RUDI LUMANTOUNIVERSITAS BUDILUHUR Semester 2 / 2007 Rudi Lumanto / Mochamad Wahyudi Computer...

RUDI LUMANTO UNIVERSITAS BUDILUHURSemester 2 / 2007

Rudi Lumanto / Mochamad Wahyudi

Computer Networking & Security

Program Pascasarjana Magister Ilmu Komputer STMIK Nusa Mandiri



STMIK Nusa Mandiri

Operating System Security


RUDI LUMANTO UNIVERSITAS BUDILUHUR , Semester 2 / 2007

Outline

OS Structure (Linux, Windows, MAC) Password Access Control Data Redudancy (Information Availibility) Usefull Tools



A chain is only as strong as its weakest link



OS Structure

A kernel connects the application software to the hardware of a computer. It is the central component of most computer operating systems (OS)

UNIX OS (1969) ------ Ms. Windows OS (1985) ------- MAC OS (1975)



Multics project in a joint effort of Bell Labs, MIT and GE to develop a general computer operating system.

1969 AT&T Bell Laboratory by Ken Thompson

1973 recoded in C(UNIX Kernel) by Dennis Ritchie and Ken Thompson

1978 BSD by Bill Joy(UCB) 1983 System V 4.2BSD

released 1988 BSD Networking release

1 1989 System V release 4

(SVR4)

◆ History of UNIX

Bill 　 JoyDesigner of berkeley version of UNIX,BSD=Berkeley Software DistributionCreator of vi editor.“edison of the internet”

Denis RitchieHarvard univ.1972 create C language

Ken ThompsonUC of BerkeleyCreate B lang.



System III(1982)

System V(1983)

SVR2(1984)SVR3(1987)SVR4(1989)

SVR4.2(1992)SVR4.2MP(1993)

UNIX95UNIX98

BSD

4.2BSD(1984)

4.3BSD(1986)

4.4BSD(1993)

4.4BSD-Lite 386BSD

Free BSD Net BSD

Open BSD

UNIX(1969)

V1(1971)

V7(1979)

SunOS

Solaris2

Solaris7

SYSTEM V BSD

Linux(1991)

◆ History of Unix



◆ History of Linux 1984, The concept of open source, --its

roots stem from GNU.

Mr. Richard Stallman a researcher at MIT started project called GNU, to develop a complete Unix like OS which is free software. (GNU is a recursive acronym for "GNU's Not Unix"; it is pronounced "guh-NEW".)

1987, Prof. Andrew S Tanenbaum invents Minix, an open source OS that’s a clone of Unix

1991 , Linus Torvalds, 21 year old students at university of Helsinki, began develop a Linux.

Richard Stallman

Linus torvalds

Andrew S Tanenbaum,BSc-MIT, PhD-UC Barkeleyprincipal designer of three operating systems: TSS-11, Amoeba, and MINIX. TSS-11 was an early system for the PDP-11. Amoeba is a distributed operating systems for SUN, VAX, and similar workstation computers. MINIX is a system for the IBM PC, Atari, Macintosh, Amiga, and SPARC, providing a system as simple as real UNIX (i.e. Version 7) for educational use.



◆ Unix/Linux Configuration

The UNIX system is functionally organized at three levels:

•The kernel, which schedules tasks and manages storage; •The shell, which connects and interprets users' commands, calls programs from memory, and executes them; and •The tools and applications that offer additional functionality to the operating system



Kernel

Shell

Shell

Shell

◆ Shells and Kernel

KERNEL :The heart of the operating system, the kernel controls the hardware and turns part of the system on and off at the programer's command. SHELL:Intermediater between the user and the operating system kernel. It also called a command interpreter orCommand Analyzer. There are several type of shell



Power on Power off

Session

login logout

◆ Starting and Terminating Linux

Login: Process of initiating a Linux operating system session

Logout: Process of terminating a Linux operating system session



Windows OS Structure : Simplified

Systemsupport

processes

Serviceprocesses

Userapplications

Environmentsubsystems

Subsystem DLLs

Executive

Kernel Device drivers

Hardware Abstraction Layer (HAL)

Windowingand graphics

UserMode

KernelMode

Microsoft first introduced an operating environment named Windows in November 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces (GUIs)



Software Software ManagementManagement

Operating System Functions

Hardware Hardware ManagementManagement

MemoryMemoryManagementManagement

DataDataManagementManagement

Operating System

Microsoft®

Windows

®



Features of Windows ServerMultitaskingMultitasking

Memory SupportMemory SupportSMP ScalabilitySMP Scalability

Plug and PlayPlug and Play

ClusteringClustering

File SystemsFile Systems

NTFSNTFS

QoSQoS

Remote Remote Installation Installation ServicesServices

MultitaskingMemory Support

SMP Scalability

Plug and Play

Clustering

File SystemsQoS

Terminal ServicesTerminal ServicesTerminal Services

MultitaskingMultitaskingMemory SupportMemory Support

SMP ScalabilitySMP Scalability

Plug and PlayPlug and Play

ClusteringClustering

File SystemsFile Systems

NTFSNTFS

Terminal ServicesTerminal Services

QoSQoS

Operating System

Microsoft®

Windows

®



Roles of Computers in a NetworkMail ServerMail Server

Database ServerDatabase Server

DatabaseDatabase

Fax ServerFax Server

File and Print File and Print ServerServer

Directory Services Directory Services ServerServer

Client Computer

File and Print Server

Database Server

Mail Server

Fax Server

Mail ServerMail Server

Database ServerDatabase Server

DatabaseDatabase

Fax ServerFax Server

File and Print File and Print ServerServer



Kernel - Mode Components : Core OS

Executive

– Base operating system services,

– Memory management, process and thread management,

– Security, I/O, interprocess communication. Kernel

– Low-level operating system functions,

– Thread scheduling, interrupt and exception dispatching,

– Multiprocessor synchronization.

– Provides a set of routines and basic objects that the rest of the executive uses to implement higher-level constructs.

Both contained in file Ntoskrnl.exe



Device drivers (*.sys)– Hardware device drivers translate user I/O function calls

into specific hardware device I/O requests – virtual devices - system volumes and network protocols

Windowing and Graphics Driver (Win32k.sys)– Graphical user interface (GUI) functions (USER and

GDI)– windows, user interface controls, and drawing

Hardware Abstraction Layer (Hal.dll) – Isolates the kernel, device drivers, and executive from

hardware– Hides platform-specific hardware differences

(motherboards)

Kernel - Mode Components : Drivers



Key to a defense in depth of OS

Monitoring login, failed login and all network activity

UNIX OS : - sulog : Record failed attempts and switch to another user with su command- wtmp log : Record information for every account that logs in and out of a system, and also the time and duration of a system

WINDOWS OS (Event Viewer )- System log- Application log- Security log



Password



The first measure of a system’s security is how effective it is in Authenticating and Identifying.

Password are used by most system as the first and usually onlymeans of identification and authentication.

System Password Attacks type :- Brute Force- Dictionary Based- Password Sniffing- Social Engineering

Three Basic Schemes for Identification & authentication :1. Something you know, example : Password, PIN2. Something you have, example : ID card, Security Token, Cell Phone3. Something you are, example : Fingerprint, Signature



Breach systems by trying every possible combination of letter and number till a match is found that provides access to the system

Take a long time and full of memory because of exhaustive trial and error

Brute Force Attack



How to Prevent Brute Force Attack

1) Restricting the amount of login attempts that a user can perform

2) Banning a users IP after multiple failed login attempts

3) Keep a close eye on your log files for suspicious login attempts



Dictionary Based Attack

Utilize a program that compare the encrypted password in the password file to encrypted words in a dictionary file

Try different passwords from a listSucceeds only with poor passwordVery fast



Preventing Dictionary Attack Use SALT.

SALT in cryptography is random stuff you add to plaintext before encrypting. Now in the password file we store: username, rrrr, h (password + rrrr). Here rrrr is the salt.



