OS Security

Question 1

What are the four types of operating system architecture?

Answer 1

The four types are:

1. Basic Operating Systems:
   
   • Designed for minimal tasks with limited resources, often found in embedded systems like microcontrollers. They provide basic functions such as simple scheduling and I/O management without advanced features like multitasking or user interfaces.
   • Trust Boundary: Encompasses the whole system; limited isolation.
2. Monolithic Operating Systems:
   
   • All essential OS functions (e.g., file system, memory management, device drivers) are integrated into a single, large kernel that runs in a single address space. This design can offer high performance due to fewer context switches but can be harder to maintain and less secure because a bug in any part of the kernel can affect the entire system.
   • Trust Boundary: Single boundary for entire kernel; vulnerabilities affect the whole OS.
3. Multiserver Operating Systems:
   
   • This architecture spreads OS services across multiple servers running in user space, with a minimal kernel managing communication between them. This design increases modularity, making the system easier to update and maintain, and enhances fault tolerance, as failures in one server don’t typically crash the entire OS.
   • Trust Boundary: Each server has its own boundary; better isolation and fault tolerance.
4. Hypervisor-Based Operating Systems:
   
   • The OS runs virtual machines on top of a hypervisor, which acts as a thin layer between the hardware and multiple OS instances. This allows for better resource allocation, isolation, and security, enabling different operating systems to run concurrently on the same physical hardware. Common in cloud computing and virtualisation environments.
   • Trust Boundary: VMs are isolated within their own boundaries; hypervisor forms a critical boundary between hardware and VMs.

Question 2

What are the Saltzer and Schroeder security principles?

Answer 2

The Saltzer and Schroeder principles, outlined in their 1975 paper “The Protection of Information in Computer Systems,” are a set of foundational guidelines for designing secure systems. These principles have had a lasting influence on computer security practices. Here’s a summary of each principle:

1. Least Privilege:
   
   • Users and programs should operate with the minimal level of access necessary to perform their tasks. This reduces the potential damage from accidents or malicious actions by limiting access to sensitive resources.
2. Separation of Privilege:
   
   • Access to resources should be granted based on multiple conditions or credentials, rather than relying on a single access control mechanism. This reduces the risk that a single point of failure could lead to a security breach.
3. Economy of Mechanism:
   
   • Security mechanisms should be as simple as possible. Simplicity reduces the chances of errors and vulnerabilities, making the system easier to understand, implement, and manage securely.
4. Open Design:
   
   • The security of a system should not rely on the secrecy of its design or implementation. Instead, security should depend on the robustness of the mechanisms in place, assuming the design could be publicly known.
5. Complete Mediation:
   
   • Every access to every resource should be checked against security policies. This ensures that access controls are consistently enforced and that no resource is left unprotected.
6. Fail-Safe Defaults:
   
   • The default configuration should deny access, rather than permit it. Access should only be granted explicitly, and in the event of a failure, the system should default to a secure state.
7. Least Common Mechanism:
   
   • Resources and mechanisms used by multiple users or processes should be minimized to reduce the risk of unintentional information sharing or security breaches through shared resources.
8. Psychological Acceptability:
   
   • Security mechanisms should be designed so that they do not interfere unduly with the usability of the system. If security measures are too cumbersome, users may try to bypass them, weakening overall security.

These principles aim to create systems that are secure, reliable, and manageable, by promoting a balanced approach to security that accounts for both technical and human factors.

Question 3

What are the revised security principles amended by R.E.Smith?

