OS Security (Tutorial) - Page 3
Page 3 of 5 FirstFirst 12345 LastLast
Results 21 to 30 of 44

Thread: OS Security (Tutorial)

  1. #21
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Originally posted here by gore
    OS/2 isn't even an OS, it's a bastard child that IBM gave birth too with Microsoft because no one had the balls to hand them a coat hangor.
    Man, you should go out (of linux) more frequently. :P
    OS/2 is an amazing O.S. In fact some HSM still use it instead a Unix flavor.
    IT world didnt start when Unix was born. It started far earlier. And some of that T-Rex O.S. are still present nowadays.

    However i agree with you about Linux. Its just another "flavor". It was written (copied) from scratch, but it stills use Unix ideas and concept about kernel construction. So, Linux is a *nix.

    Although i've read those considerations about xenix (as far i know xenix WAS a Unix flavor), I cant see those structures on Windows NT (and beyond). Can someone list that "similarities" from Windows to *nix? I would like to have those references...
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  2. #22
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Xenix was yet another UNIX Os that Microsoft sold that SCO made for them, and when IBM came out with the PC, they said the hell with this and went after DOS, which they bought from Tim Patterson from Seattle Computer Products, named Q-DOS. Which stands for "Quick - Dirty - OS".

    they bought it, changed the name to MS-DOS and PC-DOS, and renamed it in the OS code, even though if you look hard enough, the original version of DOS still had QDOS written in it somewhere, as they forgot to change it I guess.

    Windows now has to have a GUI to run, UNIX does not. There are quite a few differences from UNIX and Windows, and for looking at them... Well, I've never seen much of a comparison like what you're asking for though.

    Now, being a BOFH, you're not making me think OS/2 is good in any way shape or form. I wouldn't even whipe my ass with an OS/2 manual. The staples hurt.

    I use Linux all the time, but not just Linux. I also use BSD, Windows, DOS (Real DOS, no pussy Windows NT CMD shell) and BeOS. I also play with OSs no one has ever heard of because the only people using it are people writing it and a few who know about it. Heh, I should make a list one day.
    Kill the lights, let the candles burn behind the pumpkins’ mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again everyday is Halloween.The Misfits FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux

  3. #23
    Senior Member
    Join Date
    Jun 2002
    Posts
    394
    so you use alot of operating systems, and play with ones that most people wouldn't have heard about. but by play there, do you mean use ... or are you ripping them appart in hopes of say fashioning your own operating system from pieces of the ones you play with?
    Hmm...theres something a little peculiar here. Oh i see what it is! the sentence is talking about itself! do you see that? what do you mean? sentences can\'t talk! No, but they REFER to things, and this one refers directly-unambigeously-unmistakably-to the very sentence which it is!

  4. #24
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Originally posted here by MsMittens
    Hrmm.. I am curious as to what Catch considers a "true unix". I suppose the AT&T Unix would be it but aren't OSes like BSD (Free, Open, BSD itself), Solaris, HP, etc. evolutions of true Unix???
    Me too, given the BSDs are (or at least were in the not too distant past) genetic unixes. Solaris is a true Unix operating system, as are HP-UX, AIX, AT&T's Unix, etc...

    It's all well and good to be vague when labeling "Operating Systems" like linux, but the truth of the matter is Linux is just the kernel, and is highly configurable at that. Combine this fact with the possibility of obtaining supported patches from government organizations whose sole aim is providing security models from government specifications, and you end up with even more vaguely worded half-truth. It is about as correct as saying "IIS is vulnerable to Code Red". It would be nice to see specifics about what is being discussed. As catch says at a number of points, the default install is not relevant because "the default configuration is the measure of a [given] system, not the OS." In turn, default kernel configuration is irrelevant.

    Catch, you are however incorrect when you state:
    The Admin/System accounts can be resricted by the security policy, root cannot be.
    It is incorrect since the root account CAN be restricted, whether it's through something like User Mode Linux, the NSA SELinux patches, or some other means -- the point being the potential to restrict the account is there.

    Anyway, SELinux and UserMode Linux are both projects that exist that bring certain types of the functionality being discussed here into the kernel. NSA's SELinux doesn't make linux into a "trusted" operating system, however it does take a large step in the direction of what catch is discussing.
    http://www.nsa.gov/selinux/
    http://user-mode-linux.sourceforge.net/
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  5. #25
    Banned
    Join Date
    May 2003
    Posts
    1,004
    I consider any system with a UN*X style architecture that came after UN*X to be UN*X based.

