Authentication, Reference Monitors, Unix and Linux and Windows
Why is storing plaintext passwords insecure? And what is the better approach?
Plaintext storage means any database breach reveals all passwords directly.
The better approach is to store only the one-way hash of each password - authentication is done by hashing the entered password and comparing hashes
Why do long passphrases outperform complex but short passwords?
A 4-word passphrase with a symbol takes much longer to brute-force compared to short but “complex” passwords.
Entropy (length x variety) is what matters
What are the three categories of authentication credentials?
Something you know (e.g., password)
Something you have (e.g., token)
Something you are (e.g., biometrics)
Together, these form the basis of all identity verification
How does brute-force password cracking difficulty scale?
Difficulty is (character count x length)
A short password using only lowercase letters can be cracked in milliseconds
Adding uppercase, symbols, digits dramatically increases the search space
Length matters more than character set size
What is password salting and why does it help?
A salt is a unique random value added to each password before hashing. Benefits:
Same password produces different hashes per user, slower bulk cracking
Prevents pre-computed rainbow table attacks.
Combined with slow hashing, security improves massively
Why are passwords problematic as an authentication method?
Passwords can be forgotten, guessed or phished.
They are vulnerable to spoofing, compromised password files and keylogging.
Weak passwords make all these attacks far easier.
What is a rainbow table attack and how does salting defeat it?
A rainbow table is a pre-computed lookup of hash → password pairs, allowing instant reverse-lookup.
Salting defeats it because the attacker would need a separate rainbow table for every possible salt value - computationally impractical
What are the two key properties of a strong cryptographic hash function?
Output is indistinguishable from random noise
A tiny change in input produces a completely different hash (avalanche effect). This makes reverse-engineering the input computationally infeasible
Compare inherent, possession, and knowledge factors - which can be changed if compromised?
Knowledge (passwords): can be changed
Possession (tokens/phones): can be replaced
Inherent (biometrics): cannot be changed
Only biometrics are irreplaceable once compromised
Why is a biometric credential fundamentally different from a password if compromised?
A biometric can never be changed. If your fingerprint hash is stolen, you cannot issue yourself a new fingerprint. This is a permanent risk unlike a password, which can simply be reset.
Why do passwords persist despite better alternatives?
Passwords are hard to beat on the combination of:
always available
portable across devices
free
no hardware needed
users already understand them
Despite flaws, no alternative matches this balance of availability, portability and convenience
What are the risks of using a password manager?
The master password is a single point of failure - an attractive high-value target. The vault itself can be breached.
You must still trust the third party with all your authentication data and worry about vendor leaks or malware.
What is MFA (Multi-Factor Authentication) and why does it improve security?
MFA requires two or more credential types (know + have, know + are).
Even if one factor is compromised (e.g., password stolen), the attacker cannot authenticate without the second factor
What is the difference between OTP hardware tokens and FIDO security keys (WebAuthn)?
OTP tokens generate a time/counter-based code (6-8 digits, changes every ~30s) that the user types manually.
Security keys use public-key cryptography - private key stays on the device, challenge-response is automatic, no code to type
What are FAR and FRR in biometric systems?
FAR (False Acceptance Rate): the system accepts an imposter
FRR (False Rejection Rate): the system rejects a legitimate user
There is a trade-off - lowering one raises the other. The crossover point is the Equal Error Rate (EER)
What is the biometric authentication process (enrolment vs verification)?
Enrolment:
capture biometric
extract features
create and store template
Verification:
capture biometric
extract features
compare against stored template
decision logic with a threshold
What are CPU privilege rings (Ring 0 vs Ring 3)?
x86 CPUs have 4 privilege levels.
Ring 0 → the most privileged (kernel)
Ring 3 → least privileged (user applications)
Windows and Linux use only rings 0 and 3. A status flag in the CPU determines the current mode.
Explain the Spectre/Meltdown attack mechanism
CPUs speculatively execute code ahead of time (e.g. past a conditional). Changes are rolled back if the branch was wrong - but the CPU cache is not rolled back. An attacker flushes the cache, triggers speculative execution of a secret read, then measures cache timing to infer the secret data.
Compare segmentation and paging for memory protection
Segmentation: divides memory into logical units of variable size - good for security, complex to manage, rarely used in modern OSes.
Paging: divides memory into equal-size pages → efficient management, less granular for access control, universally used today.
What is a TPM (Trusted Platform Module)?
A tamper-proof chip co-existing with the CPU.
It stores cryptographic keys and can perform crypto operations. Critically, it records what hardware and software booted, allowing the system to prove the integrity of its boot sequence to the OS and applications.
Why is placing a security mechanism at a lower software layer generally better?
Lower placement means:
higher assurance of security
simpler structures
lower performance overhead
fewer layer-below attack surfaces
The trade-off is that access control decisions are more removed from application context
What is a rootkit and how does it exploit kernel access?
