Operating Systems 15 - security
1
OPERATING SYSTEMS 15 - SECURITY
PIETER HARTEL
2
Contents
Authentication
Passwords
Tokens
Biometrics
Access control
Policies
Mechanisms
Auditing
Logs
Intrusion detection
3
Passwords
Why the salt?
Salt: two characters of hashed password; 4096 possibilities
4
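#include <stdio.h>
#include <pwd.h>

int main(int argc, char* argv[]) {
    struct passwd *p;
    /* Walk every entry in the password database. */
    while ((p = getpwent()) != NULL) {
        printf("%s:%s:%u:%u:%s:%s:%s\n",
               p->pw_name, p->pw_passwd,
               (unsigned)p->pw_uid, (unsigned)p->pw_gid,
               p->pw_gecos, p->pw_dir, p->pw_shell);
    }
    endpwent();  /* close the password database */
    return 0;
}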
Reading the password file
Output?
gcc Getpwent.c
./a.out | more
Is there a memory leak?
ls -l /etc/shadow /etc/passwd
Cyber-crime Science 5
Tokens
Advantages
Generally stronger than passwords
Disadvantages
May require special hardware
Can be lost
Authentication protocol
Static
Dynamic password generator
Challenge response
IIS
Biometrics
6
[Jai00] A. K. Jain, L. Hong, and S. Pankanti. Biometric identification. Commun. ACM, 43(2):90-98, Feb 2000. http://doi.acm.org/10.1145/328236.328110
7
Access control policies
Policy types
Discretionary
Mandatory
Role based
8
Discretionary access control mechanisms (for “files”)
Enforcement by the reference monitor
The matrix is usually sliced (why?)
Access control list per object
Capabilities per subject
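Added example (not from the original slides): the access matrix sliced both ways, with the reference monitor answering the same request from an access control list and from a capability list. The subjects, objects and rights are constructed sample data, and the names slice_matrix, check_acl and check_cap are hypothetical.

```c
#include <stdio.h>
#include <string.h>

enum { RD = 1, WR = 2, EX = 4 };   /* rights as bit flags */
enum { NSUBJ = 3, NOBJ = 4 };      /* constructed sample: 3 subjects, 4 objects */
/* Full access matrix, rows = subjects, columns = objects (constructed data). */
static const unsigned matrix[NSUBJ][NOBJ] = {
    /* passwd  shadow  notes   a.out */
    {  RD|WR,  RD|WR,  0,      0     },   /* 0: root     */
    {  RD,     0,      RD|WR,  RD|EX },   /* 1: lecturer */
    {  RD,     0,      0,      RD|EX },   /* 2: student  */
};
struct entry { int id; unsigned rights; };      /* one non-empty matrix cell */
struct slice { int n; struct entry e[NOBJ]; };  /* NOBJ >= NSUBJ in this sample */
static struct slice acl[NOBJ];    /* column slices: one ACL per object */
static struct slice cap[NSUBJ];   /* row slices: one capability list per subject */

/* Slice the matrix both ways, storing only non-empty cells; returns cells stored. */
int slice_matrix(void) {
    int stored = 0;
    memset(acl, 0, sizeof acl);
    memset(cap, 0, sizeof cap);
    for (int s = 0; s < NSUBJ; s++)
        for (int o = 0; o < NOBJ; o++) {
            if (matrix[s][o] == 0) continue;
            acl[o].e[acl[o].n++] = (struct entry){ s, matrix[s][o] };
            cap[s].e[cap[s].n++] = (struct entry){ o, matrix[s][o] };
            stored++;
        }
    return stored;
}

/* Grant only if an entry for id exists and holds every requested right. */
static int lookup(const struct slice *sl, int id, unsigned want) {
    for (int i = 0; i < sl->n; i++)
        if (sl->e[i].id == id) return (sl->e[i].rights & want) == want;
    return 0;   /* no entry: default deny */
}
static int valid(int s, int o) { return s >= 0 && s < NSUBJ && o >= 0 && o < NOBJ; }

/* Reference monitor decision: by the object's ACL, or by the subject's capabilities. */
int check_acl(int s, int o, unsigned want) { return valid(s, o) && lookup(&acl[o], s, want); }
int check_cap(int s, int o, unsigned want) { return valid(s, o) && lookup(&cap[s], o, want); }

int main(void) {
    printf("stored %d of %d cells\n", slice_matrix(), NSUBJ * NOBJ);
    printf("student may write shadow: acl=%d cap=%d\n", check_acl(2, 1, WR), check_cap(2, 1, WR));
    return 0;
}
```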
9
Role based access control
Group users by role
Encourage users to switch role
Principle of least privilege
10
#include <stdio.h>
#include <pwd.h>
#include <time.h>
#include <lastlog.h>

#define llsz sizeof(struct lastlog)

int main(int argc, char *argv[]) {
    FILE *fp = fopen("/var/log/lastlog", "r");
    int i;
    for (i = 1; i < argc; i++) {
        struct passwd *p = getpwnam(argv[i]);
        if (p == NULL) {
            printf("unknown user: %s\n", argv[i]);
        } else {
            struct lastlog ll;
            /* lastlog holds one fixed-size record per user, indexed by UID */
            fseek(fp, p->pw_uid*llsz, 0);
            fread(&ll, llsz, 1, fp);
            printf("%s %s %s %s", argv[i], ll.ll_line, ll.ll_host, ctime(&ll.ll_time));
        }
    }
    fclose(fp);
    return 0;
}
Monitoring logins
last
gcc Lastlog.c
./a.out lecturer student
Is there a problem?
man 5 lastlog
ls -l /var/log/lastlog
11
Summary
Authentication and access control try to prevent problems
Auditing tries to detect problems
Technology is only part of the problem
Mechanism and policy