On Sun, 23 Jul 2000, James Sutherland wrote:
>
> The "security" aspect of this is largely a red herring, I suspect; at
> best, fixing this will make a malicious root marginally less damaging. The
> real issue is just that the kernel is accepting unvalidated parameters
> from userspace, and shooting itself in the foot with them. MS took a fair
> bit of flak, IIRC, for doing this with WIN32K.SYS in NT4. Do we now expect
> higher standards of design from NT than Linux? :-)
What validation?
The OS doesn't even know what the commands do. They are undocumented. And
they vary from drive to drive.
How do you expect the OS to validate the drive firmware update commands
for every drive manufacturer?
In short, should we
- know every single drive, know every command it can take, and do all of
this inside the OS
OR should we
- move this policy into user space, and potentially have programs that
know what different drives can do, and upgrade them the proper way
I think the thing is fairly clear. If you want "the OS" to validate the
parameters, then you should create a user-mode program that validates the
thing.
Basically, Linux already validates everything it _can_ validate. Sure, it
could also verify that only "approved" commands are sent, but what about
the undocumented yet potentially useful ones?
Let's take a hypothetial example (you judge on just _how_ hypothetical it
actually is): imagine that you have a drive that can be made to refuse to
read certain removable media based on where the drive was purchased.
Imagine that this was actually done in firmware, and that there was a way
of overriding it. Imagine further that you moved, and you wanted to make
the drive read certain removable media in the new location, using
undocumented commands..
Should the kernel block those commands because it doesn't know what they
do?
Or should the kernel assume that "Oh, he has the permission to do this,
then sure, I'll let him do it..".
Note that everybody has gotten very lathered up about the fact that you
can kill certain hardware. Guess what? This is neither new nor very
exciting. Look at your XFree86 configuration file some time, and read the
warnings in the documentation. And ruminate on it. A monitor can be quite
a bit more expensive than your harddisk.
Firthermore, destroying your harddisk may be the most _polite_ thing that
can be done to you. Quite frankly, I'd personally rather have a dead
harddisk than have all my data on that harddisk be siphoned back to an
intruder.
A dead harddisk you might get a refund for under the warranty. Your credit
card information (or your browsing habits or copies of your personal
emails) made available all over the place might be more of a bother.
"There are worse things than death". Even with harddisks.
Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Mon Jul 31 2000 - 21:00:15 EST