SystemsSec 2016W Lecture 4: Difference between revisions

From Soma-notes

Revision as of 00:38, 5 February 2016

Topics & Readings


  • chroot jails
  • MULTICS

Class Notes


Jails

A chroot jail isolates a single process from the rest of the system, and should be used by non-root users.

  • BSD mechanism, not really a Linux thing
  • limiting hierarchy to make a non-root dir seem like the root dir, forces hierarchy to be duplicated so that nothing seems weird
  • fake root user gets ‘jailed’ into subset of hierarchy, and doesn’t really have real root privileges
  • process has a different root dir in kernel, but to the fake root user it still seems like the root dir
  • one kernel space, multiple user spaces
  • kind of like OS virtualization

DD-WRT

DD-WRT is firmware for routers. Linksys used to make router models that came with a Linux kernel on them, the WRT54G series.

Proxy vs VPN tunneling

  • proxies are for HTTP specifically
  • VPN is for any internet traffic

If you're having a hard time understanding networking, look into reading the 3 volumes of TCP/IP Illustrated. They are highly recommended by Anil.

(Complex Security) Policies

"Suck, don’t make them." - Anil, 2016.

We can’t approximate how humans approach information with logic systems, so we shouldn't try.

MULTICS

Multiplexed Information and Computing Service

  • supposed to be a “grown up” OS
  • first OS to take security seriously
  • took a "shotgun approach" to security, too much generality
  • implemented a ring system which was overly complicated

UNIX

Our favourite open sourced OS. All praise to the GNU.

  • simplest mechanisms, most usable

SELinux

Security Enhanced Linux

A set of kernel modifications whose goal is to make the Linux kernel more secure. These mainly include implementing and enforcing security policies.

Reference Monitor

  • software that mediates all security decisions
  • MULTICS designed to have a reference monitor, which was their ring system
  • UNIX doesn’t really have one, processes (kind of) moderate security decisions together

Important Questions


Jails

  • What is an OS jail?
  • What would happen if a user broke out of a jail?

MULTICS

  • What is it?
  • What was good/bad about MULTICS?
  • How did MULTICS affect UNIX?

Reference Monitor

  • What is it?
  • What is its role in an OS?
  • How is it implemented in UNIX and MULTICS?