Re: New Security Features, Please Comment

From: Peter Teoh
Date: Tue Dec 02 2008 - 23:35:57 EST


On Wed, Dec 3, 2008 at 12:02 PM, Geoffrey McRae <geoff@xxxxxxxxxxxxx> wrote:
>
> My initial concept is to implement a HTTP server that is designed from
> the ground up to use this new functionality. Each server that has been
> pre-forked will just sit there until the parent sets its uid/gid and
> hands it the request to handle.
>

I think the above is the core issue - you have something privileged to
be executed. So why not execute it in a small, code-verifiable
implementation, just like the Privilege Separation idea of SSH?

http://www.citi.umich.edu/u/provos/papers/privsep.pdf

Everything is done in userspace. Since the privileged component is
small, it is easy to verify for correctness. The rest executes with
lesser privilege.

Recently, the hypervisor has been used to implement this verifiable
source code concept: see:

http://www.ghs.com/news/20081117_integrity_EAL6plus_security.html

where GreenHill achieved EAL6 certification - as it built its entire
kernel on top of the hypervisor. (called Separation Kernel,
conceptually similar to that of Privilege Separation in SSH).

Just my 2cts :-).

--
Regards,
Peter Teoh

Ernest Hemingway - "Never mistake motion for action."
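The privilege-separation split described in the message above, as an added sketch that is not code from the thread or from OpenSSH: a small monitor keeps privilege and validates every request, while a forked worker drops its uid/gid and can only talk to the monitor over a socketpair. The `GETDOC` request, the function names and the uid/gid 65534 are assumptions made for this illustration.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_ID 65534 /* assumption: uid/gid of "nobody" on this system */

/* Monitor: the only code that keeps privilege. It accepts one request type
 * (hypothetical "GETDOC <name>") and validates the argument before acting. */
int monitor_handle(const char *req, char *out, size_t n) {
    if (strncmp(req, "GETDOC ", 7) != 0) return -1;  /* unknown operation */
    const char *name = req + 7;
    if (!*name || strchr(name, '/') || strstr(name, "..")) return -1;
    snprintf(out, n, "OK %s", name); /* stand-in for the privileged action */
    return 0;
}

/* Worker: drops privilege for good, then can only ask the monitor. */
static void worker(int fd, const char *req) {
    if (geteuid() == 0) { /* order matters: groups, then gid, then uid */
        if (setgroups(0, NULL) || setgid(UNPRIV_ID) || setuid(UNPRIV_ID)) _exit(2);
        if (setuid(0) == 0) _exit(3); /* regaining root must be impossible */
    }
    if (write(fd, req, strlen(req) + 1) < 0) _exit(4);
    _exit(0);
}

/* Runs one request through the split; returns 0 only if the monitor allowed it. */
int privsep_request(const char *req, char *reply, size_t n) {
    int sv[2], status, rc = -1;
    char buf[256];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) { close(sv[0]); worker(sv[1], req); }
    close(sv[1]);
    ssize_t got = read(sv[0], buf, sizeof buf - 1);
    if (got > 0) { buf[got] = '\0'; rc = monitor_handle(buf, reply, n); }
    close(sv[0]);
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? rc : -1;
}

int main(void) { /* constructed sample requests: one allowed, one rejected */
    char a[64] = "", b[64] = "";
    int ok = privsep_request("GETDOC index.html", a, sizeof a);
    printf("%d %d\n", ok, privsep_request("GETDOC ../secret", b, sizeof b));
    return 0;
}
```

When not started as root the worker has no privilege to drop, so that step is skipped and only the monitor's request validation is exercised.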