Authentication and Unix Users

Questions and Answers

What happens once a process changes its user ID from root (ID 0) to another user ID?

  • It can continue running with the new user ID. (correct)
  • It loses access to all files.
  • It can revert back to root ID.
  • It becomes a regular process without elevated privileges.

A user account grants administrative privileges by default.

False (B)

Name one important file that contains user password information.

/etc/shadow

The ______ protocol is a challenge-response authentication method used to verify user identities.

NTLM

Match the following authentication protocols with their description:

  • NIS = Network Information Service for central user management
  • LDAP = Lightweight Directory Access Protocol for accessing directory information
  • Kerberos = Network authentication protocol using tickets
  • NTLM = Challenge-response authentication protocol used by Windows

What does the term 'pass the hash' refer to?

An attack that involves obtaining the password hash (B)

Kerberos is the only authentication protocol supported in larger Windows networks.

False (B)

What is the primary function of Pluggable Authentication Modules (PAM)?

Centralize authentication and make functionality available through a library.

The activity of user authentication in PAM includes mechanisms like passwords, tokens, and ______.

fingerprints

Match the PAM activities with their descriptions:

  • auth = Determining whether a user is allowed to log in
  • account = The process of authenticating a user

What flag is used to indicate the highest privilege level in a protection ring model?

Ring 0 (C)

Ring 3 allows direct interaction with the physical hardware.

False (B)

What is the process called that determines if an entity is allowed access to a resource?

Authorization

A system call is a request from user space to the OS to perform a certain ___.

operation

Match the following PAM control flags with their descriptions:

  • requisite = If the module fails, immediately return failure and stop
  • required = If the module fails, continue but return failure at the end
  • sufficient = If the module passes, return pass and stop
  • optional = Pass/fail result is ignored for non-authentication tasks

Which of the following is NOT a type of system call?

User authentication (C)

Executing a ring 0 instruction from ring 3 causes a SIGILL (illegal instruction).

True (A)

Name two examples of operations that can be performed by system calls.

Process control and file management

What is a primary characteristic of viruses?

They can spread by infecting other files. (B)

Trojans are self-replicating malware programs.

False (B)

What is the term for malware that runs at the kernel level to hide its presence?

rootkit

A malware type known for encrypting data and demanding ransom is called ______.

ransomware

Match the following types of malware with their descriptions:

  • Virus = Infects a host program
  • Worm = Standalone program that spreads without a host
  • Trojan = Offers hidden malicious functionality
  • Rootkit = Hides traces of malware on a system

What is the primary responsibility of the Trusted Code Base (TCB)?

To protect user processes from each other (A)

Which of the following methods do worms primarily use to spread?

Both A and C (A)

Loadable kernel modules can execute sequentially and perform automatic cleanup.

False (B)

Signature-based detection of malware is effective at detecting zero-day malware.

False (B)

What is the main advantage of using loadable kernel modules?

They allow modifications to the OS kernel at runtime without rebooting.

What is one possible countermeasure to combat rootkits?

Cryptographically sign all kernel modules and drivers

In Unix, persistent data on background storage is organized in ______.

files

The primary function of ______ is to disable the usual functioning of a computer until a demanded payment is made.

ransomware

Match the following file-related syscalls with their functions:

  • open() = Open a file and return a file handle
  • read() = Read bytes from a file handle into a buffer
  • write() = Write bytes from a buffer to the file handle
  • close() = Close the file handle

What is a significant drawback of antivirus software?

False positives can disrupt system functionality. (C)

Which of the following statements is true regarding file descriptors?

They provide an index into a file descriptor table maintained by the kernel. (B)

Behavior-based malware detection is fully reliable for newly developed malware.

False (B)

Access Control allows unrestricted access to resources.

False (B)

What type of malware is characterized by modifying its appearance to avoid detection?

polymorphic malware

What is the purpose of the access() syscall?

To check access rights based on the real user ID.

The ______ hierarchy organizes files in Unix.

tree

Bootkits are installed in the ______ of the hard drive to ensure re-infection at each reboot.

MBR

Match the malware detection techniques with their descriptions:

  • Signature-based detection = Identifies known malware patterns
  • Behavior-based detection = Analyzes behaviors or heuristics
  • Static detection = Checks for known packers
  • Dynamic detection = Runs malware in a sandbox environment

Which of the following file descriptors represents standard output?

1 (D)

The file system in Unix operates in user space.

False (B)

What do loadable kernel modules allow the kernel to do?

Communicate with hardware without prior knowledge of how it works.

Match the following concepts with their meanings:

  • Trusted Code Base = Code running in kernel space and processes with root permissions
  • Access Control = Selective restriction of access to resources
  • File Descriptor = Index into a file descriptor table
  • Loadable Kernel Module = A module that can modify the OS kernel at runtime

Which command is used to manually load a kernel module into the kernel?

insmod (A)

Everything in Unix is represented as a file.

True (A)

What does the Biba model primarily protect?

Integrity (D)

In the Biba model, a subject is allowed to read objects below its integrity level.

False (B)

What security context format is used in type enforcement?

user:role:type(:level)

The __________ allows multiple isolated user-space instances to run on a single host OS.

OS-level virtualization

Match the following virtualization methods to their descriptions:

  • Software full virtualization = Requires no modification of the guest OS.
  • Paravirtualization = Requires modification of the guest OS.
  • Hardware full virtualization = Utilizes hardware assistance for virtualization.
  • Emulation = Translates guest instructions into host-readable instructions.

Which of the following is a disadvantage of using LSM (Linux Security Modules)?

Can be abused to bypass kernel security (B)

The chroot command changes the working directory for a process.

False (B)

Identify the two types of mounts in the context of namespaces.

Shared mount and slave mount

Application isolation in Android is enforced through __________ and __________.

VMs; Sandboxing

Which component of the Android Application Framework provides user interfaces?

Activities (D)

Unprivileged containers map container user root to host’s user root.

False (B)

What is the purpose of the Android Security Framework's permission framework?

To control application access to sensitive resources

In type enforcement, access must be explicitly granted by __________.

allow rules

Which of the following is NOT a characteristic of OS-level virtualization?

Each container has its own kernel. (C)

Flashcards

Root Account

A user account with the highest privileges, allowing access to modify any file and impersonate any other user.

Classical Unix Authentication

A system in which users provide their password to authenticate, and the system verifies it by comparing the provided password with a hashed version stored in a file.

Centralized Authentication

A network-based authentication system where user information is centrally stored, allowing users to access any machine on the network with a single login.

NTLM Authentication Protocol

A challenge-response protocol used for authentication, where a server sends a challenge and the user responds with calculated keys derived from their password hash.

Root Account Security

The vulnerability created when an attacker gains access to the root account, enabling them to modify system files and impersonate any user, potentially compromising the entire system.

Pass-the-Hash Attack

An attack in which the attacker steals and reuses the password hash instead of the actual password, so storing only the hash provides no protection.

Kerberos

A protocol that uses hashes to securely authenticate users on a network.

NTLM

A protocol used for authentication on Windows networks, often used alongside Kerberos.

Pluggable Authentication Modules (PAM)

A system that allows different programs to use a centralized authentication system, making it easier to manage user access across multiple applications.

PAM 'Auth' Activity

The PAM activity that verifies a user's identity, usually by password but also by other methods such as tokens or fingerprints.

Authorization

A process of deciding if an entity is allowed to access a resource.

Protection Rings

A software mechanism used for controlling access to system resources, like hardware, files, or network connections.

System Calls

A software mechanism used for controlling access to system resources like hardware, files, or network connections.

PAM (Pluggable Authentication Modules)

A structured mechanism used to control user logins, based on user-specific information.

Process Control

A set of instructions used by the operating system to manage processes, including creation, termination, loading, execution, and waiting.

File Management

A set of instructions used by the operating system to manage files, including creation, deletion, opening, closing, reading, and writing.

Device Management

A set of instructions used by the operating system to manage devices, including requesting, releasing, reading, and writing.

Session

A temporary workspace for a user session. It allows for resource allocation, including mounted directories, CPU and memory usage limits, and shell access.

Trusted Code Base (TCB)

The core set of software running in kernel space, with root permissions, responsible for protecting the system's integrity and enforcing security policies.

Loadable Kernel Modules

Modules that extend the kernel's functionality, loaded at runtime, and typically used for device drivers.

Virtual File System

A file system that presents every system resource (hardware, processes) as a file to the operating system, enabling a consistent approach for interacting with them.

File Descriptor

An integer index used by the kernel to track open files and resources, allowing the system to access and manage them efficiently.

Access Control

The process of controlling access to system resources by defining who can perform what actions on specific files, sockets, and other objects.

Security Context

The label (such as user:role:type) attached to a process or object; access decisions restrict the actions a process can perform based on this context, preventing unauthorized access to sensitive data.

File Permissions

The set of permissions associated with a file or resource in a Unix system, controlling read, write, and execute access for different users and groups.

Code Verification

The process of ensuring the integrity and authenticity of software by verifying the origin and content of code before execution.

Everything is a file abstraction

Using the same tools and APIs across different resources, offering a consistent and unified approach to managing the system.

File Descriptor Leak

A security concern where a child process inherits open file descriptors from its parent, potentially allowing it to access sensitive data that it should not have access to.

Permission checking

The process of checking permissions on a file or resource before granting access to a process that requests it.

Standard Input (stdin)

The standard input stream, typically used for reading data entered by the user through the keyboard.

Standard Output (stdout)

The standard output stream, typically used for writing data to the console, such as displaying output from commands.

Standard Error (stderr)

The standard error stream, used for displaying error messages and diagnostic information.

Virus

A type of malware that spreads by infecting other files, typically executable files or office files with macros.

Worm

A standalone program that spreads without needing a host file, often through user interaction (for example, email attachments) or by exploiting vulnerabilities in software.

Trojan

Malware disguised as a useful program with hidden malicious functions, often used for stealing data or controlling infected devices.

Rootkit

Malware designed to hide its presence on a compromised system by modifying system files, processes, or creating hidden storage areas.

Damage Routine

A damage routine is the action a malware performs after being activated. It can involve stealing data, encrypting files, or disrupting network access.

Ransomware

A malware that encrypts the data on a user's system and demands a ransom for its decryption.

Spyware

A type of malware used to steal sensitive information from a user's system, often including passwords, bank details, or personal data.

Targeted Malware

Malware that explicitly targets specific users or organizations, often with highly specialized damage routines.

Digital Vandalism

Malware that directly destroys or corrupts data on a computer, often for malicious purposes.

Malware Detection

A technique where incoming files are screened for malware before being stored on the computer.

Signature-based malware detection

A method of detecting malware by analyzing patterns in files to see if they match known malicious signatures.

Code Polymorphism

A technique used by malware to evade detection by signature-based methods. It creates many variations of the same malware, making it harder to identify.

Packers

A tool used by malware to compress and obfuscate its code, making it difficult to analyze and detect.

Behavior-based malware detection

A technique that analyzes the behavior of a program to detect malicious activity, often by running it in a controlled environment.

Antivirus Software

Software designed to detect and remove malware from a system, often using both signature-based and behavior-based techniques.

Simple Integrity

A principle in the Biba model that prevents a subject from reading data with a lower integrity level than its own. It helps ensure that information with a higher integrity level isn't corrupted by access from lower integrity sources.

The Integrity Property

A principle in the Biba model that prevents a subject from writing data to an object with a higher integrity level than its own. This helps maintain the integrity of high-level data by preventing accidental or malicious modification.

Linux Security Modules (LSM)

A framework in the Linux kernel that allows different security models to be implemented without favoring any specific one. It works by introducing hooks for security-related operations.

Type Enforcement

A security mechanism used by the Linux kernel where every object, like processes, files, and sockets, has a security context or label. Access control is governed by rules that specify what actions are allowed based on these labels.

chroot Jail

A method of isolating processes within a subdirectory of the filesystem. The isolated process cannot access files outside of that subdirectory.

OS-level virtualization

A technique where an operating system provides multiple isolated user-space instances (containers, virtual environments, etc.) that share the host OS's kernel. It offers a layer of isolation with reduced overhead.

Emulation

A method of running an entire computer system in software, allowing unmodified guest operating systems to run on a host platform. This involves translating the guest OS's instructions to the host's architecture.

Software full virtualization

A type of virtualization where hardware is emulated in software, allowing the execution of guest operating systems on a different architecture.

Paravirtualization

A type of virtualization where the guest operating system and drivers are modified to work with the virtualization layer. This achieves better performance by replacing non-VM-friendly instructions with calls to the hypervisor.

