diff --git a/content/CSE4303/CSE4303_L15.md b/content/CSE4303/CSE4303_L15.md index b42552d..004ba70 100644 --- a/content/CSE4303/CSE4303_L15.md +++ b/content/CSE4303/CSE4303_L15.md @@ -59,6 +59,14 @@ ### Post-Quantum (PQ) crypto +- Fundamentally different computation paradigm than "classical" von Neumann or dataflow models +- Relies on properties of quantum physics to solve problems efficiently + - Superposition: state of quantum bit ("qubit") expressed by probability model over continuous range of values (vs. classic bit: 0 or 1 only) + - Like being able to operate on all possible bit combos of a register simultaneously, instead of operating on only one among all possibilities + - Entanglement: operating on one qubit affects others + + + ### Zero-Knowledge (ZK) proofs ### Homomorphic encryption \ No newline at end of file diff --git a/content/CSE4303/CSE4303_L16.md b/content/CSE4303/CSE4303_L16.md index a1ffb8d..1cc46e3 100644 --- a/content/CSE4303/CSE4303_L16.md +++ b/content/CSE4303/CSE4303_L16.md @@ -38,10 +38,14 @@ Context: computing stack - 2. Complete mediation (reference monitor) - 3. Correct -Isolating User Processes from Each Other +Isolating OS from Untrusted User Code + +- How do we meet the first requirement of a TCB (e.g., isolation or tamper-proofness)? + - Hardware support for memory protection + - Processor execution modes (system AND user modes, execution rings) + - Privileged instructions which can only be executed in system mode + - System calls used to transfer control between user and system code -- How do we meet the user/user isolation and separation? - - OS uses hardware support for memory protection to ensure this. System Calls: Going from User to OS Code @@ -50,16 +54,107 @@ System Calls: Going from User to OS Code - The processor execution mode or privilege ring changes when call and return happen. - x86 `sysenter` / `sysexit` instructions -## Isolating OS from Untrusted User Code +Isolating User Processes from Each Other -- How do we meet the first requirement of a TCB (e.g., isolation or tamper-proofness)? - - Hardware support for memory protection - - Processor execution modes (system AND user modes, execution rings) - - Privileged instructions which can only be executed in system mode - - System calls used to transfer control between user and system code +- How do we meet the user/user isolation and separation? + - OS uses hardware support for memory protection to ensure this. + +Virtualization + +- OS is large and complex, even different operating systems may be desired by different customers +- Compromise of an OS impacts all applications + +Complete Mediation: The TCB + +- Make sure that no protected resource (e.g., memory page or file) could be accessed without going through the TCB +- TCB acts as a reference monitor that cannot be bypassed +- Privileged instructions + +Limiting the Damage oa a Hacked OS + +Use: Hypervisor, virtual machines, guest OS and applications + +Compromise of OS in VM1 only impacts applications running on VM1 ### Secure boot and Root of Trust (RoT) +Goal: create chain of trust back to hardware-stored cryptographic keys + +#### Secure enclave: overview (Intel SGX) + +![Intel SGX](https://notenextra.com/CSE4303/Intel_SGX.png) + +Goal: keep sensitive data within hardware-isolated encrypted environment + ### Access control +Controlling Accesses to Resources + +- TCB (reference monitor) sees a request for a resource, how does it decide whether it should be granted? + - Example: Should John's process making a request to read a certain file be allowed to do so? + +- Authentication establishes the source of a request (e.g., John's UID) +- Authorization (or access control) answers the question if a certain source of a request (User ID) is allowed to read the file +- Subject who owns a resource (creates it) should be able to control access to it (sometimes this is not true) + +- Access control + - Basically, it is about who is allowed to access what. + - Two parts + - Part I - Policy: decide who should have access to certain resources (access control policy) + - Part II - Enforcement: only accesses defined by the access control policy are granted. + - Complete mediation is essential for successful enforcement + +Discretionary Access Control + +- In discretionary access control (DAC), owner of a resource decides how it can be shared + - Owner can choose to give read or write access to other users +- Two problems with DAC: + - You cannot control if someone you share a file with will not further share the data contained in it + - Cannot control "information flow" + - In many organizations, a user does not get to decide how certain type of data can be shared + - Typically the employer may mandate how to share various types of sensitive data + - Mandatory Access Control (MAC) helps address these problems + +Mandatory Access Control (MAC) Models + +- User works in a company and the company decides how data should be shared + - Hospital owns patient records and limits their sharing + - Regulatory requirements may limit sharing + - HIPAA for health information + +#### Example: Linux system controls + +Unix file access control list + +- Each file has owner and group +- Permissions set by owner + - Read, write, execute + - Owner, group, other + - Represented by vector of four octal values +- Only owner, root can change permissions + - This privilege cannot be delegated or shared +- Setid bits -- Discuss in a few slides + +Process effective user id (EUID) + +- Each process has three IDs (+ more under Linux) + - Real user ID (RUID) + - Same as the user ID of parent (unless changed) + - Used to determine which user started the process + - Effective user ID (EUID) + - From set user ID bit on the file being executed, or sys call + - Determines the permissions for process + - File access and port binding + - Saved user ID (SUID) + - So previous EUID can be restored +- Real group ID, effective group ID used similarly + +#### Weaknesses in Unix isolation, privileges + +- Shared resources + - Since any process can create files in `/tmp` directory, an untrusted process may create files that are used by arbitrary system processes +- Time-of-Check-to-Time-of-Use (TOCTTOU), i.e. race conditions + - Typically, a root process uses system call to determine if initiating user has permission to a particular file, e.g. `/tmp/X`. + - After access is authorized and before the file open, user may change the file `/tmp/X` to a symbolic link to a target file `/etc/shadow`. + ### Hazard: race conditions \ No newline at end of file diff --git a/content/Math4202/Math4202_L23.md b/content/Math4202/Math4202_L23.md index 4ff60f8..8733d46 100644 --- a/content/Math4202/Math4202_L23.md +++ b/content/Math4202/Math4202_L23.md @@ -29,6 +29,8 @@ $f|_{B^2}$ is a continuous map from $B^2\to \mathbb{R}^2-\{0\}$. $f|_{S^1=\partial B^2}:S^1\to \mathbb{R}-\{0\}$ **is nulhomotopic**. +> Recall that: Any map $g:S^1\to Y$ is nulhomotopic whenever it extends to a continuous map $G:B^2\to Y$. + Construct a homotopy between $f|_{S^1}$ and $g$ $$ @@ -57,7 +59,7 @@ Therefore $f$ must have a root in $B^2$.
Proof: part 2 -If \|a_{n-1}\|+\|a_{n-2}\|+\cdots+\|a_0\|< R$ has a root in the disk $B^2_R$. (and $R\geq 1$, otherwise follows part 1) +If $\|a_{n-1}\|+\|a_{n-2}\|+\cdots+\|a_0\|< R$ has a root in the disk $B^2_R$. (and $R\geq 1$, otherwise follows part 1) Consider $\tilde{f}(x)=f(Rx)$. diff --git a/public/CSE4303/Intel_SGX.png b/public/CSE4303/Intel_SGX.png new file mode 100644 index 0000000..00bc18e Binary files /dev/null and b/public/CSE4303/Intel_SGX.png differ