DOCSLIB.ORG

Towards Application Security on Untrusted Operating Systems Dan R

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Towards Application Security on Untrusted Operating Systems Dan R Towards Application Security on Untrusted Operating Systems Dan R. K. Ports Tal Garfinkel MIT CSAIL & VMware, Inc.∗ VMware, Inc. [email protected] [email protected] Abstract OS compromise, the implications of continuing to rely on OS services if they turn malicious are poorly understood. Complexity in commodity operating systems makes We explore this problem and potential solutions in the compromises inevitable. Consequently, a great deal of context of Overshadow, a virtualization-based system we work has examined how to protect security-critical por- developed that protects applications in a VM from the tions of applications from the OS through mechanisms guest operating system in that VM. Overshadow attempts such as microkernels, virtual machine monitors, and new to maintain the secrecy and integrity of an application’s processor architectures. Unfortunately, most work has data even if the OS is completely compromised. For each focused on CPU and memory isolation and neglected major OS component, we examine how malicious behav- OS semantics. Thus, while much is known about how ior could undermine application secrecy and integrity, to prevent OS and application processes from modifying and suggest potential mitigations. While we present our each other, far less is understood about how different OS analysis and solutions in the context of Linux and Over- components can undermine application security if they shadow, they are more generally applicable to any system turn malicious. attempting to secure application execution in the face of We consider this problem in the context of our work a compromised OS. on Overshadow, a virtual-machine-based system for We begin with a review of systems that enforce iso- retrofitting protection in commodity operating systems. lation between protected applications and untrusted op- We explore how malicious behavior in each major OS sub- erating systems in Section 2. Next, we explain how a system can undermine application security, and present malicious OS can subvert them, using false system call potential mitigations. While our discussion is presented return values to trick an application into revealing its in terms of Overshadow and Linux, many of the prob- secrets, and argue for a solution based on a verifiable lems and solutions are applicable to other systems where system call interface in Section 3. Finally, we examine trusted applications rely on untrusted, potentially mali- the implications of making specific OS components un- cious OS components. trusted, and propose defenses against possible attacks, in Section 4. 1 Introduction 2 Isolation Architectures Commodity operating systems are tasked with storing and processing our most sensitive information, from man- Traditional commodity operating systems are monolithic aging financial and medical records to carrying out online programs that directly manage all hardware, so any OS purchases. The generality and rich functionality these exploit results in total system compromise. A variety systems provide leads to complexity in their implementa- of architectures have been proposed to mitigate the im- tion, and hence their assurance often falls short. pact of an OS compromise by providing memory and Many solutions have been proposed for enhancing the CPU isolation using a separate layer below the commod- assurance of these systems. Some use microkernels to ity OS, either in the form of a virtual machine monitor, contain potentially malicious behavior by placing major microkernel or architectural extensions — taking sole OS and application components into separate isolated responsibility for protection out of the hands of the OS. processes [11]. Others, such as NGSCB (formerly Palla- These architectures prevent a compromised OS from dium) [3], Proxos [12], XOM [7], and Overshadow [2], reading or modifying application CPU and memory state. attempt to retrofit orthogonal, higher assurance execution We are primarily interested not in these attacks but rather environments alongside a commodity OS, allowing part what comes next, i.e. once we have prevented direct at- or all of an application to run in a protected environment, tacks on application state, how we can prevent higher- but still use OS services. Unfortunately, while these sys- level attacks based on modifying the semantics of system tems provide CPU and memory isolation in the face of calls. However, CPU and memory isolation is a prereq- uisite for our work, so we begin with a survey of these ∗Work done during an internship at VMware, Inc. isolation architectures. Microkernel-based architectures, such as those based on L4 [5], divide both the application and OS into mul- tiple components, placing each in its own process. In Proxos, a virtual-machine-based system, trusted compo- nents including the protected applications and a trusted “private OS” are placed in a single VM, that runs along- side another VM running a commodity OS [12]. A proxy forwards the