A rootkit runs at Ring 0 (PL 0) → e.g., via a compromised driver → and patches the kernel’s interrupt handler.
It inserts its own pre_hook() into the syscall chain, giving it invisible control over all OS operations.
How does a system call allow user code to safely call kernel functions?
User code issues an interrupt (e.g., int 0x80 or sysenter).
The CPU switches to Ring 0 and jumps to the kernel’s Interrupt Descriptor Table (IDT) handler.
The kernel performs the operation and returns via iret/sysexit
Define a Reference Monitor and its three required properties
It is an abstract machine that mediates all access to objects by subjects.
It must be:
Tamper-proof/resistant
Always invoked whenever access is required
Verifiable - small enough to be analysed for correctness
What is the difference between Discretionary Access Control (DAC) and Mandatory Access Control (MAC)?
DAC → the resource owner decides who gets access - used in most consumer systems
MAC → a system-wide policy (administrator-controlled) overrides owner preferences → used in high-security contexts (military, government).
What is setuid and what security risk does it introduce?
The setuid bit on an executable causes it to run with the file owner’s privileges rather than the caller’s.
E.g., /usr/bin/passwd runs as root so it can write /etc/shadow. in the lab
Risk: a vulnerable setuid program can be exploited for privilege escalation
What is the difference between a Principal and a Subject?
Principal → an entity that can be granted access (e.g., a user identity) - used in security policy discussion
Subject → an active entity in an IT system (e.g., a running process) - used when discussing OS enforcement of policies
What information is stored in /etc/passwd?
Each line contains:
“username : x : UID : GID : Gecos-field : home-directory : shell”
The “x” means the password hash is stored separately in /etc/shadow. It stores user accounts, not just passwords
Why is root’s UID 0 significant and what is the danger of changing it?
Root’s UID is hardcoded into the Linux kernel at multiple points.
Changing it breaks kernel internals
A 2003 incident showed an anonymous commit that accidentally set current->uid = 0, which would grant any process root privileges
What are Linux Security Modules (LSM) and what do they enable?
LSM provides hooks in security-sensitive kernel code paths.
After the standard DAC check, the LSM hook calls a pluggable security module (e.g., AppArmor), enabling Mandatory Access Control on top of Unix DAC.
Explain Unix file permission bits
(e.g., -rw-r--r--)
9 bits in 3 groups (owner, group, others)
Each with read, write, execute. For directories:
r = list files
w = add/remove files
x = traverse
Example: 0644 = owner rw, group r, others r
What is an inode and what security information does it hold?
An inode stores metadata for a file: owner UID/GID, permission bits (rwx for owner/group/other), timestamps, and links count.
Every file name maps to an inode; the inode is the authoritative source for access control decisions.
What is the Windows Secure Attention Sequence (SAS)?
Ctrl + Alt + Delete - a hardware-level key combination that is directly intercepted by “Winlogon” → cannot be spoofed by applications.
It ensures the real login screen is shown, preventing a malicious program from capturing your password via a fake logon dialog.
What is a Windows Access Token and what does it contain?
A data structure created at logon that stores the session’s security credentials:
User SID
Groups and Alias SIDs
Privileges
Defaults for new objects
Miscellaneous data
It is attached to every process and used for all access control decisions
What is a security identifier (SID) in Windows?
A unique identifier assigned to every security principal (user, group, computer).
Format: “S-1-5-21-…-RID”
SIDs persist even if the account is renamed.
They are used in access tokens and ACLs rather than usernames.
How does domain logon differ from local logon in Windows?
Local logon uses NTLM and checks credentials against the local SAM database.
Domain logon replaces NTLM with Kerberos and authenticates against an Active Directory Domain Controller via the remote LSA
What is an Access Control List (ACL) and how does it differ from an Access Control Matrix?
An ACL is a per-object list of access control entries (ACEs) specifying which SIDs have which rights
An Access Control Matrix stores rights for every subject-object pair → more granular but impractical at scale due to memory requirements
What is User Account Control (UAC) and why was it introduced?
UAC limits applications to standard user privileges even when logged in as admin.
Elevated privileges require an explicit prompt. This reduces the impact of malware → a compromised process does not automatically get admin rights
Describe the Windows architecture layers
Top
User Mode → user processes, service processes, system processes (Winlogon, Security Subsystem), environment subsystems, subsystem DLLs
System Call Interface (ntdll.dll)
Kernel Mode → kernel, kernel-mode drivers, Reference monitor, Process/Memory Manager, HAL
Hypervisor (Hyper-V)
What is Active Directory and what role does a Domain Controller play?
Active Directory is a centralised directory service managing users, computers, groups and policies across a domain.
The Domain Controller holds the AD database, authenticates users via Kerberos, and manages group policies for all domain-joined machines