1998-12-23-15:00:06 Paul McNabb:
> I can set up a network service (such as telnet, http, ftp, etc.) so that
> the process can never get access to certain hosts, network interfaces,
> other processes (via signals or other IPC mechanisms), files, devices,
> etc. This denial of access extends to anything this process does or that
> is handled by a descendent process through any combination of fork() and
> exec(). The design of the trusted OS is such that you can give away a copy
> of the hard disk and all source code for the OS and all other binaries, and
> even with all account names, passwords, and encryption keys, and a person
> still can't "break in."
Great. But why go to the effort of using a trusted OS, and configuring it to
allow logins, then use the trusted OS to prevent those logins from doing
anything to the web subsystem; better to just disable the logins, and you can
do that without a trusted OS really easily.
> With a trusted OS I can have my CGI scripts running in such a way that
> they cannot access any file on the system or send or receive packets on
> any network interface. Of course this extends to any process that descends
> from a CGI script through any combination of fork() and exec().
Cool. Useless, but cool. If the CGI can't interact with any files or network
ports, it's just an over-complex way to croak out some static content.
_Useful_ CGIs need to interact with local files and/or network resources. And
the ability they may have to damage those resources is what needs to be
protected against, and that protection requires thought and analysis, and
isn't going to be helped by a trusted OS.
> With a trusted OS I can make my file system, or any portion thereof,
> read-only to whatever processes I want, such as the web server, even if
> the webserver is running as root.
Cool. Personally, if I needed read-only media, I'd rather do it in hardware,
but people will place their trust wherever they wish. But as a demonstration
of something special you can do, it's certainly cool.
> Protecting web sites from being trashed is "trivial" with a trusted OS
> because that's a fundamental operation of the software.
If the job at hand is to prevent the CGI scripts from being able to interact
with the local filesystem or remote network interfaces, then yeah, it's
trivial to do with a trusted OS. But it's trivial to do without one, too ---
just remove the CGI. If on the other hand the CGI has to do some substantive
and interesting work, then there's no way around it, you have to validate its
handling of the information it gets from the network, and make sure it does
the right thing and not the wrong thing.
-Bennett
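Bennett's point that a useful CGI must touch local files, and therefore must validate what it receives from the network rather than rely on the OS alone, as an added example that is not part of the original message: a small Python routine that resolves a client-supplied path against a document root and refuses anything that escapes it (the document root layout, function and parameter names are constructed for the example; a Linux host is assumed for the symlink).

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def make_docroot() -> Path:
    """Constructed document root: one public file, one file outside the
    served tree, and a symlink inside the tree that points outside it."""
    root = Path(tempfile.mkdtemp())
    (root / "public").mkdir()
    (root / "public" / "index.html").write_text("<h1>hello</h1>")
    outside = root / "secret.txt"
    outside.write_text("not for the web")
    os.symlink(outside, root / "public" / "leak")  # escape via symlink
    return root / "public"


def resolve_request(docroot: Path, requested: str) -> Optional[Path]:
    """Map a client-supplied path to a regular file under docroot.

    Returns the resolved path, or None when the request must be refused.
    The check is done on the fully resolved path, so '..' traversal and
    symlinks that leave the root are caught regardless of how the client
    spelled the path; absolute paths and NUL bytes are rejected up front."""
    if "\x00" in requested or requested.startswith(("/", "\\")):
        return None
    base = docroot.resolve()
    # resolve() follows symlinks and collapses '..' components.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError if outside base
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return candidate
```
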