Reference Monitors & OS Security Flashcards

1
Q

what is the security kernel (rmb that CO guy from 2018)

A

He’s a fast runner, he plays soccer maybe, and he creates the referee,

Hardware, firmware and
software elements of a TCB
that implement the reference
monitor concept.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

TCB (trusted computer base)

A
The totality of protection
mechanisms within a computer
system – including hardware,
firmware, and software – the
combination of which is
responsible for enforcing a
security policy.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What are the requirements of reference monitors. RM is implemented by kernel (colonel) so it represents SAF. That leads to total vehicular control.

A

Function Requirement: Complete meditation
Security Requirement: Tamper Proof
Assurance Requirement: Verifiable
I mean this is kinda intuitive also

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Complete mediation

A

The reference validation mechanism must

always be invoked.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Tamper-proof

A

The reference validation mechanism must

be tamper-proof.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Verifiable

A

The reference validation mechanism must
be small enough to be analysed and
tested

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

placing RM hardware

A

access control mechanisms in microprocessors

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

placing RM OS kernel

A

hypervisor, i.e. a virtual machine that

emulates the host computer it is running on. Referee with sunglasses.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

placing RM Services layer

A

access control in database systems, Java Virtual Machine, .NET Common Language Runtime, or CORBA middleware architecture.

Referee sips an 8 bit coffee shaped like a computer

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

placing RM Operating system

A

access control in Unix and Windows 2000

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

placing RM Application

A

security checks in the application code to address application specific requirements

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

AllFather Speaks: Orphan Kills Heimdallr

A

Application, services, operatingsystem, kernel (wear killer sunglasses/vizors), hardware

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Operating System Integrity

A

Assume that your O/S prevents unauthorized access to resources (as long as it works as intended)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Ey say more about tamper proof requirement

A

• To bypass protection, an attacker may try to disable the security controls by
modifying the O/S.
• An integrity problem: the O/S is not only the arbitrator of access requests, it
is itself an object of access control.
• Users must not be able to modify the operating system.

don’t fuck with the boy,ogre. the boy controls weapons but the boy is a weapon

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What are the 2 competing requirements in OS integrity, and what are the concepts used to achieve these goals

A

Users should be able to use (invoke) the O/S. Solved by status information
Users should not be able to misuse the O/S/ Solved by controlled invocation or restricted privilege.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is the status flag

A

To protect itself, an O/S must be able to distinguish computations ‘on behalf’ of
the O/S from computations ‘on behalf’ of a user.

Status flag allows system to work in different modes

the computer lady from little britain goes up to the entrance to a different party. the butler asks, are you for yourself or bill gatees.

Intel 80x86: two status bits and four modes
 Unix distinguishes between user and superuser (root)

For example, to stop users from writing directly to memory and corrupting the logical file structure, the OS grants write access to memory locations only if the processor is in supervisor mode.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

If a user wants to write to memory (requires supervisor mode) then the system has to switch between nodes. How is this done

A

Changing the status bit to supervisor mode would give all supervisor privileges to the user

Controlled invocation: Invocation of a function that executes privileged instructions to provide a limited, well defined functionality, and then
return to user mode.

So the computer lady, me in a dress, looks my ben ten watch. see it glow 0 in a faint green glow in the night sky. the air is humid. Option 1, I turn the watch to 1. I hear the click of the watch, bill gates’ silhouette appears on it and I turn into it. I am in supervisor mode now.
Option 2, I bring out my phone, with confidence and ego i call bill gates and he gives me the functionality to write to memory (enter the orange ball).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

why is there a need for security mechanisms at the core

A

 Security mechanisms in a given layer can be compromised from a layer
below.
 To evaluate security, you must check that security mechanisms cannot
be bypassed.
 The more complex a system, the more difficult this check becomes. At
the core of a system you may find simple structures which are amenable
to thorough analysis.

tldr: you create a very skinny man with a body shape like an apple core. his heart’s poking out, it’s quite terrifying, like the seed in the apple core. he’s in charge of the base layer of the system

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

what are the benefits for putting security mechanisms at the core

A

Putting security mechanisms into the core of the system can reduce performance overheads caused by security

Processor performance depends on the right choice and efficient implementation of a generic set of operations that is most useful to the majority of users. The same holds for security mechanisms

Some sources assume that TCBs and security kernels must enforce multi-level security policies.

