Subject: Re: kauth, securelevel, and "run levels"
To: None <tls@rek.tjls.com>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-security
Date: 03/25/2006 17:17:08
On Sat, 25 Mar 2006 13:15:29 -0500, Thor Lancelot Simon
<tls@rek.tjls.com> wrote:

> On Sat, Mar 25, 2006 at 01:07:22PM -0500, Steven M. Bellovin wrote:
> > On Sat, 25 Mar 2006 12:37:07 -0500, Thor Lancelot Simon
> > <tls@rek.tjls.com> wrote:
> > 
> > I like what you said, but I want to call attention to one point:
> > >
> > > As Kirk said to me years ago, the idea was to
> > > provide a simple, even provably-correct, means of dramatically limiting
> > > the extent of any system compromise
> > 
> > I'd like to retain the focus on "simple, even provably-correct".  Any
> > new scheme should be high assurance.
> 
> What Elad's done with kauth is, viewed one way, to gather all the individual
> if-statements that implemented the old "security level" framework -- and
> many other privileged operations besides -- into one central authorizer.

Understood.
> 
> This makes the code where the old if-statements were more complex, because
> it calls out to other code; but, conversely, it means that to see all the
> tests, you only have to look in one place.  The major issue of correctness
> becomes, then, not "are there tests everywhere they are needed", but
> instead "is the code that implements all the tests correct".

Not really.  Have a look at
http://www.usenix.org/publications/library/proceedings/sec02/zhang.html
-- it describes an automated analysis of the Linux kernel to ensure
that certain checks were done at the right points.
> 
> That the total size of the code has expanded is a concern.

I'm less concerned with the efficiency (a concern others have
expressed) than with the correctness of the larger code.
> 
> Either way, you must either trust or prove that the code testing for the
> set of prohibited operations is correct, in order to be able to trust
> your proof that _if_ the following operations are prohibited, _then_ X,
> for whatever X.  The job of getting the sets of permissions right is
> the same for either implementation, I think.
> 
That's where we disagree.  I'm concerned not just with assurance for
the programmer, but for the administrator of such a system.  With the
new scheme, when you set certain flags, do you have a clear
understanding what is and isn't possible for an attacker?  Securelevel
can be described in a few paragraphs; you know what you're getting
(modulo code bugs, but that's not what I'm talking about here).

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
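A toy model of the two designs argued over above, added here as an illustration; it is not code from the thread and does not use NetBSD's actual kauth(9) interface. The action names, the listener table, the "any DENY wins, otherwise an ALLOW is required" combination rule, and the subset of securelevel rules it encodes (level 1 forbids writing /dev/kmem, loading modules and clearing the immutable flag; only init may lower the level) are assumptions simplified for the example. It puts a forgotten check in the old, scattered style next to the centralized authorizer, and adds one thing the central design makes possible: enumerating what a credential is and is not allowed to do at a given level.

```c
/* Added example: scattered securelevel tests vs. a central authorizer.
 * Not NetBSD code; names and securelevel rules are simplified assumptions. */
#include <errno.h>
#include <stdio.h>

/* Privileged operations the toy kernel knows about (assumed names). */
typedef enum {
    ACT_WRITE_KMEM,         /* write to /dev/kmem */
    ACT_LOAD_MODULE,        /* load a kernel module */
    ACT_CLEAR_IMMUTABLE,    /* clear the immutable file flag */
    ACT_LOWER_SECURELEVEL,  /* lower the securelevel */
    ACT_COUNT
} action_t;

typedef struct { int uid; int pid; } cred_t;

static int securelevel = 1;
static void set_securelevel(int lvl) { securelevel = lvl; }

/* Old style: the policy is an if-statement at every privileged call site. */
static int old_write_kmem(const cred_t *cred)
{
    if (cred->uid != 0) return EPERM;
    if (securelevel > 0) return EPERM;   /* the securelevel test lives here ... */
    return 0;
}

static int old_load_module(const cred_t *cred)
{
    if (cred->uid != 0) return EPERM;
    /* ... and should also live here.  It was forgotten, so root can load a
     * module at securelevel 1.  Finding this hole means auditing every site. */
    return 0;
}

/* New style: one central authorizer.  Listeners return a verdict; the
 * combination rule lives in exactly one function. */
typedef enum { DEFER, ALLOW, DENY } verdict_t;
typedef verdict_t (*listener_t)(const cred_t *, action_t);

static verdict_t root_listener(const cred_t *cred, action_t act)
{
    (void)act;
    return cred->uid == 0 ? ALLOW : DENY;
}

/* The whole (simplified) securelevel policy, readable in one place. */
static verdict_t securelevel_listener(const cred_t *cred, action_t act)
{
    switch (act) {
    case ACT_WRITE_KMEM:
    case ACT_LOAD_MODULE:
    case ACT_CLEAR_IMMUTABLE:
        return securelevel >= 1 ? DENY : DEFER;
    case ACT_LOWER_SECURELEVEL:
        return cred->pid == 1 ? DEFER : DENY;    /* only init may lower it */
    default:
        return DEFER;
    }
}

static const listener_t listeners[] = { root_listener, securelevel_listener };
#define NLISTENERS (sizeof listeners / sizeof listeners[0])

/* Any DENY wins; otherwise some listener must ALLOW; all-DEFER is denied. */
static int authorize(const cred_t *cred, action_t act)
{
    int allowed = 0;
    for (size_t i = 0; i < NLISTENERS; i++) {
        verdict_t v = listeners[i](cred, act);
        if (v == DENY) return EPERM;
        if (v == ALLOW) allowed = 1;
    }
    return allowed ? 0 : EPERM;
}

/* What a credential cannot do at a given securelevel, as a bitmask over
 * action_t (bit n set = action n denied).  With scattered if-statements
 * there is no single thing to enumerate. */
static unsigned denied_mask(const cred_t *cred, int lvl)
{
    int saved = securelevel;
    unsigned mask = 0;
    securelevel = lvl;
    for (int a = 0; a < ACT_COUNT; a++)
        if (authorize(cred, (action_t)a) != 0) mask |= 1u << a;
    securelevel = saved;
    return mask;
}

int main(void)
{
    cred_t root = { 0, 100 }, init = { 0, 1 };
    printf("old_load_module by root at securelevel 1 returns %d (0 = the hole)\n",
           old_load_module(&root));
    for (int lvl = 0; lvl <= 1; lvl++)
        printf("securelevel %d: root denied 0x%x, init denied 0x%x\n",
               lvl, denied_mask(&root, lvl), denied_mask(&init, lvl));
    return 0;
}
```

Run as-is it prints the hole in the old style (root may load a module at level 1) and the denial masks per level. The point about assurance sits in denied_mask(): because every test goes through authorize(), the answer to "what can this credential do at this level" is computable from one function and one listener table, which is what an administrator reading the policy wants; it does not, by itself, make that table correct, which is the side of the question the thread leaves open.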