Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCD 303 Essential Computer Security Spring 2013 Lecture 8 - Desktop Security OS Security Compared Reading: See References.

Published byDelilah Morris Modified over 8 years ago

Similar presentations

Presentation on theme: "CSCD 303 Essential Computer Security Spring 2013 Lecture 8 - Desktop Security OS Security Compared Reading: See References."— Presentation transcript:

1 CSCD 303 Essential Computer Security Spring 2013 Lecture 8 - Desktop Security OS Security Compared Reading: See References

2 Overview Briefly, Overview of Linux Security OS Vulnerabilities Linux Windows Max OS X

3 Linux Security Model Linux’s traditional security model is – People or processes with “root” privileges can do anything – Other accounts can do much less Hence attacker’s goal – Get root privileges !!!!

4 File System Security In Linux everything is a file I/O to devices is via a special file – Example: /dev/cdrom allows access to the cdrom drive which is a special file Have other special files like named pipes – A conduit between processes / programs Since almost everything is a file – security very important

5 Users and Groups Users and Groups are not files Users – Someone or something capable of using files – Can be human or process – e.g. lpd (Linux Printer Daemon) runs as user lp Groups – List of user accounts – User’s main group membership specified in /etc/passwd – User can be added to additional group by editing /etc/group – Command line -> useradd, usermod, and userdel

6 User's details are kept in /etc/password maestro:x:200:100:Maestro Edward Hizzersands:/home/maestro:/bin/bash x in password file means password is stored in the shadow file Entry in /etc/shadow password file maestro:$1$fnfffc$pGteyHdicpGOfffXX4ow# 5:13064:0:99999:7::: Additional group details in /etc/group conductors:x:100: pianists:x:102:maestro,volodya Users and Groups

7 File Permissions Files have two owners: a user & a group – Each with its own set of permissions – With a third set of permissions for other Permissions are to read/write/execute in order user/group/other rw-rw -r-- 1 maestro user 35414 Mar 25 01:38 baton.txt Permission can be changed using chmod command

8 8 8 ACL:Default Permission and Abbreviation Example: UNIX  Three classes of users: owner, group, all others

9 Directory Permissions Permissions on folder slightly works different – read = list contents – write = create or delete files in directory – execute = use anything in or change working directory to this directory drwxr-x--- 8 biff drummers 288 Mar 25 01:38 extreme_casseroles

10 Comparing Operating Systems Researchers have spent a lot of time studying vulnerabilities in operating systems Which is better? Linux vs. Windows vs. Mac? Who has the fewest serious vulnerabilities? Other metric used -- how many successful attacks on a particular OS

11 Windows Design Flaws/Poor Design Decisions Windows has evolved from a single-user design to a multi-user model few years back Windows is monolithic, not modular, by design Windows depends too heavily on an RPC model Windows focuses on its familiar graphical desktop interface

12 Windows Evolved from Single-User Design to multi-user model Windows has long been hampered by its origin as Single-user system – Windows originally designed to allow both users and applications free access to entire system, which means anyone could tamper with a critical system program or file Windows XP was the first version of Windows to reflect a serious effort to isolate users from the system, Users each have their own private files and limited system privileges – This caused many legacy Windows applications to fail – Solution: Windows XP includes a compatibility mode - a mode that allows programs to operate as if they were running in the original insecure single-user design

13 Linux Based on Multi-User Design Linux does not have a history of being a single-user system – Has been designed from ground-up to isolate users from applications, files and directories that affect entire operating system Each user is given a user directory All of user’s data files and configuration files are stored – When a user runs an application, such as a word processor, that word processor runs with restricted privileges of the user

14 National Vulnerability Database Classifies and organizes reported vulnerabilities for various software programs and systems Mitre has the contract to maintain this database http://web.nvd.nist.gov/view/vuln/search?execution=e2s1 You can search this database for all the vulnerabilities associated with a system

15 Evaluation: Windows Vs. Linux Vulnerabilities The United States Computer Emergency Readiness Team (CERT) uses its own set of metrics to evaluate severity of any given security flaw Query CERT vulnerabilities notes database for “Windows” and “Linux” keywords to examine metrics for 40 most recent reported vulnerabilities A number between 0 and 180 expresses final metric, where number 180 represents the most serious vulnerability The ranking is not linear – In other words, a vulnerability ranked 100 is not twice as serious as a vulnerability ranked at 50 CERT considers any vulnerability with a score of 40 or higher to be serious enough to be a candidate for a special CERT Advisory and US-CERT technical alert

16 National Vulnerability Database Classifies and organizes reported vulnerabilities for various software programs and systems Mitre has the contract to maintain this database http://web.nvd.nist.gov/view/vuln/search?execution=e2s1

17 CERT: Query Result for Keyword “Microsoft”

18 CERT: Query Result for Keyword “Microsoft” (continued)

19 CERT: Query Result for Keyword “Linux”

20 CERT: Query Result for Keyword “Linux” (continued)

21 CERT: Evaluation of Query Results for Microsoft and Linux CERT web search capabilities do not produce perfectly desirable results in terms of granularity or longevity – Especially True for Linux The “Linux” search results include a number of Oracle security vulnerabilities that are common to Linux, UNIX, and Windows – In Top 40 CERT results for “Microsoft”, Top entry containing the severity metric of 78 5 entries have a severity rating of 40 or greater – In Top 40 CERT results for Linux Top entry containing the severity metric of 26.52 None other entry have a severity rating 27 or greater

