Re: User sessions, system request

[Jonathan S. Shapiro]

On Fri, 2008-01-18 at 17:39 +0100, Bas Wijnen wrote:
> Hi,
> 
> It's been a while since anything happened here.  I haven't had any
> comments about my kernel, which I found disappointing (I talked a bit
> about it with Marcus, so I didn't expect new comments from him, but I
> had expected some from others like Jonathan).

Bas:

I apologize, but (as you have probably figured out) things have been
very hectic, and I really don't have time to look at another kernel
right now.  As I said in my other mail, I think there are some
fundamental problems with trusted path in the session management design
that you have outlined.

Here is a pair of "litmus test" questions:

If I am a user typing in a password,

  1. How does the receiving software know that the password is
     coming from the user, and not from software simulating the user?

  2. How does the user know that the password they type is going
     to software that can be trusted to protect it, rather than
     software that will broadcast the password to the entire world?

Both issues are very difficult, and they both require support from both
hardware and software (in particular, hardware keyboard sniffers are a
serious problem). Both issues tend to prohibit designs in which
arbitrary drivers can be replaced by untrusted users.

Jonathan