On Fri, 01 Jun 2001 12:39:57 EDT, jmjonesat_private said:

> Well, "beauty is in the eye of the beholder"... my thought is it increases
> overhead. If the developer of the module WANTS the kernel's advice,
> great... let the code in the module reproduce the original tests. If the
> strategy in place in the module would result in "overriding" the
> kernel's "advice" always, why pay the cost?

OK.. thought experiment time - has anybody contemplated pushing *ALL* and I do mean *ALL* the security/permission checking off to the LSM? I mean all the places where the kernel calls suser()/capable(), all the places that check user/group/world permissions, etc etc.

Contemplating this is a good reductio ad absurdum check for "let the code in the module reproduce the tests". Contemplate the following:

1) The number of eyeballs that will look at a check for suser() in mainline code, and the number of organizations that will have to fix their code. Answer: Lots of eyeballs, and you only have to fix the kernel once.

2) The number of eyeballs that will look at a check for suser() in a given LSM module (lots fewer eyeballs), and the number of times the same problem may need to be fixed.

Yes, a blown check in a given LSM may *seem* to only affect sites that use that LSM, but.... I've added a posting from Bugtraq from a while ago that seems to indicate that we should *EXPECT* multiple people to screw up multiple modules the same way.

/Valdis

Date: Mon, 21 Jun 1999 09:28:23 -0700
From: Edward Berner <bernereat_private>
Subject: Diversity
To: BUGTRAQat_private

On the subject of diversity and reliability, I found the following in RISKS 3.41:

Q11: True or False? Computer programs prepared independently from the same specification will fail independently.

A11: False. In one experiment, 27 independently-prepared versions, each with reliability of more than 99%, were subjected to one million test cases. There were over 500 instances of two versions failing on the same test case. There were two test cases in which 8 of the 27 versions failed. (Knight, Leveson and StJean, "A Large-Scale Experiment in N-Version Programming," Fault-Tolerant Computing Systems Conference 15)

RISKS 3.41 can be had at the following URL:
http://catless.ncl.ac.uk/Risks/3.41.html

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Fri Jun 01 2001 - 22:46:50 PDT
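The two designs Valdis is weighing, as an added illustration that is not code from the thread, from the LSM project or from the Linux kernel: a toy permission check models the kernel's one reviewed DAC test (standing in for the suser()/capable() style checks) and two hypothetical modules that each "reproduce the original tests" on their own. Both modules, written from the same informal spec, make the same slip the N-version experiment warns about: they accept a request when *any* requested bit is granted instead of *all* of them. With the kernel check kept and the module only able to deny further, the mistake is masked; with everything pushed into the module, both modules grant a read+write request on a read-only file. All structures, hook names and the bug itself are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAY_WRITE 2
#define MAY_READ  4

/* Constructed toy objects: only the owner (bits 6-8) and "other" (bits 0-2)
 * permission classes are modelled; group handling is omitted for brevity. */
struct inode { unsigned owner_uid; unsigned mode; };
struct cred  { unsigned uid; bool cap_dac_override; };

/* Hypothetical module hook signature: true = allow, false = deny. */
typedef bool (*lsm_hook_fn)(const struct cred *, const struct inode *, int mask);

/* Select the rwx bits that apply to this caller. */
static unsigned relevant_bits(const struct cred *c, const struct inode *i)
{
    return (c->uid == i->owner_uid) ? (i->mode >> 6) & 7 : i->mode & 7;
}

/* The kernel's single copy of the DAC test: every requested bit must be
 * present, or the caller must hold the override capability. */
static bool kernel_dac_permission(const struct cred *c, const struct inode *i, int mask)
{
    if ((relevant_bits(c, i) & mask) == (unsigned)mask)
        return true;
    return c->cap_dac_override;   /* capable(CAP_DAC_OVERRIDE) analogue */
}

/* Hypothetical module A reproduces the test itself and gets it subtly wrong:
 * it accepts if ANY requested bit is granted (should compare == mask). */
static bool module_a_hook(const struct cred *c, const struct inode *i, int mask)
{
    if (relevant_bits(c, i) & mask)   /* constructed bug */
        return true;
    return c->cap_dac_override;
}

/* Hypothetical module B, written independently from the same spec, makes
 * the identical mistake: the coincident failure the RISKS item describes. */
static bool module_b_hook(const struct cred *c, const struct inode *i, int mask)
{
    unsigned bits = relevant_bits(c, i);
    if (bits & mask)                  /* same constructed bug */
        return true;
    return c->cap_dac_override;
}

/* Design 1: the kernel keeps its check and the module may only deny further. */
static bool permission_kernel_plus_hook(const struct cred *c, const struct inode *i,
                                        int mask, lsm_hook_fn hook)
{
    return kernel_dac_permission(c, i, mask) && hook(c, i, mask);
}

/* Design 2: all checking pushed into the module; the kernel test is gone. */
static bool permission_hook_only(const struct cred *c, const struct inode *i,
                                 int mask, lsm_hook_fn hook)
{
    return hook(c, i, mask);
}

/* Evaluate one request by an unprivileged owner against a mode 0444 file
 * under either design. Returns true if the request would be allowed. */
static bool request_allowed(bool kernel_check_kept, lsm_hook_fn hook, int mask)
{
    const struct inode f = { .owner_uid = 1000, .mode = 0444 };   /* constructed */
    const struct cred  u = { .uid = 1000, .cap_dac_override = false };
    return kernel_check_kept ? permission_kernel_plus_hook(&u, &f, mask, hook)
                             : permission_hook_only(&u, &f, mask, hook);
}

int main(void)
{
    lsm_hook_fn hooks[] = { module_a_hook, module_b_hook };
    const char *names[] = { "module A", "module B" };
    int rw = MAY_READ | MAY_WRITE;

    for (int n = 0; n < 2; n++) {
        printf("%s, read+write on 0444 file: kernel+hook=%s  hook-only=%s\n",
               names[n],
               request_allowed(true,  hooks[n], rw) ? "allow" : "deny",
               request_allowed(false, hooks[n], rw) ? "allow" : "deny");
    }
    return 0;
}
```

The point is not the particular bug but the composition rule: when the kernel's check stays in the path and a module can only further restrict, one reviewed copy bounds the damage of every module's reimplementation; when the module replaces the check, each independently written copy must be right on its own, and the experiment says their mistakes will overlap.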