DOCSLIB.ORG

Clean Application Compartmentalization with SOAAP

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Clean Application Compartmentalization with SOAAP Clean Application Compartmentalization with SOAAP Khilan Gudka Robert N.M. Watson Jonathan Anderson University of Cambridge University of Cambridge Memorial University Cambridge, UK Cambridge, UK St. Johns, NL, Canada [email protected] [email protected] [email protected] David Chisnall Brooks Davis Ben Laurie University of Cambridge SRI International Google UK Ltd. Cambridge, UK Menlo Park, CA, USA London, UK [email protected] [email protected] [email protected] Ilias Marinos Peter G. Neumann Alex Richardson University of Cambridge SRI International University of Cambridge Cambridge, UK Menlo Park, CA, USA Cambridge, UK [email protected] [email protected] [email protected] ABSTRACT ploitation of vulnerabilities. It seeks to employ the prin- Application compartmentalization, a vulnerability mitiga- ciple of least privilege by granting each compartment only tion technique employed in programs such as OpenSSH and the rights that it requires to operate [37]. It is used in the Chromium web browser, decomposes software into iso- software ranging from OpenSSH [35] to the Chromium web lated components to limit privileges leaked or otherwise browser [36] to limit rights available to an attacker follow- available to attackers. However, compartmentalizing appli- ing a successful exploit. Recently disclosed vulnerabilities cations { and maintaining that compartmentalization { is such as Heartbleed [29], Shellshock [31], and a symlink at- hindered by ad hoc methodologies and significantly increased tack vulnerability in Wget [30], illustrate the importance of programming effort. In practice, programmers stumble protecting software not just from known exploit techniques through (rather than overtly reason about) compartmental- (e.g., stack canaries mitigating buffer overflows), but also ization spaces of possible decompositions, unknowingly trad- from unknown future classes of vulnerabilities. ing off correctness, security, complexity, and performance. Application compartmentalization proves surprisingly We present a new conceptual framework embodied in an subtle: contrary to the implied suggestion of simplistic de- LLVM-based tool: the Security-Oriented Analysis of Appli- scriptions (\Application X has been privilege separated"), cation Programs (SOAAP) that allows programmers to rea- there are many possible compartmentalizations of most pro- son about compartmentalization using source-code annota- grams within a compartmentalization space that reflects dif- tions (compartmentalization hypotheses). We demonstrate ferent tradeoffs among correctness, security, complexity, and considerable benefit when creating new compartmentaliza- performance. Selecting a suitable point in this space is tions for complex applications, and analyze existing com- challenging, as implementing compartmentalization requires partmentalized applications to discover design faults and considerable effort and can disrupt code structure. This maintenance issues arising from application evolution. choice is crucial, as it can be difficult to change strategy after implementation: the non-trivial code changes made to application structure are often specific to the selected com- Categories and Subject Descriptors partmentalization. Design choices and tradeoffs are infre- D.4.6 [Operating Systems]: Security and Protection quently revisited { even as understanding of program secu- rity grows due to discovered vulnerabilities, or as program Keywords functionality evolves beyond its compartmentalization. Reasoning about compartmentalization tradeoffs is diffi- Security, Compartmentalization, Vulnerability Mitigation cult for many reasons. Information about past vulnerabil- ities { often a good predictor of future vulnerabilities { is 1. INTRODUCTION not easily accessible. Call graphs of compartmentalized ap- Application compartmentalization decomposes software plications are extremely complex, and simple control-flow into isolated but collaborating components to