    DOS is not UN*X based because it isn't multi-user/multiprocessing.
    Windows NT isn't UN*X based because it uses a microkernel architecture.
    QNX isn't UN*X based because it too uses a microkernel architecture.
    Trusted Solaris/IRIX/HP-VV are not UN*X based because they use labeled protection models and don't have superuser accounts, among other reasons.
    etc...

    XENIX is UN*X based, Secure (and later Trusted XENIX after being sold to TIS) XENIX is what NT is based on, with influences form VMS of course. Neither Secure XENIX or VMS are UN*X based.

    While many of these systems may function similarly from the user's vantage, they are not the same and this is done for simplicity of acceptance. It is easier to introduce a system that seems to work like a system people are already familiar with.

    It is incorrect since the root account CAN be restricted, whether it's through something like User Mode Linux, the NSA SELinux patches, or some other means -- the point being the potential to restrict the account is there.
    Once these changes are made, the system is no longer considered Linux, as the kernel is not the same as the one distributed from kernel.org (This i what I refer to as Linux, anything else would be a variant and no longer Linux by my terms, as I beleve is standard to not do so. I note aditional variants below.). It is true these changes can be made, but I wanted to leave them out because they complicate the issue which so many people are already having trouble with. If I wanted to, I could have a multiuser patch developed for DOS, but I wouldn't say DOS is a multiuser system, same principal applies here.

    There is also a Trusted Linux project that HP is running (last I checked anyhow) and a trusted PS2 Linux as well that the guys from Argus Systems were working on, as well as Pitbull and Pitbull LX also from Argus Systems. Again, these systems are changed in fundemental ways and would no longer be refered to as "Linux."

    cheers,

    catch

  6. #26
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    IBM beat you too that multi user DOS thing DOS-2000 is a Multi User OS and is DOS. I have bit more about it in my OS paper I've been working on.

    Catch, do you like Linux at all? Or don't use it? Just wondering about that. I knwo you like AIX, I still have the PM from last year where you and me talked about this. Overall I think this has been a very good discussion, and no one has flamed anyone. Some difference in opinion and so on, but no flaming.
    Kill the lights, let the candles burn behind the pumpkins’ mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again everyday is Halloween.The Misfits FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux

  7. #27
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Originally posted here by catch
    Once these changes are made, the system is no longer considered Linux, as the kernel is not the same as the one distributed from kernel.org (This i what I refer to as Linux, anything else would be a variant and no longer Linux by my terms, as I beleve is standard to not do so. I note aditional variants below.).
    So according to your arbitrary decision on what Linux is, all the information in the tutorial is accurate. If you take a differing viewpoint, it is wholly inaccurate. How can you factually state something that varies based on a matter of opinion? Even if I agreed with your statements, you are still incorrect since many of the distribution companies that distribute linux also modify the kernel to suit their needs -- well beyond backporting. Windows XP Home, Windows XP Pro, Windows Mobile, etc., are all variants of Windows, and they offer different security mechanisms, does that mean XP Home is not Windows? No, it means it is simply a variant offered by the vendor. If your contention is that variants should only come with the vendor to be valid it still makes no sense, since the vendor in this instance is whoever distributes the packages. In reality, kernel features in Linux are as interchangable as application software on Windows. You can't restrict Linux's capabilities with your paid Operating System mindset and still offer a constructive discussion IMO, and that is pretty much what I see going on here. Please feel free to explain to me how this isn't the case.


    It is true these changes can be made, but I wanted to leave them out because they complicate the issue which so many people are already having trouble with. If I wanted to, I could have a multiuser patch developed for DOS, but I wouldn't say DOS is a multiuser system, same principal applies here.
    They don't really complicate the issue when you admit that it can be done. The only thing it complicates is the validity of your argument. The point I am making is not that Linux does this by default, which you yourself say is irrelevant, it is that Linux is CAPABLE of the actions you say it isn't, but it requires a bit of extra work/patches.

    There is also a Trusted Linux project that HP is running (last I checked anyhow) and a trusted PS2 Linux as well that the guys from Argus Systems were working on, as well as Pitbull and Pitbull LX also from Argus Systems. Again, these systems are changed in fundemental ways and would no longer be refered to as "Linux."
    The changes are not as fundamental as you seem to believe. The kernel is designed in a modular fashion allowing simple modification of various parts while still maintaining the functionality of the rest. It might surprise you to know that there are already a number of built in ACL options, and if I recall correctly, they have either added or will be adding soon experimental support for the NSA's alternate ownership schemas.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  8. #28
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Originally posted here by gore
    Xenix was yet another UNIX Os that Microsoft sold that SCO made for them
    Xenix was straight up 7th Edition Unix licensed to MS from AT&T. MS then modiified it with some BSD code and let other companies distribute in for various 16-bit arches. SCO released the version for the 8086 and later ported it to the 80386(32bit) and renamed it SCO Unix.

