On Tue, 29 Dec 1998, Bennett Todd wrote:
> I think I've got it!
>
> While a CGI-with-security-holes can be forced to "misbehave" for the invoking
> user, if the CGI itself and all its configuration and static data are readonly
> (enforced by MAC in the trusted OS) and data it modifies is handled as an
> append-only transaction log (again enforced by MAC), then the trusted OS can
> guarantee that subsequent users won't see behavior modified by the
> interactions of the intruder. Gotcha! And _neat_!
Phew! Now we're getting somewhere! :)
As I said, ACLs and per-user CGI execution start to approach this but only
(for mod_user) within the scope of the httpd. The "real" trusted system I
have is pretty cool, and I'm hoping to get some stuff developed on it
soon.
> I just wish that URL you posted for the "rsbac" stuff were reachable. Is a
> mirror of that site? As far as I can tell, that host isn't running a daemon on
> port 80.
No mirrors that I know of, and it looks like the httpd is down. I knew I
should have mirrored it locally. Hopefully it'll be up soon, time for
an e-mail or two I think. Now that 2.2.0pre1 is out I was thinking of
trying to fit the code into it.
My current interest in RSBAC is more in things like named, smtpd, and
single-purpose machines (though the privacy model stuff is interesting);
hopefully I'll clear enough time to start messing with it seriously,
because if apache can be made to play well with it, I think there's hope
for us all yet. Compartments and ACLs will help enormously.
For me, there are two things that make trusted-model systems (especially
MLS) interesting: the first is being able to sandbox untrusted code
fairly effectively - especially for core services like DNS; the second is
to start in on real, secure, transactional Web-based systems. I still
have some interest in potentially providing Web-based systems where I
don't have to strongly audit code, including some with HTTP upload
capability and multiple layers of administration. I think with the right
OS modifications, that could be extended to include CGI access.
All it should eventually take is RSBAC-Linux, Apache (+SSL) with some
modifications, a database (postgresql or mysql) with some modifications,
and a non-reusable password scheme, and I think most problems can be solved
with a good infrastructure.
After making some infrastructure code here for real stuff, I think I may
have a go at the administration part. That's going to be the make/break
piece.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
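The read-only / append-only split that Bennett Todd describes in the quoted paragraph, worked through as an added example (not code from the original message, and not RSBAC's own code). In the real design the trusted OS kernel mediates every file access and enforces the labels; here a small Python reference monitor stands in for the kernel so the decision logic can be run offline. The labels, the subject roles, the CGI script contents and the sample log records are all constructed for the example.

```python
"""
User-space model of MAC-enforced read-only code/config plus an
append-only transaction log. The Monitor class stands in for the trusted
OS kernel: in a real system there is no way around it, since every
open()/write() is a syscall the kernel checks against the object's label.
"""
import hashlib
import os
import tempfile

# Labels assumed for the example: RO for code, configuration and static
# data; AO for the transaction log. Unlabelled objects are denied by default.
RO, AO = "read-only", "append-only"


class Monitor:
    """Minimal reference monitor: maps object paths to labels and decides
    whether an operation ('read', 'write', 'append') is permitted."""

    def __init__(self, policy):
        self.policy = dict(policy)  # path -> label

    def check(self, path, op):
        label = self.policy.get(path)
        if label == RO:
            return op == "read"
        if label == AO:
            return op in ("read", "append")
        return False  # default deny for anything the policy does not name

    def read(self, path):
        if not self.check(path, "read"):
            raise PermissionError(f"read denied on {path}")
        with open(path, "rb") as f:
            return f.read()

    def write(self, path, data):
        # Overwrite/truncate is never permitted on RO or AO objects, so a
        # misbehaving CGI cannot backdoor its code or rewrite log history.
        if not self.check(path, "write"):
            raise PermissionError(f"write denied on {path}")
        with open(path, "wb") as f:
            f.write(data)

    def append(self, path, line):
        if not self.check(path, "append"):
            raise PermissionError(f"append denied on {path}")
        # O_APPEND without O_TRUNC: this descriptor can only add bytes at
        # the end of the file; existing records stay intact.
        fd = os.open(path, os.O_WRONLY | os.O_APPEND)
        try:
            os.write(fd, line.encode() + b"\n")
        finally:
            os.close(fd)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def run_scenario():
    """Install a CGI (RO) and a transaction log (AO), let a request that has
    forced the CGI to misbehave try to modify both, then report what the
    next user's request observes. Returns a dict for inspection/testing."""
    d = tempfile.mkdtemp()
    cgi = os.path.join(d, "order.cgi")   # constructed sample CGI
    log = os.path.join(d, "orders.log")  # constructed transaction log
    with open(cgi, "wb") as f:
        f.write(b"#!/bin/sh\necho 'legit order handler'\n")
    open(log, "wb").close()  # empty log created at install time

    mon = Monitor({cgi: RO, log: AO})
    baseline = sha256(mon.read(cgi))

    # Legitimate request: the CGI records its transaction.
    mon.append(log, "req=1 user=alice item=book qty=1")

    # Hostile request: the CGI tries to (a) rewrite its own script and
    # (b) wipe the log. Both are denied by the monitor.
    denied = []
    for path, data in ((cgi, b"#!/bin/sh\necho 'backdoored'\n"), (log, b"")):
        try:
            mon.write(path, data)
        except PermissionError as e:
            denied.append(str(e))
    # The only thing it can do is leave an auditable trace of itself.
    mon.append(log, "req=2 user=mallory item=book qty=-1000")

    # Next user's request: code hash unchanged, full history still present.
    after = sha256(mon.read(cgi))
    records = mon.read(log).decode().splitlines()
    return {"unchanged": baseline == after, "denied": denied, "records": records}


if __name__ == "__main__":
    print(run_scenario())
```

The point the model makes is the one in the thread: an intruder who drives the CGI into misbehaving can only add records, never alter code, configuration or earlier transactions, so later users see the same program and operators get a complete log of what the hostile request did. The detection side falls out of the append-only property: the hostile record (here a negative quantity) is preserved rather than erased.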