Dual-Mode Operation
- Sharing system resources requires the operating system to ensure that a program cannot arbitrarily interfere with other programs
- The hardware itself provides support to differentiate between at least two modes of operation:
- User mode: execution done on behalf of a user
- Monitor mode (also supervisor mode or system mode): execution done on behalf of the operating system
- Privileged instructions can be issued only in monitor mode
- The mode bit is added to computer hardware to indicate the current mode: monitor (0) or user (1)
- When an interrupt or fault occurs, the hardware switches to monitor mode by following the address, stored in the interrupt vector, to the interrupt handler function in the OS; this handler will let the OS decide what to do next.
I/O Protection
- All I/O instructions (read(), write(), send(), recv(), fgets(), putc(), etc.) are privileged instructions
- Because: the OS must ensure that a user program could never gain control of the computer in monitor mode by storing a new address in the interrupt vector
Memory Protection
- Must provide memory protection at least for the interrupt vector and the interrupt handler function
- In order to have memory protection, add two registers that determine the range of legal addresses a program may access:
- Base register: holds the smallest legal physical memory address
- Limit register: contains the size of the range
- Memory outside the defined range is protected
Memory Protection
- The base and limit registers define a logical address space, which is virtualized for the process to start at address 0
- When executing in monitor mode, the operating system has unrestricted access to both monitor and user's memory
- Obviously, the load instructions for the base and limit registers are privileged instructions
CPU Protection
- If the CPU is executing program instructions one after the next, how does the OS retain control?
- A timer interrupts the control flow after a specified period to ensure that the operating system has a chance to determine what to do
- Timer is decremented every clock tick
- When timer reaches the value 0, the interrupt vector is followed to the interrupt handler
- Timer commonly used to implement time sharing
- Also used to compute the current time
- "Load-timer" is a privileged instruction
General-System Architecture
- Given the I/O instructions are privileged, how does the user program perform I/O?
- With a system call: the method used by a process to request action by the operating system
- Control passes through the interrupt vector to a service routine in the OS, and the mode bit is set to monitor mode
- The monitor verifies that the parameters are correct and legal, executes the request, and returns control to the program instruction immediately following the system call
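The base/limit check from the Memory Protection section and the parameter check a service routine performs, as an added C simulation (not part of the original notes). The names `struct mmu`, `translate`, `range_ok` and `sys_write_sim` are hypothetical, and "physical memory" is a constructed byte array.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PHYS_SIZE 4096u
static uint8_t phys_mem[PHYS_SIZE];   /* constructed stand-in for physical memory */

/* Base and limit registers; on real hardware loading them is privileged. */
struct mmu { uint32_t base, limit; };

/* Translate one logical address (process view starts at 0).
   Returns 0 on success, -1 where hardware would fault to the monitor. */
int translate(const struct mmu *m, uint32_t logical, uint32_t *physical)
{
    if (logical >= m->limit)
        return -1;
    *physical = m->base + logical;
    return 0;
}

/* Is [addr, addr+len) inside the legal range? Compared as
   len <= limit - addr so that addr + len can never wrap past the check. */
int range_ok(const struct mmu *m, uint32_t addr, uint32_t len)
{
    if (addr > m->limit)
        return 0;
    return len <= m->limit - addr;
}

/* Hypothetical write-style service routine running in monitor mode:
   verify the caller's parameters, then copy from user memory. */
int sys_write_sim(const struct mmu *m, uint32_t user_buf, uint32_t len,
                  uint8_t *out, uint32_t out_cap)
{
    if (len > out_cap || !range_ok(m, user_buf, len))
        return -1;                    /* illegal parameters: refuse the request */
    memcpy(out, &phys_mem[m->base + user_buf], len);
    return (int)len;
}

int main(void)
{
    struct mmu m = { 1024, 256 };     /* constructed process: 256 bytes at 1024 */
    uint8_t out[64];
    memcpy(&phys_mem[1024 + 16], "hello", 5);
    printf("in range:   %d\n", sys_write_sim(&m, 16, 5, out, sizeof out));
    printf("past end:   %d\n", sys_write_sim(&m, 250, 16, out, sizeof out));
    printf("wraparound: %d\n", sys_write_sim(&m, 0xFFFFFFF0u, 0x20, out, sizeof out));
    return 0;
}
```

A check written as `addr + len <= limit` would accept the third call, because the 32-bit sum wraps around to 0x10.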
User Account Rights Protect Files
- User files are protected from other users by defining access based on user accounts
- If you are logged in as an account with access (e.g., you're the owner, or a group owner), you can manipulate the file:
- chmod
- vim
- touch
- rm
- etc.
Acting as a Different User - Pretexting
If you want to temporarily act as a different user (but stay logged on as yourself), you can use the su command:
- su yoog
- Obviously, you'll need to know yoog's login credentials
You can also execute just one action with the sudo command:
- sudo -u yoog rm -rf ~/yoogFiles/*
- These commands change your effective user and/or group IDs, all of which can be displayed with the id command
The root User Account
- Most UNIX systems have a super-user account, typically called root, which has permissions to do anything
- su root
- sudo -u root pkill -u brewsteb
- As root, you can change file ownership, change limits on how many processes users can run at once, add and delete user accounts, and many other things
- It is generally considered bad form to stay logged in as root itself; it's preferred that you make use of sudo to make changes
SUID, SGID
- Each executable has two security bits associated with it: SUID, and SGID
- If SUID is set, the executable runs with effective user ID of the owner of the file
- If SGID is set, the executable runs with effective group ID of the group owner of the file
- This is different from before: we're now talking about specific executables that have bits that enable them to run as different users
- As opposed to being a different user, and then running programs, as su and sudo allow
Why SUID Matters
- What if you replace the contents of the real ping, which has SUID set and is owned by root, with your own code?
- It would have the same permissions (owned by root), but could do anything you want to the system
- What happens when you set the SUID bit on your own executables?
- They would still be owned by you, and thus would run as you
- Since you're not root this isn't very interesting
- Can you give your custom executable to root?
- No: this is specifically why you have to be logged in as root to change file ownership!
- chown doesn't work unless you're root
- chgrp doesn't work unless you are a member of that group
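The rules from the SUID, SGID and Why SUID Matters sections, as an added C example (not part of the original notes): it computes the effective IDs a process ends up with after executing a file, and flags files on disk that would change the caller's identity. The names `ids_after_exec` and `changes_identity` are hypothetical, and the model assumes the filesystem is not mounted nosuid.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

struct ids { uid_t euid; gid_t egid; };

/* Effective IDs after executing a file with the given mode bits and
   ownership. Assumption: the filesystem honours the bits (no nosuid mount). */
struct ids ids_after_exec(mode_t mode, uid_t file_uid, gid_t file_gid,
                          uid_t caller_uid, gid_t caller_gid)
{
    struct ids r = { caller_uid, caller_gid };
    if (mode & S_ISUID)
        r.euid = file_uid;            /* SUID: run as the file's owner */
    if (mode & S_ISGID)
        r.egid = file_gid;            /* SGID: run as the file's group */
    return r;
}

/* 1 if executing path would give the caller a different effective UID
   or GID, 0 if not, -1 if the file cannot be examined. */
int changes_identity(const char *path, uid_t caller_uid, gid_t caller_gid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode) || !(st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))
        return 0;                     /* not an executable regular file */
    struct ids r = ids_after_exec(st.st_mode, st.st_uid, st.st_gid,
                                  caller_uid, caller_gid);
    return r.euid != caller_uid || r.egid != caller_gid;
}

int main(int argc, char **argv)
{
    /* Audit the paths given on the command line against the current user. */
    for (int i = 1; i < argc; i++)
        printf("%s: %d\n", argv[i],
               changes_identity(argv[i], getuid(), getgid()));
    return 0;
}
```

A SUID file owned by the caller yields the caller's own UID, which is why the bit only matters on executables owned by someone else, root in particular.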
Strongest Forms of Security
- The strongest forms of security involve network and physical isolation, but these seriously limit utility
- If you do grant physical access to your computer (even with local login access disabled), you still have to worry about:
- Bootable devices (live CDs, flash drives, etc.) can boot a different OS that can access the hard drive of your computer
- Hard drive could be stolen and read
- Reading link-level NIC lights, keyboard EM
- With local logins, passwords = pain
Actual Password Security... is a Pain in the Neck
- Don't let users write them down
- Age the passwords
- Enforce stronger (but more annoying) passwords
- 1337: @nt3@t3[2
- random: Z1#3s8u*h mypassword
- long: Ho\/doYouTypeMeF@st
- Restrict use of previous passwords
- Password dictionary check
Password Security
- Longer is better than more complicated
- Lower case letters = 26 possibilities per character
- Upper case letters = 26 possibilities per character
- Numbers = 10 possibilities per character
- Special Characters = 30 possibilities per character
- Any given character could be 1 of 92 choices
- There are then $92^{8}$ possible 8-character passwords:
$92 \times 92 \times 92 \times 92 \times 92 \times 92 \times 92 \times 92 = 92^{8}$
Longer is better than more complicated
- $92^{8} = 5.1 \times 10^{15} = 5,132,188,731,375,616$
- Using just lower case letters:
- $26^{8} = 2.0 \times 10^{11} = 208,827,064,576$
- A 12 character, lower-case password:
- $26^{12} = 9.5 \times 10^{16} = 95,428,956,661,682,176$
Which is easier to remember:
- TR0m&on3
- ihavetwoarms
- Which are you more likely to write down?
- FYI, 4 common words are important in the example above
- See xkcd's excellent correct horse battery staple comic:
Login Failures
- What happens if you don't lock a user account if too many failures happen?
- An account can be brute forced by guessing possibilities
- Passwords are generated with the sausage model (one-way):
- username: UserBob
- password: 123456 -> hashes to -> a3R7nito5fo%r
- Store the pair UserBob/a3R7nito5fo%r
- This encrypted pair is public knowledge, but the encryption method is one-way
Password Encryption
- If anyone knew how to reverse the password method, then:
- a3R7nito5fo%r -> comes from -> 123456
- Fortunately it is very hard to crack the one-way encryption
- Problem: why is storing the password file publicly dangerous, and why is having a large encrypted password file stolen a problem?
- A dictionary can be built of encryptions by turning the crank sequentially:
- 123454=JOF9#$94(4k9!
- 123455=fj49#mc903#0Q
- 123456=a3R7nito5fo%r
- 123457=h9^wehf9*3xd9
Monitoring and Logs
With all of the insecure protocols still in use (telnet, FTP), keep a tight eye on everything with log files:
- Network
- Account login/logout
- Program usage
- File access
Getting Root Access when you're not supposed to have it.
- Assuming social engineering didn't work, you'll have to use fancy stuff:
- Port scans+port/program insecurities
- Buffer overflows (with system access)
- Boot hacking (with physical access)
- Why are we talking about this stuff?
- So you can protect yourself against it
- Security checks
- etc.