Sunday, January 17, 2016

We continue discussing the paper "Shielding applications from an untrusted cloud with Haven," written by Andrew Baumann, Marcus Peinado, and Galen Hunt. We discussed the Intel SGX instructions. Today we look at Drawbridge. It is a system that supports low-overhead sandboxing of Windows applications and comprises a picoprocess and a library OS. The picoprocess is an isolation container within a hardware address space, with no access to traditional OS services. Instead it uses a narrow ABI of OS primitives implemented by a security monitor. The LibOS is a version of Windows refactored to run as a set of libraries within the picoprocess, depending only on the ABI. It consists of lightly modified binaries for most user-mode and some kernel components of Windows, and a "user-mode kernel" that implements the interfaces on which they depend. Together they enable sandboxing of unmodified Windows applications. This is on par with VM security but with substantially lower overhead.

By sandboxing, it is implied that Drawbridge protects the host from an untrusted guest. Complementary to this, Haven shields the execution of the application and LibOS from an untrusted host, thereby enabling mutual distrust between host and guest. Haven is built on the instruction-level isolation mechanism of Intel SGX.

Let us look at how it protects the application from a malicious host OS. The first class of attacks is called Iago attacks. The application assumes that the OS will behave correctly. The malicious OS violates this assumption by not only returning incorrect results from system calls but also seeking to expose bugs in the application. The end result may be that the application crashes, but more sophisticated harm, such as data corruption, can also be done. For example, the OS may allocate valid but abnormally high virtual addresses, return unexpected error codes from system calls, or simply fail calls that an application naively assumes will succeed.

Haven counteracts this by limiting the scope of such attacks using a LibOS within the enclave. First, since the LibOS is under user control, and can be arbitrarily tested or inspected offline, it is not malicious. Second, with the reduced interface, corrective techniques can be used to implement these OS primitives against a malicious host. This can be done with careful defensive coding, exhaustive validation of untrusted inputs, and encryption or integrity protection of any private data exposed to untrusted code.
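To make "exhaustive validation of untrusted inputs" concrete, here is an added example (not code from the paper or from Haven) of a shield-side check on a host's reply to a buffer-allocation request. The enclave layout, the address limit, the `host_reply` structure and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical layout: enclave occupies [ENCLAVE_BASE, ENCLAVE_BASE + ENCLAVE_SIZE). */
#define ENCLAVE_BASE  0x100000000ULL
#define ENCLAVE_SIZE  0x040000000ULL
#define USER_VA_LIMIT 0x00007fffffffffffULL  /* highest address the shield accepts */
#define PAGE_SIZE     4096ULL
#define MAX_REGIONS   16

enum verdict { OK, ERR_HOST_STATUS, ERR_MALFORMED, ERR_RANGE, ERR_IN_ENCLAVE, ERR_OVERLAP, ERR_FULL };

struct host_reply { int status; uint64_t addr; uint64_t len; };  /* untrusted input */

static struct { uint64_t lo, hi; } granted[MAX_REGIONS];  /* regions already accepted */
static size_t n_granted;

static int overlaps(uint64_t lo, uint64_t hi, uint64_t lo2, uint64_t hi2) {
    return lo < hi2 && lo2 < hi;  /* half-open intervals [lo, hi) */
}

/* Validate the host's answer to "give me `want` bytes of untrusted buffer memory". */
enum verdict check_host_alloc(struct host_reply r, uint64_t want) {
    if (r.status != 0) return ERR_HOST_STATUS;        /* any non-success code is a failure */
    if (want == 0 || r.addr == 0 || r.addr % PAGE_SIZE || r.len != want)
        return ERR_MALFORMED;                         /* null, unaligned or wrong size */
    if (r.len > USER_VA_LIMIT || r.addr > USER_VA_LIMIT - r.len + 1)
        return ERR_RANGE;                             /* wraparound or abnormally high */
    uint64_t hi = r.addr + r.len;                     /* cannot overflow after the check above */
    if (overlaps(r.addr, hi, ENCLAVE_BASE, ENCLAVE_BASE + ENCLAVE_SIZE))
        return ERR_IN_ENCLAVE;                        /* would alias private enclave memory */
    for (size_t i = 0; i < n_granted; i++)
        if (overlaps(r.addr, hi, granted[i].lo, granted[i].hi))
            return ERR_OVERLAP;                       /* host handed out the same pages twice */
    if (n_granted == MAX_REGIONS) return ERR_FULL;
    granted[n_granted].lo = r.addr;
    granted[n_granted].hi = hi;
    n_granted++;
    return OK;
}

int main(void) {
    struct host_reply r = { 0, 0x100001000ULL, PAGE_SIZE };  /* constructed: inside the enclave */
    return check_host_alloc(r, PAGE_SIZE) == ERR_IN_ENCLAVE ? 0 : 1;
}
```

The overlap and enclave-range checks are what stop a "valid-looking" address from aliasing memory the application already trusts, which is the core of an Iago attack.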
#codingexercise
Below is a set of sentences in which the letters have been replaced with substitutes. The substitution is one-to-one and onto, meaning that the mapping is bidirectional between the meaningful and the transformed letters. For example, we are given "a zoo" with the letter replacements 'a' with 'y', 'z' with 'q' and 'o' with 'e', yielding "y qee". We start out with a meaningful phrase or sentence and translate it to the transformed set. Given the following samples, write code to translate any given transformed string.
 ejp mysljylc kd kxveddknmc re jsicpdrysi
rbcpc ypc rtcsra dkh wyfrepkym veddknkmkrkcd
de kr kd eoya kw aej tysr re ujdr lkgc jv
Case #1: our language is impossible to understand
Case #2: there are twenty six factorial possibilities
Case #3: so it is okay if you want to just give up
using System.Collections.Generic;
using System.Text;

// Learn the substitution from a transformed sample and its known plaintext.
void Train(string transforms, string actual, ref Dictionary<char, char> h)
{
    for (int i = 0; i < transforms.Length; i++)
    {
        if (transforms[i] != ' ' && h.ContainsKey(transforms[i]) == false)
        {
            h.Add(transforms[i], actual[i]);
        }
    }
}
// q and z may still be missing from the dictionary

// Translate a transformed string; letters never seen in training become '_'.
string Test(string candidate, ref Dictionary<char, char> h)
{
    if (h.Count != 26)
    {
        foreach (char c in "abcdefghijklmnopqrstuvwxyz")
        {
            if (h.ContainsKey(c) == false)
                h.Add(c, '_');
        }
    }
    var ret = new StringBuilder(candidate);
    for (int i = 0; i < candidate.Length; i++)
    {
        if (candidate[i] != ' ')
        {
            ret[i] = h[candidate[i]];
        }
    }
    return ret.ToString();
}
