Re: The disappearing sys_call_table export.

From: Valdis.Kletnieks@vt.edu
Date: Mon May 12 2003 - 17:12:13 EST


On Mon, 12 May 2003 17:51:25 EDT, Chuck Ebbert said:
> Alan Cox wrote:
>
> >> ...and on a related topic, if someone wrote a patch to optionally clear
> >> the swap area at swapoff would it ever be accepted?
> >
> > man dd ?
>
> "That can be done manually" does not get you the check mark in
> the list of features. Management wants idiot-resistant security.

In particular, the code that handles the zeroing out of resource objects
before re-use needs to be "inside" the trusted-base perimeter. This has
been well-understood for years - even my August 83 copy of the Orange Book
says (for class C2):

2.2.1.2 Object Reuse

All authorizations to the information contained within a storage object
shall be revoked prior to initial assignment, allocation, or reallocation
to a subject from the TCB's pool of unused storage objects. No information,
including encrypted representations of information, produced by a prior
subject's actions is to be available to any subject that obtains access
to an object that has been released back to the system.

(OK.. it doesn't have to be in-kernel, but the function *does* have to
be inside the TCB, not out in random userland)...
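
An added illustration of the object-reuse point in the message above, not part of the original post or of any kernel code: a small C pool in which the release path itself clears a storage object, contrasted with one that leaves clearing to whoever held it last. All names are hypothetical and the secret is constructed sample data.

```c
#include <stddef.h>
#include <string.h>
#define SLOT_SIZE 64
#define NSLOTS    4

/* Hypothetical pool of reusable storage objects (a stand-in for swap pages). */
struct pool {
    unsigned char data[NSLOTS][SLOT_SIZE];
    int in_use[NSLOTS];
    int scrub_on_release;  /* 1: pool zeroes on release; 0: left to the caller */
};

/* Hand out the first free slot, or NULL when the pool is exhausted. */
void *pool_alloc(struct pool *pl)
{
    for (int i = 0; i < NSLOTS; i++)
        if (!pl->in_use[i]) {
            pl->in_use[i] = 1;
            return pl->data[i];
        }
    return NULL;
}

/* Return a slot to the pool; any scrub happens here, not in caller code. */
void pool_release(struct pool *pl, void *obj)
{
    volatile unsigned char *v = obj;  /* volatile: the stores cannot be elided */
    for (int i = 0; i < NSLOTS; i++)
        if (obj == (void *)pl->data[i] && pl->in_use[i]) {
            for (size_t n = 0; pl->scrub_on_release && n < SLOT_SIZE; n++)
                v[n] = 0;
            pl->in_use[i] = 0;
        }
}

/* Constructed scenario: subject A stores a secret and releases the slot without
 * cleaning up; returns how many non-zero bytes subject B then inherits. */
size_t bytes_leaked_on_reuse(int scrub_on_release)
{
    static const char secret[] = "constructed-secret";  /* sample data */
    struct pool pl = { .scrub_on_release = scrub_on_release };
    size_t leaked = 0;
    unsigned char *a = pool_alloc(&pl);
    memcpy(a, secret, sizeof secret);
    pool_release(&pl, a);
    unsigned char *b = pool_alloc(&pl);  /* same slot, new owner */
    for (size_t i = 0; i < SLOT_SIZE; i++)
        leaked += (b[i] != 0);
    return leaked;
}
```

With the scrub inside the pool, the second owner inherits nothing no matter how the first owner behaved; with it left outside, every byte of the secret is still readable.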






This archive was generated by hypermail 2b29 : Thu May 15 2003 - 22:00:42 EST