RE: (MAC/DAC) RE: Future Linux devel. Kernels

From: Linda Walsh (
Date: Tue May 09 2000 - 12:57:56 EST

> One thing to be careful of when you implement MAC. Remember that the
> kernel is fully trusted. A single flaw in the kernel and bang, a user can
> circumvent any MAC.

	Oh yeah.  Don't you think this list will tear any implementation
flaws to shreds?  :-)  However...
> The kernel API is very non-trivial, and represents a lot of code. How sure
> are you that there isn't a subtle signed/unsigned issue somewhere on the
> kernel API which leads to a kernel mode buffer overflow?
	We've already done this once -- have had an evaluated system
since 95 even w/o capabilities (used root priv in early versions).

We even dumped the code out on In hopes others would take pieces and take ideas. We want to see an open-source solution to this.

> I think the principles behind MAC are very cool. However, in "real > world" security situations (as opposed to feature list based security), a > monolithic kernel is Not What A High Security System Should Be Based On > (tm). --- Monolithic means non-dividable. I would hope to see ACLs, file-CAPs, MAC and audit all as separate options. Pick and choose a la carte.

> The previous problem? The all-powerfulness of the root user. The new > problem? The all-powerfulness of the monolithic kernel. --- Hey, don't delude yourself -- the kernel already *is* all powerful -- it has to be as it is the basis upon what everything else is built on.

> Amusingly, though, such practical considerations typically aren't a > barrier to high security certification. This is one of the reasons I view > a lot of certifications as of limited value. However, since Governments > see things differently.... --- And in the US the government buys 10% of the computers. By Jan 2001 the Dod will "prefer" evaluated systems -- and recommend them to the rest of .gov. By July 2002, Dod will require evaluated systems only -- waivers are handled through the NSA which promises to be way stingy.

That's a 10% market that the NSA would like to see running open-source software (Linux/Gnu...or Free/Trusted BSD). But right now the only players are proprietary OS's w/closed source. This means there could be backdoors and lots of poorly audited code. *plegh*.


- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to Please read the FAQ at

This archive was generated by hypermail 2b29 : Mon May 15 2000 - 21:00:14 EST