The Flask Security Architecture: System Support for Diverse Security Policies
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Building a Reliable Storage Stack
Building a Reliable Storage Stack Ph.D. Thesis David Cornelis van Moolenbroek Vrije Universiteit Amsterdam, 2016 This work was supported by the European Research Council Advanced Grant 227874. This work was carried out in the ASCI graduate school. ASCI dissertation series number 355. Copyright © 2016 by David Cornelis van Moolenbroek. ISBN 978-94-028-0240-5 Cover design by Eva Dienske. Printed by Ipskamp Printing. VRIJE UNIVERSITEIT Building a Reliable Storage Stack ACADEMISCH PROEFSCHRIFT ter verkrijging van de graad Doctor aan de Vrije Universiteit Amsterdam, op gezag van de rector magnificus prof.dr. V. Subramaniam, in het openbaar te verdedigen ten overstaan van de promotiecommissie van de Faculteit der Exacte Wetenschappen op maandag 12 september 2016 om 11.45 uur in de aula van de universiteit, De Boelelaan 1105 door David Cornelis van Moolenbroek geboren te Amsterdam promotor: prof.dr. A.S. Tanenbaum To my parents Acknowledgments This book marks the end of both a professional and a personal journey–one that has been long but rewarding. There are several people whom I would like to thank for accompanying and helping me along the way. First and foremost, I would like to thank my promotor, Andy Tanenbaum. While I was finishing up my master project under his supervision, he casually asked me “Would you like to be my Ph.D student?” during one of our meetings. I did not have to think long about the answer. Right from the start, he warned me that I would now have to conduct original research myself; only much later did I understand the full weight of this statement. -
Free Software Philosophy, History and Practice
Introduction (and some quick reminders) History and philosophy Legal aspects Free Software Philosophy, history and practice Luca Saiu [email protected] http://ageinghacker.net GNU Project Screencast version Paris, October 2014 Luca Saiu <[email protected]> Free Software — Philosophy, history and practice Introduction (and some quick reminders) History and philosophy Legal aspects Introducing myself I’m a computer scientist living and working somewhere around Paris... ...and a GNU maintainer. I’m also an associate member of the Free Software Foundation, a fellow of the Free Software Foundation Europe and an April adherent. So I’m not an impartial observer. Luca Saiu <[email protected]> Free Software — Philosophy, history and practice Introduction (and some quick reminders) History and philosophy Legal aspects Contents 1 Introduction (and some quick reminders) 2 History and philosophy The hacker community The GNU Project and the Free Software movement Linux and the Open Source movement 3 Legal aspects Copyright Free Software licenses Luca Saiu <[email protected]> Free Software — Philosophy, history and practice Introduction (and some quick reminders) History and philosophy Legal aspects Reminders about software — source code vs. machine code Source code vs. machine code Quick demo Luca Saiu <[email protected]> Free Software — Philosophy, history and practice Programs are linked to libraries static libraries shared libraries Libraries (or programs) request services to the kernel Programs invoke with other programs Programs communicate with other programs... ...on the same machine ...over the network We’re gonna see that this has legal implications. Introduction (and some quick reminders) History and philosophy Legal aspects Reminders about software — linking In practice, programs don’t exist in isolation. -
The Flask Security Architecture: System Support for Diverse Security Policies
The Flask Security Architecture: System Support for Diverse Security Policies Ray Spencer Secure Computing Corporation Stephen Smalley, Peter Loscocco National Security Agency Mike Hibler, David Andersen, Jay Lepreau University of Utah http://www.cs.utah.edu/flux/flask/ Abstract and even many types of policies [1, 43, 48]. To be gen- erally acceptable, any computer security solution must Operating systems must be flexible in their support be flexible enough to support this wide range of security for security policies, providing sufficient mechanisms for policies. Even in the distributed environments of today, supporting the wide variety of real-world security poli- this policy flexibility must be supported by the security cies. Such flexibility requires controlling the propaga- mechanisms of the operating system [32]. tion of access rights, enforcing fine-grained access rights and supporting the revocation of previously