Introduction to Computer Security
|
|
- Wesley Bennett
- 5 years ago
- Views:
Transcription
1 Introduction to Computer Security UNIX and Windows Security Pavel Laskov Wilhelm Schickard Institute for Computer Science
2 Genesis: UNIX vs. MULTICS MULTICS (Multiplexed Information and Computing Service) a high-availability, modular, multi-component system secure design from ground up: implementation of the Bell-La Padula model initial development from 1963 to 1969; continued until 1985; last system decommissioned in 2000
3 Genesis: UNIX vs. MULTICS MULTICS (Multiplexed Information and Computing Service) a high-availability, modular, multi-component system secure design from ground up: implementation of the Bell-La Padula model initial development from 1963 to 1969; continued until 1985; last system decommissioned in 2000 UNIX: the opposite of MULTICS initial assembler implementation by Ken Thompson and Dennis Ritchie for PDP-7 and PDP-11 rewritten in C in 1973: the first operating system written in a high-level language continuous evolution of various dialects of UNIX and its routines for almost 40 years
4 Security and UNIX design Security was not a primary design goal of UNIX; dominant goals were modularity, portability and efficiency. UNIX provides sufficient security mechanisms that have to be properly configured and administered. The main security strength of UNIX systems comes from open source implementation which helps improve its code base. The main security weakness of UNIX systems comes from open source implementation resulting in a less professional code base.
5 Principals User identifiers (UID) Group identifiers (GID) A UID (GID) is always a 16-bit number A superuser (root) always has UID 0. UID information is stored in /etc/passwd GID information is stored in /etc/group
6 User account information: /etc/passwd 1. Username: used when user logs in, 1 32 characters long 2. Password: x indicates that encrypted password is stored in /etc/shadow 3. User ID (UID): 0 reserved for root, 1-99 for other predefined accounts, for system accounts/groups 4. Group ID (GID): the primary group ID 5. User ID info: a comment field 6. Home directory: The absolute path to the directory the user will be in when they log in 7. Command/shell: The absolute path of a command or shell (/bin/bash)
7 /etc/passwd examples root:x:0:0:root:/root:/bin/bash dhcp:x:101:102::/nonexistent:/bin/false syslog:x:102:103::/home/syslog:/bin/false laskov:x:1000:1000:pavel Laskov,,,:/home/laskov:/bin/bash nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
8 Shadow password file 1. Username: the user name 2. Passwd: the encrypted password 3. Last: days since Jan 1, 1970 that password was last changed 4. May: days before password may be changed 5. Must: days after which password must be changed 6. Warn: days before password is to expire that user is warned 7. Expire: days after password expires that account is disabled 8. Disable: days since Jan 1, 1970 that account is disabled Examples: root:!:14118:0:99999:7::: laskov:$1$/et/grjh$xssvnwpda35twsst7yjvb/:14118:0:99999:7:
9 Group file 1. Groupname: the group name 2. Password: an x indicates that a password is set and if left blank no password has been set 3. GID: the group ID number 4. Members: current members of the group separated by a comma Examples: root:x:0: adm:x:4:laskov laskov:x:1000:
10 Root privileges Almost no security checks: all access control mechanisms turned off can become an arbitrary user can change system clock Some restrictions remain but can be overcome: cannot write to read-only file system but can remount them as writable cannot decrypt passwords but can reset them Any user name can be root! root:x:0:1:root:/:/bin/sh funnybunny:x:0:101:nice Guy:/home/funnybunny:/bin/sh
11 Subjects The subjects in UNIX are processes identified by a process ID (PID). New process creation fork: spawns a new child process which is an identical process to the parent except for a new PID vfork: the same as fork except that memory is shared between the two processes exec family: replaces the current process with a new process image Processes are mapped to UIDs (principal-subject mapping) in either of the following ways: real UID is always inherited from the parent process effective UID is either inherited from the parent process or from the owner of the file to be executed
12 Objects Files, directories, memory devices, I/O devices etc. are uniformly treated as resources subject to access control. All resources are organized in tree-structured hierarchy Each resource in a directory is a pointer to the inode data structure that describes essential resource properties.
