Subject: Re: transparent filtering and bridge(4)?
To: Bill Squier <email@example.com>
From: Steven M. Bellovin <firstname.lastname@example.org>
Date: 03/08/2002 14:55:51
In message <20020308131915.A19126@yog-sothoth.old-ones.com>, Bill Squier writes
>On Thu, Mar 07, 2002 at 12:26:48PM -0500, Thor Lancelot Simon wrote:
>> On Wed, Mar 06, 2002 at 11:17:20PM -0500, Steven M. Bellovin wrote:
>> > Even so, that's a lot of machine-dependent code in the kernel. It
>> > doesn't really strike me as the way to go. As I said, we already
>> > permit LKM; is there an incremental risk?
>> Well, one problem is that lots of firewall configurations effectively
>> *don't* permit LKMs, at least not without a manual, attended reboot to
>> get the LKMs loaded.
>> What about:
>> 1) Signed BPF->C->object code toolchain, which signs its output
>> 2) Kernel allows signed "BPF modules" to be loaded while running.
>> Now you are at the mercy of bugs in your BPF compiler, but otherwise just
>> as safe as you were before; the same situation you'd be in if you put the
>> BPF translator in the kernel.
>BPF is small and restricted enough that you might have a chance of proving
>safety properties of the compiled code.
Might be an interesting use for proof-carrying code.
--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com