granted ac- Supporting policy flexibility in the operating system is cess rights. Previous systems are lacking in at least one a hard problem that goes beyond just supporting multi- of these areas. In this paper we present an operating ple policies. The system must be capable of supporting system security architecture that solves these problems. fine-grained access controls on low-level objects used to Control over propagation is provided by ensuring that perform higher-level functions controlled by the secu- the security policy is consulted for every security deci- rity policy. Additionally, the system must ensure that sion. This control is achieved without significant perfor- the propagation of access rights is in accordance with mance degradation through the use of a security decision the security policy. -
Microkernels Meet Recursive Virtual Machines
Microkernels Meet Recursive Virtual Machines Bryan Ford Mike Hibler Jay Lepreau Patrick Tullmann Godmar Back Stephen Clawson Department of Computer Science, University of Utah Salt Lake City, UT 84112 [email protected] http://www.cs.utah.edu/projects/flux/ Abstract ªverticallyº by implementing OS functionalityin stackable virtual machine monitors, each of which exports a virtual Thispaper describes a novel approach to providingmod- machine interface compatible with the machine interface ular and extensible operating system functionality and en- on which it runs. Traditionally,virtual machines have been capsulated environments based on a synthesis of micro- implemented on and export existing hardware architectures kernel and virtual machine concepts. We have developed so they can support ªnaiveº operating systems (see Fig- a software-based virtualizable architecture called Fluke ure 1). For example, the most well-known virtual machine that allows recursive virtual machines (virtual machines system, VM/370 [28, 29], provides virtual memory and se- running on other virtual machines) to be implemented ef- curity between multiple concurrent virtual machines, all ®ciently by a microkernel running on generic hardware. exporting the IBM S/370 hardware architecture. Further- A complete virtual machine interface is provided at each more, special virtualizable hardware architectures [22, 35] level; ef®ciency derives from needing to implement only have been proposed, whose design goal is to allow virtual new functionality at each level. This infrastructure allows machines to be stacked much more ef®ciently. common OS functionality, such as process management, demand paging, fault tolerance, and debugging support, to This paper presents a new approach to OS extensibil- be provided by cleanly modularized, independent, stack- ity which combines both microkernel and virtual machine able virtual machine monitors, implemented as user pro- concepts in one system. -
All Computer Applications Need to Store and Retrieve Information
MyFS: An Enhanced File System for MINIX A Dissertation Submitted in partial fulfillment of the requirement for the award of the degree of MASTER OF ENGINEERING ( COMPUTER TECHNOLOGY & APPLICATIONS ) By ASHISH BHAWSAR College Roll No. 05/CTA/03 Delhi University Roll No. 3005 Under the guidance of Prof. Asok De Department Of Computer Engineering Delhi College Of Engineering, New Delhi-110042 (University of Delhi) July-2005 1 CERTIFICATE This is to certify that the dissertation entitled “MyFS: An Enhanced File System for MINIX” submitted by Ashish Bhawsar in the partial fulfillment of the requirement for the award of degree of Master of Engineering in Computer Technology and Application, Delhi College of Engineering is an account of his work carried out under my guidance and supervision. Professor D. Roy Choudhury Professor Asok De Head of Department Head of Department Department of Computer Engineering Department of Information Technology Delhi College of Engineering Delhi College of Engineering Delhi Delhi 2 ACKNOWLEDGEMENT It is a great pleasure to have the opportunity to extent my heartiest felt gratitude to everybody who helped me throughout the course of this project. I would like to express my heartiest felt regards to Dr. Asok De, Head of the Department, Department of Information Technology for the constant motivation and support during the duration of this project. It is my privilege and owner to have worked under the supervision. His invaluable guidance and helpful discussions in every stage of this thesis really helped me in materializing this project. It is indeed difficult to put his contribution in few words. I would also like to take this opportunity to present my most sincere regards to Dr. -
Composing Abstractions Using the Null-Kernel
Composing Abstractions using the null-Kernel James Litton Deepak Garg University of Maryland Max Planck Institute for Software Systems Max Planck Institute for Software Systems [email protected] [email protected] Peter Druschel Bobby Bhattacharjee Max Planck Institute for Software Systems University of Maryland [email protected] [email protected] CCS CONCEPTS hardware, such as GPUs, crypto/AI accelerators, smart NICs/- • Software and its engineering → Operating systems; storage devices, NVRAM etc., and to efficiently support new Layered systems; • Security and privacy → Access control. application requirements for functionality such as transac- tional memory, fast snapshots, fine-grained isolation, etc., KEYWORDS that demand new OS abstractions that can exploit existing hardware in novel and more efficient ways. Operating Systems, Capability Systems At its core, the null-Kernel derives its novelty from being ACM Reference Format: able to support and compose across components, called Ab- James Litton, Deepak Garg, Peter Druschel, and Bobby Bhattachar- stract Machines (AMs) that provide programming interfaces jee. 2019. Composing Abstractions using the null-Kernel. In Work- at different levels of abstraction. The null-Kernel uses an ex- shop on Hot Topics in Operating Systems (HotOS ’19), May 13–15, 2019, Bertinoro, Italy. ACM, New York, NY, USA, 6 pages. https: tensible capability mechanism to control resource allocation //doi.org/10.1145/3317550.3321450 and use at runtime. The ability of the null-Kernel to support interfaces at different levels of abstraction accrues several 1 INTRODUCTION benefits: New hardware can be rapidly deployed using rela- tively low-level interfaces; high-level interfaces can easily Abstractions imply choice, one that OS designers must con- be built using low-level ones; and applications can benefit front when designing a programming interface to expose. -
Bushnell Family Genealogy, 1945
BUSHNELL FAMILY GENEALOGY Ancestry and Posterity of FRANCIS BUSHNELL (1580 - 1646) of Horsham, England And Guilford, Connecticut Including Genealogical Notes of other Bushnell Families, whose connections with this branch of the family tree have not been determined. Compiled and written by George Eleazer Bushnell Nashville, Tennessee 1945 Bushnell Genealogy 1 The sudden and untimely death of the family historian, George Eleazer Bushnell, of Nashville, Tennessee, who devoted so many years to the completion of this work, necessitated a complete change in its publication plans and we were required to start anew without familiarity with his painstaking work and vast acquaintance amongst the members of the family. His manuscript, while well arranged, was not yet ready for printing. It has therefore been copied, recopied and edited, However, despite every effort, prepublication funds have not been secured to produce the kind of a book we desire and which Mr. Bushnell's painstaking work deserves. His material is too valuable to be lost in some library's manuscript collection. It is a faithful record of the Bushnell family, more complete than anyone could have anticipated. Time is running out and we have reluctantly decided to make the best use of available funds by producing the "book" by a process of photographic reproduction of the typewritten pages of the revised and edited manuscript. The only deviation from the original consists in slight rearrangement, minor corrections, additional indexing and numbering. We are proud to thus assist in the compiler's labor of love. We are most grateful to those prepublication subscribers listed below, whose faith and patience helped make George Eleazer Bushnell's book thus available to the Bushnell Family. -
AHS 02 02 Content 20140102
Advances in Historical Studies, 2013, 2, 19-104 Published Online June 2013 in SciRes (http://www.scirp.org/journal/ahs/) TABLE OF CONTENTS Volume 2 Number 2 June 2013 Letter from Chief-Managing Editorial Staff ARTICLES The Roots of the Theoretical Models of the Nanotechnoscience in the Electric Circuit Theory V. Gorokhov……………………………………………………………..…………………………………………………………………………19 Reflections on the Scientific Conceptual Streams in Leonardo da Vinci and His Relationship with Luca Pacioli R. Pisano……………………………………………………………………………………………………………………………………………32 Reclaiming Realism for the Left: Gar Alperovitz and the Decision to Use the Atomic Bomb P. N. Kirstein……………………………………………………………………………………………………………………….………………46 MISCELLANEA Megalithism and Tribal Ritualism: A Passage through the Kurumbas of Attappadi M. Poyil…………………………………………………………………………………………………………………………………….