Your First Guide to secure Linux. August 12, 2010 Toshiharu Harada NTT DATA CORPORATION
2 Abstract There are two types of people in the world. Those who are security experts, and the remainder of the world. In most cases, security experts are willing to provide technical assistance to people, but this does not always work as the information can be highly technical and confusing if you are not comfortable with the fundamentals of Linux security. Toshiharu Harada, Project Manager for TOMOYO Linux at NTT DATA CORPORATION will share the fundamental concepts of "secure Linux" for managers and end users who have little or no familiarity with security. This session does not require any special skills or knowledge, and is *not* designed for security experts.
3 Prologue "Whenever people agree with me, I always feel I must be wrong." -- Oscar Wilde
4 secure Linux is a Linux version of OS with enhanced security
5 What is OS with enhanced security?
6 You can Google it as always, but what you get will be much more than you want (and hard to understand)
7 If you ask security people... You'll get the same results in 3D
8 Tons of information on the net... Open source implementations available... Active and friendly community... What's the missing link?
9 Maybe the missing link is the concept of secure Linux. So, here I am
10 Who Am I? Project manager of TOMOYO Linux, one of the secure Linux extensions part of the upstream. When I launched the TOMOYO project in 2003, I started investigating the existing projects. Thanks to many people, TOMOYO has been incorporated in the mainline Linux kernel
11 This presentation is intended to provide you the fundamental concepts of what secure OS is and why it has to be developed
12 What You Get Understanding the underlying concepts of secure Linux should help you to enlarge your administrative knowledge and experience to make a good decision on when and how you need it to protect your system (someday)
13 secure Linux is a name for Linux version of secure OS (operating system) Linux has three secure Linux extensions: SELinux, SMACK and TOMOYO currently, and AppArmor (to be merged for )
14 Pros of secure Linux: It can reduce the potential damages to your Linux system when it gets exploited. So, let's start with exploits
15 Chap. 1 Exploits "Give me a place to stand on, and I will move the Earth." -- Archimedes
16 Wisdom from Microsoft Security Response Center
17 Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore. Actually, a bad guy can run his program on your computer without persuading you. That's what we call an exploit
18 What is an exploit? From Wikipedia (as of July 15th, 2010) An exploit is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerised). This frequently includes such things as gaining control of a computer system or allowing privilege escalation or a denial of service attack.
19 Bad luck aspect of computer science. From 10 Immutable Laws of Security by Microsoft, Law #1: It's an unfortunate fact of computer science: when a computer program runs, it will do what it's programmed to do, even if it's programmed to be harmful.
20 Exploits Demo: Understanding the meaning of exploit helps you to understand what secure OS is. Let's see three examples
21 (1) ftp exploit
22 (2) samba exploit
23 (3) local exploit
24 Know Thy Enemy: Typical procedures of exploits: 1. Connect to a server pretending to be a normal client 2. Check to see if a server is a vulnerable one 3. Cause misbehavior by buffer overflow and other techniques. Their goal is gaining the root privilege
25 Chap.1 Summary: Exploits are based on vulnerabilities. Vulnerabilities are common and your system is exposed to many risks. Exploits aim to obtain root privilege of your system in most cases
26 Chap. 2 Linux Security With great power, comes great responsibility -- Peter Parker
27 Reviewing Good Old Linux Security: Linux had got security, of course. It's called Discretionary Access Control (DAC, for short). Owners (and root) can define access permissions through the chmod command. Any problem with that? Yes, unfortunately
28 Problem with DAC: Root user can violate DAC settings. DAC cannot help when... your server is exploited; a bad guy manages to log in to your server as root. It's useless against exploits
29 What about Firewalls and IDS? Can they compensate for the DAC shortage?
30 Firewall and IDS. Firewall: Exploits pretend to be good clients and try to connect through opened ports. IDS: IDS can't recognize unknown/future attacks and vulnerabilities
31 Click N See
32 Buffer Overflow We learned that DAC and other traditional Linux security are not quite dependable Suppose buffer overflow is a typical approach of attacks, can we prevent them causing buffer overflow?
33 Click N See
34 Buffer Overflow. What is it? Intentionally cause overflow of buffer to gain control and execute /bin/sh. How to protect? Various tools and technologies have been invented, but they do not guarantee safety
35 Chap. 3 MAC "Although the world is full of suffering, it is full also of the overcoming of it." -- Helen Keller
36 Origins of secure OS: In the 80s, research was carried out in the USA to define evaluation criteria for trusted computer systems. DoD unveiled Trusted Computer Systems Evaluation Criteria (TCSEC, aka "Orange Book") in 1985
37 1985
38 Amiga 1000 was released in 1985
39 TCSEC (TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA) Trusted Computer Systems should have... Division A: Verified Protection; Division B: Mandatory Protection; Division C: Discretionary Protection; Division D: Minimal Protection
40 DAC defined by TCSEC: The TCB* shall define and control access between named users and named objects in the ADP* system. The enforcement mechanism shall allow users to specify and control sharing of those objects by named individuals or defined groups or both. TCB: Trusted Computing Base, ADP: automatic data processing (you don't have to remember these terms, I think)
41 DAC (diagram: read, write and execute permissions on an object for user (self), group and others)
42 DAC: % chmod 600 my_file (diagram: read, write and execute permissions on the object for user (self), group and others)
43 MAC MAC (Mandatory Access Control) can improve the situation which DAC cannot solve
44 MAC defined by TCSEC The TCB shall enforce a mandatory access control policy over all subjects and storage objects under its control. These subjects and objects shall be assigned sensitivity labels that are a combination of hierarchical classification levels and nonhierarchical categories, and the labels shall be used as the basis for mandatory access control decisions.
45 MAC (diagram: subject A, with a label for A, is granted or rejected access to object B, with a label for B)
46 NSA SELinux FAQ: Security of Linux system depends. 1. Unmodified Linux system 2. Linux system with MAC
47 Security of Unmodified Linux System (diagram: security rests on privileged applications and correctness of the kernel)
48 Security of Linux System with MAC (diagram: security rests on security policy, MAC and correctness of the kernel)
49 How MAC can help? (samba exploit vs. TOMOYO)
50 Differences. Unchanged (Things you cannot change): exploit has occurred; a bad guy obtained root shell without logging in. Changed (Things you can change with MAC): some commands failed despite root privilege (MAC introduced a new layer of security)
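The difference summarised on slides 27-28, 42 and 50, as an added example that is not part of the original slides: a toy model in which the DAC check lets root through and a default-deny MAC check keyed on the subject's domain does not. The uids, paths, domain names and rule format are constructed for illustration and are not SELinux or TOMOYO policy syntax; supplementary groups and capabilities are ignored.

```python
# Added illustration (not from the slides): a toy model of the two checks.
# uids, paths, domain names and the MAC rule format are constructed.
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileObj:
    path: str
    owner: int   # uid of the owner
    group: int   # gid of the owning group
    mode: int    # permission bits as set by chmod, e.g. 0o600


@dataclass(frozen=True)
class Proc:
    uid: int
    gid: int
    domain: str  # MAC label of the subject


# (user, group, others) permission bit for each operation
BITS = {
    "read": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "write": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "execute": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def dac_allows(proc, obj, op):
    """Classic owner/group/others check; root is not bound by it."""
    if proc.uid == 0:
        # root overrides the read/write bits; to execute a file it still
        # needs at least one execute bit to be set.
        return op != "execute" or bool(obj.mode & 0o111)
    user_bit, group_bit, other_bit = BITS[op]
    if proc.uid == obj.owner:
        return bool(obj.mode & user_bit)
    if proc.gid == obj.group:
        return bool(obj.mode & group_bit)
    return bool(obj.mode & other_bit)


def mac_allows(policy, proc, obj, op):
    """Default deny: only accesses listed for the subject's domain pass."""
    return (proc.domain, op, obj.path) in policy


def access(proc, obj, op, policy=None):
    """policy=None models an unmodified system (DAC only)."""
    if not dac_allows(proc, obj, op):
        return "denied by DAC"
    if policy is not None and not mac_allows(policy, proc, obj, op):
        return "denied by MAC"
    return "granted"


# chmod 600 my_file: the owner may read and write, nobody else may do anything
MY_FILE = FileObj("/home/alice/my_file", owner=1000, group=1000, mode=0o600)
ALICE = Proc(uid=1000, gid=1000, domain="login>shell")
BOB = Proc(uid=1001, gid=1001, domain="login>shell")
# root shell obtained through an exploited server, without logging in
ROOT_SHELL = Proc(uid=0, gid=0, domain="smbd>sh")

POLICY = {
    ("login>shell", "read", "/home/alice/my_file"),
    ("login>shell", "write", "/home/alice/my_file"),
    ("smbd", "read", "/etc/samba/smb.conf"),
    # nothing is listed for "smbd>sh": a shell under smbd is not expected
}

if __name__ == "__main__":
    for who, proc in (("alice", ALICE), ("bob", BOB), ("root shell", ROOT_SHELL)):
        print(who, "| DAC only:", access(proc, MY_FILE, "read"),
              "| with MAC:", access(proc, MY_FILE, "read", POLICY))
```

The root shell reads the file on the DAC-only system and is refused once the policy is in force, while the ordinary users' results do not change.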
51 Click N See
52 Chap. 4 Policy God, give us grace to accept with serenity the things that cannot be changed, Courage to change the things which should be changed, and the Wisdom to distinguish the one from the other. -- Reinhold Niebuhr
53 secure Linux needs policy: MAC is an instrument to restrict invalid accesses, not a brain. You (security admin) do instruct MAC system about good and bad accesses by defining a policy (AppArmor calls it "profile")
54 Importance of policy: The goal is very simple. Grant access if it's correct (or needed). Reject everything else. If you make mistakes in your policy: system might fail to work properly; system might not be protected
55 The Serenity Prayer O God, give us grace to accept with serenity the things that cannot be changed, Courage to change the things which should be changed, and the Wisdom to distinguish the one from the other
56 The Security Prayer (with my deepest respects for Reinhold Niebuhr) O God, give us grace to accept with serenity the things that are needed, Courage to reject the things which are not necessary, and the Wisdom to distinguish the one from the other
57 Where to find the wisdom? SELinux has a reference policy that embodies the built-up knowledge over the years about what accesses are in fact required for a large body of software; novice users can start with Boolean and power users can maintain their own foundation. TOMOYO and SMACK: Do it yourself
58 Domain: No program is always good or always bad. Therefore, security policies are the set of security contexts (conditions). SELinux and TOMOYO call them "domains" (AppArmor calls them "profiles")
59 Domain: Granularity of MAC policy is determined by two factors: domain granularity; access control granularity for each domain. Both live in the kernel space, not in the userspace
60 (diagram: userspace / kernel)
61 Managing Policy. What and When: Give permissions only when they are needed. Delete permissions if they turned out to be unnecessary. How: Carefully monitor the logs
62 Managing Policy, Cautions: a policy error is detected/defined when an access occurs but its definition is missing among policy rules; you can add such an error definition to the policy, in fact transforming it into a policy rule, so that the same error will not occur anymore; if you repeat this step thoughtlessly, you will lose control
63 Policy Auto Learning. What is it? Feature available with AppArmor and TOMOYO. How does it work? Observing executions of system calls. Transform results into the policy rule (like audit2allow does for SELinux)
64 Results of policy auto learning: can never be perfect; has no logics; should be considered as a starting point. Auto learning feature can be used as an analysis tool or an educational tool
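The learning loop and its caution from slides 61-64, as an added example that is not part of the original slides and is not AppArmor, TOMOYO or audit2allow code: observed accesses become allow rules, later denials are either absorbed blindly or triaged first. The access logs, domain names and the triage heuristic (same domain, same operation, same directory counts as routine) are assumptions made for illustration.

```python
# Added illustration (not AppArmor or TOMOYO code): a toy model of policy
# learning. An access is (domain, operation, path); all values are constructed.
import posixpath

# Accesses observed while the server does its normal job.
NORMAL_RUN = [
    ("smbd", "read", "/etc/samba/smb.conf"),
    ("smbd", "read", "/srv/share/report.txt"),
    ("smbd", "write", "/var/log/samba/log.smbd"),
    ("smbd", "read", "/etc/samba/smb.conf"),
]

# A later run: one new shared file, then the server starts a shell
# that reads the password database.
LATER_RUN = [
    ("smbd", "read", "/srv/share/report.txt"),
    ("smbd", "read", "/srv/share/budget.txt"),
    ("smbd", "execute", "/bin/sh"),
    ("smbd>sh", "read", "/etc/shadow"),
]


def learn(log):
    """Learning mode: every observed access is turned into an allow rule."""
    return set(log)


def denials(policy, log):
    """Enforcing mode: accesses with no matching rule, in order, deduplicated."""
    seen, out = set(), []
    for acc in log:
        if acc not in policy and acc not in seen:
            seen.add(acc)
            out.append(acc)
    return out


def absorb_all(policy, log):
    """The thoughtless loop: turn every policy error into a policy rule."""
    return policy | set(denials(policy, log))


def triage(policy, denied):
    """Split denials into routine ones and ones a person has to judge.

    Heuristic assumed for this example: a denial is routine when the domain
    already holds a rule for the same operation in the same directory.
    """
    known = {(d, op, posixpath.dirname(p)) for d, op, p in policy}
    routine, suspicious = [], []
    for d, op, p in denied:
        bucket = routine if (d, op, posixpath.dirname(p)) in known else suspicious
        bucket.append((d, op, p))
    return routine, suspicious


if __name__ == "__main__":
    policy = learn(NORMAL_RUN)
    denied = denials(policy, LATER_RUN)
    print("denied in enforcing mode:", denied)

    blind = absorb_all(policy, LATER_RUN)
    print("blind policy still denies:", denials(blind, LATER_RUN))

    routine, suspicious = triage(policy, denied)
    print("add after a glance:", routine)
    print("needs a decision:", suspicious)
```

Absorbing every denial silences the log and also grants the shell its read of /etc/shadow; triage adds only the new shared file and leaves the other two denials for a person to decide.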
65 References Live as if you were to die tomorrow. Learn as if you were to live forever. -- Mahatma Gandhi
66 For Comprehensive Understanding of Linux Security Ideal reference by James Morris, who is the Linux kernel security subsystem maintainer; author of the kernel cryptographic API; and a leading contributor to the SELinux, Linux Security Module, Netfilter and IPsec projects.
67 Linux Kernel Security Wiki Best place to find Linux kernel security related projects
68 To Know Your Enemy: Apache.org services attacked (April 13, 2010); Changes to LoCo Server Policy (August 11, 2007); Debian server compromise (July 12, 2006)
69 Find the Code Linux Cross Reference
70 TCSEC to ISO/IEC TCSEC has expired and the current standard is ISO/IEC Functional requirements have been described as protection profile LSPP (Labeled Security Protection Profile) succeeds MAC in TCSEC
71 Standards National Security Institute STD Trusted Computer System Evaluation Criteria ISO/IEC CAPP: Controlled Access protection profile LSPP: Labeled Security protection profile
72 RHEL Certifications
73 Other Topics
74 Secure Embedded Linux Characteristics of embedded devices Dedicated for usages and built with minimum resources Mass production affects cost (recall for millions, for instance) Network/HD/Updates might not always be available Linux has been spreading for embedded devices
75 Secure Embedded Linux: Google's Android and Chromium OS are adding unique modifications to improve security
76 Secure Embedded Linux
77 Cloud: Guest OS runs as a process from host OS / hypervisor. Internal activities of guest OS are translated, so host OS can hardly monitor and confine them. Guest OSes share the NIC, HD and other devices, so they are physically reachable from each other
78 Cloud: The commonly used virtualization library libvirt has incorporated the results of svirt (secure virtualization)
79 Congratulations: You've just learned the most difficult part of Linux security, understanding the concept. Everything else is waiting for you to begin. If you understand secure Linux, you will find it an invaluable tool
80 Loving can cost a lot, but not loving always costs more. -- Merle Shain
81 Why not start today?
82 The Serenity Prayer by Reinhold Niebuhr ( ) God, give us grace to accept with serenity the things that cannot be changed, Courage to change the things which should be changed, and the Wisdom to distinguish the one from the other. Living one day at a time, Enjoying one moment at a time, Accepting hardship as a pathway to peace, Taking, as Jesus did, This sinful world as it is, Not as I would have it, Trusting that You will make all things right, If I surrender to Your will, So that I may be reasonably happy in this life, And supremely happy with you forever in the next. Amen
83 Contact Information: I would like to make these slides useful for future readers, so please send your comments and corrections to haradats@gmail.com. Open source is a mutual benefit society, so I'm sharing my own experiences as TOMOYO Linux project manager as well as selected technical slides
84 The latest version of these slides can be found at SlideShare Acknowledgements Special thanks to Giuseppe La Tona, Tetsuo Handa for reviewing and Stephen Smalley for correcting SELinux related information Trademarks Linux is a registered trademark of Linus Torvalds in the United States and other countries TOMOYO is a registered trademark of NTT DATA CORPORATION in Japan
More informationAdvanced Systems Security: Multics
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationSELinux Updates. Thorsten Scherf Senior Consultant. Red Hat Global Professional Services Berlin / Germany
SELinux Updates Thorsten Scherf Senior Consultant Red Hat Global Professional Services 01.12.2011 Berlin / Germany Agenda SELinux review What happened to strict policy Policy customization and development
More informationsottotitolo System Security Introduction Milano, XX mese 20XX A.A. 2016/17 Federico Reghenzani
Titolo presentazione Piattaforme Software per la Rete sottotitolo System Security Introduction Milano, XX mese 20XX A.A. 2016/17 Outline 1) Introduction to System Security 2) Basic Exploits 3) Network
More informationCyber Security Update Recent Events in the Wild and How Can We Prepare?
Cyber Security Update Recent Events in the Wild and How Can We Prepare? Bob Cowles August, 2011 DOE Labs Hacked! ORNL off the Internet for nearly 2 weeks extensive remediation efforts put into place JLab
More informationLast time. User Authentication. Security Policies and Models. Beyond passwords Biometrics
Last time User Authentication Beyond passwords Biometrics Security Policies and Models Trusted Operating Systems and Software Military and Commercial Security Policies 9-1 This time Security Policies and
More informationViGo Architecture and Principles. Mobile Voice Biometrics as-a-service
ViGo Architecture and Principles Mobile Voice Biometrics as-a-service Part number: VV/VIGO/DOC/183/C Copyright 2015 VoiceVault Inc. All rights reserved. This document may not be copied, reproduced, transmitted
More informationTexSaw Penetration Te st in g
TexSaw Penetration Te st in g What is penetration testing? The process of breaking something or using something for an unintended used case for the purpose of bettering the system or application. This
More informationfacebook a guide to social networking for massage therapists
facebook a guide to social networking for massage therapists table of contents 2 3 5 6 7 9 10 13 15 get the facts first the importance of social media, facebook and the difference between different facebook
More informationXton Access Manager GETTING STARTED GUIDE
Xton Access Manager GETTING STARTED GUIDE XTON TECHNOLOGIES, LLC PHILADELPHIA Copyright 2017. Xton Technologies LLC. Contents Introduction... 2 Technical Support... 2 What is Xton Access Manager?... 3
More informationRole-Based Access Control (RBAC) Lab Minix Version
Laboratory for Computer Security Education 1 Role-Based Access Control (RBAC) Lab Minix Version Copyright c 2006-2009 Wenliang Du, Syracuse University. The development of this document is funded by the
More informationFall 2014:: CSE 506:: Section 2 (PhD) Securing Linux. Hyungjoon Koo and Anke Li
Securing Linux Hyungjoon Koo and Anke Li Outline Overview Background: necessity & brief history Core concepts LSM (Linux Security Module) Requirements Design SELinux Key elements Security context: identity
More informationOutline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines
Outline Operating System Security CS 239 Computer Security February 23, 2004 Introduction Memory protection Interprocess communications protection File protection Page 1 Page 2 Introduction Why Is OS Security
More informationDreamFactory Security Guide
DreamFactory Security Guide This white paper is designed to provide security information about DreamFactory. The sections below discuss the inherently secure characteristics of the platform and the explicit
More informationAdvanced Systems Security: Ordinary Operating Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationWHITE PAPER. Best Practices for Web Application Firewall Management
WHITE PAPER Best Practices for Web Application Firewall Management WHITE PAPER Best Practices for Web Application Firewall Management.. INTRODUCTION 1 DEPLOYMENT BEST PRACTICES 2 Document your security
More informationDocker and Security. September 28, 2017 VASCAN Michael Irwin
Docker and Security September 28, 2017 VASCAN Michael Irwin Quick Intro - Michael Irwin 2011 - Graduated (CS@VT); started full-time at VT Sept 2015 - Started using Docker for QA June 2016 - Attended first
More informationINFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD
Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD OVERVIEW Fundamental
More informationOracle Advanced Security: Enterprise User Management. An Oracle Technical White Paper November 1999
Advanced Security: Enterprise User Management An Technical White Paper Advanced Security: Enterprise User Management THE CHALLENGES OF USER MANAGEMENT Some of the challenges faced by an enterprise today
More informationMoving Application Security into the Network
Moving Application Security into the Network Steven M. Bellovin smb@cs.columbia.edu http://www.cs.columbia.edu/ smb Dept. of Computer Science, Columbia University Steven M. Bellovin January 18, 2005 1
More information10/23/12. Fundamentals of Linux Platform Security. Linux Platform Security. Roadmap. Security Training Course. Module 4 Introduction to SELinux
Fundamentals of Linux Platform Security Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Linux Platform Security Module 4 Introduction to SELinux Roadmap Why SELinux? Overview
More informationSecuring Network Devices with the IEC Standard What You Should Know. Vance Chen Product Manager
with the IEC 62443-4-2 Standard What You Should Know Vance Chen Product Manager Industry Background As the Industrial IoT (IIoT) continues to expand, more and more devices are being connected to networks.
More informationHow to Break Software by James Whittaker
How to Break Software by James Whittaker CS 470 Practical Guide to Testing Consider the system as a whole and their interactions File System, Operating System API Application Under Test UI Human invokes
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 13: Operating System Security Department of Computer Science and Engineering University at Buffalo 1 Review Previous topics access control authentication session
More informationCISNTWK-11. Microsoft Network Server. Chapter 4
CISNTWK-11 Microsoft Network Server Chapter 4 User and Group Accounts 1 Usage Notes Throughout these slides, the term Active Directory Domain implies Domains Based on Windows Server 2008 Based on Windows
More informationfirewalls and vpns 5A15E503E76294A6E25A62A93FCE442E Firewalls And Vpns 1 / 6
Firewalls And Vpns 1 / 6 2 / 6 3 / 6 Firewalls And Vpns About the Site. General information about Linux Home Networking.. Linux Home Networking PDF Chapters. Covers topics needed for Linux software certification
More informationAccess Control. SELinux. Mestrado Integrado em Engenharia Informática e Computação. Computer Systems Security
Access Control SELinux Mestrado Integrado em Engenharia Informática e Computação Computer Systems Security João Carlos Eusébio Almeida - up201306301 João Gabriel Marques Costa - up201304197 May 17, 2017
More informationStorage and File Hierarchy
COS 318: Operating Systems Storage and File Hierarchy Jaswinder Pal Singh Computer Science Department Princeton University (http://www.cs.princeton.edu/courses/cos318/) Topics Storage hierarchy File system
More information