5. • Examples of security threats:
     • Threats raised by data and programs downloaded from the Internet
   • Examples of protection threats:
     • Illegal access to a resource or a service by a process
     • An attempt to tamper with messages
   • Security threats can arise more easily in a distributed OS
6. • Trojan horses, viruses, and worms contain code that can launch a security attack when activated
7. • A virus typically sets up a back door that can be exploited for a destructive purpose at a later date
     • E.g., executable virus, boot-sector virus, e-mail virus
   • Worms may spread using the buffer overflow technique
   • Measures to foil security attacks:
     • Using caution while loading new programs into a computer
     • Using antivirus programs
     • Plugging security holes
8. • To formally prove a system is secure, we need:
     • A security model comprising security policies and mechanisms
     • A list of threats
     • A list of fundamental attacks
     • A proof methodology
9. • Manual procedures can discover security flaws
     • But procedures become less reliable as systems grow
   • Formal approach constructs feasible sequences of operations and deduces their consequences
     • But hard to develop specification of a system and threats
10. • In an organization employing military-like security, all documents are classified into three security levels—unclassified, confidential, and secret.
    • Persons working in the organization are given security clearances called U (unclassified), C (confidential), and S (secret) with the proviso that a person can access all documents at his level of security classification and at lower levels of classification.
    • Thus, a person with C clearance can access confidential and unclassified documents, but is forbidden from accessing secret documents
11. • The organization uses a Unix system and persons in the organization use Unix features to access files containing documents. This way, it is expected that a program executed by a user can access a document at a specific security level only if the user possesses the appropriate security clearance.
    • To check whether document security is foolproof, all operations in the system are modeled and a check is made to see whether a person can access a document that is at a higher level of classification than his security clearance
12. • It is found that a combination of indiscriminate assignment of the “execute” privilege for programs to users and use of the setuid feature of Unix can enable a user to access a forbidden document.
    • It can happen because the setuid feature permits a user to execute a program with the privileges of the program’s owner, so if a user can execute a program owned by an individual with a higher security clearance, he can “take” the security clearance of the program’s owner.
    • This security flaw can be eliminated by either forbidding use of the setuid feature or confining the “execute” privilege for a program only to users whose security clearance is not lower than that of the program’s owner.
13. • Such a flaw can be discovered through manual procedures; however, manual procedures become less reliable as systems grow more complex. Formal methods construct feasible sequences of operations and deduce or verify their properties. This way they can discover sequences of operations that have disastrous consequences, or assert that such sequences of operations do not exist.
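As an added worked example (not part of the slides), the check described on slides 11 to 13 can be mechanised: the script below models a constructed organisation of users, documents and programs, enumerates the feasible operation sequence "execute a setuid program, then open a document", reports every user who can thereby reach a document above his clearance, and shows that either of the two remedies on slide 12 removes the violations. All user, document and program names are constructed for the example.

```python
from itertools import product

# Clearance/classification lattice from the slides: U < C < S.
LEVEL = {"U": 0, "C": 1, "S": 2}

# Constructed sample system (names are made up, not from the slides): users with
# clearances, documents with classifications, and programs with an owner, a
# setuid bit and the set of users granted the "execute" privilege.
USERS = {"alice": "S", "bob": "C", "carol": "U"}
DOCS = {"plans.txt": "S", "budget.txt": "C", "memo.txt": "U"}
PROGRAMS = {
    "report": {"owner": "alice", "setuid": True, "exec": {"alice", "bob", "carol"}},
    "viewer": {"owner": "bob", "setuid": False, "exec": {"bob", "carol"}},
}

def reachable_clearances(user, programs):
    """Clearances a user can act with: their own, plus the owner's clearance of
    every setuid program they may execute (the operation sequence: execute the
    program -> run with the owner's privileges -> open a document)."""
    levels = {USERS[user]}
    for p in programs.values():
        if p["setuid"] and user in p["exec"]:
            levels.add(USERS[p["owner"]])
    return levels

def find_violations(programs):
    """Enumerate every (user, document) pair and report those where a feasible
    sequence of operations lets the user read a document classified above the
    user's own clearance. An empty list asserts that no such sequence exists."""
    violations = []
    for user, doc in product(USERS, DOCS):
        own = LEVEL[USERS[user]]
        best = max(LEVEL[l] for l in reachable_clearances(user, programs))
        if own < LEVEL[DOCS[doc]] <= best:
            violations.append((user, doc))
    return sorted(violations)

def harden(programs, forbid_setuid=False):
    """Apply one of the two remedies from the slides: forbid setuid altogether, or
    keep setuid but confine "execute" to users whose clearance is not lower than
    the program owner's."""
    fixed = {}
    for name, p in programs.items():
        if forbid_setuid:
            fixed[name] = {**p, "setuid": False}
        else:
            owner_level = LEVEL[USERS[p["owner"]]]
            fixed[name] = {**p, "exec": {u for u in p["exec"] if LEVEL[USERS[u]] >= owner_level}}
    return fixed
```

On the constructed system, find_violations(PROGRAMS) reports that bob (clearance C) and carol (clearance U) can reach documents above their clearance through the setuid program owned by alice, and find_violations(harden(PROGRAMS)) returns an empty list in either hardening mode.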