22 Vulnerabilities http://blogs.zdnet.com/security/?p=758 Recent years, lots of comparisons – 2007 brought improved security with Windows Vista and Mac OS X Leopard – Compiled security flaws in Mac OS X and Windows XP and Vista and placed them side by side – Vulnerability statistics from third party vendor Secunia and broke them down by Windows XP flaws, Vista flaws, and Mac OS X flaws

23 Table of Flaws Windows vs. Mac Windows XP, Vista, and Mac OS X vulnerability stats for 2007 XP Vista XP + Vista Mac OS X Total extremely critical 3 1 4 0 Total highly critical 19 12 23 234 Total moderately critical 2 1 3 2 Total less critical 3 1 4 7 Total flaws 34 20 44 243 Average flaws/month 2.8 1.7 3.7 20.3

24 Analysis of Data Apple had more than 5 times number of flaws per month than Windows XP and Vista in 2007 – Most of these flaws were serious – This seems to go against conventional wisdom Noteworthy... – Windows Vista showed fewer flaws than Windows XP, Windows Defender and Sidebar added 4 highly critical flaws to Vista that weren’t present in Windows XP

25 Update - Pwn2Own 2009 Want to guess the results of 2009? – Charlie Miller has done it again – 2nd consecutive year, security researcher hacked into a fully patched MacBook computer by exploiting a security vulnerability in Apple’s Safari browser – Miller launched his drive-by attack and claimed the $10,000 top prize. He also got to keep the MacBook machine – Miller said he came to the CanSecWest security conference with a plan to hack into Safari and had tested the exploit carefully to ensure “it worked the first time.” http://www.zdnet.com/blog/security/pwn2own-2009-safarimacbook- falls-in-seconds/2917 Current results https://en.wikipedia.org/wiki/Pwn2Own

26 Microsoft Vulnerabilities http://www.sans.org/top-cyber-security-risks/#trends September 2009 For past six months, over 90% of the attacks recorded for Microsoft targeted the buffer overflow vulnerability described in the Microsoft Security Bulletin MS08-067

27 References The Register Security Report: Linux vs. Windows http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_li nux/#execsummary http://blog.loaz.com/timwang/index.php/2008/03/30/security_vulnerabilit y_showdown_mac_os_v Security vulnerability showdown, Mac vs. Linux vs. Ubuntu http://blog.loaz.com/timwang/index.php/2008/03/30/security_vuln erability_showdown_mac_os_v IBM report: Vulnerabilities still going unpatched http://news.cnet.com/8301-1009_3-10154662-83.html Mac versus Windows vulnerability stats for 2007 http://blogs.zdnet.com/security/?p=758

28 The End

Download ppt "CSCD 303 Essential Computer Security Spring 2013 Lecture 8 - Desktop Security OS Security Compared Reading: See References."

Similar presentations

Operating-System Structures

Operating-System Structures
What is an operating system? Is it software?

What is an operating system? Is it software?
Objectives Overview Define an operating system

Objectives Overview Define an operating system
SC ICT Certification Level 1 02 Operating Systems By Ross Parker.

SC ICT Certification Level 1 02 Operating Systems By Ross Parker.
Upgrading Software CIT 1100 Chapter4.

Upgrading Software CIT 1100 Chapter4.
Chapter One The Essence of UNIX.

Chapter One The Essence of UNIX.
CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:

CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:
Understanding Operating Systems 1 Overview Introduction Operating System Components Machine Hardware Types of Operating Systems Brief History of Operating.

Understanding Operating Systems 1 Overview Introduction Operating System Components Machine Hardware Types of Operating Systems Brief History of Operating.
Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.

Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.
Guide To UNIX Using Linux Third Edition

Guide To UNIX Using Linux Third Edition
Installing Windows XP Professional Using Attended Installation Slide 1 of 41Session 2 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.

Installing Windows XP Professional Using Attended Installation Slide 1 of 41Session 2 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.
Based on material from Computer Security, by Stallings and Brown

Based on material from Computer Security, by Stallings and Brown
Operating Systems & File Management. What is an operating system?

Operating Systems & File Management. What is an operating system?
Unix Presentation. What is an Operating System An operating system (OS) is a program that allows you to interact with the computer -- all of the software.

Unix Presentation. What is an Operating System An operating system (OS) is a program that allows you to interact with the computer -- all of the software.
Operating System.

Operating System.
SOFTWARE.

SOFTWARE.
Chapter 3  Manage the computer’s resources ◦ CPU ◦ Memory ◦ Disk drives ◦ Printers  Establish a user interface  Execute and provide services for applications.

Chapter 3  Manage the computer’s resources ◦ CPU ◦ Memory ◦ Disk drives ◦ Printers  Establish a user interface  Execute and provide services for applications.
Network and Active Directory Performance Monitoring and Troubleshooting NETW4008 Lecture 8.

Network and Active Directory Performance Monitoring and Troubleshooting NETW4008 Lecture 8.
Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.

Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.
Section 6.1 Explain the development of operating systems Differentiate between operating systems Section 6.2 Demonstrate knowledge of basic GUI components.

Section 6.1 Explain the development of operating systems Differentiate between operating systems Section 6.2 Demonstrate knowledge of basic GUI components.

Similar presentations

Ads by Google