handouts/ho04.tex
changeset 550 58c3536c5a08
parent 495 f5172bb6cf45
549:56e7e76b37e9 550:58c3536c5a08
    52 have not seen any production use of this idea, but there are
    52 have not seen any production use of this idea, but there are
    53 plenty of examples from academia. The advantage of unikernels
    53 plenty of examples from academia. The advantage of unikernels
    54 is the rather small footprint in terms of memory, booting
    54 is the rather small footprint in terms of memory, booting
    55 times and so on (no big operating system is needed). This
    55 times and so on (no big operating system is needed). This
    56 allows unikernels to run on low-coast hardware such as
    56 allows unikernels to run on low-coast hardware such as
    57 Raspberry Pis or Cubieboards, where they can replace much more
    57 Raspberry Pi's or Cubieboards, where they can replace much more
    58 expensive hardware for the same purpose. The low booting times
    58 expensive hardware for the same purpose. The low booting times
    59 of unikernels are also an advantage when your server needs to
    59 of unikernels are also an advantage when your server needs to
    60 scale up to higher user-demands. Then it is often possible to
    60 scale up to higher user-demands. Then it is often possible to
    61 just run another instance of the single program, which can be
    61 just run another instance of the single program, which can be
    62 started almost instantly without the user seeing any delay
    62 started almost instantly without the user seeing any delay
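Review bot: the edit that turns "Raspberry Pis" into "Raspberry Pi's" replaces a plural with a possessive, which is the wrong form here; the original "Raspberry Pis" should stay. Two slips in the same hunk are left untouched and are worth fixing in the same commit: "low-coast hardware" should read "low-cost hardware", and "higher user-demands" needs no hyphen ("higher user demands").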
    78 \begin{center}
    78 \begin{center}
    79 \url{http://ownme.ipredator.se}
    79 \url{http://ownme.ipredator.se}
    80 \end{center}
    80 \end{center}
    81 
    81 
    82 \noindent 
    82 \noindent 
    83 you can get 10 Bitcoins. This is approximately 
    83 you can get 10 Bitcoins. This is approximately \pounds{}41,000. 
    84 
    84 
    85 However, sometimes you cannot, or do not want to, get rid of
    85 However, sometimes you cannot, or do not want to, get rid of
    86 the operating system. In such cases it is still a good idea
    86 the operating system. In such cases it is still a good idea
    87 to minimise the attack surface. For this it helps if the
    87 to minimise the attack surface. For this it helps if the
    88 network application can be split into two parts---an 
    88 network application can be split into two parts---an 
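Review bot: the inserted figure "\pounds{}41,000" for 10 Bitcoins will go stale quickly, since the exchange rate is volatile and the handout is reused across years; state when the rate was taken, e.g. "approximately \pounds{}41,000 at the time of writing (DATE-PLACEHOLDER)", so the comparison with the bounty remains interpretable. The split of the paragraph after "\noindent" is fine as LaTeX goes, but note the \url{} line and the "you can get 10 Bitcoins" continuation form one sentence, so the \noindent is required and should be kept.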
   118 communication, however, needs to be sanitised, meaning any
   118 communication, however, needs to be sanitised, meaning any
   119 unexpected user-input needs to be rejected. The idea behind
   119 unexpected user-input needs to be rejected. The idea behind
   120 this split is that if an attacker can take control of the
   120 this split is that if an attacker can take control of the
   121 \emph{un}privileged process, then he or she cannot do much
   121 \emph{un}privileged process, then he or she cannot do much
   122 damage. However, the split into such privileged and
   122 damage. However, the split into such privileged and
   123 unprivileged processes requires an operating system that
   123 unprivileged process requires an operating system that
   124 supports Unix-style access controls, which look at next.
   124 supports Unix-style access controls, which we will look at next.
   125 
   125 
   126 \subsubsection*{Unix-Style Access Control}
   126 \subsubsection*{Unix-Style Access Control}
   127 
   127 
   128 Following the Unix-philosophy that everything is considered as
   128 Following the Unix-philosophy that everything is considered as
   129 a file, even memory, ports and so on, access control in Unix
   129 a file, even memory, ports and so on, access control in Unix
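Review bot: the change from "privileged and unprivileged processes requires" to "privileged and unprivileged process requires" breaks number agreement, because the sentence describes two processes; the original plural "processes" was correct and should be restored. The other change in this hunk, "which look at next" to "which we will look at next", is a good fix. Consider also tightening "any unexpected user-input needs to be rejected" to "any unexpected user input must be rejected", since the security requirement here is a hard one (reject, do not merely flag).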
   177 
   177 
   178 There are already some special rules for directories and
   178 There are already some special rules for directories and
   179 links. If the execute attribute of a directory is \emph{not}
   179 links. If the execute attribute of a directory is \emph{not}
   180 set, then one cannot change into the directory and one cannot
   180 set, then one cannot change into the directory and one cannot
   181 access any file inside it. If the write attribute is
   181 access any file inside it. If the write attribute is
   182 \emph{not} set, then one can change existing files (provide
   182 \emph{not} set, then one can change existing files (provided
   183 they are changeable), but one cannot create new files. If the
   183 they are changeable), but one cannot create new files. If the
   184 read attribute is \emph{not} set, one cannot search inside the
   184 read attribute is \emph{not} set, one cannot search inside the
   185 directory (\pcode{ls -la} does not work) but one can access an
   185 directory (\pcode{ls -la} does not work) but one can access an
   186 existing file, provided one knows its name. Links to files
   186 existing file, provided one knows its name. Links to files
   187 never depend on the permission of the link, but the file they
   187 never depend on the permission of the link, but the file they
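Review bot: the "provide" to "provided" fix is right. One accuracy point on the sentence it sits in: when a directory's write bit is not set, one cannot create new files, but one also cannot delete or rename the files already in it, because unlink and rename are checked against the directory's permissions rather than the file's; this is worth stating explicitly since the directory write bit, not the file's own bits, is what protects existing files from removal.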
   203 achieved with the simple Unix access rights discussed so far.
   203 achieved with the simple Unix access rights discussed so far.
   204 While this situation might look like an anomaly, it is in fact
   204 While this situation might look like an anomaly, it is in fact
   205 an often occurring problem. For example looking at current
   205 an often occurring problem. For example looking at current
   206 active processes with \pcode{/bin/ps} requires access to
   206 active processes with \pcode{/bin/ps} requires access to
   207 internal data structures of the operating system, which only
   207 internal data structures of the operating system, which only
   208 root should be allowed to. In fact any of the following
   208 root should have access to. In fact any of the following
   209 actions cannot be configured for single users, but need
   209 actions cannot be configured for single users, but need
   210 privileged root access
   210 privileged root access
   211 
   211 
   212 \begin{itemize}
   212 \begin{itemize}
   213 \item changing system databases (users, groups, routing tables
   213 \item changing system databases (users, groups, routing tables
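Review bot: the rewording to "which only root should have access to" reads well, but the \pcode{/bin/ps} example is system specific: on Linux, ps reads process information from /proc, which is world-readable by default, so no root privilege is involved; the statement holds for systems where ps must read kernel memory (historically a setgid kmem binary). Either qualify the example ("on some Unix systems") or use one that is privileged everywhere, such as binding a port below 1024. The sentence "but need privileged root access" also needs a colon before the \begin{itemize}.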
   450 key into $n$ parts according to the ``level'' where the
   450 key into $n$ parts according to the ``level'' where the
   451 decision is taken. For example one complete key for a CEO, 
   451 decision is taken. For example one complete key for a CEO, 
   452 halves of the key for the MDs and thirds for the Ds. The
   452 halves of the key for the MDs and thirds for the Ds. The
   453 problem with this kind of sharing a key is that there might be
   453 problem with this kind of sharing a key is that there might be
   454 many hundreds MDs and Ds in your organisations. Simple-minded
   454 many hundreds MDs and Ds in your organisations. Simple-minded
   455 halving or devision by three of the key just does not work.
   455 halving or division by three of the key just does not work.
   456 
   456 
   457 A much more clever solution was proposed by Blakley and Shamir
   457 A much more clever solution was proposed by Blakley and Shamir
   458 in 1979. This solution is inspired by some simple geometric
   458 in 1979. This solution is inspired by some simple geometric
   459 laws. Suppose a three-dimentional axis system. We can, clearly,
   459 laws. Suppose a three-dimensional axis system. We can, clearly,
   460 specify a point on the $z$-axis, say, by specifying its
   460 specify a point on the $z$-axis, say, by specifying its
   461 coordinates. But we could equally specify this point by a line
   461 coordinates. But we could equally specify this point by a line
   462 that intersects the $z$-axis in this point. How can a line be
   462 that intersects the $z$-axis in this point. How can a line be
   463 specified? Well, by giving two points in space. But as you
   463 specified? Well, by giving two points in space. But as you
   464 might remember from school days, we can specify the point also
   464 might remember from school days, we can specify the point also
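Review bot: the spelling fixes ("division", "three-dimensional") are correct, but two grammar slips in the same passage remain: "many hundreds MDs and Ds in your organisations" should read "many hundreds of MDs and Ds in your organisation", and "Suppose a three-dimensional axis system" reads better as "Consider a three-dimensional coordinate system". On "proposed by Blakley and Shamir in 1979": these were two independent proposals (Shamir's based on polynomial interpolation, Blakley's on intersecting hyperplanes), and saying so avoids suggesting a joint paper.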
   517 \end{center}
   517 \end{center}
   518 
   518 
   519 \noindent About secrecy and integrity, and shared access
   519 \noindent About secrecy and integrity, and shared access
   520 control I recommend to read the chapters on ``Nuclear Command
   520 control I recommend to read the chapters on ``Nuclear Command
   521 and Control'' and ``Multi-Level Security'' in Ross Anderson's
   521 and Control'' and ``Multi-Level Security'' in Ross Anderson's
   522 Security Engineering book (whose first edition is free).
   522 Security Engineering book (whose second edition is free).
   523 
   523 
   524 \end{document}
   524 \end{document}
   525 
   525 
   526 %%% Local Variables: 
   526 %%% Local Variables: 
   527 %%% mode: latex
   527 %%% mode: latex
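Review bot: "I recommend to read" should be "I recommend reading". On the edition change, the first edition of Security Engineering was also released free online, so "whose second edition is free" is an update rather than a correction; consider "both the first and second editions are free online" and add the author's Cambridge page (https://www.cl.cam.ac.uk/~rja14/book.html) so readers can locate the chapters named.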