l4-hurd

Re: POSIX


From: Jonathan S. Shapiro
Subject: Re: POSIX
Date: Wed, 26 Oct 2005 11:28:25 -0400

On Wed, 2005-10-26 at 16:13 +0200, Alfred M. Szmidt wrote:
>      Web browsers
>      Email readers
>      Word processors
>      Document browsers (e.g. acrobat, xpdf, ghostview)
> 
> All those run in a jail of sorts: the current user.  What would be
> nifty is a way to allow a user to make sub-users, where he can
> encapsulate a program and only give write/read access to a specific
> directory.  Which is possible to do with any extensive rewrites I
> think.

Typo: I believe you meant to write "... *without* any extensive
rewrites"

I have often thought about doing something like this, because it would
be very attractive to be able to rescue the design model of current
systems. Here is what I believe it would take:

  1. A model of "user" that is hierarchical, in the sense that I can
     add and destroy new pseudo-users that are subordinate to me.

  2. A real ACL implementation in the file systems

  3. A very efficient way to visit all of the files that *I* have access
     to and grant access to a new, subordinate user.

I have always failed to achieve the third part. If the actual number of
necessary configurations can be kept very small, I can see that a
statically preconfigured "safe subset" is possible. What I do not see is
how to efficiently build a similar thing dynamically, in a way that is
specific to the particular application that I am trying to run at the
moment. By the time my protection agent is done visiting all of the
necessary files, I have taken far longer than I can afford.

One alternative is syscall filtering. There are lots of products out
there that do this (e.g. tripwire) and the bottom line is that they do
not work. Tripwire only handles the statically preconfigurable case, and
the lesson is that there are *way* too many cases and they change too
rapidly. The dynamic case is a mess, because users simply don't know
how to make these decisions correctly.

People like Crispin Cowan at Immunix have been working very very hard to
find a way to straddle this boundary. So far, their success is unclear.
SELinux definitely does *not* manage it.

>    Each of these runs code written by a very large number of untrusted
>    developers, and each downloads "plugins" (or equivalently: can spawn
>    local commands at the direction of documents) that I know nothing about.
> [...]
>    The plugin code very often *is* hostile, and the programs that run
>    them very often contain security bugs.
> 
> Same thing can be said about kernels.

I do not believe so. The difference is that with a kernel I know where
the kernel came from and so do a lot of other users. If the kernel
screws the users, they have a decent chance to figure this out and
abandon the system. Also, kernels are well known to be sources of
vulnerability and they get inspected.

The problem with plugins and active content is that you never know what
you are running. You definitely don't know where it came from. If this
were not true, spyware installation would not be emerging as big
business.

>    On the server side, things are even worse -- for those I need a new
>    sub-hurd for every page request that involves any sort of active
>    content.
> 
> Such paranoia isn't useful for a multi user system, or a single user
> system.  All it is is an academic exercise in `intellectual
> masturbation'.

Well, that is your opinion. Out here in impractical academia my servers
see almost 100 attempted penetrations a minute, 24 hours a day. Most of
these are just irritants, but I cannot afford to be waiting for patches
in order to defend myself. I need a system that provides structural
defenses.

And if a confined subsystem per request is practical, why *shouldn't*
that be the normal thing to do? The problem with creating a sub-hurd for
every request isn't that it's a bad idea. It's that it is prohibitively
expensive.

And if it is a purely "academic" exercise, can you explain why KeyKOS
has *never* been hacked over 25 years in production use? And yes, there
have been attempts.

Finally, a word on your disparagement of "academics". Have you stopped
to consider that nearly all of the POSIX software you seem to love was
written by academics? Believe me, when I was there, the computing
research center at Bell Labs was pretty academic in outlook. Or consider
such impractical concepts as web browsers, databases, file systems,
graphical displays, the von Neumann computer, the transistor, and many
others. Yes, some things in academia take a very long time to become
practical. This does not make them intellectual masturbation.  And
sadly, there is a large amount of garbage that passes for research in
academia. Some of that garbage is very easy to identify, but I don't
agree that the current discussion falls into that category.

You are certainly entitled to your opinion, but perhaps if your
objection is to *my* comments you should focus your accusations less
broadly.

shap
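The three pieces listed above (a hierarchy of pseudo-users that I can create and destroy, real per-file ACLs, and a grant routine that has to visit every file I can reach) can be modelled in a few dozen lines. The following Python toy is an added example, not code from this thread or from the Hurd; the principal names, paths and ACL contents are constructed for the example. It makes the cost of the third point visible by returning how many files the grant walk had to touch, and it shows a sub-user starting with no rights, never receiving more than its parent holds, and losing every ACL entry when an ancestor is destroyed.

```python
"""Toy model of hierarchical pseudo-users + per-file ACLs + a grant walk.

Added example; names, paths and ACL entries below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Rights = frozenset  # e.g. frozenset({"r"}) or frozenset({"r", "w"})


@dataclass
class Principal:
    name: str
    parent: Optional["Principal"] = None  # None for a top-level user


def ancestors(p: Optional[Principal]):
    """Yield p and every principal above it in the hierarchy."""
    while p is not None:
        yield p
        p = p.parent


@dataclass
class File:
    path: str
    acl: Dict[str, Rights] = field(default_factory=dict)  # principal -> rights


class Model:
    def __init__(self) -> None:
        self.principals: Dict[str, Principal] = {}
        self.files: Dict[str, File] = {}

    def add_user(self, name: str, parent: Optional[str] = None) -> Principal:
        """Point 1: a new (pseudo-)user, subordinate to `parent` if given."""
        p = Principal(name, self.principals[parent] if parent else None)
        self.principals[name] = p
        return p

    def add_file(self, path: str, acl: Dict[str, Rights]) -> None:
        self.files[path] = File(path, dict(acl))

    def rights(self, who: str, path: str) -> Rights:
        """Point 2: effective rights are the principal's own ACL entry.
        Nothing is inherited, so a fresh sub-user can touch nothing."""
        if who not in self.principals:
            return frozenset()
        return self.files[path].acl.get(who, frozenset())

    def grant_subtree(self, grantor: str, grantee: str, prefix: str,
                      rights: Rights) -> Tuple[int, int]:
        """Point 3: walk every file the grantor can reach and hand a subset
        of its own rights to the grantee for paths under `prefix`.
        Returns (files_visited, files_granted) so the cost is visible."""
        g = self.principals[grantee]
        if grantor == grantee or grantor not in (a.name for a in ancestors(g)):
            raise PermissionError("only an ancestor may grant to a sub-user")
        visited = granted = 0
        for f in self.files.values():
            have = f.acl.get(grantor)
            if not have:
                continue
            visited += 1  # the walk pays for every reachable file
            if f.path.startswith(prefix):
                f.acl[grantee] = rights & have  # never exceed the grantor
                granted += 1
        return visited, granted

    def destroy(self, name: str) -> None:
        """Destroying a pseudo-user also removes everything below it and
        scrubs their ACL entries from every file."""
        doomed = {n for n, p in self.principals.items()
                  if name in (a.name for a in ancestors(p))}
        for n in doomed:
            del self.principals[n]
        for f in self.files.values():
            for n in doomed:
                f.acl.pop(n, None)


def build_demo() -> Model:
    """Constructed sample: one user with a few files of her own."""
    m = Model()
    m.add_user("alice")
    rw, r = frozenset({"r", "w"}), frozenset({"r"})
    m.add_file("/home/alice/docs/report.txt", {"alice": rw})
    m.add_file("/home/alice/docs/notes.txt", {"alice": rw})
    m.add_file("/home/alice/mail/inbox", {"alice": rw})
    m.add_file("/etc/hostname", {"alice": r})
    m.add_file("/home/bob/private", {"bob": rw})
    return m


def confine_viewer(m: Model) -> Tuple[int, int]:
    """Spawn a sub-user for a document viewer and give it read-only access
    to the docs directory; everything else stays out of reach."""
    m.add_user("alice/viewer", parent="alice")
    return m.grant_subtree("alice", "alice/viewer",
                           "/home/alice/docs/", frozenset({"r"}))


if __name__ == "__main__":
    m = build_demo()
    print("visited/granted:", confine_viewer(m))
    print("viewer on inbox:", m.rights("alice/viewer", "/home/alice/mail/inbox"))
```

The walk in `grant_subtree` touches every file the grantor holds rights on, not just the ones under the prefix, which is exactly the per-application cost the message complains about: the number of visited files grows with everything the parent can reach, not with the size of the subset being handed out.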
