Search - みる会図書館

444 hits across all data.

root# KERNEL 4.0.1


Colophon (mostly illegible): Title: root# KERNEL; Editor-in-chief: Jun686 ([email protected]); issue date and event listing not recoverable.

Open Source For You, August 2017, Volume 05


Overview (continued): ... in their software development and testing cycle. This infrastructure is also developing very fast in cloud technology and cloud based services.

History of Linux containers

Container technology has evolved from a number of previous innovations and ideas. Starting from 1979, a lot of work has been done in the field of containerisation, which has given birth to present day container management systems like Docker.

1979 - UNIX V7
When the development of UNIX V7 was under way in 1979, the chroot system call was invented for changing the root directory of a process and its children to a new file system location. The thinking behind this was to provide an isolated hard drive space for each process. This was the first step in the field of containerisation.

2000 - FreeBSD Jails
Approximately 20 years later, the owner of R&D Associates Inc., Derrick T. Woolworth, came up with the earliest container technology in 2000 and named it FreeBSD Jails. This was done in order to partition a computer system into numerous independent smaller systems called jails. It had the ability to assign an IP address, custom software installations and configurations.

2001 - Linux VServer
This was similar to FreeBSD's jail mechanism and could be used to securely partition resources on a computer file system by patching a Linux kernel. Each partition is given a name and security context, and the virtualised system within is called a virtual private server. Its last stable patch was released in 2006.

2004 - Oracle Solaris containers
Oracle released the beta version of the Solaris container in 2004 and the full release took place in 2005, which was a combination of system resource controls and boundary separation provided by zones. These zones act as a complete isolated server within a single operating system instance.

2005 - OpenVZ (Open Virtuzzo)
This is similar to the Solaris container in its implementation of a patched Linux kernel for isolation, resource management and virtualisation purposes. Each container has an isolated file system, its users and user groups, devices, networks, etc.

2006 - Process containers
Process containers were introduced by Google in 2006 to limit and isolate resource usage of a collection of processes. These were later renamed Control Groups in order to avoid being confused with the 'container' used in the Linux kernel context, and were ultimately merged with Linux kernel 2.6.24.

2008 - LXC
LXC was the first and the most complete Linux container. It was developed by using cgroups and Linux namespaces. It did not require any patches to work and was made to work on the vanilla Linux kernel. It is widely used since it provides support for different languages such as Java, Ruby, Python3, etc.

2011 - Warden
CloudFoundry developed Warden in 2011. This container was not limited to the Linux operating system; instead, it was made to work on any OS. Though in the initial stages of its development it was based on LXC, it later replaced LXC with its own execution. It works by isolating environments by running on daemons, and providing an interface for managing the containers.

2013 - LMCTFY
LMCTFY, or 'Let me contain that for you', can be thought of as an open source form of container stack. The aim behind this project was to develop Linux application containers with high utilisation of shared resources, so as to get the maximum performance with the containers. This project proved to be a benchmark in the field, since many organisations have built tools as a result of it. After Google's contribution of the central LMCTFY ideas to libcontainer, the work on this project stopped in 2015.

2013 - Docker
When Docker appeared in 2013, it was the most efficient container management system and is still rated as the market leader. It was initially named dotCloud but was later renamed to Docker. It uses its own container library known as libcontainer for its management, though initially it made use of LXC just like Warden. It differed from the earlier container management systems in the way that it was a complete ecosystem for handling containers.

2016 - Windows containers
After watching the popularity of containers in the Linux operating system, Microsoft released Microsoft Windows Server 2016.

Security of containers
The security of Linux containers is of paramount importance, especially if you are dealing with sensitive data like in the banking domain. Since different software is installed on different containers, it becomes very important to secure your container properly to avoid any

Figure 1: Differences between the architecture of VMs and containers. Containers are isolated but share the OS and, where appropriate, the bins/libraries; the result is significantly faster deployment, much less overhead, easier migration and faster restart. Image credit: Docker Inc.

