.

A straightforward process, user authentication consists of three tasks:
1. Identification.
2. Authentication.
3. Authorization.

1. Identification.
• The step where users prove their identity by providing a name, email address, phone number or username.

2. Authentication.
• What you know: Information that only the person in question would easily know, including passwords, personal identification numbers (PINs), maiden names or answers to security questions.

3. Authorization
• Using cryptographic keys to enforce integrity and authenticity, HMAC is similar to digital signatures. Secure file transfer protocols like FTPS, SFTP and HTTPS use HMAC to ensure data integrity.

Types of User Authentication Methods
Knowledge-Based Authentication (Something You Know)
• Examples: Passwords, PINs, security questions.

Token-Based Authentication (Something You Have)
• Examples: Users enter their credentials once and receive a unique encrypted string of random characters in exchange (smart card).

Biometric Authentication (Something You Are)
• Examples: Fingerprints, facial recognition, retina scans.

Location-Based Authentication (Somewhere You Are)
• Examples: Verifying access based on geographic location or IP address.

Multi-Factor Authentication (MFA)
• An authentication method that requires two or more independent ways to identify a user (e.g., password + fingerprint).

Steps in User Authentication Process
• Identification: User claims their identity (e.g., by providing a username).
• Credential Submission: User submits proof of identity (e.g., password or fingerprint).
• Validation: The operating system verifies the submitted credentials against its database.
• Access Control: If verified, the OS grants access based on the user's role and permissions.
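
The four steps above, combined with the failing-securely principle from earlier in the unit, as a runnable Python example (added here, not part of the original slides). The user names, passwords, roles, the `StoreUnavailable` error, the `store_up` switch and the PBKDF2 iteration count are all constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for this example)

class StoreUnavailable(Exception):
    """The credential database cannot be reached."""

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(password, role):
    salt = os.urandom(16)  # per-user random salt
    return {"salt": salt, "hash": hash_password(password, salt), "role": role}

# Constructed credential database and role permissions (hypothetical names).
USERS = {"alice": make_user("correct horse", "admin"),
         "bob": make_user("hunter2!", "student")}
PERMISSIONS = {"admin": {"read", "write"}, "student": {"read"}}

def lookup(username, store_up=True):
    if not store_up:  # simulates a crashed or unreachable database
        raise StoreUnavailable(username)
    return USERS.get(username)

def login(username, password, action, store_up=True):
    # 1. Identification and 2. credential submission: the caller supplies
    #    a claimed username together with a password.
    try:
        record = lookup(username, store_up)
    except StoreUnavailable:
        return False  # failing securely: no database means no access
    if record is None:
        return False  # unknown identity
    # 3. Validation: recompute the salted hash and compare in constant time.
    candidate = hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return False
    # 4. Access control: grant only what the user's role permits.
    return action in PERMISSIONS.get(record["role"], set())
```

The store keeps only a salt and a derived hash per user, never the password itself, and a valid password still yields no access when the store is down.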

Challenges in User Authentication
• Password Management: Users often reuse or choose weak passwords.
• Phishing Attacks: Users can be tricked into providing credentials.
• Biometric Spoofing: Some biometric systems can be fooled by fake fingerprints or photos.
• Usability vs Security: Stricter (harder) methods may frustrate users.

Protection Mechanism
• Protection refers to a mechanism which controls the access of programs, processes, or users to the resources defined by a computer system.
• Protection can be seen as a helper to a multiprogramming operating system, so that many users can safely share a common logical name space such as a directory or files.

Need of Protection:
• To prevent access by unauthorized users,
• To ensure that each active program or process in the system uses resources only as the stated policy allows,
• To improve reliability by detecting latent errors.

Role of Protection mechanism:
• The role of protection is to provide a mechanism that implements policies which define the uses of resources in the computer system.
• Some policies are defined at the time of design of the system, some are designed by the management of the system, and some are defined by the users of the system to protect their own files and programs.
• Application programmers should also design protection mechanisms to protect their systems against misuse.
• Policy is different from mechanism. Mechanisms determine how something will be done and policies determine what will be done.
• Policies change over time and from place to place.
• Separation of mechanism and policy is important for the flexibility of the system.

• Each domain comprises a collection of objects and the operations that may be performed on them. A domain could be made up of only one process, procedure, or user.

Figure: Protection Mechanism

Association between process and domain
Each process switches from one domain to another based on the permissions or access rights specified for it. The association between process and domain can be either static or dynamic.

1. Fixed (Static) Association
• In this approach, a process is permanently associated with a specific domain.
• All necessary access rights are predefined and assigned to the process at the start.

Example: mkdir, cd, echo.

2. Changing (Dynamic) Association
• In this approach, processes can change domains as needed during their execution.
• A new domain can be created or an existing one switched into, allowing the process to acquire additional or different permissions.
• Example: A process starts with user-level privileges but temporarily switches to an administrative domain (e.g., using sudo in Unix/Linux) to perform privileged tasks.

Access Control List
• An access control list (ACL) contains rules that grant or deny access to certain digital environments.
• There are two types of ACLs:
1. Filesystem ACLs: filter access to files and/or directories. Filesystem ACLs tell operating systems which users can access the system, and what privileges the users are allowed.
2. Networking ACLs: filter access to the network. Networking ACLs tell routers and switches which type of traffic can access the network, and which activity is allowed.
• Originally, ACLs were the only way to achieve firewall protection.
• However, organizations continue to use ACLs in conjunction with technologies like virtual private networks (VPNs) that specify which traffic should be encrypted and transferred through a VPN tunnel.

Reasons to use an ACL:
• Traffic flow control.
• Restricted network traffic for better network performance.
• A level of security for network access specifying which areas of the server/network/service can be accessed by a user and which cannot.
• Granular monitoring of the traffic exiting and entering the system.

Types of Access Control Lists
1. Standard ACL
• An access list that is developed solely using the source IP address. These access control lists allow or block the entire protocol suite.
• They don't differentiate between IP traffic such as UDP, TCP, and HTTPS. They use numbers 1-99 or 1300-1999 so the router can recognize the address as the source IP address.

2. Extended ACL
• An access list that is widely used as it can differentiate IP traffic.
• It uses both source and destination IP addresses and port numbers to make sense of IP traffic.
• You can also specify which IP traffic should be allowed or denied. They use the numbers 100-199 and 2000-2699.
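
The difference between the two ACL types, shown as a small Python evaluator (an added example, not part of the original slides). The rule format, the sample packets and the documentation-range addresses are constructed; first-match evaluation and the implicit deny when no rule matches are assumptions about router behaviour that the slides do not state.

```python
import ipaddress

def acl_type(number):
    """Classify a numbered ACL using the ranges given in the slides."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"{number} is not in a numbered ACL range")

def in_net(addr, network):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(network)

def matches(rule, pkt):
    """A field that is absent from the rule matches any packet value."""
    if not in_net(pkt["src"], rule["src"]):
        return False
    if "dst" in rule and not in_net(pkt["dst"], rule["dst"]):
        return False
    if rule.get("proto", pkt["proto"]) != pkt["proto"]:
        return False
    return rule.get("dport", pkt["dport"]) == pkt["dport"]

def evaluate(number, rules, pkt):
    if acl_type(number) == "standard":
        # A standard ACL may only look at the source address.
        rules = [{"action": r["action"], "src": r["src"]} for r in rules]
    for rule in rules:  # first matching rule wins (assumption)
        if matches(rule, pkt):
            return rule["action"]
    return "deny"  # implicit deny when nothing matches (assumption)

# Constructed rules and packets.
STANDARD_10 = [{"action": "permit", "src": "192.0.2.0/24"}]
EXTENDED_110 = [
    {"action": "permit", "src": "192.0.2.0/24", "dst": "198.51.100.10/32",
     "proto": "tcp", "dport": 443},
    {"action": "deny", "src": "192.0.2.0/24"},
]
HTTPS = {"src": "192.0.2.7", "dst": "198.51.100.10", "proto": "tcp", "dport": 443}
DNS = {"src": "192.0.2.7", "dst": "198.51.100.53", "proto": "udp", "dport": 53}
OUTSIDE = {"src": "203.0.113.5", "dst": "198.51.100.10", "proto": "tcp", "dport": 443}
```

ACL 10 permits both `HTTPS` and `DNS` because it sees only the source address, while ACL 110 permits `HTTPS` and denies `DNS` from the same host.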

Relationship Between Protection Domains and ACLs
1. A protection domain groups access rights for processes or users, while an ACL specifies access rights for each resource.
2. Protection domains work at a broader level, while ACLs provide resource-specific control.
3. Protection domains group resources and define what actions are permissible. ACLs specify access rights at the resource level, ensuring fine-grained control.
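
The relationship above, together with the dynamic domain association described earlier, expressed as an access matrix in Python (an added example, not part of the original slides). The domains, objects, rights and the permitted switch are constructed; reading a row gives a domain's rights and reading a column gives an object's ACL.

```python
# Access matrix: rows are protection domains, columns are objects.
# Constructed domains, objects and rights (hypothetical names).
MATRIX = {
    "user":  {"report.txt": {"read", "write"}, "printer": {"print"}},
    "admin": {"report.txt": {"read"}, "printer": {"print"},
              "/etc/passwd": {"read", "write"}},
}
# Permitted domain switches (dynamic association, e.g. via sudo).
SWITCH = {("user", "admin")}

def domain_rights(domain):
    """Row view: every object and right available inside one domain."""
    return MATRIX.get(domain, {})

def acl_for(obj):
    """Column view: the ACL of one object, listing each domain's rights."""
    return {d: row[obj] for d, row in MATRIX.items() if obj in row}

class Process:
    def __init__(self, name, domain):
        self.name, self.domain = name, domain

    def can(self, right, obj):
        # Default deny: no entry in the object's ACL means no access.
        return right in acl_for(obj).get(self.domain, set())

    def switch_domain(self, target):
        # Only switches listed in SWITCH are allowed.
        if (self.domain, target) not in SWITCH:
            raise PermissionError(f"{self.domain} -> {target} not allowed")
        self.domain = target
```

A process in the `user` domain cannot write `/etc/passwd` until it switches to `admin`, and after the switch it holds only the `admin` row's rights.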

Difference between Security and Protection

Security | Protection
Security grants system access to the appropriate users only. | Protection deals with access to the system resources.
In security, external threats are involved. | In protection, internal threats are involved.
In security, more convoluted queries are handled. | In protection, simple queries are handled.
Security defines which person is granted use of the system. | Protection determines what files can be accessed or permeated by a special user.
In security, encryption and certification (authentication) mechanisms are used. | In protection, an authorization mechanism is implemented.

Thank You
