Lecture 22 homework: Capabilities and Security

Handed out: Wednesday, November 24, 2004
Due: Monday, November 29, 2004
Read: The Confused Deputy and Paradigm Regained.

Hand-In Procedure

You are to turn in this homework during lecture. Please write up your answers to the exercises below and hand them in to a 6.828 staff member by the end of the lecture.

The Confused Deputy

Practically all current operating systems suffer from design problems that lead to security vulnerabilities that can be traced back to the "confused deputy" problem.

Exercise 1 Describe one situation where you've had to deal with a "confused deputy" problem in the JOS kernel: i.e., a situation where malicious user-level code could easily confuse the kernel (acting as a "trusted deputy") into misusing its special privileges if you hadn't written special code in the kernel just to prevent this misuse.
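As an added illustration of the Exercise 1 scenario (example code, not part of the handout or of JOS itself): a simulated system call that copies a user-supplied buffer to the console, first trusting the caller's pointer blindly and then checking it against the user/kernel boundary before using kernel privilege on the caller's behalf. The flat memory array, ULIM value, struct env and the user_mem_check stand-in are constructed assumptions; the stand-in is modelled on the check JOS's own kernel makes with user_mem_check() before touching user memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed address space: one flat array, with everything at or above
 * ULIM being kernel-only memory (a toy stand-in for JOS's ULIM split). */
#define MEM_SIZE 256
#define ULIM     128
static uint8_t mem[MEM_SIZE];

struct env { int id; };            /* hypothetical calling environment */

/* The "console" the deputy writes into on the caller's behalf. */
static char console[64];
static size_t console_len;

/* Confused deputy: the kernel has privilege to read all of mem[], so a
 * user pointer into kernel memory is copied out just like any other. */
int sys_cputs_unchecked(struct env *e, uint32_t va, size_t len) {
    (void)e;
    if (len >= sizeof console || va >= MEM_SIZE || len > MEM_SIZE - va) return -1;
    memcpy(console, &mem[va], len);
    console_len = len;
    return 0;
}

/* Stand-in for JOS's user_mem_check(): may *this caller* read [va, va+len)?
 * Computed in 64 bits so va+len cannot wrap around below ULIM. */
static int user_mem_check(struct env *e, uint32_t va, size_t len) {
    (void)e;
    return ((uint64_t)va + len <= ULIM) ? 0 : -1;
}

/* Hardened deputy: check the caller's rights first, then act. JOS returns
 * -E_FAULT at this point; -2 is a constructed stand-in for that code. */
int sys_cputs_checked(struct env *e, uint32_t va, size_t len) {
    if (len >= sizeof console) return -1;
    if (user_mem_check(e, va, len) < 0) return -2;
    memcpy(console, &mem[va], len);
    console_len = len;
    return 0;
}

/* Constructed scenario: a secret in kernel memory, a greeting in user memory. */
void setup_demo(void) {
    memset(mem, 0, sizeof mem);
    memcpy(&mem[ULIM], "kernel-secret", 13);
    memcpy(&mem[0], "hello", 5);
}

const char *console_text(void) { console[console_len] = '\0'; return console; }
```

The unchecked call leaks "kernel-secret" when handed a pointer at ULIM; the checked call refuses that request and any range straddling the boundary, while still serving the user's own buffer.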

Access Control Paradigms

In JOS we have not put much thought or design into security: we have essentially done the minimum required to ensure (hopefully) that one user environment cannot accidentally or maliciously interfere with the normal execution of the kernel or other user environments. But this is only one of the many security properties we would desire a real operating system to have: for example, we would also like to ensure that the operating system will not somehow allow sensitive information we store on it, such as credit card numbers, passwords, or private keys, to "leak" to untrustworthy local or remote entities.

Exercise 2 Is the JOS kernel's security model capable of enforcing true isolation between user environments as described in the "Paradigm Regained" paper? What would you have to do to the JOS kernel and/or user code in order to be able to implement the "calculator" example from section 5? (In short: a user wants to run code supplied by an untrusted manufacturer on some user-supplied data, and the user wants to be assured that this code, regardless of what it might do with the data, cannot send it back to the code's original manufacturer.)

This completes the homework.