Elektronika 2009-11.pdf - Instytut SystemÃ³w Elektronicznych

More documents

Recommendations

Info

sys_write=sys_call_table[__NR_write]; sys_call_table[__NR_write]=my_sys_write; sys_send=sys_call_table[PXX_SEND_ADDR]; sys_call_table[PXX_SEND_ADDR]=my_sys_send; sys_sendmsg=sys_call_table[PXX_SENDMSG_ADDR]; sys_call_table[PXX_SENDMSG_ADDR]=my_sys_sendmsg; sys_sendto=sys_call_table[PXX_SENDTO_ADDR]; sys_call_table[PXX_SENDTO_ADDR]=my_sys_sendto; The service and module exchange their names and software version. Initialization is done. In second phase module waits for any application to call system function open. Disk files are identified by i-node values. Function which gets i-node value from file descriptor is shown in listing 2. static unsigned long get_ino(int fd) { unsigned long ino=0; struct file * f; } if (fdf_dentry->d_inode->i_ino; fput(f); } return ino; A PID number of parent process and it’s father’s is pushed to the array of PID of applications whose requested opening protected file. If any application tries to call any data write function or send it using socket, kernel module looks for it’s or it’s father PID in PID array. If found, kernel module sends application’s PID to daemon, which logs the event. Module rejects to execute write/send function. When an application calls close function, it’s PID number (and it’s father’s PID) are pulled from a PID list. An array of protected files’ i-nodes (got using absolute path) is created once when PXX daemon starts. Each path is parsed to check whether it is correct. After all PXX daemon fills the protected files structure (listing 3). struct protected_files { unsigned int qty; ino_t * inos_t; char ** names_t; }; An array containing i-node values is taken from protected_files structure and send to kernel module via netlink socket. Difficulties related with implementation of full functional DLP system for Linux The discussed solution bases on i-nodes despite of it is neither perfect one, nor unequivocal. The values of i-node are unique but only in one filesystem, but there is no better solution. An experiment drove to some conclusion. One of these can be an answer to question why there is still no DLP application to Linux. Most important are discussed below. It was not possible to write full functional, working in kernel space function, which can preprocess any path to absolute path, cause it is impossible to determine caller’s work directory from kernel space. Another idea is using algorithm implemented in Tomoyo [6] Linux, which has realpath function, but also this solution could not be good enough because of hard links, whose can be wrong interpreted by this function. Apparently best solution could be mapping file to pair disk-block, but in filesystem other than “ext” this method could be not well working because of block suballocation (e.g.: Reiser 4). Block suballocation is used to more effective management with files which are smaller than size of block. In filesystem with no block suballocation occupies one block, so the disk space is wasted. Block suballocation let keep some small files in single block. Unfortunately - relation between file and block is ambiguous. None effective method of blocking the clipboard have been found. This „tiny” weak point determines the weakness of whole system. Clipboard works in user space and is managed by window manager. To block possibility of making copies to clipboard source of window manager and it’s recompilation is required. In Windows system it is possible, because there is only one window manager. Linux users has a freedom of choice one of many solutions (GNOME, KDE, XFCE etc.) System does not protect files in situation, when protected file is opened, then it’s content is saved to memory and after that file is closed. An effective implementation of protecting files in such situation were not implemented yet. Most important problem related with developed system is it’s disability to work in real-life environment where aggressor has wide knowledge and suitable tools. For computer geek who understand idea of DLP system cracking this implementation is a matter of time. It is important to mention that aim of this project was implementation of only a stub of project, which will be developed by more programmers. The aim was to begin talk about DLP system for Linux and determining it’s hardest challenges and difficulties caused by specificity of Linux. Conclusions The experiment of implementation DLP system for Linux could be recognized as successful, but authors feel insufficiently. The implemented system is not cross-platform and does not look like it could be soon. Only the implementation done for specific architecture, kernel version and graphical interface. Currently it can not be recognized as universal solution even within single distribution because of unsupported protection of clipboard. The hardest thing for DLP system for Linux creator is - irony of fate - an architecture of Linux. It’s kernel has many