What’s the next set of concepts I need to learn about in order to advance in my journey towards a security career? Glad you asked! They are the Boot Process, Process Initialization, Process Management & Process Debugging!
In my previous writeup, we covered very fundamental concepts and expertise that you need to develop if you would like pursue a career in Security. We’re going to start doing more practical work in this post.
Reverse engineers need to figure out what the heck is going on in a program or a system. How do they do this? With basic linux troubleshooting skills. In this writeup, we’ll learn about how to learn what is going on in an operating linux system.
These topics can be a little tedious. I urge you to resist the urge to learn “enough to get by” and master these topics. A large volume of your practical security work will build upon this knowledge.
Learn about the Boot Process
The boot process is the set of activities that initiated when we apply power to a linux system. An attacker with physical access to a device will succeed if your boot process fails to check for authentic & authorized software. A boot process that authenticates software reduces the risk physical access attackers.
The boot process is critical to the security of voting systems, commercial kiosks, mobile devices and IoT devices. Knowledge of the boot process will prepare you for future discussions involving “secure boot.”
This boot process overview will help establish the foundation you’ll need when you’re ready to learn how Secure Boot works: https://linuxjourney.com/lesson/boot-process-overview
Many IoT devices use uboot. This video does a nice job bringing you up to speed on the basics of uboot: https://youtu.be/INWghYZH3hI
Learn about the “Root of Trust” in IoT. This video is exceptionally accessible and delivers education on a large body of relevant material: https://www.youtube.com/watch?v=h2sdaGsAs7o
Learn about Process Initialization
An operating system launches a a large quantity of processes after initialization. Incident response engineers need to identify how processes launched. You may be responsible for delivering solutions that work after a system reboot. Process Initialization is the set of activities you have to master to perform those tasks. Process initialization in linux has become somewhat controversial in the last few years. Sysv Init is the legacy approach to process initialization in linux. In the last 6 years, systemd has become a dominant solution for initialization lof linux distributions.
You can learn about sysv init & systemd here: https://linuxjourney.com/lesson/sysv-overview
For an opinionated review of systemd, watch this video: https://youtu.be/o_AIw9bGogo
Learn about Process Management
You will need to diagnose how an application is performing. You will need to test how a misbehaving application is launched, how much memory, cpu & cache the application is consuming, etc. https://linuxjourney.com/lesson/monitor-processes-ps-command
Learn about Process Debugging
You have to be able to inspect how a process is performing to identify the effectiveness of it’s security. To do that you need to learn process debugging. You’re ready to start doing real security work after you develop some basic debugging skills. Debugging is a very large topic. I’d go through material like this to get a lay of the land for all the tools you could use for debugging. This is not a comprehensive list:
https://www.thegeekstuff.com/2011/12/linux-performance-monitoring-tools/
Here’s a nice Linux Foundation talk on Debugging Methodologies: https://www.youtube.com/watch?v=1u3pkSULOeM
Julia Evans writes great intro zines for various linux concepts. Julia gave an accessible presentation to strace basics here: https://www.youtube.com/watch?v=4pEHfGKB-OE
You have to learn how to use GDB on applications you didn’t write: https://www.techbeamers.com/how-to-use-gdb-top-debugging-tips/
Learn how to debug an application’s System Calls using strace. https://blog.packagecloud.io/eng/2016/02/29/how-does-strace-work/
Learn how to use strace with GDB: http://hondu.co/blog/write-a-strace-and-gdb
Analyzing tcpdump to wireshark with strace:
https://ops.tips/blog/tcpdump-to-wireshark-in-realtime/
Using strace to figure out how git push over ssh works:
http://kamalmarhubi.com/blog/2015/11/21/using-strace-to-figure-out-how-git-push-over-ssh-works/
Debugging Embedded Devices using GDB: https://www.youtube.com/watch?v=FnfuxDVFcWE
You’ll also need to learn about interprocess communication within Linux done through Dbus. Dbus is a daemon that provides easy, simple IPC communications.
Learn about dbus basics: https://www.freedesktop.org/wiki/Software/dbus/
Systemd and dbus https://youtu.be/-bEzHG2u8XA
In my next post, we’ll start talking about networking. Did you find this nourishing? Something missing? Send me a nudge on twitter or linkedin and we’ll make it even better.