Topic 3c – Operating System Security

The OS has two jobs: make the computer useful, and make sure it stays that way.

Learning Objectives

By the end of this topic, you should be able to:

Learning Activities

To help you meet the learning objectives, we have prepared a combination of readings, activities, and videos.

Course Readings

These reading were designed to introduce the course topics to an audience of educators. They should be considered "required" and read in order.

Checking for Understanding, Questions

Access Control

  1. What information does an OS account record typically contain, and how does the OS use it during the login procedure?
  2. What can an administrator do that an ordinary user account cannot? Why does this make the administrator account a high-value target for attackers?
  3. Describe two types of suspicious behavior that auditing software is designed to detect.
  4. Explain how a fake login screen (sniffing software) can be used to steal credentials. What layer of defense does it bypass, and what layer might catch it?

Passwords and MFA

  1. What are two specific mistakes people commonly make with passwords that undermine security, even when the OS itself is well-designed?
  2. Why does a longer password provide better protection against brute-force attacks than a shorter password with more character types?
  3. Describe the three categories of authentication factors. For each, give an example that is not in the readings.
  4. A student says: "I use 2FA on my email, but it's annoying. I don't really need it since I have a strong password." How would you respond?

Privilege Levels

  1. Why is software-only memory protection insufficient? What specific attack does hardware memory bounds enforcement prevent, and how does it work?
  2. What is the difference between privileged mode and nonprivileged mode? Which mode does an ordinary application run in?
  3. What is a privileged instruction? Give two examples and explain why each needs to be restricted.
  4. Trace the privilege mode transitions that occur during a single time slice: starting from the OS selecting a process, through the process executing, to the time-slice interrupt returning control to the OS.
  5. A process running in nonprivileged mode attempts to modify its own memory limit register. Walk through exactly what happens next.

Checking for Understanding, Answers

You can compare your answers to the following answer key.

Show Answer Key

Access Control

  1. An OS account record typically contains a username, a hashed (not plain-text) password, group memberships, home directory location, and access permissions. During login, the OS accepts a username and password, hashes the entered password using the same algorithm used to store it, and compares the result to the stored hash. If they match, the OS creates a session for that user with the permissions associated with that account.
  2. An administrator (superuser) can install and remove software, modify system files, change other users' permissions, access all files regardless of ownership, and change system-wide settings. An ordinary user is restricted to their own files and approved applications. Attackers target the administrator account because compromising it gives complete control over the entire system — they can install malware, create backdoors, or read any file without restriction.
  3. Auditing software is designed to detect behaviors such as: (1) repeated failed login attempts, which may indicate a brute-force or credential-stuffing attack; (2) logins at unusual times or from unusual locations; (3) access to files outside a user's normal working set; (4) privilege escalation attempts — a process trying to gain higher permissions than it was granted.
  4. A fake login screen presents an interface identical to the real OS login prompt. When a user enters their credentials, the fake screen captures them and passes them to the attacker before (optionally) handing off to the real login process. It bypasses the OS's own authentication entirely because the OS never sees the credentials — the attacker's program intercepts them first. Auditing software that monitors for unexpected processes running at login time, or trusted path mechanisms (a secure attention sequence the OS reserves), might catch it.

Passwords and MFA

  1. Two common mistakes: (1) password reuse — using the same password across multiple accounts means a breach of one site exposes all others; (2) writing passwords down insecurely or sharing them, undermining the secrecy the password relies on. Others include using easily guessable passwords (names, birthdays) or refusing to use a password manager, leading to weak passwords chosen for memorability.
  2. Brute-force attacks try every possible combination. The number of combinations grows exponentially with length: each additional character multiplies the search space by the size of the character set. A 12-character password using only lowercase letters has 2612 ≈ 95 trillion combinations. A 6-character password using all character types (26+26+10+32 = 94 characters) has 946 ≈ 689 billion. The 12-character all-lowercase password has a larger search space despite the limited character set, because length dominates.
  3. The three categories: (1) Something you know — a PIN, a passphrase, a security question answer; (2) Something you have — a hardware security key, a phone receiving an SMS code, a smart card; (3) Something you are — a fingerprint, face geometry, iris scan, voice pattern.
  4. A strong password protects against attackers who are trying to guess or crack the password. MFA protects against attackers who have already obtained the password — through phishing, a data breach at another site, or malware. These are two different attack scenarios; a strong password does not protect against the second one. MFA means that even a fully compromised password does not give an attacker access without also controlling the second factor.

Privilege Levels

  1. Software-only protection can be circumvented because a malicious process could simply modify the protection data structures in memory, since they are just data. Hardware memory bounds registers are part of the CPU itself: the CPU checks every memory access against the bounds registers and raises a hardware exception if the access falls outside the allowed range. This prevents one process from reading or writing another process's memory entirely in hardware, where no software trick can bypass it.
  2. Privileged mode (also called kernel mode or supervisor mode) allows the CPU to execute any instruction and access any memory. The OS kernel runs in this mode. Nonprivileged mode (user mode) restricts access: certain instructions are forbidden and memory access is limited to the process's own allocated space. Ordinary applications run in nonprivileged mode.
  3. A privileged instruction is one that can only execute in privileged mode; attempting it in nonprivileged mode causes a hardware exception. Examples: (1) modifying memory bounds registers — restricted because a process that could expand its own memory bounds could access any other process's memory; (2) halting the CPU or disabling interrupts — restricted because a process that could disable interrupts could freeze the entire system and prevent the OS from regaining control.
  4. Mode transitions during one time slice: (1) The OS (running in privileged mode) selects a process from the ready queue. (2) The dispatcher loads the process's saved state (registers, PC) from the process table and executes a special return-from-interrupt instruction that switches the CPU to nonprivileged mode and jumps to the process's code. (3) The process runs in nonprivileged mode for its time slice. (4) A hardware timer fires an interrupt, forcing the CPU back to privileged mode and transferring control to the OS interrupt handler. (5) The OS saves the process's current state and repeats from step 1.
  5. Modifying a memory limit register is a privileged instruction. When the process attempts to execute it in nonprivileged mode, the CPU immediately detects the violation and raises a hardware exception. Control transfers automatically to the OS exception handler (in privileged mode). The OS records the violation, typically terminates the offending process with an error (a segmentation fault or access violation), and logs the event. The process never succeeds in modifying the register.

Extend Your Learning

The following resources go a little deeper on topics we touched on but did not fully explore in the readings. These are entirely optional — none of this material appears on the Competency Demo — but each one is a natural "next question" from something covered this week.

  • Privilege escalation attacks
    Real-world OS exploits almost always involve privilege escalation — getting from nonprivileged mode to privileged mode without authorization. The Spectre and Meltdown vulnerabilities (mentioned in the Week 2 SEC material) are famous examples. This article from CrowdStrike covers the main classes of privilege escalation attacks and how they are typically mitigated.
    Privilege Escalation Attacks — CrowdStrike