Introduction to OS Security and Worms

Questions and Answers

What mechanism does a worm use to duplicate itself?

• Cloning
• Spawn (correct)
• Rebooting
• Copying

The Morris Worm was designed to have a slow reproduction rate.

False (B)

What programming language was used to create the grappling hook program of the Morris Worm?

C

A worm can significantly affect a computer network by __________ itself among systems.

reproducing

Match the following components of the Morris Worm with their descriptions:

Grappling hook = 99 lines of C code that connects to infected machines Main program = Searches for other machines to infect rsh = Utility for easy remote task execution Finger = A UNIX utility for querying user information

Which of the following systems did the Morris Worm target primarily?

Sun Microsystems’ Sun 3 workstations (A)

The Morris Worm utilized flaws in the UNIX operating system’s security routines to propagate.

True (A)

In what year did the Morris Worm spread across the Internet?

1988

The Morris Worm was a process that could potentially __________ an entire network.

shut down

What type of computer threats does the Morris Worm represent?

Malware (D)

What does the finger utility primarily function as?

An electronic telephone directory (C)

The Morris worm targeted the finger utility by employing a buffer-overflow attack.

True (A)

What happens when the finger daemon is successfully exploited by the worm?

It executes /bin/sh, giving the worm a remote shell.

The special files that allow users to omit entering a password contain host–login name pairs known as __________.

trust files

Match the following utilities with their primary function:

Finger = Provides user information Sendmail = Handles email communication SSH = Secure shell access HTTP = Web protocol

What was the size of the string the worm queried to the finger utility?

536 bytes (C)

Sendmail does not have any debugging capabilities.

False (B)

What type of code was included in the sendmail part of the attack?

Debugging code.

The finger daemon was modified to return to a __________ within the invading string.

procedure

What is the first step the worm takes when it successfully establishes a remote shell?

It begins executing the worm program anew. (D)

What is the primary purpose of port scanning?

To detect a system’s vulnerabilities (B)

Nmap is designed to exploit known bugs in systems.

False (B)

What methodology is used by the worm to gain access to user accounts?

A three-stage password-cracking algorithm

Port scanning is typically an automated process involving a tool that attempts to create a TCP/IP connection to a specific ______.

port

Match the following tools or concepts with their descriptions:

Nmap = Tool used to discover hosts and services Sendmail = Service that can have known vulnerabilities Port scanning = Technique to detect system vulnerabilities Cracker = Individual attempting to exploit system vulnerabilities

What might a cracker do after successfully connecting to a service through port scanning?

Determine the service version and bugs (A)

The main function of a password-cracking algorithm is to protect user accounts.

False (B)

What operation system can Nmap be installed on?

Any operating system

A cracker could use port scanning to try to connect to port ______ of a system to check vulnerabilities in sendmail.

25

What is a consequence of discovering a buffer overflow vulnerability?

Creation of a privileged command shell (D)

What does the command nmap -sP 10.7.1.0/24 do?

Determines if a system is live (B)

Denial-of-service attacks aim to gain access to confidential information.

False (B)

What will the command sudo nmap -sT -p 80,443 10.7.1.0/24 check for?

Open ports 80 and 443

A denial-of-service attack can disrupt the ______ of a system.

legitimate use

Which command would provide information about the operating system version of a device?

sudo nmap -O 10.7.1.226 (B)

Using incorrect attempts to access accounts can lead to a lock on authentication mechanisms.

True (A)

What is the purpose of the command sudo nmap -A 10.7.1.226?

To gather detailed information about the device

A TCP connection disruption can result in ______ sessions if the connection setup is incomplete.

partially started

Match the Nmap command with its purpose:

nmap -sT -p 80,443 = Check for web server ports nmap -O = Identify the operating system nmap -A = Gather detailed device information nmap -sP = Identify live hosts

Study Notes

Introduction to OS Security

• Goal of OS security: Protecting valuable resources
• Security goals: Confidentiality, integrity, availability
• Threats to OS security:
  • Software: Trojan horses, buffer overflow attacks, viruses
  • Network: Worms

Worms

• Self-replicating processes that duplicate themselves
• Consume system resources and potentially lock out other processes
• Particularly potent on networks as they can spread and shut down entire networks

Morris Worm

• Created by a Cornell graduate student
• Targeted Sun Microsystems workstations and VAX computers running BSD UNIX
• Spread rapidly across the internet, consuming system resources and causing infected machines to crash

Morris Worm Design and Implementation

• Designed for rapid reproduction and distribution
• Exploited vulnerabilities in the UNIX operating system's security routines
• Utilized network utilities (rsh, finger, sendmail) to gain unauthorized access

Morris Worm Programs

• Consists of two programs: a grappling hook program and the main program
• Grappling hook program: downloaded onto a machine and used to connect back to the origin machine, uploading the main worm
• Main program: searched for other machines to establish connections and spread the worm

Morris Worm - Exploiting Utilities

• rsh: Exploited the feature for remote task execution without passwords to establish connections
• finger: Used a buffer overflow attack to exploit a vulnerability and gained access to a remote shell
• sendmail: Exploited debugging code within the utility to send and execute the grappling hook program, and systematically attempted to discover user passwords

Port Scanning

• Not an attack, but a method for detecting vulnerabilities
• Automated process that uses tools for connecting to specific ports or ranges of ports
• Used to detect vulnerabilities like known bugs in software, especially buffer overflows, which allow for the creation of privileged command shells

Nmap

• A tool for discovering hosts and services on a network
• Sends packets and analyzes responses to determine system information
• Can be installed on various operating systems
• Can identify live hosts, open ports, host operating systems, and provide information about network security

Distributed Denial of Service (DDoS)

• Aim is to disrupt legitimate use of a system or facility, not to obtain information or resources
• Categorized into two types: resource exhaustion attacks and network disruption attacks
• Resource Exhaustion:* Uses vast amounts of system resources, hindering functionality, such as downloading a CPU-intensive applet or pop-up windows.
• Network Disruption: Exploits TCP/IP protocol functionalities by interrupting network connections, like interrupting ongoing TCP sessions or overloading the system with false connection attempts.

Denial of Service (DoS)

• Can overload authentication mechanisms by repeatedly attempting incorrect logins
• Can manipulate firewalls to block traffic unnecessarily

Operating System Architectural and Hardenings

• Not discussed in the provided text but is a key concept in OS security. It involves understanding how to protect system architecture and apply security controls.

Reference

• The presentation was based on the book "Operating System Concepts" by Peterson and Silberschatz.

Description

Explore the fundamental concepts of operating system security, including its goals of confidentiality, integrity, and availability. Learn about significant threats to security, such as the Morris Worm, and its design, implementation, and impact on network systems.