38 | AUGUST 2017 | OPEN SOURCE FOR YOU | www.OpenSourceForU.com

Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection


11.1 Anti-Piracy by Physical Distribution 657

... secret key stored in it and the BIOS stored in ROM on the motherboard together form the root of trust in this case. During the boot sequence, the TPM and the BIOS collaborate to measure the various software and firmware that together make up the PC. To measure, in this case, simply means to compute a cryptographically secure hash of a piece of code. To make sure that you're talking to a trustworthy computer (one that promises not to steal the secrets in your software or leak encrypted media content), you ask it to give you a list of all the software running on it, along with their hashes. This includes hashes of the bootloader, the OS kernel, any kernel modules, start-up scripts, and so on, and any piece of code on that computer that could possibly violate your trust in it. If those hashes correspond to well-known trusted software, you can allow the computer to run your software without fear of it being compromised. The IBM/Lenovo ThinkPad laptops have been shipping with a TPM chip for several years now, although there are no fully deployed systems that allow you to use them to measure trustworthiness.

In Section 11.3 (page 685), the root of trust is a processor that can execute encrypted programs. More precisely, it's the private half of a public key pair stored inside it. To distribute a program to a customer, you first encrypt it with his processor's public key. That way, the program is completely tied to his computer, no one else can execute it, and you've solved the piracy problem. This assumes, of course, that the key remains hidden, and that there are no side-channel attacks, i.e., clever ways to extract the cleartext of the program through means the designers didn't think of. In Section 11.4 (page 695), we'll show you some attacks like that. They include watching the bus between the CPU and memory, guessing and injecting encrypted instructions and watching how the CPU reacts, and causing faults in the CPU that will coax it to give up its secrets.

11.1 Anti-Piracy by Physical Distribution

In this section, we cover ways to protect software by means of physical distribution. There are two basic ideas: Either you protect the medium (CD, floppy disk, and so on) on which the software is distributed so that it's difficult to copy, or along with the software you also distribute a piece of hardware (a token, a dongle) without which the program cannot run. These copy protection schemes have a long history, filled with lots of easily broken schemes! One of the problems is that users have expectations of what they should be allowed to do with software or media that they legally bought and own, and often the copy protection scheme gets in the way of letting them do that. The frustration they experience from an overly cumbersome copy protection

Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection


672 Hardware for Protecting Software

Here's how trusted boot works, in a turtle-shell [?46]:

(Figure: a stack of turtles, each labelled "measure then load".)

At the very bottom of the stack of turtles are two things you need to trust implicitly: the core root of trust for measurement (CRTM) and the trusted platform module (TPM). The CRTM is a piece of code contained in the BIOS that measures itself and the BIOS before letting the BIOS execute. You have to trust the TPM too, because this is where the measurements are stored.[1] The BIOS measures the bootloader, stores away the measurement (remember, this is nothing more complicated than a hash, such as a SHA-1, of the code), and then lets the bootloader execute. The bootloader measures the OS kernel, saves the result, and loads the OS. The OS needs to measure any kernel modules, configuration files, and so on, that it relies on, and store them in the TPM before it can let any applications run.

Notice how the turtles at the bottom are smaller than those on top. This is not accidental (although awfully cute)—we drew them this way to indicate two things. First, the size of the turtle is proportional to the size of the code: The CRTM is a part of the BIOS boot block and might need to fit in 512 bytes or so. The programs get bigger as we go up the stack. The TPM is also "small": It's not part of the CPU (at least not yet) but typically soldered onto the motherboard, and it's supposed to be cheap so that manufacturers won't hesitate to include it on their platforms. Second, the whole stack will easily topple over if either the CRTM or the TPM is compromised. The CRTM contains measurement code that can't be modified

[1] Actually, the storage within the TPM is limited, so only a summary of the measurements is stored there. More about that later.

Open Source For You, August 2017, Volume 05


Admin

The usefulness of Linux Containers (LXC)

Containers are the future when it comes to using and shipping applications. But Linux containers or LXC can be used for more than just that. This article covers the use of LXC on a daily basis as well as for production.

Although containers have become popular due to their extensive use of Docker by Docker Inc., which has been in the market since 2013, Linux has also had its own containers for several years now. These native Linux containers are also referred to as LXC. The LXC project has been around since 2008, and is being actively maintained and supported by Canonical Ltd. It is a set of tools (technically, more an API) which gives you an interface to create a container using Linux namespaces and cgroups (Control Groups). Linux namespaces (mnt, pid, net, ipc, uts, user, etc) are a feature of the kernel that is used for different types of isolation, whereas cgroups are used to set limitations over the resources (mostly hardware like memory and disk size) used by any process.

