Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Presentation4
Document related concepts
Burroughs MCP wikipedia , lookup
Distributed operating system wikipedia , lookup
Linux adoption wikipedia , lookup
Copland (operating system) wikipedia , lookup
Plan 9 from Bell Labs wikipedia , lookup
Spring (operating system) wikipedia , lookup
Mobile operating system wikipedia , lookup
History of Unix wikipedia , lookup
Security-focused operating system wikipedia , lookup
Transcript
COMP2221
Networks in Organisations
Richard Henson
February 2014
Week 4: Some Important
Network Operating Systems
• Objective:
Name significant network operating systems in
developments towards today’s/tomorrows
organisational networks
Briefly explain features of a typical network
operating system (server end & client end)
Explain a (network) operating system architecture
in terms of a multi-layered model
What are Operating Systems?
• Bundle of Software!
many programs working together
• Make the computer function…
control of hardware
platform to support applications
• including user interface
utilities to control the platform
• e.g. disk/file management
Software Layers and
Operating Systems (OS)
Applications
os functions & user interface
os kernel
CPU, motherboard
What if the Operating System
has software faults?
• The platform becomes “unstable”!!
• Could be errors in
hardware control?
user interface?
utilities?
• What would happen to:
applications running on a poorly designed
platform?
businesses depending on such apps?
Software Faults & CWE
• Lot of recent interest in why software (even
•
some operating systems…) is so unreliable
Mitre Corporation (US) with govt backing…
classified software fault types into a Common
Weakness Enumeration (CWE)
• community developed, formal list of software
weakness types
• Intended use of CWE:
to better describe software weaknesses in
architecture, design, or code
6
[TSI/2012/183]
© Copyright 2003-2012
More about CWE
• CWE provides:
standard measuring stick for software tools
targeting software weaknesses
common baseline standard for efforts to
identify, mitigate, and prevent software
weaknesses
• Currently 943 distinct CWE entries
identified by Mitre!! (version 2.6)
http://cwe.mitre.org/data
more commonly encountered weaknesses
usually “repeat offenders”
Example of an
operating system flaw
• Apple:
dangerous flaw revealed last week-end in
iOS 7 and X (21/2/14)
http://gizmodo.com/why-apples-hugesecurity-flaw-is-so-scary1529041062?utm_campaign=socialflow_gi
zmodo_facebook&utm_source=gizmodo_fa
cebook&utm_medium=socialflow
CWE Top 25 faults (part 1)
Rank
ID
Name
1
CWE-79
2
CWE-89
3
CWE-120
4
5
6
7
CWE-352
CWE-285
CWE-807
CWE-22
8
9
CWE-434
CWE-78
10
11
12
13
CWE-311
CWE-798
CWE-805
CWE-98
Failure to Preserve Web Page Structure ('Cross-site
Scripting')
Improper Sanitization of Special Elements used in an
SQL Command ('SQL Injection')
Buffer Copy without Checking Size of Input ('Classic
Buffer Overflow')
Cross-Site Request Forgery (CSRF)
Improper Access Control (Authorization)
Reliance on Untrusted Inputs in a Security Decision
Improper Limitation of a Pathname to a Restricted
Directory ('Path Traversal')
Unrestricted Upload of File with Dangerous Type
Improper Sanitization of Special Elements used in an OS
Command ('OS Command Injection')
Missing Encryption of Sensitive Data
Use of Hard-coded Credentials
Buffer Access with Incorrect Length Value
Improper Control of Filename for Include/Require
Statement in PHP Program ('PHP File Inclusion') [TSI/2012/183]
© Copyright 2003-2012
CWE Top 25 faults (part 2)
Rank
ID
14
15
CWE-129 Improper Validation of Array Index
CWE-754 Improper Check for Unusual or Exceptional
Conditions
CWE-209 Information Exposure Through an Error Message
CWE-190 Integer Overflow or Wraparound
CWE-131 Incorrect Calculation of Buffer Size
CWE-306 Missing Authentication for Critical Function
CWE-494 Download of Code Without Integrity Check
CWE-732 Incorrect Permission Assignment for Critical
Resource
CWE-770 Allocation of Resources Without Limits or Throttling
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
CWE-362 Race Condition
16
17
18
19
20
21
22
23
24
25
Name
[TSI/2012/183]
© Copyright 2003-2012
TSI
Logo
•
•
Susceptibilities
The confirmed presence of one or more
vulnerabilities within an implemented system, such
as the presence of an operating system with a
buffer overflow defect
Susceptibilities in systems stem from:
a. initial implementation
b. changes to software, such as from adding new
facilities or the correction of detected errors
(‘patching’)
c. use of utility programs, which may be capable of
circumventing security measures in the controlling or
application software
[TSI/2013/306 | Draft 0.B | 2014-02-10]
TSI
Logo
•
Vulnerabilities
Vulnerabilities can be:
The existence of a generic weakness in a particular
platform, such as a buffer overflow occurring in a
specific operating system or application
Interactions between multiple software elements that
bypass intended controls
Accidental actions of software developers that result
in defects and deviations
Deliberate actions of software developers that bypass
intended controls, such as trap doors that permit
unauthorised access to the system
[TSI/2013/306 | Draft 0.B | 2014-02-10]
Vulnerabilities from
Major Vendors (2011 figures)
[TSI/2012/183]
© Copyright 2003-2012
Software Weakness Mitigation
• What to do about all these faults….?