The skinny man with the core body has a sniper. see him somehow carry the weight of the barret. his eyes are bloodshot. he takes aim at UAVs flying overhead and shoots them. the people living above cheer.
he does not smile.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

RAM. Also sum up security characteristics of different types of memory.

A

reads and writes memory, no guarantee of confidentiality

There’s a goat-person with hooves. he has those weird goat eyes. you can both see and fuck with the goat person, like push him over.
The goat person is making what it thinks are heart eyes at edward cullen. edward cullen can’t be fucked with obviously. But he can be seen and whoops he sparkles and he’s got bill gates in his hands
Edward Cullen is distracted, checking out lil huddy. lil huddy keeps getting attacked by kpop tiktok bot stans.
Lil huddy is playing with a worm in between his fingers. the worm holds the secret to all existence, and has a wise face.
the worm drops, it shits. audit log

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

ROM (read only memory)

A

Provides integrity but not confidentiality, the ROM may store part of the OSq

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

EPROM (erasable and programmable read only memory)

A

could store parts of the OS or crypto keys; high tech attacks can soften this

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

WROM

A

Memory contents are frozen once and for all, by blowing a fuse placed on the write line, WROM could hold crypto keys or audit logs

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Volatile memory

A

Volatile memory loses its contents when power is switched off.
• Memory contents still present after a short power
loss.
• Can be reconstructed by special electronic techniques if power has been switched off for some time.
• To counter such attacks, memory has to be overwritten repeatedly with suitable bit patterns.

