Subject: Re: transparent filtering and bridge(4)?
To: Steven M. Bellovin <smb@research.att.com>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 03/07/2002 12:26:48
On Wed, Mar 06, 2002 at 11:17:20PM -0500, Steven M. Bellovin wrote:
>
> Even so, that's a lot of machine-dependent code in the kernel.  It 
> doesn't really strike me as the way to go.  As I said, we already 
> permit LKM; is there an incremental risk?

Well, one problem is that lots of firewall configurations effectively
*don't* permit LKMs, at least not without a manual, attended reboot to
get the LKMs loaded.

What about:

1) Signed BPF->C->object code toolchain, which signs its output
2) Kernel allows signed "BPF modules" to be loaded while running.

Now you are at the mercy of bugs in your BPF compiler, but otherwise just
as safe as you were before; the same situation you'd be in if you put the
BPF translator in the kernel.

-- 
 Thor Lancelot Simon	                                      tls@rek.tjls.com
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud
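As an added example, not part of Thor's message or of any NetBSD code: the two-part proposal above (a signing toolchain, and a kernel that loads only signed "BPF modules" at runtime) modelled in user-space Go. The module format, the rule syntax (`dport=N`), Ed25519 as the signature scheme and all type and function names are this example's assumptions. The loader holds only the public key, verifies before it parses a single byte of the object, and refuses a tampered module or one signed by another key. The comments also mark the trust boundary the message points at: the signature proves who produced the object, not that the compiler got it right.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Hypothetical module format (this example's assumption, not any real format):
// a 4-byte magic followed by the "object code". The object code here is just
// a big-endian destination port that the filter matches on.
var magic = []byte("BPFM")

// SignedModule is what the toolchain emits and the kernel-side loader consumes.
type SignedModule struct {
	Object []byte // toolchain output
	Sig    []byte // Ed25519 signature over SHA-256(Object)
}

// Toolchain models the signing BPF->C->object pipeline; it alone holds the private key.
type Toolchain struct{ priv ed25519.PrivateKey }

// Loader models the kernel side. It is provisioned with the public key only
// (e.g. compiled in), so nothing loaded at runtime can add a trusted signer.
type Loader struct{ pub ed25519.PublicKey }

// NewKeyPair produces a toolchain and the loader that trusts it.
func NewKeyPair() (Toolchain, Loader, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Toolchain{}, Loader{}, err
	}
	return Toolchain{priv: priv}, Loader{pub: pub}, nil
}

// compile is the toy "BPF compiler": it accepts exactly one rule form, "dport=N".
// A bug here is inside the trust boundary: whatever it emits gets signed.
func compile(rule string) ([]byte, error) {
	if !strings.HasPrefix(rule, "dport=") {
		return nil, fmt.Errorf("unsupported rule %q", rule)
	}
	port, err := strconv.ParseUint(strings.TrimPrefix(rule, "dport="), 10, 16)
	if err != nil {
		return nil, fmt.Errorf("bad port in %q: %w", rule, err)
	}
	obj := make([]byte, len(magic)+2)
	copy(obj, magic)
	binary.BigEndian.PutUint16(obj[len(magic):], uint16(port))
	return obj, nil
}

// CompileAndSign runs the compiler and signs whatever it produced. The signature
// vouches for provenance, not for correctness: a miscompiled filter is signed too.
func (t Toolchain) CompileAndSign(rule string) (SignedModule, error) {
	obj, err := compile(rule)
	if err != nil {
		return SignedModule{}, err
	}
	digest := sha256.Sum256(obj)
	return SignedModule{Object: obj, Sig: ed25519.Sign(t.priv, digest[:])}, nil
}

// Module is a loaded filter, the runtime counterpart of an installed BPF program.
type Module struct{ dport uint16 }

// Match applies the filter to a packet's destination port.
func (m Module) Match(dport uint16) bool { return dport == m.dport }

var ErrBadSignature = errors.New("module signature does not verify")

// Load is the kernel-side check: verify first, and only then parse the object
// (on a real kernel this is where the code would be mapped executable).
func (l Loader) Load(sm SignedModule) (Module, error) {
	digest := sha256.Sum256(sm.Object)
	if !ed25519.Verify(l.pub, digest[:], sm.Sig) {
		return Module{}, ErrBadSignature
	}
	if len(sm.Object) != len(magic)+2 || !bytes.HasPrefix(sm.Object, magic) {
		return Module{}, errors.New("malformed module")
	}
	return Module{dport: binary.BigEndian.Uint16(sm.Object[len(magic):])}, nil
}

func main() {
	tc, ld, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	sm, err := tc.CompileAndSign("dport=22")
	if err != nil {
		panic(err)
	}
	m, err := ld.Load(sm)
	fmt.Println("signed module load:", err, "| matches 22:", m.Match(22), "| matches 80:", m.Match(80))

	// Patch the object after signing, as an attacker with write access to the
	// module file could: the loader must refuse it.
	bad := sm
	bad.Object = append([]byte{}, sm.Object...)
	binary.BigEndian.PutUint16(bad.Object[len(magic):], 80)
	_, err = ld.Load(bad)
	fmt.Println("tampered module load:", err)
}
```

The point of keeping the private key out of the Loader type is the same as in the proposal: the running firewall never needs the signing key, so a box that forbids unsigned LKMs can still accept new filters without an attended reboot, and the only code that can put bytes into the kernel this way is whatever the toolchain emitted.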