PAM and Operating Systems Concepts Quiz

Questions and Answers

What is the primary vulnerability associated with the 'pass the hash' attack?

With NTLM the stored NT hash is itself the credential: the challenge-response is computed from the hash, not from the password, so an attacker who obtains the hash (from process memory, the SAM database or a domain controller) can authenticate without knowing or cracking the password. Hashing still hides the password, but it no longer protects against theft of the stored secret.

Why is Kerberos preferred over NTLM in larger Windows networks?

Kerberos is a ticket-based protocol with mutual authentication and a central trusted third party (the KDC), so a client proves itself to each service with a short-lived ticket and can verify the service in turn. NTLM is an older challenge-response protocol in which the password hash is a directly reusable credential (pass the hash) and which is exposed to relay attacks, so large Windows domains prefer Kerberos and keep NTLM only as a fallback.

How did the development of PAM in 1995 change user authentication management?

PAM (proposed by Sun in 1995) moved authentication out of individual programs into a common library configured by the administrator: programs call the library, and the modules behind it decide how users are verified, so changing the authentication method no longer means changing every program.

List one significant function of the 'auth' activity in PAM.

The 'auth' activity verifies the user's credentials, typically a password, but also tokens, fingerprints or other authentication methods provided by the configured modules.

What role does the 'account' activity play in PAM, following user authentication?

The 'account' activity decides whether an already authenticated user is allowed to log in at all, based on account state and conditions such as expiry, time-of-day restrictions or group membership.

What is the primary function of PAM control flags in authentication?

Control flags (required, requisite, sufficient, optional) tell the PAM library how each module's result affects the stack's overall verdict: whether a failure stops the stack immediately or is only recorded while later modules still run, whether a success ends the stack early, and whether the result is ignored altogether.

Explain the concept of protection rings in operating systems.

Protection rings are hierarchical privilege levels enforced by the CPU. Ring 0 has the highest privileges and interacts directly with hardware (the kernel runs there); ring 3 has the least privileges and runs user applications.

How does a user process execute a system call in a protected operating environment?

The process places the system call number and arguments where the kernel expects them and executes a trap instruction (syscall on x86-64, int 0x80 on 32-bit x86, svc on ARM). That instruction switches the CPU from user space (ring 3) to kernel space (ring 0) at a kernel-defined entry point, the kernel runs the handler for that call, and control returns to the process in ring 3 with the result.

What happens when a process attempts to execute a ring 0 instruction from ring 3?

The CPU refuses to execute it and traps into the kernel, which terminates the process with a signal instead of carrying out the instruction. Which signal depends on the architecture: on x86 Linux a privileged instruction such as hlt raises a general-protection fault that is delivered as SIGSEGV, whereas SIGILL is what Linux delivers for an undefined or otherwise illegal opcode.

What would be the result of a PAM requisite module failing during authentication?

The stack stops immediately and returns failure; the remaining modules are not run. (Had the module been required instead, the remaining modules would still run, which keeps an attacker from learning which check rejected them.)

Define the role of system calls in the context of process management.

System calls are the interface through which user processes request services from the operating system, such as creating or terminating processes, managing memory and performing I/O.

What is the difference between sufficient and optional PAM control flags?

A sufficient module that succeeds ends the stack with success, provided no earlier required module has already failed; a sufficient module that fails is ignored. An optional module's result is ignored unless it is the only module in the stack for that service and type.
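
The three control-flag questions above (what the flags do, what a failing requisite does, and sufficient versus optional) come down to one dispatch loop. The following is an added example written for this page, not Linux-PAM's own source: a C model of that loop, run over constructed sample stacks. The enum, struct and stack names are assumptions; real PAM distinguishes many more return codes and also supports the [value=action] syntax.

```c
#include <stddef.h>

typedef enum { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL } pam_ctrl;
typedef enum { PAM_OK, PAM_FAIL } pam_ret;

typedef struct {
    const char *module;   /* e.g. "pam_unix.so" */
    pam_ctrl    ctrl;
    pam_ret     ret;      /* what this module returns if it is consulted */
} pam_entry;

typedef struct {
    int    allowed;       /* 1 = stack succeeded, 0 = denied */
    size_t modules_run;   /* how many modules were actually consulted */
} pam_verdict;

/* Walk a stack of one management group (e.g. "auth") top to bottom. */
pam_verdict pam_run_stack(const pam_entry *stack, size_t n) {
    pam_verdict v = { 0, 0 };
    int required_failed = 0;   /* some required module already failed */
    int decisive_ok = 0;       /* some required/requisite module succeeded */

    for (size_t i = 0; i < n; i++) {
        const pam_entry *e = &stack[i];
        v.modules_run++;
        switch (e->ctrl) {
        case REQUIRED:
            /* failure is remembered, but the stack keeps running so the
             * caller cannot tell which module rejected them */
            if (e->ret == PAM_OK) decisive_ok = 1; else required_failed = 1;
            break;
        case REQUISITE:
            /* failure terminates the stack at once */
            if (e->ret != PAM_OK) return v;
            decisive_ok = 1;
            break;
        case SUFFICIENT:
            /* success ends the stack with success, unless a required
             * module failed earlier; a failure is simply ignored */
            if (e->ret == PAM_OK && !required_failed) { v.allowed = 1; return v; }
            break;
        case OPTIONAL:
            /* only counts when it is the sole module in the stack */
            if (n == 1) { v.allowed = (e->ret == PAM_OK); return v; }
            break;
        }
    }
    /* fail closed: nothing decisive succeeded, or a required module failed */
    v.allowed = (!required_failed && decisive_ok);
    return v;
}

/* Constructed sample stacks (module names are real modules, results are
 * assumed for the scenario). */
const pam_entry stack_local_ok[] = {
    { "pam_unix.so", REQUIRED, PAM_OK } };
const pam_entry stack_wrong_pw_then_otp[] = {
    { "pam_unix.so", REQUIRED, PAM_FAIL },        /* wrong password ... */
    { "pam_google_authenticator.so", REQUIRED, PAM_OK } }; /* ... OTP still asked */
const pam_entry stack_securetty_blocks[] = {
    { "pam_securetty.so", REQUISITE, PAM_FAIL },  /* root on an insecure tty */
    { "pam_unix.so", REQUIRED, PAM_OK } };        /* never consulted */
const pam_entry stack_ldap_then_unix[] = {
    { "pam_ldap.so", SUFFICIENT, PAM_OK },        /* directory accepts: done */
    { "pam_unix.so", REQUIRED, PAM_FAIL } };      /* never consulted */
const pam_entry stack_unix_then_ldap[] = {
    { "pam_unix.so", REQUIRED, PAM_FAIL },        /* required failure ... */
    { "pam_ldap.so", SUFFICIENT, PAM_OK } };      /* ... cannot be rescued */
const pam_entry stack_only_optional[] = {
    { "pam_motd.so", OPTIONAL, PAM_FAIL } };      /* sole module: it decides */
const pam_entry stack_optional_ignored[] = {
    { "pam_unix.so", REQUIRED, PAM_OK },
    { "pam_motd.so", OPTIONAL, PAM_FAIL } };      /* ignored */
```

The ordering trap is stack_unix_then_ldap: putting the sufficient module after a required one that fails does not grant access, whereas the reverse order (stack_ldap_then_unix) never even consults pam_unix.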

In the context of the operating system, what does user authentication involve?

User authentication is the verification of credentials, such as a password, to establish which entity is making a request, so that access to resources can be tied to that identity.

What two fundamental concepts are essential for access control in an operating system?

A protection system (the rules) and a reference monitor (the mechanism that enforces them on every access).

How does a system implement Mandatory Access Control (MAC)?

Under MAC only trusted administrators can modify the protection state, and only through trusted software; ordinary users and their processes cannot change who may access what.

What characterizes a system that uses Discretionary Access Control (DAC)?

Under DAC the owner of an object can modify the protection state at their discretion, for example by granting other users access to their files.

What does an access control matrix represent?

It represents an access control policy as a table of subjects (processes) against objects (files), with each cell listing the operations the subject may perform on that object.

What flexibility do Access Control Lists (ACLs) provide over traditional user/group models?

ACLs attach to a file a list of (user or group, permissions) entries, so rights can be granted to arbitrary named users and groups beyond the single owner/group/other triple (setfacl and getfacl on Linux).

What information is stored for each user in an operating system regarding groups?

User ID (uid), primary group ID (gid), and the list of supplementary groups the user belongs to.

What are the three user IDs associated with each process?

Real user ID, effective user ID and saved user ID. (Linux additionally keeps a filesystem UID, normally equal to the effective UID.)

What three types of permissions can be assigned to a file?

Read (r), write (w) and execute (x), each set separately for the owner, the group and all others.

What is required to traverse a directory in a Linux file system?

Execute (search) permission on the directory. Read permission only allows listing its entries; execute without read still lets a process reach a file whose name it already knows.

When a process wants to access a file, what is the first check that occurs?

The kernel compares the process's effective UID with the file's owner. If they match, only the owner permission bits are consulted, even if the group or other bits would grant more; otherwise it tests group membership (effective GID and supplementary groups) and uses the group bits, falling back to the other bits. A process with CAP_DAC_OVERRIDE (root) bypasses the read and write bits entirely.
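
The decision described above, as an added example that is not from the quiz: a C model of the Unix permission check for a regular file, following the order the kernel uses (owner class, else group class, else other class, with CAP_DAC_OVERRIDE as the escape hatch). The struct names and the sample users, files and modes are constructed for the illustration; the bit layout (owner/group/other, rwx) is the real one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

enum { PERM_R = 4, PERM_W = 2, PERM_X = 1 };

typedef struct {
    uid_t owner;
    gid_t group;
    unsigned mode;          /* e.g. 0640: owner rw-, group r--, other --- */
} file_meta;

typedef struct {
    uid_t euid;
    gid_t egid;
    const gid_t *groups;    /* supplementary groups */
    size_t ngroups;
    bool cap_dac_override;  /* root, or a process holding CAP_DAC_OVERRIDE */
} proc_creds;

static bool in_group(const proc_creds *p, gid_t g) {
    if (p->egid == g) return true;
    for (size_t i = 0; i < p->ngroups; i++)
        if (p->groups[i] == g) return true;
    return false;
}

/* Returns true if the process may perform every operation in `want`
 * (a bitwise OR of PERM_R/PERM_W/PERM_X) on the file. */
bool unix_may_access(const file_meta *f, const proc_creds *p, unsigned want) {
    unsigned bits;

    /* Exactly one permission class applies, chosen in this order: owner,
     * then group, then other. The classes are never OR-ed together, so an
     * owner can be locked out of a file that everyone else may read. */
    if (p->euid == f->owner)
        bits = (f->mode >> 6) & 7;
    else if (in_group(p, f->group))
        bits = (f->mode >> 3) & 7;
    else
        bits = f->mode & 7;

    if ((bits & want) == want)
        return true;

    /* CAP_DAC_OVERRIDE bypasses the read/write bits; execute is still only
     * granted if at least one execute bit is set somewhere in the mode. */
    if (p->cap_dac_override) {
        if (!(want & PERM_X)) return true;
        return (f->mode & 0111) != 0;
    }
    return false;
}

/* Constructed sample data. */
const file_meta report  = { .owner = 1000, .group = 100, .mode = 0640 };
const file_meta dropbox = { .owner = 1000, .group = 100, .mode = 0007 };
const file_meta script  = { .owner = 1000, .group = 100, .mode = 0100 };
const gid_t alice_groups[] = { 100, 27 };
const proc_creds alice    = { .euid = 1000, .egid = 1000, .groups = alice_groups,
                              .ngroups = 2, .cap_dac_override = false };
const proc_creds bob      = { .euid = 1001, .egid = 100, .groups = NULL,
                              .ngroups = 0, .cap_dac_override = false };
const proc_creds eve      = { .euid = 1002, .egid = 1002, .groups = NULL,
                              .ngroups = 0, .cap_dac_override = false };
const proc_creds rootproc = { .euid = 0, .egid = 0, .groups = NULL,
                              .ngroups = 0, .cap_dac_override = true };
```

With dropbox (mode 0007) the owner alice cannot read her own file while the unrelated eve can, which is the "first check" point in practice: the owner match selects the owner bits and nothing else is consulted.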

What is the purpose of the setuid bit in Linux?

The setuid bit makes the kernel set the process's effective (and saved) UID to the owner of the program file when the program is executed, so an ordinary user runs it with the owner's privileges, typically root's, to reach resources the user could not access directly.

What distinguishes horizontal privilege escalation from vertical privilege escalation?

Horizontal privilege escalation is gaining the privileges of another unprivileged user; vertical escalation is obtaining root or kernel privileges.

How does the fork() function affect UID inheritance in a new process?

fork() creates a child that inherits the parent's real, effective and saved UIDs (and GIDs) unchanged. execve() also preserves them, unless the executed file has the setuid bit set, in which case the effective and saved UIDs become the file owner's.

What is virtual memory and how does it enhance memory management?

Virtual memory gives each process its own address space: the virtual addresses it uses are translated to physical addresses by the MMU. This isolates processes from one another (a process cannot even name another process's memory) and lets the kernel use physical memory efficiently through paging and sharing.

What role does the Memory Management Unit (MMU) play in virtual memory?

The MMU translates virtual addresses to physical addresses using the page tables the kernel sets up, and enforces the per-page permissions recorded there.

What is a local root exploit?

A local root exploit is an attack on a vulnerability that lets an unprivileged user who already has access to the system gain root rights on it.

Explain how setuid programs like 'su' and 'ping' use the setuid bit.

'su' is setuid root so that an ordinary user can authenticate and switch to another user, typically root. 'ping' was traditionally setuid root because opening a raw ICMP socket requires privilege; modern distributions instead grant it the CAP_NET_RAW file capability or use unprivileged ICMP datagram sockets, which narrows what a bug in ping could expose.

Why is memory access control important in an operating system?

Memory access control is fundamental to isolation: it prevents one process from reading or writing the memory of another process or of the kernel.

Describe the impact of context switches on the Translation Lookaside Buffer (TLB).

A context switch changes the active page tables, so cached translations for the old process must not be applied to the new one. Classically the TLB is flushed on every switch; modern CPUs tag entries with an address-space identifier (PCID on x86, ASID on ARM) so entries of several processes can coexist and a full flush is avoided.

What is the significance of PAM in user authentication for setuid programs?

PAM (Pluggable Authentication Modules) provides the framework through which setuid programs such as su and sudo authenticate the user before granting elevated privileges.

What is the primary goal of a Trusted Computing Base (TCB) in Linux?

To protect user processes from each other and to isolate the TCB itself from user processes.

How do loadable kernel modules benefit the Linux operating system?

They allow the kernel to be extended or modified at runtime without a reboot.

Explain the significance of file descriptors in Unix systems.

File descriptors are small integers indexing a per-process file descriptor table, through which processes reference open files, devices, pipes and sockets.

What is the consequence of a child process inheriting open file descriptors?

The child, and any program it later execs, can read from or write to those descriptors (files, sockets, pipes) even if it could never have opened them itself, for instance a privileged file opened before privileges were dropped. Descriptors that must not leak should be opened with O_CLOEXEC (or marked FD_CLOEXEC) or closed before exec.
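
An added example, not from the quiz, showing the leak and its fix in C: a pipe's write end is inherited across fork() and execve() by /bin/sh unless the descriptor carries FD_CLOEXEC. The function names are this example's own; it assumes a POSIX system with /bin/sh.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Forks and execs /bin/sh, which tries to write through descriptor `fd`.
 * Returns 1 if the exec'd program could use the inherited fd, 0 if the
 * shell found it closed, -1 if fork/wait failed. */
int execd_child_can_use_fd(int fd) {
    char cmd[64];
    snprintf(cmd, sizeof cmd, "echo probe >&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0) dup2(devnull, STDERR_FILENO); /* hide sh's EBADF message */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Leak: a plain pipe survives both fork() and execve(), so an unrelated
 * program started by the child inherits a write end it was never meant
 * to have. Returns 1 if the exec'd shell could write to it. */
int leaked_pipe_is_usable_after_exec(void) {
    int p[2];
    if (pipe(p) != 0) return -1;
    int r = execd_child_can_use_fd(p[1]);
    close(p[1]);
    close(p[0]);
    return r;
}

/* Fix: FD_CLOEXEC keeps the descriptor through fork() but execve() closes
 * it, so the shell sees only a closed fd. Returns 1 if the shell could NOT
 * use it. (pipe2(..., O_CLOEXEC) sets the flag atomically at creation.) */
int cloexec_pipe_is_closed_after_exec(void) {
    int p[2];
    if (pipe(p) != 0) return -1;
    if (fcntl(p[1], F_SETFD, FD_CLOEXEC) != 0) return -1;
    int r = execd_child_can_use_fd(p[1]);
    close(p[1]);
    close(p[0]);
    return r == 0;
}

/* Audit helper: is this descriptor marked close-on-exec? */
int fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags >= 0 && (flags & FD_CLOEXEC) != 0;
}
```

Setting the flag with a separate fcntl() call leaves a window in multithreaded programs where another thread can fork and exec between creation and marking; open(O_CLOEXEC), pipe2(O_CLOEXEC) and socket(SOCK_CLOEXEC) close that window.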

Describe the 'everything is a file' abstraction in Unix.

All resources, including devices (under /dev), process information (under /proc) and network connections, are exposed through the file interface, so the same open/read/write/close calls work on all of them.

What is a major advantage of a microkernel over a monolithic kernel regarding TCB size?

A microkernel keeps only a minimal set of services in the kernel, so the TCB is smaller and the attack surface exposed by vulnerabilities in privileged code is reduced.

How does access control (AC) function in a Unix system?

Access control restricts access to resources based on the permissions set for users and the processes that run on their behalf.

Name the system call used to close a file handle in Unix.

The system call is close().

What does the access() syscall check in Unix systems?

It checks whether the caller's real user ID (and real group ID) could access the file, rather than the effective IDs the kernel uses for an actual open. It was meant to let a setuid program ask "may the invoking user do this?", but checking and then opening is a time-of-check/time-of-use race: the path can be swapped for a symlink between the two calls.

What is the role of udev in the context of loadable kernel modules?

udev reacts to device events reported by the kernel and loads the matching driver module automatically (via modprobe, keyed on the device's modalias), so no manual insmod is needed for hot-plugged hardware.

Explain the tree hierarchy of directories in the Unix file system.

Files are organized logically in a hierarchy of directories that forms an inverted tree rooted at /.

What type of support do kernel modules not have in Linux?

Floating-point support: kernel code, modules included, may not freely use the FPU, because the kernel does not save and restore floating-point state for itself; any FPU use must be bracketed with kernel_fpu_begin()/kernel_fpu_end().

What is the purpose of the syscalls like open(), read(), and write() in Unix?

These syscalls let user processes interact with files and devices in a controlled manner, with the kernel checking permissions on each request.

What action is typically needed after modifying the OS kernel in traditional scenarios?

A reboot is typically required for the modified kernel to take effect.

Define the purpose of the init process in Linux.

init (PID 1) is the first user-space process, started by the kernel at boot. It starts and supervises system services, including the getty/login or display-manager processes that perform user authentication, and adopts orphaned processes.

What is the main purpose of the No Write-Down policy in security levels?

The No Write-Down rule (the *-property of the Bell-LaPadula confidentiality model) forbids a subject from writing to an object whose security level is lower than its own, so a process cleared for sensitive information cannot copy it into a place that less trusted processes can read.

Explain the difference between strong tranquility and weak tranquility in security levels.

Under strong tranquility the security levels of subjects and objects never change while the system runs; under weak tranquility they may change, as long as no change violates the security policy.

What is the significance of the Biba model in information integrity?

The Biba model protects integrity rather than confidentiality: a subject may not read objects of lower integrity (simple integrity, "no read down") and may not write to objects of higher integrity (*-integrity, "no write up"), so untrusted data cannot flow into trusted data.
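
The rules of the last three questions (No Write-Down, tranquility, Biba) as an added C example written for this page, not from the quiz: labels with a level and a compartment set, the dominance relation, the Bell-LaPadula and strict Biba checks, and the Biba low-water-mark variant as a concrete instance of weak tranquility. The level and compartment names are constructed.

```c
#include <stdbool.h>

/* A security label: a linearly ordered level plus a set of compartments
 * (bitmask). Label a dominates b when a's level is at least b's and a's
 * compartments include all of b's; levels alone are not enough. */
typedef struct { int level; unsigned cats; } label;

bool dominates(label a, label b) {
    return a.level >= b.level && (b.cats & ~a.cats) == 0;
}

/* Greatest lower bound of two labels (used by the low-water-mark rule). */
label meet(label a, label b) {
    label m = { a.level < b.level ? a.level : b.level, a.cats & b.cats };
    return m;
}

/* Bell-LaPadula (confidentiality): labels are clearances/classifications. */
bool blp_can_read(label subj, label obj)  { return dominates(subj, obj); } /* no read up   */
bool blp_can_write(label subj, label obj) { return dominates(obj, subj); } /* no write down */

/* Biba strict integrity: labels are integrity levels; the rules are the
 * duals of Bell-LaPadula. */
bool biba_can_read(label subj, label obj)  { return dominates(obj, subj); } /* no read down */
bool biba_can_write(label subj, label obj) { return dominates(subj, obj); } /* no write up  */

/* Biba low-water-mark variant: any read is allowed, but the subject's
 * integrity drops to the meet of the two labels. This is weak tranquility
 * at work: the subject's label changes during execution without violating
 * the policy, at the price of write access it had before the read. */
void biba_lwm_read(label *subj, label obj) { *subj = meet(*subj, obj); }

/* Constructed levels and compartments. */
enum { PUBLIC = 0, INTERNAL = 1, SECRET = 2 };
enum { CAT_HR = 1u << 0, CAT_CRYPTO = 1u << 1 };
const label lbl_public           = { PUBLIC, 0 };
const label lbl_secret_hr        = { SECRET, CAT_HR };
const label lbl_secret_hr_crypto = { SECRET, CAT_HR | CAT_CRYPTO };

/* Scenario: a high-integrity service reads an untrusted file and is then
 * no longer allowed to write its own high-integrity configuration.
 * Returns 1 if the policy behaves that way. */
int lwm_scenario(void) {
    label svc = { SECRET, CAT_HR }, config = { SECRET, CAT_HR };
    label untrusted = { PUBLIC, 0 };
    bool before = biba_can_write(svc, config);
    biba_lwm_read(&svc, untrusted);
    bool after = biba_can_write(svc, config);
    return before && !after;
}
```

The compartment check is the part most often forgotten: a SECRET/HR subject is not allowed to read a SECRET/HR+CRYPTO object even though the levels are equal.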

Describe how Linux Security Modules (LSMs) handle access control.

LSMs are hooks placed at security-critical points in the kernel (file opens, socket operations, process creation and so on); a loaded security module such as SELinux, AppArmor or Smack is consulted at each hook and can deny the operation, which lets the kernel support different security models without hard-coding one.

What is the primary function of a chroot jail?

A chroot jail changes the root directory of a process so that paths are resolved relative to the chosen directory and the rest of the file system is not reachable by name. It is not a security boundary against root: a process with CAP_SYS_CHROOT inside the jail can escape it (for example by chroot'ing into a subdirectory while holding a directory descriptor outside it), so the jailed process should drop privileges and the jail should contain no setuid binaries.

How does OS-level virtualization differ from traditional virtualization?

OS-level virtualization runs multiple isolated user-space instances on one shared kernel, whereas traditional virtualization presents each guest with a complete (virtual) hardware environment running its own kernel.

What role do namespaces play in containerization?

Namespaces restrict what a container can see of global resources (process IDs, mount points, network interfaces, hostname, IPC objects, user IDs), giving each container its own view and so process-level isolation on a shared kernel.

Define control groups (cgroups) in the context of Linux containers.

Cgroups limit and account for the resource usage (CPU, memory, I/O, number of processes) of groups of processes, so one container cannot starve the others.

What are the key components within the Android application layer?

Activities, Services, Broadcast Receivers and Content Providers.

Explain application isolation in the Android security framework.

Each app runs in its own process under its own Linux user ID, so the kernel's ordinary UID-based access control keeps its files and memory separate from other apps'; sharing happens only through explicit IPC and declared permissions.

What does paravirtualization require compared to full virtualization?

Paravirtualization requires the guest OS and its drivers to be modified so that nonvirtualizable instructions are replaced with hypercalls to the hypervisor; full virtualization runs an unmodified guest.

What are the potential security implications of using the setuid() function improperly?

Common mistakes: dropping privileges with seteuid() only (the saved UID remains 0, so the process can regain root with seteuid(0)); dropping the UID before the GID (setuid() first removes the privilege the later setgid()/setgroups() calls need); and not checking the return value, so that a failed setuid() leaves the program running as root while it believes it is unprivileged. Any of these can let an attacker who controls the program escape the intended privilege restriction.
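
An added example (not from the quiz) of the setuid()-related mistakes listed above done right, in C: permanent versus temporary privilege drop with every return value checked and the group/UID order preserved. Function names are this example's own; it assumes a Linux or BSD system (setgroups, saved set-user-ID semantics) and, to be meaningful, a setuid-root binary, though it also runs harmlessly as an ordinary user.

```c
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up a setuid-root program's elevated identity.
 * Order: supplementary groups, then GID, then UID. Calling setuid() first
 * would discard the privilege the group changes need, and every call is
 * checked because a silently failed setuid() leaves the process as root. */
int drop_privileges_permanently(void) {
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (geteuid() == 0) {
        /* only root may rewrite the supplementary group list */
        if (setgroups(1, &rgid) != 0) return -1;
    }
    /* From euid 0, setgid()/setuid() set the real, effective AND saved IDs,
     * which is what makes the drop irreversible; seteuid() would leave the
     * saved UID at 0 and allow seteuid(0) later. */
    if (setgid(rgid) != 0) return -1;
    if (setuid(ruid) != 0) return -1;

    /* Belt and braces: if we came from root, regaining it must now fail. */
    if (ruid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1;
    return 0;
}

/* Temporary drop for handling untrusted input (e.g. opening a user-supplied
 * path as the invoking user): the saved UID keeps root so the program can
 * come back. Never use this where the drop has to be permanent. */
int drop_privileges_temporarily(void) { return seteuid(getuid()); }
int regain_privileges(void)           { return seteuid(0); }

/* True when the process currently acts as its invoking user. */
int running_unprivileged(void) {
    return getuid() == geteuid() && getgid() == getegid();
}
```

Run as an ordinary user the calls are no-ops that still succeed, so the self-checks pass; the interesting behaviour (regain_privileges() failing after the permanent drop) is only observable in a binary that started with effective UID 0.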

How does the concept of hardware full virtualization address the limitations of software full virtualization?

Hardware full virtualization (Intel VT-x, AMD-V) adds a CPU operating mode reserved for the hypervisor, often described as "ring -1", so guest kernels run unmodified in ring 0 and sensitive instructions trap to the hypervisor. This removes the binary-translation machinery a software VMM needs and so makes the VMM smaller and simpler.

Flashcards

Pass the Hash Attack

A technique where an attacker steals a password hash and uses it to gain access to a system without needing the actual password.

NTLM

A challenge-response authentication protocol used for single sign-on in Windows networks, still common in many organizations despite known weaknesses (pass the hash, relay attacks).

Pluggable Authentication Modules (PAM)

A framework that provides a centralized authentication mechanism for various applications and programs on a system, making user authentication more modular and flexible.

PAM: Authentication

A PAM activity where the system verifies a user's identity using methods like passwords, tokens, or biometrics.

PAM: Account Management

A PAM activity that determines whether a user is authorized to log in after their identity has been verified. This involves checking user permissions.

Authentication

The process by which an entity proves its identity to the operating system, typically a user logging in, so that access to resources can be tied to that identity.

Authorization

The process of determining if an authenticated entity is allowed to perform an action on a resource.

System Call

A system call is a request from user space to the OS to perform a certain operation. It allows user programs to access privileged resources like hardware.

System Call Interface

A defined interface through which user programs interact with the operating system.

PAM control flag

A control flag used in PAM to specify how module failures should be handled.

requisite

Specifies that if a PAM module fails, the authentication process immediately stops and returns failure.

required

Specifies that if a PAM module fails, the authentication process continues but returns failure in the end.

Protection System

A fundamental concept in access control that defines what operations (like reading or writing) subjects (processes) can perform on objects (files). It's like a set of rules that govern how information is accessed.

Reference Monitor

A mechanism that enforces the access control specifications defined by the protection system. It acts as the gatekeeper, checking if a subject is allowed to access an object based on the defined rules.

Mandatory Access Control (MAC)

A type of access control where only trusted administrators can modify the protection state. This ensures that only authorized changes are made to the access rules.

Discretionary Access Control (DAC)

A type of access control where users can modify the protection state. This allows users to grant or deny access to their files based on their preferences.

Access Control Matrix

A table-like representation of access control policy. It lists subjects (processes) and objects (files) and defines what permissions subjects have on each object.

Access Control Lists (ACLs)

A method used to grant access permissions to specific users or groups for a file or directory. This flexibility allows for more granular control over file access.

User ID (uid)

A unique identifier assigned to every user for login purposes. This ID helps the operating system recognize and authenticate users.

Group ID (gid)

A unique identifier assigned to a group of users. This ID represents a collection of users with common permissions or interests.

Groups List

A set of groups that a user has access to. This includes the primary group and any additional groups the user belongs to.

Owner Permissions

The permissions granted to the owner of a file. This includes the ability to read, write, or execute the file.

What is the TCB in Linux?

The Trusted Computing Base (TCB) in Linux encompasses all code running in the Kernel space and certain privileged processes that are trusted to execute critical system operations.

What are Loadable Kernel Modules (LKMs)?

Loadable Kernel Modules (LKMs) allow the OS kernel to be modified at runtime, providing flexibility and extensibility.

Where do LKMs execute and what privileges do they have?

LKMs are loaded at runtime and execute in Kernel space (ring 0), granting them privileged access to system resources.

How do LKMs differ from regular applications?

A kernel module is not a typical application, as it doesn't execute sequentially or have automatic cleanup, and it cannot directly access user-space data or functions.

How are LKMs stored and loaded?

Modules are stored under /usr/lib/modules/<kernel release>/ (traditionally reached as /lib/modules/$(uname -r)/). They are loaded automatically at boot or on demand, or manually with insmod (one module file, no dependency handling) or modprobe (which also loads the module's dependencies).

How does the Unix file system organize data?

The Unix file system organizes persistent data on background storage into logical units called files.

What is the 'Everything is a file' concept in Unix?

Everything in Unix is represented as a file, including devices, processes, and network connections. This makes it possible to use the same tools and API for interacting with diverse resources.

What is a file descriptor?

File descriptors are integers used by the Kernel to keep track of open files and their associated resources.

How can file descriptors create security vulnerabilities?

When a new process is created, it inherits any open file descriptors from its parent. This can lead to security vulnerabilities if sensitive file descriptors are not closed before invoking a child process.

What are the standard file descriptors?

Standard Input (stdin), Standard Output (stdout), and Standard Error (stderr) are special file descriptors used for common input and output operations.

What is Access Control?

Access Control (AC) selectively restricts access to resources based on authorization rules.

How does Access Control work?

AC mechanisms authorize requests from subjects (e.g., users, processes) to perform operations on objects (e.g., files, sockets) based on specific rules.

What is a Trusted Computing Base (TCB)?

A trusted computing base (TCB) is a set of system components trusted to enforce security policies. It includes the operating system kernel, privileged processes, and hardware security mechanisms.

What are Loadable Kernel Modules (LKMs)?

Loadable kernel modules (LKMs) are small programs that can be loaded into the kernel at runtime, extending its functionality without requiring a system reboot.

What are File Descriptors?

File descriptors are integers used by the operating system to represent open files. They act as pointers to files, allowing the system to efficiently manage access to them.

Set-User ID (SUID) Bit

A special bit set in file permissions that allows a program to run with the privileges of the file owner, not the user running it.

Setting a Program's SUID

The process of granting a program the ability to execute with the privileges of the file owner (chmod u+s file), effectively letting it act as that user for every invoker.

Real UID

The user ID associated with the person who started a program (e.g., you).

Effective UID

The user ID the kernel actually checks when deciding whether the process may access a resource. Normally it equals the real UID; executing a program with the SUID bit set makes it the program owner's UID.

Privilege Escalation

The process of gaining elevated privileges beyond what the user normally has, such as accessing files or modifying system configurations.

Horizontal Privilege Escalation

A type of privilege escalation that involves obtaining the permissions of another user who doesn't have administrative rights.

Vertical Privilege Escalation

A type of privilege escalation that involves obtaining the highest level of privileges (usually root), giving the attacker full control over the system.

Virtual Memory Mapping

A technique used in operating systems to map addresses in a program's memory (virtual addresses) to physical memory addresses on the hardware.

Memory Page

A fixed-size block of memory used by the operating system to manage memory allocation and permissions.

Page Table

A table used by the MMU to translate virtual memory addresses to physical memory addresses.

Biba Model

A security model that focuses on protecting the integrity of information. It prevents data from being modified by unauthorized entities, ensuring that data remains accurate and reliable.

Simple Integrity Rule

A rule in the Biba model that prohibits a subject (user or process) from reading objects with a lower integrity level.

The *-Integrity Property

A rule in the Biba model that prohibits a subject from writing to an object with a higher integrity level.

Linux Security Modules (LSM)

A framework within the Linux kernel that allows for the implementation of different security models without compromising the kernel's integrity.

chroot Jail

A technique used to isolate processes within a specific directory on the file system, restricting their access to files outside that directory.

OS-Level Virtualization

A form of virtualization where multiple isolated user-space instances (containers) run on the same kernel. Containers share the host operating system's kernel but have their own file system.

Emulation

A technique for running a whole computer system in software, simulating the hardware environment and its behavior. Allows running unmodified operating systems, even from different architectures.

Virtualization

Running one or more guest operating systems on a software abstraction layer, the virtual machine monitor (VMM) or hypervisor, which multiplexes the physical hardware among them.

Software Full Virtualization

A type of virtualization where the kernel code is translated on the fly to run on a virtual machine. The guest operating system is unaware of its virtual environment.

Paravirtualization

A type of virtualization where the guest operating system and its drivers are specifically modified to interact with the virtualization layer.

Linux Containers (LXC)

Running multiple isolated Linux systems (containers) on a single control host, all sharing the host kernel. Achieved with namespaces and control groups.

Namespaces

A mechanism that restricts what a container can see, providing process-level isolation of global resources.

Control Groups (cgroups)

A mechanism that sets upper bounds on resources that can be used by a container, controlling resource allocation within groups.

Android Runtime

The environment in which Android applications execute, together with the core libraries: originally the Dalvik virtual machine, replaced by ART (Android Runtime) as the default from Android 5.0.

Android Sandboxing

A secure mechanism that ensures Android applications run in isolation, protecting system resources and user data.

Study Notes

Authentication

  • Authentication is the process of verifying the identity of an entity.
  • To manage access to resources, the operating system (OS) must first know who is asking for them.
  • Typical user authentication happens at login.
  • A login shell is created and mapped to the authenticated user.
  • Every program started from that shell runs under that user's identity.
  • Authentication failure scenarios include impersonation.

Authentication Methods

  • Authentication can be achieved through:
    • What you know: Passwords, challenge-response.
    • What you are: Biometrics (fingerprints, retina scans, voice recognition).
    • What you have: Tokens, smart cards.
  • Multi-factor authentication combines multiple methods (knowledge, possession, inherence) for enhanced security.
  • Each factor has its own failure mode (weak or reused passwords, forged biometrics, stolen or cloned tokens); these are addressed with strong-password policies, anti-counterfeiting techniques and tamper-proof hardware.

Unix Users

  • Unix accounts:
    • Root account: the superuser, user ID 0; performs system boot, user authentication, administration and network services, and has full access.
    • User accounts: provide interactive access to the system.
    • Account data lives in /etc/passwd (users), /etc/shadow (password hashes, readable only by root) and /etc/group (groups); accounts and their permissions are managed through these files or the tools that edit them (useradd, passwd, usermod).

Authentication Over The Network

  • Large corporate networks store user information centrally rather than on each machine.
  • A user can then log in to any machine in the network against one central directory.
  • Several protocols provide this network login across machines (NTLM and Kerberos in Windows domains are the examples used here).
  • The disadvantage of a central server is that it is a single point of failure, and a single high-value target.

PAM (Pluggable Authentication Modules)

  • PAM lets programs use a central authentication mechanism instead of each implementing its own.
  • Examples of PAM clients: SSH, GDM, LightDM, screen lockers, su, sudo.
  • PAM is a library used by many Unix applications for authentication.
  • PAM configuration is per service (one file per application under /etc/pam.d/), which gives administrators control over how login attempts are handled and which actions are authorized for each program.
  • PAM is typically used to control events such as login attempts or password changes; a stack of PAM modules controls each of those events.

Authorization

  • Authorization is the process of determining if an entity (X) is allowed to access a resource (Y).
  • The OS manages access to resources based on authorization rules.
  • Authorization is enforced by the privileged part of the system: non-privileged code asks the OS (through system calls) for the operations it needs, and the OS decides whether to carry them out.
  • Resources are protected by running the enforcing code in a separate, more privileged protection ring.
  • Ring 0 is the highest privilege level, with direct access to hardware; higher-numbered rings have less access.
  • An attacker in a less privileged ring (e.g. ring 3) tries to obtain the privileges of a more privileged ring (ring 0), which is the protected zone.

File Systems

  • The file system organizes persistent data on storage devices.
  • Files are logical units with names and associated information.
  • Directories organize files in a hierarchical tree structure.
  • System calls are the primary interface for interacting with the file system.

Access Control

  • Access control (AC) manages access to resources.
  • Access Control Lists (ACLs) are used to grant access permissions to users and groups.
  • An access control matrix represents an access control policy as a table of subjects (processes) against objects (files), each cell holding the permitted operations.
  • The two main policy types are mandatory access control (MAC), where only trusted administrators change the protection state, and discretionary access control (DAC), where users change it at their discretion.

Description

Test your knowledge on Pluggable Authentication Modules (PAM) and key operating system concepts. This quiz covers topics such as authentication management, system calls, and protection rings. Challenge yourself with questions that explore the intricacies of user authentication in modern operating systems.
