Lecture 11: Sys Admin-B • Windows Registry • File Integrity • fsck (Linux; chkdsk is the Windows counterpart)
Windows Registry • Used for system and program configuration • Not forced, just available • E.g., .NET Framework applications typically keep their settings in XML config files instead • Implemented as a hierarchical database (hive files on disk, e.g. SAM, SECURITY, SOFTWARE and SYSTEM under %SystemRoot%\System32\config, NTUSER.DAT in each profile) • Allows atomic operations • Why would we need these? • Multiple processes modify the database concurrently; a half-written value must never become visible
Windows Registry • Contains key/value pairs • Some keys contain sub-keys, sub-sub-keys, etc. • Each value has a type (REG_SZ, REG_DWORD, REG_BINARY, …) • How do we access it? • regedit.exe (GUI, also exports .reg files) • reg.exe from the command line (reg query, reg add, reg export) • Get-ItemProperty / Set-ItemProperty in PowerShell • The Win32 API (RegOpenKeyEx, RegQueryValueEx) from programs • It naturally gets cluttered over time • Some tools claim to clean it; their benefit is doubtful and they can break installed software
Windows Registry • So what's in it? • System config settings • Program settings • Device driver configuration • Usernames and password hashes • Stored as the output of a one-way function (OWF), not as recoverable plaintext, in the SAM hive • Anyone who can read the SAM and SYSTEM hives can extract those hashes and crack or replay them, so access to the hive files matters as much as the hashing • We need to be very careful editing the registry • One mistake can make the OS unbootable • Export the key first (regedit File > Export, or reg export) so you can restore it
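One practical way to work with the key/value/sub-key structure described above without touching a live registry is to parse a regedit or `reg export` dump and diff it against an earlier one, which is how you audit an autorun key for unexpected changes. This is an added example, not code from the lecture or from Microsoft. It assumes the .reg text has already been decoded to a Python string (real exports are UTF-16LE with a BOM, so open them with `encoding="utf-16"`); the `ExampleCorp\Agent` key, the user name and the `Updater` entry are constructed for the sample.

```python
"""Parse .reg export text and diff one key between two exports (added example)."""
import re

_ENTRY = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')   # "name"=value  or  @=value (the default value)

def _unescape(s):
    """Undo .reg string escaping: backslash-backslash -> backslash, backslash-quote -> quote."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1]); i += 2
        else:
            out.append(s[i]); i += 1
    return "".join(out)

def _parse_value(raw):
    raw = raw.strip()
    if raw == "-":                                   # "name"=-  deletes the value on import
        return ("delete", None)
    if raw.startswith('"'):
        return ("REG_SZ", _unescape(raw[1:-1]))
    if raw.startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)    # hex:, hex(2): (REG_EXPAND_SZ), hex(7): (REG_MULTI_SZ)
    if m:
        kind = {None: "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ"}.get(m.group(1), "hex(%s)" % m.group(1))
        return (kind, bytes(int(x, 16) for x in m.group(2).split(",") if x.strip()))
    raise ValueError("unsupported value syntax: " + raw)

def parse_reg(text):
    """Return {key path: {value name: (type, data)}}; a deleted key ([-HKEY...]) maps to None."""
    lines = []
    for line in text.splitlines():
        if lines and lines[-1].endswith("\\"):         # hex data continued on the next line
            lines[-1] = lines[-1][:-1] + line.strip()
        else:
            lines.append(line.strip())
    keys, current = {}, None
    for line in lines:
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):
                keys[path[1:]], current = None, None
            else:
                current = keys.setdefault(path, {})
            continue
        m = _ENTRY.match(line)
        if not m or current is None:
            raise ValueError("unexpected line: " + line)
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        current[name] = _parse_value(m.group(2))
    return keys

def diff_key(baseline, current, key):
    """Values added, removed or changed under one key between two parsed exports."""
    old, new = baseline.get(key) or {}, current.get(key) or {}
    return {
        "added": {n: new[n] for n in new if n not in old},
        "removed": {n: old[n] for n in old if n not in new},
        "changed": {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]},
    }

RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
AGENT = r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Agent"   # constructed key for the sample

# Constructed exports: a clean baseline and a later snapshot with a new autorun entry.
BASELINE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Agent]
"Enabled"=dword:00000001
"Token"=hex:de,ad,be,\
  ef
'''

CURRENT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\svchost.exe\" /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Agent]
"Enabled"=dword:00000000
"Token"=hex:de,ad,be,\
  ef
'''

if __name__ == "__main__":
    for change, values in diff_key(parse_reg(BASELINE), parse_reg(CURRENT), RUN).items():
        print(change, values)
```

Run keys are a classic persistence location, so an `added` entry whose executable lives under a user's profile, as in the constructed snapshot, is exactly the kind of change worth reviewing. Exporting a key before editing it also gives you the file you need to restore it if the edit goes wrong.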
Linux Registry? • No Windows-registry equivalent • Configuration lives in files that are: • Plain text • Scattered • Mostly system-wide under /etc, plus per-user dotfiles in each home directory • Same caution applies: back up /etc/foo.conf before editing it, and check permissions, since a world-writable config file is as dangerous as a writable registry key
File Integrity • I have a file on my computer • Files are quite large • There's more than one or two of them • How do I know none of them have been modified? • That's hard, so let's focus on a single file
File Integrity • How can files become corrupted? • Initially wrong • Usually during transmission • Bad storage device • Maintenance errors • Moving/copying files • Misbehaving software that modifies files • Deliberate tampering by malware or an intruder, which is what integrity checking is really for
File Integrity • So how do we detect this? • Cryptographic hash function (e.g., SHA-256; MD5 and SHA-1 have practical collision attacks and should not be used for this) • For our purposes, it is… • …trivial to compute • …infeasible to find two messages with the same hash (collision resistance) • …infeasible to change the data without changing the hash (second-preimage resistance) • …infeasible to create data that produces a particular hash (preimage resistance) • A plain checksum (CRC32) catches accidental corruption but an attacker can trivially adjust the data to keep it unchanged
File Integrity • I've now computed a hash for a file • Let's assume we know the file is good at that moment (the baseline) • At a later time, I can re-compute the hash and compare the two
File Integrity • If they match, is the file okay? • Probably • For a secure hash an accidental collision is negligible; the real risks are a broken hash function or an attacker who can rewrite the stored hash as well as the file • If they don't match, is the file bad? • Probably • False positives do happen. How? • What if the original (stored) hash got corrupted? • What if the file changed legitimately (an update) and the baseline was never refreshed?
File Integrity • Okay, so how do I know my pre-computed hashes are good? • Let's make a hash! • Is this a bad idea? • It's a hash of a hash • How do I know my hash of a hash is good? • Let's make a hash! • Wait for it…. • Infinite regress: hashing alone never tells you which copy to trust
File Integrity • We can't verify everything • We must be selective about what we are trying to verify • The chain has to stop at a root of trust: a signing key, read-only media, or a separate host that holds the baseline • Signing the hash list (or computing an HMAC over it with a key the attacker does not have) replaces "trust the stored hashes" with "trust the key" • Tripwire and AIDE work this way; signed packages and Secure Boot rest on the same idea
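The baseline-then-recheck procedure above, with the regress cut off by authenticating the hash list, as an added example (not the lecture's own code, and not Tripwire or AIDE). It walks a directory, records a SHA-256 per file, and protects the manifest with an HMAC under a key that is assumed to live off the monitored host; a real deployment would more likely use a signature so that verifiers need no secret. The file tree, the attacker's changes and the key in `demo()` are constructed for the example.

```python
"""File-integrity baseline: SHA-256 per file plus an HMAC over the manifest (added example)."""
import hashlib
import hmac
import json
import os
import shutil
import tempfile

def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, streamed so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> hash for every regular file under root."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            entries[os.path.relpath(path, root).replace(os.sep, "/")] = hash_file(path)
    return entries

def _tag(entries, key):
    # Canonical encoding (sorted keys, no whitespace) so the same manifest always tags the same way.
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def sign_manifest(entries, key):
    return {"entries": entries, "tag": _tag(entries, key)}

def verify_manifest(manifest, key):
    """True only if the stored hash list was produced under this key (cuts off the hash-of-a-hash regress)."""
    return hmac.compare_digest(_tag(manifest["entries"], key), manifest["tag"])

def check(root, manifest, key):
    """Recompute hashes and report differences; refuse to use a manifest whose tag does not verify."""
    if not verify_manifest(manifest, key):
        raise ValueError("manifest tag invalid: the baseline itself cannot be trusted")
    current, baseline = build_manifest(root), manifest["entries"]
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a small tree, then tamper with the files and with the manifest."""
    key = b"example-hmac-key-kept-off-this-host"   # constructed; the real key must not be readable on the host
    root = tempfile.mkdtemp()
    try:
        files = {"etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
                 "etc/hosts": b"127.0.0.1 localhost\n",
                 "bin/ls": b"\x7fELF stand-in\n"}
        for rel, data in files.items():
            _write(root, rel, data)
        manifest = sign_manifest(build_manifest(root), key)

        # Intruder's changes: extra UID-0 account, a deleted file, a dropped cron job.
        _write(root, "etc/passwd", files["etc/passwd"] + b"backdoor:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(root, "etc/hosts"))
        _write(root, "etc/cron.d/evil", b"* * * * * root /tmp/.x\n")
        report = check(root, manifest, key)

        # Intruder also rewrites the stored hash for passwd; without the key the tag no longer verifies.
        forged = {"entries": dict(manifest["entries"]), "tag": manifest["tag"]}
        forged["entries"]["etc/passwd"] = hash_file(os.path.join(root, "etc/passwd"))
        return {"report": report, "forged_accepted": verify_manifest(forged, key)}
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note what the HMAC does and does not buy you: it stops an attacker from quietly editing the manifest, but it says nothing about whether the files were good when the baseline was taken, which is why the baseline is taken on a freshly installed or freshly verified system.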
fsck • When I use my computer, I make changes to the filesystem • Add/edit/delete • Is my file saved when I save it? • Not immediately: it's written to an internal kernel buffer (the page cache) • The actual write to the disk happens only when the buffer is flushed: when it fills, on a timer (roughly 30 seconds on Linux by default), or when the program calls fsync() or the admin runs sync
fsck • The kernel buffer and what is on the hard drive may differ • Shut down too soon • Unmounted improperly • Additionally, hard drives go bad • Blocks can become damaged • Addressing metadata (inode table, block bitmaps) can be damaged • Journaling filesystems (ext4, NTFS) shrink the window for inconsistency but do not remove the need for a checker
fsck • fsck will scan for some errors • It'll fix them if it can • Run it on an unmounted filesystem (or from single-user/recovery mode); e2fsck -n only reports, which is the safe first step on a disk you may need for forensics • What types of errors does it look for?
fsck • Superblock contains information about the file system • Size • Number of inodes • Free-block count • Free-inode count • fsck recomputes the counts from the bitmaps and compares them with what the superblock claims
fsck • Inodes • File format and type • Size field vs. blocks actually allocated • Duplicate blocks, i.e. one block claimed by two inodes • Bad block numbers (outside the device)
fsck • Data blocks and directories • Files referencing blocks that the bitmap marks free • Directory entries pointing to an inode number above the maximum • Orphaned directories • Directories that aren't attached to the filesystem tree (relinked into lost+found) • Bad . and .. entries (not pointing at the directory itself and its real parent)
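To make the classes of error listed on the last three slides concrete, here is a toy checker that runs them against an in-memory filesystem image: duplicate and out-of-range blocks, blocks marked free but still in use, directory entries beyond the inode limit, unattached directories, bad `..` entries and stale superblock counts. This is an added example, not fsck's own code; the layout (inode 2 is the root directory, block 0 holds the superblock) follows the ext2 convention, and the sample image and the damage applied to it are constructed.

```python
"""Toy fsck: the consistency checks a real fsck performs, on an in-memory image (added example)."""
from dataclasses import dataclass, field

ROOT = 2  # ext2/3/4 convention: inode 2 is the root directory

@dataclass
class Inode:
    kind: str                                    # "file" or "dir"
    blocks: list                                 # data block numbers
    entries: dict = field(default_factory=dict)  # directories only: name -> inode number

@dataclass
class Image:
    nblocks: int
    ninodes: int
    free_block_count: int   # as recorded in the superblock
    free_inode_count: int   # as recorded in the superblock
    block_free: list        # bitmap, True = free
    inodes: dict            # inode number -> Inode, allocated inodes only

def fsck(img):
    """Return a list of error strings; an empty list means the image is consistent."""
    errors = []
    # Pass 1: every block reference must be in range, allocated, and owned by exactly one inode.
    owner = {}
    for ino, node in img.inodes.items():
        for b in node.blocks:
            if not 0 <= b < img.nblocks:
                errors.append(f"inode {ino}: bad block number {b}")
                continue
            if img.block_free[b]:
                errors.append(f"inode {ino}: references block {b} marked free")
            if b in owner:
                errors.append(f"inode {ino}: block {b} also used by inode {owner[b]}")
            owner.setdefault(b, ino)
    # Pass 2: '.' must be the directory itself; entries must name inodes that can exist and do exist.
    dirs = {i: n for i, n in img.inodes.items() if n.kind == "dir"}
    for ino, node in dirs.items():
        if node.entries.get(".") != ino:
            errors.append(f"dir {ino}: bad '.' entry")
        for name, target in node.entries.items():
            if name in (".", ".."):
                continue
            if not 1 <= target <= img.ninodes:
                errors.append(f"dir {ino}: entry {name!r} -> inode {target} above maximum {img.ninodes}")
            elif target not in img.inodes:
                errors.append(f"dir {ino}: entry {name!r} -> unallocated inode {target}")
    # Pass 3: every directory must be reachable from the root, and '..' must be its real parent.
    parent, stack = {ROOT: ROOT}, [ROOT]
    while stack:
        d = stack.pop()
        for name, target in dirs[d].entries.items():
            if name not in (".", "..") and target in dirs and target not in parent:
                parent[target] = d
                stack.append(target)
    for ino, node in dirs.items():
        if ino not in parent:
            errors.append(f"dir {ino}: not attached to the filesystem tree")
        elif node.entries.get("..") != parent[ino]:
            errors.append(f"dir {ino}: bad '..' entry (points to {node.entries.get('..')}, parent is {parent[ino]})")
    # Pass 5: the superblock's counts must agree with the bitmaps.
    free_blocks = sum(img.block_free)
    if free_blocks != img.free_block_count:
        errors.append(f"superblock: free-block count {img.free_block_count}, actual {free_blocks}")
    free_inodes = img.ninodes - len(img.inodes)
    if free_inodes != img.free_inode_count:
        errors.append(f"superblock: free-inode count {img.free_inode_count}, actual {free_inodes}")
    return errors

def clean_image():
    """Constructed consistent image: /etc/passwd, /etc/shadow, /notes.txt, /spare on 16 blocks, 8 inodes."""
    inodes = {
        2: Inode("dir", [1], {".": 2, "..": 2, "etc": 3, "notes.txt": 4, "spare": 6}),
        3: Inode("dir", [2], {".": 3, "..": 2, "passwd": 5, "shadow": 7}),
        4: Inode("file", [3, 6]),
        5: Inode("file", [4]),
        6: Inode("dir", [5], {".": 6, "..": 2}),
        7: Inode("file", [7]),
    }
    used = {0} | {b for n in inodes.values() for b in n.blocks}   # block 0 holds the superblock
    bitmap = [b not in used for b in range(16)]
    return Image(16, 8, sum(bitmap), 8 - len(inodes), bitmap, inodes)

def corrupt(img):
    """Damage the image the way an interrupted flush or a failing disk would (constructed)."""
    img.block_free[3] = True                 # bitmap says block 3 is free, but notes.txt still uses it; superblock count now stale
    img.inodes[5].blocks = [6]               # passwd now claims block 6, which notes.txt also owns
    img.inodes[7].blocks = [20]              # shadow points past the end of the device
    img.inodes[2].entries["ghost"] = 9       # entry naming an inode above the maximum
    img.inodes[3].entries[".."] = 3          # etc's '..' no longer points at the root
    del img.inodes[2].entries["spare"]       # directory 6 is no longer reachable from the root
    return img

if __name__ == "__main__":
    for err in fsck(corrupt(clean_image())):
        print(err)
```

A real fsck is sequenced the same way (blocks, then directory contents, then connectivity, then counts) because later passes rely on earlier ones having produced a sane block map; it also repairs rather than just reports, for instance by relinking an unattached directory into lost+found or clearing a duplicate block from one of its claimants.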