mitigate ex- analysis cannot follow manually encoded cross-domain ac- tions { typically via Inter-Process Communication (IPC) { Permission to make digital or hard copies of all or part of this work for personal or found in real-world applications. Even where call graphs classroom use is granted without fee provided that copies are not made or distributed can be extracted, control flow is only a starting point: in for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the the compartmentalization adversary model, naively written author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or code may be vulnerable, but it is exposure to malicious data republish, to post on servers or to redistribute to lists, requires prior specific permission that causes exploits { requiring reasoning about a combi- and/or a fee. Request permissions from [email protected]. nation of vulnerabilities, information flow from dangerous CCS’15 October 12–16, 2015, Denver, Colorado, USA. sources, and uncompartmentalized code. Application fail- Copyright is held by the owner/author(s). Publication rights licensed to ACM. ures due to compartmentalization are frequently mysterious: ACM 978-1-4503-3832-5/15/10$15.00 DOI: http://dx.doi.org/10.1145/2810103.2813611. the libraries they link against are often designed without the expectation of sandboxing, and failures may not be detected 2. CONCEPTUAL FRAMEWORK by testing. Finally, performance characteristics are critical, Application compartmentalization rests on the principle of with compartmentalization boundaries often selected that least privilege: compromised components yield fewer rights are not based on ideal security boundaries, but rather on ac- to attackers, and offer fewer opportunities to compromise the ceptable performance (e.g., in Capsicum where gzip rather rest of the system. Karger first proposed using access con- than zlib is sandboxed [41]). Even then, performance im- trol for vulnerability mitigation while working on capability pacts are difficult to predict. systems [18], and took as his threat model the trojan horse: Application developers would ideally be able to explore subverted software working on behalf of the adversary. Con- how new or changing compartmentalization would affect fac- temporary compartmentalization for vulnerability mitiga- tors such as security and performance without paying the full tion, sometimes referred to as privilege separation, saw its cost of implementation, letting them more easily identify a foundations in work by Provos et al. [35] and Kilpatrick [19], preferred spot in the compartmentalization space. For ex- and has been applied to complex, security-relevant programs ample, partitioning decompression from decryption can pre- such as OpenSSH and the Chromium web browser, both of vent decompression-related vulnerabilities from leaking key- which hold substantial effective privilege and perform com- ing material { but at great costs to both code complexity plex processing of untrustworthy, network-originated data. and run-time performance. The overhead of this compart- Compartmentalization adopts a de facto, and quite strong, mentalization may be too high for production use, requiring threat model in which attackers gain total control of com- another approach, such as having per-client compartments. promised compartments as a result of poorly crafted C code This exploration is comparable to the use of performance- (or other program weaknesses) being being exposed to ma- profiling tools to identify the hot spots in an application licious input. For example, buffer-overflow attacks triggered that would benefit most from optimization. Similarly, se- by network input might allow malicious code to be executed, curity profiling tools could enable the developer to deter- or program control flow to be fully subverted by the at- mine whether a particular compartmentalization was \worth tacker. We generalize this model, adding software supply- it", namely that it would give sufficient security gains while chain vulnerabilities involving explicitly trojaned software not exceeding tolerable performance overheads. Such