Many companies possess valuable information they want to guard closely. Among many things, this information can be technical (e.g., a new chip design or software), commercial (e.g., studies of the competition or marketing plans), financial (e.g., plans for a stock offering) or legal (e.g., documents about a potential merger or takeover). Most of this information is stored on computers. Home computers increasingly have valuable data on them, too. Many people keep their financial information, including tax returns and credit card numbers, on their computer. Love letters have gone digital. And hard disks these days are full of important photos, videos, and movies.
As more and more of this information is stored in computer systems, the need to protect it is becoming increasingly important. Guarding the information against unauthorized usage is therefore a major concern of all operating systems. Unfortunately, it is also becoming increasingly difficult due to the widespread acceptance of system bloat (and the accompanying bugs) as a normal phenomenon. In this chapter we will examine computer security as it applies to operating systems.
The issues relating to operating system security have changed radically in the past few decades. Up until the early 1990s, few people had a computer at home and most computing was done at companies, universities, and other organizations on multiuser computers ranging from large mainframes to minicomputers. Nearly all of these machines were isolated, not connected to any networks. As a consequence, security was almost entirely focused on how to keep the users out of each other's hair. If Tracy and Camille were both registered users of the same computer, the trick was to make sure that neither could read or tamper with the other's files, yet allow them to share those files they wanted shared. Elaborate models and mechanisms were developed to make sure no user could get access rights he or she was not entitled to.
Sometimes the models and mechanisms involved classes of users rather than just individuals. For example, on a military computer, data had to be markable as top secret, secret, confidential, or public, and corporals had to be prevented from snooping in generals' directories, no matter who the corporal was and who the general was. All these themes were thoroughly investigated, reported on, and implemented over a period of decades.
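The military scheme just described, in which data carries a classification label and a user may read only data at or below their own clearance, can be reduced to a small ordering check. The following is an added example, not code from the book: the four level names are the text's, while the user names, their clearances and the sample file labels are constructed for illustration. Unknown users or labels are denied (fail closed), and the general rule shown is the usual "no read up" rule of multilevel security.

```python
# Added example (not from the book): a minimal multilevel read check in which
# data carries a label and a user may read it only if their clearance is at or
# above that label. Level names follow the text; users and files are constructed.

LEVELS = ("public", "confidential", "secret", "top secret")  # lowest to highest
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample users and clearances (assumption, not from the text).
CLEARANCE = {
    "general": "top secret",
    "corporal": "confidential",
}

def can_read(user: str, label: str) -> bool:
    """True only if the user's clearance dominates the data label.

    Unknown users or labels fail closed (denied), so a misspelled label can
    never accidentally grant access to higher-classified data."""
    clearance = CLEARANCE.get(user)
    if clearance is None or label not in RANK:
        return False
    return RANK[clearance] >= RANK[label]

def readable_files(user: str, files: dict) -> list:
    """Return the sorted names of files (name -> label) the user may read."""
    return sorted(name for name, label in files.items() if can_read(user, label))

# Constructed sample "directory": file name -> classification label.
FILES = {
    "troop_movements.txt": "top secret",
    "supply_routes.txt": "secret",
    "mess_hall_menu.txt": "public",
    "leave_roster.txt": "confidential",
}

if __name__ == "__main__":
    for user in CLEARANCE:
        print(user, "may read:", readable_files(user, FILES))
```

Run as a script it lists, for each constructed user, the files their clearance lets them read; the corporal sees only the public and confidential files, the general sees everything.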
An unspoken assumption was that once a model was chosen and an implementation made, the software was basically correct and would enforce whatever the rules were. The models and software were usually pretty simple so the assumption usually held. Thus if theoretically Tracy was not permitted to look at a certain one of Camille's files, in practice she really could not do it.
With the rise of the personal computer, tablets, smartphones and the Internet, the situation changed. For instance, many devices have only one user, so the threat of one user snooping on another user's files mostly disappears. Of course, this is not true on shared servers (possibly in the cloud). Here, there is a lot of interest in keeping users strictly isolated. Also, snooping still happens—in the network, for example. If Tracy is on the same Wi-Fi network as Camille, she can intercept all of her network data. Modulo the Wi-Fi, this is not a new problem. More than 2000 years ago, Julius Caesar faced the same issue. Caesar needed to send messages to his legions and allies, but there was always a chance that the message would be intercepted by his enemies. To make sure his enemies would not be able to read his commands, Caesar used encryption—replacing every letter in the message with the letter that was three positions to the left of it in the alphabet. So a ‘‘D’’ became an ‘‘A’’, an ‘‘E’’ became a ‘‘B’’, and so on. While today's encryption techniques are more sophisticated, the principle is the same: without knowledge of the key, the adversary should not be able to read the message.
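Caesar's scheme as the text describes it, with each letter replaced by the one three positions to its left, is short enough to write out in full. The following is an added example, not code from the book: it implements the shift, its inverse, and a search over all 25 possible shifts, which makes the text's point concrete: the method was secret in Caesar's day, but once the method is known, a key space this small offers no protection at all, which is why modern ciphers rely on keys of hundreds or thousands of bits. The sample message is constructed.

```python
# Added example (not from the book): Caesar's shift cipher as described in the
# text (each letter moves three positions to the left, so D -> A and E -> B),
# its inverse, and an exhaustive try of all 25 shifts to show why a tiny key
# space gives no security once the method is known.

import string

ALPHABET = string.ascii_uppercase

def caesar_encrypt(plaintext: str, shift: int = 3) -> str:
    """Replace each letter with the letter `shift` positions to its left.

    Letters are normalised to upper case; anything that is not a letter
    (spaces, digits, punctuation) passes through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) - shift) % 26])
        else:
            out.append(ch)
    return "".join(out)

def caesar_decrypt(ciphertext: str, shift: int = 3) -> str:
    """Undo the shift by moving each letter `shift` positions to the right."""
    return caesar_encrypt(ciphertext, -shift)

def brute_force(ciphertext: str, known_word: str) -> list:
    """Try every one of the 25 non-trivial shifts and return those whose
    decryption contains `known_word` (a word the reader expects to appear).

    With only 25 candidates, the "key" is recovered instantly; the security
    of the scheme rested entirely on the method itself being unknown."""
    return [s for s in range(1, 26)
            if known_word.upper() in caesar_decrypt(ciphertext, s)]

# Constructed sample message (not from the text).
MESSAGE = "ATTACK AT DAWN"

if __name__ == "__main__":
    ct = caesar_encrypt(MESSAGE)
    print("ciphertext:", ct)
    print("decrypted: ", caesar_decrypt(ct))
    print("shifts that yield the word DAWN:", brute_force(ct, "DAWN"))
```

With the default shift the constructed message encrypts to `XQQXZH XQ AXTK`, decrypts back to the original, and the exhaustive search returns only shift 3.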
Unfortunately, this does not always work, because the network is not the only place where Tracy can snoop on Camille. If Tracy is able to hack into Camille's computer, she can intercept all the outgoing messages before they are encrypted, and all the incoming messages after they are decrypted. Breaking into someone's computer is not always easy, but a lot easier than it should be (and typically a lot easier than cracking someone's 2048 bit encryption key). The problem is caused by bugs in the software on Camille's computer. Fortunately for Tracy, increasingly bloated operating systems and applications guarantee that there is no shortage of bugs. When a bug is a security bug, we call it a vulnerability. When Tracy discovers a vulnerability in Camille's software, she has to feed that software with exactly the right bytes to trigger the bug. Bug-triggering input like this is usually called an exploit. Successful exploits allow attackers to take full control of the computer.