RE: (MAC/DAC) RE: Future Linux devel. Kernels

From: Linda Walsh (law@sgi.com)
Date: Tue May 09 2000 - 12:57:56 EST


> One thing to be careful of when you implement MAC. Remember that the
> kernel is fully trusted. A single flaw in the kernel and bang, a user can
> circumvent any MAC.

---
	Oh yeah.  Don't you think this list will tear any implementation
flaws to shreds?  :-)  However...
> 
> The kernel API is very non-trivial, and represents a lot of code. How sure
> are you that there isn't a subtle signed/unsigned issue somewhere on the
> kernel API which leads to a kernel mode buffer overflow?
---
	We've already done this once -- have had an evaluated system
since 95 even w/o capabilities (used root priv in early versions).

We even dumped the code out on http://oss.sgi.com/projects/ob1, in hopes that others would take pieces and ideas from it. We want to see an open-source solution to this.

> I think the principles behind MAC are very cool. However, in "real
> world" security situations (as opposed to feature list based security), a
> monolithic kernel is Not What A High Security System Should Be Based On
> (tm).
---
	Monolithic means non-dividable. I would hope to see ACLs, file-CAPs, MAC and audit all as separate options. Pick and choose a la carte.

> The previous problem? The all-powerfulness of the root user. The new
> problem? The all-powerfulness of the monolithic kernel.
---
	Hey, don't delude yourself -- the kernel already *is* all powerful -- it has to be, as it is the basis upon which everything else is built.

> Amusingly, though, such practical considerations typically aren't a
> barrier to high security certification. This is one of the reasons I view
> a lot of certifications as of limited value. However, since Governments
> see things differently....
---
	And in the US the government buys 10% of the computers. By Jan 2001 the DoD will "prefer" evaluated systems -- and recommend them to the rest of .gov. By July 2002, DoD will require evaluated systems only -- waivers are handled through the NSA, which promises to be way stingy.

That's a 10% market that the NSA would like to see running open-source software (Linux/Gnu...or Free/Trusted BSD). But right now the only players are proprietary OS's w/closed source. This means there could be backdoors and lots of poorly audited code. *plegh*.

-l
