• No results found

Administrivia. - Wednesday March 18, 12:15-3:15pm ingates B-01 - Open book, open notes, just like midterm - Covers material from all 19 lectures

N/A
N/A
Protected

Academic year: 2021

Share "Administrivia. - Wednesday March 18, 12:15-3:15pm ingates B-01 - Open book, open notes, just like midterm - Covers material from all 19 lectures"

Copied!
34
0
0

Loading.... (view fulltext now)

Full text

(1)

Administrivia

Last project due today

- Must hand in something by midnight even if you get extension

Final Exam

- Wednesday March 18, 12:15-3:15pm in

Gates B-01

- Open book, open notes, just like midterm

- Covers material from all 19 lectures

SCPD students please take in person if possible

- Otherwise, email cs140-staff your exam monitor’s email address (using subject exam monitor)

I have special office hours next Monday, 3:00-4:00pm

- I also plan to be around most of the afternoon that day, so stop by if you have questions before exam

(2)

Themes in OS research

Performance

Functionality

System management

Extensibility

Power consumption

Security

(3)

Performance

Performance improvements always welcome

- 10% is nice, but often not super interesting - 10x can actually enable new functionality

Through early 90s, a major focus of OS research

- Makes benefits nicely quantifiable - Let to lots of incremental work

But some performance work very interesting:

- Synthesis [Massalin]

- OS made extensive use of dynamic code generation for speed

Making logically synchronous disk accesses

asynchronous [Nightingale]

(4)

Functionality

Lots of work to make distributed systems transparent

- Network operating systems (Sprite, Amoeba) - Distributed shared memory (tons of papers) - Much of this work had little impact

Plan9 [Pike] – make all functionality available

through file namespace

- Developed by the inventors of Unix, who gave up on Unix - Invented now popular abstractions such as /proc

- Mount table is no longer global, but per process group - Lots of really cool benefits to unifying abstractions in FS:

(5)

System management

Already talked about virtual machines

Plan9’s features greatly simplified management

- E.g., backups available through file system under /dump

Storage management a huge deal

- Large, virtual disks (e.g., Petal [Lee]) - Serverless network file systems [Dahlin]

- Using desktop machines for storage (Farsite [Bolosky]) - Peer-to-peer network file systems (e.g., Ivy [Morris]) - Peer-to-peer backup (e.g., Pastiche [Cox])

Application abstraction (Singularity [Hunt])

- Avoid problems associated with installing software - Packages must describe themselves declaratively

(6)

Extensibility: Microkernels

Very popular in 1980s

Idea: Provide traditional OS abstractions in servers

- E.g., Virtual memory server, file system server - Could Make for better fault isolation

- Also makes it easier to develop new OS functionality

(debugging servers potentially easier than debugging kernel)

Kernel interface is very small

- E.g., just provide simple IPC abstractions

- Note: “micro” means small interface, not small code

Most well-known example: Mach 3

(7)

Extensibility: Other architectures

Big focus in mid-90s:

- Inspired by applications that fight with the OS

- E.g., database that has to bypass the OS buffer cache - Also CPUs still slow enough that hard to saturate net

One approach: Spin [Bershad]

- Download extensions into kernel using safe language - Safely run user code in kernel, saving context switch

Another approach: Exokernel [Engler/Kaashoek]

- “Exterminate all operating system abstractions”

- Idea: Kernel should provide protection, not abstraction - Implement abstractions in user-level library

(8)

Power management

Recent hot topic for sensor networks

- Battery-powered devices

- Deployed in environments where hard to change battery

- OS techniques can extend battery lifetime from days to months

Also becoming an issue for server farms

- Cost of power + cooling comparable to cost of hardware

Some techniques

- CPU voltage scaling (requires cutting frequency—when to do?) - Careful use of wireless networks

(9)

HiStar

Developed by Nickolai Zeldovich here at Stanford

Most software cannot be trusted

- Massive, complex systems no one fully understands - Not written by security-conscious programmers

- Even good programmers make mistakes

Yet this is what people develop and want to run

Address problem through better OS interface

- HiStar: a new OS that reduces trust in software while providing Unix-like environment

(10)

Examples

Symantec AntiVirus 10 contained remote exploit

- Software deployed on 200,000,000 systems

PayMaxx web site divulges social security numbers

- Test record had SSN 000–00–0000 and no password

- After login, could access records by consecutive serial number

The list goes on. . .

- CardSystems loses 40,000,000 credit card numbers

- Jacobsen compromises T-mobile, steals secret service mail - Recommendation letters for 10,000 Stanford applicants stolen

(11)

Anti-virus software details

AV

Helper

/tmp User Data Virus DB Network

TTY

User Update

Daemon AV

Scanner

Scanner – checks files for virus signatures

Update daemon – downloads new virus signatures

How to enforce security w/o trusting AV software?

- Must not leak contents of your files to network - Must not tamper with contents of your files

(12)

What can go wrong?

AV Helper /tmp Virus DB Network TTY User User Data Update Daemon AV Scanner

(13)

What can go wrong?

AV Helper /tmp Virus DB Network TTY User User Data Update Daemon AV Scanner

Scanner sends private data to update daemon

Update daemon sends data over network

(14)

What can go wrong?

AV Helper /tmp Virus DB Network TTY User User Data Update Daemon AV Scanner

Scanner writes data to world-readable file in /tmp

(15)

What can go wrong?