13 Inode structure mode uid gid atime mtime itime block count ptr file type and access control rights user name group name last access time last modification time last inode change time size of the file in blocks pointers to physical blocks with file contents
14 Mode field in detail File/resource type - file d directory b block device file c character device file s socket l symbolic link p FIFO Access control rules (permissions) owner rights r, w, e, - group rights r, w, e, - world rights r, w, e, - Examples -rw-r--r-- 1 laskov laskov unix.tex lrwxrwxrwx 1 root root stdin -> /proc/self/fd/0 crw laskov tty /dev/pts/1
15 Directory permissions read: searching a directory using e.g. ls write: modifying directory contents, creating and deleting files and directories execute: making a directory current and/or opening files in it
16 Managing permissions Octal encoding of permissions read-only: 100 B 4 read-write: 110 B 6 read-write-execute: 111 B 7 Modifying permissions chmod 777 filename chmod u+rwx,g+rx,o-w filename Changing file owner (root only) chown user:group filename
17 Default permissions Default permissions are usually 666 for files and 777 for directories. umask command changes default permissions synopsis: umask mask the inverse of mask is ANDed with the current permissions Examples: def. perm. mask inv. mask result
18 Controlled invocation Certain actions, e.g. using system ports (1-1023) or changing a password, require root privileges. We don t want to give users a general root privilege by telling them a root password, but only the right to run selected commands as root. Solution: set a special flag indicating that a program can be run under the privilege of its owner rather than that of a calling user. Disadvantage: this right cannot be given to selected users: all users in the world (or in a group) can run a program under its owner s privilege.
19 SUID, SGID and sticky flags A fourth octal number is added to permissions with the following bit designations: SUID: set UID (allow all users to run a program) SGID: set GID (allow all users in a specific group to run a program) sticky flag: only an owner (or root) can remove files in a directory Use chmod with four octal digits to set the extra flags: chmod unix.tex ls -l 08-unix.tex -rwsr-sr-t 1 laskov laskov unix.tex
20 Security risks of SUID Privilege escalation chmod 7700 bad-script.sh chown root:root badscript.sh./bad-script.sh
21 Security risks of SUID Privilege escalation chmod 7700 bad-script.sh chown root:root badscript.sh./bad-script.sh Ownership transfer to root is forbidden!
22 Security risks of SUID Privilege escalation chmod 7700 bad-script.sh chown root:root badscript.sh./bad-script.sh Ownership transfer to root is forbidden! Exploitation automatically receives root privileges
23 Search paths An attacker can diverting of execution of another program with the same name. Rules of conduct: If possible, specify full paths when calling programs, e.g. /bin/sh instead of sh. The same applies to programs to be run locally: use./program instead of program. Make sure. is the first symbol in the PATH variable. This will at least prevent calling a remote version of a program if what you really want is a local invocation.
24 Path and SUID combined $ ls -altr /home/sitka/ping -rwsrwxr-x 1 root root 8378 Dec 12 09:58 /home/sitka/ping $ cat ping.c #include <unistd.h> int main() { char *args[2]; args[0] = "/bin/sh"; args[1] = NULL; execve(args[0], args, NULL);} $ PATH=/home/sitka:${PATH} $ ping # whoami root
25 Security features missing in UNIX ACLs in general (getfacl only gets permissions) Data labeling, e.g. secret, classified etc. Mandatory access control, so that individuals are unable to overrun certain security decisions made by an admin (e.g. chmod 777 $HOME is always possible) Capabilities are supported by only a small subset of UNIX-like operating systems (e.g. Linux with kernel versions above ) Standardized auditing
26 Microsoft Windows Family Tree Key security milestones: NT 3.51 (1993): network drivers and TCP/IP Windows 2000: Active Directory, Kerberos, security architecture. Server 2003: security policies, LAN and wireless security Vista (2007): no admin-by-default, firewall, DEP, ASLR 64-bit versions (Vista+): mandatory kernel code signing
27 Security components of Windows OS Kernel mode: Security Reference Monitor: ACL verification User mode: Log-on process (winlogon): user logon Local Security Authority (LSA): password verification and change, access tokens, audit logs (MS04-11 buffer overflow: Sasser worm!) Security Accounts Manager (SAM): accounts database, password encryption User Account Control (UAC, Vista): enforcement of limited user privileges
28 Windows registry A hierarchical database containing critical system information Key-value pairs, subkeys, 11 values types A registry hive is a group of keys, subkeys, and values Security-related registry hives: HKEY_LOCAL_MACHINE\SAM: SAM database HKEY_LOCAL_MACHINE\Security: security logs, etc HKEY_LOCAL_MACHINE\Software: paths to programs! Security risks: manipulated registry entries missing security-related registry keys
29 Windows domains A domain is a collection of machines sharing user accounts and security policies. Domain authentication is carried out by a domain controller (DC). To avoid a single point of failure, a DC may be replicated
30 Active directory Active directory introduced in Windows 2000 is an LDAP-like directory service for organization of system resources: Users and groups Security credentials and certificates System resources (desktops, servers, printers) Security policies DNS service Trust management
31 Access control in Windows Access control is applied to objects: files, registry keys and hives, Active Directory objects. More than just access control on files! Various means exist for expressing security policies: groups roles ownership and inheritance rules complex access rights
32 Principals Principals are active entities in security policies Principals can be local users aliases domain users groups machines Principals have a human readable user name and a unique security identifier (SID) Local principals are created by a LSA, e.g. principal = MACHINE\principal Domain principals are administered by DC, e.g. principal@domain = DOMAIN\principal
33 Security identifiers A security identifier (SID) is a unique, machine generated code of varying length used to identify principals. Format: S-1-IA-SA-SA-SA-N, where IA (identifier authority): characterizes an issuer, e.g. World Authority (1) or Local Authority (2) SA (subauthority): identifies a specific SID issuer, e.g. a domain controller N: relative identifier, unique for each authority Examples: Everyone (World): S System: S Administrator: S <domain>-500
34 Principals used for access control SID: an individual principal Group: a collection of principals managed by DC; groups have their own SIDs and can be nested Alias: a local group managed by LSA; cannot be nested Aliases implement logical roles: an application may define an alias to which SIDs are assigned at run-time
35 Subjects Subjects are active entities in OS primitives. Windows subjects are processes and threads. Security credentials for a subject are stored in a token. Tokens provide a principal/subject mapping and may contain additional security attributes. Tokens are inherited (possibly with restrictions) during creation of new processes.