    Originally posted here by catch
    I consider any system with a UN*X style architecture that came after UN*X to be UN*X based.

    DOS is not UN*X based because it isn't multi-user/multiprocessing.
    There are alot better reasons than that, but fair enough.

    Windows NT isn't UN*X based because it uses a microkernel architecture.

    Windows NT 3.51 was built on modified microkernel architecture but every revision of NT since then has taken it further away from that arch. Of course it depends who you ask but as you have said yourself you do not code, I can tell you as someone who does, that Windows includes device drivers, portions of the Windows subsytem, registry functions, power management , and more which is not what a microkernel is all aobut, and I believe its VERY contestable that it remains a microkernel.


    QNX isn't UN*X based because it too uses a microkernel architecture.

    True enough, QNX is a true microkernel, you can also get the whole OS on 1.44MB floppy which I think you may be hard pressed to with Windows XP.

    Trusted Solaris/IRIX/HP-VV are not UN*X based because they use labeled protection models and don't have superuser accounts, among other reasons.
    etc...

    Ok, thats just silly. A secure or "trusted" UNIX system (including all the ones above) just means they are on the NSA's EPL (Evaluated Product List) and have been given a indexed rating of the "assurance" level you can expect. This does not make them any less UNIX based or UNIX like. If you are so sure they are not UNIX maybe you can explain to me why all the afore mentioned companies have been paying for their UNIX IP for the last 20 years.

    XENIX is UN*X based, Secure (and later Trusted XENIX after being sold to TIS) XENIX is what NT is based on, with influences form VMS of course. Neither Secure XENIX or VMS are UN*X based.

    Ugh. VMS was created by Digital and is not UNIX - true. One of the engineers Dave Cutler (also RSX-11) was later hired by MS to design NT - right. However. NT is not based on Xenix (aka UNIX) it was orignally intented to be an extension of the OS/2 api, hence why it was originally named OS/2 3, but after the release of Windows 3.0 they decided to hell with that and to extend the Windows api instead.


    Once these changes are made, the system is no longer considered Linux, as the kernel is not the same as the one distributed from kernel.org (This i what I refer to as Linux, anything else would be a variant and no longer Linux by my terms, as I beleve is standard to not do so. I note aditional variants below.). It is true these changes can be made, but I wanted to leave them out because they complicate the issue which so many people are already having trouble with. If I wanted to, I could have a multiuser patch developed for DOS, but I wouldn't say DOS is a multiuser system, same principal applies here.

    I understand your point here but for the sake of discussion, is it productive? Lets say they are linux based or linux like. I mean is my Windows NT with SP6 still Windows NT? How about SP4? What about the kernel hooks Norton Anti-Virus puts in, still Windows? Yes I realize all these kernel patches (aka Service Packs) come from MS but Windows is a comercial operating system, and Linux is well,er.... Linux. Just keep in mind that all your EPL stuff and government auditing and such, takes time and a shitload of money. Who is going to pay for all this for Linux? Honestly, probably IBM,Novell,or SGI will, heh-heh , but I digress - SELinux can be used to introduce Mandatory Access Controls as well as some other security models in Linux and is a good application of some of the subject matter you covered in your tutorial.



    -Maestr0
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  9. #29
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    For Xenix, well, I guess I read it wrong (Heh, go a week doing what I do and you'd make mistakes too) but I thought it said SCO made XENIX for Microsoft. Guess they only did a port then?

    NT being a Micro Kernel... Heh, I had only heard of it but never believed it. NT is actually a Micro Kernel? Or was?

    Windows Kernels is a weak point for me, I couldn't tell you a damned thnig about them. Is 2000 Micro? XP?

    If they are not, are they mixed in a way at all?

    Not that I like Micro Kernels. too much a pain in the ass from the looks of it. Too me a Micro Kernel is like a Network. Well, a poorly designed one. All those cables that seem to forma big ball, all somehow hooked into a router, and none of them marked or color coded. Heh, at that point a lawn mower or an axe are your only hopes.

    Does EPL honestly mean anything to any of you other than the fact that a company has money and wants new marketing? I don't pay attention to those ratings. Seems like a load of **** too me. NT had a C2 rating where I read. Special / Ideal conditions, registry edit, no Network Cable... I'm not sure exactly how much all of that is true, and I tend not to believe all of it.

    VMS is an Os I've never used, and I didn't think it was really based on UNIX, but it seems to be used for very similar purposes. Does anyone have any images of VMS?