an ap- without the need for malicious input { e.g., back doors be- proach would also allow continuous automatic reevaluation ing inserted following compromise of a software vendor's as application source code evolves, ensuring that, for exam- source-code repository. Weaker attacks, which fall short of ple, refactorings do not accidentally move vulnerable code arbitrary code execution, are also important: the OpenSSL to a more privileged context. To this end, this paper: Heartbleed vulnerability allows read access to victim mem- • Describes a conceptual framework for compartmental- ory, which might reveal keys allowing further access, but ization grounded in isolation and controlled communi- does not immediately allow arbitrary manipulation. cation. Possible program compartmentalizations, each Compartmentalization rests on three underpinnings: a with differing design tradeoffs in terms of complexity, strong Trusted Computing Base (TCB) able to protect its performance, security, and functionality, exist within own integrity [2]; compartment isolation (implemented by compartmentalization spaces. We also describe a set of the TCB), which provides strong prevention of interference compartmentalization design patterns reflecting com- between isolated program instances [10]; and controlled com- mon approaches
Load more

Recommended publications
  • Katalog Elektronskih Knjiga
    KATALOG ELEKTRONSKIH KNJIGA Br Autor Naziv Godina ISBN Str. Porijeklo izdavanja 1 Peter Kent Pay Per Click Search 2006 0-471-74594-3 130 Kupovina Engine Marketing for Dummies 2 Terry Large Access 1 2007 Internet Freeware 3 Kevin Smith Excel Lassons & Tutorials 2004 Internet Freeware 4 Terry Michael Photografy Tutorials 2006 Internet Freeware Janine Peterson Phil Pivnick 5 Jake Ludington Converting Vinyl LPs 2003 Internet Freeware to CD 6 Allen Wyatt Cleaning Windows XP 2004 0-7645-7311-X Poklon for Dummies 7 Peter Kent Sarch Engine Optimization 2006 0-4717-5441-2 Kupovina for Dummies 8 Terry Large Access 2 2007 Internet Freeware 9 Dirk Dupon How to write, create, 2005 Internet Freeware promote and sell E-books on the Internet 10 Chayden Bates eBook Marketing 2000 Internet Freeware Explained 11 Kevin Sinclair How To Choose A 1999 Internet Freeware Homebased Bussines 12 Bob McElwain 101 Newbie-Frendly Tips 2001 Internet Freeware 13 Windows Basics 2004 Poklon 14 Michael Abrash Zen of Graphic 2005 Poklon Programming, 2. izdanje 15 13 Hot Internet 2000 Internet Freeware Moneymaking Methods 16 K. Williams The Complete HTML 1998 Poklon Teacher 17 C. Darwin On the Origin of Species Internet Freeware 2/175 Br Autor Naziv Godina ISBN Str. Porijeklo izdavanja 18 C. Darwin The Variation of Animals Internet Freeware 19 Bruce Eckel Thinking in C++, Vol 1 2000 Internet Freeware 20 Bruce Eckel Thinking in C++, Vol 2 2000 Internet Freeware 21 James Parton Captains of Industry 1890 399 Internet Freeware 22 Bruno R. Preiss Data Structures and 1998 Internet
    [Show full text]
  • Mac OS X Server Administrator's Guide
    034-9285.S4AdminPDF 6/27/02 2:07 PM Page 1 Mac OS X Server Administrator’s Guide K Apple Computer, Inc. © 2002 Apple Computer, Inc. All rights reserved. Under the copyright laws, this publication may not be copied, in whole or in part, without the written consent of Apple. The Apple logo is a trademark of Apple Computer, Inc., registered in the U.S. and other countries. Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws. Apple, the Apple logo, AppleScript, AppleShare, AppleTalk, ColorSync, FireWire, Keychain, Mac, Macintosh, Power Macintosh, QuickTime, Sherlock, and WebObjects are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. AirPort, Extensions Manager, Finder, iMac, and Power Mac are trademarks of Apple Computer, Inc. Adobe and PostScript are trademarks of Adobe Systems Incorporated. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Netscape Navigator is a trademark of Netscape Communications Corporation. RealAudio is a trademark of Progressive Networks, Inc. © 1995–2001 The Apache Group. All rights reserved. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. 062-9285/7-26-02 LL9285.Book Page 3 Tuesday, June 25, 2002 3:59 PM Contents Preface How to Use This Guide 39 What’s Included
