Subject: Re: kauth, securelevel, and "run levels"
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 03/25/2006 13:15:29
On Sat, Mar 25, 2006 at 01:07:22PM -0500, Steven M. Bellovin wrote:
> On Sat, 25 Mar 2006 12:37:07 -0500, Thor Lancelot Simon
> <tls@rek.tjls.com> wrote:
> 
> I like what you said, but I want to call attention to one point:
> >
> > As Kirk said to me years ago, the idea was to
> > provide a simple, even provably-correct, means of dramatically limiting
> > the extent of any system compromise
> 
> I'd like to retain the focus on "simple, even provably-correct".  Any
> new scheme should be high assurance.

What Elad's done with kauth is, viewed one way, to gather all the individual
if-statements that implemented the old "security level" framework -- and
many other privileged operations besides -- into one central authorizer.

This makes the code where the old if-statements were more complex, because
it calls out to other code; but, conversely, it means that to see all the
tests, you only have to look in one place.  The major issue of correctness
becomes, then, not "are there tests everywhere they are needed", but
instead "is the code that implements all the tests correct".

That the total size of the code has expanded is a concern.

Either way, you must either trust or prove that the code testing for the
set of prohibited operations is correct, in order to be able to trust
your proof that _if_ the following operations are prohibited, _then_ X,
for whatever X.  The job of getting the sets of permissions right is
the same for either implementation, I think.

-- 
  Thor Lancelot Simon	                                     tls@rek.tjls.com

  "We cannot usually in social life pursue a single value or a single moral
   aim, untroubled by the need to compromise with others."      - H.L.A. Hart
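The contrast Thor draws above, between securelevel tests scattered through the call sites and a single authorizer that holds all of them, as an added illustration in C. This is not the mail's code and not NetBSD's kauth implementation; every name in it (toy_cred, toy_authorize, the ACT_* actions, the refuse-at table) is made up for the example. It shows the two shapes side by side, and then the point that centralizing the policy buys you: once the tests are data in one place, a property of the whole policy (here, that raising securelevel never grants something a lower securelevel refused) can be checked mechanically instead of by hunting for every if-statement.

```c
/* Added illustration, not NetBSD's kauth: a toy kernel with the old
 * scattered securelevel checks beside one central authorizer, plus a
 * mechanical check over the centralized policy.  All names here are
 * assumptions made for the example. */
#include <stdbool.h>
#include <errno.h>

/* A made-up credential carrying only what the checks below need. */
struct toy_cred {
    int uid;   /* 0 == superuser, as in the traditional model */
    int pid;   /* used for the "only init may lower securelevel" rule */
};

static int toy_securelevel = 1;   /* system-wide, as in 4.4BSD */

/* Privileged operations the toy kernel knows about. */
enum toy_action {
    ACT_RAWDISK_WRITE,        /* write to a mounted disk's raw device */
    ACT_SET_IMMUTABLE_CLEAR,  /* clear the system immutable flag */
    ACT_LOAD_KMOD,            /* load a kernel module */
    ACT_LOWER_SECURELEVEL,    /* set securelevel to a smaller value */
    ACT_SET_TIME_BACKWARD,    /* set the clock backwards */
    ACT_COUNT
};

/* --- OLD STYLE: one if-statement per call site ------------------------ */

static int old_rawdisk_write(const struct toy_cred *cr)
{
    if (cr->uid != 0)
        return EPERM;
    if (toy_securelevel > 0)   /* the securelevel test lives here ... */
        return EPERM;
    return 0;
}

static int old_load_kmod(const struct toy_cred *cr)
{
    if (cr->uid != 0)
        return EPERM;
    if (toy_securelevel > 0)   /* ... and here, and in every other site */
        return EPERM;
    return 0;
}
/* An auditor must find every such site before the policy is known. */

/* --- NEW STYLE: one central authorizer -------------------------------- */

/* Securelevel at or above which the action is refused even to root. */
static const int toy_refuse_at[ACT_COUNT] = {
    [ACT_RAWDISK_WRITE]       = 1,
    [ACT_SET_IMMUTABLE_CLEAR] = 1,
    [ACT_LOAD_KMOD]           = 1,
    [ACT_LOWER_SECURELEVEL]   = 1,   /* init is special-cased below */
    [ACT_SET_TIME_BACKWARD]   = 2,
};

/* The single place where the policy is implemented. */
int toy_authorize(const struct toy_cred *cr, enum toy_action act)
{
    if ((int)act < 0 || act >= ACT_COUNT)
        return EINVAL;
    if (cr->uid != 0)
        return EPERM;                 /* superuser is still required */
    if (act == ACT_LOWER_SECURELEVEL && cr->pid == 1)
        return 0;                     /* the one exception: init */
    if (toy_securelevel >= toy_refuse_at[act])
        return EPERM;
    return 0;
}

static int new_rawdisk_write(const struct toy_cred *cr)
{
    return toy_authorize(cr, ACT_RAWDISK_WRITE);   /* no local policy */
}

/* Because the policy is now data in one place, a property of the whole
 * policy can be checked: raising securelevel never grants an action that
 * a lower securelevel refused.  Returns false on the first violation. */
bool toy_policy_is_monotone(void)
{
    struct toy_cred root = { .uid = 0, .pid = 2 };
    int saved = toy_securelevel;
    bool ok = true;
    for (int lvl = -1; lvl < 3 && ok; lvl++) {
        for (int a = 0; a < ACT_COUNT; a++) {
            toy_securelevel = lvl;
            int at_lvl = toy_authorize(&root, (enum toy_action)a);
            toy_securelevel = lvl + 1;
            int at_next = toy_authorize(&root, (enum toy_action)a);
            if (at_lvl == EPERM && at_next == 0) {
                ok = false;
                break;
            }
        }
    }
    toy_securelevel = saved;
    return ok;
}
```

The trade-off the mail describes is visible here: new_rawdisk_write is more opaque than old_rawdisk_write, since the answer now lives in another function, but toy_authorize and toy_refuse_at are the only things an auditor has to read, and a property like monotonicity can be stated and checked against them as a unit. Note that the same burden Thor names remains: toy_policy_is_monotone tells you nothing if toy_refuse_at itself lists the wrong actions.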