Transcript Chapter 4

Topic 5a
Operating System Fundamentals
What is an operating system?
• a computer is comprised of various types of software
  • device drivers (storage, I/O, etc.)
  • process and control software
  • memory management
  • user interface software
  • utility software
  • application software
Early computers (1940-1960's) required all of these types of software to be loaded every time an application was run
• this was early 'batch' processing
The 'operating system' became the set of software that
• initializes the computer
• runs diagnostic checks
• provides for device management
• prepares the computer for an application
As operating systems evolved through the 1960-1980's they gained more functions
• provide a graphic user interface
• provide a set of user utility programs
• manage multiple processes and users
• provide network functionality
• some operating systems are special-purpose
An important base function of the operating system is to provide an interface between the application software and the hardware
• today, this set of low-level OS functions is called the OS 'kernel'
• An OS kernel is typically always kept in memory – for greatest speed
• Many OS's today are built on top of the Linux kernel, or some variation
There are many operating systems - not all are current
• the forensics examiner must be on the lookout for older, obsolete operating systems
• a criminal might try using these hoping to thwart an investigation
Here is a listing of scores of operating systems with pointers to more information
http://en.wikipedia.org/wiki/List_of_operating_systems
the most important operating systems for the forensic examiner today are:
- Microsoft Windows (and DOS)
- Macintosh OSX
- Unix/Linux
- Android
- Apple iOS
many forensics labs will need to have hardware and software to deal with these
there may be the occasion to locate hardware/software for an older OS
• example: OS9 - unix-like OS for 8-bit Motorola 6809 based micros
As much as 50% of all system vulnerabilities are in the OS
• system devices such as routers, IDS's and firewalls also have operating systems
• the most effective mitigation strategy is to
  • harden the OS
  • ensure that security patches are installed as soon as they are available
Hardening an operating system
- installation/configuration measures that can reduce the OS exposure
  - closing unneeded ports
  - turning off (or not installing) unneeded services
  - removing auto-response banner messages
- note: there are many more hardening steps – most of these are OS or application specific
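A first step in hardening is finding out what the host is actually listening on and comparing that with what it is supposed to serve. The following is an added example, not part of the lecture: it parses the format of Linux `ss -ltnp` output (the sample output and the expected-port list are constructed for the example) and reports every listening port that is not on the expected list, so the corresponding service can be disabled or the port closed.

```python
import re

# Constructed sample of `ss -ltnp` output (listening TCP sockets) from a hypothetical host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=700,fd=7))
LISTEN  0       511     *:80                 *:*                users:(("nginx",pid=901,fd=6))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       50      0.0.0.0:23           0.0.0.0:*          users:(("telnetd",pid=950,fd=3))
"""

# Ports this host is expected to serve (assumed for the example; in practice this
# comes from the system's documented role, e.g. an SSH-managed web server).
EXPECTED_PORTS = {22, 80}

PROC_RE = re.compile(r'\("([^"]+)"')  # process name inside users:(("name",pid=...))


def parse_listeners(ss_output):
    """Return (port, local address, process name) for each LISTEN line of `ss -ltnp` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip the header and anything that is not a listening socket
        local = fields[3]
        addr, _, port = local.rpartition(":")  # handles "0.0.0.0:22", "[::]:22" and "*:80"
        m = PROC_RE.search(line)
        proc = m.group(1) if m else "?"
        listeners.append((int(port), addr, proc))
    return listeners


def audit_listeners(ss_output, expected_ports=EXPECTED_PORTS):
    """Flag listening ports not on the expected list, as (port, process, exposure).

    exposure is 'local' for loopback-only sockets and 'network' for sockets reachable
    from other hosts; both are candidates for closing, the network-exposed ones first."""
    findings = []
    for port, addr, proc in parse_listeners(ss_output):
        if port in expected_ports:
            continue
        exposure = "local" if addr in ("127.0.0.1", "[::1]") else "network"
        findings.append((port, proc, exposure))
    return sorted(set(findings))
```

Run against real output (`ss -ltnp` as root) the same function gives a per-host list of ports to close or services to disable; the expected-port list is the part that must be maintained per system role.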
patch management
- applying security patches as soon as they are available
  - servers, network appliances, workstations, etc.
- having a back-down strategy if needed
  - many applications may need to be tested after a patch is applied
- zero-day vulnerability - one for which a patch is not available
processes (tasks) and states
- early computers were single-process systems
  - could only run a single program (task) at a time
  - the DOS operating system worked like this
  - switching tasks had to be done manually
processes (tasks) and states
- later computer operating systems introduced the concept of multi-processing (multi-tasking)
  - a single user could have multiple tasks running simultaneously
  - a given task could have multiple sub-tasks (threads)
  - the OS manages process memory (memory management) and other resources and would switch between tasks as needed
  - for example, listening to music while writing a paper while having a chat window open while having a browser window open
Process (task) management requires that the OS properly handle the memory/resource management of the various tasks and threads
- various ways to do this include system calls, message passing, stacks/heaps
Processes have various states
- running, waiting, created, terminated, etc.
- the process management function of the OS ensures that memory is adjusted, that resources are available, and that processes run when appropriate
Process privilege and priority
- some processes require greater privileges (such as root or administrator)
  - this should be done only when absolutely needed
  - a popular way to attack a system is to exploit a vulnerability in a process that has root privs
  - using an LPA is one way to restrict privileges
  - sandboxing is another approach
Processes may be prioritized
- real-time processes typically have greater priority
- note: process management today is typically called 'task' management
  - the early term for computers able to manage multiple tasks on a single processor was 'multi-processing'
  - today we call it 'multi-tasking'
  - multi-processing is used to describe situations where there are multiple CPUs available
Memory management
- process/task management requires that the memory associated with a task be available in the address space where it is requested
  - one can think of this as like a sliding window
- memory may be swapped to/from storage
  - this is called virtual memory
  - gives the illusion of having more real memory than you actually have
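The sliding-window idea above can be made concrete with a small demand-paging model. This is an added example, not part of the lecture: a toy address space of several pages backed by a swap area, with only a few page frames of "real" memory; touching a non-resident page is a page fault that swaps the least recently used page out and the requested page in. The page size and the frame/page counts are assumptions chosen for the example.

```python
from collections import OrderedDict

PAGE_SIZE = 4096  # bytes per page (assumed; the common x86 page size)


class VirtualMemory:
    """Toy model of demand paging: `num_pages` pages of address space backed by swap,
    of which at most `num_frames` are resident in (simulated) RAM at any time.
    A non-resident page is faulted in from swap; if RAM is full, the least recently
    used resident page is written back to swap first (the lecture's sliding window)."""

    def __init__(self, num_frames, num_pages):
        self.num_frames = num_frames
        self.num_pages = num_pages
        self.swap = {p: bytearray(PAGE_SIZE) for p in range(num_pages)}  # backing store
        self.frames = OrderedDict()  # page number -> bytearray; least recently used first
        self.page_faults = 0

    def _frame(self, page):
        """Return the resident copy of `page`, paging it in (and evicting) if needed."""
        if page in self.frames:
            self.frames.move_to_end(page)  # mark as most recently used
            return self.frames[page]
        self.page_faults += 1
        if len(self.frames) >= self.num_frames:
            victim, data = self.frames.popitem(last=False)  # evict the LRU page
            self.swap[victim] = data  # write it back so nothing is lost
        self.frames[page] = self.swap.pop(page)
        return self.frames[page]

    def _translate(self, addr):
        page, offset = divmod(addr, PAGE_SIZE)
        if page >= self.num_pages:
            raise MemoryError(f"address {addr:#x} is outside the address space")
        return page, offset

    def write(self, addr, data):
        page, off = self._translate(addr)
        if off + len(data) > PAGE_SIZE:
            raise ValueError("this toy model does not split a write across pages")
        self._frame(page)[off:off + len(data)] = data

    def read(self, addr, n):
        page, off = self._translate(addr)
        return bytes(self._frame(page)[off:off + n])

    def resident_pages(self):
        return list(self.frames)  # LRU order, oldest first
```

With 2 frames and 4 pages the process can use all 16 KiB of its address space while only 8 KiB is ever resident; the cost shows up as page faults, which is exactly the trade-off virtual memory makes.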
File systems
- this determines how the bits of files are mapped onto storage devices.
- examples include FAT, NTFS, EXT3, etc.
- it is extremely relevant to cyber-forensics, since file system features (like slack space) can be exploited to hide data
- we will cover file systems in more detail in subsequent topics
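The slack-space remark is worth seeing in miniature. The following is an added example, not part of the lecture and not any real file system's on-disk format: a constructed cluster-allocated volume in the style of FAT, where a file is given whole clusters but only the bytes it actually uses are written, so data from a previous occupant of the cluster survives past the new file's end-of-file and can be read back from the slack. The cluster size and file contents are constructed values.

```python
CLUSTER_SIZE = 4096  # bytes; constructed value for the toy volume


def slack_bytes(file_size, cluster_size=CLUSTER_SIZE):
    """Bytes between end-of-file and the end of the file's last cluster."""
    return (-file_size) % cluster_size


class ToyVolume:
    """Constructed model of a cluster-allocated volume (FAT-like allocation only).
    Files occupy whole clusters, the OS writes only the bytes a file uses, and a delete
    just frees the clusters, so old contents persist in slack and in free clusters."""

    def __init__(self, num_clusters, cluster_size=CLUSTER_SIZE):
        self.cluster_size = cluster_size
        self.media = bytearray(num_clusters * cluster_size)  # the raw storage
        self.free = list(range(num_clusters))
        self.files = {}  # name -> (size in bytes, [cluster numbers])

    def write(self, name, data):
        needed = -(-len(data) // self.cluster_size)  # ceiling division
        if needed > len(self.free):
            raise OSError("volume full")
        clusters = [self.free.pop(0) for _ in range(needed)]
        for i, c in enumerate(clusters):
            chunk = data[i * self.cluster_size:(i + 1) * self.cluster_size]
            start = c * self.cluster_size
            self.media[start:start + len(chunk)] = chunk  # only the used bytes are written
        self.files[name] = (len(data), clusters)

    def delete(self, name):
        """Like a typical OS delete: release the clusters, leave their contents in place."""
        _, clusters = self.files.pop(name)
        self.free = sorted(self.free + clusters)

    def read(self, name):
        size, clusters = self.files[name]
        out = b"".join(self.media[c * self.cluster_size:(c + 1) * self.cluster_size] for c in clusters)
        return bytes(out[:size])

    def read_slack(self, name):
        """Bytes after EOF in the file's last cluster: what a forensic tool carves here."""
        size, clusters = self.files[name]
        if not clusters:
            return b""
        last = clusters[-1]
        eof = last * self.cluster_size + (size - (len(clusters) - 1) * self.cluster_size)
        return bytes(self.media[eof:(last + 1) * self.cluster_size])
```
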
Virtualization
- this refers to running an instance of an operating system as a process
- possible since, in theory, any UTM (Universal Turing Machine) can simulate any other UTM
- for example, running Mac OSX in a VM on a Windows computer, or running Ubuntu Linux in a VM on a Windows computer
Virtualization:
- the actual program run is called a 'virtual machine'
  - it is a simulation of a processor, with specific resources
  - the OS is installed on the virtual machine
- the program that creates or manages VMs is called a 'hypervisor'
- virtualization has many uses in cyber-forensics; we will discuss this in greater depth later
Fundamental security design principles:
- domain separation
  - separating tasks from resources
  - the hypervisor or OS would mediate resource access
  - sandboxing is an example of this
Fundamental security design principles:
- process isolation
  - preventing processes/tasks from communicating with each other or sharing resources such as memory
- resource encapsulation
  - methods used to protect a resource
  - for example, specific system calls and specific privilege requirements