Re: permissive vs. restrictive issue and solutions...

From: Valdis.Kletnieksat_private
Date: Fri Jun 01 2001 - 22:45:48 PDT


    On Fri, 01 Jun 2001 12:39:57 EDT, jmjonesat_private said:
    > Well, "beauty is in the eye of the beholder"... my thought is it increases
    > overhead.  If the developer of the module WANTS the kernel's advice,
    > great... let the code in the module reproduce the original tests.  If the 
    > strategy in place in the module would result in "overriding" the
    > kernel's "advice" always, why pay the cost?
    
    OK.. thought experiment time - has anybody contemplated pushing *ALL*
    and I do mean *ALL* the security/permission checking off to the LSM?
    
    I mean all the places where the kernel calls suser()/capable(),
    all the places that check user/group/world permissions, etc etc.
    
    Contemplating this is a good reductio ad absurdum check for "let the
    code in the module reproduce the tests".  Contemplate the following:
    
    1) The number of eyeballs that will look at a check for suser() in
    mainline code, and the number of organizations that will have to
    fix their code.  Answer:  Lots of eyeballs, and you only have to
    fix the kernel once.
    
    2) The number of eyeballs that will look at a check for suser() in
    a given LSM module (lots fewer eyeballs), and the number of times
    the same problem may need to be fixed.  Yes, a blown check in a
    given LSM may *seem* to only affect sites that use that LSM, but....
    
    I've added a posting from Bugtraq from a while ago that seems to
    indicate that we should *EXPECT* multiple people to screw up
    multiple modules the same way.
    
    /Valdis
    
    Date:         Mon, 21 Jun 1999 09:28:23 -0700
    From: Edward Berner <bernereat_private>
    Subject:      Diversity
    To: BUGTRAQat_private
    
    On the subject of diversity and reliability, I found the following in RISKS 3.41:
    Q11: True or False?  Computer programs prepared independently from the same
            specification will fail independently.
    
    A11: False.  In one experiment, 27 independently-prepared versions, each
            with reliability of more than 99%, were subjected to one million
            test cases.  There were over 500 instances of two versions failing
            on the same test case.  There were two test cases in which 8 of the
            27 versions failed.  (Knight, Leveson and StJean, "A Large-Scale
            Experiment in N-Version Programming,"  Fault-Tolerant Computing
            Systems Conference 15)
    
    RISKS 3.41 can be had at the following URL:
    	http://catless.ncl.ac.uk/Risks/3.41.html
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
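To make the restrictive vs. "reproduce the tests" trade-off concrete, here is an added toy model in C (not code from this thread, the LSM project or the kernel): a module hook with a deliberately constructed blown check is composed either after the kernel's own DAC test (restrictive) or in place of it (authoritative). The names kernel_dac_check, blown_module_hook and the struct layouts are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed toy model (not Linux kernel code): a task, an inode with
 * a 9-bit rwxrwxrwx mode, and the MAY_* request mask. */
struct task  { uint32_t uid; bool cap_dac_override; };
struct inode { uint32_t owner_uid; unsigned mode; };

#define MAY_EXEC  1
#define MAY_WRITE 2
#define MAY_READ  4

/* The kernel's own DAC test: capability bypass first, then owner bits
 * for the owner and "other" bits for everyone else (group omitted). */
static int kernel_dac_check(const struct task *t, const struct inode *in, unsigned mask)
{
    if (t->cap_dac_override)
        return 0;
    unsigned bits = (t->uid == in->owner_uid) ? (in->mode >> 6) & 7 : in->mode & 7;
    return ((bits & mask) == mask) ? 0 : -EACCES;
}

/* A module hook that "reproduces the tests" but contains a blown check:
 * it reads the owner bits without verifying that the task is the owner.
 * The bug is constructed for the demonstration. */
static int blown_module_hook(const struct task *t, const struct inode *in, unsigned mask)
{
    (void)t;                              /* the forgotten owner test */
    unsigned bits = (in->mode >> 6) & 7;
    return ((bits & mask) == mask) ? 0 : -EACCES;
}

/* Restrictive composition: the kernel's check runs first and the module
 * may only turn an allow into a deny, so its bug cannot widen access. */
int permission_restrictive(const struct task *t, const struct inode *in, unsigned mask)
{
    int rc = kernel_dac_check(t, in, mask);
    return rc ? rc : blown_module_hook(t, in, mask);
}

/* Authoritative composition: the module alone decides, so the blown
 * check is the final word and a non-owner reads a mode-0700 file. */
int permission_authoritative(const struct task *t, const struct inode *in, unsigned mask)
{
    return blown_module_hook(t, in, mask);
}
```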
    



    This archive was generated by hypermail 2b30 : Fri Jun 01 2001 - 22:46:50 PDT