Subject: Re: kauth, securelevel, and "run levels"
To: None
From: Steven M. Bellovin
Date: 03/25/2006 17:17:08
On Sat, 25 Mar 2006 13:15:29 -0500, Thor Lancelot Simon
> On Sat, Mar 25, 2006 at 01:07:22PM -0500, Steven M. Bellovin wrote:
> > On Sat, 25 Mar 2006 12:37:07 -0500, Thor Lancelot Simon wrote:
> > I like what you said, but I want to call attention to one point:
> > >
> > > As Kirk said to me years ago, the idea was to
> > > provide a simple, even provably-correct, means of dramatically limiting
> > > the extent of any system compromise
> > I'd like to retain the focus on "simple, even provably-correct". Any
> > new scheme should be high assurance.
> What Elad's done with kauth is, viewed one way, to gather all the individual
> if-statements that implemented the old "security level" framework -- and
> many other privileged operations besides -- into one central authorizer.
> This makes the code where the old if-statements were more complex, because
> it calls out to other code; but, conversely, it means that to see all the
> tests, you only have to look in one place. The major issue of correctness
> becomes, then, not "are there tests everywhere they are needed", but
> instead "is the code that implements all the tests correct".
Not really. Have a look at
-- it describes an automated analysis of the Linux kernel to ensure
that certain checks were done at the right points.
> That the total size of the code has expanded is a concern.
I'm less concerned with the efficiency (a concern others have
expressed) than with the correctness of the larger code.
> Either way, you must either trust or prove that the code testing for the
> set of prohibited operations is correct, in order to be able to trust
> your proof that _if_ the following operations are prohibited, _then_ X,
> for whatever X. The job of getting the sets of permissions right is
> the same for either implementation, I think.
That's where we disagree. I'm concerned not just with assurance for
the programmer, but for the administrator of such a system. With the
new scheme, when you set certain flags, do you have a clear
understanding what is and isn't possible for an attacker? Securelevel
can be described in a few paragraphs; you know what you're getting
(modulo code bugs, but that's not what I'm talking about here).
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
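The two designs discussed above, as an added illustration that is not part of this thread and is not NetBSD's kauth or securelevel code: the same small policy written once as per-subsystem if-statements (the "old" shape) and once as a single central authorizer (the "new" shape), plus an exhaustive comparison of the two over every operation, credential and securelevel. The operations, the cred_t fields and the rules (only init may lower securelevel; clearing immutable flags, writing /dev/kmem and loading modules are refused at securelevel 1 or higher) are a simplified model assumed for the example, not a transcription of any kernel.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not kernel code. Operations and rules are assumptions. */
typedef enum {
    OP_LOWER_SECURELEVEL, OP_RAISE_SECURELEVEL, OP_CLEAR_IMMUTABLE,
    OP_WRITE_KMEM, OP_LOAD_MODULE, OP_COUNT
} op_t;

typedef struct {
    bool is_root;   /* effective uid 0 */
    bool is_init;   /* pid 1 */
} cred_t;

/* ---- Old shape: each subsystem carries its own if-statements. ---- */
static bool old_lower_securelevel(const cred_t *c, int lvl)
{
    (void)lvl;
    if (!c->is_root) return false;
    if (!c->is_init) return false;   /* only init may lower securelevel */
    return true;
}
static bool old_raise_securelevel(const cred_t *c, int lvl)
{
    (void)lvl;
    return c->is_root;               /* any root process may raise it */
}
static bool old_clear_immutable(const cred_t *c, int lvl)
{
    if (!c->is_root) return false;
    if (lvl > 0) return false;       /* immutable flags stick at >= 1 */
    return true;
}
static bool old_write_kmem(const cred_t *c, int lvl)
{
    if (!c->is_root) return false;
    return lvl <= 0;                 /* /dev/kmem not writable at >= 1 */
}
static bool old_load_module(const cred_t *c, int lvl)
{
    if (!c->is_root) return false;
    return lvl <= 0;                 /* no module loading at >= 1 */
}
/* Dispatcher used only so the scattered checks can be enumerated below. */
static bool old_authorize(op_t op, const cred_t *c, int lvl)
{
    switch (op) {
    case OP_LOWER_SECURELEVEL: return old_lower_securelevel(c, lvl);
    case OP_RAISE_SECURELEVEL: return old_raise_securelevel(c, lvl);
    case OP_CLEAR_IMMUTABLE:   return old_clear_immutable(c, lvl);
    case OP_WRITE_KMEM:        return old_write_kmem(c, lvl);
    case OP_LOAD_MODULE:       return old_load_module(c, lvl);
    default:                   return false;
    }
}

/* ---- New shape: one central authorizer holds every rule. ---- */
static bool central_authorize(op_t op, const cred_t *c, int lvl)
{
    if (!c->is_root) return false;   /* every privileged op needs root */
    switch (op) {
    case OP_LOWER_SECURELEVEL: return c->is_init;
    case OP_RAISE_SECURELEVEL: return true;
    case OP_CLEAR_IMMUTABLE:
    case OP_WRITE_KMEM:
    case OP_LOAD_MODULE:       return lvl <= 0;
    default:                   return false;
    }
}

/*
 * Exhaustively compare both implementations over every operation, both
 * credential bits and securelevels -1..2. Returns how many (op, cred, lvl)
 * triples the two designs decide differently; 0 means they agree everywhere.
 */
int count_disagreements(void)
{
    int mismatches = 0;
    for (int op = 0; op < OP_COUNT; op++)
        for (int root = 0; root < 2; root++)
            for (int init = 0; init < 2; init++)
                for (int lvl = -1; lvl <= 2; lvl++) {
                    cred_t c = { .is_root = root, .is_init = init };
                    if (old_authorize((op_t)op, &c, lvl) !=
                        central_authorize((op_t)op, &c, lvl))
                        mismatches++;
                }
    return mismatches;
}

int main(void)
{
    cred_t root = { .is_root = true, .is_init = false };
    printf("root may clear immutable at securelevel 1: %s\n",
           central_authorize(OP_CLEAR_IMMUTABLE, &root, 1) ? "yes" : "no");
    printf("disagreements between old and new shape: %d\n",
           count_disagreements());
    return 0;
}
```

The enumeration is the point: with the rules in one place, "is every check present" turns into "does this one table say what the administrator thinks it says", and for a policy this small that question can be settled by brute force rather than by reading every subsystem.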