From: "Peter Teoh"
To: "Geoffrey McRae"
Cc: Valdis.Kletnieks@vt.edu, "Alan Cox", linux-kernel@vger.kernel.org
Subject: Re: New Security Features, Please Comment
Date: Wed, 3 Dec 2008 12:35:43 +0800
Message-ID: <804dabb00812022035k1876a521qa41cd4634b70f9a2@mail.gmail.com>
In-Reply-To: <1228276959.6679.27.camel@lappy.spacevs.com>

On Wed, Dec 3, 2008 at 12:02 PM, Geoffrey McRae wrote:
>
> My initial concept is to implement a HTTP server that is designed from
> the ground up to use this new functionality. Each server that has been
> pre-forked will just sit there until the parent sets its uid/gid and
> hands it the request to handle.
>

I think the above is the core issue - you have something privileged to be
executed. So why not execute it in a small, code-verifiable implementation,
just like the Privilege Separation idea of SSH?

http://www.citi.umich.edu/u/provos/papers/privsep.pdf

Everything is done in userspace. Since the privileged component is small,
it is easy to verify for correctness. The rest execute with lesser
privilege.

Recently, the hypervisor has been used to implement this verifiable source
code concept: see:

http://www.ghs.com/news/20081117_integrity_EAL6plus_security.html

where GreenHill achieved EAL6 certification - as it built its entire kernel
on top of the hypervisor. (called Separation Kernel, conceptually similar
to that of Privilege Separation in SSH).

Just my 2cts :-).

--
Regards,
Peter Teoh

Ernest Hemingway - "Never mistake motion for action."
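The pattern discussed in this exchange (a privileged parent that pre-forks a worker, the worker drops to an unprivileged uid/gid, and only then is a request handed to it), as an added example that is not code from this thread, from either participant, or from OpenSSH. It assumes Linux with setresuid/setresgid, uses uid/gid 65534 ("nobody") as a placeholder for the unprivileged identity, and stands in for the HTTP parser with a deliberately tiny request-line check so that the control flow is the point, not the protocol.

```c
/* privsep_demo.c: minimal privilege-separation skeleton (added example,
 * not from the LKML thread). A privileged parent forks a worker, the
 * worker drops privileges, and the untrusted request is parsed only
 * after the drop, so a bug in the parser runs with the lesser identity. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Placeholder unprivileged identity (assumption: "nobody" on this host). */
#define UNPRIV_UID 65534
#define UNPRIV_GID 65534

/* Drop to uid/gid. Order matters: supplementary groups first, then gid,
 * then uid, because once the uid is gone the gid can no longer be changed.
 * Returns 0 on success, -1 on failure. If the process is not root there
 * is nothing to drop, so it is reported as already unprivileged. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() != 0 && geteuid() != 0)
        return 0;
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Fail closed: the drop must be irreversible. */
    if (setresuid(0, 0, 0) == 0)
        return -1;
    return 0;
}

/* Worker side: the untrusted request is handled here, after the drop.
 * Stand-in for the real HTTP parser; reports the uid it runs as. */
static void handle_request(const char *req, char *resp, size_t len)
{
    if (strncmp(req, "GET ", 4) == 0)
        snprintf(resp, len, "200 OK path=%s uid=%u", req + 4,
                 (unsigned)getuid());
    else
        snprintf(resp, len, "400 Bad Request");
}

/* Parent side: fork a worker, hand it one request over a socketpair and
 * collect the reply. Returns the reply length, or -1 on error. */
int privsep_handle(const char *request, char *resp, size_t len)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Worker: drop first, read the request only afterwards. */
        char buf[256], out[256];
        close(sv[0]);
        if (drop_privileges(UNPRIV_UID, UNPRIV_GID) != 0)
            _exit(1);
        ssize_t n = read(sv[1], buf, sizeof buf - 1);
        if (n <= 0)
            _exit(1);
        buf[n] = '\0';
        handle_request(buf, out, sizeof out);
        if (write(sv[1], out, strlen(out)) < 0)
            _exit(1);
        _exit(0);
    }
    /* Parent: brokers the request, never parses it. */
    close(sv[1]);
    ssize_t n = -1;
    if (write(sv[0], request, strlen(request)) >= 0)
        n = read(sv[0], resp, len - 1);
    int status;
    waitpid(pid, &status, 0);
    close(sv[0]);
    if (n < 0)
        return -1;
    resp[n] = '\0';
    return (int)n;
}

int main(void)
{
    char reply[256];
    if (privsep_handle("GET /index.html", reply, sizeof reply) > 0)
        printf("worker replied: %s\n", reply);
    return 0;
}
```

The parent stays small and does nothing with the request bytes except copy them; everything that interprets input happens in the child after `drop_privileges()` has verified that root cannot be regained. When run as an ordinary user the drop is a no-op and the reply simply reports that user's uid.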