COMP2221 Networks in Organisations
Richard Henson, February 2014
Week 4: Some Important Network Operating Systems

Objectives
• Name significant network operating systems in the developments towards today's/tomorrow's organisational networks
• Briefly explain the features of a typical network operating system (server end & client end)
• Explain a (network) operating system architecture in terms of a multi-layered model

What are Operating Systems?
• A bundle of software: many programs working together
• Make the computer function: control of the hardware platform to support applications
  - including the user interface
• Utilities to control the platform
  - e.g. disk/file management

Software Layers and Operating Systems (OS)
(layered diagram, top to bottom:)
  Applications
  OS functions & user interface
  OS kernel
  CPU, motherboard

What if the Operating System has software faults?
• The platform becomes "unstable"!!
• Could be errors in hardware control? user interface? utilities?
• What would happen to:
  - applications running on a poorly designed platform?
  - businesses depending on such apps?

Software Faults & CWE
• Lot of recent interest in why software (even some operating systems…) is so unreliable
• Mitre Corporation (US), with government backing, classified software fault types into a Common Weakness Enumeration (CWE)
  - community-developed, formal list of software weakness types
• Intended use of CWE: to better describe software weaknesses in architecture, design, or code
[TSI/2012/183] © Copyright 2003-2012

More about CWE
• CWE provides:
  - a standard measuring stick for software tools targeting software weaknesses
  - a common baseline standard for efforts to identify, mitigate, and prevent software weaknesses
• Currently 943 distinct CWE entries identified by Mitre!!
  - (version 2.6) http://cwe.mitre.org/data
• The more commonly encountered weaknesses are usually "repeat offenders"

Example of an operating system flaw
• Apple: dangerous flaw revealed last weekend in iOS 7 and OS X (21/2/14)
  http://gizmodo.com/why-apples-huge-security-flaw-is-so-scary-1529041062?utm_campaign=socialflow_gizmodo_facebook&utm_source=gizmodo_facebook&utm_medium=socialflow

CWE Top 25 faults (part 1)

Rank  ID       Name
 1    CWE-79   Failure to Preserve Web Page Structure ('Cross-site Scripting')
 2    CWE-89   Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
 3    CWE-120  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
 4    CWE-352  Cross-Site Request Forgery (CSRF)
 5    CWE-285  Improper Access Control (Authorization)
 6    CWE-807  Reliance on Untrusted Inputs in a Security Decision
 7    CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
 8    CWE-434  Unrestricted Upload of File with Dangerous Type
 9    CWE-78   Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
10    CWE-311  Missing Encryption of Sensitive Data
11    CWE-798  Use of Hard-coded Credentials
12    CWE-805  Buffer Access with Incorrect Length Value
13    CWE-98   Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')

CWE Top 25 faults (part 2)

Rank  ID       Name
14    CWE-129  Improper Validation of Array Index
15    CWE-754  Improper Check for Unusual or Exceptional Conditions
16    CWE-209  Information Exposure Through an Error Message
17    CWE-190  Integer Overflow or Wraparound
18    CWE-131  Incorrect Calculation of Buffer Size
19    CWE-306  Missing Authentication for Critical Function
20    CWE-494  Download of Code Without Integrity Check
21    CWE-732  Incorrect Permission Assignment for Critical Resource
22    CWE-770  Allocation of Resources Without Limits or Throttling
23    CWE-601  URL Redirection to Untrusted Site ('Open Redirect')
24    CWE-327  Use of a Broken or Risky Cryptographic Algorithm
25    CWE-362  Race Condition

Susceptibilities
• The confirmed presence of one or more vulnerabilities within an implemented system, such as the presence of an operating system with a buffer overflow defect
• Susceptibilities in systems stem from:
  a. initial implementation
  b. changes to software, such as from adding new facilities or the correction of detected errors ('patching')
  c. use of utility programs, which may be capable of circumventing security measures in the controlling or application software
[TSI/2013/306 | Draft 0.B | 2014-02-10]

Vulnerabilities
• Vulnerabilities can be:
  - the existence of a generic weakness in a particular platform, such as a buffer overflow occurring in a specific operating system or application
  - interactions between multiple software elements that bypass intended controls
  - accidental actions of software developers that result in defects and deviations
  - deliberate actions of software developers that bypass intended controls, such as trap doors that permit unauthorised access to the system

Vulnerabilities from Major Vendors (2011 figures)
(chart not reproduced in the transcript)

Software Weakness Mitigation
• What to do about all these faults…?
• Many concepts and practices needed for trustworthy development of software have existed for many years…
  - "Due Diligence"
  - Pareto 80:20

Due Diligence
• Implies software should be reasonably trustworthy…
  - what does "reasonably" mean?
• Implementations vary with audiences and assurance requirements
• Pareto 80:20 (favoured by TSI): practice improved iteratively using existing experience
• Example: switching on and acting on compiler warning flags would obviate many common "repeat offender" weaknesses
  - If only this was normal practice!!! It could be…

Apps and Operating Systems
• Applications need a platform… better designed platform…?
  - easier to design trustworthy apps
• Mobile phone app vulnerabilities by malware for platform (F-Secure, 2012):
  http://www.f-secure.com/static/doc/labs_global/Research/Mobile%20Threat%20Report%20Q3%202012.pdf
  - Apple iOS: 1.1
  - Symbian: 29.8
  - Android: 62.8
  - Windows mobile: 0.6

Why the differences?
• Apps written to use the operating system (OS) platform appropriately…
  - a well designed OS restricts/prevents inappropriate use
  - a poorly designed OS allows sloppy habits
    • but may have performance advantages… (!)
• e.g. Android top 25 vulnerabilities (CWE):
  http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html

Early Operating Systems
• Each of the early computers was unique
  - each had to have its own purpose-built operating system
• IBM: world's first mass-produced "mainframe", the IBM 701 (1952)
  - purchasers were expected to write the operating system themselves!
• First "mass-produced" operating system written by General Motors: GM-NAA I/O in 1956
  - adopted by IBM as IBSYS
• IBM hugely successful; by the 1980s, allegedly bigger than the US government (?)

First British Operating System
• LEO 3 was the first mass-produced British computer
  - 94 units built 1961-1969
  - full list of buyers: http://www.leocomputers.org.uk/newleo3s.htm
  - each had a loudspeaker connected to the CPU… so operators could tell if it was "looping"
  - had a multi-tasking operating system called "master program"
• Some continued in service until 1981

First Minicomputer & Operating System
• Produced by Digital Equipment Corporation (DEC) in 1963, called the PDP-6
  - "mini" in size compared to mainframes
  - huge by today's standards
• Operating system called "monitor"
  - evolved into TOPS-10 (1970)
  - ran on the legendary PDP-10
  - still going until 1988
  - can get it even now: http://www.inwap.com/pdp10/96license.txt

Unix
• Spin-off (1969) from project MULTICS
  - first attempt at a multiuser operating system
  - consortium including Bell Labs, AT&T (US equivalent of BT at that time)
  - FAILED!
  - too ambitious…
• Bell Labs: cut-down derivation called UNICS -> UNIX
  - written in assembly language by Ken Thompson
  - sharing of processes also being explored in the ARPAnet project
• Commercial challenge:
  - DEC PDP-7 minicomputer
  - needed a general-purpose "time sharing" operating system for multiuser use…
  - their own OS "monitor" had not yet matured into TOPS-10

Thompson, Ritchie, "B", NB, "C" & Unix
• Thompson looking for a high-level language to develop a time-sharing OS
  - briefly toyed with Fortran
• Worked with colleague Dennis Ritchie to create their own higher-level language, "B", based on BCPL
  - http://cm.bell-labs.com/cm/cs/who/dmr/kbman.html
• Development of B = new B (NB)
• Development of NB -> C
• Unix kernel was rewritten in "C" (1973)

Development of Unix/C
• "C" compiler completed by Ritchie in 1972
• Further commercial Unix versions (for Honeywell & IBM) released in 1973
• "C" further developed during 1973-7
• Full definition of the language as Kernighan & Ritchie "C" (1978) rapidly gained universal acclaim
• Unix still written in "C" to the present day!
  - 32-bit processing from the outset

Open Sourceness of Unix
• AT&T not allowed to be a commercial company
  - could not sell Unix
  - gave a copy away free to any developer who wanted to use it!
• Many universities contributed to its development
• Result (in 1979): Unix version 7
  - still recognisable today!
Silicon Valley, TCP/IP and Unix
• University of California created the ARPAnet (1969)
• 1975 onwards: Berkeley, north of San Francisco
  - hub for its own unique brand of Unix developments
  - start of "Silicon Valley" (IT hot spot around SF)
• ARPAnet team
  - developed TCP/IP
  - 1980: gained approval through RFC
• Operating system that would support TCP/IP arrived in 1983…
  - Berkeley Unix (v4.2) packaged with the TCP/IP protocol stack
  - Sun Microsystems producing the hardware…

Bell Labs Unix becomes Commercial…
• US Dept of Justice broke up AT&T in 1984
• Bell Labs then allowed to sell their Unix source code…
• Fortunately for SCO (Santa Cruz Operations) they had ported Bell Unix to Intel hardware the previous year (!)
• SCO Unix for PC became a lucrative business market
  - operating system provided security on a PC where DOS couldn't…

Bad days for Unix…
• Unix free by nature from the outset
  - not so on an Intel PC, thanks to SCO!!!
  - Bell Labs jealously guarded the source code… universities lost interest
• Unix became expensive to buy…
  - and was still not user-friendly or easy to use
  - so even more expensive to own!

Linux
• From 1992 (Linus Torvalds, University of Helsinki) made free Unix possible again!
  - LINUX: based on his name…
• Took… Stallman's GNU open source Unix
  - which Tanenbaum had developed into MINIX…
  - very stable, secure file system
  - very efficient, optimised code
  - earlier versions ran on an Intel 486!
• Still Unix, still a server-end system
  - for client-server networking, need client-end software:
  - e.g. Banyan VINES

Linux (continued)
• Still freely available via the Internet!
• Huge range of software tools for managing UNIX networks available for download
• Problems (compared to Windows):
  - not as easy to manage
  - limited on-screen help
  - limited range of good application software
  - not all hardware has UNIX/LINUX driver software

Linux for Mobile
• Variety of platforms:
  - Symbian
  - Android
• If Linux is so good re trustworthiness & security, why is Android so bad???
Operating Systems for PC Ethernet Networks
• Original topology (1980s, early 90s): bus, coaxial cable & BNC connectors (!)
• DOS? No way! Not designed for:
  - server-end stuff
  - distributed communications
  - security…

Windows Server Developments since 2000
• 2003 Server
  - more improvements to Active Directory
  - 64-bit version available!
• 2008 Server
  - file system enhancements
  - Active Directory: directory tree extended; better management tools (larger networks)
• Although Bill Gates may have retired, Steve Cutler is still with them (helped with "Azure" and now… Xbox)
  http://www.amd.com/us-en/assets/content_type/DownloadableAssets/Microsoft_Video_Statement.wmv

Client-side Developments…
• Microsoft domination…
  - XP: finished off the evolution from Windows 95/98
  - Vista: mainly a desktop change
    • not universally appreciated!
• Mobile devices started to have:
  - CPUs & operating systems (!)
  - user interfaces & use apps…
• Reaction to Vista…
  - Apple became popular
  - other "mobile" desktops became popular
• Windows 7 stopped the rot…
• Windows Mobile: good platform for apps, but Windows client-end dominance lost for good…

Which Server operating system would the larger company use today?
• IBM, or other "mainframe"?
• Windows 2008? 2012?
• Unix versions (incl. Linux), why not?
  - very popular with the finance industry & previous IBM customers!
  - popular with previous DEC customers
  - open source
  - complex, but suits companies that value and develop technologies

And the small business?
• Lot of contradictory advice
  - use Linux!? Windows? Apple? don't bother?
  - use virtualisation
  - outsource
• Don't bother with… clients? servers?
  - use The Cloud
  - BYOD (most users own smartphones)?
• Who should they listen to? Why?

OS platforms for tomorrow?
• Businesses need to plan ahead…
  - crucial if involved in procurement for and management of networks
  - investment could be expected to last 5 years!
• Next Windows/Apple OS/Unix/Linux? others?
• Will servers be "old hat"? Will all clients be "dumb"?
• Time to do a little research...
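Worked example for the "Due Diligence" slide on compiler warning flags and "repeat offender" weaknesses, added here and not part of the lecture: the Top 25 entry CWE-120 ('Classic Buffer Overflow') written in C next to a bounded copy that refuses input that does not fit. The function names, NAME_MAX and the sample strings are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16   /* fixed-size destination; constructed for this example */

/* CWE-120 pattern: src is never measured against the destination, so any
 * input of NAME_MAX characters or more writes past the end of dst.
 * gcc -Wall can report this (-Wstringop-overflow) only when src is a
 * literal whose length is known at compile time; for runtime input the
 * compiler cannot see the fault, so a check in the code is still needed. */
void copy_unchecked(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: measure src within the destination size first, and
 * reject rather than silently truncate. Returns 0 and fills dst on
 * success, -1 (dst untouched) if src plus its NUL does not fit. */
int copy_checked(char dst[NAME_MAX], const char *src)
{
    size_t len = 0;
    while (len < NAME_MAX && src[len] != '\0')   /* never scans past NAME_MAX */
        len++;
    if (len == NAME_MAX)
        return -1;                               /* no room for the NUL: refuse */
    memcpy(dst, src, len + 1);                   /* exact, bounded copy */
    return 0;
}

/* Runs copy_checked into a fresh buffer and returns its status code,
 * additionally confirming that a successful copy round-trips. */
int try_copy(const char *src)
{
    char buf[NAME_MAX] = {0};
    int rc = copy_checked(buf, src);
    if (rc == 0 && strcmp(buf, src) != 0)
        return -2;                               /* should never happen */
    return rc;
}

int main(void)
{
    /* constructed sample inputs: one that fits, one that would overflow */
    printf("\"alice\" -> %d\n", try_copy("alice"));                               /* 0 */
    printf("\"a-name-longer-than-16\" -> %d\n", try_copy("a-name-longer-than-16")); /* -1 */
    return 0;
}
```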