Module Review: Security & Protection
[!NOTE] This module review covers the core principles of Security & Protection, deriving solutions from first principles and hardware constraints to build production-ready expertise.
1. 🔑 Key Takeaways
- Hardware is the Root of Trust: OS security relies on the CPU’s Protection Rings (Ring 0 vs Ring 3). Without hardware enforcement, software isolation is impossible.
- Least Privilege is King: Always operate with the minimum permissions necessary. Drop privileges immediately after binding ports.
- DAC vs MAC: Standard Unix permissions (DAC) are insufficient for high security. Mandatory Access Control (MAC/SELinux) enforces policy over user discretion.
- Passwords are Toxic: Never store them in plain text. Use Slow Hashes (Argon2, Bcrypt) with Salts to defeat rainbow tables.
- Memory Safety Matters: Buffer overflows (Stack Smashing) exist because languages like C don’t check bounds. Modern languages (Go, Java, Rust) prevent this class of bugs.
- Cryptography: Symmetric (AES) is for speed; Asymmetric (RSA) is for key exchange and identity.
2. 🧠 Interactive Flashcards
- Q: What happens if a Ring 3 process tries to execute a privileged instruction (like CLI)?
  A: The CPU triggers a General Protection Fault (GPF), and the OS terminates the process (Segfault).
- Q: Why is a Salt added to a password before hashing?
  A: To prevent Rainbow Table attacks. It ensures that two users with the same password have different hashes.
- Q: What is the difference between DAC and MAC?
  A: DAC: Owner decides permissions (chmod). MAC: System defines policy (SELinux labels). Root cannot easily override MAC.
- Q: What does the NX Bit do?
  A: Marks certain memory areas (like the Stack) as Non-Executable. It prevents buffer overflow exploits from running injected shellcode.
- Q: Which encryption type is faster: AES or RSA?
  A: AES (Symmetric) is significantly faster (hardware accelerated). RSA is used primarily for key exchange.
3. 📝 Cheat Sheet
| Concept | Definition | Example Tool/Cmd |
|---|---|---|
| Ring 0 | Kernel Mode. Full hardware access. | OS Kernel |
| Ring 3 | User Mode. Restricted access. | Web Browser |
| Setuid | Run a program with owner’s privileges. | chmod u+s file |
| ACL | Access Control List (Granular permissions). | setfacl -m u:bob:r file |
| Salt | Random data added to password hash. | bcrypt, Argon2 |
| ASLR | Randomizes memory layout to stop exploits. | OS Kernel Feature |
| Symmetric | Same key for encrypt/decrypt. Fast. | AES-256 |
| Asymmetric | Public/Private key pair. Slow. | RSA, ECC |
| Digital Sig | Hash encrypted with Private Key. | gpg --sign |
4. 🔗 Next Steps
You have completed the Security module! Now that you understand how to protect the system, let’s look at advanced internal mechanisms.
- OS Glossary: Review terms.
- Next Module: Advanced Internals (Coming Soon).