microsoft/MSRC-Security-Research

Misleading code description

jrtc27 opened this issue · 1 comments

In "Security analysis of CHERI ISA.pdf", section "Stealing capabilities, signing gadgets", there is the following description:

The next lines do a logical or on a capability taken from $c3 and then $c1 with 3 and saves it again at $c1+0x16

referring to the code sequence:

clc      $c1, zero, 0($c3)
clc      $c2, zero, 16($c1)
cgetaddr at, $c2
ori      at, at, 3
csetaddr $c2, $c2, at
csc      $c2, zero, 16($c1)

Firstly, it should say $c1+0x16 not $c1 in the description. Secondly, "taken from" is vague and could be taken as a register-register move rather than a load; I would suggest saying "loaded from/via" (and use "stores" rather than "saves", though that one at least is not ambiguous).
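A toy Python model of the quoted sequence, added here as an illustration (it is not code from the issue, the PDF or the CHERI project), recording which instructions access memory and which only operate on registers. The `Cap` and `Machine` classes and the sample addresses are assumptions, and a capability is reduced to an address plus a tag bit, with no bounds, permissions or sealing.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Cap:
    addr: int          # bounds, permissions and sealing are not modelled
    tag: bool = True

class Machine:
    def __init__(self, mem, c3):
        self.mem = dict(mem)            # address -> Cap stored at that address
        self.c = {"c3": c3}             # capability registers
        self.r = {"zero": 0}            # integer registers
        self.trace = []                 # memory accesses, in order

    def clc(self, cd, rt, off, cb):     # load capability from memory
        ea = self.c[cb].addr + self.r[rt] + off
        self.c[cd] = self.mem[ea]
        self.trace.append(("load", ea))

    def csc(self, cs, rt, off, cb):     # store capability to memory
        ea = self.c[cb].addr + self.r[rt] + off
        self.mem[ea] = self.c[cs]
        self.trace.append(("store", ea))

    def cgetaddr(self, rd, cb):         # register-only: read the address field
        self.r[rd] = self.c[cb].addr

    def ori(self, rd, rs, imm):         # register-only: integer OR
        self.r[rd] = self.r[rs] | imm

    def csetaddr(self, cd, cb, rs):     # register-only: replace the address field
        self.c[cd] = replace(self.c[cb], addr=self.r[rs])

def run_sequence(m):
    m.clc("c1", "zero", 0, "c3")        # load via $c3
    m.clc("c2", "zero", 16, "c1")       # load from $c1 + 16
    m.cgetaddr("at", "c2")
    m.ori("at", "at", 3)
    m.csetaddr("c2", "c2", "at")
    m.csc("c2", "zero", 16, "c1")       # store back to $c1 + 16
    return m

def demo():
    # Constructed sample memory: 0x1000 holds a capability to 0x2000,
    # and 0x2010 (= 0x2000 + 16) holds a capability to 0x4000.
    mem = {0x1000: Cap(0x2000), 0x2010: Cap(0x4000)}
    return run_sequence(Machine(mem, c3=Cap(0x1000)))
```

Calling `demo().trace` lists two loads followed by one store, and the capability stored back has its address ORed with 3.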

The security challenges facing the usage of mobile devices in the enterprise are an example where additional attention is warranted. While many of the core security concerns of enterprise IT systems are shared by mobile devices and their management systems, unique challenges do exist. For instance, mobile devices leave the physical and logical boundaries defined by the organization. The small form factor of a mobile device makes device loss or theft a real concern, especially when these devices store proprietary enterprise information which may also be governed by additional regulations (e.g., healthcare data). Although mobile devices are not the only type of device that generally transcends the traditional enterprise network boundary (e.g., laptops), users frequently connect to unsafe networks, perform enterprise activities, and then bring the device back to the enterprise. Many devices automatically connect to unsafe networks without the user’s knowledge, are exposed to unsafe systems, and are then brought back into the enterprise. Finally, users generally feel empowered to install applications that a system administrator may have no knowledge of, yet will need to defend against.