    [Show full text]
  • Bibliography of Erik Wilde
    dretbiblio dretbiblio Erik Wilde's Bibliography References [1] AFIPS Fall Joint Computer Conference, San Francisco, California, December 1968. [2] Seventeenth IEEE Conference on Computer Communication Networks, Washington, D.C., 1978. [3] ACM SIGACT-SIGMOD Symposium on Principles of Database Systems, Los Angeles, Cal- ifornia, March 1982. ACM Press. [4] First Conference on Computer-Supported Cooperative Work, 1986. [5] 1987 ACM Conference on Hypertext, Chapel Hill, North Carolina, November 1987. ACM Press. [6] 18th IEEE International Symposium on Fault-Tolerant Computing, Tokyo, Japan, 1988. IEEE Computer Society Press. [7] Conference on Computer-Supported Cooperative Work, Portland, Oregon, 1988. ACM Press. [8] Conference on Office Information Systems, Palo Alto, California, March 1988. [9] 1989 ACM Conference on Hypertext, Pittsburgh, Pennsylvania, November 1989. ACM Press. [10] UNIX | The Legend Evolves. Summer 1990 UKUUG Conference, Buntingford, UK, 1990. UKUUG. [11] Fourth ACM Symposium on User Interface Software and Technology, Hilton Head, South Carolina, November 1991. [12] GLOBECOM'91 Conference, Phoenix, Arizona, 1991. IEEE Computer Society Press. [13] IEEE INFOCOM '91 Conference on Computer Communications, Bal Harbour, Florida, 1991. IEEE Computer Society Press. [14] IEEE International Conference on Communications, Denver, Colorado, June 1991. [15] International Workshop on CSCW, Berlin, Germany, April 1991. [16] Third ACM Conference on Hypertext, San Antonio, Texas, December 1991. ACM Press. [17] 11th Symposium on Reliable Distributed Systems, Houston, Texas, 1992. IEEE Computer Society Press. [18] 3rd Joint European Networking Conference, Innsbruck, Austria, May 1992. [19] Fourth ACM Conference on Hypertext, Milano, Italy, November 1992. ACM Press. [20] GLOBECOM'92 Conference, Orlando, Florida, December 1992. IEEE Computer Society Press. http://github.com/dret/biblio (August 29, 2018) 1 dretbiblio [21] IEEE INFOCOM '92 Conference on Computer Communications, Florence, Italy, 1992.
    [Show full text]
  • Capsicum: Practical Capabilities for UNIX
    Capsicum: practical capabilities for UNIX Robert N. M. Watson Jonathan Anderson Ben Laurie University of Cambridge University of Cambridge Google UK Ltd. Kris Kennaway Google UK Ltd. Abstract significant technical limitations: current OS facilities are simply not designed for this purpose. Capsicum is a lightweight operating system capabil- The access control systems in conventional (non- ity and sandbox framework planned for inclusion in capability-oriented) operating systems are Discretionary FreeBSD 9. Capsicum extends, rather than replaces, Access Control (DAC) and Mandatory Access Control UNIX APIs, providing new kernel primitives (sandboxed (MAC). DAC was designed to protect users from each capability mode and capabilities) and a userspace sand- other: the owner of an object (such as a file) can specify box API. These tools support compartmentalisation of permissions for it, which are checked by the OS when monolithic UNIX applications into logical applications, the object is accessed. MAC was designed to enforce an increasingly common goal supported poorly by dis- system policies: system administrators specify policies cretionary and mandatory access control. We demon- (e.g. “users cleared to Secret may not read Top Secret strate our approach by adapting core FreeBSD utilities documents”), which are checked via run-time hooks in- and Google’s Chromium web browser to use Capsicum serted into many places in the operating system’s kernel. primitives, and compare the complexity and robustness Neither of these systems was designed to address the of Capsicum with other sandboxing techniques. case of a single application processing many types of in- formation on behalf of one user. For instance, a mod- 1 Introduction ern web browser must parse HTML, scripting languages, images and video from many untrusted sources, but be- Capsicum is an API that brings capabilities to UNIX.
