\title{Some aspects of Unix file-system security} \author{Markus Wenzel \\ TU M\"unchen} \maketitle
\begin{abstract}
  Unix is a simple but powerful system where everything is either a process or
  a file.  Access to system resources works mainly via the file-system,
  including special files and devices.  Most Unix security issues are
  reflected directly within the file-system.  We give a mathematical model of
  the main aspects of the Unix file-system including its security model, but
  ignoring processes.  Within this formal model we discuss some aspects of
  Unix security, including a few odd effects caused by the general
  ``worse-is-better'' approach followed in Unix.

  Our formal specifications will be given in simply-typed classical
  set-theory as provided by Isabelle/HOL.  Formal proofs are expressed in a
  human-readable fashion using the structured proof language of Isabelle/Isar,
  which is a system intended to support intelligible semi-automated reasoning
  over a wide range of application domains.  Thus the present development also
  demonstrates that Isabelle/Isar is sufficiently flexible to cover typical
  abstract verification tasks as well.  So far this has been the classical
  domain of interactive theorem proving systems based on unstructured tactic
  languages.
\end{abstract}

\tableofcontents

\parindent 0pt

\section{Introduction}\label{sec:unix-intro}

\subsection{The Unix philosophy}

Over the last 2 or 3 decades the Unix community has collected a certain amount
of folklore wisdom on building systems that actually work, see
\cite{Unix-heritage} for further historical background information.  Here is a
recent account of the philosophical principles behind the Unix way of software
and systems engineering.\footnote{This has appeared on \emph{Slashdot} on
  25-March-2000, see \url{http://slashdot.com}.}

{\small
\begin{verbatim}
The UNIX Philosophy (Score:2, Insightful)
by yebb on Saturday March 25, @11:06AM EST (#69)
(User Info)

The philosophy is a result of more than twenty years of software
development and has grown from the UNIX community instead of being
enforced upon it. It is a defacto-style of software development. The
nine major tenets of the UNIX Philosophy are:

  1. small is beautiful
  2. make each program do one thing well
  3. build a prototype as soon as possible
  4. choose portability over efficiency
  5. store numerical data in flat files
  6. use software leverage to your advantage
  7. use shell scripts to increase leverage and portability
  8. avoid captive user interfaces
  9. make every program a filter

The Ten Lesser Tenets

  1. allow the user to tailor the environment
  2. make operating system kernels small and lightweight
  3. use lower case and keep it short
  4. save trees
  5. silence is golden
  6. think parallel
  7. the sum of the parts is greater than the whole
  8. look for the ninety percent solution
  9. worse is better
 10. think hierarchically
\end{verbatim}
}

The ``worse-is-better'' approach quoted above is particularly interesting.  It
basically means that \emph{relevant} concepts have to be implemented in the
right way, while \emph{irrelevant} issues are simply ignored in order to avoid
unnecessary complication of the design and implementation.  Certainly, the
overall quality of the resulting system heavily depends on the virtue of
distinction between the two categories of ``relevant'' and ``irrelevant''.

\subsection{Unix security}

The main entities of a Unix system are \emph{files} and \emph{processes}
\cite{Tanenbaum:1992}.  Files subsume any persistent ``static'' entity managed
by the system -- ranging from plain files and directories, to more special
ones such as device nodes, pipes etc.  On the other hand, processes are
``dynamic'' entities that may perform certain operations while being run by
the system.

The security model of classic Unix systems is centered around the file system.
The operations permitted by a process that is run by a certain user are
determined from information stored within the file system.  This includes any
kind of access control, such as read/write access to some plain file, or
read-only access to a certain global device node etc.  Thus proper arrangement
of the main Unix file-system is very critical for overall
security.\footnote{Incidentally, this is why the operation of mounting new
  volumes into the existing file space is usually restricted to the
  super-user.}

\medskip Generally speaking, the Unix security model is a very simplistic one.
The original designers did not have maximum security in mind, but wanted to
get a decent system working for typical multi-user environments.  Contemporary
Unix implementations still follow the basic security model of the original
versions from the early 1970's \cite{Unix-heritage}.  Even back then there
would have been better approaches available, albeit with more complexity
involved both for implementers and users.

