[cgl_discussion] Latest draft on security requirements
Makan Pourzandi (LMC)
Makan.Pourzandi at ericsson.ca
Fri Nov 15 16:14:07 PST 2002
Thanks for your comments; see my comments in the text:
> -----Original Message-----
> From: Andy Pfiffer [mailto:andyp at osdl.org]
> Sent: Tuesday, November 12, 2002 5:28 PM
> To: Makan Pourzandi (LMC)
> Cc: 'cgl_discussion at osdl.org'; 'cgl_specs at osdl.org'
> Subject: Re: [cgl_discussion] Latest draft on security requirements
> What is the intention of this subtle distinction?
Well, actually the distinction is that I wanted to distinguish between code loaded for the first time from hard disk and code already present in memory. All this without entering into details: copy on write, lightweight processes, clone() .... I believe that, as this is a requirements doc, we must not go into that level of detail, and give ourselves some flexibility.
Mainly, what I wanted to express is that at level 3, you verify the signature when doing an exec()-like call, but not when doing fork()/clone(), as the child process will execute the same code as the parent. This also includes the case where a dynamic loader loads a dynamic library.
At level 4, you verify the digital signatures even when you fork()/clone(). Don't forget that we are at the paranoid level here, where the system may suspect that several hostile processes are already running. This measure will prevent those processes from creating new processes and control the damage.
> At the lowest levels, there is no distinction between binaries and other files. All of it is considered the same: buffers of data in the buffer cache. *That* is when the data is actually loaded into the memory of the server.
> At a higher level, I could see that a dynamic loader might want to verify the signature of a dynamic library. And I can also see that much of the code in the execution path of exec() would also want to validate the signature.
> Would it be possible to simplify or eliminate the distinction? Perhaps something like this:
> "When operating at increased security levels, the signatures of all files that are marked as executable (or otherwise marked as requiring a valid signature) will be verified by the following calls: open(), exec(), [etc]. If the signature is not valid, an error will be returned to the caller and the operation will not be
I am going to rephrase the level 3 and 4 regarding signatures requirement.
Do you believe that it is useful to distinguish between fork()/clone() and exec()?
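The following is an added model of the level 3 / level 4 behaviour debated in this message; it is not part of the original thread and not code from any CGL implementation. It treats exec(), dynamic-library load and fork()/clone() as loader events and applies the verification policy per level: at level 3 only exec and library loads are checked, at level 4 fork/clone is checked as well, so a process whose in-memory image no longer matches its signature can still fork at level 3 but is stopped at level 4. HMAC-SHA256 under a constructed key stands in for a real public-key signature so the example runs with only the standard library; the event names, function names and sample images are this example's own assumptions.

```python
import hashlib
import hmac

# Security levels as numbered in the thread.
LEVEL_3 = 3  # verify on exec() and dynamic-library load, not on fork()/clone()
LEVEL_4 = 4  # additionally verify on fork()/clone() ("paranoid" level)

# Loader events; the names are this example's own.
EXEC, DLOPEN, FORK = "exec", "dlopen", "fork"

# Constructed signing key. A deployed system would verify a public-key
# signature (RSA/ECDSA/Ed25519) against a trusted key; HMAC is a stand-in.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample images: a "good" binary and a tampered copy of it.
GOOD_IMAGE = b"\x7fELF\x02\x01\x01" + b"constructed program text"
TAMPERED_IMAGE = GOOD_IMAGE + b"\x90"


def sign(image: bytes) -> bytes:
    """Produce the detached signature a build system would ship with the file."""
    return hmac.new(SIGNING_KEY, image, hashlib.sha256).digest()


def signature_valid(image: bytes, signature: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(sign(image), signature)


def needs_verification(level: int, event: str) -> bool:
    """Which loader events trigger a signature check at each level."""
    if level >= LEVEL_4:
        return event in (EXEC, DLOPEN, FORK)
    if level == LEVEL_3:
        return event in (EXEC, DLOPEN)
    return False  # lower levels: no enforcement in this model


def loader_event(level: int, event: str, image: bytes, signature: bytes) -> str:
    """Return 'allowed' or 'refused' for one event under the given level.

    A refused operation is what the proposed requirement describes: an error is
    returned to the caller and the exec/load/fork does not happen.
    """
    if needs_verification(level, event) and not signature_valid(image, signature):
        return "refused"
    return "allowed"


GOOD_SIG = sign(GOOD_IMAGE)  # signature shipped alongside GOOD_IMAGE

if __name__ == "__main__":
    for level in (LEVEL_3, LEVEL_4):
        for event in (EXEC, DLOPEN, FORK):
            for name, image in (("good", GOOD_IMAGE), ("tampered", TAMPERED_IMAGE)):
                print(f"level {level} {event:<6} {name:<8}: "
                      f"{loader_event(level, event, image, GOOD_SIG)}")
```

Run as a script it prints the full policy matrix; the interesting rows are the tampered image under FORK, which is allowed at level 3 (the child runs the parent's already-loaded code, so no new check is made) and refused at level 4.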