    [Show full text]
  • Sandboxing with Capsicum
    SECURITY Sandboxing with Capsicum PAWEL JAKUB DAWIDEK AND MARIUSZ ZABORSKI Pawel Jakub Dawidek is a ery few programmers have managed to successfully use the principle co-founder and CTO at Wheel of least privilege, as found in OpenSSH, Postfix, and djbdns. Capsi- Systems and a FreeBSD cum, introduced in 2010, adds a capability model designed to make it committer who lives and works V easier for programmers to reason about how to split a program into privileged in Warsaw, Poland. He is the and unprivileged portions. In this article, we describe the changes made in author of various GEOM classes, including the disk-encryption class GELI; he implemented Capsicum since 2010, compare Capsicum to earlier sandboxing techniques, the Highly Available Storage (HAST) daemon and look at the new Casperd, which makes it simpler to split programs. for distributing audit trail files (auditdistd), and Long ago, people started to recognize that security models proposed by the mainstream nowadays is mostly working on the Capsicum operating systems, including Windows, Mac OS X, and all kinds of UNIX-like systems, are framework and the Casper daemon. simply naive: All you need to do is to write programs that have no bugs. That’s indeed naive. [email protected] Let’s also state an obvious rule: The more code we write, the more bugs we introduce, some of which may jeopardize the security of our system. Once we accept this fact, where do we go? Mariusz Zaborski is currently We could only develop very small programs, which are easy to audit, but this again would be working as a software a bit naive.
    [Show full text]
  • Site Map - Apache HTTP Server 2.0
    Site Map - Apache HTTP Server 2.0 Apache HTTP Server Version 2.0 Site Map ● Apache HTTP Server Version 2.0 Documentation ❍ Release Notes ■ Upgrading to 2.0 from 1.3 ■ New features with Apache 2.0 ❍ Using the Apache HTTP Server ■ Compiling and Installing Apache ■ Starting Apache ■ Stopping and Restarting the Server ■ Configuration Files ■ How Directory, Location and Files sections work ■ Server-Wide Configuration ■ Log Files ■ Mapping URLs to Filesystem Locations ■ Security Tips ■ Dynamic Shared Object (DSO) support ■ Content Negotiation ■ Custom error responses ■ Setting which addresses and ports Apache uses ■ Multi-Processing Modules (MPMs) ■ Environment Variables in Apache ■ Apache's Handler Use ■ Filters ■ suEXEC Support ■ Performance Hintes ■ URL Rewriting Guide ❍ Apache Virtual Host documentation ■ Name-based Virtual Hosts ■ IP-based Virtual Host Support ■ Dynamically configured mass virtual hosting ■ VirtualHost Examples ■ An In-Depth Discussion of Virtual Host Matching ■ File descriptor limitations ■ Issues Regarding DNS and Apache ❍ Apache Server Frequently Asked Questions http://httpd.apache.org/docs-2.0/sitemap.html (1 of 4) [5/03/2002 9:53:06 PM] Site Map - Apache HTTP Server 2.0 ■ Support ❍ Apache SSL/TLS Encryption ■ SSL/TLS Encryption: An Introduction ■ SSL/TLS Encryption: Compatibility ■ SSL/TLS Encryption: How-To ■ SSL/TLS Encryption: FAQ ■ SSL/TLS Encryption: Glossary ❍ Guides, Tutorials, and HowTos ■ Authentication ■ Apache Tutorial: Dynamic Content with CGI ■ Apache Tutorial: Introduction to Server Side Includes ■ Apache
