Presentation is loading. Please wait.

Presentation is loading. Please wait.

NET 311 Information Security

Published byGotthilf Linden Modified over 6 years ago

Similar presentations

Presentation on theme: "NET 311 Information Security"— Presentation transcript:

1 NET 311 Information Security
Networks and Communication Department Lecture 9 : Security in Operating Systems( Linux and Windows )

2 lecture contents: Security feature in Linux.
Security feature in Windows 20-Sep-18 Networks and Communication Department

3 LINUX Linux systems are commonly used as multi- user systems.
Linux systems are commonly used as servers. Web, , data base servers How to ensure that authorized users can only access designated resources on a LINUX system. 20-Sep-18 Networks and Communication Department

4 BASIC ELEMENTS OF ACCESS CONTROL
Subject: Entity capable of access resources Often subject is a software process Classes of subjects e.g Owner, Group, World Object: Resources to which access is controlled e.g Files, Directories, programs, communication ports Access Rights: Describes the ways in which subject may access objects e.g read, write, execute, delete, create search 20-Sep-18 Networks and Communication Department

5 CATEGORIES FOR THE SUBJECTS/USERS
Owner-u Each file and directory (a special type of file) has an "owner." This is the user account that has primary power over the file, allowing it to do things like change the file's permissions. (User that owns the file)  Group-g In addition to the owner, each file has a group account associated with it. This group, like the user account that is the file's owner, has its own set of access permissions to the file. (User in the files group) Others/World-o The last permissions category covers "everyone else" — any accounts that are not the owner or a member of the account group that is the file's group owner. (Other users) 20-Sep-18 Networks and Communication Department

6 DAC DAC-Discretionary Access Control
Discretionary access control, or DAC, is the type of access control where access is determined by the owner of an object. 20-Sep-18 Networks and Communication Department

7 EXAMPLE OF DAC ACCESS MATRIX
Specifies the access rights of the subjects over objects. 20-Sep-18 Networks and Communication Department

8 LINUX SECURITY MODEL The Linux traditional security model can be summed up quite succinctly: people or processes with “root” privileges can do anything; other accounts can do much less. root is the user name or account that by default has access to all commands and files on a Linux or other Unix-like operating system. It is also referred to as the root account, root user and the super user. Thus, the attackers are always looking to gain root privilege and when they do, they can erase or edit logs; hide their processes, files, and directories. Linux’s security model relies on Discretionary Access Control (DAC). 20-Sep-18 Networks and Communication Department

9 LINUX SECURITY MODEL In the Linux DAC system, there are:
subject (users + processes) who performs actions (read, write, execute/use) on the objects that (file, directory, or special file). The actions are managed by the Kernel that rely on the permission that the subject has. 20-Sep-18 Networks and Communication Department

10 LINUX SECURITY TRANSACTIONS
20-Sep-18 Networks and Communication Department

11 LINUX DAC IN DEPTH Linux treat everything as file--It is file-system which considered a big deal in security. Documents, pictures, and even executable program are very easy to conceptualize as files on the hard disk The directories are a file containing a list of other files. The two things that are not represented by files: User account: someone capable of using files Group account: a list of user account. 20-Sep-18 Networks and Communication Department

12 INODES inode is a data structure that stores important information about a file or a directory. At the time a new file is created, it gets a free inode. Files and directories are administered by the operating system using inodes. Operating system keeps a list of the inodes in an inode table inode contains the information such as Mode Owner Size Time stamps etc 20-Sep-18 Networks and Communication Department

13 inode Mode is 16 bits Owner id 16 bits Group id 16 bits
12 protection bits: permissions 4 bit file type: regular, file directory etc Owner id 16 bits Group id 16 bits Size of the file….. 20-Sep-18 Networks and Communication Department

14 PERMISSIONS Permissions are classified into two types
File Permissions Directory permissions read the file write to the file execute the file Directory Permissions read: List the contents of the directory write: create and delete the files execute: Access files in the directory 20-Sep-18 Networks and Communication Department

15 PROTECTION BITS IN INODE
12 bits in an inode Mode are for protection First 9 bits indicate read, write execute permissions for user, group and others Last three bits indicate special permissions 20-Sep-18 Networks and Communication Department

16 NUMERIC FILE PERMISSIONS
Internally, Linux uses numbers to represent permissions; only user programs display permissions as letters. The chmod command recognizes both mnemonic permission-modifiers ("u+rwx,go-w") and numeric modes. Each permission has a numeric value, and the permissions in each digit-place are additive: the digit represents the sum of all permission-bits you wish to set. The basic numeric values are: 4 for read, 2 for write 1 for execute. Why no "3” ? Because : (a) these values represent bits in a binary stream and are therefore all powers of 2 (b) this way, no two combination of permissions have the same sum 20-Sep-18 Networks and Communication Department

