Terence Honles & Alex Ticer
6-05-07
Apache
setup
- socket() - creates a socket
- bind() - associates socket to a port
- listen() - prepare to accept requests
loop
(simplified) //only allows one request at a time
for(;;) {
r=accept();
handle(r);
}
(more real) //fork a child to handle each request
for(;;) {
r=accept();
p=fork(); //bottleneck
if (p==0) {
handle(r);
exit(0);
}
}
(most real) //have a pool of children already
for (;;) {
r = accept();
hand off to idle child
//each child does handle(r);
}
issues
- less fault tolerant
- shared state
(also used sometimes) //use threads instead of forking
benefits
- now you have shared state
issues
- even less fault tolerant
- worry about locking
(used on small systems) //event driven programming
(e.g. Twisted (Python), TinyOS)
for(;;) {
wait for an event;
act on the event; //happens very quickly
//no reads or writes or long loops
}
select({set of fd})
//hangs until an event happens on one of fd and returns the fd that the event happened on (and details)
//and now you can read and/or write without hanging (small amounts)
//you must maintain a to do list
benefits
- no locks
- no context switches
drawback
- more of a hassle to write
- to do management
- like threads (easy to crash)
- does not take advantage of multiple CPUs
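An added example (not from the lecture) of one pass of the select() loop above, keeping a per-fd to-do list so that every read and write is small and never hangs. MAXFD, the todo array and event_loop_once() are names assumed here, and the "ping" request in main() is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>
#define MAXFD 64  /* assumed cap; must stay below FD_SETSIZE */

/* The "to do list": reply bytes still owed to each fd. */
static struct { char buf[256]; size_t len; } todo[MAXFD];

/* One pass of the event loop; returns events handled, or -1 on error. */
int event_loop_once(const int *fds, int n) {
    fd_set rd, wr;
    int maxfd = -1, handled = 0;
    FD_ZERO(&rd); FD_ZERO(&wr);
    for (int i = 0; i < n; i++) {
        if (fds[i] < 0 || fds[i] >= MAXFD) return -1; /* FD_SET past FD_SETSIZE overruns the set */
        if (todo[fds[i]].len) FD_SET(fds[i], &wr);    /* reply owed: wait until writable */
        else FD_SET(fds[i], &rd);                     /* idle: wait for a request */
        if (fds[i] > maxfd) maxfd = fds[i];
    }
    if (select(maxfd + 1, &rd, &wr, NULL, NULL) < 0) return -1; /* hangs until an event */
    for (int i = 0; i < n; i++) {
        int fd = fds[i];
        if (FD_ISSET(fd, &rd)) {             /* one small read that cannot hang */
            ssize_t k = read(fd, todo[fd].buf, sizeof todo[fd].buf);
            if (k > 0) todo[fd].len = (size_t)k;  /* queue the echo; k == 0 means peer closed */
            handled++;
        } else if (FD_ISSET(fd, &wr)) {      /* one small write; keep whatever did not fit */
            ssize_t k = write(fd, todo[fd].buf, todo[fd].len);
            if (k > 0) {
                memmove(todo[fd].buf, todo[fd].buf + k, todo[fd].len - (size_t)k);
                todo[fd].len -= (size_t)k;
            }
            handled++;
        }
    }
    return handled;
}

int main(void) {
    int sv[2];
    char out[8] = {0};
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 1;
    if (write(sv[1], "ping", 4) != 4) return 1;   /* constructed request */
    if (event_loop_once(&sv[0], 1) != 1 || event_loop_once(&sv[0], 1) != 1) return 1;
    if (read(sv[1], out, 4) != 4) return 1;       /* pass 1 read, pass 2 wrote the echo */
    printf("echoed: %s\n", out);
    return 0;
}
```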
Security
Defense against force & fraud
May 19, NYT
Estonia Computers Blitzed
April 27 attacks on president's website
government ground to halt
many banks too
we took notes
one defense: block all non-Estonian traffic
V. Cerf's estimate (Jan): 25% of PCs are in a botnet
Main forms of attack on computers (three categories)
- against service "denial of service" attacks (a.k.a. "DoS")
- against privacy "finding your SSN" attacks (Phishing etc.)
- against integrity "tampering" attacks
Goals in security
- allow authorized access (in a timely fashion)
- Deny unauthorized access (negative goal) -> harder to test
- bugs don't get reported (bad guy wants to exploit them)
Threat modeling & Threat classification
(try not to forget this!)
- insiders
- social engineering
- network attacks
- DoS
- buffer overruns, etc.
- email viruses
- drive-by downloads
- device-based attacks
- floppy-based viruses
- USB-based viruses
General mechanisms for implementing security
- Authentication: prove who you are (e.g. password)
- Integrity: prove that the data has not been tampered with (e.g. checksum)
- Authorization: prove that you have the rights to do something (e.g. ACL)
- Auditing: prove what happened (e.g. tamperproof log)
- Correctness
- Efficiency