    [Show full text]
  • December 2010 VOLUME 35 NUMBER 6
    December 2010 VOLUME 35 NUMBER 6 OPINION Musings 2 RikR FaR ow SECURITY Introducing Capsicum: Practical Capabilities for UNIX 7 Robe Rt N.M. watsoN, JoNathaN THE USENIX MAGAZINE aNdeRsoN, beN LauRie, aNd kRis keNNaway The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution 18 Moheeb abu Ra Jab, Lucas baLLaRd, PaNayiotis MavRoMMatis, NieLs PRovos, aNd XiN Zhao Vulnerable Compliance 26 d aN GeeR Overcoming an Untrusted Computing Base: Detecting and Removing Malicious Hardware Automatically 31 Matthew hicks, MuRPh FiNNicuM, saMueL t. kiNG, MiLo M.k. MaRtiN, aNd JoNathaN M. sMith C OLUMNS Practical Perl Tools: Family Man 42 d avid N. bLaNk-edeLMaN Pete’s All Things Sun: Comparing Solaris to RedHat Enterprise and AIX 48 Petee R ba R GaLviN iVoyeur: Ganglia on the Brain 54 d ave JosePhseN /dev/random 58 Robe Rt G. Fe RReLL BOEO K reVI WS Book Reviews 60 El iZabeth Zwicky et a L. useni X NOTES Thankso t Our Volunteers 64 Ell u ie yo ng CN O FERENCES 19th USENIX Security Symposium Reports 67 Report on the 5th USENIX Workshop on Hot Topics in Security 97 Report on the 1st USENIX Workshop on Health Security and Privacy 103 Report on the 4th USENIX Workshop on Offensive Technologies 112 Report on the New Security Paradigms Workshop 117 The Advanced Computing Systems Association dec10covers.indd 1 11.17.10 1:28 PM Upcoming Events 9th USENIX CoNfErence oN fIlE aNd StoragE 2011 USENIX fEdEratEd CoNfErences Week techNologies (FASt ’11) j une 12–17, 2011, portland, OR, uSa Sponsored by USENIX in cooperation with ACM SIGOPS EventS inclUdE:
    [Show full text]
  • A Bibliography of O'reilly & Associates and O
    A Bibliography of O'Reilly & Associates and O'Reilly Media. Inc. Publishers Nelson H. F. Beebe University of Utah Department of Mathematics, 110 LCB 155 S 1400 E RM 233 Salt Lake City, UT 84112-0090 USA Tel: +1 801 581 5254 FAX: +1 801 581 4148 E-mail: [email protected], [email protected], [email protected] (Internet) WWW URL: http://www.math.utah.edu/~beebe/ 08 February 2021 Version 3.67 Title word cross-reference #70 [1263, 1264]. #70-059 [1263]. #70-068 [1264]. 2 [949]. 2 + 2 = 5986 [1456]. 3 [1149, 1570]. *# [1221]. .Mac [1940]. .NET [1860, 22, 186, 342, 441, 503, 591, 714, 716, 721, 730, 753, 786, 998, 1034, 1037, 1038, 1043, 1049, 1089, 1090, 1091, 1119, 1256, 1468, 1858, 1859, 1863, 1899, 1900, 1901, 1917, 1997, 2029]. '05 [461, 1532]. 08 [1541]. 1 [1414]. 1.0 [1009]. 1.1 [59]. 1.2 [1582]. 1000 [1511]. 1000D [1073]. 10g [711, 710]. 10th [2109]. 11 [1385]. 1 2 2 [53, 209, 269, 581, 2134, 919, 940, 1515, 1521, 1530, 2023, 2045]. 2.0 [2, 55, 203, 394, 666, 941, 1000, 1044, 1239, 1276, 1504, 1744, 1801, 2073]. 2.1 [501]. 2.2 [201]. 2000 [38, 202, 604, 610, 669, 927, 986, 1087, 1266, 1358, 1359, 1656, 1751, 1781, 1874, 1959, 2069]. 2001 [96]. 2003 [70, 71, 72, 73, 74, 279, 353, 364, 365, 789, 790, 856, 987, 1146, 1960, 2026]. 2003-2013 [1746]. 2004 [1195]. 2005 [84, 151, 755, 756, 1001, 1041, 1042, 1119, 1122, 1467, 2120, 2018, 2056]. 2006 [152, 153]. 2007 [618, 726, 727, 728, 1123, 1125, 1126, 1127, 2122, 1973, 1974, 2030].
