Re: The Demise of Simple Assurance?

From: Crispin Cowan (crispinat_private)
Date: Wed Aug 01 2001 - 13:10:11 PDT

    jmjonesat_private wrote:
    > 1) It appears that passed pointers to structures can be protected by a
    >    stacked module, even without going authoritative at this time.  The
    >    cost is partially the same as the benefit: structures and substructures
    >    (etcetera) could NOT be altered unless the guardian module specifically
    >    allowed it.
    > ...
    > 3) The cost of this sort of protection, on a scale of 1-10 is somewhere
    >    around 20.  Structures need to be copied and return conditions
    >    evaluated.  Sometimes, it can get pretty "hairy".  Justification for
    >    putting it in a module that ONLY those who REALLY need it would employ.
    I think you're off in the weeds here.  I disbelieve that a module that does full data
    structure marshalling/demarshalling would be useful.  As you say, the costs are
    prohibitive.  What I thought you were talking about was a SIMPLE module that would just
    take the DAC decision, the module decision, and return whichever is stricter.
    But the kernel pointer problem is hopeless:  don't try to solve it.  What you end up with
    is a lame microkernel.
    Of course, since it's a module, it doesn't impinge on the rest of us, so go ahead if you
    see value in it.
    > I remember discussions not long ago that actually seemed fairly "split"
    > with regard to authoritative hooks, and have seen pleas and arguments that
    > they will be more useful in the future for a variety of interests...
    I perceive the community as currently split on the authoritative question.
       * Still want restrictive-only hooks:  Crispin, Greg, and David Wagner
       * Want authoritative hooks:  Valdis, Richard Offer, JMJ
    Much of the motive to yield the simple assurance property is the big pile of stuff that
    allegedly improves if we go to authoritative hooks.  However, I posted a bunch of issues
    with those alleged benefits last night, and I'm still waiting to hear back from SGI as to
    whether authoritative hooks (*without* moving the kernel's DAC logic into a module) make
    things better for them.  If not, we're back to square one.
    > The idea that "something is better than nothing" ... lock the doors and
    > leave the windows open?  That's not much assurance.
    Saltzer & Schroeder make a strong distinction between protection for debugging and
    protection against threats.  "doors locked & windows open" is useless against an
    adversary, but is useful against the merely stupid (bugs).  Since we must assume that
    modules are not malicious, but may be buggy, locking the door does provide value.
    Your initial observation degraded my perception of the value of simple assurance, but did
    not destroy it.  That, plus the big shopping list of benefits to authoritative hooks
    pushed me from one side of the field up onto the fence.  I'm anxiously waiting to see if
    the alleged benefits will actually pan out.
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc.
    Security Hardened Linux Distribution:
    Available for purchase:
    linux-security-module mailing list
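Added illustration (not code from the list or the kernel) of the distinction the thread is arguing over: a constructed model in which a restrictive-only hook stack can only tighten the kernel's DAC answer, while an authoritative stack lets a buggy module's answer replace it. `dac_check`, the two toy modules and the errno choices are assumptions made for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of LSM hook composition (added example, not kernel code).
 * A decision is 0 for "allow" or a negative errno for "deny". */
typedef int (*hook_fn)(int op);

#define OP_READ  0
#define OP_WRITE 1

/* Stand-in for the kernel's own DAC check: reads allowed, writes denied. */
static int dac_check(int op) { return op == OP_WRITE ? -EACCES : 0; }

/* A buggy (not malicious) stacked module that tries to grant everything. */
static int permissive_module(int op) { (void)op; return 0; }

/* A module that additionally denies reads, with its own errno. */
static int strict_module(int op) { return op == OP_READ ? -EPERM : 0; }

/* Constructed module stack used by the checks below. */
static const hook_fn stacked_mods[] = { permissive_module, strict_module };

/* Restrictive composition: DAC runs first and any denial sticks; a module can
 * only make the answer stricter.  This is the "simple assurance" property. */
static int restrictive_decide(int op, const hook_fn *mods, size_t n)
{
    int rc = dac_check(op);
    for (size_t i = 0; rc == 0 && i < n; i++)
        rc = mods[i](op);
    return rc;
}

/* Authoritative composition: each module's answer replaces whatever came
 * before it, so a permissive module silently reopens what DAC closed. */
static int authoritative_decide(int op, const hook_fn *mods, size_t n)
{
    int rc = dac_check(op);
    for (size_t i = 0; i < n; i++)
        rc = mods[i](op);
    return rc;
}

/* The invariant a reviewer would check: the composed answer is never more
 * permissive than DAC alone. */
static bool never_looser_than_dac(int op, int composed)
{
    return dac_check(op) == 0 || composed != 0;
}
```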

    This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 13:11:37 PDT