Re: [PATCH 0/12: eCryptfs] eCryptfs version 0.1

[James Morris]

On Mon, 21 Nov 2005, Michael Halcrow wrote:

> I think you brought up two categories of potential security
> vulnerabilities.

> The first has to do with the theoretical security of
> the algorithms -- do the encrypted files really have the attribute
> such that decrypting the files without the proper key is
> computationally infeasible? This is the job for the cryptographers to
> confront.
> 
> The other category has to do with ``exploits''; I assume you are
> talking about -- for instance -- malicious files that are able to
> circumvent the intended behavior of the code. Such vulnerabilities may
> coerce the filesystem to dump the secret key out to an insecure
> location. This is an extension of the general ``correctness'' problem
> that can be an issue with any code. I would say that this is the job
> of the engineers to help prevent. It basically involves verification
> that eCryptfs is handling all of its memory correctly (i.e., via data
> and control flow analysis).

There's a third important category: the design of the _system_.

(Which you end up discussing somewhat further in the email).

It would be great to have a document which describes the design of the 
system and includes a comprehensive security analysis.


- James
-- 
James Morris
<jmorris@xxxxxxxxx>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/