Mount namespace (mnt): In this namespace, a process views different mount points other than the original system mount point. It creates a separate file system tree associated with different processes, which restricts them from making changes to the root file system.

PID namespace (pid): The PID namespace isolates a process ID from the main PID hierarchy. A process inside a PID namespace can have the same PID as a process outside it, and even inside the namespace, you can have a different init with PID 1.

UTS namespace: In the UTS (UNIX Time-sharing System) namespace, a process can have a different set of domain names and host names than the main system. It uses sethostname() and setdomainname() to do that.

IPC namespace (ipc): This is used for inter-process communication resources isolation and POSIX message queues.

User namespace (user): This isolates user and group IDs inside a namespace, which is allowed to have the same UID or GID in the namespace as in the host machine. In your system, unprivileged processes can create user namespaces in which they have full privileges.

Network namespace (net): Inside this namespace, processes can have different network stacks, i.e., different network devices, IP addresses, routing tables, etc.

LXC is a set of tools that makes it possible to use these Linux features and create something called a container, which is nothing but a very lightweight VM with less isolation. The reason for less isolation is the absence of a hypervisor layer, which makes containers use the same kernel as the host system. But this absence also makes containers more widely usable, as there is no overhead of configuring and no need for a hypervisor; so you can select the resources you wish to isolate according to your usage. Let's now dive into the Linux container world.

Getting started with LXC

Note: For demonstration purposes, I will use LXC in Ubuntu 16.04. LXC has great support on Ubuntu since the LXC project is backed by Canonical Ltd, which is also the publisher of the Ubuntu operating system. But you can also install LXC on any other Linux distribution through its official repositories.

In your Ubuntu machine, install LXC and lxc-templates by pasting the following command in your terminal:

$ sudo apt install lxc lxc-templates

Open Source For You, August 2017, Volume 05


Admin / Let's Try

This will give you the IP address of interfaces inside the container, rather than your host.

LXC also supports cloning and snapshots of the container. To clone a container, use the following command:

$ sudo lxc-copy -n mycontainer -N newcontainer

Note: To clone your container, it should not be in a running state. We will discuss snapshots in the next section.

Configuring Linux containers

Till now, we have used LXC tools only for general purposes. But when you are using containers in a production or development environment, you need more controls and options to get your work done. To configure a container, you must know how to use the config file. But, first, you need to know the actual location of your containers on your disk. The answer is at the path /var/lib/lxc/your_container_name. Inside this path, you will find the rootfs directory, which is the root of your container (also called the backing store), and a config file. You can change this container's path while creating the container using lxc-create by passing the parameter -P newpath or --lxcpath=PATH. You can even create a separate partition and use it as the root file system of the container. The default backing store, which is /var/lib/lxc/container_name/rootfs, is called the dir backing store. Other available options are lvm, loop, btrfs, zfs, aufs, overlayfs and rbd. With the -P option you can only define the path of your container's rootfs, but the container will still be a dir container. So, to change the backing store, use -B backing_store_type with lxc-create and lxc-clone (to clone it into another container of a different backing store).

A strong feature that LXC comes with is the container's snapshot capability. You can create a snapshot using lxc-snapshot:

$ sudo lxc-snapshot -n mycontainer

Note: Snapshots are not supported for dir based containers; so before using them, you have to clone them to a container of type aufs or overlayfs.

This will save the snapshot with the name snap0. Now, whenever you do some changes you are not sure about in your container, you can just create a snapshot before the change and restore it later with the following command:

$ sudo lxc-snapshot -r snap0 -n mycontainer

To list all the snapshots of a container, use the following command:

$ sudo lxc-snapshot -L -n mycontainer

Figure 5: Basic snapshot operations (terminal screenshot: sudo lxc-copy -n mycontainer -N newcontainer; sudo lxc-ls listing the containers, including mycontainer and newcontainer; sudo lxc-snapshot -n newcontainer to create snapshots; sudo lxc-snapshot -L -n newcontainer listing snap0 and snap1 under /var/lib/lxc/newcontainer/snaps; sudo lxc-snapshot -r snap1 -n newcontainer to restore one).