When you reboot derek, he still remembers some things. You can hack into him to try to reconstruct his old memories a while after he dies (his ghost), but erm, q hard. To solve this, derek repeatedly has his memory changed when alive.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Non-volatile (permanent) Memory
``` Non-volatile (permanent) memory keeps its content when power is switched off; if attacker can directly access memory bypassing the CPU, cryptographic or physical measures are needed to protect sensitive data. • E.g., a light sensor in a tamper resistant module may detect an attempted manipulation and trigger the deletion of the data kept in the module. ``` Jianyu remembers all things when he sleeps, shiva waking sleep something. If you try to peek inside, he self detonates.
26
what is confidential
you can't see my shit
27
what is integrity
you can't fuck with my shit. integrity, cant fuck w me confi, cena y'cant see me
28
What is IPC
A process has its own address space and communicates with other processes only through O/S primitives (Inter-Process Communication).  Logical separation of processes as a basis for security.  A context switch between processes can be an expensive operation.
29
is the context switch expensive
yes
30
what is a process
A program in execution, consisting of executable code, data, and the execution context, e.g. the contents of certain CPU registers.
31
what is a thread
Strands of execution within a process. Threads share an address space to avoid the overheads of a full context switch, but they also avoid potential security controls
32
Processes and threads are important units of control for the OS, and for security. They are the :
subjects of access control
33
how does the CPU deal with interruptions of executions created by errors
through exceptions, interrupts, and traps. Bill gates shaves his head and wears a tie why?
34
what is a trap.
special input to the CPU that includes an address (interrupt vector) in an interrupt vector table giving the location of the program (interrupt handler) that deals with the condition specified in the trap. satya nadella in a dress serves a list of IV bags in a table to bill gates. he raises an eyebrow. One of the IV bags is bloodied and has a torn off human hand on it. Bill gates pushes a small copy of himself onto a stack then gives a nod to the hand. the hand moves the watch of some fake bill gates to remove the supervisor bit. then it returns control of the world to the User. bill gates continues doing his own thing.
35
What does the OS have to do
1. Separate user space from OS space, 2. Logically separate users, 3. Restrict the memory objects a process can access at the Microsoft garden party, bill gates has a whole bar to himself that he doesn't let people enter. he then tells me that I can go to this bar table but not this other bar table. i can't go there, erm, there's a forcefield. I look at my ben ten watch. I don't do anything yet. I also feels my hot hair (sunny day) and look at the row of wigs in the classroom/bar over there that I can't access cos I don't have position. I tear my hair off.
36
What is the logical separation of users
1. File management | 2. Memory management
37
Segmentation Security
Segmentation divides memory into logical units of variable lengths. • A division into logical units is a good basis for enforcing a security policy. • Units of variable length make memory management more difficult.
38
Paging Security
Paging divides memory into pages of equal length. • Fixed length units allow efficient memory management. • Page faults may create a covert channel
39
Why is paging not a good basis for access control
 Paging is not a good basis for access control as pages are not logical units.  One page may contain objects requiring different protection.  When a process accesses a logical object stored on more than one page, a page fault occurs whenever a new page is requested.  A covert channel exists if page faults are observable.
40
Covert Channel
Consider a password scheme where the password entered is compared character by character with the reference password stored in memory. Access is denied the moment an incorrect match is found. If a password is stored across a page boundary, then observing a page fault indicates that the piece of the password on the first page has been guessed correctly. If the attacker can control where the password is stored on the page, password guessing becomes easy
41
how does the OS control access to data objects in memory
1 Operating system modifies the addresses it receives from user processes; e.g., address sandboxing. 2 Operating system constructs the effective addresses from relative addresses it receives from user processes; 3 Operating system checks whether the addresses it receives from user processes are within given bounds.
42
Address consists of
Segment identifier Offset
43
When the operating system receives an address, it sets the correct segment identifier as follows:
Bitwise AND of the address with mask_1 clears the segment identifier; bitwise OR with mask_2 sets the segment identifier to the intended value SEG_ID. look at tutorial notes
44
RELATIVE ADDRESSING
The address is specified by an offset relative to a given base address.
45
Fence registers
Base register addressing keeps users out of O/S space; fence register points to top of user space.
46
Bounds register
Define the bottom of the user space. Base and bounds registers allow to separate program from data space.
47
cybercrime Zoom
Zoom’s randomly-generated meeting ID No. could be predicted (and even brute-forceable), allowing bad actors to intrude, disrupt and eavesdrop on meetings. The company subsequently replaced meeting IDs with “cryptographically strong” one and made passwords default for users to join a meeting.  Security flaws in the app could let websites hijack Mac cameras. The company subsequently patched its software and uninstalled a local webserver that created the vulnerability.  The app sent data about a user’s time zone and city, as well as details about the user’s device to Facebook, even if the user did not have a Facebook account.  The company tightened their privacy policy after concerns surfaced about user’s personal information being used to target ads.  Zoom allegedly leaked user information because of an issue with how the app grouped contacts.  Zoom allegedly misled users to believe video meetings were secured with end-to-end encryption instead of transport encryption.
