Topic 2 - Operating Systems

Question 1

How is Authentication defined in Computer Security?

Answer 1

To allow some access to an asset we must ensure they are permitted to access that asset, and they are who they say they are.
It is a process of verifying a user’s identity

Question 2

What are the areas that Authentication focuses on in order to identify someone?

Answer 2

Something the user is
Something the user has
Something the user knows

Question 3

What are some key areas of Passwords in Security?

Answer 3

Identification - Identifies you are who you are
Authentication - Verify that identity
Time of Check to Time of Use - TOCTTOU: Repeated checks of Authentication

Question 4

What are some problems with Passwords?

Answer 4

People forget them
They can be guessed
Spoofing and Phishing
Compromised password files
Keylogging

Question 5

What do Hash Functions do?

Answer 5

Takes a message of any length, and returns a pseudorandom hash of fixed length

Question 6

What makes a strong Hash Function?

Answer 6

Output must be indistinguishable from random noise
Bit changes must be diffused through the entire output
Given a hash, you are not able to reverse it
Make it highly unlikely for different messages to end up with the same hash i.e. a hash collision

Question 7

How do you make a system that looks up passwords from a database much more secure?

Answer 7

Pass the passwords through a one-way hash function, and then compare the hashed passwords instead of plaintext.

Question 8

What are the two types of password cracking?

Answer 8

Offline - You have a copy of the password hash locally
Online - You do not have the hash, and are instead attempting to gain access to an actual login terminal

Question 9

How does Offline Password Cracking work?

Answer 9

Try possible passwords, and see if there’s a hash collision with a password list
Typically is a brute force approach

Question 10

How can Password Cracking approaches be augmented to be much faster?

Answer 10

Using a dictionary of common words and passwords, and slightly augmenting them

Question 11

What is Password Salting?

Answer 11

An improvement to password security, wherein a random ‘salt’ is prepended to a password before hashing occurs.
This salt is stored unencrypted with the hash

Question 12

What are the security benefits from Password Salting?

Answer 12

Using a different random salt for each user:
- Cracking multiple passwords is slower
- Prevents rainbow table attacks - Can’t pre-compute many password combinations

Question 13

What primarily affects Password Cracking speed?

Answer 13

Hashing Speed
The longer this takes, the longer it takes to attempt to crack a password

Question 14

What is another strategy possible attackers might use to gain access to a system?

Answer 14

Pretexting - Offer some additional information regarding why we need access to those details

Question 15

What are some examples of Biometric Security Systems?

Answer 15

Fingerprints
Facial recognition
Iris Recognition
Voice recognition
Behavioural Biometrics

Question 16

What are some security considerations when using Biometrics?

Answer 16

No risk of losing access
Very convenient
Cost of technology required to use them
False positives and false negatives can arise
Can never be changed
Not foolproof - Can be attacked by Adversarial ML, but difficult in practice
Ethical/privacy concerns

Question 17

What are some other physical means of security?

Answer 17

Keys - Physical assets
USB tokens
Smart Cards
Smartphones/wearables

Question 18

How does FIDO/Web Authentication work?

Answer 18

User performs gesture before private key can be used
Private key is then sent to be verified to the app
The private key is then authenticated with a public key

Question 19

What are some of the properties of OTP?

Answer 19

Time/counter-based OTP that user enters
Temporary code that changes every set time period
Requires manual intervention

Question 20

What are some of the properties of WebAuth?

Answer 20

Public-key cryptography
Embedded MFA e.g. Biometrics
Challenge-response during authentication
Automatic - If paired with every device
If password is a recovery option, security ends up being the same as a standard password anyways

Question 21

What are some considerations surrounding Possession Factors e.g. physical security such as USBs or Keycards?

Answer 21

Relies on strong keys and cryptography
In principle, very secure
Often factored into Multi-factor authentication
Physical loss, damage or theft could cause problems
Usability and Cost

Question 22

What are some possible problems with Passwords as a form of security?

Answer 22

Passwords are prone to being guessed, cracked, stolen, misused, etc…
Often the weakest link in a security ‘chain’
Still not well-managed server side
Much effort replace them, but they are very well-balanced with pros and cons

Question 23

What are some advantages of using Password Managers?

