l4-hurd

Re: Challenge: Find potential use cases for non-trivial confinement


From: Bas Wijnen
Subject: Re: Challenge: Find potential use cases for non-trivial confinement
Date: Tue, 2 May 2006 01:17:56 +0200
User-agent: Mutt/1.5.11+cvs20060403

On Mon, May 01, 2006 at 04:55:36PM -0600, Christopher Nelson wrote:
> > This is getting annoying.  I wrote at least twice already 
> > that the primary space bank is *not* owned by the system 
> > administrator.  It is owned by the TCB, which is an entity 
> > itself.  It will restrict access to it carefully, in 
> > particular it will not give anyone (and that includes the 
> > administrator) direct access to the prime space bank.
> 
> Ah, yes. Who owns the TCB?
> Oh - no one. Cool. So who gets permission to update the TCB? 
> Ah, of course, no one.  It's not like you ever need to patch a piece of
> software, because all software is perfect once released.

No, it isn't, and yes, it may need to be replaced.  IMO this should only be
possible when the OS isn't running, but mounted on a different system.
Theoretically it can be done while it is running as well, of course.

Anyway, anyone who can physically take the hard disk home has access to
everything, including the TCB.  This was about the administrator (which I took
to be the person creating user accounts and installing non-TCB software).
That person _doesn't_ have access to the primary space bank.

Someone who owns the TCB can inspect everything anyway, because they can
change the TCB in a way that it allows such inspection.  This is true also if
you were using constructors and protecting space banks (because they can be
changed).  I usually call this person the machine owner, although he may not
always be that.

Thanks,
Bas

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://129.125.47.90/e-mail.html
