1 / 15

Secure Operating Systems

Secure Operating Systems. Lesson C : Linux Security Features. Where are we?. Multics is beautiful, Multics is beautiful, Multics is beautiful… And also, we’ve looked at some of the ways operating systems get broken Let’s look at a well known OS today: Linux. Linux: Overview.

kiley
Download Presentation

Secure Operating Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure Operating Systems Lesson C: Linux Security Features

  2. Where are we? • Multics is beautiful, Multicsis beautiful, Multicsis beautiful… • And also, we’ve looked at some of the ways operating systems get broken • Let’s look at a well known OS today: Linux

  3. Linux: Overview • Accounts, authentication • File permissions • Secure Access • Encrypted storage • Logging • Resource usage controls… • It’s a long list. Let’s take a look.

  4. User Accounts • The Unix model is pretty straightforward • An entity has a user account; this account can be associated with groups • Usually, there is one superuser, root – this account has complete control of the system

  5. PAM: Authentication • User accounts don’t help if you can’t authenticate, so Linux provides PAM • Pluggable Authentication Module • PAM allows us fine grained support on logins and authentication • Account modules: auth is valid under current conditions (time of day, phase of moon…) • Authentication modules: authenticates the user • Password modules: Updating passwords, and measuring password strength • Session modules: things to do at the start and end of every session

  6. Protection: Files • Files can be protected at the user, group, world, level • Valid permissions are read, write, execute • umask provides default permissions for a user on files and directories • Setuid bit – is this a vuln or a feature? Let’s discuss…

  7. Secure Access • None of the above matters if we can’t log in to the box securely • Linux has a few features. • Most notably, we can restrict the places root can log in from – perhaps to a local physical console • All remote connections come in through sshd– compare to telnet

  8. Encrypted storage • First, let’s be clear… what are we protecting from? • With that said, we can create an encrypted bootload and encrypted storage in Linux • Protecting the boot sequence is pretty important – we’ll revisit that when we look at Windows 8

  9. Logging • Or even audit…there’s syslog and auditing • In more up to date Linii, there’s auditd • Very flexible auditing system, that provides very granular logging of events • Configured by audit rules • Tampering? • At the less granular level, there’s syslog etc. • In essence: you have the ability to see, if you choose to look

  10. Resource control • Linux can control how much of a resource a particular user uses, too • Quota can also provide hard limits

  11. Non-Executable Memory • Linux has supported the NX bit for almost TEN years (!!!) • You do need to check your distribution and kernel configuration though • Remind me: what does this achieve?

  12. ASLR • Yes, Linux has address space layout randomization as a kernel option

  13. GCC assistance • Pointer encryption • -Wformat –Wformat-security • Not much use if you don’t pay attention • -D_FORTIFY_SOURCE=2 –O2 – put in runtime and compile time checks on buffers • Built in stack canaries • Position Independent Executables (PIE) • ELF hardening (mark segments r/o before execution

  14. Things to Do • Take a look at the little Linux machine you installed earlier in the semester. What security features are available? What areas can you harden the configuration. Tell me what you did to try and harden the OS…

  15. Questions & Comments • What do you want to know?

More Related