So, all that a nefarious process would have to do is *not* inform the kernel that is was running un-sourcable code, and you would never know.
That's like asking criminals to report their offenses to the police. It makes complete sense. Michael Sokolov wrote: > Dante Lanznaster <[email protected]> wrote: > >> Believe me, you'll want a x86 platform to run youtube videos... (it needs >> the flash plugin) >> >> FLASH! you know, that one from Adobe! > > I've already figured as much. > > Has anyone already come up with a mechanism to run these f***ing closed > source binary plugins in some kind of severely restricted "jail" > environment where the untrusted code is blocked from accessing any > system resources which aren't on a pre-approved list? I'm thinking > along the lines of something like this: a process makes a special system > call which tells the kernel "I'm about to run untrusted binary code for > which we have no source", and from that point on the kernel sets some > special flag marking the process as untrusted. The untrusted process is > then prohibited from using any system calls which aren't on a > pre-approved list, from accessing any files outside a pre-approved list, > and from accessing any network resources outside of another pre-approved > list. Has anyone already created something like this, or am I going to > have to hire someone with NSA-level security experience to custom-design > it for me from scratch? > > Developing this idea further, if I want to treat all closed source > binary x86 code as untrusted and dangerous (which is indeed my security > policy) and run it only in special restricted "jail" environments like > I've described, it probably wouldn't be that much extra effort to make > this "jail" environment in the form of a software-based x86 instruction > set emulator running on a machine whose native architecture could be > completely different... > > MS > _______________________________________________ > LinuxUsers mailing list > [email protected] > http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers
