Operating Systems 2015F Lecture 21: Difference between revisions
Created page with "==Notes== * Explain generating, format of patches for reports" |
No edit summary |
||
| Line 1: | Line 1: | ||
==Video== | |||
The video for the lecture given on November 25, 2015 [http://homeostasis.scs.carleton.ca/~soma/os-2015f/lectures/comp3000-2015f-lec21-25Nov2015.mp4 is now available]. | |||
==Notes== | ==Notes== | ||
* | <pre> | ||
Lecture 21 | |||
---------- | |||
no last assignment | |||
What is research? | |||
* Asking questions and figuring out the answers | |||
* Questions are much more important than answers | |||
* Questions are much *harder* than answers | |||
What question you ask determines what answer you'll get | |||
The research literature | |||
- many many publications | |||
- hard to tell what is any good | |||
Reseachers know who to trust in their area, and, how in general to determine trust | |||
- do spot checks for obvious errors, based on what you do know | |||
- do they give full details about what they did? could you reproduce it? | |||
- surprising results require extraordinary evidence | |||
If you're outside the field, look at | |||
- publication reputation | |||
- citation counts and quality | |||
to learn more about operating systems research... | |||
what are the well-respected venues? | |||
Conferences, not journals | |||
USENIX OSDI | |||
ACM SOSP | |||
When should you *really* look at the research literature? | |||
You're trying to solve a hard problem and aren't sure what approach to take. | |||
* look to see what other people have done in response to similar problems! | |||
What about computer security? | |||
* even more publications | |||
But there's a truth to research... | |||
- most of it isn't any good | |||
Why? | |||
- a lot of research doesn't work in practice | |||
- a lot of conclusions are premature | |||
Computer security research is mostly bad | |||
Cryptography is mostly bad. And dangerous. | |||
* easy to implement | |||
* hard to implement well | |||
If you make a mistake, your crypto is worse than useless | |||
* security cannot be specified or completely defined | |||
* attacks exploit details that you didn't think about | |||
Timing attacks | |||
Game in encryption: encrypt and decrypt without disclosing the plaintext or the key | |||
For many encryption algorithms, execution time is a function of the plaintext and/or key | |||
Watch how long a computer takes to encrypt something, and you can figure out the key | |||
1970's, Data Encryption Standard (DES) | |||
- first developed by IBM | |||
- "fixed" by the NSA | |||
- halved the key (much easier to break) | |||
- fiddled with the constants in the algorithm | |||
Any security technology may improve and reduce your security at the same time | |||
security is confidentiality, availability, and integrity | |||
Example: encrypting a hard disk | |||
Why not use biometrics | |||
- fingerprints | |||
- facial recognition | |||
It is all about your threat model | |||
- any technology helps with certain risks and harms versus others | |||
- what do you care about? | |||
Tradeoffs are inherent to technology | |||
</pre> | |||
Latest revision as of 21:31, 25 November 2015
Video
The video for the lecture given on November 25, 2015 is now available.
Notes
Lecture 21 ---------- no last assignment What is research? * Asking questions and figuring out the answers * Questions are much more important than answers * Questions are much *harder* than answers What question you ask determines what answer you'll get The research literature - many many publications - hard to tell what is any good Reseachers know who to trust in their area, and, how in general to determine trust - do spot checks for obvious errors, based on what you do know - do they give full details about what they did? could you reproduce it? - surprising results require extraordinary evidence If you're outside the field, look at - publication reputation - citation counts and quality to learn more about operating systems research... what are the well-respected venues? Conferences, not journals USENIX OSDI ACM SOSP When should you *really* look at the research literature? You're trying to solve a hard problem and aren't sure what approach to take. * look to see what other people have done in response to similar problems! What about computer security? * even more publications But there's a truth to research... - most of it isn't any good Why? - a lot of research doesn't work in practice - a lot of conclusions are premature Computer security research is mostly bad Cryptography is mostly bad. And dangerous. * easy to implement * hard to implement well If you make a mistake, your crypto is worse than useless * security cannot be specified or completely defined * attacks exploit details that you didn't think about Timing attacks Game in encryption: encrypt and decrypt without disclosing the plaintext or the key For many encryption algorithms, execution time is a function of the plaintext and/or key Watch how long a computer takes to encrypt something, and you can figure out the key 1970's, Data Encryption Standard (DES) - first developed by IBM - "fixed" by the NSA - halved the key (much easier to break) - fiddled with the constants in the algorithm Any security technology may improve and reduce your security at the same time security is confidentiality, availability, and integrity Example: encrypting a hard disk Why not use biometrics - fingerprints - facial recognition It is all about your threat model - any technology helps with certain risks and harms versus others - what do you care about? Tradeoffs are inherent to technology