jmjonesat_private wrote:
> 1) It appears that passed pointers to structures can be protected by a
> stacked module, even without going authoritative at this time. The
> cost is partially the same as the benefit: structures and substructures
> (etcetera) could NOT be altered unless the guardian module specifically
> allowed it.
> ...
> 3) The cost of this sort of protection, on a scale of 1-10 is somewhere
> around 20. Structures need to be copied and return conditions
> evaluated. Sometimes, it can get pretty "hairy". Justification for
> putting it in a module that ONLY those who REALLY need it would employ.

I think you're off in the weeds here. I disbelieve that a module that does full data structure marshalling/demarshalling would be useful. As you say, the costs are prohibitive. What I thought you were talking about was a SIMPLE module that would just take the DAC decision, the module decision, and return whichever is stricter. But the kernel pointer problem is hopeless: don't try to solve it. What you end up with is a lame microkernel. Of course, since it's a module, it doesn't impinge on the rest of us, so go ahead if you see value in it.

> I remember discussions not long ago that actually seemed fairly "split"
> with regard to authoritative hooks, and have seen pleas and arguments that
> they will be more useful in the future for a variety of interests...

I perceive the community as currently split on the authoritative question.

   * Still want restrictive-only hooks: Crispin, Greg, and David Wagner
   * Want authoritative hooks: Valdis, Richard Offer, JMJ

Much of the motive to yield the simple assurance property is the big pile of stuff that allegedly improves if we go to authoritative hooks. However, I posted a bunch of issues with those alleged benefits last night, and I'm still waiting to hear back from SGI as to whether authoritative hooks (*without* moving the kernel's DAC logic into a module) make things better for them. If not, we're back to square one.
> The idea that "something is better than nothing" ... lock the doors and
> leave the windows open? That's not much assurance.

Saltzer & Schroeder make a strong distinction between protection for debugging and protection against threats. "Doors locked & windows open" is useless against an adversary, but is useful against the merely stupid (bugs). Since we must assume that modules are not malicious, but may be buggy, locking the door does provide value. Your initial observation degraded my perception of the value of simple assurance, but did not destroy it. That, plus the big shopping list of benefits to authoritative hooks, pushed me from one side of the field up onto the fence. I'm anxiously waiting to see if the alleged benefits will actually pan out.

Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
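The two hook semantics argued over in the message above, modelled as an added example (this is editor-supplied illustration code, not code from the post or from the LSM project). It uses a toy DAC check on a hypothetical inode/cred pair and three hypothetical composition functions: restrictive stacking (DAC first, modules may only veto), an authoritative hook (the module's verdict replaces DAC), and the "return whichever is stricter" module Crispin describes. A deliberately buggy module that allows everything shows the assurance property at stake: under restrictive hooks the bug cannot grant what DAC denied, under authoritative hooks it can.

```c
#include <stddef.h>
#include <stdio.h>

/* Verdicts follow the kernel convention: 0 allows, negative errno denies. */
#define ALLOW 0
#define DENY  (-13)   /* -EACCES */

#define MAY_READ  4
#define MAY_WRITE 2
#define MAY_EXEC  1

/* Hypothetical toy object and subject; a real inode/cred carries far more. */
struct toy_inode { unsigned owner; unsigned mode; }; /* mode = owner bits << 3 | other bits */
struct toy_cred  { unsigned uid; };

typedef int (*perm_hook)(const struct toy_cred *, const struct toy_inode *, unsigned mask);

/* Toy DAC: the owner gets the owner bits, everyone else the "other" bits. */
int dac_permission(const struct toy_cred *c, const struct toy_inode *i, unsigned mask)
{
    unsigned bits = (c->uid == i->owner) ? (i->mode >> 3) & 7 : i->mode & 7;
    return ((bits & mask) == mask) ? ALLOW : DENY;
}

/* Restrictive stacking: DAC runs first, then each module in turn; the first
 * DENY is final, so no module can grant what DAC (or an earlier module) refused. */
int restrictive_permission(const struct toy_cred *c, const struct toy_inode *i,
                           unsigned mask, const perm_hook *mods, size_t n)
{
    int rc = dac_permission(c, i, mask);
    for (size_t k = 0; rc == ALLOW && k < n; k++)
        rc = mods[k](c, i, mask);
    return rc;
}

/* Authoritative hook: the module's verdict replaces the kernel's DAC verdict. */
int authoritative_permission(const struct toy_cred *c, const struct toy_inode *i,
                             unsigned mask, perm_hook mod)
{
    return mod(c, i, mask);
}

/* The "simple module" from the post: take the DAC decision and the module
 * decision and return the stricter one. Under authoritative hooks this
 * restores the restrictive-only property for the wrapped module. */
int stricter_of(const struct toy_cred *c, const struct toy_inode *i,
                unsigned mask, perm_hook mod)
{
    int dac = dac_permission(c, i, mask);
    int m   = mod(c, i, mask);
    return (dac != ALLOW) ? dac : m;
}

/* A well-behaved module: non-root may never write. */
int no_write_unless_root(const struct toy_cred *c, const struct toy_inode *i, unsigned mask)
{
    (void)i;
    return ((mask & MAY_WRITE) && c->uid != 0) ? DENY : ALLOW;
}

/* A buggy module: the author forgot the check and allows everything
 * (the "locked door, open window" case; buggy, not malicious). */
int buggy_allow_all(const struct toy_cred *c, const struct toy_inode *i, unsigned mask)
{
    (void)c; (void)i; (void)mask;
    return ALLOW;
}

/* Constructed scenario: uid 1000 acts on a root-owned file whose bits are
 * owner rw-, other r-- (a 0640-like mode in this toy encoding). */
static const struct toy_inode secret = { .owner = 0, .mode = (6 << 3) | 4 };
static const struct toy_cred  user   = { .uid = 1000 };

int buggy_restrictive_write(void)
{
    perm_hook mods[] = { buggy_allow_all };
    return restrictive_permission(&user, &secret, MAY_WRITE, mods, 1);
}

int buggy_authoritative_write(void)
{
    return authoritative_permission(&user, &secret, MAY_WRITE, buggy_allow_all);
}

int buggy_stricter_write(void)
{
    return stricter_of(&user, &secret, MAY_WRITE, buggy_allow_all);
}

int good_restrictive_read(void)
{
    perm_hook mods[] = { no_write_unless_root };
    return restrictive_permission(&user, &secret, MAY_READ, mods, 1);
}

int main(void)
{
    printf("buggy module, restrictive:   %d\n", buggy_restrictive_write());
    printf("buggy module, authoritative: %d\n", buggy_authoritative_write());
    printf("buggy module, stricter-of:   %d\n", buggy_stricter_write());
    printf("good module, read:           %d\n", good_restrictive_read());
    return 0;
}
```

The point of the example is the first two results: the same buggy module yields DENY under restrictive stacking because DAC already refused the write, but ALLOW under an authoritative hook because nothing else is consulted. Wrapping the buggy module in `stricter_of` gets the denial back, which is exactly the simple module the post contrasts with full structure marshalling.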
This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 13:11:37 PDT