    [Show full text]
  • Protecting Commodity Operating Systems Through Strong Kernel Isolation
    Protecting Commodity Operating Systems through Strong Kernel Isolation Vasileios P. Kemerlis Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in the Graduate School of Arts and Sciences COLUMBIA UNIVERSITY 2015 c 2015 Vasileios P. Kemerlis All Rights Reserved ABSTRACT Protecting Commodity Operating Systems through Strong Kernel Isolation Vasileios P. Kemerlis Today’s operating systems are large, complex, and plagued with vulnerabilities that allow perpetrators to exploit them for profit. The constant rise in the number of software weak- nesses, coupled with the sophistication of modern adversaries, make the need for effective and adaptive defenses more critical than ever. In this dissertation, we develop a set of novel protection mechanisms, and introduce new concepts and techniques to secure commodity operating systems against attacks that exploit vulnerabilities in kernel code. Modern OSes opt for a shared process/kernel model to minimize the overhead of opera- tions that cross protection domains. However, this design choice provides a unique vantage point to local attackers, as it allows them to control—both in terms of permissions and contents—part of the memory that is accessible by the kernel, easily circumventing protec- tions like kernel-space ASLR and WˆX. Attacks that leverage the weak separation between user and kernel space, characterized as return-to-user (ret2usr) attacks, have been the de facto kernel exploitation technique in virtually every major OS, while they are not limited to the x86 platform, but have also targeted ARM and others. Given the multi-OS and cross-architecture nature of ret2usr threats, we propose kGuard: a kernel protection mechanism, realized as a cross-platform compiler extension, which can safeguard any 32- or 64-bit OS kernel from ret2usr attacks.
    [Show full text]
  • A Technical Summary
    A Technical Summary Table A.1. Kerberos administrative ACL (MIT) Allow Deny Operation a A Add principals or policies d D Delete principals or policies m M Modify principals or policies c C Change passwords i I Inquiry the database l L List principals or policies s S Set key for principals * or x Allow all privileges Table A.2. Kerberos kadmin password policies (MIT) Option Meaning -history Minimum count of unusable old passwords -maxlife Maximum allowed lifetime -minclasses Minimum character classes -minlength Minimum password length -minlife Minimum lifetime 380 A Technical Summary Table A.3. LDAP access control list levels Level Privilege Coding Explanation none =0 No access at all auth =x Permits authentication attempt compare =cx Permits comparison search =scx Permits search filter application read =rscx Permits search result inspection write =wrscx Permits modification or deletion Table A.4. The OpenAFS access control list attributes Permission Meaning l List contents (lookup) i Create new files or directories (insert) d Delete files or directories a Change ACL attributes of directories (administer) r Read contents of files w Modify contents of files (write) k Lock files for reading read Equivalent to rl write Equivalent to rlidwk (no administrative rights) all Equivalent to rlidwka none Remove all ACL permissions Table A.5. The OpenAFS @sys names (excerpt) @sys Architecture alpha dux40 Digital UNIX 4 on an Alpha alpha dux50 Digital UNIX 5 on an Alpha i386 linux24 Linux Kernel 2.4 on Intel and compatible i386 linux26 Linux Kernel 2.6 on Intel and compatible i386 nt40 Microsoft Windows NT and later on Intel and compatible ppc darwin70 Apple MacOS X 10.3 on a PowerPC Macintosh ppc darwin80 Apple MacOS X 10.4 on a PowerPC Macintosh ppc darwin90 Apple MacOS X 10.5 on a PowerPC Macintosh rs aix52 IBM AIX 5.2 on a pSeries rs aix53 IBM AIX 5.3 on a pSeries sgi 65 SGI Irix 6.5 on a MPIS x86 darwin80 Apple MacOS X 10.4 on an Intel Macintosh x86 darwin90 Apple MacOS X 10.5 on an Intel Macintosh A Technical Summary 381 Table A.6.