Answer 23

Single master passwords vs many passwords - In principle, technically more secure
Convenience

Question 24

What are some disadvantages of Password Managers?

Answer 24

Not all free
Master password used to access all other passwords - Causes single point of failure
Vaults still at risk to company leaks

Question 25

What is a Reference Monitor?

Answer 25

An access control concept that refers to an abstract machine that mediates all access to objects by subjects

Question 26

What are some required properties for a Reference Monitor?

Answer 26

Must be tamper-proof/resistant Must always be invoked when access to an object is required Must be small enough to be verifiable/subject to analysis to ensure correctness

Question 27

What examples of Reference Monitors are there in the different layers of security?

Answer 27

Application - Firewalls Services - JVM, .NET Operating System - Windows Security reference monitor Operating System Kernel - Virtual Machine Hypervisor Hardware - Dedicated registers for defining privileges

Question 28

Why is placing a Reference Monitor at a lower layer of security better?

Answer 28

Assure a higher degree of security Simple structures to implement Reduced performance overheads Fewer layers below for attack possibilities

Question 29

What is a problem with placing Reference Monitors at a low layer of security?

Answer 29

Access control decisions are far removed from applications

Question 30

What does 'Modes of Operation' refer to in the terms of OS Integrity?

Answer 30

Defines which actions are permitted in which mode e.g. system calls, machine instructions, I/O

Question 31

What does 'Controlled Invocation' refer to in the terms of OS Integrity?

Answer 31

Allows us to execute privileged instructions safely, before returning to user code

Question 32

How do 'Modes of Operation' work?

Answer 32

Distinguishes between computations done on behalf of The OS and The User A status flag within the CPU allows the OS to operate in different modes The most privileged location is the kernel, and the further out you go, the less privileged those rings become

Question 33

How does 'Controlled Invocation' work?

Answer 33

Many functions are held at kernel level, but are called from within user level code. Controlled Invocation is the mechanism that handles the transfer between the kernel mode and user mode. It flags an interrupt which resolves the issue, and then returns to the original code.

Question 34

How is an interrupt handled/processed?

Answer 34

Given an interrupt, the CPU will switch execution to the location given in an interrupt descriptor table. The interrupt will be flagged, which corresponds to an Interrupt Vector in the descriptor table. That then corresponds to the Interrupt Handler in memory

Question 35

What is a Descriptor?

Answer 35

Descriptors hold information on crucial system objects like kernel structure locations, and are held in Descriptor Tables. They also contain a Privilege Level, called a Descriptor Privilege Level.

Question 36

How does a Descriptor Table work?

Answer 36

Descriptors are held in these tables, and each descriptor has a specific index that is handled by selectors

Question 37

How does the CPU protect the kernel?

Answer 37

The CPU protects the kernel by checking the Current Privilege Level (CPL) when a Selector is loaded.

Question 38

What are Interrupt-Gates?

Answer 38

Descriptors that have a privilege level higher than where they point are called Gates. These descriptors are also created by the kernel itself, so it becomes a secure method of entry into the kernel.

Question 39

How do you insert rootkits?

Answer 39

If you can run custom code on compromised drivers, then you can insert your own handler into the Kernel, which is called a Rootkit.

Question 40

What are some properties of Processes in regards to the kernel?

Answer 40

Exists in its own address space Communicates with other processes via the OS Separation for security

Question 41

What is a Thread?

Answer 41

A thread is a strand of execution within a process, where they share a common address space

Question 42

What are the two primary Memory Protection methods?

Answer 42

Segmentation - Divide data into logical units Paging - Divides memory into pages of equal size

Question 43

What are some properties of Segmentation in Memory Protection?

Answer 43

Good for security Challenging memory management Not used much in modern OSs

Question 44

What are some properties of Paging in Memory Protection?

Answer 44

Efficient memory management Less good for access control Extremely common in modern OSs

Question 45

How do Page Tables work?

Answer 45

All processes will see an individual linear address space Page tables are maps from linear address spaces to the physical address spaces

Question 46

What is Meltdown?

Answer 46

Meltdown is an exploit that allows people to read the privileged memory from the kernel address space

Question 47

How does Meltdown work?

