Where A, B, C, and D are used here to refer to occurrences of the variable i. There are two parts of this statement: everything before the AND, and everything after the AND. After the AND, the variables C and D are bound to the definition at B, but not A. This is analogous to variable scoping in a code fragment like this:i = 5 AND FOR ALL i: 0 <= i < 10 --> P(i) ^ ^ ^ ^ A B C D
Note that in this code fragment, the variable i inside the if block is different than the variable in the if test.if (i == 5) { int i; for (i = 0; i < 10; i++) { P(i); } }
Example: Input validation
Suppose you are designing a web-based storage system for users. This
system should let many (authorized) users store and retrieve their own
files using a web interface. So you are designing the CGI program that
handles user input and accesses the file system to store and retrieve
files. The interface for the system could be as simple as this:
You want to store all the files for each user in their own directory (perhaps with subdirectories) on the server running the web program. Each user's files will be named by their username. Imagine the user "bsy" is an authorized user of the system. Then his files would be stored under the directory "/var/foo/bsy/". Then if bsy wants to retrieve file "/var/foo/bsy/text/README", he should supply the relative path name "/text/README", which will be appended to "/var/foo/bsy/" by the retrieval program to find the intended file.
However, there is a problem with allowing him to supply any path name, because of the ".." directive, which means to go up a directory. Suppose the user supplied the path "/../ghamerly/secretBankAccountInfo.txt". If not checked, this will give bsy access to potentially secret information of ghamerly. How can we handle this? There are several ways:
Suppose we chose to implement the first policy of allowing any file name, but tracking the accesses and disallowing access outside of a user's own area. One way we could do this is to calculate the relative path name ourselves. This is error prone and amiguous, as noted above, but it is possible. Another option is the "chroot", which is a privileged operation to set the root of a filesystem for a process. For example, if the program we wrote was run as "chroot /var/foo/bsy/ program", then the program would see /var/foo/bsy/ as the root of the filesystem (i.e. /), and the operating system would not allow access anywhere outside of that area. However, chroot has other problems we will not go into here.
Suppose we choose to implement the second policy of disallowing certain characters in the relative path name. How should we do it? Should we scan the input path name for characters that aren't allowed and remove (or reject) any we see, or should we scan for characters that are allowed, and remove (or reject) anything we don't recognize? Which is a better policy?
Suppose that we are scanning for all characters that are not allowed in the path name. What if we make a mistake and omit some illegal characters that we should be checking for? Then we may have a security breach. However, what if we are scanning for all characters that are allowed in the input and we make a omission? Then we may have a usability problem, as users won't be able to use certain characters that they should, but we are also less likely to have a security breach.
A Virtual Private Network (VPN) is a system that is becoming common that allows a host that is not in a private network to pretend as if it is. Imagine that a company employee with computer A is on business trip. Computer A is connected to the global internet (through an ISP), and the user wants to connect to the internal private network P. Then his company owning network P can create a VPN gateway (call it G) that A can connect to. Then G pretends to be host A for the internal network, and A communicates to G over the global internet using encryption. Often times, VPN software will disallow host A to connect to any site other than G (or receive connections from elsewhere other than through G) while using the VPN. This helps to prevent host A from becoming a stepping stone in an attack.
bsy+cse127w02@cs.ucsd.edu, last updated
email bsy.