Tuesday, December 27, 2005

The October 2005 and December 2005 issues of ;login:, the USENIX magazine, feature some interesting articles.

  • Michael W. Lucas wrote FreeBSD 5 SMPng, which does not appear to be online and will be available to non-USENIX members in October 2006. Michael uses layman-friendly language to explain the architectural decisions made to properly implement SMP in FreeBSD 5.x and beyond. He explains that removing the Big Giant Lock involved deciding to "make it run" first and "make it fast" second. Given the arrival of dual-core processors on laptops, desktops, and servers, with more cores on the way, FreeBSD's SMP work is being validated.

  • Marc Fiuczynski wrote Better Tools for Kernel Evolution, Please! about the problems with the current Linux kernel development model. I am not sure his proposed solution, C4 (CrossCutting C Compiler), is the answer. As mentioned in the conference report on Marc's talk at HotOS X, "Jay Lepreau commented that the problem is that Linux has a pope model -- there’s only one integrator."

  • Peter Baer Galvin wrote about Solaris 10 Containers. This article explained some of the concepts behind containers, which are a way to run multiple isolated instances of the same version of Solaris, all sharing one kernel, on a single Solaris system, with resource controls layered on top. They sound more advanced than FreeBSD jails.

  • Hobbit wrote DNS-based Spam Rejection, which uses pattern matching for DNS records to reject mail. Yes, that is the same Hobbit who wrote Netcat.

  • The December Security issue began strong with musings by new ;login: editor Rik Farrow. He makes some great points about weakness in depth. He notes that Microsoft's research OS Singularity, "like [Cisco] IOS, runs entirely in Ring 0, avoiding the performance penalties for context switches -- Singularity can switch between processes almost two orders of magnitude faster than BSD, which goes through context switching. Again, the penalty is the reduction in security by running all processes in Ring 0." Now, I am not even close to being a kernel developer, but I cannot believe Microsoft is toying with the idea of running everything in Ring 0. Is this just hubris on the part of Microsoft's developers? Do they seriously think they are smarter than everyone else who came before, and that they are going to get Singularity "right"?

  • Last week I ranted against the folly of a "pull the plug" first mentality to host-based forensics. Thankfully, Using Memory Dumps in Digital Forensics by Sam Stover and Matt Dickerson explains why it is not a good idea to power down immediately: the memory-resident evidence (running processes, open network connections, decrypted or unsaved data) is gone the moment power drops.
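The DNS pattern-matching idea from Hobbit's article, as an added example that is not his code or his published pattern set: a connecting SMTP client is judged by its reverse DNS (no PTR at all, a PTR that does not resolve back to the client, the client's own IP octets embedded in its name, or provider labels such as dsl/cable/pool), which is the shape of the technique. The DNS answers are a constructed table so the example runs offline, and the label list is an assumption, not anything taken from the article.

```python
"""rDNS-based connect-time rejection of mail clients (added example)."""
import ipaddress
import re
from typing import Tuple

# Constructed DNS data so the example runs offline (not real records).
# Reverse map: client IP -> PTR name (None means the PTR lookup answers NXDOMAIN).
PTR = {
    "192.0.2.10": "mail.example.org",
    "192.0.2.11": "mail.example.org",   # claims the same name but is not in its A records
    "192.0.2.25": "192-0-2-25.dsl.example.net",
    "192.0.2.26": "cpe-192-0-2-26.cable.example.net",
    "192.0.2.40": "host40.pool.example.net",
    "192.0.2.50": None,
}
# Forward map: name -> set of A records.
A = {
    "mail.example.org": {"192.0.2.10"},
    "192-0-2-25.dsl.example.net": {"192.0.2.25"},
    "cpe-192-0-2-26.cable.example.net": {"192.0.2.26"},
    "host40.pool.example.net": {"192.0.2.40"},
}

# Hypothetical label list (an assumption, not Hobbit's patterns): tokens that
# providers put in the names of dynamically assigned end-user addresses.
DYNAMIC_LABELS = re.compile(r"\b(dsl|cable|dhcp|dialup|dyn|pool|ppp|cpe)\b", re.IGNORECASE)


def embeds_own_ip(name: str, ip: str) -> bool:
    """True when the client's four octets appear in its PTR name, in either
    order, separated by '-' or '.', e.g. 192-0-2-25.dsl.example.net."""
    octets = ip.split(".")
    forward = r"[-.]".join(octets)
    backward = r"[-.]".join(reversed(octets))
    return re.search(rf"(?<!\d)(?:{forward}|{backward})(?!\d)", name) is not None


def check_client(ip: str) -> Tuple[bool, str]:
    """Decide whether to accept a connecting SMTP client from its rDNS.
    Returns (accept, reason); the reason is what you would log or put in
    the 550 text. Checks run from cheapest/most certain to most heuristic."""
    ipaddress.IPv4Address(ip)            # raises ValueError on garbage input
    name = PTR.get(ip)
    if name is None:
        return False, "no PTR record for client"
    if ip not in A.get(name, set()):     # forward-confirmed reverse DNS
        return False, "PTR name does not resolve back to client"
    if embeds_own_ip(name, ip):
        return False, "client IP embedded in hostname (generic/dynamic naming)"
    if DYNAMIC_LABELS.search(name):
        return False, "hostname carries a dynamic-address label"
    return True, "forward-confirmed rDNS with no dynamic markers"


def smtp_reply(ip: str) -> str:
    """Map the decision to the reply an MTA would send at connect time."""
    accept, reason = check_client(ip)
    return f"220 ready ({reason})" if accept else f"550 rejected: {reason}"


if __name__ == "__main__":
    for client in PTR:
        print(client, "->", smtp_reply(client))
```

In a real MTA hook the two dictionary lookups become resolver calls, and the code must then distinguish NXDOMAIN (reject) from SERVFAIL or a timeout (tempfail with a 4xx so a legitimate sender retries); checks like these also need an allowlist for known-good relays that happen to have ugly names.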
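A concrete version of the point Stover and Dickerson make, as an added example rather than anything from their article: the state below is gone once the plug is pulled, so a responder collects it first, in order of volatility, and seals the collection with hashes so it can be verified later. The tool names (sockstat, netstat, arp, and so on) are what a FreeBSD or Linux host of the period typically has and are assumptions about the target; a tool that is absent is recorded as missing instead of aborting the run, and the physical memory image is an explicit opt-in because reading /dev/mem needs root and is restricted or absent on many kernels.

```shell
#!/bin/sh
# Added example, not code from the ;login: article or its authors: a minimal
# live-response collector. It grabs the state that vanishes at power-off
# (clock, processes, sockets, routes, logged-in users) before anything else
# touches the host, and writes a SHA-256 manifest of every artifact.

# run_step DIR NAME CMD [ARGS...]: save CMD's stdout+stderr as DIR/NAME.txt,
# or note its absence in DIR/NAME.missing. Never fails, so one bad tool
# cannot stop the rest of the collection.
run_step() {
    dir="$1"; name="$2"; shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "$1: not found on this host" > "$dir/$name.missing"
        return 0
    fi
    "$@" > "$dir/$name.txt" 2>&1 || echo "exit status $?" >> "$dir/$name.txt"
    return 0
}

# hash_file FILE: print "digest  file" with whichever SHA-256 tool exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1"
    elif command -v sha256 >/dev/null 2>&1; then sha256 -r "$1"   # FreeBSD
    else echo "no SHA-256 tool found" >&2; return 1
    fi
}

# write_manifest DIR: one "digest  name" line per collected artifact.
write_manifest() {
    dir="$1"
    : > "$dir/manifest.sha256"
    for f in "$dir"/*; do
        case "$f" in */manifest.sha256) continue ;; esac
        h=$(hash_file "$f" | awk '{print $1}')
        [ -n "$h" ] || return 1
        printf '%s  %s\n' "$h" "$(basename "$f")" >> "$dir/manifest.sha256"
    done
}

# verify_manifest DIR: recompute every digest; non-zero on any mismatch.
verify_manifest() {
    dir="$1"
    while read -r expected name; do
        actual=$(hash_file "$dir/$name" | awk '{print $1}')
        [ "$actual" = "$expected" ] || { echo "MISMATCH: $name" >&2; return 1; }
    done < "$dir/manifest.sha256"
}

# collect_volatile DIR: capture in order of volatility, then seal with a manifest.
collect_volatile() {
    dir="$1"
    mkdir -p "$dir" || return 1
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$dir/00_collection_time.txt"
    # Opt-in only (DUMP_MEM=yes): physical memory is the most volatile artifact,
    # but /dev/mem needs root and is restricted or absent on many kernels.
    if [ "${DUMP_MEM:-no}" = yes ] && [ -r /dev/mem ]; then
        run_step "$dir" 05_physmem dd if=/dev/mem of="$dir/05_physmem.img" bs=65536
    fi
    run_step "$dir" 10_uname     uname -a
    run_step "$dir" 20_uptime    uptime
    run_step "$dir" 30_processes ps auxww          # BSD-style flags work on both families
    run_step "$dir" 40_sockets   sockstat -46      # FreeBSD; a Linux host gets a .missing note
    run_step "$dir" 41_netstat   netstat -an
    run_step "$dir" 50_routes    netstat -rn
    run_step "$dir" 60_arp       arp -an
    run_step "$dir" 70_users     who
    run_step "$dir" 80_mounts    mount
    write_manifest "$dir"
}

# Run as a script:  sh collect.sh /var/tmp/ir-$(hostname)-$(date +%s)
if [ $# -gt 0 ]; then
    collect_volatile "$1" && verify_manifest "$1" && echo "collection sealed in $1"
fi
```

Write the output directory to removable or network storage, not to the suspect host's own disk, and keep the .missing files: a later reviewer needs to know that a gap in the evidence was a missing tool, not a missing step.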


Getting free copies of these magazines is almost a good enough reason to attend USENIX conferences!

2 comments:

Keydet89 said...

Re: your rant. While I agree that simply "pulling the plug" is folly, for a wide range of reasons, the fact remains that it is the default SOP. There are still purists out there, but more importantly, one has to understand the position of the folks who do this, most notably, law enforcement.

On page 6 of "Forensic Discovery", the authors state a philosophy that great understanding is more desirable than increased certainty...that performing live response and understanding the effect that those actions have on a system are preferable to "freezing" the system state by pulling the plug. The reason many organizations haven't explored this philosophy is a lack of understanding. As is the case with many organizations, and in particular law enforcement, staffs are overburdened and undermanned, so there are too few resources to innovate and expand the state of forensic analysis.

With regards to the "Memory Dumps" article...I can't access it, so I have to ask how much of the article addresses Windows memory dumps specifically.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Jane-Ellen Long said...

Michael Lucas's article is indeed online: it's the first listed under Operating Systems.

You can get ;login: without leaving the comfort of your home office. Just join USENIX.