• used to improve performance by taking data from slower devices and temporarily storing it in faster devices when repeated use likely - cache RAM.
• Processor
  
  • Level1 cache - holds onboard cache of v. fast memory
  • Level2 cache - static memory used to support the L1 cache
• Real Memory - often contains a cache of info held on magnetic media or SSD
• etc

• also main memory or primary memory

• typically the largest RAM storage resource available to a computer
• usu. composed of a number of dynamic RAM chips and so have to be refreshed periodically by the CPU

• = small amount of on-board memory on a CPU, that provide it with directly accessible memory locations that the ALU uses when processing instructions / performing calcs

• advantage is that it is part of the ALU itself and so is kept in sync with the CPU at typical CPU speeds

• eg CPU "register1"

• not a memory addressing scheme
• instead a way to refer to data supplied to the CPU as part of an instruction eg. "add 2 to the value in register1"
  
  • the 2 is the immediate addressing (a value), the second is register addressing

• memory addressing - is the means by which locations in memory can be referenced. Different addressing schemes:

• CPU is provided with the actual address of the memory location to access

• uses a value stored in one of the CPU's registers as the base location from which to start counting
• CPU then adds the offset supplied with the instruction

• the memory address contains another memory address

uses a series of tiny capacitors - that over time lose their charge, so they have to be periodically refreshed by the CPU

• more sophisticated - uses flip-flop device (on/off switch) that maintain their state as long as power is maintained
• no CPU overhead to re-fresh
  

• static memory runs more quickly but is more expensive than dynamic (flip-flops more expensive than capacitors)
• static and dynamic memory are combined to get the 'right' trade off between price and performance for the specific use.

• derivative concept from EEPROM
• non volatile storage that can be electronically erased and re-written.
• main difference is thar EEPROMs have to all contents erased whereas flash storage can be erased in blocks
• most common is NAND (memory cards. thumb drives, mobile devices and SSDs) .

• uses electrical voltage to erase contents. More user friendly to do than EPROM

• is data stored on media that is not immediately available to the CPU eg. SSD, flash, CD etc

• special type of secondary memory that the OS makes to look and act just like real memory eg. pagefile.

• cheap but slow

• have small window where special UV light is shone and this erases the contents, allowing new contents to be burned in

• data may remain on the chip after power removed
• memory chips are easy to steal
• control of access to memory in a multi-user system

ROM

contents can be burned in once. After that can't be changed

used where some customisations are needed but changes not needed once done

• Complex Instruction Set Computer
• Forerunner to RISC
• can execute several low level instructions in a single instruction

• Reduced Instruction Set Computer
• has reduced instruction set
• the simple instructions need less clock cycles
• was possible due to an increase in the speed of memories and the ability to get more work done in less clock cycles

• executes 1 instruction at a time

parallel instruction set for increased performance

holds the application's operating state eg. user mode or privileged mode

arithmetic

• syncs opns
• manages the instructions it receives from memory; decodes and executes and determines which instructions have priority

handles addressing and cataloging of data stored in memory and translates logical addressing into physical addressing

holds the address of the next instruction to be executed

supervises transfers data transfers over the bus system between the CPU and I/O devices

simultaneous execution of
more than 1 application on a
computer and is managed by the OS

most rely on OS to simulate (switches between tasks)

permits multiple concurrent tasks to
be performed within a single process

thread = self contained sequence of instructions that can execute in parallel with other threads that are part of the same parent process

used often in apps with frequent context switching

• switching threads within a process ~40-50 instructions to switch
• switching processes ~1000 instructions

example: multiple word docs - 1 process, multiple threads

• sym multi-processing systems use threading at OS level. Sends one thread to each available processor for simultaneous execution #

where 1 computer contains
multiple processors which are all
treated equally and
controlled from a single OS

• share common data bus, memory resources
• can be large num processors
• normally enough for most systems

good at processing simple
ops at very high rates

use of more than 1 processor
to increase computing power

• with advent of dual-core / quad-core
  processors single CPU
  multi-processing now possible

typically house 100's/1000's of processors,
each with own OS,memory and databuses

• for computationally intensive task, controlling app delegates responsibility to 1 processor
• the processor breaks down task and delegates these to other processors
• results returned to coordinating processor and combined then results returned to app

very powerful but very expensive

used mostly for computing or computational based research

good for processing v. large,
complex and computationally expensive
tasks that can be broken down
and distributed to subordinate units

similar to multi-tasking but
takes place on mainframe systems
and requires specific programmming

• way to serialise multiple processes, so when 1 task waits for peripheral next task can resume.
• 1st task doesn't resume until all other processes in batch have had their chance
• for 1 task very slow but overall improves efficiency for all tasks in total

considered to be obsolete (legacy only)

multi-programming vs multi-tasking?

