Outline for November 3, 2005

1. MULTICS ring mechanism
   1. MULTICS rings: used for both data and procedures; rights are REWA
   2. (b₁, b₂) access bracket - can access freely; (b₃, b₄) call bracket - can call segment through gate; so if a's access bracket is (32,35) and its call bracket is (36,39), then assuming permission mode (REWA) allows access, a procedure in:
      rings 0-31: can access a, but ring-crossing fault occurs
      rings 32-35: can access a, no ring-crossing fault
      rings 36-39: can access a, provided a valid gate is used as an entry point
      rings 40-63: cannot access a
   3. If the procedure is accessing a data segment d, no call bracket allowed; given the above, assuming permission mode (REWA) allows access, a procedure in:
      rings 0-32: can access d
      rings 33-35: can access d, but cannot write to it (W or A)
      rings 36-63: cannot access d
2. Firewalls
   1. What they are
   2. Proxy (application layer) vs. filtering (network layer)
   3. Example access control lists
   4. Filtering services
   5. Redirection of traffic
   6. Example network setup with firewalls: home
   7. Example network setup with firewalls: organization

Puzzle of the Day

Sun Tzu writes in his classic book The Art of War:

He will win who knows when to fight and when not to fight.

He will win who knows how to handle both superior and inferior forces.

He will win whose army is animated by the same spirit throughout all its ranks.

He will win who, prepared himself, waits to take the enemy unprepared.

He will win who has military capacity and is not interfered with by the sovereign.

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.1

What does this say to a system manager about computer security?