application’s system calls to either the pri- vate OS or commodity OS, depending on an application- specific security policy. NGSCB takes a similar, but less backwards-compatible approach, by requiring the appli- cation to be refactored into a trusted part which runs in its own secure compartment and an untrusted part which runs on the commodity OS [3]. XOM is a processor ar- chitecture that isolates protected applications from each other and the operating system using a combination of register-level tagging and cryptographic techniques [7]. While seemingly different, all these architectures pro- vide the same basic property: some or all of the applica- Figure 1: Overshadow architecture. Trusted components tion is run in a separate protection domain from the OS. are indicated with a shaded background. In addition This protects the secrecy and integrity of resources like to the standard virtualization barrier that isolates entire registers and memory, and ensures control flow integrity, VMs from each other and the monitor, Overshadow adds i.e. control flow cannot be altered except via well-defined a second virtualization barrier that isolates protected ap- protocols such as signal delivery and system calls. plications from other components inside the same VM. Overshadow. Overshadow [2] is a system we devel- oped for protecting applications running inside a VM implement system calls securely. from the operating system in that VM. Overshadow works Figure 1 shows the components required to protect an by leveraging the virtual machine monitor’s control over application with Overshadow. In addition to the applica- memory mappings to present different views of memory tion itself, the shim, VMM, and hardware are trusted. The pages depending on the execution context. When an ap- OS kernel and all other applications, including privileged plication accesses its own memory, access proceeds as daemons and other system services, are untrusted. normal; if the OS or another application accesses it, the Overshadow uses a simple protection model based on VMM transparently encrypts the memory page and saves whole-application protection. Each application runs in its a secure hash for integrity verification. This allows all re- own secure compartment identified by a unique security source management functionality to remain in the hands ID (SID). Each process or thread thus has an associated of the OS, without compromising secrecy and integrity: SID. Every resource, such as a memory region or file, has for example, the OS can swap memory pages to disk and an owner SID. Access to a resource is permitted only if its restore them, but cannot read or modify their contents. SID is the same as that of the currently-executing thread. To adapt applications to this new execution environ- Though simple, this model is sufficient for many interest- ment, without requiring any modifications to the applica- ing applications. It would be relatively straightforward to tion or OS, we add a shim to each application at load time. extend this model to support trust relationships between The shim is user-level code (akin to a shared library), but applications and more sophisticated access control for communicates directly with the VMM via a hypercall shared resources. interface. The shim and VMM together provide secure control transfer by saving execution state in protected 3 Implications of a Malicious OS memory when an application is interrupted, and restoring The protection architectures in the previous section guar- it when the application resumes execution. The VMM antee that applications that do not interact explicitly with also redirects system calls to the shim, which adapts their the OS execute correctly, because the integrity of code semantics as necessary for compatibility; for example, and data is protected, and control flow proceeds as nor- data being passed to the OS is automatically copied to mal. Assuming the basic protection architecture is sound, unprotected memory so that the OS can access it. In no loss of integrity or data leakage is possible, although the extensions to Overshadow we propose in Section 4, availability is not guaranteed because the OS could sim- we make use of this system call interposition to help ply stop scheduling the application. However, any non-trivial program makes system calls, system calls are so intimately related to the OS im- and this presents an opportunity for a malicious OS to plementation that their correctness cannot be guaran- influence the program’s data and control flow by manipu- teed — for example, those related to kernel modules lating system call results. To take a simple example, if a or scheduling policies. multithreaded program relies on the OS to implement a • We can emulate the system call in trusted code. mutual-exclusion lock, the OS could grant the lock to two This option should also be used sparingly, since threads at once. Since the OS also handles scheduling, reimplementing system calls adds to the size of the this has the potential to create a race condition even in TCB. Nevertheless, it may be the best option for correctly written code, with arbitrarily bad consequences.