On the other hand, even in the 2000's many computer systems are run with
little or no file-system security at all, even though virtually any system is
exposed to the net in one way or the other.  Even ``personal'' computer
systems have long left the comfortable home environment and entered the
wilderness of the open net sphere.

\medskip This treatment of file-system security is a typical example of the
``worse-is-better'' principle introduced above.  The simplistic security model
of Unix got widely accepted within a large user community, while the more
innovative (and cumbersome) ones are only used very reluctantly and even tend
to be disabled by default in order to avoid confusion of beginners.

\subsection{Odd effects}

Simplistic systems usually work very well in typical situations, but tend to
exhibit some odd features in non-typical ones.  As far as Unix file-system
security is concerned, there are many such features that are well-known to
experts, but may surprise naive users.

Subsequently, we consider an example that is not so exotic after all.  As may
be easily experienced on a running Unix system, the following sequence of
commands may put a user's file-system into an uncouth state.  Below we assume
that \texttt{user1} and \texttt{user2} are working within the same directory
(e.g.\ somewhere within the home of \texttt{user1}).

{\small
\begin{verbatim}
  user1> umask 000; mkdir foo; umask 022
  user2> mkdir foo/bar
  user2> touch foo/bar/baz
\end{verbatim}
}

That is, \texttt{user1} creates a directory that is writable for everyone, and
\texttt{user2} puts there a non-empty directory without write-access for
others.

In this situation it has become impossible for \texttt{user1} to remove his
very own directory \texttt{foo} without the cooperation of \texttt{user2},
since \texttt{foo} contains another non-empty and non-writable directory,
which cannot be removed.

{\small
\begin{verbatim}
  user1> rmdir foo
  rmdir: directory "foo": Directory not empty
  user1> rmdir foo/bar
  rmdir: directory "bar": Directory not empty
  user1> rm foo/bar/baz
  rm not removed: Permission denied
\end{verbatim}
}

Only after \texttt{user2} has cleaned up his directory \texttt{bar}, is
\texttt{user1} enabled to remove both \texttt{foo/bar} and \texttt{foo}.
Alternatively \texttt{user2} could remove \texttt{foo/bar} as well.  In the
unfortunate case that \texttt{user2} does not cooperate or is presently
unavailable, \texttt{user1} would have to find the super user (\texttt{root})
to clean up the situation.  In Unix \texttt{root} may perform any file-system
operation without any access control limitations.\footnote{This is the typical
  Unix way of handling abnormal situations: while it is easy to run into odd
  cases due to simplistic policies it is as well quite easy to get out.  There
  are other well-known systems that make it somewhat harder to get into a fix,
  but almost impossible to get out again!}

\bigskip Is there really no other way out for \texttt{user1} in the above
situation?  Experiments can only show possible ways, but never demonstrate the
absence of other means exhaustively.  This is a typical situation where
(formal) proof may help.  Subsequently, we model the main aspects of Unix
file-system security within Isabelle/HOL \cite{Nipkow-et-al:2000:HOL} and
prove that there is indeed no way for \texttt{user1} to get rid of his
directory \texttt{foo} without help by others (see
\secref{sec:unix-main-result} for the main theorem stating this).

\medskip The formal techniques employed in this development are the typical
ones for abstract ``verification'' tasks, namely induction and case analysis
over the structure of file-systems and possible system transitions.
Isabelle/HOL \cite{Nipkow-et-al:2000:HOL} is particularly well-suited for this
kind of application.  By the present development we also show that the
Isabelle/Isar environment \cite{Wenzel:1999:TPHOL,Wenzel:2000:isar-ref} for
readable formal proofs is sufficiently flexible to cover non-trivial
verification tasks as well.  So far this has been the traditional domain of
``interactive'' theorem proving systems based on unstructured tactic
languages.

\input{Unix}

\bibliographystyle{abbrv}
\bibliography{root}

\end{document}