> One thing to be careful of when you implement MAC. Remember that the
> kernel is fully trusted. A single flaw in the kernel and bang, a user can
> circumvent any MAC.
--- Oh yeah. Don't you think this list will tear any implementation flaws to shreds? :-) However...
>
> The kernel API is very non-trivial, and represents a lot of code. How sure
> are you that there isn't a subtle signed/unsigned issue somewhere on the
> kernel API which leads to a kernel mode buffer overflow?
--- We've already done this once -- have had an evaluated system since 95 even w/o capabilities (used root priv in early versions). We even dumped the code out on http://oss.sgi.com/projects/ob1. In hopes others would take pieces and take ideas. We want to see an open-source solution to this.
> I think the principles behind MAC are very cool. However, in "real
> world" security situations (as opposed to feature list based security), a
> monolithic kernel is Not What A High Security System Should Be Based On
> (tm).
--- Monolithic means non-dividable. I would hope to see ACLs, file-CAPs, MAC and audit all as separate options. Pick and choose a la carte.
> The previous problem? The all-powerfulness of the root user. The new
> problem? The all-powerfulness of the monolithic kernel.
--- Hey, don't delude yourself -- the kernel already *is* all powerful -- it has to be as it is the basis upon what everything else is built on.
> Amusingly, though, such practical considerations typically aren't a
> barrier to high security certification. This is one of the reasons I view
> a lot of certifications as of limited value. However, since Governments
> see things differently....
--- And in the US the government buys 10% of the computers. By Jan 2001 the DoD will "prefer" evaluated systems -- and recommend them to the rest of .gov. By July 2002, DoD will require evaluated systems only -- waivers are handled through the NSA which promises to be way stingy.
That's a 10% market that the NSA would like to see running open-source software (Linux/Gnu...or Free/Trusted BSD). But right now the only players are proprietary OS's w/closed source. This means there could be backdoors and lots of poorly audited code. *plegh*.
-l
This archive was generated by hypermail 2b29 : Mon May 15 2000 - 21:00:14 EST