The BSD Socket API for Simulator

Liu, Zhiwei

January 2007

BSD Socket API for Simulator is a project to run untouched Real World Application (RWA) binaries on the powerful modern general-purpose network simulators. BSD Socket API for Simulator is designed to eliminate most of the drawbacks of previous works. It is simulator independence, so it can make use of the powerful functionality and versatile tools provided by modern general-purpose simulators such as NS-2. It is fully compatible with BSD Socket API, so RWA can be run on it without re-linking and re-compiling. It is transparent to the RWA, so RWAs are run on BSD Socket API for Simulator as they are on normal operating systems. BSD Socket API for Simulator is built on the concept of message redirecting. It has two critical parts: shared library and customized simulator application. The shared library is loaded into the address space of RWA. On one hand, messages sent by RWA are captured by the shared library and redirected to the customized simulator application. On the other hand, messages from simulator are redirected by the customized simulator application to the shared library. BSD Socket API for Simulator has been intensively tested. The test results show that it functions as expected and it has an acceptable performance.

BSD Socket API

network simulator

real world application

ns-2

message redirecting

The Security Layer

O'Neill, Mark Thomas

01 January 2019

Transport Layer Security (TLS) is a vital component to the security ecosystem and the most popular security protocol used on the Internet today. Despite the strengths of the protocol, numerous vulnerabilities result from its improper use in practice. Some of these vulnerabilities arise from weaknesses in authentication, from the rigidity of the trusted authority system to the complexities of client certificates. Others result from the misuse of TLS by developers, who misuse complicated TLS libraries, improperly validate server certificates, employ outdated cipher suites, or deploy other features insecurely. To make matters worse, system administrators and users are powerless to fix these issues, and lack the ability to properly control how their own machines communicate securely online. In this dissertation we argue that the problems described are the result of an improper placement of security responsibilities. We show that by placing TLS services in the operating system, both new and existing applications can be automatically secured, developers can easily use TLS without intimate knowledge of security, and security settings can be controlled by administrators. This is demonstrated through three explorations that provide TLS features through the operating system. First, we describe and assess TrustBase, a service that repairs and strengthens certificate-based authentication for TLS connections. TrustBase uses traffic interception and a policy engine to provide administrators fine-tuned control over the trust decisions made by all applications on their systems. Second, we introduce and evaluate the Secure Socket API (SSA), which provides TLS as an operating system service through the native POSIX socket API. The SSA enables developers to use modern TLS securely, with as little as one line of code, and also allows custom tailoring of security settings by administrators. Finally, we further explore a modern approach to TLS client authentication, leveraging the operating system to provide a generic platform for strong authentication that supports easy deployment of client authentication features and protects user privacy. We conclude with a discussion of the reasons for the success of our efforts, and note avenues for future work that leverage the principles exhibited in this work, both in and beyond TLS.

SSL

TLS

man in the middle

certificate

OpenSSL

security

operating system

administrator control

kernel security

policy

certificates

transport layer security

secure sockets layer

developer mistakes

vulnerabilities

client authentication

DANE

OSCP

CRLSet

CRL

Convergence

notary

POSIX

socket API

API

Computer Sciences