Operating Systems 2015F Lecture 22

From Soma-notes
Revision as of 21:27, 25 November 2015 by Soma (talk | contribs) (Created page with "==Video== The video for the lecture given on November 25, 2015 [http://homeostasis.scs.carleton.ca/~soma/os-2015f/lectures/comp3000-2015f-lec21-25Nov2015.mp4 is now available...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Video

The video for the lecture given on November 25, 2015 is now available.

Notes

Lecture 21
----------

no last assignment

What is research?
 * Asking questions and figuring out the answers
 * Questions are much more important than answers
 * Questions are much *harder* than answers

What question you ask determines what answer you'll get

The research literature
 - many many publications
 - hard to tell what is any good

Reseachers know who to trust in their area, and, how in general to determine trust
 - do spot checks for obvious errors, based on what you do know
 - do they give full details about what they did? could you reproduce it?
 - surprising results require extraordinary evidence


If you're outside the field, look at
 - publication reputation
 - citation counts and quality

to learn more about operating systems research...
what are the well-respected venues?

Conferences, not journals

 USENIX OSDI
 ACM SOSP

When should you *really* look at the research literature?

You're trying to solve a hard problem and aren't sure what approach to take.
 * look to see what other people have done in response to similar problems!

What about computer security?
 * even more publications

But there's a truth to research...
 - most of it isn't any good

Why?
 - a lot of research doesn't work in practice
 - a lot of conclusions are premature

Computer security research is mostly bad

Cryptography is mostly bad.  And dangerous.
* easy to implement
* hard to implement well

If you make a mistake, your crypto is worse than useless
* security cannot be specified or completely defined
* attacks exploit details that you didn't think about

Timing attacks

Game in encryption: encrypt and decrypt without disclosing the plaintext or the key

For many encryption algorithms, execution time is a function of the plaintext and/or key

Watch how long a computer takes to encrypt something, and you can figure out the key

1970's, Data Encryption Standard (DES)
 - first developed by IBM
 - "fixed" by the NSA
   - halved the key (much easier to break)
   - fiddled with the constants in the algorithm

Any security technology may improve and reduce your security at the same time

security is confidentiality, availability, and integrity
Example: encrypting a hard disk

Why not use biometrics
 - fingerprints
 - facial recognition

It is all about your threat model
 - any technology helps with certain risks and harms versus others
 - what do you care about?

Tradeoffs are inherent to technology