Operating Systems 15 - security PIETER HARTEL
Contents
• Authentication
  • Passwords
  • Tokens
  • Biometrics
• Access control
  • Policies
  • Mechanisms
• Auditing
  • Logs
  • Intrusion detection
Passwords
• Why the salt?
• Salt: two characters of hashed password; 4096 possibilities
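Added example (not from the slides): a small model of the classic password-file scheme, showing what the two-character salt buys. SHA-256 from hashlib stands in for crypt(3), which is an assumption; the 64-symbol salt alphabet and the 4096 figure are the ones the slide refers to.

```python
import hashlib
import os
import string

# Classic crypt(3) salt alphabet: 64 symbols, two of them -> 64**2 == 4096 salts
SALT_ALPHABET = string.ascii_letters + string.digits + "./"
N_SALTS = len(SALT_ALPHABET) ** 2          # 4096, the figure on the slide


def hash_password(password: str, salt: str = "") -> str:
    """Stand-in for crypt(3) (assumption): SHA-256 over salt+password.
    The salt is stored in clear in front of the digest, as /etc/passwd
    did with the first two characters of the hashed password field."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + digest


def new_salt() -> str:
    """Two random characters from the 64-symbol alphabet."""
    return "".join(SALT_ALPHABET[b % 64] for b in os.urandom(2))


def make_entry(password: str) -> str:
    """What the system stores when a user sets a password."""
    return hash_password(password, new_salt())


def verify(password: str, stored: str) -> bool:
    """Login check: take the salt from the stored entry, re-hash, compare."""
    return hash_password(password, stored[:2]) == stored


def reuse_visible(entry_a: str, entry_b: str) -> bool:
    """Does the password file alone reveal that two users chose the same
    password? Always for unsalted hashes; only by a 1-in-4096 salt
    collision for salted ones."""
    return entry_a == entry_b


def table_entries(dictionary_size: int, salted: bool) -> int:
    """Size of a precomputed hash->word table covering a dictionary: the salt
    forces one entry per (word, salt) pair, i.e. 4096 times more work."""
    return dictionary_size * (N_SALTS if salted else 1)


if __name__ == "__main__":
    alice, bob = make_entry("letmein"), make_entry("letmein")   # constructed
    print("unsalted entries equal:",
          reuse_visible(hash_password("letmein"), hash_password("letmein")))
    print("salted entries equal:  ", reuse_visible(alice, bob))
    print("login ok:", verify("letmein", alice), "wrong pw:", verify("LetMeIn", alice))
    print("table, 100000 words, unsalted:", table_entries(100_000, False),
          "salted:", table_entries(100_000, True))
```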
Reading the password file
• Output?
• gcc Getpwent.c
• ./a.out | more
• Is there a memory leak?
• ls -l /etc/shadow /etc/passwd

```c
#include <stdio.h>
#include <pwd.h>
#include <sys/types.h>

int main(int argc, char *argv[])
{
    struct passwd *p;

    /* getpwent() walks the password database one entry at a time;
       see man 3 getpwent for who owns the struct it returns */
    while ((p = getpwent()) != NULL) {
        printf("%s:%s:%u:%u:%s:%s:%s\n",
               p->pw_name, p->pw_passwd,
               (unsigned)p->pw_uid, (unsigned)p->pw_gid,
               p->pw_gecos, p->pw_dir, p->pw_shell);
    }
    endpwent();   /* close the password database */
    return 0;
}
```
Tokens
• Advantages
  • Generally stronger than passwords
• Disadvantages
  • May require special hardware
  • Can be lost
• Authentication protocol
  • Static
  • Dynamic password generator
  • Challenge response
Biometrics
[Jai00] A. K. Jain, L. Hong, and S. Pankanti. Biometric identification. Commun. ACM, 43(2):90-98, Feb 2000. http://doi.acm.org/10.1145/328236.328110
Access control policies
• Policy types
  • Discretionary
  • Mandatory
  • Role based
Discretionary access control mechanisms (for “files”)
• Enforcement by the reference monitor
• The matrix is usually sliced (why?)
  • Access control list per object
  • Capabilities per subject
Role based access control
• Group users by role
• Encourage users to switch role
• Principle of least privilege
Monitoring logins
• last
• gcc Lastlog.c
• ./a.out lecturer student
• Is there a problem?
• man 5 lastlog
• ls -l /var/log/lastlog

```c
#include <stdio.h>
#include <time.h>
#include <pwd.h>
#include <utmp.h>      /* struct lastlog: ll_time, ll_line, ll_host */

#define llsz sizeof(struct lastlog)

int main(int argc, char *argv[])
{
    FILE *fp = fopen("/var/log/lastlog", "r");
    int i;

    if (fp == NULL) {
        perror("/var/log/lastlog");
        return 1;
    }
    for (i = 1; i < argc; i++) {
        struct passwd *p = getpwnam(argv[i]);
        if (p == NULL) {
            printf("unknown user: %s\n", argv[i]);
        } else {
            struct lastlog ll;
            time_t t;
            /* the file is indexed by uid: the record for uid n starts at byte n*llsz */
            fseek(fp, p->pw_uid * llsz, SEEK_SET);
            if (fread(&ll, llsz, 1, fp) != 1) {
                printf("%s: no lastlog record\n", argv[i]);
                continue;
            }
            t = ll.ll_time;   /* ll_time is a 32-bit field; ctime() wants a time_t */
            /* ll_line and ll_host need not be NUL-terminated, so bound the prints */
            printf("%s %.*s %.*s %s", argv[i],
                   (int)sizeof ll.ll_line, ll.ll_line,
                   (int)sizeof ll.ll_host, ll.ll_host, ctime(&t));
        }
    }
    fclose(fp);
    return 0;
}
```
Summary
• Authentication and access control try to prevent problems
• Auditing tries to detect problems
• Technology is only part of the problem
• Mechanism and policy