
List:       linux-kernel
Subject:    But... (was Re: signing a filesystem)
From:       rdm () tad ! micro ! umn ! edu
Date:       1996-12-31 22:49:59

First off a disclaimer: Ted T'so has expressed significant doubt
about my past email on the subject of security.  It was fairly
non-specific doubt, however.

Second, my beef: I worry that a lot of the work being done to make
linux more secure is getting off on the wrong foot.  I worry that
work is going into place that will make linux harder to understand
(thus, harder to audit, harder to secure) when similar efforts
would go a long way towards making the system simpler and more
secure.

(a) security labels are implemented as distinct linux boxes.
Information has a security label if it's on the appropriate
linux box.  [I'd even assign different physical networks to
each security label if I was really concerned about security.]

(b) ssh or the equivalent is used to encrypt all network traffic
(except, optionally for the least secure classification).

(c) all user access to the system is via specific X servers.  These
would be sealed units, with no ability to expand on fonts or software
(except by replacing them).  These would have modified X server
software that enforces security labels.  [No internet access from
secure machines -- this seems to be built into the specs.]

(d) sealing covert channels: high security traffic should receive
far lower physical priority (e.g. at routers) than low security
traffic.

In other words, I wouldn't rely on a kernel to enforce security
stratification beyond the simple level of access/no access.

You can achieve moderate levels of security by breaking up a
single machine into isolated sub-systems, but you're fighting
the underlying physical architecture when you do this, so
it's mostly a good way of eating your lunch.  Requiring multiple
physical machines is a more expensive proposition, for some people,
but if you're really concerned about security the physical cost of
a pc-class machine is a trivial part of your total costs.

-- 
Raul
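As an added illustration (not part of Raul's post or of any kernel code), the following Python models points (a), (b) and (d) above as checks an administrator could run over a host inventory: one label per box and one physical network per label, encrypted links everywhere except optionally at the lowest label, and a scheduler that serves low-security traffic before high-security traffic. The host names, labels and packets are constructed sample data; the rule that cross-label flows may only go upward is an assumption, since the post does not spell out the cross-label rule.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Clearance order, lowest first (constructed sample labels).
LEVELS = {"unclass": 0, "confidential": 1, "secret": 2}
LOWEST = "unclass"


@dataclass(frozen=True)
class Host:
    name: str
    label: str      # the single label this box carries (point a)
    network: str    # physical segment the box is attached to (point a)


# Constructed inventory: one label per box, one wire per label.
HOSTS: Dict[str, Host] = {
    "pub1": Host("pub1", "unclass", "net-unclass"),
    "conf1": Host("conf1", "confidential", "net-conf"),
    "sec1": Host("sec1", "secret", "net-secret"),
}


def audit_inventory(hosts: Dict[str, Host]) -> List[str]:
    """Point (a) as an audit: a physical network may carry only one label.
    Returns human-readable violations; an empty list means the layout is clean."""
    labels_on_net: Dict[str, set] = {}
    for h in hosts.values():
        if h.label not in LEVELS:
            raise ValueError(f"{h.name}: unknown label {h.label!r}")
        labels_on_net.setdefault(h.network, set()).add(h.label)
    return [f"{net} carries labels {sorted(labels)}"
            for net, labels in sorted(labels_on_net.items()) if len(labels) > 1]


def flow_allowed(src: Host, dst: Host) -> bool:
    """Cross-box flows: same label, or strictly upward.  The upward-only rule
    is an assumption of this example; the post only says each label lives
    on its own box."""
    return LEVELS[src.label] <= LEVELS[dst.label]


def needs_encryption(src: Host, dst: Host, exempt_lowest: bool = True) -> bool:
    """Point (b): every link is encrypted (ssh or equivalent), except
    optionally traffic that stays entirely at the least sensitive label."""
    if exempt_lowest and src.label == LOWEST and dst.label == LOWEST:
        return False
    return True


def schedule(queue: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Point (d): serve less sensitive traffic first so that the timing of
    high-label traffic reveals less to observers at low labels.  The stable
    sort keeps arrival order within one label.  Items are (label, packet_id)."""
    return sorted(queue, key=lambda item: LEVELS[item[0]])


if __name__ == "__main__":
    print("inventory violations:", audit_inventory(HOSTS))
    print("pub1 -> sec1 allowed:", flow_allowed(HOSTS["pub1"], HOSTS["sec1"]))
    print("sec1 -> pub1 allowed:", flow_allowed(HOSTS["sec1"], HOSTS["pub1"]))
    print("encrypt pub1 -> pub1:", needs_encryption(HOSTS["pub1"], HOSTS["pub1"]))
    print(schedule([("secret", "p1"), ("unclass", "p2"), ("confidential", "p3")]))
```

The audit is the part worth keeping around: the scheme in (a) is only as good as the guarantee that no wire ever carries two labels, and that is a property of the physical inventory that can drift, so it is cheap to re-check whenever a box is added.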