36 Token contents Identity and authorisation contents user SID, group SIDs, alias SIDs privileges Defaults for new securable objects owner SID, group SID, DACL Miscellaneous attributes logon SID
37 Privileges A set of fixed privileges is defined by numeric constants in Winnt.h Privileges control access to system resources. Example privileges: load or unload a device driver lock a page in a physical memory create a computer account shut down a system modify a system time Privileges are not access rights!
38 Objects Objects represent various passive OS entities Example Windows objects: files or directories pipes processes and threads file mappings access tokens window-management objects registry keys printers network shares synchronization objects job objects Active Directory objects Security of built-in objects is managed by OS Security of private objects must be managed by applications Securable objects are equipped with a security descriptor
39 Security descriptor Owner: a principal who owns an object Primary group: for POSIX compatibility DACL: specifies who is granted and who is denied access SACL: specifies a security audit policy
40 Access rights: an overview Describe what one can do to an object Encoded as a 32-bit mask Standard access rights (bits 16 23) are common to most object types DELETE READ_CONTROL: read object s security descriptor SYNCHRONIZE: use object for synchronization (not all objects) WRITE_DAC: change object s DACL WRITE_OWNER: change object s owner Object-specific rights (bits 0 15) are tailored to each class of objects Extended rights can be specified for Active Directory entries.
41 Generic access rights The highest 4 bits (28 31) represent generic access rights: GENERIC_READ GENERIC_WRITE GENERIC_EXECUTE GENERIC_ALL Each class of objects maps its generic rights to object-specific rights. Generic rights are used to simplify design: they provide an intermediate description level for access rights.
42 ACLs in Windows DACL in a security descriptor is a list of Access Control Entries (ACE) ACE format: ACE type: positive or negative permissions Principal SID Access rights mask Inheritance flags ACEs are processed sequentially until either some entry denies all requested access rights or a set of ACEs grants all requested access rights
43 ACE matching algorithm For any objects that do not have DACL, access is always granted. For all other objects, the subject s token is compared sequentially with each ACE as follows: ACE does not contain a matching SID: skip and continue. SID matches and contains a negative permission: deny access and stop. SID matches and contains a positive permission: if accumulated access rights match access mask, grand access and stop. otherwise add ACE to the accumulated access rights and continue.
44 Summary: UNIX vs. Windows
45 Summary: UNIX vs. Windows Windows has more security features: Fine-grained access control via ACLs Automatically generated security identifiers Secure storage of user credentials Active directory and trust management
46 Summary: UNIX vs. Windows Windows has more security features: Fine-grained access control via ACLs Automatically generated security identifiers Secure storage of user credentials Active directory and trust management Windows has a long tradition of excessive superuser privileges.
47 Summary: UNIX vs. Windows Windows has more security features: Fine-grained access control via ACLs Automatically generated security identifiers Secure storage of user credentials Active directory and trust management Windows has a long tradition of excessive superuser privileges. Complex security features in Windows coupled with closed-source implementation lead to potential insecurity due to misconfiguration.
Introduction to Computer Security
Introduction to Computer Security UNIX Security Pavel Laskov Wilhelm Schickard Institute for Computer Science Genesis: UNIX vs. MULTICS MULTICS (Multiplexed Information and Computing Service) a high-availability,
More informationOperating system security
Operating system security Tuomas Aura T-110.4206 Information security technology Aalto University, autumn 2011 Outline Access control models in operating systems: 1. Unix 2. Windows Acknowledgements: This
More informationAccess Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.
