Re: kernel stack challenge
From: Horst von Brand
Date: Tue Apr 06 2004 - 15:05:04 EST
Sergiy Lozovsky <serge_lozovsky@xxxxxxxxx> said:
> --- Horst von Brand <vonbrand@xxxxxxxxxxxx> wrote:
> > Sergiy Lozovsky <serge_lozovsky@xxxxxxxxx> said:
> >
> > [LISP inside the kernel?!]
> >
> > > Basically there are two reasons.
> > >
> > > 1. Give system administrator possibility to change
> > > security policy easy enough
> >
> > SELinux
>
> To create a new 'security model' one should write a C
> program within Selinux user space security server.
> People like to use higher level languages.
C is a high level language. If you don't like it, use C++, Perl, Ruby, TCL,
Guile, Common LISP, PostScript, ... It's userspace, program in whatever you
like most.
> > > without C programminig
> > > inside the kernel (we should not expect system
> > > administartor to be a kernel guru).
> > As 97.572% of the job has to be done in userland anyway, place your
> > checks/high-level language/GUI frobnitzer in there at will. Compile to a
> > compact, easy-to-handle, digitally signed, binary blob and stuff _that_
> > into the kernel as needed.
> I'm not ready to put a binary compiled with Common
> Lisp or PERL (if it exists)
Yep.
> compilers into the kernel.
Again.... use something written in C, Perl, Common LISP, even COBOL to
parse the description and generate a binary blob from it that you then
stuff into the kernel. No in-kernel runtime for high-level general purpose
languages needed at all.
> At the same time I want people to benefit from using
> high level langages (even kernel gurus don't use
> Assembler all the time, higher level languages is
> easier to use and less lines of code to write).
Kernel gurus write C and think assembler. Wrong crowd selected ;-)
> .....
>
> > > 2. Protect system from bugs in security policy
> > > created by system administrator (user).
> > Sounds like you are demanding a solution to Turing's test here... and
> > also to the halting problem.
> I didn't claim that I solve all problems on earth :-)
You certainly do. How do you protect the system from a mistaken policy that
takes away all rights from the user supposed to manage it, and gives them
to the local script kiddie instead?
> What I can claim:
> 1. Some kernel parts can be developed with language of
> higher level than C.
It efficiency doesn't matter, do it in userland. If efficiency matters, do
it in hand-tuned C + assembly, inside the kernel only if there is no other
way.
> 2. Problems with such parts can be to some extent be
> encapsulated within VM (no, it's not 100% fool prof
> for sure), but it helps.
Doing it in userland helps even more.
> 3. Code can be easily debugged in the user space
> (running with user space VM) and used in the kernel
> after that.
The environment isn't the same, so this doesn't help that much. Besides, if
the job _can_ be done in userland, it has no business being done in the
kernel. Stuff is being moved _out_ of the kernel (for example, finding
partitions and filesystems) as we speak...
[...]
> LISP code is located in the kernel. Application issues a system call LISP
> program checks arguments of this call. If LISP program fails (crashes) -
> VM will return default value which is EACCESS, so application will get
> 'access denied'. (and will fail, probably).
So the idea is _userland_ code stuffed into the _kernel_ to be checked and
executed there? And if it is broken, and denies all access, it is a nice
DoS.
--
Dr. Horst H. von Brand User #22616 counter.li.org
Departamento de Informatica Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria +56 32 654239
Casilla 110-V, Valparaiso, Chile Fax: +56 32 797513
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/