[3503] in cryptography@c2.net mail archive
Re: Medium-term real fix for buffer overruns
daemon@ATHENA.MIT.EDU (Tom Perrine)
Sat Oct 17 11:34:12 1998
Date: Fri, 16 Oct 1998 10:10:58 -0700
From: Tom Perrine <tep@SDSC.EDU>
To: frantz@netcom.com
CC: smb@research.att.com, karn@Qualcomm.com, gnu@toad.com,
reinhold@world.std.com, decius@ninja.techwood.org, cryptography@c2.net
In-reply-to: <v03110722b24d38ffcc0f@[209.109.232.112]> (message from Bill
Frantz on Fri, 16 Oct 1998 09:57:41 -0800)
>>>>> On Fri, 16 Oct 1998 09:57:41 -0800, Bill Frantz <frantz@netcom.com> said:
Bill> These attacks are all a problem of the application running with too much
Bill> privilege. (ALL the user's privilege in this case.) This flaw pervades
Bill> most operating system work since at least Multics. Some systems, e.g.
Bill> KeyKOS, tried to reduce/eliminate this exposure, but they haven't caught on
Bill> in the marketplace. (I hope there's still time.)
Multics *did* have "least privilege"; you could essentially set ACLs
to the individual account.project on every system call (actually every
inter-ring gate).
As for the market, whatever we do will have to be POSIX/UNIX
compatible, or it is dead. In 5 years, we might be saying "NT
compatible", but I hope not.
I have worked on A and B level systems, and know others who have as
well. Getting that kind of design, including ACLs and least
privilege, that could at least be claimed as "UNIX compatible" was by
far the hardest part of the job.
--tep