SystemsSec 2016W Lecture 4: Difference between revisions

Topics & Readings

• chroot jails
• MULTICS

Class Notes

Jails

• better version of chmod
• BSD mechanism, not really a Linux thing
• limiting hierarchy to make a non-root dir seem like the root dir, forces hierarchy to be duplicated so that nothing seems weird
• fake root user gets ‘jailed’ into subset of hierarchy, and doesn’t really have real root privileges
• process has a different root dir in kernel, but to the fake root user it still seems like the root dir
• one kernel space, multiple user spaces
• kind of like OS virtualization

DD-WRT

• firmware for routers
• WRT54G LinkSys router with a Linux kernel on it

Proxy vs VPN tunneling

• proxies are for HTTP specifically
• VPN is for any internet traffic
• TCP IP illustrated, to better understand networking

(Complex Security) Policies

• "Suck, don’t make them." - Anil, 2016.
• can’t approximate how humans approach information with logic systems

MULTICS

• supposed to be a “grown up” OS
• first OS to take security seriously
• took a "shotgun approach" to security, too much generality
• implemented a ring system which was overly complicated

UNIX

• simplest mechanisms, most usable

Reference Monitor

• software that mediates all security decisions
• MULTICS designed to have a reference monitor, which was their ring system
• UNIX doesn’t really have one, processes (kind of) moderate security decisions together

Important Concepts

Jails

• What is an OS jail?
• What would happen if a user broke out of a jail?

MULTICS

• What is it?
• What was good/bad about MULTICS?
• How did MULTICS affect UNIX?

Reference Monitor

• What is it?
• What is it's role in an OS?
• How is it implemented in UNIX and MULTICS?