Operating System Security

Dr. Neminath Hubballi

IIT Indore © Neminath Hubballi

Outline

Functions of Operating System

Security concerns in OS

Process security

File Security

Booting security

Hibernation security

Password based security

Event log management in Windows


Functions of Operating System

The OS is a mediator between user applications and hardware

It handles many complex tasks:

- Memory management
- Process management
- Handling deadlocks
- File system support
- Multitasking
- Multi-user support


What Can Go Wrong?

Consider a situation where there is a shortage of systems in the School of CSE, IITI

If you are asked to share the same PC with your peers

- What would you want to do?

Users have different levels of access

- Based on role

Multiple users and multitasking require a level of protection

- One user from interfering with other users
- One program from interfering with other users

Sharing of resources

- Optimization


Organization of Computer

Hardware and software form a stack, from top to bottom: User Applications, Non-Essential OS Applications, OS Kernel, Hardware

Hardware

- Many devices
- Each device has a driver
- The driver provides APIs to access the device

Kernel

- Heart of the OS
- Manages the low-level hardware resources

Non-essential components of the OS

- e.g., a printing program

User applications

- Access the services provided by the OS
- Via system calls


Process

The kernel defines the notion of a process

Programs are stored in persistent storage

Can multiple copies of the same program run simultaneously?

Time slicing

Process tree

Fork system call

- Parent and child
- Peers

In a Linux system init is the root of the process tree

- Meaning all other processes are created by it
- Its PID is 0


Process Tree Diagram

[figure: process tree diagram, not reproduced in this text]

Process Privileges

To enforce appropriate access restrictions on a process, the operating system associates privilege information with the process

This privilege is the same as the privilege of the user who is running the process

Each process has a user id, called the uid, and a group id, called the gid

The uid is a number between 0 and 32767 which uniquely identifies each user

Typically uid 0 is assigned to the root user

Similarly the gid is also a number in the same range

The effective user id, eid, is the user id whose privileges are used to access a resource


File Ownership and Permissions

Permissions:

- Assigned to each file/directory
- Provide security
- Ability to manage users and their files
- Needed to access a file/directory
- Usually granted to groups
- In multi-user operating systems like Linux, access is given only to authorized users

Super (root) user:

- Has special privileges
- In a sense owns everything
- Can change file ownerships
- Can bypass permissions that the owner of a file may have set
- The root account is used to provide administrative functions


File Ownership and Permissions

Unix systems treat everything as a file

Special files

- Devices: a piece of hardware, either part of the system or an external unit
- Sockets: a means of communicating with other processes

Permissions can be

- Read
- Write and
- Execute

File system

- ext2 and ext3: permissions apply
- FAT: no means of ownership

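The two preceding slides (process privileges, then file ownership and permissions) describe one mechanism from two sides: the kernel attaches a uid, gid and effective uid to each process, and consults the owner/group/other rwx triple of a file that matches those credentials, with root bypassing the check. The following Python model is an added example, not code from the lecture; the Process and Inode classes, the sample users and the sample files are constructed for illustration. It also goes one step beyond the slides by showing how a set-uid program changes the effective uid at exec time.

```python
# Added example: a model of the Unix credential / permission rules the
# slides describe. Not from the lecture; all sample data is constructed.
import stat
from dataclasses import dataclass
from typing import FrozenSet

READ, WRITE, EXEC = 4, 2, 1          # bits of one rwx triple


@dataclass(frozen=True)
class Process:
    uid: int                         # real uid: who started the process
    euid: int                        # effective uid: what the kernel checks
    gids: FrozenSet[int]             # primary plus supplementary groups


@dataclass(frozen=True)
class Inode:
    owner: int
    group: int
    mode: int                        # permission bits, e.g. 0o4755


def may_access(proc: Process, f: Inode, want: int) -> bool:
    """Classic discretionary check. Root (euid 0) bypasses read/write
    checks; for execute even root needs at least one x bit on the file."""
    if proc.euid == 0:
        return not (want & EXEC) or bool(f.mode & 0o111)
    if proc.euid == f.owner:
        triple = (f.mode >> 6) & 0o7     # owner triple
    elif f.group in proc.gids:
        triple = (f.mode >> 3) & 0o7     # group triple
    else:
        triple = f.mode & 0o7            # other triple
    return (triple & want) == want


def exec_credentials(proc: Process, prog: Inode) -> Process:
    """Credentials after exec(): a set-uid program runs with the file
    owner's uid as effective uid; the caller's real uid is unchanged."""
    if not may_access(proc, prog, EXEC):
        raise PermissionError("no execute permission")
    euid = prog.owner if prog.mode & stat.S_ISUID else proc.euid
    return Process(uid=proc.uid, euid=euid, gids=proc.gids)


def describe(f: Inode) -> str:
    """Render the mode the way ls -l does, e.g. '-rwsr-xr-x'."""
    return stat.filemode(stat.S_IFREG | f.mode)


# Constructed sample principals and files (not from the slides)
ROOT = Process(uid=0, euid=0, gids=frozenset({0}))
ALICE = Process(uid=1000, euid=1000, gids=frozenset({1000, 27}))
BOB = Process(uid=1001, euid=1001, gids=frozenset({1001}))

PRIVATE_NOTES = Inode(owner=1000, group=27, mode=0o640)     # rw-r-----
PASSWD_TOOL = Inode(owner=0, group=0, mode=stat.S_ISUID | 0o755)

if __name__ == "__main__":
    print(describe(PASSWD_TOOL), "bob reads notes:", may_access(BOB, PRIVATE_NOTES, READ))
    print("bob after exec of set-uid tool:", exec_credentials(BOB, PASSWD_TOOL))
```

The set-uid case is the reason the slides distinguish the uid from the effective uid: the process still belongs to Bob (real uid 1001), but resource checks are made with euid 0, so every file the program touches must be treated as root-controlled.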

Sticky Bit in Unix

Sticky bit: mainly used to stop another user deleting a file even though she has write permission on the folder

If the sticky bit is enabled on a folder, the folder's contents can be deleted only by the owner who created them and by the root user.

This is a security measure to avoid deletion of critical folders and their content (sub-folders and files), even though other users have full permissions.

Setting the sticky bit

  chmod +t /opt/dump/

+t indicates that the sticky bit is being set

Checking the sticky bit

  ls -l : a t will appear in the listing

Revoking the sticky bit

  chmod -t /opt/dump/

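The three shell commands on the slide map onto one mode bit, S_ISVTX. The Python below is an added example (not from the lecture) that performs the same set, check and revoke operations on a throw-away directory created under a temporary path, so the effect of `chmod +t` and `chmod -t` can be observed in the same `ls -l` style mode string the slide refers to. The directory name `dump` is borrowed from the slide; the location is assumed.

```python
# Added example: set, check and revoke the sticky bit programmatically.
# Not from the lecture; runs against a temporary directory it creates.
import os
import stat
import tempfile


def set_sticky(path: str) -> None:
    """Equivalent of `chmod +t path`: add S_ISVTX, keep the other bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode | stat.S_ISVTX)


def clear_sticky(path: str) -> None:
    """Equivalent of `chmod -t path`."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~stat.S_ISVTX)


def has_sticky(path: str) -> bool:
    return bool(os.stat(path).st_mode & stat.S_ISVTX)


def mode_string(path: str) -> str:
    """The string `ls -l` prints, e.g. 'drwxrwxrwt' for a sticky directory:
    the sticky bit shows up as a 't' in the final (others' execute) column."""
    return stat.filemode(os.stat(path).st_mode)


def demo() -> dict:
    """Create a world-writable scratch directory, toggle the bit, report."""
    with tempfile.TemporaryDirectory() as base:
        shared = os.path.join(base, "dump")       # stands in for /opt/dump
        os.mkdir(shared, 0o777)
        os.chmod(shared, 0o777)                   # undo whatever umask removed
        before = mode_string(shared)
        set_sticky(shared)
        with_bit = mode_string(shared)
        sticky = has_sticky(shared)
        clear_sticky(shared)
        after = mode_string(shared)
    return {"before": before, "sticky": with_bit,
            "is_sticky": sticky, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>10}: {value}")
```

A practical check for a defender: any world-writable directory shared between users (a `dump` area, `/tmp`-like scratch space) should show `drwxrwxrwt`, not `drwxrwxrwx`; a lower-case `T` instead of `t` means the bit is set but the others' execute bit is missing.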

Memory Management

Process granularity

- Each process upon creation is allocated some memory called its address space
- This memory is organized in segments:
  .text, .data, .bss, and the heap and stack segments
- Each segment has its own access permissions:
  readable, writable and executable
- The operating system protects one process from another by not allowing access to the other's address space

Global granularity

- Kernel address space
- User address space

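On Linux the per-segment permissions the slide describes are visible in `/proc/<pid>/maps`, one line per mapping. The parser below is an added example, not code from the lecture: it reads that format, shows how the .text, .data, heap and stack segments carry different r/w/x bits, and flags the layout a defender looks for first, a segment that is both writable and executable. The sample maps text is constructed (it is not a capture from any machine), and the `rwxp` region in it is planted on purpose.

```python
# Added example: parse /proc/<pid>/maps and check per-segment permissions.
# Not from the lecture; SAMPLE_MAPS is constructed, not a real capture.
import re
from typing import List, NamedTuple


class Segment(NamedTuple):
    start: int
    end: int
    perms: str      # four characters: r/-, w/-, x/-, p(rivate)/s(hared)
    path: str       # backing file, [heap], [stack], or '' for anonymous maps

    @property
    def size(self) -> int:
        return self.end - self.start


# address range, perms, offset, device, inode, optional path
_MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_maps(text: str) -> List[Segment]:
    segs = []
    for line in text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if m:
            segs.append(Segment(int(m.group(1), 16), int(m.group(2), 16),
                                m.group(3), m.group(4).strip()))
    return segs


def writable_executable(segs: List[Segment]) -> List[Segment]:
    """W^X check: a mapping with both w and x lets data written into it
    be run as code, which defeats the per-segment protection the
    slide describes."""
    return [s for s in segs if s.perms[1] == "w" and s.perms[2] == "x"]


def perms_of(segs: List[Segment], path: str) -> List[str]:
    """Permission strings of every mapping backed by the given path."""
    return [s.perms for s in segs if s.path == path]


def live_self_maps() -> List[Segment]:
    """Parse this process's own map when running on Linux; empty elsewhere."""
    try:
        with open("/proc/self/maps") as fh:
            return parse_maps(fh.read())
    except OSError:
        return []


# Constructed sample in the real /proc format. The four /usr/bin/cat
# mappings correspond to the slide's .text (r-x) and .data/.bss (rw-)
# segments; the rwxp region is planted to exercise the check.
SAMPLE_MAPS = """\
55d8f3a00000-55d8f3a01000 r--p 00000000 08:01 1311 /usr/bin/cat
55d8f3a01000-55d8f3a05000 r-xp 00001000 08:01 1311 /usr/bin/cat
55d8f3a05000-55d8f3a07000 r--p 00005000 08:01 1311 /usr/bin/cat
55d8f3a07000-55d8f3a08000 rw-p 00006000 08:01 1311 /usr/bin/cat
55d8f5000000-55d8f5021000 rw-p 00000000 00:00 0 [heap]
7f1e20000000-7f1e20010000 rwxp 00000000 00:00 0 [anon:constructed-jit]
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for seg in writable_executable(parse_maps(SAMPLE_MAPS)):
        print(f"W+X mapping: {seg.start:#x}-{seg.end:#x} {seg.path}")
    print("live W+X mappings in this interpreter:",
          len(writable_executable(live_self_maps())))
```

Run against a live process, `writable_executable(live_self_maps())` is normally empty for ordinary programs; JIT runtimes are the usual legitimate exception, which is why such a finding is a prompt for investigation rather than an automatic verdict.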

Booting Sequence and Security

The typical booting sequence is: BIOS, then the secondary boot loader, then the operating system

There is a chain of trust in the booting process

An attacker can subvert the booting process by altering or modifying something in any of these components

In order to protect the system from such changes, most systems have a BIOS password


Hibernation and Security

Hibernation is the concept of saving the state of the system to disk

- Typically the state information is stored in a file
- The entire main memory is copied into a file (in a compressed format)

Since the entire state is copied onto disk

- All passwords and other sensitive information carry the danger of being exposed

Researchers have shown the feasibility of extracting such information by mounting a live CD attack

On a Windows machine the state is stored in the file c:\hiberfil.sys


Password and User Account Management in Operating System

Naive approach

- Create a file "password" where all users' passwords are stored

  Neminath : pass156
  Gourinath : test234
  Somnath : temp123

- Save the file "password" somewhere in the system
- What if a thief gets access to this file?

  All user accounts are compromised

- What can we do to prevent it?

  Encrypt the file containing the passwords

  Seems a good idea, but not enough

  There is a key used to encrypt the file

  How does the OS verify the password?

  The key needs to be somewhere in the system

  The key needs to be stored

  If the file containing the passwords can be stolen, the key can also be stolen

Use one-way hashing and salting

- Most flavors of Unix systems use this method


Password and User Account Management in Operating System

One-way hashing is a function f

- The characteristic of this function is:
- When supplied x it computes f(x) easily
- But the inverse is extremely complex, i.e., given f(x) it is difficult to calculate x.

An example

- Convert all the characters into their ASCII values and XOR them
- The result is a small number derived from the XOR operation
- Store the hash value in the password file
- Note that we do not store the password anywhere

The idea is to make it impossible to guess the password even if the hash value is known

- Now the password file looks like

  Neminath : a12hf
  Gourinath : b4a2e
  Somanath : d34ef


Password and User Account Management in Operating System

From a thief's perspective

- She can start guessing passwords one by one and compare them to the hash values in the password file
- She needs to know which hash function to use
- There are only a handful of good one-way hash functions implemented
- So it's easy to guess one or find out which one is used
- Using a table called a rainbow table (which is a list of common pre-computed password hashes) it is easy to break it
- Even if one user uses a weak password which matches one in the dictionary, system security is compromised
- This is addressed through a technique called salting


Password and User Account Management in Operating System

Salting

- Do not hash passwords as they are; add something to them and then hash
- Unix systems use an additional 12-bit number to hash the password
- How to choose the value of the salt

  Deterministic across the users: not a good idea!

  Unique for each user: sounds good, but how to get a unique one

  Take the current timestamp of the system and divide it by a predetermined number to get a 12-bit remainder; use it as the salt.

  Metadata as salt: use the birthday or PAN number of the user as the salt

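The last three slides (the XOR example of a one-way function, the thief's precomputed-table view, and salting) can be seen side by side in one program. The Python below is an added example, not code from the lecture. It implements the slide's XOR hash exactly as described to make its collisions concrete, then stores the same constructed accounts first with a plain one-way hash and then with a per-user salt, and shows the difference a thief would see. Assumptions not on the slides: SHA-256 and PBKDF2-HMAC from the standard library stand in for "a one-way function", and the salt is 16 random bytes from os.urandom rather than the 12-bit timestamp-derived value the slide suggests; the sample passwords are constructed so that two users share one.

```python
# Added example: the slide's toy XOR hash beside a salted one-way hash.
# Not from the lecture; hash choice and salt source are assumptions.
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def xor_hash(password: str) -> int:
    """The slide's example: XOR of all ASCII codes. Order-insensitive and at
    most 7 bits wide, so collisions are everywhere; shown only as a warning."""
    h = 0
    for ch in password:
        h ^= ord(ch)
    return h


def unsalted(password: str) -> str:
    """A real one-way hash, but the same input always gives the same value."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted(password: str, salt: Optional[bytes] = None,
           rounds: int = 100_000) -> Tuple[str, str]:
    """Return (salt_hex, digest_hex); a fresh salt per user unless supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt.hex(), digest.hex()


def verify(password: str, salt_hex: str, digest_hex: str) -> bool:
    """Recompute with the stored salt; constant-time compare of the result."""
    _, candidate = salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest_hex)


def shared_password_groups(stored: Dict[str, str]) -> List[List[str]]:
    """Users whose stored values are identical. Without a salt this is the
    information a precomputed table exploits: crack one, get all of them."""
    by_hash: Dict[str, List[str]] = {}
    for user, value in stored.items():
        by_hash.setdefault(value, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


# Constructed sample accounts: the slide's three names, with passwords
# chosen so that two users share one.
ACCOUNTS = {"Neminath": "pass156", "Gourinath": "pass156", "Somnath": "temp123"}


def unsalted_file(accounts: Dict[str, str]) -> Dict[str, str]:
    return {u: unsalted(p) for u, p in accounts.items()}


def salted_file(accounts: Dict[str, str]) -> Dict[str, str]:
    """Stored as salt$digest, the salt being public, like a Unix password file."""
    return {u: "$".join(salted(p)) for u, p in accounts.items()}


if __name__ == "__main__":
    print("xor_hash('ab') == xor_hash('ba'):", xor_hash("ab") == xor_hash("ba"))
    print("unsalted duplicates:", shared_password_groups(unsalted_file(ACCOUNTS)))
    print("salted duplicates:", shared_password_groups(salted_file(ACCOUNTS)))
```

With the unsalted file, Neminath and Gourinath are visibly the same account to attack; with per-user salts the two entries are unrelated strings, and a table precomputed for one salt is useless for the next. The salt itself is stored in the clear next to the digest, which is fine: its job is uniqueness, not secrecy.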

Unix Password Management

The file /etc/passwd stores the Unix users' passwords

The Unix password is hashed and salted

Salting and hashing effectively increase the amount of work needed to break into the target system

Algorithm

- Take the first 8 ASCII characters of the user password and use them to encrypt a 64-bit constant consisting of all 0's
- If the user password is less than 8 characters, suitably pad it to make it 56 bits
- Encrypt the 64-bit block of 0's 25 times with DES, using the user password as the key
- The resultant encrypted version is stored in the file


Windows Event Logging


Windows Event Logs

Types of logs

- Application logs: events from applications
- Security logs: login and logout details, failed logins
- System logs: events from system components

The event header contains

- Date and time
- User and computer
- Event ID
- Level
- Source
- Category


Windows Event Logs

Types of events

- Information: normally indicates the successful operation of something
- Warning: indicates an issue that is not severe but may be troublesome in the future
- Error: describes a significant problem
- Success Audit (Security log): when a user successfully logs into the system
- Failure Audit (Security log): a failed login attempt


An Example

[figure: Event Viewer screenshot, not reproduced in this text]

Level     Date and time           Source   Event ID   Task category
Warning   12/6/2013 12:34:21 PM   Tcpip    4228       None

Details: TCP/IP has chosen to restrict the scale factor due to a network condition. This could be related to a problem in a network device and will cause degraded throughput.

The issue is related to communication

The scale factor is related to the receive window size

By using the window scale option, the receive window size may be increased up to a maximum value of 1,073,725,440 bytes. This is done by specifying a one-byte shift count in the header options field.

The true receive window size is the advertised window left-shifted by the value of the shift count. A maximum value of 14 may be used for the shift count.

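The event on the slide is a single Event Viewer row plus its details text. The Python below is an added example, not code from the lecture: it parses rows in that layout into records carrying the header fields the earlier slide lists (level, date and time, source, event ID, category), picks out the levels an analyst reads first, and carries the window-scale arithmetic through to confirm the 1,073,725,440-byte maximum the slide states. The second row is constructed for the Failure Audit case; 4625 is Windows' standard "an account failed to log on" event id, not a value from the slides.

```python
# Added example: parse Event Viewer rows and check the window-scale figure.
# Not from the lecture; the Failure Audit row is constructed.
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

LEVELS = ("Information", "Warning", "Error", "Success Audit", "Failure Audit")

# level, date and time (12-hour clock), source, event id, task category
_ROW = re.compile(
    r"^(" + "|".join(LEVELS) + r")\s+"
    r"(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(\S+)\s+(\d+)\s+(\S.*)$")


@dataclass
class EventRecord:
    level: str
    when: datetime
    source: str
    event_id: int
    task: str
    details: str = ""


def parse_row(line: str, details: str = "") -> EventRecord:
    m = _ROW.match(line.strip())
    if not m:
        raise ValueError(f"not an event row: {line!r}")
    when = datetime.strptime(m.group(2), "%m/%d/%Y %I:%M:%S %p")
    return EventRecord(m.group(1), when, m.group(3), int(m.group(4)),
                       m.group(5), details)


def needs_attention(records: List[EventRecord]) -> List[EventRecord]:
    """Warning, Error and Failure Audit are what an analyst reads first."""
    return [r for r in records if r.level in ("Warning", "Error", "Failure Audit")]


MAX_SHIFT = 14                  # largest shift count the window scale option allows
MAX_UNSCALED_WINDOW = 0xFFFF    # the window field in the TCP header is 16 bits


def scaled_window(advertised: int, shift: int) -> int:
    """True receive window = advertised window << shift count."""
    if not 0 <= advertised <= MAX_UNSCALED_WINDOW:
        raise ValueError("window field is 16 bits")
    if not 0 <= shift <= MAX_SHIFT:
        raise ValueError("shift count is limited to 14")
    return advertised << shift


def max_scaled_window() -> int:
    return scaled_window(MAX_UNSCALED_WINDOW, MAX_SHIFT)   # 1,073,725,440


# The slide's row plus one constructed Security-log row.
SAMPLE_ROWS = [
    ("Warning 12/6/2013 12:34:21 PM Tcpip 4228 None",
     "TCP/IP has chosen to restrict the scale factor due to a network "
     "condition. This could be related to a problem in a network device "
     "and will cause degraded throughput."),
    ("Failure Audit 12/6/2013 12:35:02 PM Microsoft-Windows-Security-Auditing 4625 Logon", ""),
]

if __name__ == "__main__":
    records = [parse_row(row, details) for row, details in SAMPLE_ROWS]
    for rec in needs_attention(records):
        print(rec.when.isoformat(), rec.level, rec.source, rec.event_id)
    print("maximum scaled receive window:", f"{max_scaled_window():,}")
```

The arithmetic is the slide's own: a 16-bit window field holds at most 65,535, and shifting it by the maximum count of 14 gives 65,535 × 16,384 = 1,073,725,440 bytes, so event 4228 reporting a restricted scale factor means the host is capping that shift and throughput will suffer on high-latency links.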

Logging at Many Places

- Windows event logs
- Antivirus programs
- Firewalls
- RADIUS server
- DHCP server
- IDS and IPS ...


Event Correlation

[figure: event correlation diagram, not reproduced in this text]

Courtesy: SANS Analyst Program Document

Sequence of Events

[figure: sequence of events diagram, not reproduced in this text]

Courtesy: SANS Analyst Program Document
