Subject: Re: is there an sshfs for NetBSD ?
To: None <>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-kern
Date: 05/13/2003 14:17:49
>>> How would a cryptographic filesystem have helped any more than
>>> simply changing the permissions on the binaries so that they were
>>> executable but not readable?
>> The kernel will have a key to decrypt binaries that are loaded from
>> hard disk. so copying the encrypted binaries on another unix box
>> will not allow them to be used.
> That doesn't make any sense at all; if you can bypoass the kernel's
> protection and copy executables that have executable but not read
> permission, you can bypass the kernel's protection and decrypt and
> copy the executables.

Only if you have the decryption key - or if the bypass method includes
the decryption path.

If, for example, the executables are stored on a different machine and
are decrypted locally, and the bypass method is to snoop the network
traffic, encryption helps.  (If you read the file from another machine,
encryption helps if only the one machine has the appropriate key.)

If the bypass method is to pull the disk out and put it in another
machine, encryption helps.

If the bypass method is a readable device file for the raw disk,
encryption helps.

About the only bypass method I can see for which it doesn't help is
something like a "read any file" bug in a run-as-root program.

> Hiding a decryption key in the kernel and thinking that this is
> somehow better than just using filesystem permissions to keep
> binaries from being read seems like a typical example of [treating
> encryption as a magic bullet]...

I've given three threats against which encryption helps, two of them
plausible in many environments, the third somewhat less so but still
not entirely unreasonable.

I haven't seen you give even one threat, of any level of plausibility,
against which encryption doesn't help.  The only one I've come up with
depends on a bug's presence, unlike the two more plausible threats I
found against which encryption helps.

Yes, it has to be done right (especially with respect to key
management).  Encryption can certainly be implemented badly.  But
that's true of anything, including ordinary permissions.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B