• mp: large scale sys eg. mainframe vs
  mt: PCs (windows/linux)
• mp: coordinated by specially written s/w and then executed via OS vs mt: coordinated by OS #

chip(s) that governs
all major ops

Any tangible part of c/p (can reach out and touch)

can only operate at 1
security level at a time

• require policy mechanisms to
  manage info at diff security levels
• sec admins approve a system
  to handle only 1 sec level at a time
• burden on sec admins rather than h/w

can simultaneously operate
at multiple security levels

uses specialised security
protection mechanisms multistate uses ...

relatively uncommon due to
expense of implementing mechanisms

Random

Sequential

Volatile

nonvolatile

• data remanence - data may remain on secondary storage even after being erased

• removable media can be used to steal data

• access to data is v. important security concern - access controls and enc must be applied to protect data

Primary

Secondary

• Network Attached Storage
• the storage devices are directly connected to a file server that makes the storage available at a file-level to the other computers. In a SAN, the storage is made available at a lower "block-level", leaving file system concerns to the "client" side.

typically shared by users and servers

• storage area network (SAN)
• is a network which provides access to consolidated, block level data storage.
• SANs are primarily used to enhance storage devices, such as disk arrays, tape libraries, and optical jukeboxes, accessible to servers so that the devices appear to the operating system as locally attached devices

typically used by servers

security risks ...

• can be compromised via TEMPEST

• leave print-outs on printer
• data stored locally on printer eg. on HDD, or RAM

• TEMPEST vulnerable
• Key stroke devices fitted into keyboard
• Bluetooth can be intercepted

• allow uncontrolled access into a n/w
• if not properly configured can cause major security issues
• consider total ban on modems

• organises code + components in OS and Apps that run under the OS into concentric rings
• the deeper into the rings the higher the privilege level
• most modern OS's use 4 rings ... 0 to 3

💥
Ring 0: OS Kernel / Memory (Resident Components)
Ring 1: Other OS Components
Ring 2: Drivers, Protocols etc
Ring 3: User Level Programs and Applications

Rings 0-2 run in supervisory/privileged mode
Ring 3 runs in user mode

• dates back to Multics (1963-69) from which Unix derived

Security ... ring model allows OS to:

• protect itself from users and apps
• can enforce strict boundaries between high priv OS components and lower privilege parts of the OS/drivers

• strictest = each ring has own memory segment
• requests for memory addr in lower ring, must call helper process in lower level ring

In practice many OS break into 2 memory segments

• Kernel Mode / Privileged Mode - rings 0 to 2
• User Mode - ring 3 user level programs

• Essence = priority, priv and memory segmentation
• process in lower numbered ring always runs before process in higher ring
• processes in lower rings can access more resource and access OS more directly
• mediated access model - higher ring processes need to ask handler/driver in a lower ring for services

in runtime env need to integrate sec info & ctrls to protect the integrity of the OS, manage which users can access specific data items, authorise/deny ops against data etc

mechanisms designed to prevent
info crossing between security levels

• basic mode used by OS when executing user p/ms

• often processes run in a virtual machine or virtual subsystem machine
  
  • simulated env created by OS as safe/efficient place for p/ms to execute
  • each VM is isolated

... also known as

• supervisory / system / kernel mode

NB: don't confuse processor modes with user modes!

• even tho high level processor mode is called 'privileged / supervisory' it has no relationship to the role of a user
• all users apps (incl. those of admins) run in user mode
• when sys admins use sys tools to make config changes this is done in user mode
• when an app needs to run a priv op, it requests the OS using sys call (which OS has to approve) before it is executed using a priv mode not controlled by the user

• OS can run in:
  
  • supervisor state - privileged, all access mode
  • problem state - user mode
    
    • priv are low, all access reqs checked against authorisation before granted/denied
    • because unprivileged nature of user access means problems can occur and the sys must take appropriate measures to protect security, integrity and confidentiality

* are different types of execution in which a process may run

States:

• Ready - process ready to resume/begin processing
• Waiting ("waiting for a resource" - sometimes called 'blocked'
• Problem (Running) - process runs until it completes, time slice completes or it is blocked
• Supervisory - when the process needs to perform an action that needs higher privileges than the problem state's set of privileges ie. anything not occuring in ring3 (problem state) needs to take place in supervisory mode
• Stopped - process finishes or error occurs ... OS can recover all memory / resources allocated

• processing queue
• consume process time in fixed chunks = time slice
• if not finished process gets added to queue
• process scheduler usually selects highest priority process, so no guarantee when a process will be next run

• what needs to be in place for these security modes?
  
