\title{Some aspects of Unix file-system security} \author{Markus Wenzel \\ TU M\"unchen} \maketitle
\begin{abstract}
Unix is a simple but powerful system where everything is either a process or
a file. Access to system resources works mainly via the file-system,
including special files and devices. Most Unix security issues are
reflected directly within the file-system. We give a mathematical model of
the main aspects of the Unix file-system including its security model, but
ignoring processes. Within this formal model we discuss some aspects of
Unix security, including a few odd effects caused by the general
``worse-is-better'' approach followed in Unix.
Our formal specifications will be given in simply-typed classical
set-theory as provided by Isabelle/HOL. Formal proofs are expressed in a
human-readable fashion using the structured proof language of Isabelle/Isar,
which is a system intended to support intelligible semi-automated reasoning
over a wide range of application domains. Thus the present development also
demonstrates that Isabelle/Isar is sufficiently flexible to cover typical
abstract verification tasks as well. So far this has been the classical
domain of ``interactive'' theorem proving systems based on unstructured
tactic languages.
\end{abstract}
\parindent 0pt\parskip 0.5ex
\section{Introduction}\label{sec:unix-intro}
Over the last 2 or 3 decades the Unix community has collected a certain
amount of folklore wisdom on building systems that actually work. Here is a
recent account of the philosophy behind the Unix way of system development
by one of the participants:

{\small
\begin{verbatim}
The philosophy is a result of more than twenty years of software
development and has grown from the UNIX community instead of being
enforced upon it. It is a defacto-style of software development. The
nine major tenets of the UNIX philosophy are:

1. small is beautiful
2. make each program do one thing well
3. build a prototype as soon as possible
4. choose portability over efficiency
5. store numerical data in flat files
6. use software leverage to your advantage
7. use shell scripts to increase leverage and portability
8. avoid captive user interfaces
9. make every program a filter

The ten lesser tenets are:

1. allow the user to tailor the environment
2. make operating system kernels small and lightweight
3. use lower case and keep it short
4. save trees
5. silence is golden
6. think parallel
7. the sum of the parts is greater than the whole
8. look for the ninety percent solution
9. worse is better
10. think hierarchically
\end{verbatim}
}
The ``worse-is-better'' approach quoted above is particularly relevant here.
Basically this means that \emph{relevant} concepts have to be implemented the
right way, while \emph{irrelevant} issues are simply ignored in order to avoid
unnecessary complication of the design and implementation. Certainly, the
overall quality of the resulting system heavily depends on the virtue of the
distinction between the two categories of ``relevant'' and ``irrelevant''.
\subsection{Unix-philosophy and security}

The main entities of a Unix system are \emph{files} and \emph{processes}
\cite{Tanenbaum:1992}. Files subsume any persistent ``static'' entity managed
by the system --- ranging from plain files and directories, to more special
ones such as device nodes, pipes etc. On the other hand, processes are
``dynamic'' entities that may perform certain operations while being run by
the system.

The security model of classic Unix systems is centered around the file
system. The operations permitted by a process that is run by a certain user
are determined from information stored within the file system. This includes
any kind of access control, such as read/write access to some plain file, or
read-only access to a certain directory etc. Thus proper arrangement of the
main Unix file-system is very critical for overall
security.\footnote{Incidentally, this is why the operation of mounting new
volumes into the existing file space is usually restricted to the
super-user.}
\medskip Generally speaking, the Unix security model is a very simplistic
one. The original designers did not have maximum security in mind, but
wanted to get a decent system working for typical multi-user environments.
Contemporary Unix implementations still follow the basic security model of
the original versions from the early 1970's. Even back then there would have
been better approaches available, albeit with more complexity involved both
for implementers and users.

On the other hand, even in the 2000's many computer systems are run with
little or no file-system security at all, even though virtually any system
is exposed to the net in one way or the other. Even ``personal'' computer
systems have long left the comfortable home environment and entered the
wilderness of the open net sphere.
\medskip This treatment of file-system security is a typical example of the
``worse-is-better'' principle introduced above. The simplistic security
model of Unix got widely accepted within a large user community, while the
more innovative (and cumbersome) ones tend to be disabled by default in
order to avoid confusing users.
\subsection{Odd effects}

Simplistic systems usually work very well in typical situations, but tend to
exhibit some odd features in non-typical ones. As far as file-system
security is concerned, there are several such problems that are well-known
to experts but may surprise naive users.

Subsequently, we consider an example that is not so exotic. Consider two
users \texttt{user1} and \texttt{user2} working within the same directory
(e.g.\ somewhere within the home of \texttt{user1}). Experimenting with such
a situation on a running Unix system, the following sequence of commands may
put a user's file-system into an odd state:
{\small
\begin{verbatim}
user1> umask 000; mkdir foo; umask 022
user2> mkdir foo/bar
user2> touch foo/bar/baz
user1> rmdir foo
rmdir: directory "foo": Directory not empty
user1> rmdir foo/bar
rmdir: directory "bar": Directory not empty
user1> rm foo/bar/baz
rm: foo/bar/baz not removed: Permission denied
\end{verbatim}
}

Apparently, it has become impossible for \texttt{user1} to remove his very
own directory \texttt{foo}, since \texttt{foo} contains another non-empty and
non-writable directory, which cannot be removed.
Only after \texttt{user2} has cleaned up his directory \texttt{bar} is
\texttt{user1} able to get rid of both \texttt{foo/bar} and \texttt{foo}.
Alternatively \texttt{user2} could remove \texttt{foo/bar} as well. In the
unfortunate case that \texttt{user2} does not cooperate or is presently
unavailable, \texttt{user1} would have to find the super user
(\texttt{root}) to clean up the mess.\footnote{This is the typical Unix way
of resolving such a situation: the super user may perform any operation
without any access control. While it is relatively easy to get into such
cases due to simplistic policies, it is as well quite easy to get out. There
are other well-known systems that make it somewhat harder to get into a fix,
but almost impossible to get out again!}
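To make the access rules behind this transcript concrete, here is a small Python model of the classic check that removing a name needs write and search permission on the containing directory, with root bypassing every check; it is an example added here, not part of the paper and not its Isabelle/HOL development, and the uids, modes and the home directory are constructed to mirror the scenario above.

```python
from dataclasses import dataclass
from typing import Optional

ROOT, USER1, USER2 = 0, 1000, 1001  # constructed uids for the toy model
W, X = 2, 1                          # write and search bits of one rwx triple

@dataclass
class Node:
    owner: int
    mode: int                        # octal mode such as 0o755
    children: Optional[dict] = None  # name -> Node for a directory, None for a file

def permitted(node, uid, bit):
    """Access check as modelled here: root bypasses everything; the owner is
    judged by the owner triple, anyone else by the 'others' triple (no groups)."""
    if uid == ROOT:
        return True
    shift = 6 if uid == node.owner else 0
    return (node.mode >> shift) & bit != 0

def remove(root, uid, path):
    """rm/rmdir of the last path component: needs search (x) on each directory
    crossed and write (w) on the parent; a directory must also be empty.
    Returns None on success, otherwise the reason the request is refused."""
    parent = root
    for name in path[:-1]:
        if not permitted(parent, uid, X):
            return "Permission denied"
        parent = parent.children[name]
    if parent.children[path[-1]].children:   # non-empty directory
        return "Directory not empty"
    if not (permitted(parent, uid, X) and permitted(parent, uid, W)):
        return "Permission denied"
    del parent.children[path[-1]]
    return None

def build_scenario():
    """Constructed tree after the transcript: user1 ran 'umask 000; mkdir foo'
    (mode 777); user2 ran 'mkdir foo/bar' (755) and 'touch foo/bar/baz' (644)."""
    home = Node(USER1, 0o755, {})
    home.children["foo"] = Node(USER1, 0o777, {})
    home.children["foo"].children["bar"] = Node(USER2, 0o755, {})
    home.children["foo"].children["bar"].children["baz"] = Node(USER2, 0o644)
    return home

def cleanup(uid):
    """Tear the tree down bottom-up (baz, bar, foo) as uid; None marks success."""
    home = build_scenario()
    paths = (["foo", "bar", "baz"], ["foo", "bar"], ["foo"])
    return [remove(home, uid, p) for p in paths]
```

Running `cleanup` for each uid shows the three outcomes the text describes: user1 is stopped at \texttt{baz}, user2 can remove \texttt{baz} and \texttt{bar} but not \texttt{foo} inside user1's home, and root succeeds throughout.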
\bigskip Is there really no other way for \texttt{user1} to get rid of his
directory in this situation? Experiments can only show possible ways, but
never demonstrate the absence of other means exhaustively. This is a typical
situation where (formal) proof may help. Subsequently, we model the main
aspects of Unix file-system security within Isabelle/HOL
\cite{Nipkow-et-al:2000:HOL} and prove that there is indeed no way for
\texttt{user1} to get rid of his directory \texttt{foo} without help by
others (see \secref{sec:unix-main-result} for the main theorem stating this).
\medskip The formal techniques employed in this development are the typical
ones for abstract ``verification'' tasks, namely induction and case analysis
over the structure of file-systems and possible system transitions.
Isabelle/HOL \cite{Nipkow-et-al:2000:HOL} is particularly well-suited for this
kind of application. By the present development we also demonstrate that the
Isabelle/Isar environment \cite{Wenzel:1999:TPHOL,Wenzel:2002:isar-ref} for
readable formal proofs is sufficiently flexible to cover non-trivial
verification tasks as well. So far this has been the classical domain of
``interactive'' theorem proving systems based on unstructured tactic
languages.