Access Control CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ Access Control Describe the permissions available to computing processes
More informationServer. Client LSA. Winlogon LSA. Library SAM SAM. Local logon NTLM. NTLM/Kerberos. EIT060 - Computer Security 2
Local and Domain Logon User accounts and groups Access tokens Objects and security descriptors The Register Some features in Windows 7 and Windows 8 Windows XP evolved from Windows 2000 Windows 10, 8,
More informationOperating system security models
Operating system security models Unix security model Windows security model MEELIS ROOS 1 General Unix model Everything is a file under a virtual root diretory Files Directories Sockets Devices... Objects
More informationIS 2150 / TEL 2810 Information Security and Privacy
IS 2150 / TEL 2810 Information Security and Privacy James Joshi Professor, SIS Access Control OS Security Overview Lecture 2, Sept 6, 2016 1 Objectives Understand the basics of access control model Access
More informationCSE543 - Introduction to Computer and Network Security. Module: Operating System Security
CSE543 - Introduction to Computer and Network Security Module: Operating System Security Professor Trent Jaeger 1 OS Security An secure OS should provide (at least) the following mechanisms Memory protection
More informationSecure Architecture Principles
CS 155 Spring 2017 Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Secure Architecture Principles Isolation
More informationProtection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger
Protection CSE473 - Spring 2008 Professor Jaeger www.cse.psu.edu/~tjaeger/cse473-s08/ Protection Protect yourself from untrustworthy users in a common space They may try to access your resources Or modify
More informationSecure Architecture Principles
CS 155 Spring 2016 Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Acknowledgments: Lecture slides are from
More informationCS 392/681 - Computer Security. Module 5 Access Control: Concepts and Mechanisms
CS 392/681 - Computer Security Module 5 Access Control: Concepts and Mechanisms Course Policies and Logistics Midterm next Thursday!!! Read Chapter 2 and 15 of text 10/15/2002 Module 5 - Access Control
More informationWindows Access Control List (ACL) 2
What do we have in this session? Windows Access Control List (ACL) 2 1. Access Control Lists (ACLs) 2. Object-specific ACEs 3. Trustees 4. Access Rights and Access Masks 5. ACCESS_MASK 6. Access Mask format
More informationSecure Architecture Principles
CS 155 Spring 2016 Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Acknowledgments: Lecture slides are from
More informationIntroduction to Security
IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Secure Design Principles OS Security Overview Lecture 2 September 4, 2012 1 Objectives Understand the basic principles of
More informationTEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control
TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control Version 1.0, Last Edited 09/20/2005 Name of Students: Date of Experiment: Part I: Objective The objective of the exercises
More informationIntroduction to Security
IS 2150 / TEL 2810 Introduction to Security James Joshi Assistant Professor, SIS Secure Design Principles OS Security Overview Lecture 1 September 2, 2008 1 Objectives Understand the basic principles of
More informationData Security and Privacy. Unix Discretionary Access Control
Data Security and Privacy Unix Discretionary Access Control 1 Readings for This Lecture Wikipedia Filesystem Permissions Other readings UNIX File and Directory Permissions and Modes http://www.hccfl.edu/pollock/aunix1/filepermissions.htm
More informationA Survey of Access Control Policies. Amanda Crowell
A Survey of Access Control Policies Amanda Crowell What is Access Control? Policies and mechanisms that determine how data and resources can be accessed on a system. The Players Subjects Objects Semi-objects
More informationCS 392/681 - Computer Security. Module 6 Access Control: Concepts and Mechanisms
CS 392/681 - Computer Security Module 6 Access Control: Concepts and Mechanisms Course Policies and Logistics Midterm grades Thursday. Read Chapter 2 and 15 th of text Lab 4 postponed - due next week.
More informationCIS 5373 Systems Security
CIS 5373 Systems Security Topic 3.2: OS Security Access Control Endadul Hoque Slide Acknowledgment Contents are based on slides from Ninghui Li (Purdue), John Mitchell (Stanford), Bogdan Carbunar (FIU)
More informationUnix, History
Operating systems Examples from Unix, VMS, Windows NT on user authentication, memory protection and file and object protection. Trusted Operating Systems, example from PitBull Unix, History Unix, History
More informationTEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control
TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control Version 2.0, Last Edited 10/1/2006 Students Name: Date of Experiment: Part I: Objective The objective of the exercises
More informationWe ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?