• Many concepts and practices
needed for Trustworthy development
of software have existed for many
years…
“Due Diligence”
Pareto 80:20
14
[TSI/2012/183]
© Copyright 2003-2012
Due Diligence
Implies software should be
reasonably trustworthy….
• what does “reasonably” mean?
Implementations vary with Audiences
and Assurance Requirements
Pareto 80:20
(favoured by TSI)
Practice improved iteratively using
existing experience
Example:
• switching on and acting on Compiler
Warning Flags…
would obviates many common “repeat offender”
weaknesses
• If only this was normal practice!!! It
could be….
Apps and Operating Systems
• Applications need a platform…
better designed platform…?
• easier to design trustworthy apps
• Mobile phone app vulnerabilities by malware
for platform (F-Secure, 2012):
http://www.f-secure.com/static/doc/labs_global/Research/Mobile%20Threat%20Report%20Q3%202012.pdf
Apple iOS: 1.1
Symbian: 29.8
Android: 62.8
Windows mobile: 0.6
Why the differences?
• Apps written to use operating system
(os) platform appropriately…
well designed os restricts/prevents
inappropriate use
poorly designed os allows sloppy habits
• but may have performance advantages… (!)
• e.g. Android top 25 vulnerabilities (CWE):
http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id19997/Google-Android.html
Early Operating Systems
• Each of the early computers was
unique
each had to have its own purpose-built
operating system
• IBM: world’s first mass produced
“mainframe”
IBM 701 (1952)
• purchasers expected to write their the
operating system themselves!
• first “mass produced” operating system
written by General Motors: GM-NAA I/O in
1956
adopted by IBM as IBSYS
IBM hugely successful; by 1980s,
allegedly bigger than US government (?)
First British Operating system
• Leo 3 was the first mass produced British
Computer
94 units built 1961-1969
• full list of buyers http://www.leocomputers.org.uk/newleo3s.htm
each had a loudspeaker connected to the
CPU… so operators could tell if it was “looping”
had a multi-tasking operating system called
“master program”
• Some continued in service until 1981
First Minicomputer
& Operating system
• Produced by Digital Equipment Corporation
(DEC) in 1963
called the PDP-6
• “mini” in size compared to mainframes
• huge by today's standards
operating system called “monitor”
•
•
•
•
•
evolved into the TOPS10 (1970)
ran on the legendary PDP-10
still going until 1988
can get it even now:
http://www.inwap.com/pdp10/96license.txt
Unix
• Spin-off (1969) from project MULTICS
First attempt at a multiuser operating system
• Consortium including Bell Labs, AT&T,
US equivalent of BT at that time
• FAILED! Too ambitious…
Bell Labs: cut down derivation called UNICS -> UNIX
• written in assembly language by Ken Thompson
• sharing of processes also being explored in The ARPAnet
project
• Commercial Challenge:
• DEC PDP-7 minicomputer
• needed a general purpose “time sharing” operating system
for multiuser use…
• their own os “monitor” had not yet matured into TOPS-10
Thompson, Ritchie,
“B”, NB, “C” & Unix
• Thompson looking for a high-level language
to develop a time sharing os
• briefly toyed with Fortran
• worked with colleague Dennis Ritchie to create
their own higher level language – “B”, based on
BCPL
• http://cm.bell-labs.com/cm/cs/who/dmr/kbman.html
• development of B = newB (NB)
• development of NB -> C
• Unix kernel was rewritten in “C” (1973)
Development of Unix/C
• “C” compiler completed by Ritchie in 1972
• Further commercial Unix versions (for
•
•
Honeywell & IBM) released in 1973
“C” further developed during 1973-7
Full definition of language as Kernighan &
Ritchie “C” (1978)
rapidly gained universal acclaim
• Unix still written in “C” to present day!