17 NUMERIC FILE PERMISSIONS
A numeric mode consists of four digits (as you read left-to-right) used to represents: special-permissions user-permissions group-permissions other-permissions. ( other users not covered by user permission or group permission) 20-Sep-18 Networks and Communication Department

18 NUMERIC FILE PERMISSIONS
Example: If, for example, user-permissions are set to "7", this represents 4 (the value for "read") plus 2 (the value for "write") plus 1 (the value for "execute"). For example, 0700 translates to "no special permissions set, all user-permissions set, no group permissions set, no other-permissions set." 20-Sep-18 Networks and Communication Department

19 SPECIAL PERMISSIONS There are two most dangerous permissions:
Setuid: if sets on an executable binary file, it causes that program to “run as” its owner, no matter who executes it. Setuid has no effect on directories Setgid: when sets on an executable file, it causes that program to “run as a” member of the group that owns it. Setgid does and causes any file created in a directory to inherit the directory's group. •Hint "run as" means "to run with the same privileges as." 20-Sep-18 Networks and Communication Department

20 SPECIAL PERMISSIONS When do these special permissions becomes dangerous? If set on any file owned by root or any other privileged account or group. When they become useful? if users belong to other groups and routinely create files to be shared with other members of those group instead of manually changing its group. 20-Sep-18 Networks and Communication Department

21 KERNEL SPACE VS USER SPACE
Refers to memory used by the Linux kernel and its loadable modules (e.g., device drivers) User space Refers to memory used by all other processes Since kernel enforces Linux DAC and security critical to isolate kernel from user so kernel space never swapped to disk only root may load and unload kernel modules 20-Sep-18 Networks and Communication Department

22 2- Windows Operating System
Windows Security Security Defenses Windows VS Linux 20-Sep-18 Networks and Communication Department

23 Windows Security There are different types of privileges that used in Windows some of them is very dangerous. Examples of such privileges include: act as part of operating system privilege which is referred to as the Trusted Computing Base (TCB) it allows code (including security code) to be run by any account; and this is the most dangerous one. Debug programs privilege which allows an account to debug any process running in Windows. Backup files and directories privilege which is able any process that run this privilege to pass all access control list (ACL) checks. 20-Sep-18 Networks and Communication Department

24 Windows Security Defenses
There are four main defends that Windows Security faced: Account Defenses “Secondary Logon” which able the user run an application with another account. Network Defenses: IPSec and IPv6 support, and a bi-directional firewall Buffer overrun Defenses : mechanisms to detect the attacker who exploits the buffer overflow Browser Defenses 20-Sep-18 Networks and Communication Department

25 Windows Security Defenses
Cryptographic Services: Windows includes a complete set of cryptographic functionality such as: a. Encrypting File System (EFS) which is simple, a user or administrator marks a directory to use EFS, then, the file created in that directory is encrypted. b. Data Protection allows users to encrypt and decrypt data transparently. c. BitLocker which is added in Window Vista and it encrypts the entire volume with using AES, and the encryption key is stored either on a USB or within a Trusted Platform Module (TPM) chip on the computer motherboard. 20-Sep-18 Networks and Communication Department

26 Why is Linux is more secure than Windows?
1. Privileges In Windows: users are generally given administrator access by default, which means they pretty much have access to everything on the system, even its most crucial parts. So, then, do viruses. It's like giving terrorists high-level government positions. In Linux: users do not usually have such "root" privileges; rather, they're typically given lower-level accounts. It means even if a Linux system is compromised, the virus won't have the root access it would need to do damage system , more likely, just the user's local files and programs would be affected. That can make the difference between a minor annoyance and a major catastrophe in any business setting. 20-Sep-18 Networks and Communication Department

27 Why is Linux is more secure than Windows?
2. Social Engineering Viruses and Worms are often spread by convincing computer users to do something they shouldn't, like open attachments that carry viruses and worms. This is known as social engineering. In Windows: Spreading the worms and viruses is so easy on Windows systems. Just send out an with a malicious attachment and an interesting subject. The result? An open door for the attached malware, with potentially disastrous consequences organization wide. In Linux: Before any real damage could occur, a Linux user would have to read the , save the attachment, give it executable permissions and then run the executable. Not very likely, in other words. 20-Sep-18 Networks and Communication Department

28 Why is Linux is more secure than Windows?
3. Audience Size Since Millions of people all using the same software(Windows), it become an attractive target for malicious attacker. As a result, the majority of viruses target Windows. 4. How Many Eyeballs In Linux: the creator of Linux--holds that, "given enough eyeballs, all bugs are shallow." What that means is that the larger the group of developers and testers working on a set of code, the more likely any flaws will be caught and fixed quickly. In Windows: it's a limited set of paid developers who are trying to find problems in the code. They adhere to their own set timetables, and they don't generally tell anyone about the problems until they've already created a solution, leaving the door open to exploits until that happens. 20-Sep-18 Networks and Communication Department