  • hierarchical MAC env
  • total physical control over which subjs can access c/p console
  • total physical ctrl over which subjects can enter same room as c/p console

all users need to have appropriate clearance, access permissions and need to know for all info stored on the system

each user must have:

• sec clearance allowing access to all info processed by system
• access approval for all info processed by the system
• valid need to know for all info processed by the system

• Need to know - relates to access authZ scheme where a subject's right to access obj takes into account not only privilege level but also their relevance to their role
  
  • those with no need to know shouldn't access the object regardless of their priv level

removes need to know requirement

each user must have:

• sec clearance allowing access to all info processed by system

• access approval for all info processed by the system

  
  

• valid need to know for some info processed by system

  
  

• US gov - 4 approved security modes for processing classified info
• only used by gov and gov contractors but still need to know

• as move from dedicated mode -> multi level mode
• burden of enforcing requirements shifts from admin personnel (to physicaly restrict the system) to the h/w and s/w which control which info can be access by each user

removes need to know and access permissions requirements

each user must have:

• sec clearance allowing access to all info processed by system
• access approval for any info they will have access to on the system
• valid need to know for all info they will have access to on the system

• special implementation of mode
• users with necessary clearance can process multiple compartments of data at same time

• 2 forms of sec labels need adding to each object
  
  • sensitivity levels - levels at which obj needs protecting
  • information labels - prevents data over classification and associate additional info with the objects

removes all 3 requirements

• some users don't have valid sec clearance for all info processed. Access controlled by whether subj's clearance level dominates the object's sensitivity levels
• each user must have access approval for all info they will access on the sys
• each user must have a valid need to know for all info they will have access to

c/p architecture is an engineering discipline concerned with the design and construction of computing systems at a logical level

more complex a system, the less assurance it provides:

• more complex = more areas for vulnerabilites
• = more areas must be secured against threats

• related to general I/O operations rather than individual devices
• esp for older legacy / non PnP devices
• 3 main types of opns that require manual config on legacy devices:

• where part of the address space that the CPU manages functions to provide access to some kind of device through a series of memory mapped addresses
• reading the memory mapped locations, you are reading effectively from the device.
• write to the memory mapped addresses and you are writing to the device

• only allow 1 device access to the memory addresses
• allow access should be through OS and subject to normal authZ and access controls

• Interrupt Request
• a technique for assigning specific signal lines to specific devices through a special interrupt controller

only the OS should be able to mediate access to IRQs at a sufficiently high level of priv to prevent tampering or accidental change

• devices that can exchange data directly with real memory (RAM) w/o needing held from the CPU use DMA to manage this

• works as a channel with 2 signal lines
  
  • DMA Request (DMQ)
  • DMA Acknowledgement (DACK)

• for config - manage addresses to keep device addresses unique and to make sure the addresses are only used for DMA

• for sec - only the OS should be able to mediate DMA assignments and the use of DMA to access IO devices

• describes s/w stored on ROM chip
• 2 types of firmware:

• on a motherboard
• Basic Input/Output System (BIOS)
• holds simple instructions to boot the OS from disk
• updating = "flashing"
• usu. stored on EEPROM

• being replaced (since 2011) with UEFI
• UEFI = Unified Extensible Firmware Interface
• more advanced i/f between the h/w and OS

• general internal and external device firmware

• many h/w devices need ltd processing power to complete tasks w/o loading the CPU.
• these 'mini OSs' are contained in firmware on chips
• usu. stored on EEPROM

• are extensions of basic comp science doctrine

• esp. user mode vs supervisor mode

• builds on principle of least priv

• granular access permissions ie. different permissions for each type of priv op

• allows designers to assign some processes rights to perform certain supervisory funcs w/o granting them unrestricted access to the sys

• allows reqs rto be inspected, checked against access controls and granted/denied based on the id of the user making the reqs or on groups to which the user belongs or sec roles they have

• reply on a system's ability to monitor activity on and interactions with a system's resources and config data and to protect resulting logs from unwanted access or alteration

• relies on authN and authZ components

• role of sec policy = to guide and inform the design, dev, impl, testing and maintenance of a system.

