SystemsSec 2016W Lecture 4

From Soma-notes
Latest revision as of 15:55, 11 February 2016

Topics & Readings


  • chroot jails
  • MULTICS
  • Trent Jaeger's Operating Systems Security textbook
  • TCP/IP Illustrated

Class Notes


Jails

A chroot jail confines a single process to a subtree of the filesystem. The jailed process should run as a non-root user: root inside a chroot is not really confined and can get back out, so chroot on its own is not a security boundary for a privileged process.

  • a proper jail (jail(2)) is a FreeBSD mechanism, not really a Linux thing; Linux only has the older chroot(2) call that jails are built on
  • limiting the visible hierarchy so that a non-root directory looks like the root directory; everything the process needs (binaries, libraries, device nodes, config files) has to be duplicated inside the jail so that nothing seems weird
  • the "fake root" user gets jailed into a subset of the hierarchy and is not supposed to have real root privileges, which in practice means dropping to an unprivileged uid once inside
  • in the kernel the process simply has a different root directory; to the jailed process it still looks like /
  • one kernel space, multiple user spaces
  • kind of like OS virtualization
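Entering a chroot jail in practice, as an added example that is not from the lecture notes. On Linux chroot(2) needs CAP_SYS_CHROOT, so the program starts as root, calls chroot() and then chdir("/"), drops supplementary groups, gid and uid in that order, and finally checks that root cannot be regained, because a process that stays root inside a chroot is not confined. The jail directory, uid and gid come from the command line, and the choice of /bin/sh as the thing to run is an assumption for illustration: the exec fails unless the jail contains its own copy of /bin/sh and the libraries it needs, which is the "duplicate the hierarchy" point above.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to an unprivileged identity. Order matters: supplementary groups
 * first (only possible while still root), then gid, then uid; once the uid
 * is unprivileged the earlier calls would no longer be permitted.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* The drop must be irreversible: if root can still be regained, the
     * "jailed" process is not actually confined. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Make dir the process's root directory, then drop privileges.
 * chdir("/") is required: otherwise the working directory stays outside
 * the new root and relative paths keep resolving in the real filesystem.
 * The chroot() call needs CAP_SYS_CHROOT, i.e. root. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (chroot(dir) != 0)
        return -1;
    if (chdir("/") != 0)
        return -1;
    return drop_privileges(uid, gid);
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <jail-dir> <uid> <gid>\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    if (enter_jail(argv[1], uid, gid) != 0) {
        fprintf(stderr, "enter_jail(%s): %s\n", argv[1], strerror(errno));
        return 1;
    }
    /* Only the duplicated hierarchy exists inside the jail: this exec fails
     * with ENOENT unless <jail-dir>/bin/sh and its libraries were copied in.
     * /bin/sh is an assumed target chosen for illustration. */
    execl("/bin/sh", "sh", (char *)NULL);
    fprintf(stderr, "execl(/bin/sh) inside jail: %s\n", strerror(errno));
    return 1;
}
```

Run it as root, for example `./jail /srv/jail 65534 65534` after copying sh and the libraries it links against into /srv/jail (the uid and gid of an unprivileged account such as nobody differ between systems, so take them from /etc/passwd). Without root the chroot() call fails with EPERM, which is exactly the property that makes the drop-privileges step necessary once inside.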
DD-WRT

DD-WRT is Linux-based replacement firmware for consumer routers. Linksys used to make router models that shipped with a Linux kernel, the WRT54G series, which is where the WRT in the name comes from.

Proxy vs VPN tunneling

  • a proxy (as discussed here, an HTTP proxy) works at the application layer and only carries the one protocol it understands
  • a VPN tunnels all of the host's IP traffic, whatever the application

If you're having a hard time understanding networking, look into reading the three volumes of TCP/IP Illustrated. They are highly recommended by Anil.

(Complex Security) Policies

"Suck, don’t make them." - Anil, 2016. We can’t approximate how humans approach information with logic systems, so we shouldn't try.

MULTICS

Multiplexed Information and Computing Service

  • supposed to be a “grown up” OS
  • first OS to take security seriously
  • took a "shotgun approach" to security, too much generality
  • implemented a protection ring system (eight rings, enforced in hardware on the later machines) which was overly complicated

UNIX

The ancestor of the GNU/Linux systems we use today (UNIX itself was proprietary; GNU stands for "GNU's Not Unix"). All praise to the GNU.

  • simplest security mechanisms, most usable

SELinux

Security Enhanced Linux

A set of kernel modifications (today shipped as a Linux Security Module) whose goal is to make Linux more secure by adding mandatory access control: every access is checked against a system-wide policy, mostly type enforcement rules of the form "this type of process may do these operations on that type of object", and anything the policy does not allow is denied regardless of file permissions or user identity.

Reference Monitor

  • software that mediates all security decisions: every access by a subject (a process) to an object (a file, socket, device, ...) goes through it; the classic requirements are that it is always invoked (complete mediation), tamperproof, and small enough to be verified
  • MULTICS was designed to have a reference monitor, enforced by its ring system
  • UNIX doesn't really have one: the kernel checks permissions on each system call, but setuid programs make many security decisions in user space, so processes (kind of) mediate security decisions together
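A toy reference monitor in the SELinux style, as an added example written for these notes rather than code from SELinux itself, covering both the SELinux section and the reference monitor points above. It parses rules in SELinux's own allow-rule syntax (`allow src_t tgt_t:class { perms };`), answers every access question from one function (complete mediation), and denies anything the policy does not mention (default deny). The type names and the policy text are constructed for the example and are not a real policy module; a real SELinux policy is compiled and loaded into the kernel, which enforces it on every system call instead of in a library like this.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_RULES 64
#define MAX_PERMS 8
#define TOK_LEN 32

/* One type-enforcement rule in SELinux's policy syntax:
 *   allow <source_type> <target_type>:<class> { perm ... };
 * Anything the policy does not explicitly allow is denied. */
struct te_rule {
    char src[TOK_LEN], tgt[TOK_LEN], cls[TOK_LEN];
    char perms[MAX_PERMS][TOK_LEN];
    int nperms;
};
struct te_policy { struct te_rule rules[MAX_RULES]; int nrules; };

/* Parse one "allow" line into *r. Returns 0 on success, -1 on a syntax error. */
int te_parse_rule(const char *line, struct te_rule *r)
{
    static const char delim[] = " \t\r\n{}:;";
    char buf[256], *save = NULL, *tok;
    char *fields[3] = { r->src, r->tgt, r->cls };   /* source, target, class */

    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    memset(r, 0, sizeof *r);
    tok = strtok_r(buf, delim, &save);
    if (tok == NULL || strcmp(tok, "allow") != 0) return -1;
    for (int i = 0; i < 3; i++) {
        tok = strtok_r(NULL, delim, &save);
        if (tok == NULL || strlen(tok) >= TOK_LEN) return -1;
        strcpy(fields[i], tok);
    }
    while ((tok = strtok_r(NULL, delim, &save)) != NULL) {   /* permissions */
        if (r->nperms >= MAX_PERMS || strlen(tok) >= TOK_LEN) return -1;
        strcpy(r->perms[r->nperms++], tok);
    }
    return r->nperms > 0 ? 0 : -1;
}

/* Load a policy, one rule per line; '#' lines are comments. Returns the rule
 * count, or -1 on any syntax error: a policy that does not parse completely
 * must not be enforced partially. */
int te_load(struct te_policy *p, const char *text)
{
    char buf[2048], *save = NULL, *line;

    if (strlen(text) >= sizeof buf) return -1;
    strcpy(buf, text);
    p->nrules = 0;
    for (line = strtok_r(buf, "\n", &save); line; line = strtok_r(NULL, "\n", &save)) {
        while (*line == ' ' || *line == '\t') line++;
        if (*line == '\0' || *line == '#') continue;
        if (p->nrules >= MAX_RULES) return -1;
        if (te_parse_rule(line, &p->rules[p->nrules]) != 0) return -1;
        p->nrules++;
    }
    return p->nrules;
}

/* The reference monitor proper: every access question is answered here and
 * nowhere else (complete mediation), from the loaded policy only, default deny. */
bool te_allowed(const struct te_policy *p, const char *src, const char *tgt,
                const char *cls, const char *perm)
{
    for (int i = 0; i < p->nrules; i++) {
        const struct te_rule *r = &p->rules[i];
        if (strcmp(r->src, src) || strcmp(r->tgt, tgt) || strcmp(r->cls, cls)) continue;
        for (int j = 0; j < r->nperms; j++)
            if (strcmp(r->perms[j], perm) == 0) return true;
    }
    return false;   /* not mentioned by any rule: denied */
}

/* Constructed sample policy for this example; not a real SELinux module. */
const char TE_SAMPLE_POLICY[] =
    "# the web server may read its content and append to its logs, nothing else\n"
    "allow httpd_t httpd_sys_content_t:file { read getattr open };\n"
    "allow httpd_t httpd_log_t:file { append create };\n"
    "allow sshd_t shadow_t:file read;\n";

int main(void)
{
    struct te_policy p;
    const char *q[][4] = {
        { "httpd_t", "httpd_sys_content_t", "file", "read" },   /* allowed */
        { "httpd_t", "shadow_t", "file", "read" },              /* denied */
        { "httpd_t", "httpd_sys_content_t", "file", "write" },  /* denied */
    };
    if (te_load(&p, TE_SAMPLE_POLICY) < 0) return 1;
    for (int i = 0; i < 3; i++)
        printf("%s %s %s:%s -> %s\n", q[i][0], q[i][3], q[i][1], q[i][2],
               te_allowed(&p, q[i][0], q[i][1], q[i][2], q[i][3]) ? "allowed" : "denied");
    return 0;
}
```

The two design choices worth noticing are the ones the reference monitor definition demands: te_allowed is the only place a decision is made, so there is no second code path that could skip the check, and a policy that fails to parse is rejected as a whole rather than enforced with whatever rules happened to load before the error.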

Important Questions


Jails

  • What is an OS jail?
  • What would happen if a user broke out of a jail?

MULTICS

  • What is it?
  • What was good/bad about MULTICS?
  • How did MULTICS affect UNIX?

Reference Monitor

  • What is it?
  • What is its role in an OS?
  • How is it implemented in UNIX and MULTICS?