………54 Temple as the Site of Struggle: Social Reform, Religious Symbols and the Politics of Nationalism in Kerala M. R. Manmathan……………………………………………………………………………………………………………..……………………57 Communities Inferred from the Books of Samuel in the Old Testament of the Bible W. Hu………………………………………………………………………………………………………………………………………………70 Les Châteaux de Landiras et de Montferrand and Their Seigneurial Families D. A. Bailey………………………………………………………………………………………………………...………………………………81 ESSAY REVIEW Borderland Theory as a Conceptual Framework for Comparative Local US and Canadian History C. Parham…………………………………………………………………………………………………………………………..………………94 Jacket: L’histoire comme images d’autres mondes [The history as images -
Harvard Cs252r Fa'13
Type Enforcement & Pluggable MAC Harvard CS252r Fa’13 Tuesday, October 22, 13 1 Practical Domain and Type Enforcement for UNIX • Badger, et al. 1995 • Trusted Information Systems Tuesday, October 22, 13 2 Domain and Type Enforcement • Every Subject is associated with a Domain • Every Object is associated with a Type Tuesday, October 22, 13 3 Boebart and Kain ’85 [7], page 23 introduces this a given user could have multiple subjects operating in diferent domains dynamically, it seems a subject and an object are associated with just one, statically: could be anything Domain and Type Enforcement • Domain Definition Table • Domain’s Access Rights to each Type • read, write, etc. • Domain Interaction Table • Domain’s Access Rights to other Domains • signal, create, destroy, etc. Tuesday, October 22, 13 4 Domain and Type Enforcement • Strict Superset of Lattice-Expressible Security Policies Tuesday, October 22, 13 5 Domain and Type Enforcement Manager budget designs Accountant Engineer salary Tuesday, October 22, 13 6 DTEL Domain and Type Enforcement Language • Encompasses Existing Security Policies • Hierarchical Types • Simple, Declarative Language Tuesday, October 22, 13 7 DTEL Operating System Entities File Hierarchy Process Hierarchy Figure 1: Mismatch Between Policy Concepts and System Structures trol configurations. A DTE specification includes ration: the type statement, the domain statement, the security attribute associations such as typelfile tnitial-domain statement, and the assign statement.’ associations as well as other access control in- The purpose of this section is not to fully document Tuesday,formation. October 22, 13 The language provides a high-level DTEL, but to demonstrate through a small example 8 view of information traditionally enurnerated in that a meaningful DTEL policy can be expressed com- type enforcement tables and includes facilities pletely in a form simple and concise enough to be ad- for superimposing security attribute bindings and ministered at reasonable cost. -
Capability Myths Demolished
Capability Myths Demolished Mark S. Miller Ka-Ping Yee Jonathan Shapiro Combex, Inc. University of California, Berkeley Johns Hopkins University [email protected] [email protected] [email protected] ABSTRACT The second and third myths state false limitations on We address three common misconceptions about what capability systems can do, and have been capability-based systems: the Equivalence Myth (access propagated by a series of research publications over the control list systems and capability systems are formally past 20 years (including [2, 3, 7, 24]). They have been equivalent), the Confinement Myth (capability systems cited as reasons to avoid adopting capability models cannot enforce confinement), and the Irrevocability and have even motivated some researchers to augment Myth (capability-based access cannot be revoked). The capability systems with extra access checks [7, 13] in Equivalence Myth obscures the benefits of capabilities attempts to fix problems that do not exist. The myths as compared to access control lists, while the Confine- about what capability systems cannot do continue to ment Myth and the Irrevocability Myth lead people to spread, despite formal results [22] and practical see problems with capabilities that do not actually exist. systems [1, 9, 18, 21] demonstrating that they can do these supposedly impossible things. The prevalence of these myths is due to differing inter- pretations of the capability security model. To clear up We believe these severe misunderstandings are rooted the confusion, we examine three different models that in the fact that the term capability has come to be have been used to describe capabilities, and define a set portrayed in terms of several very different security of seven security properties that capture the distinctions models. -
What Have We Learnt in 20 Years of L4 Microkernels?
