Levels of Security System Security
7.1.1 Levels of Security
Security may be all or nothing It should be noted that when the operating system’s security is breached, it typically means that all its objects are vulnerable. This is the holy grail of system hacking — once a hacker “breaks into” a system, he gets full control. For example, the hacker can impersonate another user by setting the user ID of his process to be that of the other user. Messages sent by that process will then appear to all as if they were sent by the other user, possibly causing that user some embarasement. Example: the Unix superuser In unix, security can be breached by managing to impersonate a special user known as the superuser, or “root”. This is just a user account that is meant to be used by the system administrators. By logging in as root, system administrators can manipulate system files e.g. to set up other user accounts, change system settings e.g. set the clock or clean up after users who had experienced various problems e.g. when they create files and specify permissions that prevent them from later deleting them. The implementation is very simple: all security checks are skipped if the requesting process is being run by root. Windows was originally designed as a single-user system, so the user had full priviledges. The distinction between system administrators and other users was only introduced re- cently. Alternatively, rings of security can be defined An alternative is to design the system so that it has several security levels. Such a design was employed in the Multics system, where it was envisioned as a set of con- centric rings. The innermost ring represents the highest security level, and contains the core structures of the system. Successive rings are less secure, and deal with ob- jects that are not as important to the system’s integrity. A process that has access to a certain ring can also access objects belonging to larger rings, but needs to pass an additional security check before it can access the objects of smaller rings. 1607.1.2 Mechanisms for Restricting Access
Parts
» | Komputasi | Suatu Permulaan
» Operating System Functionality | Komputasi | Suatu Permulaan
» Abstraction and Virtualization | Komputasi | Suatu Permulaan
» Hardware Support for the Operating System
» Roadmap | Komputasi | Suatu Permulaan
» Scope and Limitations | Komputasi | Suatu Permulaan
» Performance Metrics | Komputasi | Suatu Permulaan
» Statistical Characterization of Workloads
» Analysis, Simulation, and Measurement
» Modeling: the RealismComplexity Tradeoff
» Waiting in Queues Queueing Systems
» Queueing Analysis Queueing Systems
» Incremental Accuracy Simulation Methodology
» Workloads: Overload and Lack of Steady State
» Summary | Komputasi | Suatu Permulaan
» Process States What is a Process?
» Operations on Processes and Threads
» Multiprogramming and Responsiveness Having Multiple Processes in the System
» Multiprogramming and Utilization Having Multiple Processes in the System
» Multitasking for Concurrency The Cost
» Performance Metrics Scheduling Processes and Threads
» Handling a Given Set of Jobs
» Using Preemption Scheduling Processes and Threads
» Priority Scheduling Scheduling Processes and Threads
» Starvation, Stability, and Allocations
» Fair Share Scheduling Scheduling Processes and Threads
» Concurrency and the Synchronization Problem
» Mutual Exclusion Algorithms Mutual Exclusion for Shared Data Structures
» Semaphores and Monitors Mutual Exclusion for Shared Data Structures
» Locks and Disabling Interrupts
» Deadlock and Livelock Resource Contention and Deadlock
» A Formal Setting Resource Contention and Deadlock
» Deadlock Prevention, Avoidance, and Detection
» Real Life Resource Contention and Deadlock
» Mapping Memory Addresses | Komputasi | Suatu Permulaan
» Support for Segmentation Segmentation and Contiguous Allocation
» Algorithms for Contiguous Allocation
» Address Translation Paging and Virtual Memory
» Algorithms for Page Replacement
» Swapping | Komputasi | Suatu Permulaan
» Links Alternatives for File Identification
» Data Access Access to File Data
» Caching and Prefetching Access to File Data
» Memory-Mapped Files Access to File Data
» Mapping File Blocks Storing Files on Disk
» Reliability Storing Files on Disk
» Levels of Security System Security
» Mechanisms for Restricting Access
» User Identification | Komputasi | Suatu Permulaan
» Controling Access to System Objects
» Virtualization | Komputasi | Suatu Permulaan
» Resource Management | Komputasi | Suatu Permulaan
» Reduction Hardware Support and Co-Design
» Booting the System | Komputasi | Suatu Permulaan
» Timers Kernel Priorities Context Switching
» Kernel Address Mapping Making a System Call
» Error Handling | Komputasi | Suatu Permulaan
» Parallelism vs. Concurrency Kernel Locking Conflicts SMP Scheduling Multiprocessor Scheduling
» Supporting Multicore Environments System Composition
» Code Structure Monolithic Kernel Structure
» Microkernels | Komputasi | Suatu Permulaan
» Extensible Systems | Komputasi | Suatu Permulaan
» Naming | Komputasi | Suatu Permulaan
» Remote Procedure Call Message Passing
» Streams: Unix Pipes, FIFOs, and Sockets
» Shared Memory Programming Interfaces
» Distributed System Structures | Komputasi | Suatu Permulaan
» Example Client-Server Systems | Komputasi | Suatu Permulaan
» Middleware | Komputasi | Suatu Permulaan
» Protocol Stacks Communication Protocols
» Error Correction Implementation Issues
» TCP Congestion Control Implementation Issues
» Authentication Authentication and Security
» Security Authentication and Security
» Networked File Systems | Komputasi | Suatu Permulaan
» Load Balancing | Komputasi | Suatu Permulaan
» Requirements Scheduling in Real-Time Systems
Show more