Answer 3

1. Continuous Improvement:
   
   • Continuously evaluate and refine security practices to improve effectiveness. This involves regularly reviewing security measures, learning from incidents, and making iterative enhancements, similar to the principles in modern standards like ISO 27001.
2. Least Privilege:
   
   • Grant users and processes the minimum access rights necessary to perform their tasks. This minimises potential damage in case of a breach by limiting what an attacker can access if they compromise a lower-privilege account.
3. Defence in Depth:
   
   • Layer multiple, independent security controls throughout the system. This strategy ensures that if one layer fails, others will still protect the system, forcing attackers to overcome multiple barriers to succeed.
4. Open Design:
   
   • Design security mechanisms that remain secure even if their inner workings are known. This promotes transparency and trust while relying on the strength of the implementation, not secrecy, to ensure security.
5. Chain of Control:
   
   • Ensure that only trusted software is executed, or that software actions are controlled to enforce security policies. This principle prevents unauthorised code (like malware) from gaining control, similar to maintaining a chain of custody for evidence.
6. Deny by Default:
   
   • Start with all access denied, and only allow access that has been explicitly granted according to security policies. This principle ensures that any access not explicitly authorised is automatically blocked, enhancing security.
7. Transitive Trust:
   
   • Understand that if one entity trusts a second entity, and the second entity trusts a third, then the first implicitly trusts the third. Recognising this helps manage the risks associated with extended trust chains in security systems.
8. Separation of Duty:
   
   • Split critical tasks into distinct elements that must be completed by different individuals or processes. This reduces the risk of fraud or error by ensuring that no single person or entity has control over the entire process.

R. E. Smith, “A Contemporary Look at Saltzer and Schroeder’s 1975 Design Principles,” in IEEE Security & Privacy, vol. 10, no. 6, pp. 20-25, Nov.-Dec. 2012, doi: 10.1109/MSP.2012.85.
keywords: {Information security;Standards;Cryptography;Design methodology;Privacy;Computer security;security;protection mechanisms;Saltzer;Schroeder},

Question 4

What are the typical high-level server hardening techniques?

Answer 4

Typical server hardening techniques:

1. Minimise Installed Software:
   
   • Uninstall or disable any unnecessary services, applications, and packages that are not required for the server’s primary function. This reduces the attack surface by limiting the number of potential entry points that attackers can exploit.
2. Apply Regular Updates:
   
   • Regularly update the server’s operating system and all installed software to apply security patches. This helps protect the server from vulnerabilities that could be exploited by attackers. Automate updates where possible, but test critical patches before deployment to avoid compatibility issues.
3. Use Strong Authentication:
   
   • Enforce strong password policies that require complex and unique passwords. Implement multi-factor authentication (MFA) to add an additional layer of security. Limit the use of root or administrative accounts, and prefer using role-based accounts with the minimum privileges necessary.
4. Configure Firewalls:
   
   • Set up firewalls to filter incoming and outgoing traffic, only allowing necessary ports and services to be accessible. Use both software (host-based) firewalls and, where applicable, network firewalls to provide layered security.
5. Secure Remote Access:
   
   • Disable remote access protocols that are not needed, such as Telnet, and use encrypted protocols like SSH for remote management. Restrict remote access to specific IP addresses or ranges using firewall rules, and consider using VPNs for additional security.
6. Disable Unused Network Protocols:
   
   • Turn off network protocols that are not in use, such as FTP, SMB, or SNMP, to prevent them from being exploited. This reduces the risk of vulnerabilities in these protocols being used to compromise the server.
7. Implement Access Controls:
   
   • Use file and directory permissions to restrict access to sensitive data and system files. Ensure that users and processes operate with the least privileges necessary, and regularly audit permissions to ensure they are properly set.
8. Enable Logging and Monitoring:
   
   • Enable logging of critical system events, such as login attempts, file access, and configuration changes. Regularly monitor logs for unusual or suspicious activity, and set up alerts for specific events that may indicate a security breach.
9. Use Intrusion Detection/Prevention Systems (IDS/IPS):
   
   • Deploy IDS/IPS to monitor network traffic and system behaviour for signs of malicious activity. IDS can alert you to potential attacks, while IPS can actively block or prevent these attacks from succeeding.
10. Encrypt Data:
    
    • Encrypt sensitive data both at rest (stored data) and in transit (data being transmitted over networks). Use strong encryption standards to protect against unauthorised access, and ensure encryption keys are securely managed.
11. Secure Configuration Management:
    
    • Use configuration management tools (e.g., Ansible, Puppet) to enforce consistent security settings across all servers. Regularly audit configurations to ensure they comply with security policies and industry best practices.
12. Disable Unnecessary Accounts:
    
    • Identify and disable any default, unused, or unnecessary user accounts on the server. This prevents these accounts from being exploited by attackers, especially if they have default passwords or elevated privileges.

