diff -r cceb3d2dcba0 -r 67d7d239c617 handouts/ho04.tex --- a/handouts/ho04.tex Tue Jan 05 01:37:31 2016 +0000 +++ b/handouts/ho04.tex Mon Jan 11 02:05:24 2016 +0000 @@ -73,12 +73,15 @@ (Ocaml does not allow buffer overflow attacks, for example). If you want to test the security of MirageOS, the developers issued a Bitcoin challenge: if you can break into -their system, you can get 10 Bitcoins +their system at \begin{center} \url{http://ownme.ipredator.se} \end{center} +\noindent +you can get 10 Bitcoins. This is approximately + However, sometimes you cannot, or do not want to, get rid of the operating system. In such cases it is still a good idea to minimise the attack surface. For this it helps if the 
@@ -90,30 +93,31 @@ \draw[line width=1mm] (-.3, 0) rectangle (1.5,2); \draw (4.7,1) node {Internet}; - \draw (-2.7,1.7) node {\footnotesize Application}; + \draw (-2.7,1.5) node {\footnotesize + \begin{tabular}{c}Application\\(dangerous part)\end{tabular}}; \draw (0.6,1.7) node {\footnotesize Interface}; \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}}; \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}}; - \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2); + \draw[line width=1mm] (-1.6, 0) rectangle (-3.8,2); \draw[white] (1.7,1) node (X) {}; \draw[white] (3.7,1) node (Y) {}; \draw[<->, line width = 2mm] (X) -- (Y); - \draw[<->, line width = 1mm] (-0.6,1) -- (-1.6,1); + \draw[<->, line width = 1mm] (-0.4,1) -- (-1.5,1); \end{tikzpicture} \end{center} -\noindent The idea is that all heavy-duty lifting in the -application (for example database access) is done by a -privileged process. All user input from the internet is -received by an \emph{un}privileged process, which is -restricted to only receive user input from the Internet and -communicates with the privileged process. This communication, -however, needs to be sanitised, meaning any unexpected -user-input needs to be rejected. The idea behind this split is -that if an attacker can take control of the +\noindent The idea is that all heavy-duty lifting, or +dangerous operations, in the application (for example database +access or writing a file) is done by a privileged process. All user input from +the internet is received by an \emph{un}privileged process, +which is restricted to only receive user input from the +Internet and communicates with the privileged process. This +communication, however, needs to be sanitised, meaning any +unexpected user-input needs to be rejected. The idea behind +this split is that if an attacker can take control of the \emph{un}privileged process, then he or she cannot do much damage. 
However, the split into such privileged and unprivileged processes requires an operating system that
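Review bot: the added text in the first hunk (`@@ -73,12 +73,15 @@`) ends with the fragment `This is approximately` followed by a blank line, so the handout will print a sentence that trails off; either finish the sentence with the intended value or drop it before merging. Also check that `if you can break into their system at`, the centred `\url{http://ownme.ipredator.se}` and `\noindent you can get 10 Bitcoins.` still read as one sentence once the `center` environment sits between them.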
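Review bot: in the rewritten paragraph of the second hunk (`@@ -90,30 +93,31 @@`), `This communication, however, needs to be sanitised` does not say which side does the sanitising; since the paragraph's own premise is that the attacker may take control of the unprivileged process, say explicitly that the privileged process must treat every message from the unprivileged one as untrusted and reject anything unexpected, otherwise a reader may place the check in the process that is assumed to be compromised. On the figure, the new `(dangerous part)` label under `Application` describes the privileged box only; consider giving the unprivileged box a matching description (the part that faces the Internet) so the picture explains itself without the text.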