Operating Systems

The Basic Functions of an Operating System:

  • Addressing
  • Memory management
  • File systems
  • File system management
  • Access control
  • System access control
  • File access control
  • Executable permission
  • Networking
  • Internet access
  • Security
  • Passwords
  • Encryption
  • Program control
  • Flow control

Let’s go down this list. A computer has a processing unit (CPU), memory (both internal and external), and input/output devices. That is resolving a computer down to its fundamental components.

Memory is where data is stored. Each piece of memory has an indicator, an address. Memory comes in several flavors. Memory can be on a permanent (external) storage device like a disk drive, SSD (Solid State Disk), USB drive, etc. This kind of memory usually takes more time to write and less time to read. Memory can be “internal” and not permanent, usually referred to as volatile. Internal memory is RAM (Random Access Memory) or ROM (Read Only Memory). RAM is usually a circuit board, very fast and volatile. ROM is very fast, cannot be modified in normal operation, and is non-volatile. Writing to ROM is very slow; it is burned into the chip.

The operating system has a boot sector that starts up the machine. The boot sector usually starts at sector zero, the very beginning of the drive. When the machine starts up, the operating system is copied into RAM, also starting at position zero. Needless to say, programs should not be allowed to overwrite the operating system, or the tables and data that belong to the operating system.

Registers are a special kind of memory that the CPU uses. Registers contain special pieces of information, such as the address of the next program instruction. This is a very important piece of information. Altering the address of the next program instruction can have disastrous consequences for normal operations and data security. Math operations and comparisons are done in special registers.

A lot of hacking goes into trying to get into the operating system and system memory: trying to read or write system information, or changing commands, especially turning a system command into a user command. This can sometimes be done with something called “smashing the stack”.[1]

Addressing is done by labeling, that is, sequentially numbering [1, 2, 3, ...] every piece of information. For example, labeling every character (byte) from 0 to 1,073,741,824, which is the number of bytes in one gigabyte.

Memory management – taking charge of memory: making sure everything is labeled properly and everything is in its place, and making sure only the right people can access (read or write) the data that belongs to them or the data they have permission to handle.

In more practical terms, this means ordinary users should not be able to alter system memory, whether in RAM or on disk.

File Systems – You may already be familiar with this: directories, folders. A field is a group of characters that has a specific meaning and data type, for example a zip code. This is the base unit of data. A record is made up of fields. A file is a collection of records, where each record has the same format, known as a record layout. The layouts of, and the relations between, all the files in a database are known as the schema.

File system management – Making, creating and managing the file system is the responsibility of the operating system. This includes where data is placed; what the data looks like; what data types are written and read, whether numbers or letters; making sure data is encrypted and decrypted; and making sure data is decrypted only for those for whom it should be decrypted – authorized users.

Data integrity is also handled by the operating system. This means that the data remains the same and is not changed unless it should be, which means only authorized users can make a change. It also means that the system should check for electronic failures and fix them when they occur. This is possible with certain kinds of data organization such as RAID[2][3] and disk striping, which is not really within the scope of this book.

File Deletion vs. File shredding – File systems create and delete files. How does the file manager delete files? What does deleted really mean? The file system has an index. The index is itself a file. Every entry in the index file is a description of a file: the name of the file; who has which permissions to that file; the address on disk where the file physically starts and the length of the file. There may be more information, but this is enough to find the file, traverse it and access all the data in the file. When a file is deleted, this information is not destroyed. Rather, a mark is simply put at the beginning of the record to indicate that this file is no longer in use. In older versions of Windows, this was a question mark.

This methodology is used by many different file systems and programs that manage files. For example, many email readers do not actually delete emails when you press delete. All the emails are kept in one big, long file. The emails are entered sequentially, one after the other. If an email is “deleted”, a mark is put at the beginning of that email. When the reader parses the file (goes through it from beginning to end) looking for emails to display, the email reader simply skips a “deleted” email.

To actually remove the deleted emails from the file, some kind of condense or compact routine has to be run. This routine copies all the active emails to a new temporary file while skipping over the deleted emails. Then the file with the name that the email reader uses is deleted, and the new temporary file is given the name of the file that the email reader looks for.

This process actually leaves the deleted emails on disk, because the deleted file is still physically on disk; only a question mark has been put in front of the name. If I use a disk editor and give the file a proper name, I now have access to the file.

How does one delete a file so it is gone? Use a disk wipe utility. A disk wipe utility overwrites a file with binary ones and zeros. Now there is nothing legible to read. McAfee and other security programs have a disk wipe utility.

This procedure is part of the U.S. government NIST 8088 &&& “data sanitization” standard.

Going to “Spy vs. Spy” level, with sophisticated equipment, residual magnetic signatures can be read, enabling recreation of deleted files. A bit beyond us ordinary folk for the time being. However, one can defeat reading of magnetic residue by using a data sanitization utility that does a triple polarity-reversing overwrite. Meaning, first it writes one-zero repeatedly. Then it writes zero-one repeatedly. Then it writes one-zero repeatedly.

If you are a marine, get your sledgehammer and sander and do what marines do best. Absolutely, positively, destroy it overnight. 🙂

For most of us, a disk shredder is sufficient.
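The deletion mark, the compact routine and the triple overwrite described above, as an added example that is not from the book. The record format (one mark byte, a length, then the body) is constructed for this example and stands in for a mail file or file system index; a "disk editor" view is just the raw bytes of the file.

```python
# Added example (not from the book): a tiny record file that deletes by
# marking, compacts by copying live records to a temp file and renaming it
# over the original, and "shreds" by overwriting a record's bytes with the
# three alternating patterns the text describes before marking it deleted.
import os
import tempfile

DELETED, LIVE = b"D", b"L"          # one-byte mark at the start of each record
HEADER = 1 + 4                      # mark byte + 4-byte big-endian body length
PATTERNS = (0x55, 0xAA, 0x55)       # 01010101, 10101010, 01010101

def append(path, body):
    """Append a live record; returns the record's byte offset in the file."""
    with open(path, "ab") as f:
        f.seek(0, os.SEEK_END)
        offset = f.tell()
        f.write(LIVE + len(body).to_bytes(4, "big") + body)
    return offset

def records(path):
    """Yield (offset, mark, body) for every record, deleted ones included."""
    with open(path, "rb") as f:
        while True:
            offset = f.tell()
            header = f.read(HEADER)
            if len(header) < HEADER:
                return
            mark, length = header[:1], int.from_bytes(header[1:], "big")
            yield offset, mark, f.read(length)

def live_bodies(path):
    """What a reader displays: it simply skips records marked deleted."""
    return [body for _, mark, body in records(path) if mark == LIVE]

def delete(path, offset):
    """Ordinary delete: flip the mark byte; the body stays on disk untouched."""
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(DELETED)

def shred(path, offset):
    """Overwrite the body with three alternating-bit passes, then mark deleted."""
    with open(path, "r+b") as f:
        f.seek(offset + 1)
        length = int.from_bytes(f.read(4), "big")
        for pattern in PATTERNS:
            f.seek(offset + HEADER)
            f.write(bytes([pattern]) * length)
            f.flush()
            os.fsync(f.fileno())       # push each pass out to the device
    delete(path, offset)

def compact(path):
    """Copy live records to a temp file, then rename it over the original."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "wb") as out:
        for _, mark, body in records(path):
            if mark == LIVE:
                out.write(LIVE + len(body).to_bytes(4, "big") + body)
    os.replace(tmp, path)              # the reader now finds only live records

def raw_bytes(path):
    """What a disk editor would see."""
    with open(path, "rb") as f:
        return f.read()

def demo():
    """Constructed walk-through: delete leaves the data, shred removes it."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    a = append(path, b"alice: meet at noon")
    b = append(path, b"bob: invoice attached")
    append(path, b"carol: thanks")
    delete(path, a)
    result = {"after_delete_visible": live_bodies(path),
              "after_delete_on_disk": b"meet at noon" in raw_bytes(path)}
    shred(path, b)
    result["after_shred_on_disk"] = b"invoice" in raw_bytes(path)
    compact(path)
    result["after_compact"] = live_bodies(path)
    result["marks_after_compact"] = [m for _, m, _ in records(path)]
    os.remove(path)
    return result
```

Note that a real file system may also leave copies in journals, slack space or wear-levelled flash blocks, which is why the text points to a dedicated sanitization utility rather than a single overwrite.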

Access control – The operating system has to maintain memory. The operating system must know what to put where, and how to retrieve information from its location (address). The operating system must also know who is allowed to access which pieces of information, and retrieve information only for those allowed to have it: authorized users. The operating system must be careful to allow information to be stored only where a user is allowed to store it. These are known as Read / Write Permissions.

From a security perspective, a virus will try to read or write what it should not be allowed to, more likely write than read. Malicious users, attackers, will try to read what they should not be allowed to. In some cases, they will try to write where they should not be allowed; classically, to change grades or billing records.

File Access control – Related pieces of information are put into files, and related files are put into file systems, which the operating system must manage. The operating system must also know who is allowed to access which files, and retrieve information only for those allowed to have it: authorized users. The operating system must be careful to allow files to be written and stored only where a user is allowed to store them.

The security perspective is the same as above.

System Access control – There are user functions and system functions. For instance, a user is given space and may do with that space as he/she pleases, within acceptable use policies. A user may store files and programs, which are files of a specific type. System functions, however, are activities such as creating new users; changing passwords; deciding which software may run and how much memory a running program can have; and directing where files should be written. An ordinary user should not be allowed to alter system access controls. Only a system administrator should be able to make such changes.

From a security perspective, both attackers and ordinary users (who may one day become attackers, as in disgruntled employees) should not be allowed to alter system access controls. Allowing it would permit unauthorized and inappropriate file access; the ability to destroy data; the ability to upload malicious programs; the ability to encrypt data in ransomware scenarios; the ability to disrupt or seize control of communications, such as Internet connectivity; and, in many other ways, the ability to clog up the pipes.

It is accepted practice that while an ordinary user may not perform system access control functions personally, a user may request a system access function through the system. For example, all users, regardless of authorization level, may request validation of their user name and password. Think about it. How else could people get into a system, if they can’t request access to the password file? The entire password file! But, to maintain order and avoid malicious attacks, the request is made of the operating system, which does the job and then returns an answer. This keeps things flowing smoothly and maintains security as well as order.

Herein lies a weakness. Do you see it? Everyone must be able to access the password file—the entire password file. Or, they may not be able to get in. But, if you have access to the password file, can you not decrypt it? Well, that would depend on the ingenuity of the attacker and the strength of the encryption.

[To Come:  An exercise at the end of the chapter will demonstrate that point.]
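The "request it of the operating system, which returns an answer" design from the paragraph above, as an added example that is not from the book. The credential store, user names and passwords are constructed for this example; it shows why a readable password file need not give away passwords when each entry is a salted, slow hash and the caller only ever receives yes or no.

```python
# Added example (not from the book): every user may ask "is this name and
# password valid?" but nobody reads passwords out of the file, because none
# are stored. Each entry holds a random per-user salt and the output of a
# slow key-derivation function (PBKDF2); the store does the check itself.
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor; raise it in real deployments

def make_entry(password: str) -> str:
    """Build one credential-file line: iterations$salt$hash (all hex)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def check_entry(entry: str, password: str) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    iterations, salt_hex, digest_hex = entry.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

# Used when the user does not exist, so an unknown name costs the same work
# as a known one and the answer is not quicker for absent accounts.
DUMMY_ENTRY = make_entry("placeholder-not-a-real-password")

class CredentialStore:
    """Stands in for the operating system: it owns the file, callers only
    get True or False back from validate()."""

    def __init__(self):
        self._entries = {}

    def add_user(self, name: str, password: str) -> None:
        self._entries[name] = make_entry(password)

    def validate(self, name: str, password: str) -> bool:
        entry = self._entries.get(name)
        if entry is None:
            check_entry(DUMMY_ENTRY, password)   # same cost, always False
            return False
        return check_entry(entry, password)

    def dump(self) -> str:
        """What someone who can read the file sees: salts and hashes only."""
        return "\n".join(f"{n}:{e}" for n, e in self._entries.items())
```

Because the salt differs per user, two users with the same password get different lines, so the file cannot be used as a lookup table across accounts.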

Executable permission. – Each file has a code to identify whether it is a data file or an app (to use modern terms). If a file is an app, it can run. However, not all apps are equal. Not all apps can run in the same space. Not all apps can be started by just any user. The user must have permission to run the app, and if the app performs some kind of system access control, the user must implicitly be allowed to use that system function.

From a security perspective, executable permissions aid in preventing viruses from running. But not always. If a virus should be executed, for example when it runs after a user opens an email attachment, the effect should be localized to that specific user, because, since that user ran the app, any reading or writing of data should be restricted to that specific user’s files and file space. Since such restrictions should be in effect, then, if a virus is run, it should not affect system areas. Such protection occurs in a network scenario with a server and “client” users.

In more colloquial parlance, whatever damages an individual should suffer, should not affect common ground.

Networking. – We will get into networks in a separate chapter. To simplify and define this operating system function: many computers can be connected together and talk to each other. Each computer may be totally independent and all the computers can just speak to each other. Or, all the small independent computers (a bunch of laptops or desktops, for example) may be connected to a central computer, a server. Either way, the operating systems on all the computers have to handle all the messages being sent over the network, otherwise known as traffic.

The operating system has to be able to send and receive messages. The operating system must also be able to know which messages are and are not intended for which computer. More depth and definition in the later chapter on networks.

From a security perspective, if an attacker can get into the network somehow and listen to all the messages, then the attacker can gain all sorts of information. Messages are broken into packets. Electronic devices such as packet sniffers can listen to the traffic on a network and display the contents of the packets. This is why packet encryption is important.

Another way to do packet sniffing is to physically plug a computer into a hard-wired network. This will allow the computer to record all the traffic and save it for later. Then, with lots of time and hacking, using all sorts of programming, packets can be analyzed, read and decrypted. Network analyzers such as NMAP will do this.

Internet access – Just consider the Internet like some kind of huge network, with its own packet formats, that anyone, from anywhere, can log on to.

Choose Your Friends Wisely

  • Anonymous Proverb

The operating system will handle all requests to send and receive traffic to/from the Internet. This includes addressing: to which computer on the Internet the message should be sent, and from which computer on the Internet the message came; the format of the packet; and encryption of outgoing packets (packets being sent out over the Internet). This will also include the displaying of web pages and whatever requests for information are made of web pages.

There are many potential attacks that are possible with Internet connectivity. One important safeguard is to restrict access from the bad guys: blocking attackers from particular networks, locations and web sites known for their malicious software. Doing so is a full-time job, or at least a major job function, for system or network managers.

More on this in the chapter Web Pages and Servers.

Security – is a function of the operating system. Access control is the most common security function of the operating system, which includes file access control and executable permissions. These security functions are implemented with passwords and access levels of authorization. Different operating systems refer to access level management with different names. However, the idea is the same: giving permission as to who can run, see or write what, and enforcing those access rules. Encryption is a necessary part of making security happen: ensuring access control, issuing passwords, reading passwords and changing passwords. The operating system may offer ways to encrypt and decrypt data – in files, in messages sent over the network, in data or packets sent over the Internet.

In General

Windows – This is a commercial product. No way around that. Source code is proprietary. I am uncertain if the licensing agreement permits decompiling even for private viewing. You can run various flavors of Windows with a virtual machine.

A walkthrough for getting a copy of Linux, Unix and Chrome OS will be presented below.

Linux – There are many flavors. A few are open source. Ubuntu is a popular freebie. I use Ubuntu as an example. Learning to use Linux is good. Many web servers and networks run Linux. You should learn how Linux works. In the meantime, Linux has a GUI (Graphical User Interface, a Windows-like user environment). Oh, it’s stable, free and a lot more secure than Windows. You don’t have to worry about viruses all the time.

There is a version of Linux &&& that is designed specifically for cyber security researchers.

Unix – There are many flavors. There are some open source versions. Solaris is a popular open source version. Solaris is free. You can buy it on CDs if you like; if you buy the CDs, you will get some technical support. Many large and powerful systems run Unix. Unix has long been considered the powerhouse operating system. Many communication networks are Unix based. While considered a techie geek thing, Solaris Unix has a nice GUI and non-techies can use it with ease too. You should learn how Unix works.

As Unix and Linux are similar, learning one will enable you to learn the other more quickly. The two operating systems’ commands and operations are very similar.

Chrome OS – This is Google’s operating system. Supposedly very secure and well tested. Although Google has put out a large bounty on Chrome OS, there are no takers. I find this odd. It portends something; I just don’t know what. Probably, that the system is very secure. However, I include it as it is becoming more popular and there is, at the time of writing this book, a $100,000 bug bounty on Chrome OS.

MAC – Sorry. You will have to learn this one on your own. MAC equipment will cost you. MAC software will cost you. Books on MAC operations and programming will cost you. There is a reason, why MACs are hacked less.

The Borg Attack. There is a reason why geeks and programmers watch SyFy. It is the imagination of techies. What we dream in tech, we can realize in tech if we work at it hard enough. Man can fly. Star Trek is the epitome of scientists fantasizing about what they could do and then trying to do it. Communicators became cellphones. Tricorders became PDAs and now smartphones. Universal translator? Well, Google Translate on your phone with a mic, right? So how do they hack computers in the Star Trek universe?

Apart from neurological interfaces with computers, there is an episode about the Borg, a cybernetic race that engages in conquest, turning all in their path into cyborgs like themselves. All the cyborgs are connected by some kind of communications network and computerized. Of course they have network security, command code security, very advanced security.

When a battle occurs, the Enterprise has inferior weapons that have little effect but, they do have a comm link to the enemy ship. However, they can’t hack their way in to issue an order to stop fighting or destroy a weapon system or do something useful to win the battle. Then, the captain tells the scientist working on the comm link to tell the Borg to go to sleep. It is a low security level command which they will obey and, it will effectively put the enemy out of commission, long enough to escape.

This is really an old military strategy or trick if you will. Why try and go through the heavily guarded and fortified front door, when you can go in through the back door to the kitchen? It’s not guarded, at least not heavily. Stinks from garbage and may have lots of dirty animals. It’s small. Hard to pass in a large army all at once. However, you can get in. Then, those who entered can wait until enough soldiers have entered and basically attack from behind, where no one is expecting it.

The idea is worth remembering when trying to penetrate a network or gain access to a system.

How does this relate to computers and network penetration?

Well, for one, take something simple like looking up a user name, or checking whether a piece of data exists or not. Searching is OK. That is what databases and all lookup systems do. They search. If something – a person, for example – is not found, the database will tell you. How long it takes to tell you clues you in. If a database spits back “Found” right away or “Not Available” right away, you know it’s there. If it takes 10 seconds to say “Not Found,” it really is not there.

Now, if the database has different responses for different authorization or access levels, “not found” might actually be there, but you can’t see it. So the query comes back real fast. But if the information is really not there, it could take a while checking for it before answering “not found.” Some systems take this into account and add time to responses, so malicious attackers cannot assess what is and isn’t in the database.
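The response-time tell described above, beside the "add time to responses" fix, as an added example that is not from the book. The database, the clearance levels and the simulated search cost are constructed for this example.

```python
# Added example (not from the book): a naive lookup whose "not found" answer
# is slow only when the record is truly absent, and a padded version that
# (a) gives hidden and absent records the same wording and (b) holds every
# answer until a fixed minimum time has passed, so timing reveals nothing.
import time

SEARCH_COST = 0.10    # seconds; constructed cost of an exhaustive miss
MIN_RESPONSE = 0.15   # must exceed the slowest honest path (SEARCH_COST)

# Constructed "database": name -> clearance level required to see the record.
DB = {"alice": 0, "mallory": 2, "carol": 0}

def lookup(name, clearance):
    """Naive server: hidden rows answer instantly, absent rows after a scan."""
    required = DB.get(name)
    if required is not None:
        return "Found" if clearance >= required else "Not Available"
    time.sleep(SEARCH_COST)            # the exhaustive search before giving up
    return "Not Found"

def lookup_padded(name, clearance):
    """Same data, but hidden and absent records are indistinguishable."""
    started = time.monotonic()
    answer = lookup(name, clearance)
    if answer == "Not Available":
        answer = "Not Found"           # never admit a record exists but is hidden
    remaining = MIN_RESPONSE - (time.monotonic() - started)
    if remaining > 0:
        time.sleep(remaining)          # pad the fast path up to the slow one
    return answer

def timed(fn, *args):
    """Return (answer, elapsed seconds): what a client on the wire observes."""
    started = time.monotonic()
    answer = fn(*args)
    return answer, time.monotonic() - started
```

With the naive lookup, a low-clearance caller learns that "mallory" exists from the instant "Not Available"; with the padded lookup both cases read "Not Found" and take at least MIN_RESPONSE.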

There are many examples from “big data” and “small data” where, by using a few simple data points (pieces of information) and as little as two datasets, a correlation and identification can be made. This is a serious problem with anonymizing data and records. In fact, one can work with public records and figure out a lot.

In practical terms, it may be very hard to penetrate a network by guessing passwords, even with educated guesses. But you can log in as a guest and copy the password file, then more easily work on decrypting it, and then gain a user name and possibly a password.

Probably the most sought after information is access. How can I get into a system? This has many parts. Where is the system? How is it connected? Wired? Wireless connection? What kind of connections? Which operating system? Where is data stored? How do I access the data? If they have services I want to use, how do I access those services? How do I get into an individual account? How do I get into an admin (system administrator level) account?

For this chapter, on operating systems, we will skip to the end and discuss how do I get into an account – user or admin? Without being a technical guru, what if they just gave me their password? Or, if I could look in their diary and see what it is?

Consider: it is sometimes easier and cheaper for spy agencies to install cameras to watch someone enter his or her password than it is to go to all the great hacking lengths. Yes, you are not a spy agency and cannot pass as a technician from a security company, manufacture false badges and have a phony office set up to back you up. But the idea remains the same.

If you can not make it, fake it.

Anonymous Saying

The False Login Routine. – Old as the hills. Comes in many flavors. You have seen this before: the email phishing scheme. Your bank/Twitter/Facebook/LinkedIn/whatever account has been compromised. Click here to change your password. If you look at that link, it takes you to a website that is definitely NOT Bank of Your Choice. But it looks just like your bank’s login! The unsavvy, the unwary, enter all their login information and are then given an error message with a “Click Here” to return to the bank’s login page. The website then redirects you to the real bank’s website. In the meantime, all your login information has been obtained by some nefarious hacker, who then proceeds to drain your accounts.

The idea is simple.

  1. Spoof the login screen.

  2. Get the user to enter his/her credentials.

  3. Save those credentials.

  4. Redirect to the real login screen.

Not everyone falls for this. But, plenty do.

There is a twist to this plan, but it is basically the same idea. The scenario above is for Internet access. A little modification makes this work for any kind of telecommunication connection. That is, when someone turns their computer on or tries to access a system, instead of the communication program starting up to connect, a sign-on screen appears as if the user had connected to the system. The user tries to sign on. He/She gets an error. The login information is recorded. The real communication program is called.

Spoofing Internet Access Routines. – This is a slight variant of the above. One sits on a public network, such as at a café. One monitors the traffic and access points. One creates a “dummy” access point. One looks for someone connected to Facebook. Knock that person off the network. They reconnect to the network through the dummy access point. A false Facebook logon page is displayed. They log on to Facebook. You have their Facebook password. You can also see whatever else they log in to.

This is a bit more sophisticated technically. I will cover this in depth in the chapter on networking. I mention it here because it is the same spoofing idea. Show a false logon page and capture the password. The target simply gives you their password. A lot easier than trying to decrypt a password.

Specifically

Windows

An integral part of the Windows operating system, and integral to hacking the Windows operating system, is the registry and its registry keys. The registry is a system file that contains lots of information. Every piece of hardware has a key with information on its operation. It contains startup information for when Windows starts and lots of information for programs’ startup and operation. Most programs written for Windows access the registry and make their own private keys. Malware will also access the registry and alter the keys so that its software starts when Windows starts. This is often a crucial factor in virus removal.

The registry needs maintenance. Unused keys need to be removed. Keys and links in the keys may get broken and need to be fixed or removed.

There is an interesting lesson in copy protection to be learned from Windows installation.  [More to come.]

Linux

http://rufus.akeo.ie/

As an exercise, try and find this link on your own:

http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-windows

[Much more to come.]

Unix

Virtual Machines. – A virtual machine simulates an environment, commonly without having to reboot. It’s like running some software on your PC that lets your PC run Mac software, or vice versa. Making a virtual machine does not just mean the operating system. A virtual machine can have other specifications, for example the size of memory, the number of ports, the number and kinds of devices attached, anything that could be in a list of hardware.

The value of using a virtual machine is that you can create all sorts of environments on one machine, without actually having all the different operating systems. You can safely run unknown software which, even if it is malicious, will not hurt your live equipment. You can only hurt the virtual machine, which is, err… virtual. It can be erased and recreated.

Using a virtual machine is one way to circumvent time and counter locks. You can run the software as many times as you like, by simply recreating the virtual environment.

Open Source Virtual Machines

VMware Workstation Player and VirtualBox are two very popular free virtual machine products. Both come with a community of users, and offer documentation and training.

http://www.vmware.com/products/player/

https://www.virtualbox.org/

Read through the installation guides. Install and run a virus. See that your machine is safe. See that your machine is unaffected.

[Beware. This needs a 50 gig space minimum to install and run.]

Sandboxing. – This is creating highly restricted environments for software to run in. This gives you the same safety when running unknown software that is potential malware. Unlike a virtual machine, sandboxing does not mimic another machine. All sandboxing does is make sure that malware cannot blow you away. Unknown software cannot read or write files without express permission. Unknown software cannot access the web without explicit permission. And so on. This way, you can test software without destroying your machine.

It is highly recommended to use your browser in a sandbox, so as not to infect your machine with viruses. Web surfing is the common source of viruses. Also, running your browser in a sandbox prevents malware from capturing, saving and transmitting credit card or password information.

Internet Explorer and Chrome run in a sandbox. Firefox does not.

Sandboxing is used extensively in the analysis of malware to see what the malware does.

Sandboxie (Sandboxie.com) is popular sandbox software. There is a free home version, as well as paid home and commercial versions with additional features.

[More to come.]

Jail. – Computer jail. A highly restricted environment without network access and limited file access.

Rule Based Execution. – A method of controlling what can and cannot run, and what new processes an existing program can “spawn”. Spawning is when a program starts another program or a new copy of itself.

[1] http://phrack.org/issues/49/14.html or https://www.eecs.umich.edu/courses/eecs588/static/stack_smashing.pdf

This article is a bit technical. But if you ignore the technical stuff for now, you can get the drift that there is a way to trick the system into giving you a system prompt when you should not have one, and so gain access to the system.

[3] https://en.wikipedia.org/wiki/RAID See the “Overview” section for fixing corrupted data.