Load more

Recommended publications
  • Access Control and Operating System
    Outline (may not finish in one lecture) Access Control and Operating Access Control Concepts Secure OS System Security • Matrix, ACL, Capabilities • Methods for resisting • Multi-level security (MLS) stronger attacks OS Mechanisms Assurance • Multics • Orange Book, TCSEC John Mitchell – Ring structure • Common Criteria • Amoeba • Windows 2000 – Distributed, capabilities certification • Unix Some Limitations – File system, Setuid • Information flow • Windows • Covert channels – File system, Tokens, EFS • SE Linux – Role-based, Domain type enforcement Access control Access control matrix [Lampson] Common Assumption Objects • System knows who the user is File 1 File 2 File 3 … File n – User has entered a name and password, or other info • Access requests pass through gatekeeper User 1 read write - - read – OS must be designed monitor cannot be bypassed User 2 write write write - - Reference Subjects monitor User 3 - - - read read User process ? Resource … User m read write read write read Decide whether user can apply operation to resource Two implementation concepts Capabilities Access control list (ACL) File 1 File 2 … Operating system concept • “… of the future and always will be …” • Store column of matrix User 1 read write - Examples with the resource User 2 write write - • Dennis and van Horn, MIT PDP-1 Timesharing Capability User 3 - - read • Hydra, StarOS, Intel iAPX 432, Eros, … • User holds a “ticket” for … • Amoeba: distributed, unforgeable tickets each resource User m read write write • Two variations References – store
    [Show full text]
  • Research Purpose Operating Systems – a Wide Survey
    GESJ: Computer Science and Telecommunications 2010|No.3(26) ISSN 1512-1232 RESEARCH PURPOSE OPERATING SYSTEMS – A WIDE SURVEY Pinaki Chakraborty School of Computer and Systems Sciences, Jawaharlal Nehru University, New Delhi – 110067, India. E-mail: [email protected] Abstract Operating systems constitute a class of vital software. A plethora of operating systems, of different types and developed by different manufacturers over the years, are available now. This paper concentrates on research purpose operating systems because many of them have high technological significance and they have been vividly documented in the research literature. Thirty-four academic and research purpose operating systems have been briefly reviewed in this paper. It was observed that the microkernel based architecture is being used widely to design research purpose operating systems. It was also noticed that object oriented operating systems are emerging as a promising option. Hence, the paper concludes by suggesting a study of the scope of microkernel based object oriented operating systems. Keywords: Operating system, research purpose operating system, object oriented operating system, microkernel 1. Introduction An operating system is a software that manages all the resources of a computer, both hardware and software, and provides an environment in which a user can execute programs in a convenient and efficient manner [1]. However, the principles and concepts used in the operating systems were not standardized in a day. In fact, operating systems have been evolving through the years [2]. There were no operating systems in the early computers. In those systems, every program required full hardware specification to execute correctly and perform each trivial task, and its own drivers for peripheral devices like card readers and line printers.
    [Show full text]
  • Mixed-Criticality Scheduling and Resource Sharing for High-Assurance Operating Systems
    Mixed-Criticality Scheduling and Resource Sharing for High-Assurance Operating Systems Anna Lyons Submitted in fulfilment of the requirements for the degree of Doctor of Philosophy School of Computer Science and Engineering University of New South Wales Sydney, Australia September 2018 Abstract Criticality of a software system refers to the severity of the impact of a failure. In a high-criticality system, failure risks significant loss of life or damage to the environ- ment. In a low-criticality system, failure may risk a downgrade in user-experience. As criticality of a software system increases, so too does the cost and time to develop that software: raising the criticality also raises the assurance level, with the highest levels requiring extensive, expensive, independent certification. For modern cyber-physical systems, including autonomous aircraft and other vehicles, the traditional approach of isolating systems of different criticality by using completely separate physical hardware, is no longer practical, being both restrictive and inefficient. The result is mixed-criticality systems, where software applications with different criticalities execute on the same hardware. Sufficient mechanisms are required to ascertain that software in mixed-criticality systems is sufficiently isolated, otherwise, all software on that hardware is promoted to the highest criticality level, driving up costs to impractical levels. For mixed-criticality systems to be viable, both spatial and temporal isolation are required. Current aviation standards allow for mixed-criticality systems where temporal and spatial resources are strictly and statically partitioned in time and space, allowing some improvement over fully isolated hardware. However, further improvements are not only possible, but required for future innovation in cyber-physical systems.