variants, some of distributions (e.g. Ubuntu) provides it’s own implementation of kernel. The problem is leak of uniform specification which could describe all the kernels of all distributions. This is the expression of Linux’s freedom, but on the other hand - serious hindrance. Often changes in kernel architecture also are not helpful. Creating perfect one DLP application for Linux would require remaking of significant part of Linux Kernel to allow to “transport” in process information additional flags related with security. After that only these filesystems could be accepted, which allow to identify any disk file using uniform value. To get this idea done, recompilation of graphical environment would 50 ELEKTRONIKA 11/<strong>2009</strong>
e necessary, in worst case - also system tools and user application had to be modified and recompiled. Kernel modification would also affect VFS filesystem, to make possible determine a file within all the mounted filesystems, remote filesystems too. References [1] Delolitte’s 2006 Global Security Survey, http://www.deloitte.com/ dtt/cda/doc/content/cz_fsi_security_survey_250706.pdf. [2] Delolitte’s 2007 Global Security Survey, http://www.deloitte.com/ dtt/cda/doc/content/ca_en_Global_Security_Survey.final.en.pdf. [3] Wikipedia - Data Loss Prevention, http://en.wikipedia.org/wiki/ Data_Loss_Prevention. [4] R. Mogull - “Understanding and Selecting a Data Loss Prevention Solution”, http://www.websense.com/Docs/WhitePapers/ Mogull_DLP_WP.pdf. [5] Securosis’ Blog - http://securosis.com/blog/is-there-any-dlp-ordata-security-on-maclinux/. [6] Tomoyo Linux Homepage - http://tomoyo.sourceforge.jp/. [7] Websense Data Security Solutions, http://www.websense. com/site/docs/brochures/WBSN_DataSecurity_Web.pdf. [8] Nitrobit Policy Extensions - http://nitrobit.com/policyextension.html. [9] Leveraging Data Leak Prevention Technology to Secure Corporate Assets, http://us.trendmicro.com/imperia/md/content/us/pdf/ products/enterprise/leakproof/wp01_leakproof_080123us.pdf. [10] 2007 CSI Computer Crime and Security Survey, http://www. gocsi.com/press/ 20070913.jhtml. A buffer thresholds policy in linked in series servers with blocking (Buforowanie z progami w połączonych serwerach z blokadami) The aim of this paper is to build up an analytical model of computer networks with blocking, feedback priority service and threshold policies; seeking to obtain high network utilization, acceptable delay time, and some degree of fairness among users. In the past couple of years, there has been a strong demand for computer networks that can provide adequate quality of service (QoS) among users. Such demand initiated a need for a solution where the servers play an active role in congestion control. A series of threshold policies and congestion control procedures were proposed to control queue lengths and to promote fairness among task generating sources [1,6]. Queuing network models (QNMs) with finite capacity queues and blocking provide powerful and practical tools for performance evaluation and predication of discrete flow systems as computer systems and networks. The traditional analyses of the ONMs with blocking are based on the Markov Chain approach [2,5]. In addition, many interesting theories and models appeared in a variety of journals and at worldwide conferences in the field of computer science, traffic engineering and communication engineering [4,7,10]. Despite all the research done so far, there are still many important and interesting models to be studied. One such model is finite capacity queues under various blocking mechanisms and synchronization constraints, such as those involving feedback service or priority scheduling. In this kind of model, a task with a fixed probability can return to the previous node immediately after its service at the current node. Although feedback queues have already been extensively studied in literature see [6,8,9], series queues with priority feedback are more complex object for research than the queues without feedback. The introduction of multiple-thresholds can give rise to inter-dependency between the thresholds setting, which are also dependent on the service discipline used. The main aim of this paper is to formulate such a model with multiple queue thresholds and examine the queuing behaviour under a priority service discipline for feed backed tasks. doc dr inż. WALENTY ONISZCZUK Bialystok Technical University, Faculty of Computer Science Model description The general model description is: • the arrival process from source station is Poisson, • two stations provide service that is exponentially distributed, • all queues have finite capacity m1 and m2 with thresholds tm1 and tm2. Figure 1. presents a simplified three-station (source, station A and station B) description of the proposed model. Tasks arrive from the source at station A according to the Poisson process with rate λ and they are processed in a FIFO manner. The service received by station