We ve seen: Protection: ACLs, Capabilities, and More Some cryptographic techniques Encryption, hashing, types of keys,... Some kinds of attacks Viruses, worms, DoS,... And a distributed authorization and
More informationDatasäkerhet/Data security EDA625 Lect5
Ch. 6 Unix security Datasäkerhet/Data security EDA625 Lect5 Understand the security features of a typical operating system Users/passwords login procedure user superuser (root) access control (chmod) devices,
More informationOutline. Security. Security Ratings. TCSEC Rating Levels. Key Requirements for C2. Met B-Level Requirements
Outline Ausgewählte Betriebssysteme Institut Betriebssysteme Fakultät Informatik Ratings System Components 2 Ratings TCSEC Rating Levels National Computer Center (NCSC) part of US Department of Defense
More informationSecurity. Outline. Security Ratings. Ausgewählte Betriebssysteme Institut Betriebssysteme Fakultät Informatik
Ausgewählte Betriebssysteme Institut Betriebssysteme Fakultät Informatik Outline Ratings System Components Logon Object (File) Access Impersonation Auditing 2 Ratings National Computer Center (NCSC) part
More informationExercise 4: Access Control and Filesystem Security
Exercise 4: Access Control and Filesystem Security Introduction Duration: 90 min Maximum Points: 30 Note: The solutions of theorethical assignments should be handed out before the practical part in the
More informationSystem Programming. Introduction to Unix
Content : by Dr. B. Boufama School of Computer Science University of Windsor Instructor: Dr. A. Habed adlane@cs.uwindsor.ca http://cs.uwindsor.ca/ adlane/60-256 Content Content 1 Introduction 2 3 Introduction
More informationSecure Architecture Principles
Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Original slides were created by Prof. John Mitchel 1 Secure
More information? Resource. Announcements. Access control. Access control in operating systems. References. u Homework Due today. Next assignment out next week
Announcements Access control John Mitchell u Homework Due today. Next assignment out next week u Graders If interested in working as grader, send email to Anupam u Projects Combine some of the project
More informationProcesses are subjects.
Identification and Authentication Access Control Other security related things: Devices, mounting filesystems Search path Race conditions NOTE: filenames may differ between OS/distributions Principals
More information5/8/2012. Encryption-based Protection. Protection based on Access Permission (Contd) File Security, Setting and Using Permissions Chapter 9
File Security, Setting and Using Permissions Chapter 9 To show the three protection and security mechanisms that UNIX provides To describe the types of users of a UNIX file To discuss the basic operations
More informationAn Introduction to Unix Power Tools
An to Unix Power Tools Randolph Langley Department of Computer Science Florida State University August 27, 2008 History of Unix Unix Today Command line versus graphical interfaces to COP 4342, Fall History
More informationProcesses are subjects.
Identification and Authentication Access Control Other security related things: Devices, mounting filesystems Search path TCP wrappers Race conditions NOTE: filenames may differ between OS/distributions
More informationQ) Q) What is Linux and why is it so popular? Answer - Linux is an operating system that uses UNIX like Operating system...
Q) Q) What is Linux and why is it so popular? Answer - Linux is an operating system that uses UNIX like Operating system... Q) Q) What is the difference between home directory and working directory? Answer
More informationInformation Security Theory vs. Reality
Information Security Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 4: Access Control Eran Tromer 1 Slides credit: John Mitchell, Stanford course CS155, 2010 Access control Assumptions System knows
More informationUser Commands chmod ( 1 )
NAME chmod change the permissions mode of a file SYNOPSIS chmod [-fr] absolute-mode file... chmod [-fr] symbolic-mode-list file... DESCRIPTION The chmod utility changes or assigns the mode of a file. The
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 13: Operating System Security Department of Computer Science and Engineering University at Buffalo 1 Review Previous topics access control authentication session
More informationDiscretionary Access Control
Operating System Security Discretionary Seong-je Cho ( 조성제 ) (sjcho at dankook.ac.kr) Fall 2018 Computer Security & Operating Systems Lab, DKU - 1-524870, F 18 Discretionary (DAC) Allows the owner of the
More informationFiles (review) and Regular Expressions. Todd Kelley CST8207 Todd Kelley 1
Files (review) and Regular Expressions Todd Kelley kelleyt@algonquincollege.com CST8207 Todd Kelley 1 midterms (Feb 11 and April 1) Files and Permissions Regular Expressions 2 Sobel, Chapter 6 160_pathnames.html
More informationcs642 /operating system security computer security adam everspaugh
cs642 computer security /operating system security adam everspaugh ace@cs.wisc.edu principles Principles of Secure Designs Compartmentalization / Isolation / Least privilege Defense-in-depth / Use more
More informationUser accounts and authorization
User accounts and authorization Authentication vs authorization Authentication: proving the identity of someone Authorization: allowing a user to access certain resources 1 Government authorization documents
More informationOperating System Security. 0Handouts: Quizzes ProsoftTraining All Rights Reserved. Version 3.07
0Handouts: Lesson 1 Quiz 1. What is the working definition of authentication? a. The ability for a person or system to prove identity. b. Protection of data on a system or host from unauthorized access.
