Topic 5a Operating System Fundamentals



What is an operating system?

• a computer is comprised of various types of software
  • device drivers (storage, I/O, etc.)
  • process and control software
  • memory management
  • user interface software
  • utility software
  • application software


Early computers (1940s-1960s) required all of these types of software to be loaded every time an application was run

• this was early 'batch' processing

The 'operating system' became the set of software that would:

• initialize the computer
• run diagnostic checks
• provide for device management
• prepare the computer for an application


As operating systems evolved through the 1960s-1980s they gained more functions

• provide a graphical user interface
• provide a set of user utility programs
• manage multiple processes and users
• provide network functionality
• some operating systems are special-purpose


An important base function of the operating system is to provide an interface between the application software and the hardware

• today, this set of low-level OS functions is called the OS 'kernel'

• an OS kernel is typically kept resident in memory at all times, for greatest speed

• many OSs today are built on top of the Linux kernel, or some variation of it


There are many operating systems - not all are current

• the forensics examiner must be on the lookout for older, obsolete operating systems

• a criminal might try using these hoping to thwart an investigation

Here is a listing of scores of operating systems with pointers to more information

http://en.wikipedia.org/wiki/List_of_operating_systems


the most important operating systems for the forensic examiner today are:

- Microsoft Windows (and DOS)
- Macintosh OS X
- Unix/Linux
- Android
- Apple iOS

many forensics labs will need to have hardware and software to deal with these

there may be occasions that require locating hardware/software for an older OS

• example: OS-9, a Unix-like OS for 8-bit Motorola 6809-based micros


As much as 50% of all system vulnerabilities are in the OS

• system devices such as routers, IDSs and firewalls also have operating systems

• the most effective mitigation strategy is to:

  • harden the OS
  • ensure that security patches are installed as soon as they are available


Hardening an operating system

- installation/configuration measures that can reduce the OS exposure

- closing unneeded ports

- turning off (or not installing) unneeded services

- removing auto-response banner messages

- note: there are many more hardening steps – most of these are OS or application specific
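As an added example (not part of the slides), the following Python script turns the "close unneeded ports / turn off unneeded services" steps into a check a defender can run: it parses the column layout printed by `ss -tlnp` on Linux (the sample lines below are constructed, not output from a real host) and compares every listener against a hypothetical allowlist of expected port/process pairs.

```python
import re

# Constructed sample in the column layout of `ss -tlnp`; not a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=901,fd=7))
LISTEN  0       50      0.0.0.0:23          0.0.0.0:*          users:(("telnetd",pid=1330,fd=4))
LISTEN  0       511     [::]:80             [::]:*             users:(("nginx",pid=1402,fd=6))
LISTEN  0       128     *:5900              *:*                users:(("x11vnc",pid=2210,fd=5))
"""

# Hypothetical policy for this host: which port should be served by which process.
ALLOWED_PORTS = {22: "sshd", 80: "nginx"}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*'
    r'(?:users:\(\("(?P<proc>[^"]+)")?'
)

def parse_listeners(text):
    """Return [(port, bind_address, process)] for every LISTEN line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((int(m["port"]), m["addr"], m["proc"] or "?"))
    return out

def audit(text, allowed=ALLOWED_PORTS):
    """Classify each listener as 'ok', 'loopback-only' or 'unexpected'."""
    findings = []
    for port, addr, proc in parse_listeners(text):
        if port in allowed and allowed[port] == proc:
            verdict = "ok"
        elif addr in LOOPBACK:
            verdict = "loopback-only"     # not reachable from the network, still review
        else:
            verdict = "unexpected"        # close the port or stop/uninstall the service
        findings.append((port, proc, addr, verdict))
    return findings

if __name__ == "__main__":
    for port, proc, addr, verdict in audit(SAMPLE_SS_OUTPUT):
        print(f"{verdict:14} {addr}:{port} ({proc})")
```

On a real host, feed the script the actual `ss -tlnp` output and keep the allowlist under version control so every new listener shows up as a deliberate change.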


patch management

- applying security patches as soon as they are available

- servers, network appliances, workstations, etc.

- having a back-down strategy if needed

- many applications may need to be tested after a patch is applied

- zero-day vulnerability - one for which a patch is not available


processes (tasks) and states

- early computers were single-process systems
- they could only run a single program (task) at a time
- the DOS operating system worked like this
- switching tasks had to be done manually


processes (tasks) and states

- later operating systems introduced the concept of multi-processing (multi-tasking)

- a single user could have multiple tasks running simultaneously
- a given task could have multiple sub-tasks (threads)

- the OS manages process memory (memory management) and other resources, and switches between tasks as needed

- for example, listening to music while writing a paper, with a chat window and a browser window open at the same time


Process (task) management requires that the OS properly handle the memory/resource management of the various tasks and threads

- various ways to do this include system calls, message passing, stacks/heaps


Processes have various states

- running, waiting, created, terminated, etc.
- the process management function of the OS ensures that memory is adjusted, that resources are available, and that processes run when appropriate


Process privilege and priority

- some processes require greater privileges (such as root or administrator)

- such privileges should be granted only when absolutely needed

- a popular way to attack a system is to exploit a vulnerability in a process that has root privileges

- using an LPA is one way to restrict privileges
- sandboxing is another approach


Processes may be prioritized

- real-time processes typically have greater priority

- note: process management today is typically called 'task' management

- the early term for computers able to manage multiple tasks on a single processor was 'multi-processing'

- today we call it 'multi-tasking'

- multi-processing is used to describe situations where there are multiple CPUs available
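The process states listed earlier and the priority bullets above, as an added Python example that is not from the slides: a process object that permits only the legal state transitions, and a small priority scheduler over constructed "cpu"/"io" bursts in which a real-time process (priority 0) always runs ahead of the rest.

```python
import heapq
from dataclasses import dataclass, field

# Legal transitions for the lifecycle the slides list; anything else is a bug.
TRANSITIONS = {
    "created": {"ready"},
    "ready": {"running"},
    "running": {"ready", "waiting", "terminated"},
    "waiting": {"ready"},
    "terminated": set(),
}

@dataclass(order=True)
class Process:
    priority: int                          # 0 = real-time, larger = less urgent
    pid: int
    bursts: list = field(compare=False)    # constructed: "cpu" or "io" per time slice
    state: str = field(default="created", compare=False)

    def move(self, new_state):
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"pid {self.pid}: {self.state} -> {new_state} is not allowed")
        self.state = new_state

def run(procs, max_ticks=1000):
    """Priority scheduler: each tick the highest-priority ready process gets one
    slice; an 'io' burst parks it in 'waiting' for a tick. Returns the trace of
    (tick, pid), which makes starvation of low-priority work easy to see."""
    ready, waiting, trace = [], [], []
    for p in procs:
        p.move("ready")
        heapq.heappush(ready, p)           # heap orders by (priority, pid)
    for tick in range(max_ticks):
        for p in waiting:                  # I/O finished: back to the ready queue
            p.move("ready")
            heapq.heappush(ready, p)
        waiting = []
        if not ready:
            break
        p = heapq.heappop(ready)
        p.move("running")
        trace.append((tick, p.pid))
        burst = p.bursts.pop(0)
        if not p.bursts:
            p.move("terminated")
        elif burst == "io":
            p.move("waiting")
            waiting.append(p)
        else:
            p.move("ready")                # preempted at the end of its slice
            heapq.heappush(ready, p)
    return trace
```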


Memory management

- process/task management requires that the memory associated with a task be available in the address space where it is requested

- one can think of this as a sliding window

- memory may be swapped to/from storage

- this is called virtual memory
- it gives the illusion of having more real memory than you actually have
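An added Python example (not from the slides) of the swapping idea: a demand-paging simulator in which a small number of physical frames backs a larger virtual address space, a missing page faults in from swap, and the least recently used resident page is swapped out to make room. The 4 KiB page size is an assumption.

```python
from collections import OrderedDict

PAGE_SIZE = 4096            # 4 KiB pages, as on x86 (assumption for the example)

class DemandPager:
    """Tiny demand-paging simulator: num_frames physical frames back as many
    virtual pages as a task cares to touch; the kernel's job is to keep the
    pages in use resident and park the rest in swap."""

    def __init__(self, num_frames):
        self.resident = OrderedDict()       # vpn -> frame, least recently used first
        self.free_frames = list(range(num_frames))
        self.swap = set()                   # vpns whose contents live on disk
        self.faults = 0

    def translate(self, vaddr):
        """Map a virtual address to (physical address, faulted?)."""
        vpn, offset = divmod(vaddr, PAGE_SIZE)
        faulted = vpn not in self.resident
        if faulted:
            self.faults += 1
            self.swap.discard(vpn)          # page comes back from swap (or is fresh)
            if not self.free_frames:        # no room: evict the LRU page to swap
                victim, frame = self.resident.popitem(last=False)
                self.swap.add(victim)
                self.free_frames.append(frame)
            self.resident[vpn] = self.free_frames.pop(0)
        self.resident.move_to_end(vpn)      # mark as most recently used
        return self.resident[vpn] * PAGE_SIZE + offset, faulted

if __name__ == "__main__":
    pager = DemandPager(num_frames=2)
    for vaddr in (0x0010, 0x1020, 0x0030, 0x2040, 0x1000):
        paddr, faulted = pager.translate(vaddr)
        print(f"vaddr {vaddr:#06x} -> paddr {paddr:#06x} {'FAULT' if faulted else 'hit'}")
    print("page faults:", pager.faults, "swapped out:", sorted(pager.swap))
```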


File systems

- this determines how the bits of files are mapped onto storage devices.

- examples include FAT, NTFS, EXT3, etc.

- it is extremely relevant to cyber-forensics, since file system features (like slack space) can be exploited to hide data

- we will cover file systems in more detail in subsequent topics


Virtualization

- this refers to running an instance of an operating system as a process

- possible since, in theory, any UTM (Universal Turing Machine) can simulate any other UTM

- for example, running Mac OS X in a VM on a Windows computer, or running Ubuntu Linux in a VM on a Windows computer


Virtualization:

- the actual program run is called a 'virtual machine'

- it is a simulation of a processor, with specific resources
- the OS is installed on the virtual machine

- the program that creates or manages VMs is called a 'hypervisor'

- virtualization has many uses in cyber-forensics; we will discuss this in greater depth later


Fundamental security design principles:

- domain separation

- separating tasks from resources
- the hypervisor or OS mediates resource access

- sandboxing is an example of this


Fundamental security design principles:

- process isolation

- preventing processes/tasks from communicating with each other or sharing resources such as memory

- resource encapsulation

- methods used to protect a resource
- for example, specific system calls and specific privilege requirements
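The sandboxing, domain separation and process isolation points above, as an added Python example that is not from the slides: untrusted work runs in a forked child with its own address space and Linux resource limits, and the parent mediates the only channel between the two domains (a pipe carrying JSON). The limit values and the helper functions are assumptions for the example.

```python
import json
import os
import resource
import tempfile

MEM_LIMIT = 1 << 30     # 1 GiB address-space ceiling for the child (assumed value)
CPU_LIMIT = 2           # seconds of CPU time before the kernel kills the child

def _cap(which, value):
    """Lower a limit to value, never above the existing hard limit."""
    _, hard = resource.getrlimit(which)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(which, (value, value))

def run_isolated(func, *args):
    """Run func(*args) in a forked child with its own address space, a scratch
    working directory and resource limits; the only channel back is a JSON pipe."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                                    # child: the sandboxed domain
        os.close(r)
        try:
            os.chdir(tempfile.mkdtemp())            # never the parent's directory
            _cap(resource.RLIMIT_CPU, CPU_LIMIT)
            _cap(resource.RLIMIT_AS, MEM_LIMIT)
            reply = {"ok": True, "value": func(*args)}
        except BaseException as exc:                # report failure, never escape
            reply = {"ok": False, "error": type(exc).__name__}
        os.write(w, json.dumps(reply).encode())
        os._exit(0)
    os.close(w)                                     # parent: the mediator
    chunks = []
    while data := os.read(r, 65536):
        chunks.append(data)
    os.close(r)
    _, status = os.waitpid(pid, 0)
    if not chunks:                                  # no reply: the child was killed
        sig = os.WTERMSIG(status) if os.WIFSIGNALED(status) else None
        return {"ok": False, "error": f"killed by signal {sig}"}
    return json.loads(b"".join(chunks))
COUNTER = 0

def bump_counter():             # mutates a global: the change stays in the child
    global COUNTER
    COUNTER += 1
    return COUNTER

def memory_hog():               # asks for 4 GiB: the ceiling turns it into MemoryError
    return len(bytearray(4 << 30))
```

Because the child gets a copy of the parent's memory at fork time and nothing afterwards, the parent's `COUNTER` stays at 0 no matter what the child does, and the runaway allocation is stopped by the kernel rather than by the parent.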