OS Security — Authentication, DAC, MAC, RBAC | Tutorials Logic
Security Goals
Operating system security aims to protect system resources and data. The three core security goals (CIA Triad) are:
- Confidentiality: Ensure that information is accessible only to authorized users. Prevent unauthorized disclosure.
- Integrity: Ensure that data is accurate and has not been tampered with by unauthorized parties.
- Availability: Ensure that authorized users can access resources and services when needed.
Additional goals include Authentication (verify identity), Authorization (control access), and Non-repudiation (prevent denial of actions).
Common Security Threats
| Threat | Description | Impact |
|---|---|---|
| Virus | Self-replicating malicious code that attaches to legitimate programs | Data corruption, system damage |
| Worm | Self-replicating malware that spreads across networks without user action | Network congestion, system compromise |
| Trojan Horse | Malicious code disguised as legitimate software | Backdoor access, data theft |
| Ransomware | Encrypts user files and demands payment for decryption key | Data loss, financial damage |
| Rootkit | Hides malicious processes from the OS and security tools | Persistent, hard-to-detect compromise |
| Spyware | Secretly monitors user activity and sends data to attacker | Privacy violation, credential theft |
| Buffer Overflow | Writing beyond buffer boundaries to overwrite memory and execute arbitrary code | Privilege escalation, code execution |
| Privilege Escalation | Gaining higher privileges than authorized (vertical) or accessing other users' resources (horizontal) | Full system compromise |
Authentication
Authentication verifies the identity of a user or process. Common methods:
- Something you know: Password, PIN, security questions
- Something you have: Smart card, hardware token, OTP device
- Something you are: Biometrics - fingerprint, face recognition, iris scan
- Multi-Factor Authentication (MFA): Combines two or more factors for stronger security
Password security best practices: Hashing with salt (bcrypt, Argon2), minimum length requirements, account lockout after failed attempts, password expiry policies.
Access Control Models
| Model | Full Name | Description | Example |
|---|---|---|---|
| DAC | Discretionary Access Control | Resource owner decides who can access. Users can grant permissions to others. | Unix file permissions (owner, group, others) |
| MAC | Mandatory Access Control | OS enforces access based on security labels. Users cannot override. | SELinux, military systems (Top Secret, Secret, Confidential) |
| RBAC | Role-Based Access Control | Permissions assigned to roles; users assigned to roles. Simplifies management. | Enterprise systems: Admin, Manager, Employee roles |
| ABAC | Attribute-Based Access Control | Access based on attributes of user, resource, and environment. | Cloud IAM policies (AWS IAM) |
Access Control Lists (ACL)
An Access Control List (ACL) is a list associated with each resource that specifies which users or groups have what permissions on that resource.
- File ACL example:
alice: read, write | bob: read | others: none - Network ACL: Firewall rules specifying which IP addresses/ports are allowed or denied
- Capability list: The inverse - a list per user of what resources they can access (used in some OS designs)
Unix permissions are a simplified ACL: owner (rwx), group (rwx), others (rwx). Extended ACLs (setfacl) allow per-user and per-group permissions beyond the basic three.
Encryption in OS Security
| Type | Description | OS Examples |
|---|---|---|
| Full Disk Encryption (FDE) | Encrypts the entire disk; requires authentication at boot | BitLocker (Windows), FileVault (macOS), LUKS (Linux) |
| File-Level Encryption | Encrypts individual files or directories | EFS (Windows), eCryptfs (Linux) |
| Memory Encryption | Encrypts RAM contents to protect against cold boot attacks | AMD SME/SEV, Intel TME |
| Secure Boot | Verifies bootloader and OS integrity using cryptographic signatures | UEFI Secure Boot |
OS Security Mechanisms
- Kernel protection rings: Ring 0 (kernel mode) has full access; Ring 3 (user mode) is restricted. System calls are the controlled interface between them.
- Address Space Layout Randomization (ASLR): Randomizes memory addresses to make buffer overflow exploits harder.
- Data Execution Prevention (DEP/NX): Marks memory regions as non-executable to prevent code injection attacks.
- Sandboxing: Isolates processes to limit damage from compromised applications (browsers, containers).
- Audit logging: Records security-relevant events for forensic analysis and compliance.
Level Up Your Operating system Skills
Master Operating system with these hand-picked resources
10,000+ learners
Free forever
Updated 2026
Related Operating System Topics