More Input From User Space

From: jmjonesat_private
Date: Wed Apr 18 2001 - 17:25:41 PDT

    Hi Folks,
    
        I drive a lot (about 90% of my professional time) and 
    I've had a lot of time to think about LSM.
    
    
        My previous post requested an "applications layer" interface
    for requesting permissions.  I no longer think this is advisable.
    
    Why?
    
       If an application can request information about its own permissions
    and capabilities, so can a virus (worm, trojan horse).  If you give
    "polite requests" non-logging or special treatment... you accomplish
    nothing.
    
        Well designed applications will do their own "checking" then try 
    to do the thing.  If the thing returns with "EPERM", then *let it*.
    A well designed module COULD implement a little AI and count these 
    illegal attempts, making a decision thereupon, OR, it could be provided
    with a "signature" file of sorts that states what the designer intended
    his program to access.  A well designed LSM could implement a policy 
    that allows application layer programs to register their "normal"
    behaviour with the LSM... resulting only in WHOOPSIE in the event that
    the application suddenly does something unexpected.
    
        My worry at this point, is "trust".  I think there MUST be some way
    to verify that the security module loaded is correct.  I despise the idea
    of "central registration", but if you put a security module into the
    system, it's a PRIME target for crackers.  I think you have to trust the 
    Kernel boot, but if you run INIT, the security module should be verified
    somehow to determine if it has been "cracked."  Certainly, only ONE
    registration by a security module should be allowed.
    
         "Contrary to popular opinion, it is possible for 15 year olds with 
    compilers to both SUCK *and* BLOW"
    
         Summary: let applications handle failures already existent
    gracefully, build SMART LSMs, and find a way to ASSURE that loaded
    modules are "original"
    
    My Two Cents,
    J. Melvin Jones
    
    
    
    |>------------------------------------------------------
    ||  J. MELVIN JONES            jmjonesat_private 
    |>------------------------------------------------------
    ||  Microcomputer Systems Consultant  
    ||  Software Developer
    ||  Web Site Design, Hosting, and Administration
    ||  Network and Systems Administration
    |>------------------------------------------------------
    ||  http://www.jmjones.com/
    |>------------------------------------------------------
    
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
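Added example, not part of the post above and not LSM code: a small user-space model of the policy the post sketches, a program registering its "normal" behaviour, the module counting out-of-profile accesses, returning EPERM for each, and locking the task down once the count passes a limit, plus the one-registration rule and an application that simply tries the open and handles EPERM instead of asking first. Every name (lsm_register, register_profile, hook_file_open, DEVIATION_LIMIT), the limit value and the sample profile are hypothetical; nothing here is a real kernel hook.

```c
/*
 * Added example (not from the original post): a user-space model of the
 * "register your normal behaviour" policy.  All names, the limit and the
 * sample profile are hypothetical; nothing here is a real LSM hook.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATHS       8
#define MAX_TASKS       16
#define DEVIATION_LIMIT 3   /* hypothetical: the third stray access locks the task */

struct profile {
    const char *paths[MAX_PATHS];   /* paths the program declared it will open */
    int npaths;
};

struct task_state {
    int pid;
    const struct profile *prof;
    int deviations;                 /* accesses refused as outside the profile */
};

static int module_registered;
static struct task_state tasks[MAX_TASKS];
static int ntasks;

/* Constructed sample profile: what a config-reading daemon says it touches. */
const struct profile example_profile = {
    { "/etc/myapp.conf", "/var/log/myapp.log" }, 2
};

/* The framework accepts exactly one security module; a second attempt fails. */
int lsm_register(void)
{
    if (module_registered)
        return -EEXIST;
    module_registered = 1;
    return 0;
}

static struct task_state *find_task(int pid)
{
    for (int i = 0; i < ntasks; i++)
        if (tasks[i].pid == pid)
            return &tasks[i];
    return NULL;
}

/* A program registers its profile once; re-registration is refused so a
 * hijacked process cannot widen its own profile afterwards. */
int register_profile(int pid, const struct profile *prof)
{
    if (find_task(pid))
        return -EEXIST;
    if (ntasks >= MAX_TASKS)
        return -ENOMEM;
    tasks[ntasks].pid = pid;
    tasks[ntasks].prof = prof;
    tasks[ntasks].deviations = 0;
    ntasks++;
    return 0;
}

/* Hook consulted on every open.  In profile: allow.  Out of profile: count it,
 * log a WHOOPSIE and refuse.  Past the limit: refuse everything, even paths the
 * profile allows, because the task is now presumed compromised. */
int hook_file_open(int pid, const char *path)
{
    struct task_state *t = find_task(pid);

    if (!t)
        return 0;   /* no profile registered: this module has no opinion (design choice) */
    if (t->deviations >= DEVIATION_LIMIT)
        return -EPERM;
    for (int i = 0; i < t->prof->npaths; i++)
        if (strcmp(path, t->prof->paths[i]) == 0)
            return 0;
    t->deviations++;
    fprintf(stderr, "WHOOPSIE: pid %d opened %s outside its profile (%d/%d)\n",
            pid, path, t->deviations, DEVIATION_LIMIT);
    return -EPERM;
}

int task_deviations(int pid)
{
    struct task_state *t = find_task(pid);
    return t ? t->deviations : -ESRCH;
}

/* The application side of the argument: no "may I?" probe beforehand, just
 * try the open and handle EPERM gracefully (here: fall back to built-in defaults). */
const char *app_load_config(int pid)
{
    if (hook_file_open(pid, "/etc/myapp.conf") == -EPERM)
        return "builtin defaults";
    return "/etc/myapp.conf";
}

int main(void)
{
    lsm_register();
    register_profile(42, &example_profile);
    printf("config source: %s\n", app_load_config(42));
    hook_file_open(42, "/etc/shadow");
    hook_file_open(42, "/root/.ssh/id_rsa");
    hook_file_open(42, "/etc/passwd");
    printf("after %d deviations, config source: %s\n",
           task_deviations(42), app_load_config(42));
    return 0;
}
```

Two choices in the model are worth noting. A task with no registered profile is allowed through, which keeps the module from breaking programs that never opted in; a stricter module could refuse instead. And once the limit is reached the task loses even its declared accesses, which is the "make a decision thereupon" step: a process that has wandered three times off its declared path is treated as no longer the program whose designer registered the profile.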
    



    This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 17:27:43 PDT