[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <804dabb00812022035k1876a521qa41cd4634b70f9a2@mail.gmail.com>
Date: Wed, 3 Dec 2008 12:35:43 +0800
From: "Peter Teoh" <htmldeveloper@...il.com>
To: "Geoffrey McRae" <geoff@...idhost.com>
Cc: Valdis.Kletnieks@...edu, "Alan Cox" <alan@...rguk.ukuu.org.uk>,
linux-kernel@...r.kernel.org
Subject: Re: New Security Features, Please Comment
On Wed, Dec 3, 2008 at 12:02 PM, Geoffrey McRae <geoff@...idhost.com> wrote:
>
> My initial concept is to implement a HTTP server that is designed from
> the ground up to use this new functionallity. Each server that has been
> pre-forked will just sit there until the parent sets its uid/gid and
> hands it the request to handle.
>
I think the above is the core issue - you have something privileged to
be executed. So why not execute it in a small, code-verifiable
implementation, just like the Privilege Separation idea of SSH?
http://www.citi.umich.edu/u/provos/papers/privsep.pdf
Everything is done in userspace. SInce the privileged component is
small, it is easy to verify for correctness. The rest execute with
lesser privilege.
Recently, the hypervisor has been used to implement this verifiable
source code concept: see:
http://www.ghs.com/news/20081117_integrity_EAL6plus_security.html
where GreenHill achieved EAL6 certification - as it built its entire
kernel on top of the hypervisor. (called Separation Kernel,
conceptually similar to that of Privilege Separation in SSH).
Just my 2cts :-).
--
Regards,
Peter Teoh
Ernest Hemingway - "Never mistake motion for action."
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists