The Internet of Everything and Its Relationship

with Operating Systems Security

Guillaume Lam
Department of Computer Science
University of California, Los Angeles
Los Angeles, California 90024
Email: guillaumelam.34@ucla.edu

I.

I NTRODUCTION

Security measures have always been given great consideration in the design of operating systems. The purpose of
this is to not only ensure that an operating systems actions
will function correctly, but to also prevent malicious entities
from negatively modify with them. As security mechanisms
improve, so do external aggression tactics in parallel. For this
reason, there must be continuous progress made in the field of
operating systems security. The advent of the Internet Age has
brought with it various new concerns for operating systems architects ranging from keyloggers to unwanted script injections.
Such attacks are often concealed in uploaded files on the internet, with attacks being as basic as fake emails that phish for
a users personal information and as complicated as malicious
code hidden within a modified copy of an otherwise innocuous
executable file. Nevertheless, computer security experts have
striven to protect operating systems everywhere from foreign
attacks by implementing an assortment of authentication, authorization, and access control mechanisms. With that idea
in mind, we must note that as the internet rapidly expands
from being user-to-server or user-to-user focused many of
these security measures must be reevaluated. No longer should
operating system security be thought in terms of users, but at
the fields forefront is the idea of an automated agent that
has no physical representation [or]particular service provider
but rather establishes contracts with service providers to get
or provide access to data to accomplish some function for
users[1].
II.

BACKGROUND

To better understand the implications of an increasingly

complicated internet network, we must first have a basic
comprehension of the most important categories of security
mechanisms implemented by operating systems. For the purpose of this article, we will give explanations of the following:
authentication and authorization.
A. Authentication
Authentication, or the validation of a users identity, is
the most commonly implemented form of security measure.
The most common form of authentication is the password
check, in which a user attempting to gain access to a system
provides a valid form of identification to the systems security
mechanism. Regardless of robustness implementations such
as guess prevention, this form of authentication cannot be

considered fully trustworthy due to possibility for a users

validation key to be transmitted over a network in which it
could be disclosed to eavesdroppers[2]. Due to this vulnerability, a more favored authentication implementation lies in the
design of key-based systems in which an encrypted form of
the validation is sent to the network and then decoded by the
systems security mechanism. The system will then send the
user an encrypted version of the results of the access attempt
which is then decoded by the user. Through this authentication
method, passwords are able to be snooped, but they will be
undecipherable without the corresponding encryption keys. It
is evident that as opposed to solely implementing a password
check, the integration of key-based encryption mechanisms
leads to more trustworthy system security measures.
B. Authorization
Authorization, or the validation of a users rights within a
system, is as equally important a security consideration for
operating systems as authentication. We present the following
scenario to better explain this idea; on a multi-user server,
a user should have access to his files only and should also
be able to determine the access permissions of other users
concerning those files. In no case would we want other users to
be able to have access to the users files unless specified by the
user. As a result, in addition to authenticating users, operating
systems must also be able to handle access control across all
users reliably and efficiently. Linux, a well-known operating
system, separates permissions into three groups: owner, group,
and all users. In doing so, the Linux file system avoids the
potential vulnerability [that] can exist when local access is
granted to external users, file system tampering[3]. Within each
group, permissions are once again categorized into read, write,
and execution privileges in order to facilitate more precise
authorization control. Most commonly, a user will limit access
others have to the file to be read only in order to protect the
file from tampering.
III.

M ETHOD

An article published in February 2015 on Network World

discusses the concept of the Internet of Things, IoT for
short, which has arisen as a result of the ever-increasing
complexity of the internet. Four experts ranging from both
professional and academic backgrounds debate about the future
of IoT, and in doing also discuss their differing beliefs in
how internet security should be handled. Although a consensus