    I'm asking questions not because I'm JUST wondering, but too keep this going.
    Kill the lights, let the candles burn behind the pumpkins’ mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again everyday is Halloween.The Misfits FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux

  10. #30
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Yes we can dance around what an exact definition of Linux is... the system Torvalds invented did not have the functionality of which you speak. If you say that root can be removed from the security policy and your average person reading this gose out and gets any of the major flavors of Linux, will they be able to do that? Of course not... Linux being open source can be completely modified... so what then is the functional definition of Linux? I used the one I'd heard most frequently (the kernel as provided by kernel.org), you disagree with this, and I recognized your points as valid exceptions... I still contented that systems like SE Linux are the exception to Linux and not the rule, and therefore constitute individual systems and not Linux as a whole.

    How about you tell me what, in your expert opinion defines the Linux operating systems and we can continue the conversation from there?

    I believe its VERY contestable that it remains a microkernel.
    As I replied to chsh, I am going with accepted definitions... the NCSC and NIST both say Windows NT is a microkernel. This was a paper on the abstracts of operating system security, not on arguing semantics of specific systems, variants of these systems, or anything else of that nature.

    Ok, thats just silly. A secure or "trusted" UNIX system (including all the ones above) just means they are on the NSA's EPL (Evaluated Product List) and have been given a indexed rating of the "assurance" level you can expect. This does not make them any less UNIX based or UNIX like. If you are so sure they are not UNIX maybe you can explain to me why all the afore mentioned companies have been paying for their UNIX IP for the last 20 years.
    I am sorry here Maestr0, but this is incorrect. Trusted Solaris, Trusted IRIX, and HP-VV are completely different operating systems than their untrusted counterparts. They are merely work alikes (that is they can be used for the same tasks, not that they function exactly the same). These systems have modified the architecture to allow for a reference monitor concept, they have their discretionary access policies extended, mandatory access controls added, in fact one of the aspects that is unchanged from their untrusted counterparts is the assurances. Systems like Trusted Solaris are rated at B1, which means no additional assurances over their untrusted counterparts.
    The aforementioned companies still pay for UN*X rights with regard to their standard operating systems (Solaris, IRIX, HP-UX) and for specific technologies in these other systems.

    The trusted operating system arena has been an interesting one, frequent attempts to make a security kernel, and then run UN*X on top of that have left many people confused about what exactly the definitions of everything is... again I opted to use what I felt to be the most common and widely accepted definitions as I was in no way wishing to enter a debate based on terminology.

    Ugh. VMS was created by Digital and is not UNIX - true. One of the engineers Dave Cutler (also RSX-11) was later hired by MS to design NT - right. However. NT is not based on Xenix (aka UNIX) it was orignally intented to be an extension of the OS/2 api, hence why it was originally named OS/2 3, but after the release of Windows 3.0 they decided to hell with that and to extend the Windows api instead.
    I didn't say it was based on XENIX, I said Secure XENIX, which is a totally different animal, again that is a functional replacement, but very different on the inside. In fact nearly NT's entire security policy (excluding mandatory access controls) is lifted directly from Secure Xenix.

    I understand your point here but for the sake of discussion, is it productive? Lets say they are linux based or linux like.
    No, it isn't productive, nor is it the path I wanted this to take. It was supposed to be an abtract about quantifying operating system security... not comparing and complaining about specific definitions of operating systems. I attempted to use the most widely accepted definitions and I hope the fact that I have clairified this will put an end to such debated points here... otherwise the original subject will be left behind over irrelevant semantics.

    I mean is my Windows NT with SP6 still Windows NT? How about SP4? What about the kernel hooks Norton Anti-Virus puts in, still Windows?
    Again, these matters would need to be resolved by those talking about the systems in which they are comparing, I merely wished to provide the format in simpler terms, which is used to measure OS security. (The norton system, would be a specific system and not the OS as a whole, and NTSP6 vs SP4 offer the same models, and capabilities, the only difference would be assurances.

    Just keep in mind that all your EPL stuff and government auditing and such, takes time and a shitload of money. Who is going to pay for all this for Linux?
    You are the one that brought up the EPL's, not me. Besides, redhat and I think suse have already been evaluated against ISO-15408.

    SELinux can be used to introduce Mandatory Access Controls as well as some other security models in Linux and is a good application of some of the subject matter you covered in your tutorial.
    Yes it can, but this article wasn't about specific operating systems or their non-production level, extensions. The operating systems I mentioned were simply to clarify a point with something people might be more famialir with and to make some elements a little less abstract by showing their context.

    cheers,

    catch

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides