00:00:00
So as we look at this first slide, it says "Security in a Server Operating System," so we're going to be looking at this through the rose-colored glasses of protecting your server, whether it's Windows, Linux, or anything in between. We're looking at how to protect that server from potential exploitations, and we're also looking at what would happen if the kernel itself was exploited against. So as I'm progressing through, the next slide says "allows access to all physical devices and potentially allows the attacker to access resources." So it's no wonder why we have all of these exploitations that we hear about: the more devices that connect to the big ol' internet, meaning the more windows that there are. We all know that the more windows that you open, yeah, the light can come in, like a house, the more windows that there are, but we all know that there are also things that we don't want that can come in.

00:01:06
Now, interestingly enough, the erasing-footsteps icon as it is shown here refers to the fact that one of the goals is, quote unquote, persistence. So once you pwn a system, for example, the victim's computer's registration system is actually changed so the exploitation can remain clandestine. So even if the victim reboots his computer, you know, turning it off and turning it on again, the exploitation still endures.

00:01:48
The point of this next slide is that although the kernel is the nucleus, or center point, or brain, if you will, of the OS, there is still a need to display things in a layered approach. Applications, of course, will always be front-facing; for example, apps generally have a user interface, or UI, and every action or event that the user does will eventually make its way to the lower layer. For example, a user makes a Simple Mail Transfer Protocol request, or SMTP request, to send out an email; that request of course has to be processed through the CPU, in memory, using devices such as the hard drive, and transmitting the data through network interface cards. All of this is connected to each other via the kernel, kind of like the world's quickest office admin.

00:02:58
Okay, then the next slide is "Servers Abstracted." Now, abstracted means that only the vital parts are visualized. If you kind of go into too much detail, meaning, you know, you look at the trees as opposed to the forest through the trees, then overall system comprehension kind of recedes, kind of like my hairline: it kind of recedes, or comprehension kind of just goes down.

00:03:27
Now, as you can see, the hardware layer resides at the bottom and is the basis for all of the top-layer things, all the top-layer events that are going on. This includes web browsers, UIs, you know, the things that the end users, quote unquote, can see and do; they have the direct, I'm going to say, access to be able to touch and manipulate them. The end result is that if the user process gets corrupted or makes a swift exit, it's okay, because the user, quote unquote, owns the web browser process. Now, it doesn't necessarily have an impact on the other users. This is because there are different, quote unquote, modes. So the user mode has permissions such that the only areas in memory a user is granted are in the, quote unquote, user space. Now, this user space doesn't mingle with the kernel mode: the user mode lives or resides in that upper area and the kernel mode lives down here in the lower area. So when your web browser crashes, and of course you should know and understand that the web browser would operate in user mode, then the PC in general will not crash, or that web browser process, which is owned by the user, won't have an effect on other processes, like where other users are operating in.

00:05:14
Obviously kernel-owned processes are different. If a kernel lives in the same area as the CPU, RAM, and network, as it shows, then any exploitation of the kernel space does in fact have an effect on the overall PC and anything attached to it. Imagine it isn't a PC per se, where the user is simply playing a video game like Doom or Skyrim or something; imagine this is a huge server. So imagine this is, like, you know, in some data center, in some server farm, and this server happens to connect to thousands of, not people or single users, but serving thousands of little containers running Red Hat's OpenShift, or maybe an Ubuntu-platformed Kubernetes, which would actually represent potentially thousands of, not people, but customers or clients, and each single container had tens of thousands of people connected to each singular container. So imagine what a simple DoS, or denial of service, exploitation could do to one single box, because of course that one single box would be connected to all these containers. You know, as you know, Kubernetes is an orchestration of multiple containers, so each container would connect to a potential business, and these potential businesses could have thousands of people connected to it.

00:06:57
Now remember, even the peripheral devices like network cards and graphics cards all run through the main memory; thus they touch the kernel mode. You could even see, you could potentially poison a network flow, even potentially affecting everything and everyone attached to that LAN.

00:07:18
The kernel is responsible for switching between processes; in this way it's referred to as a context switch. Single-core processors especially had to manage multiple seemingly simultaneous events that were actually occurring within milliseconds of each other, kind of like a server at a restaurant that could only carry one meal at a time for a table of, say, four people; maybe the server's serving tray was small. In CPU terms we call that single core. Now, a bigger tray in which he or she could carry out all four meals at the same time: this means that she or he must have a processor with a single core, or just a bigger serving tray. Examples of this include the Intel 4004, released in 1971; it was the first microprocessor to integrate a CPU, memory, and input/output controls in a single chip. That would be like a server, as I said, only having a tray big enough for one plate. However, in 2006 Intel had their first quad-core processor, the Core 2 Extreme line of processors, like the server now having a larger serving tray. But like I said, the kernel is now able to take microtransactions that seemingly occur at the same time, but they're able to separate them, and the only way to truly have a simultaneous event is if they occurred at the same time but on different cores. So the kernel, from a per-core perspective, is going to be able to seemingly assign simultaneous events, but they are actually occurring microseconds apart, like the server who is able to bring more than one dish at the same time simply by getting a bigger serving tray. So if you want simultaneous events, you had to have more than one core, and the point of all of this is that the kernel is the device that is managing all of this.

00:09:39
Let's talk memory management now. Each user gets their own place in memory, so one private area cannot access another private area. Let's talk about the MMU, the memory management unit, that is able to facilitate the kernel's memory management. This is where swapping can occur, such that if your RAM is overused or getting to capacity, it can page, or take a virtual part of your hard drive and make it accessible to your PC's memory, so it creates a memory map called a paging table. By the way, when I was analyzing LPARs, or logical partitions, of Unix systems years ago, we were always concerned with the concept of thrashing. From Google: "a situation where a system spends a significant amount of time swapping pages between RAM and the hard disk due to insufficient memory, resulting in poor system performance because it's constantly busy managing page faults instead of actually executing tasks. Essentially, the system becomes bogged down by its own paging activity, leading to slowdowns and decreasing efficiency."

00:11:05
So now let's talk about system calls. When a user does something like, for example, run the ls command, the command itself, which is essentially, as I told you before, a program, needs system resources. Now, these system resources aren't done necessarily by the user himself but through an automated series of system calls. It's so funny how we talk about the automation in IT these days, like automated driving cars and all the automation that might go into the daily administrative tasks, like having an online billing system or something; computers have been doing internal automation literally for years and years, decades. So a user places a command into their system, like the ls command, and a series of system calls occurs underneath, in areas that we don't see, controlled of course by the kernel, and the process flow is similar to what you see on the screen: the fork command creates an identical shell and then it runs the exec ls command.

00:12:23
As you can see, user space stretches all the way from the user going to a web browser to that web browser app communicating with the internal layers, including the CPU, network, and the like. The kernel needs to identify this area, and it does so via a human-readable version of your name linked to the user ID. Now, the user ID is what the computer sees you as, and probably would not even be recognizable to the human, you know, vision, or the human sight. It's kind of like, you know, domain name services, in which you know bestbuy.com, but it links to an IP address that wouldn't be intuitive to us. To the kernel, a user is an owner of whatever process the user starts or begins, or in computer terms, initializes. We can see all the user processes if we use the ps command, that shows all the processes that are going on in the computer. The user may not interfere with the processes of other users, unless of course you're the root user, better known as the superuser.

00:13:42
Then there are groups. The primary purpose of a group is to allow a user to share file access with other members of a group, and what you see is all these users, all these different users, are, you know, unique to themselves; they can't see what each other is doing, but yet they are all part of the group. In this case they're all interns, so you can imagine that they might have access to things that an admin might not have access to, but they're not going to have all the access that an admin or even a seasoned, you know, employee or manager might have. Interestingly enough, when you create a user through the useradd command, your group is your username, so by default user 123 would be in the group 123. So when these users are created, you have to individually create another group, in this case interns, then manually place each member into the group. For example, the first time I fired up my Linux operating systems through VMware, or, you know, UTM, or even if it's on bare metal, I'll add the user Jason during the setup, but then, you know, by default the group I belong to automatically is also Jason. So as I create assets such as a customer list, email list, and maybe some IP, intellectual property, I can create groups, real groups, and decide which group can either read it, write to it, or execute it.