Hi Folks,

I drive a lot (about 90% of my professional time) and I've had a lot of time to think about LSM.

My previous post requested an "applications layer" interface for requesting permissions. I no longer think this is advisable. Why? If an application can request information about its own permissions and capabilities, so can a virus (worm, trojan horse). If you give "polite requests" non-logging or special treatment... you accomplish nothing.

Well designed applications will do their own "checking" then try to do the thing. If the thing returns with "EPERM", then *let it*. A well designed module COULD implement a little AI and count these illegal attempts, making a decision thereupon, OR, it could be provided with a "signature" file of sorts that states what the designer intended his program to access. A well designed LSM could implement a policy that allows application layer programs to register their "normal" behaviour with the LSM... resulting only in WHOOPSIE in the event that the application suddenly does something unexpected.

My worry at this point is "trust". I think there MUST be some way to verify that the security module loaded is correct. I despise the idea of "central registration", but if you put a security module into the system, it's a PRIME target for crackers. I think you have to trust the Kernel boot, but if you run INIT, the security module should be verified somehow to determine if it has been "cracked." Certainly, only ONE registration by a security module should be allowed.

"Contrary to popular opinion, it is possible for 15 year olds with compilers to both SUCK *and* BLOW"

Summary: let applications handle failures already existent gracefully, build SMART LSMs, and find a way to ASSURE that loaded modules are "original".

My Two Cents,
J. Melvin Jones

|>------------------------------------------------------
|| J. MELVIN JONES            jmjonesat_private
|>------------------------------------------------------
|| Microcomputer Systems Consultant
|| Software Developer
|| Web Site Design, Hosting, and Administration
|| Network and Systems Administration
|>------------------------------------------------------
|| http://www.jmjones.com/
|>------------------------------------------------------

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 17:27:43 PDT