    [Show full text]
  • Operating System Verification—An Overview
    Sadhan¯ a¯ Vol. 34, Part 1, February 2009, pp. 27–69. © Printed in India Operating system verification—An overview GERWIN KLEIN Sydney Research Laboratory, NICTA,∗ Australia, School of Computer Science and Engineering, University of New South Wales, Sydney, Australia e-mail: [email protected] Abstract. This paper gives a high-level introduction to the topic of formal, interactive, machine-checked software verification in general, and the verification of operating systems code in particular. We survey the state of the art, the advantages and limitations of machine-checked code proofs, and describe two specific ongoing larger-scale verification projects in more detail. Keywords. Formal software verification; operating systems; theorem proving. 1. Introduction The fastest, cheapest and easiest way to build something is properly the first time (Parker 2007). This engineer’s credo has made it into popular literature, but it seems to be largely ignored in the world of software development. In the late 1960s a software crisis was diagnosed on a summit in the Bavarian Alps (Naur & Randell 1969): Software was getting more and more complex, and we had no structured way of building it. We ended up with projects that took significantly longer than planned, were more expensive than planned, delivered results that did not fully address customer needs, or at worst were useless. This summit in the late 1960s is widely seen as the birth of the discipline of software engineering. Now, almost 40 years later, we have come a long way. There are numerous books on software engineering, a plenitude of methodologies, programming languages, and processes to choose from.
    [Show full text]
  • Scalability of Microkernel-Based Systems
    Scalability of Microkernel-Based Systems Zur Erlangung des akademischen Grades eines DOKTORS DER INGENIERWISSENSCHAFTEN von der Fakultat¨ fur¨ Informatik der Universitat¨ Fridericiana zu Karlsruhe (TH) genehmigte DISSERTATION von Volkmar Uhlig aus Dresden Tag der mundlichen¨ Prufung:¨ 30.05.2005 Hauptreferent: Prof. Dr. rer. nat. Gerhard Goos Universitat¨ Fridericiana zu Karlsruhe (TH) Korreferent: Prof. Dr. sc. tech. (ETH) Gernot Heiser University of New South Wales, Sydney, Australia Karlsruhe: 15.06.2005 i Abstract Microkernel-based systems divide the operating system functionality into individ- ual and isolated components. The system components are subject to application- class protection and isolation. This structuring method has a number of benefits, such as fault isolation between system components, safe extensibility, co-existence of different policies, and isolation between mutually distrusting components. How- ever, such strict isolation limits the information flow between subsystems including information that is essential for performance and scalability in multiprocessor sys- tems. Semantically richer kernel abstractions scale at the cost of generality and mini- mality–two desired properties of a microkernel. I propose an architecture that al- lows for dynamic adjustment of scalability-relevant parameters in a general, flex- ible, and safe manner. I introduce isolation boundaries for microkernel resources and the system processors. The boundaries are controlled at user-level. Operating system components and applications can transform their semantic information into three basic parameters relevant for scalability: the involved processors (depending on their relation and interconnect), degree of concurrency, and groups of resources. I developed a set of mechanisms that allow a kernel to: 1. efficiently track processors on a per-resource basis with support for very large number of processors, 2.