Lecture 6 From L3 to seL4: What Have We Learnt in 20 Years of L4 Microkernels? Kevin Elphinstone and Gernot Heiser Operating Systems Practical 12 November, 2014 OSP Lecture 6, L4 Microkernels 1/42 Contents Introduction and design principles Brief history of microkernels L4: Basic abstractions L4: Design and implementation choices Keywords Questions OSP Lecture 6, L4 Microkernels 2/42 Outline Introduction and design principles Brief history of microkernels L4: Basic abstractions L4: Design and implementation choices Keywords Questions OSP Lecture 6, L4 Microkernels 3/42 Context and terminology I Operating system I Kernel I Monolithic kernel I Microkernel OSP Lecture 6, L4 Microkernels 4/42 Operating system I abbrv. OS I Software (collection) to interface hardware with user I Components: I Kernel: Linux, FreeBSD, Windows NT, XNU, L4, ::: I Services/daemons: sysvinit, CUPS print server, udev, ::: I Utilities: ls, Windows Commander, top I Other applications OSP Lecture 6, L4 Microkernels 5/42 Kernel I Components directly interfacing with hardware I Examples? I \Core" of OS I No general definition of \core" OSP Lecture 6, L4 Microkernels 6/42 Monolithic vs. Micro-kernel Application Syscall User VFS "ode Uni File Server Device Server IPC, file system Application Driver Scheduler, virtual memory !ernel "ode Device drivers, dispatcher IPC, virtual memory IPC Hardware Hardware Source: http://www.cse.unsw.edu.au/ OSP Lecture 6, L4 Microkernels 7/42 Monolithic vs. Micro-kernel Monolithic kernel Microkernel I IPC, scheduling, I IPC, scheduling, memory management memory management I File systems I API closer to the I Drivers hardware I Higher-level API OSP Lecture 6, L4 Microkernels 8/42 Microkernel principles: minimality I If it's not critical, leave it out of the kernel I Pros: I Small code base I Easy to debug I Trusted Computing Base, feasible for formal verification I Cons: I Harder to find the \right" API design I Harder to optimize for high-performance OSP Lecture 6, L4 Microkernels 9/42 Microkernel principles: user-level services I Drivers, file systems, etc. -
Microkernel OS Evolution
COMP9242 Advanced OS S2/2018 W01: Introduction to seL4 @GernotHeiser Copyright Notice These slides are distributed under the Creative Commons Attribution 3.0 License • You are free: – to share—to copy, distribute and transmit the work – to remix—to adapt the work • under the following conditions: – Attribution: You must attribute the work (but not in any way that suggests that the author endorses you or your use of the work) as follows: “Courtesy of Gernot Heiser, UNSW Sydney” The complete license text can be found at http://creativecommons.org/licenses/by/3.0/legalcode 2 COMP9242 S2/2018 W01 © 2017 Gernot Heiser. Distributed under CC Attribution License Reducing Trusted Computing Base: Microkernels • Idea of microkernel: IPC performance – Flexible, minimal platform is critical! – Mechanisms, not policies – Actual OS functionality provided by user-mode servers – Servers invoked by kernel-provided message-passing mechanism (IPC) – Goes back to Nucleus [Brinch Hansen’70] Application Syscall VFS User Unix File Mode Server Device Server IPC, file system Application Driver Kernel Scheduler, virtual memory Mode Device drivers, dispatcher IPC, virtual memory IPC Hardware Hardware 3 COMP9242 S2/2018 W01 © 2017 Gernot Heiser. Distributed under CC Attribution License Monolithic vs Microkernel OS Evolution Monolithic OS Microkernel OS • New features add code kernel • Features add usermode code • New policies add code kernel • Policies replace usermode code • Kernel complexity grows • Kernel complexity is stable • Adaptable • Dependable Application • Highly optimised Syscall VFS User Unix File Mode Server Device Server IPC, file system Application Driver Kernel Scheduler, virtual memory Mode Device drivers, dispatcher IPC, virtual memory IPC Hardware Hardware 4 COMP9242 S2/2018 W01 © 2017 Gernot Heiser.