Re: New Security Features, Please Comment

From: Peter Teoh
Date: Tue Dec 02 2008 - 23:35:57 EST

On Wed, Dec 3, 2008 at 12:02 PM, Geoffrey McRae <geoff@xxxxxxxxxxxxx> wrote:
> My initial concept is to implement a HTTP server that is designed from
> the ground up to use this new functionallity. Each server that has been
> pre-forked will just sit there until the parent sets its uid/gid and
> hands it the request to handle.

I think the above is the core issue - you have something privileged to
be executed. So why not execute it in a small, code-verifiable
implementation, just like the Privilege Separation idea of SSH?

Everything is done in userspace. SInce the privileged component is
small, it is easy to verify for correctness. The rest execute with
lesser privilege.

Recently, the hypervisor has been used to implement this verifiable
source code concept: see:

where GreenHill achieved EAL6 certification - as it built its entire
kernel on top of the hypervisor. (called Separation Kernel,
conceptually similar to that of Privilege Separation in SSH).

Just my 2cts :-).

Peter Teoh

Ernest Hemingway - "Never mistake motion for action."
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at