    [Show full text]
  • Introduction Course Outline Why Does This Fail? Lectures Tutorials
    Course Outline • Prerequisites – COMP2011 Data Organisation • Stacks, queues, hash tables, lists, trees, heaps,…. Introduction – COMP2021 Digital Systems Structure • Assembly programming • Mapping of high-level procedural language to assembly COMP3231/9201/3891/9283 language – or the postgraduate equivalent (Extended) Operating Systems – You are expected to be competent Kevin Elphinstone programmers!!!! • We will be using the C programming language – The dominant language for OS implementation. – Need to understand pointers, pointer arithmetic, explicit 2 memory allocation. Why does this fail? Lectures • Common for all courses (3231/3891/9201/9283) void func(int *x, int *y) • Wednesday, 2-4pm { • Thursday, 5-6pm *x = 1; *y = 2; – All lectures are here (EE LG03) – The lecture notes will be available on the course web site } • Available prior to lectures, when possible. void main() – The lecture notes and textbook are NOT a substitute for { attending lectures. int *a, *b; func(a,b); } 3 4 Tutorials Assignments • Assignments form a substantial component of • Start in week 2 your assessment. • A tutorial participation mark will • They are challenging!!!! – Because operating systems are challenging contribute to your final assessment. • We will be using OS/161, – Participation means participation, NOT – an educational operating system attendance. – developed by the Systems Group At Harvard – Comp9201/3891/9283 students excluded – It contains roughly 20,000 lines of code and comments • You will only get participation marks in your enrolled tutorial. 5 6 1 Assignments Assignments • Assignments are in pairs • Don’t under estimate the time needed to do the – Info on how to pair up available soon assignments. • We usually offer advanced versions of the – ProfQuotes: [About the midterm] "We can't keep you working assignments on it all night, it's not OS.“ Ragde, CS341 – Available bonus marks are small compared to amount of • If you start a couple days before they are due, you will be late.
    [Show full text]
  • A Look at the EROS Operating System Jonathan S
    A Look at the EROS Operating System Jonathan S. Shapiro Johns Hopkins University Abstract EROS is a capability-based, secure operating system originally designed to address the needs of shared computing utilities involving mutually suspicious users. The deploy­ ment plan for the original design was to provide leased compute service to competing business entities, potentially running on a single machine. As a result, the system was structured to preserve security in the face of both hostile dynamic content and hostile users. While the EROS platform can support the efficient deployment of multilevel se­ cure environments, it is primarily focused on business security requirements. These re­ quirements often address integrity as well as security concerns. An EROS-based deploy­ ment can ensure that business-critical data is manipulated exclusively by authorized ap­ plication software, which in turn is guarded against user tampering. Simultaneously, EROS enables users to run untrusted utility software, hand private or proprietary data to that software, and be assured (within reason) that the data cannot be disclosed to the out­ side world. This paper gives a general overview of the EROS system and what it can do. The EROS research project has now ended. Further work based on the EROS system is being pursued under the CapROS project (www.capros.org). The EROS team has moved on to a successor system: Coyotos (www.coyotos.org). 1 Introduction in other publications. Others result from chains of reasoning that are omitted for reasons of space. A This paper accompanies a talk for the 2005 Libre few are opinions derived from years of in-depth Software Meeting in Dijon, France.
