Difference between revisions of "SystemsSec 2016W Lecture 4"
Jump to navigation
Jump to search
Jessjohnson (talk | contribs) |
Jessjohnson (talk | contribs) |
||
| (10 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
* chroot jails | * chroot jails | ||
* MULTICS | * MULTICS | ||
* Trent Jaeger's ''Operating Systems Security'' textbook | |||
* TCP IP Illustrated | |||
===Class Notes=== | ===Class Notes=== | ||
---- | ---- | ||
====Jails==== | ====Jails==== | ||
A chroot jail isolates a single process from the rest of the system, and should be used by non-root users. | |||
* BSD mechanism, not really a Linux thing | * BSD mechanism, not really a Linux thing | ||
* limiting hierarchy to make a non-root dir seem like the root dir, forces hierarchy to be duplicated so that nothing seems weird | * limiting hierarchy to make a non-root dir seem like the root dir, forces hierarchy to be duplicated so that nothing seems weird | ||
| Line 21: | Line 23: | ||
* proxies are for HTTP specifically | * proxies are for HTTP specifically | ||
* VPN is for any internet traffic | * VPN is for any internet traffic | ||
If you're having a hard time understanding networking, [https://en.wikipedia.org/wiki/TCP/IP_Illustrated ''TCP IP illustrated''] , look into reading these 3 volumes. They are highly recommended by Anil. | |||
====(Complex Security) Policies==== | ====(Complex Security) Policies==== | ||
''"Suck, don’t make them."'' - Anil, 2016. | |||
We can’t approximate how humans approach information with logic systems, so we shouldn't try | We can’t approximate how humans approach information with logic systems, so we shouldn't try. | ||
====MULTICS==== | ====MULTICS==== | ||
'''Mult'''iplexed '''I'''nformation and '''C'''omputing '''S'''ervice | |||
* supposed to be a “grown up” OS | * supposed to be a “grown up” OS | ||
* first OS to take security seriously | * first OS to take security seriously | ||
| Line 36: | Line 38: | ||
====UNIX==== | ====UNIX==== | ||
Our favourite open sourced OS. All praise to the GNU. | Our favourite open sourced OS. All praise to the GNU. | ||
* simplest mechanisms, most usable | * simplest security mechanisms, most usable | ||
====SELinux==== | ====SELinux==== | ||
'''S'''ecurity '''E'''nhanced Linux | '''S'''ecurity '''E'''nhanced Linux | ||
A set of kernel modifications whose goals are to make the Linux kernel more secure. These mainly include implementing and enforcing security policies. | A set of kernel modifications whose goals are to make the Linux kernel more secure. These mainly include implementing and enforcing security policies. | ||
Latest revision as of 11:55, 11 February 2016
Topics & Readings
- chroot jails
- MULTICS
- Trent Jaeger's Operating Systems Security textbook
- TCP IP Illustrated
Class Notes
Jails
A chroot jail isolates a single process from the rest of the system, and should be used by non-root users.
- BSD mechanism, not really a Linux thing
- limiting hierarchy to make a non-root dir seem like the root dir, forces hierarchy to be duplicated so that nothing seems weird
- fake root user gets ‘jailed’ into subset of hierarchy, and doesn’t really have real root privileges
- process has a different root dir in kernel, but to the fake root user it still seems like the root dir
- one kernel space, multiple user spaces
- kind of like OS virtualization
DD-WRT
DD-WRT is firmware for routers. LinkSys used to make a router models that came with a Linux kernel on them, the WRT54G series.
Proxy vs VPN tunneling
- proxies are for HTTP specifically
- VPN is for any internet traffic
If you're having a hard time understanding networking, TCP IP illustrated , look into reading these 3 volumes. They are highly recommended by Anil.
(Complex Security) Policies
"Suck, don’t make them." - Anil, 2016. We can’t approximate how humans approach information with logic systems, so we shouldn't try.
MULTICS
Multiplexed Information and Computing Service
- supposed to be a “grown up” OS
- first OS to take security seriously
- took a "shotgun approach" to security, too much generality
- implemented a ring system which was overly complicated
UNIX
Our favourite open sourced OS. All praise to the GNU.
- simplest security mechanisms, most usable
SELinux
Security Enhanced Linux
A set of kernel modifications whose goals are to make the Linux kernel more secure. These mainly include implementing and enforcing security policies.
Reference Monitor
- software that mediates all security decisions
- MULTICS designed to have a reference monitor, which was their ring system
- UNIX doesn’t really have one, processes (kind of) moderate security decisions together
Important Questions
Jails
- What is an OS jail?
- What would happen if a user broke out of a jail?
MULTICS
- What is it?
- What was good/bad about MULTICS?
- How did MULTICS affect UNIX?
Reference Monitor
- What is it?
- What is it's role in an OS?
- How is it implemented in UNIX and MULTICS?