Making Linux protection mechanisms egalitarian with UserFS

Thesis (S.M.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2011.Cataloged from PDF version of thesis.Includes bibliographical references (p. 46-51).UserFS provides egalitarian OS protection mechanisms in Linux. UserFS allows any user-not just the system administrator-to allocate Unix user IDs, to use chroot, and to set up firewall rules in order to confine untrusted code. One key idea in UserFS is representing user IDs as files in a /proc-like file system, thus allowing applications to manage user IDs like any other files, by setting permissions and passing file descriptors over Unix domain sockets. UserFS addresses several challenges in making user IDs egalitarian, including accountability, resource allocation, persistence, and UID reuse. We have ported several applications to take advantage of UserFS; by changing just tens to hundreds of lines of code, we prevented attackers from exploiting application-level vulnerabilities, such as code injection or missing ACL checks in a PHP-based wiki application. Implementing UserFS requires minimal changes to the Linux kernel-a single 3,000-line kernel module-and incurs no performance overhead for most operations, making it practical to deploy on real systems.by Taesoo Kim.S.M

Making Linux Protection Mechanisms Egalitarian with UserFS

URL to paper on conference site: http://www.usenix.org/events/sec10/tech/UserFS provides egalitarian OS protection mechanisms in Linux. UserFS allows any user—not just the system administrator—to allocate Unix user IDs, to use chroot, and to set up firewall rules in order to confine untrusted code. One key idea in UserFS is representing user IDs as files in a /proc-like file system, thus allowing applications to manage user IDs like any other files, by setting permissions and passing file descriptors over Unix domain sockets. UserFS addresses several challenges in making user IDs egalitarian, including accountability, resource allocation, persistence, and UID reuse. We have ported several applications to take advantage of UserFS; by changing just tens to hundreds of lines of code, we prevented attackers from exploiting application-level vulnerabilities, such as code injection or missing ACL checks in a PHP-based wiki application. Implementing UserFS requires minimal changes to the Linux kernel—a single 3,000-line kernel module—and incurs no performance overhead for most operations, making it practical to deploy on real systems.Quanta Computer (Firm)Samsung Scholarship Foundatio

Criminal Justice and the Challenge of Family Ties

This Article asks two basic questions: When does, and when should, the state use the criminal justice apparatus to accommodate family ties, responsibilities, and interests? We address these questions by first revealing a variety of laws that together form a string of family ties subsidies and benefits pervading the criminal justice system. Notwithstanding our recognition of the important role family plays in securing the conditions for human flourishing, we then explain the basis for erecting a Spartan presumption against these family ties subsidies and benefits within the criminal justice system. We delineate the scope and rationale for the presumption and under what circumstances it might be overcome. When the presumption is overcome, we urge distributing the benefit on terms that are neutral to family status, if possible, with a focus instead on functions served by established relationships of care-giving responsibility

Corruption and Pro-Poor Growth Outcomes: Evidence and Lessons for African Countries

There is growing consensus that corruption hurts economic performance by reducing private investment, adversely affecting the quantity and quality of public infrastructure, reducing tax revenue, and reducing human capital accumulation. In addition to inefficiency effects—lower growth for a given endowment in factors and technology—corruption also has adverse distributional effects as it hurts the poor disproportionately. For a given level of government budget and national income, high corruption countries have lower literacy rates, higher mortality rates, and overall worse human development outcomes. Corruption deepens poverty by reducing pro-poor pubic expenditures, creating artificial shortages and congestion in public services, and inducing a policy bias in favor of capital intensity, which perpetuates unemployment. High levels of corruption in African countries constitute one of the factors behind slow growth and limited progress in poverty reduction. Eradicating corruption in African bureaucracies is a challenging task, especially because it is a systemic phenomenon with effects that often lag far behind the causes. Therefore, explicit strategies are necessary to change the incentive structure by modifying the payoffs and sanctions that govern the interactions between bureaucrats and private economic operators. Strategies to fight corruption include measures to increase transparency in the management of public resources, establishing an incentive structure that rewards honest behavior among civil servants, enforcing transparency in international contracts and equal penalties to all parties to corrupt deals, and promotion of a free and responsible media.Corruption; pro-poor growth; rent-seeking; African countries

Mitigating Docker Security Issues

It is very easy to run applications in Docker. Docker offers an ecosystem that offers a platform for application packaging, distributing and managing within containers. However, Docker platform is yet not matured. Presently, Docker is less secured as compare to virtual machines (VM) and most of the other cloud technologies. The key of reason of Docker inadequate security protocols is containers sharing of Linux kernel, which can lead to risk of privileged escalations. This research is going to outline some major security vulnerabilities at Docker and counter solutions to neutralize such attacks. There are variety of security attacks like insider and outsider. This research will outline both types of attacks and their mitigations strategies. Taking some precautionary measures can save from huge disasters. This research will also present Docker secure deployment guidelines. These guidelines will suggest different configurations to deploy Docker containers in a more secure way.Comment: 11 page