    [Show full text]
  • El Debat Polític D'ahir; Al Parlament De La Repúb Ica, Desenrotllat En
    EL TEMPS. - Al pla de Lleida, Penedès, Bages I Via, hi ha bol· res matinals. Per tota la resta de catalunya el cel està completament se~. pel qual motiu les glaçades I gebrades són tmpartants, I ha experimentat la temperatura un notable descens. Les mlnlmes registrades ahir han tingut lloc a Núria amb 11 graus sota zero I a Adrall I Sant Juilià de VIlatorta, amb 6 graus sota zero. IV _ Núm. 700 - Preue 10 cèntims AnY fundadort LLUIS COMPANYS Barcelona, dijous, s de febrer del 19J4 El MOMENT POUTIC El debat polític d'ahir; al Parlament de la Repúb ica, desenrotllat en un ambient de gran passió, vé a augnientar el confusionisme actual - o Uftfi[H[IA ~·~HJI11IUA[II A~~~R~A IPrieto, en nom dels socialistes, s'expresà en SENSE AUTORITAT NI GAllARDIA termes de gran violència.-Segueix la divisió l dintre el Govern lerroux, destacada novament e S darreres hores A despit de la votació de coníiança al Govern Lerroux, obtingudR en la intervenció de Martínez Barrio del Govern Lerroux després de l'apassionat debat parlamentari d'ahir, la situació politica segueiX més con1usa que mat. Si la crisi era inevitable abans d'ahir, ho és Proposicions llei sobre intensificació del Cultiu. la situació social als camps i espe­ El senyor ALVAREZ MENDIZA­ cialment a la provincia de Jaén. (Crònica del nostre redactor a Madrid Alard Prats) .rob apremiant urgencia des d'avui. La sessió parlamentària tingué l'ab· Madrid, 7. - A dos quarts i cmc surd& conseqi.ièncJa de complicar com mat la situació 1 de posar de re­ BAL presenta una esmena en la L'efervescencia que s'observa al carrer, ha tingut per fi ressò al Parla­ minuts de cinc comença la sess10 com lleu en el saló de sessions la profunda esquerda del gabinet, sense solda­ qual demana que es determinin El debat polític ment.
    [Show full text]
  • Labels and Event Processes in the Asbestos Operating System
    Labels and Event Processes in the Asbestos Operating System Petros Efstathopoulos∗ Maxwell Krohn† Steve VanDeBogart∗ Cliff Frey† David Ziegler† Eddie Kohler∗ David Mazieres` ‡ Frans Kaashoek† Robert Morris† ∗UCLA †MIT ‡Stanford/NYU http://asbestos.cs.ucla.edu/ ABSTRACT purposes [20]. Most servers instead revert to the most insecure de- sign, monolithic code running with many privileges. It should come Asbestos, a new prototype operating system, provides novel la- as no surprise that high-impact breaches continue. beling and isolation mechanisms that help contain the effects New operating system primitives are needed [21], and the best of exploitable software flaws. Applications can express a wide place to explore candidates is the unconstrained context of a new range of policies with Asbestos’s kernel-enforced label mechanism, OS. Hence the Asbestos operating system, which can enforce strict including controls on inter-process communication and system- application-defined security policies even on efficient, unprivileged wide information flow. A new event process abstraction provides servers. lightweight, isolated contexts within a single process, allowing the same process to act on behalf of multiple users while preventing Asbestos’s contributions are twofold. First, all access control it from leaking any single user’s data to any other user. A Web checks use Asbestos labels, a primitive that combines advantages server that uses Asbestos labels to isolate user data requires about of discretionary and nondiscretionary access control. Labels deter- 1.5 memory pages per user, demonstrating that additional security mine which services a process can invoke and with which other can come at an acceptable cost. processes it can interact.
    [Show full text]
  • Download Full Book
    For Business and Pleasure Keire, Mara Laura Published by Johns Hopkins University Press Keire, Mara Laura. For Business and Pleasure: Red-Light Districts and the Regulation of Vice in the United States, 1890–1933. Johns Hopkins University Press, 2010. Project MUSE. doi:10.1353/book.467. https://muse.jhu.edu/. For additional information about this book https://muse.jhu.edu/book/467 [ Access provided at 1 Oct 2021 16:48 GMT with no institutional affiliation ] This work is licensed under a Creative Commons Attribution 4.0 International License. For Business & Pleasure This page intentionally left blank studies in industry and society Philip B. Scranton, Series Editor Published with the assistance of the Hagley Museum and Library For Business & Pleasure Red-Light Districts and the Regulation of Vice in the United States, 1890–1933 mara l. keire The Johns Hopkins University Press Baltimore ∫ 2010 The Johns Hopkins University Press All rights reserved. Published 2010 Printed in the United States of America on acid-free paper 2 4 6 8 9 7 5 3 1 The Johns Hopkins University Press 2715 North Charles Street Baltimore, Maryland 21218-4363 www.press.jhu.edu Library of Congress Cataloging-in-Publication Data Keire, Mara L. (Mara Laura), 1967– For business and pleasure : red-light districts and the regulation of vice in the United States, 1890–1933 / Mara L. Keire. p. cm. — (Studies in industry and society) Includes bibliographical references and index. isbn-13: 978-0-8018-9413-8 (hbk. : alk. paper) isbn-10: 0-8018-9413-1 (hbk. : alk. paper) 1. Red-light districts—United States—History—20th century.
    [Show full text]
  • Mobile and Embedded Device
    Mobile and Embedded Device Selecting an Operating System Why use an OS? ● In our previous work we have seen how to execute a number of tasks on our system ● Some of these tasks can run asynchronously – For example interrupt driven tasks ● So if we want to exploit the resources of our system efficiently we require some software support to do this – Namely an operating system Which Operating System? ● There are a number of choices when selecting an OS – Size, cost, features ● Free – FreeRTOS: http://www.freertos.org – TinyOS: http://www.tinyos.net – Chibios: http://www.chibios.org/ – eCos, uKOS, EROS, Nut/OS – Various Linux flavours ● Commercial – VxWorks: http://www.windriver.com – QNX: http://www.qnx.com – SafeRTOS: http://www.highintegritysystems.com/safertos.html – uC/OSII: http://www.micrium.com – Salvo: http://www.pumpkininc.com – INTEGRITY, VelOSity, THEOS, RMX Why FreeRTOS ● Free (Both “Speech” and “Beer”) – No Royalties, Open Source – Although documentation costs ● Lightweight – Low overhead, simple code ● Portable – ~8 major architectures officially supported, more unofficially ● Cooperative or Preemptive – We're going to be using preemptive ● Good Documentation – http://www.freertos.org – Look under FreeRTOS API – Functional docs plus code examples ● Developed by an Ex-Student! – Richard Barry, BSc CRTS What required from an OS? ● For small embedded systems they are required to be – Small memory footprint – Efficient use of resources – Fast ● We require what is normally called an 'executive' rather than an operating system – Lots
    [Show full text]
  • Reinterpreting Eros in Plato's Symposium
    Reinterpreting Eros in Plato’s Symposium Master’s Thesis Presented to The Faculty of the Graduate School of Arts and Sciences Brandeis University Department of Ancient Greek and Roman Studies Leonard Muellner, Advisor In Partial Fulfillment of the Requirements for Master’s Degree by Peter Caccavale May 2012 Acknowledgements I would like to thank everyone who encouraged me throughout this process including my family, friends and colleagues. Without your support and guidance I am sure this thesis would never have been successful. I owe special thanks to my advisor, Professor Leonard Muellner, whose continued guidance and suggestions transformed this thesis from scattered thoughts to a structured work. From weekly meetings to editing a constant stream of drafts, your help was invaluable and I am very thankful for all of your advice. I would also like to thank my readers, Professor Patricia Johnston and Professor Cheryl Walker. I appreciate the time you took to read such a large thesis and your suggestions and comments were instrumental in fixing my errors in both grammar and logic. Finally, I am happy to be able to thank Christina for her unwavering support and encouragement. By now you have probably heard more about Plato and Greek grammar than you ever would have wanted, but you have also added more to this work than I think you realize. P.G.C. ii ABSTRACT Redefining Eros in Plato’s Symposium A thesis presented to the Department of Classical Studies Graduate School of Arts and Sciences Brandeis University Waltham, Massachusetts By Peter Caccavale At the heart of the Symposium there lies the conceptual problem of defining the term eros in a manner that remains faithful to both its linguistic and philosophical context.
    [Show full text]