2020-05-22 20:53:12

by Eric Curtin

Subject: Looking for an open-source thesis idea

Hi Guys,

Hope I'm not bothering you. I'm looking for a master's thesis idea, and
if possible doing one related to open source software (of course I
have the option of tying it in to the Powermax kernel I work on also
with Dell). One idea that sprung to mind is, I'm really liking this
new QUIC (UDP) protocol as an alternative to TCP over TLS. And with
the growth of new modern secure protocols like Wireguard. I was
wondering, would it be an idea to do a monolithic secure TCP protocol
(as an alternative to TCP over TLS) as a small thesis project or is it
as hard as the guys at Google make it sound?

"Because TCP is implemented in operating system kernels, and middlebox
firmware, making significant changes to TCP is next to impossible."

I'm open to any other suggestions also for my thesis :)

The middlebox firmware sounds like it could be the issue I guess.


2020-05-26 07:56:04

by Sandy Harris

Subject: Re: Looking for an open-source thesis idea

Eric Curtin <[email protected]> wrote:

> Hope I'm not bothering you. I'm looking for a masters thesis idea, ...

> I'm really liking this
> new QUIC (UDP) protocol as an alternative to TCP over TLS. And with
> the growth of new modern secure protocols like Wireguard. I was
> wondering, would it be an idea to do a monolithic secure TCP protocol
> (as an alternative to TCP over TLS) as a small thesis project or is it
> as hard as the guys at Google make it sound?
>
> "Because TCP is implemented in operating system kernels, and middlebox
> firmware, making significant changes to TCP is next to impossible."

I'm inclined to agree with the Google folk on that. However, what about
IPsec? That was designed to secure anything-over-IP so it should be
a more general solution. The FreeS/WAN project added opportunistic
encryption for wider availability
https://freeswan.org/freeswan_trees/freeswan-2.06/doc/intro.html#goals

Today some opportunistic encryption protocols -- SMTP-over-TLS and
HTTPS Everywhere -- are quite widespread but my impression is
that opportunistic IPsec is not. Would adding it to an open source
router be a thesis-sized project? Or, since routers likely have IPsec
already, just making it easier to deploy?

> I'm open to any other suggestions also for my thesis :)

Linux's OOM killer strikes me as a spectacularly ugly kluge,
but people who are certainly more knowledgeable and likely
more competent seem to think it is necessary. Is there a
thesis in examining it, looking at how other Unix-like systems
handle the problem & perhaps implementing an alternative
for Linux?

2020-05-27 11:57:06

by Eric Curtin

Subject: Re: Looking for an open-source thesis idea

Hi Sandy,

I actually have worked quite a bit with IPsec, it's not a protocol I'm
a huge fan of, its use of multiple ports makes it difficult to work
with middleboxes (be it load-balancers, TLS interceptors, reverse
proxies, proxies, firewalls, routers, switches, etc.). I've even seen
issues where some middleboxes only recognize TCP/UDP packets and not
ESP packets. There are so many implementations of IPsec with various
router OSes and the standard seems to be only sort of universally
accepted. It can be difficult to deploy.

Although Wireshark does solve many of these problems, it's simpler
at least, as regards VPNs I really like it. I'm actually more a fan of
protocols that applications have a little more control over like QUIC
over UDP or TLS over TCP.

I actually use the HTTPS Everywhere plugin, but at the end of the day,
that simply just turns on TLS encryption if it's available right?

I like some of the problems QUIC solves, the multiple handshake
problem decreasing overall round trips, and just that it's more
modern. OpenSSL is brilliant, but there's a lot of deadwood, older
encryption techniques in that codebase.

A monolithic secure TCP protocol seems like a nice idea, but maybe it
is too difficult.

I think it's a nice idea to explore OOM killer and compare it to the
solutions on various other OS's (FreeBSD, AIX, z/OS, Solaris, HP-UX,
macOS, iOS, Windows, Zircon, etc. and the OS I work on Powermax).
Thanks for that.

Any other ideas, keep them coming :)

On Tue, 26 May 2020 at 08:18, Sandy Harris <[email protected]> wrote:
>
> Eric Curtin <[email protected]> wrote:
>
> > Hope I'm not bothering you. I'm looking for a masters thesis idea, ...
>
> > I'm really liking this
> > new QUIC (UDP) protocol as an alternative to TCP over TLS. And with
> > the growth of new modern secure protocols like Wireguard. I was
> > wondering, would it be an idea to do a monolithic secure TCP protocol
> > (as an alternative to TCP over TLS) as a small thesis project or is it
> > as hard as the guys at Google make it sound?
> >
> > "Because TCP is implemented in operating system kernels, and middlebox
> > firmware, making significant changes to TCP is next to impossible."
>
> I'm inclined to agree with the Google folk on that. However, what about
> IPsec? That was designed to secure anything-over-IP so it should be
> a more general solution. The FreeS/WAN project added opportunistic
> encryption for wider availability
> https://freeswan.org/freeswan_trees/freeswan-2.06/doc/intro.html#goals
>
> Today some opportunistic encryption protocols -- SMTP-over-TLS and
> HTTPS Everywhere -- are quite widespread but my impression is
> that opportunistic IPsec is not. Would adding it to an open source
> router be a thesis-sized project? Or, since routers likely have IPsec
> already, just making it easier to deploy?
>
> > I'm open to any other suggestions also for my thesis :)
>
> Linux's OOM killer strikes me as a spectacularly ugly kluge,
> but people who are certainly more knowledgeable and likely
> more competent seem to think it is necessary. Is there a
> thesis in examining it, looking at how other Unix-like systems
> handle the problem & perhaps implementing an alternative
> for Linux?

2020-05-27 12:11:25

by Sandy Harris

Subject: Re: Looking for an open-source thesis idea

Eric Curtin <[email protected]> wrote:

> Hope I'm not bothering you. I'm looking for a masters thesis idea, ...

Here's a report claiming 70% of security bugs involve memory errors.
https://www.zdnet.com/article/chrome-70-of-all-security-bugs-are-memory-safety-issues/
Build a tool to find or fix those?

Another report I saw on Slashdot recently said lots of web vulnerabilities
were due to problems in widely used open source libraries.