Every container has a config file at the path /var/lib/lxc/your_container/config. You can use this file for almost every possible change you want to do with LXC, including but not limited to networking, setting cgroups limitations, profiling and other common container related configurations. For example, you can mount an external folder inside the container by adding the following line in the config file of your container:

lxc.mount.entry = /mnt/share /root/share none ro,bind 0 0

We will discuss more about the config file in the next article in this series.

How LXC is different from Docker and VMs

LXC (or LXD) has been created to replace the work of VMs as the latter are really heavy to use and can be unmanageable if run in large numbers. The only difference between containers and VMs is that the former have the same kernel layer as that of the host, whereas VMs provide full isolation. So Linux containers run a whole Linux machine (or simply multiple services) inside the isolated environment provided by the Linux kernel, whereas Dockers are replacements of the traditional way of running applications and run them in isolated environments, i.e., Docker containers are made to run a single application inside their containers. LXC containers are even capable of nested containerisation, which means you can run Docker or any other container inside an LXC container without any issues. In general, it is immaterial what is running inside a container, since all applications will be treated the same way. We will discuss that comparison in the next article in this series.

By: Shubham Dubey
The author is a Linux enthusiast, and works in the fields of cloud computing, virtualisation and cyber security. He is also an active contributor to some large cloud and virtualisation projects like OpenStack and oVirt. He can be contacted at [email protected]

Two Scoops of Django: Best Practices for Django 1.8


3.2 Our Preferred Project Layout

3.2.1 Top Level: Repository Root

The top-level <repository_root>/ directory is the absolute root directory of the project. In addition to the <django_project_root> we also place other critical components like the README.rst, docs/ directory, .gitignore, requirements/ files, and other high-level files that are required for deployment.

Figure 3.1: Yet another reason why repositories are important.

TIP: Common Practice Varies Here
Some developers like to make the <django_project_root> the <repository_root> of the project.

3.2.2 Second Level: Project Root

This second level is the root of the actual Django project. All Python code files are inside this <django_project_root>/ directory, its subdirectories, or below. If using django-admin.py startproject, you would run the command from within the repository root. The Django project that it generates would then be the project root.

3.2.3 Third Level: Configuration Root

The <configuration_root>/ directory is where the settings module and base URLConf (urls.py) are placed. This must be a valid Python package (containing an __init__.py module).

Two Scoops of Django: Best Practices for Django 1.8


Chapter 5: Settings and Requirements Files

If you really want to set your BASE_DIR with the Python standard library's os.path library, though, this is one way to do it in a way that will account for paths:

EXAMPLE 5.28

# At the top of settings/base.py
from os.path import join, abspath, dirname

# here() resolves paths relative to this settings file;
# BASE_DIR is two levels up from settings/base.py
here = lambda *dirs: join(abspath(dirname(__file__)), *dirs)
BASE_DIR = here("..", "..")
# root() resolves paths relative to BASE_DIR
root = lambda *dirs: join(abspath(BASE_DIR), *dirs)

# Configuring MEDIA_ROOT
MEDIA_ROOT = root("media")

# Configuring STATIC_ROOT
STATIC_ROOT = root("collected-static")

# Additional locations of static files
STATICFILES_DIRS = (
    root("assets"),
)

# Configuring TEMPLATE_DIRS
TEMPLATES = [
    {
        'BACKEND': 'django.template.backends.django.DjangoTemplates',
        'DIRS': (root("templates"),),
    },
]

With your various path settings dependent on BASE_DIR, your file path settings should work, which means your templates and media should be loading without error.

FPGA Magazine No.15


List 1: Path settings for the Altera SDK for OpenCL compiler

export QUARTUS_ROOTDIR=/root/altera/16.0/quartus
export ALTERAOCLSDKROOT=/root/altera/16.0/hld
export PATH=$PATH:"$QUARTUS_ROOTDIR"/bin:"$ALTERAOCLSDKROOT"/linux64/bin:"$ALTERAOCLSDKROOT"/bin
export AOCL_BOARD_PACKAGE_ROOT="$ALTERAOCLSDKROOT"/board/terasic/de5net
export LD_LIBRARY_PATH="$AOCL_BOARD_PACKAGE_ROOT"/linux64/lib:"$ALTERAOCLSDKROOT"/host/linux64/lib
export QUARTUS_64BIT=1
export LM_LICENSE_FILE=/root/altera/16.0/hld/license.dat

... alone does not supply enough power, so also connect the additional power supply to the board. Also, keep the mini USB cable plugged into the DE5-NET until the next step has been carried out (from the next time onward, it is fine to remove the USB cable).

