Chapter 14: System Protection and Security

Goals of Protection

Protection ensures that processes do not interfere with each other or with the OS.

Main goals:

  • Confidentiality – Prevent unauthorized access to information.

  • Integrity – Prevent unauthorized modification of data or resources.

  • Availability – Ensure authorized users can access resources.

  • Safety – Prevent actions that could cause harm or system failure.

Protection mechanisms define controlled access to resources such as files, memory, CPUs, and devices.

Domain of Protection

A domain is a set of access rights. A process runs within a specific domain.

  • Access Rights: <object, permissions> pairs, such as (file1, read).

  • Static Domains: Domains assigned at process creation and do not change.

  • Dynamic Domains: Processes may switch domains (e.g., using system calls or capabilities).

Domain structures:

  • User Mode vs Kernel Mode Basic dual-domain separation.

  • Role-Based Domains Administrators, users, services.

  • Capability Lists and Tickets Unforgeable tokens that grant specific rights.

Access Matrix

The access matrix formalizes protection by specifying:

  • Rows: Subjects (users, processes, domains)

  • Columns: Objects (files, devices, memory)

  • Entries: Access rights (read, write, execute)

Example:

File A

Printer

User 1

read/write

use

User 2

read

Implementation Techniques:

  • Access Control Lists (ACLs) Column-based; used by many OSes (Windows, Unix permissions).

  • Capability Lists Row-based; each subject holds a list of allowed accesses.

  • Lock-and-Key Mechanisms Objects have locks; domains hold keys to unlock them.

System and Network Security Threats

Systems face threats from internal and external adversaries.

Types of threats:

Malware

  • Viruses – Attach to executable files; require host.

  • Worms – Self-replicating over networks.

  • Trojan Horses – Malicious code disguised as legitimate software.

  • Ransomware – Encrypts user data and demands payment.

Attack Techniques

  • Phishing / Social Engineering Tricks users into exposing credentials.

  • Password Attacks Brute force, dictionary attacks, credential stuffing.

  • Privilege Escalation Exploiting vulnerabilities to gain higher permissions.

  • Man-in-the-Middle (MitM) Intercepting network communications.

  • Denial of Service (DoS/DDoS) Overloading systems to make them unavailable.

Network Security Measures

  • Encryption (TLS, HTTPS) Protects data in transit.

  • Firewalls and Packet Filters Restrict network traffic.

  • Intrusion Detection/Prevention Systems (IDS/IPS) Monitor for malicious patterns.

  • Authentication Passwords, multi-factor authentication, biometric systems.

  • Patching and Hardening Keeping systems updated and minimizing attack surface.