Module Review: Security & Protection
[!NOTE] This module explores the core principles of Module Review: Security & Protection, deriving solutions from first principles and hardware constraints to build world-class, production-ready expertise.
1. 🔑 Key Takeaways
- Hardware is the Root of Trust: OS security relies on the CPU’s Protection Rings (Ring 0 vs Ring 3). Without hardware enforcement, software isolation is impossible.
- Least Privilege is King: Always operate with the minimum permissions necessary. Drop privileges immediately after binding ports.
- DAC vs MAC: Standard Unix permissions (DAC) are insufficient for high security. Mandatory Access Control (MAC/SELinux) enforces policy over user discretion.
- Passwords are Toxic: Never store them in plain text. Use Slow Hashes (Argon2, Bcrypt) with Salts to defeat rainbow tables.
- Memory Safety Matters: Buffer overflows (Stack Smashing) exist because languages like C don’t check bounds. Modern languages (Go, Java, Rust) prevent this class of bugs.
- Cryptography: Symmetric (AES) is for speed; Asymmetric (RSA) is for key exchange and identity.
2. 🧠 Interactive Flashcards
What happens if a Ring 3 process tries to execute a privileged instruction (like CLI)?
(Click to reveal)
The CPU triggers a General Protection Fault (GPF), and the OS terminates the process (Segfault).
Why is a Salt added to a password before hashing?
(Click to reveal)
To prevent Rainbow Table attacks. It ensures that two users with the same password have different hashes.
What is the difference between DAC and MAC?
(Click to reveal)
DAC: Owner decides permissions (chmod).
MAC: System defines policy (SELinux labels). Root cannot easily override MAC.
What does the NX Bit do?
(Click to reveal)
Marks certain memory areas (like the Stack) as Non-Executable. It prevents buffer overflow exploits from running injected shellcode.
Which encryption type is faster: AES or RSA?
(Click to reveal)
AES (Symmetric) is significantly faster (hardware accelerated). RSA is used primarily for key exchange.
3. 📝 Cheat Sheet
| Concept | Definition | Example Tool/Cmd |
|---|---|---|
| Ring 0 | Kernel Mode. Full hardware access. | OS Kernel |
| Ring 3 | User Mode. Restricted access. | Web Browser |
| Setuid | Run a program with owner’s privileges. | chmod u+s file |
| ACL | Access Control List (Granular permissions). | setfacl -m u:bob:r file |
| Salt | Random data added to password hash. | bcrypt, Argon2 |
| ASLR | Randomizes memory layout to stop exploits. | OS Kernel Feature |
| Symmetric | Same key for encrypt/decrypt. Fast. | AES-256 |
| Asymmetric | Public/Private key pair. Slow. | RSA, ECC |
| Digital Sig | Hash encrypted with Private Key. | gpg --sign |
4. 🔗 Next Steps
You have completed the Security module! Now that you understand how to protect the system, let’s look at advanced internal mechanisms.
- OS Glossary: Review terms.
- Next Module: Advanced Internals (Coming Soon).