These detailed steps help strengthen the security of servers, making them more resilient to attacks and reducing the likelihood of security breaches.

Question 5

What are the typical low-level hardening techniques for securing operating systems?

Answer 5

Here’s an expanded list of low-level hardening techniques for operating systems, incorporating the concepts of security perimeters as described in Cybersecurity Essentials:

1. Kernel Hardening:
   
   • Modify and configure the OS kernel to reduce its attack surface by disabling unnecessary modules and enabling security features like address space layout randomisation (ASLR). Kernel hardening prevents exploits that target the kernel’s vulnerabilities, such as tampering with variable values or redirecting execution flow to an adversary-controlled exception handler.
2. Control Flow Integrity (CFI):
   
   • Implement CFI to ensure that the execution flow of programs follows legitimate paths, reducing the risk of control flow hijacking attacks like return-oriented programming (ROP).
3. Memory Protection:
   
   • Use Data Execution Prevention (DEP) to prevent code execution from non-executable memory regions. Enable stack canaries and buffer overflow protections to defend against memory corruption exploits, securing the OS’s inner perimeter.
4. Mandatory Access Control (MAC):
   
   • Implement MAC systems like SELinux or AppArmor to enforce strict access controls over system processes and files. This enhances security by limiting the damage that can be done by compromised processes, protecting the system’s inner perimeter.
5. Secure Boot:
   
   • Enable Secure Boot to ensure that only trusted and signed software components are loaded during the system’s boot process. This prevents unauthorised code, such as rootkits, from loading, effectively securing the transition from the BIOS (outer perimeter) to the OS (inner perimeter).
6. System Call Filtering:
   
   • Use tools like seccomp in Linux to restrict the system calls that a process can make. By allowing only a minimal set of necessary system calls, you can reduce the risk of exploits that abuse system calls, safeguarding the inner perimeter.
7. Patch Management:
   
   • Regularly apply patches and updates to all system components, including the OS kernel, bootloader, and system libraries. This addresses vulnerabilities before they can be exploited and is a crucial part of maintaining the security of the inner perimeter.
8. Hardware Security Features:
   
   • Leverage hardware-based security features such as Intel’s Trusted Execution Technology (TXT) or ARM’s TrustZone to protect the system from low-level attacks, like hardware rootkits or physical tampering. These features help secure both the outer and inner perimeters.
9. Device Driver Hardening:
   
   • Secure device drivers by ensuring they are signed, regularly updated, and free of unnecessary functionality. Vulnerabilities in device drivers can lead to privilege escalation, compromising the inner perimeter.
10. File System Integrity:
    
    • Implement tools like Tripwire or AIDE to monitor and verify the integrity of critical system files. Detecting unauthorised changes to system files can indicate a breach, helping to protect the system’s interior (digital data).
11. Disable Unused Hardware Interfaces:
    
    • Disable or restrict access to unused hardware interfaces, such as USB ports, FireWire, or Thunderbolt, to prevent physical access attacks (outer perimeter). Disabling unused ports via BIOS settings and securing the BIOS with a password can prevent attackers from introducing vulnerabilities via hardware ports.
12. Firmware Protection:
    
    • Regularly update and secure system firmware, such as BIOS/UEFI, to protect against firmware-level attacks. Securing the BIOS with a password and using features like Intel Boot Guard can prevent unauthorised access and modifications, securing the outer perimeter.
13. Physical Access Controls:
    
    • Control physical access to devices by using RFID access cards, keyed entry, or lockable enclosures. Preventing unauthorised physical access to the device itself is crucial for securing the outer perimeter, ensuring that attackers cannot tamper with hardware or install malicious devices.
14. BIOS Security Settings:
    
    • Use the BIOS to disable unnecessary hardware ports and the ability to boot from removable media. Protect the BIOS with a password to prevent unauthorised changes. Regularly update the BIOS firmware as part of hardware-level system hardening, securing the outer perimeter.
15. Docking Stations and Device Locks:
    
    • Use docking stations with security features and device locks to physically secure devices against theft or tampering. These measures reinforce the security of the outer perimeter by limiting physical access to the device.

