Figure 9.9 Need for page replacement.
Over-allocation of memory manifests itself as follows. While a user process
is executing, a page fault occurs. The operating system determines where the
attempt to connect to one of twenty servers and download and execute a
program from them. Fortunately, the servers were disabled before the code
could be downloaded. The content of the program from these servers has not
yet been determined. If the code wa
If the program being attacked runs with system-wide permissions, this newly
created shell will gain complete access to the system. Of course, the code
segment could do anything allowed by the privileges of the attacked process.
This code segment is then c
the movie War Games. For instance, the code might check for a specific user ID or
password, and it might circumvent normal security procedures. Programmers
have been arrested for embezzling from banks by including rounding errors
in their code and having
lines. Intercepting these data could be just as harmful as breaking into a
computer; and interruption of communications could constitute a remote
denial-of-service attack, diminishing users' use of and trust in the system.
Security at the first two levels
To discuss security threats and attacks.
To explain the fundamentals of encryption, authentication, and hashing.
To examine the uses of cryptography in computing.
To describe the various countermeasures to security attacks.
block is entered, the stack frame for this method is annotated to indicate this
fact. Then, the contents of the block are executed. When an access to a protected
resource is subsequently requested, either by this method or a method it
calls, a call to che
does not provide sufficient flexibility, it can be extended or replaced with
less disturbance of a system in service than would be caused by the
modification of an operating-system kernel.
Efficiency. The greatest efficiency is obtained when enforcement
variety of protection policies to be implemented. Although a programmer can
define her own protected procedures (any of which might be incorrect), the
security of the overall system cannot be compromised. The basic protection
system will not allow an unve
In this section, we survey two capability-based protection systems. These
systems vary in their complexity and in the types of policies that can be
implemented on them. Neither system is widely used, but they are interesting
proving grounds for protection
swiftly that access is allowed. After the last access, the capability is destroyed.
This strategy is used in the MULTICS system and in the CAL system.
As an example of how such a strategy works, consider a file system in
which each file has an associated
which domains are to have access to which objects in which ways.
14.5 Implementation of Access Matrix
How can the access matrix be implemented effectively? In general, the matrix
will be sparse; that is, most of the entries will be empty. Although datastr
The access matrix can implement policy decisions concerning protection.
The policy decisions involve which rights should be included in the (i, j)th
entry. We must also decide the domain in which each process executes. This
last policy is usually decided
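As an added example (not code from the text), here is one way to store the sparse access matrix discussed above: only non-empty cells are kept, organised as a per-object access list, and the per-domain capability list is derived from the same data. The domains, objects and rights used are constructed for illustration.

```python
# Added example: a sparse access matrix stored as per-object access lists,
# with the per-domain capability-list view derived from the same data.
# Domains, objects and rights below are constructed for illustration.
from collections import defaultdict

KNOWN_RIGHTS = {"read", "write", "execute", "print", "owner"}


class AccessMatrix:
    def __init__(self):
        # object -> {domain -> set of rights}; only non-empty cells are stored
        self._acl = defaultdict(dict)
        self._domains = set()
        self._objects = set()

    def grant(self, domain, obj, *rights):
        unknown = set(rights) - KNOWN_RIGHTS
        if unknown:
            raise ValueError(f"unknown rights: {sorted(unknown)}")
        self._domains.add(domain)
        self._objects.add(obj)
        self._acl[obj].setdefault(domain, set()).update(rights)

    def revoke(self, domain, obj, *rights):
        cell = self._acl.get(obj, {}).get(domain)
        if cell is None:
            return
        cell.difference_update(rights)
        if not cell:  # drop the cell entirely so the matrix stays sparse
            del self._acl[obj][domain]

    def allowed(self, domain, obj, right):
        """The check made on every access: is `right` in cell (domain, obj)?"""
        return right in self._acl.get(obj, {}).get(domain, set())

    def access_list(self, obj):
        """Column view: which domains may do what to this object."""
        return {d: sorted(r) for d, r in self._acl.get(obj, {}).items()}

    def capability_list(self, domain):
        """Row view: which objects this domain may act on, and how."""
        caps = {}
        for obj, cells in self._acl.items():
            if domain in cells:
                caps[obj] = sorted(cells[domain])
        return caps

    def density(self):
        """(non-empty cells, total cells): why a full 2-D array would be wasteful."""
        stored = sum(len(cells) for cells in self._acl.values())
        return stored, len(self._domains) * len(self._objects)


def build_example():
    """Constructed matrix: three domains, four objects, five non-empty cells."""
    m = AccessMatrix()
    m.grant("D1", "F1", "read")
    m.grant("D1", "F3", "read")
    m.grant("D2", "F2", "read")
    m.grant("D2", "printer", "print")
    m.grant("D3", "F1", "read", "write")
    return m


if __name__ == "__main__":
    m = build_example()
    print(m.access_list("F1"), m.capability_list("D2"), m.density())
```

The same stored cells answer both questions the text raises: `access_list` is the column of the matrix attached to an object, and `capability_list` is the row attached to a domain; `density` shows how few of the cells are actually populated.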
of a user with network access privilege (such as root, the most powerful user
ID). One problem with this method is that if a user manages to create a file
with user ID root and with its setuid bit on, that user can become root and do
anything and everythi
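The practical check that follows from the setuid problem described above is an audit for set-user-ID files owned by root. The following is an added example (not from the text); the sample tree is constructed in a temporary directory, and because an unprivileged process cannot create root-owned files, the demonstration uses the current user's uid in place of uid 0.

```python
# Added example: audit a directory tree for set-user-ID files owned by a given
# uid (root is uid 0). The sample tree below is constructed in a temp dir.
import os
import stat
import tempfile


def is_setuid_owned_by(st, owner_uid):
    """True if `st` (an os.stat_result) is a regular file with the set-user-ID
    bit whose owner is `owner_uid`."""
    return (stat.S_ISREG(st.st_mode)
            and bool(st.st_mode & stat.S_ISUID)
            and st.st_uid == owner_uid)


def find_setuid_files(root, owner_uid=0):
    """Walk `root` and return matching paths relative to it, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow a symlink planted in the tree
            if is_setuid_owned_by(st, owner_uid):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo():
    """Constructed tree: one ordinary binary and two with the setuid bit.
    Owner uid is the current user, standing in for root in this demo."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for rel, mode in {"bin/ls": 0o755, "bin/passwd": 0o4755, "bin/su": 0o4755}.items():
            path = os.path.join(root, rel)
            with open(path, "wb") as f:
                f.write(b"#!/bin/sh\n")
            os.chmod(path, mode)  # chmod after writing; a write would clear the bit
        return find_setuid_files(root, owner_uid=me)


if __name__ == "__main__":
    print(demo())
```

Run against `/` with `owner_uid=0` the list should contain only the expected system utilities; any unexplained entry is exactly the file the paragraph warns about. Note that the setuid bit is ignored on filesystems mounted `nosuid`, so an entry on such a mount is suspicious but not immediately exploitable.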
tape drives) and software objects (such as files, programs, and semaphores).
Each object has a unique name that differentiates it from all other objects in the
system, and each can be accessed only through well-defined and meaningful
operations. Objects a
activities. To provide such protection, we can use various mechanisms to ensure
that only processes that have gained proper authorization from the operating
system can operate on the files, memory segments, CPU, and other resources
of a system.
process more general and sophisticated programs, so channels can be tuned
for particular workloads.
We can employ several principles to improve the efficiency of I/O:
Reduce the number of context switches.
Reduce the number of times that data must be co
[Figure (boot-sector virus) labels: virus copies boot sector to an unused location; original boot block; removable R/W disk, when installed, is infected as well; other programs; write the boot sector.]
[Figure 15.6 labels: request for worm; target system; infected system.]
Figure 15.6 The Morris Internet worm.
15.3 System and Network Threats 573
The worm was made up of two programs, a grappling hook (also called a
bootstrap or vector) program and the main p
area (such as a single building or a few adjacent buildings) and are generally
used in an office environment. All the sites in such systems are close to one
another, so the communication links tend to have a higher speed and lower
error rate than do their
616 Chapter 16 Distributed System Structures
to data migration is to transfer the entire file to site A. From that point on, all
access to the file is local. When the user no longer needs access to the file, a
copy of the file (if it has been modified) i
in standalone systems can be expanded to encompass the distributed system.
Such functions include file transfer, login, mail, and remote procedure calls.
The advantage of a distributed system is that these functions can be
carried out over great di
A distributed system is a collection of processors that do not share memory
or a clock. Instead, each processor has its own local memory, and the
processors communicate with one another through communication lines
such as local-area or wide-ar
Windows XP allows the creation of any number of user accounts, which can
be grouped in any manner. Access to system objects can then be permitted or
denied as desired. Users are identified to the system by a unique security ID.
When a user logs on, Window
to be an authorized host by meeting some authorization criterion. For example,
if a firewall rule allows a connection from a host and identifies that host by its
IP address, then another host could send packets using that same address and
be allowed throu
Although effective for a wide class of attacks, Tripwire does have limitations.
Perhaps the most obvious is the need to protect the Tripwire program
and its associated files, especially the database file, from unauthorized modification.
For this reason, T
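To make the limitation concrete, here is an added example (not Tripwire's own code) of a Tripwire-style integrity checker. It records a digest, mode and size for each regular file, reports added, removed and modified files, and protects its own database with an HMAC under a key that is kept off the monitored host, so that an attacker who edits the database to hide a modified file is also detected. The files, key and tampering below are constructed for the demonstration.

```python
# Added example: a Tripwire-style integrity checker. It records a SHA-256
# digest, mode and size for every regular file under a root, then reports
# added, removed and modified files. The database carries an HMAC under a key
# that is not stored on the monitored host, so tampering with the database
# itself is also detected. Sample files and key are constructed here.
import hashlib
import hmac
import json
import os
import tempfile


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Relative path -> attributes for every regular file under root."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            st = os.lstat(path)
            entries[os.path.relpath(path, root)] = {
                "sha256": _digest(path), "mode": st.st_mode, "size": st.st_size}
    return entries


def _tag(entries, key):
    payload = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_database(root, key):
    entries = snapshot(root)
    return {"entries": entries, "hmac": _tag(entries, key)}


def database_intact(db, key):
    return hmac.compare_digest(_tag(db["entries"], key), db["hmac"])


def check(root, db, key):
    """Compare the live tree against the database; refuse an untrusted database."""
    if not database_intact(db, key):
        raise RuntimeError("integrity database modified or wrong key")
    now = snapshot(root)
    old = db["entries"]
    return {
        "added": sorted(set(now) - set(old)),
        "removed": sorted(set(old) - set(now)),
        "modified": sorted(p for p in set(old) & set(now) if old[p] != now[p]),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    key = b"constructed-key-kept-offline"
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"ls v1")
        _write(root, "bin/ps", b"ps v1")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        db = build_database(root, key)

        _write(root, "bin/ls", b"ls v1 + implant")   # trojaned binary
        os.remove(os.path.join(root, "bin/ps"))      # tool removed
        _write(root, "bin/backdoor", b"listener")    # new file
        report = check(root, db, key)

        # Attacker edits the database to hide the trojaned ls.
        db["entries"]["bin/ls"]["sha256"] = _digest(os.path.join(root, "bin/ls"))
        return {"report": report, "tampered_db_accepted": database_intact(db, key)}


if __name__ == "__main__":
    print(demo())
```

The HMAC only helps if the key is unavailable to an intruder on the monitored host; the usual arrangement is to keep both the key and a copy of the database on read-only or off-host media and to run the check from there.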
systems. Of course, not all anomalous system activity indicates an intrusion,
but the presumption is that intrusions often induce anomalous behavior. An
example of anomaly detection is monitoring system calls of a daemon process
to detect whether the syst
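An added example (not from the text) of the system-call monitoring just described: the profile is the set of short call sequences (n-grams) observed while a daemon ran normally, and a trace is scored by the fraction of its sequences never seen before. The traces are constructed rather than captured, and the daemon, threshold and n-gram length are assumptions for illustration.

```python
# Added example: anomaly detection over a daemon's system-call trace using
# short call sequences (n-grams). The profile is the set of every n-gram seen
# during normal operation; a trace is scored by the fraction of its n-grams
# that never appeared in training. Traces below are constructed, not captured.


def ngrams(trace, n):
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def train_profile(normal_traces, n=3):
    """Every length-n call sequence observed while the daemon behaved normally."""
    profile = set()
    for trace in normal_traces:
        profile.update(ngrams(trace, n))
    return profile


def anomaly_score(trace, profile, n=3):
    """0.0 = every sequence was seen before; 1.0 = nothing in the trace was."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    unseen = sum(1 for g in grams if g not in profile)
    return unseen / len(grams)


def is_intrusion(trace, profile, n=3, threshold=0.5):
    """Alert only above a threshold: rare-but-legitimate paths also look novel."""
    return anomaly_score(trace, profile, n) > threshold


# Constructed: how a simple file-serving daemon normally handles one request.
NORMAL_TRACES = [
    ["accept", "read", "open", "read", "close", "write", "close"],
    ["accept", "read", "open", "read", "read", "close", "write", "close"],
    ["accept", "read", "stat", "open", "read", "close", "write", "close"],
]

# Constructed: a request that drives the daemon into spawning a shell.
SHELL_TRACE = ["accept", "read", "setuid", "execve", "fork", "write", "close"]

# Constructed: legitimate but previously unseen (client disconnected early).
RARE_TRACE = ["accept", "read", "open", "read", "close", "close"]

PROFILE = train_profile(NORMAL_TRACES)

if __name__ == "__main__":
    for name, t in [("normal", NORMAL_TRACES[0]), ("shell", SHELL_TRACE), ("rare", RARE_TRACE)]:
        print(name, anomaly_score(t, PROFILE), is_intrusion(t, PROFILE))
```

`RARE_TRACE` scores above zero without being an intrusion, which is the point made in the paragraph: the threshold trades false alarms on unusual but legitimate behaviour against missed attacks, and it has to be tuned per daemon from a training set that covers its normal paths.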
Katherine" might yield the password "Mmn.isK!". The password is hard to
crack but easy for the user to remember.
15.5.4 One-Time Passwords
To avoid the problems of password sniffing and shoulder surfing, a system
could use a set of paired passwords. When
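As an added example (not from the text) of paired passwords, the following generates each pair on demand: the server issues a fresh random challenge, and the user's side answers with a keyed hash of it under a shared secret. HMAC-SHA256 as the pairing function, the user name and the secret are assumptions for illustration. The demonstration shows why a sniffed answer is worthless to the attacker.

```python
# Added example: one-time passwords generated on demand as challenge-response
# pairs. The server issues a fresh random challenge; the user's device answers
# with a keyed hash (HMAC-SHA256, an assumed construction) of that challenge
# under a shared secret. A sniffed answer is useless because the next
# challenge differs. Users and secrets are constructed here.
import hashlib
import hmac
import os


def answer(secret, challenge):
    """What the user's token or client computes from the presented challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class OtpServer:
    def __init__(self, secrets):
        self._secrets = dict(secrets)      # user -> shared secret bytes
        self._pending = {}                 # user -> outstanding challenge

    def challenge(self, user):
        c = os.urandom(16)
        self._pending[user] = c            # one outstanding challenge per user
        return c

    def verify(self, user, response):
        c = self._pending.pop(user, None)  # consumed on use, so no replay
        secret = self._secrets.get(user)
        if c is None or secret is None:
            return False
        return hmac.compare_digest(answer(secret, c), response)


def demo():
    alice_secret = b"constructed-shared-secret"
    server = OtpServer({"alice": alice_secret})

    # Legitimate login: a sniffer on the wire records (c1, r1).
    c1 = server.challenge("alice")
    r1 = answer(alice_secret, c1)
    first_login = server.verify("alice", r1)

    # Immediate replay of the same response: the challenge was consumed.
    replay_same = server.verify("alice", r1)

    # Replay in a new session: the server has picked a different challenge.
    c2 = server.challenge("alice")
    replay_new_session = server.verify("alice", r1)

    return {"first_login": first_login, "replay_same": replay_same,
            "replay_new_session": replay_new_session, "challenges_differ": c1 != c2}


if __name__ == "__main__":
    print(demo())
```

What the sniffer or shoulder-surfer learns is one (challenge, response) pair, which the server never accepts twice; the shared secret itself never crosses the wire, so it has to be obtained from the client device or the server's store instead.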
15.6 Implementing Security Defenses 593
concerned with operating systems and the software that runs on them, we will
concentrate on those aspects.
Vulnerability scans typically are done at times when computer use is
relatively low, to minimize their impac
security is frequently bypassed or otherwise circumvented.
15.5.2 Password Vulnerabilities
Passwords are extremely common because they are easy to understand and use.
Unfortunately, passwords can often be guessed, accidentally exposed, sniffed,