29 Windows Advantages Disadvantages User friendly
Enhancements can help millions of users Defects found quickly because of widespread use Disadvantages Security defects can leave millions vulnerable Non-technical user-base Industry dominance leaves MS handcuffed - any move to expand capabilities seen as anticompetitive

30 Linux Advantages Disadvantages Stability Free Software
Runs on old hardware Security Disadvantages Learning curve Equivalent programs More technical ability needed Not all hardware compatible Advantages: The majority of Linux variants are available for free or at a much lower price than Microsoft Windows. Linux is and has always been a very secure Operating System. Although it still can be attacked when compared to Windows, it much more secure. The majority of Linux variants and versions are notoriously reliable and can often run for months and years without needing to be rebooted Disadvantages: Although the majority Linux variants have improved dramatically in ease of use, Windows is still much easier to use for new computer users Linux has a large variety of available software programs, utilities, and games. However, Windows has a much larger selection of available software. Required someone who knows Linux really well. Alternately, you could hire someone who has experience with Linux. A good Linux administrator needs to be on hand as you start to migrate your systems over. This is a disadvantage financially, at least in the beginning. Some of the latest and greatest hardware that is being produced is not compatible with Linux. One thing you can do is before your purchase, ask if the hardware vendor has support for Linux. Some manufacturers do write their own Linux drivers and distribute them with your purchase, making it very easy to integrate with your existing system.

31 References Windows vs. Linux Security, Professor: Hossein Saiedian
20-Sep-18 Networks and Communication Department

Download ppt "NET 311 Information Security"

Similar presentations

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.

Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.
Lecture 7 Access Control

Lecture 7 Access Control
AN INTRODUCTION TO LINUX OPERATING SYSTEM Zihui Han.

AN INTRODUCTION TO LINUX OPERATING SYSTEM Zihui Han.
We are here today to know the differences between Windows operating system and Linux operating System And why is windows more famous than Linux Show the.

We are here today to know the differences between Windows operating system and Linux operating System And why is windows more famous than Linux Show the.
IT Essentials: PC Hardware and Software 1 Chapter 7 Windows NT/2000/XP Operating Systems.

IT Essentials: PC Hardware and Software 1 Chapter 7 Windows NT/2000/XP Operating Systems.
Week #7 Objectives: Secure Windows 7 Desktop

Week #7 Objectives: Secure Windows 7 Desktop
Access Control. What is Access Control? The ability to allow only authorized users, programs or processes system or resource access The ability to disallow.

Access Control. What is Access Control? The ability to allow only authorized users, programs or processes system or resource access The ability to disallow.
Viruses Hackers Backups Stuxnet Portfolio Computer viruses are small programs or scripts that can negatively affect the health of your computer. A.

Viruses Hackers Backups Stuxnet Portfolio Computer viruses are small programs or scripts that can negatively affect the health of your computer. A.
CE01000-3 Operating Systems Lecture 21 Operating Systems Protection with examples from Linux & Windows.

CE Operating Systems Lecture 21 Operating Systems Protection with examples from Linux & Windows.
Linux Security. Authors:- Advanced Linux Programming by Mark Mitchell, Jeffrey Oldham, and Alex Samuel, of CodeSourcery LLC published by New Riders Publishing.

Linux Security. Authors:- Advanced Linux Programming by Mark Mitchell, Jeffrey Oldham, and Alex Samuel, of CodeSourcery LLC published by New Riders Publishing.
INTERNET SAFETY FOR KIDS

INTERNET SAFETY FOR KIDS
Operating Systems Security

Operating Systems Security
Chapter 9: Networking with Unix and Linux. Objectives: Describe the origins and history of the UNIX operating system Identify similarities and differences.

Chapter 9: Networking with Unix and Linux. Objectives: Describe the origins and history of the UNIX operating system Identify similarities and differences.
COEN 350: Network Security Authorization. Fundamental Mechanisms: Access Matrix Subjects Objects (Subjects can be objects, too.) Access Rights Example:

COEN 350: Network Security Authorization. Fundamental Mechanisms: Access Matrix Subjects Objects (Subjects can be objects, too.) Access Rights Example:
Databases Kevin Wright Ben Bruckner Group 40. Outline Background Vulnerabilities Log File Cleaning This Lab.

Databases Kevin Wright Ben Bruckner Group 40. Outline Background Vulnerabilities Log File Cleaning This Lab.
Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).

Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).
Security-Enhanced Linux Stephanie Stelling Center for Information Security Department of Computer Science University of Tulsa, Tulsa, OK 74104.

Security-Enhanced Linux Stephanie Stelling Center for Information Security Department of Computer Science University of Tulsa, Tulsa, OK

Similar presentations

Ads by Google