Post on 13-Dec-2015
Topic 5a: Operating System Fundamentals
What is an operating system?
• a computer comprises various types of software
  • device drivers (storage, I/O, etc.)
  • process and control software
  • memory management
  • user interface software
  • utility software
  • application software
Early computers (1940s-1960s) required all of these types of software to be loaded every time an application was run
• this was early 'batch' processing
The 'operating system' became the set of software that
  • initializes the computer
  • runs diagnostic checks
  • provides for device management
  • prepares the computer for an application
As operating systems evolved through the 1960s-1980s they gained more functions
  • provide a graphical user interface
  • provide a set of user utility programs
  • manage multiple processes and users
  • provide network functionality
  • some operating systems are special-purpose
An important base function of the operating system is to provide an interface between the application software and the hardware
• today, this set of low-level OS functions is called the OS 'kernel'
• an OS kernel is typically always kept in memory, for greatest speed
• many OSs today are built on top of the Linux kernel, or some variation
There are many operating systems - not all are current
• the forensics examiner must be on the lookout for older, obsolete operating systems
• a criminal might try using these hoping to thwart an investigation
Here is a listing of scores of operating systems with pointers to more information
http://en.wikipedia.org/wiki/List_of_operating_systems
The most important operating systems for the forensic examiner today are:
- Microsoft Windows (and DOS)
- Macintosh OS X
- Unix/Linux
- Android
- Apple iOS
many forensics labs will need to have hardware and software to deal with these
there may be the occasion to locate hardware/software for an older OS
• example: OS-9, a Unix-like OS for 8-bit Motorola 6809-based micros
As much as 50% of all system vulnerabilities are in the OS
• system devices such as routers, IDSs and firewalls also have operating systems
• the most effective mitigation strategy is to
  • harden the OS
  • ensure that security patches are installed as soon as they are available
Hardening an operating system
- installation/configuration measures that can reduce the OS exposure
- closing unneeded ports
- turning off (or not installing) unneeded services
- removing auto-response banner messages
- note: there are many more hardening steps – most of these are OS or application specific
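An added example (not part of the lecture notes) of how the first two hardening steps can be checked on a Linux host: listening sockets, in the format printed by `ss -tulnp`, are compared against an allowlist of services the host is meant to expose. The sample output and the allowlist are constructed for the example.

```python
"""Audit listening sockets against an allowlist of expected services.

Added example, not from the original lecture notes. The input format mimics
`ss -tulnp` on Linux; the sample lines below are constructed, not captured.
"""
import re

# Constructed sample of `ss -tulnp` output (not from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=811,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*         users:(("nginx",pid=902,fd=6))
tcp   LISTEN 0      50     0.0.0.0:23        0.0.0.0:*         users:(("inetd",pid=300,fd=4))
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*         users:(("snmpd",pid=455,fd=7))
tcp   LISTEN 0      128    127.0.0.1:5432    0.0.0.0:*         users:(("postgres",pid=1200,fd=5))
"""

# Services this host is supposed to expose (an assumption for the example).
ALLOWED = {("tcp", 22), ("tcp", 80)}

_LINE = re.compile(r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_ss(output):
    """Return (proto, bind_addr, port, process) for each socket line."""
    sockets = []
    for line in output.splitlines()[1:]:  # skip the header row
        m = _LINE.match(line)
        if m:
            proto, addr, port, proc = m.groups()
            sockets.append((proto, addr, int(port), proc))
    return sockets

def unexpected_exposure(output, allowed=ALLOWED):
    """List network-reachable sockets that are not on the allowlist.

    Loopback-only sockets are skipped: they are not reachable from the network,
    so they are not candidates for 'closing unneeded ports'.
    """
    findings = []
    for proto, addr, port, proc in parse_ss(output):
        if addr in ("127.0.0.1", "::1"):
            continue
        if (proto, port) not in allowed:
            findings.append(f"{proto}/{port} ({proc}) listens on {addr} but is not on the allowlist")
    return findings
```

Each finding names the process to stop or uninstall, which is the 'turning off unneeded services' step rather than just blocking the port.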
patch management
- applying security patches as soon as they are available
- servers, network appliances, workstations, etc.
- having a back-out (rollback) strategy if needed
- many applications may need to be tested after a patch is applied
- zero-day vulnerability - one for which a patch is not available
Processes (tasks) and states
- early computers were single-process systems
- they could only run a single program (task) at a time
- the DOS operating system worked like this
- switching tasks had to be done manually
Processes (tasks) and states
- later computer operating systems introduced the concept of multi-processing (multi-tasking)
- a single user could have multiple tasks running simultaneously
- a given task could have multiple sub-tasks (threads)
- the OS manages process memory (memory management) and other resources and switches between tasks as needed
- for example, listening to music while writing a paper while having a chat window open while having a browser window open
Process (task) management requires that the OS properly handle the memory/resource management of the various tasks and threads
- various ways to do this include system calls, message passing, stacks/heaps
Processes have various states
- running, waiting, created, terminated, etc.
- the process management function of the OS ensures that memory is adjusted, that resources are available, and that processes run when appropriate
Process privilege and priority
- some processes require greater privileges (such as root or administrator)
- this should be done only when absolutely needed
- a popular way to attack a system is to exploit a vulnerability in a process that has root privs
- using an LPA is one way to restrict privileges
- sandboxing is another approach
Processes may be prioritized
- real-time processes typically have greater priority
- note: process management today is typically called 'task' management
- the early term for computers able to manage multiple tasks on a single processor was 'multi-processing'
- today we call it 'multi-tasking'
- multi-processing is used to describe situations where there are multiple CPUs available
Memory management
- process/task management requires that the memory associated with a task be available in the address space where it is requested
- one can think of this as like a sliding window
- memory may be swapped to/from storage
- this is called virtual memory - gives the illusion of having more real memory than you actually have
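An added example (not from the lecture notes) that simulates the 'sliding window' just described: a tiny address space of 8 pages is backed by only 2 frames of real memory, and pages are swapped to and from a backing store with least-recently-used eviction. The page size and frame counts are assumed purely for illustration.

```python
"""Toy demand-paging simulator with a swap area and LRU eviction.
Added example, not from the lecture notes; all sizes are assumed."""
from collections import OrderedDict

PAGE_SIZE = 4      # bytes per page (tiny, so the trace is readable)
PHYS_FRAMES = 2    # frames of real memory: 8 bytes physical
VIRT_PAGES = 8     # pages of address space: 32 bytes virtual

class VirtualMemory:
    def __init__(self):
        self.swap = {p: bytearray(PAGE_SIZE) for p in range(VIRT_PAGES)}  # backing store
        self.frames = OrderedDict()   # resident pages, least recently used first
        self.page_faults = 0

    def _load(self, page):
        """Make `page` resident, evicting the least recently used page if needed."""
        if page in self.frames:
            self.frames.move_to_end(page)          # mark as most recently used
            return
        self.page_faults += 1
        if len(self.frames) >= PHYS_FRAMES:
            victim, data = self.frames.popitem(last=False)
            self.swap[victim] = data               # write the victim back to swap
        self.frames[page] = bytearray(self.swap[page])  # read the page in

    def _translate(self, vaddr):
        """Split a virtual address into (page number, offset); reject out-of-range addresses."""
        if not 0 <= vaddr < VIRT_PAGES * PAGE_SIZE:
            raise IndexError(f"virtual address {vaddr} is outside the address space")
        return divmod(vaddr, PAGE_SIZE)

    def write(self, vaddr, value):
        page, offset = self._translate(vaddr)
        self._load(page)
        self.frames[page][offset] = value

    def read(self, vaddr):
        page, offset = self._translate(vaddr)
        self._load(page)
        return self.frames[page][offset]

def demo():
    """Write one byte into every virtual page, then read them all back.
    Only 2 frames exist, yet all 32 virtual bytes survive: the rest live in swap."""
    vm = VirtualMemory()
    for p in range(VIRT_PAGES):
        vm.write(p * PAGE_SIZE + 1, p + 100)
    values = [vm.read(p * PAGE_SIZE + 1) for p in range(VIRT_PAGES)]
    return values, vm.page_faults
```

With this access pattern every write and every read faults (16 faults for 16 accesses), which is the cost of the illusion: the data is all there, but much of it has to be fetched from storage.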
File systems
- this determines how the bits of files are mapped onto storage devices.
- examples include FAT, NTFS, EXT3, etc.
- it is extremely relevant to cyber-forensics, since file system features (like slack space) can be exploited to hide data
- we will cover file systems in more detail in subsequent topics
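An added example (not from the lecture notes) of the slack-space feature just mentioned, from the examiner's side: given a cluster size and a file's starting cluster and length, it computes how many bytes of slack the file leaves in its last cluster and extracts that region from a disk image. The image is a constructed byte string and the 16-byte cluster size is assumed so the layout is visible; real FAT/NTFS clusters range from 512 bytes to 64 KiB.

```python
"""Compute and extract file slack on a cluster-based file system (FAT/NTFS style).

Added example, not from the lecture notes. The disk image below is a
constructed byte string, and the cluster size is assumed for illustration.
"""

CLUSTER_SIZE = 16  # assumed for the example

def slack_bytes(file_size, cluster_size=CLUSTER_SIZE):
    """Bytes between the logical end of the file and the end of its last cluster."""
    if file_size == 0:
        return 0
    return (-file_size) % cluster_size

def clusters_needed(file_size, cluster_size=CLUSTER_SIZE):
    """Number of whole clusters allocated to hold `file_size` bytes."""
    return (file_size + cluster_size - 1) // cluster_size

def extract_slack(image, first_cluster, file_size, cluster_size=CLUSTER_SIZE):
    """Return the slack region of a file stored in contiguous clusters.

    Normal file I/O never touches this region, so it can hold remnants of an
    earlier file or data deliberately placed there; an examiner reads it directly.
    """
    start = first_cluster * cluster_size
    logical_end = start + file_size
    alloc_end = start + clusters_needed(file_size, cluster_size) * cluster_size
    return image[logical_end:alloc_end]

def build_sample_image():
    """Constructed 4-cluster image: cluster 0 reserved, file in clusters 1-2, cluster 3 free.
    Returns (image, first_cluster, file_size)."""
    content = b"forensics lecture notes"   # 23 bytes -> 2 clusters, 9 bytes of slack
    hidden = b"HIDDENKEY"                  # exactly fills the slack of the last cluster
    image = bytes(CLUSTER_SIZE) + content + hidden + bytes(CLUSTER_SIZE)
    return image, 1, len(content)
```

Reading the file through the file system returns only the 23 content bytes; only a cluster-level read of the image reveals what sits in the remaining 9.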
Virtualization
- this refers to running an instance of an operating system as a process
- possible since, in theory, any UTM (Universal Turing Machine) can simulate any other UTM
- for example, running Mac OS X in a VM on a Windows computer, or running Ubuntu Linux in a VM on a Windows computer
Virtualization:
- the actual program run is called a 'virtual machine'
- it is a simulation of a processor, with specific resources
- the OS is installed on the virtual machine
- the program that creates or manages VMs is called a 'hypervisor'
- virtualization has many uses in cyber-forensics; we will discuss this in greater depth later
Fundamental security design principles:
- domain separation
  - separating tasks from resources
  - the hypervisor or OS mediates resource access
  - sandboxing is an example of this
Fundamental security design principles:
- process isolation
  - preventing processes/tasks from communicating with each other or sharing resources such as memory
- resource encapsulation
  - methods used to protect a resource, for example specific system calls and specific privilege requirements