32-bit processing from the outset
Open Sourceness of Unix
• AT&T not allowed to be a commercial
company
• could not sell Unix
• gave a copy away free to any developer who
wanted to use it!
• many universities contributed to its development
• Result (in 1979): Unix version 7
• still recognisable today!
Silicon Valley, TCP/IP and Unix
• University of California created The ARPAnet
(1969)
• 1975 onwards: Berkeley, north of San
Francisco
• hub for its own unique brand of Unix developments
• start of “Silicon Valley” (IT hot spot around SF)
• ARPAnet team
• developed TCP/IP
• 1980, gained approval through RFC
• operating system that would support TCP/IP arrived
in 1983…
• Berkeley Unix (v4.2) packaged with TCP/IP protocol stack
• Sun Microsystems producing the hardware…
Bell Labs Unix becomes
Commercial…
• US Dept of Justice broke up AT&T in 1984
• Bell Labs then allowed to sell their Unix source
code…
• Fortunately for SCO (Santa Cruz Operations)
they had ported Bell Unix to Intel hardware
the previous year (!)
• SCO Unix for PC became a lucrative business
market
• operating system provided security on a PC where
DOS couldn’t…
Bad days for Unix…
• Unix free by nature from outset
not so on an Intel PC, thanks to SCO!!!
Bell Labs jealously guarded the source
code…
universities lost interest
• Unix became expensive to buy… and
was still not user-friendly or easy to use
so even more expensive to own!
Linux
• From 1992 (Linus Torvalds, University of
Helsinki) made free Unix possible again!
LINUX – based on his name…
• Took…
Stallman’s GNU open source Unix
• which Tanenbaum had developed into MINIX…
very stable
secure file system
very efficient, optimised code
earlier versions ran on an Intel 486!
• Still Unix, still a server-end system
for client-server networking, need client-end
software:
• e.g. Banyan VINES
Linux
• Still freely available via Internet!
• Huge range of software tools for managing
•
UNIX networks available for download
Problems (compared to Windows):
not as easy to manage
limited on-screen help
limited range of good application software
not all hardware has UNIX/LINUX driver software
Linux for Mobile
• Variety of platforms:
Symbian
Android
• If Linux is so good re trustworthiness &
security, why is Android so bad???
Operating Systems for PC
Ethernet Networks
• Original Topology (1980s, early 90s):
bus, coaxial cable & BNC connectors (!)
• DOS?
No way! not designed for:
• server end stuff
• distributed communications
• security…
Windows Server
Developments since 2000
• 2003 Server
more improvements to active directory
64-bit version available!
• 2008 Server
file system enhancements
active directory:
•
• directory tree extended
• better management tools (larger networks)
Although Bill Gates may have retired, Steve Cutler is
still with them (helped with “Azure” and now…Xbox)
http://www.amd.com/usen/assets/content_type/DownloadableAssets/Micr
osoft_Video_Statement.wmv
Client-side Developments…
• Microsoft Domination…
XP: finished off the evolution from Windows 95/98
Vista: mainly a desktop change
• not universally appreciated!
• mobile devices started to have:
CPUs & operating systems (!)
user interfaces & use apps…
• Reaction to Vista…
Apple became popular
other “mobile” desktops became popular
• Windows 7 stopped the rot…
• Windows Mobile: good platform for apps
but Windows client-end dominance lost for
good…
Which Server operating
system would the larger
company use today?
•
IBM, or other “mainframe”?
•
Windows 2008? 2012?
•
Unix versions (incl. Linux)
why not?
very popular with finance industry & previous
IBM customers!
popular with previous DEC customers
open source
complex, but suits companies that value and
develop technologies
And the small business?
• Lot of contradictory advice
use Linux!? Windows? Apple?
don’t bother?
• use virtualisation
• outsource
Don’t bother with… clients? servers?
• use The Cloud
• BYOD (most users own smartphones)?
• Who should they listen to? Why?
os platforms for tomorrow?
• Businesses need to plan ahead…
crucial if involved in procurement for and
management of networks
investment could be expected to last 5
years!
next Windows/AppleOS/Unix/Linux?
others? will servers be “old hat”? Will all
clients be “dumb”?
• Time to do a little research...
