Operating System Concise Tutorial

Operating System - Security

Security refers to providing a protection system for computer system resources such as CPU, memory, disk, software programs and, most importantly, the data/information stored in the computer system. If a computer program is run by an unauthorized user, then he/she may cause severe damage to the computer or the data stored in it. So a computer system must be protected against unauthorized access, malicious access to system memory, viruses, worms, etc. We're going to discuss the following topics in this chapter.

  1. Authentication

  2. One Time passwords

  3. Program Threats

  4. System Threats

  5. Computer Security Classifications

Authentication

Authentication refers to identifying each user of the system and associating the executing programs with those users. It is the responsibility of the operating system to create a protection system which ensures that a user who is running a particular program is authentic. Operating systems generally identify/authenticate users in the following three ways −

  1. Username / Password − The user needs to enter a username and password registered with the operating system to log in to the system.

  2. User card/key − The user needs to punch a card in the card slot, or enter a key generated by a key generator in the option provided by the operating system, to log in to the system.

  3. User attribute - fingerprint / eye retina pattern / signature − The user needs to pass his/her attribute via the designated input device used by the operating system to log in to the system.

One Time passwords

One-time passwords provide additional security along with normal authentication. In a one-time password system, a unique password is required every time the user tries to log in to the system. Once a one-time password is used, it cannot be used again. One-time passwords are implemented in various ways.

  1. Random numbers − Users are provided with cards that have numbers printed alongside corresponding letters. The system asks for the numbers corresponding to a few randomly chosen letters.

  2. Secret key − Users are provided with a hardware device which can create a secret id mapped to the user id. The system asks for this secret id, which has to be generated every time prior to login.

  3. Network password − Some commercial applications send a one-time password to the user's registered mobile/email, which must be entered prior to login.

Program Threats

An operating system's processes and kernel do their designated tasks as instructed. If a user program makes these processes do malicious tasks, it is known as a program threat. One common example of a program threat is a program installed on a computer which can store user credentials and send them over the network to some hacker. Following is a list of some well-known program threats.

  1. Trojan Horse − Such a program traps user login credentials and stores them to send to a malicious user, who can later log in to the computer and access system resources.

  2. Trap Door − If a program which is designed to work as required has a security hole in its code and performs illegal actions without the knowledge of the user, it is said to have a trap door.

  3. Logic Bomb − A logic bomb is a situation in which a program misbehaves only when certain conditions are met; otherwise it works as a genuine program. It is harder to detect.

  4. Virus − A virus, as the name suggests, can replicate itself on a computer system. Viruses are highly dangerous and can modify/delete user files and crash systems. A virus is generally a small piece of code embedded in a program. As the user accesses the program, the virus starts getting embedded in other files/programs and can make the system unusable for the user.

System Threats

System threats refer to the misuse of system services and network connections to put the user in trouble. System threats can be used to launch program threats on a complete network, which is called a program attack. System threats create an environment in which operating system resources/user files are misused. Following is a list of some well-known system threats.

  1. Worm − A worm is a process which can choke system performance by using system resources to extreme levels. A worm process generates multiple copies of itself, where each copy uses system resources and prevents all other processes from getting the resources they require. Worm processes can even shut down an entire network.

  2. Port Scanning − Port scanning is a mechanism or means by which a hacker can detect system vulnerabilities in order to attack the system.

  3. Denial of Service − Denial of service attacks normally prevent the user from making legitimate use of the system. For example, a user may not be able to use the internet if a denial of service attack targets the browser's content settings.

Computer Security Classifications

As per the U.S. Department of Defense Trusted Computer System Evaluation Criteria, there are four security classifications in computer systems: A, B, C, and D. This is a widely used specification for determining and modeling the security of systems and of security solutions. Following is a brief description of each classification.

  1. Type A − Highest level. Uses formal design specifications and verification techniques. Grants a high degree of assurance of process security.

  2. Type B − Provides a mandatory protection system. Has all the properties of a class C2 system. Attaches a sensitivity label to each object. It is of three types.

     B1 − Maintains the security label of each object in the system. The label is used for making access control decisions.

     B2 − Extends the sensitivity labels to each system resource, such as storage objects, supports covert channels and auditing of events.

     B3 − Allows creating lists or user groups for access control to grant or revoke access to a given named object.

  3. Type C − Provides protection and user accountability using audit capabilities. It is of two types.

     C1 − Incorporates controls so that users can protect their private information and keep other users from accidentally reading/deleting their data. UNIX versions are mostly C1 class.

     C2 − Adds an individual-level access control to the capabilities of a C1 level system.

  4. Type D − Lowest level. Minimum protection. MS-DOS and Windows 3.1 fall in this category.