1. We're already spoken about access control in linux, but what other systems are there?
  2. In the unix-style access control, one weakness is that if one person has access to a reseource, they might be able to allow others to access that resource.
  3. "Mandatory Access Control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In practice, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, IO devices etc." - Wikipedia
  4. The key is that there is a central security policy administrator that makes decisions, and individual users cannot alther rights.
  5. This makes systems nearly unusable in a shared development environment, but you can certainly see in a deployed users-only environment, this would afford extra protections. Military systems with classified data typically use some sort of sinilar nechanism.
  6. Currently, formas of MAC exist in SELinux, and is an extra layer in Ubuntu (AppArmor) and Windows.
  7. RBAC
    1. Users are mapped to ROLES, which are mapped to then to resources.
    2. This makes sense in a corporate environment where people change jobs, or their jobs change responsibilities frequently. When a new person moves into a role, just that fact be noted, not update all the the individual permissions.
  8. Intrusion detection.
    1. If our security fails in some way, it would be great to know.
    2. If we find out soon enough, we can eject the attacker before any damages is done.
    3. We can observe the attacker to try and trace he source.
    4. We can figure out how he got in to strengthen our defenses.
    5. Setting one up is an art. False negatives mean we missed an attacker (which is bad) yet false positives mean we flag a valid user, which is also bad.
    6. Intrusion Detection can be done on the network, or on the host. Since this is OS, we're looking at the host.
    7. Monitor the system to detect suspicious bahovior. 2 Approaches:
      1. Anomally detection: apply statistical tests to behavior to see if it conforms to historical norms. Can either look at a global threshold, or have a model for each indivivual account profile.
      2. Not as useful against internal threats.
      3. Signature detection: store patterns of known attacks.
    8. Audits.
      1. Native. Most systems log activity, but this might not be in a useful format. Gravelling through lots a extra data slow.
      2. Detection specific - generate audits of information that is especially useful. We try do break a single command into substeps, and record: subject, action, object, exceptions, resources used and time stamp.
      3. So a copy command has an execute step, a read step and a write step.
      4. This way we can easily break down activity by type OR OBJECT.
  9. Malware defense.
    1. Anti-virus. Don't let a virus get on the system. if it does, detect, identify and remove.
      1. Signature detection. The basic model for detection is to keep a database of unique identifiers of all known viruses, and scan for those byte sequences. Unfortunately, virus makes were long ago on the that scheme, so they began to encrypt the virus as it was installed in an executable.
      2. Generic Decryption. Whne a process is to be run, run it in simulation first, let the virus decrypt itself, and then comepare to db. slow. Slow. SLOW!!!
      3. Digital immune system (Symmantec)
      4. Behavior blocking. Just don't let programs perform certain actions, like modifying other programs. Of course, then some things become hard. Sandbox the offender until administrator can take a look.
    2. Worm countermeasures. Very similar to virus.
      1. Signature of scan patterns.
      2. Signatures in incomming packets.
      3. Payload classification.
      4. Looking for randomness in scans.
      5. limiting outbound traffic from hosts that scan too much.
      6. Shutting donw network for hosts that scan too much.
    3. Rootkit countermeasures.
      1. Once a rootkit is successfull, badguy can erase traces of rootkit.
      2. Signatures can work, if you scan at the right time.
      3. Look for interference in system calls.
      4. Scan hashes of files to saved hashes to see if they've been modified.
      5. Only secure response is complete reinstall from scratch.