Subject: Re: kauth, securelevel, and "run levels"
To: None <tech-kern@netbsd.org>
From: None <joerg@britannica.bec.de>
List: tech-kern
Date: 03/25/2006 19:41:10
On Sat, Mar 25, 2006 at 01:07:22PM -0500, Steven M. Bellovin wrote:
> On Sat, 25 Mar 2006 12:37:07 -0500, Thor Lancelot Simon
> <tls@rek.tjls.com> wrote:
> 
> > As Kirk said to me years ago, the idea was to
> > provide a simple, even provably-correct, means of dramatically limiting
> > the extent of any system compromise
> 
> I'd like to retain the focus on "simple, even provably-correct".  Any
> new scheme should be high assurance.

Help to verify that (a) the actual implementation of the kauth framework
is correct. It is pretty much self contained and shouldn't be a problem
to get the high assurance you want. After that, (b) check that all the
checks are *semantically* correct where they occur. This part is
actually a review of the old implementation *as well*. The important part
here is that instead of having code "to bail out based on the value of
a global variable", the code now explicitly documents what is checked
for. This part was at the very least a lot harder before.

Joerg
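The contrast drawn above, a check site that bails out on a global securelevel value versus one that names the privileged action it is asking about, as an added example that is not part of this thread and not NetBSD's kauth API. The listener model, the `authorize()` entry point, the `action` and `result` enums and the `securelevel` variable are all assumed for illustration; the point is that the "after" style makes the thing being checked, and the policy deciding it, explicit and reviewable in one place.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model for illustration only; not NetBSD's kauth(9). */

/* "Before": a global securelevel consulted ad hoc at every check site. */
static int securelevel = 0;

struct cred { unsigned uid; };

/* Old-style check site: a reader sees a uid test and a bare number, and has
 * to know from elsewhere what "securelevel > 0" is supposed to protect. */
static bool old_style_set_time_allowed(const struct cred *cr) {
    if (cr->uid != 0) return false;
    return securelevel <= 0;
}

/* "After": every privileged operation is a named action. */
enum action {
    ACTION_SYSTEM_SET_TIME,
    ACTION_SYSTEM_RAW_DEVICE_WRITE,
    ACTION_COUNT
};

enum result { RESULT_DEFER, RESULT_ALLOW, RESULT_DENY };

typedef enum result (*listener_fn)(const struct cred *, enum action);

#define MAX_LISTENERS 4
static listener_fn listeners[MAX_LISTENERS];
static size_t nlisteners;

static bool register_listener(listener_fn fn) {
    if (nlisteners >= MAX_LISTENERS) return false;
    listeners[nlisteners++] = fn;
    return true;
}

static void reset_listeners(void) { nlisteners = 0; }

/* Single authorization entry point (assumed semantics): any DENY wins,
 * otherwise any ALLOW wins, and all-DEFER fails closed as a deny. */
static bool authorize(const struct cred *cr, enum action a) {
    bool allowed = false;
    for (size_t i = 0; i < nlisteners; i++) {
        enum result r = listeners[i](cr, a);
        if (r == RESULT_DENY) return false;
        if (r == RESULT_ALLOW) allowed = true;
    }
    return allowed;
}

/* The traditional securelevel policy, now expressed once per named action
 * instead of being scattered as global-variable tests across the tree. */
static enum result securelevel_listener(const struct cred *cr, enum action a) {
    (void)cr;
    switch (a) {
    case ACTION_SYSTEM_SET_TIME:
    case ACTION_SYSTEM_RAW_DEVICE_WRITE:
        return securelevel > 0 ? RESULT_DENY : RESULT_DEFER;
    default:
        return RESULT_DEFER;
    }
}

/* Root is allowed any action unless another listener denies it. */
static enum result root_listener(const struct cred *cr, enum action a) {
    (void)a;
    return cr->uid == 0 ? RESULT_ALLOW : RESULT_DEFER;
}

/* New-style check site: the action name documents what is being checked. */
static bool new_style_set_time_allowed(const struct cred *cr) {
    return authorize(cr, ACTION_SYSTEM_SET_TIME);
}

/* Run one set-time check under a given securelevel and uid, in either style. */
static bool check_set_time(int level, unsigned uid, bool old_style) {
    struct cred cr = { uid };
    securelevel = level;
    reset_listeners();
    register_listener(securelevel_listener);
    register_listener(root_listener);
    return old_style ? old_style_set_time_allowed(&cr)
                     : new_style_set_time_allowed(&cr);
}

int main(void) {
    printf("level 0, root, old style: %d\n", check_set_time(0, 0, true));
    printf("level 0, root, new style: %d\n", check_set_time(0, 0, false));
    printf("level 1, root, old style: %d\n", check_set_time(1, 0, true));
    printf("level 1, root, new style: %d\n", check_set_time(1, 0, false));
    return 0;
}
```

Both styles yield the same decisions here; what changes is reviewability. To audit the old style you grep for every read of `securelevel` and reconstruct the intent at each site, which is the "(b) semantic review" step described above. In the new style the action enum is the list of things that can be checked, and the listener is the one place where the policy for each of them lives.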