Hardware Full Virtualization

A virtualization technique where the hypervisor runs in a special, privileged ring (-1) in the hardware, providing better performance and security isolation than software-based approaches.

Linux Containers (LXC)

A type of OS-level virtualization that runs multiple, isolated Linux systems within a single host. Containers share the host kernel and offer a similar but more flexible approach than chroot jails.

Namespaces

A mechanism in Linux Containers (LXC) that restricts what a container can see and interact with. By providing a different view of global resources, namespaces isolate processes.

Control groups (cgroups)

A mechanism in Linux Containers (LXC) that provides resource management for containers. It allows setting limits and managing resource sharing for groups of containers.

Android Runtime

A middleware layer in Android that runs the Dalvik Virtual Machine, providing an abstraction layer between applications and the Linux kernel. It also provides core libraries and API for applications.

Android Security Framework

A security model in Android that isolates applications within sandboxes, controlling resource access and applying permissions to limit their capabilities.

Study Notes

Authentication

  • Authentication is the process of verifying the identity of an entity.
  • Operating systems manage access to resources.
  • Authentication ensures that the entity is who they claim to be.
  • Typical authentication methods include:
    • Something you know (passwords, challenge-responses)
    • Something you are (biometrics like fingerprints)
    • Something you have (tokens, smartcards)
  • Multifactor authentication combines multiple methods.
  • Authentication failures can lead to impersonation.

Unix Users

  • The root account is the superuser, with user ID 0.
  • Root processes handle system boot, user authentication, administration, and network services.
  • Root can access, and modify the permissions of, all files.
  • Root processes can impersonate any other user by changing their user ID.
  • Once a process has dropped from root to another user ID, this change cannot be reversed.

Authentication Over Networks

  • Large networks centralize user information.
  • Users can log in to any machine.
  • Various protocols exist (example: challenge-response).
  • Centralized login servers can be vulnerable to failure.

Pluggable Authentication Modules (PAM)

  • PAM allows programs to use a central authentication mechanism (rather than each program handling authentication independently).
  • This centralization improves security and reduces complexity.
  • PAM is a library that provides a common interface for multiple programs to access the same authentication system.

Authorization

  • Authorization determines if entity X is permitted to access resource Y.
  • Operating systems need to control access to resources.
  • Different privilege levels (rings) control access (ring 0 being the highest privilege).
  • Non-privileged code must request an operation from the Operating System if it needs to access privileged resources.
  • Privileged code can directly access resources.
  • System calls are used for transitions between ring 3 and ring 0.

File Systems in Unix

  • Data on storage devices is structured logically as files.
  • Files include names and information like access and modification times.
  • Files are organized in a directory hierarchy.
  • The file system maps logical information to physical storage on a device.
  • System calls are used to access and manipulate files.

Access Control

  • Access control (AC) is the selective restriction of resource access.
  • Mechanisms authorize subjects to perform operations on objects.
  • A protection system defines the access control specification.
  • Reference monitors enforce the specification.
  • Protection systems can be discretionary or mandatory.
    • Mandatory control restricts access modification.
    • Discretionary control allows users to manage their own access.

Protection model: matching

  • A process's access to a file is checked in order: if the process's user ID matches the file's owner, the owner permissions apply; otherwise, if one of its group IDs matches the file's group, the group permissions apply; otherwise the "other" permissions apply.

Setuid

  • Setuid allows a program to run with the permissions of the executable's owner, which can permit operations the invoking user would not normally be allowed to perform.
  • A program designed to run with the permissions of the owner of its executable therefore needs very careful design.

Memory

  • Processes use virtual addresses, not physical memory addresses.
  • Address translation is handled by the Memory Management Unit (MMU).
  • Virtual memory addresses are mapped to physical addresses by the MMU using a page table; this mapping is cached in the Translation Lookaside Buffer (TLB).
  • Memory is divided into fixed-size pages.
  • The virtual-address abstraction provided by the OS memory system simplifies access to memory for processes.
  • Memory access control prevents improper access attempts.

Malware Detection

  • Antivirus techniques and strategies will be discussed.
  • Methods like signature-based detection (looking for known malicious patterns) and behavior-based detection (monitoring unusual activities) are used.