More informationCS246 Spring14 Programming Paradigm Notes on Linux
1 Unix History 1965: Researchers from Bell Labs and other organizations begin work on Multics, a state-of-the-art interactive, multi-user operating system. 1969: Bell Labs researchers, losing hope for
More informationCS 290 Host-based Security and Malware. Christopher Kruegel
CS 290 Host-based Security and Malware Christopher Kruegel chris@cs.ucsb.edu Windows Windows > 90 % of all computers run Windows when dealing with security issues, it is important to have (some) knowledge
More informationIT Service Delivery And Support Week Four - OS. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao
IT Service Delivery And Support Week Four - OS IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao 1 What is an Operating System (OS)? OS is a software that designed to run on specific hardware
More informationComputer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 04r. Pre-exam 1 Concept Review Paul Krzyzanowski Rutgers University Spring 2018 February 15, 2018 CS 419 2018 Paul Krzyzanowski 1 Key ideas from the past four lectures February 15, 2018
More informationO/S & Access Control. Aggelos Kiayias - Justin Neumann
O/S & Access Control Aggelos Kiayias - Justin Neumann One system Many users Objects that require protection memory I/O devices (disks, printers) programs and processes networks stored data in general Separation
More informationChapter 5: User Management. Chapter 5 User Management
Chapter 5: User Management Chapter 5 User Management Last revised: 20/6/2004 Chapter 5 Outline In this chapter we will learn Where user and group account information is stored How to manage user accounts
More informationPROCESS CONTROL BLOCK TWO-STATE MODEL (CONT D)
MANAGEMENT OF APPLICATION EXECUTION PROCESS CONTROL BLOCK Resources (processor, I/O devices, etc.) are made available to multiple applications The processor in particular is switched among multiple applications
More informationbash startup files Linux/Unix files stty Todd Kelley CST8207 Todd Kelley 1
bash startup files Linux/Unix files stty Todd Kelley kelleyt@algonquincollege.com CST8207 Todd Kelley 1 midterms (Feb 27 and April 10) bash startup files More Linux Files review stty 2 We customize our
More informationUNIX/Linux Auditing. Baccam Consulting, LLC Training Events
UNIX/Linux Auditing Baccam Consulting, LLC tanya@securityaudits.org Training Events www.securityaudits.org/events.html ***CISSP Course being offered April 25-April 29, 2016 Copyright 2005-2016, Baccam
More informationRBAC in Solaris 10. Darren J Moffat Staff Engineer, Networking & Security Sun Microsystems, Inc. 7 th October 2004
RBAC in Solaris 10 Darren J Moffat Staff Engineer, Networking & Security Sun Microsystems, Inc. 7 th October 2004 Agenda Least Privilege / RBAC in Solaris 10 SMF - Service Management Framework Zones (N1
More informationPre-Assessment Answers-1
Pre-Assessment Answers-1 0Pre-Assessment Answers Lesson 1 Pre-Assessment Questions 1. What is the name of a statistically unique number assigned to all users on a Windows 2000 system? a. A User Access
More informationUnix Basics. UNIX Introduction. Lecture 14
Unix Basics Lecture 14 UNIX Introduction The UNIX operating system is made up of three parts; the kernel, the shell and the programs. The kernel of UNIX is the hub of the operating system: it allocates
More informationUnix/Linux: History and Philosophy
Unix/Linux: History and Philosophy History and Background Multics project Unix Linux Multiplexed Information and Computing Service Collaborative venture between General Electric, Bell Telephone Labs, and
More informationFreeBSD Advanced Security Features
FreeBSD Advanced Security Features Robert N. M. Watson Security Research Computer Laboratory University of Cambridge 19 May, 2007 Introduction Welcome! Introduction to some of the advanced security features
More informationProcesses. CS3026 Operating Systems Lecture 05
Processes CS3026 Operating Systems Lecture 05 Dispatcher Admit Ready Queue Dispatch Processor Release Timeout or Yield Event Occurs Blocked Queue Event Wait Implementation: Using one Ready and one Blocked
More informationUNIX Kernel. UNIX History
UNIX History UNIX Kernel 1965-1969 Bell Labs participates in the Multics project. 1969 Ken Thomson develops the first UNIX version in assembly for an DEC PDP-7 1973 Dennis Ritchie helps to rewrite UNIX
More informationCS/CIS 249 SP18 - Intro to Information Security
Lab assignment CS/CIS 249 SP18 - Intro to Information Security Lab #2 - UNIX/Linux Access Controls, version 1.2 A typed document is required for this assignment. You must type the questions and your responses
More informationChapter 1 - Introduction. September 8, 2016
Chapter 1 - Introduction September 8, 2016 Introduction Overview of Linux/Unix Shells Commands: built-in, aliases, program invocations, alternation and iteration Finding more information: man, info Help
More informationAccess Control Lists. Don Porter CSE 506
Access Control Lists Don Porter CSE 506 Background (1) ò If everything in Unix is a file ò Everything in Windows is an object ò Why not files? ò Not all OS abstractions make sense as a file ò Examples:
More informationTSIT02 Computer Security
TSIT02 Computer Security Lecture 6: Password storage, Implementation examples, Virtualization Jonathan Jogenfors Information Coding Group Department of Electrical Engineering TSIT02 Computer Security Jonathan
More informationlsx [ls_options ] [names]
NAME ls, lc, l, ll, lsf, lsr, lsx - list contents of directories SYNOPSIS ls [-abcdefgilmnopqrstuxacfhlr1] [names] lc [-abcdefgilmnopqrstuxacfhlr1] [names] l [ls_options ] [names] ll [ls_options ] [names]
More informationInformation Security CS 526
Information Security CS 526 s Security Basics & Unix Access Control 1 Readings for This Lecture Wikipedia CPU modes System call Filesystem Permissions Other readings UNIX File and Directory Permissions
More informationParents and Children
1 Process Identifiers Every process apart from the PID also has a PUID and a PGID. There are two types of PUID and PGID: real and effective. The real PUID is always equal to the user running the process
More informationINSE 6130 Operating System Security. Overview of Design Principles
INSE 6130 Operating System Security Design Principles Prof. Lingyu Wang 1 Overview of Design Principles Design principles Time-proven guidelines For implementing security mechanisms/systems Rooted in simplicity
More informationEverything about Linux User- and Filemanagement
Everything about Linux User- and Filemanagement Lukas Prokop 20. April 2009 Inhaltsverzeichnis 1 Who I am 2 1.1 whoami..................................... 3 1.2 passwd......................................