48
THE COVID-19 PANDEMIC HAS INCREASED THE | IMPORTANCE OF GOOD CYBER HYGIENE
Uptick in number of cases involving cybercriminals attempting to capitalise on COVID-19 to steal personal information and credentials which will allow them to gain access to networks and/or make financial gains.  There are fake contact tracing apps that are embedded with malware that can be used to conduct malicious activities, such as monitoring users' activities on their devices or stealing personal data.  Some malware strains deployed* include known credential-stealing malware such as AZORult, Cerberus, Lokibot, and TrickBot.  These threats have proliferated across many sectors, including healthcare, manufacturing, pharmaceutical and transportation.
49
OVERVIEW OF CYBER THREATS IN SINGAPORE 2019
PHISHING 47500 WEBSITE DEFACEMENT 873 RANSOMWARE 35
50
OMMONLY SPOOFED GOVERNMENT | ORGANISATIONS
``` 70% of incidents reported to SingCERT by SMEs and members of the public occurred through phishing attacks ```
51
COMMAND AND CONTROL SERVERS (C&C) AND | BOTNET DRONES
530 unique C&C servers were observed in Singapore, a 73% increase from 2018. ``` 2,300 botnet drones (compromised computers infected with malicious programs) with Singapore IP addresses were observed daily, on average (20% decrease from CSA’s observations in 2018). ```
52
CYBERCRIME IN SINGAPORE
Refers to cyber-extortion, online cheating cases, and offences under the Computer Misuse Act (CMA), such as unauthorised access of computer material and unauthorised use of computer service.
53
Point-of-Sale (POS) | Attacks
``` Refers to compromise of touchpoints (e.g. online shopping sites and cash terminals in brick-and-mortar stores). Active since 2016, Magecart cybercrime operators have been conducting POS attacks by injecting malicious codes into e-commerce websites to skim credit card details. They have stepped up their activities in recent years, targeting both SMEs and MNCs. ```
54
Supply Chain Attacks
``` Supply chain attacks target the less secure components of systems, and could be aimed at accessing and stealing confidential information, or gaining a foothold to springboard attacks into other parts of the system and connected networks. Thirdparty service providers with access to an organisation’s data are often the weak links targeted by threat actors. ```
55
Data Breaches
``` 2019 witnessed an exponential increase in data breaches around the world, with the total number of records exposed registering a near 300 per cent increase, compared to 2018. [2] The large amounts of personal and financial information held in organisations such as governments, healthcare institutions and technology firms serve as attractive targets for threat actors. ```
56
Mobile Attacks
``` Threat actors are shifting towards targeting mobile devices such as smartphones and tablets to conduct credential theft, surveillance and malicious advertising. A major factor behind this spike in mobile attacks is likely due to the increased usage of mobile banking applications, which provide lucrative avenues for threat actors to gain access to and steal sensitive information. ```
57
Spear Phishing
``` Threat actors have been observed to adapt the writing styles of spoofed individuals and organisations, as well as use information from publicly available sources, such as social media posts, so that their e-mails appear more convincing to their victims. Business e-mail compromise (BEC) is another form of spear phishing on the rise ```
58
SYSTEM SECURITY
1. computer security : provide a protected environment for data and their processing 2. single user: physical security 3. process protection 4. data protection 5. networked computer (yeah idk)
59
Security issues
Inter-process communication • Storage protection
60
Communication security
• Tampering of message data • Identification of sender • Disclosure of data to unauthorized parties
61
Storage security
• Control of access to storage/file manager • Identification of data owner and user
62
DISTRIBUTED SYSTEM SECURITY computer security
Addresses security of the end | systems
63
DISTRIBUTED SYSTEM SECURITY Application security
Relies on both to provide services | securely to end users.
64
RISK-BASED SECURITY APPROACH
1. Computing power (could be technology-dependent) 2. Value of the encrypted data e.g. payment (target-specific) 3. Nature of the system e.g. government, bank, SCADA, etc
65
Practical security is about risk management which depends on a number of factors
11. business nature: Public confidence: Government, Banks, … Critical infrastructure: SCADA, Healthcare, Aviation, … 12. Potential Rewards for the Attacker Business secret, reputation of competitors Government policy, Economic forecast Industrial control (ICS), etc 13. Resources needed to protect the system and to break the system
66
Risk-based security system is a balance between
``` Risk Potential loss of owner & potential reward of enemy Cost Security design and implementation, computing overheads ``` ``` Convenience Users may be tempted to bypass the security control or breach security if too inconvenient to use ```
67
SYSTEM SECURITY FAILURES
Cryptographic algorithms are broken  Security features are not designed correctly  Security features are not used correctly  Security components are not implemented correctly  Security components are not configured properly  Security is not managed properly  Threat environment may change and assumption invalid
68
Prerequisite of Security Technology Framework:
1. Security requirements 2. Security policies 3. Security mechanisms
69
Prevention:
take measures that prevent your assets from being damaged.
70
Detection:
take measures so that you can detect when, how, and by whom an asset has been damaged.
71
Reaction:
take measures so that you can recover your assets or to recover from a damage to your assets.
72
Confidentiality:
prevent unauthorised disclosure of information
73
Integrity:
