\noindent This unikernel is based on the functional
programming language OCaml, which provides added security
(OCaml does not allow buffer overflow attacks, for example).
If you want to test the security of MirageOS, the
developers issued a Bitcoin challenge: if you can break into
their system at

\begin{center}
\url{http://ownme.ipredator.se}
\end{center}

\noindent
you can get 10 Bitcoins. This is approximately

However, sometimes you cannot, or do not want to, get rid of
the operating system. In such cases it is still a good idea
to minimise the attack surface. For this it helps if the
network application can be split into two parts---an
\begin{center}
\begin{tikzpicture}[scale=1]

\draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
\draw (4.7,1) node {Internet};
\draw (-2.7,1.5) node {\footnotesize
\begin{tabular}{c}Application\\(dangerous part)\end{tabular}};
\draw (0.6,1.7) node {\footnotesize Interface};
\draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};

\draw[line width=1mm] (-1.6, 0) rectangle (-3.8,2);

\draw[white] (1.7,1) node (X) {};
\draw[white] (3.7,1) node (Y) {};
\draw[<->, line width = 2mm] (X) -- (Y);

\draw[<->, line width = 1mm] (-0.4,1) -- (-1.5,1);
\end{tikzpicture}
\end{center}

\noindent The idea is that all heavy-duty lifting, or
dangerous operations, in the application (for example database
access or writing a file) is done by a privileged process. All user input from
the Internet is received by an \emph{un}privileged process,
which is restricted to only receive user input from the
Internet and communicates with the privileged process. This
communication, however, needs to be sanitised, meaning any
unexpected user-input needs to be rejected. The idea behind
this split is that if an attacker can take control of the
\emph{un}privileged process, then he or she cannot do much
damage. However, the split into such privileged and
unprivileged processes requires an operating system that
supports Unix-style access controls, which we look at next.

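\noindent The split described above, as an added example written for this section (not code from the text or from MirageOS): an unprivileged child process stands in for the part that talks to the Internet and may only relay the bytes it receives over a pipe, while the privileged parent rejects anything that is not an exact \texttt{GET <name>} request before doing the dangerous work. The request format, the lookup table and the use of uid/gid 65534 (\texttt{nobody}) for dropping root are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Privileged side: accept only "GET <name>\n" with <name> in [A-Za-z0-9_]{1,32}.
 * Anything else is unexpected input and is rejected outright. */
int validate_request(const char *msg, size_t len, char *name, size_t namelen)
{
    if (len < 6 || len > 37 || len - 4 > namelen) return 0;
    if (memcmp(msg, "GET ", 4) != 0 || msg[len - 1] != '\n') return 0;
    size_t n = len - 5;                          /* length of <name> */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)msg[4 + i];
        if (!isalnum(c) && c != '_') return 0;
    }
    memcpy(name, msg + 4, n);
    name[n] = '\0';
    return 1;
}

/* Constructed stand-in for the dangerous privileged operation (e.g. database access). */
static int privileged_lookup(const char *name)
{
    return strcmp(name, "alice") == 0;           /* 1 = record found, 0 = not found */
}

/* The unprivileged child receives `input` (standing in for bytes from the Internet)
 * and may only relay it; the privileged parent validates it before acting. */
int handle_untrusted(const char *input)          /* returns lookup result, or -1 if rejected */
{
    int fd[2];
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                              /* child: unprivileged process */
        close(fd[0]);
        /* Drop root if we have it (uid/gid 65534 = nobody), then just relay. */
        if (geteuid() == 0 && (setgid(65534) != 0 || setuid(65534) != 0)) _exit(1);
        _exit(write(fd[1], input, strlen(input)) < 0);
    }
    close(fd[1]);                                /* parent: privileged process */
    char buf[128], name[33];
    ssize_t n = read(fd[0], buf, sizeof buf);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (n <= 0 || !validate_request(buf, (size_t)n, name, sizeof name)) return -1;
    return privileged_lookup(name);
}
```

Even if the child is fully compromised, the only thing it can hand the parent is a byte string, and the parent's fixed-format check is the single place where that string is trusted.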