is not reached due to the objective nature of the article,

the essence of the article is that whereas the internet was
once relegated to solely a form of communication, it has
now been seamlessly integrated into the real world. Both
computer networks and the internet have found uses within
various professional settings, from the mundane such as online
restaurant order placement to health care monitoring. The
article emphasizes that the potential harm of system security
breaches has greater implications than the confines of the
internet. There are tangible social and economic consequences
that can be linked to failure in both operating system security
and internet security. Attacks on an online service do not just
mean bringing an entire website down temporarily; the most
insidious of attacks involve obtaining access to sensitive user
data online and then using that information to commit crimes
such as identity theft in the real world.
A. Complete Homogenization
A suggested solution to regulating security mechanisms
more easily is to completely standardize security practices for
all internet-based systems and objects. As stated by a paper
presented at the IEEE 5th International Conference in 2011,
the problem with the IoT resides in the tens of billionsof heterogeneous objects[4]. The argument for the homogenization
of internet security measures is centered on the notion that
with more standardized security practices, potential breaches
will be more easily identified and thus the danger of the stated
tens of billions of objects will be greatly reduced. Less time
would be spent understanding and solving integration issues
across different components with varying security protocols,
and more would be used to improve the existing security
mechanisms. Whereas the accessibility and comprehensibility
achievable should be considered as a major reason to support
homogenization, it is also important to consider the possibility
of the next security crisis[1]. This is only a minor exaggeration,
as with homogenized security protocols, one successful breach
would render breaches in other places much easier. Referring
to the article published on Network World, the convergence
of once extremely heterogeneous security protocols in the
early stages of network security is the reason for many of the
most common internet security problems today. The argument
against homogenization is that there is the potential for a
rendition of this event to reoccur, except this time at a larger
and less manageable scale.
B. Partial Homogenization
Perhaps a more sensible solution would be to embrace the
heterogeneity of the IoT, and rather than attempting to fully
homogenize security systems everywhere security protocols
should be homogenized across application areas based on
data as stated by a paper published in the September 2013
edition of Future Generation Computer Systems. A median
between complete homogeneity and heterogeneity, this concept
allows for smart connectivity within existing networks due
the homogeneity of security protocols while also diminishing
the threat of security breaches on a network-wide basis [5].
Application areas could be determined by function such as
economic, social, or health-care or even by location, and the
main motivation behind this would be to achieve a balance in

tradeoffs between both sides of the regulation spectrum. Network breaches would not be as dangerous due to applicationisolated homogenization at the cost of regulation accessibility.
Conversely, regulation of security protocols would be simplified due to homogenization at the cost of the increased threat in
network breaches. The concern behind this approach would be
that although it contains the benefits of both heterogenization
and homogenization, it implements neither optimally while
also containing the tradeoffs of both. Essentially the problem
with partial homogenization of the IoTs security protocols is
its potential lack of an audience; for some parties this approach
would not be specific and safe enough, and for others this
approach would be too restrictive to apply on a large scale.
C. Effects on Operating Systems
Regardless of security standardization policies, the potential dangers of an increasingly complex IoT should be apparent
to operating system architects. An operating system wishes
to preserve its authentication and authorization policies even
in the presence of the internet. Security breaches achieved
by malicious entities through the internet can force operating
systems to run unintended code and modify or extract user files
or directories. Consequences could range from minor instances
such as text-file corruption to graver instances such as the
installation of a keylogger without detection by the operating systems defense mechanisms. In handling the security
problems of the Internet of Things, we must also consider
the potential harm done to individual operating systems. The
breach of an online service has the potential to give the attacker
access to information on numerous users and possible ways
to infiltrate their computers. We can easily understand the
implications of such an incident, especially for websites such
as Facebook which cater to millions of users. Failure in the
security protocols of large online services could potentially
threaten and expose millions of operating systems. As attacks
on online services threaten more operating systems than usertargetted attacks, the security implications of the Internet of
Things growth should be held with the same, if not more,
weight as security issues for individual operating systems.
IV.

C ONCLUSION

The evolution of the internet has mandated a reevaluation

of the standards in security implementation due to the increasingly complex relationships in the internet. In the Internet of
Things, no longer are connections relegated to simply being
user-to-user or user-to-provider, but there are now various intermediate layers to consider. Debate is ongoing about whether
or not to homogenize security protocol standards completely,
and the general consensus is that areas of homogenization
should be implemented to achieve simpler management while
preserving a basic level of security. This issue especially
relates to operating systems in the sense that the connections
established to the internet on an operating system could be
used by foreign entities to malicious gain control of the
operating system. The authentication and authorization procedures implemented by the operating system would be rendered
inefficient, at no fault of the system designers. In a time
experiencing continuous internet integration with everyday life,
security should be at the forefront of research.

R EFERENCES
[1] The Security Implications of IoT: A Roundtable Discussion
with Four Experts Network World. Web. 13 Mar. 2015.
http://www.networkworld.com/article/2881754/internet-of-things/thesecurity-implications-of-iot-a-roundtable-discussion-with-fourexperts.html
[2] Haller, N. et al, On Internet Authentication, Naval Research Laboratory,
Oct 1994.
[3] Understanding Linux File Permissions, Linux.com. Web. 13 Mar.
2015. http://www.linux.com/learn/tutorials/309527-understanding-linuxfile-permissions
[4] Barnhart, E. et al, Consideration for Machine-to-Machine communications architecture and security standardization, IEEE 5th International
Conference. IEEE, Dec 2011.
[5] Buyya, R. et all, Internet of Things (IoT): A vision, architectural elements, and future directions, The University of Melbourne. Department
of Electrical and Electronic Science, 2013.