INFORMATION SECURITY – WEEK 5
Mumtaz Ali Rajput, mumtaz.ali@superior.edu.pk, +92 – 301- 4949 409

Presentation transcript:


Information Security (IS)
In This Chapter:
•Boot Sequence
•BIOS Passwords
•Hibernation
•Event Logging
•Windows - Event Logging
•Linux – Event logging
•Process monitoring
•Memory and File system Security
•Virtual Memory Security
•Access Methods

The Boot Sequence
The action of loading an operating system into memory from a powered-off state is known as booting or bootstrapping. When a computer is turned on, it first executes code stored in a firmware component known as the BIOS (basic input/output system). On modern systems, the BIOS loads into memory the second-stage boot loader, which handles loading the rest of the operating system into memory and then passes control of execution to the operating system.

BIOS Passwords
A malicious user could potentially seize execution of a computer at several points in the boot process. To prevent an attacker from initiating the first stages of booting, many computers feature a BIOS password that does not allow a second-stage boot loader to be executed without proper authentication.

Hibernation
Modern machines have the ability to go into a powered-off state known as hibernation.
•While going into hibernation, the OS stores the contents of the machine's memory in a hibernation file (such as hiberfil.sys) on disk so the computer can be quickly restored later.
•But… without additional security precautions, hibernation exposes a machine to potentially invasive forensic investigation.

Event Logging
•Keeping track of
–what processes are running,
–what other machines have interacted with the system via the Internet, and
–if the operating system has experienced any unexpected or suspicious behavior
•Such logging can often leave important clues for
–troubleshooting ordinary problems
–determining the cause of a security breach

Windows - Event Logging
•3 sources of logs
–System
•Can only be written by the OS
–Application
•Written by ordinary applications
–Security
•Written by a Windows service known as the Local Security Authority Subsystem Service (lsass.exe)
•lsass enforces access control and user authentication

Linux – Event logging
•Typically, log files are stored in /var/log
•These are text files with descriptive names, with one event per line
•E.g. auth.log contains records of user authentication
•kern.log keeps track of unexpected kernel behavior
•These logs are written by the syslog daemon
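The "one event per line" layout of auth.log is what makes it easy to search for the cause of a breach. The following is an added example, not part of the original slides: it parses constructed log lines and reports sources with repeated authentication failures. The traditional syslog line layout, the sshd message wording, the host name and the function names are assumptions.

```python
import re
from collections import Counter

# Assumed traditional syslog text layout: "Mon DD HH:MM:SS host program[pid]: message"
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
                  r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# Assumed sshd wording for password logins
AUTH = re.compile(r"^(?P<result>Failed|Accepted) password for (?:invalid user )?"
                  r"(?P<user>\S+) from (?P<src>\S+) port \d+")

# Constructed sample lines (documentation IP ranges), not taken from a real system
SAMPLE = """\
Mar 10 08:15:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
Mar 10 08:15:03 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 40022 ssh2
Mar 10 08:15:06 web1 sshd[2103]: Failed password for root from 203.0.113.5 port 40031 ssh2
Mar 10 08:15:09 web1 sshd[2104]: Accepted password for root from 203.0.113.5 port 40040 ssh2
Mar 10 08:20:00 web1 CRON[2200]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 10 09:01:12 web1 sshd[2301]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar 10 09:01:20 web1 sshd[2301]: Accepted password for alice from 198.51.100.7 port 51000 ssh2
"""


def parse_auth_events(text):
    # One event per line: keep only sshd password results, skip everything else.
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["prog"] != "sshd":
            continue
        a = AUTH.match(m["msg"])
        if a:
            events.append({"ts": m["ts"], **a.groupdict()})
    return events


def suspicious_sources(events, threshold=3):
    # Sources with >= threshold failures; note a login accepted after that many failures.
    failures, accepted = Counter(), {}
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]] += 1
        elif failures[e["src"]] >= threshold:
            accepted[e["src"]] = e["user"]
    return {src: {"failures": n, "then_accepted": accepted.get(src)}
            for src, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    print(suspicious_sources(parse_auth_events(SAMPLE)))
```

A single mistyped password followed by a success (the second source in the sample) stays below the threshold and is not reported.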

Process monitoring
•There should be a way to know which processes are currently running
•This may be needed to identify a suspicious process
•Once identified, that process can be terminated
•Windows
–Task Manager
•Linux
–ps, top, pstree and kill commands

Memory and File system Security
•The contents of a computer are encapsulated in its memory and filesystem.
•Thus, protection of a computer's content has to start with the protection of its memory and its filesystem.

Virtual Memory Security
•Windows
–Virtual memory pages are written to a page file named pagefile.sys
•Linux
–Requires the user to create a swap partition to contain these memory pages
–Alternatively, supports a page file like Windows
•The OS prevents users from viewing the contents of virtual memory while the OS is running

Attacks on Virtual memory
•The attacker suddenly powers off the machine
•Boots to another OS from external media
•It may then be possible to view these files
•Mitigation
–Hard disk encryption
•But the attacker can still access the encrypted swap file/partition

Password-Based Authentication
•How does the OS securely identify its users?
•Authentication
–Determination of the identity or role that someone has
–The standard mechanism is username and password
–The OS stores a cryptographic hash of the password
•The actual password cannot be obtained from the hash, even if the attacker gets the hashed password file
•Basic approach to guessing passwords – dictionary attack
–Each word in a dictionary is hashed and compared with the hashed passwords stored in the password file.
•A dictionary of 500,000 "words" is often enough to discover most passwords.

Password Salt
•It is used to make the dictionary attack more difficult to launch
•Associate a random number with each user id
•Without Salt:
–comparing the hash of an entered password with a stored hash of a password,
•With Salt:
–comparing the hash of an entered password and salt for a user id with a stored hash of the password and salt.
Note: In cryptography, a salt is random data that is used as an additional input to a one-way function that "hashes" a password or passphrase. Salts are closely related to the concept of a nonce.

How Password Salt Works
Without salt:
•User types userid, X, and password, P.
•System looks up H, the stored hash of X's password.
•System tests whether h(P) = H.
With salt:
•User types userid, X, and password, P.
•System looks up S and H, where S is the random salt for userid X and H is the stored hash of S and X's password.
•System tests whether h(S||P) = H.

How Salt Increases Search Space Size
•Assuming that an attacker cannot find the salt associated with a userid he is trying to compromise, the search space for a dictionary attack on a salted password is of size 2^B * D, where
–B is the number of bits of the random salt
–D is the size of the list of words for the dictionary attack
•For example, if a system uses a 32-bit salt for each userid and its users pick passwords in a 500,000 word dictionary, then the search space for attacking salted passwords would be 2^32 * 500,000 = 2,147,483,648,000,000
•Even if an attacker can find a salted password for a userid, he only learns one password.
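The two checks h(P) = H and h(S||P) = H, and the 2^B * D search space, as an added example that is not part of the original slides. It assumes SHA-256 as the hash h, a 32-bit salt as in the slide's example, and hypothetical function names and sample users; the word list is constructed.

```python
import hashlib
import hmac
import secrets

SALT_BITS = 32  # B: salt size from the slide's example


def h(data: bytes) -> str:
    # Assumed stand-in for the slides' h(); deployed systems use a slow KDF such as hashlib.scrypt.
    return hashlib.sha256(data).hexdigest()


def enroll_unsalted(password: str) -> dict:
    return {"H": h(password.encode())}


def enroll_salted(password: str) -> dict:
    salt = secrets.token_bytes(SALT_BITS // 8)      # random S, stored next to H
    return {"S": salt, "H": h(salt + password.encode())}


def verify(record: dict, password: str) -> bool:
    salt = record.get("S", b"")                     # no S: the unsalted test h(P) = H
    candidate = h(salt + password.encode())         # with S: the salted test h(S||P) = H
    return hmac.compare_digest(candidate, record["H"])


def precomputed_hits(table: dict, records: dict) -> dict:
    # Users whose stored H appears in a table of h(word) computed once, without any salt.
    return {user: table[r["H"]] for user, r in records.items() if r["H"] in table}


def search_space(salt_bits: int, dictionary_size: int) -> int:
    # 2^B * D candidates when the salt is not known in advance.
    return (2 ** salt_bits) * dictionary_size


# Constructed sample data: two users who picked the same dictionary word.
WORDS = ["letmein", "dragon", "sunshine"]
TABLE = {h(w.encode()): w for w in WORDS}
UNSALTED = {u: enroll_unsalted("dragon") for u in ("alice", "bob")}
SALTED = {u: enroll_salted("dragon") for u in ("alice", "bob")}

if __name__ == "__main__":
    print("unsalted hits:", precomputed_hits(TABLE, UNSALTED))
    print("salted hits:  ", precomputed_hits(TABLE, SALTED))
    print("search space: ", search_space(SALT_BITS, 500_000))
```

One table of hashed words matches every unsalted record at once, while the salted records match nothing in it even though both users chose the same word.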