    [Show full text]
  • Operating Systems and Middleware: Supporting Controlled Interaction
    Operating Systems and Middleware: Supporting Controlled Interaction Max Hailperin Gustavus Adolphus College Revised Edition 1.1 July 27, 2011 Copyright c 2011 by Max Hailperin. This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA. Bibliography [1] Atul Adya, Barbara Liskov, and Patrick E. O’Neil. Generalized iso- lation level definitions. In Proceedings of the 16th International Con- ference on Data Engineering, pages 67–78. IEEE Computer Society, 2000. [2] Alfred V. Aho, Peter J. Denning, and Jeffrey D. Ullman. Principles of optimal page replacement. Journal of the ACM, 18(1):80–93, 1971. [3] AMD. AMD64 Architecture Programmer’s Manual Volume 2: System Programming, 3.09 edition, September 2003. Publication 24593. [4] Dave Anderson. You don’t know jack about disks. Queue, 1(4):20–30, 2003. [5] Dave Anderson, Jim Dykes, and Erik Riedel. More than an interface— SCSI vs. ATA. In Proceedings of the 2nd Annual Conference on File and Storage Technology (FAST). USENIX, March 2003. [6] Ross Anderson. Security Engineering: A Guide to Building Depend- able Distributed Systems. Wiley, 2nd edition, 2008. [7] Apple Computer, Inc. Kernel Programming, 2003. Inside Mac OS X. [8] Apple Computer, Inc. HFS Plus volume format. Technical Note TN1150, Apple Computer, Inc., March 2004. [9] Ozalp Babaoglu and William Joy. Converting a swap-based system to do paging in an architecture lacking page-referenced bits.
    [Show full text]
  • An Overview of Security in the Freebsd Kernel 131 Dr
    AsiaBSDCon 2014 Proceedings March 13-16, 2014 Tokyo, Japan Copyright c 2014 BSD Research. All rights reserved. Unauthorized republication is prohibited. Published in Japan, March 2014 INDEX P1A: Bold, fast optimizing linker for BSD — Luba Tang P1B: Visualizing Unix: Graphing bhyve, ZFS and PF with Graphite 007 Michael Dexter P2A: LLVM in the FreeBSD Toolchain 013 David Chisnall P2B: NPF - progress and perspective 021 Mindaugas Rasiukevicius K1: OpenZFS: a Community of Open Source ZFS Developers 027 Matthew Ahrens K2: Bambi Meets Godzilla: They Elope 033 Eric Allman P3A: Snapshots, Replication, and Boot-Environments—How new ZFS utilities are changing FreeBSD & PC-BSD 045 Kris Moore P3B: Netmap as a core networking technology 055 Luigi Rizzo, Giuseppe Lettieri, and Michio Honda P4A: ZFS for the Masses: Management Tools Provided by the PC-BSD and FreeNAS Projects 065 Dru Lavigne P4B: OpenBGPD turns 10 years - Design, Implementation, Lessons learned 077 Henning Brauer P5A: Introduction to FreeNAS development 083 John Hixson P5B: VXLAN and Cloud-based networking with OpenBSD 091 Reyk Floeter INDEX P6A: Nested Paging in bhyve 097 Neel Natu and Peter Grehan P6B: Developing CPE Routers based on NetBSD: Fifteen Years of SEIL 107 Masanobu SAITOH and Hiroki SUENAGA P7A: Deploying FreeBSD systems with Foreman and mfsBSD 115 Martin Matuška P7B: Implementation and Modification for CPE Routers: Filter Rule Optimization, IPsec Interface and Ethernet Switch 119 Masanobu SAITOH and Hiroki SUENAGA K3: Modifying the FreeBSD kernel Netflix streaming servers — Scott Long K4: An Overview of Security in the FreeBSD Kernel 131 Dr. Marshall Kirk McKusick P8A: Transparent Superpages for FreeBSD on ARM 151 Zbigniew Bodek P8B: Carve your NetBSD 165 Pierre Pronchery and Guillaume Lasmayous P9A: How FreeBSD Boots: a soft-core MIPS perspective 179 Brooks Davis, Robert Norton, Jonathan Woodruff, and Robert N.
    [Show full text]