By applying these low-level hardening techniques across the defined security perimeters (outer perimeter, inner perimeter, and interior), you can create a more secure and resilient operating system environment. Each technique helps protect different aspects of the system from a wide range of potential threats.

Question 6

What are the threats to a system’s BIOS?

Answer 6

Summary of Threats to BIOS

The system BIOS is a critical component that must be protected to maintain the integrity of a computer system. Here are the primary threats to the BIOS:

1.	Supply Chain Attacks:
•	The BIOS can be compromised during the supply chain before the system reaches its final destination. This could involve the installation of an unapproved BIOS. While supply chain security is outside the scope of the provided guidelines, processes are recommended to identify and remediate compromised systems.
2.	User-Initiated Installation of Malicious BIOS:
•	Users with physical access to the system can install a malicious or unapproved BIOS using BIOS update utilities. The guidelines acknowledge that it is challenging to prevent such installations if physical access is available but suggest methods to detect and recover from these incidents.
3.	Malware Exploitation:
•	Malware can exploit vulnerabilities in the BIOS or weak security controls to modify or reflash the BIOS. Although this requires sophisticated, targeted attacks rather than general-purpose malware, the guidelines focus on preventing these types of BIOS compromises.
4.	Network-Based Attacks via System Management Tools:
•	Network-based management tools could be hijacked to launch widespread attacks on an organisation’s BIOS infrastructure. For instance, a compromised update server could distribute a malicious BIOS to all systems within an organisation. This type of attack is highly impactful but requires insider access or a breach of the update process.
5.	BIOS Rollback Attacks:
•	Attackers could revert a system to a previous version of the BIOS that, while authentic, contains known vulnerabilities. This attack is subtle because the BIOS is technically legitimate but exposes the system to security risks.

Question 7

What are the recommended practices for securing a system bios according to NIST?

Answer 7

Summary of Recommended BIOS Management Practices

1. Provisioning Phase:
   
   • Inventory and Tracking: Identify and monitor BIOS image characteristics (e.g., version, manufacturer) for all systems.
   • Golden Master Image: Maintain a secure offline copy of each approved BIOS version, including older versions.
   • Root of Trust for Update (RTU): Securely maintain the key store and signature verification algorithm if the RTU is configurable. For organisations actively involved in BIOS authentication, securely manage private keys under multi-party control.
2. Deployment Phase:
   
   • Secure Provisioning: Use the secure local update process to install the approved BIOS and configure the RTU before deployment.
   • Baseline Configuration: Establish and enforce a common configuration baseline, ensuring integrity protection and non-bypassability features are enabled.
3. Operation and Maintenance Phase:
   
   • Change Management: Perform BIOS updates using a formal change management process, documenting changes in the configuration plan.
   • Continuous Monitoring: Monitor BIOS image and configuration baselines for deviations. Investigate and remediate any unapproved changes as part of incident response.
   • Authenticated Updates: Use authenticated updates for adding capabilities or fixing vulnerabilities, with multi-party control over private keys.
4. Recovery Phase:
   
   • Rollback and Recovery: If a BIOS update fails or the BIOS is compromised, use the secure local update process to restore a secure baseline. Validate configuration against organisational policies after recovery.
5. Disposition Phase:
   
   • Data Removal: Remove or destroy sensitive data from the BIOS before system disposal. Reset the BIOS configuration to the manufacturer’s defaults, delete passwords, and remove organisation-specific customisations to prevent data leakage.

These practices help ensure the integrity, security, and proper management of BIOS throughout the system’s lifecycle.