Answer 47

Meltdown attempts to read a value from kernel memory by: - Reading from kernel - Mask out a single bit - Access user memory at that location

Question 48

How does Spectre work?

Answer 48

Spectre performs speculative evaluation to side-step application bounds checks It then masks a single bit, and then accesses user memory at that location

Question 49

What is the primary role of the OS?

Answer 49

Combine, in a compact way: - Identification - Authentication - Access Control - Auditing - User accounts to store permissions - Installation and configuration

Question 50

What is the pipeline for Access Control?

Answer 50

Subject/Principle - An active entity Object - Resource being accessed Access operation Reference monitor - Grants or denies access

Question 51

What are the differences between Principal and Subjects?

Answer 51

Principle - An entity that can be granted access to objects or can make statements affecting access control decisions Subjects - An active entity within an IT system e.g. process running under a user identity

Question 52

When are Principles used, and when are Subjects used?

Answer 52

Principle - Used when discussing security policies Subject - Used when discussing operational systems enforcing policies

Question 53

What are some properties of Objects?

Answer 53

Object - File or resource e.g. memory, printers, directories

Question 54

What are the two options for Objects that can be implemented in order to focus control?

Answer 54

What a subject is allowed to do What may be done to a subject

Question 55

What are the two different types of Ownership?

Answer 55

Discretionary - Owner can be defined for each resource Mandatory - Could be a system-wide policy

Question 56

What are Groups in terms of the OS?

Answer 56

Users with similar access rights can be collected into groups Groups are given permissions to access objects

Question 57

What measures could you take to secure even from Root?

Answer 57

Give Write protection to the password file and group files Separate Superuser duties Never use root as a single user Audit su and sudo usage

Question 58

What are Inodes?

Answer 58

Inodes are a way of storing permission information They also store the metadata for files, where each file links to an inode which stores security information.

Question 59

What is SELinux?

Answer 59

Allows mandatory access control, role-based and multi-level security Objects and processes have contexts that allow SELinux to make access control decisions

Question 60

What does the Windows Security Subsystem do?

Answer 60

Runs in user mode Handles logon processes Handles Local Security Authority (LSA) Handles Security Account Manager (SAM)

Question 61

What does LSA do?

Answer 61

Checks user accounts Provides access token Responsible for auditing

Question 62

What does SAM do?

Answer 62

Maintains user account database used by LSA Encrypts/hashes passwords

Question 63

What is an Access Control Matrix?

Answer 63

Access rights are defined individually for each combination of subject and object, and the matrix holds these pairs

Question 64

What is a row in the ACM (Access Control Matrix) equivalent to?

Answer 64

A list of capabilities defined per user

Question 65

What is an Access Control List?

Answer 65

An Access Control List (ACL) is equivalent to a column in an ACM, and is stored within the object itself. It outlines what users have what type of access to an object

Question 66

How are Groups made up?

Answer 66

Groups are collections of SIDs and can itself be an SID.

Question 67

What are Access Tokens?

Answer 67

Security credentials for a login session, stored in an access token. It identifies the user, the user's groups, and the user's privileges.

Question 68

What are Window's equivalent of Subjects?

Answer 68

Processes and Threads New processes get a copy of the parent access token, possibly modified

Question 69

What is a possible problem with Access Tokens?

Answer 69

Individual access tokens are immutable, and can live beyond policy changes

Question 70

What does User Account Control govern?

Answer 70

User Account Control is a system that allows a user to spawn a process with the other token, or switch a process's token

Question 71

What do Domains contain?

Answer 71

Domains have a centralised security administration, and a Domain Controller. It is single sign-on for network resources, and multiple Domains allow for decentralisation by nature

Question 72

What are Domain Controllers?

Answer 72

They handle user accounts and access control, as well as use trusted 3rd parties for authentication purposes.

Question 73

What does the logon process contain for Windows?

Answer 73

Logon process contains: - Winlogon - Process responsible for authenticating users - Local Security Authority (LSA) - An authentication package (NTLM and Kerberos) - Security Account Manager (SAM) - Additional Credential providers, if applicable

Question 74

How does a domain logon differ from standard Interactive Logon in Windows?

Answer 74

Replaces NTLM with Kerberos Replaces SAM with an Active Directory Domain Controller Checks of a user are now performed on the remote LSA