More informationConfigure advanced audit policies
7 LESSON Configuring Advanced Audit Policies 70-411 EXAM OBJECTIVE Objective 2.4 Configure advanced audit policies. This objective may include but is not limited to: implement auditing using Group Policy
More informationChapter 4: Access Control
(DAC) Chapter 4: Comp Sci 3600 Security Outline (DAC) 1 2 (DAC) 3 4 5 Attribute-based control (DAC) The prevention of unauthorized use of a resource, including the prevention of use of a resource in an
More informationWhy secure the OS? Operating System Security. Privilege levels in 80X86 processors. The basis of protection: Seperation. Privilege levels - A problem
Why secure the OS? Operating System Security Works directly on the hardware but can be adapted during runtime Data and process are directly visible Application security can be circumvented from lower layers
More informationImproving the Granularity of Access Control for Windows 2000
Improving the Granularity of Access Control for Windows 2000 MICHAEL M. SWIFT and ANNE HOPKINS University of Washington and PETER BRUNDRETT, CLIFF VAN DYKE, PRAERIT GARG, SHANNON CHAN, MARIO GOERTZEL,
More informationOutline. UNIX security ideas Users and groups File protection Setting temporary privileges. Examples. Permission bits Program language components
UNIX security Ulf Larson (modified by Erland Jonsson/Magnus Almgren) Computer security group Dept. of Computer Science and Engineering Chalmers University of Technology, Sweden Outline UNIX security ideas
More informationLecture Topics. Announcements. Today: Operating System Overview (Stallings, chapter , ) Next: Processes (Stallings, chapter
Lecture Topics Today: Operating System Overview (Stallings, chapter 2.1-2.4, 2.8-2.10) Next: Processes (Stallings, chapter 3.1-3.6) 1 Announcements Consulting hours posted Self-Study Exercise #3 posted
More informationModule 4: Access Control
Module 4: Access Control Dr. Natarajan Meghanathan Associate Professor of Computer Science Jackson State University, Jackson, MS 39232 E-mail: natarajan.meghanathan@jsums.edu Access Control In general,
More informationPrivileges: who can control what
Privileges: who can control what Introduction to Unix May 24, 2008, Morocco Hervey Allen Goal Understand the following: The Unix security model How a program is allowed to run Where user and group information
More informationCISNTWK-11. Microsoft Network Server. Chapter 4
CISNTWK-11 Microsoft Network Server Chapter 4 User and Group Accounts 1 Usage Notes Throughout these slides, the term Active Directory Domain implies Domains Based on Windows Server 2008 Based on Windows
More informationCS2506 Quick Revision
CS2506 Quick Revision OS Structure / Layer Kernel Structure Enter Kernel / Trap Instruction Classification of OS Process Definition Process Context Operations Process Management Child Process Thread Process
More informationINSE 6130 Operating System Security
INSE 6130 Operating System Security Design Principles Prof. Lingyu Wang 1 1 Overview of Design Principles Design principles Time-proven guidelines For implementing security mechanisms/systems Rooted in
More informationLast time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control
Last time Security Policies and Models Bell La-Padula and Biba Security Models Information Flow Control Trusted Operating System Design Design Elements Security Features 10-1 This time Trusted Operating
More informationSecuring Unix Filesystems - When Good Permissions Go Bad
Securing Unix Filesystems - When Good Permissions Go Bad Introduction Unix has a very elegant and flexible permission system at the heart of its filesystem security. These permissions allow and/or disallow
More informationProject #3: Implementing NIS
Project #3: Implementing NIS NIS Daemons Limitations of NIS How We Will Use NIS NIS Domain Name NIS Software Setting Up NIS on it20 /etc/nsswitch.conf Creating New Accounts on Ubuntu /etc/passwd /etc/shadow
More informationInternet Security General Unix Security
Internet Security General Unix Security Adrian Dabrowski Markus Kammerstetter Georg Merzdoznik Stefan Riegler Internet Security 2 1 Overview OS layers / ring separation system calls vulnerabilities Unix
More informationOS Security. Authorization. Radboud University Nijmegen, The Netherlands. Winter 2015/2016
OS Security Authorization Radboud University Nijmegen, The Netherlands Winter 2015/2016 A short recap Authentication establishes a mapping between entities (users) and intended operations Typical approach:
More informationOutline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines
Outline Operating System Security CS 239 Computer Security February 23, 2004 Introduction Memory protection Interprocess communications protection File protection Page 1 Page 2 Introduction Why Is OS Security
More informationCyber Security. General Unix Security
Cyber Security Adrian Dabrowski Markus Kammerstetter Georg Merzdoznik Stefan Riegler General Unix Security Cyber Security FH Campus 1 Overview OS layers / ring separation system calls vulnerabilities Unix
More informationWindows 7 Overview. Windows 7. Objectives. The History of Windows. CS140M Fall Lake 1
Windows 7 Overview Windows 7 Overview By Al Lake History Design Principles System Components Environmental Subsystems File system Networking Programmer Interface Lake 2 Objectives To explore the principles
More informationNetworks: Access Management Windows NT Server Class Notes # 10 Administration October 24, 2003
Networks: Access Management Windows NT Server Class Notes # 10 Administration October 24, 2003 In Windows NT server, the user manager for domains is the primary administrative tool for managing user accounts,
More informationRoadmap for This Lecture
Windows Security 2 Roadmap for This Lecture Windows Security Features Components of the Security System Protecting Objects Security Descriptors and Access Control Lists Auditing and Impersonation Privileges
More informationWindows Server 2008 Active Directory Resource Kit
Windows Server 2008 Active Directory Resource Kit Stan Reimer, Mike Mulcare, Conan Kezema, Byron Wright w MS AD Team PREVIEW CONTENT This excerpt contains uncorrected manuscript from an upcoming Microsoft
More information6.858 Lecture 4 OKWS. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS.
6.858 Lecture 4 OKWS Administrivia: Lab 1 due this Friday. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS. Privilege separation
More informationLab Authentication, Authorization, and Accounting
Objectives Given a scenario, select the appropriate authentication, authorization, or access control Install and configure security controls when performing account management, based on best practices
More informationLogin und Authentifizierung
Login und Authentifizierung security aspects Confidentiality: data should not be read by unauthorized parties. Integrity: data should not be changed by unauthorized parties. Availability: data should be
More informationKeys and Passwords. Steven M. Bellovin October 17,
Keys and Passwords Steven M. Bellovin October 17, 2010 1 Handling Long-Term Keys Where do cryptographic keys come from? How should they be handled? What are the risks? As always, there are tradeoffs Steven
More informationChp1 Introduction. Introduction. Objective. Logging In. Shell. Briefly describe services provided by various versions of the UNIX operating system.
Chp1 Objective Briefly describe services provided by various versions of the UNIX operating system. Logging In /etc/passwd local machine or NIS DB root:x:0:1:super-user:/root:/bin/tcsh Login-name, encrypted
More informationYou can access data using the FTP/SFTP protocol. This document will guide you in the procedures for configuring FTP/SFTP access.
You can access data using the FTP/SFTP protocol. This document will guide you in the procedures for configuring FTP/SFTP access. Overview of Configuring FTP/SFTP Access In order to access data using the
More informationPass Microsoft Exam
Pass Microsoft 98-367 Exam Number: 98-367 Passing Score: 700 Time Limit: 45 min File Version: 51.0 http://www.gratisexam.com/ Pass Microsoft 98-367 Exam Exam Name: Security Fundamentals Certdumps QUESTION
More informationLAB #7 Linux Tutorial
Gathering information: LAB #7 Linux Tutorial Find the password file on a Linux box Scenario You have access to a Linux computer. You must find the password file on the computer. Objective Get a listing
More informationUser & Group Administration
User & Group Administration David Morgan Users useradd/userdel /home/ /etc/passwd is the user database /etc/shadow has passwords (relocated from passwd) /etc/group whoami su / sudo / SUID process
More informationIntroduction to Linux
Introduction to Linux Mukesh Pund Principal Scientist, NISCAIR, New Delhi, India History In 1969, a team of developers developed a new operating system called Unix which was written using C Linus Torvalds,
More information