Linux kernel and OS security

Lectures each Friday 13.45-15.30 in MA 1.43. (Note: new location!)


2009-12-18: Last year's guest lecture by Pieter Ceelen & Stan Hegt from KPMG.
Title: Windows security
Topics: Windows passwords and password storage. Attacks on the Windows stack (SEH overwrites). slides1 slides2
2010-01-14: last lecture.

This is 2WC16 - Linux kernel and OS security - 6 credit points. (Result of merging two courses.)

There are weekly exercises, and a somewhat larger project at the end.

Cooperate in groups of 1-4 people. Send solutions of exercises to aeb@cwi.nl before the start of the next lecture.

Status of received solutions of exercises.

Some old notes.


Challenge: Decipher the text on the fragments of paper found in Waldheim.


Below a slowly growing list of possible final projects. For bureaucratic reasons it is best if you try to keep a 3-month deadline.

Do either:

0. The usbstick with image usbstick.7z was recovered by the police. But what is it? Describe the contents. Retrieve names and addresses, passwords and credit card numbers. What did you do to find this data?

(and any number of you may attack this forensics exercise; work in groups of at most four people),

or: pick one of the exercises or projects below (same restriction on group size, but no two groups on the same topic),
or: propose your own final project.

1. (taken) tor is an anonymizing service. Document the details. Discuss past and present security.

2. (taken) In my mailbox I find this letter. What does it do?

3. On the net I encountered 3 issues of a "terrorist" magazine called Inspire. Was it made by terrorists? Why (not)? What was the mother tongue of the people who made it? The first issue was in a pdf with a virus. What does the virus do? This magazine advertises Asrar al-mujahideen 2.0, a cryptographic program for "secure communication". Try to analyze this program. Would communication be more secure if one used it? Why (not)?

4. We had the bad dnotify, and the ok inotify. It seems fsnotify and fanotify are coming. Parts are in the kernel, parts live as patches. Describe. How do these work? Why change? What is the status? Goal? Test.

5. Construct a filesystem image such that mounting it crashes the kernel. (Old: make an ext? image with an error and set the flag "panic-on-error". This is serious, if it has not been fixed yet, but doesn't count.)

6. Describe the Android security setup. Are there any problems?

7. (taken) How well are the various processes that apache runs for different users protected from each other?

8. (taken) In Dec 2010, a collection of about 750000 DES-encrypted passwords leaked from Gawker. It is very easy to crack 200000, and easy to crack 400000. In order to crack 500000 of them, some nontrivial approach is probably needed: describe the shape of passwords, and cover the search space with rainbow tables or similar. Similarly, in Feb 2011 a collection of about 71000 MD5-encrypted passwords leaked from HBGary, almost 59000 distinct ones. Again it is easy to crack 52000, and in order to crack 55000 of them some more advanced approach is probably needed. Statistics on the shapes of passwords can be obtained from the Rock You release of plain text passwords. Try to reach the 500000 and 55000, and describe the methods used.