Re: Making forward progress

From: Crispin Cowan (crispinat_private)
Date: Mon Aug 06 2001 - 11:44:29 PDT

  • Next message: Seth Arnold: "Re: Making forward progress"

    jmjonesat_private wrote:
    > On Mon, 6 Aug 2001, Crispin Cowan wrote:
    > > I think it would be the right thing to do if this were Linux 0.6, and we were
    > > designing the security implementation for a new kernel.  I agree that it is
    > > the right design.  My main objection is that it is not the design used for
    > > Linux, and an attempt to impose this design on the existing code will succeed
    > > about as well as an organ transplant to a human from a turnip.
    > We're in the 0.x versions of LSM.  LSM is the "new security paradigm" for
    > linux, is we succeed.  We're changing things.  If you don't want to change
    > things, drop out now... things are GOING to change.  It's inevitable.
    No it is not.  If that's what we try to sell Linus, it will bounce.  This is the
    pragmatic teensy weensy hook project that enables new security paradigms (that
    aren't really all that new :-) to live in the classical Linux model.  To succeed,
    we have to be as non-disruptive as possible.
    > I agree, things have gone wrong, but LSM can fix this, and it can do it
    > WITHOUT breaking other strategies toward security.  I admin being naive...
    Yup.  "I know; lets just re-write everything the right way!" is a typical security
    reaction to the way the rest of the world does things, and it never succeeds.  The
    non-security way the rest of the world does things is never secure, but it does
    succeed.  Security is not a high priority for most people; you do the math.
    For us to succeed, we must be as unobtrusive as possible.  Ripping the guts out of
    the Linux kernel and putting them back upside down just doesn't qualify :-)
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc.
    Security Hardened Linux Distribution:
    Available for purchase:
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 11:45:35 PDT