AV Helper /tmp Virus DB Network TTY User User Data Update Daemon AV Scanner

Scanner acquires read locks on virus database

- Encodes user data by locking various ranges of file

Update daemon decodes data by detecting locks

(16)

The list goes on

Scanner can call setproctitle with user data

- Update daemon extracts data by running ps

Scanner can bind particular TCP or UDP port

numbers

Scanner can relay data through another process

- Call ptrace to take over process, then write to network - Use sendmail, httpd, or portmap to reveal data

Disclose data by modulating free disk space

(17)

Information flow control

Reasoning about operations is hard

- Can you enumerate all permissible actions by scanner?

- What about helper programs spawned (gzip, ar, mime, . . . )? - What about any process that can observe scanner?

Reasoning about information flow is easier

- Policy: Don’t write my files to network unless I say so

Restructure OS to make all information flow explicit

- Has been done in a very heavy-weight fashion for military - Give individual users control over information flow

(18)

HiStar architecture

Linux

Hardware UNIX Security checks A V H el p er U p d at e A V H el p er S ca n n er U p d at e U N IX U N IX U N IX Security checks S ca n n er

HiStar

Hardware

(19)

HiStar kernel objects

(20)

Unix processes

(21)

Example: File descriptors in Unix

Suppose

A

can’t flow to

B

, but they share a file desc.

Typical mistake: Consider read-only fd to be okay

- But even a read-only fd has mutable state, such as offset pointer - Hard to catch all such shared state

(22)

Example: File descriptors in HiStar

(23)

What’s in a label?

Labels represents 2 types of information flow concern

- secrecy – preventing people from observing information - integrity – preventing people from modifying information

Each concern is represented by a

category

of taint

Secrecy categories shown as

- Different colors represent different secrecy categories

- Secrecy category in label

object tainted in that category

Integrity categories shown as

- Integrity category in label

object less tainted in that category

L

A

L

B

(“

L

A

can flow to

L

B

”) when:

(24)

Recall: Bell-LaPadula labels

X

X

X

L

1

L

1

means

L

1

L

2

h

top-secret,

{

Crypto

}i

hsecret,

i

hsecret,

{Crypto}i

h

top-secret,

i

hsecret,

{Nuclear}i

h

top-secret,

{

Nuclear

}i

h

top-secret,

{

Nuclear, Crypto

}i

(25)

HiStar labels

(26)

Downgrading privileges

Downgrading privileges are

decentralized

- Represented by per-category stars in threads’ labels - Means thread can ignore taint in that category

Any thread can create a new category

- You get the stars for the categories you create

Can implement Unix UIDs using categories

- Each UID u corresponds to two categories:

An integrity category, ui and, a secrecy category, us

- u’s shell gets those stars whenever s/he logs in

(27)

Example: virus scanner

Scanner tainted, so cannot write to network

(28)

Example: ssh-agent

(29)

Runaway processes

What if ssh-agent goes nuts?

(30)

Containers

Separate resource allocation from access control

(31)

Other HiStar applications

Untrusted login

Red-green VPNs

Web server for untrusted CGI scripts (next slide)

Distributed HiStar

Ongoing/future work:

- Scheduler resource control for reducing timing channels - New applications written by “untrusted programmers” - Allowing policies to apply to power management

(32)
(33)

Final thoughts

You are all now operating systems experts

Use this knowledge to build better applications

- Sometimes need to coax right behavior out of kernel

- Should be much easier now that you know what’s going on

Syscall interface can be an

innovation

barrier

- Much harder to change kernel than user code

- Other examples include standardized net. protocols, servers - Get these wrong and many people will suffer

Some of you will go on to design interfaces that

many people are later subjected to

(34)

How to learn more about OSes

Take CS240 – Advanced Topics in Operating Systems

- Class will bring you up to speed on OS research - Read & discuss 18–25 research papers

- By the end, should be ready to do OS research

Get involved in research!

Lot’s of interesting OS work at Stanford

- Rosenblum – launched the virtual machine resurgence - Lam – collective system, software for mobile devices

- Levis – seminal work on sensor nets & power management - Engler – tools to find OS bugs automatically

References

Related documents

Before joining the Mayors’ Institute and American Architectural Foundation in 2006, Jess served as the Community Design Director at Urban Ecology in San Francisco,

Agency: Northeast Florida State Hospital Type of Agency: Rehabilitation Hospital Population Served: adults and geriatrics Diagnostic Groups: psychological problems Contact

Manual Data Collection Tools Asset IAC Contract Management System Asset/Patch Manager Wireless Scanner Network Vuln Scanner 2 T2/3 Asset Data Repository Organize &

00-01-1C Universal Talkware Corporation 00-01-1D Centillium Communications 00-01-1E Precidia Technologies, Inc... CMI

1. Press the [ OK] button to enter music list. Use the [ ] or [ ] button to select desired audio file, and then press the [ OK] button to start playing the song. Press the [ ]

a law that lacks sufficient societal support and, therefore, does not create a focal point – leads to more illegitimate laws, it is possible to examine whether

Quiz#1: March 14, 7:30-9:30PM, Walker; covers Lectures #1-9; open book; must have calculator • No Recitation on Wednesday, March 14: instructors?. or TAs available in their

4 Taylor, Ch., A Secular Age, Cambridge, Mass., Harvard Uni. He intercambiado el orden de los puntos dos y tres tal y como aparecen en Taylor, pues me parece que es el