prevent unauthorised modification of information
74
Availability:
prevent unauthorised withholding of information | or resources
75
Authenticity:
“know whom you are talking to”
76
Accountability (nonrepudiation):
prove that an entity was involved in some event
77
Anonymity ensures that a
a user may use a resource or service without disclosing the user's identity. Anonymity requires that other users or subjects are unable to determine the identity of a user bound to a subject or operation.
78
Unlinkability ensures that a
user may make multiple uses of resources or services without others being able to link these uses together. Unlinkability requires that users and/or subjects are unable to determine whether the same user caused certain specific operations in the system.
79
confidentiality subgroups
Anonymity and unlinkability
80
reasons for confidentiality
``` 1. One may want to hide not just secrets, but also their existence. 2. Traffic analysis, “meta-data”, can reveal sensitive information. 3. Anonymity and unlinkability; in general privacy-related properties ```
81
Data Integrity
The state that exists when computerized data is the same as that in the source document and has not been exposed to accidental or malicious alteration or destruction.
82
Data Integrity Purposes n
Prevent unauthorised modification of information (prevent unauthorised writing). Detection (and correction) of intentional and accidental modifications of transmitted data. • Typically enforced via (cryptographic) checksums and other coding techniques.
83
Integrity is a prerequisite for many other security services;
• In operating systems, integrity of the bootstrap process (kernel, device drivers, system files) is critical to prevent persistent viruses/malwares. • Windows Vista and above allows only “signed drivers” to be installed.
84
AVAILABILITY
The property of being accessible and usable upon demand by an authorised entity affected by Denial of Service DoS attacks
85
THE “SMURF” ATTACK
Attacker sends ICMP (Internet Control Message Protocol) echo requests to a broadcast address in a network Victim’s address spoofed as sender address. The echo request is distributed to all nodes in the network Each node replies with an echo to the victim. The victim is flooded with many incoming messages. Note the amplification: the attacker sends one message, the victim receives many
86
Accountability is the property that ensures that the actions of an entity can be
traced solely to this entity. Accountability guarantees that all operations carried out by individuals, systems or processes can be identified (identification) and that the trace to the author and the operation is kept (traceability). • To be effective, one needs: – Audit trails: eg, in the OS level, this could be system/authentication logs, etc. – A link between a user and a “user identity”, so the user can be held accountable.
87
In distributed systems
cryptographic non-repudiation mechanisms can be used to achieve accountability \ Delegation is an important issue in accountability and non-repudiation
88
NON- REPUDIATION
Non-repudiation services provide unforgeable evidence that a specific action occurred Non-repudiation of origin: protects against a sender of data denying that data was sent. Non-repudiation of delivery: protects against a receiver of data denying that data was received. Enforcement typically relies on publickey cryptographic techniques.
89
SECURITY AND RELIABILITY
To make software more reliable, it is tested against typical usage patterns: – “It does not matter how many bugs there are, it matters how often they are triggered.” • To make software more secure, it has to be tested against ‘untypical’ usage patterns (but there are typical attack patterns).
90
Computer security deals with the
prevention and detection of unauthorized actions by users of a computer system. 2. Computer security is concerned with the measures we can take to deal with intentional actions by parties behaving in an unwelcome fashion.
91
FUNDAMENTAL DILEMMA OF SECURITY
Security unaware users have specific security requirements but no security expertise. • A security unaware user will rely on standard ‘best practices’ solutions, which may not meet his requirements. • To provide the ‘right’ security solution to a user requires the user to be ‘security aware’…
92
Design Decisions
I. What to focus the protection mechanism on? II. Where to place the security mechanism at? III. Complexity (of security properties) vs assurance IV. Centralized vs decentralized security control V. Protection of the ‘layer below’
93
The man-machine scale for security mechanisms combines our first two design decisions
What to focus on? Where to place at? Specific Complex Focus on users Generic Simple Focus on data
94
Data are a
representation of certain aspects of our | conceptual and real world.
95
The meanings we assign to data are called
information.
96
Information and data lie on the
two ends of the manmachine scale. The distinction between data and information can be subtle but causes some of the more difficult problems in computer security.
97
Covert channel is a type of c
computer security attack that creates a capability to transfer information objects between processes through channels “not intended for information transfer at all”, such as the service program's effect on system load.
98
Covert channel elaborate
``` Controlling access to information may be elusive and need to be replaced by controlling access to data ``` But controlling data may not always yields control of information. Covert channels: response time or memory usage may signal information. ``` nference in statistical databases: combine statistical queries to get information on individual entries. ```
99
Side channel:
Side-channel attack is any attack based on information gained from the implementation of a system. For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information, which can be exploited to break the system.
100
Component-level security VS System-level security
Often, the location of a security mechanism on the man-machine scale is related to its complexity. • Generic mechanisms are simple, applications clamour for feature-rich security functions