• for sys devs, a security policy is a doc that defines a set of rules, practices and procs that describe how the system should manage, protect, and distribute sensitive info.

multi-level security policies = security policies that prevent info flow from higher security levels down to lower sec levels

• security needs to be applied throughout life-cycle

• fact: 3rd party s/w should not be trusted
• OS must use protection mechanisms to keep env stable and keep processes isolated.
• computer system designers should adhere to a number of protection mechanisms / principles when designing secure sys

• implement a structure similar to ring model for operating modes and apply it to each OS process

• comms between layers only via well-defined, specific i/fs to provide the needed security
• all in-bound reqs from outer (less sensitive) layers are subject to stringent authN and authZ checks
• so that layer integrity is maintained inner layers don't know or depend on outer layers
• no layer can tamper with the other
• outer layers cannot violate or override any sec policy enforced by an inner layer

• black box - users of an obj / OS don't need to know the details of how the object works; just need to know how to call the obj and what results will be returned.
• essentially same used for mediated access to data or svcs

• also, abstraction used for object groups (classes) where access control and operation rights are assigned to groups of objects rather than on a per-object basis.

• the controls that system designers should build into systems

• important in multi-level sec sys
• ensures data existing at one sec level is not visible to processes running at different sec levels

• place objects in security containers that are different from those that subjects occupy to hide obj details from those with no need to know,

• similar purpose to process isolation - prevents access of info that belongs to another process / sec level
• does this by use of physical h/w ctrls
• this is rare eg. national security implementations

• requires that the OS provides a separate memory space for each process's instructions and data
• also requires OS to enforce the boundaries to prevent access

• advantages:
  
  • prevents unauthorised data access
  • protects the integrity of processes

• implement via VMs on per user or per process basis

• esp. buffer overflow
• buffer overflow is big opportunity for compromise
• developers responsible for preventing this

• maintenance hook = backdoor = entry point into a sys known only by the developer

• running a p/m whose sec level is elevated during execution is also vulnerability
  
  • need to be carefully written and tested
  • make accessible only to appropriate users
  • harden against misuse

• when an unprepared sys crashes and recovers there are opportunities to compromise security controls
  

• many systems unload sec controls as part of shutdown procedures - Trusted Recovery ensures that all ctrls remain in place in the event of a crash.

• during Trusted Recovery the sys ensures there is no chance to access when sec ctrls are disabled. Even recovery phase runs with ctrls intact.

• attacks which occur in slow, gradual increments

• where an attacker gains access and makes small, random or incremental changes to data during storage, processing, i/p, o/p or transaction

• difficult to detect unless regular data integrity check (eg. checksum) is done each time a file is read or written

• protection?:
  
  • encrypted file sys
  • file level enc
  • file monitoring which includes integrity checks eg. Tripwire

• refers to the systematic whittling of assets in accounts or other records with financial value where v. small amounts are deducted from balances regularly.

• no actual proven cases, but it is a possible attack type

• buffer overflow
• exception handling - if a p/m doesn't exit gracefully. May be possible to crash a program after it has increased its sec level to carry out a normal task, then attacker may be able to compromise

• attackers can develop attackers based on the predictability of task execution

• race condition attacks
  
  • because attacker is racing with the legitimate process to replace the obj before it is used.
  • ex: TOCTTOU attack
    

* communication disconnects attacks: * take action between 2 known states when the state of a resource or the entire system changes

• all these are called state attacks because they attack timing, data flow control, and transition between one state to another

• in biz continual process of integrating / intertwining existing processes in novel ways to come up with new functions / capabilities
• pay attention to
  
  • single points of failure
  • emergent weaknesses in Service Orientated Architectures (SOA)

• SOA
  
  • creates new apps / funs from existing but distinct s/w svcs
  • resulting app often is new - its security issues are unknown
  • all new deployments, esp new app/funcs need to be thoroughly checked

* a method that is used to pass info over a path that is not normally used for comms

• may not be protected by normal sec mechs (as not a comms channel)
• covert channel provides a means to circumvent a security policy undetected

• overt channel = a known, expected, authorised, designed, monitored and controlled method of comms

• 2 types of covert channels:

• covert timing channel
  
  • conveys info by altering the performance of a system component or by modifying a resource's timing in a predictable way.
  • very difficult to detect
    

• covert storage channel
  
  • conveys info by writing data to a common storage area where another process can read it.

• detection can be difficult, Best way is to implement auditing and analyse log files for any covert channel activity

• EM emanations can be intercepted

• should shield equipment, physically restrict personnel and devices

• TEMPEST technologies can provide protection (faraday cages, jamming / noise generators etc)