- Installing the PCI Express driver

The FPGA is empty at boot, so the configuration file for the complete circuit provided by the BSP is written to flash memory. Open a terminal, become root, and type

#aoc -list-boards

and check that de5net_a7 is displayed (Figure 5). If "aoc command not found" is displayed, type source /etc/profile to set the environment variables again. If "Board list:" is empty, check that the terasic folder has been copied into the correct directory. Once the command is set up correctly, type

#aocl install

The PCI Express driver is then installed (Figure 6). If the CentOS version is not 6.4 at this point, the installation fails; in that case, refer to page 23 of Terasic's manual. Note, however, that because this changes the kernel version, other applications may be affected.

- Writing the BSP configuration file

Now that the PCI Express driver has been installed, next write the BSP's initial configuration file to flash memory. Type

# cd /root/altera/16.0/hld/board/terasic/tests/hello_world/bin

to move to that directory, then run

#aocl flash acl0 hello_world.aocx

At this point, the flash memory ... Next, the configuration is performed.

Figure 6: Installing the PCI Express driver (terminal screenshot of aocl install: it runs the install script from the board package's linux64/libexec directory, builds the aclpci kernel modules against the installed kernel sources, and produces aclpci_drv.ko).

Photo 2: Attaching the FPGA board to the host. In particular, make sure that SW5.2[0] is set to ON (left).

Figure 5: Checking the aoc command (aoc -list-boards prints "Board list: de5net_a7", showing that the FPGA board is recognised).

Figure 7: Specifying the address to write to in flash memory (the aocl flash prompt asks which flash page should hold the FPGA configuration data, factory image or user image; type "1" to select the user space).

2 Installing the Altera SDK for OpenCL

Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection


682 Hardware for Protecting Software

... policy in place to decide what to do when you encounter an unknown hash value. It could be the result of a new version of a program you know, an entirely new program you've never heard of, or a known program whose security has been compromised. If you encounter a single unknown measurement value, do you completely distrust the remote system and refuse to talk to it further? On the one hand, if you're amazon.com and your policy is to not accept a purchase from any system that hasn't installed all the latest security patches, you might quickly find yourself out of business. On the other hand, if the remote computer has even a single altered file, its security could have been completely compromised.

In IBM's implementation of authenticated boot, their database of measurements for Redhat Fedora contains about 25,000 measurements. A typical SML contains 700 to 1,000 measurements. It would seem a herculean task to manually determine which measurements to trust and which not to. Instead, a typical strategy is to boot "a trusted system," i.e., one where all known security patches have been applied, and measure all modules, configuration files, and scripts, and store their hashes in a whitelist. Additionally, you can boot a system with known root-kits and trojans and store the hashes of infected files in a blacklist. Given all the different operating systems available, all of which come in myriad versions and configurations, even with a semi-automated system to collect measurements, keeping up-to-date white- and blacklists available would seem close to impossible. Add to that having to measure the firmware of every device that could potentially be plugged in, every application that could possibly be installed, and having to determine which combinations could possibly constitute a security threat, and it's hard to imagine that TPM-based security will ever become widespread.

Still, there has been much talk about potential uses and abuses of the technology. The most obvious application is to help digital rights management media players to run untampered on PCs. Before you're allowed to buy and download a movie, the movie distributor would verify that only approved software and hardware is installed on your computer. So if you happen to have a copy of the SoftICE debugger (a mainstay in the hacker arsenal of tools) on your hard disk, are running a slightly out-of-date kernel, or your media player has been blacklisted, you're out of luck. If your OS happens to be localized to a part of the world where the movie has yet to appear in theaters, the distributor may decide to refuse the download. Since the OS can't lie about any of the files on the hard disk, including any configuration files (the TPM guarantees that), it can't lie about where in the world it's running. In other words, without having to use the tamperproofing techniques in Chapter 7 (Software Tamperproofing), you can build a media player that can't be tampered with. That is, you're guaranteed that the untampered player executable