
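Henan University of Chinese Medicine: "Information Security: Networks and Network Security" course teaching resources (English lecture notes), Chapter 04: Operating Systems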

Document information
Resource category: Library
Document format: PDF
Pages: 29
File size: 1.06MB
Summary
• Basic security functions provided by operating systems
• System resources that require operating system protection
• Operating system design principles
• How operating systems control access to resources
• The history of trusted computing
• Characteristics of operating system rootkits


SECURITY IN COMPUTING, FIFTH EDITION
Chapter 4: Operating Systems
Instructor: Gao Haibo (高海波), Henan University of Chinese Medicine, Teaching and Research Section of Information Management and Information Systems
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.


Chapter 5 Objectives
• Basic security functions provided by operating systems
• System resources that require operating system protection
• Operating system design principles
• How operating systems control access to resources
• The history of trusted computing
• Characteristics of operating system rootkits

Operating System Functions
[Figure: operating system functions. Legible labels: User Interface, Communication, Resource Allocation, CPU, Memory, I/O Devices]


History of Operating Systems
• Single-user systems, no OS
• Multiprogrammed OS, aka monitors
• Multiple users
• Multiple programs
• Scheduling, sharing, concurrent use
• Personal computers


Protected Objects
• Memory
• Sharable I/O devices, such as disks
• Serially reusable I/O devices, such as printers
• Sharable programs and subprocedures
• Networks
• Sharable data

OS Layered Design
[Figure: layered OS design. Labels, in the order they appear: Subprocesses of User Processes; User Processes; Compilers, Database Managers; Utility Functions; File Systems, Device Allocation; Scheduling, Sharing, Memory Management; Synchronization, Allocation; Operating System; Security Functions; Kernel; Security Kernel; Hardware]

Functions Spanning Layers
[Figure: authentication functions spanning OS layers. Legible labels: User Authentication Module; Authentication Data Comparison Code]

Modular OS Design
[Figure: modular OS design. Legible labels: Users; User mode; User interface; File; Object; A/V; Net; Shell; System Services Interface; I/O; Time; Synch; Memory; Comm; Primitive services; Microkernel; Kernel mode drivers; Hardware Interface and Abstraction; Hardware]


Virtualization
• With virtualization, the OS presents each user with just the resources that user should see
• The user has access to a virtual machine (VM), which contains those resources
• The user cannot access resources that are available to the OS but exist outside the VM
• A hypervisor, or VM monitor, is the software that implements a VM
  • Translates access requests between the VM and the OS
  • Can support multiple OSs in VMs simultaneously
• Honeypot: A VM meant to lure an attacker into an environment that can be both controlled and monitored


Separation and Sharing
• Methods of separation:
  • Physical
  • Temporal
  • Logical
  • Cryptographic
• Methods of supporting separation/sharing:
  • Do not protect
  • Isolate
  • Share all or share nothing
  • Share but limit access
  • Limit use of an object
