Application and OS Security Flashcards
What is the main function of an OS from a bottom-up view?
A collection of computer programs that manage the computer’s resources, such as the CPU, memory and disk drives.
What is the main function of an OS from a top-down view?
A collection of computer programs that provide an interface between a user and the hardware.
What does each device have connected to the bus?
a device controller
What does a device driver do?
- communicates with the device controller
- enables data to be transferred between buffer and main memory
What must a CPU be able to do?
- distinguish between OS and application programs
- prevent application programs from executing privileged instructions
When is a bootstrap program loaded?
at power up or reboot
What is a bootstrap?
a technique of loading a program into a computer by means of a few initial instructions which enable the introduction of the rest of the program from an input device.
What is firmware?
a combination of a hardware device and computer instructions or computer data that reside as read-only software on the hardware device.
What does BIOS mean?
Basic Input/Output System
What is the primary role of the BIOS?
to initialise and test hardware components and load the OS
What could malicious BIOS modification lead to?
- a permanent denial of service
- a persistent malware presence
What are the 5 steps of booting?
- execute BIOS boot block
- initialise and test low-level hardware
- load additional firmware modules
- select boot device
- use boot loader to load OS and run it
What does UEFI stand for?
Unified Extensible Firmware Interface
What do UEFI specs define?
interface between OS and firmware
What are 3 ways the bootloader can be attacked?
- user-initiated installation of new BIOS code (most difficult to address)
- malware could re-flash the system BIOS
- network-based system management tools could cause an organisation-wide BIOS update attack
What is SMM?
System Management Mode - an operating mode of x86 CPUs
What rootkits are in ring 3?
Usermode rootkits
What rootkits are in ring 0?
Kernelmode rootkits
What rootkits are in ring -1?
Hypervisor rootkits (Blue Pill)
What rootkits are in ring -2?
SMM rootkits
What does TPM stand for?
Trusted Platform Module
What is a TPM designed for?
- a low-cost chip
- embedded in a computing platform
- an international standard for a secure cryptoprocessor
What is a cryptoprocessor?
a dedicated microcontroller designed to secure hardware through integrated cryptographic keys
What does the TPM provide?
- a random number generator
- facilities for the generation of cryptographic keys
- remote attestation to create a nearly unforgeable hash key summary of the hardware and software configuration
- binding: encrypts data using the TPM bind key
- sealing: specifies the TPM state that must be present for the data to be decrypted
What types of TPM are there?
- Discrete
- Integrated
- Firmware
- Software
- Virtual
What are the 2 main application attacks?
“user-provided input” and “interactions with other systems”
What is a symlink attack?
the attacker creates a symlink to a file accessible only to the superuser
What are command line attacks?
directory traversal in path names, command injection attacks, buffer overflows
What assumption do buffer overflow attacks exploit?
that inputs will be smaller than a certain size, and that the buffer is created to be exactly that size.
What is the problem with buffer overflow attacks?
detectability
What happens in a remote attack?
the attacker manipulates the behaviour of applications over a network connection
What is the goal of a remote attack?
to execute operations on the attacked host
What happens in a local attack?
the attacker manipulates the behaviour of applications through local injection
What does a local attack assume?
there’s a previously established presence on the machine
What is the goal of a local attack?
to execute operations with different/superior privileges