Securing Linux


How to Cheat at Securing Linux

Mohan Krishnamurthy
Eric S. Seagren
Raven Alder
Aaron W. Bayles
Josh Burke
Skip Carter
Eli Faskha

Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Elsevier, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803

How to Cheat at Securing Linux

Copyright © 2008 by Elsevier, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN-13: 978-1-59749-207-2

Publisher: Amorette Pedersen
Cover Designer: Michael Kavish
Acquisitions Editor: Andrew Williams
Indexer: Michael Ferreira
Page Layout and Art: Patricia Lupien

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email [email protected].

Contributing Authors

Mohan Krishnamurthy Madwachar (OPSA, OPST) is the GM – Network Security, Almoayed Group, Bahrain. Mohan is a key contributor to their projects division and plays an important role in the organization’s Network Security initiatives. Mohan comes from a strong networking, security and training background. His tenure with companies, such as Schlumberger Omnes and Secure Network Solutions India adds to his experience and expertise in implementing large and complex network and security projects. Mohan holds leading IT industry standard and vendor certifications in systems, networking and security. He is a member of the IEEE and PMI. Mohan would like to dedicate his contributions to this book to his brother Anand, his wife Preethi Anand and their sweet daughter Janani. Mohan has co-authored two books Designing & Building Enterprise DMZs (ISBN: 1597491004) and Configuring Juniper Networks NetScreen & SSG Firewalls (ISBN: 1597491187) published by Syngress. He also writes in newspaper columns on various subjects and has contributed to leading content companies as a technical writer and a subject matter expert.

Eric S. Seagren (CISA, CISSP-ISSAP, SCNP, CCNA, CNE-4, MCP+I, MCSE-NT) has 10 years of experience in the computer industry, with the last eight years spent in the financial services industry working for a Fortune 100 company. Eric started his computer career working on Novell servers and performing general network troubleshooting for a small Houston-based company. Since he has been working in the financial services industry, his position and responsibilities have advanced steadily. His duties have included server administration, disaster recovery responsibilities, business continuity coordinator, Y2K remediation, network vulnerability assessment, and risk management responsibilities. He has spent the last few years as an IT architect and risk analyst, designing and evaluating secure, scalable, and redundant networks. Eric has worked on several books as a contributing author or technical editor. These include Hardening Network Security (McGraw-Hill), Hardening Network Infrastructure (McGraw-Hill), Hacking Exposed: Cisco Networks (McGraw-Hill), Configuring Check Point NGX VPN-1/FireWall-1 (Syngress), Firewall Fundamentals (Cisco Press), and Designing and Building Enterprise DMZs (Syngress). He has also received a CTM from Toastmasters of America.

Aaron W. Bayles is a senior security consultant with Sentigy, Inc. of Houston, TX. He provides service to Sentigy’s clients with penetration testing, vulnerability assessment, and risk assessments for enterprise networks. He has over 9 years experience with INFOSEC, with specific experience in wireless security, penetration testing, and incident response. Aaron’s background includes work as a senior security engineer with SAIC in Virginia and Texas. He is also the lead author of the Syngress book, InfoSec Career Hacking, Sell your Skillz, Not Your Soul. Aaron has provided INFOSEC support and penetration testing for multiple agencies in the U.S. Department of the Treasury, such as the Financial Management Service and Securities and Exchange Commission, and the Department of Homeland Security, such as U. S. Customs and Border Protection. He holds a Bachelor’s of Science degree in Computer Science with post-graduate work in Embedded Linux Programming from Sam Houston State University and is also a CISSP.

Raven Alder is a Senior Security Engineer for IOActive, a consulting firm specializing in network security design and implementation. She specializes in scalable enterprise-level security, with an emphasis on defense in depth. She designs large-scale firewall and IDS systems, and then performs vulnerability assessments and penetration tests to make sure they are performing optimally. In her copious spare time, she teaches network security for LinuxChix.org and checks cryptographic vulnerabilities for the Open Source Vulnerability Database. Raven lives in Seattle, WA. Raven was a contributor to Nessus Network Auditing (Syngress Publishing, ISBN: 1-931836-08-6).

Dr. Everett F. (Skip) Carter, Jr. is President of Taygeta Network Security Services (a division of Taygeta Scientific Inc.). Taygeta Scientific Inc. provides contract and consulting services in the areas of scientific computing, smart instrumentation, and specialized data analysis. Taygeta Network Security Services provides security services for real-time firewall and IDS management and monitoring, passive network traffic analysis audits, external security reviews, forensics, and incident investigation. Skip holds a Ph.D. and an M.S. in Applied Physics from Harvard University. In addition he holds two Bachelor of Science degrees (Physics and Geophysics) from the Massachusetts Institute of Technology. Skip is a member of the American Society for Industrial Security (ASIS). He was contributing author of Syngress Publishing’s book, Hack Proofing XML (ISBN: 1-931836-50-7). He has authored several articles for Dr. Dobbs Journal and Computer Language as well as numerous scientific papers and is a former columnist for Forth Dimensions magazine. Skip resides in Monterey, CA, with his wife, Trace, and his son, Rhett.

Josh Burke (CISSP) is an independent information security consultant in Seattle, Washington. He has held positions in networking, systems, and security over the past seven years in the technology, financial, and media sectors. A graduate of the business school at the University of Washington, Josh concentrates on balancing technical and business needs for companies in the many areas of information security. He also promotes an inclusive, positive security philosophy for companies, which encourages communicating the merits and reasons for security policies, rather than educating only on what the policies forbid. Josh is an expert in open-source security applications such as Snort, Ethereal, and Nessus. His research interests include improving the security and resilience of the Domain Name System (DNS) and the Network Time Protocol (NTP). He also enjoys reading about the mathematics and history of cryptography, but afterward often knows less about the subject than when he started.

Eli Faskha (Security+, Check Point Certified Master Architect, CCSI, CCSE, CCSE+, MCP). Based in Panama City, Panama, Eli is Founder and President of Soluciones Seguras, a company that specializes in network security and is a Check Point Gold Partner and Nokia Authorized Partner. He was Assistant Technical Editor for Syngress’ Configuring Check Point NGX VPN-1/Firewall-1 (ISBN: 1597490318) book and Contributing Author for Syngress’ Building DMZs for the Enterprise (ISBN: 1597491004). Eli is the most experienced Check Point Certified Security Instructor and Nokia Instructor in the region, and