A is as follows. The task first receives an exponentially distributed service with rate µ 1A . After service completion at station A, the task precedes to station B (exponentially distributed service with rate µ B ). Once it finishes at station B, it gets sent back to station A for re-processing with probability σ (exponentially distributed service with rate µ 2A - according to HoL priority discipline). Once finished, each reprocessed task departs from the network. We are also assuming that tasks after being processed in the station B leave the network with 1 - σ probability. A feed backed task is served at station A according to a non-pre-emptive priority scheme (HoL). It is served independently of all other events if the number of tasks in the second buffer exceeds a threshold tm2 and the number of task in the first buffer is less than tm1. If the number of tasks in second buffer is less than tm2 and the number of tasks in the first buffer exceeds tm1, another procedure is applied. This no two priority services in succession procedure prevents a possible overflow in the first buffer. The HoL priority service means that a task cannot get into service at station A (it waits at station B - blocking factor) until the task currently in service is completed. The successive service times at both stations are assumed to be mutually independent and they are independent of the state of the network. In such networks, another one blocking factor may occurs when a station reaches its maximum capacity, which, in turn, may momentarily stop the traffic of all incoming tasks to that ELEKTRONIKA 11/<strong>2009</strong> 51
Page 5 and 6: konstrukcje technologie zastosowani
Page 7 and 8: Streszczenia artykułów • Summar
Page 13 and 14: Medical pattern intelligent recogni
Page 15 and 16: Fig. 2. Start graph Z and the set o
Page 17 and 18: Both models are created of the basi
Page 19 and 20: • in some cases in the methods of
Page 21 and 22: 4. Random operators: three types of
Page 23 and 24: useful. In work [1] is stressed, th
Page 25 and 26: Tabl. 1. Fuzzy sets of the objects,
Page 27 and 28: In addition, one has to remember th
Page 29 and 30: The correction of digital images ob
Page 31 and 32: Tabl. 4. MD error before and after
Page 33 and 34: tionship then determines which indi
Page 35 and 36: this goal. A user’s public key au
Page 37 and 38: a) will be or could be broken, or b
Page 39 and 40: Ontology-based approach to scada sy
Page 41 and 42: erarchy of vulnerability classes wi
Page 43 and 44: and the set of tasks is divided int
Page 45 and 46: tasks: T 0 , T 4 , T 5 , T 6 and T
Page 47 and 48: According to presented function CSF
Page 49 and 50: The efficient data authentication i
Page 51 and 52: Fig. 3. Example run of three rounds
Page 53: Fig. 2. Possible scenarios of data
Page 57 and 58: dicates the number of tasks at the
Page 59 and 60: • information on their state come
Page 61 and 62: • data regarding their identity (
Page 63 and 64: k = 1, 2, ..., m and m is the numbe
Page 65 and 66: more powerful statistical (algorith
Page 67 and 68: Signal to Noise Ratio (PSNR). We pr
Page 69 and 70: [23] W3C - Web Services Glossary -
Page 71 and 72: Associated with every N-point M-dim
Page 73 and 74: The SMS-B system architecture (Sour
Page 75 and 76: Technika próżni i technologie pr
Page 77 and 78: wniosku i w konsekwencji za rok 200
Page 79 and 80: Poniżej przedstawiono krótki kome
Page 81 and 82: Wspomnienie Edward Leja (1937-2009)
Page 83 and 84: Zastosowanie technik immunoenzymaty
Page 85 and 86: z pasty węglowej, zaś odniesienia
Page 87 and 88: [33] Biani A., Centi S. Tombrlli S.
Page 89 and 90: Problemem bowiem w pracach instytut
Page 91 and 92: 1985 - Zdzisław Dorywalski 1986 -
Page 93 and 94: Rys. 4. Uroczyste wręczanie świad
Page 95 and 96: Imię i Nazwisko Patenty Wzory uży
Page 97 and 98: zadań określonych przez użytkown
Page 99 and 100: Ocena sugerowanych w ankiecie metod
Page 101: Zaprenumeruj wiedzę fachową 2010
Page 104 and 105:
Radary pasywne - nowa technika radi
Page 106 and 107:
c) stopniowo przesuwać jeden przeb
Page 108 and 109:
W przypadku wykorzystania nadajnika
Page 110 and 111:
kreślić to, że owale Cassiniego
Page 112 and 113:
Dla każdego kierunku odbieranej fa
Page 114 and 115:
chomych, które w ogólnym przypadk
Page 116 and 117:
Rys. 19. Fragment zobrazowania SS3
Page 118 and 119:
Zbigniew Czekała jest projektantem
Page 120 and 121:
• wytypowaniu statków zobowiąza
Page 122 and 123:
• używanie właściwego osprzęt
Page 124 and 125:
W jednomodowym szklanym włóknie t
Page 126 and 127:
Światłowody scyntylacyjne W środ
Page 128 and 129:
Parametry materiałowe szklanego w
Page 130 and 131:
126 ELEKTRONIKA 11/2009
Page 132 and 133:
Literatura [1] Yamane M., Asahara Y
Page 134 and 135:
Rys.1. Przebiegi testowe na wyprowa
Page 136 and 137:
nież pasmo emisji od około 500 MH
show all

Elektronika 2009-11.pdf - Instytut SystemÃ³w Elektronicznych

Create successful ePaper yourself

Delete template?

Save as template?