Password Sniffing Monitoring the network packets to obtain

passwords or IP Address

Target machine

Target machine

Targetmachine

Network Hub

192.168.0.20 192.168.0.30 192.168.0.101

Sniffermachine



Use a network switch instead of network hubs

Employ VPN (Virtual Private Network) Use an encryption program like SSH (Secure

Shell) Use one time passwords (OTP)

Password Sniffing Countermeasuse



Social Engineering

Countermeasure– Modifying people’s behavior by training and

education

Most people are trusting by nature and are not on-guard for this type of maneuver.

It is not amazing how easy it is to get someone to divulge a password over the telephone



Good Password Guideline At least 8 alphanumeric and special symbol

characters in length. Avoid all number and all letters The maximum number of times any single character

can be repeated in a password should be restricted to three

Avoid using personal data such as birthday, telephone number, numberplate

System controls should be configured to limit a time of a password (ex.36 week) and also cannot re-use old password unless after 8 to 10 new password be used

Should be selected by the end user and easy to remember



Comparative Analysis for Password Breaking(Assumption : Software can calculate 500.000 Words/Sec)



Access ControlOnce the user is logged into the system, the user is given authorizationto access system resources, such as files. The authorization can be thought of as access privileges. The discretionary privileges can be definedby an Access Control List (ACL)

ACL is the mechanism that restricts or grants access to a system’s resources (Example : Read, Write or Delete Access )

An organization should use some method that controls employee access to Its systems and networks,

The Concepts of Permission



PermissionsMost computers and NOS employ the concept of permissions for Controlling access.

Most system at least have 3-4 level of permissions1. Read2. Write3. Execute4. Delete

And have 3 user level :1. Owner2. Group3. Public or Everybody



Some Operating System use more than 4 level of access permissions. Novel, for instance, uses 8 different levels



Group A

Group BOwner

Others

Group

A

BC

D

E

◆ Unix Access Controlling

Three types of users



Permits the user to read the file.Permits the user to write the file.Permits the user to execute the file.Disable the r w x permissions.

rwx-

For File

For Directory

Permits the user to search for files/directory in the directory.Permits the user to create/delete the file.Permits the user to search the directory.Disable the r w x permissions.

rwx-

◆ Unix OS File Access : Types of protections



Owner

rwx　　　　　　　rwx　　　　　　　rwx

Format of the protection mode

Group Others


RUDI LUMANTO UNIVERSITAS BUDILUHUR , Semester 2 / 2007Program Pascasarjana Magister Ilmu Komputer STMIK Nusa Mandiri


Data Redundancy

One of the best way to ensure availability is data redundancy. Availabilty means not only

the data be accessible but it must also be timely and accurate.

Data Redundancy can be achieved in different ways. Each Method provides a varying degree of redundancy and backup.

- Disk Mirroring- RAID (Redundancy Array of Independent Disks)- Data Streaming- Hot Backup



Disk Mirroring

The process of duplicating data from one hard disk to another hard disk

Provides two sets of identical files on separate disks



RAID

A category of disk drives that employ two or more drives in combination for fault tolerance and performance. RAID disk drives are used frequently on servers but aren't generally necessary for personal computers.



Streaming

A technique for transferring data such that it can be processed as a steady and continuous stream.

It is the process of writing transaction to another media at the same time the transaction update the data files. One common implementation is to write the transaction to tape.

Streaming process creates a lot of overhead in terms of CPU and I/O on a system



Hot Backup

A Technique used to provide for the ongoing operation of a LAN should a file server fail. In this technique, two file servers operate in tandem. Data is duplicated on the hard disks of the two servers. This is like disk mirroring but across two servers instead of one server.



Useful Tools

Useful tools available in tightening Operating System security :– COPS (Computer Oracle and Password System)– SATAN (Security Administrator’s Tool for Analyzing

Network)– SAINT (Security Administrators Integrated Network

Tool)– TITAN– TIGER– TCPWrapper– Tripwire



COPS, SATAN & SAINT



TITAN, TIGER & TCPWrapper



Rudi Lumanto / Mochamad Wahyudi



RUDI LUMANTOUNIVERSITAS BUDILUHUR Semester 2 / 2007 Rudi Lumanto / Mochamad Wahyudi Computer...

Documents

Transcript of RUDI LUMANTOUNIVERSITAS BUDILUHUR Semester 2 / 2007 Rudi Lumanto / Mochamad Wahyudi Computer...