[3569] in cryptography@c2.net mail archive
Re: Medium-term real fix for buffer overruns
daemon@ATHENA.MIT.EDU (Bill Frantz)
Fri Oct 30 16:21:48 1998
In-Reply-To: <199810161710.KAA06794@lart>
Date: Fri, 30 Oct 1998 00:05:12 -0700
To: Tom Perrine <tep@SDSC.EDU>
From: Bill Frantz <frantz@netcom.com>
Cc: smb@research.att.com, karn@Qualcomm.com, gnu@toad.com,
reinhold@world.std.com, decius@ninja.techwood.org, cryptography@c2.net
At 10:10 AM -0700 10/16/98, Tom Perrine wrote:
>>>>>> On Fri, 16 Oct 1998 09:57:41 -0800, Bill Frantz <frantz@netcom.com> said:
>
>
> Bill> These attacks are all a problem of the application running with
> Bill> too much privilege. (ALL the user's privilege in this case.) This
> Bill> flaw pervades most operating system work since at least Multics.
> Bill> Some systems, e.g. KeyKOS, tried to reduce/eliminate this exposure,
> Bill> but they haven't caught on in the marketplace. (I hope there's
> Bill> still time.)
>
>Multics *did* have "least privilege"; you could essentially set ACLs
>to the individual account.project on every system call (actually every
>inter-ring gate).
But this version of "least privilege", the project level, is far too coarse
to offer Trojan horse/virus protection. You want a separate protection set
for each execution of a program. The hard problem is making the system
usable when you have that level of protection.
>
>As for the market, whatever we do will have to be POSIX/UNIX
>compatible, or it is dead. In 5 years, we might be saying "NT
>compatible", but I hope not.
IMHO, Unix/NT (they are really the same thing) compatibility is part of the
problem, not part of the solution. The problem is that these systems give
default access to a large number of resources (files, network etc.) to any
program you run.
>I have worked on A and B level systems, and know others who have as
>well. Getting that kind of design, including ACLs and least
>privilege, that could at least be claimed as "UNIX compatible" was by
>far the hardest part of the job.
We figured out how to provide "UNIX compatibility" in KeyKOS (a system
capable of meeting the B3 requirements). It really was less secure in that
mode than in its native mode. However we could provide a separate "UNIX"
for each security compartment, which made the NCSC happy.
-------------------------------------------------------------------------
Bill Frantz | Macintosh: Didn't do every-| Periwinkle -- Consulting
(408)356-8506 | thing right, but did know | 16345 Englewood Ave.
frantz@netcom.com | the century would end. | Los Gatos, CA 95032, USA
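The contrast Frantz draws above, between a Unix process that can open any file its user can ("default access to a large number of resources") and a program that holds only the authority handed to it for this one execution, can be shown on an ordinary POSIX system. The following is an added example written for this archive page; it is not code from the thread, from KeyKOS, or from any system the message names. The parent creates a file (the "secret-payload" content is constructed for the demo), opens it by name to show the ambient authority every program it runs would inherit, then forks a child that receives only the open descriptor. The child lowers RLIMIT_NOFILE to zero so it can no longer open anything by path, yet can still read the descriptor it was given. Two assumptions are marked in the code: that lowering the limit leaves already-open descriptors valid (POSIX) and that open() then fails with EMFILE before the path is looked up (true on Linux, where this was written). This is a crude stand-in for capability-style confinement, not a sandbox; the point is only that authority can be narrowed per execution without any change to the kernel's file model.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Bits reported by demo_capability_handoff(); 7 means all three held. */
#define AMBIENT_OPEN_OK       1  /* unconfined parent opened the file by name  */
#define CONFINED_OPEN_BLOCKED 2  /* confined child could not open it by name   */
#define HANDED_FD_USABLE      4  /* confined child still read the handed fd    */

/* Constructed sample content for the demo file. */
static const char PAYLOAD[] = "secret-payload\n";

/* Child side: give up the ambient ability to open files, then show that the
 * single descriptor passed in is the only authority left and still works.
 * Assumption: with RLIMIT_NOFILE == 0, open() fails with EMFILE before the
 * path is looked up (Linux behaviour); existing descriptors stay valid (POSIX). */
static int run_confined(int handed_fd, const char *path)
{
    int result = 0;
    struct rlimit none = { 0, 0 };
    char buf[sizeof PAYLOAD];

    /* Lowering a limit never needs privilege. */
    if (setrlimit(RLIMIT_NOFILE, &none) != 0)
        return 0;

    /* The same path the parent opened a moment ago is now refused. */
    int fd = open(path, O_RDONLY);
    if (fd < 0 && errno == EMFILE)
        result |= CONFINED_OPEN_BLOCKED;
    else if (fd >= 0)
        close(fd);

    /* The handed descriptor is a capability: it keeps working. */
    ssize_t n = pread(handed_fd, buf, sizeof buf - 1, 0);
    if (n == (ssize_t)(sizeof PAYLOAD - 1)) {
        buf[n] = '\0';
        if (strcmp(buf, PAYLOAD) == 0)
            result |= HANDED_FD_USABLE;
    }
    return result;
}

/* Parent side: create a file, probe the ambient authority a Unix process has,
 * hand one open descriptor to a forked child, and collect what it could do. */
int demo_capability_handoff(void)
{
    char path[] = "/tmp/capdemo.XXXXXX";   /* hypothetical scratch file */
    int result = 0;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, PAYLOAD, sizeof PAYLOAD - 1) != (ssize_t)(sizeof PAYLOAD - 1)) {
        close(fd); unlink(path); return -1;
    }

    /* Ambient authority: any program this user runs can open the file by name. */
    int probe = open(path, O_RDONLY);
    if (probe >= 0) { result |= AMBIENT_OPEN_OK; close(probe); }

    pid_t pid = fork();
    if (pid < 0) { close(fd); unlink(path); return -1; }
    if (pid == 0)
        _exit(run_confined(fd, path));     /* child: holds only fd */

    int status = 0;
    if (waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        result |= WEXITSTATUS(status);
    else
        result = -1;

    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    int r = demo_capability_handoff();
    printf("ambient open by name: %s\n", (r & AMBIENT_OPEN_OK) ? "allowed" : "refused");
    printf("confined open by name: %s\n", (r & CONFINED_OPEN_BLOCKED) ? "refused" : "allowed");
    printf("handed descriptor: %s\n", (r & HANDED_FD_USABLE) ? "readable" : "unusable");
    return r == 7 ? 0 : 1;
}
```

The limit trick confines only file opening, which is why it fits in a few lines; sockets, signals and shared memory are untouched, which is exactly the "large number of resources" problem the message complains about. Doing this per execution of a program, so that the parent decides which descriptors to pass and the child cannot reach past them, is the separate-protection-set-per-execution idea, applied within the Unix process model rather than replacing it.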