https://homeostasis.scs.carleton.ca/wiki/index.php?action=history&feed=atom&title=Operating_Systems_2019W_Lecture_23Operating Systems 2019W Lecture 23 - Revision history2026-04-05T17:00:50ZRevision history for this page on the wikiMediaWiki 1.42.1https://homeostasis.scs.carleton.ca/wiki/index.php?title=Operating_Systems_2019W_Lecture_23&diff=22326&oldid=prevSoma: Created page with "==Video== The video for the lecture given on April 8, 2019 [https://homeostasis.scs.carleton.ca/~soma/os-2019w/lectures/comp3000-2019w-lec23-20190408.m4v is now available]...."2019-04-09T00:19:03Z<p>Created page with "==Video== The video for the lecture given on April 8, 2019 [https://homeostasis.scs.carleton.ca/~soma/os-2019w/lectures/comp3000-2019w-lec23-20190408.m4v is now available]...."</p>
<p><b>New page</b></p><div>==Video==<br />
<br />
The video for the lecture given on April 8, 2019 [https://homeostasis.scs.carleton.ca/~soma/os-2019w/lectures/comp3000-2019w-lec23-20190408.m4v is now available].<br />
<br />
==Notes==<br />
<br />
<pre><br />
Lecture 23<br />
----------<br />
<br />
Systems security<br />
<br />
- not crypto(graphy)<br />
<br />
Cryptography is amazing technology, but it is very brittle<br />
- almost nothing is proved secure<br />
- implementation is very very tricky and it is very easy to make<br />
a mistake that undermines all security guarantees<br />
<br />
Debian openssl predictable PRNG flaw<br />
- someone was trying to get rid of valgrind warnings<br />
- the uninitialized memory was used to gather entropy from the OS...<br />
<br />
Can we make perfect software?<br />
- if you can prove it correct...maybe?<br />
- proofs can be flawed and can make false assumptions<br />
<br />
When we find vulnerabilities, we're engaging in a process that never ends.<br />
<br />
But any vulnerability could undermine a whole system's security<br />
<br />
On Linux, the "trusted computing base" (TCB) is<br />
- Linux kernel<br />
- bootloader<br />
- every process running as root (started at boot or setuid root)<br />
- some partially privileged processes/executables<br />
<br />
Security standard practice is that we want as small of a TCB as possible<br />
- but this isn't practical, at least with current development practices<br />
<br />
How can we have security with flawed software?!<br />
<br />
I believe this is possible, because other systems are highly flawed yet<br />
are reasonably secure: living systems<br />
- we all have a variety of imperfect defenses<br />
- but they work well enough to keep most of us alive most of the time<br />
<br />
Modern computer antivirus is like requiring a vaccine against every virus<br />
<br />
Living systems use a combination of<br />
- barriers & general defenses<br />
- adaptive defense<br />
- diversity<br />
<br />
<br />
The adaptive immune system<br />
- notices damage & other strange behavior<br />
- tries many possible solutions<br />
- ramps up solutions that work<br />
<br />
Say I want a system to detect malicious system calls<br />
- if I do large-scale learning (monitor milions of systems, get their<br />
system calls, look for bad ones), I will face certain fundamental problems<br />
- you have to stay small if you want the accuracy to be usable<br />
<br />
My strategy<br />
- monitor locally<br />
- do stupid learning (table lookup)<br />
- don't do anything too dangerous in response to detected problems<br />
(don't kill processes or delete data)<br />
<br />
For example, slow down unusually behaving processes<br />
<br />
But the understandability problem is fundamental<br />
<br />
</pre></div>Soma