Lecture 4 discussed operating system security. From the moment you boot your computer, that is, after the BIOS loads, you are interacting with the operating system. In a modern computer system, the operating system plays the central role in supporting applications. The OS must protect several kinds of resources: memory; shareable I/O devices, such as disks; serially reusable I/O devices, such as printers and tape drives; shareable programs and sub-procedures; and shareable data. The security method of the OS is separation, which keeps one user’s objects separate from other users. With physical separation, processes use different physical objects. With temporal separation, processes with different security requirements are executed at different times. With logical separation, processes only access objects inside their permitted domain. With cryptographic separation, a process's data and computations are unintelligible to outsiders. Separation may not provide sharing in the system; if sharing is required, other methods should be considered, such as no protection, isolation, share all or share nothing, share via access limitation, share by capabilities, limit use of an object, and granularity of protection.
One method used for memory protection is the fence, which limits the user program's space. The relocation method uses relative addressing instead of absolute addressing. The base/bounds register method uses two registers to set the lower and upper boundaries of a program, and the tagged architecture method protects a part of the user’s program. Another three methods are segmentation, paging, and combined paging with segmentation.
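The fence, relocation and base/bounds checks described above, as an added C example that is not from the lecture or the original post. The memory layout, the `region_t` struct and the function names are constructed for illustration. It shows that a fence keeps a program out of the OS area but not out of a neighbouring program's space, while base/bounds registers fault the same access.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define FENCE 0x1000u   /* constructed layout: OS occupies [0, FENCE) */

typedef struct {
    uint32_t base;    /* lowest physical address of the program */
    uint32_t bounds;  /* first physical address past the program */
} region_t;

/* Fence with relocation: every relative address is shifted past the fence,
   so the OS is unreachable, but there is no upper limit on the program. */
bool fence_translate(uint32_t rel, uint32_t *phys)
{
    if (rel > UINT32_MAX - FENCE) return false;  /* sum would wrap into the OS */
    *phys = FENCE + rel;
    return true;
}

/* Base/bounds: relocate by base and require base <= phys < bounds. The
   comparison uses the relative address so base + rel can never wrap. */
bool bb_translate(const region_t *r, uint32_t rel, uint32_t *phys)
{
    if (r->bounds <= r->base) return false;        /* malformed registers */
    if (rel >= r->bounds - r->base) return false;  /* past the upper bound */
    *phys = r->base + rel;
    return true;
}

bool in_region(const region_t *r, uint32_t phys)
{
    return phys >= r->base && phys < r->bounds;
}

int main(void)
{
    region_t a = {0x1000u, 0x3000u}, b = {0x3000u, 0x5000u}; /* constructed */
    uint32_t p = 0;
    /* Program A uses relative address 0x2100, past its own 0x2000 bytes. */
    if (fence_translate(0x2100u, &p))
        printf("fence:       0x%x allowed, lands in B: %d\n", (unsigned)p, in_region(&b, p));
    printf("base/bounds: %s\n", bb_translate(&a, 0x2100u, &p) ? "allowed" : "fault");
    return 0;
}
```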
Mr. Zaki also explained some protected objects in lecture 4: memory, a file or data set on an auxiliary storage device, an executing program in memory and instruments, directories, files, or data structures such as a stack, hardware devices, a table of the OS, passwords and the user authentication mechanism, and the protection mechanism itself. Moreover, the first protection goal is to check every access: a previously authorized user does not necessarily keep access to the object. The second goal is to allow least privilege. Least privilege states that a subject should have access to the smallest number of objects necessary to perform some task. Verifying acceptable usage is also a protection goal, in which the ability to access is a yes-no decision.
All-none protection is one of the file protection mechanisms. In this mechanism, any user can read, write and modify any file. It is based on trust between users. A password is used to protect against operations. But it has several disadvantages, such as lack of trust, all or nothing, the rise of timesharing, complexity and file listings. The second file protection mechanism is group protection. The world is divided into three classes: the user, a trusted working group and the rest of the users. All authorized users are separated into groups, in which users have a common relationship. When creating a file, the user defines the rights for each class.
Authentication is a process used to verify transmitted data in a computing environment. A password is a string of characters that is used to authenticate an identity or a user. The password selection criteria are: use characters other than A to Z, choose long passwords, avoid actual names or words, choose an unlikely password, change the password regularly, do not write it down, and do not tell anyone else the password.
In conclusion, basic operating system security is closely integrated with general OS design.